DEV Community: Uladzimir Tsykun The latest articles on DEV Community by Uladzimir Tsykun (@vtsykun). https://dev.to/vtsykun https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1035119%2Ff0ab9122-1075-425e-ac35-eec95caa0e36.jpeg DEV Community: Uladzimir Tsykun https://dev.to/vtsykun en Mirroring Composer dependencies with Packeton Uladzimir Tsykun Sun, 05 Mar 2023 17:46:34 +0000 https://dev.to/vtsykun/mirror-composer-dependencies-with-packeton-1jea https://dev.to/vtsykun/mirror-composer-dependencies-with-packeton-1jea <h2> Introduce </h2> <p>Packeton is an open-source private Composer repository based on Packagist.org and Satis, distributed under the MIT license. Back in 2018, there was no free alternative to the Private Packagist packagist.com with the necessary functionality, but the Satis functionality is very limited. I like the UI of the Packagist.org thought it would be cool to use it for my own private Packagist, so I forked it to make it available for everyone to reuse. The source code is available on <a href="https://github.com/vtsykun/packeton" rel="noopener noreferrer">GitHub</a></p> <h2> Mirror dependencies </h2> <p>Mirroring dependencies can be useful for several scenarios:</p> <ul> <li>Speed-up downloading dependencies </li> <li>Sharing access to a private Composer repository, such as Magento, with your team and customers.</li> <li>Preventing Dependency Confusion <a href="https://blog.packagist.com/preventing-dependency-hijacking/" rel="noopener noreferrer">attacks</a>.</li> </ul> <p>Packeton will create a local copy of a remote repository, allowing you to download dependencies and metadata from the local copy instead of the remote composer repository.</p> <h3> Installation </h3> <p>To get started with Packeton, you'll first need to install the application. You can do this using Docker by creating a <code>docker-compose.yml</code> file with the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3.6'</span> <span class="na">services</span><span class="pi">:</span> <span class="na">packeton</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">packeton/packeton:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">packeton</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">packeton</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">ADMIN_USER</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">ADMIN_PASSWORD</span><span class="pi">:</span> <span class="m">123456</span> <span class="c1"># Default password</span> <span class="na">ADMIN_EMAIL</span><span class="pi">:</span> <span class="s">admin@example.com</span> <span class="na">TRUSTED_PROXIES</span><span class="pi">:</span> <span class="s">172.16.0.0/12</span> <span class="c1"># Default SQLite</span> <span class="c1"># DATABASE_URL: "mysql://app:!ChangeMe!@127.0.0.1:3306/app?serverVersion=8&amp;charset=utf8mb4"</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">127.0.0.1:8081:80'</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">.docker:/data</span> </code></pre> </div> <p>Run the following command to start the container: <code>docker-compose up -d</code> The application will then be accessible at <code>http://127.0.0.1:8081</code>.</p> <p>Next, you may want to install an Nginx reverse proxy to make the application available at a custom domain name. Here's an example configuration for this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>server { listen *:443 http2; server_name packages.example.org; ssl_certificate /etc/nginx/ssl/example.org.crt; ssl_certificate_key /etc/nginx/ssl/example.org.key; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'; ssl_protocols TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_session_timeout 5m; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 16k; gzip_http_version 1.1; gzip_min_length 2048; gzip_types text/css application/javascript text/javascript application/json; location / { proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:8081/; } } </code></pre> </div> <p>Now you can login on <code>packages.example.org</code></p> <h3> Configure Composer proxy </h3> <p>To configure the Composer proxy, you need to add it on configuration level. For example, for a docker installation, this is a file <code>config.yaml</code> in a volume. For source code installation put config file with any name the directory <code>{project dir}/config/packages</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">packeton</span><span class="pi">:</span> <span class="na">mirrors</span><span class="pi">:</span> <span class="na">orocrm</span><span class="pi">:</span> <span class="na">url</span><span class="pi">:</span> <span class="s">https://satis.oroinc.com/</span> <span class="c1"># SSH keys for create ZIP archive from Git source.</span> <span class="na">git_ssh_keys</span><span class="pi">:</span> <span class="na">git@github.com:oroinc</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/var/www/.ssh/private_key'</span> <span class="c1"># logo: 'https://example.com/logo.png'</span> <span class="c1"># http_basic:</span> <span class="c1"># username: user</span> <span class="c1"># password: pass</span> <span class="c1"># Allow public access, default false</span> <span class="c1"># public_access: true</span> <span class="c1"># default false</span> <span class="c1"># sync_lazy: true</span> <span class="c1"># enable_dist_mirror: false</span> <span class="c1"># Additional restriction, but you can restrict it in UI</span> <span class="c1"># available_package_patterns:</span> <span class="c1"># - 'vend1/*'</span> <span class="c1"># available_packages:</span> <span class="c1"># - 'pack1/name1' # but you can restrict it in UI</span> <span class="c1"># JSON. auth.json to pass composer opts.</span> <span class="c1"># composer_auth: '{"auth.json..."}'</span> <span class="c1"># default auto.</span> <span class="na">sync_interval</span><span class="pi">:</span> <span class="s">~</span> <span class="c1"># Console info message</span> <span class="na">info_cmd_message</span><span class="pi">:</span> <span class="s">~</span> </code></pre> </div> <p>Now you will need to restart docker container to apply configuration. </p> <p>The proxy information now will be shown by url <a href="https://packages.example.com/proxies/orocrm" rel="noopener noreferrer">https://packages.example.com/proxies/orocrm</a><br> Synchronization of metadata is launched by cron, and in order to update the data after creating a proxy, you need to run the update through the console or through UI. If everything happened without errors, then you will see the result of the synchronization as below</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbk6sk7y4fzk5a3fz56at.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbk6sk7y4fzk5a3fz56at.png" alt="Job Result"></a></p> <p>To use this proxy you need to add this line to your composer.json.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> "repositories": [ { "type": "composer", "url": "https://packages.example.org/mirror/orocrm" } ] </code></pre> </div> <p>By default, this resource is available only with aurization, so you need enable auth for composer <code>composer config --global --auth http-basic.packages.example.org {username} {apitoken}</code> Where <code>apitoken</code> you can see on the profile page.</p> <h4> Dependencies Approval. </h4> <p>In Packeton by default dependencies are automatically enabled, when you run the first time <code>composer update</code>. In the example above, I used the repository <a href="https://satis.oroinc.com" rel="noopener noreferrer">https://satis.oroinc.com</a> that has third-party dependencies. Example of the <a href="https://github.com/oroinc/platform-application/blob/5.1.0-rc.2/composer.json#L15" rel="noopener noreferrer">application</a> that uses this repo.</p> <p>The root file <a href="https://satis.oroinc.com/packages.json" rel="noopener noreferrer">packages.json</a> does not contains restrictions by <code>available_package_patterns</code>. Depending on the satis settings, if <code>require-all</code> is enabled, the third party vendor can publish a package under any vendor name. For example <code>symfony/process</code>. So attacker may replace your dependencies, because if a package name is found in this custom package repository, only those versions are loaded at all. </p> <p>To select specific packages that you use in a project and remove those you don't need, you can turn on strict mode. Go to proxy settings and select the "Strict mode"</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feakg0r9l92aje8e9i6hs.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feakg0r9l92aje8e9i6hs.png" alt="Image description"></a></p> <p>Then, using the Mass mirror action, you can enable and approve your packages. Put the composer info output as shown below.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5kvregbfw8nuzohbtq6v.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5kvregbfw8nuzohbtq6v.png" alt="Image description"></a></p> <p>Depending on the User-Agent the metadata is available in two formats for Composer 2 and 1 at once. However, the original repository only provide the metadata for Composer 1.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"providers-lazy-url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/mirror/orocrm/pkg/%package%.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mirrors"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dist-url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/mirror/orocrm/zipball/%package%/%version%/%reference%.%type%"</span><span class="p">,</span><span class="w"> </span><span class="nl">"preferred"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"metadata-url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/mirror/orocrm/p2/%package%.json"</span><span class="p">,</span><span class="w"> </span><span class="nl">"available-packages"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"oro/platform-enterprise"</span><span class="p">,</span><span class="w"> </span><span class="s2">"oro/crm-enterprise"</span><span class="p">,</span><span class="w"> </span><span class="s2">"oro/api-doc-bundle"</span><span class="p">,</span><span class="w"> </span><span class="s2">"oro/crm-pro-ldap-bundle"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If User-Agent header is match with Composer 1, then all packages will be merge into one snapshot <code>includes</code> for spend up Composer 1 downloads.</p> <p>When the User-Agent header matches to Composer1, Packeton will merge all packages into one snapshot <code>includes</code> to speed up Composer 1 downloads. Because Composer 1 is not able to perform parallel downloads, so by merging all packages into one snapshot, Packeton can reduce the number of requests Composer 1.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"includes"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"include-packeton/all$6150da03358e44ebc3b99713c643e98dc06a221e.json"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sha1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"6150da03358e44ebc3b99713c643e98dc06a221e"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"mirrors"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"dist-url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/mirror/orocrm/zipball/%package%/%version%/%reference%.%type%"</span><span class="p">,</span><span class="w"> </span><span class="nl">"preferred"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Links </h2> <ul> <li>Packeton source code <a href="https://github.com/vtsykun/packeton" rel="noopener noreferrer">https://github.com/vtsykun/packeton</a> </li> <li>Installation instruction <a href="https://docs.packeton.org/installation.html" rel="noopener noreferrer">https://docs.packeton.org/installation.html</a> </li> <li>About Preventing Dependency Confusion with Composer <a href="https://blog.packagist.com/preventing-dependency-hijacking/" rel="noopener noreferrer">https://blog.packagist.com/preventing-dependency-hijacking/</a> </li> </ul> php composer tutorial programming