Protected containers: Validation for repository_path_pattern
requested to merge gitlab-community/gitlab:424367-protected-containers-add-validation-for-container-path into master
What does this MR do and why?
- This MR is implemented in the context of the EPIC &9825
- The field `container_path_pattern` will be used to match incoming container (image) commands => this means that not every string value should be allowed for this field => therefore, this MR adds more validations to this field
- One validation ensures that the field `container_path_pattern` starts with the project's full path because the container registry accepts container images with a certain naming convention, see https://docs.gitlab.com/ee/user/packages/container_registry/#naming-convention-for-your-container-images
- For the new feature "Protected Packages", this MR follows !132279 (merged)
Screenshots or screen recordings
There are no frontend changes. Only changes in the backend.
How to set up and validate locally
- Create a valid package protection rule because the field `package_name_pattern` is

```ruby
Project.find(7).full_path # => "flightjs/Flight"
container_registry_protection_rule = ContainerRegistry::Protection::Rule.new(project: Project.find(7), push_protected_up_to_access_level: :developer, delete_protected_up_to_access_level: :developer, repository_path_pattern: "flightjs/flight")
container_registry_protection_rule.valid? # => true
container_registry_protection_rule = ContainerRegistry::Protection::Rule.new(project: Project.find(7), push_protected_up_to_access_level: :developer, delete_protected_up_to_access_level: :developer, repository_path_pattern: "flightjs/flight/sub-flight/*")
container_registry_protection_rule.valid? # => true
```
- Create an invalid package protection rule because the field `package_name_pattern` cannot represent a valid package name

```ruby
Project.find(7).full_path # => "flightjs/Flight"
container_registry_protection_rule = ContainerRegistry::Protection::Rule.new(project: Project.find(7), push_protected_up_to_access_level: :developer, delete_protected_up_to_access_level: :developer, repository_path_pattern: "other-scope-flightjs/Flight")
container_registry_protection_rule.valid? # => false
container_registry_protection_rule.errors.full_messages # => ["Container path pattern is invalid"]
```
- Create an invalid package protection rule because the field `package_name_pattern` can only contain downcased characters

```ruby
Project.find(7).full_path # => "flightjs/Flight"
container_registry_protection_rule = ContainerRegistry::Protection::Rule.new(project: Project.find(7), push_protected_up_to_access_level: :developer, delete_protected_up_to_access_level: :developer, repository_path_pattern: "flightjs/Flight")
container_registry_protection_rule.valid? # => false
```
Todos
- Discuss lower-case, extracted in another MR
- Unfortunately, there is no other https://docs.docker.com/engine/reference/commandline/tag/
- Check if we can reuse the regex used in these test cases, see spec/lib/gitlab/path_regex_spec.rb
- Improve validation error text regarding `repository_path_pattern_in_project_scope` in https://gitlab.com/gitlab-community/gitlab/-/blob/efb1493d9b91644df55ddc962d1e4bbf17e52568/app/models/container_registry/protection/rule.rb#L34
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
- Waiting for Protected containers: New scope for finding con... (!135969 - merged)
- Related to #424367 (closed)
Edited by Gerardo Navarro
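
The two checks this MR describes (lowercase only, pattern inside the project's full path), as an added plain-Ruby sketch that is not GitLab's implementation and not code from this MR. The function name, error symbols, allowed character set and the path-boundary rule are assumptions of the example; the sample patterns are constructed from the ones in the description plus one boundary case.

```ruby
# Added example, not GitLab's code. All names below are hypothetical.
# Assumed character set for this sketch: lowercase letters, digits,
# '.', '_', '-', '/' and the '*' wildcard.
ALLOWED_PATTERN_CHARS = %r{\A[a-z0-9._/*-]+\z}

# Returns a list of error symbols; an empty list means the pattern is accepted.
def repository_path_pattern_errors(pattern, project_full_path)
  errors = []
  scope = project_full_path.downcase
  lowered = pattern.downcase

  # Registry repository names are lowercase, so an uppercase pattern
  # could never match an incoming push or delete.
  errors << :not_lowercase if pattern != lowered
  errors << :invalid_characters unless lowered.match?(ALLOWED_PATTERN_CHARS)

  # Scope check: the pattern must sit inside this project's namespace.
  if !lowered.start_with?(scope)
    errors << :outside_project_scope
  else
    # Assumption of this sketch (not stated in the MR): after the project
    # path the pattern must end or continue with '/', so a rule scoped to
    # "flightjs/flight" cannot also cover "flightjs/flight-other".
    rest = lowered[scope.length..-1]
    errors << :outside_project_scope unless rest.empty? || rest.start_with?("/")
  end
  errors
end

# Constructed sample inputs, using the project path from the description.
PROJECT_FULL_PATH = "flightjs/Flight"
SAMPLES = [
  "flightjs/flight",
  "flightjs/flight/sub-flight/*",
  "other-scope-flightjs/Flight",
  "flightjs/Flight",
  "flightjs/flight-other/*"
].freeze

def check_samples
  SAMPLES.to_h { |p| [p, repository_path_pattern_errors(p, PROJECT_FULL_PATH)] }
end

check_samples.each { |pattern, errors| puts "#{pattern.inspect} => #{errors.inspect}" }
```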