Initial commit: GitLab repository delivery middleware

HTTP service that fetches GitLab repository archives for configured
customers, merges them into a single tarball, and returns an encrypted
payload. Includes Nix flake for reproducible builds.

src/archive.go

@@ -0,0 +1,102 @@
+package main
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"path"
+	"sort"
+	"strings"
+)
+
+func MergeArchives(archives map[string][]byte) ([]byte, error) {
+	var buf bytes.Buffer
+	gw := gzip.NewWriter(&buf)
+	tw := tar.NewWriter(gw)
+
+	// Sort repo paths for deterministic output
+	repoPaths := make([]string, 0, len(archives))
+	for rp := range archives {
+		repoPaths = append(repoPaths, rp)
+	}
+	sort.Strings(repoPaths)
+
+	for _, repoPath := range repoPaths {
+		data := archives[repoPath]
+		prefix := path.Base(repoPath)
+
+		if err := mergeOne(tw, data, prefix); err != nil {
+			return nil, fmt.Errorf("merging %s: %w", repoPath, err)
+		}
+	}
+
+	if err := tw.Close(); err != nil {
+		return nil, fmt.Errorf("closing tar writer: %w", err)
+	}
+	if err := gw.Close(); err != nil {
+		return nil, fmt.Errorf("closing gzip writer: %w", err)
+	}
+
+	return buf.Bytes(), nil
+}
+
+func mergeOne(tw *tar.Writer, tgzData []byte, newPrefix string) error {
+	gr, err := gzip.NewReader(bytes.NewReader(tgzData))
+	if err != nil {
+		return fmt.Errorf("decompressing: %w", err)
+	}
+	defer gr.Close()
+
+	tr := tar.NewReader(gr)
+	gitlabPrefix := ""
+
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("reading tar entry: %w", err)
+		}
+
+		// Detect and strip the GitLab prefix directory from the first entry
+		if gitlabPrefix == "" {
+			// GitLab archives have a top-level dir like "repo-main-abc123/"
+			parts := strings.SplitN(hdr.Name, "/", 2)
+			if len(parts) > 0 {
+				gitlabPrefix = parts[0] + "/"
+			}
+		}
+
+		// Strip GitLab prefix and replace with our clean prefix
+		name := hdr.Name
+		if strings.HasPrefix(name, gitlabPrefix) {
+			name = strings.TrimPrefix(name, gitlabPrefix)
+		}
+		if name == "" {
+			// This is the top-level directory itself; replace it
+			name = ""
+		}
+		hdr.Name = newPrefix + "/" + name
+
+		// Clean up tar header for reproducibility
+		hdr.Uid = 0
+		hdr.Gid = 0
+		hdr.Uname = ""
+		hdr.Gname = ""
+
+		if err := tw.WriteHeader(hdr); err != nil {
+			return fmt.Errorf("writing tar header for %s: %w", hdr.Name, err)
+		}
+
+		if hdr.Typeflag == tar.TypeReg {
+			if _, err := io.Copy(tw, tr); err != nil {
+				return fmt.Errorf("writing tar content for %s: %w", hdr.Name, err)
+			}
+		}
+	}
+
+	return nil
+}

src/config.go

@@ -0,0 +1,95 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"os"
+
+	"github.com/BurntSushi/toml"
+)
+
+type rawConfig struct {
+	Schema string `toml:"schema"`
+	Config struct {
+		GitLabURL    string `toml:"gitlab_url"`
+		GitLabAPIKey string `toml:"gitlab_api_key"`
+	} `toml:"config"`
+	Customers map[string]rawCustomer `toml:"customers"`
+}
+
+type rawCustomer struct {
+	Key   string   `toml:"key"`
+	Repos []string `toml:"repos"`
+}
+
+type ResolvedConfig struct {
+	GitLabURL    string
+	GitLabAPIKey string
+	Customers    map[string]ResolvedCustomer
+}
+
+type ResolvedCustomer struct {
+	Key   []byte
+	Repos []string
+}
+
+func LoadConfig(path string) (*ResolvedConfig, error) {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("reading config: %w", err)
+	}
+
+	expanded := os.Expand(string(data), os.Getenv)
+
+	var raw rawConfig
+	if err := toml.Unmarshal([]byte(expanded), &raw); err != nil {
+		return nil, fmt.Errorf("parsing config: %w", err)
+	}
+
+	if err := validateRawConfig(&raw); err != nil {
+		return nil, err
+	}
+
+	resolved := &ResolvedConfig{
+		GitLabURL:    raw.Config.GitLabURL,
+		GitLabAPIKey: raw.Config.GitLabAPIKey,
+		Customers:    make(map[string]ResolvedCustomer, len(raw.Customers)),
+	}
+
+	for name, cust := range raw.Customers {
+		key, err := hex.DecodeString(cust.Key)
+		if err != nil {
+			return nil, fmt.Errorf("customer %q: invalid hex key: %w", name, err)
+		}
+		resolved.Customers[name] = ResolvedCustomer{
+			Key:   key,
+			Repos: cust.Repos,
+		}
+	}
+
+	return resolved, nil
+}
+
+func validateRawConfig(raw *rawConfig) error {
+	if raw.Schema != "v1" {
+		return fmt.Errorf("unsupported schema: %q (expected \"v1\")", raw.Schema)
+	}
+	if raw.Config.GitLabURL == "" {
+		return fmt.Errorf("config.gitlab_url is required")
+	}
+	if raw.Config.GitLabAPIKey == "" {
+		return fmt.Errorf("config.gitlab_api_key is required")
+	}
+	if len(raw.Customers) == 0 {
+		return fmt.Errorf("at least one customer is required")
+	}
+	for name, cust := range raw.Customers {
+		if len(cust.Key) != 64 {
+			return fmt.Errorf("customer %q: key must be 64 hex characters (got %d)", name, len(cust.Key))
+		}
+		if len(cust.Repos) == 0 {
+			return fmt.Errorf("customer %q: repos list must not be empty", name)
+		}
+	}
+	return nil
+}

src/crypto.go

@@ -0,0 +1,30 @@
+package main
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"fmt"
+	"io"
+)
+
+func Encrypt(key, plaintext []byte) ([]byte, error) {
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, fmt.Errorf("creating cipher: %w", err)
+	}
+
+	aesGCM, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, fmt.Errorf("creating GCM: %w", err)
+	}
+
+	nonce := make([]byte, aesGCM.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, fmt.Errorf("generating nonce: %w", err)
+	}
+
+	// Seal appends ciphertext+tag to nonce, giving: nonce || ciphertext || tag
+	ciphertext := aesGCM.Seal(nonce, nonce, plaintext, nil)
+	return ciphertext, nil
+}

src/gitlab.go

@@ -0,0 +1,80 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"sync"
+)
+
+func FetchArchive(ctx context.Context, client *http.Client, gitlabURL, apiKey, repoPath string) ([]byte, error) {
+	escaped := url.PathEscape(repoPath)
+	archiveURL := fmt.Sprintf("https://%s/api/v4/projects/%s/repository/archive.tar.gz", gitlabURL, escaped)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, archiveURL, nil)
+	if err != nil {
+		return nil, fmt.Errorf("creating request for %s: %w", repoPath, err)
+	}
+	req.Header.Set("PRIVATE-TOKEN", apiKey)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("fetching %s: %w", repoPath, err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("fetching %s: HTTP %d", repoPath, resp.StatusCode)
+	}
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("reading response for %s: %w", repoPath, err)
+	}
+
+	return data, nil
+}
+
+type archiveResult struct {
+	repoPath string
+	data     []byte
+	err      error
+}
+
+func FetchAllArchives(ctx context.Context, client *http.Client, gitlabURL, apiKey string, repos []string) (map[string][]byte, error) {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	results := make(chan archiveResult, len(repos))
+	var wg sync.WaitGroup
+
+	for _, repo := range repos {
+		wg.Add(1)
+		go func(repoPath string) {
+			defer wg.Done()
+			data, err := FetchArchive(ctx, client, gitlabURL, apiKey, repoPath)
+			results <- archiveResult{repoPath: repoPath, data: data, err: err}
+		}(repo)
+	}
+
+	go func() {
+		wg.Wait()
+		close(results)
+	}()
+
+	archives := make(map[string][]byte, len(repos))
+	for res := range results {
+		if res.err != nil {
+			cancel()
+			// Drain remaining results
+			for range results {
+			}
+			return nil, res.err
+		}
+		archives[res.repoPath] = res.data
+	}
+
+	return archives, nil
+}

src/go.mod

@@ -0,0 +1,5 @@
+module repo-delivery-middleware
+
+go 1.23
+
+require github.com/BurntSushi/toml v1.5.0

src/go.sum

@@ -0,0 +1,2 @@
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=

src/handler.go

@@ -0,0 +1,55 @@
+package main
+
+import (
+	"log"
+	"net/http"
+)
+
+type PayloadHandler struct {
+	Config *ResolvedConfig
+	Client *http.Client
+}
+
+func (h *PayloadHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	customerName := r.Header.Get("X-API-Key")
+	if customerName == "" {
+		http.Error(w, "missing X-API-Key header", http.StatusUnauthorized)
+		return
+	}
+
+	customer, ok := h.Config.Customers[customerName]
+	if !ok {
+		http.Error(w, "unknown customer", http.StatusUnauthorized)
+		return
+	}
+
+	archives, err := FetchAllArchives(r.Context(), h.Client, h.Config.GitLabURL, h.Config.GitLabAPIKey, customer.Repos)
+	if err != nil {
+		log.Printf("fetch error for customer %q: %v", customerName, err)
+		http.Error(w, "failed to fetch repositories", http.StatusBadGateway)
+		return
+	}
+
+	merged, err := MergeArchives(archives)
+	if err != nil {
+		log.Printf("merge error for customer %q: %v", customerName, err)
+		http.Error(w, "failed to build payload", http.StatusInternalServerError)
+		return
+	}
+
+	encrypted, err := Encrypt(customer.Key, merged)
+	if err != nil {
+		log.Printf("encryption error for customer %q: %v", customerName, err)
+		http.Error(w, "encryption failed", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/octet-stream")
+	w.Header().Set("Content-Disposition", `attachment; filename="payload.bin"`)
+	w.Write(encrypted)
+}

src/main.go

@@ -0,0 +1,69 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"syscall"
+	"time"
+)
+
+func main() {
+	configPath := flag.String("config", "", "path to config file (or set CONFIG_PATH)")
+	listen := flag.String("listen", ":8080", "listen address")
+	flag.Parse()
+
+	if *configPath == "" {
+		*configPath = os.Getenv("CONFIG_PATH")
+	}
+	if *configPath == "" {
+		log.Fatalf("config path required: use --config or set CONFIG_PATH")
+	}
+
+	cfg, err := LoadConfig(*configPath)
+	if err != nil {
+		log.Fatalf("loading config: %v", err)
+	}
+
+	log.Printf("loaded %d customer(s)", len(cfg.Customers))
+
+	client := &http.Client{
+		Timeout: 5 * time.Minute,
+	}
+
+	mux := http.NewServeMux()
+	mux.Handle("/getPayload", &PayloadHandler{
+		Config: cfg,
+		Client: client,
+	})
+
+	srv := &http.Server{
+		Addr:    *listen,
+		Handler: mux,
+	}
+
+	// Graceful shutdown
+	done := make(chan os.Signal, 1)
+	signal.Notify(done, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		log.Printf("listening on %s", *listen)
+		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			log.Fatalf("server error: %v", err)
+		}
+	}()
+
+	<-done
+	log.Println("shutting down...")
+
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	if err := srv.Shutdown(ctx); err != nil {
+		log.Fatalf("shutdown error: %v", err)
+	}
+	log.Println("stopped")
+}