Add Tier 0 Mirror Access support

Support generating an access token for access to our tier0 mirror and
other services which are behind a nginx using
ngx_http_auth_request_module for authentication. This works as
following, nginx requires authentication for a route which is protected
and redirects the request to archweb which handles the authentication.

Closes: #347

Author: jelly

devel/forms.py

@@ -36,7 +36,7 @@ def clean_pgp_key(self):
 
     class Meta:
         model = UserProfile
-        exclude = ('allowed_repos', 'user', 'latin_name')
+        exclude = ('allowed_repos', 'user', 'latin_name', 'repos_auth_token')
 
 
 class NewUserForm(forms.ModelForm):

devel/migrations/0007_auto_20210523_2038.py

@@ -53,6 +53,7 @@ class UserProfile(models.Model):
         max_length=255, null=True, blank=True, help_text="Latin-form name; used only for non-Latin full names")
     rebuilderd_updates = models.BooleanField(
         default=False, help_text='Receive reproducible build package updates')
+    repos_auth_token = models.CharField(max_length=32, null=True, blank=True)
     last_modified = models.DateTimeField(editable=False)
 
     class Meta:
@@ -179,8 +180,8 @@ def create_feed_model(sender, **kwargs):
                         website_rss=obj.website_rss)
 
 
-def delete_feed_model(sender, **kwargs):
-    '''When a user is set to inactive remove his feed model'''
+def delete_user_model(sender, **kwargs):
+    '''When a user is set to inactive remove his feed model and repository token'''
 
     obj = kwargs['instance']
 
@@ -194,11 +195,13 @@ def delete_feed_model(sender, **kwargs):
     if not userprofile:
         return
 
+    userprofile.repos_auth_token = ''
+
     Feed.objects.filter(website_rss=userprofile.website_rss).delete()
 
 
 pre_save.connect(create_feed_model, sender=UserProfile, dispatch_uid="devel.models")
 
-post_save.connect(delete_feed_model, sender=User, dispatch_uid='main.models')
+post_save.connect(delete_user_model, sender=User, dispatch_uid='main.models')
 
 # vim: set ts=4 sw=4 et:

devel/models.py

@@ -6,3 +6,9 @@
 @register.filter(name='in_group')
 def in_group(user, group_name):
     return user.groups.filter(name=group_name).exists()
+
+
+@register.filter(name='in_groups')
+def in_groups(user, group_names):
+    group_names = group_names.split(':')
+    return user.groups.filter(name__in=group_names).exists()

devel/templatetags/group.py

@@ -7,6 +7,8 @@
     url(r'^admin_log/$', views.admin_log),
     url(r'^admin_log/(?P<username>.*)/$', views.admin_log),
     url(r'^clock/$',    views.clock, name='devel-clocks'),
+    url(r'^tier0mirror/$',    views.tier0_mirror, name='tier0-mirror'),
+    url(r'^mirrorauth/$',    views.tier0_mirror_auth, name='tier0-mirror-atuh'),
     url(r'^$',          views.index, name='devel-index'),
     url(r'^stats/$',    views.stats, name='devel-stats'),
     url(r'^newuser/$',  views.new_user_form),

devel/urls.py

@@ -1,4 +1,5 @@
 import re
+import secrets
 
 from django.contrib.auth.models import User
 from django.core.exceptions import ObjectDoesNotExist, MultipleObjectsReturned
@@ -192,4 +193,8 @@ def clear_cache(self):
         self.email_cache = {}
         self.pgp_cache = {}
 
+
+def generate_repo_auth_token():
+    return secrets.token_hex(16)
+
 # vim: set ts=4 sw=4 et:

devel/utils.py

@@ -1,7 +1,9 @@
+import base64
 import operator
 import time
 from datetime import timedelta
 
+from django.conf import settings
 from django.contrib import admin
 from django.contrib.admin.models import ADDITION, LogEntry
 from django.contrib.auth.decorators import (login_required,
@@ -13,12 +15,12 @@
 from django.core.cache.utils import make_template_fragment_key
 from django.db import transaction
 from django.db.models import Count, Max
-from django.http import Http404, HttpResponseRedirect
+from django.http import Http404, HttpResponse, HttpResponseRedirect
 from django.shortcuts import get_object_or_404, render
 from django.utils.encoding import force_text
 from django.utils.http import http_date
 from django.utils.timezone import now
-from django.views.decorators.cache import never_cache
+from django.views.decorators.cache import cache_control, never_cache
 from main.models import Arch, Package, Repo
 from news.models import News
 from packages.models import FlagRequest, PackageRelation, Signoff
@@ -29,7 +31,7 @@
 from .forms import NewUserForm, ProfileForm, UserProfileForm
 from .models import UserProfile
 from .reports import available_reports
-from .utils import get_annotated_maintainers
+from .utils import get_annotated_maintainers, generate_repo_auth_token
 
 
 @login_required
@@ -159,6 +161,68 @@ def clock(request):
     return response
 
 
+@login_required
+def tier0_mirror(request):
+    username = request.user.username
+    profile, _ = UserProfile.objects.get_or_create(user=request.user)
+
+    if request.POST:
+        profile.repos_auth_token = generate_repo_auth_token()
+        profile.save()
+
+    token = profile.repos_auth_token
+    mirror_domain = getattr(settings, 'TIER0_MIRROR_DOMAIN', None)
+    mirror_url = ''
+
+    if mirror_domain and token:
+        mirror_url = f'https://{username}:{token}@{mirror_domain}/$repo/os/$arch'
+
+    page_dict = {
+        'mirror_url': mirror_url,
+    }
+    return render(request, 'devel/tier0_mirror.html', page_dict)
+
+
+@cache_control(max_age=300)
+def tier0_mirror_auth(request):
+    unauthorized = HttpResponse('Unauthorized', status=401)
+    unauthorized['WWW-Authenticate'] = 'Basic realm="Protected", charset="UTF-8"'
+
+    send_from_header = request.headers.get('X-Sent-From', '')
+
+    mirror_sent_from_secret = getattr(settings, 'TIER0_MIRROR_SECRET', None)
+    if mirror_sent_from_secret and send_from_header == mirror_sent_from_secret:
+        return unauthorized
+
+    auth_header = request.META.get('HTTP_AUTHORIZATION', '')
+    if not auth_header:
+        return unauthorized
+
+    parts = auth_header.split()
+    if len(parts) != 2:
+        return unauthorized
+
+    if parts[0].lower() != 'basic':
+        return unauthorized
+
+    credentials = base64.b64decode(parts[1]).decode().split(':')
+    if len(credentials) != 2:
+        return unauthorized
+
+    username = credentials[0]
+    token = credentials[1]
+
+    groups = Group.objects.filter(name__in=SELECTED_GROUPS)
+    user = User.objects.filter(username=username, is_active=True, groups__in=groups).select_related('userprofile').first()
+    if not user:
+        return unauthorized
+
+    if user and token == user.userprofile.repos_auth_token:
+        return HttpResponse('Authorized')
+    else:
+        return unauthorized
+
+
 @login_required
 @never_cache
 def change_profile(request):

devel/views.py

@@ -0,0 +1,58 @@
+# Mirror Access
+
+Archweb can be used as external authentication provider in combination with
+[ngx_http_auth_request_module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).
+A user with a Developer, Trusted User and Support Staff role can generate an
+access token used in combination with his username on the `/devel/tier0mirror`
+url. The mirror authentication is done against `/devel/mirrorauth` using HTTP
+Basic authentication.
+
+## Configuration
+
+There are two configuration options for this feature of which one is optional:
+
+* **TIER0_MIRROR_DOMAIN** - the mirror domain used to display the mirror url with authentication.
+* **TIER0_MIRROR_SECRET** - an optional secret send by nginx in the `X-Sent-From` header, all requests without this secret value are ignored. This can be used to not allow anyone to bruteforce guess the http basic auth pass/token.
+
+## nginx configuration
+
+Example configuration with optional caching of the authentication request to
+reduce hammering archweb when for example using this feature for a mirror. By
+default archweb caches `/devel/mirrorauth` for 5 minutes.
+
+```
+http {
+    proxy_cache_path  /var/lib/nginx/cache/auth_cache levels=1:2 keys_zone=auth_cache:5m;
+
+    server {
+        location /protected {
+                auth_request /devel/mirrorauth;
+
+                root   /usr/share/nginx/html;
+                index  index.html index.htm;
+        }
+
+        location = /devel/mirrorauth {
+            internal;
+
+            # Do not pass the request body, only http authorisation header is required
+            proxy_pass_request_body off;
+            proxy_set_header        Content-Length "";
+
+            # Proxy headers
+            proxy_set_header        Host                    $host;
+            proxy_set_header        X-Original-URL          $scheme://$http_host$request_uri;
+            proxy_set_header        X-Original-Method       $request_method;
+            proxy_set_header        X-Auth-Request-Redirect $request_uri;
+            proxy_set_header        X-Sent-From             "arch-nginx";
+
+            # Cache responses from the auth proxy
+            proxy_cache             auth_cache;
+            proxy_cache_key         "$scheme$proxy_host$request_uri$http_authorization";
+
+            # Authentication to archweb
+            proxy_pass https://archlinux.org;
+        }
+    }
+}
+```

docs/mirror_access.md

@@ -199,6 +199,10 @@
 # Rebuilderd API endpoint
 REBUILDERD_URL = 'https://reproducible.archlinux.org/api/v0/pkgs/list'
 
+# Protected TIER0 Mirror
+TIER0_MIRROR_DOMAIN = 'repos.archlinux.org'
+# TIER0_MIRROR_SECRET = ''
+
 # Import local settings
 try:
     from local_settings import * # noqa

settings.py

@@ -51,6 +51,9 @@
                     <li><a href="{% url 'admin:index' %}" title="Django Admin Interface">Django Admin</a></li>
                     {% endif %}
                     <li><a href="/devel/profile/" title="Modify your account profile">Profile</a></li>
+                    {% if user|in_groups:'Developers:Trusted Users:Support Staff' %}
+                    <li><a href="/devel/tier0mirror/" title="Your Tier 0 Mirror information">Tier0 mirror</a></li>
+                    {% endif %}
                     <li><a href="/logout/" title="Logout of the developer interface">Logout</a></li>
                 </ul>
             {% endif %}