Implement npm group level endpoints: CRUD tags and security audit

Dzmitry (Dima) Meshcharakourequested to merge
299834-npm-group-level-endpoints into master

Context

In !119073 (merged) we added the support for package metadata endpoint on the group level.

Now it's time to add the rest.

What does this MR do and why?

This MR makes the following endpoints available on the group-level:

Dist-Tags

List tags (docs)
  • GET /api/v4/groups/:id/-/packages/npm/-/package/:package_name/dist-tags
Create or update a tag (docs)
  • PUT /api/v4/groups/:id/-/packages/npm/-/package/:package_name/dist-tags/:tag
Delete a tag (docs)
  • DELETE /api/v4/groups/:id/-/packages/npm/-/package/:package_name/dist-tags/:tag

Audit endpoints

  • POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/advisories/bulk
  • POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/audits/quick

Screenshots or screen recordings

No.

How to set up and validate locally

  1. Create a new npm package that will be installed using the group-level endpoint. For that in rails console run the following:

    def fixture_file_upload(*args, **kwargs)
  Rack::Test::UploadedFile.new(*args, **kwargs)
end

project = Project.first
package = FactoryBot.create(:npm_package, project: project, name: "@#{project.namespace.path}/hello_world", version: '1.0.0')
project.namespace_id # note it down, we'll be using it later
project.namespace.path # node it down, we'll be using it later
Feature.enable(:npm_group_level_endpoints, Namespace.find(project.namespace_id)) # enable the feature flag for selected namespace

  2. Create an empty npm package where we will test all endpoints:

    $ mkdir npm-test-group-level && cd $_
$ touch .tool-versions
$ echo nodejs 18.16.0 > .tool-versions
$ npm init

  3. Create .npmrc file in the same directory with a group-level endpoint:

    $ touch .npmrc
$ echo @scope:registry=http://gdk.test:3000/api/v4/groups/<group_id>/-/packages/npm/ >> .npmrc
$ echo //gdk.test:3000/api/v4/groups/<group_id>/-/packages/npm/:_authToken="${TOKEN}" >> .npmrc

    Note: Replace scope with namespace.path and <group_id> with namespace_id from the step 1.

  4. Install the package:

    $ TOKEN=<your_token> npm i @scope/hello_world

    Note: Replace <your_token> with a valid token and scope with namespace.path from the step 1.

  5. Create a new tag

    $ TOKEN=<your_token> npm dist-tag add @scope/hello_world@1.0.0 my-tag

    Note: Replace <your_token> with a valid token and scope with namespace.path from the step 1.

  6. List existing tags

    $ TOKEN=<your_token> npm dist-tag ls @scope/hello_world

    Note: Replace <your_token> with a valid token and scope with namespace.path from the step 1.

  7. Delete a tag

    $ TOKEN=<your_token> npm dist-tag rm @scope/hello_world@1.0.0 my-tag

    Note: Replace <your_token> with a valid token and scope with namespace.path from the step 1.

  8. List existing tags

    $ TOKEN=<your_token> npm dist-tag ls @scope/hello_world

    Note: Replace <your_token> with a valid token and scope with namespace.path from the step 1.

  9. Run audit using GitLab npm Registry and check the report

    $ TOKEN=<your_token> npm audit --registry http://gdk.test:3000/api/v4/groups/:group_id/-/packages/npm/

    Note: Replace <your_token> with a valid token and group_id with namespace_id from the step 1.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #299834 (closed)

Edited by Dzmitry (Dima) Meshcharakou

Merge request reports