
Adds package forwarding warning to delete modal

What does this MR do and why?

When users have package forwarding enabled (currently available for npm, PyPI, and Maven), there is a risk that a package could be deleted and then requests for that package will be forwarded to the public registry. Worst case, a malicious package exists under the same name on the public registry and is installed.

This MR adds a warning in the confirmation modal for the package list page:

  • When users try to delete a single package with forwarding enabled
  • When users try to bulk delete packages with forwarding enabled.

Previous MRs

Implementation

  • Removes usage of delete-package-modal from list page.
  • Improves shared delete-modal to handle one item.
  • This delete-modal will be used in the next MR for the details page.

Screenshots or screen recordings

Action | Screenshot
delete a package which does not have request forwarding set | Screenshot_2023-04-12_at_12.40.43_pm
delete a package which has request forwarding set | Screenshot_2023-04-12_at_12.40.55_pm
delete packages where some of the package formats have request forwarding set | Screenshot_2023-04-12_at_12.41.15_pm
delete packages when none of the package formats have request forwarding set | Screenshot_2023-04-12_at_12.42.24_pm

How to set up and validate locally

  1. Visit Group > Settings > Packages and registries
  2. Enable request forwarding for one of the NPM, PyPI, or Maven package formats
  3. Publish different types of packages, as mentioned in https://gitlab.com/gitlab-org/ci-cd/package-stage/package/-/wikis/Packages-Tips-&-Tricks. Example:
    1. rails c - Open the rails console

    2. p = Project.find(1) - Find one of your GDK projects. Project id can be found on the project home page

    3. FactoryBot.create_list(:npm_package, 25, project: p, name: p.name) - Creates 25 npm packages

    4. Add this method if the above fails during the creation of files

       def fixture_file_upload(*args, **kwargs)
         Rack::Test::UploadedFile.new(*args, **kwargs)
       end
  4. Visit the group's and project's package registry list pages.
  5. Trying to delete a package should show a warning in the modal if the package type matches the request forwarding
  6. Trying to bulk delete packages should show a warning in the modal if some of the package types match the request forwarding.
  7. For package formats that do not allow request forwarding, this warning should not appear.

These changes should not be applicable on the details page.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #388694

Edited by Rahul Chanila
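
The warning condition described in this MR, sketched as an added example (not code from the MR or from GitLab). The function name, the shape of the forwarding settings object and the sample packages are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not GitLab's implementation.
// Formats the MR description lists as supporting request forwarding.
const FORWARDABLE_FORMATS = ['npm', 'pypi', 'maven'];

// packages: items selected for deletion, e.g. { name: 'app', packageType: 'NPM' }
// forwarding: assumed group setting shape, e.g. { npm: true, pypi: false }
function forwardingDeleteWarning(packages, forwarding = {}) {
  // Only formats that support forwarding AND have it switched on count.
  const enabled = new Set(
    FORWARDABLE_FORMATS.filter((format) => forwarding[format] === true),
  );
  const formatOf = (pkg) => String(pkg.packageType || '').toLowerCase();

  // Once deleted, requests for these names fall through to the public registry.
  const atRisk = packages.filter((pkg) => enabled.has(formatOf(pkg)));

  return {
    showWarning: atRisk.length > 0,
    formats: [...new Set(atRisk.map(formatOf))].sort(),
    atRiskNames: atRisk.map((pkg) => pkg.name),
    bulk: packages.length > 1,
  };
}

// Constructed sample data: forwarding is on for npm only. The nuget flag is
// ignored because that format is not in the forwardable list.
const groupForwarding = { npm: true, pypi: false, maven: false, nuget: true };
const selection = [
  { name: 'internal-ui', packageType: 'NPM' },
  { name: 'internal-lib', packageType: 'PYPI' },
  { name: 'internal-sdk', packageType: 'NUGET' },
];

console.log(forwardingDeleteWarning(selection, groupForwarding));
console.log(forwardingDeleteWarning([selection[1]], groupForwarding));
```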
