Add an application setting to enable public package registries
🌱 Context
We allow non-public projects to have a public registry.
This is not ideal for customers in highly regulated environments. They need to ensure that their project's package registry is never available to the public. And since there is no way to turn this feature off globally, they have no way of preventing this behavior.
🚑 Solution
This MR introduces a new application setting, `package_registry_allow_anyone_to_pull_option`:
- When this is set to `false`:
  - the `Allow anyone to pull from package registry` toggle is not displayed
  - anonymous downloads are rejected, even for projects that had the `Allow anyone to pull from package registry` toggle enabled
At the moment, `package_registry_allow_anyone_to_pull_option` can only be set from the Rails console or through the Application Settings API. The frontend changes needed to set `package_registry_allow_anyone_to_pull_option` will be done in a follow-up MR.
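The instance-wide setting is meant to take precedence over the per-project toggle: with it disabled, an anonymous pull of a private project's package must fail even where the project toggle is still stored as enabled. The Ruby below is an added illustration of that precedence rule, not GitLab's own authorization code; it models the decision with hypothetical `InstanceSettings`, `Project`, `can_pull_package?`, `show_toggle?` and `pull_status` names, assumes public projects remain pullable by anyone, and answers a rejected anonymous pull with 404 (as the validation steps in this MR expect) so that the existence of a private project is not revealed.

```ruby
# Added example (not GitLab code): how an instance-wide setting overrides a
# per-project "allow anyone to pull" toggle. Only the setting key
# package_registry_allow_anyone_to_pull_option comes from the MR; every other
# name here is hypothetical.
require 'set'

InstanceSettings = Struct.new(:package_registry_allow_anyone_to_pull_option)

Project = Struct.new(:visibility, :allow_anyone_to_pull, :members) do
  # Anonymous requests carry user = nil and are never members.
  def member?(user)
    !user.nil? && members.include?(user)
  end
end

# Should the project-level "Allow anyone to pull" toggle be rendered at all?
# It is hidden as soon as the instance disallows public registries.
def show_toggle?(settings)
  settings.package_registry_allow_anyone_to_pull_option == true
end

# May `user` (nil for anonymous) download a package from `project`?
def can_pull_package?(settings, project, user)
  # Assumption: a public project's registry stays readable by anyone.
  return true if project.visibility == :public
  # Project members can always pull from their own registry.
  return true if project.member?(user)
  # Non-members of a non-public project only get through when BOTH the
  # instance setting and the project toggle are enabled. A stale `true`
  # on the project toggle is therefore harmless once the instance says no.
  settings.package_registry_allow_anyone_to_pull_option == true &&
    project.allow_anyone_to_pull == true
end

# Status the download endpoint would answer with. 404 rather than 403 so an
# unauthenticated caller cannot probe whether a private project exists.
def pull_status(settings, project, user)
  can_pull_package?(settings, project, user) ? 200 : 404
end

# Constructed sample data: a private project whose toggle was left enabled.
PRIVATE_PROJECT = Project.new(:private, true, Set['alice'])
PUBLIC_PROJECT  = Project.new(:public, false, Set[])
INSTANCE_ALLOWS = InstanceSettings.new(true)
INSTANCE_BLOCKS = InstanceSettings.new(false)

if __FILE__ == $PROGRAM_NAME
  puts "anonymous, instance allows: #{pull_status(INSTANCE_ALLOWS, PRIVATE_PROJECT, nil)}"
  puts "anonymous, instance blocks: #{pull_status(INSTANCE_BLOCKS, PRIVATE_PROJECT, nil)}"
  puts "member,    instance blocks: #{pull_status(INSTANCE_BLOCKS, PRIVATE_PROJECT, 'alice')}"
  puts "toggle shown when blocked?  #{show_toggle?(INSTANCE_BLOCKS)}"
end
```

The decisive line is the conjunction in `can_pull_package?`: the project toggle is only ever consulted when the instance setting already permits public pulls, which is what lets a regulated deployment turn the behaviour off in one place without touching every project.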
DB migration log
up
main: == [advisory_lock_connection] object_id: 223960, pg_backend_pid: 35620
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrating
main: -- add_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
main: -> 0.0032s
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrated (0.0075s)
main: == [advisory_lock_connection] object_id: 223960, pg_backend_pid: 35620
ci: == [advisory_lock_connection] object_id: 224240, pg_backend_pid: 35624
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrating
ci: -- add_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
ci: -> 0.0039s
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: migrated (0.0124s)
ci: == [advisory_lock_connection] object_id: 224240, pg_backend_pid: 35624
down
main: == [advisory_lock_connection] object_id: 223700, pg_backend_pid: 36917
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverting
main: -- remove_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
main: -> 0.0027s
main: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverted (0.0103s)
main: == [advisory_lock_connection] object_id: 223700, pg_backend_pid: 36917
ci: == [advisory_lock_connection] object_id: 223640, pg_backend_pid: 37662
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverting
ci: -- remove_column(:application_settings, :package_registry_allow_anyone_to_pull_option, :boolean, {:null=>false, :default=>true})
ci: -> 0.0031s
ci: == 20230720062249 AddPackageRegistryAllowAnyoneToPullOptionToApplicationSettings: reverted (0.0183s)
ci: == [advisory_lock_connection] object_id: 223640, pg_backend_pid: 37662
Screenshots or screen recordings
Project Settings -> General -> Visibility
Before:
After (with package_registry_allow_anyone_to_pull_option disabled):
How to set up and validate locally
Verify that public downloads are prevented when `package_registry_allow_anyone_to_pull_option` is set to `false`
- Generate a new npm package with `npm init`
- Publish the package to the project-level endpoint (documentation)
- Download the package (documentation)
- Go to project settings -> general page. Expand the visibility options and change the project visibility to private.
- Open the Rails console and run the command below to set `package_registry_allow_anyone_to_pull_option` to `false`:
  `::Gitlab::CurrentSettings.update!(package_registry_allow_anyone_to_pull_option: false)`
- Go to project settings -> general page again. Expand the visibility options and scroll down to the Package Registry options. You should no longer see the `Allow anyone to pull from Package Registry` toggle.
- Retry step 3: download the package again - the response should be an HTTP 404.
Verify that public downloads are allowed when `allow_public_package_registry` is set to `true`
- Open the Rails console and run the command below to set `allow_public_package_registry` to `true`:
  `::Gitlab::CurrentSettings.update!(package_registry_allow_anyone_to_pull_option: true)`
- Go to project settings -> general page. Expand the visibility options and scroll down to the Package Registry options. Set the `Allow anyone to pull from Package Registry` toggle to `true`.
- You should be able to download the package again.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #413538 (closed)