p2phttp combining unauth and auth options

p2phttp: Support serving unauthenticated users while requesting authentication for operations that need it. Eg, --unauth-readonly can be combined with --authenv. Drop locking currently needs authentication so it will prompt for that. That still needs to be addressed somehow.
2024-10-17 11:10:28 -04:00 · 2024-10-17 11:10:28 -04:00 · 0629219617
commit 0629219617
parent 4e59828f4c
5 changed files with 67 additions and 15 deletions
--- a/P2P/Http/State.hs
+++ b/P2P/Http/State.hs
@ -52,8 +52,14 @@ data P2PHttpServerState = P2PHttpServerState

 type AnnexWorkerPool = TMVar (WorkerPool (Annex.AnnexState, Annex.AnnexRead))

-- Nothing when the server is not allowed to serve any requests.
-type GetServerMode = IsSecure -> Maybe Auth -> Maybe P2P.ServerMode
+type GetServerMode = IsSecure -> Maybe Auth -> ServerMode
+
+data ServerMode
+	= ServerMode
+		{ serverMode :: P2P.ServerMode
+		, authenticationAllowed :: Bool
+		}
+	| CannotServeRequests

 mkP2PHttpServerState :: AcquireP2PConnection -> AnnexWorkerPool -> GetServerMode -> IO P2PHttpServerState
 mkP2PHttpServerState acquireconn annexworkerpool getservermode = P2PHttpServerState
@ -143,13 +149,23 @@ checkAuthActionClass
 	-> (P2P.ServerMode -> Handler a)
 	-> Handler a
 checkAuthActionClass st sec auth actionclass go =
-	case (getServerMode st sec auth, actionclass) of
-		(Just P2P.ServeReadWrite, _) -> go P2P.ServeReadWrite
-		(Just P2P.ServeAppendOnly, RemoveAction) -> throwError err403
-		(Just P2P.ServeAppendOnly, _) -> go P2P.ServeAppendOnly
-		(Just P2P.ServeReadOnly, ReadAction) -> go P2P.ServeReadOnly
-		(Just P2P.ServeReadOnly, _) -> throwError err403
-		(Nothing, _) -> throwError basicAuthRequired
+	case (sm, actionclass) of
+		(ServerMode { serverMode = P2P.ServeReadWrite }, _) ->
+			go P2P.ServeReadWrite
+		(ServerMode { serverMode = P2P.ServeAppendOnly }, RemoveAction) -> 
+			throwError $ forbiddenWithoutAuth sm
+		(ServerMode { serverMode = P2P.ServeAppendOnly }, _) ->
+			go P2P.ServeAppendOnly
+		(ServerMode { serverMode = P2P.ServeReadOnly }, ReadAction) ->
+			go P2P.ServeReadOnly
+		(ServerMode { serverMode = P2P.ServeReadOnly }, _) -> 
+			throwError $ forbiddenWithoutAuth sm
+		(CannotServeRequests, _) -> throwError basicAuthRequired
+  where
+	sm = getServerMode st sec auth
+
+forbiddenAction :: ServerError
+forbiddenAction = err403

 basicAuthRequired :: ServerError
 basicAuthRequired = err401 { errHeaders = [(h, v)] }
@ -157,6 +173,11 @@ basicAuthRequired = err401 { errHeaders = [(h, v)] }
 	h = "WWW-Authenticate"
 	v = "Basic realm=\"git-annex\", charset=\"UTF-8\""

+forbiddenWithoutAuth :: ServerMode -> ServerError
+forbiddenWithoutAuth sm
+	| authenticationAllowed sm = basicAuthRequired
+	| otherwise = forbiddenAction
+
 data ConnectionParams = ConnectionParams
 	{ connectionProtocolVersion :: P2P.ProtocolVersion
 	, connectionServerUUID :: UUID