Address review feedback: Pattern types, remove userEmail, stub secret scanning, add auth headers, shallow clones

Co-authored-by: coopernetes <57812123+coopernetes@users.noreply.github.com>

Author: Copilot

jgit-proxy-core/src/main/java/org/finos/gitproxy/config/CommitConfig.java

@@ -2,6 +2,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.regex.Pattern;
 import lombok.Builder;
 import lombok.Data;
 
@@ -49,9 +50,9 @@ public static class DomainConfig {
 
         /**
          * Regex pattern for allowed email domains. If set, only emails matching this pattern are allowed. Example:
-         * ".*\\.company\\.com$" to allow only company.com domains.
+         * Pattern.compile(".*\\.company\\.com$") to allow only company.com domains.
          */
-        private String allow;
+        private Pattern allow;
     }
 
     /** Configuration for email local part validation. */
@@ -61,9 +62,9 @@ public static class LocalConfig {
 
         /**
          * Regex pattern for blocked email local parts. If set, emails matching this pattern are blocked. Example:
-         * "^(noreply|no-reply)$" to block noreply addresses.
+         * Pattern.compile("^(noreply|no-reply)$") to block noreply addresses.
          */
-        private String block;
+        private Pattern block;
     }
 
     /** Configuration for commit message validation. */
@@ -88,12 +89,9 @@ public static class BlockConfig {
         @Builder.Default
         private List<String> literals = new ArrayList<>();
 
-        /**
-         * List of regex patterns that are blocked in commit messages. Messages matching any of these patterns will be
-         * rejected.
-         */
+        /** List of compiled regex patterns that are blocked in commit messages. */
         @Builder.Default
-        private List<String> patterns = new ArrayList<>();
+        private List<Pattern> patterns = new ArrayList<>();
     }
 
     /**

jgit-proxy-core/src/main/java/org/finos/gitproxy/config/SecretScanningConfig.java

@@ -172,7 +172,9 @@ private static Commit convertToCommit(RevCommit revCommit) {
         }
 
         // Extract GPG signature if present
-        String signature = extractGpgSignature(revCommit);
+        // Note: Signature extraction is handled by GitReceivePackParser during push parsing
+        // and is available in the Commit object passed from the push packet data
+        String signature = null;
 
         return Commit.builder()
                 .sha(revCommit.getName())
@@ -190,47 +192,4 @@ private static Commit convertToCommit(RevCommit revCommit) {
                 .signature(signature)
                 .build();
     }
-
-    /**
-     * Extract GPG signature from a commit if present.
-     *
-     * @param revCommit The JGit commit
-     * @return The GPG signature, or null if not present
-     */
-    private static String extractGpgSignature(RevCommit revCommit) {
-        byte[] rawBuffer = revCommit.getRawBuffer();
-        String raw = new String(rawBuffer);
-
-        int sigStart = raw.indexOf("gpgsig ");
-        if (sigStart < 0) {
-            return null;
-        }
-
-        // Find the start of the signature block
-        sigStart += 7; // length of "gpgsig "
-        int sigEnd = raw.indexOf("\n", sigStart);
-
-        // Build the complete signature by collecting continuation lines
-        StringBuilder signature = new StringBuilder();
-        int pos = sigStart;
-
-        while (pos < raw.length()) {
-            int nextNewline = raw.indexOf("\n", pos);
-            if (nextNewline < 0) {
-                break;
-            }
-
-            String line = raw.substring(pos, nextNewline);
-            if (!line.startsWith(" ")) {
-                // End of signature block
-                break;
-            }
-
-            // Remove leading space and add to signature
-            signature.append(line.substring(1)).append("\n");
-            pos = nextNewline + 1;
-        }
-
-        return signature.toString().trim();
-    }
 }

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/CommitInspectionService.java

@@ -17,9 +17,8 @@ public class GitRequestDetails {
     private HttpOperation operation;
     private Repository repository;
     private String branch; // null for fetch requests
-    private Commit commit;
-    private List<Commit> commits = new ArrayList<>(); // All commits in a push
-    private String userEmail; // Email of the user performing the operation
+    private Commit commit; // Head/parent commit from the push
+    private List<Commit> pushedCommits = new ArrayList<>(); // All commits received in this push
     private GitProxyProvider provider;
     private List<GitProxyFilter> filters = new ArrayList<>();
     private GitResult result = GitResult.PENDING;

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/GitRequestDetails.java

@@ -22,22 +22,40 @@ public class LocalRepositoryCache {
 
     private final Path cacheDirectory;
     private final Map<String, CachedRepository> cache = new ConcurrentHashMap<>();
+    private final int cloneDepth;
+    private final boolean registerShutdownHook;
 
-    /** Default constructor that uses system temp directory. */
+    /** Default constructor that uses system temp directory with shutdown hook. */
     public LocalRepositoryCache() throws IOException {
-        this(Files.createTempDirectory("jgit-proxy-cache-"));
+        this(Files.createTempDirectory("jgit-proxy-cache-"), 100, true);
     }
 
     /**
-     * Constructor with custom cache directory.
+     * Constructor with custom cache directory - Spring-friendly (no shutdown hook).
      *
      * @param cacheDirectory The directory to use for caching repositories
+     * @param registerShutdownHook Whether to register shutdown hook (false for Spring apps)
      */
-    public LocalRepositoryCache(Path cacheDirectory) {
+    public LocalRepositoryCache(Path cacheDirectory, boolean registerShutdownHook) throws IOException {
+        this(cacheDirectory, 100, registerShutdownHook);
+    }
+
+    /**
+     * Full constructor with custom cache directory and clone depth.
+     *
+     * @param cacheDirectory The directory to use for caching repositories
+     * @param cloneDepth The depth for shallow clones (0 for full clone)
+     * @param registerShutdownHook Whether to register shutdown hook (false for Spring apps)
+     */
+    public LocalRepositoryCache(Path cacheDirectory, int cloneDepth, boolean registerShutdownHook) {
         this.cacheDirectory = cacheDirectory;
-        log.info("Initialized LocalRepositoryCache at: {}", cacheDirectory);
-        // Register shutdown hook to clean up
-        Runtime.getRuntime().addShutdownHook(new Thread(this::cleanup));
+        this.cloneDepth = cloneDepth;
+        this.registerShutdownHook = registerShutdownHook;
+        log.info("Initialized LocalRepositoryCache at: {} with clone depth: {}", cacheDirectory, cloneDepth);
+        // Register shutdown hook to clean up (skip for Spring apps that use @PreDestroy)
+        if (registerShutdownHook) {
+            Runtime.getRuntime().addShutdownHook(new Thread(this::cleanup));
+        }
     }
 
     /**
@@ -85,16 +103,26 @@ private synchronized Repository cloneOrFetch(String remoteUrl, String cacheKey)
         if (repoDir.exists()) {
             log.debug("Repository directory exists, opening and fetching: {}", repoDir);
             Git git = Git.open(repoDir);
-            // Fetch latest changes
-            git.fetch().setRemote("origin").call();
+            // Fetch latest changes with depth if configured
+            if (cloneDepth > 0) {
+                git.fetch().setRemote("origin").setDepth(cloneDepth).call();
+            } else {
+                git.fetch().setRemote("origin").call();
+            }
             repository = git.getRepository();
         } else {
-            log.debug("Cloning repository to: {}", repoDir);
-            Git git = Git.cloneRepository()
+            log.debug("Cloning repository to: {} with depth: {}", repoDir, cloneDepth);
+            var cloneCommand = Git.cloneRepository()
                     .setURI(remoteUrl)
                     .setDirectory(repoDir)
-                    .setBare(true)
-                    .call();
+                    .setBare(true);
+
+            // Set shallow clone depth if configured
+            if (cloneDepth > 0) {
+                cloneCommand.setDepth(cloneDepth);
+            }
+
+            Git git = cloneCommand.call();
             repository = git.getRepository();
         }
 

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/LocalRepositoryCache.java

@@ -47,6 +47,18 @@ public Repository open(HttpServletRequest req, String name)
      * @return The remote repository URL
      */
     private String extractRemoteUrl(HttpServletRequest req, String name) {
+        // Extract authentication from Authorization header
+        String authHeader = req.getHeader("Authorization");
+        String authCredentials = "";
+
+        if (authHeader != null && authHeader.startsWith("Basic ")) {
+            // Extract credentials from Basic auth
+            String base64Credentials = authHeader.substring("Basic ".length()).trim();
+            String credentials = new String(java.util.Base64.getDecoder().decode(base64Credentials));
+            // credentials format is "username:password"
+            authCredentials = credentials + "@";
+        }
+
         // This is a simplified implementation
         // In a real implementation, you would extract the provider and construct the full URL
         // For now, we'll use the request info
@@ -55,9 +67,13 @@ private String extractRemoteUrl(HttpServletRequest req, String name) {
             // Remove leading slash and any git-receive-pack or git-upload-pack suffixes
             String cleanPath = pathInfo.substring(1).replaceAll("/(git-receive-pack|git-upload-pack|info/refs).*$", "");
 
-            // Construct URL based on the host from request
-            // This is simplified - in production you'd need more sophisticated URL construction
-            return "https://" + cleanPath + ".git";
+            // Construct URL with authentication if present
+            // Format: https://username:password@host/path.git
+            if (!authCredentials.isEmpty()) {
+                return "https://" + authCredentials + cleanPath + ".git";
+            } else {
+                return "https://" + cleanPath + ".git";
+            }
         }
 
         return name;

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/TemporaryRepositoryResolver.java

@@ -39,7 +39,7 @@ public void doHttpFilter(HttpServletRequest request, HttpServletResponse respons
             return;
         }
 
-        List<Commit> commits = requestDetails.getCommits();
+        List<Commit> commits = requestDetails.getPushedCommits();
         if (commits == null || commits.isEmpty()) {
             log.debug("No commits found in request details");
             return;
@@ -93,23 +93,19 @@ private boolean isEmailAllowed(String email) {
         String emailDomain = parts[1];
 
         // Check domain allow pattern
-        String domainAllowPattern =
+        Pattern domainAllowPattern =
                 commitConfig.getAuthor().getEmail().getDomain().getAllow();
-        if (domainAllowPattern != null && !domainAllowPattern.isEmpty()) {
-            if (!Pattern.compile(domainAllowPattern, Pattern.CASE_INSENSITIVE)
-                    .matcher(emailDomain)
-                    .find()) {
+        if (domainAllowPattern != null) {
+            if (!domainAllowPattern.matcher(emailDomain).find()) {
                 return false;
             }
         }
 
         // Check local part block pattern
-        String localBlockPattern =
+        Pattern localBlockPattern =
                 commitConfig.getAuthor().getEmail().getLocal().getBlock();
-        if (localBlockPattern != null && !localBlockPattern.isEmpty()) {
-            if (Pattern.compile(localBlockPattern, Pattern.CASE_INSENSITIVE)
-                    .matcher(emailLocal)
-                    .find()) {
+        if (localBlockPattern != null) {
+            if (localBlockPattern.matcher(emailLocal).find()) {
                 return false;
             }
         }

jgit-proxy-core/src/main/java/org/finos/gitproxy/servlet/filter/CheckAuthorEmailsFilter.java

@@ -8,7 +8,6 @@
 import java.util.List;
 import java.util.Set;
 import java.util.regex.Pattern;
-import java.util.regex.PatternSyntaxException;
 import java.util.stream.Collectors;
 import lombok.extern.slf4j.Slf4j;
 import org.finos.gitproxy.config.CommitConfig;
@@ -39,7 +38,7 @@ public void doHttpFilter(HttpServletRequest request, HttpServletResponse respons
             return;
         }
 
-        List<Commit> commits = requestDetails.getCommits();
+        List<Commit> commits = requestDetails.getPushedCommits();
         if (commits == null || commits.isEmpty()) {
             log.debug("No commits found in request details");
             return;
@@ -89,7 +88,7 @@ private boolean isMessageAllowed(String commitMessage) {
         }
 
         List<String> blockedLiterals = commitConfig.getMessage().getBlock().getLiterals();
-        List<String> blockedPatterns = commitConfig.getMessage().getBlock().getPatterns();
+        List<Pattern> blockedPatterns = commitConfig.getMessage().getBlock().getPatterns();
 
         // Check blocked literals (case-insensitive)
         for (String literal : blockedLiterals) {
@@ -100,16 +99,9 @@ private boolean isMessageAllowed(String commitMessage) {
         }
 
         // Check blocked patterns
-        for (String pattern : blockedPatterns) {
-            try {
-                Pattern compiledPattern = Pattern.compile(pattern, Pattern.CASE_INSENSITIVE);
-                if (compiledPattern.matcher(commitMessage).find()) {
-                    log.debug("Commit message matches blocked pattern: {}", pattern);
-                    return false;
-                }
-            } catch (PatternSyntaxException e) {
-                log.error("Invalid regex pattern: {}", pattern, e);
-                // Treat invalid patterns as not matching
+        for (Pattern pattern : blockedPatterns) {
+            if (pattern.matcher(commitMessage).find()) {
+                log.debug("Commit message matches blocked pattern");
                 return false;
             }
         }