feat(memory): add in-memory principal resolution

go.mod

@@ -1,3 +1,11 @@
 module github.com/meigma/authkit
 
 go 1.26
+
+require github.com/stretchr/testify v1.11.1
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)

go.sum

@@ -0,0 +1,10 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

store/memory/store.go

@@ -0,0 +1,164 @@
+package memory
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"maps"
+	"strconv"
+	"sync"
+
+	"github.com/meigma/authkit"
+)
+
+const principalIDPrefix = "principal_"
+
+// Store keeps principals and external identity links in memory.
+type Store struct {
+	mu                  sync.RWMutex
+	nextPrincipalNumber int
+	principals          map[string]authkit.Principal
+	links               map[identityKey]authkit.ExternalIdentity
+}
+
+type identityKey struct {
+	provider string
+	subject  string
+}
+
+// NewStore creates an empty in-memory store.
+func NewStore() *Store {
+	return &Store{
+		nextPrincipalNumber: 1,
+		principals:          make(map[string]authkit.Principal),
+		links:               make(map[identityKey]authkit.ExternalIdentity),
+	}
+}
+
+// CreatePrincipal creates a principal in the store.
+func (s *Store) CreatePrincipal(ctx context.Context, req authkit.CreatePrincipalRequest) (authkit.Principal, error) {
+	if err := ctx.Err(); err != nil {
+		return authkit.Principal{}, err
+	}
+
+	if req.Kind != authkit.PrincipalKindUser && req.Kind != authkit.PrincipalKindService {
+		return authkit.Principal{}, fmt.Errorf("memory: unsupported principal kind %q", req.Kind)
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	principal := authkit.Principal{
+		ID:          principalIDPrefix + strconv.Itoa(s.nextPrincipalNumber),
+		Kind:        req.Kind,
+		DisplayName: req.DisplayName,
+		Attributes:  cloneAttributes(req.Attributes),
+	}
+	s.nextPrincipalNumber++
+	s.principals[principal.ID] = principal
+
+	return clonePrincipal(principal), nil
+}
+
+// LinkIdentity links an external identity to an existing principal.
+func (s *Store) LinkIdentity(ctx context.Context, req authkit.LinkIdentityRequest) (authkit.ExternalIdentity, error) {
+	if err := ctx.Err(); err != nil {
+		return authkit.ExternalIdentity{}, err
+	}
+
+	if req.Provider == "" {
+		return authkit.ExternalIdentity{}, errors.New("memory: provider is required")
+	}
+	if req.Subject == "" {
+		return authkit.ExternalIdentity{}, errors.New("memory: subject is required")
+	}
+	if req.PrincipalID == "" {
+		return authkit.ExternalIdentity{}, errors.New("memory: principal ID is required")
+	}
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	if _, ok := s.principals[req.PrincipalID]; !ok {
+		return authkit.ExternalIdentity{}, fmt.Errorf("memory: principal %q does not exist", req.PrincipalID)
+	}
+
+	key := identityKey{
+		provider: req.Provider,
+		subject:  req.Subject,
+	}
+	if link, ok := s.links[key]; ok {
+		if link.PrincipalID == req.PrincipalID {
+			return link, nil
+		}
+
+		return authkit.ExternalIdentity{}, fmt.Errorf(
+			"memory: identity %q/%q is already linked to principal %q",
+			req.Provider,
+			req.Subject,
+			link.PrincipalID,
+		)
+	}
+
+	link := authkit.ExternalIdentity(req)
+	s.links[key] = link
+
+	return link, nil
+}
+
+// ResolveIdentity returns the principal linked to identity.
+func (s *Store) ResolveIdentity(ctx context.Context, identity authkit.Identity) (*authkit.Principal, error) {
+	if err := ctx.Err(); err != nil {
+		return nil, err
+	}
+
+	if identity.Provider == "" || identity.Subject == "" {
+		return nil, fmt.Errorf("%w: provider and subject are required", authkit.ErrUnresolvedIdentity)
+	}
+
+	s.mu.RLock()
+	defer s.mu.RUnlock()
+
+	link, ok := s.links[identityKey{
+		provider: identity.Provider,
+		subject:  identity.Subject,
+	}]
+	if !ok {
+		return nil, fmt.Errorf(
+			"%w: identity %q/%q is not linked",
+			authkit.ErrUnresolvedIdentity,
+			identity.Provider,
+			identity.Subject,
+		)
+	}
+
+	principal, ok := s.principals[link.PrincipalID]
+	if !ok {
+		return nil, fmt.Errorf(
+			"%w: linked principal %q does not exist",
+			authkit.ErrUnresolvedIdentity,
+			link.PrincipalID,
+		)
+	}
+
+	resolved := clonePrincipal(principal)
+
+	return &resolved, nil
+}
+
+func cloneAttributes(attrs map[string]any) map[string]any {
+	if len(attrs) == 0 {
+		return nil
+	}
+
+	cloned := make(map[string]any, len(attrs))
+	maps.Copy(cloned, attrs)
+
+	return cloned
+}
+
+func clonePrincipal(principal authkit.Principal) authkit.Principal {
+	principal.Attributes = cloneAttributes(principal.Attributes)
+
+	return principal
+}