
Add an application setting to enable public package registries

🌱 Context

We allow non-public projects to have a public registry.

This is not ideal for customers in highly regulated environments. They need to ensure that their project's package registry is never available to the public. And since there is no way to turn this feature off globally, they have no way of preventing this behavior.

🚑 Solution

This MR introduces a new application setting, package_registry_allow_anyone_to_pull_option:

  • When this is set to false:
    • the toggle Allow anyone to pull from package registry is not displayed
    • Anonymous downloads are rejected, even for projects that had the Allow anyone to pull from package registry toggle enabled

At the moment, package_registry_allow_anyone_to_pull_option can only be set from the Rails console or through the Application Settings API. The frontend changes needed to set package_registry_allow_anyone_to_pull_option will be done in a follow-up MR.

DB migration log

up
main: == [advisory_lock_connection] object_id: 223960, pg_backend_pid: 35620
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrating 
main: -- add_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
main:    -> 0.0032s
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrated (0.0075s) 

main: == [advisory_lock_connection] object_id: 223960, pg_backend_pid: 35620
ci: == [advisory_lock_connection] object_id: 224240, pg_backend_pid: 35624
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrating 
ci: -- add_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
ci:    -> 0.0039s
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrated (0.0124s) 

ci: == [advisory_lock_connection] object_id: 224240, pg_backend_pid: 35624
down
main: == [advisory_lock_connection] object_id: 223700, pg_backend_pid: 36917
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverting 
main: -- remove_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
main:    -> 0.0027s
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverted (0.0103s) 

main: == [advisory_lock_connection] object_id: 223700, pg_backend_pid: 36917
ci: == [advisory_lock_connection] object_id: 223640, pg_backend_pid: 37662
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverting 
ci: -- remove_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
ci:    -> 0.0031s
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverted (0.0183s) 

ci: == [advisory_lock_connection] object_id: 223640, pg_backend_pid: 37662

Screenshots or screen recordings

Project Settings -> General -> Visibility

Before:

allow-public-package-registry-enabled

After (with package_registry_allow_anyone_to_pull_option disabled):

allow-public-package-registry-disabled

How to set up and validate locally

Verify that public downloads are prevented when package_registry_allow_anyone_to_pull_option is set to false

  1. Generate a new npm package with npm init
  2. Publish the package to the project-level endpoint (documentation)
  3. Download the package (documentation)
  4. Go to project settings -> general page. Expand the visibility options and change the project visibility to private.
  5. Open the Rails console and run the command below to set package_registry_allow_anyone_to_pull_option to false:
     ::Gitlab::CurrentSettings.update!(package_registry_allow_anyone_to_pull_option: false)
  6. Go to project settings -> general page again. Expand the visibility options and scroll down to the Package Registry options. You should no longer see the Allow anyone to pull from Package Registry toggle.
  7. Retry step 3: download the package again. The response should be an HTTP 404.

Verify that public downloads are allowed when package_registry_allow_anyone_to_pull_option is set to true

  1. Open the Rails console and run the command below to set package_registry_allow_anyone_to_pull_option to true:
     ::Gitlab::CurrentSettings.update!(package_registry_allow_anyone_to_pull_option: true)
  2. Go to project settings -> general page. Expand the visibility options and scroll down to the Package Registry options. Set the Allow anyone to pull from Package Registry toggle to true.
  3. You should be able to download the package again.
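The access decision described in the Solution section and exercised by the two validation procedures above, as an added illustrative model (this is not GitLab's own code): on a non-public project, an anonymous pull succeeds only when both the project-level toggle and the new instance-wide setting allow it, and a denied request gets a 404 as the steps expect. The AppSettings, Project, User and PackagePullPolicy names are assumptions for this example.

```ruby
# Illustrative model of the package_registry_allow_anyone_to_pull_option
# setting. Stand-alone example, not GitLab's implementation.
AppSettings = Struct.new(:package_registry_allow_anyone_to_pull_option)
Project     = Struct.new(:visibility, :allow_anyone_to_pull, :members)
User        = Struct.new(:name)

class PackagePullPolicy
  def initialize(app_settings)
    @app_settings = app_settings
  end

  # true when `user` (nil = anonymous request) may download packages from `project`
  def pull_allowed?(project, user)
    return true if project.visibility == :public
    return true if user && project.members.include?(user)
    # Non-public project, caller is not a member: the project toggle alone is
    # not enough once the instance-wide setting is false.
    @app_settings.package_registry_allow_anyone_to_pull_option && project.allow_anyone_to_pull
  end

  # Status a download endpoint would return. Denied requests get 404 rather
  # than 403 so an anonymous caller learns nothing about the project's existence.
  def status_for(project, user)
    pull_allowed?(project, user) ? 200 : 404
  end
end

# Constructed scenario: a private project whose owner enabled the toggle.
def demo
  alice   = User.new("alice")
  project = Project.new(:private, true, [alice])
  public_project = Project.new(:public, false, [])
  setting_on  = PackagePullPolicy.new(AppSettings.new(true))
  setting_off = PackagePullPolicy.new(AppSettings.new(false))
  {
    anon_setting_on:      setting_on.status_for(project, nil),          # 200
    anon_setting_off:     setting_off.status_for(project, nil),         # 404
    member_setting_off:   setting_off.status_for(project, alice),       # 200
    anon_public_project:  setting_off.status_for(public_project, nil),  # 200
    anon_toggle_off:      setting_on.status_for(Project.new(:private, false, []), nil) # 404
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```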

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #413538 (closed)

Edited by Radamanthus Batnag
