
Exclude pending destruction files from duplicate check

What does this MR do and why?

When the "Do not allow duplicates" option is enabled in the group settings for the Generic package registry, and a file is uploaded to a package, then deleted, attempting to upload the same file again with the same name results in a "400 Bad request - Duplicate package is not allowed" error, even though the file does not exist in the package.

After investigation, it appeared that the duplication check doesn't take into consideration the file's status.

That means when deleting a file, we don't delete it directly; rather, we change its status to pending_destruction, and a cron job later picks it up and executes the actual deletion. However, the user should be able to upload the file if the existing one has a pending_destruction status.

So the solution is to exclude the files that have pending_destruction status from the duplicate check we perform when uploading a file to the generic package registry.

How to set up and validate locally

  1. Create a GitLab group.
  2. Enable the "Do not allow duplicates" option in the group "Settings" > "Packages & Registries" > "Package Registry" > "Generic".
  3. Create a project within the group.
  4. After proper API authentication, upload to the generic package registry a file for a package:
$ curl --header "PRIVATE-TOKEN: <PAT>" \
       --upload-file example-file.txt \
       "http://gdk.test:3000/api/v4/projects/<project_id>/packages/generic/<package_name>/<package_version>/example-file.txt"
{"message":"201 Created"}
  5. Delete the file:
$ curl --request DELETE \
      --header "PRIVATE-TOKEN: <PAT>" \
      "http://gdk.test:3000/api/v4/projects/<project_id>/packages/<package_id>/package_files/<package_file_id>"
  6. Upload the file again, using the same package name, version, and file name:

    • Before the fix

$ curl --header "PRIVATE-TOKEN: <PAT>" \
       --upload-file /tmp/example-file.txt \
       "https://gitlab.com/api/v4/projects/34305995/packages/generic/demo-dupl-bug/1.0.0/example-file.txt"
{"message":"400 Bad request - Duplicate package is not allowed"}
    • After the fix

$ curl --header "PRIVATE-TOKEN: <PAT>" \
       --upload-file /tmp/example-file.txt \
       "https://gitlab.com/api/v4/projects/34305995/packages/generic/demo-dupl-bug/1.0.0/example-file.txt"
{"message":"201 Created"}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #354872 (closed)

💾 Database analysis

Edited by David Fernandez
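
The duplicate check described in this merge request, as an added example that is not GitLab's code and not part of the MR: a small in-memory Ruby model that replays upload, delete, re-upload, and a genuine duplicate upload against the check before and after the fix. The class and method names and the `:default` status are assumptions; only `pending_destruction` and the response messages come from the description.

```ruby
# Added illustration: in-memory model only. All names here are hypothetical.
PackageFile = Struct.new(:file_name, :status)

class GenericPackage
  def initialize(allow_duplicates:)
    @allow_duplicates = allow_duplicates
    @files = []
  end

  # Soft delete: the record stays and is only marked for later destruction.
  def delete(file_name)
    @files.each do |f|
      f.status = :pending_destruction if f.file_name == file_name && f.status == :default
    end
  end

  # Stand-in for the cron job that performs the actual deletion.
  def purge!
    @files.reject! { |f| f.status == :pending_destruction }
  end

  # Check as described before the fix: status is ignored.
  def duplicate_before_fix?(file_name)
    @files.any? { |f| f.file_name == file_name }
  end

  # Check as described after the fix: pending_destruction files are excluded.
  def duplicate_after_fix?(file_name)
    @files.any? { |f| f.file_name == file_name && f.status != :pending_destruction }
  end

  def upload(file_name, fixed:)
    dup = fixed ? duplicate_after_fix?(file_name) : duplicate_before_fix?(file_name)
    return '400 Bad request - Duplicate package is not allowed' if !@allow_duplicates && dup

    @files << PackageFile.new(file_name, :default)
    '201 Created'
  end
end

# Replays the validation steps, plus one genuine duplicate upload at the end.
def replay(fixed:)
  pkg = GenericPackage.new(allow_duplicates: false)
  results = [pkg.upload('example-file.txt', fixed: fixed)]
  pkg.delete('example-file.txt')
  results << pkg.upload('example-file.txt', fixed: fixed) # re-upload after delete
  results << pkg.upload('example-file.txt', fixed: fixed) # real duplicate
  results
end
```

The third upload in `replay` is the regression case to keep in a test suite: with the fix applied, a live file with the same name must still be rejected.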
