Inedo Community Forums Forums
    • Recent
    • Tags
    • Popular
    • Login

    Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.

    If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!

    Permissions fine-tuning for NuGet feeds

    Scheduled Pinned Locked Moved Support
    5 Posts 2 Posters 15 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C Offline
      coskun_0070
      last edited by coskun_0070

      Hello,

      I realize that one has to grant Feeds_ViewFeed permission to the anonymous user in order for package publishing to work and the reason behind that is because dotnet nuget push... makes a request to the https://host/nuget/feed-name/v3/index.json URL first without passing in the api key provided using the --api-key parameter in order for getting the following response.

      {
        "version": "3.0.0",
        "resources": [
          {
            "@id": "https://host/nuget/feed-name/v3/search",
            "@type": "SearchQueryService",
            "comment": "Query endpoint of NuGet Search service"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/search",
            "@type": "SearchQueryService/3.0.0-rc",
            "comment": "Query endpoint of NuGet Search service"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/search",
            "@type": "SearchQueryService/3.0.0-beta",
            "comment": "Query endpoint of NuGet Search service"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/autocomplete",
            "@type": "SearchAutocompleteService",
            "comment": "Autocomplete endpoint of NuGet Search service"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/autocomplete",
            "@type": "SearchAutocompleteService/3.0.0-rc",
            "comment": "Autocomplete endpoint of NuGet Search service"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/autocomplete",
            "@type": "SearchAutocompleteService/3.0.0-beta",
            "comment": "Autocomplete endpoint of NuGet Search service"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/registrations/",
            "@type": "RegistrationsBaseUrl",
            "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
          },
          {
            "@id": "https://host/nuget/feed-name/v3/registrations/",
            "@type": "RegistrationsBaseUrl/3.0.0-rc",
            "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
          },
          {
            "@id": "https://host/nuget/feed-name/v3/registrations/",
            "@type": "RegistrationsBaseUrl/3.0.0-beta",
            "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
          },
          {
            "@id": "https://host/nuget/feed-name/v3/registrations-gz/",
            "@type": "RegistrationsBaseUrl/3.4.0",
            "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
          },
          {
            "@id": "https://host/nuget/feed-name/v3/registrations-gz/",
            "@type": "RegistrationsBaseUrl/3.6.0",
            "comment": "Base URL of Azure storage where NuGet package registration info is stored in GZIP format. This base URL includes SemVer 2.0.0 packages."
          },
          {
            "@id": "https://host/nuget/feed-name/v3/flatcontainer",
            "@type": "PackageBaseAddress/3.0.0",
            "comment": "Base URL of where NuGet packages are stored, in the format https://api.nuget.org/v3-flatcontainer/{id-lower}/{version-lower}/{id-lower}.{version-lower}.nupkg"
          },
          {
            "@id": "https://host/feeds/feed-name/{id}/{version}",
            "@type": "PackageDetailsUriTemplate/5.1.0",
            "comment": "URI template used by NuGet Client to construct details URL for packages"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/registrations/{id-lower}/index.json",
            "@type": "PackageDisplayMetadataUriTemplate/3.0.0-rc",
            "comment": "URI template used by NuGet Client to construct display metadata for Packages using ID"
          },
          {
            "@id": "https://host/nuget/feed-name/v3/registrations/{id-lower}/{version-lower}.json",
            "@type": "PackageVersionDisplayMetadataUriTemplate/3.0.0-rc",
            "comment": "URI template used by NuGet Client to construct display metadata for Packages using ID, Version"
          },
          {
            "@id": "https://host/nuget/feed-name/",
            "@type": "LegacyGallery"
          },
          {
            "@id": "https://host/nuget/feed-name/",
            "@type": "LegacyGallery/2.0.0"
          },
          {
            "@id": "https://host/nuget/feed-name/package",
            "@type": "PackagePublish/2.0.0"
          }
        ]
      }
      

      However, granting Feeds_ViewFeed permission to the anonymous user also grants permission to view feed pages where packages are listed. E.g.: https://host/feeds/feed-name.

      Since viewing a feed and the packages inside it and requesting feed resources are two separate things, what about having another permission like Feeds_RequestResources that is separate from the Feeds_ViewFeed permission so that if a NuGet client directly sends a request to the https://host/nuget/feed-name/v3/index.json URL, anonymous users are allowed but if they want to view a feed, they are not.

      That should be pretty easy for the ProGet team to understand if the request is a so called resources request since that is already what you are doing, you are correctly responding to the initial request by providing the resources.

      May I have your opinion please?

      P.S. Any workaround suggestion is welcome. My ProGet instance is running on Docker and is accessed using IIS ARR via rewrite.

      Regards,
      Coskun

      1 Reply Last reply Reply Quote 0
      • atrippA Offline
        atripp inedo-engineer
        last edited by

        Hi @coskun_0070 ,

        If I understand correctly, the issue is that you're having a hard time getting dotnet nuget push to work without granting anonymous access to view feeds?

        In this case, I believe you need to add the URL as an authenticated package source. This will also let you download packages with dotnet nuget restore.

        I believe this issue is resolved by dotnet nuget add source.

        https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-add-source

        Cheers,
        Alana

        1 Reply Last reply Reply Quote 0
        • C Offline
          coskun_0070
          last edited by coskun_0070

          Hi @atripp ,

          I already tried dotnet nuget add source and it works except it fills in our CI logs with full of the following warning.

          warn : No API Key was provided and no API Key could be found for 'https://host/nuget/feed-name/package'. To save an API Key for a source use the 'setApiKey' command.
          

          So I thought using the --api-key parameter would be a better choice and the a permission like the one I mentioned above would really help get this issue fixed.

          atrippA 1 Reply Last reply Reply Quote 0
          • atrippA Offline
            atripp inedo-engineer @coskun_0070
            last edited by

            Hi @coskun_0070 ,

            Did you try setting an api key with setApiKey? Perhaps there's another way to suppress this messages?

            While it's relatively easy to add privileges and features, we've learned the hard way that it creates a lot more work in the long-run from a support standpoint and user confusion. It's best to keep things simple.

            I think this is something addressable via nuget client configuration.
            Cheers,
            Alana

            C 1 Reply Last reply Reply Quote 0
            • C Offline
              coskun_0070 @atripp
              last edited by

              Hi @atripp

              Unfortunately the setApiKey is not supported by the dotnet CLI.

              Dotnet tooling regarding package management is not ideal when it comes to nuget and dotnet nuget.

              Thanks for your replies.

              1 Reply Last reply Reply Quote 0

              Hello! It looks like you're interested in this conversation, but you don't have an account yet.

              Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

              With your input, this post could be even better 💗

              Register Login
              • 1 / 1
              • First post
                Last post
              Inedo Website Home • Support Home • Code of Conduct • Forums Guide • Documentation