Private feed implementation

src/BaGetter.Core/Authentication/ApiKeyAuthenticationService.cs

@@ -1,4 +1,5 @@
 using System;
+using System.Linq;
 using System.Threading;
 using System.Threading.Tasks;
 using Microsoft.Extensions.Options;
@@ -8,12 +9,14 @@ namespace BaGetter.Core;
 public class ApiKeyAuthenticationService : IAuthenticationService
 {
     private readonly string _apiKey;
+    private readonly string[] _apiKeys;
 
     public ApiKeyAuthenticationService(IOptionsSnapshot<BaGetterOptions> options)
     {
         ArgumentNullException.ThrowIfNull(options);
 
         _apiKey = string.IsNullOrEmpty(options.Value.ApiKey) ? null : options.Value.ApiKey;
+        _apiKeys = options.Value.ApiKeys;
     }
 
     public Task<bool> AuthenticateAsync(string apiKey, CancellationToken cancellationToken)
@@ -22,8 +25,8 @@ public Task<bool> AuthenticateAsync(string apiKey, CancellationToken cancellatio
     private bool Authenticate(string apiKey)
     {
         // No authentication is necessary if there is no required API key.
-        if (_apiKey == null) return true;
+        if (_apiKey == null && (_apiKeys is null || _apiKeys.Length==0)) return true;
 
-        return _apiKey == apiKey;
+        return _apiKey == apiKey || _apiKeys?.Contains(apiKey) == true;
     }
 }

src/BaGetter.Core/Authentication/AuthenticationConstants.cs

@@ -0,0 +1,12 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace BaGetter.Authentication;
+public static class AuthenticationConstants
+{
+    public const string NugetBasicAuthenticationScheme = "NugetBasicAuthentication";
+    public const string NugetUserPolicy = "NuGetUserPolicy";
+}

src/BaGetter.Core/Configuration/AuthenticationOptions.cs

@@ -0,0 +1,8 @@
+namespace BaGetter.Core;
+
+public class AuthenticationOptions
+{
+    public string Username { get; set; }
+
+    public string Password { get; set; }
+}

src/BaGetter.Core/Configuration/BaGetterOptions.cs

@@ -8,6 +8,12 @@ public class BaGetterOptions
     /// </summary>
     public string ApiKey { get; set; }
 
+    /// <summary>
+    /// The API Key required to authenticate package
+    /// operations. If empty, package operations do not require authentication.
+    /// </summary>
+    public string[] ApiKeys { get; set; }
+
     /// <summary>
     /// The application root URL for usage in reverse proxy scenarios.
     /// </summary>
@@ -58,4 +64,6 @@ public class BaGetterOptions
     public HealthCheckOptions HealthCheck { get; set; }
 
     public StatisticsOptions Statistics { get; set; }
+
+    public AuthenticationOptions[] Authentication { get; set; }
 }

src/BaGetter.Web/Controllers/PackageContentController.cs

@@ -1,8 +1,10 @@
 using System;
 using System.Threading;
 using System.Threading.Tasks;
+using BaGetter.Authentication;
 using BaGetter.Core;
 using BaGetter.Protocol.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using NuGet.Versioning;
 
@@ -12,6 +14,8 @@ namespace BaGetter.Web;
 /// The Package Content resource, used to download content from packages.
 /// See: https://docs.microsoft.com/nuget/api/package-base-address-resource
 /// </summary>
+
+[Authorize(AuthenticationSchemes = AuthenticationConstants.NugetBasicAuthenticationScheme, Policy = AuthenticationConstants.NugetUserPolicy)]
 public class PackageContentController : Controller
 {
     private readonly IPackageContentService _content;

src/BaGetter.Web/Controllers/PackageMetadataController.cs

@@ -1,8 +1,10 @@
 using System;
 using System.Threading;
 using System.Threading.Tasks;
+using BaGetter.Authentication;
 using BaGetter.Core;
 using BaGetter.Protocol.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using NuGet.Versioning;
 
@@ -12,6 +14,8 @@ namespace BaGetter.Web;
 /// The Package Metadata resource, used to fetch packages' information.
 /// See: https://docs.microsoft.com/en-us/nuget/api/registration-base-url-resource
 /// </summary>
+
+[Authorize(AuthenticationSchemes = AuthenticationConstants.NugetBasicAuthenticationScheme, Policy = AuthenticationConstants.NugetUserPolicy)]
 public class PackageMetadataController : Controller
 {
     private readonly IPackageMetadataService _metadata;

src/BaGetter.Web/Controllers/SearchController.cs

@@ -1,12 +1,15 @@
 using System;
 using System.Threading;
 using System.Threading.Tasks;
+using BaGetter.Authentication;
 using BaGetter.Core;
 using BaGetter.Protocol.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace BaGetter.Web;
 
+[Authorize(AuthenticationSchemes = AuthenticationConstants.NugetBasicAuthenticationScheme, Policy = AuthenticationConstants.NugetUserPolicy)]
 public class SearchController : Controller
 {
     private readonly ISearchService _searchService;

src/BaGetter.Web/Controllers/ServiceIndexController.cs

@@ -1,15 +1,19 @@
 using System;
 using System.Threading;
 using System.Threading.Tasks;
+using BaGetter.Authentication;
 using BaGetter.Core;
 using BaGetter.Protocol.Models;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace BaGetter.Web;
 
 /// <summary>
 /// The NuGet Service Index. This aids NuGet client to discover this server's services.
 /// </summary>
+
+[Authorize(AuthenticationSchemes = AuthenticationConstants.NugetBasicAuthenticationScheme, Policy = AuthenticationConstants.NugetUserPolicy)]
 public class ServiceIndexController : Controller
 {
     private readonly IServiceIndexService _serviceIndex;

src/BaGetter.Web/Controllers/SymbolController.cs

@@ -1,13 +1,16 @@
 using System;
 using System.Threading;
 using System.Threading.Tasks;
+using BaGetter.Authentication;
 using BaGetter.Core;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace BaGetter.Web;
 
+[Authorize(AuthenticationSchemes = AuthenticationConstants.NugetBasicAuthenticationScheme, Policy = AuthenticationConstants.NugetUserPolicy)]
 public class SymbolController : Controller
 {
     private readonly IAuthenticationService _authentication;

src/BaGetter/Authentication/NugetBasicAuthenticationHandler.cs

@@ -0,0 +1,91 @@
+using Azure.Core;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Text;
+using System.Threading.Tasks;
+using System;
+using BaGetter.Core;
+using System.Linq;
+
+namespace BaGetter.Web.Authentication;
+
+public class NugetBasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    private readonly IOptions<BaGetterOptions> bagetterOptions;
+
+    public NugetBasicAuthenticationHandler(
+        IOptionsMonitor<AuthenticationSchemeOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder,
+        IOptions<BaGetterOptions> bagetterOptions)
+        : base(options, logger, encoder)
+    {
+        this.bagetterOptions = bagetterOptions;
+    }
+
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        if (bagetterOptions.Value.Authentication is null || bagetterOptions.Value.Authentication.Length==0 || bagetterOptions.Value.Authentication.All(a=> string.IsNullOrWhiteSpace(a.Username) && string.IsNullOrWhiteSpace(a.Password)))
+        {
+            var claims = new[]
+            {
+                new Claim(ClaimTypes.Anonymous, string.Empty),
+            };
+            var identity = new ClaimsIdentity(claims, Scheme.Name);
+            var principal = new ClaimsPrincipal(identity);
+
+            var ticket = new AuthenticationTicket(principal, Scheme.Name);
+
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+        else
+        {
+            if (!Request.Headers.TryGetValue("Authorization", out var auth))
+                return Task.FromResult(AuthenticateResult.NoResult());
+
+            string username = null;
+            string password = null;
+            try
+            {
+                var authHeader = AuthenticationHeaderValue.Parse(auth);
+                var credentialBytes = Convert.FromBase64String(authHeader.Parameter);
+                var credentials = Encoding.UTF8.GetString(credentialBytes).Split([':'], 2);
+                username = credentials[0];
+                password = credentials[1];
+            }
+            catch
+            {
+                return Task.FromResult(AuthenticateResult.Fail("Invalid Authorization Header"));
+            }
+
+            if (!ValidateCredentials(username, password))
+                return Task.FromResult(AuthenticateResult.Fail("Invalid Username or Password"));
+
+            var claims = new[]
+            {
+                new Claim(ClaimTypes.Name, username),
+            };
+            var identity = new ClaimsIdentity(claims, Scheme.Name);
+            var principal = new ClaimsPrincipal(identity);
+
+            var ticket = new AuthenticationTicket(principal, Scheme.Name);
+
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+    }
+
+    protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
+    {
+        Response.Headers.WWWAuthenticate = "Basic realm=\"NuGet Server\"";
+        await base.HandleChallengeAsync(properties);
+    }
+
+    private bool ValidateCredentials(string username, string password)
+    {
+        return bagetterOptions.Value.Authentication.Any(a=> a.Username.Equals(username, StringComparison.OrdinalIgnoreCase) && a.Password == password);
+    }
+}

src/BaGetter/Startup.cs

@@ -1,7 +1,10 @@
 using System;
+using BaGetter.Authentication;
 using BaGetter.Core;
 using BaGetter.Core.Extensions;
 using BaGetter.Web;
+using BaGetter.Web.Authentication;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation;
@@ -27,6 +30,16 @@ public void ConfigureServices(IServiceCollection services)
         services.ConfigureOptions<ValidateBaGetterOptions>();
         services.ConfigureOptions<ConfigureBaGetterServer>();
 
+        services.AddAuthentication(AuthenticationConstants.NugetBasicAuthenticationScheme)
+            .AddScheme<AuthenticationSchemeOptions, NugetBasicAuthenticationHandler>(AuthenticationConstants.NugetBasicAuthenticationScheme, null);
+        services.AddAuthorization(options =>
+        {
+            options.AddPolicy(AuthenticationConstants.NugetUserPolicy, policy =>
+            {
+                policy.RequireAuthenticatedUser();
+            });
+        });
+
         services.AddBaGetterOptions<IISServerOptions>(nameof(IISServerOptions));
         services.AddBaGetterWebApplication(ConfigureBaGetterApplication);
 
@@ -81,9 +94,12 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
         app.UsePathBase(options.PathBase);
 
         app.UseStaticFiles();
-        app.UseRouting();
+        app.UseAuthentication(); 
+        app.UseRouting(); 
+        app.UseAuthorization();
 
         app.UseCors(ConfigureBaGetterServer.CorsPolicy);
+
         app.UseOperationCancelledMiddleware();
 
         app.UseEndpoints(endpoints =>

src/BaGetter/appsettings.json

@@ -52,11 +52,18 @@
   },
 
   "HealthCheck": {
-    "Path" : "/health"
+    "Path": "/health"
   },
 
   "Statistics": {
     "EnableStatisticsPage": true,
     "ListConfiguredServices": true
-  }
+  },
+
+  //"Authentication": [
+  //  {
+  //    "Username": "test",
+  //    "Password": "testPwd"
+  //  }
+  //]
 }