dedicated ecosystem controllers

Author: timbastin

controllers/dependencyfirewall/controller.go

@@ -154,6 +154,23 @@ func (d *DependencyProxyController) fetchFromUpstream(ctx context.Context, eco e
 	return data, resp.Header, resp.StatusCode, nil
 }
 
+func ensureReadMethod(c shared.Context) error {
+	if c.Request().Method != http.MethodGet && c.Request().Method != http.MethodHead {
+		return echo.NewHTTPError(http.StatusMethodNotAllowed, "Method not allowed")
+	}
+	return nil
+}
+
+func (d *DependencyProxyController) passthroughUpstreamResponse(c shared.Context, headers http.Header, statusCode int, data []byte) error {
+	for key, values := range headers {
+		for _, value := range values {
+			c.Response().Header().Add(key, value)
+		}
+	}
+
+	return c.Blob(statusCode, headers.Get("Content-Type"), data)
+}
+
 func (d *DependencyProxyController) cacheData(cachePath string, data []byte) error {
 	dir := filepath.Dir(cachePath)
 	if err := os.MkdirAll(dir, 0755); err != nil {

controllers/dependencyfirewall/ecosystem_controllers.go

@@ -0,0 +1,31 @@
+package dependencyfirewall
+
+// NPMDependencyProxyController handles npm dependency proxy requests.
+// It embeds DependencyProxyController to reuse shared helpers and state.
+type NPMDependencyProxyController struct {
+	*DependencyProxyController
+}
+
+func NewNPMDependencyProxyController(controller *DependencyProxyController) *NPMDependencyProxyController {
+	return &NPMDependencyProxyController{DependencyProxyController: controller}
+}
+
+// GoDependencyProxyController handles Go dependency proxy requests.
+// It embeds DependencyProxyController to reuse shared helpers and state.
+type GoDependencyProxyController struct {
+	*DependencyProxyController
+}
+
+func NewGoDependencyProxyController(controller *DependencyProxyController) *GoDependencyProxyController {
+	return &GoDependencyProxyController{DependencyProxyController: controller}
+}
+
+// PythonDependencyProxyController handles PyPI dependency proxy requests.
+// It embeds DependencyProxyController to reuse shared helpers and state.
+type PythonDependencyProxyController struct {
+	*DependencyProxyController
+}
+
+func NewPythonDependencyProxyController(controller *DependencyProxyController) *PythonDependencyProxyController {
+	return &PythonDependencyProxyController{DependencyProxyController: controller}
+}

controllers/dependencyfirewall/golang.go

@@ -102,7 +102,7 @@ func (goEcosystem) writeResponse(c shared.Context, data []byte, path string, cac
 	return c.Blob(http.StatusOK, c.Response().Header().Get("Content-Type"), data)
 }
 
-func (d *DependencyProxyController) ProxyGo(c shared.Context) error {
+func (d *GoDependencyProxyController) ProxyGo(c shared.Context) error {
 	requestPath := golang.trimPrefix(c.Request().URL.Path)
 
 	ctx, span := depProxyTracer.Start(c.Request().Context(), "dependency-proxy.go",
@@ -115,8 +115,8 @@ func (d *DependencyProxyController) ProxyGo(c shared.Context) error {
 	defer span.End()
 	c.SetRequest(c.Request().WithContext(ctx))
 
-	if c.Request().Method != http.MethodGet && c.Request().Method != http.MethodHead {
-		return echo.NewHTTPError(http.StatusMethodNotAllowed, "Method not allowed")
+	if err := ensureReadMethod(c); err != nil {
+		return err
 	}
 
 	configs, err := d.GetDependencyProxyConfigs(c)
@@ -137,7 +137,7 @@ func (d *DependencyProxyController) ProxyGo(c shared.Context) error {
 }
 
 // proxyGoExplicitVersion handles Go proxy requests for a specific version (.info, .mod, .zip).
-func (d *DependencyProxyController) proxyGoExplicitVersion(c shared.Context, ctx context.Context, span trace.Span, eco ecosystem, configs DependencyProxyConfigs, requestPath string) error {
+func (d *GoDependencyProxyController) proxyGoExplicitVersion(c shared.Context, ctx context.Context, span trace.Span, eco ecosystem, configs DependencyProxyConfigs, requestPath string) error {
 	cachePath := d.getCachePath(eco, requestPath)
 
 	notAllowed, notAllowedReason := d.CheckNotAllowedPackage(ctx, eco, requestPath, configs)
@@ -196,12 +196,7 @@ func (d *DependencyProxyController) proxyGoExplicitVersion(c shared.Context, ctx
 
 	if statusCode != http.StatusOK {
 		slog.Debug("Upstream returned non-OK status", "proxy", "go", "status", statusCode)
-		for key, values := range headers {
-			for _, value := range values {
-				c.Response().Header().Add(key, value)
-			}
-		}
-		return c.Blob(statusCode, headers.Get("Content-Type"), data)
+		return d.passthroughUpstreamResponse(c, headers, statusCode, data)
 	}
 
 	_, releaseTime, hasReleaseTime := d.ExtractGoVersionAndReleaseTime(data)
@@ -235,7 +230,7 @@ func (d *DependencyProxyController) proxyGoExplicitVersion(c shared.Context, ctx
 }
 
 // proxyGoLatest handles Go proxy requests for @latest and @v/list (version-resolution requests).
-func (d *DependencyProxyController) proxyGoLatest(c shared.Context, ctx context.Context, span trace.Span, eco ecosystem, configs DependencyProxyConfigs, requestPath, packageName string) error {
+func (d *GoDependencyProxyController) proxyGoLatest(c shared.Context, ctx context.Context, span trace.Span, eco ecosystem, configs DependencyProxyConfigs, requestPath, packageName string) error {
 	cachePath := d.getCachePath(eco, requestPath)
 
 	span.SetAttributes(attribute.Bool("proxy.cache_hit", false))
@@ -251,12 +246,7 @@ func (d *DependencyProxyController) proxyGoLatest(c shared.Context, ctx context.
 
 	if statusCode != http.StatusOK {
 		slog.Debug("Upstream returned non-OK status", "proxy", "go", "status", statusCode)
-		for key, values := range headers {
-			for _, value := range values {
-				c.Response().Header().Add(key, value)
-			}
-		}
-		return c.Blob(statusCode, headers.Get("Content-Type"), data)
+		return d.passthroughUpstreamResponse(c, headers, statusCode, data)
 	}
 
 	resolvedVersion, releaseTime, hasReleaseTime := d.ExtractGoVersionAndReleaseTime(data)
@@ -311,7 +301,7 @@ func (d *DependencyProxyController) proxyGoLatest(c shared.Context, ctx context.
 }
 
 // ExtractGoVersionAndReleaseTime parses a Go proxy .info response and returns the resolved version and its release time.
-func (d *DependencyProxyController) ExtractGoVersionAndReleaseTime(data []byte) (string, time.Time, bool) {
+func (d *GoDependencyProxyController) ExtractGoVersionAndReleaseTime(data []byte) (string, time.Time, bool) {
 	var info struct {
 		Version string    `json:"Version"`
 		Time    time.Time `json:"Time"`

controllers/dependencyfirewall/npm.go

@@ -97,7 +97,7 @@ func (npmEcosystem) writeResponse(c shared.Context, data []byte, path string, ca
 
 // ProxyNPMTarball handles explicit-version npm requests (.tgz downloads).
 // Routes: GET /npm/:package/-/* and GET /npm/:scope/:name/-/*
-func (d *DependencyProxyController) ProxyNPMTarball(c shared.Context) error {
+func (d *NPMDependencyProxyController) ProxyNPMTarball(c shared.Context) error {
 	configs, err := d.GetDependencyProxyConfigs(c)
 	if err != nil {
 		slog.Error("Error getting dependency proxy configs", "error", err)
@@ -116,8 +116,8 @@ func (d *DependencyProxyController) ProxyNPMTarball(c shared.Context) error {
 	defer span.End()
 	c.SetRequest(c.Request().WithContext(ctx))
 
-	if c.Request().Method != http.MethodGet && c.Request().Method != http.MethodHead {
-		return echo.NewHTTPError(http.StatusMethodNotAllowed, "Method not allowed")
+	if err := ensureReadMethod(c); err != nil {
+		return err
 	}
 
 	slog.Info("Proxy request", "proxy", "npm", "type", "tarball", "method", c.Request().Method, "path", requestPath)
@@ -180,12 +180,7 @@ func (d *DependencyProxyController) ProxyNPMTarball(c shared.Context) error {
 
 	if statusCode != http.StatusOK {
 		slog.Debug("Upstream returned non-OK status", "proxy", "npm", "status", statusCode)
-		for key, values := range headers {
-			for _, value := range values {
-				c.Response().Header().Add(key, value)
-			}
-		}
-		return c.Blob(statusCode, headers.Get("Content-Type"), data)
+		return d.passthroughUpstreamResponse(c, headers, statusCode, data)
 	}
 
 	_, releaseTime := d.ExtractNPMVersionAndReleaseTimeFromMetadata(data)
@@ -212,7 +207,7 @@ func (d *DependencyProxyController) ProxyNPMTarball(c shared.Context) error {
 
 // ProxyNPMMetadata handles metadata / version-resolution npm requests (no explicit version in path).
 // Routes: GET /npm/:package and GET /npm/:scope/:name
-func (d *DependencyProxyController) ProxyNPMMetadata(c shared.Context) error {
+func (d *NPMDependencyProxyController) ProxyNPMMetadata(c shared.Context) error {
 	configs, err := d.GetDependencyProxyConfigs(c)
 	if err != nil {
 		slog.Error("Error getting dependency proxy configs", "error", err)
@@ -231,8 +226,8 @@ func (d *DependencyProxyController) ProxyNPMMetadata(c shared.Context) error {
 	defer span.End()
 	c.SetRequest(c.Request().WithContext(ctx))
 
-	if c.Request().Method != http.MethodGet && c.Request().Method != http.MethodHead {
-		return echo.NewHTTPError(http.StatusMethodNotAllowed, "Method not allowed")
+	if err := ensureReadMethod(c); err != nil {
+		return err
 	}
 
 	slog.Info("Proxy request", "proxy", "npm", "type", "metadata", "method", c.Request().Method, "path", requestPath)
@@ -253,12 +248,7 @@ func (d *DependencyProxyController) ProxyNPMMetadata(c shared.Context) error {
 
 	if statusCode != http.StatusOK {
 		slog.Debug("Upstream returned non-OK status", "proxy", "npm", "status", statusCode)
-		for key, values := range headers {
-			for _, value := range values {
-				c.Response().Header().Add(key, value)
-			}
-		}
-		return c.Blob(statusCode, headers.Get("Content-Type"), data)
+		return d.passthroughUpstreamResponse(c, headers, statusCode, data)
 	}
 
 	resolvedVersion, releaseTime := d.ExtractNPMVersionAndReleaseTimeFromMetadata(data)
@@ -308,7 +298,7 @@ func (d *DependencyProxyController) ProxyNPMMetadata(c shared.Context) error {
 	return npm.writeResponse(c, data, requestPath, false)
 }
 
-func (d *DependencyProxyController) ProxyNPMAudit(c shared.Context) error {
+func (d *NPMDependencyProxyController) ProxyNPMAudit(c shared.Context) error {
 	requestPath := npm.trimPrefix(c.Request().URL.Path)
 
 	ctx, span := depProxyTracer.Start(c.Request().Context(), "dependency-proxy.npm-audit",
@@ -338,18 +328,10 @@ func (d *DependencyProxyController) ProxyNPMAudit(c shared.Context) error {
 		return echo.NewHTTPError(http.StatusBadGateway, "Failed to fetch from upstream")
 	}
 
-	for key, values := range headers {
-		for _, value := range values {
-			c.Response().Header().Add(key, value)
-		}
-	}
-
-	fmt.Println(string(data))
-
-	return c.Blob(statusCode, headers.Get("Content-Type"), data)
+	return d.passthroughUpstreamResponse(c, headers, statusCode, data)
 }
 
-func (d *DependencyProxyController) fetchNPMAuditFromUpstream(ctx context.Context, requestPath string, headers http.Header, bodyBytes []byte) ([]byte, http.Header, int, error) {
+func (d *NPMDependencyProxyController) fetchNPMAuditFromUpstream(ctx context.Context, requestPath string, headers http.Header, bodyBytes []byte) ([]byte, http.Header, int, error) {
 	requestPath = strings.TrimRight(requestPath, "/")
 	url, err := url.JoinPath(npmRegistry, requestPath)
 	if err != nil {
@@ -406,7 +388,7 @@ func (d *DependencyProxyController) fetchNPMAuditFromUpstream(ctx context.Contex
 }
 
 // ExtractNPMVersionAndReleaseTimeFromMetadata parses NPM package metadata JSON and extracts the latest version and its release time.
-func (d *DependencyProxyController) ExtractNPMVersionAndReleaseTimeFromMetadata(data []byte) (string, time.Time) {
+func (d *NPMDependencyProxyController) ExtractNPMVersionAndReleaseTimeFromMetadata(data []byte) (string, time.Time) {
 	var metadata struct {
 		DistTags struct {
 			Latest string `json:"latest"`

controllers/dependencyfirewall/python.go

@@ -57,7 +57,7 @@ func (pypiEcosystem) parsePackage(path string) (string, string) {
 	path = strings.TrimPrefix(path, "/")
 	if after, ok := strings.CutPrefix(path, "simple/"); ok {
 		return strings.TrimSuffix(after, "/"), ""
-	} else if strings.HasPrefix(path, "/packages/") {
+	} else if strings.HasPrefix(path, "packages/") {
 		filename := filepath.Base(path)
 		matches := pypiFilenameRe.FindStringSubmatch(filename)
 		if len(matches) > 2 {
@@ -106,9 +106,7 @@ func (pypiEcosystem) writeResponse(c shared.Context, data []byte, path string, c
 
 // ProxyPyPIPackage handles explicit-version PyPI package downloads (from /packages/).
 // Route: GET /pypi/packages/*
-func (d *DependencyProxyController) ProxyPyPIPackage(c shared.Context) error {
-	pypi := pypiEcosystem{}
-
+func (d *PythonDependencyProxyController) ProxyPyPIPackage(c shared.Context) error {
 	configs, err := d.GetDependencyProxyConfigs(c)
 	if err != nil {
 		slog.Error("Error getting dependency proxy configs", "error", err)
@@ -127,8 +125,8 @@ func (d *DependencyProxyController) ProxyPyPIPackage(c shared.Context) error {
 	defer span.End()
 	c.SetRequest(c.Request().WithContext(ctx))
 
-	if c.Request().Method != http.MethodGet && c.Request().Method != http.MethodHead {
-		return echo.NewHTTPError(http.StatusMethodNotAllowed, "Method not allowed")
+	if err := ensureReadMethod(c); err != nil {
+		return err
 	}
 
 	slog.Info("Proxy request", "proxy", "pypi", "type", "package", "method", c.Request().Method, "path", requestPath)
@@ -191,12 +189,7 @@ func (d *DependencyProxyController) ProxyPyPIPackage(c shared.Context) error {
 
 	if statusCode != http.StatusOK {
 		slog.Debug("Upstream returned non-OK status", "proxy", "pypi", "status", statusCode)
-		for key, values := range headers {
-			for _, value := range values {
-				c.Response().Header().Add(key, value)
-			}
-		}
-		return c.Blob(statusCode, headers.Get("Content-Type"), data)
+		return d.passthroughUpstreamResponse(c, headers, statusCode, data)
 	}
 
 	if err := d.CacheDataWithIntegrity(cachePath, data); err != nil {
@@ -212,9 +205,7 @@ func (d *DependencyProxyController) ProxyPyPIPackage(c shared.Context) error {
 
 // ProxyPyPISimple handles PyPI /simple/ metadata requests, resolving the latest version before checking rules.
 // Route: GET /pypi/simple/:package
-func (d *DependencyProxyController) ProxyPyPISimple(c shared.Context) error {
-	pypi := pypiEcosystem{}
-
+func (d *PythonDependencyProxyController) ProxyPyPISimple(c shared.Context) error {
 	configs, err := d.GetDependencyProxyConfigs(c)
 	if err != nil {
 		slog.Error("Error getting dependency proxy configs", "error", err)
@@ -234,8 +225,8 @@ func (d *DependencyProxyController) ProxyPyPISimple(c shared.Context) error {
 	defer span.End()
 	c.SetRequest(c.Request().WithContext(ctx))
 
-	if c.Request().Method != http.MethodGet && c.Request().Method != http.MethodHead {
-		return echo.NewHTTPError(http.StatusMethodNotAllowed, "Method not allowed")
+	if err := ensureReadMethod(c); err != nil {
+		return err
 	}
 
 	slog.Info("Proxy request", "proxy", "pypi", "type", "simple", "method", c.Request().Method, "path", requestPath)
@@ -254,12 +245,7 @@ func (d *DependencyProxyController) ProxyPyPISimple(c shared.Context) error {
 
 	if statusCode != http.StatusOK {
 		slog.Debug("Upstream returned non-OK status", "proxy", "pypi", "status", statusCode)
-		for key, values := range headers {
-			for _, value := range values {
-				c.Response().Header().Add(key, value)
-			}
-		}
-		return c.Blob(statusCode, headers.Get("Content-Type"), data)
+		return d.passthroughUpstreamResponse(c, headers, statusCode, data)
 	}
 
 	// Fetch the PyPI JSON API to resolve version and release time before checking rules —
@@ -315,7 +301,7 @@ func (d *DependencyProxyController) ProxyPyPISimple(c shared.Context) error {
 	return pypi.writeResponse(c, data, requestPath, false)
 }
 
-func (d *DependencyProxyController) fetchPyPIFromUpstream(ctx context.Context, requestPath string, headers http.Header) ([]byte, http.Header, int, error) {
+func (d *PythonDependencyProxyController) fetchPyPIFromUpstream(ctx context.Context, requestPath string, headers http.Header) ([]byte, http.Header, int, error) {
 	requestPath = strings.TrimRight(requestPath, "/")
 	url, err := url.JoinPath(pypiRegistry, requestPath)
 	if err != nil {
@@ -351,7 +337,7 @@ func (d *DependencyProxyController) fetchPyPIFromUpstream(ctx context.Context, r
 
 // ExtractPyPIReleaseTime parses a PyPI JSON API response and returns the resolved version and its upload time.
 // If version is empty, it uses info.version (the current release).
-func (d *DependencyProxyController) ExtractPyPIReleaseTime(data []byte, version string) (string, time.Time, bool) {
+func (d *PythonDependencyProxyController) ExtractPyPIReleaseTime(data []byte, version string) (string, time.Time, bool) {
 	var metadata struct {
 		Info struct {
 			Version string `json:"version"`
@@ -378,7 +364,7 @@ func (d *DependencyProxyController) ExtractPyPIReleaseTime(data []byte, version
 }
 
 // fetchPyPILatestVersionAndReleaseTime fetches the PyPI JSON API and returns the resolved version and its release time.
-func (d *DependencyProxyController) fetchPyPILatestVersionAndReleaseTime(ctx context.Context, pkgName string) (string, time.Time, bool) {
+func (d *PythonDependencyProxyController) fetchPyPILatestVersionAndReleaseTime(ctx context.Context, pkgName string) (string, time.Time, bool) {
 	data, _, statusCode, err := d.fetchPyPIFromUpstream(ctx, "/pypi/"+pkgName+"/json", http.Header{})
 	if err != nil || statusCode != http.StatusOK {
 		return "", time.Time{}, false

controllers/providers.go

@@ -112,4 +112,7 @@ var ControllerModule = fx.Options(
 	fx.Provide(ProvideDependencyProxyCache),
 	fx.Provide(fx.Annotate(ProvideMaliciousPackageChecker, fx.As(new(shared.MaliciousPackageChecker)))),
 	fx.Provide(dependencyfirewall.NewDependencyProxyController),
+	fx.Provide(dependencyfirewall.NewNPMDependencyProxyController),
+	fx.Provide(dependencyfirewall.NewGoDependencyProxyController),
+	fx.Provide(dependencyfirewall.NewPythonDependencyProxyController),
 )