Release 1.3.0

also replace old user by new one before creation

.github/workflows/run-tests.yml

@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      - name: run check and tests in archlinux container
+      - name: run check and tests in arch linux container
         run: |
           docker run \
           -v  ${{ github.workspace }}:/build -w /build \

Makefile

@@ -1,15 +1,18 @@
-.PHONY: archive archive_directory archlinux check clean directory push tests version
+.PHONY: architecture archive archive_directory archlinux check clean directory push tests version
 .DEFAULT_GOAL := archlinux
 
 PROJECT := ahriman
 
-FILES := AUTHORS COPYING CONFIGURING.md README.md package src setup.cfg setup.py
+FILES := AUTHORS COPYING README.md docs package src setup.cfg setup.py
 TARGET_FILES := $(addprefix $(PROJECT)/, $(FILES))
 IGNORE_FILES := package/archlinux src/.mypy_cache
 
 $(TARGET_FILES) : $(addprefix $(PROJECT), %) : $(addprefix ., %) directory version
 	@cp -rp $< $@
 
+architecture:
+	cd src && pydeps ahriman -o ../docs/ahriman-architecture.svg --no-show --cluster
+
 archive: archive_directory
 	tar cJf "$(PROJECT)-$(VERSION)-src.tar.xz" "$(PROJECT)"
 	rm -rf "$(PROJECT)"

README.md

@@ -1,4 +1,4 @@
-# ArcHlinux ReposItory MANager
+# ArcH Linux ReposItory MANager
 
 [![build status](https://github.com/arcan1s/ahriman/actions/workflows/run-tests.yml/badge.svg)](https://github.com/arcan1s/ahriman/actions/workflows/run-tests.yml)
 [![CodeFactor](https://www.codefactor.io/repository/github/arcan1s/ahriman/badge)](https://www.codefactor.io/repository/github/arcan1s/ahriman)
@@ -7,67 +7,66 @@ Wrapper for managing custom repository inspired by [repo-scripts](https://github
 
 ## Features
 
-* Install-configure-forget manager for own repository
-* Multi-architecture support
-* VCS packages support
-* Sign support with gpg (repository, package, per package settings)
-* Synchronization to remote services (rsync, s3) and report generation (html)
-* Dependency manager
-* Repository status interface
+* Install-configure-forget manager for own repository.
+* Multi-architecture support.
+* VCS packages support.
+* Sign support with gpg (repository, package, per package settings).
+* Synchronization to remote services (rsync, s3) and report generation (html).
+* Dependency manager.
+* Repository status interface with optional authorization and control options:
+
+    ![web interface](web.png)
 
 ## Installation and run
 
-* Install package as usual.
-* Change settings if required, see [CONFIGURING](CONFIGURING.md) for more details.
-* Create `/var/lib/ahriman/.makepkg.conf` with `makepkg.conf` overrides if required (at least you might want to set `PACKAGER`):
+For installation details please refer to the [documentation](docs/setup.md). For command help, `--help` subcommand must be used, e.g.:
 
-    ```shell
-    echo 'PACKAGER="John Doe <john@doe.com>"' | sudo -u ahriman tee -a /var/lib/ahriman/.makepkg.conf
-    ```
+```shell
+$ ahriman --help
+usage: ahriman [-h] [-a ARCHITECTURE] [-c CONFIGURATION] [--force] [-l LOCK] [--no-log] [--no-report] [--unsafe] [-v]
+               {add,check,clean,config,create-user,init,key-import,rebuild,remove,remove-unknown,report,search,setup,sign,status,status-update,sync,update,web} ...
 
-* Configure build tools (it is required for correct dependency management system):
+ArcH Linux ReposItory MANager
 
-    * create build command, e.g. `ln -s /usr/bin/archbuild /usr/local/bin/ahriman-x86_64-build` (you can choose any name for command, basically it should be `{name}-{arch}-build`);
-    * create configuration file, e.g. `cp /usr/share/devtools/pacman-{extra,ahriman}.conf` (same as previous `pacman-{name}.conf`);
-    * change configuration file, add your own repository, add multilib repository etc;
-    * set `build_command` option to point to your command;
-    * configure `/etc/sudoers.d/ahriman` to allow running command without a password.
+optional arguments:
+  -h, --help            show this help message and exit
+  -a ARCHITECTURE, --architecture ARCHITECTURE
+                        target architectures (can be used multiple times) (default: None)
+  -c CONFIGURATION, --configuration CONFIGURATION
+                        configuration path (default: /etc/ahriman.ini)
+  --force               force run, remove file lock (default: False)
+  -l LOCK, --lock LOCK  lock file (default: /tmp/ahriman.lock)
+  --no-log              redirect all log messages to stderr (default: False)
+  --no-report           force disable reporting to web service (default: False)
+  --unsafe              allow to run ahriman as non-ahriman user (default: False)
+  -v, --version         show program's version number and exit
 
-    ```shell
-    ln -s /usr/bin/archbuild /usr/local/bin/ahriman-x86_64-build
-    cp /usr/share/devtools/pacman-{extra,ahriman}.conf
+command:
+  {add,check,clean,config,create-user,init,key-import,rebuild,remove,remove-unknown,report,search,setup,sign,status,status-update,sync,update,web}
+                        command to run
+    add                 add package
+    check               check for updates
+    clean               clean local caches
+    config              dump configuration
+    create-user         create user for web services
+    init                create repository tree
+    key-import          import PGP key
+    rebuild             rebuild repository
+    remove              remove package
+    remove-unknown      remove unknown packages
+    report              generate report
+    search              search for package
+    setup               initial service configuration
+    sign                sign packages
+    status              get package status
+    status-update       update package status
+    sync                sync repository
+    update              update packages
+    web                 start web server
+```
 
-    echo '[multilib]' | tee -a /usr/share/devtools/pacman-ahriman.conf
-    echo 'Include = /etc/pacman.d/mirrorlist' | tee -a /usr/share/devtools/pacman-ahriman.conf
+Subcommands have own help message as well.
 
-    echo '[aur-clone]' | tee -a /usr/share/devtools/pacman-ahriman.conf
-    echo 'SigLevel = Optional TrustAll' | tee -a /usr/share/devtools/pacman-ahriman.conf
-    echo 'Server = file:///var/lib/ahriman/repository/$arch' | tee -a /usr/share/devtools/pacman-ahriman.conf
+## Configuration
 
-    echo '[build]' | tee -a /etc/ahriman.ini.d/build.ini
-    echo 'build_command = ahriman-x86_64-build' | tee -a /etc/ahriman.ini.d/build.ini
-
-    echo 'Cmnd_Alias CARCHBUILD_CMD = /usr/local/bin/ahriman-x86_64-build *' | tee -a /etc/sudoers.d/ahriman
-    echo 'ahriman ALL=(ALL) NOPASSWD: CARCHBUILD_CMD' | tee -a /etc/sudoers.d/ahriman
-    chmod 400 /etc/sudoers.d/ahriman
-    ```
-
-* Start and enable `ahriman@.timer` via `systemctl`:
-
-    ```shell
-    systemctl enable --now ahriman@x86_64.timer
-    ```
-
-* Start and enable status page:
-
-    ```shell
-    systemctl enable --now ahriman-web@x86_64
-    ```
-
-* Add packages by using `ahriman add {package}` command:
-
-    ```shell
-    sudo -u ahriman ahriman -a x86_64 add yay --now
-    ```
-
-Note that initial service configuration can be done by running `ahriman setup` with specific arguments.
+Every available option is described in the [documentation](docs/configuration.md).

docs/architecture.md

@@ -0,0 +1,184 @@
+# Package structure
+
+Packages have strict rules of importing:
+
+* `ahriman.application` package must not be used anywhere except for itself.
+* `ahriman.core` and `ahriman.models` packages don't have any import restriction. Actually we would like to totally restrict importing of `core` package from `models`, but it is impossible at the moment.
+* `ahriman.web` package is allowed to be imported from `ahriman.application` (web handler only, only `ahriman.web.web` methods). It also must not be imported globally, only local import is allowed. 
+
+Full dependency diagram:
+
+![architecture](ahriman-architecture.svg)
+
+## `ahriman.application` package
+
+This package contains application (aka executable) related classes and everything for that. It also contains package called `ahriman.application.handlers` in which all available subcommands are described as separated classes derived from base `ahriman.application.handlers.handler.Handler` class. `ahriman.application.ahriman` contains only command line parses and executes specified `Handler` on success, `ahriman.application.application.Application` is a god class which provides interfaces for all repository related actions. `ahriman.application.lock.Lock` is additional class which provides file-based lock and also performs some common checks.
+
+## `ahriman.core` package
+
+This package contains everything which is required for any time of application run and separated to several packages:
+
+* `ahriman.core.alpm` package controls pacman related functions. It provides wrappers for `pyalpm` library and safe calls for repository tools (`repo-add` and `repo-remove`).
+* `ahriman.core.auth` package provides classes for authorization methods used by web mostly. Base class is `ahriman.core.auth.auth.Auth` which must be called by `load` method.
+* `ahriman.core.build_tools` is a package which provides wrapper for `devtools` commands.
+* `ahriman.core.report` is a package with reporting classes. Usually it must be called by `ahriman.core.report.report.Report.load` method.
+* `ahriman.core.repository` contains several traits and base repository (`ahriman.core.repository.repository.Repository` class) implementation.
+* `ahriman.core.sign` package provides sign feature (only gpg calls are available).
+* `ahriman.core.status` contains helpers and watcher class which are required for web application. Reporter must be initialized by using `ahriman.core.status.client.Client.load` method.
+* `ahriman.core.upload` package provides sync feature, must be called by `ahriman.core.upload.upload.Upload.load` method.
+
+This package also provides some generic functions and classes which may be used by other packages:
+
+* `ahriman.core.configuration.Configuration` is an extension for standard `configparser` library.
+* `ahriman.core.exceptions` provides custom exceptions.
+* `ahriman.core.spawn.Spawn` is a tool which can spawn another `ahriman` process. This feature is used by web application.
+* `ahriman.core.tree` is a dependency tree implementation.
+
+## `ahriman.models` package
+
+It provides models for any other part of application. Unlike `ahriman.core` package classes from here provides only conversion methods (e.g. create class from another or convert to). Mostly case classes and enumerations.
+
+## `ahriman.web` package
+
+Web application. It is important that this package is isolated from any other to allow it to be optional feature (i.e. dependencies which are required by the package are optional).
+
+* `ahriman.web.middlewares` provides middlewares for request handlers.
+* `ahriman.web.views` contains web views derived from aiohttp view class.
+* `ahriman.web.routes` creates routes for web application.
+* `ahriman.web.web` provides main web application functions (e.g. start, initialization).
+
+# Application run
+
+* Parse command line arguments, find command and related handler which is set by parser.
+* Call `Handler.execute` method.
+* Define list of architectures to run. In case if there is more than one architecture specified run several subprocesses or process in current process otherwise. Class attribute `ALLOW_MULTI_ARCHITECTURE_RUN` controls whether application can be run in multiple processes or not - this feature is required for some handlers (e.g. `Web`) which should be able to spawn child process in daemon mode (it is impossible to do for daemonic processes).
+* In each child process call lock functions.
+* After success checks pass control to `Handler.run` method defined by specific handler class.
+* Return result (success or failure) of each subprocess and exit from application.
+
+In most cases handlers spawn god class `ahriman.application.application.Application` class and call required methods.
+
+Application is designed to run from `systemd` services and provides parametrized by architecture timer and service file for that.
+
+# Basic flows
+
+## Add new packages or rebuild existing
+
+Idea is to copy package to the directory from which it will be handled at the next update run. Different variants are supported:
+
+* If supplied argument is file then application moves the file to the directory with built packages. Same rule applies for directory, but in this case it copies every package-like file from the specified directory.
+* If supplied argument iis not file then application tries to lookup for the specified name in AUR and clones it into the directory with manual updates. This scenario can also handle package dependencies which are missing in repositories.
+
+## Rebuild packages
+
+Same as add function for every package in repository. Optional filter by reverse dependency can be supplied.
+
+## Remove packages
+
+This flow removes package from filesystem, updates repository database and also runs synchronization and reporting methods.
+
+## Update packages
+
+This feature is divided into to stages: check AUR for updates and run rebuild for required packages. Whereas check does not do anything except for check itself, update flow is the following:
+
+1. Process every built package first. Those packages are usually added manually.
+2. Run sync and report methods.
+3. Generate dependency tree for packages to be built.
+4. For each level of tree it does:
+   1. Download package data from AUR.
+   2. Build every package in clean chroot.
+   3. Sign packages if required.
+   4. Add packages to database and sign database if required.
+   5. Process sync and report methods.
+
+After any step any package data is being removed.
+
+# Core functions reference
+
+## Configuration 
+
+`ahriman.core.configuration.Configuration` class provides some additional methods (e.g. `getpath` and `getlist`) and also combines multiple files into single configuration dictionary using architecture overrides. It is recommended to read class related settings from the class, not outside.
+
+## Utils
+
+For every external command run (which is actually not recommended if possible) custom wrapper for `subprocess` is used. Additional functions `ahriman.core.auth.helpers` provide safe calls for `aiohttp_security` methods and are required to make this dependency optional.
+
+## Submodules
+
+Some packages provide different behaviour depending on configuration settings. In this cases inheritance is used and recommended way to deal with them is to call class method `load` from base classes.
+
+## Authorization
+
+The package provides several authorization methods: disabled, based on configuration and OAuth2. 
+
+Disabled (default) authorization provider just allows everything for everyone and does not have any specific configuration (it uses some default configuration parameters though). It also provides generic interface for derived classes.
+
+Mapping (aka configuration) provider uses hashed passwords with salt from configuration file in order to authenticate users. This provider also enables user permission checking (read/write) (authorization). Thus, it defines the following methods:
+
+* `check_credentials` - user password validation (authentication).
+* `verify_access` - user permission validation (authorization).
+
+Passwords must be stored in configuration as `hash(password + salt)`, where `password` is user defined password (taken from user input), `salt` is random string (any length) defined globally in configuration and `hash` is secure hash function. Thus, the following configuration
+
+```ini
+[auth:read]
+username = $6$rounds=656000$mWBiecMPrHAL1VgX$oU4Y5HH8HzlvMaxwkNEJjK13ozElyU1wAHBoO/WW5dAaE4YEfnB0X3FxbynKMl4FBdC3Ovap0jINz4LPkNADg0
+```
+
+means that there is user `username` with `read` access and password `password` hashed by `sha512` with salt `salt`.
+
+OAuth provider uses library definitions (`aioauth-client`) in order _authenticate_ users. It still requires user permission to be set in configuration, thus it inherits mapping provider without any changes. Whereas we could override `check_credentials` (authentication method) by something custom, OAuth flow is a bit more complex than just forward request, thus we have to implement the flow in login form.
+
+OAuth's implementation also allows authenticating users via username + password (in the same way as mapping does) though it is not recommended for end-users and password must be left blank. In particular this feature is used by service reporting (aka robots).
+
+In order to configure users there is special command.
+
+## Additional features
+
+Some features require optional dependencies to be installed:
+
+* Version control executables (e.g. `git`, `svn`) for VCS packages.
+* `gnupg` application for package and repository sign feature.
+* `rsync` application for rsync based repository sync.
+* `boto3` python package for `S3` sync.
+* `Jinja2` python package for HTML report generation (it is also used by web application).
+
+# Web application
+
+Web application requires the following python packages to be installed:
+
+* Core part requires `aiohttp` (application itself), `aiohttp_jinja2` and `Jinja2` (HTML generation from templates).
+* In addition, authorization feature requires `aiohttp_security`, `aiohttp_session` and `cryptography`.
+* In addition to base authorization dependencies, OAuth2 also requires `aioauth-client` library.
+
+## Middlewares
+
+Service provides some custom middlewares, e.g. logging every exception (except for user ones) and user authorization.
+
+## Web views
+
+All web views are defined in separated package and derived from `ahriman.web.views.base.Base` class which provides typed interfaces for web application. 
+
+REST API supports both form and JSON data, but the last one is recommended. 
+
+Different APIs are separated into different packages:
+
+* `ahriman.web.views.service` provides views for application controls.
+* `ahriman.web.views.status` package provides REST API for application reporting.
+* `ahriman.web.views.user` package provides login and logout methods which can be called without authorization.
+
+## Templating
+
+Package provides base jinja templates which can be overridden by settings. Vanilla templates are actively using bootstrap library.
+
+## Requests and scopes
+
+Service provides optional authorization which can be turned on in settings. In order to control user access there are two levels of authorization - read-only (only GET-like requests) and write (anything).
+
+If this feature is configured any request except for whitelisted will be prohibited without authentication. In addition, configuration flag `auth.allow_read_only` can be used in order to allow seeing main page without authorization (this page is in default white list).
+
+For authenticated users it uses encrypted session cookies to store tokens; encryption key is generated each time at the start of the application. It also stores expiration time of the session inside.
+
+## External calls
+
+Web application provides external calls to control main service. It spawns child process with specific arguments and waits for its termination. This feature must be used either with authorization or in safe (i.e. when status page is not available world-wide) environment.

docs/configuration.md

@@ -18,6 +18,30 @@ libalpm and AUR related configuration.
 * `repositories` - list of pacman repositories, space separated list of strings, required.
 * `root` - root for alpm library, string, required.
 
+## `auth` group
+
+Base authorization settings. `OAuth` provider requires `aioauth-client` library to be installed.
+
+* `target` - specifies authorization provider, string, optional, default `disabled`. Allowed values are `disabled`, `configuration`, `oauth`.
+* `allow_read_only` - allow requesting read only pages without authorization, boolean, required.
+* `allowed_paths` - URI paths (exact match) which can be accessed without authorization, space separated list of strings, optional.
+* `allowed_paths_groups` - URI paths prefixes which can be accessed without authorization, space separated list of strings, optional.
+* `client_id` - OAuth2 application client ID, string, required in case if `oauth` is used.
+* `client_secret` - OAuth2 application client secret key, string, required in case if `oauth` is used.
+* `max_age` - parameter which controls both cookie expiration and token expiration inside the service, integer, optional, default is 7 days.
+* `oauth_provider` - OAuth2 provider class name as is in `aioauth-client` (e.g. `GoogleClient`, `GithubClient` etc), string, required in case if `oauth` is used.
+* `oauth_scopes` - scopes list for OAuth2 provider, which will allow retrieving user email (which is used for checking user permissions), e.g. `https://www.googleapis.com/auth/userinfo.email` for `GoogleClient` or `user:email` for `GithubClient`, space separated list of strings, required in case if `oauth` is used.
+* `salt` - password hash salt, string, required in case if authorization enabled (automatically generated by `create-user` subcommand).
+
+## `auth:*` groups
+
+Authorization mapping. Group name must refer to user access level, i.e. it should be one of `auth:read` (read hidden pages), `auth:write` (everything is allowed).
+
+Key is always username (case-insensitive), option value depends on authorization provider:
+
+* `OAuth` - by default requires only usernames and ignores values. But in case of direct login method call (via POST request) it will act as `Mapping` authorization method.
+* `Mapping` (default) - reads salted password hashes from values, uses SHA512 in order to hash passwords. Password can be set by using `create-user` subcommand.
+
 ## `build:*` groups
 
 Build related configuration. Group name must refer to architecture, e.g. it should be `build:x86_64` for x86_64 architecture.
@@ -47,12 +71,13 @@ Settings for signing packages or repository. Group name must refer to architectu
 
 Report generation settings.
 
-* `target` - list of reports to be generated, space separated list of strings, optional. Allowed values are `html`, `email`.
+* `target` - list of reports to be generated, space separated list of strings, required. Allowed values are `html`, `email`.
 
 ### `email:*` groups
 
 Group name must refer to architecture, e.g. it should be `email:x86_64` for x86_64 architecture.
 
+* `full_template_path` - path to Jinja2 template for full package description index, string, optional.
 * `homepage` - link to homepage, string, optional.
 * `host` - SMTP host for sending emails, string, required.
 * `link_path` - prefix for HTML links, string, required.
@@ -78,7 +103,7 @@ Group name must refer to architecture, e.g. it should be `html:x86_64` for x86_6
 
 Remote synchronization settings.
 
-* `target` - list of synchronizations to be used, space separated list of strings, optional. Allowed values are `rsync`, `s3`.
+* `target` - list of synchronizations to be used, space separated list of strings, required. Allowed values are `rsync`, `s3`.
 
 ### `rsync:*` groups
 
@@ -101,6 +126,10 @@ Group name must refer to architecture, e.g. it should be `s3:x86_64` for x86_64
 
 Web server settings. If any of `host`/`port` is not set, web integration will be disabled. Group name must refer to architecture, e.g. it should be `web:x86_64` for x86_64 architecture.
 
+* `address` - optional address in form `proto://host:port` (`port` can be omitted in case of default `proto` ports), will be used instead of `http://{host}:{port}` in case if set, string, optional. This option is required in case if `OAuth` provider is used.
 * `host` - host to bind, string, optional.
+* `password` - password to authorize in web service in order to update service status, string, required in case if authorization enabled.  
 * `port` - port to bind, int, optional.
+* `static_path` - path to directory with static files, string, required.
 * `templates` - path to templates directory, string, required.
+* `username` - username to authorize in web service in order to update service status, string, required in case if authorization enabled.  

docs/setup.md

@@ -0,0 +1,60 @@
+# Setup instructions
+
+1. Install package as usual.
+2. Change settings if required, see [configuration reference](configuration.md) for more details.
+3. Create `/var/lib/ahriman/.makepkg.conf` with `makepkg.conf` overrides if required (at least you might want to set `PACKAGER`):
+
+    ```shell
+    echo 'PACKAGER="John Doe <john@doe.com>"' | sudo -u ahriman tee -a /var/lib/ahriman/.makepkg.conf
+    ```
+
+4. Configure build tools (it is required for correct dependency management system):
+
+    1. Create build command, e.g. `ln -s /usr/bin/archbuild /usr/local/bin/ahriman-x86_64-build` (you can choose any name for command, basically it should be `{name}-{arch}-build`).
+    2. Create configuration file, e.g. `cp /usr/share/devtools/pacman-{extra,ahriman}.conf` (same as previous `pacman-{name}.conf`).
+    3. Change configuration file, add your own repository, add multilib repository etc;
+    4. Set `build_command` option to point to your command.
+    5. Configure `/etc/sudoers.d/ahriman` to allow running command without a password.
+
+    ```shell
+    ln -s /usr/bin/archbuild /usr/local/bin/ahriman-x86_64-build
+    cp /usr/share/devtools/pacman-{extra,ahriman}.conf
+
+    echo '[multilib]' | tee -a /usr/share/devtools/pacman-ahriman.conf
+    echo 'Include = /etc/pacman.d/mirrorlist' | tee -a /usr/share/devtools/pacman-ahriman.conf
+
+    echo '[aur-clone]' | tee -a /usr/share/devtools/pacman-ahriman.conf
+    echo 'SigLevel = Optional TrustAll' | tee -a /usr/share/devtools/pacman-ahriman.conf
+    echo 'Server = file:///var/lib/ahriman/repository/$arch' | tee -a /usr/share/devtools/pacman-ahriman.conf
+
+    echo '[build]' | tee -a /etc/ahriman.ini.d/build.ini
+    echo 'build_command = ahriman-x86_64-build' | tee -a /etc/ahriman.ini.d/build.ini
+
+    echo 'Cmnd_Alias CARCHBUILD_CMD = /usr/local/bin/ahriman-x86_64-build *' | tee -a /etc/sudoers.d/ahriman
+    echo 'ahriman ALL=(ALL) NOPASSWD: CARCHBUILD_CMD' | tee -a /etc/sudoers.d/ahriman
+    chmod 400 /etc/sudoers.d/ahriman
+    ```
+
+5. Start and enable `ahriman@.timer` via `systemctl`:
+
+    ```shell
+    systemctl enable --now ahriman@x86_64.timer
+    ```
+
+6. Start and enable status page:
+
+    ```shell
+    systemctl enable --now ahriman-web@x86_64
+    ```
+
+7. Add packages by using `ahriman add {package}` command:
+
+    ```shell
+    sudo -u ahriman ahriman -a x86_64 add yay --now
+    ```
+
+Note that initial service configuration can be done by running `ahriman setup` with specific arguments.
+
+## User creation
+
+`create-user` subcommand is recommended for new user creation.

package/archlinux/PKGBUILD

@@ -1,21 +1,25 @@
 # Maintainer: Evgeniy Alekseev
 
 pkgname='ahriman'
-pkgver=1.2.5
+pkgver=1.3.0
 pkgrel=1
-pkgdesc="ArcHlinux ReposItory MANager"
+pkgdesc="ArcH Linux ReposItory MANager"
 arch=('any')
 url="https://github.com/arcan1s/ahriman"
 license=('GPL3')
-depends=('devtools' 'git' 'pyalpm' 'python-aur' 'python-srcinfo')
-makedepends=('python-argparse-manpage' 'python-pip')
+depends=('devtools' 'git' 'pyalpm' 'python-aur' 'python-passlib' 'python-srcinfo')
+makedepends=('python-pip')
 optdepends=('breezy: -bzr packages support'
             'darcs: -darcs packages support'
             'gnupg: package and repository sign'
             'mercurial: -hg packages support'
+            'python-aioauth-client: web server with OAuth2 authorization'
             'python-aiohttp: web server'
             'python-aiohttp-jinja2: web server'
+            'python-aiohttp-security: web server with authorization'
+            'python-aiohttp-session: web server with authorization'
             'python-boto3: sync to s3'
+            'python-cryptography: web server with authorization'
             'python-jinja: html report generation'
             'rsync: sync by using rsync'
             'subversion: -svn packages support')

package/archlinux/ahriman.sysusers

@@ -1 +1 @@
-u ahriman 643 "ArcHlinux ReposItory MANager" /var/lib/ahriman
+u ahriman 643 "ArcH Linux ReposItory MANager" /var/lib/ahriman

package/etc/ahriman.ini

@@ -8,6 +8,13 @@ database = /var/lib/pacman
 repositories = core extra community multilib
 root = /
 
+[auth]
+target = disabled
+allow_read_only = yes
+max_age = 604800
+oauth_provider = GoogleClient
+oauth_scopes = https://www.googleapis.com/auth/userinfo.email
+
 [build]
 archbuild_flags =
 build_command = extra-x86_64-build
@@ -26,8 +33,9 @@ target =
 target =
 
 [email]
+full_template_path = /usr/share/ahriman/repo-index.jinja2
 no_empty_report = yes
-template_path = /usr/share/ahriman/repo-index.jinja2
+template_path = /usr/share/ahriman/email-index.jinja2
 ssl = disabled
 
 [html]
@@ -44,4 +52,5 @@ chunk_size = 8388608
 
 [web]
 host = 127.0.0.1
+static_path = /usr/share/ahriman/static
 templates = /usr/share/ahriman

package/etc/ahriman.ini.d/logging.ini

@@ -2,7 +2,7 @@
 keys = root,builder,build_details,http
 
 [handlers]
-keys = console_handler,build_file_handler,file_handler,http_handler,syslog_handler
+keys = console_handler,syslog_handler
 
 [formatters]
 keys = generic_format,syslog_format
@@ -13,24 +13,6 @@ level = DEBUG
 formatter = generic_format
 args = (sys.stderr,)
 
-[handler_file_handler]
-class = logging.handlers.RotatingFileHandler
-level = DEBUG
-formatter = generic_format
-args = ("/var/log/ahriman/ahriman.log", "a", 20971520, 20)
-
-[handler_build_file_handler]
-class = logging.handlers.RotatingFileHandler
-level = DEBUG
-formatter = generic_format
-args = ("/var/log/ahriman/build.log", "a", 20971520, 20)
-
-[handler_http_handler]
-class = logging.handlers.RotatingFileHandler
-level = DEBUG
-formatter = generic_format
-args = ("/var/log/ahriman/http.log", "a", 20971520, 20)
-
 [handler_syslog_handler]
 class = logging.handlers.SysLogHandler
 level = DEBUG

package/lib/systemd/system/ahriman-web@.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=ArcHlinux ReposItory MANager web server (%I architecture)
+Description=ArcH Linux ReposItory MANager web server (%I architecture)
 After=network.target
 
 [Service]
@@ -8,8 +8,5 @@ ExecStart=/usr/bin/ahriman --architecture %i web
 User=ahriman
 Group=ahriman
 
-KillSignal=SIGQUIT
-SuccessExitStatus=SIGQUIT
-
 [Install]
 WantedBy=multi-user.target

package/lib/systemd/system/ahriman@.service

@@ -1,5 +1,5 @@
 [Unit]
-Description=ArcHlinux ReposItory MANager (%I architecture)
+Description=ArcH Linux ReposItory MANager (%I architecture)
 
 [Service]
 ExecStart=/usr/bin/ahriman --architecture %i update

package/lib/systemd/system/ahriman@.timer

@@ -1,5 +1,5 @@
 [Unit]
-Description=ArcHlinux ReposItory MANager timer (%I architecture)
+Description=ArcH Linux ReposItory MANager timer (%I architecture)
 
 [Timer]
 OnCalendar=daily

package/share/ahriman/build-status.jinja2

@@ -3,52 +3,125 @@
     <head>
         <title>{{ repository }}</title>
 
-        {% include "style.jinja2" %}
+        <meta name="viewport" content="width=device-width, initial-scale=1">
 
-        {% include "sorttable.jinja2" %}
-        {% include "search.jinja2" %}
+        <link rel="shortcut icon" href="/static/favicon.ico">
+
+        {% include "utils/style.jinja2" %}
     </head>
 
     <body>
-        <div class="root">
+
+        <div class="container">
             <h1>ahriman
-                <img src="https://img.shields.io/badge/version-{{ version }}-informational" alt="{{ version }}">
-                <img src="https://img.shields.io/badge/architecture-{{ architecture }}-informational" alt="{{ architecture }}">
-                <img src="https://img.shields.io/badge/service%20status-{{ service.status }}-{{ service.status_color }}" alt="{{ service.status }}" title="{{ service.timestamp }}">
+                {% if auth.authenticated %}
+                    <img src="https://img.shields.io/badge/version-{{ version }}-informational" alt="{{ version }}">
+                    <img src="https://img.shields.io/badge/repository-{{ repository }}-informational" alt="{{ repository }}">
+                    <img src="https://img.shields.io/badge/architecture-{{ architecture }}-informational" alt="{{ architecture }}">
+                    <img src="https://img.shields.io/badge/service%20status-{{ service.status }}-{{ service.status_color }}" alt="{{ service.status }}" title="{{ service.timestamp }}">
+                {% endif %}
             </h1>
+        </div>
 
-            {% include "search-line.jinja2" %}
+        <div class="container">
+            <div id="toolbar">
+                {% if not auth.enabled or auth.username is not none %}
+                    <button id="add" class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#addForm">
+                        <i class="fa fa-plus"></i> Add
+                    </button>
+                    <button id="update" class="btn btn-secondary" onclick="updatePackages()" disabled>
+                        <i class="fa fa-play"></i> Update
+                    </button>
+                    <button id="remove" class="btn btn-danger" onclick="removePackages()" disabled>
+                        <i class="fa fa-trash"></i> Remove
+                    </button>
+                {% endif %}
+            </div>
 
-            <section class="element">
-                <table class="sortable search-table">
-                    <tr class="header">
-                        <th>package base</th>
-                        <th>packages</th>
-                        <th>version</th>
-                        <th>last update</th>
-                        <th>status</th>
+            <table id="packages" class="table table-striped table-hover"
+                   data-click-to-select="true"
+                   data-export-options='{"fileName": "packages"}'
+                   data-page-list="[10, 25, 50, 100, all]"
+                   data-page-size="10"
+                   data-pagination="true"
+                   data-resizable="true"
+                   data-search="true"
+                   data-show-columns="true"
+                   data-show-columns-search="true"
+                   data-show-columns-toggle-all="true"
+                   data-show-export="true"
+                   data-show-fullscreen="true"
+                   data-show-search-clear-button="true"
+                   data-sortable="true"
+                   data-sort-reset="true"
+                   data-toggle="table"
+                   data-toolbar="#toolbar">
+                <thead class="table-primary">
+                    <tr>
+                        <th data-checkbox="true"></th>
+                        <th data-sortable="true" data-switchable="false">package base</th>
+                        <th data-sortable="true">version</th>
+                        <th data-sortable="true">packages</th>
+                        <th data-sortable="true" data-visible="false">groups</th>
+                        <th data-sortable="true" data-visible="false">licenses</th>
+                        <th data-sortable="true">last update</th>
+                        <th data-sortable="true">status</th>
                     </tr>
+                </thead>
 
+                <tbody>
+                {% if auth.authenticated %}
                     {% for package in packages %}
-                        <tr class="package">
-                            <td class="include-search"><a href="{{ package.web_url }}" title="{{ package.base }}">{{ package.base }}</a></td>
-                            <td class="include-search">{{ package.packages|join("<br>"|safe) }}</td>
+                        <tr data-package-base="{{ package.base }}">
+                            <td data-checkbox="true"></td>
+                            <td><a href="{{ package.web_url }}" title="{{ package.base }}">{{ package.base }}</a></td>
                             <td>{{ package.version }}</td>
+                            <td>{{ package.packages|join("<br>"|safe) }}</td>
+                            <td>{{ package.groups|join("<br>"|safe) }}</td>
+                            <td>{{ package.licenses|join("<br>"|safe) }}</td>
                             <td>{{ package.timestamp }}</td>
-                            <td class="status package-{{ package.status }}">{{ package.status }}</td>
+                            <td class="table-{{ package.status_color }}">{{ package.status }}</td>
                         </tr>
                     {% endfor %}
-                </table>
-            </section>
+                {% else %}
+                    <tr>
+                        <td colspan="100%">In order to see statuses you must login first.</td>
+                    </tr>
+                {% endif %}
+                </tbody>
+            </table>
+        </div>
 
-            <footer>
-                <ul class="navigation">
-                    <li><a href="https://github.com/arcan1s/ahriman" title="sources">ahriman</a></li>
-                    <li><a href="https://github.com/arcan1s/ahriman/releases" title="releases list">releases</a></li>
-                    <li><a href="https://github.com/arcan1s/ahriman/issues" title="issues tracker">report a bug</a></li>
+        <div class="container">
+            <footer class="d-flex flex-wrap justify-content-between align-items-center border-top">
+                <ul class="nav">
+                    <li><a class="nav-link" href="https://github.com/arcan1s/ahriman" title="sources">ahriman</a></li>
+                    <li><a class="nav-link" href="https://github.com/arcan1s/ahriman/releases" title="releases list">releases</a></li>
+                    <li><a class="nav-link" href="https://github.com/arcan1s/ahriman/issues" title="issues tracker">report a bug</a></li>
                 </ul>
+
+                {% if auth.enabled %}
+                    {% if auth.username is none %}
+                        {{ auth.control|safe }}
+                    {% else %}
+                        <form action="/user-api/v1/logout" method="post">
+                            <button class="btn btn-link" style="text-decoration: none">logout ({{ auth.username }})</button>
+                        </form>
+                    {% endif %}
+                {% endif %}
             </footer>
         </div>
+
+        {% if auth.enabled %}
+            {% include "build-status/login-modal.jinja2" %}
+        {% endif %}
+
+        {% include "build-status/package-actions-modals.jinja2" %}
+
+        {% include "utils/bootstrap-scripts.jinja2" %}
+
+        {% include "build-status/package-actions-script.jinja2" %}
+
     </body>
 
 </html>

package/share/ahriman/build-status/login-modal.jinja2

@@ -0,0 +1,29 @@
+<div id="loginForm" tabindex="-1" role="dialog" class="modal fade">
+    <div class="modal-dialog" role="document">
+        <div class="modal-content">
+            <form action="/user-api/v1/login" method="post">
+                <div class="modal-header">
+                    <h4 class="modal-title">Login</h4>
+                    <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="close"></button>
+                </div>
+                <div class="modal-body">
+                    <div class="form-group row">
+                        <label for="username" class="col-sm-2 col-form-label">Username</label>
+                        <div class="col-sm-10">
+                            <input id="username" type="text" class="form-control" placeholder="enter username" name="username" required>
+                        </div>
+                    </div>
+                    <div class="form-group row">
+                        <label for="password" class="col-sm-2 col-form-label">Password</label>
+                        <div class="col-sm-10">
+                            <input id="password" type="password" class="form-control" placeholder="enter password" name="password" required>
+                        </div>
+                    </div>
+                </div>
+                <div class="modal-footer">
+                    <button class="btn btn-primary">Login</button>
+                </div>
+            </form>
+        </div>
+    </div>
+</div>

package/share/ahriman/build-status/package-actions-modals.jinja2

@@ -0,0 +1,59 @@
+<div id="addForm" tabindex="-1" role="dialog" class="modal fade">
+    <div class="modal-dialog" role="document">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h4 class="modal-title">Add new packages</h4>
+                <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="close"></button>
+            </div>
+            <div class="modal-body">
+                <div class="form-group row">
+                    <label for="package" class="col-sm-2 col-form-label">Package</label>
+                    <div class="col-sm-10">
+                        <input id="package" type="text" list="knownPackages" class="form-control" placeholder="AUR package" name="package" required>
+                        <datalist id="knownPackages"></datalist>
+                    </div>
+                </div>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
+                <button type="button" class="btn btn-primary" data-bs-dismiss="modal" onclick="addPackages()">Add</button>
+            </div>
+        </div>
+    </div>
+</div>
+
+<div id="failedForm" tabindex="-1" role="dialog" class="modal fade">
+    <div class="modal-dialog" role="document">
+        <div class="modal-content">
+            <div class="modal-header bg-danger">
+                <h4 class="modal-title">Failed</h4>
+                <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="close"></button>
+            </div>
+            <div class="modal-body">
+                <p>Packages update has failed.</p>
+                <p id="errorDetails"></p>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-primary" data-bs-dismiss="modal">Close</button>
+            </div>
+        </div>
+    </div>
+</div>
+
+<div id="successForm" tabindex="-1" role="dialog" class="modal fade">
+    <div class="modal-dialog" role="document">
+        <div class="modal-content">
+            <div class="modal-header bg-success">
+                <h4 class="modal-title">Success</h4>
+                <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="close"></button>
+            </div>
+            <div class="modal-body">
+                <p>Packages update has been run.</p>
+                <ul id="successDetails"></ul>
+            </div>
+            <div class="modal-footer">
+                <button type="button" class="btn btn-primary" data-bs-dismiss="modal">Close</button>
+            </div>
+        </div>
+    </div>
+</div>

package/share/ahriman/build-status/package-actions-script.jinja2

@@ -0,0 +1,89 @@
+<script>
+    const $remove = $("#remove");
+    const $update = $("#update");
+
+    const $table = $("#packages");
+    $table.on("check.bs.table uncheck.bs.table check-all.bs.table uncheck-all.bs.table",
+        function () {
+            $remove.prop("disabled", !$table.bootstrapTable("getSelections").length);
+            $update.prop("disabled", !$table.bootstrapTable("getSelections").length);
+        })
+
+    const $successForm = $("#successForm");
+    const $successDetails = $("#successDetails");
+    $successForm.on("hidden.bs.modal", function() { window.location.reload(); });
+
+    const $failedForm = $("#failedForm");
+    const $errorDetails = $("#errorDetails");
+    $failedForm.on("hidden.bs.modal", function() { window.location.reload(); });
+
+    const $package = $("#package");
+    const $knownPackages = $("#knownPackages");
+    $package.keyup(function () {
+        const $this = $(this);
+        clearTimeout($this.data("timeout"));
+
+        $this.data("timeout", setTimeout($.proxy(function () {
+            const $value = $package.val();
+
+            $.ajax({
+                url: "/service-api/v1/search",
+                data: {"for": $value},
+                type: "GET",
+                dataType: "json",
+                success: function (resp) {
+                    const $options = resp.map(function (pkg) {
+                        const $option = document.createElement("option");
+                        $option.value = `${pkg.package} (${pkg.description})`;
+                        return $option;
+                    });
+                    $knownPackages.empty().append($options);
+                    $this.focus();
+                },
+            })
+        }, this), 500));
+    })
+
+    function doPackageAction($uri, $packages) {
+        if ($packages.length === 0)
+            return;
+        $.ajax({
+            url: $uri,
+            data: JSON.stringify({packages: $packages}),
+            type: "POST",
+            contentType: "application/json",
+            success: function (_) {
+                const $details = $packages.map(function (pkg) {
+                    const $li = document.createElement("li");
+                    $li.innerText = pkg;
+                    return $li;
+                });
+                $successDetails.empty().append($details);
+                $successForm.modal("show");
+            },
+            error: function (jqXHR, textStatus, errorThrown) {
+                $errorDetails.text(errorThrown);
+                $failedForm.modal("show");
+            },
+        })
+    }
+
+    function getSelection() {
+        return $.map($table.bootstrapTable("getSelections"), function(row) {
+            return row._data["package-base"];
+        })
+    }
+
+    function addPackages() {
+        const $packages = [$package.val()]
+        doPackageAction("/service-api/v1/add", $packages);
+    }
+
+    function removePackages() { doPackageAction("/service-api/v1/remove", getSelection()); }
+
+    function updatePackages() { doPackageAction("/service-api/v1/add", getSelection()); }
+
+    $(function () {
+        $table.bootstrapTable("uncheckAll");
+    })
+</script>

package/share/ahriman/email-index.jinja2

@@ -0,0 +1,42 @@
+{#simplified version of full report#}
+<!doctype html>
+<html lang="en">
+    <head>
+        <title>{{ repository }}</title>
+
+        <meta name="viewport" content="width=device-width, initial-scale=1">
+
+        {% include "utils/style.jinja2" %}
+    </head>
+
+    <body>
+
+        <div class="container">
+            <table id="packages" class="table table-striped">
+                <thead class="table-primary">
+                    <tr>
+                        <th>package</th>
+                        <th>version</th>
+                        <th>archive size</th>
+                        <th>installed size</th>
+                        <th>build date</th>
+                    </tr>
+                </thead>
+
+                <tbody>
+                {% for package in packages %}
+                    <tr>
+                        <td><a href="{{ link_path }}/{{ package.filename }}" title="{{ package.name }}">{{ package.name }}</a></td>
+                        <td>{{ package.version }}</td>
+                        <td>{{ package.archive_size }}</td>
+                        <td>{{ package.installed_size }}</td>
+                        <td>{{ package.build_date }}</td>
+                    </tr>
+                {% endfor %}
+                </tbody>
+            </table>
+        </div>
+
+    </body>
+
+</html>

package/share/ahriman/repo-index.jinja2

@@ -3,66 +3,93 @@
     <head>
         <title>{{ repository }}</title>
 
-        {% include "style.jinja2" %}
+        <meta name="viewport" content="width=device-width, initial-scale=1">
 
-        {% if extended_report %}
-            {% include "sorttable.jinja2" %}
-            {% include "search.jinja2" %}
-        {% endif %}
+        {% include "utils/style.jinja2" %}
     </head>
 
     <body>
-        <div class="root">
-            {% if extended_report %}
-                <h1>Archlinux user repository</h1>
 
-                <section class="element">
-                    {% if pgp_key is not none %}
-                        <p>This repository is signed with <a href="http://keys.gnupg.net/pks/lookup?search=0x{{ pgp_key }}&fingerprint=on&op=index" title="key search">{{ pgp_key }}</a> by default.</p>
-                    {% endif %}
-
-                    <code>
-                        $ cat /etc/pacman.conf<br>
-                        [{{ repository }}]<br>
-                        Server = {{ link_path }}<br>
-                        SigLevel = Database{% if has_repo_signed %}Required{% else %}Never{% endif %} Package{% if has_package_signed %}Required{% else %}Never{% endif %} TrustedOnly
-                    </code>
-                </section>
-                
-                {% include "search-line.jinja2" %}
-            {% endif %}
-
-            <section class="element">
-                <table class="sortable search-table">
-                    <tr class="header">
-                        <th>package</th>
-                        <th>version</th>
-                        <th>archive size</th>
-                        <th>installed size</th>
-                        <th>build date</th>
-                    </tr>
-
-                    {% for package in packages %}
-                        <tr class="package">
-                            <td class="include-search"><a href="{{ link_path }}/{{ package.filename }}" title="{{ package.name }}">{{ package.name }}</a></td>
-                            <td>{{ package.version }}</td>
-                            <td>{{ package.archive_size }}</td>
-                            <td>{{ package.installed_size }}</td>
-                            <td>{{ package.build_date }}</td>
-                        </tr>
-                    {% endfor %}
-                </table>
-            </section>
-
-            {% if extended_report %}
-                <footer>
-                    <ul class="navigation">
-                        {% if homepage is not none %}
-                            <li><a href="{{ homepage }}" title="homepage">Homepage</a></li>
-                        {% endif %}
-                    </ul>
-                </footer>
-            {% endif %}
+        <div class="container">
+            <h1>Arch Linux user repository</h1>
         </div>
+
+        <div class="container">
+            {% if pgp_key is not none %}
+                <p>This repository is signed with <a href="https://pgp.mit.edu/pks/lookup?search=0x{{ pgp_key }}&fingerprint=on&op=index" title="key search">{{ pgp_key }}</a> by default.</p>
+            {% endif %}
+
+<pre>$ cat /etc/pacman.conf
+[{{ repository }}]
+Server = {{ link_path }}
+SigLevel = Database{% if has_repo_signed %}Required{% else %}Never{% endif %} Package{% if has_package_signed %}Required{% else %}Never{% endif %} TrustedOnly</pre>
+        </div>
+
+        <div class="container">
+            <table id="packages" class="table table-striped table-hover"
+                   data-export-options='{"fileName": "packages"}'
+                   data-page-list="[10, 25, 50, 100, all]"
+                   data-page-size="10"
+                   data-pagination="true"
+                   data-resizable="true"
+                   data-search="true"
+                   data-show-columns="true"
+                   data-show-columns-search="true"
+                   data-show-columns-toggle-all="true"
+                   data-show-export="true"
+                   data-show-fullscreen="true"
+                   data-show-search-clear-button="true"
+                   data-sortable="true"
+                   data-sort-reset="true"
+                   data-toggle="table">
+                <thead class="table-primary">
+                    <tr>
+                        <th data-sortable="true" data-switchable="false">package</th>
+                        <th data-sortable="true">version</th>
+                        <th data-sortable="true" data-visible="false">architecture</th>
+                        <th data-sortable="true" data-visible="false">description</th>
+                        <th data-sortable="true" data-visible="false">upstream url</th>
+                        <th data-sortable="true" data-visible="false">licenses</th>
+                        <th data-sortable="true" data-visible="false">groups</th>
+                        <th data-sortable="true" data-visible="false">depends</th>
+                        <th data-sortable="true">archive size</th>
+                        <th data-sortable="true">installed size</th>
+                        <th data-sortable="true">build date</th>
+                    </tr>
+                </thead>
+
+                <tbody>
+                {% for package in packages %}
+                    <tr>
+                        <td><a href="{{ link_path }}/{{ package.filename }}" title="{{ package.name }}">{{ package.name }}</a></td>
+                        <td>{{ package.version }}</td>
+                        <td>{{ package.architecture }}</td>
+                        <td>{{ package.description }}</td>
+                        <td><a href="{{ package.url }}" title="{{ package.name }} upstream url">{{ package.url }}</a></td>
+                        <td>{{ package.licenses|join("<br>"|safe) }}</td>
+                        <td>{{ package.groups|join("<br>"|safe) }}</td>
+                        <td>{{ package.depends|join("<br>"|safe) }}</td>
+                        <td>{{ package.archive_size }}</td>
+                        <td>{{ package.installed_size }}</td>
+                        <td>{{ package.build_date }}</td>
+                    </tr>
+                {% endfor %}
+                </tbody>
+            </table>
+        </div>
+
+        <div class="container">
+            <footer class="d-flex flex-wrap justify-content-between align-items-center border-top">
+                <ul class="nav">
+                    {% if homepage is not none %}
+                        <li><a class="nav-link" href="{{ homepage }}" title="homepage">Homepage</a></li>
+                    {% endif %}
+                </ul>
+            </footer>
+        </div>
+
+        {% include "utils/bootstrap-scripts.jinja2" %}
+
     </body>
+
 </html>

package/share/ahriman/search-line.jinja2

@@ -1,3 +0,0 @@
-<section class="element">
-    <input type="search" id="search" onkeyup="searchInTable()" placeholder="search for package" title="search for package"/>
-</section>

package/share/ahriman/search.jinja2

@@ -1,26 +0,0 @@
-<script type="text/javascript">
-    function searchInTable() {
-        const input = document.getElementById("search");
-        const filter = input.value.toLowerCase();
-        const tables = document.getElementsByClassName("search-table");
-
-        for (let i = 0; i < tables.length; i++) {
-            const trs = tables[i].getElementsByTagName("tr");
-            // from 1 coz of header
-            for (let i = 1; i < trs.length; i++) {
-                let tr = trs[i].getElementsByClassName("include-search");
-                let display = "none";
-                for (let j = 0; j < tr.length; j++) {
-                    if (tr[j].tagName.toLowerCase() === "td") {
-                        let contains = (element) => tr[j].innerHTML.toLowerCase().indexOf(element) > -1
-                        if (filter.some(contains)) {
-                            display = "";
-                            break;
-                        }
-                    }
-                }
-                trs[i].style.display = display;
-            }
-        }
-    }
-</script>

package/share/ahriman/sorttable.jinja2

@@ -1 +0,0 @@
-<script src="https://www.kryogenix.org/code/browser/sorttable/sorttable.js"></script>

package/share/ahriman/style.jinja2

@@ -1,136 +0,0 @@
-<style>
-    :root {
-        --color-building: 255, 255, 146;
-        --color-failed: 255, 94, 94;
-        --color-pending: 255, 255, 146;
-        --color-success: 94, 255, 94;
-        --color-unknown: 225, 225, 225;
-
-        --color-header: 200, 200, 255;
-        --color-hover: 255, 255, 225;
-        --color-line-blue: 235, 235, 255;
-        --color-line-white: 255, 255, 255;
-    }
-
-    @keyframes blink-building {
-        0% { background-color: rgba(var(--color-building), 1.0); }
-        10% { background-color: rgba(var(--color-building), 0.9); }
-        20% { background-color: rgba(var(--color-building), 0.8); }
-        30% { background-color: rgba(var(--color-building), 0.7); }
-        40% { background-color: rgba(var(--color-building), 0.6); }
-        50% { background-color: rgba(var(--color-building), 0.5); }
-        60% { background-color: rgba(var(--color-building), 0.4); }
-        70% { background-color: rgba(var(--color-building), 0.3); }
-        80% { background-color: rgba(var(--color-building), 0.2); }
-        90% { background-color: rgba(var(--color-building), 0.1); }
-        100% { background-color: rgba(var(--color-building), 0.0); }
-    }
-
-    div.root {
-        width: 70%;
-        padding: 15px 15% 0;
-    }
-
-    section.element, footer {
-        width: 100%;
-        padding: 10px 0;
-    }
-
-    code, input, table {
-        width: inherit;
-    }
-
-    th, td {
-        padding: 5px;
-    }
-
-    tr.package:nth-child(odd) {
-        background-color: rgba(var(--color-line-white), 1.0);
-    }
-
-    tr.package:nth-child(even) {
-        background-color: rgba(var(--color-line-blue), 1.0);
-    }
-
-    tr.package:hover {
-        background-color: rgba(var(--color-hover), 1.0);
-    }
-
-    tr.header{
-        background-color: rgba(var(--color-header), 1.0);
-    }
-
-    td.status {
-        text-align: center;
-    }
-
-    td.package-unknown {
-        background-color: rgba(var(--color-unknown), 1.0);
-    }
-    td.package-pending {
-        background-color: rgba(var(--color-pending), 1.0);
-    }
-    td.package-building {
-        background-color: rgba(var(--color-building), 1.0);
-        animation-name: blink-building;
-        animation-duration: 1s;
-        animation-timing-function: linear;
-        animation-iteration-count: infinite;
-        animation-direction: alternate;
-    }
-    td.package-failed {
-        background-color: rgba(var(--color-failed), 1.0);
-    }
-    td.package-success {
-        background-color: rgba(var(--color-success), 1.0);
-    }
-
-    li.service-unknown {
-        background-color: rgba(var(--color-unknown), 1.0);
-    }
-    li.service-building {
-        background-color: rgba(var(--color-building), 1.0);
-        animation-name: blink-building;
-        animation-duration: 1s;
-        animation-timing-function: linear;
-        animation-iteration-count: infinite;
-        animation-direction: alternate;
-    }
-    li.service-failed {
-        background-color: rgba(var(--color-failed), 1.0);
-    }
-    li.service-success {
-        background-color: rgba(var(--color-success), 1.0);
-    }
-
-    ul.navigation {
-        list-style-type: none;
-        margin: 0;
-        padding: 0;
-        overflow: hidden;
-        background-color: rgba(var(--color-header), 1.0);
-    }
-
-    ul.navigation li {
-        float: left;
-    }
-
-    ul.navigation li.status {
-        display: block;
-        text-align: center;
-        text-decoration: none;
-        padding: 14px 16px;
-    }
-
-    ul.navigation li a {
-        display: block;
-        color: black;
-        text-align: center;
-        text-decoration: none;
-        padding: 14px 16px;
-    }
-
-    ul.navigation li a:hover {
-        background-color: rgba(var(--color-hover), 1.0);
-    }
-</style>

package/share/ahriman/utils/bootstrap-scripts.jinja2

@@ -0,0 +1,12 @@
+<script src="https://cdn.jsdelivr.net/npm/jquery/dist/jquery.min.js"></script>
+
+<script src="https://unpkg.com/tableexport.jquery.plugin/tableExport.min.js"></script>
+
+<script src="https://unpkg.com/jquery-resizable-columns@0.2.3/dist/jquery.resizableColumns.min.js"></script>
+
+<script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.0/dist/js/bootstrap.bundle.min.js" integrity="sha384-U1DAWAznBHeqEIlVSCgzq+c9gqGAJn5c/t99JyeKa9xxaYpSvHU5awsuZVVFIhvj" crossorigin="anonymous"></script>
+<script src="https://unpkg.com/bootstrap-table@1.18.3/dist/bootstrap-table.min.js"></script>
+
+<script src="https://unpkg.com/bootstrap-table@1.18.3/dist/extensions/export/bootstrap-table-export.min.js"></script>
+
+<script src="https://unpkg.com/bootstrap-table@1.18.3/dist/extensions/resizable/bootstrap-table-resizable.js"></script>

package/share/ahriman/utils/style.jinja2

@@ -0,0 +1,9 @@
+<script src="https://kit.fontawesome.com/0d6d6d5226.js" crossorigin="anonymous"></script>
+<link href="https://cdn.jsdelivr.net/npm/bootstrap@5.1.0/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-KyZXEAg3QhqLMpG8r+8fhAXLRk2vvoC2f3B09zVXn8CA5QIVfZOJ3BCsw2P0p/We" crossorigin="anonymous">
+
+<link href="https://unpkg.com/bootstrap-table@1.18.3/dist/bootstrap-table.min.css" rel="stylesheet">
+
+<link href="https://unpkg.com/jquery-resizable-columns@0.2.3/dist/jquery.resizableColumns.css" rel="stylesheet">
+
+<style>
+</style>

setup.cfg

@@ -3,6 +3,3 @@ test = pytest
 
 [tool:pytest]
 addopts = --cov=ahriman --cov-report term-missing:skip-covered --pspec
-
-[build_manpages]
-manpages = man/ahriman.1:module=ahriman.application.ahriman:function=_parser

setup.py

@@ -1,11 +1,10 @@
-from build_manpages import build_manpages
 from pathlib import Path
 from setuptools import setup, find_packages
 from typing import Any, Dict
 
 
 metadata_path = Path(__file__).resolve().parent / "src/ahriman/version.py"
-metadata: Dict[str, Any] = dict()
+metadata: Dict[str, Any] = {}
 with metadata_path.open() as metadata_file:
     exec(metadata_file.read(), metadata)  # pylint: disable=exec-used
 
@@ -16,7 +15,7 @@ setup(
     version=metadata["__version__"],
     zip_safe=False,
 
-    description="ArcHlinux ReposItory MANager",
+    description="ArcH Linux ReposItory MANager",
 
     author="arcanis",
     author_email="",
@@ -31,6 +30,7 @@ setup(
     ],
     install_requires=[
         "aur",
+        "passlib",
         "pyalpm",
         "requests",
         "srcinfo",
@@ -66,11 +66,20 @@ setup(
         ]),
         ("share/ahriman", [
             "package/share/ahriman/build-status.jinja2",
+            "package/share/ahriman/email-index.jinja2",
             "package/share/ahriman/repo-index.jinja2",
-            "package/share/ahriman/search.jinja2",
-            "package/share/ahriman/search-line.jinja2",
-            "package/share/ahriman/sorttable.jinja2",
-            "package/share/ahriman/style.jinja2",
+        ]),
+        ("share/ahriman/build-status", [
+            "package/share/ahriman/build-status/login-modal.jinja2",
+            "package/share/ahriman/build-status/package-actions-modals.jinja2",
+            "package/share/ahriman/build-status/package-actions-script.jinja2",
+        ]),
+        ("share/ahriman/static", [
+            "package/share/ahriman/static/favicon.ico",
+        ]),
+        ("share/ahriman/utils", [
+            "package/share/ahriman/utils/bootstrap-scripts.jinja2",
+            "package/share/ahriman/utils/style.jinja2",
         ]),
     ],
 
@@ -97,10 +106,10 @@ setup(
             "Jinja2",
             "aiohttp",
             "aiohttp_jinja2",
+            "aioauth-client",
+            "aiohttp_session",
+            "aiohttp_security",
+            "cryptography",
         ],
     },
-
-    cmdclass={
-        "build_manpages": build_manpages.build_manpages,
-    }
 )

src/ahriman/application/ahriman.py

@@ -27,6 +27,7 @@ from ahriman import version
 from ahriman.application import handlers
 from ahriman.models.build_status import BuildStatusEnum
 from ahriman.models.sign_settings import SignSettings
+from ahriman.models.user_access import UserAccess
 
 
 # pylint thinks it is bad idea, but get the fuck off
@@ -38,7 +39,7 @@ def _parser() -> argparse.ArgumentParser:
     command line parser generator
     :return: command line parser for the application
     """
-    parser = argparse.ArgumentParser(prog="ahriman", description="ArcHlinux ReposItory MANager",
+    parser = argparse.ArgumentParser(prog="ahriman", description="ArcH Linux ReposItory MANager",
                                      formatter_class=argparse.ArgumentDefaultsHelpFormatter)
     parser.add_argument("-a", "--architecture", help="target architectures (can be used multiple times)",
                         action="append")
@@ -65,6 +66,7 @@ def _parser() -> argparse.ArgumentParser:
     _set_key_import_parser(subparsers)
     _set_rebuild_parser(subparsers)
     _set_remove_parser(subparsers)
+    _set_remove_unknown_parser(subparsers)
     _set_report_parser(subparsers)
     _set_search_parser(subparsers)
     _set_setup_parser(subparsers)
@@ -73,6 +75,7 @@ def _parser() -> argparse.ArgumentParser:
     _set_status_update_parser(subparsers)
     _set_sync_parser(subparsers)
     _set_update_parser(subparsers)
+    _set_user_parser(subparsers)
     _set_web_parser(subparsers)
 
     return parser
@@ -160,7 +163,7 @@ def _set_key_import_parser(root: SubParserAction) -> argparse.ArgumentParser:
     parser = root.add_parser("key-import", help="import PGP key",
                              description="import PGP key from public sources to repository user",
                              formatter_class=argparse.ArgumentDefaultsHelpFormatter)
-    parser.add_argument("--key-server", help="key server for key import", default="keys.gnupg.net")
+    parser.add_argument("--key-server", help="key server for key import", default="pgp.mit.edu")
     parser.add_argument("key", help="PGP key to import from public server")
     parser.set_defaults(handler=handlers.KeyImport, architecture=[""], lock=None, no_report=True)
     return parser
@@ -192,6 +195,20 @@ def _set_remove_parser(root: SubParserAction) -> argparse.ArgumentParser:
     return parser
 
 
+def _set_remove_unknown_parser(root: SubParserAction) -> argparse.ArgumentParser:
+    """
+    add parser for remove unknown packages subcommand
+    :param root: subparsers for the commands
+    :return: created argument parser
+    """
+    parser = root.add_parser("remove-unknown", help="remove unknown packages",
+                             description="remove packages which are missing in AUR",
+                             formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+    parser.add_argument("--dry-run", help="just perform check for packages without removal", action="store_true")
+    parser.set_defaults(handler=handlers.RemoveUnknown, architecture=[])
+    return parser
+
+
 def _set_report_parser(root: SubParserAction) -> argparse.ArgumentParser:
     """
     add parser for report subcommand
@@ -262,6 +279,7 @@ def _set_status_parser(root: SubParserAction) -> argparse.ArgumentParser:
     parser = root.add_parser("status", help="get package status", description="request status of the package",
                              formatter_class=argparse.ArgumentDefaultsHelpFormatter)
     parser.add_argument("--ahriman", help="get service status itself", action="store_true")
+    parser.add_argument("--status", help="filter packages by status", choices=BuildStatusEnum, type=BuildStatusEnum)
     parser.add_argument("package", help="filter status by package base", nargs="*")
     parser.set_defaults(handler=handlers.Status, lock=None, no_log=True, no_report=True, unsafe=True)
     return parser
@@ -316,6 +334,33 @@ def _set_update_parser(root: SubParserAction) -> argparse.ArgumentParser:
     return parser
 
 
+def _set_user_parser(root: SubParserAction) -> argparse.ArgumentParser:
+    """
+    add parser for create user subcommand
+    :param root: subparsers for the commands
+    :return: created argument parser
+    """
+    parser = root.add_parser(
+        "user",
+        help="manage users for web services",
+        description="manage users for web services with password and role. In case if password was not entered it will be asked interactively",
+        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
+    parser.add_argument("username", help="username for web service")
+    parser.add_argument("--as-service", help="add user as service user", action="store_true")
+    parser.add_argument(
+        "-a",
+        "--access",
+        help="user access level",
+        type=UserAccess,
+        choices=UserAccess,
+        default=UserAccess.Read)
+    parser.add_argument("--no-reload", help="do not reload authentication module", action="store_true")
+    parser.add_argument("-p", "--password", help="user password")
+    parser.add_argument("-r", "--remove", help="remove user from configuration", action="store_true")
+    parser.set_defaults(handler=handlers.User, architecture=[""], lock=None, no_log=True, no_report=True, unsafe=True)
+    return parser
+
+
 def _set_web_parser(root: SubParserAction) -> argparse.ArgumentParser:
     """
     add parser for web subcommand
@@ -324,7 +369,7 @@ def _set_web_parser(root: SubParserAction) -> argparse.ArgumentParser:
     """
     parser = root.add_parser("web", help="start web server", description="start web server",
                              formatter_class=argparse.ArgumentDefaultsHelpFormatter)
-    parser.set_defaults(handler=handlers.Web, lock=None, no_report=True)
+    parser.set_defaults(handler=handlers.Web, lock=None, no_report=True, parser=_parser)
     return parser
 
 

src/ahriman/application/application.py

@@ -40,16 +40,17 @@ class Application:
     :ivar repository: repository instance
     """
 
-    def __init__(self, architecture: str, configuration: Configuration) -> None:
+    def __init__(self, architecture: str, configuration: Configuration, no_report: bool) -> None:
         """
         default constructor
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
         self.logger = logging.getLogger("root")
         self.configuration = configuration
         self.architecture = architecture
-        self.repository = Repository(architecture, configuration)
+        self.repository = Repository(architecture, configuration, no_report)
 
     def _finalize(self, built_packages: Iterable[Package]) -> None:
         """
@@ -205,6 +206,19 @@ class Application:
         targets = target or None
         self.repository.process_sync(targets, built_packages)
 
+    def unknown(self) -> List[Package]:
+        """
+        get packages which were not found in AUR
+        :return: unknown package list
+        """
+        packages = []
+        for base in self.repository.packages():
+            try:
+                _ = Package.from_aur(base.base, base.aur_url)
+            except Exception:
+                packages.append(base)
+        return packages
+
     def update(self, updates: Iterable[Package]) -> None:
         """
         run package updates

src/ahriman/application/handlers/__init__.py

@@ -26,6 +26,7 @@ from ahriman.application.handlers.init import Init
 from ahriman.application.handlers.key_import import KeyImport
 from ahriman.application.handlers.rebuild import Rebuild
 from ahriman.application.handlers.remove import Remove
+from ahriman.application.handlers.remove_unknown import RemoveUnknown
 from ahriman.application.handlers.report import Report
 from ahriman.application.handlers.search import Search
 from ahriman.application.handlers.setup import Setup
@@ -34,4 +35,5 @@ from ahriman.application.handlers.status import Status
 from ahriman.application.handlers.status_update import StatusUpdate
 from ahriman.application.handlers.sync import Sync
 from ahriman.application.handlers.update import Update
+from ahriman.application.handlers.user import User
 from ahriman.application.handlers.web import Web

src/ahriman/application/handlers/add.py

@@ -32,14 +32,16 @@ class Add(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        application = Application(architecture, configuration)
+        application = Application(architecture, configuration, no_report)
         application.add(args.package, args.without_dependencies)
         if not args.now:
             return

src/ahriman/application/handlers/clean.py

@@ -32,12 +32,14 @@ class Clean(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        Application(architecture, configuration).clean(args.no_build, args.no_cache, args.no_chroot,
-                                                       args.no_manual, args.no_packages)
+        Application(architecture, configuration, no_report).clean(args.no_build, args.no_cache, args.no_chroot,
+                                                                  args.no_manual, args.no_packages)

src/ahriman/application/handlers/dump.py

@@ -33,12 +33,14 @@ class Dump(Handler):
     _print = print
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
         dump = configuration.dump()
         for section, values in sorted(dump.items()):

src/ahriman/application/handlers/handler.py

@@ -27,17 +27,20 @@ from typing import Set, Type
 
 from ahriman.application.lock import Lock
 from ahriman.core.configuration import Configuration
-from ahriman.core.exceptions import MissingArchitecture
+from ahriman.core.exceptions import MissingArchitecture, MultipleArchitecture
 from ahriman.models.repository_paths import RepositoryPaths
 
 
 class Handler:
     """
     base handler class for command callbacks
+    :cvar ALLOW_MULTI_ARCHITECTURE_RUN: allow to run with multiple architectures
     """
 
+    ALLOW_MULTI_ARCHITECTURE_RUN = True
+
     @classmethod
-    def _call(cls: Type[Handler], args: argparse.Namespace, architecture: str) -> bool:
+    def call(cls: Type[Handler], args: argparse.Namespace, architecture: str) -> bool:
         """
         additional function to wrap all calls for multiprocessing library
         :param args: command line args
@@ -47,7 +50,7 @@ class Handler:
         try:
             configuration = Configuration.from_path(args.configuration, architecture, not args.no_log)
             with Lock(args, architecture, configuration):
-                cls.run(args, architecture, configuration)
+                cls.run(args, architecture, configuration, args.no_report)
             return True
         except Exception:
             logging.getLogger("root").exception("process exception")
@@ -61,9 +64,18 @@ class Handler:
         :return: 0 on success, 1 otherwise
         """
         architectures = cls.extract_architectures(args)
-        with Pool(len(architectures)) as pool:
-            result = pool.starmap(
-                cls._call, [(args, architecture) for architecture in architectures])
+
+        # actually we do not have to spawn another process if it is single-process application, do we?
+        if len(architectures) > 1:
+            if not cls.ALLOW_MULTI_ARCHITECTURE_RUN:
+                raise MultipleArchitecture(args.command)
+
+            with Pool(len(architectures)) as pool:
+                result = pool.starmap(
+                    cls.call, [(args, architecture) for architecture in architectures])
+        else:
+            result = [cls.call(args, architectures.pop())]
+
         return 0 if all(result) else 1
 
     @classmethod
@@ -80,7 +92,8 @@ class Handler:
 
         config = Configuration()
         config.load(args.configuration)
-        root = config.getpath("repository", "root")
+        # wtf???
+        root = config.getpath("repository", "root")  # pylint: disable=assignment-from-no-return
         architectures = RepositoryPaths.known_architectures(root)
 
         if not architectures:
@@ -88,11 +101,13 @@ class Handler:
         return architectures
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
         raise NotImplementedError

src/ahriman/application/handlers/init.py

@@ -32,11 +32,13 @@ class Init(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        Application(architecture, configuration).repository.repo.init()
+        Application(architecture, configuration, no_report).repository.repo.init()

src/ahriman/application/handlers/key_import.py

@@ -32,11 +32,13 @@ class KeyImport(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        Application(architecture, configuration).repository.sign.import_key(args.key_server, args.key)
+        Application(architecture, configuration, no_report).repository.sign.import_key(args.key_server, args.key)

src/ahriman/application/handlers/rebuild.py

@@ -32,16 +32,18 @@ class Rebuild(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
         depends_on = set(args.depends_on) if args.depends_on else None
 
-        application = Application(architecture, configuration)
+        application = Application(architecture, configuration, no_report)
         packages = [
             package
             for package in application.repository.packages()

src/ahriman/application/handlers/remove.py

@@ -32,11 +32,13 @@ class Remove(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        Application(architecture, configuration).remove(args.package)
+        Application(architecture, configuration, no_report).remove(args.package)

src/ahriman/application/handlers/remove_unknown.py

@@ -0,0 +1,61 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import argparse
+
+from typing import Type
+
+from ahriman.application.application import Application
+from ahriman.application.handlers.handler import Handler
+from ahriman.core.configuration import Configuration
+from ahriman.models.package import Package
+
+
+class RemoveUnknown(Handler):
+    """
+    remove unknown packages handler
+    """
+
+    @classmethod
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
+        """
+        callback for command line
+        :param args: command line args
+        :param architecture: repository architecture
+        :param configuration: configuration instance
+        :param no_report: force disable reporting
+        """
+        application = Application(architecture, configuration, no_report)
+        unknown_packages = application.unknown()
+        if args.dry_run:
+            for package in unknown_packages:
+                RemoveUnknown.log_fn(package)
+            return
+
+        application.remove(package.base for package in unknown_packages)
+
+    @staticmethod
+    def log_fn(package: Package) -> None:
+        """
+        log package information
+        :param package: package object to log
+        """
+        print(f"=> {package.base} {package.version}")
+        print(f"   {package.web_url}")

src/ahriman/application/handlers/report.py

@@ -32,11 +32,13 @@ class Report(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        Application(architecture, configuration).report(args.target, [])
+        Application(architecture, configuration, no_report).report(args.target, [])

src/ahriman/application/handlers/search.py

@@ -32,12 +32,14 @@ class Search(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
         search = " ".join(args.search)
         packages = aur.search(search)

src/ahriman/application/handlers/setup.py

@@ -18,7 +18,6 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 import argparse
-import configparser
 
 from pathlib import Path
 from typing import Type
@@ -44,14 +43,16 @@ class Setup(Handler):
     SUDOERS_PATH = Path("/etc/sudoers.d/ahriman")
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        application = Application(architecture, configuration)
+        application = Application(architecture, configuration, no_report)
         Setup.create_makepkg_configuration(args.packager, application.repository.paths)
         Setup.create_executable(args.build_command, architecture)
         Setup.create_devtools_configuration(args.build_command, architecture, args.from_configuration,
@@ -79,25 +80,20 @@ class Setup(Handler):
         :param repository: repository name
         :param include_path: path to directory with configuration includes
         """
-        configuration = configparser.ConfigParser()
+        configuration = Configuration()
 
         section = Configuration.section_name("build", architecture)
-        configuration.add_section(section)
-        configuration.set(section, "build_command", str(Setup.build_command(args.build_command, architecture)))
-
-        configuration.add_section("repository")
-        configuration.set("repository", "name", repository)
+        configuration.set_option(section, "build_command", str(Setup.build_command(args.build_command, architecture)))
+        configuration.set_option("repository", "name", repository)
 
         if args.sign_key is not None:
             section = Configuration.section_name("sign", architecture)
-            configuration.add_section(section)
-            configuration.set(section, "target", " ".join([target.name.lower() for target in args.sign_target]))
-            configuration.set(section, "key", args.sign_key)
+            configuration.set_option(section, "target", " ".join([target.name.lower() for target in args.sign_target]))
+            configuration.set_option(section, "key", args.sign_key)
 
         if args.web_port is not None:
             section = Configuration.section_name("web", architecture)
-            configuration.add_section(section)
-            configuration.set(section, "port", str(args.web_port))
+            configuration.set_option(section, "port", str(args.web_port))
 
         target = include_path / "setup-overrides.ini"
         with target.open("w") as ahriman_configuration:
@@ -115,7 +111,7 @@ class Setup(Handler):
         :param repository: repository name
         :param paths: repository paths instance
         """
-        configuration = configparser.ConfigParser()
+        configuration = Configuration()
         # preserve case
         # stupid mypy thinks that it is impossible
         configuration.optionxform = lambda key: key  # type: ignore
@@ -125,17 +121,15 @@ class Setup(Handler):
         configuration.read(source)
 
         # set our architecture now
-        configuration.set("options", "Architecture", architecture)
+        configuration.set_option("options", "Architecture", architecture)
 
         # add multilib
         if not no_multilib:
-            configuration.add_section("multilib")
-            configuration.set("multilib", "Include", str(Setup.MIRRORLIST_PATH))
+            configuration.set_option("multilib", "Include", str(Setup.MIRRORLIST_PATH))
 
         # add repository itself
-        configuration.add_section(repository)
-        configuration.set(repository, "SigLevel", "Optional TrustAll")  # we don't care
-        configuration.set(repository, "Server", f"file://{paths.repository}")
+        configuration.set_option(repository, "SigLevel", "Optional TrustAll")  # we don't care
+        configuration.set_option(repository, "Server", f"file://{paths.repository}")
 
         target = source.parent / f"pacman-{prefix}-{architecture}.conf"
         with target.open("w") as devtools_configuration:
@@ -158,7 +152,7 @@ class Setup(Handler):
         :param architecture: repository architecture
         """
         command = Setup.build_command(prefix, architecture)
-        Setup.SUDOERS_PATH.write_text(f"ahriman ALL=(ALL) NOPASSWD: {command} *\n")
+        Setup.SUDOERS_PATH.write_text(f"ahriman ALL=(ALL) NOPASSWD: {command} *\n", encoding="utf8")
         Setup.SUDOERS_PATH.chmod(0o400)  # security!
 
     @staticmethod

src/ahriman/application/handlers/sign.py

@@ -32,11 +32,13 @@ class Sign(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        Application(architecture, configuration).sign(args.package)
+        Application(architecture, configuration, no_report).sign(args.package)

src/ahriman/application/handlers/status.py

@@ -19,7 +19,7 @@
 #
 import argparse
 
-from typing import Iterable, Tuple, Type
+from typing import Callable, Iterable, Tuple, Type
 
 from ahriman.application.application import Application
 from ahriman.application.handlers.handler import Handler
@@ -34,25 +34,32 @@ class Status(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        application = Application(architecture, configuration)
+        # we are using reporter here
+        client = Application(architecture, configuration, no_report=False).repository.reporter
         if args.ahriman:
-            ahriman = application.repository.reporter.get_self()
+            ahriman = client.get_self()
             print(ahriman.pretty_print())
             print()
         if args.package:
             packages: Iterable[Tuple[Package, BuildStatus]] = sum(
-                [application.repository.reporter.get(base) for base in args.package],
+                [client.get(base) for base in args.package],
                 start=[])
         else:
-            packages = application.repository.reporter.get(None)
-        for package, package_status in sorted(packages, key=lambda item: item[0].base):
+            packages = client.get(None)
+
+        comparator: Callable[[Tuple[Package, BuildStatus]], str] = lambda item: item[0].base
+        filter_fn: Callable[[Tuple[Package, BuildStatus]], bool] =\
+            lambda item: args.status is None or item[1].status == args.status
+        for package, package_status in sorted(filter(filter_fn, packages), key=comparator):
             print(package.pretty_print())
             print(f"\t{package.version}")
             print(f"\t{package_status.pretty_print()}")

src/ahriman/application/handlers/status_update.py

@@ -24,6 +24,7 @@ from typing import Callable, Type
 from ahriman.application.application import Application
 from ahriman.application.handlers.handler import Handler
 from ahriman.core.configuration import Configuration
+from ahriman.core.exceptions import InvalidCommand
 
 
 class StatusUpdate(Handler):
@@ -32,19 +33,24 @@ class StatusUpdate(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        client = Application(architecture, configuration).repository.reporter
+        # we are using reporter here
+        client = Application(architecture, configuration, no_report=False).repository.reporter
         callback: Callable[[str], None] = lambda p: client.remove(p) if args.remove else client.update(p, args.status)
         if args.package:
             # update packages statuses
             for package in args.package:
                 callback(package)
+        elif args.remove:
+            raise InvalidCommand("Remove option is supplied, but no packages set")
         else:
             # update service status
             client.update_self(args.status)

src/ahriman/application/handlers/sync.py

@@ -32,11 +32,13 @@ class Sync(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        Application(architecture, configuration).sync(args.target, [])
+        Application(architecture, configuration, no_report).sync(args.target, [])

src/ahriman/application/handlers/update.py

@@ -32,14 +32,16 @@ class Update(Handler):
     """
 
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
-        application = Application(architecture, configuration)
+        application = Application(architecture, configuration, no_report)
         packages = application.get_updates(args.package, args.no_aur, args.no_manual, args.no_vcs,
                                            Update.log_fn(application, args.dry_run))
         if args.dry_run:

src/ahriman/application/handlers/user.py

@@ -0,0 +1,139 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import argparse
+import getpass
+
+from pathlib import Path
+from typing import Type
+
+from ahriman.application.application import Application
+from ahriman.application.handlers.handler import Handler
+from ahriman.core.configuration import Configuration
+from ahriman.models.user import User as MUser
+from ahriman.models.user_access import UserAccess
+
+
+class User(Handler):
+    """
+    user management handler
+    """
+
+    @classmethod
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
+        """
+        callback for command line
+        :param args: command line args
+        :param architecture: repository architecture
+        :param configuration: configuration instance
+        :param no_report: force disable reporting
+        """
+        salt = User.get_salt(configuration)
+        user = User.create_user(args)
+        auth_configuration = User.get_auth_configuration(configuration.include)
+
+        User.clear_user(auth_configuration, user)
+        if not args.remove:
+            User.create_configuration(auth_configuration, user, salt, args.as_service)
+        User.write_configuration(auth_configuration)
+
+        if not args.no_reload:
+            client = Application(architecture, configuration, no_report=False).repository.reporter
+            client.reload_auth()
+
+    @staticmethod
+    def clear_user(configuration: Configuration, user: MUser) -> None:
+        """
+        remove user user from configuration file in case if it exists
+        :param configuration: configuration instance
+        :param user: user descriptor
+        """
+        for role in UserAccess:
+            section = Configuration.section_name("auth", role.value)
+            if not configuration.has_option(section, user.username):
+                continue
+            configuration.remove_option(section, user.username)
+
+    @staticmethod
+    def create_configuration(configuration: Configuration, user: MUser, salt: str, as_service_user: bool) -> None:
+        """
+        put new user to configuration
+        :param configuration: configuration instance
+        :param user: user descriptor
+        :param salt: password hash salt
+        :param as_service_user: add user as service user, also set password and user to configuration
+        """
+        section = Configuration.section_name("auth", user.access.value)
+        configuration.set_option("auth", "salt", salt)
+        configuration.set_option(section, user.username, user.hash_password(salt))
+
+        if as_service_user:
+            configuration.set_option("web", "username", user.username)
+            configuration.set_option("web", "password", user.password)
+
+    @staticmethod
+    def create_user(args: argparse.Namespace) -> MUser:
+        """
+        create user descriptor from arguments
+        :param args: command line args
+        :return: built user descriptor
+        """
+        user = MUser(args.username, args.password, args.access)
+        if user.password is None:
+            user.password = getpass.getpass()
+        return user
+
+    @staticmethod
+    def get_auth_configuration(include_path: Path) -> Configuration:
+        """
+        create configuration instance
+        :param include_path: path to directory with configuration includes
+        :return: configuration instance. In case if there are local settings they will be loaded
+        """
+        target = include_path / "auth.ini"
+        configuration = Configuration()
+        configuration.load(target)
+
+        return configuration
+
+    @staticmethod
+    def get_salt(configuration: Configuration, salt_length: int = 20) -> str:
+        """
+        get salt from configuration or create new string
+        :param configuration: configuration instance
+        :param salt_length: salt length
+        :return: current salt
+        """
+        salt = configuration.get("auth", "salt", fallback=None)
+        if salt:
+            return salt
+        return MUser.generate_password(salt_length)
+
+    @staticmethod
+    def write_configuration(configuration: Configuration) -> None:
+        """
+        write configuration file
+        :param configuration: configuration instance
+        """
+        if configuration.path is None:
+            return  # should never happen actually
+        with configuration.path.open("w") as ahriman_configuration:
+            configuration.write(ahriman_configuration)
+        configuration.path.chmod(0o600)

src/ahriman/application/handlers/web.py

@@ -23,6 +23,7 @@ from typing import Type
 
 from ahriman.application.handlers.handler import Handler
 from ahriman.core.configuration import Configuration
+from ahriman.core.spawn import Spawn
 
 
 class Web(Handler):
@@ -30,14 +31,23 @@ class Web(Handler):
     web server handler
     """
 
+    ALLOW_MULTI_ARCHITECTURE_RUN = False  # required to be able to spawn external processes
+
     @classmethod
-    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str, configuration: Configuration) -> None:
+    def run(cls: Type[Handler], args: argparse.Namespace, architecture: str,
+            configuration: Configuration, no_report: bool) -> None:
         """
         callback for command line
         :param args: command line args
         :param architecture: repository architecture
         :param configuration: configuration instance
+        :param no_report: force disable reporting
         """
+        # we are using local import for optional dependencies
         from ahriman.web.web import run_server, setup_service
-        application = setup_service(architecture, configuration)
+
+        spawner = Spawn(args.parser(), architecture, configuration)
+        spawner.start()
+
+        application = setup_service(architecture, configuration, spawner)
         run_server(application)

src/ahriman/core/auth/__init__.py

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#

src/ahriman/core/auth/auth.py

@@ -0,0 +1,149 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from __future__ import annotations
+
+import logging
+
+from typing import Dict, Optional, Type
+
+from ahriman.core.configuration import Configuration
+from ahriman.core.exceptions import DuplicateUser
+from ahriman.models.auth_settings import AuthSettings
+from ahriman.models.user import User
+from ahriman.models.user_access import UserAccess
+
+
+class Auth:
+    """
+    helper to deal with user authorization
+    :ivar allowed_paths: URI paths which can be accessed without authorization
+    :ivar allowed_paths_groups: URI paths prefixes which can be accessed without authorization
+    :ivar enabled: indicates if authorization is enabled
+    :cvar ALLOWED_PATHS: URI paths which can be accessed without authorization, predefined
+    :cvar ALLOWED_PATHS_GROUPS: URI paths prefixes which can be accessed without authorization, predefined
+    """
+
+    ALLOWED_PATHS = {"/", "/index.html"}
+    ALLOWED_PATHS_GROUPS = {"/static", "/user-api"}
+
+    def __init__(self, configuration: Configuration, provider: AuthSettings = AuthSettings.Disabled) -> None:
+        """
+        default constructor
+        :param configuration: configuration instance
+        :param provider: authorization type definition
+        """
+        self.logger = logging.getLogger("http")
+
+        self.allow_read_only = configuration.getboolean("auth", "allow_read_only")
+        self.allowed_paths = set(configuration.getlist("auth", "allowed_paths", fallback=[]))
+        self.allowed_paths.update(self.ALLOWED_PATHS)
+        self.allowed_paths_groups = set(configuration.getlist("auth", "allowed_paths_groups", fallback=[]))
+        self.allowed_paths_groups.update(self.ALLOWED_PATHS_GROUPS)
+        self.enabled = provider.is_enabled
+        self.max_age = configuration.getint("auth", "max_age", fallback=7 * 24 * 3600)
+
+    @property
+    def auth_control(self) -> str:
+        """
+        This workaround is required to make different behaviour for login interface.
+        In case of internal authentication it must provide an interface (modal form) to login with button sends POST
+        request. But for an external providers behaviour can be different: e.g. OAuth provider requires sending GET
+        request to external resource
+        :return: login control as html code to insert
+        """
+        return """<button type="button" class="btn btn-link" data-bs-toggle="modal" data-bs-target="#loginForm" style="text-decoration: none">login</button>"""
+
+    @classmethod
+    def load(cls: Type[Auth], configuration: Configuration) -> Auth:
+        """
+        load authorization module from settings
+        :param configuration: configuration instance
+        :return: authorization module according to current settings
+        """
+        provider = AuthSettings.from_option(configuration.get("auth", "target", fallback="disabled"))
+        if provider == AuthSettings.Configuration:
+            from ahriman.core.auth.mapping import Mapping
+            return Mapping(configuration)
+        if provider == AuthSettings.OAuth:
+            from ahriman.core.auth.oauth import OAuth
+            return OAuth(configuration)
+        return cls(configuration)
+
+    @staticmethod
+    def get_users(configuration: Configuration) -> Dict[str, User]:
+        """
+        load users from settings
+        :param configuration: configuration instance
+        :return: map of username to its descriptor
+        """
+        users: Dict[str, User] = {}
+        for role in UserAccess:
+            section = configuration.section_name("auth", role.value)
+            if not configuration.has_section(section):
+                continue
+            for user, password in configuration[section].items():
+                normalized_user = user.lower()
+                if normalized_user in users:
+                    raise DuplicateUser(normalized_user)
+                users[normalized_user] = User(normalized_user, password, role)
+        return users
+
+    async def check_credentials(self, username: Optional[str], password: Optional[str]) -> bool:  # pylint: disable=no-self-use
+        """
+        validate user password
+        :param username: username
+        :param password: entered password
+        :return: True in case if password matches, False otherwise
+        """
+        del username, password
+        return True
+
+    async def is_safe_request(self, uri: Optional[str], required: UserAccess) -> bool:
+        """
+        check if requested path are allowed without authorization
+        :param uri: request uri
+        :param required: required access level
+        :return: True in case if this URI can be requested without authorization and False otherwise
+        """
+        if required == UserAccess.Read and self.allow_read_only:
+            return True  # in case if read right requested and allowed in options
+        if not uri:
+            return False  # request without context is not allowed
+        return uri in self.allowed_paths or any(uri.startswith(path) for path in self.allowed_paths_groups)
+
+    async def known_username(self, username: Optional[str]) -> bool:  # pylint: disable=no-self-use
+        """
+        check if user is known
+        :param username: username
+        :return: True in case if user is known and can be authorized and False otherwise
+        """
+        del username
+        return True
+
+    async def verify_access(self, username: str, required: UserAccess, context: Optional[str]) -> bool:  # pylint: disable=no-self-use
+        """
+        validate if user has access to requested resource
+        :param username: username
+        :param required: required access level
+        :param context: URI request path
+        :return: True in case if user is allowed to do this request and False otherwise
+        """
+        del username, required, context
+        return True

src/ahriman/core/auth/helpers.py

@@ -0,0 +1,70 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from typing import Any
+
+try:
+    import aiohttp_security  # type: ignore
+    _has_aiohttp_security = True
+except ImportError:
+    _has_aiohttp_security = False
+
+
+async def authorized_userid(*args: Any) -> Any:
+    """
+    handle aiohttp security methods
+    :param args: argument list as provided by authorized_userid function
+    :return: None in case if no aiohttp_security module found and function call otherwise
+    """
+    if _has_aiohttp_security:
+        return await aiohttp_security.authorized_userid(*args)  # pylint: disable=no-value-for-parameter
+    return None
+
+
+async def check_authorized(*args: Any) -> Any:
+    """
+    handle aiohttp security methods
+    :param args: argument list as provided by check_authorized function
+    :return: None in case if no aiohttp_security module found and function call otherwise
+    """
+    if _has_aiohttp_security:
+        return await aiohttp_security.check_authorized(*args)  # pylint: disable=no-value-for-parameter
+    return None
+
+
+async def forget(*args: Any) -> Any:
+    """
+    handle aiohttp security methods
+    :param args: argument list as provided by forget function
+    :return: None in case if no aiohttp_security module found and function call otherwise
+    """
+    if _has_aiohttp_security:
+        return await aiohttp_security.forget(*args)  # pylint: disable=no-value-for-parameter
+    return None
+
+
+async def remember(*args: Any) -> Any:
+    """
+    handle disabled auth
+    :param args: argument list as provided by remember function
+    :return: None in case if no aiohttp_security module found and function call otherwise
+    """
+    if _has_aiohttp_security:
+        return await aiohttp_security.remember(*args)  # pylint: disable=no-value-for-parameter
+    return None

src/ahriman/core/auth/mapping.py

@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from typing import Optional
+
+from ahriman.core.auth.auth import Auth
+from ahriman.core.configuration import Configuration
+from ahriman.models.auth_settings import AuthSettings
+from ahriman.models.user import User
+from ahriman.models.user_access import UserAccess
+
+
+class Mapping(Auth):
+    """
+    user authorization based on mapping from configuration file
+    :ivar salt: random generated string to salt passwords
+    :ivar _users: map of username to its descriptor
+    """
+
+    def __init__(self, configuration: Configuration, provider: AuthSettings = AuthSettings.Configuration) -> None:
+        """
+        default constructor
+        :param configuration: configuration instance
+        :param provider: authorization type definition
+        """
+        Auth.__init__(self, configuration, provider)
+        self.salt = configuration.get("auth", "salt")
+        self._users = self.get_users(configuration)
+
+    async def check_credentials(self, username: Optional[str], password: Optional[str]) -> bool:
+        """
+        validate user password
+        :param username: username
+        :param password: entered password
+        :return: True in case if password matches, False otherwise
+        """
+        if username is None or password is None:
+            return False  # invalid data supplied
+        user = self.get_user(username)
+        return user is not None and user.check_credentials(password, self.salt)
+
+    def get_user(self, username: str) -> Optional[User]:
+        """
+        retrieve user from in-memory mapping
+        :param username: username
+        :return: user descriptor if username is known and None otherwise
+        """
+        normalized_user = username.lower()
+        return self._users.get(normalized_user)
+
+    async def known_username(self, username: Optional[str]) -> bool:
+        """
+        check if user is known
+        :param username: username
+        :return: True in case if user is known and can be authorized and False otherwise
+        """
+        return username is not None and self.get_user(username) is not None
+
+    async def verify_access(self, username: str, required: UserAccess, context: Optional[str]) -> bool:
+        """
+        validate if user has access to requested resource
+        :param username: username
+        :param required: required access level
+        :param context: URI request path
+        :return: True in case if user is allowed to do this request and False otherwise
+        """
+        user = self.get_user(username)
+        return user is not None and user.verify_access(required)

src/ahriman/core/auth/oauth.py

@@ -0,0 +1,113 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import aioauth_client
+
+from typing import Optional, Type
+
+from ahriman.core.auth.mapping import Mapping
+from ahriman.core.configuration import Configuration
+from ahriman.core.exceptions import InvalidOption
+from ahriman.models.auth_settings import AuthSettings
+
+
+class OAuth(Mapping):
+    """
+    OAuth user authorization.
+    It is required to create application first and put application credentials.
+    :ivar client_id: application client id
+    :ivar client_secret: application client secret key
+    :ivar provider: provider class, should be one of aiohttp-client provided classes
+    :ivar redirect_uri: redirect URI registered in provider
+    :ivar scopes: list of scopes required by the application
+    """
+
+    def __init__(self, configuration: Configuration, provider: AuthSettings = AuthSettings.OAuth) -> None:
+        """
+        default constructor
+        :param configuration: configuration instance
+        :param provider: authorization type definition
+        """
+        Mapping.__init__(self, configuration, provider)
+        self.client_id = configuration.get("auth", "client_id")
+        self.client_secret = configuration.get("auth", "client_secret")
+        # in order to use OAuth feature the service must be publicity available
+        # thus we expect that address is set
+        self.redirect_uri = f"""{configuration.get("web", "address")}/user-api/v1/login"""
+        self.provider = self.get_provider(configuration.get("auth", "oauth_provider"))
+        # it is list but we will have to convert to string it anyway
+        self.scopes = configuration.get("auth", "oauth_scopes")
+
+    @property
+    def auth_control(self) -> str:
+        """
+        :return: login control as html code to insert
+        """
+        return """<a class="nav-link" href="/user-api/v1/login" title="login via OAuth2">login</a>"""
+
+    @staticmethod
+    def get_provider(name: str) -> Type[aioauth_client.OAuth2Client]:
+        """
+        load OAuth2 provider by name
+        :param name: name of the provider. Must be valid class defined in aioauth-client library
+        :return: loaded provider type
+        """
+        provider: Type[aioauth_client.OAuth2Client] = getattr(aioauth_client, name)
+        try:
+            is_oauth2_client = issubclass(provider, aioauth_client.OAuth2Client)
+        except TypeError:  # what if it is random string?
+            is_oauth2_client = False
+        if not is_oauth2_client:
+            raise InvalidOption(name)
+        return provider
+
+    def get_client(self) -> aioauth_client.OAuth2Client:
+        """
+        load client from parameters
+        :return: generated client according to current settings
+        """
+        return self.provider(client_id=self.client_id, client_secret=self.client_secret)
+
+    def get_oauth_url(self) -> str:
+        """
+        get authorization URI for the specified settings
+        :return: authorization URI as a string
+        """
+        client = self.get_client()
+        uri: str = client.get_authorize_url(scope=self.scopes, redirect_uri=self.redirect_uri)
+        return uri
+
+    async def get_oauth_username(self, code: str) -> Optional[str]:
+        """
+        extract OAuth username from remote
+        :param code: authorization code provided by external service
+        :return: username as is in OAuth provider
+        """
+        try:
+            client = self.get_client()
+            access_token, _ = await client.get_access_token(code, redirect_uri=self.redirect_uri)
+            client.access_token = access_token
+
+            print(f"HEEELOOOO {client}")
+            user, _ = await client.user_info()
+            username: str = user.email  # type: ignore
+            return username
+        except Exception:
+            self.logger.exception("got exception while performing request")
+            return None

src/ahriman/core/build_tools/task.py

@@ -53,10 +53,10 @@ class Task:
         self.package = package
         self.paths = paths
 
-        self.archbuild_flags = configuration.getlist("build", "archbuild_flags")
+        self.archbuild_flags = configuration.getlist("build", "archbuild_flags", fallback=[])
         self.build_command = configuration.get("build", "build_command")
-        self.makepkg_flags = configuration.getlist("build", "makepkg_flags")
-        self.makechrootpkg_flags = configuration.getlist("build", "makechrootpkg_flags")
+        self.makepkg_flags = configuration.getlist("build", "makepkg_flags", fallback=[])
+        self.makechrootpkg_flags = configuration.getlist("build", "makechrootpkg_flags", fallback=[])
 
     @property
     def cache_path(self) -> Path:

src/ahriman/core/configuration.py

@@ -24,12 +24,15 @@ import logging
 
 from logging.config import fileConfig
 from pathlib import Path
-from typing import Dict, List, Optional, Type
+from typing import Any, Dict, List, Optional, Type
+
+from ahriman.core.exceptions import InitializeException
 
 
 class Configuration(configparser.RawConfigParser):
     """
     extension for built-in configuration parser
+    :ivar architecture: repository architecture
     :ivar path: path to root configuration file
     :cvar ARCHITECTURE_SPECIFIC_SECTIONS: known sections which can be architecture specific (required by dump)
     :cvar DEFAULT_LOG_FORMAT: default log format (in case of fallback)
@@ -45,7 +48,11 @@ class Configuration(configparser.RawConfigParser):
         """
         default constructor. In the most cases must not be called directly
         """
-        configparser.RawConfigParser.__init__(self, allow_no_value=True)
+        configparser.RawConfigParser.__init__(self, allow_no_value=True, converters={
+            "list": lambda value: value.split(),
+            "path": self.__convert_path,
+        })
+        self.architecture: Optional[str] = None
         self.path: Optional[Path] = None
 
     @property
@@ -78,14 +85,25 @@ class Configuration(configparser.RawConfigParser):
         return config
 
     @staticmethod
-    def section_name(section: str, architecture: str) -> str:
+    def section_name(section: str, suffix: str) -> str:
         """
-        generate section name for architecture specific sections
+        generate section name for sections which depends on context
         :param section: section name
-        :param architecture: repository architecture
+        :param suffix: session suffix, e.g. repository architecture
         :return: correct section name for repository specific section
         """
-        return f"{section}:{architecture}"
+        return f"{section}:{suffix}"
+
+    def __convert_path(self, value: str) -> Path:
+        """
+        convert string value to path object
+        :param value: string configuration value
+        :return: path object which represents the configuration value
+        """
+        path = Path(value)
+        if self.path is None or path.is_absolute():
+            return path
+        return self.path.parent / path
 
     def dump(self) -> Dict[str, Dict[str, str]]:
         """
@@ -97,29 +115,11 @@ class Configuration(configparser.RawConfigParser):
             for section in self.sections()
         }
 
-    def getlist(self, section: str, key: str) -> List[str]:
-        """
-        get space separated string list option
-        :param section: section name
-        :param key: key name
-        :return: list of string if option is set, empty list otherwise
-        """
-        raw = self.get(section, key, fallback=None)
-        if not raw:  # empty string or none
-            return []
-        return raw.split()
+    # pylint and mypy are too stupid to find these methods
+    # pylint: disable=missing-function-docstring,multiple-statements,unused-argument,no-self-use
+    def getlist(self, *args: Any, **kwargs: Any) -> List[str]: ...
 
-    def getpath(self, section: str, key: str) -> Path:
-        """
-        helper to generate absolute configuration path for relative settings value
-        :param section: section name
-        :param key: key name
-        :return: absolute path according to current path configuration
-        """
-        value = Path(self.get(section, key))
-        if self.path is None or value.is_absolute():
-            return value
-        return self.path.parent / value
+    def getpath(self, *args: Any, **kwargs: Any) -> Path: ...
 
     def load(self, path: Path) -> None:
         """
@@ -169,19 +169,38 @@ class Configuration(configparser.RawConfigParser):
         merge architecture specific sections into main configuration
         :param architecture: repository architecture
         """
+        self.architecture = architecture
         for section in self.ARCHITECTURE_SPECIFIC_SECTIONS:
-            if not self.has_section(section):
-                self.add_section(section)  # add section if not exists
             # get overrides
             specific = self.section_name(section, architecture)
             if self.has_section(specific):
                 # if there is no such section it means that there is no overrides for this arch
                 # but we anyway will have to delete sections for others archs
                 for key, value in self[specific].items():
-                    self.set(section, key, value)
+                    self.set_option(section, key, value)
             # remove any arch specific section
             for foreign in self.sections():
                 # we would like to use lambda filter here, but pylint is too dumb
                 if not foreign.startswith(f"{section}:"):
                     continue
                 self.remove_section(foreign)
+
+    def reload(self) -> None:
+        """
+        reload configuration if possible or raise exception otherwise
+        """
+        if self.path is None or self.architecture is None:
+            raise InitializeException("Configuration path and/or architecture are not set")
+        self.load(self.path)
+        self.merge_sections(self.architecture)
+
+    def set_option(self, section: str, option: str, value: Optional[str]) -> None:
+        """
+        set option. Unlike default `configparser.RawConfigParser.set` it also creates section if it does not exist
+        :param section: section name
+        :param option: option name
+        :param value: option value as string in parsable format
+        """
+        if not self.has_section(section):
+            self.add_section(section)
+        self.set(section, option, value)

src/ahriman/core/exceptions.py

@@ -20,7 +20,7 @@
 from typing import Any
 
 
-class BuildFailed(Exception):
+class BuildFailed(RuntimeError):
     """
     base exception for failed builds
     """
@@ -30,10 +30,10 @@ class BuildFailed(Exception):
         default constructor
         :param package: package base raised exception
         """
-        Exception.__init__(self, f"Package {package} build failed, check logs for details")
+        RuntimeError.__init__(self, f"Package {package} build failed, check logs for details")
 
 
-class DuplicateRun(Exception):
+class DuplicateRun(RuntimeError):
     """
     exception which will be raised if there is another application instance
     """
@@ -42,22 +42,49 @@ class DuplicateRun(Exception):
         """
         default constructor
         """
-        Exception.__init__(self, "Another application instance is run")
+        RuntimeError.__init__(self, "Another application instance is run")
 
 
-class InitializeException(Exception):
+class DuplicateUser(ValueError):
+    """
+    exception which will be thrown in case if there are two users with different settings
+    """
+
+    def __init__(self, username: str) -> None:
+        """
+        default constructor
+        :param username: username with duplicates
+        """
+        ValueError.__init__(self, f"Found duplicate user with username {username}")
+
+
+class InitializeException(RuntimeError):
     """
     base service initialization exception
     """
 
-    def __init__(self) -> None:
+    def __init__(self, details: str) -> None:
         """
         default constructor
+        :param details: details of the exception
         """
-        Exception.__init__(self, "Could not load service")
+        RuntimeError.__init__(self, f"Could not load service: {details}")
 
 
-class InvalidOption(Exception):
+class InvalidCommand(ValueError):
+    """
+    exception raised on invalid command line options
+    """
+
+    def __init__(self, details: Any) -> None:
+        """
+        default constructor
+        :param details" error details
+        """
+        ValueError.__init__(self, details)
+
+
+class InvalidOption(ValueError):
     """
     exception which will be raised on configuration errors
     """
@@ -67,10 +94,10 @@ class InvalidOption(Exception):
         default constructor
         :param value: option value
         """
-        Exception.__init__(self, f"Invalid or unknown option value `{value}`")
+        ValueError.__init__(self, f"Invalid or unknown option value `{value}`")
 
 
-class InvalidPackageInfo(Exception):
+class InvalidPackageInfo(RuntimeError):
     """
     exception which will be raised on package load errors
     """
@@ -80,10 +107,10 @@ class InvalidPackageInfo(Exception):
         default constructor
         :param details: error details
         """
-        Exception.__init__(self, f"There are errors during reading package information: `{details}`")
+        RuntimeError.__init__(self, f"There are errors during reading package information: `{details}`")
 
 
-class MissingArchitecture(Exception):
+class MissingArchitecture(ValueError):
     """
     exception which will be raised if architecture is required, but missing
     """
@@ -93,10 +120,23 @@ class MissingArchitecture(Exception):
         default constructor
         :param command: command name which throws exception
         """
-        Exception.__init__(self, f"Architecture required for subcommand {command}, but missing")
+        ValueError.__init__(self, f"Architecture required for subcommand {command}, but missing")
 
 
-class ReportFailed(Exception):
+class MultipleArchitecture(ValueError):
+    """
+    exception which will be raised if multiple architectures are not supported by the handler
+    """
+
+    def __init__(self, command: str) -> None:
+        """
+        default constructor
+        :param command: command name which throws exception
+        """
+        ValueError.__init__(self, f"Multiple architectures are not supported by subcommand {command}")
+
+
+class ReportFailed(RuntimeError):
     """
     report generation exception
     """
@@ -105,10 +145,10 @@ class ReportFailed(Exception):
         """
         default constructor
         """
-        Exception.__init__(self, "Report failed")
+        RuntimeError.__init__(self, "Report failed")
 
 
-class SyncFailed(Exception):
+class SyncFailed(RuntimeError):
     """
     remote synchronization exception
     """
@@ -117,19 +157,19 @@ class SyncFailed(Exception):
         """
         default constructor
         """
-        Exception.__init__(self, "Sync failed")
+        RuntimeError.__init__(self, "Sync failed")
 
 
-class UnknownPackage(Exception):
+class UnknownPackage(ValueError):
     """
     exception for status watcher which will be thrown on unknown package
     """
 
     def __init__(self, base: str) -> None:
-        Exception.__init__(self, f"Package base {base} is unknown")
+        ValueError.__init__(self, f"Package base {base} is unknown")
 
 
-class UnsafeRun(Exception):
+class UnsafeRun(RuntimeError):
     """
     exception which will be raised in case if user is not owner of repository
     """
@@ -138,7 +178,7 @@ class UnsafeRun(Exception):
         """
         default constructor
         """
-        Exception.__init__(
+        RuntimeError.__init__(
             self,
             f"""Current UID {current_uid} differs from root owner {root_uid}.
 Note that for the most actions it is unsafe to run application as different user.

src/ahriman/core/report/email.py

@@ -54,6 +54,9 @@ class Email(Report, JinjaTemplate):
         Report.__init__(self, architecture, configuration)
         JinjaTemplate.__init__(self, "email", configuration)
 
+        self.full_template_path = configuration.getpath("email", "full_template_path", fallback=None)
+        self.template_path = configuration.getpath("email", "template_path")
+
         # base smtp settings
         self.host = configuration.get("email", "host")
         self.no_empty_report = configuration.getboolean("email", "no_empty_report", fallback=True)
@@ -100,6 +103,9 @@ class Email(Report, JinjaTemplate):
         """
         if self.no_empty_report and not built_packages:
             return
-        text = self.make_html(built_packages, False)
-        attachments = {"index.html": self.make_html(packages, True)}
+        text = self.make_html(built_packages, self.template_path)
+        if self.full_template_path is not None:
+            attachments = {"index.html": self.make_html(packages, self.full_template_path)}
+        else:
+            attachments = {}
         self._send(text, attachments)

src/ahriman/core/report/html.py

@@ -41,6 +41,7 @@ class HTML(Report, JinjaTemplate):
         JinjaTemplate.__init__(self, "html", configuration)
 
         self.report_path = configuration.getpath("html", "path")
+        self.template_path = configuration.getpath("html", "template_path")
 
     def generate(self, packages: Iterable[Package], built_packages: Iterable[Package]) -> None:
         """
@@ -48,5 +49,5 @@ class HTML(Report, JinjaTemplate):
         :param packages: list of packages to generate report
         :param built_packages: list of packages which has just been built
         """
-        html = self.make_html(packages, True)
+        html = self.make_html(packages, self.template_path)
         self.report_path.write_text(html)

src/ahriman/core/report/jinja_template.py

@@ -19,6 +19,7 @@
 #
 import jinja2
 
+from pathlib import Path
 from typing import Callable, Dict, Iterable
 
 from ahriman.core.configuration import Configuration
@@ -59,7 +60,6 @@ class JinjaTemplate:
     :ivar name: repository name
     :ivar default_pgp_key: default PGP key
     :ivar sign_targets: targets to sign enabled in configuration
-    :ivar template_path: path to directory with jinja templates
     """
 
     def __init__(self, section: str, configuration: Configuration) -> None:
@@ -69,7 +69,6 @@ class JinjaTemplate:
         :param configuration: configuration instance
         """
         self.link_path = configuration.get(section, "link_path")
-        self.template_path = configuration.getpath(section, "template_path")
 
         # base template vars
         self.homepage = configuration.get(section, "homepage", fallback=None)
@@ -77,16 +76,16 @@ class JinjaTemplate:
 
         self.sign_targets, self.default_pgp_key = GPG.sign_options(configuration)
 
-    def make_html(self, packages: Iterable[Package], extended_report: bool) -> str:
+    def make_html(self, packages: Iterable[Package], template_path: Path) -> str:
         """
         generate report for the specified packages
         :param packages: list of packages to generate report
-        :param extended_report: include additional blocks to the report
+        :param template_path: path to jinja template
         """
         # idea comes from https://stackoverflow.com/a/38642558
-        loader = jinja2.FileSystemLoader(searchpath=self.template_path.parent)
+        loader = jinja2.FileSystemLoader(searchpath=template_path.parent)
         environment = jinja2.Environment(loader=loader, autoescape=True)
-        template = environment.get_template(self.template_path.name)
+        template = environment.get_template(template_path.name)
 
         content = [
             {
@@ -107,7 +106,6 @@ class JinjaTemplate:
         comparator: Callable[[Dict[str, str]], str] = lambda item: item["filename"]
 
         return template.render(
-            extended_report=extended_report,
             homepage=self.homepage,
             link_path=self.link_path,
             has_package_signed=SignSettings.Packages in self.sign_targets,

src/ahriman/core/repository/executor.py

@@ -94,7 +94,7 @@ class Executor(Cleaner):
                     if package in requested and properties.filename is not None
                 }
             else:
-                to_remove = dict()
+                to_remove = {}
             for package, filename in to_remove.items():
                 remove_single(package, filename)
 

src/ahriman/core/repository/properties.py

@@ -43,7 +43,13 @@ class Properties:
     :ivar sign: GPG wrapper instance
     """
 
-    def __init__(self, architecture: str, configuration: Configuration) -> None:
+    def __init__(self, architecture: str, configuration: Configuration, no_report: bool) -> None:
+        """
+        default constructor
+        :param architecture: repository architecture
+        :param configuration: configuration instance
+        :param no_report: force disable reporting
+        """
         self.logger = logging.getLogger("builder")
         self.architecture = architecture
         self.configuration = configuration
@@ -54,8 +60,8 @@ class Properties:
         self.paths = RepositoryPaths(configuration.getpath("repository", "root"), architecture)
         self.paths.create_tree()
 
-        self.ignore_list = configuration.getlist("build", "ignore_packages")
+        self.ignore_list = configuration.getlist("build", "ignore_packages", fallback=[])
         self.pacman = Pacman(configuration)
         self.sign = GPG(architecture, configuration)
         self.repo = Repo(self.name, self.paths, self.sign.repository_sign_args)
-        self.reporter = Client.load(configuration)
+        self.reporter = Client() if no_report else Client.load(configuration)

src/ahriman/core/spawn.py

@@ -0,0 +1,137 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from __future__ import annotations
+
+import argparse
+import logging
+import uuid
+
+from multiprocessing import Process, Queue
+from threading import Lock, Thread
+from typing import Callable, Dict, Iterable, Tuple
+
+from ahriman.core.configuration import Configuration
+
+
+class Spawn(Thread):
+    """
+    helper to spawn external ahriman process
+    MUST NOT be used directly, the only one usage allowed is to spawn process from web services
+    :ivar active: map of active child processes required to avoid zombies
+    :ivar architecture: repository architecture
+    :ivar configuration: configuration instance
+    :ivar logger: spawner logger
+    :ivar queue: multiprocessing queue to read updates from processes
+    """
+
+    def __init__(self, args_parser: argparse.ArgumentParser, architecture: str, configuration: Configuration) -> None:
+        """
+        default constructor
+        :param args_parser: command line parser for the application
+        :param architecture: repository architecture
+        :param configuration: configuration instance
+        """
+        Thread.__init__(self, name="spawn")
+        self.architecture = architecture
+        self.args_parser = args_parser
+        self.configuration = configuration
+        self.logger = logging.getLogger("http")
+
+        self.lock = Lock()
+        self.active: Dict[str, Process] = {}
+        # stupid pylint does not know that it is possible
+        self.queue: Queue[Tuple[str, bool]] = Queue()  # pylint: disable=unsubscriptable-object
+
+    @staticmethod
+    def process(callback: Callable[[argparse.Namespace, str], bool], args: argparse.Namespace, architecture: str,
+                process_id: str, queue: Queue[Tuple[str, bool]]) -> None:  # pylint: disable=unsubscriptable-object
+        """
+        helper to run external process
+        :param callback: application run function (i.e. Handler.run method)
+        :param args: command line arguments
+        :param architecture: repository architecture
+        :param process_id: process unique identifier
+        :param queue: output queue
+        """
+        result = callback(args, architecture)
+        queue.put((process_id, result))
+
+    def packages_add(self, packages: Iterable[str], now: bool) -> None:
+        """
+        add packages
+        :param packages: packages list to add
+        :param now: build packages now
+        """
+        kwargs = {"now": ""} if now else {}
+        self.spawn_process("add", *packages, **kwargs)
+
+    def packages_remove(self, packages: Iterable[str]) -> None:
+        """
+        remove packages
+        :param packages: packages list to remove
+        """
+        self.spawn_process("remove", *packages)
+
+    def spawn_process(self, command: str, *args: str, **kwargs: str) -> None:
+        """
+        spawn external ahriman process with supplied arguments
+        :param command: subcommand to run
+        :param args: positional command arguments
+        :param kwargs: named command arguments
+        """
+        # default arguments
+        arguments = ["--architecture", self.architecture]
+        if self.configuration.path is not None:
+            arguments.extend(["--configuration", str(self.configuration.path)])
+        # positional command arguments
+        arguments.append(command)
+        arguments.extend(args)
+        # named command arguments
+        for argument, value in kwargs.items():
+            arguments.append(f"--{argument}")
+            if value:
+                arguments.append(value)
+
+        process_id = str(uuid.uuid4())
+        self.logger.info("full command line arguments of %s are %s", process_id, arguments)
+        parsed = self.args_parser.parse_args(arguments)
+
+        callback = parsed.handler.call
+        process = Process(target=self.process,
+                          args=(callback, parsed, self.architecture, process_id, self.queue),
+                          daemon=True)
+        process.start()
+
+        with self.lock:
+            self.active[process_id] = process
+
+    def run(self) -> None:
+        """
+        thread run method
+        """
+        for process_id, status in iter(self.queue.get, None):
+            self.logger.info("process %s has been terminated with status %s", process_id, status)
+
+            with self.lock:
+                process = self.active.pop(process_id, None)
+
+            if process is not None:
+                process.terminate()  # make sure lol
+                process.join()

src/ahriman/core/status/client.py

@@ -39,11 +39,12 @@ class Client:
         :param configuration: configuration instance
         :return: client according to current settings
         """
+        address = configuration.get("web", "address", fallback=None)
         host = configuration.get("web", "host", fallback=None)
         port = configuration.getint("web", "port", fallback=None)
-        if host is not None and port is not None:
+        if address or (host and port):
             from ahriman.core.status.web_client import WebClient
-            return WebClient(host, port)
+            return WebClient(configuration)
         return cls()
 
     def add(self, package: Package, status: BuildStatusEnum) -> None:
@@ -76,6 +77,11 @@ class Client:
         """
         return BuildStatus()
 
+    def reload_auth(self) -> None:
+        """
+        reload authentication module call
+        """
+
     def remove(self, base: str) -> None:
         """
         remove packages from watcher

src/ahriman/core/status/watcher.py

@@ -49,7 +49,7 @@ class Watcher:
         self.logger = logging.getLogger("http")
 
         self.architecture = architecture
-        self.repository = Repository(architecture, configuration)
+        self.repository = Repository(architecture, configuration, no_report=True)
 
         self.known: Dict[str, Tuple[Package, BuildStatus]] = {}
         self.status = BuildStatus()

src/ahriman/core/status/web_client.py

@@ -22,37 +22,99 @@ import requests
 
 from typing import List, Optional, Tuple
 
+from ahriman.core.configuration import Configuration
 from ahriman.core.status.client import Client
 from ahriman.core.util import exception_response_text
 from ahriman.models.build_status import BuildStatusEnum, BuildStatus
 from ahriman.models.internal_status import InternalStatus
 from ahriman.models.package import Package
+from ahriman.models.user import User
 
 
 class WebClient(Client):
     """
     build status reporter web client
-    :ivar host: host of web service
+    :ivar address: address of the web service
     :ivar logger: class logger
-    :ivar port: port of web service
+    :ivar user: web service user descriptor
     """
 
-    def __init__(self, host: str, port: int) -> None:
+    def __init__(self, configuration: Configuration) -> None:
         """
         default constructor
-        :param host: host of web service
-        :param port: port of web service
+        :param configuration: configuration instance
         """
         self.logger = logging.getLogger("http")
-        self.host = host
-        self.port = port
+        self.address = self.parse_address(configuration)
+        self.user = User.from_option(
+            configuration.get("web", "username", fallback=None),
+            configuration.get("web", "password", fallback=None))
 
+        self.__session = requests.session()
+        self._login()
+
+    @property
     def _ahriman_url(self) -> str:
         """
-        url generator
         :return: full url for web service for ahriman service itself
         """
-        return f"http://{self.host}:{self.port}/api/v1/ahriman"
+        return f"{self.address}/status-api/v1/ahriman"
+
+    @property
+    def _login_url(self) -> str:
+        """
+        :return: full url for web service to login
+        """
+        return f"{self.address}/user-api/v1/login"
+
+    @property
+    def _reload_auth_url(self) -> str:
+        """
+        :return: full url for web service to reload authentication module
+        """
+        return f"{self.address}/service-api/v1/reload-auth"
+
+    @property
+    def _status_url(self) -> str:
+        """
+        :return: full url for web service for status
+        """
+        return f"{self.address}/status-api/v1/status"
+
+    @staticmethod
+    def parse_address(configuration: Configuration) -> str:
+        """
+        parse address from configuration
+        :param configuration: configuration instance
+        :return: valid http address
+        """
+        address = configuration.get("web", "address", fallback=None)
+        if not address:
+            # build address from host and port directly
+            host = configuration.get("web", "host")
+            port = configuration.getint("web", "port")
+            address = f"http://{host}:{port}"
+        return address
+
+    def _login(self) -> None:
+        """
+        process login to the service
+        """
+        if self.user is None:
+            return  # no auth configured
+
+        payload = {
+            "username": self.user.username,
+            "password": self.user.password
+        }
+
+        try:
+            response = self.__session.post(self._login_url, json=payload)
+            response.raise_for_status()
+        except requests.exceptions.HTTPError as e:
+            self.logger.exception("could not login as %s: %s", self.user, exception_response_text(e))
+        except Exception:
+            self.logger.exception("could not login as %s", self.user)
 
     def _package_url(self, base: str = "") -> str:
         """
@@ -60,14 +122,7 @@ class WebClient(Client):
         :param base: package base to generate url
         :return: full url of web service for specific package base
         """
-        return f"http://{self.host}:{self.port}/api/v1/packages/{base}"
-
-    def _status_url(self) -> str:
-        """
-        url generator
-        :return: full url for web service for status
-        """
-        return f"http://{self.host}:{self.port}/api/v1/status"
+        return f"{self.address}/status-api/v1/packages/{base}"
 
     def add(self, package: Package, status: BuildStatusEnum) -> None:
         """
@@ -81,7 +136,7 @@ class WebClient(Client):
         }
 
         try:
-            response = requests.post(self._package_url(package.base), json=payload)
+            response = self.__session.post(self._package_url(package.base), json=payload)
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             self.logger.exception("could not add %s: %s", package.base, exception_response_text(e))
@@ -95,7 +150,7 @@ class WebClient(Client):
         :return: list of current package description and status if it has been found
         """
         try:
-            response = requests.get(self._package_url(base or ""))
+            response = self.__session.get(self._package_url(base or ""))
             response.raise_for_status()
 
             status_json = response.json()
@@ -115,7 +170,7 @@ class WebClient(Client):
         :return: current internal (web) service status
         """
         try:
-            response = requests.get(self._status_url())
+            response = self.__session.get(self._status_url)
             response.raise_for_status()
 
             status_json = response.json()
@@ -132,7 +187,7 @@ class WebClient(Client):
         :return: current ahriman status
         """
         try:
-            response = requests.get(self._ahriman_url())
+            response = self.__session.get(self._ahriman_url)
             response.raise_for_status()
 
             status_json = response.json()
@@ -143,13 +198,25 @@ class WebClient(Client):
             self.logger.exception("could not get service status")
         return BuildStatus()
 
+    def reload_auth(self) -> None:
+        """
+        reload authentication module call
+        """
+        try:
+            response = self.__session.post(self._reload_auth_url)
+            response.raise_for_status()
+        except requests.exceptions.HTTPError as e:
+            self.logger.exception("could not reload auth module: %s", exception_response_text(e))
+        except Exception:
+            self.logger.exception("could not reload auth module")
+
     def remove(self, base: str) -> None:
         """
         remove packages from watcher
         :param base: basename to remove
         """
         try:
-            response = requests.delete(self._package_url(base))
+            response = self.__session.delete(self._package_url(base))
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             self.logger.exception("could not delete %s: %s", base, exception_response_text(e))
@@ -165,7 +232,7 @@ class WebClient(Client):
         payload = {"status": status.value}
 
         try:
-            response = requests.post(self._package_url(base), json=payload)
+            response = self.__session.post(self._package_url(base), json=payload)
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             self.logger.exception("could not update %s: %s", base, exception_response_text(e))
@@ -180,7 +247,7 @@ class WebClient(Client):
         payload = {"status": status.value}
 
         try:
-            response = requests.post(self._ahriman_url(), json=payload)
+            response = self.__session.post(self._ahriman_url, json=payload)
             response.raise_for_status()
         except requests.exceptions.HTTPError as e:
             self.logger.exception("could not update service status: %s", exception_response_text(e))

src/ahriman/core/upload/s3.py

@@ -148,6 +148,6 @@ class S3(Upload):
             local_path = path / local_file
             remote_path = Path(self.architecture) / local_file
             (mime, _) = mimetypes.guess_type(local_path)
-            extra_args = {"Content-Type": mime} if mime is not None else None
+            extra_args = {"ContentType": mime} if mime is not None else None
 
             self.bucket.upload_file(Filename=str(local_path), Key=str(remote_path), ExtraArgs=extra_args)

src/ahriman/core/util.py

@@ -46,12 +46,12 @@ def check_output(*args: str, exception: Optional[Exception], cwd: Optional[Path]
         if logger is not None:
             for line in result.splitlines():
                 logger.debug(line)
+        return result
     except subprocess.CalledProcessError as e:
         if e.output is not None and logger is not None:
             for line in e.output.splitlines():
                 logger.debug(line)
         raise exception or e
-    return result
 
 
 def exception_response_text(exception: requests.exceptions.HTTPError) -> str:

src/ahriman/models/auth_settings.py

@@ -0,0 +1,62 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from __future__ import annotations
+
+from enum import Enum, auto
+from typing import Type
+
+from ahriman.core.exceptions import InvalidOption
+
+
+class AuthSettings(Enum):
+    """
+    web authorization type
+    :cvar Disabled: authorization is disabled
+    :cvar Configuration: configuration based authorization
+    :cvar OAuth: OAuth based provider
+    """
+
+    Disabled = auto()
+    Configuration = auto()
+    OAuth = auto()
+
+    @classmethod
+    def from_option(cls: Type[AuthSettings], value: str) -> AuthSettings:
+        """
+        construct value from configuration
+        :param value: configuration value
+        :return: parsed value
+        """
+        if value.lower() in ("disabled", "no"):
+            return cls.Disabled
+        if value.lower() in ("configuration", "mapping"):
+            return cls.Configuration
+        if value.lower() in ('oauth', 'oauth2'):
+            return cls.OAuth
+        raise InvalidOption(value)
+
+    @property
+    def is_enabled(self) -> bool:
+        """
+        :return: False in case if authorization is disabled and True otherwise
+        """
+        if self == AuthSettings.Disabled:
+            return False
+        return True

src/ahriman/models/build_status.py

@@ -58,6 +58,21 @@ class BuildStatusEnum(Enum):
             return "success"
         return "inactive"
 
+    def bootstrap_color(self) -> str:
+        """
+        converts itself to bootstrap color
+        :return: bootstrap color
+        """
+        if self == BuildStatusEnum.Pending:
+            return "warning"
+        if self == BuildStatusEnum.Building:
+            return "warning"
+        if self == BuildStatusEnum.Failed:
+            return "danger"
+        if self == BuildStatusEnum.Success:
+            return "success"
+        return "secondary"
+
 
 class BuildStatus:
     """

src/ahriman/models/counters.py

@@ -37,6 +37,7 @@ class Counters:
     :ivar failed: packages in failed status count
     :ivar success: packages in success status count
     """
+
     total: int
     unknown: int = 0
     pending: int = 0

src/ahriman/models/internal_status.py

@@ -34,6 +34,7 @@ class InternalStatus:
     :ivar repository: repository name
     :ivar version: service version
     """
+
     architecture: Optional[str] = None
     packages: Counters = field(default=Counters(total=0))
     repository: Optional[str] = None

src/ahriman/models/package.py

@@ -216,7 +216,7 @@ class Package:
         generate full version from components
         :param epoch: package epoch if any
         :param pkgver: package version
-        :param pkgrel: package release version (archlinux specific)
+        :param pkgrel: package release version (arch linux specific)
         :return: generated version
         """
         prefix = f"{epoch}:" if epoch else ""

src/ahriman/models/user.py

@@ -0,0 +1,110 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Optional, Type
+from passlib.pwd import genword as generate_password  # type: ignore
+from passlib.handlers.sha2_crypt import sha512_crypt  # type: ignore
+
+from ahriman.models.user_access import UserAccess
+
+
+@dataclass
+class User:
+    """
+    authorized web user model
+    :ivar username: username
+    :ivar password: hashed user password with salt
+    :ivar access: user role
+    """
+
+    username: str
+    password: str
+    access: UserAccess
+
+    _HASHER = sha512_crypt
+
+    @classmethod
+    def from_option(cls: Type[User], username: Optional[str], password: Optional[str],
+                    access: UserAccess = UserAccess.Read) -> Optional[User]:
+        """
+        build user descriptor from configuration options
+        :param username: username
+        :param password: password as string
+        :param access: optional user access
+        :return: generated user descriptor if all options are supplied and None otherwise
+        """
+        if username is None or password is None:
+            return None
+        return cls(username, password, access)
+
+    @staticmethod
+    def generate_password(length: int) -> str:
+        """
+        generate password with specified length
+        :param length: password length
+        :return: random string which contains letters and numbers
+        """
+        password: str = generate_password(length=length)
+        return password
+
+    def check_credentials(self, password: str, salt: str) -> bool:
+        """
+        validate user password
+        :param password: entered password
+        :param salt: salt for hashed password
+        :return: True in case if password matches, False otherwise
+        """
+        try:
+            verified: bool = self._HASHER.verify(password + salt, self.password)
+        except ValueError:
+            verified = False  # the absence of evidence is not the evidence of absence (c) Gin Rummy
+        return verified
+
+    def hash_password(self, salt: str) -> str:
+        """
+        generate hashed password from plain text
+        :param salt: salt for hashed password
+        :return: hashed string to store in configuration
+        """
+        if not self.password:
+            # in case of empty password we leave it empty. This feature is used by any external (like OAuth) provider
+            # when we do not store any password here
+            return ""
+        password_hash: str = self._HASHER.hash(self.password + salt)
+        return password_hash
+
+    def verify_access(self, required: UserAccess) -> bool:
+        """
+        validate if user has access to requested resource
+        :param required: required access level
+        :return: True in case if user is allowed to do this request and False otherwise
+        """
+        if self.access == UserAccess.Write:
+            return True  # everything is allowed
+        return self.access == required
+
+    def __repr__(self) -> str:
+        """
+        generate string representation of object
+        :return: unique string representation
+        """
+        return f"User(username={self.username}, access={self.access})"

src/ahriman/models/user_access.py

@@ -0,0 +1,31 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from enum import Enum
+
+
+class UserAccess(Enum):
+    """
+    web user access enumeration
+    :cvar Read: user can read status page
+    :cvar Write: user can modify task and package list
+    """
+
+    Read = "read"
+    Write = "write"

src/ahriman/models/user_identity.py

@@ -0,0 +1,84 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from __future__ import annotations
+
+import time
+
+from dataclasses import dataclass
+from typing import Optional, Type
+
+
+@dataclass
+class UserIdentity:
+    """
+    user identity used inside web service
+    :ivar username: username
+    :ivar expire_at: identity expiration timestamp
+    """
+
+    username: str
+    expire_at: int
+
+    @classmethod
+    def from_identity(cls: Type[UserIdentity], identity: str) -> Optional[UserIdentity]:
+        """
+        parse identity into object
+        :param identity: identity from session data
+        :return: user identity object if it can be parsed and not expired and None otherwise
+        """
+        try:
+            username, expire_at = identity.split()
+            user = cls(username, int(expire_at))
+            return None if user.is_expired() else user
+        except ValueError:
+            return None
+
+    @classmethod
+    def from_username(cls: Type[UserIdentity], username: Optional[str], max_age: int) -> Optional[UserIdentity]:
+        """
+        generate identity from username
+        :param username: username
+        :param max_age: time to expire, seconds
+        :return: constructed identity object
+        """
+        return cls(username, cls.expire_when(max_age)) if username is not None else None
+
+    @staticmethod
+    def expire_when(max_age: int) -> int:
+        """
+        generate expiration time using delta
+        :param max_age: time delta to generate. Must be usually TTE
+        :return: expiration timestamp
+        """
+        return int(time.time()) + max_age
+
+    def is_expired(self) -> bool:
+        """
+        compare timestamp with current timestamp and return True in case if identity is expired
+        :return: True in case if identity is expired and False otherwise
+        """
+        return self.expire_when(0) > self.expire_at
+
+    def to_identity(self) -> str:
+        """
+        convert object to identity representation
+        :return: web service identity
+        """
+        return f"{self.username} {self.expire_at}"

src/ahriman/version.py

@@ -17,4 +17,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-__version__ = "1.2.5"
+__version__ = "1.3.0"

src/ahriman/web/middlewares/__init__.py

@@ -17,3 +17,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
+from aiohttp.web import Request
+from aiohttp.web_response import StreamResponse
+from typing import Awaitable, Callable
+
+
+HandlerType = Callable[[Request], Awaitable[StreamResponse]]
+MiddlewareType = Callable[[Request, HandlerType], Awaitable[StreamResponse]]

src/ahriman/web/middlewares/auth_handler.py

@@ -0,0 +1,114 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import aiohttp_security  # type: ignore
+import base64
+
+from aiohttp import web
+from aiohttp.web import middleware, Request
+from aiohttp.web_response import StreamResponse
+from aiohttp_session import setup as setup_session  # type: ignore
+from aiohttp_session.cookie_storage import EncryptedCookieStorage  # type: ignore
+from cryptography import fernet
+from typing import Optional
+
+from ahriman.core.auth.auth import Auth
+from ahriman.models.user_access import UserAccess
+from ahriman.models.user_identity import UserIdentity
+from ahriman.web.middlewares import HandlerType, MiddlewareType
+
+
+class AuthorizationPolicy(aiohttp_security.AbstractAuthorizationPolicy):  # type: ignore
+    """
+    authorization policy implementation
+    :ivar validator: validator instance
+    """
+
+    def __init__(self, validator: Auth) -> None:
+        """
+        default constructor
+        :param validator: authorization module instance
+        """
+        self.validator = validator
+
+    async def authorized_userid(self, identity: str) -> Optional[str]:
+        """
+        retrieve authenticated username
+        :param identity: username
+        :return: user identity (username) in case if user exists and None otherwise
+        """
+        user = UserIdentity.from_identity(identity)
+        if user is None:
+            return None
+        return user.username if await self.validator.known_username(user.username) else None
+
+    async def permits(self, identity: str, permission: UserAccess, context: Optional[str] = None) -> bool:
+        """
+        check user permissions
+        :param identity: username
+        :param permission: requested permission level
+        :param context: URI request path
+        :return: True in case if user is allowed to perform this request and False otherwise
+        """
+        user = UserIdentity.from_identity(identity)
+        if user is None:
+            return False
+        return await self.validator.verify_access(user.username, permission, context)
+
+
+def auth_handler(validator: Auth) -> MiddlewareType:
+    """
+    authorization and authentication middleware
+    :param validator: authorization module instance
+    :return: built middleware
+    """
+    @middleware
+    async def handle(request: Request, handler: HandlerType) -> StreamResponse:
+        if request.method in ("GET", "HEAD", "OPTIONS"):
+            permission = UserAccess.Read
+        else:
+            permission = UserAccess.Write
+
+        if not await validator.is_safe_request(request.path, permission):
+            await aiohttp_security.check_permission(request, permission, request.path)
+
+        return await handler(request)
+
+    return handle
+
+
+def setup_auth(application: web.Application, validator: Auth) -> web.Application:
+    """
+    setup authorization policies for the application
+    :param application: web application instance
+    :param validator: authorization module instance
+    :return: configured web application
+    """
+    fernet_key = fernet.Fernet.generate_key()
+    secret_key = base64.urlsafe_b64decode(fernet_key)
+    storage = EncryptedCookieStorage(secret_key, cookie_name="API_SESSION", max_age=validator.max_age)
+    setup_session(application, storage)
+
+    authorization_policy = AuthorizationPolicy(validator)
+    identity_policy = aiohttp_security.SessionIdentityPolicy()
+
+    aiohttp_security.setup(application, identity_policy, authorization_policy)
+    application.middlewares.append(auth_handler(validator))
+
+    return application

src/ahriman/web/middlewares/exception_handler.py

@@ -21,13 +21,11 @@ from aiohttp.web import middleware, Request
 from aiohttp.web_exceptions import HTTPClientError
 from aiohttp.web_response import StreamResponse
 from logging import Logger
-from typing import Awaitable, Callable
+
+from ahriman.web.middlewares import HandlerType, MiddlewareType
 
 
-HandlerType = Callable[[Request], Awaitable[StreamResponse]]
-
-
-def exception_handler(logger: Logger) -> Callable[[Request, HandlerType], Awaitable[StreamResponse]]:
+def exception_handler(logger: Logger) -> MiddlewareType:
     """
     exception handler middleware. Just log any exception (except for client ones)
     :param logger: class logger

src/ahriman/web/routes.py

@@ -18,48 +18,86 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 from aiohttp.web import Application
+from pathlib import Path
 
-from ahriman.web.views.ahriman import AhrimanView
 from ahriman.web.views.index import IndexView
-from ahriman.web.views.package import PackageView
-from ahriman.web.views.packages import PackagesView
-from ahriman.web.views.status import StatusView
+from ahriman.web.views.service.add import AddView
+from ahriman.web.views.service.reload_auth import ReloadAuthView
+from ahriman.web.views.service.remove import RemoveView
+from ahriman.web.views.service.search import SearchView
+from ahriman.web.views.status.ahriman import AhrimanView
+from ahriman.web.views.status.package import PackageView
+from ahriman.web.views.status.packages import PackagesView
+from ahriman.web.views.status.status import StatusView
+from ahriman.web.views.user.login import LoginView
+from ahriman.web.views.user.logout import LogoutView
 
 
-def setup_routes(application: Application) -> None:
+def setup_routes(application: Application, static_path: Path) -> None:
     """
     setup all defined routes
 
     Available routes are:
 
-        GET /                           get build status page
-        GET /index.html                 same as above
+        GET /                                  get build status page
+        GET /index.html                        same as above
 
-        GET /api/v1/ahriman             get current service status
-        POST /api/v1/ahriman            update service status
+        POST /service-api/v1/add               add new packages to repository
 
-        GET /api/v1/packages            get all known packages
-        POST /api/v1/packages           force update every package from repository
+        POST /service-api/v1/reload-auth       reload authentication module
 
-        DELETE /api/v1/package/:base    delete package base from status page
-        GET /api/v1/package/:base       get package base status
-        POST /api/v1/package/:base      update package base status
+        POST /service-api/v1/remove            remove existing package from repository
 
-        GET /api/v1/status              get web service status itself
+        GET /service-api/v1/search             search for substring in AUR
+
+        POST /service-api/v1/update            update packages in repository, actually it is just alias for add
+
+        GET /status-api/v1/ahriman             get current service status
+        POST /status-api/v1/ahriman            update service status
+
+        GET /status-api/v1/packages            get all known packages
+        POST /status-api/v1/packages           force update every package from repository
+
+        DELETE /status-api/v1/package/:base    delete package base from status page
+        GET /status-api/v1/package/:base       get package base status
+        POST /status-api/v1/package/:base      update package base status
+
+        GET /status-api/v1/status              get web service status itself
+
+        GET /user-api/v1/login                 OAuth2 handler for login
+        POST /user-api/v1/login                login to service
+        POST /user-api/v1/logout               logout from service
 
     :param application: web application instance
+    :param static_path: path to static files directory
     """
-    application.router.add_get("/", IndexView)
-    application.router.add_get("/index.html", IndexView)
+    application.router.add_get("/", IndexView, allow_head=True)
+    application.router.add_get("/index.html", IndexView, allow_head=True)
 
-    application.router.add_get("/api/v1/ahriman", AhrimanView)
-    application.router.add_post("/api/v1/ahriman", AhrimanView)
+    application.router.add_static("/static", static_path, follow_symlinks=True)
 
-    application.router.add_get("/api/v1/packages", PackagesView)
-    application.router.add_post("/api/v1/packages", PackagesView)
+    application.router.add_post("/service-api/v1/add", AddView)
 
-    application.router.add_delete("/api/v1/packages/{package}", PackageView)
-    application.router.add_get("/api/v1/packages/{package}", PackageView)
-    application.router.add_post("/api/v1/packages/{package}", PackageView)
+    application.router.add_post("/service-api/v1/reload-auth", ReloadAuthView)
 
-    application.router.add_get("/api/v1/status", StatusView)
+    application.router.add_post("/service-api/v1/remove", RemoveView)
+
+    application.router.add_get("/service-api/v1/search", SearchView, allow_head=False)
+
+    application.router.add_post("/service-api/v1/update", AddView)
+
+    application.router.add_get("/status-api/v1/ahriman", AhrimanView, allow_head=True)
+    application.router.add_post("/status-api/v1/ahriman", AhrimanView)
+
+    application.router.add_get("/status-api/v1/packages", PackagesView, allow_head=True)
+    application.router.add_post("/status-api/v1/packages", PackagesView)
+
+    application.router.add_delete("/status-api/v1/packages/{package}", PackageView)
+    application.router.add_get("/status-api/v1/packages/{package}", PackageView, allow_head=True)
+    application.router.add_post("/status-api/v1/packages/{package}", PackageView)
+
+    application.router.add_get("/status-api/v1/status", StatusView, allow_head=True)
+
+    application.router.add_get("/user-api/v1/login", LoginView)
+    application.router.add_post("/user-api/v1/login", LoginView)
+    application.router.add_post("/user-api/v1/logout", LogoutView)

src/ahriman/web/views/base.py

@@ -18,7 +18,11 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
 from aiohttp.web import View
+from typing import Any, Dict, List, Optional
 
+from ahriman.core.auth.auth import Auth
+from ahriman.core.configuration import Configuration
+from ahriman.core.spawn import Spawn
 from ahriman.core.status.watcher import Watcher
 
 
@@ -27,6 +31,14 @@ class BaseView(View):
     base web view to make things typed
     """
 
+    @property
+    def configuration(self) -> Configuration:
+        """
+        :return: configuration instance
+        """
+        configuration: Configuration = self.request.app["configuration"]
+        return configuration
+
     @property
     def service(self) -> Watcher:
         """
@@ -34,3 +46,50 @@ class BaseView(View):
         """
         watcher: Watcher = self.request.app["watcher"]
         return watcher
+
+    @property
+    def spawner(self) -> Spawn:
+        """
+        :return: external process spawner instance
+        """
+        spawner: Spawn = self.request.app["spawn"]
+        return spawner
+
+    @property
+    def validator(self) -> Auth:
+        """
+        :return: authorization service instance
+        """
+        validator: Auth = self.request.app["validator"]
+        return validator
+
+    async def extract_data(self, list_keys: Optional[List[str]] = None) -> Dict[str, Any]:
+        """
+        extract json data from either json or form data
+        :param list_keys: optional list of keys which must be forced to list from form data
+        :return: raw json object or form data converted to json
+        """
+        try:
+            json: Dict[str, Any] = await self.request.json()
+            return json
+        except ValueError:
+            return await self.data_as_json(list_keys or [])
+
+    async def data_as_json(self, list_keys: List[str]) -> Dict[str, Any]:
+        """
+        extract form data and convert it to json object
+        :param list_keys: list of keys which must be forced to list from form data
+        :return: form data converted to json. In case if a key is found multiple times it will be returned as list
+        """
+        raw = await self.request.post()
+        json: Dict[str, Any] = {}
+        for key, value in raw.items():
+            if key in json and isinstance(json[key], list):
+                json[key].append(value)
+            elif key in json:
+                json[key] = [json[key], value]
+            elif key in list_keys:
+                json[key] = [value]
+            else:
+                json[key] = value
+        return json

src/ahriman/web/views/index.py

@@ -22,6 +22,7 @@ import aiohttp_jinja2
 from typing import Any, Dict
 
 from ahriman import version
+from ahriman.core.auth.helpers import authorized_userid
 from ahriman.core.util import pretty_datetime
 from ahriman.web.views.base import BaseView
 
@@ -33,6 +34,11 @@ class IndexView(BaseView):
     It uses jinja2 templates for report generation, the following variables are allowed:
 
         architecture - repository architecture, string, required
+        auth - authorization descriptor, required
+                   * authenticated - alias to check if user can see the page, boolean, required
+                   * control - HTML to insert for login control, HTML string, required
+                   * enabled - whether authorization is enabled by configuration or not, boolean, required
+                   * username - authenticated username if any, string, null means not authenticated
         packages - sorted list of packages properties, required
                    * base, string
                    * depends, sorted list of strings
@@ -40,6 +46,7 @@ class IndexView(BaseView):
                    * licenses, sorted list of strings
                    * packages, sorted list of strings
                    * status, string based on enum value
+                   * status_color, string based on enum value
                    * timestamp, pretty printed datetime, string
                    * version, string
                    * web_url, string
@@ -66,19 +73,30 @@ class IndexView(BaseView):
                 "licenses": package.licenses,
                 "packages": list(sorted(package.packages)),
                 "status": status.status.value,
+                "status_color": status.status.bootstrap_color(),
                 "timestamp": pretty_datetime(status.timestamp),
                 "version": package.version,
-                "web_url": package.web_url
+                "web_url": package.web_url,
             } for package, status in sorted(self.service.packages, key=lambda item: item[0].base)
         ]
         service = {
             "status": self.service.status.status.value,
             "status_color": self.service.status.status.badges_color(),
-            "timestamp": pretty_datetime(self.service.status.timestamp)
+            "timestamp": pretty_datetime(self.service.status.timestamp),
+        }
+
+        # auth block
+        auth_username = await authorized_userid(self.request)
+        auth = {
+            "authenticated": not self.validator.enabled or self.validator.allow_read_only or auth_username is not None,
+            "control": self.validator.auth_control,
+            "enabled": self.validator.enabled,
+            "username": auth_username,
         }
 
         return {
             "architecture": self.service.architecture,
+            "auth": auth,
             "packages": packages,
             "repository": self.service.repository.name,
             "service": service,

src/ahriman/web/views/service/__init__.py

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#

src/ahriman/web/views/service/add.py

@@ -0,0 +1,52 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from aiohttp.web import HTTPFound, Response, json_response
+
+from ahriman.web.views.base import BaseView
+
+
+class AddView(BaseView):
+    """
+    add package web view
+    """
+
+    async def post(self) -> Response:
+        """
+        add new package
+
+        JSON body must be supplied, the following model is used:
+        {
+            "packages": "ahriman",   # either list of packages or package name as in AUR
+            "build_now": true       # optional flag which runs build
+        }
+
+        :return: redirect to main page on success
+        """
+        data = await self.extract_data(["packages"])
+
+        try:
+            now = data.get("build_now", True)
+            packages = data["packages"]
+        except Exception as e:
+            return json_response(data=str(e), status=400)
+
+        self.spawner.packages_add(packages, now)
+
+        return HTTPFound("/")

src/ahriman/web/views/service/reload_auth.py

@@ -0,0 +1,48 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from aiohttp.web import Response
+from aiohttp.web_exceptions import HTTPNoContent
+
+from ahriman.core.auth.auth import Auth
+from ahriman.web.views.base import BaseView
+
+
+class ReloadAuthView(BaseView):
+    """
+    reload authentication module web view
+    """
+
+    async def post(self) -> Response:
+        """
+        reload authentication module. No parameters supported here
+        :return: 204 on success
+        """
+        self.configuration.reload()
+
+        try:
+            import aiohttp_security  # type: ignore
+            self.request.app[aiohttp_security.api.AUTZ_KEY].validator =\
+                self.request.app["validator"] =\
+                Auth.load(self.configuration)
+        except (ImportError, KeyError):
+            self.request.app.logger.warning("could not update authentication module validator", exc_info=True)
+            raise
+
+        return HTTPNoContent()

src/ahriman/web/views/service/remove.py

@@ -0,0 +1,50 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from aiohttp.web import HTTPFound, Response, json_response
+
+from ahriman.web.views.base import BaseView
+
+
+class RemoveView(BaseView):
+    """
+    remove package web view
+    """
+
+    async def post(self) -> Response:
+        """
+        remove existing packages
+
+        JSON body must be supplied, the following model is used:
+        {
+            "packages": "ahriman",   # either list of packages or package name
+        }
+
+        :return: redirect to main page on success
+        """
+        data = await self.extract_data(["packages"])
+
+        try:
+            packages = data["packages"]
+        except Exception as e:
+            return json_response(data=str(e), status=400)
+
+        self.spawner.packages_remove(packages)
+
+        return HTTPFound("/")

src/ahriman/web/views/service/search.py

@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+import aur  # type: ignore
+
+from aiohttp.web import Response, json_response
+from typing import Callable, Iterator
+
+from ahriman.web.views.base import BaseView
+
+
+class SearchView(BaseView):
+    """
+    AUR search web view
+    """
+
+    async def get(self) -> Response:
+        """
+        search packages in AUR
+
+        search string (non empty) must be supplied as `for` parameter
+
+        :return: 200 with found package bases and descriptions sorted by base
+        """
+        search: Iterator[str] = filter(lambda s: len(s) > 3, self.request.query.getall("for", default=[]))
+        search_string = " ".join(search)
+
+        if not search_string:
+            return json_response(data="Search string must not be empty", status=400)
+        packages = aur.search(search_string)
+
+        comparator: Callable[[aur.Package], str] = lambda item: str(item.package_base)
+        response = [
+            {
+                "package": package.package_base,
+                "description": package.description,
+            } for package in sorted(packages, key=comparator)
+        ]
+        return json_response(response)

src/ahriman/web/views/status/__init__.py

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#

src/ahriman/web/views/status/ahriman.py

@@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-from aiohttp.web import HTTPBadRequest, HTTPNoContent, Response, json_response
+from aiohttp.web import HTTPNoContent, Response, json_response
 
 from ahriman.models.build_status import BuildStatusEnum
 from ahriman.web.views.base import BaseView
@@ -46,12 +46,12 @@ class AhrimanView(BaseView):
 
         :return: 204 on success
         """
-        data = await self.request.json()
+        data = await self.extract_data()
 
         try:
             status = BuildStatusEnum(data["status"])
         except Exception as e:
-            raise HTTPBadRequest(text=str(e))
+            return json_response(data=str(e), status=400)
 
         self.service.update_self(status)
 

src/ahriman/web/views/status/package.py

@@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-from aiohttp.web import HTTPBadRequest, HTTPNoContent, HTTPNotFound, Response, json_response
+from aiohttp.web import HTTPNoContent, HTTPNotFound, Response, json_response
 
 from ahriman.core.exceptions import UnknownPackage
 from ahriman.models.build_status import BuildStatusEnum
@@ -74,17 +74,17 @@ class PackageView(BaseView):
         :return: 204 on success
         """
         base = self.request.match_info["package"]
-        data = await self.request.json()
+        data = await self.extract_data()
 
         try:
             package = Package.from_json(data["package"]) if "package" in data else None
             status = BuildStatusEnum(data["status"])
         except Exception as e:
-            raise HTTPBadRequest(text=str(e))
+            return json_response(data=str(e), status=400)
 
         try:
             self.service.update(base, status, package)
         except UnknownPackage:
-            raise HTTPBadRequest(text=f"Package {base} is unknown, but no package body set")
+            return json_response(data=f"Package {base} is unknown, but no package body set", status=400)
 
         return HTTPNoContent()

src/ahriman/web/views/user/__init__.py

@@ -0,0 +1,19 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#

src/ahriman/web/views/user/login.py

@@ -0,0 +1,81 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from aiohttp.web import HTTPFound, HTTPMethodNotAllowed, HTTPUnauthorized, Response
+
+from ahriman.core.auth.helpers import remember
+from ahriman.models.user_identity import UserIdentity
+from ahriman.web.views.base import BaseView
+
+
+class LoginView(BaseView):
+    """
+    login endpoint view
+    """
+
+    async def get(self) -> Response:
+        """
+        OAuth2 response handler
+
+        In case if code provided it will do a request to get user email. In case if no code provided it will redirect
+        to authorization url provided by OAuth client
+
+        :return: redirect to main page
+        """
+        from ahriman.core.auth.oauth import OAuth
+
+        code = self.request.query.getone("code", default=None)
+        oauth_provider = self.validator
+        if not isinstance(oauth_provider, OAuth):  # there is actually property, but mypy does not like it anyway
+            raise HTTPMethodNotAllowed(self.request.method, ["POST"])
+
+        if not code:
+            return HTTPFound(oauth_provider.get_oauth_url())
+
+        response = HTTPFound("/")
+        username = await oauth_provider.get_oauth_username(code)
+        identity = UserIdentity.from_username(username, self.validator.max_age)
+        if identity is not None and await self.validator.known_username(username):
+            await remember(self.request, response, identity.to_identity())
+            return response
+
+        raise HTTPUnauthorized()
+
+    async def post(self) -> Response:
+        """
+        login user to service
+
+        either JSON body or form data must be supplied the following fields are required:
+        {
+            "username": "username"  # username to use for login
+            "password": "pa55w0rd"  # password to use for login
+        }
+
+        :return: redirect to main page
+        """
+        data = await self.extract_data()
+        username = data.get("username")
+
+        response = HTTPFound("/")
+        identity = UserIdentity.from_username(username, self.validator.max_age)
+        if identity is not None and await self.validator.check_credentials(username, data.get("password")):
+            await remember(self.request, response, identity.to_identity())
+            return response
+
+        raise HTTPUnauthorized()

src/ahriman/web/views/user/logout.py

@@ -0,0 +1,41 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from aiohttp.web import HTTPFound, Response
+
+from ahriman.core.auth.helpers import check_authorized, forget
+from ahriman.web.views.base import BaseView
+
+
+class LogoutView(BaseView):
+    """
+    logout endpoint view
+    """
+
+    async def post(self) -> Response:
+        """
+        logout user from the service. No parameters supported here
+        :return: redirect to main page
+        """
+        await check_authorized(self.request)
+
+        response = HTTPFound("/")
+        await forget(self.request, response)
+
+        return response

src/ahriman/web/web.py

@@ -23,8 +23,10 @@ import logging
 
 from aiohttp import web
 
+from ahriman.core.auth.auth import Auth
 from ahriman.core.configuration import Configuration
 from ahriman.core.exceptions import InitializeException
+from ahriman.core.spawn import Spawn
 from ahriman.core.status.watcher import Watcher
 from ahriman.web.middlewares.exception_handler import exception_handler
 from ahriman.web.routes import setup_routes
@@ -47,8 +49,9 @@ async def on_startup(application: web.Application) -> None:
     try:
         application["watcher"].load()
     except Exception:
-        application.logger.exception("could not load packages")
-        raise InitializeException()
+        message = "could not load packages"
+        application.logger.exception(message)
+        raise InitializeException(message)
 
 
 def run_server(application: web.Application) -> None:
@@ -66,11 +69,12 @@ def run_server(application: web.Application) -> None:
                 access_log=logging.getLogger("http"))
 
 
-def setup_service(architecture: str, configuration: Configuration) -> web.Application:
+def setup_service(architecture: str, configuration: Configuration, spawner: Spawn) -> web.Application:
     """
     create web application
     :param architecture: repository architecture
     :param configuration: configuration instance
+    :param spawner: spawner thread
     :return: web application instance
     """
     application = web.Application(logger=logging.getLogger("http"))
@@ -81,7 +85,7 @@ def setup_service(architecture: str, configuration: Configuration) -> web.Applic
     application.middlewares.append(exception_handler(application.logger))
 
     application.logger.info("setup routes")
-    setup_routes(application)
+    setup_routes(application, configuration.getpath("web", "static_path"))
 
     application.logger.info("setup templates")
     aiohttp_jinja2.setup(application, loader=jinja2.FileSystemLoader(configuration.getpath("web", "templates")))
@@ -92,4 +96,13 @@ def setup_service(architecture: str, configuration: Configuration) -> web.Applic
     application.logger.info("setup watcher")
     application["watcher"] = Watcher(architecture, configuration)
 
+    application.logger.info("setup process spawner")
+    application["spawn"] = spawner
+
+    application.logger.info("setup authorization")
+    validator = application["validator"] = Auth.load(configuration)
+    if validator.enabled:
+        from ahriman.web.middlewares.auth_handler import setup_auth
+        setup_auth(application, validator)
+
     return application

tests/ahriman/application/conftest.py

@@ -1,5 +1,4 @@
 import argparse
-import aur
 import pytest
 
 from pytest_mock import MockerFixture
@@ -8,7 +7,6 @@ from ahriman.application.ahriman import _parser
 from ahriman.application.application import Application
 from ahriman.application.lock import Lock
 from ahriman.core.configuration import Configuration
-from ahriman.models.package import Package
 
 
 @pytest.fixture
@@ -20,7 +18,7 @@ def application(configuration: Configuration, mocker: MockerFixture) -> Applicat
     :return: application test instance
     """
     mocker.patch("pathlib.Path.mkdir")
-    return Application("x86_64", configuration)
+    return Application("x86_64", configuration, no_report=True)
 
 
 @pytest.fixture
@@ -32,31 +30,6 @@ def args() -> argparse.Namespace:
     return argparse.Namespace(lock=None, force=False, unsafe=False, no_report=True)
 
 
-@pytest.fixture
-def aur_package_ahriman(package_ahriman: Package) -> aur.Package:
-    """
-    fixture for AUR package
-    :param package_ahriman: package fixture
-    :return: AUR package test instance
-    """
-    return aur.Package(
-        num_votes=None,
-        description=package_ahriman.packages[package_ahriman.base].description,
-        url_path=package_ahriman.web_url,
-        last_modified=None,
-        name=package_ahriman.base,
-        out_of_date=None,
-        id=None,
-        first_submitted=None,
-        maintainer=None,
-        version=package_ahriman.version,
-        license=package_ahriman.packages[package_ahriman.base].licenses,
-        url=None,
-        package_base=package_ahriman.base,
-        package_base_id=None,
-        category_id=None)
-
-
 @pytest.fixture
 def lock(args: argparse.Namespace, configuration: Configuration) -> Lock:
     """