feat: gitlab-11.2-group-api-improvements

- use the new gitlab 11.2 `min_access_level` parameter in the groups api:
  publish rights are now configurable based on the access level of the
  user to the groups, it doesn't require owner permissions
- add new configuration parameters for `access` and `publish` access
  levels

Author: dlouzan

README.md

@@ -13,11 +13,16 @@ the following:
 
 - no admin token required
 - user authenticates with Personal Access Token
-- owned groups (no subgroups) are added to the user
-- publish packages if package scope or name is an owned group name
+- access & publish packages if package scope or name match a gitlab
+  group for which the user has appropriate permissions
 
 > This is experimental!
 
+## Gitlab Version Compatibility
+
+Gitlab 11.2+ is required due to usage of the `v4` api version and
+the granular group api `min_access_level` query param
+
 ## Use it
 
 You need at least node version 8.x.x, codename **carbon**.
@@ -47,6 +52,8 @@ auth:
     authCache:
       enabled: true
       ttl: 300
+    access: $reporter
+    publish: $maintainer
 
 uplinks:
   npmjs:

conf/docker.yaml

@@ -11,6 +11,8 @@ auth:
     authCache:
       enabled: true
       ttl: 300
+    access: $reporter
+    publish: $maintainer
 
 uplinks:
   npmjs:
@@ -31,5 +33,5 @@ packages:
     gitlab: true
 
 logs:
-  - {type: stdout, format: pretty, level: info }
+  - { type: stdout, format: pretty, level: info }
   #- {type: file, path: verdaccio.log, level: info}

conf/localhost.yaml

@@ -0,0 +1,37 @@
+storage: /tmp/storage/data
+
+plugins: /tmp/plugins
+
+listen:
+  - 0.0.0.0:4873
+
+auth:
+  gitlab:
+    url: http://localhost:50080
+    authCache:
+      enabled: true
+      ttl: 300
+    access: $reporter
+    publish: $maintainer
+
+uplinks:
+  npmjs:
+    url: https://registry.npmjs.org/
+
+packages:
+  '@*/*':
+    # scoped packages
+    access: $all
+    publish: $authenticated
+    proxy: npmjs
+    gitlab: true
+
+  '**':
+    access: $all
+    publish: $authenticated
+    proxy: npmjs
+    gitlab: true
+
+logs:
+  - { type: stdout, format: pretty, level: trace }
+  #- {type: file, path: verdaccio.log, level: info}

docker-compose.yml

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   gitlab:
-    image: 'gitlab/gitlab-ce:latest'
+    image: 'gitlab/gitlab-ce:nightly'
     restart: always
     environment:
       - GITLAB_ROOT_PASSWORD=verdaccio

src/authcache.js

@@ -24,7 +24,7 @@ export class AuthCache {
     });
     this.storage.on('expired', (key, value) => {
       if (this.logger.trace()) {
-        this.logger.trace(`[gitlab] expired key: ${key} with value: ${value}`);
+        this.logger.trace(`[gitlab] expired key: ${key} with value:`, value);
       }
     });
   }
@@ -45,15 +45,20 @@ export class AuthCache {
 
 }
 
+export type UserDataGroups = {
+  access: string[],
+  publish: string[]
+};
+
 export class UserData {
   _username: string;
-  _groups: string[];
+  _groups: UserDataGroups;
 
   get username(): string { return this._username; }
-  get groups(): string[] { return this._groups; }
-  set groups(groups: string[]) { this._groups = groups; }
+  get groups(): UserDataGroups { return this._groups; }
+  set groups(groups: UserDataGroups) { this._groups = groups; }
 
-  constructor(username: string, groups: string[]) {
+  constructor(username: string, groups: UserDataGroups) {
     this._username = username;
     this._groups = groups;
   }

src/gitlab.js

@@ -2,29 +2,50 @@
 // SPDX-License-Identifier: MIT
 // @flow
 
+import type { Callback, IPluginAuth, Logger, PluginOptions, RemoteUser, PackageAccess } from '@verdaccio/types';
+import type { UserDataGroups } from './authcache';
+
 import Gitlab from 'gitlab';
 import { AuthCache, UserData } from './authcache';
 import httperror from 'http-errors';
-import type { Callback, Config, IPluginAuth, Logger, PluginOptions, RemoteUser, PackageAccess } from '@verdaccio/types';
 
-export type VerdaccioGitlabConfig = Config & {
+export type VerdaccioGitlabAccessLevel =
+  '$guest' |
+  '$reporter' |
+  '$developer' |
+  '$maintainer' |
+  '$owner';
+
+export type VerdaccioGitlabConfig = {
   url: string,
   authCache?: {
     enabled?: boolean,
     ttl?: number
-  }
+  },
+  access?: VerdaccioGitlabAccessLevel,
+  publish?: VerdaccioGitlabAccessLevel
 };
 
-type VerdaccioGitlabPackageAccess = PackageAccess & {
+export type VerdaccioGitlabPackageAccess = PackageAccess & {
   name: string,
   gitlab?: boolean
 }
 
+const ACCESS_LEVEL_MAPPING = {
+  $guest: 10,
+  $reporter: 20,
+  $developer: 30,
+  $maintainer: 40,
+  $owner: 50
+};
+
 export default class VerdaccioGitLab implements IPluginAuth {
   options: PluginOptions;
   config: VerdaccioGitlabConfig;
   authCache: AuthCache;
   logger: Logger;
+  accessLevel: VerdaccioGitlabAccessLevel;
+  publishLevel: VerdaccioGitlabAccessLevel;
 
   constructor(
     config: VerdaccioGitlabConfig,
@@ -46,6 +67,17 @@ export default class VerdaccioGitLab implements IPluginAuth {
       this.logger.info(`[gitlab] initialized auth cache with ttl: ${ttl} seconds`);
     }
 
+    this.accessLevel = '$reporter';
+    if (this.config.access) {
+      this.accessLevel = this.config.access;
+    }
+    this.logger.info(`[gitlab] access control level: ${this.config.access || ''}`);
+
+    this.publishLevel = '$owner';
+    if (this.config.publish) {
+      this.publishLevel = this.config.publish;
+    }
+    this.logger.info(`[gitlab] publish control level: ${this.config.publish || ''}`);
   }
 
   authenticate(user: string, password: string, cb: Callback) {
@@ -55,8 +87,8 @@ export default class VerdaccioGitLab implements IPluginAuth {
     const cachedUserGroups = this._getCachedUserGroups(user, password);
 
     if (cachedUserGroups) {
-      this.logger.debug(`[gitlab] user: ${user} found in cache, authenticated with groups: ${cachedUserGroups.toString()}`);
-      return cb(null, cachedUserGroups);
+      this.logger.debug(`[gitlab] user: ${user} found in cache, authenticated with groups:`, cachedUserGroups);
+      return cb(null, cachedUserGroups.publish);
     }
 
     // Not found in cache, query gitlab
@@ -67,28 +99,47 @@ export default class VerdaccioGitLab implements IPluginAuth {
       token: password
     });
 
-    GitlabAPI.Users.current().then(response => {
+    const pUsers = GitlabAPI.Users.current();
+    return pUsers.then(response => {
       if (user !== response.username) {
         return cb(httperror[401]('wrong gitlab username'));
       }
 
-      // Set the groups of an authenticated user to themselves and all gitlab projects of which they are an owner
-      let ownedGroups = [user];
-      GitlabAPI.Groups.all({owned: true}).then(groups => {
-        for (let group of groups) {
-          if (group.path === group.full_path) {
-            ownedGroups.push(group.path);
-          }
-        }
+      const accessLevelId = this.config.access ? ACCESS_LEVEL_MAPPING[this.config.access] : null;
+      const publishLevelId = this.config.publish ? ACCESS_LEVEL_MAPPING[this.config.publish] : null;
+
+      const userGroups = {
+        access: [user],
+        publish: [user]
+      };
+
+      // Set the groups of an authenticated user:
+      // - for access, themselves and all groups with access level $auth.gitlab.access configuration
+      // - for publish, themselves and all groups with access level $auth.gitlab.publish configuration
+
+      const pAccessGroups = GitlabAPI.Groups.all({min_access_level: accessLevelId}).then(groups => {
+        this._addGroupsToArray(groups, userGroups.access);
+      }).catch(error => {
+        this.logger.error(`[gitlab] user: ${user} error querying access groups: ${error}`);
+      });
+
+      const pPublishGroups = GitlabAPI.Groups.all({min_access_level: publishLevelId}).then(groups => {
+        this._addGroupsToArray(groups, userGroups.publish);
+      }).catch(error => {
+        this.logger.error(`[gitlab] user: ${user} error querying publish groups: ${error}`);
+      });
 
-        // Store found groups in cache
-        this._setCachedUserGroups(user, password, ownedGroups);
-        this.logger.trace(`[gitlab] saving data in cache for user: ${user}`);
+      const pGroups = Promise.all([pAccessGroups, pPublishGroups]);
+      return pGroups.then(() => {
+        this._setCachedUserGroups(user, password, userGroups);
 
         this.logger.info(`[gitlab] user: ${user} authenticated`);
-        this.logger.debug(`[gitlab] user: ${user} authenticated, with groups: ${ownedGroups.toString()}`);
-        return cb(null, ownedGroups);
+        this.logger.debug(`[gitlab] user: ${user} authenticated, with groups:`, userGroups);
+        return cb(null, userGroups.publish);
+      }).catch(error => {
+        this.logger.error(`[gitlab] error authenticating: ${error}`);
       });
+
     }).catch(error => {
       this.logger.info(`[gitlab] user: ${user} error authenticating: ${error.message || {}}`);
       if (error) {
@@ -104,68 +155,83 @@ export default class VerdaccioGitLab implements IPluginAuth {
 
   allow_access(user: RemoteUser, _package: VerdaccioGitlabPackageAccess, cb: Callback) {
     if (!_package.gitlab) { return cb(); }
+
     if ((_package.access || []).includes('$authenticated') && user.name !== undefined) {
       this.logger.debug(`[gitlab] allow user: ${user.name} access to package: ${_package.name}`);
       return cb(null, true);
-    } else if (! (_package.access || []).includes('$authenticated')) {
+    } else if (!(_package.access || []).includes('$authenticated')) {
       this.logger.debug(`[gitlab] allow unauthenticated access to package: ${_package.name}`);
       return cb(null, true);
     } else {
       this.logger.debug(`[gitlab] deny user: ${user.name || ''} access to package: ${_package.name}`);
       return cb(null, false);
     }
+
   }
 
   allow_publish(user: RemoteUser, _package: VerdaccioGitlabPackageAccess, cb: Callback) {
     if (!_package.gitlab) { return cb(); }
-    let packageScopeOwner = false;
-    let packageOwner = false;
+    let packageScopePermit = false;
+    let packagePermit = false;
 
     // Only allow to publish packages when:
     //  - the package has exactly the same name as one of the user groups, or
     //  - the package scope is the same as one of the user groups
     for (let real_group of user.real_groups) { // jscs:ignore requireCamelCaseOrUpperCaseIdentifiers
       this.logger.trace(`[gitlab] publish: checking group: ${real_group} for user: ${user.name || ''} and package: ${_package.name}`);
       if (real_group === _package.name) {
-        packageOwner = true;
+        packagePermit = true;
         break;
       } else {
         if (_package.name.indexOf('@') === 0) {
           if (real_group === _package.name.slice(1, _package.name.lastIndexOf('/'))) {
-            packageScopeOwner = true;
+            packageScopePermit = true;
             break;
           }
         }
       }
     }
 
-    if (packageOwner === true) {
-      this.logger.debug(`[gitlab] user: ${user.name || ''} allowed to publish package: ${_package.name} as owner of package-name`);
+    if (packagePermit === true) {
+      this.logger.debug(`[gitlab] user: ${user.name || ''} allowed to publish package: ${_package.name} based on package-name`);
       return cb(null, false);
     } else {
-      if (packageScopeOwner === true) {
-        this.logger.debug(`[gitlab] user: ${user.name || ''} allowed to publish package: ${_package.name} as owner of package-scope`);
+      if (packageScopePermit === true) {
+        this.logger.debug(`[gitlab] user: ${user.name || ''} allowed to publish package: ${_package.name} based on package-scope`);
         return cb(null, false);
       } else {
         this.logger.debug(`[gitlab] user: ${user.name || ''} denied from publishing package: ${_package.name}`);
         if (_package.name.indexOf('@') === 0) {
-          return cb(httperror[403]('must be owner of package-scope'));
+          return cb(httperror[403](`must have required permissions: ${this.config.publish || ''} at package-scope`));
         } else {
-          return cb(httperror[403]('must be owner of package-name'));
+          return cb(httperror[403](`must have required permissions: ${this.config.publish || ''} at package-name`));
         }
       }
     }
   }
 
-  _getCachedUserGroups(username: string, password: string): ?string[] {
+  _getCachedUserGroups(username: string, password: string): ?UserDataGroups {
     if (! this.authCache) {
       return null;
     }
     const userData = this.authCache.findUser(username, password);
     return (userData || {}).groups || null;
   }
 
-  _setCachedUserGroups(username: string, password: string, groups: string[]): boolean {
-    return this.authCache && this.authCache.storeUser(username, password, new UserData(username, groups));
+  _setCachedUserGroups(username: string, password: string, groups: UserDataGroups): boolean {
+    if (! this.authCache) {
+      return false;
+    }
+    this.logger.trace(`[gitlab] saving data in cache for user: ${username}`);
+    return this.authCache.storeUser(username, password, new UserData(username, groups));
+  }
+
+  _addGroupsToArray(src: {path: string, full_path: string}[], dst: string[]) {
+    src.forEach(group => {
+      if (group.path === group.full_path) {
+        dst.push(group.path);
+      }
+    });
   }
+
 }