Maven package registry: move checks from upload to authorize endpoint
🔥 Problem
The Maven Repository uses direct uploads for its uploads. We're not going to detail all the aspects here but basically:
- workhorse intercepts the upload.
- workhorse asks rails: hey where do you want me to put this (request on the
/authorize
endpoint). - workhorse uploads the file to the location pointed by rails.
- workhorse call the rails upload endpoint with a "file" parameter which is a "pointer" to the location where the file has been uploaded (request on the upload endpoint).
We see that rails receives 2
requests during the upload (step (2.) and (4.)).
Currently, step (2.) checks are fairly simple:
- check that the user has the right permissions.
- check that the workhorse header is present.
Then on step (4.), we have additional checks:
-
.md5
file +FIPS
- duplicates check (users can control if duplicates are allowed or not).
The issue is that those additional checks could be done in step (2.). By doing so, we would save step (3.) which is an interaction with object storage. Also that would mean one less thing to do for workhorse.
🚒 Solution
- Move the additional checks from steps (2.) and (4.)
- For step (4.), extract the duplication check into its own service.
-
⚠ Use a feature flag.