Protected packages: Skip package protection check for deploy tokens

What does this MR do and why?

Packages can also be pushed (published) to the GitLab package registry with a deploy token; see the deploy token guide. However, the current implementation of the package protection feature expects a user, and deploy tokens are not connected to users. This causes the current implementation to break.

The focus of this MR is to fix the current implementation in the following way:

  • The current implementation does not break when a deploy token is used
  • When a protection rule exists for a given package, then the package is only protected when the field :minimum_access_level_for_push is set to :admin; otherwise, the package is protected and cannot be published
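The following is an added example, not GitLab's code: a minimal Ruby model of the protection check described above and in the validation steps (pattern with `*` wildcard, package type, minimum access level), showing why a deploy-token push with no associated user fails in the old code and how the fix skips the check. The struct and method names are assumptions chosen for illustration.

```ruby
# Added example, not GitLab's code: a minimal model of the package protection
# check and of how the nil-user case introduced by deploy tokens is handled.
ACCESS_LEVELS = { developer: 30, maintainer: 40, owner: 50, admin: 60 }.freeze

User = Struct.new(:username, :access_level)
DeployToken = Struct.new(:name) # deploy tokens are not tied to a user

# Rule as configured in the validation steps: name pattern with '*' wildcard,
# package type, and the minimum access level required to push.
ProtectionRule = Struct.new(:package_name_pattern, :package_type, :minimum_access_level_for_push) do
  def matches?(name, type)
    return false unless package_type == type
    re = Regexp.new('\A' + Regexp.escape(package_name_pattern).gsub('\*', '.*') + '\z')
    re.match?(name)
  end
end

# Before the fix: assumes a user is always present. A deploy-token push
# arrives with current_user = nil, so this raises NoMethodError -> HTTP 500.
def push_protected_before?(rules, name, type, current_user)
  rule = rules.find { |r| r.matches?(name, type) }
  return false unless rule
  ACCESS_LEVELS.fetch(current_user.access_level) < ACCESS_LEVELS.fetch(rule.minimum_access_level_for_push)
end

# After the fix: a push authenticated with a deploy token skips the protection
# check entirely, as this MR does (even when the rule requires :admin).
# Operator consequence: protection rules do not restrict deploy-token pushes,
# so the token's own scope and expiry are what limit them.
def push_protected_after?(rules, name, type, current_user, deploy_token: nil)
  return false if deploy_token
  push_protected_before?(rules, name, type, current_user)
end

if __FILE__ == $PROGRAM_NAME
  rules = [ProtectionRule.new('@flightjs/test-npm-package-*', :npm, :owner)]
  pkg = '@flightjs/test-npm-package-prod'
  puts push_protected_after?(rules, pkg, :npm, User.new('dev', :developer))              # true
  puts push_protected_after?(rules, pkg, :npm, nil, deploy_token: DeployToken.new('ci')) # false
end
```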

🛠 with at Siemens

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)

Screenshots or screen recordings

Before

Console output when publishing a package with a deploy token
➜  npm_package git:(main) ✗ source .env && NPM_TOKEN=$DEPLOY_TOKEN_FOR_PROJECT npm publish
npm verb cli /Users/client-siemens/.asdf/installs/nodejs/20.12.2/bin/node /Users/client-siemens/.asdf/installs/nodejs/20.12.2/bin/npm
npm info using npm@10.5.0
npm info using node@v20.12.2
npm verb title npm publish
npm verb argv "publish"
npm verb logfile logs-max:10 dir:/Users/client-siemens/.npm/_logs/2024-06-18T09_00_30_855Z-
npm verb logfile /Users/client-siemens/.npm/_logs/2024-06-18T09_00_30_855Z-debug-0.log
npm verb publish [ '.' ]
npm notice 
npm notice 📦  @flightjs/flight-js-3@1.0.22
npm notice === Tarball Contents === 
npm notice 327B .env          
npm notice 15B  .tool-versions
npm notice 205B README.md     
npm notice 218B package.json  
npm notice === Tarball Details === 
npm notice name:          @flightjs/flight-js-3                   
npm notice version:       1.0.22                                  
npm notice filename:      flightjs-flight-js-3-1.0.22.tgz         
npm notice package size:  647 B                                   
npm notice unpacked size: 765 B                                   
npm notice shasum:        819785897ecb594d7093217d515821de60b975ad
npm notice integrity:     sha512-ofRIvwfaVNLBt[...]7X9B2Pls7y1HA==
npm notice total files:   4                                       
npm notice 
npm notice Publishing to http://gdk.test:3000/api/v4/projects/7/packages/npm/ with tag latest and default access
npm http fetch PUT 500 http://gdk.test:3000/api/v4/projects/7/packages/npm/@flightjs%2fflight-js-3 79433ms attempt #3
npm verb stack HttpErrorGeneral: 500 Internal Server Error - PUT http://gdk.test:3000/api/v4/projects/7/packages/npm/@flightjs%2fflight-js-3
npm verb stack     at /Users/client-siemens/.asdf/installs/nodejs/20.12.2/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:95:15
npm verb stack     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
npm verb stack     at async publish (/Users/client-siemens/.asdf/installs/nodejs/20.12.2/lib/node_modules/npm/node_modules/libnpmpublish/lib/publish.js:53:15)
npm verb stack     at async otplease (/Users/client-siemens/.asdf/installs/nodejs/20.12.2/lib/node_modules/npm/lib/utils/otplease.js:4:12)
npm verb stack     at async Publish.exec (/Users/client-siemens/.asdf/installs/nodejs/20.12.2/lib/node_modules/npm/lib/commands/publish.js:126:7)
npm verb stack     at async module.exports (/Users/client-siemens/.asdf/installs/nodejs/20.12.2/lib/node_modules/npm/lib/cli-entry.js:61:5)
npm verb statusCode 500
npm verb pkgid @flightjs/flight-js-3@1.0.22
npm verb cwd /Users/client-siemens/Development/protected-packages-examples/npm_package
npm verb Darwin 23.5.0
npm verb node v20.12.2
npm verb npm  v10.5.0
npm ERR! code E500
npm ERR! 500 Internal Server Error - PUT http://gdk.test:3000/api/v4/projects/7/packages/npm/@flightjs%2fflight-js-3
npm verb exit 1
npm verb code 1

npm ERR! A complete log of this run can be found in: /Users/client-siemens/.npm/_logs/2024-06-18T09_00_30_855Z-debug-0.log

After

Console output when publishing a package with a deploy token
➜  npm_package git:(main) ✗ source .env && NPM_TOKEN=$DEPLOY_TOKEN_FOR_PROJECT npm publish
npm verb cli /Users/client-siemens/.asdf/installs/nodejs/20.12.2/bin/node /Users/client-siemens/.asdf/installs/nodejs/20.12.2/bin/npm
npm info using npm@10.5.0
npm info using node@v20.12.2
npm verb title npm publish
npm verb argv "publish"
npm verb logfile logs-max:10 dir:/Users/client-siemens/.npm/_logs/2024-06-18T08_58_51_098Z-
npm verb logfile /Users/client-siemens/.npm/_logs/2024-06-18T08_58_51_098Z-debug-0.log
npm verb publish [ '.' ]
npm notice 
npm notice 📦  @flightjs/flight-js-3@1.0.21
npm notice === Tarball Contents === 
npm notice 327B .env          
npm notice 15B  .tool-versions
npm notice 205B README.md     
npm notice 218B package.json  
npm notice === Tarball Details === 
npm notice name:          @flightjs/flight-js-3                   
npm notice version:       1.0.21                                  
npm notice filename:      flightjs-flight-js-3-1.0.21.tgz         
npm notice package size:  647 B                                   
npm notice unpacked size: 765 B                                   
npm notice shasum:        fd2b6993a549c5756e6fa5a5e3653fb2f59d7256
npm notice integrity:     sha512-ctgQM2FrzO9iX[...]xlD6AWGbhoGxg==
npm notice total files:   4                                       
npm notice 
npm notice Publishing to http://gdk.test:3000/api/v4/projects/7/packages/npm/ with tag latest and default access
npm http fetch PUT 200 http://gdk.test:3000/api/v4/projects/7/packages/npm/@flightjs%2fflight-js-3 414ms
+ @flightjs/flight-js-3@1.0.21
npm verb exit 0
npm info ok 

How to set up and validate locally

  1. Enable the feature flag via rails c:
Feature.enable(:packages_protected_packages)
  2. Create a new package protection rule through the frontend (http://gdk.test:3000/flightjs/Flight/-/settings/packages_and_registries) using the following values:
  • Package name pattern: @flightjs/test-npm-package-*
  • Package type: :npm
  • Minimum access level for push: :owner
  3. Create a dummy npm package project for testing publishing:
# Go to a directory outside of the gitlab and gdk directory
mkdir test-npm-package && cd test-npm-package
npm init esm --yes
  4. Adjust the package name in package.json and set it to "@flightjs/test-npm-package-prod"; this must match the package_name_pattern given in step 2.
  5. Create or adjust the .npmrc file so that the npm package is pushed to the GitLab registry, see https://docs.gitlab.com/ee/user/packages/npm_registry/#authenticating-via-the-npmrc
  6. Create a deploy token, see https://docs.gitlab.com/ee/user/project/deploy_tokens/#create-a-deploy-token
  7. Publish the npm test package using the newly created deploy token:
NPM_TOKEN=<deploy_token> npm publish
  8. The package should have been published successfully (instead of receiving a 500 Internal Server Error) 👍
  9. Look up the package protection rule created in step 2 and set the minimum_access_level_for_push to Admin (this only allows admins to publish packages): http://gdk.test:3000/flightjs/Flight/-/settings/packages_and_registries
  10. Try to publish a new version of the package with the deploy token:
npm version patch && NPM_TOKEN=<deploy_token> npm publish
  11. Again, the package should have been published successfully (instead of receiving a 500 Internal Server Error) 👍

Related to #323970

Edited by Gerardo Navarro