Skip to content

Adapt npm API to consider the package registry access level

Jonas Wälter requested to merge siemens/gitlab:read_package/npm-API into master

What does this MR do and why?

This MR is a step of #329253 (closed) (see implementation plan):

  • In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the package_registry_access_level feature flag.
  • In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the read_package_policy_rule feature flag and cleaned up in !96767 (merged).

Now, we need to modify the APIs of all package types to the changes: This MR adapts the npm API.

Why do we need to modify the API if considering the new setting has already been implemented in the policies?

Currently, it checks in a first step if there's access to the project (:read_project permission). If not, the request is aborted prematurely. The :read_package permission is checked only in a second step. But with the new project settings, it's possible that there's NO access to the project itself (:read_project permission), but there's access to the package registry (:read_package permission). So we must not check for the :read_project permission first.

🛠 with at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Enable the feature flag:

    Feature.enable(:read_package_policy_rule)

  2. Try to download a npm package file or get metadata and tags of a private project as anonymous (see docs): 404 Project Not Found

GET projects/:id/packages/npm/:package_name/-/:file_name
GET projects/:id/packages/npm/:package_name
GET projects/:id/packages/npm/-/package/:package_name/dist-tags

  1. Change the package_registry_access_level of the private project to allow access for everyone:

    project = Project.find(2)
project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)

  2. Try to download a npm package file or get metadata and tags of a private project as anonymous (see docs): 200 OK

GET projects/:id/packages/npm/:package_name/-/:file_name
GET projects/:id/packages/npm/:package_name
GET projects/:id/packages/npm/-/package/:package_name/dist-tags

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Merge request reports