feat: implement authentication support

This feature is Enterprise only (requires BUSL).

Any access to the schematic requires the user to be authenticated
before access.

Moreover, any schematic stores the owner in the schematic, so each
schematic becomes private (owned by the user which created it).

Authentication is configured using a set of usernames and keys
associates with each user (API key).

Signed-off-by: Andrey Smirnov <[email protected]>

Author: smira

cmd/image-factory/cmd/options.go

@@ -10,7 +10,7 @@ import (
 )
 
 // Options configures the behavior of the image factory.
-type Options struct {
+type Options struct { //nolint:govet // keeping order for semantic clarity
 	// HTTP configuration for the image factory frontend.
 	HTTP HTTPOptions `koanf:"http"`
 
@@ -31,6 +31,11 @@ type Options struct {
 
 	// Artifacts defines names and references for various images used by the factory.
 	Artifacts ArtifactsOptions `koanf:"artifacts"`
+
+	// Authentication settings.
+	//
+	// Note: only available in the Enterprise edition.
+	Authentication AuthenticationOptions `koanf:"authentication"`
 }
 
 // AssetBuilderOptions contains settings for building assets.
@@ -342,6 +347,16 @@ type ComponentsOptions struct {
 	Talosctl string `koanf:"talosctl"`
 }
 
+// AuthenticationOptions holds authentication settings.
+type AuthenticationOptions struct { //nolint:govet // keeping order for semantic clarity
+	// Enabled enables authentication.
+	Enabled bool `koanf:"enabled"`
+	// ConfigPath is the path to the authentication configuration file.
+	//
+	// It is required if authentication is enabled.
+	ConfigPath string `koanf:"configPath"`
+}
+
 // DefaultOptions are the default options.
 var DefaultOptions = Options{
 	HTTP: HTTPOptions{

cmd/image-factory/cmd/service.go

@@ -108,8 +108,18 @@ func RunFactory(ctx context.Context, logger *zap.Logger, opts Options) error {
 		return fmt.Errorf("failed to initialize SecureBoot service: %w", err)
 	}
 
+	var authProvider enterprise.AuthProvider
+
+	if opts.Authentication.Enabled {
+		authProvider, err = enterprise.NewAuthProvider(opts.Authentication.ConfigPath)
+		if err != nil {
+			return fmt.Errorf("failed to initialize authentication provider: %w", err)
+		}
+	}
+
 	var frontendOptions frontendhttp.Options
 
+	frontendOptions.AuthProvider = authProvider
 	frontendOptions.CacheSigningKey = cacheSigningKey
 
 	frontendOptions.ExternalURL, err = url.Parse(opts.HTTP.ExternalURL)

docs/api.md

@@ -42,6 +42,9 @@ Well-known schematic IDs:
 
 * `376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba` - default schematic (without any customizations)
 
+The schematic in Enterprise edition may contain an `owner` field, which restricts access to the schematic to the specified owner only.
+This requires authentication to be enabled.
+
 ### `GET /schematics/:schematic`
 
 Retrieve a specific schematic by its ID.

docs/configuration.md

@@ -579,6 +579,26 @@ RefreshInterval specifies how often the image factory should refresh its connect
 
 ---
 
+### `authentication.enabled`
+
+- **Type:** `bool`
+- **Env:** `AUTHENTICATION_ENABLED`
+
+Enabled enables authentication.
+
+---
+
+### `authentication.configPath`
+
+- **Type:** `string`
+- **Env:** `AUTHENTICATION_CONFIGPATH`
+
+ConfigPath is the path to the authentication configuration file.
+
+It is required if authentication is enabled.
+
+---
+
 ## Default Configuration
 
 ### YAML
@@ -613,6 +633,9 @@ artifacts:
         registry: ghcr.io
         repository: schematics
     talosVersionRecheckInterval: 15m0s
+authentication:
+    configPath: ""
+    enabled: false
 build:
     maxConcurrency: 6
     minTalosVersion: 1.2.0
@@ -690,6 +713,8 @@ IF_ARTIFACTS_SCHEMATIC_NAMESPACE=siderolabs/image-factory
 IF_ARTIFACTS_SCHEMATIC_REGISTRY=ghcr.io
 IF_ARTIFACTS_SCHEMATIC_REPOSITORY=schematics
 IF_ARTIFACTS_TALOSVERSIONRECHECKINTERVAL=15m0s
+IF_AUTHENTICATION_CONFIGPATH=
+IF_AUTHENTICATION_ENABLED=false
 IF_BUILD_MAXCONCURRENCY=6
 IF_BUILD_MINTALOSVERSION=1.2.0
 IF_CACHE_CDN_ENABLED=false

enterprise/auth/auth.go

@@ -0,0 +1,40 @@
+// Copyright (c) 2025 Sidero Labs, Inc.
+//
+// Use of this software is governed by the Business Source License
+// included in the LICENSE file.
+
+//go:build enterprise
+
+// Package auth provides authentication mechanisms.
+package auth
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+// NewProvider initializes a new authentication provider.
+func NewProvider(configPath string) (*provider, error) {
+	return &provider{}, nil
+}
+
+type provider struct{}
+
+func (p *provider) Middleware(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, p httprouter.Params) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, p httprouter.Params) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, p httprouter.Params) error {
+		username, password, ok := r.BasicAuth()
+		if !ok {
+			return handler(ctx, w, r, p)
+		}
+
+		_ = password
+
+		ctx = context.WithValue(ctx, authContextKey{}, username)
+
+		return handler(ctx, w, r, p)
+	}
+}
+
+type authContextKey struct{}

internal/frontend/http/configuration.go

@@ -28,12 +28,12 @@ func (f *Frontend) handleSchematicCreate(ctx context.Context, w http.ResponseWri
 		return err
 	}
 
-	cfg, err := schematic.Unmarshal(data)
+	schmtic, err := schematic.Unmarshal(data)
 	if err != nil {
 		return err
 	}
 
-	id, err := f.schematicFactory.Put(ctx, cfg)
+	id, err := f.schematicFactory.Put(ctx, schmtic)
 	if err != nil {
 		return err
 	}

internal/frontend/http/http.go

@@ -36,6 +36,7 @@ import (
 	"github.com/siderolabs/image-factory/internal/schematic/storage"
 	"github.com/siderolabs/image-factory/internal/secureboot"
 	"github.com/siderolabs/image-factory/internal/version"
+	"github.com/siderolabs/image-factory/pkg/enterprise"
 	schematicpkg "github.com/siderolabs/image-factory/pkg/schematic"
 )
 
@@ -59,6 +60,7 @@ type Options struct {
 	CacheSigningKey                  crypto.PrivateKey
 	ExternalURL                      *url.URL
 	ExternalPXEURL                   *url.URL
+	AuthProvider                     enterprise.AuthProvider
 	InstallerInternalRepository      name.Repository
 	InstallerExternalRepository      name.Repository
 	MetricsNamespace                 string
@@ -177,6 +179,10 @@ func (f *Frontend) wrapper(h func(ctx context.Context, w http.ResponseWriter, r
 
 		w.Header().Set("Server", version.ServerString())
 
+		if f.options.AuthProvider != nil {
+			h = f.options.AuthProvider.Middleware(h)
+		}
+
 		err := h(ctx, w, r, p)
 
 		duration := time.Since(start)
@@ -198,6 +204,13 @@ func (f *Frontend) wrapper(h func(ctx context.Context, w http.ResponseWriter, r
 			status = http.StatusBadRequest
 
 			http.Error(w, err.Error(), http.StatusBadRequest)
+		case xerrors.TagIs[schematicpkg.RequiresAuthenticationTag](err):
+			level = zap.WarnLevel
+			status = http.StatusUnauthorized
+
+			w.Header().Set("WWW-Authenticate", `Basic realm="Image Factory Enterprise"`)
+
+			http.Error(w, "authentication required to access this schematic", http.StatusUnauthorized)
 		case errors.Is(err, context.Canceled):
 			status = 499
 			// client closed connection

pkg/client/client.go

@@ -11,6 +11,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"maps"
 	"net/http"
 	"net/url"
 
@@ -36,8 +37,9 @@ type OverlayInfo struct {
 
 // Client is the Image Factory HTTP API client.
 type Client struct {
-	baseURL *url.URL
-	client  http.Client
+	baseURL      *url.URL
+	extraHeaders http.Header
+	client       http.Client
 }
 
 // New creates a new Image Factory API client.
@@ -50,8 +52,9 @@ func New(baseURL string, options ...Option) (*Client, error) {
 	}
 
 	c := &Client{
-		baseURL: bURL,
-		client:  opts.Client,
+		baseURL:      bURL,
+		client:       opts.Client,
+		extraHeaders: opts.ExtraHeaders,
 	}
 
 	return c, nil
@@ -141,6 +144,8 @@ func (c *Client) do(ctx context.Context, method, uri string, requestData []byte,
 		req.Header.Add(k, v)
 	}
 
+	maps.Copy(req.Header, c.extraHeaders)
+
 	resp, err := c.client.Do(req)
 	if err != nil {
 		return err

pkg/client/options.go

@@ -4,10 +4,15 @@
 
 package client
 
-import "net/http"
+import (
+	"encoding/base64"
+	"net/http"
+)
 
 // Options defines client options.
 type Options struct {
+	// ExtraHeaders represents extra headers to be added to each request.
+	ExtraHeaders http.Header
 	// Client is the http client.
 	Client http.Client
 }
@@ -22,6 +27,19 @@ func WithClient(client http.Client) Option {
 	}
 }
 
+// WithBasicAuth adds basic authentication to each request.
+func WithBasicAuth(username, password string) Option {
+	return func(o *Options) {
+		if o.ExtraHeaders == nil {
+			o.ExtraHeaders = http.Header{}
+		}
+
+		auth := username + ":" + password
+
+		o.ExtraHeaders.Set("Authorization", "Basic "+base64.StdEncoding.EncodeToString([]byte(auth)))
+	}
+}
+
 func withDefaults(options []Option) *Options {
 	opts := &Options{}
 

pkg/enterprise/enterprise.go

@@ -0,0 +1,14 @@
+// Package enterprise provide glue to Enterprise code.
+package enterprise
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/julienschmidt/httprouter"
+)
+
+// AuthProvider defines an authentication provider.
+type AuthProvider interface {
+	Middleware(func(ctx context.Context, w http.ResponseWriter, r *http.Request, p httprouter.Params) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, p httprouter.Params) error
+}