libstore: Add the ability to use different auth methods with Http Binary Caches

src/libstore/filetransfer.cc

@@ -316,7 +316,9 @@ struct curlFileTransfer : public FileTransfer
             curl_easy_setopt(req, CURLOPT_PIPEWAIT, 1);
             #endif
             #if LIBCURL_VERSION_NUM >= 0x072f00
-            if (fileTransferSettings.enableHttp2)
+            // Our writeCallbackWrapper does not support rewinding which breaks
+            // negotiate/kerberos auth over http/2.
+            if (fileTransferSettings.enableHttp2 && request.authmethod != "negotiate")
                 curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_2TLS);
             else
                 curl_easy_setopt(req, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
@@ -353,6 +355,25 @@ struct curlFileTransfer : public FileTransfer
                 curl_easy_setopt(req, CURLOPT_SSL_VERIFYHOST, 0);
             }
 
+            if (request.authmethod == "basic") {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
+            } else if (request.authmethod == "bearer") {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_BEARER);
+                curl_easy_setopt(req, CURLOPT_XOAUTH2_BEARER, request.bearer_token.c_str());
+            } else if (request.authmethod == "digest") {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
+            } else if (request.authmethod == "negotiate") {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_NEGOTIATE);
+                curl_easy_setopt(req, CURLOPT_USERNAME, "");
+                curl_easy_setopt(req, CURLOPT_PASSWORD, "");
+            } else if (request.authmethod == "ntlm") {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_NTLM);
+            } else if (request.authmethod == "any") {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
+            } else if (request.authmethod == "anysafe") {
+                curl_easy_setopt(req, CURLOPT_HTTPAUTH, CURLAUTH_ANYSAFE);
+            }
+
             curl_easy_setopt(req, CURLOPT_CONNECTTIMEOUT, fileTransferSettings.connectTimeout.get());
 
             curl_easy_setopt(req, CURLOPT_LOW_SPEED_LIMIT, 1L);

src/libstore/filetransfer.hh

@@ -56,6 +56,8 @@ struct FileTransferRequest
     std::string expectedETag;
     bool verifyTLS = true;
     bool head = false;
+    std::string authmethod;
+    std::string bearer_token;
     size_t tries = fileTransferSettings.tries;
     unsigned int baseRetryTimeMs = 250;
     ActivityId parentAct;

src/libstore/http-binary-cache-store.cc

@@ -14,6 +14,16 @@ struct HttpBinaryCacheStoreConfig : virtual BinaryCacheStoreConfig
 
     const std::string name() override { return "HTTP Binary Cache Store"; }
 
+    const Setting<std::string> authmethod{this, "", "authmethod",
+        R"(
+          libcurl auth method to use (`basic`, `digest`, `bearer`, `negotiate`, `ntlm`, `any`, or `anysafe`).
+          Any other value will be silently ignored.
+          See https://curl.se/libcurl/c/CURLOPT_HTTPAUTH.html for more info.
+        )"};
+
+    const Setting<std::string> bearer_token{this, "", "bearer-token",
+        "Bearer token to use for authentication. Requires `authmethod` to be set to `bearer`."};
+
     std::string doc() override
     {
         return
@@ -144,11 +154,13 @@ class HttpBinaryCacheStore : public virtual HttpBinaryCacheStoreConfig, public v
 
     FileTransferRequest makeRequest(const std::string & path)
     {
-        return FileTransferRequest(
+        auto request = FileTransferRequest(
             hasPrefix(path, "https://") || hasPrefix(path, "http://") || hasPrefix(path, "file://")
             ? path
             : cacheUri + "/" + path);
-
+        request.authmethod = authmethod;
+        request.bearer_token = bearer_token;
+        return request;
     }
 
     void getFile(const std::string & path, Sink & sink) override