bufferoverflow · igorpupkinable · Feb 15, 2021 · Feb 16, 2021 · Feb 23, 2021
diff --git a/package.json b/package.json
@@ -49,18 +49,18 @@
  "node": ">=10"
  },
  "dependencies": {
- "gitlab": "3.5.1",
- "global-tunnel-ng": "2.5.3",
+ "gitlab": "^3.11.4",
+ "global-tunnel-ng": "~2.5.4",
  "http-errors": "1.7.3",
- "node-cache": "4.2.0",
+ "node-cache": "~4.2.1",
  "verdaccio": "^4.3.4"
  },
  "devDependencies": {
  "@commitlint/cli": "^8.3.3",
  "@commitlint/config-conventional": "^8.3.3",
  "@commitlint/travis-cli": "^8.3.3",
  "@types/http-errors": "^1.6.3",
- "@types/jest": "^24.0.24",
+ "@types/jest": "^26.0.20",
  "@types/lodash": "^4.14.149",
  "@types/node": "^13.1.0",
  "@typescript-eslint/eslint-plugin": "^2.13.0",
@@ -70,23 +70,23 @@
  "@verdaccio/eslint-config": "^8.5.0",
  "@verdaccio/types": "^8.5.0",
  "body-parser": "^1.19.0",
- "cross-env": "^6.0.3",
+ "cross-env": "^7.0.3",
  "eslint": "^6.8.0",
  "express": "^4.17.1",
  "generate-changelog": "^1.8.0",
  "http-status": "^1.4.2",
  "husky": "^3.1.0",
  "in-publish": "^2.0.0",
- "jest": "^24.9.0",
- "jest-environment-node": "^24.9.0",
+ "jest": "^26.6.3",
+ "jest-environment-node": "^26.6.2",
  "kleur": "3.0.3",
  "license-checker": "^25.0.1",
  "lodash": "^4.17.15",
- "markdownlint-cli": "^0.20.0",
+ "markdownlint-cli": "^0.26.0",
  "prettier": "^1.19.1",
  "request": "^2.88.0",
  "rimraf": "^3.0.0",
- "typescript": "^3.7.4"
+ "typescript": "^4.1.5"
  },
  "commitlint": {
  "extends": [

diff --git a/src/gitlab.ts b/src/gitlab.ts
@@ -165,37 +165,58 @@ export default class VerdaccioGitLab implements IPluginAuth<VerdaccioGitlabConfi
  }
 
  public allow_publish(user: RemoteUser, _package: VerdaccioGitlabPackageAccess & PackageAccess, cb: Callback) {
+ return this._callAction('publish', user, _package, cb);
+ }
+
+ public allow_unpublish(user: RemoteUser, _package: VerdaccioGitlabPackageAccess & PackageAccess, cb: Callback) {
+ return this._callAction('unpublish', user, _package, cb);
+ }
+
+ private _callAction(name: string, user: RemoteUser, _package: VerdaccioGitlabPackageAccess & PackageAccess, cb: Callback) {
  if (!_package.gitlab) return cb(null, false);
 
- const packageScopePermit = false;
+ const packageName = _package.name as string;
+
+ if (this._isActionAllowed(name, user, packageName)) {
+ return cb(null, true);
+ } else {
+ return cb(this._getActionPermissionError(packageName));
+ }
+ }
+
+ private _isActionAllowed(actionName: string, user: RemoteUser, packageName: string): boolean {
  let packagePermit = false;
- // Only allow to publish packages when:
+
+ // Only allow to (un)publish packages when:
  // - the package has exactly the same name as one of the user groups, or
  // - the package scope is the same as one of the user groups
  for (const real_group of user.real_groups) {
  // jscs:ignore requireCamelCaseOrUpperCaseIdentifiers
  this.logger.trace(
- `[gitlab] publish: checking group: ${real_group} for user: ${user.name || ''} and package: ${_package.name}`
+ `[gitlab] ${actionName}: checking group: ${real_group} for user: ${user.name || ''} and package: ${packageName}`
  );
 
- if (this._matchGroupWithPackage(real_group, _package.name as string)) {
+ if (this._matchGroupWithPackage(real_group, packageName)) {
  packagePermit = true;
  break;
  }
  }
 
- if (packagePermit || packageScopePermit) {
- const perm = packagePermit ? 'package-name' : 'package-scope';
- this.logger.debug(
- `[gitlab] user: ${user.name || ''} allowed to publish package: ${_package.name} based on ${perm}`
- );
- return cb(null, true);
- } else {
- this.logger.debug(`[gitlab] user: ${user.name || ''} denied from publishing package: ${_package.name}`);
- // @ts-ignore
- const missingPerm = _package.name.indexOf('@') === 0 ? 'package-scope' : 'package-name';
- return cb(getForbidden(`must have required permissions: ${this.publishLevel || ''} at ${missingPerm}`));
- }
+ this.logger.debug(
+ `[gitlab] user: ${user.name || ''} ` + (
+ packagePermit
+ ? `allowed to ${actionName} package: ${packageName} based on package-name`
+ : `denied from ${actionName}ing package: ${packageName}`
+ )
+ );
+
+ return packagePermit;
+ }
+
+ private _getActionPermissionError(packageName: string) {
+ // @ts-ignore
+ const missingPerm = packageName.startsWith('@') ? 'package-scope' : 'package-name';
+ return getForbidden(`must have required permissions: ${this.publishLevel || ''} at ${missingPerm}`);
  }
 
  private _matchGroupWithPackage(real_group: string, package_name: string): boolean {

diff --git a/test/unit/gitlab.spec.ts b/test/unit/gitlab.spec.ts
@@ -177,6 +177,25 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
  verdaccioGitlab.allow_publish(config.remoteUser, _package, cb);
  });
 
+ test('should allow unpublish of package based on user group', done => {
+ const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
+ const _package: VerdaccioGitlabPackageAccess = {
+ name: '@myGroup/myPackage',
+ access: ['$all'],
+ gitlab: true,
+ publish: ['$authenticated'],
+ proxy: ['npmjs'],
+ };
+
+ const cb: Callback = (err, data) => {
+ expect(err).toBeFalsy();
+ expect(data).toBe(true);
+ done();
+ };
+
+ verdaccioGitlab.allow_unpublish(config.remoteUser, _package, cb);
+ });
+
  test('should allow publish of package based on user project', done => {
  const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
  const _package: VerdaccioGitlabPackageAccess = {
@@ -196,6 +215,25 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
  verdaccioGitlab.allow_publish(config.remoteUser, _package, cb);
  });
 
+ test('should allow unpublish of package based on user project', done => {
+ const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
+ const _package: VerdaccioGitlabPackageAccess = {
+ name: '@anotherGroup/myProject',
+ access: ['$all'],
+ gitlab: true,
+ publish: ['$authenticated'],
+ proxy: ['npmjs'],
+ };
+
+ const cb: Callback = (err, data) => {
+ expect(err).toBeFalsy();
+ expect(data).toBe(true);
+ done();
+ };
+
+ verdaccioGitlab.allow_unpublish(config.remoteUser, _package, cb);
+ });
+
  test('should allow publish of package based on user name', done => {
  const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
  const _package: VerdaccioGitlabPackageAccess = {
@@ -215,6 +253,25 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
  verdaccioGitlab.allow_publish(config.remoteUser, _package, cb);
  });
 
+ test('should allow unpublish of package based on user name', done => {
+ const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
+ const _package: VerdaccioGitlabPackageAccess = {
+ name: config.user,
+ access: ['$all'],
+ gitlab: true,
+ publish: ['$authenticated'],
+ proxy: ['npmjs'],
+ };
+
+ const cb: Callback = (err, data) => {
+ expect(err).toBeFalsy();
+ expect(data).toBe(true);
+ done();
+ };
+
+ verdaccioGitlab.allow_unpublish(config.remoteUser, _package, cb);
+ });
+
  test('should deny publish of package based on unauthenticated', done => {
  const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
  const unauthenticatedUser: RemoteUser = {
@@ -239,6 +296,30 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
  verdaccioGitlab.allow_publish(unauthenticatedUser, _package, cb);
  });
 
+ test('should deny unpublish of package based on unauthenticated', done => {
+ const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
+ const unauthenticatedUser: RemoteUser = {
+ real_groups: [],
+ groups: [],
+ name: undefined,
+ };
+ const _package: VerdaccioGitlabPackageAccess = {
+ name: config.user,
+ access: ['$all'],
+ gitlab: true,
+ publish: ['$authenticated'],
+ proxy: ['npmjs'],
+ };
+
+ const cb: Callback = (err, data) => {
+ expect(err).toBeTruthy();
+ expect(data).toBeFalsy();
+ done();
+ };
+
+ verdaccioGitlab.allow_unpublish(unauthenticatedUser, _package, cb);
+ });
+
  test('should deny publish of package based on group', done => {
  const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
  const _package: VerdaccioGitlabPackageAccess = {
@@ -258,6 +339,25 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
  verdaccioGitlab.allow_publish(config.remoteUser, _package, cb);
  });
 
+ test('should deny unpublish of package based on group', done => {
+ const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
+ const _package: VerdaccioGitlabPackageAccess = {
+ name: '@anotherGroup/myPackage',
+ access: ['$all'],
+ gitlab: true,
+ publish: ['$authenticated'],
+ proxy: ['npmjs'],
+ };
+
+ const cb: Callback = (err, data) => {
+ expect(err).toBeTruthy();
+ expect(data).toBeFalsy();
+ done();
+ };
+
+ verdaccioGitlab.allow_unpublish(config.remoteUser, _package, cb);
+ });
+
  test('should deny publish of package based on user', done => {
  const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
  const _package: VerdaccioGitlabPackageAccess = {
@@ -276,4 +376,23 @@ describe('Gitlab Auth Plugin Unit Tests', () => {
 
  verdaccioGitlab.allow_publish(config.remoteUser, _package, cb);
  });
+
+ test('should deny unpublish of package based on user', done => {
+ const verdaccioGitlab: VerdaccioGitlab = new VerdaccioGitlab(config.verdaccioGitlabConfig, config.options);
+ const _package: VerdaccioGitlabPackageAccess = {
+ name: 'anotherUser',
+ access: ['$all'],
+ gitlab: true,
+ publish: ['$authenticated'],
+ proxy: ['npmjs'],
+ };
+
+ const cb: Callback = (err, data) => {
+ expect(err).toBeTruthy();
+ expect(data).toBeFalsy();
+ done();
+ };
+
+ verdaccioGitlab.allow_unpublish(config.remoteUser, _package, cb);
+ });
 });