538ea57ed4
Claude Config API (v0.6): - Add CRUD endpoints for commands, skills, and agents - Commands/skills/agents stored in /workspace/.claude/ (per-project, in git) - Credentials shared via PVC at /root/.claude/ (shared across pods) - Use base64 encoding for file writes (prevents shell injection) - Add content size limits (1MB max) Security Hardening: - Add sanitize package for command/prompt validation - Add rate limiting middleware (token bucket algorithm) - Add concurrent command limiting - Add input sanitization to all command handlers - Gitignore secrets.yaml and credentials.yaml - Add *.example templates for secrets Testing Infrastructure: - Add testutil package with mocks and fixtures - Add unit tests for auth package (63% coverage) - Add unit tests for executor (47% coverage) - Add handler integration tests (40% coverage) - Add 100% coverage for sanitize, cmdlimit packages - Add 96% coverage for ratelimit package Infrastructure: - Shared Claude credentials PVC (ReadWriteMany) - Reduced workspace PVC size from 20Gi to 5Gi - Add init container cleanup before git clone - Document Longhorn RWX requirements Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
151 lines
2.9 KiB
Go
151 lines
2.9 KiB
Go
package memory
|
|
|
|
import (
|
|
"context"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/orchard9/rdev/internal/domain"
|
|
"github.com/orchard9/rdev/internal/port"
|
|
)
|
|
|
|
// APIKeyRepository is an in-memory implementation of port.APIKeyRepository.
|
|
type APIKeyRepository struct {
|
|
keys map[domain.APIKeyID]*domain.APIKey
|
|
keysByHash map[string]domain.APIKeyID
|
|
nextID int
|
|
mu sync.RWMutex
|
|
}
|
|
|
|
// NewAPIKeyRepository creates a new in-memory API key repository.
|
|
func NewAPIKeyRepository() *APIKeyRepository {
|
|
return &APIKeyRepository{
|
|
keys: make(map[domain.APIKeyID]*domain.APIKey),
|
|
keysByHash: make(map[string]domain.APIKeyID),
|
|
}
|
|
}
|
|
|
|
// Ensure APIKeyRepository implements port.APIKeyRepository at compile time.
|
|
var _ port.APIKeyRepository = (*APIKeyRepository)(nil)
|
|
|
|
// Create stores a new API key.
|
|
func (r *APIKeyRepository) Create(ctx context.Context, key *domain.APIKey, keyHash string) error {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
r.nextID++
|
|
key.ID = domain.APIKeyID(itoa(r.nextID))
|
|
key.CreatedAt = time.Now()
|
|
|
|
// Store the key
|
|
r.keys[key.ID] = key
|
|
r.keysByHash[keyHash] = key.ID
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetByHash retrieves an API key by its hash.
|
|
func (r *APIKeyRepository) GetByHash(ctx context.Context, keyHash string) (*domain.APIKey, error) {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
|
|
id, ok := r.keysByHash[keyHash]
|
|
if !ok {
|
|
return nil, domain.ErrKeyNotFound
|
|
}
|
|
|
|
key, ok := r.keys[id]
|
|
if !ok {
|
|
return nil, domain.ErrKeyNotFound
|
|
}
|
|
|
|
return key, nil
|
|
}
|
|
|
|
// Get retrieves an API key by ID.
|
|
func (r *APIKeyRepository) Get(ctx context.Context, id domain.APIKeyID) (*domain.APIKey, error) {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
|
|
key, ok := r.keys[id]
|
|
if !ok {
|
|
return nil, domain.ErrKeyNotFound
|
|
}
|
|
|
|
return key, nil
|
|
}
|
|
|
|
// List returns all API keys (without secrets).
|
|
func (r *APIKeyRepository) List(ctx context.Context) ([]*domain.APIKey, error) {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
|
|
keys := make([]*domain.APIKey, 0, len(r.keys))
|
|
for _, key := range r.keys {
|
|
keys = append(keys, key)
|
|
}
|
|
|
|
return keys, nil
|
|
}
|
|
|
|
// Revoke marks an API key as revoked.
|
|
func (r *APIKeyRepository) Revoke(ctx context.Context, id domain.APIKeyID) error {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
key, ok := r.keys[id]
|
|
if !ok {
|
|
return domain.ErrKeyNotFound
|
|
}
|
|
|
|
if key.RevokedAt != nil {
|
|
return domain.ErrKeyNotFound
|
|
}
|
|
|
|
now := time.Now()
|
|
key.RevokedAt = &now
|
|
return nil
|
|
}
|
|
|
|
// UpdateLastUsed updates the last used timestamp for a key.
|
|
func (r *APIKeyRepository) UpdateLastUsed(ctx context.Context, id domain.APIKeyID) error {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
key, ok := r.keys[id]
|
|
if !ok {
|
|
return domain.ErrKeyNotFound
|
|
}
|
|
|
|
now := time.Now()
|
|
key.LastUsedAt = &now
|
|
return nil
|
|
}
|
|
|
|
// itoa converts an integer to a string.
|
|
func itoa(i int) string {
|
|
if i == 0 {
|
|
return "0"
|
|
}
|
|
|
|
var buf [20]byte
|
|
pos := len(buf)
|
|
negative := i < 0
|
|
if negative {
|
|
i = -i
|
|
}
|
|
|
|
for i > 0 {
|
|
pos--
|
|
buf[pos] = byte('0' + i%10)
|
|
i /= 10
|
|
}
|
|
|
|
if negative {
|
|
pos--
|
|
buf[pos] = '-'
|
|
}
|
|
|
|
return string(buf[pos:])
|
|
}
|