Download/install GitLab release binary via private Homebrew tap
Problem Statement
Hello @cbalane, your colleague @jaime suggested I tag you in this issue.
I'm having an issue downloading a GitLab release binary in a private Homebrew tap.
My company is currently running a self-hosted instance of GitLab Enterprise Edition 14.6.7. I've also tested locally with 15.4.0.
I've attempted to pass the token in the header and as a cookie, both of which were unsuccessful.
I've searched GitLab forums and the internet for a solution and haven't found anything that works with GitLab releases.
Surely there must be a way to use GitLab releases with private Homebrew taps.
Reach
GitLab customers who manage internal tools using Homebrew.
5.0
Impact
A well-documented solution for this issue would greatly benefit all GitLab customers who use Homebrew to manage internal tools.
3.0
Confidence
I'm confident there is no documented solution for this issue.
100%
Effort
It would seem trivial to document/implement a solution for this issue.
A Ruby engineer could likely complete this in an afternoon.
Proposal
Support sessionless authentication for direct asset links.
diff --git a/app/controllers/projects/releases_controller.rb b/app/controllers/projects/releases_controller.rb
index da414d068a67..0b8c8c47a33f 100644
--- a/app/controllers/projects/releases_controller.rb
+++ b/app/controllers/projects/releases_controller.rb
@@ -8,6 +8,7 @@ class Projects::ReleasesController < Projects::ApplicationController
before_action :authorize_update_release!, only: %i[edit update]
before_action :authorize_create_release!, only: :new
before_action :validate_suffix_path, :fetch_latest_tag, only: :latest_permalink
+ prepend_before_action(only: [:downloads]) { authenticate_sessionless_user!(:release_download) }
feature_category :release_orchestration
urgency :low
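Review bot: the `prepend_before_action` on `downloads` runs `authenticate_sessionless_user!(:release_download)` ahead of every other filter in this controller, so the token-derived user is set before the `authorize_*` filters run; confirm this ordering is intended and that the existing read authorization for releases still applies to a sessionless user rather than being skipped. The call passes only the format symbol and no explicit `scopes:`, so state in the MR which token scopes are accepted for this path (a read-only scope is the least privilege needed to fetch an asset) and add a controller spec for the `downloads` action covering a valid token, an expired or revoked token, and no token at all.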
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index c994f179b66a..5fe386abf847 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -290,6 +290,11 @@ def current_request
@current_request ||= ensure_action_dispatch_request(request)
end
+ def release_download_request?
+ # TODO: validate release download path
+ true
+ end
+
def valid_web_access_format?(request_format)
case request_format
when :rss
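Review bot: `release_download_request?` returns `true` unconditionally, so with the `TODO` left in place any request carrying a valid access token to a controller that authenticates with `:release_download` is accepted regardless of its path, which is broader than the other format predicates such as `archive_request?`. Replace the stub before merge with a check on `current_request.path` that only matches direct asset link downloads (the `/-/releases/<tag>/downloads/` segment), and add specs for both a matching and a non-matching path; the `TODO` should not ship.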
@@ -300,6 +305,8 @@ def valid_web_access_format?(request_format)
api_request?
when :archive
archive_request?
+ when :release_download
+ release_download_request?
end
end
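Review bot: the new `when :release_download` branch is consistent with the existing cases and keeps the implicit `nil` result for unknown formats, which is the safe default. Its strictness depends entirely on `release_download_request?`, so add a spec for `valid_web_access_format?(:release_download)` that exercises the eventual path check rather than the stub, and make sure the new format symbol is only passed from the releases `downloads` action so the relaxed check cannot be reused by other controllers.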
Security
Since this is touching authentication logic, it is recommended to get the implementation reviewed by an AppSec team member. We may also want to put it behind a temporary feature flag so it can be disabled easily.