dart-lang / pub

The pub command line tool
https://dart.dev/tools/pub/cmd
BSD 3-Clause "New" or "Revised" License

unpub - Insufficient permissions 403 #3318

Closed ulyssescb closed 2 years ago

ulyssescb commented 2 years ago

Environment

Problem

name: myapp
description: Myapp package for Flutter.
version: 0.1.0
repository: https://github.com/<org>/<repo>
publish_to: https://unpub.mycompany.com.br

environment:
  sdk: ">=2.12.0 <3.0.0"
  flutter: ">=2.2.0"

dependencies:
  flutter:
    sdk: flutter
  diacritic: ^0.1.3
  http: ^0.13.3
  json_annotation: ^4.0.1
  provider: ^5.0.0
  cached_network_image: ^3.0.0
...

Our unpub service is internet-facing so Git Actions can access it. For AuthN and AuthZ we have our own system, which leverages Open Policy Agent (OPA) as sidecars.

We generated a static token for authorization with the schema:

{
  "exp": 1958052082,
  "iat": 1642519282,
  "nbf": 1642519282,
  "aud": "opa",
  "iss": "opa",
  "clientId": "unpub"
}

where clientId is validated against our AuthN server.

This token is added with:

export UNPUB_TOKEN="eyJhbGciOiJSUxazI1NiIsInR..."
flutter pub token add https://unpub.mycompany.com.br --env-var UNPUB_TOKEN

Expected behavior

#Works fine
flutter pub get

#Works fine
flutter pub publish -n 

#Fails
flutter pub publish -f 

Actual behavior

flutter pub publish -f

Publishing myapp 0.1.0 to https://unpub.my.com.br:
|-- CHANGELOG.md
|-- LICENSE
|-- README.md
|-- analysis_options.yaml

...
Uploading...
Insufficient permissions to the resource at the https://unpub.mycompany.com.br package repository.
You can modify credentials using:
    pub token add https://unpub.mycompany.com.br
Authentication failed

Verbose output

flutter pub publish -f -v

< All deps are correctly downloaded >

IO  : HTTP response 403 Forbidden for POST https://unpub.mycompany.com.br/api/packages/versions/newUpload
    | took 0:00:00.485395
    | connection: keep-alive
    | x-dns-prefetch-control: off
    | date: Fri, 25 Feb 2022 18:27:53 GMT
    | x-kong-proxy-latency: 175
    | vary: Origin
    | strict-transport-security: max-age=31536000;
    | referrer-policy: no-referrer
    | x-xss-protection: 1; mode=block
    | x-kong-upstream-latency: 3
    | server: envoy
    | x-envoy-upstream-service-time: 2
    | content-length: 0
    | x-download-options: noopen
    | via: kong/2.6.0
    | x-frame-options: deny
    | x-content-type-options: nosniff
FINE: Uploading finished (0.675s).
ERR : Insufficient permissions to the resource at the https://unpub.mycompany.com.br package repository.
    | You can modify credentials using:
    |     pub token add https://unpub.mycompany.com.br
    | Authentication failed!

When issuing a POST against my server using flutter as the client, the server returns 403. Does adding a token with pub token add work for publishing? I'm guessing that it could be something with realm="pub" but I couldn't figure it out.

I don't think it's a problem with our AuthN server, because this is working as well:

TOKEN="eyJhbGciOiJSUxazI1NiIsInR..."
curl https://unpub.mycompany.com.br/api/packages/versions/newUpload -H "Authorization: Bearer $TOKEN" -X POST -v

HTTP/2 302 
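The claim schema posted above, worked through as the check a sidecar in front of unpub would run on the bearer token and the status it hands back to the pub client. This is an added example, not code from pub, unpub or the reporter's OPA setup. Assumptions: the token is an HS256 JWS signed with a constructed shared key (the issue shows a truncated token and does not state the algorithm); the expected aud/iss/clientId values are the ones from the posted payload; "now" is the Date header of the 403 response in the verbose log; and a 401 carries `WWW-Authenticate: Bearer realm="pub", message="..."` as the pub client's authentication spec expects, while a 403 is what pub reports as "Insufficient permissions". The lifetime check is a policy choice added here: the posted exp and iat are ten years apart.

```python
"""Sidecar-style validation of the static bearer token from the issue.

Added example, not unpub/pub/OPA code.  Constructed assumptions:
 - HS256 with the shared key SECRET (the issue's token algorithm is not shown)
 - the claim schema is the one posted in the issue
 - a 401 carries WWW-Authenticate: Bearer realm="pub", message="..." so that
   the pub client can display the message; a 403 maps to pub's
   "Insufficient permissions" error
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-shared-key-for-this-example"   # assumption, not a real key
EXPECTED = {"aud": "opa", "iss": "opa", "clientId": "unpub"}
MAX_LIFETIME = 90 * 86400          # policy choice: flag tokens valid for more than 90 days

# "now" = the Date header of the 403 response in the issue, 2022-02-25 18:27:53 UTC
NOW = 1645813673

# Claims exactly as posted in the issue (exp - iat is 3652 days, i.e. ten years)
ISSUE_CLAIMS = {"exp": 1958052082, "iat": 1642519282, "nbf": 1642519282,
                "aud": "opa", "iss": "opa", "clientId": "unpub"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, key: bytes = SECRET) -> str:
    """Build a compact HS256 JWS for the given claims (fixture for the example)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token: str, key: bytes = SECRET) -> dict:
    """Check structure and HS256 signature; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_unb64url(parts[0]))
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_unb64url(parts[1]))


def check_claims(claims: dict, now: int):
    """Return (problems, warnings): problems deny the request, warnings are policy findings."""
    problems, warnings = [], []
    if now >= claims.get("exp", 0):
        problems.append("expired")
    if now < claims.get("nbf", 0):
        problems.append("not yet valid")
    for key, want in EXPECTED.items():
        if claims.get(key) != want:
            problems.append(f"{key} mismatch")
    lifetime = claims.get("exp", 0) - claims.get("iat", 0)
    if lifetime > MAX_LIFETIME:
        warnings.append(f"token lifetime {lifetime // 86400} days exceeds policy")
    return problems, warnings


def authorize(headers: dict, now: int = NOW):
    """Decide the HTTP status and headers a pub client gets for an upload request."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"WWW-Authenticate": 'Bearer realm="pub", message="token required"'}
    try:
        claims = verify(auth[len("Bearer "):])
    except ValueError as err:
        return 401, {"WWW-Authenticate": f'Bearer realm="pub", message="{err}"'}
    problems, _warnings = check_claims(claims, now)
    if problems:
        return 403, {}      # pub reports this as "Insufficient permissions to the resource ..."
    return 200, {}


if __name__ == "__main__":
    tok = mint(ISSUE_CLAIMS)
    print(authorize({"authorization": f"Bearer {tok}"}))   # (200, {})
    print(check_claims(ISSUE_CLAIMS, NOW))                  # ([], ['token lifetime 3652 days exceeds policy'])
```

The point of splitting 401 from 403 is that the pub client treats them differently: on a 401 it can surface the `message` from `WWW-Authenticate` and prompt for a token, whereas a 403 is reported only as the generic "Insufficient permissions" line seen in the log above, which gives the publisher nothing to act on. The lifetime warning is the finding a reviewer would raise about a static ten-year token handed to CI.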
isoos commented 2 years ago

This is an issue with unpub server. The authentication flow changed in Dart 2.15: we've added token support and IIRC in 2.16 removed the oauth token for third-party servers (for security hardening the toolchain). unpub issue tracker was notified, but apparently they haven't updated their flow: https://github.com/bytedance/unpub/issues/36

jonasfj commented 2 years ago

IMO, this is not related to pub, this is unpub relying on features we've removed because of security concerns.

See also https://github.com/dart-lang/sdk/security/advisories/GHSA-r32f-vhjp-qhj7