Add separate credentials for deployment

mikroskeem · Jun 17, 2019 · 64b873c · 64b873c
1 parent 2368db7
commit 64b873c
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 7 deletions.
diff --git a/config.go b/config.go
@@ -22,8 +22,13 @@ type repositoryInfo struct {
 
 	// Credentials are used for generic repository access authentication. If empty, then repository
 	// can be accessed freely by anyone
+	// Note that these credentials do not grant deployment access.
 	Credentials []string `toml:"credentials"`
 
 	// Deploy configures whether deployment to said repository is allowed or not
 	Deploy bool `toml:"deploy"`
+
+	// DeployCredentials are used to authenticate deployments.
+	// These credentials grant both access and deployment
+	DeployCredentials []string `toml:"deploy_credentials"`
 }
diff --git a/config.sample.toml b/config.sample.toml
@@ -9,6 +9,9 @@ repository_listing = true
     [repositories.internal]
     path = "/srv/maven/repository/internal"
     deploy = true
+    deploy_credentials = [
+        "baz:quux"
+    ]
     credentials = [
         "foo:bar"
     ]
diff --git a/server.go b/server.go
@@ -57,18 +57,35 @@ func repositoryHandler(name string, info repositoryInfo) (http.HandlerFunc, stri
 	fileServer := http.StripPrefix(repoRoute, http.FileServer(http.Dir(info.Path)))
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Do authentication if credentials are configured
-		if len(info.Credentials) > 0 {
-			username, password, credsSupplied := r.BasicAuth()
-			if !credsSupplied || !checkAuthentication(info.Credentials, username, password) {
-				w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="Repository %s is protected"`, name))
-				http.Error(w, "unauthorized", http.StatusUnauthorized)
-				return
+		username, password, credsSupplied := r.BasicAuth()
+
+		// Check user access
+		accessRequiresAuth := len(info.Credentials) > 0
+		deployRequiresAuth := len(info.DeployCredentials) > 0
+		canAccess := !accessRequiresAuth
+		canDeploy := !deployRequiresAuth
+
+		if deployRequiresAuth {
+			canDeploy = credsSupplied && checkAuthentication(info.DeployCredentials, username, password)
+			if canDeploy {
+				canAccess = true
+			}
+		}
+
+		if accessRequiresAuth && !canAccess {
+			canAccess = credsSupplied && checkAuthentication(info.Credentials, username, password)
+			if !canAccess {
+				canDeploy = false
 			}
 		}
 
 		// Simply serve artifacts
 		if r.Method == "GET" {
+			if !canAccess {
+				w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="Repository %s is protected"`, name))
+				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
 			fileServer.ServeHTTP(w, r)
 			return
 		}
@@ -81,6 +98,12 @@ func repositoryHandler(name string, info repositoryInfo) (http.HandlerFunc, stri
 				return
 			}
 
+			if !canDeploy {
+				w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Basic realm="Repository %s deployment is protected"`, name))
+				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
+
 			file, err := filepath.Rel(repoRoute, r.URL.Path)
 			if err != nil {
 				panic(err)