| author | Max Resnick <max@ofmax.li> | 2024-08-21 22:30:42 -0700 |
|---|---|---|
| committer | Max Resnick <max@ofmax.li> | 2024-08-21 22:30:42 -0700 |
| commit | 100c673c3a95827698758139f887a3e744231c42 (patch) | |
| tree | 4dde9b67bad9e55c3d90617a430b0e2df88b9a33 /internal | |
| parent | 10cbeb6ce662990be14f2141d5c9baf7bce230c7 (diff) | |
| download | go-git-server-100c673c3a95827698758139f887a3e744231c42.tar.gz | |
feat: add anon access mgmt
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/authz/middleware.go | 13 | ||||
| -rw-r--r-- | internal/authz/middleware_test.go | 7 |
2 files changed, 16 insertions, 4 deletions
diff --git a/internal/authz/middleware.go b/internal/authz/middleware.go
index f7e1728..2aa4ba7 100644
--- a/internal/authz/middleware.go
+++ b/internal/authz/middleware.go
@@ -24,9 +24,9 @@ func Authentication(authMap TokenMap, next http.Handler) http.Handler {
 slog.Info("access request recv")
 u, p, ok := req.BasicAuth()
 if !ok {
- rw.Header().Set("WWW-Authenticate", `Basic realm="git"`)
- http.Error(rw, "Authentication Required", http.StatusUnauthorized)
- return
+ u = "anon"
+ ctx := context.WithValue(req.Context(), AuthzUrnKey, u)
+ next.ServeHTTP(rw, req.WithContext(ctx))
 }
 urn := fmt.Sprintf("uid:%s", u)
 hash, ok := authMap[urn]
@@ -68,10 +68,15 @@ func Authorization(adminSvc *admin.Servicer, next http.Handler) http.Handler {
 http.Error(rw, "Bad Request", http.StatusBadRequest)
 return
 }
- if !ok {
+ if !ok && urn == "anon" {
+ rw.Header().Set("WWW-Authenticate", `Basic realm="git"`)
+ http.Error(rw, "Authentication Required", http.StatusUnauthorized)
+ return
+ } else if !ok {
 slog.Info("Not Authorized", "urn", urn, "repo", repo)
 http.Error(rw, "Access denied", http.StatusForbidden)
 return
+
 }
 slog.Debug("Access Attempt", "action", action, "repo", repo)
 next.ServeHTTP(rw, req.WithContext(ctx))
diff --git a/internal/authz/middleware_test.go b/internal/authz/middleware_test.go
index 3dfa997..2d499ce 100644
--- a/internal/authz/middleware_test.go
+++ b/internal/authz/middleware_test.go
@@ -112,6 +112,13 @@ func TestAuthorization(t *testing.T) {
 description: "an unauthorized action should yield a 403",
 body: []byte("Access denied\n"),
 },
+ {
+ url: fmt.Sprintf("%s/%s", baseURL, "repo/url/bar"),
+ user: "anon",
+ expectedStatus: http.StatusUnauthorized,
+ description: "an unauthorized action should yield a 403",
+ body: []byte("Authentication Required\n"),
+ },
 }
 svcr, _ := admin.NewService(
 "../../auth_model.ini", |
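Review bot: The anonymous branch in `Authentication` calls `next.ServeHTTP(rw, req.WithContext(ctx))` but has no `return`, so execution falls through to `urn := fmt.Sprintf("uid:%s", u)` and the `authMap[urn]` lookup with `u == "anon"` and an empty password. Depending on the code after the hunk, that either writes a second response on top of the one `next` already produced or invokes `next` a second time. If `authMap` ever contains a `uid:anon` entry, the credential check would also run for a request that presented no credentials. Add `return` directly after the `next.ServeHTTP` call in the `if !ok {` block. The remainder of the function lies outside the hunk, so the exact fall-through behaviour should be confirmed there.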
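Review bot: The new `!ok && urn == "anon"` branch in `Authorization` returns 401 without logging anything, while the authenticated denial below it logs `Not Authorized` with the urn and repo. Denied anonymous requests therefore leave no record for anyone reviewing access to private repositories. Adding `slog.Info("Not Authorized", "urn", urn, "repo", repo)` ahead of the `WWW-Authenticate` header would keep both denial paths visible. The literal `"anon"` is compared here and assigned separately in `Authentication`; a single package-level constant used in both places would keep the two from drifting apart. The handler body starts and ends outside this hunk.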
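Review bot: The added table entry's `description` still reads "an unauthorized action should yield a 403" although its `expectedStatus` is `http.StatusUnauthorized`, so a failing run would report the wrong expectation. Something like `description: "an anonymous request without access should yield a 401",` matches the case. As far as this hunk shows, the table only drives `Authorization` with `user: "anon"`. The new no-credentials path in `Authentication` is not exercised, and a test sending a request without Basic auth through that middleware would cover it.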