fix: committer email policy and malformed permission deny URL (#181, #182) (#196)

## Summary

- **#182**: Permission deny messages were building the repo URL as
`https://{provider.name}{slug}`, producing malformed output like
`https://github/github.com/owner/repo`. Fixed to use `provider.getUri()`
in both the store-and-forward hook and transparent proxy filter.

- **#181**: The email domain check was validating the commit *author*
instead of the *committer*, causing false-positive rejections when a
developer rebased external contributor commits. The committer (the
corporate employee who ran the rebase) is the identity that matters for
compliance.

  Two independent policy knobs are now available:
- `commit.committer.email.*` — primary control; enforces that your staff
use their work identity. Rebased external commits pass as long as the
committer email is valid.
- `commit.author.email.*` — optional strict mode; blocks pushes
containing rebased commits from contributors outside the allowed domain.
When a violation fires, the message explains the rebase restriction and
suggests opening a PR from the original author's fork instead.

Each violation is labelled explicitly (`committer email (...)` vs
`author email (...)`) with a specific fix hint, so developers never need
to ask why their push was rejected.

## Test plan

- [ ] `./gradlew :git-proxy-java-core:test` passes (677 tests)
- [ ] Committer-only config: push with rebased external commit — author
email ignored, committer email checked
- [ ] Author+committer config: push with rebased external commit — two
labelled violations reported
- [ ] Permission deny message shows well-formed URL
(`https://github.com/owner/repo`)

Author: coopernetes

docs/CONFIGURATION.md

@@ -580,19 +580,32 @@ accepts the internal username, not an email address.
 
 ## Commit validation
 
-Per-commit checks (identity, author email, message content) apply to both store-and-forward and transparent proxy modes.
+Per-commit checks (identity, email policy, message content) apply to both store-and-forward and transparent proxy modes.
 
 ```yaml
 commit:
-  author:
+  # Committer email policy — the committer is the employee who ran git commit or git rebase.
+  # This is the primary corporate control: enforce that your staff use their work identity.
+  # Rebased commits from external contributors still pass as long as the committer email is valid.
+  committer:
     email:
       domain:
-        # Regex the email domain must match. Omit to allow all domains.
-        allow: "(corp\\.example\\.com|contractors\\.example\\.com)$"
+        # Regex the committer email domain must match. Omit to allow all domains.
+        allow: "corp\\.example\\.com$"
       local:
         # Regex blocking specific local-parts (before @). Omit to allow all.
         block: "^(noreply|no-reply|bot|nobody)$"
 
+  # Author email policy — the author is whoever originally wrote the commit.
+  # Configure this only if you want to disallow rebasing external contributors' commits.
+  # When set, any commit whose author email is outside the allowed domain is blocked —
+  # developers must open PRs from the original fork rather than rebasing upstream changes.
+  # Omit this block entirely to allow external author emails (the most common setup).
+  author:
+    email:
+      domain:
+        allow: "corp\\.example\\.com$"
+
   message:
     block:
       literals:

git-proxy-java-core/src/main/java/org/finos/gitproxy/config/CommitConfig.java

@@ -50,6 +50,10 @@ public static IdentityVerificationMode fromString(String value) {
     @Builder.Default
     private AuthorConfig author = AuthorConfig.builder().build();
 
+    /** Configuration for committer email validation. */
+    @Builder.Default
+    private CommitterConfig committer = CommitterConfig.builder().build();
+
     /** Configuration for commit message validation. */
     @Builder.Default
     private MessageConfig message = MessageConfig.builder().build();
@@ -64,6 +68,16 @@ public static class AuthorConfig {
         private EmailConfig email = EmailConfig.builder().build();
     }
 
+    /** Configuration for committer validation. */
+    @Data
+    @Builder
+    public static class CommitterConfig {
+
+        /** Configuration for email validation. */
+        @Builder.Default
+        private EmailConfig email = EmailConfig.builder().build();
+    }
+
     /** Configuration for email validation. */
     @Data
     @Builder

git-proxy-java-core/src/main/java/org/finos/gitproxy/git/CheckUserPushPermissionHook.java

@@ -119,8 +119,8 @@ public void onPreReceive(ReceivePack rp, Collection<ReceiveCommand> commands) {
                     user.getUsername(),
                     providerId,
                     repoSlug);
-            String repoRef = providerId != null && repoSlug != null
-                    ? String.format("https://%s%s", providerId, repoSlug)
+            String repoRef = provider != null && repoSlug != null
+                    ? provider.getUri().toString().replaceAll("/$", "") + repoSlug
                     : repoSlug;
             String detail = GitClientUtils.format(
                     sym(NO_ENTRY) + "  Push Blocked - Unauthorized",

git-proxy-java-core/src/main/java/org/finos/gitproxy/servlet/filter/CheckUserPushPermissionFilter.java

@@ -107,8 +107,9 @@ public void doHttpFilter(HttpServletRequest request, HttpServletResponse respons
                     user.getUsername(),
                     providerId,
                     slug);
-            String repoUrl =
-                    providerId != null && slug != null ? String.format("https://%s%s", providerId, slug) : slug;
+            String repoUrl = requestDetails.getProvider() != null && slug != null
+                    ? requestDetails.getProvider().getUri().toString().replaceAll("/$", "") + slug
+                    : slug;
             String title = sym(NO_ENTRY) + "  Push Blocked - Unauthorized";
             String message = sym(CROSS_MARK) + "  " + user.getUsername() + " is not allowed to push to:\n" + "   "
                     + sym(LINK) + "  " + repoUrl;

git-proxy-java-core/src/main/java/org/finos/gitproxy/validation/AuthorEmailCheck.java

@@ -14,8 +14,15 @@
 import org.finos.gitproxy.git.Commit;
 
 /**
- * Validates that every author email in the pushed commits passes format checks and matches the configured domain/local
- * rules.
+ * Validates committer and author emails in the pushed commits against configured domain/local rules.
+ *
+ * <p>Committer validation ({@code commit.committer.email.*}) is the primary corporate control: the committer is the
+ * employee who authored or rebased the change, and must use their work identity. Author validation
+ * ({@code commit.author.email.*}) is an optional stricter policy: when configured, it also checks the original author
+ * email, which effectively disallows rebasing commits from contributors outside the allowed domain.
+ *
+ * <p>Each policy is independent — configure one, both, or neither. Violations from each are reported separately with
+ * explicit labels so developers know exactly which identity triggered the block and what to do about it.
  */
 @RequiredArgsConstructor
 public class AuthorEmailCheck implements CommitCheck {
@@ -24,22 +31,38 @@ public class AuthorEmailCheck implements CommitCheck {
 
     @Override
     public List<Violation> check(List<Commit> commits) {
-        Set<String> emails = commits.stream().map(c -> c.getAuthor().getEmail()).collect(Collectors.toSet());
-
         List<Violation> violations = new ArrayList<>();
-        for (String email : emails) {
-            String reason = violationReason(email);
+
+        Set<String> committerEmails =
+                commits.stream().map(c -> c.getCommitter().getEmail()).collect(Collectors.toSet());
+        for (String email : committerEmails) {
+            String reason = violationReason(email, config.getCommitter().getEmail());
             if (reason != null) {
-                String detail = sym(CROSS_MARK) + "  " + email + ": " + reason + "\n"
-                        + "  \u2192 git config user.email \"you@example.com\"";
-                violations.add(new Violation(email, reason, detail));
+                String detail = sym(CROSS_MARK) + "  committer email (" + email + "): " + reason + "\n"
+                        + "  \u2192 The committer is you — the person who ran git commit or git rebase.\n"
+                        + "  \u2192 Fix: git config user.email \"you@corp.com\"";
+                violations.add(new Violation("committer:" + email, reason, detail));
             }
         }
+
+        Set<String> authorEmails =
+                commits.stream().map(c -> c.getAuthor().getEmail()).collect(Collectors.toSet());
+        for (String email : authorEmails) {
+            String reason = violationReason(email, config.getAuthor().getEmail());
+            if (reason != null) {
+                String detail = sym(CROSS_MARK) + "  author email (" + email + "): " + reason + "\n"
+                        + "  \u2192 This commit was originally authored by someone outside the allowed domain.\n"
+                        + "  \u2192 Rebasing external commits onto this branch is not permitted by policy.\n"
+                        + "  \u2192 Alternative: open a PR from the original author's fork instead of rebasing.";
+                violations.add(new Violation("author:" + email, reason, detail));
+            }
+        }
+
         return violations;
     }
 
-    /** Returns the reason the email is rejected, or {@code null} if it is allowed. */
-    private String violationReason(String email) {
+    /** Returns the reason the email is rejected under the given email config, or {@code null} if it is allowed. */
+    private String violationReason(String email, CommitConfig.EmailConfig emailConfig) {
         if (email == null || email.isEmpty()) {
             return "empty email";
         }
@@ -54,12 +77,12 @@ private String violationReason(String email) {
         String local = parts[0];
         String domain = parts[1];
 
-        Pattern localBlock = config.getAuthor().getEmail().getLocal().getBlock();
+        Pattern localBlock = emailConfig.getLocal().getBlock();
         if (localBlock != null && localBlock.matcher(local).find()) {
             return "blocked local part (" + local + ")";
         }
 
-        Pattern domainAllow = config.getAuthor().getEmail().getDomain().getAllow();
+        Pattern domainAllow = emailConfig.getDomain().getAllow();
         if (domainAllow != null && !domainAllow.matcher(domain).find()) {
             return "domain not allowed (" + domain + ")";
         }

git-proxy-java-core/src/test/java/org/finos/gitproxy/git/AuthorEmailValidationHookTest.java

@@ -58,7 +58,7 @@ private ObjectId createCommit(Git git, String message, String name, String email
 
     private CommitConfig allowExampleCom() {
         return CommitConfig.builder()
-                .author(CommitConfig.AuthorConfig.builder()
+                .committer(CommitConfig.CommitterConfig.builder()
                         .email(CommitConfig.EmailConfig.builder()
                                 .domain(CommitConfig.DomainConfig.builder()
                                         .allow(Pattern.compile("example\\.com$"))

git-proxy-java-core/src/test/java/org/finos/gitproxy/servlet/filter/CheckAuthorEmailsFilterTest.java

@@ -95,7 +95,7 @@ private HttpServletRequest mockPushRequest(GitRequestDetails details) throws IOE
 
     private CommitConfig testConfig() {
         return CommitConfig.builder()
-                .author(CommitConfig.AuthorConfig.builder()
+                .committer(CommitConfig.CommitterConfig.builder()
                         .email(CommitConfig.EmailConfig.builder()
                                 .domain(CommitConfig.DomainConfig.builder()
                                         .allow(Pattern.compile("(example\\.com|company\\.org)$"))

git-proxy-java-core/src/test/java/org/finos/gitproxy/servlet/filter/FilterChainIntegrationTest.java

@@ -100,7 +100,7 @@ private HttpServletRequest mockPushRequest(GitRequestDetails details) throws IOE
 
     private CommitConfig emailAndMessageConfig() {
         return CommitConfig.builder()
-                .author(CommitConfig.AuthorConfig.builder()
+                .committer(CommitConfig.CommitterConfig.builder()
                         .email(CommitConfig.EmailConfig.builder()
                                 .domain(CommitConfig.DomainConfig.builder()
                                         .allow(Pattern.compile("(example\\.com|company\\.org)$"))