Using flat-manager for private app repo

Dan Nicholson nicholson at endlessm.com
Mon Apr 29 18:46:14 UTC 2019


At Endless we have a desire to have private app repos and have been
looking at having flat-manager manage the access. It already has a lot
of the pieces to manage build access. My hope is that this can be
extended to cover reading the repository.

The simple implementation we thought of is to limit access to commit
objects and delta superblocks. If you can't fetch the commit object
then you can't install the flatpak. The server would maintain a map of
refs to commits and deltas and only return them when the user was
authorized. A more complete implementation would limit access to all
of the objects referenced by the commit, but it's much simpler to just
handle refs and commits.

To handle this, an additional "read" subject and scope would be
checked in the JSON web token. The existing repos and prefixes in the
token scheme could be reused. For example, consider a token with the
following payload:

{
  "sub": "read",
  "scope": ["read"],
  "prefixes": ["com.example.Foo"],
  "repos": ["foo"],
  "name": "some user",
  "exp": 1556563021
}

This user could fetch com.example.Foo (and com.example.Foo.*) from the
foo repo but couldn't access the other private bar repo or the
com.example.Baz app in the foo repo.

A provider of a private repo would need an authorization server that
handled mapping users to allowed repos and apps that would hand back
an appropriate token to the user. I haven't thought through the client
side of this too much, but obviously some work would be needed to
transparently handle fetching the token when needed.

It would be pretty straightforward to reuse the /api authorization
logic in flat-manager for /repo. To continue with the current default
that repos are public, you could add a "private" boolean to the repo
configuration. If this was false (the default), then the authorization
checks would be skipped for /repo/<public repo>.

There are some more details about this scheme, but I wanted to know if
this seemed like something that would be acceptable in flat-manager.

--
Dan Nicholson  |  +1.206.437.0833  |  Endless
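
The read check proposed in the message above, as an added example that is not part of the original post and is not flat-manager's own code. It assumes the token's signature has already been verified and the claims decoded; the names authorize_read, prefix_covers and Denied are hypothetical, and matching on a '.' boundary is inferred from the "com.example.Foo.*" wording.

```rust
// Added example: claims are assumed to come from a JWT whose signature
// has already been verified; field names follow the payload in the post.
struct Claims<'a> {
    sub: &'a str,
    scope: Vec<&'a str>,
    prefixes: Vec<&'a str>,
    repos: Vec<&'a str>,
    exp: u64, // seconds since the Unix epoch
}

#[derive(Debug, PartialEq)]
enum Denied { NoToken, Expired, NotReadToken, Repo, Prefix }

// "com.example.Foo" covers itself and "com.example.Foo.*", but not
// "com.example.Foobar": the match must end on a '.' boundary.
fn prefix_covers(prefix: &str, app_id: &str) -> bool {
    app_id == prefix
        || app_id.strip_prefix(prefix).map_or(false, |rest| rest.starts_with('.'))
}

// Decision for a commit or delta request under /repo/<repo>.
// `private` is the proposed per-repo flag (default false = public).
fn authorize_read(private: bool, repo: &str, app_id: &str,
                  claims: Option<&Claims>, now: u64) -> Result<(), Denied> {
    if !private {
        return Ok(()); // public repo: authorization checks are skipped
    }
    let c = claims.ok_or(Denied::NoToken)?;
    if c.exp <= now { return Err(Denied::Expired); }
    if c.sub != "read" || !c.scope.contains(&"read") {
        return Err(Denied::NotReadToken);
    }
    if !c.repos.contains(&repo) { return Err(Denied::Repo); }
    if !c.prefixes.iter().any(|p| prefix_covers(p, app_id)) {
        return Err(Denied::Prefix);
    }
    Ok(())
}

fn sample_claims() -> Claims<'static> {
    Claims { sub: "read", scope: vec!["read"], prefixes: vec!["com.example.Foo"],
             repos: vec!["foo"], exp: 1556563021 }
}

fn main() {
    let c = sample_claims();
    println!("{:?}", authorize_read(true, "foo", "com.example.Foo.Locale", Some(&c), 1556560000));
}
```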

