added parameter to configure incoming connections backlog size

.gitea/workflows/build.yaml

@@ -0,0 +1,64 @@
+name: CI
+on:
+  push:
+    tags:
+      - '*'
+jobs:
+  build:
+    runs-on: hostinger
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v4
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v3
+      - name: Execute Gradle build
+        run: ./gradlew build
+      - name: Prepare Docker image build
+        run: ./gradlew prepareDockerBuild
+      - name: Get project version
+        id: retrieve-version
+        run: ./gradlew -q version >> "$GITHUB_OUTPUT"
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          driver: docker-container
+      - name: Login to Gitea container registry
+        uses: docker/login-action@v3
+        with:
+          registry: gitea.woggioni.net
+          username: woggioni
+          password: ${{ secrets.PUBLISHER_TOKEN }}
+      -
+        name: Build gbcs Docker image
+        uses: docker/build-push-action@v5.3.0
+        with:
+          context: "docker/build/docker"
+          platforms: linux/amd64,linux/arm64
+          push: true
+          pull: true
+          tags: |
+            gitea.woggioni.net/woggioni/gbcs:latest
+            gitea.woggioni.net/woggioni/gbcs:${{ steps.retrieve-version.outputs.VERSION }}
+          target: release
+          cache-from: type=registry,ref=gitea.woggioni.net/woggioni/gbcs:buildx
+      -
+        name: Build gbcs memcached Docker image
+        uses: docker/build-push-action@v5.3.0
+        with:
+          context: "docker/build/docker"
+          platforms: linux/amd64,linux/arm64
+          push: true
+          pull: true
+          tags: |
+            gitea.woggioni.net/woggioni/gbcs:memcached
+            gitea.woggioni.net/woggioni/gbcs:memcached-${{ steps.retrieve-version.outputs.VERSION }}
+          target: release-memcached
+          cache-from: type=registry,ref=gitea.woggioni.net/woggioni/gbcs:buildx
+          cache-to: type=registry,mode=max,compression=zstd,image-manifest=true,oci-mediatypes=true,ref=gitea.woggioni.net/woggioni/gbcs:buildx
+      - name: Publish artifacts
+        env:
+          PUBLISHER_TOKEN: ${{ secrets.PUBLISHER_TOKEN }}
+        run: ./gradlew publish
+

.gitignore

@@ -3,3 +3,5 @@
 
 # Ignore Gradle build output directory
 build
+
+gbcs-cli/native-image/*.json

build.gradle

@@ -1,105 +1,108 @@
 plugins {
-    id 'application'
+    alias catalog.plugins.kotlin.jvm apply false
-    alias catalog.plugins.kotlin.jvm
+    alias catalog.plugins.sambal
-    alias catalog.plugins.graalvm.native.image
+    alias catalog.plugins.lombok apply false
-    alias catalog.plugins.graalvm.jlink
-    alias catalog.plugins.envelope
-    id 'maven-publish'
 }
 
-import net.woggioni.gradle.envelope.EnvelopeJarTask
+
-import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 import org.jetbrains.kotlin.gradle.dsl.JvmTarget
+import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 
-group = 'net.woggioni'
+allprojects { subproject ->
+    group = 'net.woggioni'
 
-version = getProperty('gbcs.version')
+        if(project.currentTag.isPresent()) {
-
+            version = project.currentTag.map { it[0] }.get()
-application {
+        } else {
-    mainModule = 'net.woggioni.gbcs'
+            version = project.gitRevision.map { gitRevision ->
-    mainClass = 'net.woggioni.gbcs.GradleBuildCacheServer'
+                "${getProperty('gbcs.version')}.${gitRevision[0..10]}"
-//    mainClass = 'net.woggioni.gbcs.NettyPingServer'
+            }.get()
-}
-
-configureNativeImage {
-    mainClass = 'net.woggioni.gbcs.GraalNativeImageConfiguration'
-}
-
-repositories {
-    maven {
-        url = getProperty('gitea.maven.url')
-        content {
-            includeModule 'net.woggioni', 'jwo'
-            includeGroup 'com.lys'
         }
-    }
-    mavenCentral()
-}
 
-dependencies {
-    implementation catalog.jwo
-    implementation catalog.slf4j.api
-    implementation catalog.netty.codec.http
-
-//    runtimeOnly catalog.slf4j.jdk14
-    runtimeOnly catalog.logback.classic
-//    // https://mvnrepository.com/artifact/org.fusesource.jansi/jansi
-//    runtimeOnly group: 'org.fusesource.jansi', name: 'jansi', version: '2.4.1'
-
-
-    testImplementation catalog.junit.jupiter.api
-    testImplementation catalog.junit.jupiter.params
-    testRuntimeOnly catalog.junit.jupiter.engine
-}
-
-java {
-    withSourcesJar()
-    modularity.inferModulePath = true
-    toolchain {
-        languageVersion = JavaLanguageVersion.of(21)
-//        vendor = JvmVendorSpec.GRAAL_VM
-    }
-}
-
-test {
-    useJUnitPlatform()
-}
-
-tasks.named(JavaPlugin.COMPILE_JAVA_TASK_NAME, JavaCompile) {
-    options.compilerArgs << '--patch-module' << 'net.woggioni.gbcs=' + project.sourceSets.main.output.asPath
-}
-
-tasks.withType(JavaCompile) {
-    modularity.inferModulePath = true
-    options.release = 21
-}
-
-
-tasks.named("compileKotlin", KotlinCompile.class) {
-    compilerOptions.jvmTarget = JvmTarget.JVM_21
-}
-
-Provider<EnvelopeJarTask> envelopeJarTaskProvider = tasks.named('envelopeJar', EnvelopeJarTask.class) {
-//    systemProperties['java.util.logging.config.class'] = 'net.woggioni.gbcs.LoggingConfig'
-//    systemProperties['log.config.source'] = 'logging.properties'
-    systemProperties['logback.configurationFile'] = 'classpath:logback.xml'
-}
-
-
-def envelopeJarArtifact = artifacts.add('archives', envelopeJarTaskProvider.get().archiveFile.get().asFile) {
-    type = 'jar'
-    builtBy envelopeJarTaskProvider
-}
-
-publishing {
     repositories {
         maven {
-            url = 'https://mvn.woggioni.net/'
+            url = getProperty('gitea.maven.url')
+            content {
+                includeModule 'net.woggioni', 'jwo'
+                includeModule 'net.woggioni', 'xmemcached'
+                includeGroup 'com.lys'
+            }
+        }
+        mavenCentral()
+    }
+
+    pluginManager.withPlugin('java-library') {
+
+        ext {
+            jpmsModuleName = subproject.group + '.' + subproject.name.replace('-', '.')
+        }
+
+        java {
+            withSourcesJar()
+            modularity.inferModulePath = true
+            toolchain {
+                languageVersion = JavaLanguageVersion.of(21)
+                vendor = JvmVendorSpec.ORACLE
+            }
+        }
+
+        test {
+            useJUnitPlatform()
+        }
+
+        tasks.withType(JavaCompile) {
+            modularity.inferModulePath = true
+            options.release = 21
+        }
+
+        tasks.named(JavaPlugin.COMPILE_JAVA_TASK_NAME, JavaCompile) {
+            options.compilerArgumentProviders << new CommandLineArgumentProvider() {
+                @Override
+                Iterable<String> asArguments() {
+                    return ['--patch-module', subproject.jpmsModuleName + '=' + subproject.sourceSets.main.output.asPath]
+                }
+            }
+            options.javaModuleVersion = version
         }
     }
-    publications {
+
-        maven(MavenPublication) {
+    pluginManager.withPlugin(catalog.plugins.kotlin.jvm.get().pluginId) {
-            artifact envelopeJarArtifact
+        tasks.withType(KotlinCompile.class) {
+            compilerOptions.jvmTarget = JvmTarget.JVM_21
         }
     }
-}
+
+    pluginManager.withPlugin(catalog.plugins.lombok.get().pluginId) {
+        lombok {
+            version = catalog.versions.lombok
+        }
+    }
+
+    pluginManager.withPlugin('maven-publish') {
+
+        publishing {
+            repositories {
+                maven {
+                    name = "Gitea"
+                    url = uri(getProperty('gitea.maven.url'))
+
+                    credentials(HttpHeaderCredentials) {
+                        name = "Authorization"
+                        value = "token ${System.getenv()["PUBLISHER_TOKEN"]}"
+                    }
+
+                    authentication {
+                        header(HttpHeaderAuthentication)
+                    }
+                }
+            }
+        }
+    }
+}
+
+tasks.register('version') {
+    doLast {
+        println("VERSION=$version")
+    }
+}
+

docker/Dockerfile

@@ -0,0 +1,19 @@
+FROM eclipse-temurin:21-jre-alpine AS base-release
+RUN adduser -D luser
+USER luser
+WORKDIR /home/luser
+
+FROM base-release AS release
+ADD gbcs-cli-envelope-*.jar gbcs.jar
+ENTRYPOINT ["java", "-jar", "/home/luser/gbcs.jar", "server"]
+
+FROM base-release AS release-memcached
+ADD --chown=luser:luser gbcs-cli-envelope-*.jar gbcs.jar
+RUN mkdir plugins
+WORKDIR /home/luser/plugins
+RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/gbcs-server-memcached*.tar
+WORKDIR /home/luser
+ENTRYPOINT ["java", "-jar", "/home/luser/gbcs.jar", "server"]
+
+FROM release-memcached as compose
+COPY --chown=luser:luser conf/gbcs-memcached.xml /home/luser/.config/gbcs/gbcs.xml

docker/build.gradle

@@ -0,0 +1,67 @@
+plugins {
+    id 'base'
+    alias(catalog.plugins.gradle.docker)
+}
+
+import com.bmuschko.gradle.docker.tasks.image.DockerBuildImage
+import com.bmuschko.gradle.docker.tasks.image.DockerPushImage
+import com.bmuschko.gradle.docker.tasks.image.DockerTagImage
+
+
+configurations {
+    docker {
+        canBeResolved = true
+        transitive = false
+        visible = false
+        canBeConsumed = false
+    }
+}
+
+dependencies {
+    docker project(path: ':gbcs-cli', configuration: 'release')
+    docker project(path: ':gbcs-server-memcached', configuration: 'release')
+}
+
+Provider<Task> cleanTaskProvider = tasks.named(BasePlugin.CLEAN_TASK_NAME) {}
+
+Provider<Copy> prepareDockerBuild = tasks.register('prepareDockerBuild', Copy) {
+    dependsOn cleanTaskProvider
+    group = 'docker'
+    into project.layout.buildDirectory.file('docker')
+    from(configurations.docker)
+    from(file('Dockerfile'))
+}
+
+Provider<DockerBuildImage> dockerBuild = tasks.register('dockerBuildImage', DockerBuildImage) {
+    group = 'docker'
+    dependsOn prepareDockerBuild
+    images.add('gitea.woggioni.net/woggioni/gbcs:latest')
+    images.add("gitea.woggioni.net/woggioni/gbcs:${version}")
+}
+
+Provider<DockerTagImage> dockerTag = tasks.register('dockerTagImage', DockerTagImage) {
+    group = 'docker'
+    repository = 'gitea.woggioni.net/woggioni/gbcs'
+    imageId = 'gitea.woggioni.net/woggioni/gbcs:latest'
+    tag = version
+}
+
+Provider<DockerTagImage> dockerTagMemcached = tasks.register('dockerTagMemcachedImage', DockerTagImage) {
+    group = 'docker'
+    repository = 'gitea.woggioni.net/woggioni/gbcs'
+    imageId = 'gitea.woggioni.net/woggioni/gbcs:memcached'
+    tag = "${version}-memcached"
+}
+
+Provider<DockerPushImage> dockerPush = tasks.register('dockerPushImage', DockerPushImage) {
+    group = 'docker'
+    dependsOn dockerTag, dockerTagMemcached
+    registryCredentials {
+        url = getProperty('docker.registry.url')
+        username = 'woggioni'
+        password = System.getenv().get("PUBLISHER_TOKEN")
+    }
+    images = [dockerTag.flatMap{ it.tag }, dockerTagMemcached.flatMap{ it.tag }]
+}
+
+

gbcs-api/build.gradle

@@ -0,0 +1,16 @@
+plugins {
+    id 'java-library'
+    id 'maven-publish'
+    alias catalog.plugins.lombok
+}
+
+dependencies {
+}
+
+publishing {
+    publications {
+        maven(MavenPublication) {
+            from(components["java"])
+        }
+    }
+}

gbcs-api/src/main/java/module-info.java

@@ -0,0 +1,6 @@
+module net.woggioni.gbcs.api {
+    requires static lombok;
+    requires java.xml;
+    exports net.woggioni.gbcs.api;
+    exports net.woggioni.gbcs.api.exception;
+}

gbcs-api/src/main/java/net/woggioni/gbcs/api/Cache.java

@@ -0,0 +1,11 @@
+package net.woggioni.gbcs.api;
+
+import net.woggioni.gbcs.api.exception.ContentTooLargeException;
+
+import java.nio.channels.ReadableByteChannel;
+
+public interface Cache extends AutoCloseable {
+    ReadableByteChannel get(String key);
+
+    void put(String key, byte[] content) throws ContentTooLargeException;
+}

gbcs-api/src/main/java/net/woggioni/gbcs/api/CacheProvider.java

@@ -0,0 +1,17 @@
+package net.woggioni.gbcs.api;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+public interface CacheProvider<T extends Configuration.Cache> {
+
+    String getXmlSchemaLocation();
+
+    String getXmlNamespace();
+
+    String getXmlType();
+
+    T deserialize(Element parent);
+
+    Element serialize(Document doc, T cache);
+}

gbcs-api/src/main/java/net/woggioni/gbcs/api/Configuration.java

@@ -0,0 +1,130 @@
+package net.woggioni.gbcs.api;
+
+
+import lombok.EqualsAndHashCode;
+import lombok.Value;
+
+import java.nio.file.Path;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+@Value
+public class Configuration {
+    String host;
+    int port;
+    String serverPath;
+    Map<String, User> users;
+    Map<String, Group> groups;
+    Cache cache;
+    Authentication authentication;
+    Tls tls;
+    boolean useVirtualThread;
+    int maxRequestSize;
+    int incomingConnectionsBacklogSize;
+
+    @Value
+    public static class Group {
+        @EqualsAndHashCode.Include
+        String name;
+        Set<Role> roles;
+    }
+
+    @Value
+    public static class User {
+        @EqualsAndHashCode.Include
+        String name;
+        String password;
+        Set<Group> groups;
+
+
+        public Set<Role> getRoles() {
+            return groups.stream()
+                    .flatMap(group -> group.getRoles().stream())
+                    .collect(Collectors.toSet());
+        }
+    }
+
+    @FunctionalInterface
+    public interface UserExtractor {
+        User extract(X509Certificate cert);
+    }
+
+    @FunctionalInterface
+    public interface GroupExtractor {
+        Group extract(X509Certificate cert);
+    }
+
+    @Value
+    public static class Tls {
+        KeyStore keyStore;
+        TrustStore trustStore;
+        boolean verifyClients;
+    }
+
+    @Value
+    public static class KeyStore {
+        Path file;
+        String password;
+        String keyAlias;
+        String keyPassword;
+    }
+
+    @Value
+    public static class TrustStore {
+        Path file;
+        String password;
+        boolean checkCertificateStatus;
+    }
+
+    @Value
+    public static class TlsCertificateExtractor {
+        String rdnType;
+        String pattern;
+    }
+
+    public interface Authentication {}
+
+    public static class BasicAuthentication implements Authentication {}
+
+    @Value
+    public static class ClientCertificateAuthentication implements Authentication {
+        TlsCertificateExtractor userExtractor;
+        TlsCertificateExtractor groupExtractor;
+    }
+
+    public interface Cache {
+        net.woggioni.gbcs.api.Cache materialize();
+        String getNamespaceURI();
+        String getTypeName();
+    }
+
+    public static Configuration of(
+            String host,
+            int port,
+            String serverPath,
+            Map<String, User> users,
+            Map<String, Group> groups,
+            Cache cache,
+            Authentication authentication,
+            Tls tls,
+            boolean useVirtualThread,
+            int maxRequestSize,
+            int incomingConnectionsBacklogSize
+    ) {
+        return new Configuration(
+                host,
+                port,
+                serverPath != null && !serverPath.isEmpty() && !serverPath.equals("/") ? serverPath : null,
+                users,
+                groups,
+                cache,
+                authentication,
+                tls,
+                useVirtualThread,
+                maxRequestSize,
+                incomingConnectionsBacklogSize
+        );
+    }
+}

gbcs-api/src/main/java/net/woggioni/gbcs/api/Role.java

@@ -0,0 +1,5 @@
+package net.woggioni.gbcs.api;
+
+public enum Role {
+    Reader, Writer
+}

gbcs-api/src/main/java/net/woggioni/gbcs/api/exception/ConfigurationException.java

@@ -0,0 +1,11 @@
+package net.woggioni.gbcs.api.exception;
+
+public class ConfigurationException extends GbcsException {
+    public ConfigurationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public ConfigurationException(String message) {
+        this(message, null);
+    }
+}

gbcs-api/src/main/java/net/woggioni/gbcs/api/exception/ContentTooLargeException.java

@@ -0,0 +1,7 @@
+package net.woggioni.gbcs.api.exception;
+
+public class ContentTooLargeException extends GbcsException {
+    public ContentTooLargeException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

gbcs-api/src/main/java/net/woggioni/gbcs/api/exception/GbcsException.java

@@ -0,0 +1,7 @@
+package net.woggioni.gbcs.api.exception;
+
+public class GbcsException extends RuntimeException {
+    public GbcsException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

gbcs-cli/build.gradle

@@ -0,0 +1,88 @@
+plugins {
+    id 'java-library'
+    alias catalog.plugins.kotlin.jvm
+    alias catalog.plugins.envelope
+    alias catalog.plugins.sambal
+    alias catalog.plugins.graalvm.native.image
+    alias catalog.plugins.graalvm.jlink
+    alias catalog.plugins.jpms.check
+    id 'maven-publish'
+}
+
+import net.woggioni.gradle.envelope.EnvelopeJarTask
+import net.woggioni.gradle.graalvm.NativeImageConfigurationTask
+import net.woggioni.gradle.graalvm.NativeImagePlugin
+import net.woggioni.gradle.graalvm.NativeImageTask
+import net.woggioni.gradle.graalvm.JlinkPlugin
+import net.woggioni.gradle.graalvm.JlinkTask
+
+Property<String> mainClassName = objects.property(String.class)
+mainClassName.set('net.woggioni.gbcs.cli.GradleBuildCacheServerCli')
+
+tasks.named(JavaPlugin.COMPILE_JAVA_TASK_NAME, JavaCompile) {
+    options.javaModuleMainClass = mainClassName
+}
+
+configurations {
+    release {
+        transitive = false
+        canBeConsumed = true
+        canBeResolved = true
+        visible = true
+    }
+}
+
+envelopeJar {
+    mainModule = 'net.woggioni.gbcs.cli'
+    mainClass = mainClassName
+
+    extraClasspath = ["plugins"]
+}
+
+dependencies {
+    implementation catalog.jwo
+    implementation catalog.slf4j.api
+    implementation catalog.netty.codec.http
+    implementation catalog.picocli
+
+    implementation project(':gbcs-client')
+    implementation project(':gbcs-server')
+
+//    runtimeOnly catalog.slf4j.jdk14
+    runtimeOnly catalog.logback.classic
+}
+
+Provider<EnvelopeJarTask> envelopeJarTaskProvider = tasks.named('envelopeJar', EnvelopeJarTask.class) {
+//    systemProperties['java.util.logging.config.class'] = 'net.woggioni.gbcs.LoggingConfig'
+//    systemProperties['log.config.source'] = 'logging.properties'
+    systemProperties['logback.configurationFile'] = 'classpath:net/woggioni/gbcs/cli/logback.xml'
+}
+
+tasks.named(NativeImagePlugin.CONFIGURE_NATIVE_IMAGE_TASK_NAME, NativeImageConfigurationTask) {
+    mainClass = mainClassName
+}
+
+tasks.named(NativeImagePlugin.NATIVE_IMAGE_TASK_NAME, NativeImageTask) {
+    mainClass = mainClassName
+    useMusl = true
+    buildStaticImage = true
+}
+
+tasks.named(JlinkPlugin.JLINK_TASK_NAME, JlinkTask) {
+    mainClass = mainClassName
+    mainModule = 'net.woggioni.gbcs.cli'
+}
+
+artifacts {
+    release(envelopeJarTaskProvider)
+}
+
+publishing {
+    publications {
+        maven(MavenPublication) {
+            artifact envelopeJar
+        }
+    }
+}
+
+

gbcs-cli/native-image/native-image.properties

@@ -0,0 +1,2 @@
+Args=-H:Optimize=3 --gc=serial
+#-H:TraceClassInitialization=io.netty.handler.ssl.BouncyCastleAlpnSslUtils

gbcs-cli/src/main/java/module-info.java

@@ -0,0 +1,17 @@
+module net.woggioni.gbcs.cli {
+    requires org.slf4j;
+    requires net.woggioni.gbcs.server;
+    requires info.picocli;
+    requires net.woggioni.gbcs.common;
+    requires net.woggioni.gbcs.client;
+    requires kotlin.stdlib;
+    requires net.woggioni.jwo;
+    requires net.woggioni.gbcs.api;
+
+    exports net.woggioni.gbcs.cli.impl.converters to info.picocli;
+    opens net.woggioni.gbcs.cli.impl.commands to info.picocli;
+    opens net.woggioni.gbcs.cli.impl to info.picocli;
+    opens net.woggioni.gbcs.cli to info.picocli, net.woggioni.gbcs.common;
+
+    exports net.woggioni.gbcs.cli;
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/GradleBuildCacheServerCli.kt

@@ -0,0 +1,63 @@
+package net.woggioni.gbcs.cli
+
+import net.woggioni.gbcs.common.GbcsUrlStreamHandlerFactory
+import net.woggioni.gbcs.common.contextLogger
+import net.woggioni.gbcs.cli.impl.AbstractVersionProvider
+import net.woggioni.gbcs.cli.impl.GbcsCommand
+import net.woggioni.gbcs.cli.impl.commands.BenchmarkCommand
+import net.woggioni.gbcs.cli.impl.commands.ClientCommand
+import net.woggioni.gbcs.cli.impl.commands.GetCommand
+import net.woggioni.gbcs.cli.impl.commands.PasswordHashCommand
+import net.woggioni.gbcs.cli.impl.commands.PutCommand
+import net.woggioni.gbcs.cli.impl.commands.ServerCommand
+import net.woggioni.jwo.Application
+import picocli.CommandLine
+import picocli.CommandLine.Model.CommandSpec
+
+
+@CommandLine.Command(
+    name = "gbcs", versionProvider = GradleBuildCacheServerCli.VersionProvider::class
+)
+class GradleBuildCacheServerCli : GbcsCommand() {
+
+    class VersionProvider : AbstractVersionProvider()
+    companion object {
+        @JvmStatic
+        fun main(vararg args: String) {
+            Thread.currentThread().contextClassLoader = GradleBuildCacheServerCli::class.java.classLoader
+            GbcsUrlStreamHandlerFactory.install()
+            val log = contextLogger()
+            val app = Application.builder("gbcs")
+                .configurationDirectoryEnvVar("GBCS_CONFIGURATION_DIR")
+                .configurationDirectoryPropertyKey("net.woggioni.gbcs.conf.dir")
+                .build()
+            val gbcsCli = GradleBuildCacheServerCli()
+            val commandLine = CommandLine(gbcsCli)
+            commandLine.setExecutionExceptionHandler { ex, cl, parseResult ->
+                log.error(ex.message, ex)
+                CommandLine.ExitCode.SOFTWARE
+            }
+            commandLine.addSubcommand(ServerCommand(app))
+            commandLine.addSubcommand(PasswordHashCommand())
+            commandLine.addSubcommand(
+                CommandLine(ClientCommand(app)).apply {
+                    addSubcommand(BenchmarkCommand())
+                    addSubcommand(PutCommand())
+                    addSubcommand(GetCommand())
+                })
+            System.exit(commandLine.execute(*args))
+        }
+    }
+
+    @CommandLine.Option(names = ["-V", "--version"], versionHelp = true)
+    var versionHelp = false
+        private set
+
+    @CommandLine.Spec
+    private lateinit var spec: CommandSpec
+
+
+    override fun run() {
+        spec.commandLine().usage(System.out);
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/AbstractVersionProvider.kt

@@ -0,0 +1,30 @@
+package net.woggioni.gbcs.cli.impl
+
+import picocli.CommandLine
+import java.util.jar.Attributes
+import java.util.jar.JarFile
+import java.util.jar.Manifest
+
+
+abstract class AbstractVersionProvider : CommandLine.IVersionProvider {
+    private val version: String
+    private val vcsHash: String
+
+    init {
+        val mf = Manifest()
+        javaClass.module.getResourceAsStream(JarFile.MANIFEST_NAME).use { `is` ->
+            mf.read(`is`)
+        }
+        val mainAttributes = mf.mainAttributes
+        version = mainAttributes.getValue(Attributes.Name.SPECIFICATION_VERSION) ?: throw RuntimeException("Version information not found in manifest")
+        vcsHash = mainAttributes.getValue(Attributes.Name.IMPLEMENTATION_VERSION) ?: throw RuntimeException("Version information not found in manifest")
+    }
+
+    override fun getVersion(): Array<String?> {
+        return if (version.endsWith("-SNAPSHOT")) {
+            arrayOf(version, vcsHash)
+        } else {
+            arrayOf(version)
+        }
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/GbcsCommand.kt

@@ -0,0 +1,19 @@
+package net.woggioni.gbcs.cli.impl
+
+import net.woggioni.jwo.Application
+import picocli.CommandLine
+import java.nio.file.Path
+
+
+abstract class GbcsCommand : Runnable {
+
+    @CommandLine.Option(names = ["-h", "--help"], usageHelp = true)
+    var usageHelp = false
+        private set
+
+    protected fun findConfigurationFile(app: Application, fileName : String): Path {
+        val confDir = app.computeConfigurationDirectory()
+        val configurationFile = confDir.resolve(fileName)
+        return configurationFile
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/commands/BenchmarkCommand.kt

@@ -0,0 +1,132 @@
+package net.woggioni.gbcs.cli.impl.commands
+
+import net.woggioni.gbcs.common.contextLogger
+import net.woggioni.gbcs.common.error
+import net.woggioni.gbcs.common.info
+import net.woggioni.gbcs.cli.impl.GbcsCommand
+import net.woggioni.gbcs.client.GbcsClient
+import picocli.CommandLine
+import java.security.SecureRandom
+import java.time.Duration
+import java.time.Instant
+import java.util.Base64
+import java.util.concurrent.ExecutionException
+import java.util.concurrent.Future
+import java.util.concurrent.LinkedBlockingQueue
+import java.util.concurrent.atomic.AtomicLong
+import kotlin.random.Random
+
+@CommandLine.Command(
+    name = "benchmark",
+    description = ["Run a load test against the server"],
+    showDefaultValues = true
+)
+class BenchmarkCommand : GbcsCommand() {
+    private val log = contextLogger()
+
+    @CommandLine.Spec
+    private lateinit var spec: CommandLine.Model.CommandSpec
+
+    @CommandLine.Option(
+        names = ["-e", "--entries"],
+        description = ["Total number of elements to be added to the cache"],
+        paramLabel = "NUMBER_OF_ENTRIES"
+    )
+    private var numberOfEntries = 1000
+
+    override fun run() {
+        val clientCommand = spec.parent().userObject() as ClientCommand
+        val profile = clientCommand.profileName.let { profileName ->
+            clientCommand.configuration.profiles[profileName]
+                ?: throw IllegalArgumentException("Profile $profileName does not exist in configuration")
+        }
+        val client = GbcsClient(profile)
+
+        val entryGenerator = sequence {
+            val random = Random(SecureRandom.getInstance("NativePRNGNonBlocking").nextLong())
+            while (true) {
+                val key = Base64.getUrlEncoder().encode(random.nextBytes(16)).toString(Charsets.UTF_8)
+                val value = random.nextBytes(0x1000)
+                yield(key to value)
+            }
+        }
+
+        val entries = let {
+            val completionQueue = LinkedBlockingQueue<Future<Pair<String, ByteArray>>>(numberOfEntries)
+            val start = Instant.now()
+            val totalElapsedTime = AtomicLong(0)
+            entryGenerator.take(numberOfEntries).forEach { entry ->
+                val requestStart = System.nanoTime()
+                val future = client.put(entry.first, entry.second).thenApply { entry }
+                future.whenComplete { _, _ ->
+                    totalElapsedTime.addAndGet((System.nanoTime() - requestStart))
+                    completionQueue.put(future)
+                }
+            }
+
+            val inserted = sequence<Pair<String, ByteArray>> {
+                var completionCounter = 0
+                while (completionCounter < numberOfEntries) {
+                    val future = completionQueue.take()
+                    try {
+                        yield(future.get())
+                    } catch (ee: ExecutionException) {
+                        val cause = ee.cause ?: ee
+                        log.error(cause.message, cause)
+                    }
+                    completionCounter += 1
+                }
+            }.toList()
+            val end = Instant.now()
+            log.info {
+                val elapsed = Duration.between(start, end).toMillis()
+                "Insertion rate: ${numberOfEntries.toDouble() / elapsed * 1000} ops/s"
+            }
+            log.info {
+                "Average time per insertion: ${totalElapsedTime.get() / numberOfEntries.toDouble() * 1000} ms"
+            }
+            inserted
+        }
+        log.info {
+            "Inserted ${entries.size} entries"
+        }
+        if (entries.isNotEmpty()) {
+            val completionQueue = LinkedBlockingQueue<Future<Unit>>(entries.size)
+            val start = Instant.now()
+            val totalElapsedTime = AtomicLong(0)
+            entries.forEach { entry ->
+                val requestStart = System.nanoTime()
+                val future = client.get(entry.first).thenApply {
+                    totalElapsedTime.addAndGet((System.nanoTime() - requestStart))
+                    if (it == null) {
+                        log.error {
+                            "Missing entry for key '${entry.first}'"
+                        }
+                    } else if (!entry.second.contentEquals(it)) {
+                        log.error {
+                            "Retrieved a value different from what was inserted for key '${entry.first}'"
+                        }
+                    }
+                }
+                future.whenComplete { _, _ ->
+                    completionQueue.put(future)
+                }
+            }
+            var completionCounter = 0
+            while (completionCounter < entries.size) {
+                completionQueue.take()
+                completionCounter += 1
+            }
+            val end = Instant.now()
+            log.info {
+                val elapsed = Duration.between(start, end).toMillis()
+                "Retrieval rate: ${entries.size.toDouble() / elapsed * 1000} ops/s"
+            }
+            log.info {
+                "Average time per retrieval: ${totalElapsedTime.get() / numberOfEntries.toDouble() * 1e6} ms"
+            }
+        } else {
+            log.error("Skipping retrieval benchmark as it was not possible to insert any entry in the cache")
+        }
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/commands/ClientCommand.kt

@@ -0,0 +1,41 @@
+package net.woggioni.gbcs.cli.impl.commands
+
+import net.woggioni.gbcs.cli.impl.GbcsCommand
+import net.woggioni.gbcs.client.GbcsClient
+import net.woggioni.jwo.Application
+import picocli.CommandLine
+import java.nio.file.Path
+
+@CommandLine.Command(
+    name = "client",
+    description = ["GBCS client"],
+    showDefaultValues = true
+)
+class ClientCommand(app : Application) : GbcsCommand() {
+
+    @CommandLine.Option(
+        names = ["-c", "--configuration"],
+        description = ["Path to the client configuration file"],
+        paramLabel = "CONFIGURATION_FILE"
+    )
+    private var configurationFile : Path = findConfigurationFile(app, "gbcs-client.xml")
+
+    @CommandLine.Option(
+        names = ["-p", "--profile"],
+        description = ["Name of the client profile to be used"],
+        paramLabel = "PROFILE",
+        required = true
+    )
+    var profileName : String? = null
+
+    val configuration : GbcsClient.Configuration by lazy {
+        GbcsClient.Configuration.parse(configurationFile)
+    }
+
+    override fun run() {
+        println("Available profiles:")
+        configuration.profiles.forEach { (profileName, _) ->
+            println(profileName)
+        }
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/commands/GetCommand.kt

@@ -0,0 +1,51 @@
+package net.woggioni.gbcs.cli.impl.commands
+
+import net.woggioni.gbcs.common.contextLogger
+import net.woggioni.gbcs.cli.impl.GbcsCommand
+import net.woggioni.gbcs.client.GbcsClient
+import picocli.CommandLine
+import java.nio.file.Files
+import java.nio.file.Path
+
+@CommandLine.Command(
+    name = "get",
+    description = ["Fetch a value from the cache with the specified key"],
+    showDefaultValues = true
+)
+class GetCommand : GbcsCommand() {
+    private val log = contextLogger()
+
+    @CommandLine.Spec
+    private lateinit var spec: CommandLine.Model.CommandSpec
+
+    @CommandLine.Option(
+        names = ["-k", "--key"],
+        description = ["The key for the new value"],
+        paramLabel = "KEY"
+    )
+    private var key : String = ""
+
+    @CommandLine.Option(
+        names = ["-v", "--value"],
+        description = ["Path to a file where the retrieved value will be written (defaults to stdout)"],
+        paramLabel = "VALUE_FILE",
+    )
+    private var output : Path? = null
+
+    override fun run() {
+        val clientCommand = spec.parent().userObject() as ClientCommand
+        val profile = clientCommand.profileName.let { profileName ->
+            clientCommand.configuration.profiles[profileName]
+                ?: throw IllegalArgumentException("Profile $profileName does not exist in configuration")
+        }
+        GbcsClient(profile).use { client ->
+            client.get(key).thenApply { value ->
+                value?.let {
+                    (output?.let(Files::newOutputStream) ?: System.out).use {
+                        it.write(value)
+                    }
+                } ?: throw NoSuchElementException("No value found for key $key")
+            }.get()
+        }
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/commands/PasswordHashCommand.kt

@@ -0,0 +1,37 @@
+package net.woggioni.gbcs.cli.impl.commands
+
+import net.woggioni.gbcs.common.PasswordSecurity.hashPassword
+import net.woggioni.gbcs.cli.impl.GbcsCommand
+import net.woggioni.gbcs.cli.impl.converters.OutputStreamConverter
+import net.woggioni.jwo.UncloseableOutputStream
+import picocli.CommandLine
+import java.io.OutputStream
+import java.io.OutputStreamWriter
+import java.io.PrintWriter
+
+
+@CommandLine.Command(
+    name = "password",
+    description = ["Generate a password hash to add to GBCS configuration file"],
+    showDefaultValues = true
+)
+class PasswordHashCommand : GbcsCommand() {
+    @CommandLine.Option(
+        names = ["-o", "--output-file"],
+        description = ["Write the output to a file instead of stdout"],
+        converter = [OutputStreamConverter::class],
+        showDefaultValue = CommandLine.Help.Visibility.NEVER,
+        paramLabel = "OUTPUT_FILE"
+    )
+    private var outputStream: OutputStream = UncloseableOutputStream(System.out)
+
+    override fun run() {
+        val password1 = String(System.console().readPassword("Type your password:"))
+        val password2 = String(System.console().readPassword("Type your password again for confirmation:"))
+        if(password1 != password2) throw IllegalArgumentException("Passwords do not match")
+
+        PrintWriter(OutputStreamWriter(outputStream, Charsets.UTF_8)).use {
+            it.println(hashPassword(password1))
+        }
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/commands/PutCommand.kt

@@ -0,0 +1,48 @@
+package net.woggioni.gbcs.cli.impl.commands
+
+import net.woggioni.gbcs.common.contextLogger
+import net.woggioni.gbcs.cli.impl.GbcsCommand
+import net.woggioni.gbcs.cli.impl.converters.InputStreamConverter
+import net.woggioni.gbcs.client.GbcsClient
+import picocli.CommandLine
+import java.io.InputStream
+
+@CommandLine.Command(
+    name = "put",
+    description = ["Add or replace a value to the cache with the specified key"],
+    showDefaultValues = true
+)
+class PutCommand : GbcsCommand() {
+    private val log = contextLogger()
+
+    @CommandLine.Spec
+    private lateinit var spec: CommandLine.Model.CommandSpec
+
+    @CommandLine.Option(
+        names = ["-k", "--key"],
+        description = ["The key for the new value"],
+        paramLabel = "KEY"
+    )
+    private var key : String = ""
+
+    @CommandLine.Option(
+        names = ["-v", "--value"],
+        description = ["Path to a file containing the value to be added (defaults to stdin)"],
+        paramLabel = "VALUE_FILE",
+        converter = [InputStreamConverter::class]
+    )
+    private var value : InputStream = System.`in`
+
+    override fun run() {
+        val clientCommand = spec.parent().userObject() as ClientCommand
+        val profile = clientCommand.profileName.let { profileName ->
+            clientCommand.configuration.profiles[profileName]
+                ?: throw IllegalArgumentException("Profile $profileName does not exist in configuration")
+        }
+        GbcsClient(profile).use { client ->
+            value.use {
+                client.put(key, it.readAllBytes())
+            }.get()
+        }
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/commands/ServerCommand.kt

@@ -0,0 +1,67 @@
+package net.woggioni.gbcs.cli.impl.commands
+
+import net.woggioni.gbcs.server.GradleBuildCacheServer
+import net.woggioni.gbcs.server.GradleBuildCacheServer.Companion.DEFAULT_CONFIGURATION_URL
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.common.contextLogger
+import net.woggioni.gbcs.common.debug
+import net.woggioni.gbcs.common.info
+import net.woggioni.gbcs.cli.impl.GbcsCommand
+import net.woggioni.jwo.Application
+import net.woggioni.jwo.JWO
+import picocli.CommandLine
+import java.io.ByteArrayOutputStream
+import java.nio.file.Files
+import java.nio.file.Path
+
+@CommandLine.Command(
+    name = "server",
+    description = ["GBCS server"],
+    showDefaultValues = true
+)
+class ServerCommand(app : Application) : GbcsCommand() {
+
+    private val log = contextLogger()
+
+    private fun createDefaultConfigurationFile(configurationFile: Path) {
+        log.info {
+            "Creating default configuration file at '$configurationFile'"
+        }
+        val defaultConfigurationFileResource = DEFAULT_CONFIGURATION_URL
+        Files.newOutputStream(configurationFile).use { outputStream ->
+            defaultConfigurationFileResource.openStream().use { inputStream ->
+                JWO.copy(inputStream, outputStream)
+            }
+        }
+    }
+
+    @CommandLine.Option(
+        names = ["-c", "--config-file"],
+        description = ["Read the application configuration from this file"],
+        paramLabel = "CONFIG_FILE"
+    )
+    private var configurationFile: Path = findConfigurationFile(app, "gbcs-server.xml")
+
+    val configuration : Configuration by lazy {
+        GradleBuildCacheServer.loadConfiguration(configurationFile)
+    }
+
+    override fun run() {
+        if (!Files.exists(configurationFile)) {
+            Files.createDirectories(configurationFile.parent)
+            createDefaultConfigurationFile(configurationFile)
+        }
+
+        val configuration = GradleBuildCacheServer.loadConfiguration(configurationFile)
+        log.debug {
+            ByteArrayOutputStream().also {
+                GradleBuildCacheServer.dumpConfiguration(configuration, it)
+            }.let {
+                "Server configuration:\n${String(it.toByteArray())}"
+            }
+        }
+        val server = GradleBuildCacheServer(configuration)
+        server.run().use {
+        }
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/converters/InputStreamConverter.kt

@@ -0,0 +1,13 @@
+package net.woggioni.gbcs.cli.impl.converters
+
+import picocli.CommandLine
+import java.io.InputStream
+import java.nio.file.Files
+import java.nio.file.Paths
+
+
+class InputStreamConverter : CommandLine.ITypeConverter<InputStream> {
+    override fun convert(value: String): InputStream {
+        return Files.newInputStream(Paths.get(value))
+    }
+}

gbcs-cli/src/main/kotlin/net/woggioni/gbcs/cli/impl/converters/OutputStreamConverter.kt

@@ -0,0 +1,13 @@
+package net.woggioni.gbcs.cli.impl.converters
+
+import picocli.CommandLine
+import java.io.OutputStream
+import java.nio.file.Files
+import java.nio.file.Paths
+
+
+class OutputStreamConverter : CommandLine.ITypeConverter<OutputStream> {
+    override fun convert(value: String): OutputStream {
+        return Files.newOutputStream(Paths.get(value))
+    }
+}

gbcs-cli/src/main/resources/net/woggioni/gbcs/cli/logback.xml

@@ -6,13 +6,15 @@
     <import class="ch.qos.logback.core.ConsoleAppender"/>
 
     <appender name="console" class="ConsoleAppender">
-        <target>System.out</target>
+        <target>System.err</target>
         <encoder class="PatternLayoutEncoder">
             <pattern>%d [%highlight(%-5level)] \(%thread\) %logger{36} -%kvp- %msg %n</pattern>
         </encoder>
     </appender>
 
-    <root level="debug">
+    <root level="info">
         <appender-ref ref="console"/>
     </root>
+    <logger name="com.google.code.yanf4j" level="warn"/>
+    <logger name="net.rubyeye.xmemcached" level="warn"/>
 </configuration>

gbcs-client/build.gradle

@@ -0,0 +1,15 @@
+plugins {
+    id 'java-library'
+    alias catalog.plugins.kotlin.jvm
+}
+
+dependencies {
+    implementation project(':gbcs-api')
+    implementation project(':gbcs-common')
+    implementation catalog.picocli
+    implementation catalog.slf4j.api
+    implementation catalog.netty.buffer
+    implementation catalog.netty.codec.http
+}
+
+

gbcs-client/src/main/java/module-info.java

@@ -0,0 +1,17 @@
+module net.woggioni.gbcs.client {
+    requires io.netty.handler;
+    requires io.netty.codec.http;
+    requires io.netty.transport;
+    requires kotlin.stdlib;
+    requires io.netty.common;
+    requires io.netty.buffer;
+    requires java.xml;
+    requires net.woggioni.gbcs.common;
+    requires net.woggioni.gbcs.api;
+    requires io.netty.codec;
+    requires org.slf4j;
+
+    exports net.woggioni.gbcs.client;
+
+    opens net.woggioni.gbcs.client.schema;
+}

gbcs-client/src/main/kotlin/net/woggioni/gbcs/client/Client.kt

@@ -0,0 +1,253 @@
+package net.woggioni.gbcs.client
+
+import io.netty.bootstrap.Bootstrap
+import io.netty.buffer.ByteBuf
+import io.netty.buffer.Unpooled
+import io.netty.channel.Channel
+import io.netty.channel.ChannelHandlerContext
+import io.netty.channel.ChannelOption
+import io.netty.channel.ChannelPipeline
+import io.netty.channel.SimpleChannelInboundHandler
+import io.netty.channel.nio.NioEventLoopGroup
+import io.netty.channel.pool.AbstractChannelPoolHandler
+import io.netty.channel.pool.ChannelPool
+import io.netty.channel.pool.FixedChannelPool
+import io.netty.channel.socket.nio.NioSocketChannel
+import io.netty.handler.codec.DecoderException
+import io.netty.handler.codec.http.DefaultFullHttpRequest
+import io.netty.handler.codec.http.FullHttpRequest
+import io.netty.handler.codec.http.FullHttpResponse
+import io.netty.handler.codec.http.HttpClientCodec
+import io.netty.handler.codec.http.HttpContentDecompressor
+import io.netty.handler.codec.http.HttpHeaderNames
+import io.netty.handler.codec.http.HttpHeaderValues
+import io.netty.handler.codec.http.HttpMethod
+import io.netty.handler.codec.http.HttpObjectAggregator
+import io.netty.handler.codec.http.HttpResponseStatus
+import io.netty.handler.codec.http.HttpVersion
+import io.netty.handler.ssl.SslContext
+import io.netty.handler.ssl.SslContextBuilder
+import io.netty.handler.stream.ChunkedWriteHandler
+import io.netty.util.concurrent.Future
+import io.netty.util.concurrent.GenericFutureListener
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.common.contextLogger
+import net.woggioni.gbcs.common.debug
+import net.woggioni.gbcs.client.impl.Parser
+import java.net.InetSocketAddress
+import java.net.URI
+import java.nio.file.Files
+import java.nio.file.Path
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import java.util.Base64
+import java.util.concurrent.CompletableFuture
+import java.util.concurrent.atomic.AtomicInteger
+import io.netty.util.concurrent.Future as NettyFuture
+
+
+class GbcsClient(private val profile: Configuration.Profile) : AutoCloseable {
+    private val group: NioEventLoopGroup
+    private var sslContext: SslContext
+    private val log = contextLogger()
+    private val pool: ChannelPool
+
+    data class Configuration(
+        val profiles: Map<String, Profile>
+    ) {
+        sealed class Authentication {
+            data class TlsClientAuthenticationCredentials(
+                val key: PrivateKey,
+                val certificateChain: Array<X509Certificate>
+            ) : Authentication()
+
+            data class BasicAuthenticationCredentials(val username: String, val password: String) : Authentication()
+        }
+
+        data class Profile(
+            val serverURI: URI,
+            val authentication: Authentication?,
+            val maxConnections : Int
+        )
+
+        companion object {
+            fun parse(path: Path): Configuration {
+                return Files.newInputStream(path).use {
+                    Xml.parseXml(path.toUri().toURL(), it)
+                }.let(Parser::parse)
+            }
+        }
+    }
+
+    init {
+        group = NioEventLoopGroup()
+        sslContext = SslContextBuilder.forClient().also { builder ->
+            (profile.authentication as? Configuration.Authentication.TlsClientAuthenticationCredentials)?.let { tlsClientAuthenticationCredentials ->
+                builder.keyManager(
+                    tlsClientAuthenticationCredentials.key,
+                    *tlsClientAuthenticationCredentials.certificateChain
+                )
+            }
+        }.build()
+
+        val (scheme, host, port) = profile.serverURI.run {
+            Triple(
+                if (scheme == null) "http" else profile.serverURI.scheme,
+                host,
+                port.takeIf { it > 0 } ?: if ("https" == scheme.lowercase()) 443 else 80
+            )
+        }
+
+        val bootstrap = Bootstrap().apply {
+            group(group)
+            channel(NioSocketChannel::class.java)
+            option(ChannelOption.TCP_NODELAY, true)
+            option(ChannelOption.SO_KEEPALIVE, true)
+            remoteAddress(InetSocketAddress(host, port))
+        }
+        val channelPoolHandler = object : AbstractChannelPoolHandler() {
+
+            @Volatile
+            private var connectionCount = AtomicInteger()
+
+            @Volatile
+            private var leaseCount = AtomicInteger()
+
+            override fun channelReleased(ch: Channel) {
+                log.debug {
+                    "Released lease ${leaseCount.decrementAndGet()}"
+                }
+            }
+
+            override fun channelAcquired(ch: Channel?) {
+                log.debug {
+                    "Acquired lease ${leaseCount.getAndIncrement()}"
+                }
+            }
+
+            override fun channelCreated(ch: Channel) {
+                log.debug {
+                    "Created connection ${connectionCount.getAndIncrement()}"
+                }
+                val pipeline: ChannelPipeline = ch.pipeline()
+
+                // Add SSL handler if needed
+                if ("https".equals(scheme, ignoreCase = true)) {
+                    pipeline.addLast("ssl", sslContext.newHandler(ch.alloc(), host, port))
+                }
+
+                // HTTP handlers
+                pipeline.addLast("codec", HttpClientCodec())
+                pipeline.addLast("decompressor", HttpContentDecompressor())
+                pipeline.addLast("aggregator", HttpObjectAggregator(1048576))
+                pipeline.addLast("chunked", ChunkedWriteHandler())
+            }
+        }
+        pool = FixedChannelPool(bootstrap, channelPoolHandler, profile.maxConnections)
+    }
+
+    fun get(key: String): CompletableFuture<ByteArray?> {
+        return sendRequest(profile.serverURI.resolve(key), HttpMethod.GET, null)
+            .thenApply {
+                val status = it.status()
+                if (it.status() == HttpResponseStatus.NOT_FOUND) {
+                    null
+                } else if (it.status() != HttpResponseStatus.OK) {
+                    throw HttpException(status)
+                } else {
+                    it.content()
+                }
+            }.thenApply { maybeByteBuf ->
+                maybeByteBuf?.let {
+                    val result = ByteArray(it.readableBytes())
+                    it.getBytes(0, result)
+                    result
+                }
+            }
+    }
+
+    fun put(key: String, content: ByteArray): CompletableFuture<Unit> {
+        return sendRequest(profile.serverURI.resolve(key), HttpMethod.PUT, content).thenApply {
+            val status = it.status()
+            if (it.status() != HttpResponseStatus.CREATED) {
+                throw HttpException(status)
+            }
+        }
+    }
+
+    private fun sendRequest(uri: URI, method: HttpMethod, body: ByteArray?): CompletableFuture<FullHttpResponse> {
+        val responseFuture = CompletableFuture<FullHttpResponse>()
+        // Custom handler for processing responses
+        pool.acquire().addListener(object : GenericFutureListener<NettyFuture<Channel>> {
+            override fun operationComplete(channelFuture: Future<Channel>) {
+                if (channelFuture.isSuccess) {
+                    val channel = channelFuture.now
+                    val pipeline = channel.pipeline()
+                    channel.pipeline().addLast("handler", object : SimpleChannelInboundHandler<FullHttpResponse>() {
+                        override fun channelRead0(
+                            ctx: ChannelHandlerContext,
+                            response: FullHttpResponse
+                        ) {
+                            responseFuture.complete(response)
+                            pipeline.removeLast()
+                            pool.release(channel)
+                        }
+
+                        override fun exceptionCaught(ctx: ChannelHandlerContext, cause: Throwable) {
+                            val ex = when (cause) {
+                                is DecoderException -> cause.cause
+                                else -> cause
+                            }
+                            responseFuture.completeExceptionally(ex)
+                            ctx.close()
+                            pipeline.removeLast()
+                            pool.release(channel)
+                        }
+                    })
+                    // Prepare the HTTP request
+                    val request: FullHttpRequest = let {
+                        val content: ByteBuf? = body?.takeIf(ByteArray::isNotEmpty)?.let(Unpooled::wrappedBuffer)
+                        DefaultFullHttpRequest(
+                            HttpVersion.HTTP_1_1,
+                            method,
+                            uri.rawPath,
+                            content ?: Unpooled.buffer(0)
+                        ).apply {
+                            headers().apply {
+                                if (content != null) {
+                                    set(HttpHeaderNames.CONTENT_TYPE, HttpHeaderValues.APPLICATION_OCTET_STREAM)
+                                    set(HttpHeaderNames.CONTENT_LENGTH, content.readableBytes())
+                                }
+                                set(HttpHeaderNames.HOST, profile.serverURI.host)
+                                set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE)
+                                set(
+                                    HttpHeaderNames.ACCEPT_ENCODING,
+                                    HttpHeaderValues.GZIP.toString() + "," + HttpHeaderValues.DEFLATE.toString()
+                                )
+                                // Add basic auth if configured
+                                (profile.authentication as? Configuration.Authentication.BasicAuthenticationCredentials)?.let { credentials ->
+                                    val auth = "${credentials.username}:${credentials.password}"
+                                    val encodedAuth = Base64.getEncoder().encodeToString(auth.toByteArray())
+                                    set(HttpHeaderNames.AUTHORIZATION, "Basic $encodedAuth")
+                                }
+                            }
+                        }
+                    }
+
+                    // Set headers
+                    // Send the request
+                    channel.writeAndFlush(request)
+                }
+            }
+        })
+        return responseFuture
+    }
+
+    fun shutDown(): NettyFuture<*> {
+        return group.shutdownGracefully()
+    }
+
+    override fun close() {
+        shutDown().sync()
+    }
+}

gbcs-client/src/main/kotlin/net/woggioni/gbcs/client/Exception.kt

@@ -0,0 +1,9 @@
+package net.woggioni.gbcs.client
+
+import io.netty.handler.codec.http.HttpResponseStatus
+
+class HttpException(private val status : HttpResponseStatus) : RuntimeException(status.reasonPhrase()) {
+
+    override val message: String
+        get() = "Http status ${status.code()}: ${status.reasonPhrase()}"
+}

gbcs-client/src/main/kotlin/net/woggioni/gbcs/client/impl/Parser.kt

@@ -0,0 +1,69 @@
+package net.woggioni.gbcs.client.impl
+
+import net.woggioni.gbcs.api.exception.ConfigurationException
+import net.woggioni.gbcs.common.Xml.Companion.asIterable
+import net.woggioni.gbcs.common.Xml.Companion.renderAttribute
+import net.woggioni.gbcs.client.GbcsClient
+import org.w3c.dom.Document
+import java.net.URI
+import java.nio.file.Files
+import java.nio.file.Path
+import java.security.KeyStore
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+
+object Parser {
+
+    fun parse(document: Document): GbcsClient.Configuration {
+        val root = document.documentElement
+
+        val profiles = mutableMapOf<String, GbcsClient.Configuration.Profile>()
+
+        for (child in root.asIterable()) {
+            val tagName = child.localName
+            when (tagName) {
+                "profile" -> {
+                    val name = child.renderAttribute("name") ?: throw ConfigurationException("name attribute is required")
+                    val uri = child.renderAttribute("base-url")?.let(::URI) ?: throw ConfigurationException("base-url attribute is required")
+                    var authentication: GbcsClient.Configuration.Authentication? = null
+                    for (gchild in child.asIterable()) {
+                        when (gchild.localName) {
+                            "tls-client-auth" -> {
+                                val keyStoreFile = gchild.renderAttribute("key-store-file")
+                                val keyStorePassword =
+                                    gchild.renderAttribute("key-store-password")
+                                val keyAlias = gchild.renderAttribute("key-alias")
+                                val keyPassword = gchild.renderAttribute("key-password")
+
+                                val keystore = KeyStore.getInstance("PKCS12").apply {
+                                    Files.newInputStream(Path.of(keyStoreFile)).use {
+                                        load(it, keyStorePassword?.toCharArray())
+                                    }
+                                }
+                                val key = keystore.getKey(keyAlias, keyPassword?.toCharArray()) as PrivateKey
+                                val certChain = keystore.getCertificateChain(keyAlias).asSequence()
+                                    .map { it as X509Certificate }
+                                    .toList()
+                                    .toTypedArray()
+                                authentication =
+                                    GbcsClient.Configuration.Authentication.TlsClientAuthenticationCredentials(key, certChain)
+                            }
+
+                            "basic-auth" -> {
+                                val username = gchild.renderAttribute("user") ?: throw ConfigurationException("username attribute is required")
+                                val password = gchild.renderAttribute("password") ?: throw ConfigurationException("password attribute is required")
+                                authentication =
+                                    GbcsClient.Configuration.Authentication.BasicAuthenticationCredentials(username, password)
+                            }
+                        }
+                    }
+                    val maxConnections = child.renderAttribute("max-connections")
+                        ?.let(String::toInt)
+                        ?: 50
+                    profiles[name] = GbcsClient.Configuration.Profile(uri, authentication, maxConnections)
+                }
+            }
+        }
+        return GbcsClient.Configuration(profiles)
+    }
+}

gbcs-client/src/main/resources/net/woggioni/gbcs/client/schema/gbcs-client.xsd

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<xs:schema targetNamespace="urn:net.woggioni.gbcs.client"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema"
+           xmlns:gbcs-client="urn:net.woggioni.gbcs.client"
+           elementFormDefault="unqualified"
+>
+    <xs:element name="profiles" type="gbcs-client:profilesType"/>
+
+    <xs:complexType name="profilesType">
+        <xs:sequence minOccurs="0">
+            <xs:element name="profile" type="gbcs-client:profileType" maxOccurs="unbounded"/>
+        </xs:sequence>
+    </xs:complexType>
+
+    <xs:complexType name="profileType">
+        <xs:choice>
+            <xs:element name="basic-auth" type="gbcs-client:basicAuthType"/>
+            <xs:element name="tls-client-auth" type="gbcs-client:tlsClientAuthType"/>
+        </xs:choice>
+        <xs:attribute name="name" type="xs:token" use="required"/>
+        <xs:attribute name="base-url" type="xs:anyURI" use="required"/>
+        <xs:attribute name="max-connections" type="xs:positiveInteger" default="50"/>
+    </xs:complexType>
+
+    <xs:complexType name="basicAuthType">
+        <xs:attribute name="user" type="xs:token" use="required"/>
+        <xs:attribute name="password" type="xs:string" use="required"/>
+    </xs:complexType>
+
+    <xs:complexType name="tlsClientAuthType">
+        <xs:attribute name="key-store-file" type="xs:anyURI" use="required"/>
+        <xs:attribute name="key-store-password" type="xs:string" use="required"/>
+        <xs:attribute name="key-alias" type="xs:token" use="required"/>
+        <xs:attribute name="key-password" type="xs:string" use="optional"/>
+    </xs:complexType>
+
+</xs:schema>

gbcs-client/src/test/resources/net/woggioni/gbcs/client/test/gbcs-client.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<gbcs-client:profiles xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+                      xmlns:gbcs-client="urn:net.woggioni.gbcs.client"
+                      xs:schemaLocation="urn:net.woggioni.gbcs.client jms://net.woggioni.gbcs.client/net/woggioni/gbcs/client/schema/gbcs-client.xsd"
+                      >
+    <profile name="profile1" base-url="https://gbcs1.example.com/">
+        <tls-client-auth
+                key-store-file="keystore.pfx"
+                key-store-password="password"
+                key-alias="woggioni@c962475fa38"
+                key-password="key-password"/>
+    </profile>
+    <profile name="profile2" base-url="https://gbcs2.example.com/">
+        <basic-auth user="user" password="password"/>
+    </profile>
+</gbcs-client:profiles>

gbcs-common/build.gradle

@@ -0,0 +1,20 @@
+
+plugins {
+    id 'java-library'
+    id 'maven-publish'
+    alias catalog.plugins.kotlin.jvm
+}
+
+dependencies {
+    implementation project(':gbcs-api')
+    implementation catalog.slf4j.api
+    implementation catalog.jwo
+}
+
+publishing {
+    publications {
+        maven(MavenPublication) {
+            from(components["java"])
+        }
+    }
+}

gbcs-common/src/main/java/module-info.java

@@ -0,0 +1,9 @@
+module net.woggioni.gbcs.common {
+    requires java.xml;
+    requires java.logging;
+    requires org.slf4j;
+    requires kotlin.stdlib;
+    requires net.woggioni.jwo;
+
+    exports net.woggioni.gbcs.common;
+}

gbcs-common/src/main/kotlin/net/woggioni/gbcs/common/GBCS.kt

@@ -0,0 +1,12 @@
+package net.woggioni.gbcs.common
+
+import java.net.URI
+import java.net.URL
+
+object GBCS {
+    fun String.toUrl() : URL = URL.of(URI(this), null)
+
+    const val GBCS_NAMESPACE_URI: String = "urn:net.woggioni.gbcs.server"
+    const val GBCS_PREFIX: String = "gbcs"
+    const val XML_SCHEMA_NAMESPACE_URI = "http://www.w3.org/2001/XMLSchema-instance"
+}

gbcs-common/src/main/kotlin/net/woggioni/gbcs/common/GbcsUrlStreamHandlerFactory.kt

@@ -0,0 +1,108 @@
+package net.woggioni.gbcs.common
+
+import java.io.IOException
+import java.io.InputStream
+import java.net.URL
+import java.net.URLConnection
+import java.net.URLStreamHandler
+import java.net.URLStreamHandlerFactory
+import java.util.Optional
+import java.util.concurrent.atomic.AtomicBoolean
+import java.util.stream.Collectors
+
+
+class GbcsUrlStreamHandlerFactory : URLStreamHandlerFactory {
+
+    private class ClasspathHandler(private val classLoader: ClassLoader = GbcsUrlStreamHandlerFactory::class.java.classLoader) :
+        URLStreamHandler() {
+
+        override fun openConnection(u: URL): URLConnection? {
+            return javaClass.module
+                ?.takeIf { m: Module -> m.layer != null }
+                ?.let {
+                    val path = u.path
+                    val i = path.lastIndexOf('/')
+                    val packageName = path.substring(0, i).replace('/', '.')
+                    val modules = packageMap[packageName]!!
+                    ClasspathResourceURLConnection(
+                        u,
+                        modules
+                    )
+                }
+                ?: classLoader.getResource(u.path)?.let(URL::openConnection)
+        }
+    }
+
+    private class JpmsHandler : URLStreamHandler() {
+
+        override fun openConnection(u: URL): URLConnection {
+            val thisModule = javaClass.module
+            val sourceModule = Optional.ofNullable(thisModule)
+                .map { obj: Module -> obj.layer }
+                .flatMap { layer: ModuleLayer ->
+                    val moduleName = u.host
+                    layer.findModule(moduleName)
+                }.orElse(thisModule)
+            return JpmsResourceURLConnection(u, sourceModule)
+        }
+    }
+
+    private class JpmsResourceURLConnection(url: URL, private val module: Module) : URLConnection(url) {
+        override fun connect() {
+        }
+
+        @Throws(IOException::class)
+        override fun getInputStream(): InputStream {
+            return module.getResourceAsStream(getURL().path)
+        }
+    }
+
+    override fun createURLStreamHandler(protocol: String): URLStreamHandler? {
+        return when (protocol) {
+            "classpath" -> ClasspathHandler()
+            "jpms" -> JpmsHandler()
+            else -> null
+        }
+    }
+
+    private class ClasspathResourceURLConnection(url: URL?, private val modules: List<Module>) :
+        URLConnection(url) {
+        override fun connect() {}
+
+        override fun getInputStream(): InputStream? {
+            for (module in modules) {
+                val result = module.getResourceAsStream(getURL().path)
+                if (result != null) return result
+            }
+            return null
+        }
+    }
+
+    companion object {
+        private val installed = AtomicBoolean(false)
+        fun install() {
+            if (!installed.getAndSet(true)) {
+                URL.setURLStreamHandlerFactory(GbcsUrlStreamHandlerFactory())
+            }
+        }
+
+        private val packageMap: Map<String, List<Module>> by lazy {
+            GbcsUrlStreamHandlerFactory::class.java.module.layer
+                .modules()
+                .stream()
+                .flatMap { m: Module ->
+                    m.packages.stream()
+                        .map { p: String -> p to m }
+                }
+                .collect(
+                    Collectors.groupingBy(
+                        Pair<String, Module>::first,
+                        Collectors.mapping(
+                            Pair<String, Module>::second,
+                            Collectors.toUnmodifiableList<Module>()
+                        )
+                    )
+                )
+        }
+    }
+}

gbcs-common/src/main/kotlin/net/woggioni/gbcs/common/HostAndPort.kt

@@ -0,0 +1,8 @@
+package net.woggioni.gbcs.common
+
+
+data class HostAndPort(val host: String, val port: Int = 0) {
+    override fun toString(): String {
+        return "$host:$port"
+    }
+}

gbcs-common/src/main/kotlin/net/woggioni/gbcs/common/Logging.kt

@@ -1,9 +1,8 @@
-package net.woggioni.gbcs
+package net.woggioni.gbcs.common
 
-import io.netty.channel.ChannelHandlerContext
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
-import java.net.InetSocketAddress
+import org.slf4j.event.Level
 import java.nio.file.Files
 import java.nio.file.Path
 import java.util.logging.LogManager
@@ -54,6 +53,12 @@ inline fun log(log : Logger,
     }
 }
 
+inline fun Logger.log(level : Level, messageBuilder : () -> String) {
+    if(isEnabledForLevel(level)) {
+        makeLoggingEventBuilder(level).log(messageBuilder())
+    }
+}
+
 inline fun Logger.trace(messageBuilder : () -> String) {
     if(isTraceEnabled) {
         trace(messageBuilder())
@@ -84,31 +89,6 @@ inline fun Logger.error(messageBuilder : () -> String) {
     }
 }
 
-inline fun Logger.trace(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
-    log(this, ctx, { isTraceEnabled }, { trace(it) } , messageBuilder)
-}
-inline fun Logger.debug(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
-    log(this, ctx, { isDebugEnabled }, { debug(it) } , messageBuilder)
-}
-inline fun Logger.info(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
-    log(this, ctx, { isInfoEnabled }, { info(it) } , messageBuilder)
-}
-inline fun Logger.warn(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
-    log(this, ctx, { isWarnEnabled }, { warn(it) } , messageBuilder)
-}
-inline fun Logger.error(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
-    log(this, ctx, { isErrorEnabled }, { error(it) } , messageBuilder)
-}
-
-inline fun log(log : Logger, ctx : ChannelHandlerContext,
-                        filter : Logger.() -> Boolean,
-                        loggerMethod : Logger.(String) -> Unit, messageBuilder : () -> String) {
-    if(log.filter()) {
-        val clientAddress = (ctx.channel().remoteAddress() as InetSocketAddress).address.hostAddress
-        log.loggerMethod(clientAddress + " - " + messageBuilder())
-    }
-}
-
 
 class LoggingConfig {
 

gbcs-common/src/main/kotlin/net/woggioni/gbcs/common/PasswordSecurity.kt

@@ -0,0 +1,46 @@
+package net.woggioni.gbcs.common
+
+import java.security.SecureRandom
+import java.security.spec.KeySpec
+import java.util.Base64
+import javax.crypto.SecretKeyFactory
+import javax.crypto.spec.PBEKeySpec
+
+object PasswordSecurity {
+    private const val KEY_LENGTH = 256
+
+    private fun concat(arr1: ByteArray, arr2: ByteArray): ByteArray {
+        val result = ByteArray(arr1.size + arr2.size)
+        var j = 0
+        for(element in arr1) {
+            result[j] = element
+            j += 1
+        }
+        for(element in arr2) {
+            result[j] = element
+            j += 1
+        }
+        return result
+    }
+
+    fun hashPassword(password : String, salt : String? = null) : String {
+        val actualSalt = salt?.let(Base64.getDecoder()::decode) ?: SecureRandom().run {
+            val result = ByteArray(16)
+            nextBytes(result)
+            result
+        }
+        val spec: KeySpec = PBEKeySpec(password.toCharArray(), actualSalt, 10, KEY_LENGTH)
+        val factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
+        val hash = factory.generateSecret(spec).encoded
+        return String(Base64.getEncoder().encode(concat(hash, actualSalt)))
+    }
+
+    fun decodePasswordHash(passwordHash : String) : Pair<ByteArray, ByteArray> {
+        val decoded = Base64.getDecoder().decode(passwordHash)
+        val hash = ByteArray(KEY_LENGTH / 8)
+        val salt = ByteArray(decoded.size - KEY_LENGTH / 8)
+        System.arraycopy(decoded, 0, hash, 0, hash.size)
+        System.arraycopy(decoded, hash.size, salt, 0, salt.size)
+        return hash to salt
+    }
+}

gbcs-common/src/main/kotlin/net/woggioni/gbcs/common/Xml.kt

@@ -0,0 +1,244 @@
+package net.woggioni.gbcs.common
+
+import net.woggioni.jwo.JWO
+import org.slf4j.LoggerFactory
+import org.slf4j.event.Level
+import org.w3c.dom.Document
+import org.w3c.dom.Element
+import org.w3c.dom.Node
+import org.w3c.dom.NodeList
+import org.xml.sax.SAXNotRecognizedException
+import org.xml.sax.SAXNotSupportedException
+import org.xml.sax.SAXParseException
+import java.io.InputStream
+import java.io.OutputStream
+import java.net.URL
+import javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD
+import javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA
+import javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
+import javax.xml.XMLConstants.W3C_XML_SCHEMA_NS_URI
+import javax.xml.parsers.DocumentBuilder
+import javax.xml.parsers.DocumentBuilderFactory
+import javax.xml.transform.OutputKeys
+import javax.xml.transform.TransformerFactory
+import javax.xml.transform.dom.DOMSource
+import javax.xml.transform.stream.StreamResult
+import javax.xml.transform.stream.StreamSource
+import javax.xml.validation.Schema
+import javax.xml.validation.SchemaFactory
+import org.xml.sax.ErrorHandler as ErrHandler
+
+
+class NodeListIterator(private val nodeList: NodeList) : Iterator<Node> {
+    private var cursor: Int = 0
+    override fun hasNext(): Boolean {
+        return cursor < nodeList.length
+    }
+
+    override fun next(): Node {
+        return if (hasNext()) nodeList.item(cursor++) else throw NoSuchElementException()
+    }
+}
+
+class ElementIterator(parent: Element, name: String? = null) : Iterator<Element> {
+    private val it: NodeListIterator
+    private val name: String?
+    private var next: Element?
+
+    init {
+        it = NodeListIterator(parent.childNodes)
+        this.name = name
+        next = getNext()
+    }
+
+    override fun hasNext(): Boolean {
+        return next != null
+    }
+
+    override fun next(): Element {
+        val result = next ?: throw NoSuchElementException()
+        next = getNext()
+        return result
+    }
+
+    private fun getNext(): Element? {
+        var result: Element? = null
+        while (it.hasNext()) {
+            val node: Node = it.next()
+            if (node is Element && (name == null || name == node.tagName)) {
+                result = node
+                break
+            }
+        }
+        return result
+    }
+}
+
+class Xml(val doc: Document, val element: Element) {
+
+    class ErrorHandler(private val fileURL: URL) : ErrHandler {
+
+        companion object {
+            private val log = LoggerFactory.getLogger(ErrorHandler::class.java)
+        }
+
+         override fun warning(ex: SAXParseException)= err(ex, Level.WARN)
+
+        private fun err(ex: SAXParseException, level: Level) {
+            log.log(level) {
+                "Problem at ${fileURL}:${ex.lineNumber}:${ex.columnNumber} parsing deployment configuration: ${ex.message}"
+            }
+            throw ex
+        }
+
+        override fun error(ex: SAXParseException) = err(ex, Level.ERROR)
+        override fun fatalError(ex: SAXParseException) = err(ex, Level.ERROR)
+    }
+
+    companion object {
+        private val dictMap: Map<String, Map<String, Any>> = sequenceOf(
+            "env" to System.getenv().asSequence().map { (k, v) -> k to (v as Any) }.toMap(),
+            "sys" to System.getProperties().asSequence().map { (k, v) -> k as String to (v as Any) }.toMap()
+        ).toMap()
+
+        private fun renderConfigurationTemplate(template: String): String {
+            return JWO.renderTemplate(template, emptyMap(), dictMap).replace("$$", "$")
+        }
+
+        fun Element.renderAttribute(name : String, namespaceURI: String? = null) = if(namespaceURI == null) {
+            getAttribute(name)
+        } else {
+            getAttributeNS(name, namespaceURI)
+        }.takeIf(String::isNotEmpty)?.let(Companion::renderConfigurationTemplate)
+
+
+        fun Element.asIterable() = Iterable { ElementIterator(this, null) }
+        fun NodeList.asIterable() = Iterable { NodeListIterator(this) }
+
+        private fun disableProperty(dbf: DocumentBuilderFactory, propertyName: String) {
+            try {
+                dbf.setAttribute(propertyName, "")
+            } catch (iae: IllegalArgumentException) {
+                // Property not supported.
+            }
+        }
+
+        private fun disableProperty(sf: SchemaFactory, propertyName: String) {
+            try {
+                sf.setProperty(propertyName, "")
+            } catch (ex: SAXNotRecognizedException) {
+                // Property not supported.
+            } catch (ex: SAXNotSupportedException) {
+            }
+        }
+
+        fun getSchema(schema: URL): Schema {
+            val sf = SchemaFactory.newInstance(W3C_XML_SCHEMA_NS_URI)
+            sf.setFeature(FEATURE_SECURE_PROCESSING, false)
+            sf.errorHandler = ErrorHandler(schema)
+            return sf.newSchema(schema)
+        }
+
+        fun getSchema(inputStream: InputStream): Schema {
+            val sf = SchemaFactory.newInstance(W3C_XML_SCHEMA_NS_URI)
+            sf.setFeature(FEATURE_SECURE_PROCESSING, true)
+            return sf.newSchema(StreamSource(inputStream))
+        }
+
+        fun newDocumentBuilderFactory(schemaResourceURL: URL?): DocumentBuilderFactory {
+            val dbf = DocumentBuilderFactory.newInstance()
+            dbf.setFeature(FEATURE_SECURE_PROCESSING, false)
+            dbf.setAttribute(ACCESS_EXTERNAL_SCHEMA, "all")
+            disableProperty(dbf, ACCESS_EXTERNAL_DTD)
+            dbf.isExpandEntityReferences = true
+            dbf.isIgnoringComments = true
+            dbf.isNamespaceAware = true
+            dbf.isValidating = schemaResourceURL == null
+            dbf.setFeature("http://apache.org/xml/features/validation/schema", true)
+            schemaResourceURL?.let {
+                dbf.schema = getSchema(it)
+            }
+            return dbf
+        }
+
+        fun newDocumentBuilder(resource: URL, schemaResourceURL: URL?): DocumentBuilder {
+            val db = newDocumentBuilderFactory(schemaResourceURL).newDocumentBuilder()
+            db.setErrorHandler(ErrorHandler(resource))
+            return db
+        }
+
+        fun parseXmlResource(resource: URL, schemaResourceURL: URL?): Document {
+            val db = newDocumentBuilder(resource, schemaResourceURL)
+            return resource.openStream().use(db::parse)
+        }
+
+        fun parseXml(sourceURL: URL, sourceStream: InputStream? = null, schemaResourceURL: URL? = null): Document {
+            val db = newDocumentBuilder(sourceURL, schemaResourceURL)
+            return sourceStream?.let(db::parse) ?: sourceURL.openStream().use(db::parse)
+        }
+
+        fun write(doc: Document, output: OutputStream) {
+            val transformerFactory = TransformerFactory.newInstance()
+            val transformer = transformerFactory.newTransformer()
+            transformer.setOutputProperty(OutputKeys.INDENT, "yes")
+            transformer.setOutputProperty(OutputKeys.INDENT, "yes")
+            transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4")
+            transformer.setOutputProperty(OutputKeys.STANDALONE, "yes")
+            transformer.setOutputProperty(OutputKeys.ENCODING, "UTF-8")
+            val source = DOMSource(doc)
+            val result = StreamResult(output)
+            transformer.transform(source, result)
+        }
+
+        fun of(
+            namespaceURI: String,
+            qualifiedName: String,
+            schemaResourceURL: URL? = null,
+            cb: Xml.(el: Element) -> Unit
+        ): Document {
+            val dbf = newDocumentBuilderFactory(schemaResourceURL)
+            val db = dbf.newDocumentBuilder()
+            val doc = db.newDocument()
+            val root = doc.createElementNS(namespaceURI, qualifiedName)
+                .also(doc::appendChild)
+            Xml(doc, root).cb(root)
+            return doc
+        }
+
+        fun of(doc: Document, el: Element, cb: Xml.(el: Element) -> Unit): Element {
+            Xml(doc, el).cb(el)
+            return el
+        }
+
+        fun Element.removeChildren() {
+            while (true) {
+                removeChild(firstChild ?: break)
+            }
+        }
+    }
+
+    fun node(
+        name: String,
+        namespaceURI: String? = null,
+        attrs: Map<String, String> = emptyMap(),
+        cb: Xml.(el: Element) -> Unit = {}
+    ): Element {
+        val child = doc.createElementNS(namespaceURI, name)
+        for ((key, value) in attrs) {
+            child.setAttribute(key, value)
+        }
+        return child
+            .also {
+                element.appendChild(it)
+                Xml(doc, it).cb(it)
+            }
+    }
+
+    fun attr(key: String, value: String, namespaceURI: String? = null) {
+        element.setAttributeNS(namespaceURI, key, value)
+    }
+
+    fun text(txt: String) {
+        element.appendChild(doc.createTextNode(txt))
+    }
+}

gbcs-server-memcached/build.gradle

@@ -0,0 +1,58 @@
+plugins {
+    id 'java-library'
+    id 'maven-publish'
+    alias catalog.plugins.kotlin.jvm
+}
+
+configurations {
+    bundle {
+        extendsFrom runtimeClasspath
+        canBeResolved = true
+        canBeConsumed = false
+        visible = false
+
+        resolutionStrategy {
+            dependencies {
+                exclude group: 'org.slf4j', module: 'slf4j-api'
+                exclude group: 'org.jetbrains.kotlin', module: 'kotlin-stdlib'
+                exclude group: 'org.jetbrains', module: 'annotations'
+            }
+        }
+    }
+
+    release {
+        transitive = false
+        canBeConsumed = true
+        canBeResolved = true
+        visible = true
+    }
+}
+
+dependencies {
+    compileOnly project(':gbcs-common')
+    compileOnly project(':gbcs-api')
+    compileOnly catalog.jwo
+    implementation catalog.xmemcached
+}
+
+Provider<Tar> bundleTask = tasks.register("bundle", Tar) {
+    from(tasks.named(JavaPlugin.JAR_TASK_NAME))
+    from(configurations.bundle)
+    group = BasePlugin.BUILD_GROUP
+}
+
+tasks.named(BasePlugin.ASSEMBLE_TASK_NAME) {
+    dependsOn(bundleTask)
+}
+
+artifacts {
+    release(bundleTask)
+}
+
+publishing {
+    publications {
+        maven(MavenPublication) {
+            artifact bundleTask
+        }
+    }
+}

gbcs-server-memcached/src/main/java/module-info.java

@@ -0,0 +1,14 @@
+import net.woggioni.gbcs.api.CacheProvider;
+
+module net.woggioni.gbcs.server.memcached {
+    requires net.woggioni.gbcs.common;
+    requires net.woggioni.gbcs.api;
+    requires com.googlecode.xmemcached;
+    requires net.woggioni.jwo;
+    requires java.xml;
+    requires kotlin.stdlib;
+
+    provides CacheProvider with net.woggioni.gbcs.server.memcached.MemcachedCacheProvider;
+
+    opens net.woggioni.gbcs.server.memcached.schema;
+}

gbcs-server-memcached/src/main/kotlin/net/woggioni/gbcs/server/memcached/MemcachedCache.kt

@@ -0,0 +1,59 @@
+package net.woggioni.gbcs.server.memcached
+
+import net.rubyeye.xmemcached.XMemcachedClientBuilder
+import net.rubyeye.xmemcached.command.BinaryCommandFactory
+import net.rubyeye.xmemcached.transcoders.CompressionMode
+import net.rubyeye.xmemcached.transcoders.SerializingTranscoder
+import net.woggioni.gbcs.api.Cache
+import net.woggioni.gbcs.api.exception.ContentTooLargeException
+import net.woggioni.gbcs.common.HostAndPort
+import net.woggioni.jwo.JWO
+import java.io.ByteArrayInputStream
+import java.net.InetSocketAddress
+import java.nio.channels.Channels
+import java.nio.channels.ReadableByteChannel
+import java.nio.charset.StandardCharsets
+import java.security.MessageDigest
+import java.time.Duration
+
+class MemcachedCache(
+    servers: List<HostAndPort>,
+    private val maxAge: Duration,
+    maxSize : Int,
+    digestAlgorithm: String?,
+    compressionMode: CompressionMode,
+) : Cache {
+    private val memcachedClient = XMemcachedClientBuilder(
+        servers.stream().map { addr: HostAndPort -> InetSocketAddress(addr.host, addr.port) }.toList()
+    ).apply {
+        commandFactory = BinaryCommandFactory()
+        digestAlgorithm?.let { dAlg ->
+            setKeyProvider { key ->
+                val md = MessageDigest.getInstance(dAlg)
+                md.update(key.toByteArray(StandardCharsets.UTF_8))
+                JWO.bytesToHex(md.digest())
+            }
+        }
+        transcoder = SerializingTranscoder(maxSize).apply {
+            setCompressionMode(compressionMode)
+        }
+    }.build()
+
+    override fun get(key: String): ReadableByteChannel? {
+        return memcachedClient.get<ByteArray>(key)
+            ?.let(::ByteArrayInputStream)
+            ?.let(Channels::newChannel)
+    }
+
+    override fun put(key: String, content: ByteArray) {
+        try {
+            memcachedClient[key, maxAge.toSeconds().toInt()] = content
+        } catch (e: IllegalArgumentException) {
+            throw ContentTooLargeException(e.message, e)
+        }
+    }
+
+    override fun close() {
+        memcachedClient.shutdown()
+    }
+}

gbcs-server-memcached/src/main/kotlin/net/woggioni/gbcs/server/memcached/MemcachedCacheConfiguration.kt

@@ -0,0 +1,26 @@
+package net.woggioni.gbcs.server.memcached
+
+import net.rubyeye.xmemcached.transcoders.CompressionMode
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.common.HostAndPort
+import java.time.Duration
+
+data class MemcachedCacheConfiguration(
+    var servers: List<HostAndPort>,
+    var maxAge: Duration = Duration.ofDays(1),
+    var maxSize: Int = 0x100000,
+    var digestAlgorithm: String? = null,
+    var compressionMode: CompressionMode = CompressionMode.ZIP,
+) : Configuration.Cache {
+    override fun materialize() = MemcachedCache(
+        servers,
+        maxAge,
+        maxSize,
+        digestAlgorithm,
+        compressionMode
+    )
+
+    override fun getNamespaceURI() = "urn:net.woggioni.gbcs.server.memcached"
+
+    override fun getTypeName() = "memcachedCacheType"
+}

gbcs-server-memcached/src/main/kotlin/net/woggioni/gbcs/server/memcached/MemcachedCacheProvider.kt

@@ -0,0 +1,88 @@
+package net.woggioni.gbcs.server.memcached
+
+import net.rubyeye.xmemcached.transcoders.CompressionMode
+import net.woggioni.gbcs.api.CacheProvider
+import net.woggioni.gbcs.api.exception.ConfigurationException
+import net.woggioni.gbcs.common.GBCS
+import net.woggioni.gbcs.common.HostAndPort
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.common.Xml.Companion.asIterable
+import net.woggioni.gbcs.common.Xml.Companion.renderAttribute
+import org.w3c.dom.Document
+import org.w3c.dom.Element
+import java.time.Duration
+
+class MemcachedCacheProvider : CacheProvider<MemcachedCacheConfiguration> {
+    override fun getXmlSchemaLocation() = "jpms://net.woggioni.gbcs.server.memcached/net/woggioni/gbcs/server/memcached/schema/gbcs-memcached.xsd"
+
+    override fun getXmlType() = "memcachedCacheType"
+
+    override fun getXmlNamespace() = "urn:net.woggioni.gbcs.server.memcached"
+
+    val xmlNamespacePrefix : String
+        get() = "gbcs-memcached"
+
+    override fun deserialize(el: Element): MemcachedCacheConfiguration {
+        val servers = mutableListOf<HostAndPort>()
+        val maxAge = el.renderAttribute("max-age")
+            ?.let(Duration::parse)
+            ?: Duration.ofDays(1)
+        val maxSize = el.renderAttribute("max-size")
+            ?.let(String::toInt)
+            ?: 0x100000
+        val compressionMode = el.renderAttribute("compression-mode")
+            ?.let {
+                when (it) {
+                    "gzip" -> CompressionMode.GZIP
+                    "zip" -> CompressionMode.ZIP
+                    else -> CompressionMode.ZIP
+                }
+            }
+            ?: CompressionMode.ZIP
+        val digestAlgorithm = el.renderAttribute("digest")
+        for (child in el.asIterable()) {
+            when (child.nodeName) {
+                "server" -> {
+                    val host = child.renderAttribute("host") ?: throw ConfigurationException("host attribute is required")
+                    val port = child.renderAttribute("port")?.toInt() ?: throw ConfigurationException("port attribute is required")
+                    servers.add(HostAndPort(host, port))
+                }
+            }
+        }
+
+        return MemcachedCacheConfiguration(
+            servers,
+            maxAge,
+            maxSize,
+            digestAlgorithm,
+            compressionMode,
+        )
+    }
+
+    override fun serialize(doc: Document, cache: MemcachedCacheConfiguration) = cache.run {
+        val result = doc.createElement("cache")
+        Xml.of(doc, result) {
+            attr("xmlns:${xmlNamespacePrefix}", xmlNamespace, namespaceURI = "http://www.w3.org/2000/xmlns/")
+
+            attr("xs:type", "${xmlNamespacePrefix}:$xmlType", GBCS.XML_SCHEMA_NAMESPACE_URI)
+            for (server in servers) {
+                node("server") {
+                    attr("host", server.host)
+                    attr("port", server.port.toString())
+                }
+            }
+            attr("max-age", maxAge.toString())
+            attr("max-size", maxSize.toString())
+            digestAlgorithm?.let { digestAlgorithm ->
+                attr("digest", digestAlgorithm)
+            }
+            attr(
+                "compression-mode", when (compressionMode) {
+                    CompressionMode.GZIP -> "gzip"
+                    CompressionMode.ZIP -> "zip"
+                }
+            )
+        }
+        result
+    }
+}

gbcs-server-memcached/src/main/resources/META-INF/services/net.woggioni.gbcs.api.CacheProvider

@@ -0,0 +1 @@
+net.woggioni.gbcs.server.memcached.MemcachedCacheProvider

gbcs-server-memcached/src/main/resources/net/woggioni/gbcs/server/memcached/schema/gbcs-memcached.xsd

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<xs:schema targetNamespace="urn:net.woggioni.gbcs.server.memcached"
+           xmlns:gbcs-memcached="urn:net.woggioni.gbcs.server.memcached"
+           xmlns:gbcs="urn:net.woggioni.gbcs.server"
+           xmlns:xs="http://www.w3.org/2001/XMLSchema">
+
+    <xs:import schemaLocation="jpms://net.woggioni.gbcs.server/net/woggioni/gbcs/server/schema/gbcs.xsd" namespace="urn:net.woggioni.gbcs.server"/>
+
+    <xs:complexType name="memcachedServerType">
+        <xs:attribute name="host" type="xs:token" use="required"/>
+        <xs:attribute name="port" type="xs:positiveInteger" use="required"/>
+    </xs:complexType>
+
+    <xs:complexType name="memcachedCacheType">
+        <xs:complexContent>
+            <xs:extension base="gbcs:cacheType">
+                <xs:sequence maxOccurs="unbounded">
+                    <xs:element name="server" type="gbcs-memcached:memcachedServerType"/>
+                </xs:sequence>
+                <xs:attribute name="max-age" type="xs:duration" default="P1D"/>
+                <xs:attribute name="max-size" type="xs:unsignedInt" default="1048576"/>
+                <xs:attribute name="digest" type="xs:token" />
+                <xs:attribute name="compression-mode" type="gbcs-memcached:compressionType" default="zip"/>
+            </xs:extension>
+        </xs:complexContent>
+    </xs:complexType>
+
+    <xs:simpleType name="compressionType">
+        <xs:restriction base="xs:token">
+            <xs:enumeration value="zip"/>
+            <xs:enumeration value="gzip"/>
+        </xs:restriction>
+    </xs:simpleType>
+
+</xs:schema>

gbcs-server/build.gradle

@@ -0,0 +1,35 @@
+plugins {
+    id 'java-library'
+    alias catalog.plugins.kotlin.jvm
+    id 'maven-publish'
+}
+
+dependencies {
+    implementation catalog.jwo
+    implementation catalog.slf4j.api
+    implementation catalog.netty.codec.http
+
+    api project(':gbcs-common')
+    api project(':gbcs-api')
+
+//    runtimeOnly catalog.slf4j.jdk14
+    testRuntimeOnly catalog.logback.classic
+
+    testImplementation catalog.bcprov.jdk18on
+    testImplementation catalog.bcpkix.jdk18on
+    testImplementation catalog.junit.jupiter.api
+    testImplementation catalog.junit.jupiter.params
+    testRuntimeOnly catalog.junit.jupiter.engine
+
+    testRuntimeOnly project(":gbcs-server-memcached")
+}
+
+publishing {
+    publications {
+        maven(MavenPublication) {
+            from(components["java"])
+        }
+    }
+}
+
+

gbcs-server/src/main/java/module-info.java

@@ -0,0 +1,28 @@
+import net.woggioni.gbcs.api.CacheProvider;
+import net.woggioni.gbcs.server.cache.FileSystemCacheProvider;
+
+module net.woggioni.gbcs.server {
+    requires java.sql;
+    requires java.xml;
+    requires java.logging;
+    requires java.naming;
+    requires kotlin.stdlib;
+    requires io.netty.buffer;
+    requires io.netty.transport;
+    requires io.netty.codec.http;
+    requires io.netty.common;
+    requires io.netty.handler;
+    requires io.netty.codec;
+    requires org.slf4j;
+    requires net.woggioni.jwo;
+    requires net.woggioni.gbcs.common;
+    requires net.woggioni.gbcs.api;
+
+    exports net.woggioni.gbcs.server;
+
+    opens net.woggioni.gbcs.server;
+    opens net.woggioni.gbcs.server.schema;
+
+    uses CacheProvider;
+    provides CacheProvider with FileSystemCacheProvider;
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/GradleBuildCacheServer.kt

@@ -0,0 +1,525 @@
+package net.woggioni.gbcs.server
+
+import io.netty.bootstrap.ServerBootstrap
+import io.netty.buffer.ByteBuf
+import io.netty.buffer.Unpooled
+import io.netty.channel.Channel
+import io.netty.channel.ChannelDuplexHandler
+import io.netty.channel.ChannelFuture
+import io.netty.channel.ChannelFutureListener
+import io.netty.channel.ChannelHandler.Sharable
+import io.netty.channel.ChannelHandlerContext
+import io.netty.channel.ChannelInitializer
+import io.netty.channel.ChannelOption
+import io.netty.channel.ChannelPromise
+import io.netty.channel.DefaultFileRegion
+import io.netty.channel.SimpleChannelInboundHandler
+import io.netty.channel.nio.NioEventLoopGroup
+import io.netty.channel.socket.nio.NioServerSocketChannel
+import io.netty.handler.codec.DecoderException
+import io.netty.handler.codec.compression.CompressionOptions
+import io.netty.handler.codec.http.DefaultFullHttpResponse
+import io.netty.handler.codec.http.DefaultHttpContent
+import io.netty.handler.codec.http.DefaultHttpResponse
+import io.netty.handler.codec.http.FullHttpRequest
+import io.netty.handler.codec.http.FullHttpResponse
+import io.netty.handler.codec.http.HttpContentCompressor
+import io.netty.handler.codec.http.HttpHeaderNames
+import io.netty.handler.codec.http.HttpHeaderValues
+import io.netty.handler.codec.http.HttpMethod
+import io.netty.handler.codec.http.HttpObjectAggregator
+import io.netty.handler.codec.http.HttpRequest
+import io.netty.handler.codec.http.HttpResponseStatus
+import io.netty.handler.codec.http.HttpServerCodec
+import io.netty.handler.codec.http.HttpUtil
+import io.netty.handler.codec.http.HttpVersion
+import io.netty.handler.codec.http.LastHttpContent
+import io.netty.handler.ssl.ClientAuth
+import io.netty.handler.ssl.SslContext
+import io.netty.handler.ssl.SslContextBuilder
+import io.netty.handler.ssl.SslHandler
+import io.netty.handler.stream.ChunkedNioFile
+import io.netty.handler.stream.ChunkedNioStream
+import io.netty.handler.stream.ChunkedWriteHandler
+import io.netty.util.concurrent.DefaultEventExecutorGroup
+import io.netty.util.concurrent.EventExecutorGroup
+import net.woggioni.gbcs.api.Cache
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.api.Role
+import net.woggioni.gbcs.api.exception.ConfigurationException
+import net.woggioni.gbcs.api.exception.ContentTooLargeException
+import net.woggioni.gbcs.common.GBCS.toUrl
+import net.woggioni.gbcs.common.PasswordSecurity.decodePasswordHash
+import net.woggioni.gbcs.common.PasswordSecurity.hashPassword
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.common.contextLogger
+import net.woggioni.gbcs.common.info
+import net.woggioni.gbcs.server.auth.AbstractNettyHttpAuthenticator
+import net.woggioni.gbcs.server.auth.Authorizer
+import net.woggioni.gbcs.server.auth.ClientCertificateValidator
+import net.woggioni.gbcs.server.auth.RoleAuthorizer
+import net.woggioni.gbcs.server.configuration.Parser
+import net.woggioni.gbcs.server.configuration.Serializer
+import net.woggioni.jwo.JWO
+import net.woggioni.jwo.Tuple2
+import java.io.OutputStream
+import java.net.InetSocketAddress
+import java.nio.channels.FileChannel
+import java.nio.file.Files
+import java.nio.file.Path
+import java.security.KeyStore
+import java.security.PrivateKey
+import java.security.cert.X509Certificate
+import java.util.Arrays
+import java.util.Base64
+import java.util.regex.Matcher
+import java.util.regex.Pattern
+import javax.naming.ldap.LdapName
+import javax.net.ssl.SSLPeerUnverifiedException
+
+
+class GradleBuildCacheServer(private val cfg: Configuration) {
+    private val log = contextLogger()
+
+    companion object {
+
+        val DEFAULT_CONFIGURATION_URL by lazy { "classpath:net/woggioni/gbcs/gbcs-default.xml".toUrl() }
+        private const val SSL_HANDLER_NAME = "sslHandler"
+
+        fun loadConfiguration(configurationFile: Path): Configuration {
+            val doc = Files.newInputStream(configurationFile).use {
+                Xml.parseXml(configurationFile.toUri().toURL(), it)
+            }
+            return Parser.parse(doc)
+        }
+
+        fun dumpConfiguration(conf: Configuration, outputStream: OutputStream) {
+            Xml.write(Serializer.serialize(conf), outputStream)
+        }
+    }
+
+    private class HttpChunkContentCompressor(
+        threshold: Int,
+        vararg compressionOptions: CompressionOptions = emptyArray()
+    ) : HttpContentCompressor(threshold, *compressionOptions) {
+        override fun write(ctx: ChannelHandlerContext, msg: Any, promise: ChannelPromise) {
+            var message: Any? = msg
+            if (message is ByteBuf) {
+                // convert ByteBuf to HttpContent to make it work with compression. This is needed as we use the
+                // ChunkedWriteHandler to send files when compression is enabled.
+                val buff = message
+                if (buff.isReadable) {
+                    // We only encode non empty buffers, as empty buffers can be used for determining when
+                    // the content has been flushed and it confuses the HttpContentCompressor
+                    // if we let it go
+                    message = DefaultHttpContent(buff)
+                }
+            }
+            super.write(ctx, message, promise)
+        }
+    }
+
+    @Sharable
+    private class ClientCertificateAuthenticator(
+        authorizer: Authorizer,
+        private val anonymousUserRoles: Set<Role>?,
+        private val userExtractor: Configuration.UserExtractor?,
+        private val groupExtractor: Configuration.GroupExtractor?,
+    ) : AbstractNettyHttpAuthenticator(authorizer) {
+
+        override fun authenticate(ctx: ChannelHandlerContext, req: HttpRequest): Set<Role>? {
+            return try {
+                val sslHandler = (ctx.pipeline().get(SSL_HANDLER_NAME) as? SslHandler)
+                    ?: throw ConfigurationException("Client certificate authentication cannot be used when TLS is disabled")
+                val sslEngine = sslHandler.engine()
+                sslEngine.session.peerCertificates.takeIf {
+                    it.isNotEmpty()
+                }?.let { peerCertificates ->
+                    val clientCertificate = peerCertificates.first() as X509Certificate
+                    val user = userExtractor?.extract(clientCertificate)
+                    val group = groupExtractor?.extract(clientCertificate)
+                    (group?.roles ?: emptySet()) + (user?.roles ?: emptySet())
+                } ?: anonymousUserRoles
+            } catch (es: SSLPeerUnverifiedException) {
+                anonymousUserRoles
+            }
+        }
+    }
+
+    @Sharable
+    private class NettyHttpBasicAuthenticator(
+        private val users: Map<String, Configuration.User>, authorizer: Authorizer
+    ) : AbstractNettyHttpAuthenticator(authorizer) {
+        private val log = contextLogger()
+
+        override fun authenticate(ctx: ChannelHandlerContext, req: HttpRequest): Set<Role>? {
+            val authorizationHeader = req.headers()[HttpHeaderNames.AUTHORIZATION] ?: let {
+                log.debug(ctx) {
+                    "Missing Authorization header"
+                }
+                return users[""]?.roles
+            }
+            val cursor = authorizationHeader.indexOf(' ')
+            if (cursor < 0) {
+                log.debug(ctx) {
+                    "Invalid Authorization header: '$authorizationHeader'"
+                }
+                return users[""]?.roles
+            }
+            val authenticationType = authorizationHeader.substring(0, cursor)
+            if ("Basic" != authenticationType) {
+                log.debug(ctx) {
+                    "Invalid authentication type header: '$authenticationType'"
+                }
+                return users[""]?.roles
+            }
+            val (username, password) = Base64.getDecoder().decode(authorizationHeader.substring(cursor + 1))
+                .let(::String)
+                .let {
+                    val colon = it.indexOf(':')
+                    if (colon < 0) {
+                        log.debug(ctx) {
+                            "Missing colon from authentication"
+                        }
+                        return null
+                    }
+                    it.substring(0, colon) to it.substring(colon + 1)
+                }
+
+            return username.let(users::get)?.takeIf { user ->
+                user.password?.let { passwordAndSalt ->
+                    val (_, salt) = decodePasswordHash(passwordAndSalt)
+                    hashPassword(password, Base64.getEncoder().encodeToString(salt)) == passwordAndSalt
+                } ?: false
+            }?.roles
+        }
+    }
+
+    private class ServerInitializer(
+        private val cfg: Configuration,
+        private val eventExecutorGroup: EventExecutorGroup
+    ) : ChannelInitializer<Channel>() {
+
+        private val serverHandler = let {
+            val cacheImplementation = cfg.cache.materialize()
+            val prefix = Path.of("/").resolve(Path.of(cfg.serverPath ?: "/"))
+            ServerHandler(cacheImplementation, prefix)
+        }
+
+        private val exceptionHandler = ExceptionHandler()
+
+        private val authenticator = when (val auth = cfg.authentication) {
+            is Configuration.BasicAuthentication -> NettyHttpBasicAuthenticator(cfg.users, RoleAuthorizer())
+            is Configuration.ClientCertificateAuthentication -> {
+                ClientCertificateAuthenticator(
+                    RoleAuthorizer(),
+                    cfg.users[""]?.roles,
+                    userExtractor(auth),
+                    groupExtractor(auth)
+                )
+            }
+
+            else -> null
+        }
+
+        companion object {
+            private fun createSslCtx(tls: Configuration.Tls): SslContext {
+                val keyStore = tls.keyStore
+                return if (keyStore == null) {
+                    throw IllegalArgumentException("No keystore configured")
+                } else {
+                    val javaKeyStore = loadKeystore(keyStore.file, keyStore.password)
+                    val serverKey = javaKeyStore.getKey(
+                        keyStore.keyAlias, (keyStore.keyPassword ?: "").let(String::toCharArray)
+                    ) as PrivateKey
+                    val serverCert: Array<X509Certificate> =
+                        Arrays.stream(javaKeyStore.getCertificateChain(keyStore.keyAlias))
+                            .map { it as X509Certificate }
+                            .toArray { size -> Array<X509Certificate?>(size) { null } }
+                    SslContextBuilder.forServer(serverKey, *serverCert).apply {
+                        if (tls.isVerifyClients) {
+                            clientAuth(ClientAuth.OPTIONAL)
+                            tls.trustStore?.let { trustStore ->
+                                val ts = loadKeystore(trustStore.file, trustStore.password)
+                                trustManager(
+                                    ClientCertificateValidator.getTrustManager(ts, trustStore.isCheckCertificateStatus)
+                                )
+                            }
+                        }
+                    }.build()
+                }
+            }
+
+            fun loadKeystore(file: Path, password: String?): KeyStore {
+                val ext = JWO.splitExtension(file)
+                    .map(Tuple2<String, String>::get_2)
+                    .orElseThrow {
+                        IllegalArgumentException(
+                            "Keystore file '${file}' must have .jks, .p12, .pfx extension"
+                        )
+                    }
+                val keystore = when (ext.substring(1).lowercase()) {
+                    "jks" -> KeyStore.getInstance("JKS")
+                    "p12", "pfx" -> KeyStore.getInstance("PKCS12")
+                    else -> throw IllegalArgumentException(
+                        "Keystore file '${file}' must have .jks, .p12, .pfx extension"
+                    )
+                }
+                Files.newInputStream(file).use {
+                    keystore.load(it, password?.let(String::toCharArray))
+                }
+                return keystore
+            }
+        }
+
+        private val sslContext: SslContext? = cfg.tls?.let(Companion::createSslCtx)
+
+        private fun userExtractor(authentication: Configuration.ClientCertificateAuthentication) =
+            authentication.userExtractor?.let { extractor ->
+                val pattern = Pattern.compile(extractor.pattern)
+                val rdnType = extractor.rdnType
+                Configuration.UserExtractor { cert: X509Certificate ->
+                    val userName = LdapName(cert.subjectX500Principal.name).rdns.find {
+                        it.type == rdnType
+                    }?.let {
+                        pattern.matcher(it.value.toString())
+                    }?.takeIf(Matcher::matches)?.group(1)
+                    cfg.users[userName] ?: throw java.lang.RuntimeException("Failed to extract user")
+                }
+            }
+
+        private fun groupExtractor(authentication: Configuration.ClientCertificateAuthentication) =
+            authentication.groupExtractor?.let { extractor ->
+                val pattern = Pattern.compile(extractor.pattern)
+                val rdnType = extractor.rdnType
+                Configuration.GroupExtractor { cert: X509Certificate ->
+                    val groupName = LdapName(cert.subjectX500Principal.name).rdns.find {
+                        it.type == rdnType
+                    }?.let {
+                        pattern.matcher(it.value.toString())
+                    }?.takeIf(Matcher::matches)?.group(1)
+                    cfg.groups[groupName] ?: throw java.lang.RuntimeException("Failed to extract group")
+                }
+            }
+
+        override fun initChannel(ch: Channel) {
+            val pipeline = ch.pipeline()
+            sslContext?.newHandler(ch.alloc())?.also {
+                pipeline.addLast(SSL_HANDLER_NAME, it)
+            }
+            pipeline.addLast(HttpServerCodec())
+            pipeline.addLast(HttpChunkContentCompressor(1024))
+            pipeline.addLast(ChunkedWriteHandler())
+            pipeline.addLast(HttpObjectAggregator(cfg.maxRequestSize))
+            authenticator?.let {
+                pipeline.addLast(it)
+            }
+            pipeline.addLast(eventExecutorGroup, serverHandler)
+            pipeline.addLast(exceptionHandler)
+        }
+    }
+
+    @Sharable
+    private class ExceptionHandler : ChannelDuplexHandler() {
+        private val log = contextLogger()
+
+        private val NOT_AUTHORIZED: FullHttpResponse = DefaultFullHttpResponse(
+            HttpVersion.HTTP_1_1, HttpResponseStatus.FORBIDDEN, Unpooled.EMPTY_BUFFER
+        ).apply {
+            headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
+        }
+
+        private val TOO_BIG: FullHttpResponse = DefaultFullHttpResponse(
+            HttpVersion.HTTP_1_1, HttpResponseStatus.REQUEST_ENTITY_TOO_LARGE, Unpooled.EMPTY_BUFFER
+        ).apply {
+            headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
+        }
+
+        override fun exceptionCaught(ctx: ChannelHandlerContext, cause: Throwable) {
+            when (cause) {
+                is DecoderException -> {
+                    log.error(cause.message, cause)
+                    ctx.close()
+                }
+
+                is SSLPeerUnverifiedException -> {
+                    ctx.writeAndFlush(NOT_AUTHORIZED.retainedDuplicate())
+                        .addListener(ChannelFutureListener.CLOSE_ON_FAILURE)
+                }
+
+                is ContentTooLargeException -> {
+                    ctx.writeAndFlush(TOO_BIG.retainedDuplicate())
+                        .addListener(ChannelFutureListener.CLOSE_ON_FAILURE)
+                }
+
+                else -> {
+                    log.error(cause.message, cause)
+                    ctx.close()
+                }
+            }
+        }
+    }
+
+    @Sharable
+    private class ServerHandler(private val cache: Cache, private val serverPrefix: Path) :
+        SimpleChannelInboundHandler<FullHttpRequest>() {
+
+        private val log = contextLogger()
+
+        override fun channelRead0(ctx: ChannelHandlerContext, msg: FullHttpRequest) {
+            val keepAlive: Boolean = HttpUtil.isKeepAlive(msg)
+            val method = msg.method()
+            if (method === HttpMethod.GET) {
+                val path = Path.of(msg.uri())
+                val prefix = path.parent
+                val key = path.fileName.toString()
+                if (serverPrefix == prefix) {
+                    cache.get(key)?.let { channel ->
+                        log.debug(ctx) {
+                            "Cache hit for key '$key'"
+                        }
+                        val response = DefaultHttpResponse(msg.protocolVersion(), HttpResponseStatus.OK)
+                        response.headers()[HttpHeaderNames.CONTENT_TYPE] = HttpHeaderValues.APPLICATION_OCTET_STREAM
+                        if (!keepAlive) {
+                            response.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE)
+                            response.headers().set(HttpHeaderNames.TRANSFER_ENCODING, HttpHeaderValues.IDENTITY)
+                        } else {
+                            response.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.KEEP_ALIVE)
+                            response.headers().set(HttpHeaderNames.TRANSFER_ENCODING, HttpHeaderValues.CHUNKED)
+                        }
+                        ctx.write(response)
+                        when (channel) {
+                            is FileChannel -> {
+                                if (keepAlive) {
+                                    ctx.write(ChunkedNioFile(channel))
+                                    ctx.writeAndFlush(LastHttpContent.EMPTY_LAST_CONTENT)
+                                } else {
+                                    ctx.writeAndFlush(DefaultFileRegion(channel, 0, channel.size()))
+                                        .addListener(ChannelFutureListener.CLOSE)
+                                }
+                            }
+
+                            else -> {
+                                ctx.write(ChunkedNioStream(channel))
+                                ctx.writeAndFlush(LastHttpContent.EMPTY_LAST_CONTENT)
+                            }
+                        }
+                    } ?: let {
+                        log.debug(ctx) {
+                            "Cache miss for key '$key'"
+                        }
+                        val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.NOT_FOUND)
+                        response.headers()[HttpHeaderNames.CONTENT_LENGTH] = 0
+                        ctx.writeAndFlush(response)
+                    }
+                } else {
+                    log.warn(ctx) {
+                        "Got request for unhandled path '${msg.uri()}'"
+                    }
+                    val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.BAD_REQUEST)
+                    response.headers()[HttpHeaderNames.CONTENT_LENGTH] = 0
+                    ctx.writeAndFlush(response)
+                }
+            } else if (method === HttpMethod.PUT) {
+                val path = Path.of(msg.uri())
+                val prefix = path.parent
+                val key = path.fileName.toString()
+
+                if (serverPrefix == prefix) {
+                    log.debug(ctx) {
+                        "Added value for key '$key' to build cache"
+                    }
+                    val bodyBytes = msg.content().run {
+                        if (isDirect) {
+                            ByteArray(readableBytes()).also {
+                                readBytes(it)
+                            }
+                        } else {
+                            array()
+                        }
+                    }
+                    cache.put(key, bodyBytes)
+                    val response = DefaultFullHttpResponse(
+                        msg.protocolVersion(), HttpResponseStatus.CREATED,
+                        Unpooled.copiedBuffer(key.toByteArray())
+                    )
+                    response.headers()[HttpHeaderNames.CONTENT_LENGTH] = response.content().readableBytes()
+                    ctx.writeAndFlush(response)
+                } else {
+                    log.warn(ctx) {
+                        "Got request for unhandled path '${msg.uri()}'"
+                    }
+                    val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.BAD_REQUEST)
+                    response.headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
+                    ctx.writeAndFlush(response)
+                }
+            } else {
+                log.warn(ctx) {
+                    "Got request with unhandled method '${msg.method().name()}'"
+                }
+                val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.BAD_REQUEST)
+                response.headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
+                ctx.writeAndFlush(response)
+            }
+        }
+    }
+
+    class ServerHandle(
+        httpChannelFuture: ChannelFuture,
+        private val executorGroups: Iterable<EventExecutorGroup>
+    ) : AutoCloseable {
+        private val httpChannel: Channel = httpChannelFuture.channel()
+        private val closeFuture: ChannelFuture = httpChannel.closeFuture()
+        private val log = contextLogger()
+
+        fun shutdown(): ChannelFuture {
+            return httpChannel.close()
+        }
+
+        override fun close() {
+            try {
+                closeFuture.sync()
+            } finally {
+                executorGroups.forEach {
+                    it.shutdownGracefully().sync()
+                }
+            }
+            log.info {
+                "GradleBuildCacheServer has been gracefully shut down"
+            }
+        }
+    }
+
+    fun run(): ServerHandle {
+        // Create the multithreaded event loops for the server
+        val bossGroup = NioEventLoopGroup(0)
+        val serverSocketChannel = NioServerSocketChannel::class.java
+        val workerGroup = bossGroup
+        val eventExecutorGroup = run {
+            val threadFactory = if (cfg.isUseVirtualThread) {
+                Thread.ofVirtual().factory()
+            } else {
+                null
+            }
+            DefaultEventExecutorGroup(Runtime.getRuntime().availableProcessors(), threadFactory)
+        }
+        // A helper class that simplifies server configuration
+        val bootstrap = ServerBootstrap().apply {
+            // Configure the server
+            group(bossGroup, workerGroup)
+            channel(serverSocketChannel)
+            childHandler(ServerInitializer(cfg, eventExecutorGroup))
+            option(ChannelOption.SO_BACKLOG, cfg.incomingConnectionsBacklogSize)
+            childOption(ChannelOption.SO_KEEPALIVE, true)
+        }
+
+
+        // Bind and start to accept incoming connections.
+        val bindAddress = InetSocketAddress(cfg.host, cfg.port)
+        val httpChannel = bootstrap.bind(bindAddress).sync()
+        log.info {
+            "GradleBuildCacheServer is listening on ${cfg.host}:${cfg.port}"
+        }
+        return ServerHandle(httpChannel, setOf(bossGroup, workerGroup, eventExecutorGroup))
+    }
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/Logging.kt

@@ -0,0 +1,30 @@
+package net.woggioni.gbcs.server
+
+import io.netty.channel.ChannelHandlerContext
+import org.slf4j.Logger
+import java.net.InetSocketAddress
+
+inline fun Logger.trace(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
+    log(this, ctx, { isTraceEnabled }, { trace(it) } , messageBuilder)
+}
+inline fun Logger.debug(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
+    log(this, ctx, { isDebugEnabled }, { debug(it) } , messageBuilder)
+}
+inline fun Logger.info(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
+    log(this, ctx, { isInfoEnabled }, { info(it) } , messageBuilder)
+}
+inline fun Logger.warn(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
+    log(this, ctx, { isWarnEnabled }, { warn(it) } , messageBuilder)
+}
+inline fun Logger.error(ctx : ChannelHandlerContext, messageBuilder : () -> String) {
+    log(this, ctx, { isErrorEnabled }, { error(it) } , messageBuilder)
+}
+
+inline fun log(log : Logger, ctx : ChannelHandlerContext,
+                        filter : Logger.() -> Boolean,
+                        loggerMethod : Logger.(String) -> Unit, messageBuilder : () -> String) {
+    if(log.filter()) {
+        val clientAddress = (ctx.channel().remoteAddress() as InetSocketAddress).address.hostAddress
+        log.loggerMethod(clientAddress + " - " + messageBuilder())
+    }
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/Authenticator.kt

@@ -1,4 +1,4 @@
-package net.woggioni.gbcs
+package net.woggioni.gbcs.server.auth
 
 import io.netty.buffer.Unpooled
 import io.netty.channel.ChannelFutureListener
@@ -11,11 +11,13 @@ import io.netty.handler.codec.http.HttpRequest
 import io.netty.handler.codec.http.HttpResponseStatus
 import io.netty.handler.codec.http.HttpVersion
 import io.netty.util.ReferenceCountUtil
+import net.woggioni.gbcs.api.Role
+
 
 abstract class AbstractNettyHttpAuthenticator(private val authorizer : Authorizer)
         : ChannelInboundHandlerAdapter() {
 
-    private companion object {
+    companion object {
         private val AUTHENTICATION_FAILED: FullHttpResponse = DefaultFullHttpResponse(
                 HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.EMPTY_BUFFER).apply {
             headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
@@ -26,12 +28,14 @@ abstract class AbstractNettyHttpAuthenticator(private val authorizer : Authorize
             headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
         }
     }
-    abstract fun authenticate(ctx : ChannelHandlerContext, req : HttpRequest) : String?
+
+
+    abstract fun authenticate(ctx : ChannelHandlerContext, req : HttpRequest) : Set<Role>?
 
     override fun channelRead(ctx: ChannelHandlerContext, msg: Any) {
         if(msg is HttpRequest) {
-            val user = authenticate(ctx, msg) ?: return authenticationFailure(ctx, msg)
+            val roles = authenticate(ctx, msg) ?: return authenticationFailure(ctx, msg)
-            val authorized = authorizer.authorize(user, msg)
+            val authorized = authorizer.authorize(roles, msg)
             if(authorized) {
                 super.channelRead(ctx, msg)
             } else {

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/Authorizer.kt

@@ -0,0 +1,8 @@
+package net.woggioni.gbcs.server.auth
+
+import io.netty.handler.codec.http.HttpRequest
+import net.woggioni.gbcs.api.Role
+
+fun interface Authorizer {
+    fun authorize(roles : Set<Role>, request: HttpRequest) : Boolean
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/ClientCertificateValidator.kt

@@ -1,16 +1,18 @@
-package net.woggioni.gbcs
+package net.woggioni.gbcs.server.auth
 
+import io.netty.channel.ChannelHandlerContext
+import io.netty.channel.ChannelInboundHandlerAdapter
+import io.netty.handler.ssl.SslHandler
+import io.netty.handler.ssl.SslHandshakeCompletionEvent
 import java.security.KeyStore
 import java.security.cert.CertPathValidator
+import java.security.cert.CertPathValidatorException
+import java.security.cert.CertificateException
 import java.security.cert.CertificateFactory
 import java.security.cert.PKIXParameters
 import java.security.cert.PKIXRevocationChecker
 import java.security.cert.X509Certificate
 import java.util.EnumSet
-import io.netty.channel.ChannelHandlerContext
-import io.netty.channel.ChannelInboundHandlerAdapter
-import io.netty.handler.ssl.SslHandler
-import io.netty.handler.ssl.SslHandshakeCompletionEvent
 import javax.net.ssl.SSLSession
 import javax.net.ssl.TrustManagerFactory
 import javax.net.ssl.X509TrustManager
@@ -48,7 +50,11 @@ class ClientCertificateValidator private constructor(
                 object : X509TrustManager {
                     override fun checkClientTrusted(chain: Array<out X509Certificate>, authType: String) {
                         val clientCertificateChain = certificateFactory.generateCertPath(chain.toList())
-                        validator.validate(clientCertificateChain, params)
+                        try {
+                            validator.validate(clientCertificateChain, params)
+                        } catch (ex : CertPathValidatorException) {
+                            throw CertificateException(ex)
+                        }
                     }
 
                     override fun checkServerTrusted(chain: Array<out X509Certificate>, authType: String) {

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/auth/UserAuthorizer.kt

@@ -1,9 +1,10 @@
-package net.woggioni.gbcs
+package net.woggioni.gbcs.server.auth
 
 import io.netty.handler.codec.http.HttpMethod
 import io.netty.handler.codec.http.HttpRequest
+import net.woggioni.gbcs.api.Role
 
-class UserAuthorizer(private val users: Map<String, Set<Role>>) : Authorizer {
+class RoleAuthorizer : Authorizer {
 
     companion object {
         private val METHOD_MAP = mapOf(
@@ -12,11 +13,11 @@ class UserAuthorizer(private val users: Map<String, Set<Role>>) : Authorizer {
         )
     }
 
-    override fun authorize(user: String, request: HttpRequest) = users[user]?.let { roles ->
+    override fun authorize(roles: Set<Role>, request: HttpRequest) : Boolean {
         val allowedMethods = roles.asSequence()
             .mapNotNull(METHOD_MAP::get)
             .flatten()
             .toSet()
-        request.method() in allowedMethods
+        return request.method() in allowedMethods
-    } ?: false
+    }
 }

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/cache/FileSystemCache.kt

@@ -0,0 +1,133 @@
+package net.woggioni.gbcs.server.cache
+
+import net.woggioni.gbcs.api.Cache
+import net.woggioni.jwo.JWO
+import net.woggioni.jwo.LockFile
+import java.nio.channels.Channels
+import java.nio.channels.FileChannel
+import java.nio.file.Files
+import java.nio.file.Path
+import java.nio.file.StandardCopyOption
+import java.nio.file.StandardOpenOption
+import java.nio.file.attribute.BasicFileAttributes
+import java.security.MessageDigest
+import java.time.Duration
+import java.time.Instant
+import java.util.concurrent.atomic.AtomicReference
+import java.util.zip.Deflater
+import java.util.zip.DeflaterOutputStream
+import java.util.zip.Inflater
+import java.util.zip.InflaterInputStream
+
+
+class FileSystemCache(
+    val root: Path,
+    val maxAge: Duration,
+    val digestAlgorithm: String?,
+    val compressionEnabled: Boolean,
+    val compressionLevel: Int
+) : Cache {
+
+    private fun lockFilePath(key: String): Path = root.resolve("$key.lock")
+
+    init {
+        Files.createDirectories(root)
+    }
+
+    private var nextGc = AtomicReference(Instant.now().plus(maxAge))
+
+    override fun get(key: String) = (digestAlgorithm
+        ?.let(MessageDigest::getInstance)
+        ?.let { md ->
+            digestString(key.toByteArray(), md)
+        } ?: key).let { digest ->
+        LockFile.acquire(lockFilePath(digest), true).use {
+            root.resolve(digest).takeIf(Files::exists)?.let { file ->
+                if (compressionEnabled) {
+                    val inflater = Inflater()
+                    Channels.newChannel(InflaterInputStream(Files.newInputStream(file), inflater))
+                } else {
+                    FileChannel.open(file, StandardOpenOption.READ)
+                }
+            }
+        }.also {
+            gc()
+        }
+    }
+
+    override fun put(key: String, content: ByteArray) {
+        (digestAlgorithm
+            ?.let(MessageDigest::getInstance)
+            ?.let { md ->
+                digestString(key.toByteArray(), md)
+            } ?: key).let { digest ->
+            LockFile.acquire(lockFilePath(digest), false).use {
+                val file = root.resolve(digest)
+                val tmpFile = Files.createTempFile(root, null, ".tmp")
+                try {
+                    Files.newOutputStream(tmpFile).let {
+                        if (compressionEnabled) {
+                            val deflater = Deflater(compressionLevel)
+                            DeflaterOutputStream(it, deflater)
+                        } else {
+                            it
+                        }
+                    }.use {
+                        it.write(content)
+                    }
+                    Files.move(tmpFile, file, StandardCopyOption.ATOMIC_MOVE)
+                } catch (t: Throwable) {
+                    Files.delete(tmpFile)
+                    throw t
+                }
+            }
+        }.also {
+            gc()
+        }
+    }
+
+    private fun gc() {
+        val now = Instant.now()
+        val oldValue = nextGc.getAndSet(now.plus(maxAge))
+        if (oldValue < now) {
+            actualGc(now)
+        }
+    }
+
+    @Synchronized
+    private fun actualGc(now: Instant) {
+        Files.list(root).filter {
+            !it.fileName.toString().endsWith(".lock")
+        }.filter {
+            val creationTimeStamp = Files.readAttributes(it, BasicFileAttributes::class.java)
+                .creationTime()
+                .toInstant()
+            now > creationTimeStamp.plus(maxAge)
+        }.forEach { file ->
+            val lockFile = lockFilePath(file.fileName.toString())
+            LockFile.acquire(lockFile, false).use {
+                Files.delete(file)
+            }
+            Files.delete(lockFile)
+        }
+    }
+
+    override fun close() {}
+
+    companion object {
+        fun digest(
+            data: ByteArray,
+            md: MessageDigest = MessageDigest.getInstance("MD5")
+        ): ByteArray {
+            md.update(data)
+            return md.digest()
+        }
+
+        fun digestString(
+            data: ByteArray,
+            md: MessageDigest = MessageDigest.getInstance("MD5")
+        ): String {
+            return JWO.bytesToHex(digest(data, md))
+        }
+    }
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/cache/FileSystemCacheConfiguration.kt

@@ -0,0 +1,27 @@
+package net.woggioni.gbcs.server.cache
+
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.common.GBCS
+import net.woggioni.jwo.Application
+import java.nio.file.Path
+import java.time.Duration
+
+data class FileSystemCacheConfiguration(
+    val root: Path?,
+    val maxAge: Duration,
+    val digestAlgorithm : String?,
+    val compressionEnabled: Boolean,
+    val compressionLevel: Int,
+) : Configuration.Cache {
+    override fun materialize() = FileSystemCache(
+        root ?: Application.builder("gbcs").build().computeCacheDirectory(),
+        maxAge,
+        digestAlgorithm,
+        compressionEnabled,
+        compressionLevel
+    )
+
+    override fun getNamespaceURI() = GBCS.GBCS_NAMESPACE_URI
+
+    override fun getTypeName() = "fileSystemCacheType"
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/cache/FileSystemCacheProvider.kt

@@ -0,0 +1,63 @@
+package net.woggioni.gbcs.server.cache
+
+import net.woggioni.gbcs.api.CacheProvider
+import net.woggioni.gbcs.common.GBCS
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.common.Xml.Companion.renderAttribute
+import org.w3c.dom.Document
+import org.w3c.dom.Element
+import java.nio.file.Path
+import java.time.Duration
+import java.util.zip.Deflater
+
+class FileSystemCacheProvider : CacheProvider<FileSystemCacheConfiguration> {
+
+    override fun getXmlSchemaLocation() = "classpath:net/woggioni/gbcs/server/schema/gbcs.xsd"
+
+    override fun getXmlType() = "fileSystemCacheType"
+
+    override fun getXmlNamespace() = "urn:net.woggioni.gbcs.server"
+
+    override fun deserialize(el: Element): FileSystemCacheConfiguration {
+        val path = el.renderAttribute("path")
+            ?.let(Path::of)
+        val maxAge = el.renderAttribute("max-age")
+            ?.let(Duration::parse)
+            ?: Duration.ofDays(1)
+        val enableCompression = el.renderAttribute("enable-compression")
+            ?.let(String::toBoolean)
+            ?: true
+        val compressionLevel = el.renderAttribute("compression-level")
+            ?.let(String::toInt)
+            ?: Deflater.DEFAULT_COMPRESSION
+        val digestAlgorithm = el.renderAttribute("digest") ?: "MD5"
+
+        return FileSystemCacheConfiguration(
+            path,
+            maxAge,
+            digestAlgorithm,
+            enableCompression,
+            compressionLevel
+        )
+    }
+
+    override fun serialize(doc: Document, cache : FileSystemCacheConfiguration) = cache.run {
+        val result = doc.createElement("cache")
+        Xml.of(doc, result) {
+            val prefix = doc.lookupPrefix(GBCS.GBCS_NAMESPACE_URI)
+            attr("xs:type", "${prefix}:fileSystemCacheType", GBCS.XML_SCHEMA_NAMESPACE_URI)
+            attr("path", root.toString())
+            attr("max-age", maxAge.toString())
+            digestAlgorithm?.let { digestAlgorithm ->
+                attr("digest", digestAlgorithm)
+            }
+            attr("enable-compression", compressionEnabled.toString())
+            compressionLevel.takeIf {
+                it != Deflater.DEFAULT_COMPRESSION
+            }?.let {
+                attr("compression-level", it.toString())
+            }
+        }
+        result
+    }
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/configuration/CacheSerializers.kt

@@ -0,0 +1,15 @@
+package net.woggioni.gbcs.server.configuration
+
+import net.woggioni.gbcs.api.CacheProvider
+import net.woggioni.gbcs.api.Configuration
+import java.util.ServiceLoader
+
+object CacheSerializers {
+    val index = (Configuration::class.java.module.layer?.let { layer ->
+        ServiceLoader.load(layer, CacheProvider::class.java)
+    } ?: ServiceLoader.load(CacheProvider::class.java))
+        .asSequence()
+        .map {
+            (it.xmlNamespace to it.xmlType) to it
+        }.toMap()
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/configuration/Parser.kt

@@ -0,0 +1,210 @@
+package net.woggioni.gbcs.server.configuration
+
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.api.Configuration.Authentication
+import net.woggioni.gbcs.api.Configuration.BasicAuthentication
+import net.woggioni.gbcs.api.Configuration.Cache
+import net.woggioni.gbcs.api.Configuration.ClientCertificateAuthentication
+import net.woggioni.gbcs.api.Configuration.Group
+import net.woggioni.gbcs.api.Configuration.KeyStore
+import net.woggioni.gbcs.api.Configuration.Tls
+import net.woggioni.gbcs.api.Configuration.TlsCertificateExtractor
+import net.woggioni.gbcs.api.Configuration.TrustStore
+import net.woggioni.gbcs.api.Configuration.User
+import net.woggioni.gbcs.api.Role
+import net.woggioni.gbcs.api.exception.ConfigurationException
+import net.woggioni.gbcs.common.Xml.Companion.asIterable
+import net.woggioni.gbcs.common.Xml.Companion.renderAttribute
+import org.w3c.dom.Document
+import org.w3c.dom.Element
+import org.w3c.dom.TypeInfo
+import java.nio.file.Paths
+
+object Parser {
+    fun parse(document: Document): Configuration {
+        val root = document.documentElement
+        val anonymousUser = User("", null, emptySet())
+        var cache: Cache? = null
+        var host = "127.0.0.1"
+        var port = 11080
+        var users : Map<String, User> = mapOf(anonymousUser.name to anonymousUser)
+        var groups = emptyMap<String, Group>()
+        var tls: Tls? = null
+        val serverPath = root.renderAttribute("path")
+        val useVirtualThread = root.renderAttribute("use-virtual-threads")
+            ?.let(String::toBoolean) ?: true
+        val maxRequestSize = root.renderAttribute("max-request-size")
+            ?.let(String::toInt) ?: 67108864
+        val incomingConnectionsBacklogSize = root.renderAttribute("incoming-connections-backlog-size")
+            ?.let(String::toInt) ?: 1024
+        var authentication: Authentication? = null
+        for (child in root.asIterable()) {
+            val tagName = child.localName
+            when (tagName) {
+                "authorization" -> {
+                    var knownUsers = sequenceOf(anonymousUser)
+                    for (gchild in child.asIterable()) {
+                        when (gchild.localName) {
+                            "users" -> {
+                                knownUsers += parseUsers(gchild)
+                            }
+                            "groups" -> {
+                                val pair = parseGroups(gchild, knownUsers)
+                                users = pair.first
+                                groups = pair.second
+                            }
+                        }
+                    }
+                }
+
+                "bind" -> {
+                    host = child.renderAttribute("host") ?: throw ConfigurationException("host attribute is required")
+                    port = Integer.parseInt(child.renderAttribute("port"))
+                }
+
+                "cache" -> {
+                    cache = (child as TypeInfo).let { tf ->
+                        val typeNamespace = tf.typeNamespace
+                        val typeName = tf.typeName
+                        CacheSerializers.index[typeNamespace to typeName]
+                            ?: throw IllegalArgumentException("Cache provider for namespace '$typeNamespace' not found")
+                    }.deserialize(child)
+                }
+
+                "authentication" -> {
+                    for (gchild in child.asIterable()) {
+                        when (gchild.localName) {
+                            "basic" -> {
+                                authentication = BasicAuthentication()
+                            }
+
+                            "client-certificate" -> {
+                                var tlsExtractorUser: TlsCertificateExtractor? = null
+                                var tlsExtractorGroup: TlsCertificateExtractor? = null
+                                for (ggchild in gchild.asIterable()) {
+                                    when (ggchild.localName) {
+                                        "group-extractor" -> {
+                                            val attrName = ggchild.renderAttribute("attribute-name")
+                                            val pattern = ggchild.renderAttribute("pattern")
+                                            tlsExtractorGroup = TlsCertificateExtractor(attrName, pattern)
+                                        }
+
+                                        "user-extractor" -> {
+                                            val attrName = ggchild.renderAttribute("attribute-name")
+                                            val pattern = ggchild.renderAttribute("pattern")
+                                            tlsExtractorUser = TlsCertificateExtractor(attrName, pattern)
+                                        }
+                                    }
+                                }
+                                authentication = ClientCertificateAuthentication(tlsExtractorUser, tlsExtractorGroup)
+                            }
+                        }
+                    }
+                }
+
+                "tls" -> {
+                    val verifyClients = child.renderAttribute("verify-clients")
+                        ?.let(String::toBoolean) ?: false
+                    var keyStore: KeyStore? = null
+                    var trustStore: TrustStore? = null
+                    for (granChild in child.asIterable()) {
+                        when (granChild.localName) {
+                            "keystore" -> {
+                                val keyStoreFile = Paths.get(granChild.renderAttribute("file"))
+                                val keyStorePassword = granChild.renderAttribute("password")
+                                val keyAlias = granChild.renderAttribute("key-alias")
+                                val keyPassword = granChild.renderAttribute("key-password")
+                                keyStore = KeyStore(
+                                    keyStoreFile,
+                                    keyStorePassword,
+                                    keyAlias,
+                                    keyPassword
+                                )
+                            }
+
+                            "truststore" -> {
+                                val trustStoreFile = Paths.get(granChild.renderAttribute("file"))
+                                val trustStorePassword = granChild.renderAttribute("password")
+                                val checkCertificateStatus = granChild.renderAttribute("check-certificate-status")
+                                    ?.let(String::toBoolean)
+                                    ?: false
+                                trustStore = TrustStore(
+                                    trustStoreFile,
+                                    trustStorePassword,
+                                    checkCertificateStatus
+                                )
+                            }
+                        }
+                    }
+                    tls = Tls(keyStore, trustStore, verifyClients)
+                }
+            }
+        }
+        return Configuration(
+            host,
+            port,
+            serverPath,
+            users,
+            groups,
+            cache!!,
+            authentication,
+            tls,
+            useVirtualThread,
+            maxRequestSize,
+            incomingConnectionsBacklogSize
+        )
+    }
+
+    private fun parseRoles(root: Element) = root.asIterable().asSequence().map {
+        when (it.localName) {
+            "reader" -> Role.Reader
+            "writer" -> Role.Writer
+            else -> throw UnsupportedOperationException("Illegal node '${it.localName}'")
+        }
+    }.toSet()
+
+    private fun parseUserRefs(root: Element) = root.asIterable().asSequence().map {
+        it.renderAttribute("ref")
+    }.toSet()
+
+    private fun parseUsers(root: Element): Sequence<User> {
+        return root.asIterable().asSequence().filter {
+            it.localName == "user"
+        }.map { el ->
+            val username = el.renderAttribute("name")
+            val password = el.renderAttribute("password")
+            User(username, password, emptySet())
+        }
+    }
+
+    private fun parseGroups(root: Element, knownUsers: Sequence<User>): Pair<Map<String, User>, Map<String, Group>> {
+        val knownUsersMap = knownUsers.associateBy(User::getName)
+        val userGroups = mutableMapOf<String, MutableSet<String>>()
+        val groups = root.asIterable().asSequence().filter {
+            it.localName == "group"
+        }.map { el ->
+            val groupName = el.renderAttribute("name") ?: throw ConfigurationException("Group name is required")
+            var roles = emptySet<Role>()
+            for (child in el.asIterable()) {
+                when (child.localName) {
+                    "users" -> {
+                        parseUserRefs(child).mapNotNull(knownUsersMap::get).forEach { user ->
+                            userGroups.computeIfAbsent(user.name) {
+                                mutableSetOf()
+                            }.add(groupName)
+                        }
+                    }
+
+                    "roles" -> {
+                        roles = parseRoles(child)
+                    }
+                }
+            }
+            groupName to Group(groupName, roles)
+        }.toMap()
+        val users = knownUsersMap.map { (name, user) ->
+            name to User(name, user.password, userGroups[name]?.mapNotNull { groups[it] }?.toSet() ?: emptySet())
+        }.toMap()
+        return users to groups
+    }
+}

gbcs-server/src/main/kotlin/net/woggioni/gbcs/server/configuration/Serializer.kt

@@ -0,0 +1,144 @@
+package net.woggioni.gbcs.server.configuration
+
+import net.woggioni.gbcs.api.CacheProvider
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.common.GBCS
+import net.woggioni.gbcs.common.Xml
+import org.w3c.dom.Document
+
+object Serializer {
+
+    fun serialize(conf : Configuration) : Document {
+
+        val schemaLocations = CacheSerializers.index.values.asSequence().map {
+            it.xmlNamespace to it.xmlSchemaLocation
+        }.toMap()
+        return Xml.of(GBCS.GBCS_NAMESPACE_URI, GBCS.GBCS_PREFIX + ":server") {
+            attr("use-virtual-threads", conf.isUseVirtualThread.toString())
+            attr("max-request-size", conf.maxRequestSize.toString())
+            attr("incoming-connections-backlog-size", conf.incomingConnectionsBacklogSize.toString())
+
+//            attr("xmlns:xs", GradleBuildCacheServer.XML_SCHEMA_NAMESPACE_URI)
+            val value = schemaLocations.asSequence().map { (k, v) -> "$k $v" }.joinToString(" ")
+            attr("xs:schemaLocation", value , namespaceURI = GBCS.XML_SCHEMA_NAMESPACE_URI)
+
+            conf.serverPath
+                ?.takeIf(String::isNotEmpty)
+                ?.let { serverPath ->
+                attr("path", serverPath)
+            }
+            node("bind") {
+                attr("host", conf.host)
+                attr("port", conf.port.toString())
+            }
+            val cache = conf.cache
+            val serializer : CacheProvider<Configuration.Cache> =
+                (CacheSerializers.index[cache.namespaceURI to cache.typeName] as? CacheProvider<Configuration.Cache>) ?: throw NotImplementedError()
+            element.appendChild(serializer.serialize(doc, cache))
+            node("authorization") {
+                node("users") {
+                    for(user in conf.users.values) {
+                        if(user.name.isNotEmpty()) {
+                            node("user") {
+                                attr("name", user.name)
+                                user.password?.let { password ->
+                                    attr("password", password)
+                                }
+                            }
+                        }
+                    }
+                }
+                node("groups") {
+                    val groups = conf.users.values.asSequence()
+                        .flatMap {
+                                user -> user.groups.map { it to user }
+                        }.groupBy(Pair<Configuration.Group, Configuration.User>::first, Pair<Configuration.Group, Configuration.User>::second)
+                    for(pair in groups) {
+                        val group = pair.key
+                        val users = pair.value
+                        node("group") {
+                            attr("name", group.name)
+                            if(users.isNotEmpty()) {
+                                node("users") {
+                                    var anonymousUser : Configuration.User? = null
+                                    for(user in users) {
+                                        if(user.name.isNotEmpty()) {
+                                            node("user") {
+                                                attr("ref", user.name)
+                                            }
+                                        } else {
+                                            anonymousUser = user
+                                        }
+                                    }
+                                    if(anonymousUser != null) {
+                                        node("anonymous")
+                                    }
+                                }
+                            }
+                            if(group.roles.isNotEmpty()) {
+                                node("roles") {
+                                    for(role in group.roles) {
+                                        node(role.toString().lowercase())
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+
+            conf.authentication?.let { authentication ->
+                node("authentication") {
+                    when(authentication) {
+                        is Configuration.BasicAuthentication -> {
+                            node("basic")
+                        }
+                        is Configuration.ClientCertificateAuthentication -> {
+                            node("client-certificate") {
+                                authentication.groupExtractor?.let { extractor ->
+                                    node("group-extractor") {
+                                        attr("attribute-name", extractor.rdnType)
+                                        attr("pattern", extractor.pattern)
+                                    }
+                                }
+                                authentication.userExtractor?.let { extractor ->
+                                    node("user-extractor") {
+                                        attr("attribute-name", extractor.rdnType)
+                                        attr("pattern", extractor.pattern)
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+
+            conf.tls?.let { tlsConfiguration ->
+                node("tls") {
+                    tlsConfiguration.keyStore?.let { keyStore ->
+                        node("keystore") {
+                            attr("file", keyStore.file.toString())
+                            keyStore.password?.let { keyStorePassword ->
+                                attr("password", keyStorePassword)
+                            }
+                            attr("key-alias", keyStore.keyAlias)
+                            keyStore.keyPassword?.let { keyPassword ->
+                                attr("key-password", keyPassword)
+                            }
+                        }
+                    }
+
+                    tlsConfiguration.trustStore?.let { trustStore ->
+                        node("truststore") {
+                            attr("file", trustStore.file.toString())
+                            trustStore.password?.let { password ->
+                                attr("password", password)
+                            }
+                            attr("check-certificate-status", trustStore.isCheckCertificateStatus.toString())
+                        }
+                    }
+                }
+            }
+        }
+    }
+}

gbcs-server/src/main/resources/META-INF/services/net.woggioni.gbcs.api.CacheProvider

@@ -0,0 +1 @@
+net.woggioni.gbcs.server.cache.FileSystemCacheProvider

gbcs-server/src/main/resources/net/woggioni/gbcs/server/gbcs-default.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<gbcs:server use-virtual-threads="false"
+             max-request-size="67108864"
+             incoming-connections-backlog-size="1024"
+             xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:gbcs="urn:net.woggioni.gbcs.server"
+             xs:schemaLocation="urn:net.woggioni.gbcs.server jpms://net.woggioni.gbcs.server/net/woggioni/gbcs/server/schema/gbcs.xsd">
+    <bind host="127.0.0.1" port="8080"/>
+    <cache xs:type="gbcs:fileSystemCacheType" path="/tmp/gbcs" max-age="P7D"/>
+    <authentication>
+        <none/>
+    </authentication>
+</gbcs:server>

gbcs-server/src/main/resources/net/woggioni/gbcs/server/schema/gbcs.xsd

@@ -1,14 +1,15 @@
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-<xs:schema targetNamespace="urn:net.woggioni.gbcs"
+<xs:schema targetNamespace="urn:net.woggioni.gbcs.server"
            xmlns:xs="http://www.w3.org/2001/XMLSchema"
-           xmlns:gbcs="urn:net.woggioni.gbcs">
+           xmlns:gbcs="urn:net.woggioni.gbcs.server"
+           elementFormDefault="unqualified">
     <xs:element name="server" type="gbcs:serverType"/>
 
     <xs:complexType name="serverType">
         <xs:sequence minOccurs="0">
             <xs:element name="bind" type="gbcs:bindType" maxOccurs="1"/>
-            <xs:element name="cache" type="gbcs:cacheDirType" maxOccurs="1"/>
+            <xs:element name="cache" type="gbcs:cacheType" maxOccurs="1"/>
-            <xs:element name="authorization" type="gbcs:authorizationType" maxOccurs="1">
+            <xs:element name="authorization" type="gbcs:authorizationType" minOccurs="0">
                 <xs:key name="userId">
                     <xs:selector xpath="users/user"/>
                     <xs:field xpath="@name"/>
@@ -18,32 +19,44 @@
                     <xs:field xpath="@ref"/>
                 </xs:keyref>
             </xs:element>
-            <xs:element name="tls-certificate-authorization" type="gbcs:tlsCertificateAuthorizationType" minOccurs="0" maxOccurs="1"/>
+            <xs:element name="authentication" type="gbcs:authenticationType" minOccurs="0" maxOccurs="1"/>
             <xs:element name="tls" type="gbcs:tlsType" minOccurs="0" maxOccurs="1"/>
         </xs:sequence>
-        <xs:attribute name="path" type="xs:string"/>
+        <xs:attribute name="path" type="xs:string" use="optional"/>
-        <xs:attribute name="useVirtualThreads" type="xs:boolean" use="optional"/>
+        <xs:attribute name="use-virtual-threads" type="xs:boolean" use="optional" default="true"/>
+        <xs:attribute name="max-request-size" type="xs:unsignedInt" use="optional" default="67108864"/>
+        <xs:attribute name="incoming-connections-backlog-size" type="xs:unsignedInt" use="optional" default="1024"/>
     </xs:complexType>
 
     <xs:complexType name="bindType">
-        <xs:attribute name="host" type="xs:string" use="required"/>
+        <xs:attribute name="host" type="xs:token" use="required"/>
         <xs:attribute name="port" type="xs:unsignedShort" use="required"/>
     </xs:complexType>
 
-    <xs:complexType name="cacheDirType">
+    <xs:complexType name="cacheType" abstract="true"/>
-        <xs:attribute name="path" type="xs:string" use="required"/>
+
+    <xs:complexType name="fileSystemCacheType">
+        <xs:complexContent>
+            <xs:extension base="gbcs:cacheType">
+                <xs:attribute name="path" type="xs:string" use="required"/>
+                <xs:attribute name="max-age" type="xs:duration" default="P1D"/>
+                <xs:attribute name="digest" type="xs:token" default="MD5"/>
+                <xs:attribute name="enable-compression" type="xs:boolean" default="true"/>
+                <xs:attribute name="compression-level" type="xs:byte" default="-1"/>
+            </xs:extension>
+        </xs:complexContent>
     </xs:complexType>
 
     <xs:complexType name="tlsCertificateAuthorizationType">
         <xs:sequence>
-            <xs:element name="group-extractor" type="gbcs:X500NameExtractorType"/>
+            <xs:element name="group-extractor" type="gbcs:X500NameExtractorType" minOccurs="0"/>
-            <xs:element name="user-extractor" type="gbcs:X500NameExtractorType"/>
+            <xs:element name="user-extractor" type="gbcs:X500NameExtractorType" minOccurs="0"/>
         </xs:sequence>
     </xs:complexType>
 
     <xs:complexType name="X500NameExtractorType">
-        <xs:attribute name="attribute-name" type="xs:string"/>
+        <xs:attribute name="attribute-name" type="xs:token"/>
-        <xs:attribute name="pattern" type="xs:string"/>
+        <xs:attribute name="pattern" type="xs:token"/>
     </xs:complexType>
 
     <xs:complexType name="authorizationType">
@@ -58,6 +71,14 @@
         </xs:all>
     </xs:complexType>
 
+    <xs:complexType name="authenticationType">
+        <xs:choice>
+            <xs:element name="basic"/>
+            <xs:element name="client-certificate" type="gbcs:tlsCertificateAuthorizationType"/>
+            <xs:element name="none"/>
+        </xs:choice>
+    </xs:complexType>
+
     <xs:complexType name="usersType">
         <xs:sequence>
             <xs:element name="user" type="gbcs:userType" minOccurs="0" maxOccurs="unbounded"/>
@@ -65,10 +86,7 @@
     </xs:complexType>
 
     <xs:complexType name="userType">
-        <xs:all minOccurs="0" maxOccurs="1">
+        <xs:attribute name="name" type="xs:token" use="required"/>
-            <xs:element name="roles" type="gbcs:rolesType"/>
-        </xs:all>
-        <xs:attribute name="name" type="xs:string" use="required"/>
         <xs:attribute name="password" type="xs:string" use="optional"/>
     </xs:complexType>
 
@@ -88,11 +106,11 @@
             </xs:element>
             <xs:element name="roles" type="gbcs:rolesType" maxOccurs="1" minOccurs="0"/>
         </xs:sequence>
-        <xs:attribute name="name" type="xs:string"/>
+        <xs:attribute name="name" type="xs:token"/>
     </xs:complexType>
 
     <xs:simpleType name="role" final="restriction" >
-        <xs:restriction base="xs:string">
+        <xs:restriction base="xs:token">
             <xs:enumeration value="READER" />
             <xs:enumeration value="WRITER" />
         </xs:restriction>
@@ -109,7 +127,8 @@
 
     <xs:complexType name="userRefsType">
         <xs:sequence>
-            <xs:element name="user" type="gbcs:userRefType" maxOccurs="unbounded" minOccurs="0"/>
+                <xs:element name="user" type="gbcs:userRefType" maxOccurs="unbounded" minOccurs="0"/>
+                <xs:element name="anonymous" minOccurs="0" maxOccurs="1"/>
         </xs:sequence>
     </xs:complexType>
 

gbcs-server/src/test/java/net/woggioni/gbcs/server/test/utils/CertificateUtils.java

@@ -0,0 +1,224 @@
+package net.woggioni.gbcs.server.test.utils;
+
+import org.bouncycastle.asn1.DERSequence;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.asn1.x509.BasicConstraints;
+import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
+import org.bouncycastle.asn1.x509.Extension;
+import org.bouncycastle.asn1.x509.GeneralName;
+import org.bouncycastle.asn1.x509.GeneralNames;
+import org.bouncycastle.asn1.x509.KeyPurposeId;
+import org.bouncycastle.asn1.x509.KeyUsage;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import java.time.Instant;
+import java.time.temporal.ChronoUnit;
+import java.util.Date;
+
+public class CertificateUtils {
+
+    public record X509Credentials(
+            KeyPair keyPair,
+            X509Certificate certificate
+    ){ }
+    public static class CertificateAuthority {
+        private final PrivateKey privateKey;
+        private final X509Certificate certificate;
+
+        public CertificateAuthority(PrivateKey privateKey, X509Certificate certificate) {
+            this.privateKey = privateKey;
+            this.certificate = certificate;
+        }
+
+        public PrivateKey getPrivateKey() { return privateKey; }
+        public X509Certificate getCertificate() { return certificate; }
+    }
+
+    /**
+     * Creates a new Certificate Authority (CA)
+     * @param commonName The CA's common name
+     * @param validityDays How long the CA should be valid for
+     * @return The generated CA containing both private key and certificate
+     */
+    public static X509Credentials createCertificateAuthority(String commonName, int validityDays)
+            throws Exception {
+        // Generate key pair
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(4096);
+        KeyPair keyPair = keyPairGenerator.generateKeyPair();
+
+        // Prepare certificate data
+        X500Name issuerName = new X500Name("CN=" + commonName);
+        BigInteger serialNumber = new BigInteger(160, new SecureRandom());
+        Instant now = Instant.now();
+        Date startDate = Date.from(now);
+        Date endDate = Date.from(now.plus(validityDays, ChronoUnit.DAYS));
+
+        // Create certificate builder
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuerName,
+                serialNumber,
+                startDate,
+                endDate,
+                issuerName,
+                keyPair.getPublic()
+        );
+
+        // Add CA extensions
+        certBuilder.addExtension(
+                Extension.basicConstraints,
+                true,
+                new BasicConstraints(true)
+        );
+        certBuilder.addExtension(
+                Extension.keyUsage,
+                true,
+                new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign)
+        );
+
+        // Sign the certificate
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .build(keyPair.getPrivate());
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .getCertificate(certBuilder.build(signer));
+
+        return new X509Credentials(keyPair, cert);
+    }
+
+    /**
+     * Creates a server certificate signed by the CA
+     * @param ca The Certificate Authority to sign with
+     * @param subjectName The server's common name
+     * @param validityDays How long the certificate should be valid for
+     * @return KeyPair containing the server's private key and certificate
+     */
+    public static X509Credentials createServerCertificate(X509Credentials ca, X500Name subjectName, int validityDays)
+            throws Exception {
+        // Generate server key pair
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(2048);
+        KeyPair serverKeyPair = keyPairGenerator.generateKeyPair();
+
+        // Prepare certificate data
+        X500Name issuerName = new X500Name(ca.certificate().getSubjectX500Principal().getName());
+        BigInteger serialNumber = new BigInteger(160, new SecureRandom());
+        Instant now = Instant.now();
+        Date startDate = Date.from(now);
+        Date endDate = Date.from(now.plus(validityDays, ChronoUnit.DAYS));
+
+        // Create certificate builder
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuerName,
+                serialNumber,
+                startDate,
+                endDate,
+                subjectName,
+                serverKeyPair.getPublic()
+        );
+
+        // Add server certificate extensions
+        certBuilder.addExtension(
+                Extension.basicConstraints,
+                true,
+                new BasicConstraints(false)
+        );
+        certBuilder.addExtension(
+                Extension.keyUsage,
+                true,
+                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment)
+        );
+        certBuilder.addExtension(
+                Extension.extendedKeyUsage,
+                true,
+                new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_serverAuth})
+        );
+        GeneralNames subjectAltNames = GeneralNames.getInstance(
+            new DERSequence(
+                new GeneralName[] {
+                    new GeneralName(GeneralName.iPAddress, "127.0.0.1")
+                }
+            )
+        );
+        certBuilder.addExtension(
+                Extension.subjectAlternativeName,
+                true,
+                subjectAltNames
+        );
+
+        // Sign the certificate
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .build(ca.keyPair().getPrivate());
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .getCertificate(certBuilder.build(signer));
+
+
+        return new X509Credentials(serverKeyPair, cert);
+    }
+
+    /**
+     * Creates a client certificate signed by the CA
+     * @param ca The Certificate Authority to sign with
+     * @param subjectName The client's common name
+     * @param validityDays How long the certificate should be valid for
+     * @return KeyPair containing the client's private key and certificate
+     */
+    public static X509Credentials createClientCertificate(X509Credentials ca, X500Name subjectName, int validityDays)
+            throws Exception {
+        // Generate client key pair
+        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
+        keyPairGenerator.initialize(2048);
+        KeyPair clientKeyPair = keyPairGenerator.generateKeyPair();
+
+        // Prepare certificate data
+        X500Name issuerName = new X500Name(ca.certificate().getSubjectX500Principal().getName());
+        BigInteger serialNumber = new BigInteger(160, new SecureRandom());
+        Instant now = Instant.now();
+        Date startDate = Date.from(now);
+        Date endDate = Date.from(now.plus(validityDays, ChronoUnit.DAYS));
+
+        // Create certificate builder
+        X509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(
+                issuerName,
+                serialNumber,
+                startDate,
+                endDate,
+                subjectName,
+                clientKeyPair.getPublic()
+        );
+
+        // Add client certificate extensions
+        certBuilder.addExtension(
+                Extension.basicConstraints,
+                true,
+                new BasicConstraints(false)
+        );
+        certBuilder.addExtension(
+                Extension.keyUsage,
+                true,
+                new KeyUsage(KeyUsage.digitalSignature)
+        );
+        certBuilder.addExtension(
+                Extension.extendedKeyUsage,
+                true,
+                new ExtendedKeyUsage(new KeyPurposeId[]{KeyPurposeId.id_kp_clientAuth})
+        );
+
+        // Sign the certificate
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .build(ca.keyPair().getPrivate());
+        X509Certificate cert = new JcaX509CertificateConverter()
+                .getCertificate(certBuilder.build(signer));
+
+        return new X509Credentials(clientKeyPair, cert);
+    }
+}

gbcs-server/src/test/java/net/woggioni/gbcs/server/test/utils/NetworkUtils.java

@@ -0,0 +1,30 @@
+package net.woggioni.gbcs.server.test.utils;
+
+import net.woggioni.jwo.JWO;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+
+public class NetworkUtils {
+
+    private static final int MAX_ATTEMPTS = 50;
+
+    public static int getFreePort() {
+        int count = 0;
+        while(count < MAX_ATTEMPTS) {
+            try (ServerSocket serverSocket = new ServerSocket(0, 50, InetAddress.getLocalHost())) {
+                final var candidate = serverSocket.getLocalPort();
+                if (candidate > 0) {
+                    return candidate;
+                } else {
+                    JWO.newThrowable(RuntimeException.class, "Got invalid port number: %d", candidate);
+                    throw new RuntimeException("Error trying to find an open port");
+                }
+            } catch (IOException ignored) {
+                ++count;
+            }
+        }
+        throw new RuntimeException("Error trying to find an open port");
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/AbstractBasicAuthServerTest.kt

@@ -0,0 +1,78 @@
+package net.woggioni.gbcs.server.test
+
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.api.Role
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.server.cache.FileSystemCacheConfiguration
+import net.woggioni.gbcs.server.configuration.Serializer
+import net.woggioni.gbcs.server.test.utils.NetworkUtils
+import java.net.URI
+import java.net.http.HttpRequest
+import java.nio.charset.StandardCharsets
+import java.nio.file.Path
+import java.time.Duration
+import java.util.Base64
+import java.util.zip.Deflater
+import kotlin.random.Random
+
+
+abstract class AbstractBasicAuthServerTest : AbstractServerTest() {
+
+    private lateinit var cacheDir : Path
+
+    protected val random = Random(101325)
+    protected val keyValuePair = newEntry(random)
+    protected val serverPath = "gbcs"
+    protected val readersGroup = Configuration.Group("readers", setOf(Role.Reader))
+    protected val writersGroup = Configuration.Group("writers", setOf(Role.Writer))
+
+    abstract protected val users : List<Configuration.User>
+
+    override fun setUp() {
+        this.cacheDir = testDir.resolve("cache")
+        cfg = Configuration(
+            "127.0.0.1",
+            NetworkUtils.getFreePort(),
+            serverPath,
+            users.asSequence().map { it.name to it}.toMap(),
+            sequenceOf(writersGroup, readersGroup).map { it.name to it}.toMap(),
+            FileSystemCacheConfiguration(this.cacheDir,
+                maxAge = Duration.ofSeconds(3600 * 24),
+                digestAlgorithm = "MD5",
+                compressionLevel = Deflater.DEFAULT_COMPRESSION,
+                compressionEnabled = false
+            ),
+            Configuration.BasicAuthentication(),
+            null,
+            true,
+            0x10000,
+            100
+        )
+        Xml.write(Serializer.serialize(cfg), System.out)
+    }
+
+    override fun tearDown() {
+    }
+
+    protected fun buildAuthorizationHeader(user : Configuration.User, password : String) : String {
+        val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let{
+            String(it, StandardCharsets.UTF_8)
+        }
+        return "Basic $b64"
+    }
+
+    protected fun newRequestBuilder(key : String) = HttpRequest.newBuilder()
+        .uri(URI.create("http://${cfg.host}:${cfg.port}/$serverPath/$key"))
+
+
+    protected fun newEntry(random : Random) : Pair<String, ByteArray> {
+        val key = ByteArray(0x10).let {
+            random.nextBytes(it)
+            Base64.getUrlEncoder().encodeToString(it)
+        }
+        val value = ByteArray(0x1000).also {
+            random.nextBytes(it)
+        }
+        return key to value
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/AbstractServerTest.kt

@@ -0,0 +1,50 @@
+package net.woggioni.gbcs.server.test
+
+import net.woggioni.gbcs.server.GradleBuildCacheServer
+import net.woggioni.gbcs.api.Configuration
+import org.junit.jupiter.api.AfterAll
+import org.junit.jupiter.api.BeforeAll
+import org.junit.jupiter.api.MethodOrderer
+import org.junit.jupiter.api.TestInstance
+import org.junit.jupiter.api.TestMethodOrder
+import org.junit.jupiter.api.io.TempDir
+import java.nio.file.Path
+
+
+@TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@TestMethodOrder(MethodOrderer.OrderAnnotation::class)
+abstract class AbstractServerTest {
+
+    protected lateinit var cfg : Configuration
+
+    protected lateinit var testDir : Path
+
+    private var serverHandle : GradleBuildCacheServer.ServerHandle? = null
+
+    @BeforeAll
+    fun setUp0(@TempDir tmpDir : Path) {
+        this.testDir = tmpDir
+        setUp()
+        startServer(cfg)
+    }
+
+    @AfterAll
+    fun tearDown0() {
+        tearDown()
+        stopServer()
+    }
+
+    abstract fun setUp()
+
+    abstract fun tearDown()
+
+    private fun startServer(cfg : Configuration) {
+        this.serverHandle = GradleBuildCacheServer(cfg).run()
+    }
+
+    private fun stopServer() {
+        this.serverHandle?.use {
+            it.shutdown()
+        }
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/AbstractTlsServerTest.kt

@@ -0,0 +1,189 @@
+package net.woggioni.gbcs.server.test
+
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.api.Role
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.server.cache.FileSystemCacheConfiguration
+import net.woggioni.gbcs.server.configuration.Serializer
+import net.woggioni.gbcs.server.test.utils.CertificateUtils
+import net.woggioni.gbcs.server.test.utils.CertificateUtils.X509Credentials
+import net.woggioni.gbcs.server.test.utils.NetworkUtils
+import org.bouncycastle.asn1.x500.X500Name
+import java.net.URI
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.nio.charset.StandardCharsets
+import java.nio.file.Files
+import java.nio.file.Path
+import java.security.KeyStore
+import java.security.KeyStore.PasswordProtection
+import java.time.Duration
+import java.util.Base64
+import java.util.zip.Deflater
+import javax.net.ssl.KeyManagerFactory
+import javax.net.ssl.SSLContext
+import javax.net.ssl.TrustManagerFactory
+import kotlin.random.Random
+
+
+abstract class AbstractTlsServerTest : AbstractServerTest() {
+
+    companion object {
+        private const val CA_CERTIFICATE_ENTRY = "gbcs-ca"
+        private const val CLIENT_CERTIFICATE_ENTRY = "gbcs-client"
+        private const val SERVER_CERTIFICATE_ENTRY = "gbcs-server"
+        private const val PASSWORD = "password"
+    }
+
+    private lateinit var cacheDir: Path
+    private lateinit var serverKeyStoreFile: Path
+    private lateinit var clientKeyStoreFile: Path
+    private lateinit var trustStoreFile: Path
+    private lateinit var serverKeyStore: KeyStore
+    private lateinit var clientKeyStore: KeyStore
+    private lateinit var trustStore: KeyStore
+    protected lateinit var ca: X509Credentials
+
+    protected val readersGroup = Configuration.Group("readers", setOf(Role.Reader))
+    protected val writersGroup = Configuration.Group("writers", setOf(Role.Writer))
+    protected val random = Random(101325)
+    protected val keyValuePair = newEntry(random)
+    private val serverPath : String? = null
+
+    protected abstract val users : List<Configuration.User>
+
+    protected fun createKeyStoreAndTrustStore() {
+        ca = CertificateUtils.createCertificateAuthority(CA_CERTIFICATE_ENTRY, 30)
+        val serverCert = CertificateUtils.createServerCertificate(ca, X500Name("CN=$SERVER_CERTIFICATE_ENTRY"), 30)
+        val clientCert = CertificateUtils.createClientCertificate(ca, X500Name("CN=$CLIENT_CERTIFICATE_ENTRY"), 30)
+
+        serverKeyStore = KeyStore.getInstance("PKCS12").apply {
+            load(null, null)
+            setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+            setEntry(
+                SERVER_CERTIFICATE_ENTRY,
+                KeyStore.PrivateKeyEntry(
+                    serverCert.keyPair().private,
+                    arrayOf(serverCert.certificate(), ca.certificate)
+                ),
+                PasswordProtection(PASSWORD.toCharArray())
+            )
+        }
+        Files.newOutputStream(this.serverKeyStoreFile).use {
+            serverKeyStore.store(it, null)
+        }
+
+        clientKeyStore = KeyStore.getInstance("PKCS12").apply {
+            load(null, null)
+            setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+            setEntry(
+                CLIENT_CERTIFICATE_ENTRY,
+                KeyStore.PrivateKeyEntry(
+                    clientCert.keyPair().private,
+                    arrayOf(clientCert.certificate(), ca.certificate)
+                ),
+                PasswordProtection(PASSWORD.toCharArray())
+            )
+        }
+        Files.newOutputStream(this.clientKeyStoreFile).use {
+            clientKeyStore.store(it, null)
+        }
+
+        trustStore = KeyStore.getInstance("PKCS12").apply {
+            load(null, null)
+            setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+        }
+        Files.newOutputStream(this.trustStoreFile).use {
+            trustStore.store(it, null)
+        }
+    }
+
+    protected fun getClientKeyStore(ca: X509Credentials, subject: X500Name) = KeyStore.getInstance("PKCS12").apply {
+        val clientCert = CertificateUtils.createClientCertificate(ca, subject, 30)
+
+        load(null, null)
+        setEntry(CA_CERTIFICATE_ENTRY, KeyStore.TrustedCertificateEntry(ca.certificate), PasswordProtection(null))
+        setEntry(
+            CLIENT_CERTIFICATE_ENTRY,
+            KeyStore.PrivateKeyEntry(clientCert.keyPair().private, arrayOf(clientCert.certificate(), ca.certificate)),
+            PasswordProtection(PASSWORD.toCharArray())
+        )
+    }
+
+    protected fun getHttpClient(clientKeyStore: KeyStore?): HttpClient {
+        val kmf = clientKeyStore?.let {
+            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()).apply {
+                init(it, PASSWORD.toCharArray())
+            }
+        }
+
+
+        // Set up trust manager factory with the truststore
+        val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
+        tmf.init(trustStore)
+
+        // Create SSL context with the key and trust managers
+        val sslContext = SSLContext.getInstance("TLS").apply {
+            init(kmf?.keyManagers ?: emptyArray(), tmf.trustManagers, null)
+        }
+        return HttpClient.newBuilder().sslContext(sslContext).build()
+    }
+
+    override fun setUp() {
+        this.clientKeyStoreFile = testDir.resolve("client-keystore.p12")
+        this.serverKeyStoreFile = testDir.resolve("server-keystore.p12")
+        this.trustStoreFile = testDir.resolve("truststore.p12")
+        this.cacheDir = testDir.resolve("cache")
+        createKeyStoreAndTrustStore()
+        cfg = Configuration(
+            "127.0.0.1",
+            NetworkUtils.getFreePort(),
+            serverPath,
+            users.asSequence().map { it.name to it }.toMap(),
+            sequenceOf(writersGroup, readersGroup).map { it.name to it }.toMap(),
+            FileSystemCacheConfiguration(this.cacheDir,
+                maxAge = Duration.ofSeconds(3600 * 24),
+                compressionEnabled = true,
+                compressionLevel = Deflater.DEFAULT_COMPRESSION,
+                digestAlgorithm = "MD5"
+            ),
+            Configuration.ClientCertificateAuthentication(
+                Configuration.TlsCertificateExtractor("CN", "(.*)"),
+                null
+            ),
+            Configuration.Tls(
+                Configuration.KeyStore(this.serverKeyStoreFile, null, SERVER_CERTIFICATE_ENTRY, PASSWORD),
+                Configuration.TrustStore(this.trustStoreFile, null, false),
+                true
+            ),
+            false,
+            0x10000,
+            100
+        )
+        Xml.write(Serializer.serialize(cfg), System.out)
+    }
+
+    override fun tearDown() {
+    }
+
+    protected fun newRequestBuilder(key: String) = HttpRequest.newBuilder()
+        .uri(URI.create("https://${cfg.host}:${cfg.port}/${serverPath ?: ""}/$key"))
+
+    private fun buildAuthorizationHeader(user: Configuration.User, password: String): String {
+        val b64 = Base64.getEncoder().encode("${user.name}:${password}".toByteArray(Charsets.UTF_8)).let {
+            String(it, StandardCharsets.UTF_8)
+        }
+        return "Basic $b64"
+    }
+
+    protected fun newEntry(random: Random): Pair<String, ByteArray> {
+        val key = ByteArray(0x10).let {
+            random.nextBytes(it)
+            Base64.getUrlEncoder().encodeToString(it)
+        }
+        val value = ByteArray(0x1000).also {
+            random.nextBytes(it)
+        }
+        return key to value
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/BasicAuthServerTest.kt

@@ -0,0 +1,147 @@
+package net.woggioni.gbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.api.Role
+import net.woggioni.gbcs.common.PasswordSecurity.hashPassword
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+
+class BasicAuthServerTest : AbstractBasicAuthServerTest() {
+
+    companion object {
+        private const val PASSWORD = "password"
+    }
+
+    override val users = listOf(
+        Configuration.User("user1", hashPassword(PASSWORD), setOf(readersGroup)),
+        Configuration.User("user2", hashPassword(PASSWORD), setOf(writersGroup)),
+        Configuration.User("user3", hashPassword(PASSWORD), setOf(readersGroup, writersGroup)),
+        Configuration.User("", null, setOf(readersGroup))
+    )
+
+    @Test
+    @Order(1)
+    fun putWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun putAsAReaderUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles && Role.Writer !in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(3)
+    fun getAsAWriterUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, _) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(4)
+    fun putAsAWriterUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.CREATED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(5)
+    fun getAsAReaderUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(6)
+    fun getAsAnonymousUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(7)
+    fun getMissingKeyAsAReaderUser() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, _) = newEntry(random)
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Authorization", buildAuthorizationHeader(user, PASSWORD))
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/ConfigurationTest.kt

@@ -0,0 +1,38 @@
+package net.woggioni.gbcs.server.test
+
+import net.woggioni.gbcs.common.GBCS.toUrl
+import net.woggioni.gbcs.common.GbcsUrlStreamHandlerFactory
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.server.configuration.Parser
+import net.woggioni.gbcs.server.configuration.Serializer
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.io.TempDir
+import org.junit.jupiter.params.ParameterizedTest
+import org.junit.jupiter.params.provider.ValueSource
+import java.nio.file.Files
+import java.nio.file.Path
+
+class ConfigurationTest {
+
+    @ValueSource(
+        strings = [
+            "classpath:net/woggioni/gbcs/server/test/gbcs-default.xml",
+            "classpath:net/woggioni/gbcs/server/test/gbcs-memcached.xml",
+            "classpath:net/woggioni/gbcs/server/test/gbcs-tls.xml",
+        ]
+    )
+    @ParameterizedTest
+    fun test(configurationUrl: String, @TempDir testDir: Path) {
+        GbcsUrlStreamHandlerFactory.install()
+        val doc = Xml.parseXml(configurationUrl.toUrl())
+        val cfg = Parser.parse(doc)
+        val configFile = testDir.resolve("gbcs.xml")
+        Files.newOutputStream(configFile).use {
+            Xml.write(Serializer.serialize(cfg), it)
+        }
+        Xml.write(Serializer.serialize(cfg), System.out)
+
+        val parsed = Parser.parse(Xml.parseXml(configFile.toUri().toURL()))
+        Assertions.assertEquals(cfg, parsed)
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/NoAnonymousUserBasicAuthServerTest.kt

@@ -0,0 +1,52 @@
+package net.woggioni.gbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.common.PasswordSecurity.hashPassword
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+
+class NoAnonymousUserBasicAuthServerTest : AbstractBasicAuthServerTest() {
+
+    companion object {
+        private const val PASSWORD = "anotherPassword"
+    }
+
+    override val users = listOf(
+        Configuration.User("user1", hashPassword(PASSWORD), setOf(readersGroup)),
+        Configuration.User("user2", hashPassword(PASSWORD), setOf(writersGroup)),
+        Configuration.User("user3", hashPassword(PASSWORD), setOf(readersGroup, writersGroup)),
+    )
+
+    @Test
+    @Order(1)
+    fun putWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun getWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/NoAnonymousUserTlsServerTest.kt

@@ -0,0 +1,47 @@
+package net.woggioni.gbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.gbcs.api.Configuration
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+class NoAnonymousUserTlsServerTest : AbstractTlsServerTest() {
+
+    override val users = listOf(
+        Configuration.User("user1", null, setOf(readersGroup)),
+        Configuration.User("user2", null, setOf(writersGroup)),
+        Configuration.User("user3", null, setOf(readersGroup, writersGroup)),
+    )
+
+    @Test
+    @Order(1)
+    fun getAsAnonymousUser() {
+        val (key, _) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun putAsAnonymousUser() {
+        val (key, value) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.UNAUTHORIZED.code(), response.statusCode())
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/NoAuthServerTest.kt

@@ -0,0 +1,133 @@
+package net.woggioni.gbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.common.Xml
+import net.woggioni.gbcs.server.cache.FileSystemCacheConfiguration
+import net.woggioni.gbcs.server.configuration.Serializer
+import net.woggioni.gbcs.server.test.utils.NetworkUtils
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.URI
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+import java.nio.file.Path
+import java.time.Duration
+import java.util.Base64
+import java.util.zip.Deflater
+import kotlin.random.Random
+
+
+class NoAuthServerTest : AbstractServerTest() {
+
+    private lateinit var cacheDir : Path
+
+    private val random = Random(101325)
+    private val keyValuePair = newEntry(random)
+    private val serverPath = "/some/nested/path"
+
+    override fun setUp() {
+        this.cacheDir = testDir.resolve("cache")
+        cfg = Configuration(
+            "127.0.0.1",
+            NetworkUtils.getFreePort(),
+            serverPath,
+            emptyMap(),
+            emptyMap(),
+            FileSystemCacheConfiguration(
+                this.cacheDir,
+                maxAge = Duration.ofSeconds(3600 * 24),
+                compressionEnabled = true,
+                digestAlgorithm = "MD5",
+                compressionLevel = Deflater.DEFAULT_COMPRESSION
+            ),
+            null,
+            null,
+            true,
+            0x10000,
+            100
+        )
+        Xml.write(Serializer.serialize(cfg), System.out)
+    }
+
+    override fun tearDown() {
+    }
+
+    fun newRequestBuilder(key : String) = HttpRequest.newBuilder()
+        .uri(URI.create("http://${cfg.host}:${cfg.port}/$serverPath/$key"))
+
+    fun newEntry(random : Random) : Pair<String, ByteArray> {
+        val key = ByteArray(0x10).let {
+            random.nextBytes(it)
+            Base64.getUrlEncoder().encodeToString(it)
+        }
+        val value = ByteArray(0x1000).also {
+            random.nextBytes(it)
+        }
+        return key to value
+    }
+
+    @Test
+    @Order(1)
+    fun putWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value) = keyValuePair
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.CREATED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun getWithNoAuthorizationHeader() {
+        val client: HttpClient = HttpClient.newHttpClient()
+        val (key, value ) = keyValuePair
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(3)
+    fun getMissingKey() {
+        val client: HttpClient = HttpClient.newHttpClient()
+
+        val (key, _) = newEntry(random)
+        val requestBuilder = newRequestBuilder(key).GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
+    }
+
+//    @Test
+//    @Order(4)
+//    fun manyRequestsTest() {
+//        val client: HttpClient = HttpClient.newHttpClient()
+//
+//        for(i in 0 until 100000) {
+//
+//            val newEntry = random.nextBoolean()
+//            val (key, _) = if(newEntry) {
+//                newEntry(random)
+//            } else {
+//                keyValuePair
+//            }
+//            val requestBuilder = newRequestBuilder(key).GET()
+//
+//            val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+//            if(newEntry) {
+//                Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
+//            } else {
+//                Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+//            }
+//        }
+//    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/TlsServerTest.kt

@@ -0,0 +1,136 @@
+package net.woggioni.gbcs.server.test
+
+import io.netty.handler.codec.http.HttpResponseStatus
+import net.woggioni.gbcs.api.Configuration
+import net.woggioni.gbcs.api.Role
+import org.bouncycastle.asn1.x500.X500Name
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Order
+import org.junit.jupiter.api.Test
+import java.net.http.HttpClient
+import java.net.http.HttpRequest
+import java.net.http.HttpResponse
+
+
+class TlsServerTest : AbstractTlsServerTest() {
+
+    override val users = listOf(
+        Configuration.User("user1", null, setOf(readersGroup)),
+        Configuration.User("user2", null, setOf(writersGroup)),
+        Configuration.User("user3", null, setOf(readersGroup, writersGroup)),
+        Configuration.User("", null, setOf(readersGroup))
+    )
+
+    @Test
+    @Order(1)
+    fun putAsAReaderUser() {
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles && Role.Writer !in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(2)
+    fun getAsAWriterUser() {
+        val (key, _) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(3)
+    fun putAsAWriterUser() {
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Writer in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.CREATED.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(4)
+    fun getAsAReaderUser() {
+        val (key, value) = keyValuePair
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(5)
+    fun getMissingKeyAsAReaderUser() {
+        val (key, _) = newEntry(random)
+        val user = cfg.users.values.find {
+            Role.Reader in it.roles
+        } ?: throw RuntimeException("Reader user not found")
+        val client: HttpClient = getHttpClient(getClientKeyStore(ca, X500Name("CN=${user.name}")))
+
+        val requestBuilder = newRequestBuilder(key)
+            .GET()
+
+        val response: HttpResponse<ByteArray> =
+            client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.NOT_FOUND.code(), response.statusCode())
+    }
+
+    @Test
+    @Order(6)
+    fun getAsAnonymousUser() {
+        val (key, value) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .GET()
+
+        val response: HttpResponse<ByteArray> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofByteArray())
+        Assertions.assertEquals(HttpResponseStatus.OK.code(), response.statusCode())
+        Assertions.assertArrayEquals(value, response.body())
+    }
+
+    @Test
+    @Order(7)
+    fun putAsAnonymousUser() {
+        val (key, value) = keyValuePair
+        val client: HttpClient = getHttpClient(null)
+
+        val requestBuilder = newRequestBuilder(key)
+            .header("Content-Type", "application/octet-stream")
+            .PUT(HttpRequest.BodyPublishers.ofByteArray(value))
+
+        val response: HttpResponse<String> = client.send(requestBuilder.build(), HttpResponse.BodyHandlers.ofString())
+        Assertions.assertEquals(HttpResponseStatus.FORBIDDEN.code(), response.statusCode())
+    }
+}

gbcs-server/src/test/kotlin/net/woggioni/gbcs/server/test/X500NameTest.kt

@@ -0,0 +1,19 @@
+package net.woggioni.gbcs.server.test
+
+import org.junit.jupiter.api.Assertions
+import org.junit.jupiter.api.Test
+import javax.naming.ldap.LdapName
+
+class X500NameTest {
+
+    @Test
+    fun test() {
+        val name =
+            "C=SG, L=Bugis, CN=woggioni@f6aa5663ef26, emailAddress=oggioni.walter@gmail.com, street=1 Fraser Street\\, Duo Residences #23-05, postalCode=189350, GN=Walter, SN=Oggioni, pseudonym=woggioni"
+        val ldapName = LdapName(name)
+        val value = ldapName.rdns.asSequence().find {
+            it.type == "CN"
+        }!!.value
+        Assertions.assertEquals("woggioni@f6aa5663ef26", value)
+    }
+}

gbcs-server/src/test/resources/logback.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE configuration>
+
+<configuration>
+    <import class="ch.qos.logback.classic.encoder.PatternLayoutEncoder"/>
+    <import class="ch.qos.logback.core.ConsoleAppender"/>
+
+    <appender name="console" class="ConsoleAppender">
+        <target>System.err</target>
+        <encoder class="PatternLayoutEncoder">
+            <pattern>%d [%highlight(%-5level)] \(%thread\) %logger{36} -%kvp- %msg %n</pattern>
+        </encoder>
+    </appender>
+
+    <root level="info">
+        <appender-ref ref="console"/>
+    </root>
+    <logger name="io.netty" level="debug"/>
+    <logger name="com.google.code.yanf4j" level="warn"/>
+    <logger name="net.rubyeye.xmemcached" level="warn"/>
+</configuration>

gbcs-server/src/test/resources/net/woggioni/gbcs/server/test/gbcs-default.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<gbcs:server use-virtual-threads="false" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:gbcs="urn:net.woggioni.gbcs.server"
+             xs:schemaLocation="urn:net.woggioni.gbcs.server jpms://net.woggioni.gbcs.server/net/woggioni/gbcs/server/schema/gbcs.xsd">
+    <bind host="127.0.0.1" port="11443"/>
+    <cache xs:type="gbcs:fileSystemCacheType" path="/tmp/gbcs" max-age="P7D"/>
+    <authentication>
+        <none/>
+    </authentication>
+</gbcs:server>

gbcs-server/src/test/resources/net/woggioni/gbcs/server/test/gbcs-memcached.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<gbcs:server use-virtual-threads="false" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:gbcs="urn:net.woggioni.gbcs.server"
+             xmlns:gbcs-memcached="urn:net.woggioni.gbcs.server.memcached"
+             xs:schemaLocation="urn:net.woggioni.gbcs.server.memcached jpms://net.woggioni.gbcs.server.memcached/net/woggioni/gbcs/server/memcached/schema/gbcs-memcached.xsd urn:net.woggioni.gbcs.server jpms://net.woggioni.gbcs.server/net/woggioni/gbcs/server/schema/gbcs.xsd">
+    <bind host="127.0.0.1" port="11443" />
+    <cache xs:type="gbcs-memcached:memcachedCacheType" max-age="P7D" max-size="101325" digest="SHA-256">
+        <server host="127.0.0.1" port="11211"/>
+    </cache>
+    <authentication>
+        <none/>
+    </authentication>
+</gbcs:server>

gbcs-server/src/test/resources/net/woggioni/gbcs/server/test/gbcs-tls.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<gbcs:server use-virtual-threads="false" max-request-size="4096" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:gbcs="urn:net.woggioni.gbcs.server"
+             xs:schemaLocation="urn:net.woggioni.gbcs.server jpms://net.woggioni.gbcs.server/net/woggioni/gbcs/server/schema/gbcs.xsd">
+    <bind host="127.0.0.1" port="11443"/>
+    <cache xs:type="gbcs:fileSystemCacheType" path="/tmp/gbcs" max-age="P7D"/>
+    <authorization>
+        <users>
+            <user name="user1" password="password1"/>
+            <user name="user2" password="password2"/>
+            <user name="user3" password="password3"/>
+        </users>
+        <groups>
+            <group name="readers">
+                <users>
+                    <user ref="user1"/>
+<!--                    <user ref="user5"/>-->
+                    <anonymous/>
+                </users>
+                <roles>
+                    <reader/>
+                </roles>
+            </group>
+            <group name="writers">
+                <users>
+                    <user ref="user2"/>
+                </users>
+                <roles>
+                    <writer/>
+                </roles>
+            </group>
+            <group name="readers-writers">
+                <users>
+                    <user ref="user3"/>
+                </users>
+                <roles>
+                    <reader/>
+                    <writer/>
+                </roles>
+            </group>
+        </groups>
+    </authorization>
+    <authentication>
+        <client-certificate>
+            <group-extractor pattern="group-pattern" attribute-name="O"/>
+            <user-extractor pattern="user-pattern" attribute-name="CN"/>
+        </client-certificate>
+    </authentication>
+    <tls>
+        <keystore file="keystore.pfx" key-alias="key1" password="password" key-password="key-password"/>
+        <truststore file="truststore.pfx" password="password" check-certificate-status="true" />
+    </tls>
+</gbcs:server>

gradle.properties

@@ -1,5 +1,12 @@
-gbcs.version = 2024.12.13
+org.gradle.configuration-cache=false
+org.gradle.parallel=true
+org.gradle.caching=true
 
-lys.version = 2024.12.07
+gbcs.version = 0.0.8
+
+lys.version = 2025.01.17
 
 gitea.maven.url = https://gitea.woggioni.net/api/packages/woggioni/maven
+docker.registry.url=gitea.woggioni.net
+
+jpms-check.configurationName = runtimeClasspath

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.11.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.12-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradlew

@@ -15,6 +15,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
+# SPDX-License-Identifier: Apache-2.0
+#
 
 ##############################################################################
 #
@@ -55,7 +57,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/platforms/jvm/plugins-application/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -84,7 +86,8 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
+' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum

gradlew.bat

@@ -13,6 +13,8 @@
 @rem See the License for the specific language governing permissions and
 @rem limitations under the License.
 @rem
+@rem SPDX-License-Identifier: Apache-2.0
+@rem
 
 @if "%DEBUG%"=="" @echo off
 @rem ##########################################################################

native-image/native-image.properties

@@ -1 +0,0 @@
-Args=-H:Optimize=3 -H:+TraceClassInitialization

settings.gradle

@@ -20,10 +20,16 @@ dependencyResolutionManagement {
     versionCatalogs {
         catalog {
             from group: 'com.lys', name: 'lys-catalog', version: getProperty('lys.version')
-            version('envelope', '2024.12.15')
         }
     }
 }
 
 rootProject.name = 'gbcs'
 
+include 'gbcs-api'
+include 'gbcs-common'
+include 'gbcs-server-memcached'
+include 'gbcs-cli'
+include 'docker'
+include 'gbcs-client'
+include 'gbcs-server'

src/main/java/module-info.java

@@ -1,22 +0,0 @@
-import net.woggioni.gbcs.url.ClasspathUrlStreamHandlerFactoryProvider;
-
-module net.woggioni.gbcs {
-    requires java.sql;
-    requires java.xml;
-    requires java.logging;
-    requires kotlin.stdlib;
-    requires io.netty.buffer;
-    requires io.netty.transport;
-    requires io.netty.codec.http;
-    requires io.netty.common;
-    requires io.netty.handler;
-    requires io.netty.codec;
-    requires org.slf4j;
-    requires net.woggioni.jwo;
-
-    exports net.woggioni.gbcs;
-    exports net.woggioni.gbcs.url;
-//    opens net.woggioni.gbcs to net.woggioni.envelope;
-    provides java.net.URLStreamHandlerFactory with ClasspathUrlStreamHandlerFactoryProvider;
-    uses java.net.URLStreamHandlerFactory;
-}

src/main/java/net/woggioni/gbcs/NettyPingServer.java

@@ -1,88 +0,0 @@
-package net.woggioni.gbcs;
-
-import io.netty.bootstrap.ServerBootstrap;
-import io.netty.channel.*;
-import io.netty.channel.nio.NioEventLoopGroup;
-import io.netty.channel.socket.SocketChannel;
-import io.netty.channel.socket.nio.NioServerSocketChannel;
-import io.netty.handler.codec.string.StringDecoder;
-import io.netty.handler.codec.string.StringEncoder;
-import io.netty.util.CharsetUtil;
-
-public class NettyPingServer {
-    private final int port;
-
-    public NettyPingServer(int port) {
-        this.port = port;
-    }
-
-    public void start() throws Exception {
-        // Create event loop groups for handling incoming connections and processing
-        EventLoopGroup bossGroup = new NioEventLoopGroup();
-        EventLoopGroup workerGroup = new NioEventLoopGroup();
-
-        try {
-            // Create server bootstrap configuration
-            ServerBootstrap bootstrap = new ServerBootstrap()
-                    .group(bossGroup, workerGroup)
-                    .channel(NioServerSocketChannel.class)
-                    .childHandler(new ChannelInitializer<SocketChannel>() {
-                        @Override
-                        protected void initChannel(SocketChannel ch) throws Exception {
-                            ch.pipeline().addLast(
-                                    new StringDecoder(CharsetUtil.UTF_8),
-                                    new StringEncoder(CharsetUtil.UTF_8),
-                                    new PingServerHandler()
-                            );
-                        }
-                    })
-                    .option(ChannelOption.SO_BACKLOG, 128)
-                    .childOption(ChannelOption.SO_KEEPALIVE, true);
-
-            // Bind and start the server
-            ChannelFuture future = bootstrap.bind(port).sync();
-            System.out.println("Ping Server started on port: " + port);
-            try(final var handle = new GradleBuildCacheServer.ServerHandle(future, bossGroup, workerGroup)) {
-                Thread.sleep(5000);
-                future.channel().close();
-                // Wait until the server socket is closed
-                future.channel().closeFuture().sync();
-            }
-        } finally {
-            // Shutdown event loop groups
-//            workerGroup.shutdownGracefully();
-//            bossGroup.shutdownGracefully();
-        }
-    }
-
-    // Custom handler for processing ping requests
-    private static class PingServerHandler extends SimpleChannelInboundHandler<String> {
-        @Override
-        protected void channelRead0(ChannelHandlerContext ctx, String msg) throws Exception {
-            // Check if the received message is a ping request
-            if ("ping".equalsIgnoreCase(msg.trim())) {
-                // Respond with "pong"
-                ctx.writeAndFlush("pong\n");
-                System.out.println("Received ping, sent pong");
-            }
-        }
-
-        @Override
-        public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
-            // Log and close the connection in case of any errors
-            cause.printStackTrace();
-            ctx.close();
-        }
-    }
-
-    // Main method to start the server
-    public static void main(String[] args) throws Exception {
-        int port = 8080; // Default port
-        if (args.length > 0) {
-            port = Integer.parseInt(args[0]);
-        }
-
-        new NettyPingServer(port).start();
-    }
-}
-

src/main/java/net/woggioni/gbcs/url/ClasspathUrlStreamHandlerFactoryProvider.java

@@ -1,41 +0,0 @@
-package net.woggioni.gbcs.url;
-
-import java.io.IOException;
-import java.net.URL;
-import java.net.URLConnection;
-import java.net.URLStreamHandler;
-import java.net.URLStreamHandlerFactory;
-
-public class ClasspathUrlStreamHandlerFactoryProvider implements URLStreamHandlerFactory {
-
-    private static class Handler extends URLStreamHandler {
-        private final ClassLoader classLoader;
-
-        public Handler() {
-            this.classLoader = getClass().getClassLoader();
-        }
-
-        public Handler(ClassLoader classLoader) {
-            this.classLoader = classLoader;
-        }
-
-        @Override
-        protected URLConnection openConnection(URL u) throws IOException {
-            final URL resourceUrl = classLoader.getResource(u.getPath());
-            return resourceUrl.openConnection();
-        }
-    }
-
-    @Override
-    public URLStreamHandler createURLStreamHandler(String protocol) {
-        URLStreamHandler result;
-        switch (protocol) {
-            case "classpath":
-                result = new Handler();
-                break;
-            default:
-                result = null;
-        }
-        return result;
-    }
-}

src/main/kotlin/net/woggioni/gbcs/Authorizer.kt

@@ -1,7 +0,0 @@
-package net.woggioni.gbcs
-
-import io.netty.handler.codec.http.HttpRequest
-
-fun interface Authorizer {
-    fun authorize(user : String, request: HttpRequest) : Boolean
-}

src/main/kotlin/net/woggioni/gbcs/Configuration.kt

@@ -1,109 +0,0 @@
-package net.woggioni.gbcs
-
-import java.nio.file.Path
-import java.nio.file.Paths
-import org.w3c.dom.Document
-import net.woggioni.gbcs.Xml.asIterable
-import org.w3c.dom.Element
-
-data class HostAndPort(val host: String, val port : Integer) {
-    override fun toString() = "$host:$port"
-}
-
-data class TlsConfiguration(val keyStore: KeyStore?, val trustStore: TrustStore?, val verifyClients : Boolean)
-data class KeyStore(
-    val file : Path,
-    val password : String?,
-    val keyAlias: String,
-    val keyPassword : String?
-)
-
-data class TrustStore(
-    val file : Path,
-    val password : String?,
-    val checkCertificateStatus : Boolean
-)
-
-data class Configuration(
-    val cacheFolder : Path,
-    val host : String,
-    val port : Int,
-    val users : Map<String, Set<Role>>,
-    val groups : Map<String, Set<Role>>,
-    val tlsConfiguration: TlsConfiguration?,
-    val serverPath : String,
-    val useVirtualThread : Boolean
-) {
-    companion object {
-        fun parse(document : Element) : Configuration {
-
-            var cacheFolder = Paths.get(System.getProperty("user.home")).resolve(".gbcs")
-            var host = "127.0.0.1"
-            var port = 11080
-            val users = emptyMap<String, Set<Role>>()
-            val groups = emptyMap<String, Set<Role>>()
-            var tlsConfiguration : TlsConfiguration? = null
-            val serverPath = document.getAttribute("path")
-                .takeIf(String::isNotEmpty)
-                ?: "/"
-            val useVirtualThread = document.getAttribute("useVirtualThreads")
-                .takeIf(String::isNotEmpty)
-                ?.let(String::toBoolean) ?: false
-
-            for(child in document.asIterable()) {
-                when(child.nodeName) {
-                    "bind" -> {
-                        host = child.getAttribute("host")
-                        port = Integer.parseInt(child.getAttribute("port"))
-                    }
-                    "cache" -> {
-                        cacheFolder = Paths.get(child.textContent)
-                    }
-                    "tls" -> {
-                        val verifyClients = child.getAttribute("verify-clients")
-                            .takeIf(String::isNotEmpty)
-                            ?.let(String::toBoolean) ?: false
-                        var keyStore : KeyStore? = null
-                        var trustStore : TrustStore? = null
-                        for(granChild in child.asIterable()) {
-                            when(granChild.nodeName) {
-                                "keystore" -> {
-                                    val trustStoreFile = Paths.get(granChild.getAttribute("file"))
-                                    val trustStorePassword = granChild.getAttribute("password")
-                                        .takeIf(String::isNotEmpty)
-                                    val keyAlias = granChild.getAttribute("key-alias")
-                                    val keyPasswordPassword = granChild.getAttribute("password")
-                                        .takeIf(String::isNotEmpty)
-                                    keyStore = KeyStore(
-                                        trustStoreFile,
-                                        trustStorePassword,
-                                        keyAlias,
-                                        keyPasswordPassword
-                                    )
-                                }
-                                "truststore" -> {
-                                    val trustStoreFile = Paths.get(granChild.getAttribute("file"))
-                                    val trustStorePassword = granChild.getAttribute("password")
-                                        .takeIf(String::isNotEmpty)
-                                    val checkCertificateStatus = granChild.getAttribute("check-certificate-status")
-                                        .takeIf(String::isNotEmpty)
-                                        ?.let(String::toBoolean)
-                                        ?: false
-                                    trustStore = TrustStore(
-                                        trustStoreFile,
-                                        trustStorePassword,
-                                        checkCertificateStatus
-                                    )
-                                }
-                            }
-                        }
-                        tlsConfiguration = TlsConfiguration(keyStore, trustStore, verifyClients)
-                    }
-                }
-
-            }
-
-            return Configuration(cacheFolder, host, port, users, groups, tlsConfiguration, serverPath, useVirtualThread)
-        }
-    }
-}

src/main/kotlin/net/woggioni/gbcs/GradleBuildCacheServer.kt

@@ -1,474 +0,0 @@
-package net.woggioni.gbcs
-
-import java.net.InetSocketAddress
-import java.net.URL
-import java.net.URLStreamHandlerFactory
-import java.nio.channels.FileChannel
-import java.nio.file.Files
-import java.nio.file.Path
-import java.nio.file.StandardCopyOption
-import java.nio.file.StandardOpenOption
-import java.security.KeyStore
-import java.security.MessageDigest
-import java.security.PrivateKey
-import java.security.cert.X509Certificate
-import java.util.AbstractMap.SimpleEntry
-import java.util.Arrays
-import java.util.Base64
-import java.util.concurrent.Executors
-import io.netty.bootstrap.ServerBootstrap
-import io.netty.buffer.ByteBuf
-import io.netty.buffer.Unpooled
-import io.netty.channel.Channel
-import io.netty.channel.ChannelDuplexHandler
-import io.netty.channel.ChannelFuture
-import io.netty.channel.ChannelFutureListener
-import io.netty.channel.ChannelHandlerContext
-import io.netty.channel.ChannelInitializer
-import io.netty.channel.ChannelOption
-import io.netty.channel.ChannelPromise
-import io.netty.channel.DefaultFileRegion
-import io.netty.channel.EventLoopGroup
-import io.netty.channel.SimpleChannelInboundHandler
-import io.netty.channel.nio.NioEventLoopGroup
-import io.netty.channel.socket.nio.NioServerSocketChannel
-import io.netty.handler.codec.DecoderException
-import io.netty.handler.codec.compression.CompressionOptions
-import io.netty.handler.codec.http.DefaultFullHttpResponse
-import io.netty.handler.codec.http.DefaultHttpContent
-import io.netty.handler.codec.http.DefaultHttpResponse
-import io.netty.handler.codec.http.FullHttpRequest
-import io.netty.handler.codec.http.FullHttpResponse
-import io.netty.handler.codec.http.HttpContentCompressor
-import io.netty.handler.codec.http.HttpHeaderNames
-import io.netty.handler.codec.http.HttpHeaderValues
-import io.netty.handler.codec.http.HttpMethod
-import io.netty.handler.codec.http.HttpObjectAggregator
-import io.netty.handler.codec.http.HttpRequest
-import io.netty.handler.codec.http.HttpResponseStatus
-import io.netty.handler.codec.http.HttpServerCodec
-import io.netty.handler.codec.http.HttpUtil
-import io.netty.handler.codec.http.HttpVersion
-import io.netty.handler.codec.http.LastHttpContent
-import io.netty.handler.ssl.ClientAuth
-import io.netty.handler.ssl.SslContext
-import io.netty.handler.ssl.SslContextBuilder
-import io.netty.handler.stream.ChunkedNioFile
-import io.netty.handler.stream.ChunkedWriteHandler
-import io.netty.util.concurrent.DefaultEventExecutorGroup
-import io.netty.util.concurrent.DefaultThreadFactory
-import io.netty.util.concurrent.EventExecutorGroup
-import net.woggioni.gbcs.url.ClasspathUrlStreamHandlerFactoryProvider
-import javax.net.ssl.SSLPeerUnverifiedException
-import net.woggioni.jwo.Application
-import net.woggioni.jwo.JWO
-import net.woggioni.jwo.Tuple2
-import java.net.URI
-import java.util.concurrent.ForkJoinPool
-
-
-class GradleBuildCacheServer(private val cfg : Configuration) {
-
-    internal class HttpChunkContentCompressor(threshold : Int, vararg  compressionOptions: CompressionOptions = emptyArray())
-        : HttpContentCompressor(threshold, *compressionOptions) {
-        override fun write(ctx: ChannelHandlerContext, msg: Any, promise: ChannelPromise) {
-            var message: Any? = msg
-            if (message is ByteBuf) {
-                // convert ByteBuf to HttpContent to make it work with compression. This is needed as we use the
-                // ChunkedWriteHandler to send files when compression is enabled.
-                val buff = message
-                if (buff.isReadable) {
-                    // We only encode non empty buffers, as empty buffers can be used for determining when
-                    // the content has been flushed and it confuses the HttpContentCompressor
-                    // if we let it go
-                    message = DefaultHttpContent(buff)
-                }
-            }
-            super.write(ctx, message, promise)
-        }
-    }
-
-    private class NettyHttpBasicAuthenticator(
-            private val credentials: Map<String, String>, authorizer: Authorizer) : AbstractNettyHttpAuthenticator(authorizer) {
-
-        companion object {
-            private val log = contextLogger()
-        }
-
-        override fun authenticate(ctx: ChannelHandlerContext, req: HttpRequest): String? {
-            val authorizationHeader = req.headers()[HttpHeaderNames.AUTHORIZATION] ?: let {
-                log.debug(ctx) {
-                    "Missing Authorization header"
-                }
-                return null
-            }
-            val cursor = authorizationHeader.indexOf(' ')
-            if (cursor < 0) {
-                log.debug(ctx) {
-                    "Invalid Authorization header: '$authorizationHeader'"
-                }
-                return null
-            }
-            val authenticationType = authorizationHeader.substring(0, cursor)
-            if ("Basic" != authenticationType) {
-                log.debug(ctx) {
-                    "Invalid authentication type header: '$authenticationType'"
-                }
-                return null
-            }
-            val (user, password) = Base64.getDecoder().decode(authorizationHeader.substring(cursor + 1))
-                    .let(::String)
-                    .let {
-                        val colon = it.indexOf(':')
-                        if(colon < 0) {
-                            log.debug(ctx) {
-                                "Missing colon from authentication"
-                            }
-                            return null
-                        }
-                        it.substring(0, colon) to it.substring(colon + 1)
-                    }
-            return user.takeIf {
-                credentials[user] == password
-            }
-        }
-    }
-
-    private class ServerInitializer(private val cfg : Configuration) : ChannelInitializer<Channel>() {
-
-        private fun createSslCtx(tlsConfiguration : TlsConfiguration) : SslContext {
-            val keyStore = tlsConfiguration.keyStore
-            return if(keyStore == null) {
-                throw IllegalArgumentException("No keystore configured")
-            } else {
-                val javaKeyStore = loadKeystore(keyStore.file, keyStore.password)
-                val serverKey = javaKeyStore.getKey(
-                    keyStore.keyAlias, keyStore.keyPassword?.let(String::toCharArray)) as PrivateKey
-                val serverCert : Array<X509Certificate> = Arrays.stream(javaKeyStore.getCertificateChain(keyStore.keyAlias))
-                    .map { it as X509Certificate }
-                    .toArray {size -> Array<X509Certificate?>(size) { null } }
-                SslContextBuilder.forServer(serverKey, *serverCert).apply {
-                    if(tlsConfiguration.verifyClients) {
-                        clientAuth(ClientAuth.REQUIRE)
-                        val trustStore = tlsConfiguration.trustStore
-                        if (trustStore != null) {
-                            val ts = loadKeystore(trustStore.file, trustStore.password)
-                            trustManager(
-                                ClientCertificateValidator.getTrustManager(ts, trustStore.checkCertificateStatus))
-                        }
-                    }
-                }.build()
-            }
-        }
-
-        private val sslContext : SslContext? = cfg.tlsConfiguration?.let(this::createSslCtx)
-
-        companion object {
-            val group: EventExecutorGroup = DefaultEventExecutorGroup(Runtime.getRuntime().availableProcessors())
-            fun loadKeystore(file : Path, password : String?) : KeyStore {
-                val ext = JWO.splitExtension(file)
-                    .map(Tuple2<String, String>::get_2)
-                    .orElseThrow {
-                        IllegalArgumentException(
-                            "Keystore file '${file}' must have .jks, .p12, .pfx extension")
-                    }
-                val keystore = when(ext.substring(1).lowercase()) {
-                    "jks" -> KeyStore.getInstance("JKS")
-                    "p12", "pfx" -> KeyStore.getInstance("PKCS12")
-                    else -> throw IllegalArgumentException(
-                        "Keystore file '${file}' must have .jks, .p12, .pfx extension")
-                }
-                Files.newInputStream(file).use {
-                    keystore.load(it, password?.let(String::toCharArray))
-                }
-                return keystore
-            }
-        }
-
-        override fun initChannel(ch: Channel) {
-            val userAuthorizer = UserAuthorizer(cfg.users)
-            val pipeline = ch.pipeline()
-            if(sslContext != null) {
-                val sslHandler = sslContext.newHandler(ch.alloc())
-                pipeline.addLast(sslHandler)
-            }
-            pipeline.addLast(HttpServerCodec())
-            pipeline.addLast(HttpChunkContentCompressor(1024))
-            pipeline.addLast(ChunkedWriteHandler())
-            pipeline.addLast(HttpObjectAggregator(Int.MAX_VALUE))
-//            pipeline.addLast(NettyHttpBasicAuthenticator(mapOf("user" to "password")), userAuthorizer)
-            pipeline.addLast(group, ServerHandler(cfg.cacheFolder, cfg.serverPath))
-            pipeline.addLast(ExceptionHandler())
-            Files.createDirectories(cfg.cacheFolder)
-        }
-    }
-
-    private class ExceptionHandler : ChannelDuplexHandler() {
-        private val log = contextLogger()
-
-        private val NOT_AUTHORIZED: FullHttpResponse = DefaultFullHttpResponse(
-            HttpVersion.HTTP_1_1, HttpResponseStatus.FORBIDDEN, Unpooled.EMPTY_BUFFER).apply {
-            headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
-        }
-        override fun exceptionCaught(ctx: ChannelHandlerContext, cause: Throwable) {
-            when(cause) {
-                is DecoderException -> {
-                    log.error(cause.message, cause)
-                    ctx.close()
-                }
-                is SSLPeerUnverifiedException -> {
-                    ctx.writeAndFlush(NOT_AUTHORIZED.retainedDuplicate()).addListener(ChannelFutureListener.CLOSE_ON_FAILURE)
-                }
-                else -> {
-                     log.error(cause.message, cause)
-                     ctx.close()
-                 }
-            }
-        }
-    }
-
-    private class ServerHandler(private val cacheDir: Path, private val serverPrefix: String) : SimpleChannelInboundHandler<FullHttpRequest>() {
-
-        companion object {
-            private val log = contextLogger()
-
-            private fun splitPath(req: HttpRequest): Map.Entry<String, String> {
-                val uri = req.uri()
-                val i = uri.lastIndexOf('/')
-                if (i < 0) throw RuntimeException(String.format("Malformed request URI: '%s'", uri))
-                return SimpleEntry(uri.substring(0, i), uri.substring(i + 1))
-            }
-        }
-
-        override fun channelRead0(ctx: ChannelHandlerContext, msg: FullHttpRequest) {
-            val keepAlive: Boolean = HttpUtil.isKeepAlive(msg)
-            val method = msg.method()
-            if (method === HttpMethod.GET) {
-                val (prefix, key) = splitPath(msg)
-                if (serverPrefix == prefix) {
-                    val file = cacheDir.resolve(digestString(key.toByteArray()))
-                    if (Files.exists(file)) {
-                        log.debug(ctx) {
-                            "Cache hit for key '$key'"
-                        }
-                        val response = DefaultHttpResponse(msg.protocolVersion(), HttpResponseStatus.OK)
-                        response.headers()[HttpHeaderNames.CONTENT_TYPE] = HttpHeaderValues.APPLICATION_OCTET_STREAM
-                        if(!keepAlive) {
-                            response.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE)
-                            response.headers().set(HttpHeaderNames.TRANSFER_ENCODING, HttpHeaderValues.IDENTITY)
-                        } else {
-                            response.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.KEEP_ALIVE)
-                            response.headers().set(HttpHeaderNames.TRANSFER_ENCODING, HttpHeaderValues.CHUNKED)
-                        }
-                        ctx.write(response)
-                        val channel = FileChannel.open(file, StandardOpenOption.READ)
-                        if(keepAlive) {
-                            ctx.write(ChunkedNioFile(channel))
-                            ctx.writeAndFlush(LastHttpContent.EMPTY_LAST_CONTENT)
-                        } else {
-                            ctx.writeAndFlush(DefaultFileRegion(channel, 0, Files.size(file))).addListener(ChannelFutureListener.CLOSE)
-                        }
-                    } else {
-                        log.debug(ctx) {
-                            "Cache miss for key '$key'"
-                        }
-                        val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.NOT_FOUND)
-                        response.headers()[HttpHeaderNames.CONTENT_LENGTH] = 0
-                        ctx.writeAndFlush(response)
-                    }
-                } else {
-                    log.warn(ctx) {
-                        "Got request for unhandled path '${msg.uri()}'"
-                    }
-                    val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.BAD_REQUEST)
-                    response.headers()[HttpHeaderNames.CONTENT_LENGTH] = 0
-                    ctx.writeAndFlush(response)
-                }
-            } else if (method === HttpMethod.PUT) {
-                val (prefix, key) = splitPath(msg)
-                if (serverPrefix == prefix) {
-                    log.debug(ctx) {
-                        "Added value for key '$key' to build cache"
-                    }
-                    val content = msg.content()
-                    val file = cacheDir.resolve(digestString(key.toByteArray()))
-                    val tmpFile = Files.createTempFile(cacheDir, null, ".tmp")
-                    try {
-                        Files.newOutputStream(tmpFile).use {
-                            content.readBytes(it, content.readableBytes())
-                        }
-                        Files.move(tmpFile, file, StandardCopyOption.ATOMIC_MOVE)
-                    } catch (t : Throwable) {
-                        Files.delete(tmpFile)
-                        throw t
-                    }
-                    val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.CREATED,
-                            Unpooled.copiedBuffer(key.toByteArray()))
-                    response.headers()[HttpHeaderNames.CONTENT_LENGTH] = response.content().readableBytes()
-                    ctx.writeAndFlush(response)
-                } else {
-                    log.warn(ctx) {
-                        "Got request for unhandled path '${msg.uri()}'"
-                    }
-                    val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.BAD_REQUEST)
-                    response.headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
-                    ctx.writeAndFlush(response)
-                }
-            } else {
-                log.warn(ctx) {
-                    "Got request with unhandled method '${msg.method().name()}'"
-                }
-                val response = DefaultFullHttpResponse(msg.protocolVersion(), HttpResponseStatus.BAD_REQUEST)
-                response.headers()[HttpHeaderNames.CONTENT_LENGTH] = "0"
-                ctx.writeAndFlush(response)
-            }
-        }
-    }
-
-    class ServerHandle(
-        private val httpChannel : ChannelFuture,
-        private val bossGroup: EventLoopGroup,
-        private val workerGroup: EventLoopGroup) : AutoCloseable {
-
-        private val closeFuture : ChannelFuture = httpChannel.channel().closeFuture()
-
-        fun shutdown() : ChannelFuture {
-            return httpChannel.channel().close()
-        }
-
-        override fun close() {
-            try {
-                closeFuture.sync()
-            } finally {
-                val fut1 = workerGroup.shutdownGracefully()
-                val fut2 = if(bossGroup !== workerGroup) {
-                    bossGroup.shutdownGracefully()
-                } else null
-                fut1.sync()
-                fut2?.sync()
-            }
-        }
-    }
-
-    fun run() : ServerHandle {
-        // Create the multithreaded event loops for the server
-        val bossGroup = NioEventLoopGroup()
-        val serverSocketChannel = NioServerSocketChannel::class.java
-        val workerGroup = if(cfg.useVirtualThread) {
-            NioEventLoopGroup(0, Executors.newVirtualThreadPerTaskExecutor())
-        } else {
-            NioEventLoopGroup(0, Executors.newWorkStealingPool())
-        }
-        // A helper class that simplifies server configuration
-        val bootstrap = ServerBootstrap().apply {
-            // Configure the server
-            group(bossGroup, workerGroup)
-            channel(serverSocketChannel)
-            childHandler(ServerInitializer(cfg))
-            option(ChannelOption.SO_BACKLOG, 128)
-            childOption(ChannelOption.SO_KEEPALIVE, true)
-        }
-
-
-        // Bind and start to accept incoming connections.
-        val bindAddress = InetSocketAddress(cfg.host, cfg.port)
-        val httpChannel = bootstrap.bind(bindAddress).sync()
-        return ServerHandle(httpChannel, bossGroup, workerGroup)
-    }
-
-    companion object {
-
-        private val log by lazy {
-            contextLogger()
-        }
-        private const val PROTOCOL_HANDLER = "java.protocol.handler.pkgs"
-        private const val HANDLERS_PACKAGE = "net.woggioni.gbcs.url"
-
-        /**
-         * Reset any cached handlers just in case a jar protocol has already been used. We
-         * reset the handler by trying to set a null [URLStreamHandlerFactory] which
-         * should have no effect other than clearing the handlers cache.
-         */
-        private fun resetCachedUrlHandlers() {
-            try {
-                URL.setURLStreamHandlerFactory(null)
-            } catch (ex: Error) {
-                // Ignore
-            }
-        }
-        fun registerUrlProtocolHandler() {
-            val handlers = System.getProperty(PROTOCOL_HANDLER, "")
-            System.setProperty(
-                PROTOCOL_HANDLER,
-                if (handlers == null || handlers.isEmpty()) HANDLERS_PACKAGE else "$handlers|$HANDLERS_PACKAGE"
-            )
-            resetCachedUrlHandlers()
-        }
-
-        fun loadConfiguration(args: Array<String>) : Configuration {
-            registerUrlProtocolHandler()
-            URL.setURLStreamHandlerFactory(ClasspathUrlStreamHandlerFactoryProvider())
-            Thread.currentThread().contextClassLoader = GradleBuildCacheServer::class.java.classLoader
-            val app = Application.builder("gbcs")
-                .configurationDirectoryEnvVar("GBCS_CONFIGURATION_DIR")
-                .configurationDirectoryPropertyKey("net.woggioni.gbcs.conf.dir")
-                .build()
-            val confDir = app.computeConfigurationDirectory()
-            val configurationFile = confDir.resolve("gbcs.xml")
-            log.info { "here" }
-            if(!Files.exists(configurationFile)) {
-                Files.createDirectories(confDir)
-                val defaultConfigurationFileResourcePath = "classpath:net/woggioni/gbcs/gbcs-default.xml"
-                val defaultConfigurationFileResource = URI(defaultConfigurationFileResourcePath).toURL()
-                Files.newOutputStream(configurationFile).use { outputStream ->
-                    defaultConfigurationFileResource.openStream().use { inputStream ->
-                        JWO.copy(inputStream, outputStream)
-                    }
-                }
-            }
-//            val schemaUrl = javaClass.getResource("/net/woggioni/gbcs/gbcs.xsd")
-            val schemaUrl = URL.of(URI("classpath:net/woggioni/gbcs/gbcs.xsd"), null)
-            val dbf = Xml.newDocumentBuilderFactory()
-//            dbf.schema = Xml.getSchema(this::class.java.module.getResourceAsStream("/net/woggioni/gbcs/gbcs.xsd"))
-            dbf.schema = Xml.getSchema(schemaUrl)
-            val db = dbf.newDocumentBuilder().apply {
-                setErrorHandler(Xml.ErrorHandler(schemaUrl))
-            }
-            val doc = Files.newInputStream(configurationFile).use(db::parse)
-            return Configuration.parse(doc.documentElement)
-        }
-
-        @JvmStatic
-        fun main(args: Array<String>) {
-            val configuration = loadConfiguration(args)
-//            Runtime.getRuntime().addShutdownHook(Thread {
-//                    Thread.sleep(5000)
-//                    javaClass.classLoader.loadClass("net.woggioni.jwo.exception.ChildProcessException")
-//                }
-//            )
-            GradleBuildCacheServer(configuration).run().use {
-            }
-        }
-
-        fun digest(data : ByteArray,
-                   md : MessageDigest = MessageDigest.getInstance("MD5")) : ByteArray {
-            md.update(data)
-            return md.digest()
-        }
-
-        fun digestString(data : ByteArray,
-                   md : MessageDigest = MessageDigest.getInstance("MD5")) : String {
-            return JWO.bytesToHex(digest(data, md))
-        }
-    }
-}
-
-object GraalNativeImageConfiguration {
-    @JvmStatic
-    fun main(args: Array<String>) {
-        val conf = GradleBuildCacheServer.loadConfiguration(args)
-        val handle  = GradleBuildCacheServer(conf).run()
-        Thread.sleep(10_000)
-        handle.shutdown()
-    }
-}

src/main/kotlin/net/woggioni/gbcs/Role.kt

@@ -1,5 +0,0 @@
-package net.woggioni.gbcs
-
-enum class Role {
-    Reader, Writer
-}

src/main/kotlin/net/woggioni/gbcs/Xml.kt

@@ -1,174 +0,0 @@
-package net.woggioni.gbcs
-
-import java.io.InputStream
-import java.io.InputStreamReader
-import java.net.URL
-import javax.xml.XMLConstants.ACCESS_EXTERNAL_DTD
-import javax.xml.XMLConstants.ACCESS_EXTERNAL_SCHEMA
-import javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
-import javax.xml.XMLConstants.W3C_XML_SCHEMA_NS_URI
-import javax.xml.parsers.DocumentBuilder
-import javax.xml.parsers.DocumentBuilderFactory
-import javax.xml.transform.Source
-import javax.xml.transform.stream.StreamSource
-import javax.xml.validation.Schema
-import javax.xml.validation.SchemaFactory
-import net.woggioni.jwo.xml.Xml
-import org.slf4j.LoggerFactory
-import org.w3c.dom.Document
-import org.w3c.dom.Element
-import org.w3c.dom.Node
-import org.w3c.dom.NodeList
-import org.xml.sax.ErrorHandler as ErrHandler
-import org.xml.sax.SAXNotRecognizedException
-import org.xml.sax.SAXNotSupportedException
-import org.xml.sax.SAXParseException
-
-class NodeListIterator(private val nodeList: NodeList) : Iterator<Node> {
-    private var cursor : Int = 0
-    override fun hasNext(): Boolean {
-        return cursor < nodeList.length
-    }
-
-    override fun next(): Node {
-        return if (hasNext()) nodeList.item(cursor++) else throw NoSuchElementException()
-    }
-}
-
-class ElementIterator(parent: Element, name: String? = null) : Iterator<Element> {
-    private val it: NodeListIterator
-    private val name: String?
-    private var next: Element?
-
-    init {
-        it = NodeListIterator(parent.childNodes)
-        this.name = name
-        next = getNext()
-    }
-
-    override fun hasNext(): Boolean {
-        return next != null
-    }
-
-    override fun next(): Element {
-        val result = next ?: throw NoSuchElementException()
-        next = getNext()
-        return result
-    }
-
-    private fun getNext(): Element? {
-        var result: Element? = null
-        while (it.hasNext()) {
-            val node: Node = it.next()
-            if (node is Element && (name == null || name == node.tagName)) {
-                result = node
-                break
-            }
-        }
-        return result
-    }
-}
-
-object Xml {
-
-    class ErrorHandler(private val fileURL: URL) : ErrHandler {
-
-        companion object {
-            private val log = LoggerFactory.getLogger(ErrorHandler::class.java)
-        }
-
-        override fun warning(ex: SAXParseException) {
-            log.warn(
-                    "Problem at {}:{}:{} parsing deployment configuration: {}",
-                    fileURL, ex.lineNumber, ex.columnNumber, ex.message
-            )
-        }
-
-        override fun error(ex: SAXParseException) {
-            log.error(
-                    "Problem at {}:{}:{} parsing deployment configuration: {}",
-                    fileURL, ex.lineNumber, ex.columnNumber, ex.message
-            )
-            throw ex
-        }
-
-        override fun fatalError(ex: SAXParseException) {
-            log.error(
-                    "Problem at {}:{}:{} parsing deployment configuration: {}",
-                    fileURL, ex.lineNumber, ex.columnNumber, ex.message
-            )
-            throw ex
-        }
-    }
-
-    private fun disableProperty(dbf: DocumentBuilderFactory, propertyName: String) {
-        try {
-            dbf.setAttribute(propertyName, "")
-        } catch (iae: IllegalArgumentException) {
-            // Property not supported.
-        }
-    }
-
-    private fun disableProperty(sf: SchemaFactory, propertyName: String) {
-        try {
-            sf.setProperty(propertyName, "")
-        } catch (ex: SAXNotRecognizedException) {
-            // Property not supported.
-        } catch (ex: SAXNotSupportedException) {
-        }
-    }
-
-    fun getSchema(schema: URL): Schema {
-        val sf = SchemaFactory.newInstance(W3C_XML_SCHEMA_NS_URI)
-        sf.setFeature(FEATURE_SECURE_PROCESSING, true)
-//        disableProperty(sf, ACCESS_EXTERNAL_SCHEMA)
-//        disableProperty(sf, ACCESS_EXTERNAL_DTD)
-        sf.errorHandler = ErrorHandler(schema)
-        return sf.newSchema(schema)
-    }
-
-    fun getSchema(inputStream: InputStream): Schema {
-        val sf = SchemaFactory.newInstance(W3C_XML_SCHEMA_NS_URI)
-        sf.setFeature(FEATURE_SECURE_PROCESSING, true)
-//        disableProperty(sf, ACCESS_EXTERNAL_SCHEMA)
-//        disableProperty(sf, ACCESS_EXTERNAL_DTD)
-        return sf.newSchema(StreamSource(inputStream))
-    }
-
-    fun newDocumentBuilderFactory(): DocumentBuilderFactory {
-        val dbf = DocumentBuilderFactory.newInstance()
-        dbf.setFeature(FEATURE_SECURE_PROCESSING, true)
-        disableProperty(dbf, ACCESS_EXTERNAL_SCHEMA)
-        disableProperty(dbf, ACCESS_EXTERNAL_DTD)
-        dbf.isExpandEntityReferences = false
-        dbf.isIgnoringComments = true
-        dbf.isNamespaceAware = true
-        dbf.isValidating = false
-        return dbf
-    }
-
-//    fun newDocumentBuilder(resource: URL, schemaResourceURL: String?): DocumentBuilder {
-//        val db = newDocumentBuilderFactory(schemaResourceURL).newDocumentBuilder()
-//        db.setErrorHandler(XmlErrorHandler(resource))
-//        return db
-//    }
-
-//    fun parseXmlResource(resource: URL, schemaResourceURL: String?): Document {
-//        val db = newDocumentBuilder(resource, schemaResourceURL)
-//        return resource.openStream().use(db::parse)
-//    }
-//
-//    fun newDocumentBuilder(resource: URL): DocumentBuilder {
-//        val db = newDocumentBuilderFactory(null).newDocumentBuilder()
-//        db.setErrorHandler(XmlErrorHandler(resource))
-//        return db
-//    }
-
-//    fun parseXmlResource(resource: URL): Document {
-//        val db = newDocumentBuilder(resource, null)
-//        return resource.openStream().use(db::parse)
-//    }
-
-    fun Element.asIterable() = Iterable { ElementIterator(this, null) }
-    fun NodeList.asIterable() = Iterable { NodeListIterator(this) }
-}