Add namespace setting to enable/disable NuGet symbol server
Context
In Endpoint for symbol file download (!134564 - merged), we added a new endpoint to download the NuGet portable symbol PDB files. However, there's no way to authenticate this endpoint as we do with other NuGet Repository private endpoints. The reason is that the debuggers (such as Visual Studio) don't support sending authentication credentials (PAT or deploy tokens). This thread has more details on the authentication challenge.
Although the endpoint isn't authenticated the way other NuGet Repository endpoints are, the PDB files aren't simply public. To download a file, the debugger needs to send the file signature and SHA256 checksum. This information cannot be obtained unless you have the executable .dll file from the .nupkg file of the package.
To make sure the users of the NuGet Repository are aware of this authentication limitation, we decided to add a namespace setting that lets users decide whether to enable or disable the NuGet symbol server. The setting is disabled by default, meaning that the PDB consumption endpoint isn't available unless a user explicitly enables the NuGet symbol server setting for their namespace.
What does this MR do?
- Add a new setting named nuget_symbol_server_enabled to the namespace_package_settings table. Its default value is false. It's a namespace setting because the symbolfiles endpoint can be used on the project & group levels. That's why we need a setting that can work on the two entities.
- If a user tries to send a request to the symbolfiles endpoint and the nuget_symbol_server_enabled setting is disabled, a 403 forbidden response would be returned.
- Remove the nuget_symbolfiles_endpoint feature flag because it's needless now since we have the setting that can enable/disable the endpoint.
- Update the documentation to explain how to use the symbolfiles endpoint to serve as a NuGet symbol server.
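The access decision described above (setting gate first, then signature and SHA256 checksum match) can be modelled in a few lines of Ruby. This is an added sketch, not GitLab's implementation: the in-memory SYMBOL and NAMESPACE_SETTINGS data, the helper names, the 404 on a mismatch and the constant-time comparison are all assumptions.

```ruby
require 'openssl'
require 'digest'

# Constructed sample data (assumption): one stored symbol record.
PDB_BYTES = 'constructed portable PDB bytes'.freeze
SYMBOL = {
  file: 'package.pdb',
  signature: 'b91a152048fc4b3883bf3cf73fbc03f1ffffffff', # constructed value
  file_sha256: Digest::SHA256.hexdigest(PDB_BYTES)
}.freeze

# Namespaces that explicitly enabled nuget_symbol_server_enabled.
# Anything not listed falls back to the default, false.
NAMESPACE_SETTINGS = { 'enabled-group' => true }.freeze

# Parses "SHA256:<hex>" from the Symbolchecksum header; nil if malformed.
def parse_symbol_checksum(header)
  match = /\ASHA256:([0-9a-fA-F]{64})\z/.match(header.to_s)
  match && match[1].downcase
end

# Hypothetical handler returning [status, body].
def symbol_file_response(namespace:, file:, signature:, checksum_header:)
  # Gate first: a disabled namespace answers 403 even when the caller
  # presents a correct signature and checksum.
  return [403, nil] unless NAMESPACE_SETTINGS.fetch(namespace, false)

  checksum = parse_symbol_checksum(checksum_header)
  # The signature and checksum are the only thing standing between an
  # anonymous caller and the PDB, so compare the checksum in constant
  # time (a choice of this sketch).
  found = !checksum.nil? &&
          file == SYMBOL[:file] &&
          signature.casecmp?(SYMBOL[:signature]) &&
          OpenSSL.secure_compare(checksum, SYMBOL[:file_sha256])
  found ? [200, PDB_BYTES] : [404, nil] # 404 on mismatch is an assumption
end
```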
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
N/A
How to set up and validate locally
- Open rails console and run the following commands to create a symbol file that we can test with:
# stub file upload
def fixture_file_upload(*args, **kwargs)
  Rack::Test::UploadedFile.new(*args, **kwargs)
end
package = FactoryBot.create(:nuget_package, project: Project.last)
symbol = FactoryBot.create(:nuget_symbol, package: package)
# We will need the `file`, `signature` & `file_sha256` values of the created symbol record in the next step.
- In your terminal, try to send a request to the symbol file download endpoint:
curl --header "Symbolchecksum: SHA256:<file_sha256>" "http://gdk.test:3000/api/v4/projects/<project_id>/packages/nuget/symbolfiles/<file>/<signature>/<file>"
- You should receive a 403 response:
{
  "message": "403 Forbidden"
}
- Enable the namespace package setting nuget_symbol_server_enabled using the query below in graphql-explorer:
mutation {
  updateNamespacePackageSettings(input: {
    namespacePath: "<your-namespace-full-path>",
    nugetSymbolServerEnabled: true
  }) {
    packageSettings {
      nugetSymbolServerEnabled
    }
  }
}
- In your terminal, try to re-send the same request to download the symbol file:
curl --header "Symbolchecksum: SHA256:<file_sha256>" "http://gdk.test:3000/api/v4/projects/<project_id>/packages/nuget/symbolfiles/<file>/<signature>/<file>" > package.pdb
- The file should be successfully downloaded.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #434129 (closed)