bundle-server: introduce 'authorize' step to 'serve'

Add an 'authorize' function to the bundle web server for managing access to
bundle server content. This function returns one of two states:

- Deny, which indicates that bundle server content should not be served.
  This is configured with the desired 4XX response code and (optional)
  headers. Invoking 'ApplyResult()' with this result will fill in the
  response information and trigger 'serve' to exit immediately.
- Allow, indicating that the requstor may access the requested resource.
  This does not return an immediate response, but if headers are specified,
  they will be added to the eventual response. After applying this result
  with 'ApplyResult()', 'serve' will continue on to add the appropriate
  content to the response.

For now, the 'authorize' function is always nil, so it's never invoked. In
later patches, it will be configured via a new '--auth-config' option to the
web server.

Signed-off-by: Victoria Dye <vdye@github.com>

Author: vdye

cmd/git-bundle-web-server/bundle-server.go

@@ -20,24 +20,30 @@ import (
 	"github.com/git-ecosystem/git-bundle-server/internal/core"
 	"github.com/git-ecosystem/git-bundle-server/internal/git"
 	"github.com/git-ecosystem/git-bundle-server/internal/log"
+	"github.com/git-ecosystem/git-bundle-server/pkg/auth"
 )
 
+type authFunc func(*http.Request, string, string) auth.AuthResult
+
 type bundleWebServer struct {
 	logger             log.TraceLogger
 	server             *http.Server
 	serverWaitGroup    *sync.WaitGroup
 	listenAndServeFunc func() error
+	authorize          authFunc
 }
 
 func NewBundleWebServer(logger log.TraceLogger,
 	port string,
 	certFile string, keyFile string,
 	tlsMinVersion uint16,
 	clientCAFile string,
+	middlewareAuthorize authFunc,
 ) (*bundleWebServer, error) {
 	bundleServer := &bundleWebServer{
 		logger:          logger,
 		serverWaitGroup: &sync.WaitGroup{},
+		authorize:       middlewareAuthorize,
 	}
 
 	// Configure the http.Server
@@ -107,6 +113,13 @@ func (b *bundleWebServer) serve(w http.ResponseWriter, r *http.Request) {
 
 	route := owner + "/" + repo
 
+	if b.authorize != nil {
+		authResult := b.authorize(r, owner, repo)
+		if authResult.ApplyResult(w) {
+			return
+		}
+	}
+
 	userProvider := common.NewUserProvider()
 	fileSystem := common.NewFileSystem()
 	commandExecutor := cmd.NewCommandExecutor(b.logger)

cmd/git-bundle-web-server/main.go

@@ -29,12 +29,16 @@ func main() {
 		tlsMinVersion := utils.GetFlagValue[uint16](parser, "tls-version")
 		clientCA := utils.GetFlagValue[string](parser, "client-ca")
 
+		// Configure auth
+		middlewareAuthorize := authFunc(nil)
+
 		// Configure the server
 		bundleServer, err := NewBundleWebServer(logger,
 			port,
 			cert, key,
 			tlsMinVersion,
 			clientCA,
+			middlewareAuthorize,
 		)
 		if err != nil {
 			logger.Fatal(ctx, err)

pkg/auth/auth-result.go

@@ -0,0 +1,75 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+)
+
+// The Header type captures HTTP response header information.
+type Header struct {
+	Key   string
+	Value string
+}
+
+// The AuthResult represents the result of authenticating/authorizing via an
+// AuthMiddleware's Authorize function.
+type AuthResult struct {
+	applyResultFunc func(http.ResponseWriter) bool
+}
+
+// ApplyResult applies the AuthResult's configuration to the provided
+// http.ResponseWriter w and returns whether the web server should immediately
+// send the response (for an AuthResult created with Deny()) or continue on to
+// get and serve bundle server content (for an AuthResult created with
+// Accept()). If the AuthResult is invalid (e.g., created with AuthResult{}),
+// ApplyResult will indicate an immediate 500 response.
+func (a *AuthResult) ApplyResult(w http.ResponseWriter) bool {
+	if a.applyResultFunc == nil {
+		// AuthResult was initialized incorrectly - throw an ISE & exit
+		w.WriteHeader(http.StatusInternalServerError)
+		return true
+	} else {
+		return a.applyResultFunc(w)
+	}
+}
+
+func writeCustomHeaders(w http.ResponseWriter, headers []Header) {
+	for _, h := range headers {
+		w.Header().Add(h.Key, h.Value)
+	}
+}
+
+// Deny creates an AuthResult instance indicating that the bundle web server
+// should not serve the requested content and instead return an error response.
+// The response will have the status indicated by code (*must* be 4XX) and
+// include HTTP headers specified by the headers arg(s). Repeated headers (e.g.
+// multiple WWW-Authenticate headers) will be added to the response in the order
+// they are provided to this function.
+func Deny(code int, headers ...Header) AuthResult {
+	// Make sure the code is a 4XX
+	if code < 400 || code > 499 {
+		panic(fmt.Sprintf("invalid auth middleware response code (must be 4XX, got %d)", code))
+	}
+
+	// Configure ApplyResult to write the response & exit
+	return AuthResult{
+		applyResultFunc: func(w http.ResponseWriter) bool {
+			writeCustomHeaders(w, headers)
+			w.WriteHeader(code)
+			return true
+		},
+	}
+}
+
+// Allow creates an AuthResult instance indicating that the bundle web server
+// should serve the requested content. If headers are specified, they will be
+// applied to the http.ResponseWriter and applied to the response. Repeated
+// headers are applied in the order they are provided to this function.
+func Allow(headers ...Header) AuthResult {
+	return AuthResult{
+		applyResultFunc: func(w http.ResponseWriter) bool {
+			writeCustomHeaders(w, headers)
+			return false
+		},
+	}
+}

pkg/auth/auth-result_test.go

@@ -0,0 +1,146 @@
+package auth_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/git-ecosystem/git-bundle-server/pkg/auth"
+	"github.com/stretchr/testify/assert"
+)
+
+var denyTests = []struct {
+	title string
+
+	code              int
+	headers           []auth.Header
+	expectedInitPanic bool
+
+	expectedHeaders http.Header
+}{
+	{
+		"Invalid code causes panic",
+		500,
+		[]auth.Header{},
+		true,
+		nil,
+	},
+	{
+		"Valid code with no headers",
+		404,
+		[]auth.Header{},
+		false,
+		map[string][]string{},
+	},
+	{
+		"Valid code with unique headers",
+		401,
+		[]auth.Header{{"WWW-Authenticate", `Basic realm="restricted", charset="UTF-8"`}},
+		false,
+		map[string][]string{"Www-Authenticate": {`Basic realm="restricted", charset="UTF-8"`}},
+	},
+	{
+		"Valid code with repeated headers",
+		401,
+		[]auth.Header{
+			{"www-authenticate", `Basic realm="example.com"`},
+			{"WWW-Authenticate", `Bearer authorize="idp.example.com/oauth"`},
+		},
+		false,
+		map[string][]string{"Www-Authenticate": {
+			`Basic realm="example.com"`,
+			`Bearer authorize="idp.example.com/oauth"`,
+		}},
+	},
+}
+
+func Test_Deny(t *testing.T) {
+	for _, tt := range denyTests {
+		t.Run(tt.title, func(t *testing.T) {
+			w := httptest.NewRecorder()
+
+			// Create the AuthResult, call WriteResponse
+			if tt.expectedInitPanic {
+				assert.Panics(t, func() { auth.Deny(tt.code, tt.headers...) })
+				return
+			}
+			result := auth.Deny(tt.code, tt.headers...)
+			wroteResponse := result.ApplyResult(w)
+
+			// Response has been written; should exit
+			assert.True(t, wroteResponse)
+
+			// Check code and content
+			assert.Equal(t, tt.code, w.Code)
+			assert.Equal(t, tt.expectedHeaders, w.Header())
+			assert.Empty(t, w.Body)
+		})
+	}
+}
+
+var allowTests = []struct {
+	title string
+
+	headers         []auth.Header
+	expectedHeaders http.Header
+}{
+	{
+		"Allow with no headers",
+		[]auth.Header{},
+		map[string][]string{},
+	},
+	{
+		"Allow with headers",
+		[]auth.Header{{"Cache-Control", "no-store"}},
+		map[string][]string{"Cache-Control": {"no-store"}},
+	},
+	{
+		"Allow with repeated headers",
+		[]auth.Header{
+			{"FAKE-HEADER", "first value"},
+			{"fake-header", "second value"},
+		},
+		map[string][]string{"Fake-Header": {
+			"first value",
+			"second value",
+		}},
+	},
+}
+
+func Test_Allow(t *testing.T) {
+	for _, tt := range allowTests {
+		t.Run(tt.title, func(t *testing.T) {
+			w := httptest.NewRecorder()
+
+			// Create the AuthResult, call WriteResponse
+			result := auth.Allow(tt.headers...)
+			wroteResponse := result.ApplyResult(w)
+
+			// Make sure we aren't exiting
+			assert.False(t, wroteResponse)
+
+			// Make sure no code or body was written, but headers are
+			assert.Equal(t, 200, w.Code) // default code
+			assert.Equal(t, tt.expectedHeaders, w.Header())
+			assert.Empty(t, w.Body)
+		})
+	}
+}
+
+func Test_AuthResult(t *testing.T) {
+	t.Run("Default AuthResult writes 500 response", func(t *testing.T) {
+		w := httptest.NewRecorder()
+
+		// Create the AuthResult, call WriteResponse
+		result := auth.AuthResult{}
+		wroteResponse := result.ApplyResult(w)
+
+		// Response has been written; should exit
+		assert.True(t, wroteResponse)
+
+		// Check code and content
+		assert.Equal(t, 500, w.Code)
+		assert.Empty(t, w.Header())
+		assert.Empty(t, w.Body)
+	})
+}