
Adds request forwarding warning to package details modal

What does this MR do and why?

When users have package forwarding enabled (currently available for npm, PyPI, and Maven), there is a risk that a package could be deleted and then requests for that package will be forwarded to the public registry. Worst case, a malicious package exists under the same name on the public registry and is installed.

This MR adds a warning to the confirmation modal on the package details page:

  • When users try to delete the package with forwarding enabled
  • When users try to delete another package version with forwarding enabled
  • When users try to bulk delete other package versions with forwarding enabled
  • When users try to delete all the files in the package, which results in deletion of the package, with forwarding enabled
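The risk the warning guards against, as an added example that is not GitLab's own code: a small Ruby model of a group registry with per-format request forwarding (npm, PyPI and Maven, as on the group settings page), a public registry that anyone can publish to, and the resolution order a package manager sees. It shows that the group's own package is served while it exists, and that a same-name public package is served instead once it is deleted with forwarding on; the `forwarding_warning?` check mirrors the modal's condition, including the "non-forwardable format never warns" case. The class and method names (`GroupRegistry`, `PublicRegistry`, `deletion_scenario`), the package name and the attacker package are hypothetical and constructed for the example.

```ruby
# Added example, not GitLab's code. Models request forwarding and the
# dependency-confusion window that deleting a forwarded package opens.
Package = Struct.new(:format, :name, :version, :origin)

# Stand-in for npmjs.org / pypi.org / Maven Central: anyone can publish here.
class PublicRegistry
  def initialize
    @packages = Hash.new { |h, k| h[k] = {} }
  end

  def publish(format, name, version)
    @packages[[format, name]][version] = Package.new(format, name, version, :public)
  end

  def fetch(format, name, version)
    @packages[[format, name]][version]
  end
end

# Group-level registry. `forwarding` mirrors the per-format toggles under
# Group > Settings > Packages and registries (hypothetical shape).
class GroupRegistry
  FORWARDABLE_FORMATS = %i[npm pypi maven].freeze

  attr_reader :forwarding

  def initialize(public_registry, forwarding: {})
    @public = public_registry
    # Only the forwardable formats have a toggle; anything else is never forwarded.
    @forwarding = FORWARDABLE_FORMATS.to_h { |f| [f, forwarding.fetch(f, false)] }
    @packages = Hash.new { |h, k| h[k] = {} }
  end

  def publish(format, name, version)
    @packages[[format, name]][version] = Package.new(format, name, version, :private)
  end

  # Request flow a package manager sees: a private hit wins; otherwise the
  # request is forwarded to the public registry only if the format's toggle is on.
  def resolve(format, name, version)
    private_pkg = @packages[[format, name]][version]
    return private_pkg if private_pkg
    return nil unless @forwarding[format]

    @public.fetch(format, name, version)
  end

  # The modal's condition: deleting this format can expose the group to the
  # public registry only when forwarding is enabled for that format.
  def forwarding_warning?(format)
    FORWARDABLE_FORMATS.include?(format) && @forwarding[format] == true
  end

  # Deleting one version, every version, or every file removes the private hit.
  def delete_version(format, name, version)
    @packages[[format, name]].delete(version)
  end

  def delete_package(format, name)
    @packages.delete([format, name])
  end
end

# Walks the scenario: resolve before and after the delete and report what was
# served at each step plus whether the modal would have warned.
def deletion_scenario(format: :npm, forwarding_enabled: true)
  pub = PublicRegistry.new
  group = GroupRegistry.new(pub, forwarding: { format => forwarding_enabled })

  group.publish(format, "internal-utils", "1.0.0")
  # Constructed attacker package: same name and version on the public registry.
  pub.publish(format, "internal-utils", "1.0.0")

  before = group.resolve(format, "internal-utils", "1.0.0")
  warned = group.forwarding_warning?(format)
  group.delete_package(format, "internal-utils")
  after = group.resolve(format, "internal-utils", "1.0.0")

  { warned: warned, before: before&.origin, after: after&.origin }
end

if __FILE__ == $PROGRAM_NAME
  p deletion_scenario                            # npm, forwarding on
  p deletion_scenario(forwarding_enabled: false) # npm, forwarding off
  p deletion_scenario(format: :conan)            # format without forwarding
end
```

With forwarding on, the same request that returned the group's package before the delete returns the attacker's public package afterwards, which is exactly the case the modal text is meant to make the user stop and think about; with forwarding off, or for a format that has no forwarding toggle, the request simply fails after the delete and no warning is shown.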

Previous MRs

Implementation

  • Modifies the package details GraphQL query to return the group's forwarding settings
  • Re-uses the delete-modal from the previous MR
  • Removes usage of delete-package-modal from the package-versions_list component
  • Adds the request forwarding template to the delete package modal in the details component
  • Modifies the delete-package text to include the package name and version

Screenshots or screen recordings

  • with request forwarding & trying to delete package: Screenshot_2023-04-19_at_12.00.12_pm
  • with request forwarding & trying to bulk delete packages: Screenshot_2023-04-14_at_11.32.20_pm
  • delete package: Screenshot_2023-04-14_at_11.28.48_pm
  • bulk delete package: Screenshot_2023-04-14_at_11.29.10_pm

How to set up and validate locally

  1. Visit Group > Settings > Packages and registries
  2. Enable request forwarding for one of the npm, PyPI or Maven package formats
  3. Publish packages of different types, as described in https://gitlab.com/gitlab-org/ci-cd/package-stage/package/-/wikis/Packages-Tips-&-Tricks. Example:
    1. rails c - Open the Rails console

    2. p = Project.find(1) - Find one of your GDK projects. The project id can be found on the project home page

    3. FactoryBot.create_list(:npm_package, 25, project: p, name: p.name) - Creates 25 npm packages

    4. If the step above fails while creating the package files, define this helper in the console first (the package factories upload fixture files through it):

       # Console shim for the Rails test helper the factories call when attaching files
       def fixture_file_upload(*args, **kwargs)
         Rack::Test::UploadedFile.new(*args, **kwargs)
       end
  4. Visit the group and project package registry list pages
  5. Clicking on one of the packages should take you to the details page
  6. The modal should show the warning when the package type matches a format with request forwarding enabled and you try to:
    1. delete the package
    2. delete a package in the other versions tab
    3. bulk delete packages in the other versions tab
    4. delete all the files in the package
  7. For package formats that do not allow request forwarding, this warning should not appear.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Closes #388694

Edited by Rahul Chanila
