Skip to content

Adapt Ruby gems API to consider package registry access level

Jonas Wälter requested to merge siemens/gitlab:read_package/rubygems-API into master

What does this MR do and why?

Solves #385259 (closed)

This MR is a step of #329253 (closed) (see implementation plan):

  • In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the package_registry_access_level feature flag.
  • In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the read_package_policy_rule feature flag and cleaned up in !96767 (merged).

Now, we need to modify the APIs of all package types to the changes: This MR adapts the Ruby gems API.

Why do we need to modify the API if considering the new setting has already been implemented in the policies?

Currently, it checks in a first step if there's access to the project (:read_project permission). If not, the request is aborted prematurely. The :read_package permission is checked only in a second step. But with the new project settings, it's possible that there's NO access to the project itself (:read_project permission), but there's access to the package registry (:read_package permission). So we must not check for the :read_project permission first.

🛠 with at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Enable the feature flags:

    Feature.enable(:read_package_policy_rule)
Feature.enable(:rubygem_packages)

  2. Try to download a gem file or fetch dependencies of a private project as anonymous (see docs): 404 Project Not Found

GET projects/:id/packages/rubygems/gems/:file_name
GET projects/:id/packages/rubygems/api/v1/dependencies

  1. Change the package_registry_access_level of the private project to allow access for everyone:

    project = Project.find(2)
project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)

  2. Try to download a gem file or fetch dependencies of a private project as anonymous (see docs): 200 OK

GET projects/:id/packages/rubygems/gems/:file_name
GET projects/:id/packages/rubygems/api/v1/dependencies

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jonas Wälter

Merge request reports