Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use with CI_JOB_TOKEN #4

Open
cdaguerre opened this issue Jan 23, 2018 · 17 comments
Open

Use with CI_JOB_TOKEN #4

cdaguerre opened this issue Jan 23, 2018 · 17 comments

Comments

@cdaguerre
Copy link

Is it possible to login to verdaccio with the gitlab-ci-token user and the $CI_JOB_TOKENenv var during CI builds?

@bufferoverflow
Copy link
Owner

@bufferoverflow
Copy link
Owner

combine somehow with npm token , verdaccio/verdaccio#541

@Flauschbaellchen
Copy link

As the ToDo list has been removed from the README I like to know if this feature is still planned?

I currently trying to automate the publishing through gitlab-ci and the general workaround would be to login locally and copy the auth-token from .npmrc.
afterwards save it to the secret variables within gitlab-ci and setup the CI to prepopulate .npmrc.

however, as we have a huge number of packages hard-linking them to one account is unpractical, time-consuming and error-prone if member/group permissions change.

It would be great to have gitlab-ci-token/$CI_JOB_TOKEN to work out of the box using npm-cli-login or something similar.

@bufferoverflow
Copy link
Owner

Yes, this is a must have feature. I just have no time at the moment to implement or at least identify required upstream changes within gitlab... so any kind of contribution is welcome!

@spangenberg
Copy link

@Flauschbaellchen I'm using verdaccio-gitlab-ci for this in addition to verdaccio-gitlab.

I only had to configure verdaccio-gitlab-ci before verdaccio-gitlab in the auth section.

For npm-cli-login I'm doing then this:

npm install --global --registry https://registry.npmjs.org npm-cli-login
npm-cli-login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" -r "https://$NPM_REGISTRY" -e "[email protected]" --config-path "$PWD/.npmrc"

@juanpicado
Copy link
Collaborator

@spangenberg I'd suggest add it to the list of plugins for more visibility https://github.com/verdaccio/verdaccio/blob/master/docs/plugins.md#authorization-plugins

@dlouzan
Copy link
Collaborator

dlouzan commented Oct 20, 2018

I will also add some documentation for this in the verdaccio-gitlab readme, so we close the circle :trollface:

@dlouzan
Copy link
Collaborator

dlouzan commented Oct 20, 2018

I have been reading the source code of this verdaccio-gitlab-ci plugin and it's quite small, I think we could integrate this functionality into verdaccio-gitlab if the author is ok with it. The main difference at the moment is that verdaccio-gitlab is depending on personal access tokens for authentication, and the gitlab-ci-token plugin seems to depend somehow on the oauth2 flow, although I haven't found any gitlab official documentation for the auth endpoint used in there:

/jwt/auth?account=builder&client_id=docker&offline_token=[FILTERED]&service=container_registry

@spangenberg I still haven't tested it but I assume that you had to configure the gitlab url twice in your verdaccio configuration file, once for each gitlab plugin, isn't it? That would be a direct benefit of integrating this functionality.

I don't think there's currently any way to avoid having to login to npm at the beginning of the gitlab-ci job, much as the same is needed for docker login.

@dlouzan dlouzan self-assigned this Oct 20, 2018
@dlouzan
Copy link
Collaborator

dlouzan commented Oct 29, 2018

@dlouzan
Copy link
Collaborator

dlouzan commented Oct 29, 2018

@dlouzan dlouzan removed their assignment Feb 4, 2019
@icedream
Copy link

icedream commented Feb 20, 2019

Hello,

this seems to have stalled for a while, so I would like to input some information as I would also like to see job tokens being supported as a way of authentication.

node-gitlab is being used to talk to the GitLab API, which currently does not have any directly implemented/documented support for Job Tokens, only for OAuth and Private Access Tokens. So in order to implement this cleanly, firstly, there needs to be a patch for supporting job tokens there. There is a dirty workaround to enforce Job Token authentication through node-gitlab by overriding the headers set internally (see patch linked at the bottom).

Secondly there needs to be a way for NPM to supply login credentials in a way that verdaccio-gitlab can detect the supplied password as Job Tokens, not as Private Access Tokens. I thought of two ideas so far:

  • Supplying ci as username which in GitLab is currently a reserved username anyways so normal users aren't able to log in with that username anyways. Older GitLab versions (I suspect 8 and older) however do not restrict creation of a ci user account so it's not 100% safe for all versions. The reason we can not use gitlab-ci-token as a username is that it is actually not a reserved user name.
  • Supplying the password as ci:<job token here> as PATs - at least from what I know - can not contain colons anyways. The username doesn't matter.

Using Job Tokens will not identify a user, as such the currently implemented username equality check needs to be skipped for Job Token authentication.

I made a quick and dirty patch to try out the effects of using a Job Token with verdaccio-gitlab. With this patch logging in via NPM, via the website and installing packages works for me at least. I did not test publishing packages however yet.

EDIT: I opened an issue at node-gitlab to support Job Tokens.

@icedream
Copy link

Now waiting on a new release for node-gitlab as the changes there have been merged to master.

@icedream
Copy link

icedream commented Mar 9, 2019

node-gitlab v4.4.1 has been tagged, I am going to try and send in a pull request to run verdaccio-gitlab against this version asap.

@jbergstroem
Copy link

jbergstroem commented Mar 13, 2019

@icedream said: node-gitlab v4.4.1 has been tagged, I am going to try and send in a pull request to run verdaccio-gitlab against this version asap.

Can't wait! Will be an awesome addition.

@icedream
Copy link

icedream commented Jul 19, 2019

Hello,

just a little update as I finally got to testing package publishing. The current patches I sent in here are in fact not sufficient to allow for the CI login to be able to publish packages. Reason is that verdaccio-gitlab only checks for GitLab groups a user is assigned to and compares them against the parts of which the package name to publish is made of (so for @group/package it would check if the authenticated user - our CI "user" - is in either the GitLab group group or package). There is no checks for usernames or groups as allowed by the Verdaccio configuration, so no already implemented way to add ci to allowed usernames for publishing.

I respectively added this functionality to my patch set and I will start drafting a pull request with this in the coming days.

@jaredvacanti
Copy link

Is there a distinction between having the Gitlab CI be able to publish packages to a verdaccio instance and having the CI/CD tool pull from private verdaccio registry (authenticated publishing vs authenticated pulling)? Is this PR (not quite a PR, but the gist mentioned by @icedream) required for both?

@Nielio
Copy link

Nielio commented Sep 7, 2020

Thank's to @spangenberg i got it!

# Verdaccio config.yml
auth:
  htpasswd: # optional
    file: /verdaccio/htpasswd
    max_users: -1
  gitlab-ci: # have to be before `gitlab`
    url: https://your.gitlab
  gitlab:
    url: https://your.gitlab
# Verdaccio Dockerfile
FROM verdaccio/verdaccio

USER root

# -- Plugins --
# Have to be before ENV=production
# Note: no not use verdaccio-memory. It prevents any persitance for published packages

RUN npm i verdaccio-gitlab-ci
RUN npm i verdaccio-gitlab

# -- Plugins end --

ENV NODE_ENV=production

RUN npm i --no-audit --no-package-lock

COPY config.yaml /verdaccio/conf/

USER verdaccio

EXPOSE 4873
# .gitlab-ci.yml from npm module repo
publish:
  image: node:12-alpine
  stage: deploy
  before_script:
    - npm i npm-cli-login
    - npx npm-cli-login -u gitlab-ci-token -p "$CI_JOB_TOKEN" -r https://your.verdaccio -e "[email protected]" --config-path "$PWD/.npmrc"
  script:
    - npm publish

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants