Merge pull request #120 from hyp3rd/feat/dist-mem-cache

feat: Introduce an OIDC-based authentication path

Author: hyp3rd

.golangci.yaml

@@ -63,6 +63,20 @@ linters:
     # (access to unexported helpers without re-exporting). Documented choice.
     - testpackage
 
+  exclusions:
+    rules:
+      # Phase C OIDC: makeOIDCServerVerify returns a closure with the
+      # signature `func(fiber.Ctx) (httpauth.Identity, error)` per
+      # the Policy.ServerVerify contract. The closure derives ctx
+      # from `c.Context()` (fiber's request-scoped ctx) — tying JWT
+      # verification to the boot-time discovery context would freeze
+      # cancellation at the wrong scope. contextcheck can't tell the
+      # closure receives ctx via the framework parameter and false-
+      # positives. Targeted to this single file.
+      - path: cmd/hypercache-server/oidc\.go
+        linters:
+          - contextcheck
+
   settings:
     cyclop:
       # The maximal code complexity to report.

CHANGELOG.md

@@ -8,6 +8,34 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Added
 
+- **OIDC verifier on the client API (`Policy.ServerVerify` hook).**
+  When `HYPERCACHE_OIDC_ISSUER` + `HYPERCACHE_OIDC_AUDIENCE` are
+  set, the binary fetches the IdP's
+  `/.well-known/openid-configuration` at boot, builds a
+  go-oidc-backed JWT verifier, and attaches it to
+  [`Policy.ServerVerify`](pkg/httpauth/policy.go). JWTs presented
+  via `Authorization: Bearer <jwt>` are validated for signature
+  and `iss`/`aud`/`exp`/`iat`/`nbf`, then the configured identity
+  claim (`HYPERCACHE_OIDC_IDENTITY_CLAIM`, default `sub`; common
+  override `email`) becomes `Identity.ID` and the configured
+  scope claim (`HYPERCACHE_OIDC_SCOPE_CLAIM`, default `scope` —
+  standard OAuth2 space-separated string; arrays also supported)
+  maps to `Identity.Scopes` (only `read`/`write`/`admin` survive;
+  unknown OIDC scopes are dropped silently). Coexists with the
+  static-bearer flow: a JWT that doesn't match any configured
+  `Tokens` entry falls through `resolveBearer` →
+  `ServerVerify`, so operators can run hybrid deployments
+  (machine integrations on static bearers, humans on OIDC).
+  Fail-fast at boot on an unreachable issuer URL or partial
+  config (one of issuer/audience set without the other). New
+  dep: `github.com/coreos/go-oidc/v3` (justified — JWKS
+  rotation, key id selection, alg validation, claim validation
+  are non-trivial; rolling our own is a CVE-magnet). 10 unit
+  tests in [oidc_test.go](cmd/hypercache-server/oidc_test.go)
+  drive an in-process IdP stub (signs JWTs with a hand-rolled
+  RSA key, serves discovery + JWKS); 4 integration tests in
+  [management_http_test.go](tests/management_http_test.go)
+  verify bearer + OIDC coexistence on the management port.
 - **`GET /cluster/events` — SSE stream of topology updates.** New
   Server-Sent Events endpoint on the management HTTP port that
   pushes `members` (full membership snapshot) and `heartbeat`

Makefile

@@ -37,6 +37,27 @@ stop-dev-cluster:
 	@echo
 	docker compose -f docker-compose.cluster.yml down -v --rmi local --remove-orphans
 
+# OIDC end-to-end example. The full stack — cache cluster +
+# Keycloak + Monitor — is defined and orchestrated from the
+# monitor repo's `examples/oidc/`. This target is a thin
+# passthrough so cache-repo operators can boot the stack
+# without leaving their working tree. The monitor repo must be
+# cloned as a sibling: ../hypercache-monitor.
+start-oidc:
+	@if [ ! -f ../hypercache-monitor/examples/oidc/docker-compose.yml ]; then \
+		echo "expected ../hypercache-monitor/examples/oidc/docker-compose.yml; clone the monitor repo as a sibling"; \
+		exit 1; \
+	fi
+	$(MAKE) -C ../hypercache-monitor start-oidc
+
+stop-oidc:
+	@if [ ! -f ../hypercache-monitor/examples/oidc/docker-compose.yml ]; then exit 0; fi
+	$(MAKE) -C ../hypercache-monitor stop-oidc
+
+clean-oidc:
+	@if [ ! -f ../hypercache-monitor/examples/oidc/docker-compose.yml ]; then exit 0; fi
+	$(MAKE) -C ../hypercache-monitor clean-oidc
+
 # test-cluster brings up the 5-node docker-compose cluster, waits for
 # every node's /healthz to be 200, runs the cross-node smoke test
 # (PUT/GET/DELETE asserted on every node), and tears the stack down —
@@ -235,4 +256,5 @@ help:
 	@echo
 	@echo "For more information, see the project README."
 
-.PHONY: init prepare-toolchain prepare-base-tools update-toolchain test test-race typecheck build ci bench bench-baseline vet update-deps lint sec help
+.PHONY: init prepare-toolchain prepare-base-tools update-toolchain test test-race typecheck build ci bench bench-baseline vet update-deps lint sec help \
+	start-dev-cluster stop-dev-cluster start-oidc stop-oidc clean-oidc

README.md

@@ -29,10 +29,7 @@ It ships with a default [histogram stats collector](./stats/stats.go) and severa
 
 - Thread-safe & lock‑optimized (sharded map + worker pool)
 - High-performance (low allocations on hot paths, pooled items, serializer‑aware sizing)
-- Multiple backends (extensible):
-            1. [In-memory](./pkg/backend/inmemory.go)
-            1. [Redis](./pkg/backend/redis.go)
-            1. [Redis Cluster](./pkg/backend/redis_cluster.go)
+- Multiple backends (extensible): 1. [In-memory](./pkg/backend/inmemory.go) 1. [Redis](./pkg/backend/redis.go) 1. [Redis Cluster](./pkg/backend/redis_cluster.go)
 - Item expiration & proactive expiration triggering (debounced/coalesced)
 - Background or proactive (interval = 0) eviction using pluggable algorithms
 - Manual, non-blocking eviction triggering (`TriggerEviction()`)
@@ -178,32 +175,32 @@ if err != nil {
 
 ### Advanced options quick reference
 
-| Option | Purpose |
-| -------- | --------- |
-| `WithEvictionInterval` | Periodic eviction loop; set to `0` for proactive per-write eviction. |
-| `WithExpirationInterval` | Periodic scan for expired items. |
-| `WithExpirationTriggerBuffer` | Buffer size for coalesced expiration trigger channel. |
-| `WithExpirationTriggerDebounce` | Drop rapid-fire triggers within a window. |
-| `WithEvictionAlgorithm` | Select eviction algorithm (lru, lfu, clock, cawolfu, arc*). |
-| `WithEvictionShardCount` | Number of eviction-algorithm shards (default 32; 1 disables sharding). |
-| `WithMaxEvictionCount` | Cap number of items evicted per cycle. |
-| `WithMaxCacheSize` | Max cumulative serialized item size (bytes). |
-| `WithStatsCollector` | Choose stats collector implementation. |
-| `WithManagementHTTP` | Start optional management HTTP server. |
-| `WithDistReplication` | (DistMemory) Set replication factor (owners per key). |
-| `WithDistVirtualNodes` | (DistMemory) Virtual nodes per physical node for consistent hashing. |
-| `WithDistMerkleChunkSize` | (DistMemory) Keys per Merkle leaf chunk (power-of-two recommended). |
-| `WithDistMerkleAutoSync` | (DistMemory) Interval for background Merkle sync (<=0 disables). |
-| `WithDistMerkleAutoSyncPeers` | (DistMemory) Limit peers synced per auto-sync tick (0=all). |
-| `WithDistListKeysCap` | (DistMemory) Cap number of keys fetched via fallback enumeration. |
-| `WithDistNode` | (DistMemory) Explicit node identity (id/address). |
-| `WithDistSeeds` | (DistMemory) Static seed addresses to pre-populate membership. |
-| `WithDistTombstoneTTL` | (DistMemory) Retain delete tombstones for this duration before compaction (<=0 = infinite). |
-| `WithDistTombstoneSweep` | (DistMemory) Interval to run tombstone compaction (<=0 disables). |
-| `WithDistHTTPLimits` | (DistMemory) Body / response / timeout / concurrency caps for the dist HTTP server + auto-client. |
-| `WithDistHTTPAuth` | (DistMemory) Bearer-token auth (`Token`) plus optional `ServerVerify` / `ClientSign` hooks. |
-
-*ARC is experimental (not registered by default).
+| Option                          | Purpose                                                                                           |
+| ------------------------------- | ------------------------------------------------------------------------------------------------- |
+| `WithEvictionInterval`          | Periodic eviction loop; set to `0` for proactive per-write eviction.                              |
+| `WithExpirationInterval`        | Periodic scan for expired items.                                                                  |
+| `WithExpirationTriggerBuffer`   | Buffer size for coalesced expiration trigger channel.                                             |
+| `WithExpirationTriggerDebounce` | Drop rapid-fire triggers within a window.                                                         |
+| `WithEvictionAlgorithm`         | Select eviction algorithm (lru, lfu, clock, cawolfu, arc\*).                                      |
+| `WithEvictionShardCount`        | Number of eviction-algorithm shards (default 32; 1 disables sharding).                            |
+| `WithMaxEvictionCount`          | Cap number of items evicted per cycle.                                                            |
+| `WithMaxCacheSize`              | Max cumulative serialized item size (bytes).                                                      |
+| `WithStatsCollector`            | Choose stats collector implementation.                                                            |
+| `WithManagementHTTP`            | Start optional management HTTP server.                                                            |
+| `WithDistReplication`           | (DistMemory) Set replication factor (owners per key).                                             |
+| `WithDistVirtualNodes`          | (DistMemory) Virtual nodes per physical node for consistent hashing.                              |
+| `WithDistMerkleChunkSize`       | (DistMemory) Keys per Merkle leaf chunk (power-of-two recommended).                               |
+| `WithDistMerkleAutoSync`        | (DistMemory) Interval for background Merkle sync (<=0 disables).                                  |
+| `WithDistMerkleAutoSyncPeers`   | (DistMemory) Limit peers synced per auto-sync tick (0=all).                                       |
+| `WithDistListKeysCap`           | (DistMemory) Cap number of keys fetched via fallback enumeration.                                 |
+| `WithDistNode`                  | (DistMemory) Explicit node identity (id/address).                                                 |
+| `WithDistSeeds`                 | (DistMemory) Static seed addresses to pre-populate membership.                                    |
+| `WithDistTombstoneTTL`          | (DistMemory) Retain delete tombstones for this duration before compaction (<=0 = infinite).       |
+| `WithDistTombstoneSweep`        | (DistMemory) Interval to run tombstone compaction (<=0 disables).                                 |
+| `WithDistHTTPLimits`            | (DistMemory) Body / response / timeout / concurrency caps for the dist HTTP server + auto-client. |
+| `WithDistHTTPAuth`              | (DistMemory) Bearer-token auth (`Token`) plus optional `ServerVerify` / `ClientSign` hooks.       |
+
+\*ARC is experimental (not registered by default).
 
 ### Type-safe access (`Typed[V]`)
 
@@ -280,7 +277,10 @@ limits := backend.DistHTTPLimits{
 
 // 2) Auth: a shared bearer token covers most clusters; ServerVerify /
 //    ClientSign hooks are escape hatches for JWT, mTLS-derived
-//    identity, HMAC, etc.
+//    identity, HMAC, etc. The hypercache-server binary uses the
+//    ServerVerify hook to plug in an OIDC verifier
+//    (cmd/hypercache-server/oidc.go) when HYPERCACHE_OIDC_ISSUER is
+//    set; static-bearer logins coexist with IdP-issued JWTs.
 auth := backend.DistHTTPAuth{Token: "shared-cluster-secret"}
 
 bi, _ := backend.NewDistMemory(ctx,
@@ -316,44 +316,44 @@ Replica removal cleanup (actively dropping data from nodes no longer replicas) i
 
 Metrics (via management or `Metrics()`):
 
-| Metric | Description |
-| -------- | ------------- |
-| RebalancedKeys | Count of all rebalance-related migrations (primary changes + replica diff replications). |
-| RebalancedPrimary | Count of primary ownership change migrations (subset of RebalancedKeys). |
-| RebalanceBatches | Number of migration batches executed. |
-| RebalanceThrottle | Times migration concurrency limiter saturated. |
-| RebalanceLastNanos | Duration (ns) of last rebalance scan. |
-| RebalancedReplicaDiff | Count of replica-only diff replications (new replicas seeded). |
-| RebalanceReplicaDiffThrottle | Times replica-only diff processing hit per-tick cap. |
+| Metric                       | Description                                                                              |
+| ---------------------------- | ---------------------------------------------------------------------------------------- |
+| RebalancedKeys               | Count of all rebalance-related migrations (primary changes + replica diff replications). |
+| RebalancedPrimary            | Count of primary ownership change migrations (subset of RebalancedKeys).                 |
+| RebalanceBatches             | Number of migration batches executed.                                                    |
+| RebalanceThrottle            | Times migration concurrency limiter saturated.                                           |
+| RebalanceLastNanos           | Duration (ns) of last rebalance scan.                                                    |
+| RebalancedReplicaDiff        | Count of replica-only diff replications (new replicas seeded).                           |
+| RebalanceReplicaDiffThrottle | Times replica-only diff processing hit per-tick cap.                                     |
 
 Test helpers `AddPeer` and `RemovePeer` simulate join / leave events that trigger redistribution in integration tests (`dist_rebalance_*.go`).
 
 ### Roadmap / PRD Progress Snapshot
 
-| Area | Status |
-| ------ | -------- |
-| Core in-process sharding | Done |
-| Replication fan-out | Done |
-| Read-repair | Done |
-| Quorum consistency (R/W) | Done |
-| Hinted handoff (TTL, replay, caps) | Done |
-| Tombstones (TTL + compaction) | Done |
-| Merkle anti-entropy (pull) | Done |
-| Merkle phase metrics | Done |
-| Auto Merkle background sync | Done |
+| Area                                                               | Status                                                    |
+| ------------------------------------------------------------------ | --------------------------------------------------------- |
+| Core in-process sharding                                           | Done                                                      |
+| Replication fan-out                                                | Done                                                      |
+| Read-repair                                                        | Done                                                      |
+| Quorum consistency (R/W)                                           | Done                                                      |
+| Hinted handoff (TTL, replay, caps)                                 | Done                                                      |
+| Tombstones (TTL + compaction)                                      | Done                                                      |
+| Merkle anti-entropy (pull)                                         | Done                                                      |
+| Merkle phase metrics                                               | Done                                                      |
+| Auto Merkle background sync                                        | Done                                                      |
 | Rebalancing (primary/lost ownership + replica-add diff + shedding) | Partial (shedding grace delete added; future retry/queue) |
-| Failure detection (heartbeat) | Partial (basic) |
-| Lightweight gossip snapshot | Partial |
-| Replica-only migration diff | Planned |
-| Adaptive Merkle scheduling | Planned |
-| Advanced versioning (HLC/vector) | Planned |
-| Client SDK (direct routing) | Planned |
-| Tracing spans | Planned |
-| Security (TLS/auth) | Done (since v0.5.0; see "Transport hardening") |
-| Compression | Planned |
-| Persistence | Out of scope (current phase) |
-| Chaos / fault injection | Planned |
-| Benchmarks & tests | Ongoing (broad coverage) |
+| Failure detection (heartbeat)                                      | Partial (basic)                                           |
+| Lightweight gossip snapshot                                        | Partial                                                   |
+| Replica-only migration diff                                        | Planned                                                   |
+| Adaptive Merkle scheduling                                         | Planned                                                   |
+| Advanced versioning (HLC/vector)                                   | Planned                                                   |
+| Client SDK (direct routing)                                        | Planned                                                   |
+| Tracing spans                                                      | Planned                                                   |
+| Security (TLS/auth)                                                | Done (since v0.5.0; see "Transport hardening")            |
+| Compression                                                        | Planned                                                   |
+| Persistence                                                        | Out of scope (current phase)                              |
+| Chaos / fault injection                                            | Planned                                                   |
+| Benchmarks & tests                                                 | Ongoing (broad coverage)                                  |
 
 Example minimal setup:
 
@@ -433,4 +433,4 @@ I'm a surfer, and a software architect with 15 years of experience designing hig
 [![LinkedIn](https://img.shields.io/badge/LinkedIn-0077B5?style=for-the-badge&logo=linkedin&logoColor=white)](https://www.linkedin.com/in/francesco-cosentino/)
 
 [build-link]: https://github.com/hyp3rd/hypercache/actions/workflows/go.yml
-[codeql-link]:https://github.com/hyp3rd/hypercache/actions/workflows/codeql.yml
+[codeql-link]: https://github.com/hyp3rd/hypercache/actions/workflows/codeql.yml