
Add authorization to composer package archive download

What does this MR do and why?

Fixes #331601 (closed).

Without this MR, the endpoint https://gitlab.com/api/v4/projects/<project_id>/packages/composer/archives/<package_name>.zip?sha=<sha> does not require authorization, even for private projects.

Those URLs are stored in composer.lock, so currently running composer install does not require any authorization to download the repository archive.

This MR changes that, so that fetching composer package source requires authorization and the read_package ability.

Screenshots - documentation changes

(three screenshots of the documentation changes; images not included)

How to set up and validate locally

  1. Create a project with a composer package registered. It has to be in a group. I've simply used the existing seeder to create projects with composer packages - bundle exec rake db:seed_fu FILTER=composer SEED_COMPOSER=1

  2. Make that project private. I've used the seeded project http://<gdk-host>/composer/Log; make it private or internal if it isn't (I think that visibility is seeded randomly).

  3. Try to download http://<gdk-host>/api/v4/projects/<project_id>/packages/composer/archives/<package_name>.zip?sha=<sha>. Example for composer/log (project id and sha might be different):

    wget 'http://127.0.0.1:3000/api/v4/projects/22/packages/composer/archives/psr/log.zip?sha=fe5ea303b0887d5caefd3d431c3e61ad47037001'

    Without my changes it downloads without authorization, but with my changes you'll receive something similar to:

    HTTP request sent, awaiting response... 401 Unauthorized
    
    Username/Password Authentication Failed
  4. Use a token to download the file and verify that it works. Example (using the default gdk admin token):

    wget --header='Authorization: Bearer ypCa3Dzb23o5nvsixwPA' 'http://127.0.0.1:3000/api/v4/projects/22/packages/composer/archives/psr/log.zip?sha=fe5ea303b0887d5caefd3d431c3e61ad47037001'

Additionally, I've verified that it works correctly with the composer command:

mkdir tmp-test-project
cd tmp-test-project
composer init --name=test/test -q
# Change <group_id> to the id of the group containing your project with psr/log; change 127.0.0.1:3000 to your gdk address.
# Note that for composer I had to use 127.0.0.1 instead of localhost.
composer config repositories.0 composer http://127.0.0.1:3000/api/v4/group/<group_id>/-/packages/composer/
# I don't have https in my local gdk, so I'm allowing composer to use http
composer config secure-http false
# Disable official repo, since psr/log exists there and might be used instead
composer config repositories.packagist false
# Add authorization - change 127.0.0.1:3000 to your gdk address; I'm using root gdk token here
composer config 'gitlab-token.127.0.0.1:3000' ypCa3Dzb23o5nvsixwPA
composer config gitlab-domains '127.0.0.1:3000'
# Install package - this works if everything was set up correctly.
composer require psr/log:dev-master
# Remove vendor and auth.json - removing vendor means that package will have to be reinstalled, and removing auth makes future requests unauthorized.
rm -fr vendor auth.json
# Verify that it cannot be installed anymore without credentials.
# The --no-cache is important, as otherwise it would just use locally cached directory
composer install --no-cache

Without my MR the command above would install the package just fine - without any authorization - but now it prompts for a username/password.

Then I reran the command after authorizing:

composer config 'gitlab-token.127.0.0.1:3000' ypCa3Dzb23o5nvsixwPA
# This will reinstall correctly now:
composer install --no-cache

And verified that it installed correctly with the token.
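The manual wget checks above can be turned into a repeatable audit. The script below is an added example, not code from this MR or from GitLab: it reads the dist URLs that composer.lock records, keeps the ones that point at the projects/.../packages/composer/archives endpoint, and confirms that each one answers 401/403 anonymously and 200 with a bearer token. The lock file content and the token value are constructed for illustration; the HTTP call can be swapped for a stub so the logic can be checked offline.

```python
"""Audit composer.lock archive URLs: anonymous download must be refused, token download must work."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# The endpoint this MR puts behind authorization: .../projects/<id>/packages/composer/archives/<name>.zip?sha=<sha>
ARCHIVE_RE = re.compile(r"/api/v4/projects/\d+/packages/composer/archives/.+\.zip\?sha=[0-9a-f]+$")


def archive_urls(lock_json: str) -> List[str]:
    """Return dist URLs from a composer.lock document that hit the GitLab composer archive endpoint."""
    data = json.loads(lock_json)
    urls = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            url = pkg.get("dist", {}).get("url", "")
            if ARCHIVE_RE.search(url):
                urls.append(url)
    return urls


def http_status(url: str, token: Optional[str] = None) -> int:
    """GET the URL, optionally with a bearer token, and return the HTTP status code."""
    req = urllib.request.Request(url, method="GET")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(lock_json: str, token: str,
          status: Callable[..., int] = http_status) -> Dict[str, bool]:
    """Map each archive URL to True when anonymous access is refused and the token is accepted."""
    results = {}
    for url in archive_urls(lock_json):
        anonymous_refused = status(url) in (401, 403)
        token_accepted = status(url, token) == 200
        results[url] = anonymous_refused and token_accepted
    return results


if __name__ == "__main__":
    # Constructed sample: one GitLab archive URL and one unrelated GitHub URL.
    sample_lock = json.dumps({"packages": [
        {"name": "psr/log", "dist": {"type": "zip", "url": "http://127.0.0.1:3000/api/v4/projects/22/"
         "packages/composer/archives/psr/log.zip?sha=fe5ea303b0887d5caefd3d431c3e61ad47037001"}},
        {"name": "other/lib", "dist": {"type": "zip", "url": "https://api.github.com/repos/x/y/zipball/abc"}}]})
    print(audit(sample_lock, "<gdk-token-placeholder>"))  # live check against a running gdk
```

A False entry means the archive is still downloadable without credentials (or the token lacks read_package), which is exactly the pre-MR behaviour the validation steps above demonstrate.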

Changed documentation sections:

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Piotr Stankowski
