Skip to content

Adapt Debian distributions API to consider package registry access level

Jonas Wälter requested to merge siemens/gitlab:read_package/debian-distributions-API into master

What does this MR do and why?

This MR is a step of #329253 (closed) (see implementation plan):

  • In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the package_registry_access_level feature flag.
  • In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the read_package_policy_rule feature flag and cleaned up in !96767 (merged).

Now, we need to modify the APIs of all package types to the changes: This MR adapts the Debian project distributions API.

Why do we need to modify the API if considering the new setting has already been implemented in the policies?

Currently, it checks in a first step if there's access to the project (:read_project permission). If not, the request is aborted prematurely. The :read_package permission is checked only in a second step. But with the new project settings, it's possible that there's NO access to the project itself (:read_project permission), but there's access to the package registry (:read_package permission). So we must not check for the :read_project permission first.

🛠 with at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Enable the feature flags:

    Feature.enable(:read_package_policy_rule)
Feature.enable(:debian_packages)

  2. Try to use the Debian project distribution API of a private project as anonymous (see docs): 404 Project Not Found

GET /projects/:id/debian_distributions
GET /projects/:id/debian_distributions/:codename
GET /projects/:id/debian_distributions/:codename/key.asc

  1. Change the package_registry_access_level of the private project to allow access for everyone:

    project = Project.find(2)
project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)

  2. Try to use the Debian project distribution API of a private project as anonymous (see docs): 200 OK

GET /projects/:id/debian_distributions
GET /projects/:id/debian_distributions/:codename
GET /projects/:id/debian_distributions/:codename/key.asc

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #385258 (closed)

Edited by David Fernandez

Merge request reports