n4bb12 / verdaccio-github-oauth-ui

📦🔐 GitHub OAuth plugin for Verdaccio
https://verdaccio.org
MIT License

Per-Repository Access Rights to allow access for Outside Collaborators #136

Closed hybridherbst closed 2 years ago

hybridherbst commented 2 years ago

Feature Request

From the docs (and from my tests), it looks like currently per-org and per-team access is supported. Would it be possible to add per-repo? While per-team works for many use cases, per-repo would be better in some cases.

Most relevant use case there would be that on a per-repository level access can be configured to contain Outside Collaborators, while on a per-team level people are always org members and can't be outside collaborators.

Is your feature request related to a problem? Please describe.

Teams can't contain outside collaborators, and thus grouping outside collaborators with access rights in Verdaccio through this plugin is impossible right now (or I'm missing something to configure per-repo access rights).

Describe the solution you'd like

Ability to use the same syntax (github/org/stuff) but the latter part could either be a team (as-is) or a repo (new).

Describe alternatives you've considered

As far as I can see the alternative would be adding individual users, which also might not be supported (or I couldn't find it); this would kinda defeat the purpose of using a middleware though.

EDIT: I think the right place to add something like this would be somewhere around here or here; my javascript/typescript knowledge is pretty limited though :(

n4bb12 commented 2 years ago

Sounds like a good use case.

How would you suggest doing that configuration-wise?

hybridherbst commented 2 years ago

Ideally I think the system would just figure out what matches, e.g.

github/GITHUB_ORG
github/GITHUB_ORG/GITHUB_TEAM
github/GITHUB_ORG/GITHUB_REPO
github/GITHUB_USER

If github/GITHUB_ORG/GITHUB_TEAM wasn't already in use I'd probably use the same syntax as the URL on GitHub, e.g. github/GITHUB_ORG/teams/GITHUB_TEAM to have unique identifiers, but that would break existing stuff, not great.

So this might mean that there are multiple requests though (not sure what's cached and what not); an alternative would be

github/GITHUB_ORG/repo:GITHUB_REPO
github/user:GITHUB_USER

or

github/GITHUB_ORG/repo/GITHUB_REPO
github/user/GITHUB_USER

What do you think?

n4bb12 commented 2 years ago

The thing with teams and repos is that they don't share namespaces. One could create a repository named the same as a certain team and thereby gain access to the packages only that team is supposed to have access to.

github/GITHUB_USER works because orgs and usernames share the same name pool, hence it's not possible to forge a collision.

I'm also thinking something along those lines, just not quite sure how to deal with that.

hybridherbst commented 2 years ago

I think the safest way would be to explicitly specify github/GITHUB_ORG/repo:GITHUB_REPO which can't be a path then?

n4bb12 commented 2 years ago

That should work. I like your github/GITHUB_ORG/repo/GITHUB_REPO variant because it's a little bit easier to split. Thank you :)

hybridherbst commented 2 years ago

Thank you! Looking forward to this :)

hybridherbst commented 2 years ago

Do you think you might get to this anytime soon? Especially the per-repo access part. If not, no problem, just trying to understand if I should set up things with teams in the meantime or can wait a bit :) Thanks!

n4bb12 commented 2 years ago

https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/3.1.0

Please let me know if you encounter any issues.

n4bb12 commented 2 years ago

Sorry, outside collaborators don't work yet because org membership is currently a hard login requirement. See https://github.com/n4bb12/verdaccio-github-oauth-ui/blob/master/src/server/plugin/AuthCore.ts#L46.

We could question if an org membership should really be necessary for login. Access to packages can be restricted independently of the login. Users that are not part of a certain org could be able to log in but simply not see anything and not have access to anything.

But the current semantics are that $authenticated refers to members of the org configured in the plugin options. See https://github.com/n4bb12/verdaccio-github-oauth-ui#org-required. Lifting this requirement would unfortunately be a breaking change.

Maybe we could make the org option optional. Currently, it's required. If it is configured, it could be a login requirement (current behavior), if not, everybody could log in and only the package configuration would restrict access. That might be a way to keep things backward compatible and allow access for outside collaborators.

What do you think?
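
The two design points above (a three-segment group must never be read as "team or repo", because teams and repos are separate namespaces and a repo can be created with a team's name; and org membership as an optional login gate that composes with per-package groups) can be shown in code. The following is an added example and not code from verdaccio-github-oauth-ui; the identity shape, the `github` provider prefix, the `repo` marker and every org, team, repo and user name in it are assumptions for illustration.

```typescript
// Added example, not code from verdaccio-github-oauth-ui: a resolver for the
// access-group syntax discussed in this thread. It contrasts a naive matcher
// (three-segment group = team or repo) with the explicit `github/ORG/repo/REPO`
// form, and composes an optional org login gate with per-package groups.
// The identity shape and all names below are assumptions for illustration.

type GitHubIdentity = {
  login: string;
  orgs: string[];   // orgs the user is a member of
  teams: string[];  // "org/team" slugs the user belongs to
  repos: string[];  // "org/repo" the user can access, including as outside collaborator
};

type ParsedGroup =
  | { kind: "orgOrUser"; name: string }            // github/NAME (orgs and users share one name pool)
  | { kind: "team"; org: string; team: string }    // github/ORG/TEAM
  | { kind: "repo"; org: string; repo: string };   // github/ORG/repo/REPO

const PROVIDER = "github";

// Parse a Verdaccio access group string. Anything that is not one of the three
// recognised shapes yields null, so unknown syntax never grants access.
function parseGroup(group: string): ParsedGroup | null {
  const parts = group.split("/");
  if (parts[0] !== PROVIDER || parts.some((p) => p === "")) return null;
  switch (parts.length) {
    case 2: return { kind: "orgOrUser", name: parts[1] };
    case 3: return { kind: "team", org: parts[1], team: parts[2] };
    case 4: return parts[2] === "repo" ? { kind: "repo", org: parts[1], repo: parts[3] } : null;
    default: return null;
  }
}

// Strict matcher: a three-segment group is only ever a team; repositories must
// be named with the explicit `repo` marker, so no team/repo collision is possible.
function matches(group: string, id: GitHubIdentity): boolean {
  const g = parseGroup(group);
  if (!g) return false;
  switch (g.kind) {
    case "orgOrUser": return id.login === g.name || id.orgs.includes(g.name);
    case "team": return id.teams.includes(`${g.org}/${g.team}`);
    case "repo": return id.repos.includes(`${g.org}/${g.repo}`);
    default: return false;
  }
}

// Naive matcher the thread rejects: reads `github/ORG/NAME` as "team or repo
// named NAME". Because teams and repos are separate namespaces, an org member
// who may create repositories can create one named after a privileged team and
// satisfy the group without being on that team.
function naiveMatches(group: string, id: GitHubIdentity): boolean {
  const parts = group.split("/");
  if (parts[0] !== PROVIDER || parts.some((p) => p === "")) return false;
  if (parts.length === 2) return id.login === parts[1] || id.orgs.includes(parts[1]);
  if (parts.length === 3) {
    const key = `${parts[1]}/${parts[2]}`;
    return id.teams.includes(key) || id.repos.includes(key);
  }
  return false;
}

// Login gate as proposed in the thread: if an org is configured, membership is
// required to log in at all (current behaviour); if it is not configured, anyone
// with a GitHub account may log in and only the package groups restrict access.
function canLogin(requiredOrg: string | undefined, id: GitHubIdentity): boolean {
  return requiredOrg === undefined || id.orgs.includes(requiredOrg);
}

// A package is accessible only if the user may log in and at least one of the
// package's access groups matches the user's identity.
function hasAccess(packageGroups: string[], requiredOrg: string | undefined, id: GitHubIdentity): boolean {
  return canLogin(requiredOrg, id) && packageGroups.some((g) => matches(g, id));
}

// Constructed identities for illustration (not real accounts).
const outsideCollaborator: GitHubIdentity = {
  login: "contractor", orgs: [], teams: [], repos: ["acme/widgets"],
};
const repoSquatter: GitHubIdentity = {
  login: "mallory", orgs: ["acme"], teams: [], repos: ["acme/admins"], // created a repo named like the team
};
const teamMember: GitHubIdentity = {
  login: "alice", orgs: ["acme"], teams: ["acme/admins"], repos: ["acme/widgets"],
};
```

Note that a repo group is always four segments, so `github/acme/repo` still parses as the team named `repo` and `github/acme/repo/admins` unambiguously names the repository; a group in the GitHub-URL style such as `github/acme/teams/admins` is rejected rather than guessed at.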

hybridherbst commented 2 years ago

Yes, I think making it optional sounds right (I thought it was only used to get the secret etc to route to the right request, I didn't expect it to already control access).

Besides allowing outside collaborators, this also would allow adding specific other orgs to specific access controls, which I thought was already possible and we were planning to use anyways - so good find 🙂

hybridherbst commented 2 years ago

Ugh, seems this is a can of worms, private repos seem to only be included if the requested OAuth scope contains "repo", there's no "repo:read", and "org:read" doesn't seem to return private repos at all.

n4bb12 commented 2 years ago

private repos seem to only be included if the requested OAuth scope contains "repo"

Good catch! I fixed this (https://github.com/n4bb12/verdaccio-github-oauth-ui/commit/eef7d995203df7a13b94032ce047c44730758e26) and made a release (3.1.1).

However, this of course makes https://github.com/n4bb12/verdaccio-github-oauth-ui/issues/139 worse since the list now gets even longer.

hybridherbst commented 2 years ago

Thank you! - so making the org optional might be the last step remaining for this, right?

n4bb12 commented 2 years ago

Yes, currently working on it. 😀

hybridherbst commented 2 years ago

Awesome - let me know when you have something to test!

n4bb12 commented 2 years ago

Here you go: https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/3.2.0. See the updated configuration docs: https://github.com/n4bb12/verdaccio-github-oauth-ui#verdaccio-config