Add service layer and new filter implementations for commit validation and security scanning

Co-authored-by: coopernetes <57812123+coopernetes@users.noreply.github.com>

Author: Copilot

jgit-proxy-core/build.gradle

@@ -38,6 +38,13 @@ dependencies {
     // Jakarta annotations
     api "jakarta.annotation:jakarta.annotation-api:3.0.0"
 
+    // Apache Commons Validator for email validation
+    implementation "commons-validator:commons-validator:1.9.0"
+    
+    // BouncyCastle for GPG signature verification
+    implementation "org.bouncycastle:bcprov-jdk18on:1.79"
+    implementation "org.bouncycastle:bcpg-jdk18on:1.79"
+    
     // JGit dependencies
     api "org.eclipse.jgit:org.eclipse.jgit:${jgitVersion}"
     implementation "org.eclipse.jgit:org.eclipse.jgit.http.apache:${jgitVersion}"

jgit-proxy-core/src/main/java/org/finos/gitproxy/config/CommitConfig.java

@@ -0,0 +1,107 @@
+package org.finos.gitproxy.config;
+
+import java.util.ArrayList;
+import java.util.List;
+import lombok.Builder;
+import lombok.Data;
+
+/** Configuration for commit validation filters. */
+@Data
+@Builder
+public class CommitConfig {
+
+    /** Configuration for author email validation. */
+    @Builder.Default
+    private AuthorConfig author = AuthorConfig.builder().build();
+
+    /** Configuration for commit message validation. */
+    @Builder.Default
+    private MessageConfig message = MessageConfig.builder().build();
+
+    /** Configuration for author validation. */
+    @Data
+    @Builder
+    public static class AuthorConfig {
+
+        /** Configuration for email validation. */
+        @Builder.Default
+        private EmailConfig email = EmailConfig.builder().build();
+    }
+
+    /** Configuration for email validation. */
+    @Data
+    @Builder
+    public static class EmailConfig {
+
+        /** Configuration for email domain validation. */
+        @Builder.Default
+        private DomainConfig domain = DomainConfig.builder().build();
+
+        /** Configuration for email local part validation. */
+        @Builder.Default
+        private LocalConfig local = LocalConfig.builder().build();
+    }
+
+    /** Configuration for email domain validation. */
+    @Data
+    @Builder
+    public static class DomainConfig {
+
+        /**
+         * Regex pattern for allowed email domains. If set, only emails matching this pattern are allowed. Example:
+         * ".*\\.company\\.com$" to allow only company.com domains.
+         */
+        private String allow;
+    }
+
+    /** Configuration for email local part validation. */
+    @Data
+    @Builder
+    public static class LocalConfig {
+
+        /**
+         * Regex pattern for blocked email local parts. If set, emails matching this pattern are blocked. Example:
+         * "^(noreply|no-reply)$" to block noreply addresses.
+         */
+        private String block;
+    }
+
+    /** Configuration for commit message validation. */
+    @Data
+    @Builder
+    public static class MessageConfig {
+
+        /** Configuration for blocking specific message patterns. */
+        @Builder.Default
+        private BlockConfig block = BlockConfig.builder().build();
+    }
+
+    /** Configuration for blocking specific message patterns. */
+    @Data
+    @Builder
+    public static class BlockConfig {
+
+        /**
+         * List of literal strings that are blocked in commit messages. Messages containing any of these strings will be
+         * rejected (case-insensitive).
+         */
+        @Builder.Default
+        private List<String> literals = new ArrayList<>();
+
+        /**
+         * List of regex patterns that are blocked in commit messages. Messages matching any of these patterns will be
+         * rejected.
+         */
+        @Builder.Default
+        private List<String> patterns = new ArrayList<>();
+    }
+
+    /**
+     * Create a default configuration with no restrictions.
+     *
+     * @return A default CommitConfig instance
+     */
+    public static CommitConfig defaultConfig() {
+        return CommitConfig.builder().build();
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/config/GpgConfig.java

@@ -0,0 +1,36 @@
+package org.finos.gitproxy.config;
+
+import lombok.Builder;
+import lombok.Data;
+
+/** Configuration for GPG signature validation. */
+@Data
+@Builder
+public class GpgConfig {
+
+    /** Whether GPG signature validation is enabled. */
+    @Builder.Default
+    private boolean enabled = false;
+
+    /** Whether to require all commits to be signed. */
+    @Builder.Default
+    private boolean requireSignedCommits = false;
+
+    /**
+     * Path to a file containing trusted public keys in ASCII-armored format. If not set, a default dummy key will be
+     * used for testing.
+     */
+    private String trustedKeysFile;
+
+    /** Inline trusted public keys in ASCII-armored format. Used as an alternative to trustedKeysFile. */
+    private String trustedKeysInline;
+
+    /**
+     * Create a default configuration with GPG validation disabled.
+     *
+     * @return A default GpgConfig instance
+     */
+    public static GpgConfig defaultConfig() {
+        return GpgConfig.builder().build();
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/config/SecretScanningConfig.java

@@ -0,0 +1,64 @@
+package org.finos.gitproxy.config;
+
+import java.util.ArrayList;
+import java.util.List;
+import lombok.Builder;
+import lombok.Data;
+
+/** Configuration for secret scanning filters. */
+@Data
+@Builder
+public class SecretScanningConfig {
+
+    /** Whether secret scanning is enabled. */
+    @Builder.Default
+    private boolean enabled = true;
+
+    /**
+     * List of regex patterns to detect secrets. Each pattern should match potential secrets like API keys, passwords,
+     * tokens, etc.
+     */
+    @Builder.Default
+    private List<String> patterns = new ArrayList<>();
+
+    /** Maximum file size to scan in bytes. Files larger than this will be skipped. */
+    @Builder.Default
+    private long maxFileSizeBytes = 1024 * 1024; // 1MB default
+
+    /**
+     * List of file extensions to skip during scanning (e.g., ".jpg", ".png", ".zip"). Binary files are typically
+     * excluded.
+     */
+    @Builder.Default
+    private List<String> excludedExtensions = List.of(".jpg", ".jpeg", ".png", ".gif", ".zip", ".jar", ".class");
+
+    /**
+     * Create a default configuration with common secret patterns.
+     *
+     * @return A default SecretScanningConfig instance
+     */
+    public static SecretScanningConfig defaultConfig() {
+        List<String> defaultPatterns = new ArrayList<>();
+
+        // AWS Keys
+        defaultPatterns.add("AKIA[0-9A-Z]{16}"); // AWS Access Key ID
+        defaultPatterns.add("aws(.{0,20})?['\"][0-9a-zA-Z/+]{40}['\"]"); // AWS Secret Key
+
+        // Generic API Keys
+        defaultPatterns.add("api[_-]?key['\"]?\\s*[:=]\\s*['\"][0-9a-zA-Z]{32,45}['\"]");
+
+        // Generic Passwords
+        defaultPatterns.add("password['\"]?\\s*[:=]\\s*['\"][^'\"\\s]{8,}['\"]");
+
+        // Private Keys
+        defaultPatterns.add("-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----");
+
+        // Generic Tokens
+        defaultPatterns.add("token['\"]?\\s*[:=]\\s*['\"][0-9a-zA-Z]{20,}['\"]");
+
+        // Database Connection Strings
+        defaultPatterns.add("(jdbc|mongodb|mysql|postgresql)://[^\\s]+:[^\\s]+@");
+
+        return SecretScanningConfig.builder().patterns(defaultPatterns).build();
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/git/GitRequestDetails.java

@@ -18,6 +18,8 @@ public class GitRequestDetails {
     private Repository repository;
     private String branch; // null for fetch requests
     private Commit commit;
+    private List<Commit> commits = new ArrayList<>(); // All commits in a push
+    private String userEmail; // Email of the user performing the operation
     private GitProxyProvider provider;
     private List<GitProxyFilter> filters = new ArrayList<>();
     private GitResult result = GitResult.PENDING;

jgit-proxy-core/src/main/java/org/finos/gitproxy/service/DummyRepositoryService.java

@@ -0,0 +1,25 @@
+package org.finos.gitproxy.service;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Dummy implementation of {@link RepositoryService} that always authorizes repositories. This implementation should be
+ * replaced with a real implementation in production.
+ */
+@Slf4j
+public class DummyRepositoryService implements RepositoryService {
+
+    @Override
+    public boolean isRepositoryAuthorized(String repositoryUrl) {
+        log.debug("DummyRepositoryService: Repository {} is authorized (always true)", repositoryUrl);
+        // Always authorize in dummy implementation
+        return true;
+    }
+
+    @Override
+    public boolean repositoryExists(String repositoryUrl) {
+        log.debug("DummyRepositoryService: Repository {} exists (always true)", repositoryUrl);
+        // Always return true in dummy implementation
+        return true;
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/service/DummyUserAuthorizationService.java

@@ -0,0 +1,35 @@
+package org.finos.gitproxy.service;
+
+import lombok.extern.slf4j.Slf4j;
+
+/**
+ * Dummy implementation of {@link UserAuthorizationService} that always authorizes users. This implementation should be
+ * replaced with a real implementation in production.
+ */
+@Slf4j
+public class DummyUserAuthorizationService implements UserAuthorizationService {
+
+    @Override
+    public boolean isUserAuthorizedToPush(String userEmail, String repositoryUrl) {
+        log.debug("DummyUserAuthorizationService: Authorizing user {} for repository {}", userEmail, repositoryUrl);
+        // Always authorize in dummy implementation
+        return true;
+    }
+
+    @Override
+    public boolean userExists(String userEmail) {
+        log.debug("DummyUserAuthorizationService: User {} exists (always true)", userEmail);
+        // Always return true in dummy implementation
+        return true;
+    }
+
+    @Override
+    public String getUsernameByEmail(String userEmail) {
+        log.debug("DummyUserAuthorizationService: Getting username for {}", userEmail);
+        // Extract username from email as a placeholder
+        if (userEmail != null && userEmail.contains("@")) {
+            return userEmail.substring(0, userEmail.indexOf("@"));
+        }
+        return userEmail;
+    }
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/service/RepositoryService.java

@@ -0,0 +1,24 @@
+package org.finos.gitproxy.service;
+
+/**
+ * Service interface for repository operations. Implementations should provide repository metadata and authorization
+ * information.
+ */
+public interface RepositoryService {
+
+    /**
+     * Check if a repository is in the authorized list.
+     *
+     * @param repositoryUrl The URL of the repository
+     * @return true if the repository is authorized, false otherwise
+     */
+    boolean isRepositoryAuthorized(String repositoryUrl);
+
+    /**
+     * Check if a repository exists.
+     *
+     * @param repositoryUrl The URL of the repository
+     * @return true if the repository exists, false otherwise
+     */
+    boolean repositoryExists(String repositoryUrl);
+}

jgit-proxy-core/src/main/java/org/finos/gitproxy/service/UserAuthorizationService.java

@@ -0,0 +1,33 @@
+package org.finos.gitproxy.service;
+
+/**
+ * Service interface for user authorization. Implementations should determine whether a user is authorized to perform
+ * operations on repositories.
+ */
+public interface UserAuthorizationService {
+
+    /**
+     * Check if a user is authorized to push to a specific repository.
+     *
+     * @param userEmail The email address of the user
+     * @param repositoryUrl The URL of the repository
+     * @return true if the user is authorized, false otherwise
+     */
+    boolean isUserAuthorizedToPush(String userEmail, String repositoryUrl);
+
+    /**
+     * Check if a user exists in the system.
+     *
+     * @param userEmail The email address of the user
+     * @return true if the user exists, false otherwise
+     */
+    boolean userExists(String userEmail);
+
+    /**
+     * Get the username associated with an email address.
+     *
+     * @param userEmail The email address of the user
+     * @return The username, or null if not found
+     */
+    String getUsernameByEmail(String userEmail);
+}