Implement Basic Auth ZTA

lib/livebook/config.ex

@@ -10,6 +10,14 @@ defmodule Livebook.Config do
   #
   # IMPORTANT: this list must be in sync with Livebook Teams.
   @identity_providers [
+    %{
+      type: :basic_auth,
+      name: "Basic Auth",
+      value: "Credentials (username:password)",
+      module: Livebook.ZTA.BasicAuth,
+      placeholder: "username:password",
+      input: "password"
+    },
     %{
       type: :cloudflare,
       name: "Cloudflare",

lib/livebook/teams/deployment_group.ex

@@ -6,7 +6,7 @@ defmodule Livebook.Teams.DeploymentGroup do
   alias Livebook.Teams.AgentKey
 
   # If this list is updated, it must also be mirrored on Livebook Teams Server.
-  @zta_providers ~w(cloudflare google_iap tailscale teleport)a
+  @zta_providers ~w(basic_auth cloudflare google_iap tailscale teleport)a
 
   @type t :: %__MODULE__{
           id: String.t() | nil,

lib/livebook/zta/basic_auth.ex

@@ -0,0 +1,29 @@
+defmodule Livebook.ZTA.BasicAuth do
+  def child_spec(opts) do
+    %{id: __MODULE__, start: {__MODULE__, :start_link, [opts]}}
+  end
+
+  def start_link(options) do
+    name = Keyword.fetch!(options, :name)
+    identity_key = Keyword.fetch!(options, :identity_key)
+
+    Livebook.ZTA.put(name, identity_key)
+    :ignore
+  end
+
+  def authenticate(name, conn, _options) do
+    user_credentials = Plug.BasicAuth.parse_basic_auth(conn)
+    app_credentials = Livebook.ZTA.get(name)
+
+    {conn, authenticate_user(user_credentials, app_credentials)}
+  end
+
+  defp authenticate_user({username, password}, {app_username, app_password}) do
+    if Plug.Crypto.secure_compare(username, app_username) and
+         Plug.Crypto.secure_compare(password, app_password) do
+      %{payload: %{}}
+    end
+  end
+
+  defp authenticate_user(_, _), do: nil
+end

lib/livebook_web/components/app_components.ex

@@ -134,6 +134,7 @@ defmodule LivebookWeb.AppComponents do
           <.text_field
             :if={zta_metadata = zta_metadata(@form[:zta_provider].value)}
             field={@form[:zta_key]}
+            type={Map.get(zta_metadata, :input, "text")}
             label={zta_metadata.value}
             placeholder={zta_placeholder(zta_metadata)}
             phx-debounce

test/livebook/zta/basic_auth_test.exs

@@ -0,0 +1,42 @@
+defmodule Livebook.ZTA.BasicAuthTest do
+  use ExUnit.Case, async: true
+  use Plug.Test
+
+  alias Livebook.ZTA.BasicAuth
+
+  import Plug.BasicAuth, only: [encode_basic_auth: 2]
+
+  @name Context.Test.BasicAuth
+
+  setup do
+    username = "ChonkierCat"
+    password = Livebook.Utils.random_long_id()
+    options = [name: @name, identity_key: {username, password}]
+
+    {:ok, username: username, password: password, options: options, conn: conn(:get, "/")}
+  end
+
+  test "returns the user_identity when credentials are valid", context do
+    authorization = encode_basic_auth(context.username, context.password)
+    conn = put_req_header(context.conn, "authorization", authorization)
+    start_supervised!({BasicAuth, context.options})
+
+    assert {_conn, %{payload: %{}}} = BasicAuth.authenticate(@name, conn, [])
+  end
+
+  test "returns nil when the username is invalid", context do
+    authorization = encode_basic_auth("foo", context.password)
+    conn = put_req_header(context.conn, "authorization", authorization)
+    start_supervised!({BasicAuth, context.options})
+
+    assert {_conn, nil} = BasicAuth.authenticate(@name, conn, [])
+  end
+
+  test "returns nil when the password is invalid", context do
+    authorization = encode_basic_auth(context.username, Livebook.Utils.random_long_id())
+    conn = put_req_header(context.conn, "authorization", authorization)
+    start_supervised!({BasicAuth, context.options})
+
+    assert {_conn, nil} = BasicAuth.authenticate(@name, conn, [])
+  end
+end