Welcome to the Inedo Forums! Check out the Forums Guide for help getting started.
If you are experiencing any issues with the forum software, please visit the Contact Form on our website and let us know!
Security on download-package (ProGet Extension)
-
I have looked at the BeforeDownloadPackageAdapterBase and Users_ValidateLogin classes of the SDK but couldn't find a way to implement the following extension:
Check the provided username and password when there's an attempt to download a package and return an HTTP error or redirect to an error page.Or will it be easier to implement a custom ASP.NET HttpModule and configure that in the ProGet web application's web.config? In that case I need to know when someone attempts to download any package and check the feed name, username and password.
Product: ProGet
Version: 3.6.1
-
I think I got around this by implementing a custom HttpModule.
I also removed all priviliges of the ViewOnly role. When accessing a feed through ProGet, I'm now redirected to the login page as expected.
However when I try to access a feed through Visual Studio Manage NuGet packages:
- The first time I'm prompted for Basic HTTP Auth credentials in the format "localhost\something". I also tried with the domain "ProGet Feed [feedname]". But in neither case the credentials are accepted as valid. Which domain to use?
- The second time I try to access I'm no longer prompted for the credentials. How to clear the previously entered credentials?
Is there a way to configure credentials globally?
%AppData%\NuGet\NuGet.config seems to be restored to its original content all the time (credentials are removed). Also I'm not sure that's the ideal solution because it requires configuration on every developer machine.
Secondly, for using nuget.exe from the commandline: is there a way to automatically pick up the right credentials without specifying them each time (global configuraton)?
-
Sorry, I thought I had replied to this (maybe you also submitted a ticket)?
But feed-scoped privileges were designed for exactly this -- to allow you to restrict the feed to certain users/groups/etc.
Otherwise, we don't have any extensibility points that are available that can support this, and a custom HttpModule really isn't supported or considered, so it could be the cause of this behavior.
-
Thanks for the feedback. The HttpModule was not the cause. I just had to configure the NuGet.config credentials correctly in %ProgramData%\NuGet\Config\NuGet.Config, which is machine wide rather than user specific. I will distribute this configuration to all developer machines using an Active Directory Group Policy.