chore: update default & local cfgs

Author: coopernetes

.claude/settings.json

@@ -60,8 +60,6 @@ packetline-*.txt
 ### Data ###
 .data/
 
-### Claude Code memory (local only) ###
-memory/
 
 ### Gitea smoke test secrets (generated by docker/gitea-setup.sh) ###
 test/gitea/tokens.env

.gitignore

@@ -0,0 +1,54 @@
+package org.finos.gitproxy.db.memory;
+
+import java.util.Comparator;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.concurrent.ConcurrentHashMap;
+import org.finos.gitproxy.db.UrlRuleRegistry;
+import org.finos.gitproxy.db.model.AccessRule;
+
+/** In-memory {@link UrlRuleRegistry}. Data is lost on restart. */
+public class InMemoryUrlRuleRegistry implements UrlRuleRegistry {
+
+    private final Map<String, AccessRule> store = new ConcurrentHashMap<>();
+
+    @Override
+    public void initialize() {}
+
+    @Override
+    public void save(AccessRule rule) {
+        store.put(rule.getId(), rule);
+    }
+
+    @Override
+    public void update(AccessRule rule) {
+        store.put(rule.getId(), rule);
+    }
+
+    @Override
+    public void delete(String id) {
+        store.remove(id);
+    }
+
+    @Override
+    public Optional<AccessRule> findById(String id) {
+        return Optional.ofNullable(store.get(id));
+    }
+
+    @Override
+    public List<AccessRule> findAll() {
+        return store.values().stream()
+                .sorted(Comparator.comparingInt(AccessRule::getRuleOrder).thenComparing(AccessRule::getId))
+                .toList();
+    }
+
+    @Override
+    public List<AccessRule> findEnabledForProvider(String provider) {
+        return store.values().stream()
+                .filter(AccessRule::isEnabled)
+                .filter(r -> r.getProvider() == null || r.getProvider().equals(provider))
+                .sorted(Comparator.comparingInt(AccessRule::getRuleOrder).thenComparing(AccessRule::getId))
+                .toList();
+    }
+}

git-proxy-java-core/src/main/java/org/finos/gitproxy/db/memory/InMemoryUrlRuleRegistry.java

@@ -17,6 +17,9 @@ server:
 # push-identity-codeberg.sh expects "Identity Not Linked" as the failure scenario.
 #
 # Password format: {noop}plaintext (dev only).
+auth:
+  provider: local
+
 users:
   - username: admin
     password-hash: "{noop}admin"
@@ -130,9 +133,31 @@ rules:
   # also matches, and vice versa.
   #
   # If no allow rules are configured at all, the proxy operates in fail closed mode (all requests denied).
-  allow:
+  deny:
+    # Guard: never allow pushes to this proxy's own source repository through the proxy.
+    # /finos/git-proxy is allowed above (for dev testing), but git-proxy-java itself is not.
     - enabled: true
       order: 10
+      operations:
+        - PUSH
+      providers:
+        - github
+      slugs:
+        - /coopernetes/git-proxy-java
+
+    # GitHub Pages repositories are presentation sites — block pushes even if the
+    # owner is covered by an allow rule (e.g. a future finos/* allow entry).
+    - enabled: true
+      order: 20
+      operations:
+        - PUSH
+      providers:
+        - github
+      names:
+        - "*.github.io"
+  allow:
+    - enabled: true
+      order: 30
       operations:
         - FETCH
       providers:
@@ -142,7 +167,7 @@ rules:
         - /coopernetes/git-proxy-java
         - /coopernetes/test-repo
     - enabled: true
-      order: 20
+      order: 40
       operations:
         - FETCH
         - PUSH
@@ -151,7 +176,7 @@ rules:
       slugs:
         - /coopernetes/test-repo-gitlab
     - enabled: true
-      order: 30
+      order: 50
       operations:
         - FETCH
         - PUSH
@@ -160,33 +185,10 @@ rules:
       slugs:
         - /coopernetes/test-repo-codeberg
     - enabled: true
-      order: 40
+      order: 60
       operations:
         - FETCH
       owners:
         - finos
       providers:
-        - github
-
-  deny:
-    # Guard: never allow pushes to this proxy's own source repository through the proxy.
-    # /finos/git-proxy is allowed above (for dev testing), but git-proxy-java itself is not.
-    - enabled: true
-      order: 10
-      operations:
-        - PUSH
-      providers:
-        - github
-      slugs:
-        - /coopernetes/git-proxy-java
-
-    # GitHub Pages repositories are presentation sites — block pushes even if the
-    # owner is covered by an allow rule (e.g. a future finos/* allow entry).
-    - enabled: true
-      order: 20
-      operations:
-        - PUSH
-      providers:
-        - github
-      names:
-        - "*.github.io"
+        - github

git-proxy-java-server/src/main/resources/git-proxy-local.yml

@@ -167,6 +167,10 @@ secret-scan:
 #   {noop}plaintext   — no hashing, for local dev only
 #   {bcrypt}$2a$12$.. — bcrypt; generate with: htpasswd -bnBC 12 "" yourpassword | tr -d ':\n'
 #
+# Enable local auth with a single admin user. Not recommended for production!
+auth:
+  provider: local
+
 users:
  - username: admin
    password-hash: "{noop}admin"