test

.gitea/workflows/build-dev.yaml

@@ -46,6 +46,18 @@ jobs:
           tags: |
             gitea.woggioni.net/woggioni/rbcs:memcache-dev
           target: release-memcache
+      -
+        name: Build rbcs redis Docker image
+        uses: docker/build-push-action@v5.3.0
+        with:
+          builder: "multiplatform-builder"
+          context: "docker/build/docker"
+          platforms: linux/amd64,linux/arm64
+          push: true
+          pull: true
+          tags: |
+            gitea.woggioni.net/woggioni/rbcs:redis-dev
+          target: release-redis
       -
         name: Build rbcs native Docker image
         uses: docker/build-push-action@v5.3.0

.gitea/workflows/build.yaml

@@ -32,8 +32,8 @@ jobs:
           push: true
           pull: true
           tags: |
-            gitea.woggioni.net/woggioni/rbcs:vanilla
+            gitea.woggioni.net/woggioni/rbcs:latest
-            gitea.woggioni.net/woggioni/rbcs:vanilla-${{ steps.retrieve-version.outputs.VERSION }}
+            gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}
           target: release-vanilla
       -
         name: Build rbcs memcache Docker image
@@ -45,11 +45,22 @@ jobs:
           push: true
           pull: true
           tags: |
-            gitea.woggioni.net/woggioni/rbcs:latest
-            gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}
             gitea.woggioni.net/woggioni/rbcs:memcache
-            gitea.woggioni.net/woggioni/rbcs:memcache-${{ steps.retrieve-version.outputs.VERSION }}
+            gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-memcache
           target: release-memcache
+      -
+        name: Build rbcs redis Docker image
+        uses: docker/build-push-action@v5.3.0
+        with:
+          builder: "multiplatform-builder"
+          context: "docker/build/docker"
+          platforms: linux/amd64,linux/arm64
+          push: true
+          pull: true
+          tags: |
+            gitea.woggioni.net/woggioni/rbcs:redis
+            gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-redis
+          target: release-redis
       -
         name: Build rbcs native Docker image
         uses: docker/build-push-action@v5.3.0
@@ -61,7 +72,7 @@ jobs:
           pull: true
           tags: |
             gitea.woggioni.net/woggioni/rbcs:native
-            gitea.woggioni.net/woggioni/rbcs:native-${{ steps.retrieve-version.outputs.VERSION }}
+            gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-native
           target: release-native
       -
         name: Build rbcs jlink Docker image
@@ -74,7 +85,7 @@ jobs:
           pull: true
           tags: |
             gitea.woggioni.net/woggioni/rbcs:jlink
-            gitea.woggioni.net/woggioni/rbcs:jlink-${{ steps.retrieve-version.outputs.VERSION }}-jlink
+            gitea.woggioni.net/woggioni/rbcs:${{ steps.retrieve-version.outputs.VERSION }}-jlink
           target: release-jlink
       - name: Publish artifacts
         env:

docker/Dockerfile

@@ -16,6 +16,15 @@ WORKDIR /home/luser
 ADD logback.xml .
 ENTRYPOINT ["java", "-Dlogback.configurationFile=logback.xml", "-XX:MaxRAMPercentage=70", "-XX:GCTimeRatio=24", "-XX:+UseZGC", "-XX:+ZGenerational", "-jar", "/home/luser/rbcs.jar"]
 
+FROM base-release AS release-redis
+ADD --chown=luser:luser rbcs-cli-envelope-*.jar rbcs.jar
+RUN mkdir plugins
+WORKDIR /home/luser/plugins
+RUN --mount=type=bind,source=.,target=/build/distributions tar -xf /build/distributions/rbcs-server-redis*.tar
+WORKDIR /home/luser
+ADD logback.xml .
+ENTRYPOINT ["java", "-Dlogback.configurationFile=logback.xml", "-XX:MaxRAMPercentage=70", "-XX:GCTimeRatio=24", "-XX:+UseZGC", "-XX:+ZGenerational", "-jar", "/home/luser/rbcs.jar"]
+
 FROM busybox:musl AS base-native
 RUN mkdir -p /var/lib/rbcs /etc/rbcs
 RUN adduser -D -u 1000 rbcs -h /var/lib/rbcs

gradle.properties

@@ -2,9 +2,9 @@ org.gradle.configuration-cache=false
 org.gradle.parallel=true
 org.gradle.caching=true
 
-rbcs.version = 0.3.7
+rbcs.version = 0.4.0
 
-lys.version = 2026.02.19
+lys.version = 2026.03.26
 
 gitea.maven.url = https://gitea.woggioni.net/api/packages/woggioni/maven
 docker.registry.url=gitea.woggioni.net

rbcs-api/src/main/java/net/woggioni/rbcs/api/Configuration.java

@@ -136,6 +136,13 @@ public class Configuration {
         TlsCertificateExtractor groupExtractor;
     }
 
+    @Value
+    public static class ForwardedClientCertificateAuthentication implements Authentication {
+        String headerName;
+        TlsCertificateExtractor userExtractor;
+        TlsCertificateExtractor groupExtractor;
+    }
+
     public interface Cache {
         CacheHandlerFactory materialize();
         String getNamespaceURI();

rbcs-cli/build.gradle

@@ -50,6 +50,7 @@ configurations {
 dependencies {
     configureNativeImageImplementation project
     configureNativeImageImplementation project(':rbcs-server-memcache')
+    configureNativeImageImplementation project(':rbcs-server-redis')
 
     implementation catalog.jwo
     implementation catalog.slf4j.api
@@ -62,6 +63,7 @@ dependencies {
     runtimeOnly catalog.logback.classic
 //    runtimeOnly catalog.slf4j.simple
     nativeImage project(':rbcs-server-memcache')
+    nativeImage project(':rbcs-server-redis')
 
 }
 
@@ -138,6 +140,7 @@ Provider<JlinkTask> jlinkTaskProvider = tasks.named(JlinkPlugin.JLINK_TASK_NAME,
     )
     additionalModules = [
         'net.woggioni.rbcs.server.memcache',
+        'net.woggioni.rbcs.server.redis',
         'ch.qos.logback.classic',
         'jdk.crypto.ec'
     ]

rbcs-cli/conf/rbcs-server-redis.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<rbcs:server xmlns:xs="http://www.w3.org/2001/XMLSchema-instance"
+             xmlns:rbcs="urn:net.woggioni.rbcs.server"
+             xmlns:rbcs-redis="urn:net.woggioni.rbcs.server.redis"
+             xs:schemaLocation="urn:net.woggioni.rbcs.server.redis jpms://net.woggioni.rbcs.server.redis/net/woggioni/rbcs/server/redis/schema/rbcs-redis.xsd urn:net.woggioni.rbcs.server.memcache jpms://net.woggioni.rbcs.server.memcache/net/woggioni/rbcs/server/memcache/schema/rbcs-memcache.xsd urn:net.woggioni.rbcs.server jpms://net.woggioni.rbcs.server/net/woggioni/rbcs/server/schema/rbcs-server.xsd"
+>
+    <bind host="127.0.0.1" port="8080" incoming-connections-backlog-size="1024"/>
+    <connection
+            max-request-size="67108864"
+            idle-timeout="PT10S"
+            read-idle-timeout="PT20S"
+            write-idle-timeout="PT20S"/>
+    <event-executor use-virtual-threads="true"/>
+    <cache xs:type="rbcs-redis:redisCacheType" max-age="P7D" digest="MD5">
+        <server host="127.0.0.1" port="6379" max-connections="256"/>
+    </cache>
+    <!--cache xs:type="rbcs:inMemoryCacheType" max-age="P7D" enable-compression="false" max-size="0x10000000" /-->
+    <!--cache xs:type="rbcs:fileSystemCacheType" max-age="P7D" enable-compression="false" /-->
+    <authorization>
+        <users>
+            <user name="woggioni" password="II+qeNLft2pZ/JVNo9F7jpjM/BqEcfsJW27NZ6dPVs8tAwHbxrJppKYsbL7J/SMl">
+                <quota calls="100" period="PT1S"/>
+            </user>
+            <user name="gitea" password="v6T9+q6/VNpvLknji3ixPiyz2YZCQMXj2FN7hvzbfc2Ig+IzAHO0iiBCH9oWuBDq"/>
+            <anonymous>
+                <quota calls="10" period="PT60S" initial-available-calls="10" max-available-calls="10"/>
+            </anonymous>
+        </users>
+        <groups>
+            <group name="readers">
+                <users>
+                    <anonymous/>
+                </users>
+                <roles>
+                    <reader/>
+                </roles>
+            </group>
+            <group name="writers">
+                <users>
+                    <user ref="woggioni"/>
+                    <user ref="gitea"/>
+                </users>
+                <roles>
+                    <reader/>
+                    <writer/>
+                </roles>
+            </group>
+        </groups>
+    </authorization>
+    <authentication>
+        <none/>
+    </authentication>
+</rbcs:server>

rbcs-cli/src/configureNativeImage/kotlin/net/woggioni/rbcs/cli/graal/GraalNativeImageConfiguration.kt

@@ -27,16 +27,27 @@ import net.woggioni.rbcs.server.cache.FileSystemCacheConfiguration
 import net.woggioni.rbcs.server.cache.InMemoryCacheConfiguration
 import net.woggioni.rbcs.server.configuration.Parser
 import net.woggioni.rbcs.server.memcache.MemcacheCacheConfiguration
+import net.woggioni.rbcs.server.redis.RedisCacheConfiguration
 
 object GraalNativeImageConfiguration {
     @JvmStatic
     fun main(vararg args : String) {
 
-        val serverURL = URI.create("file:conf/rbcs-server.xml").toURL()
+        let {
-        val serverDoc = serverURL.openStream().use {
+            val serverURL = URI.create("file:conf/rbcs-server.xml").toURL()
-            Xml.parseXml(serverURL, it)
+            val serverDoc = serverURL.openStream().use {
+                Xml.parseXml(serverURL, it)
+            }
+            Parser.parse(serverDoc)
+        }
+
+        let {
+            val serverURL = URI.create("file:conf/rbcs-server-redis.xml").toURL()
+            val serverDoc = serverURL.openStream().use {
+                Xml.parseXml(serverURL, it)
+            }
+            Parser.parse(serverDoc)
         }
-        Parser.parse(serverDoc)
 
         val url = URI.create("file:conf/rbcs-client.xml").toURL()
         val clientDoc = url.openStream().use {
@@ -90,6 +101,18 @@ object GraalNativeImageConfiguration {
                 "MD5",
                 null,
                 1,
+            ),
+            RedisCacheConfiguration(
+                listOf(RedisCacheConfiguration.Server(
+                    HostAndPort("127.0.0.1", 6379),
+                    1000,
+                    4)
+                ),
+                Duration.ofSeconds(60),
+                "someCustomPrefix",
+                "MD5",
+                null,
+                1,
             )
         )
 

rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/RemoteBuildCacheServer.kt

@@ -155,6 +155,59 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
         }
     }
 
+    @Sharable
+    private class ForwardedClientCertificateAuthenticator(
+        authorizer: Authorizer,
+        private val anonymousUserGroups: Set<Configuration.Group>?,
+        private val subjectDnUserExtractor: SubjectDnExtractor?,
+        private val subjectDnGroupExtractor: SubjectDnExtractor?,
+        private val headerName: String,
+        private val trustedProxyIPs: List<Cidr>,
+        private val users: Map<String, Configuration.User>,
+        private val groups: Map<String, Configuration.Group>,
+    ) : AbstractNettyHttpAuthenticator(authorizer) {
+
+        companion object {
+            private val log = createLogger<ForwardedClientCertificateAuthenticator>()
+        }
+
+        override fun authenticate(ctx: ChannelHandlerContext, req: HttpRequest): AuthenticationResult? {
+            val clientIp = ctx.channel().attr(clientIp).get()
+            if (clientIp == null || trustedProxyIPs.none { it.contains(clientIp.address) }) {
+                log.debug(ctx) {
+                    "Rejecting forwarded client certificate authentication from untrusted address: $clientIp"
+                }
+                return null
+            }
+            val subjectDn = req.headers()[headerName]
+                ?: return anonymousUserGroups?.let { AuthenticationResult(null, it) }
+            val ldapName = try {
+                LdapName(subjectDn)
+            } catch (e: Exception) {
+                log.debug(ctx) {
+                    "Invalid subject DN in header $headerName: $subjectDn"
+                }
+                return anonymousUserGroups?.let { AuthenticationResult(null, it) }
+            }
+            val user = subjectDnUserExtractor?.extract(ldapName)?.let { userName ->
+                users[userName] ?: throw RuntimeException("Failed to extract user '$userName'")
+            }
+            val group = subjectDnGroupExtractor?.extract(ldapName)?.let { groupName ->
+                groups[groupName] ?: throw RuntimeException("Failed to extract group '$groupName'")
+            }
+            val allGroups = ((user?.groups ?: emptySet()).asSequence() + sequenceOf(group).filterNotNull()).toSet()
+            return AuthenticationResult(user, allGroups)
+        }
+    }
+
+    private data class SubjectDnExtractor(val rdnType: String, val pattern: Pattern) {
+        fun extract(ldapName: LdapName): String? {
+            return ldapName.rdns.find { it.type == rdnType }
+                ?.let { pattern.matcher(it.value.toString()) }
+                ?.takeIf(Matcher::matches)?.group(1)
+        }
+    }
+
     @Sharable
     private class NettyHttpBasicAuthenticator(
         private val users: Map<String, Configuration.User>, authorizer: Authorizer
@@ -261,6 +314,23 @@ class RemoteBuildCacheServer(private val cfg: Configuration) {
                 )
             }
 
+            is Configuration.ForwardedClientCertificateAuthentication -> {
+                ForwardedClientCertificateAuthenticator(
+                    RoleAuthorizer(),
+                    cfg.users[""]?.groups,
+                    auth.userExtractor?.let { extractor ->
+                        SubjectDnExtractor(extractor.rdnType, Pattern.compile(extractor.pattern))
+                    },
+                    auth.groupExtractor?.let { extractor ->
+                        SubjectDnExtractor(extractor.rdnType, Pattern.compile(extractor.pattern))
+                    },
+                    auth.headerName,
+                    cfg.trustedProxyIPs,
+                    cfg.users,
+                    cfg.groups,
+                )
+            }
+
             else -> null
         }
 

rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/auth/Authenticator.kt

@@ -12,15 +12,18 @@ import io.netty.handler.codec.http.HttpRequest
 import io.netty.handler.codec.http.HttpResponseStatus
 import io.netty.handler.codec.http.HttpVersion
 import io.netty.util.ReferenceCountUtil
+import java.net.InetSocketAddress
 import net.woggioni.rbcs.api.Configuration
 import net.woggioni.rbcs.api.Configuration.Group
 import net.woggioni.rbcs.api.Role
+import net.woggioni.rbcs.common.createLogger
 import net.woggioni.rbcs.server.RemoteBuildCacheServer
 
-
 abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer) : ChannelInboundHandlerAdapter() {
 
     companion object {
+        private val log = createLogger<AbstractNettyHttpAuthenticator>()
+
         private val AUTHENTICATION_FAILED: FullHttpResponse = DefaultFullHttpResponse(
             HttpVersion.HTTP_1_1, HttpResponseStatus.UNAUTHORIZED, Unpooled.EMPTY_BUFFER
         ).apply {
@@ -53,6 +56,16 @@ abstract class AbstractNettyHttpAuthenticator(private val authorizer: Authorizer
                         result.groups.asSequence().flatMap { it.roles.asSequence() }
             ).toSet()
             val authorized = authorizer.authorize(roles, msg)
+            if(log.isTraceEnabled) {
+                val authorizedMessage = if(authorized) { "Authorized" } else { "Forbidden" }
+                val clientAddress = ctx.channel().attr<InetSocketAddress>(RemoteBuildCacheServer.clientIp).get()
+                val roleString = "[" + roles.asSequence().map { "\"" + it + "\""}.joinToString(", ") + "]"
+                result.user?.let { user ->
+                    log.trace("$authorizedMessage ${msg.method()} request from user $user with address $clientAddress, granted roles $roleString")
+                } ?: {
+                    log.trace("$authorizedMessage anonymous ${msg.method()} request with address $clientAddress, granted roles $roleString")
+                }
+            }
             if (authorized) {
                 super.channelRead(ctx, msg)
             } else {

rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/configuration/Parser.kt

@@ -8,6 +8,7 @@ import net.woggioni.rbcs.api.Configuration.Authentication
 import net.woggioni.rbcs.api.Configuration.BasicAuthentication
 import net.woggioni.rbcs.api.Configuration.Cache
 import net.woggioni.rbcs.api.Configuration.ClientCertificateAuthentication
+import net.woggioni.rbcs.api.Configuration.ForwardedClientCertificateAuthentication
 import net.woggioni.rbcs.api.Configuration.Group
 import net.woggioni.rbcs.api.Configuration.KeyStore
 import net.woggioni.rbcs.api.Configuration.Tls
@@ -77,6 +78,28 @@ object Parser {
                                 }
                                 authentication = ClientCertificateAuthentication(tlsExtractorUser, tlsExtractorGroup)
                             }
+
+                            "forwarded-client-certificate" -> {
+                                val headerName = gchild.renderAttribute("header-name") ?: "X-Client-Cert-Subject-DN"
+                                var tlsExtractorUser: TlsCertificateExtractor? = null
+                                var tlsExtractorGroup: TlsCertificateExtractor? = null
+                                for (ggchild in gchild.asIterable()) {
+                                    when (ggchild.localName) {
+                                        "group-extractor" -> {
+                                            val attrName = ggchild.renderAttribute("attribute-name")
+                                            val pattern = ggchild.renderAttribute("pattern")
+                                            tlsExtractorGroup = TlsCertificateExtractor(attrName, pattern)
+                                        }
+
+                                        "user-extractor" -> {
+                                            val attrName = ggchild.renderAttribute("attribute-name")
+                                            val pattern = ggchild.renderAttribute("pattern")
+                                            tlsExtractorUser = TlsCertificateExtractor(attrName, pattern)
+                                        }
+                                    }
+                                }
+                                authentication = ForwardedClientCertificateAuthentication(headerName, tlsExtractorUser, tlsExtractorGroup)
+                            }
                         }
                     }
                 }

rbcs-server/src/main/kotlin/net/woggioni/rbcs/server/configuration/Serializer.kt

@@ -165,6 +165,23 @@ object Serializer {
                                 }
                             }
                         }
+                        is Configuration.ForwardedClientCertificateAuthentication -> {
+                            node("forwarded-client-certificate") {
+                                attr("header-name", authentication.headerName)
+                                authentication.groupExtractor?.let { extractor ->
+                                    node("group-extractor") {
+                                        attr("attribute-name", extractor.rdnType)
+                                        attr("pattern", extractor.pattern)
+                                    }
+                                }
+                                authentication.userExtractor?.let { extractor ->
+                                    node("user-extractor") {
+                                        attr("attribute-name", extractor.rdnType)
+                                        attr("pattern", extractor.pattern)
+                                    }
+                                }
+                            }
+                        }
                     }
                 }
             }

rbcs-server/src/main/resources/net/woggioni/rbcs/server/schema/rbcs-server.xsd

@@ -311,6 +311,45 @@
         </xs:sequence>
     </xs:complexType>
 
+    <xs:complexType name="forwardedClientCertificateAuthorizationType">
+        <xs:annotation>
+            <xs:documentation>
+                Authenticate clients based on a custom HTTP header containing the client TLS certificate
+                subject DN, forwarded by a reverse proxy that performs TLS termination. The proxy must be
+                listed in the trusted-proxies configuration for the header to be accepted.
+            </xs:documentation>
+        </xs:annotation>
+        <xs:sequence>
+            <xs:element name="group-extractor" type="rbcs:X500NameExtractorType" minOccurs="0">
+                <xs:annotation>
+                    <xs:documentation>
+                        A regex based extractor that will be used to determine which group the client belongs to,
+                        based on the X.500 name of the subject DN forwarded by the reverse proxy.
+                        When this is set RBAC works even if the user isn't listed in the &lt;users/&gt; section as
+                        the client will be assigned role solely based on the group he is found to belong to.
+                        Note that this does not allow for a client to be part of multiple groups.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
+            <xs:element name="user-extractor" type="rbcs:X500NameExtractorType" minOccurs="0">
+                <xs:annotation>
+                    <xs:documentation>
+                        A regex based extractor that will be used to assign a user to a connected client,
+                        based on the X.500 name of the subject DN forwarded by the reverse proxy.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
+        </xs:sequence>
+        <xs:attribute name="header-name" type="xs:token">
+            <xs:annotation>
+                <xs:documentation>
+                    Name of the HTTP header containing the client certificate subject DN
+                    forwarded by the reverse proxy. Defaults to "X-Client-Cert-Subject-DN".
+                </xs:documentation>
+            </xs:annotation>
+        </xs:attribute>
+    </xs:complexType>
+
     <xs:complexType name="X500NameExtractorType">
         <xs:annotation>
             <xs:documentation>
@@ -380,6 +419,15 @@
                     </xs:documentation>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="forwarded-client-certificate" type="rbcs:forwardedClientCertificateAuthorizationType">
+                <xs:annotation>
+                    <xs:documentation>
+                        Enable forwarded client certificate authentication. Authenticates clients based on
+                        a custom HTTP header containing the client certificate subject DN, forwarded by a
+                        reverse proxy that performs TLS termination. Requires trusted-proxies to be configured.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:element>
             <xs:element name="none">
                 <xs:annotation>
                     <xs:documentation>