Add support for previewing artifacts that are not public

Previewing private artifacts

Overview

This is an initial implementation that adds support for previewing private artifacts as well, by leveraging the current access control implementation.

The initial preview works as before, so nothing changes for public artifacts. But when access control is enabled and the GitLab API artifact request returns 404, the user is redirected to authenticate, as in the pages access control scenario. After that, every request is fetched with a token. If the artifact request returns invalid token, the session is destroyed and the next request is done without the token. Also, if the user already has a session with a token, it's used when requesting the artifact.

The GitLab changes are implemented in gitlab!16675 (merged) (old MR gitlab-foss!25567 (closed)).

Changes

  • Implemented an authentication header in the artifact package if a token is given
  • New handlers package, which passes a response func to the artifact package to check whether we need to invalidate the session (token expired or revoked) or whether we need to authenticate (unauthenticated request returns 404)
  • Token response check in the auth package
  • New method in the auth package for getting the token if it exists, and a new method to request authentication
  • Tests for handler, artifact and auth, plus acceptance tests

Other

This is the MVC of the support. The logic could be improved to avoid unnecessary requests with an expired token if we stored the access token expiration time and then added the token to the request only if it is non-expired. For now, we add the token to every request if we have one. Also, we are not setting the cache header for public artifacts if they were fetched with a token, as we don't know whether the artifact was public or private.

What are the relevant issue numbers?

Implements gitlab#14897 (closed) (old issue gitlab-foss#10982 (moved))

Other

This can be tested by enabling access control for pages and then calling pages with a URL for a private artifact.

All feedback is appreciated!

Edited by Tuomo Ala-Vannesluoma
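
The request flow described in the overview and the cache caveat, as an added Go example that is not code from this merge request or from GitLab Pages. `Action`, `Upstream`, `Fetch`, the `/private` and `/public` paths and the token values are hypothetical; the 401 status for an invalid token and the `Bearer` header format are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Action is what this hypothetical handler does once the upstream API answers.
type Action string
const Serve, Authenticate, DropSession, NotFound Action = "serve", "redirect-to-auth", "destroy-session", "not-found"

// Upstream is a constructed stand-in for the artifact API: private artifacts are
// 404 for anonymous callers; a bad token gets 401 (assumed status code).
var Upstream = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	code := http.StatusOK
	switch auth := r.Header.Get("Authorization"); {
	case auth != "" && auth != "Bearer good":
		code = http.StatusUnauthorized
	case auth == "" && r.URL.Path != "/public":
		code = http.StatusNotFound
	}
	w.WriteHeader(code)
})

// Fetch sends the session token only if one exists. It returns the next action and
// whether a cache header may be set (never after a token-authenticated fetch).
func Fetch(path, token string, accessControl bool) (Action, bool) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	Upstream.ServeHTTP(rec, req)
	switch {
	case rec.Code == http.StatusOK:
		return Serve, token == ""
	case rec.Code == http.StatusUnauthorized && token != "":
		return DropSession, false // next request goes out without the token
	case rec.Code == http.StatusNotFound && token == "" && accessControl:
		return Authenticate, false // may be private: send the user to log in
	}
	return NotFound, false
}

func main() {
	for _, token := range []string{"", "revoked", "good"} {
		fmt.Println(Fetch("/private", token, true))
	}
}
```

With access control disabled, the anonymous 404 stays a plain not-found, which matches the unchanged behaviour for public artifacts.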