Fix security issues with cache by proxying access (#503)

This is the forgejo-runner-side patch for a partial overhaul of the cache system to fix some access control issues with caches.

This code depends on changes in act which are being reviewed here: forgejo/act#107

Co-authored-by: Michael Kriese <michael.kriese@visualon.de>
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/502
Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/503
Reviewed-by: Gusted <gusted@noreply.code.forgejo.org>
Co-authored-by: Kwonunn <kwonunnx@gmail.com>
Co-committed-by: Kwonunn <kwonunnx@gmail.com>

internal/app/cmd/cache-server.go

@@ -17,9 +17,10 @@ import (
 )
 
 type cacheServerArgs struct {
-	Dir  string
-	Host string
-	Port uint16
+	Dir    string
+	Host   string
+	Port   uint16
+	Secret string
 }
 
 func runCacheServer(ctx context.Context, configFile *string, cacheArgs *cacheServerArgs) func(cmd *cobra.Command, args []string) error {
@@ -32,9 +33,10 @@ func runCacheServer(ctx context.Context, configFile *string, cacheArgs *cacheSer
 		initLogging(cfg)
 
 		var (
-			dir  = cfg.Cache.Dir
-			host = cfg.Cache.Host
-			port = cfg.Cache.Port
+			dir    = cfg.Cache.Dir
+			host   = cfg.Cache.Host
+			port   = cfg.Cache.Port
+			secret = cfg.Cache.Secret
 		)
 
 		// cacheArgs has higher priority
@@ -47,11 +49,21 @@ func runCacheServer(ctx context.Context, configFile *string, cacheArgs *cacheSer
 		if cacheArgs.Port != 0 {
 			port = cacheArgs.Port
 		}
+		if cacheArgs.Secret != "" {
+			secret = cacheArgs.Secret
+		}
+
+		if secret == "" {
+			// no cache secret was specified, panic
+			log.Error("no cache secret was specified, exiting.")
+			return nil
+		}
 
 		cacheHandler, err := artifactcache.StartHandler(
 			dir,
 			host,
 			port,
+			secret,
 			log.StandardLogger().WithField("module", "cache_request"),
 		)
 		if err != nil {