Merge pull request #60 from bufferoverflow/feat/improve-access-modes

feat: make allow_access behave closer to htpasswd default auth plugin

Author: bufferoverflow

README.md

@@ -93,23 +93,41 @@ yarn publish --registry http://localhost:4873
 
 Access and publish access rights depend on the mode used.
 
-### Normal Mode
+verdaccio-gitlab access control will only be applied to package sections that
+are marked with `gitlab: true` as in the configuration sample above. If you
+wish to disable gitlab authentication to any package config, just remove the
+element from the config.
 
-In the default mode, packages are available:
+### Normal Mode (default)
 
-- *access* is allowed depending on verdaccio `package` configuration
-  directives (unauthenticated / authenticated)
-- *publish* is allowed if the package name matches the logged in user
-  id, or if the package name / scope of the package matches one of the
-  user groups and the user has `auth.gitlab.publish` access rights on
+In normal mode, packages are available:
+
+#### Access
+
+*access* is allowed depending on the following verdaccio `package` configuration
+directives:
+
+- authenticated users are able to access all packages
+- unauthenticated users will be able to access packages marked with either
+  `$all` or `$anonymous` access levels at the package group definition
+
+Please note that no group or package name mapping is applied on access, any
+user successfully authenticated can access all packages.
+
+#### Publish
+
+*publish* is allowed if the package name matches the logged in user
+  id, or if the package name or scope of the package matches one of the
+  user's groups, and the user has `auth.gitlab.publish` access rights on
   the group
 
 For instance, assuming the following configuration:
 
 - `auth.gitlab.publish` = `$maintainer`
 - the gitlab user `sample_user` has access to group `group1` as
-  `$maintainer` and `group2` as `$reporter`
-- then this user could publish any of the npm packages:
+  `$maintainer` and `group2` as `$reporter` in gitlab
+- then this user would be able to *access* any package
+- *publish* any of the following npm packages in verdaccio:
   - `sample_user`
   - any package under `group1/**`
   - error if the user tries to publish any package under `group2/**`

src/gitlab.js

@@ -39,6 +39,13 @@ const ACCESS_LEVEL_MAPPING = {
   $owner: 50
 };
 
+// List of verdaccio builtin levels that map to anonymous access
+const BUILTIN_ACCESS_LEVEL_ANONYMOUS = [ '$anonymous', '$all' ];
+
+// Level to apply on 'allow_access' calls when a package definition does not define one
+const DEFAULT_ALLOW_ACCESS_LEVEL = [ '$all' ];
+
+
 export default class VerdaccioGitLab implements IPluginAuth {
   options: PluginOptions;
   config: VerdaccioGitlabConfig;
@@ -140,15 +147,19 @@ export default class VerdaccioGitLab implements IPluginAuth {
   allow_access(user: RemoteUser, _package: VerdaccioGitlabPackageAccess, cb: Callback) {
     if (!_package.gitlab) return cb(null, false);
 
-    if ((_package.access || []).includes('$authenticated') && user.name !== undefined) {
-      this.logger.debug(`[gitlab] allow user: ${user.name} access to package: ${_package.name}`);
-      return cb(null, false);
-    } else if ((_package.access || []).includes('$all')) {
-      this.logger.debug(`[gitlab] allow unauthenticated access to package: ${_package.name}`);
-      return cb(null, false);
-    } else {
-      this.logger.debug(`[gitlab] deny user: ${user.name || '<empty>'} access to package: ${_package.name}`);
-      return cb(httperror[401]('access denied, user not authenticated in gitlab and unauthenticated package access disabled'));
+    const packageAccess = (_package.access && _package.access.length > 0) ? _package.access : DEFAULT_ALLOW_ACCESS_LEVEL;
+
+    if (user.name !== undefined) { // successfully authenticated
+      this.logger.debug(`[gitlab] allow user: ${user.name} authenticated access to package: ${_package.name}`);
+      return cb(null, true);
+    } else { // unauthenticated
+      if (BUILTIN_ACCESS_LEVEL_ANONYMOUS.some(level => packageAccess.includes(level))) {
+        this.logger.debug(`[gitlab] allow anonymous access to package: ${_package.name}`);
+        return cb(null, true);
+      } else {
+        this.logger.debug(`[gitlab] deny access to package: ${_package.name}`);
+        return cb(httperror[401]('access denied, user not authenticated and anonymous access disabled'));
+      }
     }
   }
 
@@ -175,7 +186,7 @@ export default class VerdaccioGitLab implements IPluginAuth {
     if (packagePermit || packageScopePermit) {
       const perm = packagePermit ? 'package-name' : 'package-scope';
       this.logger.debug(`[gitlab] user: ${user.name || ''} allowed to publish package: ${_package.name} based on ${perm}`);
-      return cb(null, false);
+      return cb(null, true);
     } else {
       this.logger.debug(`[gitlab] user: ${user.name || ''} denied from publishing package: ${_package.name}`);
       const missingPerm = _package.name.indexOf('@') === 0 ? 'package-scope' : 'package-name';

test/functional/auth/index.js

@@ -30,7 +30,7 @@ export default (server: any, gitlab: any) => { // eslint-disable-line no-unused-
         .status(HTTP_STATUS.UNAUTHORIZED)
         .then((body) => {
           expect(body).toHaveProperty('error');
-          expect(body.error).toMatch(/invalid/);
+          expect(body.error).toMatch(/error/);
         });
     });
   });

test/unit/gitlab.spec.js

@@ -67,7 +67,7 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
     const cb: Callback = (err, data) => {
       expect(err).toBeFalsy();
       // false allows the plugin chain to continue
-      expect(data).toBe(false);
+      expect(data).toBe(true);
       done();
     };
 
@@ -85,7 +85,25 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
     const cb: Callback = (err, data) => {
       expect(err).toBeFalsy();
       // false allows the plugin chain to continue
-      expect(data).toBe(false);
+      expect(data).toBe(true);
+      done();
+    };
+
+    verdaccioGitlab.allow_access(config.remoteUser, _package, cb);
+  });
+
+  test('should allow access to package when access level is empty (default = $all)', done => {
+    const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
+    const _package: VerdaccioGitlabPackageAccess = {
+      name: config.user,
+      access: undefined,
+      gitlab: true
+    };
+
+    const cb: Callback = (err, data) => {
+      expect(err).toBeFalsy();
+      // false allows the plugin chain to continue
+      expect(data).toBe(true);
       done();
     };
 
@@ -123,7 +141,7 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
 
     const cb: Callback = (err, data) => {
       expect(err).toBeFalsy();
-      expect(data).toBe(false);
+      expect(data).toBe(true);
       done();
     };
 
@@ -139,7 +157,7 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
 
     const cb: Callback = (err, data) => {
       expect(err).toBeFalsy();
-      expect(data).toBe(false);
+      expect(data).toBe(true);
       done();
     };