diff options
| -rw-r--r-- | internal/authz/middleware.go | 13 | ||||
| -rw-r--r-- | internal/authz/middleware_test.go | 7 |
2 files changed, 16 insertions, 4 deletions
diff --git a/internal/authz/middleware.go b/internal/authz/middleware.go index f7e1728..2aa4ba7 100644 --- a/internal/authz/middleware.go +++ b/internal/authz/middleware.go @@ -24,9 +24,9 @@ func Authentication(authMap TokenMap, next http.Handler) http.Handler { slog.Info("access request recv") u, p, ok := req.BasicAuth() if !ok { - rw.Header().Set("WWW-Authenticate", `Basic realm="git"`) - http.Error(rw, "Authentication Required", http.StatusUnauthorized) - return + u = "anon" + ctx := context.WithValue(req.Context(), AuthzUrnKey, u) + next.ServeHTTP(rw, req.WithContext(ctx)) } urn := fmt.Sprintf("uid:%s", u) hash, ok := authMap[urn] @@ -68,10 +68,15 @@ func Authorization(adminSvc *admin.Servicer, next http.Handler) http.Handler { http.Error(rw, "Bad Request", http.StatusBadRequest) return } - if !ok { + if !ok && urn == "anon" { + rw.Header().Set("WWW-Authenticate", `Basic realm="git"`) + http.Error(rw, "Authentication Required", http.StatusUnauthorized) + return + } else if !ok { slog.Info("Not Authorized", "urn", urn, "repo", repo) http.Error(rw, "Access denied", http.StatusForbidden) return + } slog.Debug("Access Attempt", "action", action, "repo", repo) next.ServeHTTP(rw, req.WithContext(ctx)) diff --git a/internal/authz/middleware_test.go b/internal/authz/middleware_test.go index 3dfa997..2d499ce 100644 --- a/internal/authz/middleware_test.go +++ b/internal/authz/middleware_test.go @@ -112,6 +112,13 @@ func TestAuthorization(t *testing.T) { description: "an unauthorized action should yield a 403", body: []byte("Access denied\n"), }, + { + url: fmt.Sprintf("%s/%s", baseURL, "repo/url/bar"), + user: "anon", + expectedStatus: http.StatusUnauthorized, + description: "an unauthorized action should yield a 403", + body: []byte("Authentication Required\n"), + }, } svcr, _ := admin.NewService( "../../auth_model.ini", |