Private feed implementation #156
Conversation
Added code to partially resolve #147. It does not restrict to a given library, but it provides support for multiple apiKeys, so each team can have a unique one and thus it is easier to change if needed. Also it should not introduce any breaking change.
Also I'd like additional opinions on this. Once we have user accounts, we should probably add the user as package owner, even if it's just to see who pushed what package. After that we can talk about authorization concepts like restricting uploads to an owner or something.
Once established, an auth concept is very complicated to amend so I'd like to do it right from the beginning.
Could you also add an integration test for a private feed? Maybe a new class AuthIntegrationTests. Or add an authenticated request to the nuget client integration test, although I'm not sure if it gets ugly to add authentication for just one test method and not the others.
LMK if you need anything else
Very nice, I think it's just minor things now but all in all it looks good. Would still prefer an additional review though, @bagetter/maintainers. I won't block the PR for long if nobody else finds time for a review either though, don't worry.
I see #147 asks for package-specific API keys, do you think this PR may be later extended to enable that? The authentication options might be extended to include a package prefix, e.g.

    "Authentication": {
      "Credentials": [
        {
          "Prefix": "Company.Team1.*",
          "Username": "Team1User",
          "Password": "Team1Pass"
        }
      ]
    }

Maybe the additional

    "Authentication": {
      "ApiKeys": [
        {
          "Key": "..."
        }
      ]
    }

Not sure if this is overkill or if there is a different, easier/better way. This would however let us extend it with package prefixes later without introducing breaking changes.
Oh when the handler is in Possible calls: I'm not currently fit enough to completely make the choice so, anything with an explanation why would be great.
The apiKey object makes sense. I would split the per-package authentication into a separate PR later on. I can implement that. Here I would like to focus on the base with enabling the functionality down the road. Because there is to consider if we would like to go with a prefix like that, or maybe define auth scopes (array of prefixes), that could then be referenced in api keys and credentials. Might sound like a lot, but I don't think that would be that big of an overhead for configuration. Or any other auth structure. Depends....
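To make the design discussed in the two comments above concrete (prefix-scoped "Credentials" for reads, a separate "ApiKeys" list for pushes, both scoped to a package ID pattern), here is a small standalone model of how such a configuration would be evaluated. This is an added illustration, not BaGetter's code: the "Prefix" field on ApiKeys entries is an assumption (the thread only shows it on Credentials), all keys, usernames and passwords are constructed sample values, and prefix matching is modelled as a case-insensitive glob because NuGet package IDs are case-insensitive.

```python
"""Model of prefix-scoped feed authentication, added as an illustration.

Not BaGetter's code. The config shape follows the "Credentials" / "ApiKeys"
layout proposed in the PR thread, plus an ASSUMED "Prefix" field on ApiKeys.
All secrets below are constructed sample values.
"""
import base64
import binascii
import fnmatch
import hmac
from typing import Optional, Tuple

# Constructed example configuration (assumption: the same wildcard "Prefix"
# used for Credentials also scopes ApiKeys; "*" or a missing Prefix = all).
CONFIG = {
    "Authentication": {
        "Credentials": [
            {"Prefix": "Company.Team1.*", "Username": "Team1User", "Password": "Team1Pass"},
            {"Prefix": "*", "Username": "ReadAll", "Password": "ReadAllPass"},
        ],
        "ApiKeys": [
            {"Prefix": "Company.Team1.*", "Key": "team1-key-EXAMPLE"},
            {"Prefix": "Company.Team2.*", "Key": "team2-key-EXAMPLE"},
        ],
    }
}


def _eq(expected: str, given: str) -> bool:
    """Constant-time comparison so a wrong secret is not leaked via timing."""
    return hmac.compare_digest(expected.encode("utf-8"), given.encode("utf-8"))


def prefix_matches(prefix: str, package_id: str) -> bool:
    """Glob-style scope check; NuGet package IDs are compared case-insensitively."""
    return fnmatch.fnmatchcase(package_id.lower(), prefix.lower())


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:pass)>'; return None for anything malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authorize_read(header: Optional[str], package_id: str, config=CONFIG) -> bool:
    """Basic-auth read access (index.json / download), scoped by the entry's Prefix."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    for entry in config["Authentication"]["Credentials"]:
        # Evaluate both fields unconditionally so timing does not reveal which one failed.
        user_ok = _eq(entry["Username"], user)
        pass_ok = _eq(entry["Password"], password)
        if user_ok and pass_ok and prefix_matches(entry.get("Prefix", "*"), package_id):
            return True
    return False


def authorize_push(api_key: Optional[str], package_id: str, config=CONFIG) -> bool:
    """Push access via the X-NuGet-ApiKey header value, scoped by the key's Prefix."""
    if not api_key:
        return False
    for entry in config["Authentication"]["ApiKeys"]:
        if _eq(entry["Key"], api_key) and prefix_matches(entry.get("Prefix", "*"), package_id):
            return True
    return False


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a NuGet client sends for a credentialed source."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Team1's key may push Team1 packages but not Team2's; reads are scoped the same way.
    print(authorize_push("team1-key-EXAMPLE", "Company.Team1.Core"))   # True
    print(authorize_push("team1-key-EXAMPLE", "Company.Team2.Core"))   # False
    print(authorize_read(basic_auth_header("Team1User", "Team1Pass"), "Company.Team2.Core"))  # False
    print(authorize_read(basic_auth_header("ReadAll", "ReadAllPass"), "Company.Team2.Core"))  # True
```

The two lists are deliberately separate: a leaked read credential cannot push, and rotating one team's push key (the point raised in the PR description) touches only its ApiKeys entry. Scopes as named arrays of prefixes, as floated above, would slot in by replacing the single "Prefix" string with a scope name that resolves to a list of patterns before prefix_matches is called.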
Yup, makes sense to limit that for BaGetterApplication, so it does not interfere with anything else
I have a dilemma. But maybe moving it into
@tomasfil Okay, but don't stress yourself!
@tomasfil Just bumping so as not to be forgotten :)
@seriouz @Regenhardt Resolved the comments.
Thanks, gonna take a look when I'm back. I've been in the hospital for a week unfortunately.
How are we looking here? I hope you are doing well @Regenhardt !
Oh yes, way better, walking almost looks normal again 😊. Still getting settled and cleaning up after a month of not being at home, I'm gonna look at this soon, haven't forgotten it don't worry.
I hope the PR merge can be successful and add a private package option. Any teams using this open source project hope for authenticated access rather than open access; this is a very important feature. Without this feature, we can only solve it through other additional ways, but that solution does not seem to be based on software engineering principles. So I hope this PR merges successfully soon.
I will just add that I am using a locally deployed image for production since July with 5 developers and everything works as expected, nothing broke yet and we didn't find any security issue of leaking the packages without authorization
LGTM, thanks a lot for this great addition @tomasfil! Will try to make a new release today :)
Turns out the test project doesn't build, probably needs a using updated.
I'm waiting for your feature to be released because I plan to share it at a local tech meetup, focusing on project and code security. I'm really excited about it and check multiple times a day to see if it's out yet.
Thanks a ton for all! This gives us an amazing and super useful feature. We really appreciate it!
Hi, great to see private feed getting implemented. I have already deployed it. The only question I have is: while the feed is private (access to index.json is protected by basic auth), the Web UI search is not limited, and packages can be downloaded from there. Is there a solution to this which I have overlooked? Thanks
@theazgra They can be browsed, but not downloaded when credentials are set up.
Once you insert credentials for download, then your browser remembers it though
@tomasfil Ah I see, ok, that makes sense. :) This + path deny in HAProxy is sufficient for our needs. Thanks
Summary of the changes (in less than 80 chars)
Implements private feeds, resolves #142
Used by nuget:
NuGet Sources Add -Name "feed_name" -Source "http://localhost:50557/v3/index.json" -UserName "username" -Password "password"
Addresses #142 #147