Identity & security foundation

[coopernetes]

Motivation

jgit-proxy currently has no concept of authenticated users:

• REST API is fully open
• reviewerUsername in Attestation is an unverified string
• DummyUserAuthorizationService always returns true
• HTTP Basic challenge to git clients is never validated

This tracked the full AuthN/AuthZ/identity work. All phases are now either complete or have been broken out into standalone issues.

---

Data Model ✅

Three tables underpin the whole identity system — all implemented.

---

Phase 0 — Spring Security foundation ✅

• SecurityConfig with form login, CSRF, stateful sessions
• reviewerUsername derived from SecurityContext principal
• Static users from YAML config wired as InMemoryUserDetailsManager
• Route protection — all API routes require authentication

---

Phase 1 — Pluggable identity providers ✅

• StaticUserStore (YAML, read-only) and JdbcUserStore / MutableUserStore
• CheckUserPushPermissionHook / CheckUserPushPermissionFilter + BasicAuthChallengeFilter
• StaticUserAuthProvider and JdbcUserAuthProvider
• LdapAuthenticationProvider with LdapEmailContextMapper — auth.provider: ldap
• OIDC authorization code flow via oauth2Login — auth.provider: oidc

---

Phase 2 — Identity linking ✅

• ProfileController at /api/me — self-service email and SCM identity management
• Admin user management — tracked in User CRUD, list view #48 (closed) and Admin pages: user management, config, health #34/Dashboard: user management and SCM identity admin views #38

---

Phase 3 — Upstream SCM OAuth

Tracked in #40.

---

Phase 4 — Push attribution enforcement ✅

• IdentityVerificationHook (order 160) — configurable via commit.identity-verification: strict | warn | off
• PushRecord.userEmail populated from authenticated principal
• SCM username cross-referenced against user_scm_identities via TokenPushIdentityResolver

---

Remaining work (tracked in separate issues)

• Admin pages: user management, config, health #34 / Dashboard: user management and SCM identity admin views #38 — Admin user management UI + backend endpoints
• SCM OAuth integration: link proxy users to GitHub/GitLab accounts #40 — SCM OAuth (GitHub/GitLab account linking)
• Per-repo push and approval authorization #47 — Per-repo push & approval authorization

[coopernetes]

Progress update

Significant work has landed across recent commits. Checking off what's done:

Phase 0 — Spring Security foundation: ✅ DONE

• SecurityConfig, form login, CSRF, role-based route protection
• Static users from YAML config wired as InMemoryUserDetailsManager
• /api/me endpoint, custom login page
• reviewerUsername derived from SecurityContext principal

Phase 1 — Pluggable identity providers: ~80% done

• ✅ StaticUserStore, JdbcUserStore, JdbcUserEmailStore, JdbcScmIdentityStore
• ✅ StaticUserAuthProvider wired into AuthenticationManager
• ✅ JdbcUserAuthProvider (via Spring UserDetailsService backed by JdbcUserStore)
• ❌ LdapUserAuthProvider — not implemented
• ❌ OidcUserService — not implemented
• ✅ BasicAuthValidationFilter equivalent via CheckUserPushPermissionFilter + PushIdentityResolver

Phase 2 — Identity linking: ~50% done

• ✅ LinkedIdentityAuthorizationService — resolves committer email against user_emails
• ❌ AdminController under /api/admin/ — not done (tracked in Admin pages: user management, config, health #34 / Dashboard: user management and SCM identity admin views #38)

Phase 3 — Upstream SCM OAuth: ❌ not started

Phase 4 — Push attribution enforcement: ~50% done

• ✅ CheckUserPushPermissionHook and CheckUserPushPermissionFilter — gates push against resolved identity
• ✅ PushIdentityResolver interface + ConfigPushIdentityResolver + TokenPushIdentityResolver
• ❌ IdentityVerificationHook — verify committer email against user_emails; cross-reference user_scm_identities

---

Given the size of this issue, proposing to break out the remaining work:

• Phase 3 (SCM OAuth) → new standalone issue — it's a significant feature with its own OAuth flow, token storage, and config
• Phase 4 remainder (IdentityVerificationHook) → small focused issue or tackled as part of Dashboard: user management and SCM identity admin views #38 backend work
• LDAP/OIDC auth providers → separate issue if/when there's demand

This issue can likely be closed once the IdentityVerificationHook and AdminController gaps are filled, with Phase 3 (OAuth) living in its own issue.

[coopernetes]

All phases either complete or broken out into standalone issues: #34/#38 (admin CRUD), #40 (SCM OAuth), #47 (per-repo authz), #54 (LDAP). Closing this umbrella.