feat(sparql-proxy): reader credential + configurable read auth

Split the Caddyfile's single basic_auth block into two role-based
blocks so deployments can issue a read-only credential separately
from the admin/write credential.

- Writes (POST/PUT/DELETE/PATCH on /update and /store) always require
  Basic Auth, accepting only credentials from `users/admin/*`. This
  was the previous behavior, now isolated to its own block.
- Reads can optionally be gated. The new `@reads_protected` matcher
  reads its path list from the `SPARQL_READ_AUTH_PATHS` env var on
  the sparql-proxy container. The default (`__off__`) is a sentinel
  that matches no real request, so reads stay public until an
  operator opts in by setting e.g.
  `SPARQL_READ_AUTH_PATHS=/query /query/*` in `.env`. When the matcher
  fires, it accepts credentials from EITHER `users/admin/*` or the
  new `users/reader/*` — admin keeps full access, reader can issue
  read-only access to clients.

Env / config plumbing:
- compose: sparql-proxy gets an `environment:` block that forwards
  `SPARQL_READ_AUTH_PATHS` (default `__off__`) into the container.
- `infra/.env.example`: documents the optional new vars
  `SPARQL_READER_AUTH=reader/<password>` and
  `SPARQL_READ_AUTH_PATHS=/query /query/*`.
- `scripts/fix-data-perms.sh`: now writes `users/admin/sparql_users.caddy`
  from `SPARQL_AUTH` and (if set) `users/reader/sparql_reader.caddy`
  from `SPARQL_READER_AUTH`. Migrates the legacy single-file layout
  (`users/sparql_users.caddy`) into `users/admin/` automatically.

Backward-compat:
- Deployments that don't set `SPARQL_READER_AUTH` or
  `SPARQL_READ_AUTH_PATHS` behave identically to before — anonymous
  reads, admin-only writes.
- The legacy users-file path migrates in place when `fix-data-perms.sh`
  runs (which the deploy procedure now invokes as standard).

Author: caviri

infra/.env.example

@@ -121,6 +121,13 @@ SPARQL_PROXY_PORT=7878
 # infra/services/sparql-proxy/users (bcrypt hashes).
 SPARQL_AUTH=openpulse/replace-me
 
+# Optional reader credential for SPARQL queries. Setting this alone does
+# NOT gate reads — you also need to set SPARQL_READ_AUTH_PATHS below to
+# the read paths you want to protect (e.g. `/query /query/*`). Admin
+# credentials (SPARQL_AUTH) always continue to work on those paths too.
+# SPARQL_READER_AUTH=reader/replace-me
+# SPARQL_READ_AUTH_PATHS=/query /query/*
+
 
 # ── Portainer (--profile orchestration) ───────────────────────────────────
 # 7508 is reserved by the GrimoireLab nginx reverse-proxy (Kibiter UI). Use

infra/open-pulse-stack/docker-compose.yml

@@ -281,6 +281,13 @@ services:
         condition: service_started
     ports:
       - "${SPARQL_PROXY_PORT:-7878}:7878"
+    environment:
+      # Paths to protect with the reader/admin Basic Auth block in the
+      # Caddyfile. Default `__off__` is a sentinel that matches no real
+      # request, so reads pass through anonymously. Set to e.g.
+      # `/query /query/*` in your .env to require auth on reads (admin
+      # OR reader credentials accepted).
+      SPARQL_READ_AUTH_PATHS: "${SPARQL_READ_AUTH_PATHS:-__off__}"
     volumes:
       - ../services/sparql-proxy/Caddyfile:/etc/caddy/Caddyfile:ro
       - ../services/sparql-proxy/users:/etc/caddy/users:ro

infra/services/sparql-proxy/Caddyfile

@@ -1,14 +1,17 @@
 # Caddyfile for the SPARQL reverse proxy.
 #
-# Public read on /query and /. Authenticated writes on /update and /store
-# (the SPARQL Update + Graph Store HTTP Protocol endpoints).
+# Always-protected writes on /update and /store (admin credential).
+# Reads (`/query` and `/`) are public BY DEFAULT but can be gated behind a
+# second credential — see SPARQL_READ_AUTH_PATHS below.
 #
-# Users come from /etc/caddy/users (mounted from infra/services/sparql-proxy/users
-# in the host). One user per line: `user <bcrypt-hash>`.
+# Users come from /etc/caddy/users/{admin,reader}/* (mounted from
+# infra/services/sparql-proxy/users in the host). One user per line:
+# `user <bcrypt-hash>`. The hashes are generated by
+# scripts/fix-data-perms.sh from SPARQL_AUTH and SPARQL_READER_AUTH.
 #
-# The admin API is enabled on the default localhost:2019 inside the container only
-# (not exposed to the host). This is what powers `caddy reload` for hot-reloading
-# users without restarting the container.
+# The admin API is enabled on the default localhost:2019 inside the
+# container only (not exposed to the host). That's what powers
+# `caddy reload` for hot-reloading users without restarting the container.
 
 {
 	auto_https off
@@ -28,19 +31,39 @@
 	}
 
 	# ── SPARQL reverse-proxy ──────────────────────────────────────────
-	# Match every request that mutates the store.
+
+	# Optional read auth.
+	#
+	# When SPARQL_READ_AUTH_PATHS is unset, Caddy substitutes the sentinel
+	# `__off__`, which matches no real request → reads pass through.
+	#
+	# Set SPARQL_READ_AUTH_PATHS (in the sparql-proxy service env) to one or
+	# more paths to gate reads behind auth. Example:
+	#
+	#     SPARQL_READ_AUTH_PATHS=/query /query/*
+	#
+	# Both `users/admin/*` and `users/reader/*` are imported here, so admin
+	# credentials are accepted on reads (in addition to writes), while a
+	# dedicated reader credential can be issued for read-only access.
+	@reads_protected {
+		path {$SPARQL_READ_AUTH_PATHS:__off__}
+	}
+	basic_auth @reads_protected {
+		import /etc/caddy/users/admin/*
+		import /etc/caddy/users/reader/*
+	}
+
+	# Always-protected write paths. Admin credential only.
 	@writes {
 		method POST PUT DELETE PATCH
 		path /update /update/* /store /store/*
 	}
-
-	# Require Basic Auth on writes only. Reads pass through.
 	basic_auth @writes {
-		import /etc/caddy/users/*
+		import /etc/caddy/users/admin/*
 	}
 
-	# Everything (matched or not) is forwarded to Oxigraph. The matcher above
-	# determines whether basic_auth runs first.
+	# Everything (matched or not) is forwarded to Oxigraph. The matchers
+	# above determine whether basic_auth runs first.
 	reverse_proxy oxigraph:7878 {
 		header_up Host {host}
 	}

scripts/fix-data-perms.sh

@@ -127,53 +127,94 @@ restart_if_running() {
 # Phase 1 — sparql-proxy missing users file
 ###############################################################################
 
+# Generate one Caddyfile basic_auth users file from a `user/password` env value.
+# Writes <users_dir>/<file>; chmod 0644. No-op on dry-run.
+_write_caddy_user_file() {
+  local sp_value="$1" users_dir="$2" filename="$3" role="$4"
+  if [[ -z "$sp_value" || "$sp_value" != */* ]]; then
+    printf '  %s %s: no value (or malformed) — skipping\n' "$(yellow '[skip]')" "$role"
+    return
+  fi
+  local user pass
+  user=${sp_value%%/*}
+  pass=${sp_value#*/}
+  if [[ -z "$user" || -z "$pass" ]]; then
+    printf '  %s %s: empty user or password — skipping\n' "$(yellow '[skip]')" "$role"
+    return
+  fi
+  mkdir -p "$users_dir"
+  local out="$users_dir/$filename"
+  if [[ "$DRY_RUN" -eq 1 ]]; then
+    printf '  %s would write %s (user %s)\n' "$(yellow '[dry-run]')" "$out" "$user"
+    return
+  fi
+  local hash
+  hash=$(docker run --rm caddy:2-alpine caddy hash-password --plaintext "$pass" 2>/dev/null)
+  if [[ -z "$hash" ]]; then
+    printf '  %s %s: caddy hash-password failed\n' "$(red '[fail]')" "$role"
+    return
+  fi
+  printf '%s %s\n' "$user" "$hash" > "$out"
+  chmod 0644 "$out"
+  printf '  %s wrote %s for user %s\n' "$(green '[ok]')" "$out" "$user"
+}
+
 fix_sparql_users() {
-  log "sparql-proxy: ensure Caddy basic_auth users file"
+  log "sparql-proxy: ensure Caddy basic_auth users files (admin + optional reader)"
   local sp_dir="$INFRA/services/sparql-proxy"
   local users_dir="$sp_dir/users"
+  local admin_dir="$users_dir/admin"
+  local reader_dir="$users_dir/reader"
   local caddy="$sp_dir/Caddyfile"
-  local users_file="$users_dir/sparql_users.caddy"
   local env_file="$INFRA/env/.env"
 
-  mkdir -p "$users_dir"
-  if compgen -G "$users_dir/*" >/dev/null; then
-    printf '  %s users file already present in %s\n' "$(green '[ok]')" "$users_dir"
-  else
-    if [[ ! -f "$env_file" ]]; then
-      printf '  %s no %s; skipping users file generation\n' "$(yellow '[skip]')" "$env_file"
-      return
+  mkdir -p "$admin_dir" "$reader_dir"
+
+  # Migrate legacy single-file layout if present.
+  local legacy="$users_dir/sparql_users.caddy"
+  if [[ -f "$legacy" && ! -f "$admin_dir/sparql_users.caddy" ]]; then
+    if [[ "$DRY_RUN" -eq 1 ]]; then
+      printf '  %s would migrate %s -> %s\n' "$(yellow '[dry-run]')" "$legacy" "$admin_dir/sparql_users.caddy"
+    else
+      mv "$legacy" "$admin_dir/sparql_users.caddy"
+      printf '  %s migrated legacy users file to %s\n' "$(green '[ok]')" "$admin_dir/sparql_users.caddy"
     fi
-    local sparql_auth user pass
+  fi
+
+  if [[ ! -f "$env_file" ]]; then
+    printf '  %s no %s; skipping users file generation\n' "$(yellow '[skip]')" "$env_file"
+  else
+    # Admin (writes, plus reads if SPARQL_READ_AUTH_PATHS is set).
+    local sparql_auth
     sparql_auth=$(grep -E '^SPARQL_AUTH=' "$env_file" | head -1 | sed 's/^SPARQL_AUTH=//')
-    user=${sparql_auth%%/*}
-    pass=${sparql_auth#*/}
-    if [[ -z "$user" || -z "$pass" || "$user" == "$pass" ]]; then
-      printf '  %s SPARQL_AUTH missing or malformed in %s\n' "$(red '[fail]')" "$env_file"
-      return
-    fi
-    if [[ "$DRY_RUN" -eq 1 ]]; then
-      printf '  %s would generate %s for user %s\n' "$(yellow '[dry-run]')" "$users_file" "$user"
-      return
+    if compgen -G "$admin_dir/*" >/dev/null && [[ "$DRY_RUN" -ne 1 ]]; then
+      printf '  %s admin users file already present in %s\n' "$(green '[ok]')" "$admin_dir"
+    else
+      _write_caddy_user_file "$sparql_auth" "$admin_dir" "sparql_users.caddy" "admin"
     fi
-    local hash
-    hash=$(docker run --rm caddy:2-alpine caddy hash-password --plaintext "$pass" 2>/dev/null)
-    if [[ -z "$hash" ]]; then
-      printf '  %s caddy hash-password failed\n' "$(red '[fail]')"
-      return
+
+    # Reader (optional). Generated only if SPARQL_READER_AUTH is set.
+    local reader_auth
+    reader_auth=$(grep -E '^SPARQL_READER_AUTH=' "$env_file" | head -1 | sed 's/^SPARQL_READER_AUTH=//')
+    if [[ -n "$reader_auth" ]]; then
+      if compgen -G "$reader_dir/*" >/dev/null && [[ "$DRY_RUN" -ne 1 ]]; then
+        printf '  %s reader users file already present in %s\n' "$(green '[ok]')" "$reader_dir"
+      else
+        _write_caddy_user_file "$reader_auth" "$reader_dir" "sparql_reader.caddy" "reader"
+      fi
+    else
+      printf '  %s SPARQL_READER_AUTH not set — read gate stays off\n' "$(gray '[note]')"
     fi
-    printf '%s %s\n' "$user" "$hash" > "$users_file"
-    chmod 0644 "$users_file"
-    printf '  %s wrote %s\n' "$(green '[ok]')" "$users_file"
   fi
 
-  # Fix Caddyfile if it still imports the directory directly.
+  # Legacy Caddyfile glob fix (idempotent — no-op once already patched).
   if grep -qE '^[[:space:]]*import /etc/caddy/users[[:space:]]*$' "$caddy"; then
     if [[ "$DRY_RUN" -eq 1 ]]; then
-      printf '  %s would change "import /etc/caddy/users" -> "import /etc/caddy/users/*"\n' "$(yellow '[dry-run]')"
+      printf '  %s would change "import /etc/caddy/users" -> "import /etc/caddy/users/admin/*"\n' "$(yellow '[dry-run]')"
     else
       cp -a "$caddy" "${caddy}.bak.$(date +%Y%m%d-%H%M%S)"
-      sed -i -E 's|^([[:space:]]*)import /etc/caddy/users[[:space:]]*$|\1import /etc/caddy/users/*|' "$caddy"
-      printf '  %s patched Caddyfile import to glob\n' "$(green '[ok]')"
+      sed -i -E 's|^([[:space:]]*)import /etc/caddy/users[[:space:]]*$|\1import /etc/caddy/users/admin/*|' "$caddy"
+      printf '  %s patched Caddyfile legacy import\n' "$(green '[ok]')"
     fi
   fi