(feat) add ability to allow anonymous usage mode based on "auth.public" site config and "allow-anonymous-usage" license tag

[erzhtor]

Closes https://github.com/sourcegraph/sourcegraph/issues/52439.

Test plan

• sg start dotcom and generate license with allow-anonymous-usage tag
• Restart in enterprise mode sg start enterprise and set newly created license
• Set auth.public=true in site config
• Check that instance allows searching and browsing public repositories

Demo

Screen.Recording.2023-05-25.at.15.18.24.mov

[erzhtor]

FYI: this is a new special license tag that is required to allow auth.public site config to take effect.

[sourcegraph-bot]

Codenotify: Notifying subscribers in CODENOTIFY files for diff 35c3b8f...89fa487.

Notify	File(s)
@unknwon	enterprise/cmd/frontend/internal/auth/BUILD.bazel enterprise/cmd/frontend/internal/auth/confauth/BUILD.bazel enterprise/cmd/frontend/internal/auth/confauth/middleware.go enterprise/cmd/frontend/internal/auth/confauth/middleware_test.go enterprise/cmd/frontend/internal/auth/init.go enterprise/internal/licensing/tags.go

[erzhtor]

FYI: I had to create an extra middleware that is passed from enterprise code, which will set certain context values. This is used because currently the code which controls access in regular oss code, whereas licensing is located in enterprise. So enterprise talks to main access control logic via context.

Perhaps, not the nicest code, but this is the only easy way if we want to guard this new feature based on license tags. Other proper ways will require way more refactoring, which I don't think worth it.

[erzhtor]

@kopancek, I found a better approach using existing auth.RegisterMiddelwares instead of drilling down new extra middleware argument 🙌 . Also, added unite tests. I would appreciate it if you could re-take a look.

[kopancek]

The approach looks good to me, would add some tests for the changed logic, especially the AllowAnonymousRequest and the new middleware.

[kopancek]

Should we combine this with the other clauses? Also it seems like checkAllowAnonymousRequest is already doing the conf.AuthPublic check... E.g. something like:

Suggested change

	if checkAllowAnonymousRequest(req) {
	return true
	}
	return checkAllowAnonymousRequest(req) || strings.HasPrefix(req.URL.Path, "/.assets/") || defaultCode

[erzhtor]

Personally, I like to keep clauses separate for simplicity purposes, as combining them will make reading it harder. Besides all the rest of the existing clauses follow the same convention of being separate.

[github-actions]

The backport to 5.0 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-5.0 5.0
# Navigate to the new working tree
cd .worktrees/backport-5.0
# Create a new branch
git switch --create backport-52440-to-5.0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d8a8e5bedb08073227ac01589c3eafa4268ec590
# Push it to GitHub
git push --set-upstream origin backport-52440-to-5.0
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-5.0

Then, create a pull request where the base branch is 5.0 and the compare/head branch is backport-52440-to-5.0.