
Separate user permissions from the package finder

What does this MR do and why?

This MR changes the Maven package finder to return packages without looking at the user's permissions. The permission check on the project happens later, inside the API: https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/maven_packages.rb#L172

It mainly affects two cases:

  1. Duplicate packages are published to two different projects and the user doesn't have access to the most recent one.
    Before: the user gets the previously published version of the package, the one they have access to (200 OK).
    After: the user doesn't get any package (403 Forbidden), because they don't have enough permission to read the most recent package.

  2. The request forwarding feature.
    Before: the package exists but the user doesn't have permission to read it. The finder doesn't return any package and the request is forwarded to Maven Central (when the feature is enabled).
    After: the user's request is not forwarded to Maven Central, since the package exists but the user doesn't have permission to read it.

This is a breaking change and is introduced behind the feature flag `maven_remove_permissions_check_from_finder`.
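The following is an added example, not GitLab's code: a toy model of the finder and the API layer around it that reproduces both cases above and the `last_downloaded_at` check used in the validation steps. The project/package/user structures, the `can_read_package?` rule (reporter can read, guest cannot) and the 302 used to represent a forward to Maven Central are assumptions made for the illustration.

```ruby
# Added example (not GitLab's code): toy model of the Maven package finder and the
# API layer around it, showing why moving the permission check out of the finder
# changes the HTTP result for duplicate packages and for request forwarding.
# Project/Package structs, the read rule and the 302 for forwarding are assumptions.

Project = Struct.new(:name, :package_readers)   # package_readers: user names allowed to read packages
Package = Struct.new(:name, :version, :project, :created_at, :last_downloaded_at)

def can_read_package?(user, project)
  project.package_readers.include?(user)
end

# Before this MR: the finder drops packages the user cannot read, then picks the newest.
def finder_with_permission_check(packages, user, name, version)
  packages
    .select { |pkg| pkg.name == name && pkg.version == version && can_read_package?(user, pkg.project) }
    .max_by(&:created_at)
end

# After this MR (feature flag enabled): the finder ignores the user and returns the newest match.
def finder_without_permission_check(packages, name, version)
  packages
    .select { |pkg| pkg.name == name && pkg.version == version }
    .max_by(&:created_at)
end

# API layer: resolve through the finder, then authorize against the returned package's project.
# Returns [status, detail]. 302 stands in for the forward to Maven Central (assumed status).
def maven_download(packages, user, name, version, check_in_finder:, forward_enabled:)
  package =
    if check_in_finder
      finder_with_permission_check(packages, user, name, version)
    else
      finder_without_permission_check(packages, name, version)
    end

  if package.nil?
    return forward_enabled ? [302, :forwarded_to_maven_central] : [404, :not_found]
  end
  return [403, :forbidden] unless can_read_package?(user, package.project)

  package.last_downloaded_at = Time.now   # only a served download updates the timestamp
  [200, package.project.name]
end

# Constructed fixtures: alice is reporter on p1 (can read packages) and guest on p2 (cannot).
def build_projects
  [Project.new('p1', ['alice']), Project.new('p2', [])]
end

# Case 1: the same name/version exists in both projects and the newer copy is in p2.
def duplicate_packages
  p1, p2 = build_projects
  [Package.new('com.example/app', '1.1-SNAPSHOT', p1, 1, nil),
   Package.new('com.example/app', '1.1-SNAPSHOT', p2, 2, nil)]
end

# Case 2: the package exists only in p2, which alice cannot read.
def private_only_package
  _p1, p2 = build_projects
  [Package.new('com.example/app', '1.1-SNAPSHOT', p2, 1, nil)]
end

if __FILE__ == $PROGRAM_NAME
  [true, false].each do |check_in_finder|
    puts "permission check in finder: #{check_in_finder}"
    puts "  duplicates:   #{maven_download(duplicate_packages, 'alice', 'com.example/app', '1.1-SNAPSHOT',
                                           check_in_finder: check_in_finder, forward_enabled: true).inspect}"
    puts "  private only: #{maven_download(private_only_package, 'alice', 'com.example/app', '1.1-SNAPSHOT',
                                           check_in_finder: check_in_finder, forward_enabled: true).inspect}"
  end
end
```

With the check inside the finder, the duplicate case silently serves the older copy from p1 and the private-only case leaks the fact that nothing readable was found by forwarding upstream; with the check in the API layer, both requests end in 403 and neither package's `last_downloaded_at` is touched.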

Screenshots or screen recordings

No UI changes 🌈

How to set up and validate locally

Execute the following commands in rails console:

  1. Enable the feature flag

    Feature.enable(:maven_remove_permissions_check_from_finder)
  2. Create a new group with two projects

    g = FactoryBot.create(:group, :private)
    p1 = FactoryBot.create(:project, group: g)
    p2 = FactoryBot.create(:project, group: g)
  3. Create a new user with a token

    u = FactoryBot.create(:user)
    
    pat = FactoryBot.create(:personal_access_token, user: u, scopes: ["api", "read_registry"])
    
    # check the token - we need it for the curl request later
    pat.token

  4. Add the user to the group and the projects

    g.add_guest(u)
    p1.add_reporter(u)
    p2.add_guest(u)
  5. Create two Maven packages

    # stub file upload
    def fixture_file_upload(*args, **kwargs)
      Rack::Test::UploadedFile.new(*args, **kwargs)
    end
    
    package1 = FactoryBot.create(:maven_package, project: p1)
    package2 = FactoryBot.create(:maven_package, project: p2, name: package1.name, version: package1.version)
    
    # Note down the package's name - we need it for the curl request later
    package1.name
    
  6. Send a curl request

    With this MR

    $ curl --header "PRIVATE-TOKEN: <PAT token>" "http://gdk.test:3000/api/v4/groups/<group ID>/-/packages/maven/<package's name>/1.1-SNAPSHOT/maven-metadata.xml"

    The result should be 403 Forbidden

    Additionally we could check that no packages were downloaded:

    package1.reload.last_downloaded_at
    => nil
    
    package2.reload.last_downloaded_at
    => nil

    With master or with the FF disabled

    $ curl --header "PRIVATE-TOKEN: <PAT token>" "http://gdk.test:3000/api/v4/groups/<group ID>/-/packages/maven/<package's name>/1.1-SNAPSHOT/maven-metadata.xml"

    The result is 200 OK

    And the package's last_downloaded_at should return a timestamp

    package1.reload.last_downloaded_at

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #393933 (closed)

Edited by Dzmitry (Dima) Meshcharakou
