Add GraphQL query for the dependency proxy for packages settings (!132877) · Merge requests · GitLab.org / GitLab

David Fernandez requested to merge 410725-maven-dependency-proxy-graphql into master Sep 28, 2023

📞 Context

We're working on the very first version of the dependency proxy for packages. See #407460 (comment 1373731852) for all the details from the technical investigation.

At the core, the concept is right simple. GitLab will act with as a proxy. Basically, users can pull packages through it and GitLab will be a pull-through cache.

Package Manager clients (npm, maven, ...) <-> GitLab <-> External Package Registry

Because, GitLab is in the middle (aka proxy) of the package transport, we can leverage the GitLab Package registry to use it as a cache. In other words, before contacting the external package registry, we can check the local project registry to check if the package is already there. If that's the case, we can return it directly.

The first iteration will only cover the Maven package format.

We already added the API endpoints and logic in past MRs.

The dependency proxy is powered by some settings. Basically, users will need to set up the url and credentials of the remote registry. Have a look at the model class.

We now need the GraphQL changes to manipulate that settings object. See The dependency proxy settings GraphQL API (#410725 - closed). Basically:

Read the settings object from the project.
Update or create the settings object.

This MR solely focuses on (1.): the changes to read the settings object on GraphQL. (2.) will be implemented in a follow up.

This GraphQL parts will be used to power the frontend.

🛃 Permissions and gates

So obviously, not any user can read this settings object. So we will have a few checks to run before returning the object:

The packages feature needs to be enabled in the GitLab config (gitlab.yml). Enabled by default.
The dependency_proxy feature needs to be enabled in the GitLab config (gitlab.yml).
The packages feature in the project settings needs to be enabled.
This is an EE only feature, as such the project needs to have a license with the level of at least premium.
The user needs to be at least maintainer on the project.

To keep things a bit simple, all these checks have been embedded in the admin_dependency_proxy_packages_setting permission. If one of the above fail, the permission is not given.

🔮 Additional thoughts

The entire dependency proxy for packages is behind a feature flag so all the changes here are gated behind that feature flag. As such, we're going to follow https://docs.gitlab.com/ee/development/api_graphql_styleguide.html#feature-flags. In particular, all new GraphQL things will marked as alpha.

The settings object doesn't exist by default. We are using an approach similar to the other settings objects in the grouppackage registry. Please note that we don't have an id column on those settings objects, instead we have a project_id that is used as a primary key. As such, a project can only have one instance of those objects. The approach is as follows: when accessing the object from the project, either read it or build a default one (with empty or disabled values). As such, when all conditions are fulfilled (see above), the GraphQL query will never return a null object (even if the settings object doesn't exist in the database).

Lastly, I choose to not return the credentials back in the GraphQL. The idea is that we can only send them to create/update the settings object and then users will not have another chance to see them again. After all, they are credentials to an external package registry that can contain a pretty large amount of packages which is basically parts of software that can power an entire company. So, better be safe than sorry here.

🤔 What does this MR do and why?

Update the EE ProjectType to read the dependency proxy for packages settings object.
Add the GraphQL SettingType.
Add the related specs.
Add the related updates in the documentation.

The entire dependency proxy for packages is currently behind a feature flag. The rollout issue is [Feature flag] Enable packages_dependency_proxy... (#415218 - closed).

🖼 Screenshots or screen recordings

This is a GraphQL

⚙ How to set up and validate locally

Make sure that you have a license in the local instance.

In a rails console, enable the :

Feature.enable(:packages_dependency_proxy_maven)

Open http://gdk.test:8000/-/graphql-explorer

Run the following query:

query {
  project(fullPath: "<project full path>") {
    dependencyProxyPackagesSetting {
      enabled
      mavenExternalRegistryUrl
      mavenExternalRegistryUsername
    }
  }
}

🏁 MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Sep 28, 2023 by David Fernandez

Add GraphQL query for the dependency proxy for packages settings