Managing package access

[ditroiaj]

Hi everyone,

I am thinking about a self-hosted a NuGet.Server. Deploying the NuGet server is easy to do. The hard part is when I want to manage people access to our packages.
In that case, I need to allow specific access to packages to specific people.

Let’s imagine the following use case: we have 2 people A and B and we have 3 packages Package1, 2 and 3.
I want to be able to specify in the NuGet server configuration (or somewhere else) that Package 1 can be accessed in read-only (download) by Person A and B.
Then Package 2 is only accessible in read-only mode by Person A.
And finally, Package 3 is only accessible in read-only mode by Person B.

Is this possible ? What could be the best approach to achieve this result (or something close enough) ?

Thank you for your answer and for your work!

[zivkan]

From a NuGet client point of view, yes it's possible. It's the server's responsibility to not return packages that the HTTP requestor doesn't have access to in any of the relevant web APIs.

As I'm on the client team, I'm not an expert on NuGet.Server, however, my understanding is that it is intentionally minimalistic (the repo's readme uses the word lightweight). It's not designed to support advanced scenarios.

Our docs page on hosting your own NuGet feeds lists a few different NuGet server implementations, I believe most of which are self-hostable. Some are free, some are not. Maybe one of them has the capability you're looking for. Some of the servers are open source, so you're also able to extend its functionality and add this capability yourself.

[ditroiaj]

Hi @zivkan, first of all thank you for your reply!
I am running my NuGet.Server web application on an IIS web server.
I configured this Web Application to use Windows Authentication such that it ask the user for credentials and disable other authentication methods. I also set the "authenticatedUserOverride" to "UseAuthenticatedUser" in Web Application > Configuration Editor > system.webServer/serverRuntime.

My plan, based on the first part of your answer:

From a NuGet client point of view, yes it's possible. It's the server's responsibility to not return packages that the HTTP requestor doesn't have access to in any of the relevant web APIs.

was to use the user identity that he logged in with, to grant access to the NuGet packages, such that if PersonA has access to Packages 2, 3 but not to Package 1 could still list and download Packages 2 and 3.

But somehow, it does not seem to work. Even though I restrict access to a specific Package (actually its directory in the folder pointed by the NuGet repository path in Web.config), he is still able to list it in Visual Studio NuGet Manager.

Am I missing something or it is not supposed to work that way ?

[zivkan]

NuGet's HTTP protocol includes a search service/endpoint. If the search tells NuGet a package exists, it will be displayed in the Package Manager browse results. You'll need to configure the search endpoint to return a package list filtered on what the current user has access to.