libstore: Enable kerberos negotiation for http binary caches

2024-09-19 10:50:24 -04:00 · 2024-04-19 18:59:31 -04:00 · 2024-04-19 18:59:31 -04:00 · 1c97877ec9
parent 18485d2d53
commit 1c97877ec9
4 changed files with 16 additions and 6 deletions
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@ -320,7 +320,7 @@ struct curlFileTransfer : public FileTransfer
            curl_easy_setopt(req, CURLOPT_PIPEWAIT, 1);
            #endif
            #if LIBCURL_VERSION_NUM >= 0x072f00
-            if (fileTransferSettings.enableHttp2)
+            if (fileTransferSettings.enableHttp2 && !request.negotiate)
                curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2TLS);
            else
                curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
@ -357,6 +357,12 @@ struct curlFileTransfer : public FileTransfer
                curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
            }

+            if (request.negotiate) {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_NEGOTIATE);
+                curl_easy_setopt(req, CURLOPT_USERNAME, "");
+                curl_easy_setopt(req, CURLOPT_PASSWORD, "");
+            }
+
            curl_easy_setopt(req, CURLOPT_CONNECTTIMEOUT, fileTransferSettings.connectTimeout.get());

            curl_easy_setopt(req, CURLOPT_LOW_SPEED_LIMIT, 1L);
--- a/src/libstore/filetransfer.hh
+++ b/src/libstore/filetransfer.hh
@ -64,6 +64,7 @@ struct FileTransferRequest
    std::string expectedETag;
    bool verifyTLS = true;
    bool head = false;
+    bool negotiate = false;
    size_t tries = fileTransferSettings.tries;
    unsigned int baseRetryTimeMs = 250;
    ActivityId parentAct;
--- a/src/libstore/http-binary-cache-store.cc
+++ b/src/libstore/http-binary-cache-store.cc
@ -26,15 +26,13 @@ HttpBinaryCacheStoreConfig::HttpBinaryCacheStoreConfig(
        cacheUri.pop_back();
 }

-
 std::string HttpBinaryCacheStoreConfig::doc()
 {
    return
-      #include "http-binary-cache-store.md"
-      ;
+#include "http-binary-cache-store.md"
+        ;
 }

-
 class HttpBinaryCacheStore : public virtual HttpBinaryCacheStoreConfig, public virtual BinaryCacheStore
 {
 private:
@ -143,10 +141,12 @@ protected:

    FileTransferRequest makeRequest(const std::string & path)
    {
-        return FileTransferRequest(
+        auto request = FileTransferRequest(
            hasPrefix(path, "https://") || hasPrefix(path, "http://") || hasPrefix(path, "file://")
            ? path
            : cacheUri + "/" + path);
+        request.negotiate = negotiate;
+        return request;

    }

--- a/src/libstore/http-binary-cache-store.hh
+++ b/src/libstore/http-binary-cache-store.hh
@ -10,6 +10,9 @@ struct HttpBinaryCacheStoreConfig : virtual BinaryCacheStoreConfig

    Path cacheUri;

+    const Setting<bool> negotiate{this, false, "negotiate",
+        "Whether to do kerberos negotiate when talking to the http binary cache."};
+
    const std::string name() override
    {
        return "HTTP Binary Cache Store";