feat(git): support Basic Auth for git-receive-pack (#2089)

Git CLI uses HTTP Basic Authentication when pushing, with the token as the password.

Author: benjamin-747

.github/workflows/orion-server-deploy.yml

@@ -79,15 +79,12 @@ jobs:
           GCP_IMAGE_BASE="us-central1-docker.pkg.dev/${{ env.GCP_PROJECT_ID }}/${{ env.REPOSITORY }}"
 
           TAG="${{ env.IMAGE_TAG_BASE }}-$ARCH_SUFFIX"
-          AWS_CACHE_IMAGE="$AWS_IMAGE_BASE:buildcache-$ARCH_SUFFIX"
           CACHE_SCOPE="orion-server-$ARCH_SUFFIX"
 
           docker buildx build \
             --platform "$PLATFORM" \
             --cache-from type=gha,scope=$CACHE_SCOPE \
-            --cache-from type=registry,ref=$AWS_CACHE_IMAGE \
             --cache-to type=gha,mode=max,scope=$CACHE_SCOPE \
-            --cache-to type=registry,ref=$AWS_CACHE_IMAGE,mode=max \
             --provenance=false \
             --sbom=false \
             -f orion-server/Dockerfile \

Cargo.lock

@@ -62,7 +62,7 @@ futures-util = "0.3.32"
 axum = { version = "0.8.9", features = ["macros", "json"] }
 axum-extra = "0.12.6"
 russh = "0.55.0"
-tower-http = "0.6.10"
+tower-http = "0.6.11"
 tower = "0.5.3"
 tower-sessions = { version = "0.15", features = ["memory-store"] }
 time = { version = "0.3.47", features = ["serde"] }
@@ -97,7 +97,7 @@ uuid = "1.23.1"
 regex = "1.12.3"
 ed25519-dalek = "2.2.0"
 ctrlc = "3.5.2"
-cedar-policy = "4.10.0"
+cedar-policy = "4.11.0"
 secp256k1 = "0.31.1"
 pgp = "0.19.0"
 base64 = "0.22.1"
@@ -106,7 +106,7 @@ utoipa = { version = "5.5.0", features = ["chrono"] }
 utoipa-axum = "0.2.0"
 utoipa-swagger-ui = "9.0.2"
 tempfile = "3.27.0"
-dashmap = "6.1.0"
+dashmap = "6.2.1"
 once_cell = "1.21.4"
 serial_test = "3.4.0"
 sysinfo = "0.39.2"

Cargo.toml

@@ -71,6 +71,7 @@ utoipa = { workspace = true, features = ["axum_extras"] }
 utoipa-axum = { workspace = true }
 utoipa-swagger-ui = { workspace = true, features = ["axum"] }
 once_cell = { workspace = true }
+base64 = { workspace = true }
 
 
 [target.'cfg(not(windows))'.dependencies]

mono/Cargo.toml

@@ -1,6 +1,5 @@
-# ---------- planner stage ----------
-# This stage analyzes the Cargo workspace and produces a dependency recipe.
-# The recipe will change ONLY when Cargo.toml changes.
+# ────── Stage 0: Chef ──────
+# Downloads and installs cargo-chef (prebuilt binary, no Rust compilation needed).
 FROM rust:1.95.0 AS chef
 
 ARG TARGETARCH=amd64
@@ -11,7 +10,6 @@ WORKDIR /opt/mega
 # Prebuilt cargo-chef (avoids compiling it on every cold planner layer).
 RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl \
     && rm -rf /var/lib/apt/lists/* \
-    && set -eux \
     && case "$TARGETARCH" in \
          amd64) chef_arch=x86_64-unknown-linux-musl ;; \
          arm64) chef_arch=aarch64-unknown-linux-gnu ;; \
@@ -20,6 +18,13 @@ RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates
     && curl -fsSL "https://github.com/LukeMathWalker/cargo-chef/releases/download/v${CARGO_CHEF_VERSION}/cargo-chef-${chef_arch}.tar.gz" \
          | tar xz -C /usr/local/cargo/bin
 
+# ────── Stage 1: Planner ──────
+# Copies all Cargo.toml files; cargo-chef emits recipe.json describing the full dependency graph.
+# This stage is cached unless a Cargo.toml changes.
+FROM chef AS planner
+
+WORKDIR /opt/mega
+
 COPY Cargo.toml ./
 COPY api-model/Cargo.toml api-model/
 COPY ceres/Cargo.toml ceres/
@@ -38,14 +43,13 @@ COPY orion-server/bellatrix/Cargo.toml orion-server/bellatrix/
 COPY saturn/Cargo.toml saturn/
 COPY vault/Cargo.toml vault/
 
+# Named cache mounts let the builder stage inherit this cache via `from=planner`.
+RUN --mount=type=cache,target=/usr/local/cargo/registry,id=mono-registry \
+    --mount=type=cache,target=/usr/local/cargo/git,id=mono-git \
+    cargo chef prepare --bin mono --recipe-path recipe.json
 
-# Generate a recipe describing the dependency graph
-RUN cargo chef prepare --bin mono --recipe-path recipe.json
-
-
-# ---------- builder stage ----------
-# This stage builds dependencies first (cached),
-# then builds the actual application binary.
+# ────── Stage 2: Builder ──────
+# Installs system libs, builds all dependencies (cached), then builds the mono binary.
 FROM chef AS builder
 
 WORKDIR /opt/mega
@@ -60,56 +64,34 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libprotobuf-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Faster linking (release deps + final mono link).
+# Faster linking for release builds.
 ENV RUSTFLAGS="-C link-arg=-fuse-ld=mold"
 
-# Copy the dependency recipe from the planner stage
-COPY --from=chef /opt/mega/recipe.json recipe.json
+# Inherit registry/git caches from the planner stage.
+COPY --from=planner /opt/mega/recipe.json recipe.json
 
-# Build and cache all Rust dependencies
-# This layer will be reused as long as dependencies do not change
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=/usr/local/cargo/git \
-    cargo chef cook --bin mono --release --recipe-path recipe.json
+RUN --mount=type=cache,target=/usr/local/cargo/registry,id=mono-registry,from=planner \
+    --mount=type=cache,target=/usr/local/cargo/git,id=mono-git,from=planner \
+    cargo chef cook --release --recipe-path recipe.json
 
-# Copy only the workspace sources AFTER dependencies are cached.
-# This avoids sending the entire repo context (which can be multiple GB) to the builder.
-COPY Cargo.toml ./
-COPY api-model ./api-model
-COPY ceres ./ceres
-COPY common ./common
-COPY config ./config
-COPY context ./context
-COPY io-orbit ./io-orbit
-COPY jupiter ./jupiter
-COPY mono ./mono
-COPY orion ./orion
-COPY orion-server ./orion-server
-COPY saturn ./saturn
-COPY vault ./vault
-
-# Build the mono binary (fixed release)
-#
-# NOTE: Build output must be persisted into the image layer for the runtime stage `COPY`.
-# A buildkit cache mount is not committed into the layer, so we build into a cached dir
-# then copy the final binary into `/opt/mega/target/...` (regular filesystem).
-RUN --mount=type=cache,target=/usr/local/cargo/registry \
-    --mount=type=cache,target=/usr/local/cargo/git \
+COPY . .
+
+# Persist built binary into the image layer (buildkit cache mounts evaporate after build).
+RUN --mount=type=cache,target=/usr/local/cargo/registry,id=mono-registry,from=planner \
+    --mount=type=cache,target=/usr/local/cargo/git,id=mono-git,from=planner \
     --mount=type=cache,target=/opt/mega/target-cache \
     CARGO_TARGET_DIR=/opt/mega/target-cache cargo build --release -p mono && \
     mkdir -p /opt/mega/target/release && \
     cp /opt/mega/target-cache/release/mono /opt/mega/target/release/mono
 
-
-# ---------- runtime stage ----------
-# This is the minimal runtime image containing only the binary and runtime deps
-FROM debian:bookworm-slim
+# ────── Stage 3: Runtime ──────
+FROM debian:trixie-slim
 
 # Install runtime dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
     ca-certificates \
     less \
-    libssl3 \
+    libssl3t64 \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy the compiled binary and startup script

mono/Dockerfile

@@ -5,6 +5,7 @@ use axum::{
     body::Body,
     http::{HeaderValue, Request, Response},
 };
+use base64::Engine;
 use bytes::{Bytes, BytesMut};
 use ceres::{
     api_service::state::ProtocolApiState,
@@ -52,29 +53,50 @@ fn auth_failed() -> Result<Response<Body>, ProtocolError> {
         .status(401)
         .header(
             http::header::WWW_AUTHENTICATE,
-            HeaderValue::from_static("Bearer realm=\"Mega\""),
+            HeaderValue::from_static("Basic realm=\"Mega\", Bearer realm=\"Mega\""),
         )
         .body(Body::empty())
         .unwrap();
     Ok(resp)
 }
 
+/// Parses Basic Auth header, returning the password (which is the token).
+/// The username is ignored since we only care about the token in the password field.
+fn basic_auth_password_from_authorization_value(value: &str) -> Option<String> {
+    let stripped = value
+        .strip_prefix("Basic ")
+        .or_else(|| value.strip_prefix("basic "))?;
+    let decoded = base64::engine::general_purpose::STANDARD
+        .decode(stripped.trim())
+        .ok()?;
+    let decoded_str = String::from_utf8(decoded).ok()?;
+    // Basic auth format: "username:password"
+    Some(decoded_str.split(':').nth(1)?.to_owned())
+}
+
 /// Uses [`crate::api::oauth::login_user_from_mono_access_token`] (same as [`crate::api::oauth::AccessTokenUser`]).
-async fn git_receive_pack_bearer_auth(
+/// Supports both Bearer tokens and Basic Auth (with token as password).
+async fn git_receive_pack_auth(
     state: &ProtocolApiState,
     pack_protocol: &mut SmartSession,
     headers: &http::HeaderMap,
 ) -> Result<bool, ProtocolError> {
-    let token = headers
-        .get(AUTHORIZATION)
-        .and_then(|v| v.to_str().ok())
-        .and_then(bearer_token_from_authorization_value);
+    let auth_header = headers.get(AUTHORIZATION).and_then(|v| v.to_str().ok());
+
+    // Try Bearer token first
+    let token = auth_header.and_then(bearer_token_from_authorization_value);
+
+    // If no Bearer token, try Basic Auth (token as password)
+    let token = token
+        .map(String::from)
+        .or_else(|| auth_header.and_then(basic_auth_password_from_authorization_value));
+
     let Some(token) = token else {
         return Ok(false);
     };
 
     let Some(user) =
-        login_user_from_mono_access_token(&state.storage.user_storage(), token).await?
+        login_user_from_mono_access_token(&state.storage.user_storage(), &token).await?
     else {
         return Ok(false);
     };
@@ -179,7 +201,7 @@ pub async fn git_receive_pack(
 ) -> Result<Response<Body>, ProtocolError> {
     let mut pack_protocol =
         SmartSession::new(repo_path, ServiceType::ReceivePack, TransportProtocol::Http);
-    if !git_receive_pack_bearer_auth(state, &mut pack_protocol, req.headers()).await? {
+    if !git_receive_pack_auth(state, &mut pack_protocol, req.headers()).await? {
         return auth_failed();
     }
     // Convert the request body into a data stream.

mono/src/git_protocol/http.rs

@@ -1 +1 @@
-lts/*
+20