
Permissions fine-tuning for NuGet feeds



  • Hello,

    I realize that one has to grant the Feeds_ViewFeed permission to the anonymous user in order for package publishing to work. The reason is that dotnet nuget push ... first makes a request to the https://host/nuget/feed-name/v3/index.json URL without passing in the API key provided with the --api-key parameter, in order to get the following response.

    {
      "version": "3.0.0",
      "resources": [
        {
          "@id": "https://host/nuget/feed-name/v3/search",
          "@type": "SearchQueryService",
          "comment": "Query endpoint of NuGet Search service"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/search",
          "@type": "SearchQueryService/3.0.0-rc",
          "comment": "Query endpoint of NuGet Search service"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/search",
          "@type": "SearchQueryService/3.0.0-beta",
          "comment": "Query endpoint of NuGet Search service"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/autocomplete",
          "@type": "SearchAutocompleteService",
          "comment": "Autocomplete endpoint of NuGet Search service"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/autocomplete",
          "@type": "SearchAutocompleteService/3.0.0-rc",
          "comment": "Autocomplete endpoint of NuGet Search service"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/autocomplete",
          "@type": "SearchAutocompleteService/3.0.0-beta",
          "comment": "Autocomplete endpoint of NuGet Search service"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/registrations/",
          "@type": "RegistrationsBaseUrl",
          "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
        },
        {
          "@id": "https://host/nuget/feed-name/v3/registrations/",
          "@type": "RegistrationsBaseUrl/3.0.0-rc",
          "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
        },
        {
          "@id": "https://host/nuget/feed-name/v3/registrations/",
          "@type": "RegistrationsBaseUrl/3.0.0-beta",
          "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
        },
        {
          "@id": "https://host/nuget/feed-name/v3/registrations-gz/",
          "@type": "RegistrationsBaseUrl/3.4.0",
          "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
        },
        {
          "@id": "https://host/nuget/feed-name/v3/registrations-gz/",
          "@type": "RegistrationsBaseUrl/3.6.0",
          "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
        },
        {
          "@id": "https://host/nuget/feed-name/v3/flatcontainer",
          "@type": "PackageBaseAddress/3.0.0",
          "comment": "Base URL of where NuGet packages are stored, in the format https://api.nuget.org/v3-flatcontainer/{id-lower}/{version-lower}/{id-lower}.{version-lower}.nupkg"
        },
        {
          "@id": "https://host/feeds/feed-name/{id}/{version}",
          "@type": "PackageDetailsUriTemplate/5.1.0",
          "comment": "URI template used by NuGet Client to construct details URL for packages"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/registrations/{id-lower}/index.json",
          "@type": "PackageDisplayMetadataUriTemplate/3.0.0-rc",
          "comment": "URI template used by NuGet Client to construct display metadata for Packages using ID"
        },
        {
          "@id": "https://host/nuget/feed-name/v3/registrations/{id-lower}/{version-lower}.json",
          "@type": "PackageVersionDisplayMetadataUriTemplate/3.0.0-rc",
          "comment": "URI template used by NuGet Client to construct display metadata for Packages using ID, Version"
        },
        {
          "@id": "https://host/nuget/feed-name/",
          "@type": "LegacyGallery"
        },
        {
          "@id": "https://host/nuget/feed-name/",
          "@type": "LegacyGallery/2.0.0"
        },
        {
          "@id": "https://host/nuget/feed-name/package",
          "@type": "PackagePublish/2.0.0"
        }
      ]
    }
    

    However, granting Feeds_ViewFeed permission to the anonymous user also grants permission to view feed pages where packages are listed. E.g.: https://host/feeds/feed-name.

    Since viewing a feed and the packages inside it and requesting feed resources are two separate things, what about having another permission, like Feeds_RequestResources, that is separate from the Feeds_ViewFeed permission, so that if a NuGet client directly sends a request to the https://host/nuget/feed-name/v3/index.json URL, anonymous users are allowed, but if they want to view a feed, they are not?

    It should be pretty easy for the ProGet team to tell whether a request is a so-called resources request, since that is already what you are doing: you are correctly responding to the initial request by providing the resources.

    May I have your opinion please?

    P.S. Any workaround suggestion is welcome. My ProGet instance is running on Docker and is accessed using IIS ARR via rewrite.

    Regards,
    Coskun
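
    Added example (not from this thread or from ProGet itself): a small Python model of the two-request sequence described above, where the client fetches the service index without the API key and only then sends the key to the PackagePublish resource. The policy check is hypothetical, the service index excerpt and API key are constructed sample values, and Feeds_RequestResources is the name proposed in the post, not an existing ProGet permission.

```python
import json
from urllib.parse import urlparse

# Constructed excerpt of the feed's v3 service index quoted above; not a live response.
SERVICE_INDEX = json.loads("""{"version": "3.0.0", "resources": [
  {"@id": "https://host/nuget/feed-name/v3/search", "@type": "SearchQueryService"},
  {"@id": "https://host/nuget/feed-name/v3/flatcontainer", "@type": "PackageBaseAddress/3.0.0"},
  {"@id": "https://host/nuget/feed-name/package", "@type": "PackagePublish/2.0.0"}]}""")

API_KEY = "constructed-api-key"  # constructed sample value, not a real key


def resolve_resource(index, wanted):
    """Pick a resource @id by @type, matching versioned or bare type names,
    the way the client locates PackagePublish before it uploads."""
    for res in index["resources"]:
        if res["@type"] == wanted or res["@type"].split("/")[0] == wanted:
            return res["@id"]
    raise KeyError(wanted)


def authorize(url, api_key, anon_perms):
    """Toy policy check standing in for the server's feed permissions (hypothetical;
    the real rules are not in the thread). Returns True if the request is allowed."""
    path = urlparse(url).path
    if path.endswith("/v3/index.json"):                      # service index request
        return ("Feeds_ViewFeed" in anon_perms
                or "Feeds_RequestResources" in anon_perms)    # the proposed split
    if path.startswith("/feeds/"):                            # browsable feed page
        return "Feeds_ViewFeed" in anon_perms
    if path.endswith("/package"):                             # push endpoint
        return api_key == API_KEY
    return False


def simulate_push(anon_perms, api_key=API_KEY):
    """Replay the two requests 'dotnet nuget push --api-key' issues and report
    which step, if any, is rejected under the given anonymous permissions."""
    index_url = "https://host/nuget/feed-name/v3/index.json"
    if not authorize(index_url, None, anon_perms):            # first request carries no key
        return "denied: service index"
    publish_url = resolve_resource(SERVICE_INDEX, "PackagePublish")
    if not authorize(publish_url, api_key, anon_perms):
        return "denied: publish"
    return "published"


def ui_listing_open(anon_perms):
    """True if anonymous users could browse the package listing page."""
    return authorize("https://host/feeds/feed-name", None, anon_perms)
```

    With only Feeds_ViewFeed available, a push succeeds but the listing page is also open anonymously; with the proposed permission the push still works while the listing stays closed.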


  • inedo-engineer

    Hi @coskun_0070 ,

    If I understand correctly, the issue is that you're having a hard time getting dotnet nuget push to work without granting anonymous access to view feeds?

    In this case, I believe you need to add the URL as an authenticated package source. This will also let you download packages with dotnet nuget restore.

    I believe this issue is resolved by dotnet nuget add source.

    https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-add-source

    Cheers,
    Alana



  • Hi @atripp ,

    I already tried dotnet nuget add source and it works, except it fills our CI logs with the following warning.

    warn : No API Key was provided and no API Key could be found for 'https://host/nuget/feed-name/package'. To save an API Key for a source use the 'setApiKey' command.
    

    So I thought using the --api-key parameter would be a better choice, and a permission like the one I mentioned above would really help get this issue fixed.


  • inedo-engineer

    Hi @coskun_0070 ,

    Did you try setting an API key with setApiKey? Perhaps there's another way to suppress these messages?

    While it's relatively easy to add privileges and features, we've learned the hard way that it creates a lot more work in the long run from a support standpoint and causes user confusion. It's best to keep things simple.

    I think this is something addressable via NuGet client configuration.

    Cheers,
    Alana



  • Hi @atripp

    Unfortunately, setApiKey is not supported by the dotnet CLI.

    Dotnet tooling for package management is not ideal when it comes to nuget versus dotnet nuget.

    Thanks for your replies.

