From 295fd3008493691f7f7c4789636c5de29aa28937 Mon Sep 17 00:00:00 2001
From: Tom Noonan II
Date: Wed, 18 May 2022 16:26:41 -0400
Subject: [PATCH] Client auth support: Add optional HTTP basic client auth via CLIENT_AUTH_USER_FILE ENV var
---
 Dockerfile | 1 +
 README.md | 1 +
 files/client_auth.conf | 3 +++
 files/nginx.conf | 4 ++++
 files/startup.sh | 7 +++++++
 5 files changed, 16 insertions(+)
 create mode 100644 files/client_auth.conf
diff --git a/Dockerfile b/Dockerfile
index 43ed49a..9f63d1f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,7 @@ COPY files/root /etc/crontabs/root
 COPY files/nginx.conf /usr/local/openresty/nginx/conf/nginx.conf
 COPY files/ssl.conf /usr/local/openresty/nginx/conf/ssl.conf
+COPY files/client_auth.conf /usr/local/openresty/nginx/conf/client_auth.conf
 ENV PORT 5000
 RUN chmod a+x /startup.sh /renew_token.sh
diff --git a/README.md b/README.md
index 90eb759..429f782 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,7 @@ The proxy is packaged in a docker container and can be configured with following
 | `ENABLE_SSL` | Used to enable SSL/TLS for proxy | Optional | `false` |
 | `REGISTRY_HTTP_TLS_KEY` | Path to TLS key in the container | Required with TLS | |
 | `REGISTRY_HTTP_TLS_CERTIFICATE` | Path to TLS cert in the container | Required with TLS | |
+| `CLIENT_AUTH_USER_FILE` | Path to auth_basic user file in the container for client authentication | Optional | |
 ### Example:
diff --git a/files/client_auth.conf b/files/client_auth.conf
new file mode 100644
index 0000000..7b230a1
--- /dev/null
+++ b/files/client_auth.conf
@@ -0,0 +1,3 @@
+# Client auth configuration
+auth_basic basic;
+auth_basic_user_file CLIENT_AUTH_USER_FILE;
diff --git a/files/nginx.conf b/files/nginx.conf
index b714aac..eb81d73 100644
--- a/files/nginx.conf
+++ b/files/nginx.conf
@@ -30,6 +30,7 @@ http {
 listen PORT SSL_LISTEN default_server;
 SSL_INCLUDE
+ AUTH_INCLUDE
 # Cache
 add_header X-Cache-Status $upstream_cache_status;
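Review bot: auth_basic is switched on in client_auth.conf independently of ENABLE_SSL, so when the proxy listens on plain HTTP the credentials in every Authorization header cross the wire base64-encoded, which is effectively cleartext, and nothing in the file or the README row says so. Suggest making the header comment carry that caveat: `# Client auth configuration (HTTP basic). Credentials are only protected in transit when ENABLE_SSL is set; do not expose an HTTP-only listener beyond a trusted network.` The realm `basic` is the literal string clients see in the WWW-Authenticate challenge; a descriptive realm would help operators, though that is cosmetic.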
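Review bot: AUTH_INCLUDE is expanded at server level, directly under `listen`, so once CLIENT_AUTH_USER_FILE is set every location in this server block demands credentials, including whatever path /health-check.sh requests (startup.sh rewrites that script with the same PORT); if that probe is unauthenticated it will start receiving 401 and the container may be reported unhealthy. Either send credentials from the health check or add `auth_basic off;` to the location it hits — the other locations are not visible in this hunk, so this is inferred from the PORT substitution in startup.sh. A short comment above the placeholder would also make the template self-explanatory, e.g. `# AUTH_INCLUDE: replaced by startup.sh with an include of client_auth.conf (server-wide basic auth) or left empty`.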
@@ -98,6 +99,9 @@ http {
 # query params. Also the params should be part of cache key for nginx to
 # issue HIT for same image blob.
 location @handle_redirect {
+ # Clear Authorization header from the client, if present
+ proxy_set_header Authorization "";
+
 set $saved_redirect_location '$upstream_http_location';
 proxy_pass $saved_redirect_location;
 proxy_cache cache;
diff --git a/files/startup.sh b/files/startup.sh
index fecd198..fe11b78 100755
--- a/files/startup.sh
+++ b/files/startup.sh
@@ -42,6 +42,7 @@ echo Using cache key $CACHE_KEY
 SCHEME=http
 CONFIG=/usr/local/openresty/nginx/conf/nginx.conf
 SSL_CONFIG=/usr/local/openresty/nginx/conf/ssl.conf
+AUTH_CONFIG=/usr/local/openresty/nginx/conf/client_auth.conf
 if [ "$ENABLE_SSL" ]; then
 sed -i -e s!REGISTRY_HTTP_TLS_CERTIFICATE!"$REGISTRY_HTTP_TLS_CERTIFICATE"!g $SSL_CONFIG
@@ -51,6 +52,11 @@ if [ "$ENABLE_SSL" ]; then
 SCHEME="https"
 fi
+if [ "$CLIENT_AUTH_USER_FILE" ]; then
+ sed -i -e s!CLIENT_AUTH_USER_FILE!"$CLIENT_AUTH_USER_FILE"!g $AUTH_CONFIG
+ AUTH_INCLUDE="include $AUTH_CONFIG;"
+fi
+
 # Update nginx config
 sed -i -e s!UPSTREAM!"$UPSTREAM"!g $CONFIG
 sed -i -e s!PORT!"$PORT"!g $CONFIG
@@ -60,6 +66,7 @@ sed -i -e s!CACHE_KEY!"$CACHE_KEY"!g $CONFIG
 sed -i -e s!SCHEME!"$SCHEME"!g $CONFIG
 sed -i -e s!SSL_INCLUDE!"$SSL_INCLUDE"!g $CONFIG
 sed -i -e s!SSL_LISTEN!"$SSL_LISTEN"!g $CONFIG
+sed -i -e s!AUTH_INCLUDE!"$AUTH_INCLUDE"!g $CONFIG
 # Update health-check
 sed -i -e s!PORT!"$PORT"!g /health-check.sh
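Review bot: Adding a `proxy_set_header` inside `location @handle_redirect` changes more than the Authorization header: nginx inherits proxy_set_header directives from the enclosing level only when the current level defines none, so any Host, X-Forwarded-* or similar headers set at server or http scope (not visible in this hunk) silently stop applying to the redirect request and must be repeated here if they exist. The removal itself is the right shape — an empty value makes nginx drop the header, so the client's basic-auth credentials are not replayed to the redirect target, which is presumably a different host than the proxy — and the comment should say why rather than what: `# Drop the client's Authorization header so proxy credentials are never forwarded to the redirect target`. The closing brace of the location block is outside the hunk.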
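Review bot: The new `if [ "$CLIENT_AUTH_USER_FILE" ]` branch enables auth_basic on the strength of the variable being non-empty but never checks that the file exists and is readable inside the container, so a typo in the path is only discovered when nginx fails to open the user file on the first request. Add a guard before the sed: `[ -r "$CLIENT_AUTH_USER_FILE" ] || { echo "CLIENT_AUTH_USER_FILE '$CLIENT_AUTH_USER_FILE' is not readable" >&2; exit 1; }`. The value is also spliced straight into the sed replacement, so a path containing `!`, `&` or `\` would corrupt client_auth.conf; that mirrors how the TLS paths are handled in the hunk above, but a one-line comment such as `# path must not contain !, & or \ (used unescaped in the sed replacement)` would save a debugging session.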