Apply 1 suggestion(s) to 1 file(s)

Co-authored-by: DANGER_GITLAB_API_TOKEN <project_278964_bot_445da1b60fc7336b6b6776383134d10f@noreply.gitlab.com>

Apply 1 suggestion(s) to 1 file(s)
720fbbd8 · Moaz Khalifa · GitLab · cb69d70b · 720fbbd8 · 720fbbd8
Verified Commit 720fbbd8 authored 5 months ago by Moaz Khalifa Committed by GitLab 5 months ago
--- a/app/finders/concerns/packages/finder_helper.rb
+++ b/app/finders/concerns/packages/finder_helper.rb
@@ -57,8 +57,7 @@ def projects_visible_to_user_including_public_registries(user, within_group:)
      return ::Project.none unless Ability.allowed?(user, :read_package_within_public_registries,
        within_group.packages_policy_subject)
-      projects_visible_to_reporters(user, within_group: within_group,
+      projects_visible_to_reporters(user, within_group: within_group, within_public_package_registry: true)
-        within_public_package_registry: !Ability.allowed?(user, :read_group, within_group))
    end
    def projects_visible_to_reporters(user, within_group:, within_public_package_registry: false)

--- a/app/finders/packages/maven/package_finder.rb
+++ b/app/finders/packages/maven/package_finder.rb
@@ -22,6 +22,8 @@ def packages
      def group_packages
        if Feature.enabled?(:maven_remove_permissions_check_from_finder, @project_or_group)
          packages_for(@current_user, within_group: @project_or_group)
+        elsif ::Feature.enabled?(:allow_anyone_to_pull_public_maven_packages_on_group_level, @project_or_group)
+          packages_visible_to_user_including_public_registries(@current_user, within_group: @project_or_group)
        else
          super
        end

--- a/config/feature_flags/gitlab_com_derisk/allow_anyone_to_pull_public_maven_packages_on_group_level.yml
+++ b/config/feature_flags/gitlab_com_derisk/allow_anyone_to_pull_public_maven_packages_on_group_level.yml
+---
+name: allow_anyone_to_pull_public_maven_packages_on_group_level
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/468059
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164380
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/481768
+milestone: '17.4'
+group: group::package registry
+type: gitlab_com_derisk
+default_enabled: false
--- a/lib/api/maven_packages.rb
+++ b/lib/api/maven_packages.rb
@@ -157,15 +157,19 @@ def find_and_present_package_file(package, file_name, format, params)
      end
      route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true, basic_auth_personal_access_token: true
      get ':id/-/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
+        action = if ::Feature.enabled?(:allow_anyone_to_pull_public_maven_packages_on_group_level, find_group(params[:id]))
+                   :read_package_within_public_registries
+                 else
+                   :read_group
+                 end
        # return a similar failure to group = find_group(params[:id])
-        group = find_authorized_group!
+        group = find_authorized_group!(action: action)
        if Feature.disabled?(:maven_central_request_forwarding, group&.root_ancestor)
          not_found!('Group') unless path_exists?(params[:path])
        end
-        not_found!('Group') unless can?(current_user, :read_group, group)
        file_name, format = extract_format(params[:file_name])
        package = fetch_package(file_name: file_name, group: group)

--- a/spec/finders/packages/maven/package_finder_spec.rb
+++ b/spec/finders/packages/maven/package_finder_spec.rb
@@ -111,6 +111,31 @@
        it { expect(subject.last).to eq(package2) }
      end
    end
+    context 'with anonymous access to public registry in private group/project' do
+      let(:project_or_group) { group }
+      let(:user) { nil }
+      before_all do
+        [group, project].each do |entity|
+          entity.update_column(:visibility_level, Gitlab::VisibilityLevel.const_get(:PRIVATE, false))
+        end
+        project.project_feature.update!(package_registry_access_level: ::ProjectFeature::PUBLIC)
+        stub_feature_flags(maven_remove_permissions_check_from_finder: false)
+      end
+      it_behaves_like 'handling valid and invalid paths'
+      context 'when the FF allow_anyone_to_pull_public_maven_packages_on_group_level disabled' do
+        let(:param_path) { package.maven_metadatum.path }
+        before do
+          stub_feature_flags(allow_anyone_to_pull_public_maven_packages_on_group_level: false)
+        end
+        it { is_expected.to be_empty }
+      end
+    end
  end
  it 'uses CTE in the query' do

--- a/spec/requests/api/maven_packages_spec.rb
+++ b/spec/requests/api/maven_packages_spec.rb
@@ -743,6 +743,26 @@ def download_file_with_token(file_name:, params: {}, request_headers: headers_wi
          it_behaves_like 'returning response status', :redirect
        end
      end
+      context 'with anonymous access to a public registry' do
+        let(:headers_with_token) { {} }
+        before do
+          project.project_feature.update!(package_registry_access_level: ::ProjectFeature::PUBLIC)
+          stub_feature_flags(maven_remove_permissions_check_from_finder: false)
+        end
+        it_behaves_like 'successfully returning the file'
+        context 'when the FF allow_anyone_to_pull_public_maven_packages_on_group_level disabled' do
+          before do
+            stub_feature_flags(allow_anyone_to_pull_public_maven_packages_on_group_level: false)
+            stub_feature_flags(maven_central_request_forwarding: false)
+          end
+          it_behaves_like 'returning response status', :not_found
+        end
+      end
    end
    context 'maven metadata file' do