Draft: Protected packages: Integrate package protection rules for pypi packages
requested to merge gitlab-community/gitlab:323971-protected-packages-pypi-push-protection into master
What does this MR do and why?
- Push protecting pypi packages when a package protection rule exists.
- Enabling pypi as a valid package type for package protection rules.
- This MR enables the package protection for the package format 'pypi'.
- When a
PackageProtectionRuleexists then newly pushed pypi packages will be protected / rejected. - This MR concentrates only on push protection for pypi packages; delete protection of pypi packages is out of scope for this MR.
- This MR is part of the EPIC Identify packages as protected to prevent accid... (&5574)
Screenshots or screen recordings
There are no frontend changes in this MR. The local validation steps contain a demo of the rejected command when a package is pushed.
How to set up and validate locally
- Enable feature flag via
rails c
Feature.enable(:packages_protected_packages)- Open the rails console (
rails c) and start playing around with the new model
Packages::Protection::Rule.create(
project: Project.find_by(name: "Flight"),
package_name_pattern: "protected-packages-examples-pypi-python-package",
package_type: :pypi,
push_protected_up_to_access_level: :owner
)- Create a dummy pypi python package
- Adjust the package name in
pyproject.tomland set it to"protected-packages-examples-pypi-python-package"<= this should match the given package_name_pattern in step 2 - Create or adjust file
.pypircin order to push the pypi package to your local GitLab registry, see https://docs.gitlab.com/ee/user/packages/pypi_repository/#publish-a-pypi-package the given package_name_pattern in step 3 - Build the pypi package and publish the pypi package
rm dist/* &&
python3 -m build &&
python3 -m twine upload --verbose --repository gitlab_gdk_test dist/* - Pushing the pypi package should be blocked by the
Packages::Protection::Rulecreated in step 3💥 - Now, change the package name in
pyproject.tomland set it to"protected-packages-examples-pypi-python-package-other"<= this will not match the given package_name_pattern in step 3 - Build the pypi package and publish the pypi package again
rm dist/* &&
python3 -m build &&
python3 -m twine upload --verbose --repository gitlab_gdk_test dist/* - Pushing the pypi package should not be blocked by the
Packages::Protection::Ruleas the package name does not match👍
Todos
Other refactoring opportunities
-
Rename helper on top of file -
Expect to be like the param -
Extract to sharede examples -
Assess why is is possible to define a user with no attachment to project => check if there is a bug -
Check if deploy token can be used with the pypi create package service -
Return propoer error message when package is already taekn push same python pacakge over and over again -
Warnings
be rspec /Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/requests/api/pypi_packages_spec.rb
WARNING: Shared example group 'creating pypi package files' has been previously defined at:
/Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
...and you are now defining it at:
/Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
The new definition will overwrite the original one.
WARNING: Shared example group 'creating pypi package files' has been previously defined at:
/Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
...and you are now defining it at:
/Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
The new definition will overwrite the original one.
WARNING: Shared example group 'creating pypi package files' has been previously defined at:
/Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
...and you are now defining it at:
/Users/client-siemens/Development/gitlab-development-kit/gitlab/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb:4
The new definition will overwrite the original one.
Run options: include {:focus=>true}MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR. -
Changelog entry added, if necessary -
Documentation created/updated via this MR -
Documentation reviewed by technical writer or follow-up review issue created -
Tests added for this feature/bug -
Tested in all supported browsers -
Conforms to the code review guidelines -
Conforms to the merge request performance guidelines -
Conforms to the style guides -
Conforms to the javascript style guides -
Conforms to the database guides
-
Related to #323971
Edited by Gerardo Navarro