Verified Commit 720fbbd8 authored by Moaz Khalifa's avatar Moaz Khalifa Committed by GitLab
parent cb69d70b
1 merge request!164380Make "allow anyone to pull" work with group-level Maven endpoints
......@@ -57,8 +57,7 @@ def projects_visible_to_user_including_public_registries(user, within_group:)
return ::Project.none unless Ability.allowed?(user, :read_package_within_public_registries,
within_group.packages_policy_subject)
projects_visible_to_reporters(user, within_group: within_group,
within_public_package_registry: !Ability.allowed?(user, :read_group, within_group))
projects_visible_to_reporters(user, within_group: within_group, within_public_package_registry: true)
end
def projects_visible_to_reporters(user, within_group:, within_public_package_registry: false)
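Review bot: Hard-coding `within_public_package_registry: true` on the new call means the caller's `read_group` result no longer influences this path, which leaves `:read_package_within_public_registries` on `within_group.packages_policy_subject` as the only authorization check visible in this method. That is a security-relevant invariant and deserves a comment above the call, for example `# read_group is deliberately not consulted here; per-project narrowing is left to projects_visible_to_reporters`. The body of `projects_visible_to_reporters` lies outside the hunk, so the wording should be confirmed against how it treats that argument for group members and for anonymous users.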
......
......@@ -22,6 +22,8 @@ def packages
def group_packages
if Feature.enabled?(:maven_remove_permissions_check_from_finder, @project_or_group)
packages_for(@current_user, within_group: @project_or_group)
elsif ::Feature.enabled?(:allow_anyone_to_pull_public_maven_packages_on_group_level, @project_or_group)
packages_visible_to_user_including_public_registries(@current_user, within_group: @project_or_group)
else
super
end
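Review bot: The `maven_remove_permissions_check_from_finder` branch is tested first, so when it is enabled the new flag has no effect in this finder and results come from `packages_for` instead of `packages_visible_to_user_including_public_registries`. The endpoint change in this commit can admit callers that hold only `:read_package_within_public_registries`, so it matters whether a later check restricts what `packages_for` hands to such a caller; that code is not visible on this page. Both new spec contexts stub `maven_remove_permissions_check_from_finder: false`, which leaves the both-flags-enabled case unexercised here. I would add a one-line comment on the first branch naming where authorization happens in that mode, plus a spec context with both flags enabled and an anonymous user.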
......
---
name: allow_anyone_to_pull_public_maven_packages_on_group_level
feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/468059
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164380
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/481768
milestone: '17.4'
group: group::package registry
type: gitlab_com_derisk
default_enabled: false
......@@ -157,15 +157,19 @@ def find_and_present_package_file(package, file_name, format, params)
end
route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true, basic_auth_personal_access_token: true
get ':id/-/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
action = if ::Feature.enabled?(:allow_anyone_to_pull_public_maven_packages_on_group_level, find_group(params[:id]))
:read_package_within_public_registries
else
:read_group
end
# return a similar failure to group = find_group(params[:id])
group = find_authorized_group!
group = find_authorized_group!(action: action)
if Feature.disabled?(:maven_central_request_forwarding, group&.root_ancestor)
not_found!('Group') unless path_exists?(params[:path])
end
not_found!('Group') unless can?(current_user, :read_group, group)
file_name, format = extract_format(params[:file_name])
package = fetch_package(file_name: file_name, group: group)
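Review bot: With the flag enabled, `find_authorized_group!(action: action)` authorizes on `:read_package_within_public_registries`, and going by the hunk's line counts the explicit `not_found!('Group') unless can?(current_user, :read_group, group)` guard is dropped, so a caller without `read_group` now reaches `fetch_package`. What that caller can download then depends on the finder alone, and a comment above the call such as `# callers without read_group may pass here; fetch_package must only return packages from projects whose package registry is public` would record that dependency. Separately, `find_group(params[:id])` is evaluated only to pick the flag actor before any authorization, which looks like a second lookup of the same group and may hand a nil actor to `Feature.enabled?` for an unknown id; confirm the response for a missing group stays identical to the unauthorized one. The route block continues past the end of the hunk.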
......
......@@ -111,6 +111,31 @@
it { expect(subject.last).to eq(package2) }
end
end
context 'with anonymous access to public registry in private group/project' do
let(:project_or_group) { group }
let(:user) { nil }
before_all do
[group, project].each do |entity|
entity.update_column(:visibility_level, Gitlab::VisibilityLevel.const_get(:PRIVATE, false))
end
project.project_feature.update!(package_registry_access_level: ::ProjectFeature::PUBLIC)
stub_feature_flags(maven_remove_permissions_check_from_finder: false)
end
it_behaves_like 'handling valid and invalid paths'
context 'when the FF allow_anyone_to_pull_public_maven_packages_on_group_level disabled' do
let(:param_path) { package.maven_metadatum.path }
before do
stub_feature_flags(allow_anyone_to_pull_public_maven_packages_on_group_level: false)
end
it { is_expected.to be_empty }
end
end
end
it 'uses CTE in the query' do
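Review bot: The new context covers the allowed case and the flag-off case, but nothing visible asserts the boundary the flag has to hold: with the flag on, an anonymous user must not see packages from a project in the same private group whose `package_registry_access_level` is not `::ProjectFeature::PUBLIC`. Unless the shared example `'handling valid and invalid paths'` already covers it, I would add a context with a second project whose registry is left non-public and `it { is_expected.to be_empty }` for that package's path. The same negative case is missing from the `'with anonymous access to a public registry'` context in the request spec hunk further down, where the expectation would be `it_behaves_like 'returning response status', :not_found`.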
......
......@@ -743,6 +743,26 @@ def download_file_with_token(file_name:, params: {}, request_headers: headers_wi
it_behaves_like 'returning response status', :redirect
end
end
context 'with anonymous access to a public registry' do
let(:headers_with_token) { {} }
before do
project.project_feature.update!(package_registry_access_level: ::ProjectFeature::PUBLIC)
stub_feature_flags(maven_remove_permissions_check_from_finder: false)
end
it_behaves_like 'successfully returning the file'
context 'when the FF allow_anyone_to_pull_public_maven_packages_on_group_level disabled' do
before do
stub_feature_flags(allow_anyone_to_pull_public_maven_packages_on_group_level: false)
stub_feature_flags(maven_central_request_forwarding: false)
end
it_behaves_like 'returning response status', :not_found
end
end
end
context 'maven metadata file' do
......