dzikoysk / reposilite

Lightweight and easy-to-use repository management software dedicated for the Maven-based artifacts in the JVM ecosystem 📦
https://reposilite.com
Apache License 2.0

Forwarding user access tokens to mirrored private repos #2273

Open traksag opened 4 weeks ago

traksag commented 4 weeks ago

Request details

Currently we're using Artifactory, but we're looking for an alternative that's lightweight, simple and less crashy. Reposilite seems like a good alternative, though it looks like we can't replicate our current setup with it. Our Artifactory setup is as follows:

The point of the repo all is that we can slap it in the pom.xml of all our public and private projects to handle dependency management without any fuss. Artifactory will only allow access to our private artifacts if a user has valid credentials for the private repos, even if the artifacts are accessed through the repo all.

I've perused the documentation and other discussions on here, but it seems it's not possible to replicate this kind of setup in Reposilite? If I create a public repo in Reposilite that mirrors the private repos, it seems the private artifacts aren't available through it, even if a user with valid credentials for the private repos attempts to retrieve them. And if I set mirror credentials for the private repos, the private artifacts effectively become public through the mirroring repo.

In our case, users have access to all private repos or none, so I suppose we could create two separate repos all-private and all-public that mirror all private and public repos respectively. Then we can use those two repos in all our projects for dependency management. However, that's a bit less convenient than using a single all repo and also requires additional pom.xml editing if we ever add more fine-grained access control to the private repos.

It may also be worthwhile to note that some of our public projects depend on private artifacts. We're not legally allowed to host these private artifacts publicly, but everyone can compile these JARs themselves. They're in a private repo so CI and our dev team don't need to compile them.

I don't know if there are plans to support this kind of setup or if you would be willing to support this kind of behaviour. I'm up for attempting a pull request that implements it. I've also noticed there's a plugin API, though I haven't really looked into it. Is it possible to implement this kind of thing with a plugin?

dzikoysk commented 1 week ago

Currently, we don't support mirroring user's credentials. The reason behind it is quite simple - it's a relatively simple way to leak credentials to 3rd party repositories, and there's no straightforward workaround for that right now. Of course, in the mirror config, you can set credentials to the private repo that will be just shared between all users.

In general, I think it'd be safer if you'd just keep these repositories separated. While it might not be that convenient, it should be healthier from the security perspective.

I don't know if there are plans to support this kind of setup or if you would be willing to support this kind of behaviour. I'm up for attempting a pull request that implements it.

I'm currently shifting my priorities into 4.x, so I'll most likely not handle it on my own. If you'd like to explore it on your own, feel free to take a look at it. Even if it'll require too many changes on our side, you could just use your fork. We don't expect many changes in the 3.x, so it should be fairly simple to sync it with master from time to time.

I've also noticed there's a plugin API, though I haven't really looked into it. Is it possible to implement this kind of thing with a plugin?

Speaking of the plugin API - you can sneak in your own implementation; ResolvedFileEvent would be the first candidate there:

Of course, in case of any API limitations, we can for sure add more events as it usually costs us nothing.
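The credential-forwarding risk described in this thread, as an added example that is not part of the issue or of Reposilite's code: a small Python model of an "all" repository resolving artifacts through its mirrors, comparing a naive forward-the-user's-token-everywhere policy with one scoped to mirrors the operator explicitly trusts, and showing why a shared credential in the mirror config makes private artifacts effectively public. Mirror names, tokens and artifact coordinates are constructed.

```python
# Constructed model of how a proxy repository resolves an artifact through its
# mirrors and which credential each mirror sees. Not Reposilite code; all names
# and tokens below are made up for illustration.
from dataclasses import dataclass
from typing import Optional

_ABSENT = object()  # sentinel: artifact not hosted on this mirror

@dataclass
class Mirror:
    name: str
    artifacts: dict                               # gav -> credential required (None = public)
    configured_credential: Optional[str] = None   # shared credential from the mirror config
    forward_user_tokens: bool = False             # operator explicitly trusts host with user tokens

def resolve(mirrors, gav, user_token, policy):
    """Try mirrors in order; return (serving mirror or None, credentials sent per mirror).

    "forward": send the requester's own token to every mirror (leaks it to third parties).
    "scoped":  send it only to mirrors flagged forward_user_tokens, else use the shared one.
    """
    sent = []
    for m in mirrors:
        if policy == "forward":
            cred = user_token or m.configured_credential
        elif policy == "scoped":
            cred = user_token if (user_token and m.forward_user_tokens) else m.configured_credential
        else:
            raise ValueError(f"unknown policy {policy!r}")
        sent.append((m.name, cred))               # what this upstream actually receives
        required = m.artifacts.get(gav, _ABSENT)
        if required is _ABSENT:
            continue
        if required is None or cred == required:
            return m.name, sent
    return None, sent

def leaked_to(sent, token):
    """Names of the mirrors that received the given token."""
    return [name for name, cred in sent if cred == token]

# Sample "all" repository: a third-party public host first, a private host second.
CENTRAL = Mirror("central", {"org.example:lib:1.0": None})
PRIVATE = Mirror("private", {"com.corp:secret:2.0": "user-token"}, forward_user_tokens=True)
# Same private host, but with a shared credential set in the mirror config instead.
PRIVATE_SHARED = Mirror("private", {"com.corp:secret:2.0": "svc-token"}, configured_credential="svc-token")
```

Under the "forward" policy a public artifact served by the third-party host is fetched with the user's token attached, which is the leak the maintainer refers to; with a shared mirror credential an anonymous request still resolves the private artifact.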