
Make "allow anyone to pull" work with group-level Maven endpoints

Context

In GitLab package registry, there's a project-level setting that can allow anyone to pull from the package registry, regardless of the project's visibility.

That works fine for the project-level endpoints. However, it's not supported for the group-level endpoints.

In the Maven repository, there is one endpoint for which we need to support the allow anyone to pull setting: Download a package file at the group level.

Solution

We have a SQL query that says: within this group, collect all the public projects + all the projects where the user has reporter access.

We will need to update that to: within this group, collect all the public projects + all the projects where the user has reporter access + all the projects that have a public package registry.

The change is gated behind a feature flag.
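As an added illustration (not code from this MR or from GitLab itself), the following Ruby models the three-way union described above as an in-memory filter, with both gates the MR relies on: the feature flag around the new branch and the instance-wide `package_registry_allow_anyone_to_pull_option` setting. `Project`, `Member`, `accessible_projects` and `visible_ids` are hypothetical stand-ins for the ActiveRecord query the MR changes, and the sample projects and memberships are constructed.

```ruby
# Added example, not GitLab's own code: an in-memory model of the group-level
# project filter described in the Solution section. Project, Member and
# accessible_projects are hypothetical stand-ins for the ActiveRecord query.

# Access level threshold and package registry levels mirror GitLab's
# Gitlab::Access::REPORTER and ProjectFeature constants.
REPORTER = 20
PACKAGE_REGISTRY_PRIVATE = 10
PACKAGE_REGISTRY_ENABLED = 20
PACKAGE_REGISTRY_PUBLIC  = 30

Project = Struct.new(:id, :group, :visibility, :package_registry_access_level, keyword_init: true)
Member  = Struct.new(:user, :project_id, :access_level, keyword_init: true)

# True when `user` holds at least reporter access on `project`.
# Anonymous requests (user == nil) never satisfy this branch.
def reporter_access?(members, user, project)
  return false if user.nil?

  members.any? do |m|
    m.user == user && m.project_id == project.id && m.access_level >= REPORTER
  end
end

# True when the project opted in to "allow anyone to pull"; the instance-wide
# package_registry_allow_anyone_to_pull_option setting must also be on.
def public_package_registry?(project, setting_enabled:)
  setting_enabled && project.package_registry_access_level == PACKAGE_REGISTRY_PUBLIC
end

# Projects within `group` whose Maven package files the group-level download
# endpoint may serve: public projects + projects where the user is at least a
# reporter + (only behind the feature flag) projects with a public package registry.
def accessible_projects(projects, members, group:, user:, flag_enabled:, setting_enabled:)
  projects.select do |project|
    next false unless project.group == group

    project.visibility == :public ||
      reporter_access?(members, user, project) ||
      (flag_enabled && public_package_registry?(project, setting_enabled: setting_enabled))
  end
end

# Constructed sample data: group g1 holds a public project, a private project
# that allows anyone to pull, and a private project that does not; g2 is a
# different group and must never leak through the g1 endpoint.
PROJECTS = [
  Project.new(id: 1, group: "g1", visibility: :public,  package_registry_access_level: PACKAGE_REGISTRY_ENABLED),
  Project.new(id: 2, group: "g1", visibility: :private, package_registry_access_level: PACKAGE_REGISTRY_PUBLIC),
  Project.new(id: 3, group: "g1", visibility: :private, package_registry_access_level: PACKAGE_REGISTRY_PRIVATE),
  Project.new(id: 4, group: "g2", visibility: :private, package_registry_access_level: PACKAGE_REGISTRY_PUBLIC)
].freeze

MEMBERS = [
  Member.new(user: "alice", project_id: 3, access_level: 20), # reporter on project 3
  Member.new(user: "bob",   project_id: 3, access_level: 10)  # guest on project 3
].freeze

# IDs of g1 projects the endpoint would consider for the given requester.
def visible_ids(user:, flag_enabled:, setting_enabled: true)
  accessible_projects(PROJECTS, MEMBERS, group: "g1", user: user,
                      flag_enabled: flag_enabled, setting_enabled: setting_enabled).map(&:id)
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous, flag off:   #{visible_ids(user: nil, flag_enabled: false).inspect}"
  puts "anonymous, flag on:    #{visible_ids(user: nil, flag_enabled: true).inspect}"
  puts "external PAT, flag on: #{visible_ids(user: 'external', flag_enabled: true).inspect}"
  puts "alice (reporter):      #{visible_ids(user: 'alice', flag_enabled: true).inspect}"
  puts "bob (guest):           #{visible_ids(user: 'bob', flag_enabled: true).inspect}"
end
```

Two design points worth checking against the real query: the feature flag wraps only the new third branch, so disabling it restores exactly the old "public or reporter" result set, and the application setting is checked alongside the per-project level, matching the two console steps in the validation section below (an external user or an anonymous request sees project 2 only when both are on, and never sees project 3 or the other group's project 4).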

What does this MR do and why?

  • Modify the Packages::Maven::PackageFinder and API::MavenPackages classes to support the allow anyone to pull setting.
  • Add the related specs.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Make sure you have a private project in a private or public group to use it as the package registry.

  2. Open rails console:

    # Enable the feature flag
    Feature.enable(:allow_anyone_to_pull_public_maven_packages_on_group_level)

    # Enable the `package_registry_allow_anyone_to_pull_option` application setting
    ApplicationSetting.last.update(package_registry_allow_anyone_to_pull_option: true)

    # Enable "Allow anyone to pull from Package Registry" in the private project from step 1
    Project.find(<id>).project_feature.update(package_registry_access_level: ::ProjectFeature::PUBLIC)

    # Create an external user that we are sure doesn't have access to the group or project
    user = FactoryBot.create(:user, :external)
    # Keep the username of the user, we will use it later
    user.username

    # Create a PAT for the external user, we will use it later
    pat = FactoryBot.create(:personal_access_token, user: user).token

    # Stub fixture_file_upload, which the package factories use but the console doesn't define
    def fixture_file_upload(*args, **kwargs)
      Rack::Test::UploadedFile.new(*args, **kwargs)
    end

    # Create a maven package in the private project from step 1
    package = FactoryBot.create(:maven_package, project_id: <private_project_id>)

    # Keep the package path, we will use it in the download endpoint
    package.maven_metadatum.path

    # Get the name of one of the package's files to test with
    package.package_files.last.file_name

  3. Try downloading the package using the group-level endpoint. The endpoint requires two params: path & file_name. We already have them from the console steps.

    It should work without passing any token and also with passing the external user PAT as the Private-Token header:

    curl --header "Private-Token: <personal_access_token>" "http://gdk.test:3000/api/v4/groups/<group_id>/-/packages/maven/<path>/<file_name>"

Related to #468059

Edited by Moaz Khalifa
