
Allow exceptions to "Allow duplicates" group setting for Package registry

What does this MR do and why?

In Group -> Settings -> Packages and registries -> Duplicate packages, we allow users to specify whether duplicate packages are allowed. An exception regexp can be specified, so that when duplicate packages are not allowed, packages with a name or version that matches the regexp can still be allowed. Users have asked us for the reverse case: when duplicates are allowed, prevent the upload of duplicate packages that match the exception regexp. This MR implements that reverse case.

Because we're dealing with user-supplied regexes, we need to use Gitlab::UntrustedRegexp, which uses the re2 engine. The re2 engine does not support negative assertions (such as negative lookahead), so "does not match" cannot be expressed in the regexp itself. As such, we need to implement the new behavior using code logic.

Here's a summary of the existing behavior and the new behavior:

  • If duplicates are not allowed
    • Uploading a non-duplicate is allowed
    • Uploading a duplicate that does not match the regexp exception is not allowed
    • Uploading a duplicate that matches the regexp exception is allowed
  • If duplicates are allowed
    • Uploading a non-duplicate is allowed
    • Uploading a duplicate that does not match the regexp exception is allowed
    • New Behavior:
      • Regexp can be edited
      • Uploading a duplicate that matches the regexp exception is not allowed

Because this MR changes the behavior for several package formats at once, the changes are behind the derisk feature flag packages_allow_duplicate_exceptions.
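The decision matrix above, together with the feature-flag gating, written out as one predicate. This is an added illustration, not code from the MR or from GitLab; it assumes a plain Ruby Regexp as an offline stand-in for Gitlab::UntrustedRegexp, and a constructed DuplicateSetting struct in place of the real group setting record.

```ruby
require 'set'

# Group-level "Duplicate packages" setting for one package format (constructed
# stand-in for the real GitLab setting record).
DuplicateSetting = Struct.new(:allow_duplicates, :exception_regex, :exceptions_flag_enabled,
                              keyword_init: true)

# True when the exception regexp is set and matches the package name or version.
def matches_exception?(setting, name:, version:)
  pattern = setting.exception_regex.to_s
  return false if pattern.empty?

  # Stand-in for Gitlab::UntrustedRegexp (RE2). Ruby's backtracking Regexp is used
  # here only so the example runs offline; a user-supplied pattern must never reach
  # it in production, because it is exposed to catastrophic backtracking (ReDoS).
  regex = Regexp.new(pattern)
  regex.match?(name) || regex.match?(version)
end

# Decides whether an upload of name/version may proceed, given the set of
# [name, version] pairs already present in the project.
def upload_allowed?(setting, existing, name:, version:)
  duplicate = existing.include?([name, version])
  return true unless duplicate

  matched = matches_exception?(setting, name: name, version: version)
  if setting.allow_duplicates
    # Old behaviour: every duplicate is accepted. New behaviour (behind the
    # packages_allow_duplicate_exceptions flag): duplicates matching the exception
    # are rejected. RE2 cannot express "not matching", so the negation lives here.
    return true unless setting.exceptions_flag_enabled
    !matched
  else
    # Existing behaviour: duplicates are rejected unless they match the exception.
    matched
  end
end
```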

Links to duplicate package rules

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

NA. Aside from the exception regex text input being always enabled, there are no observable UI changes.

How to set up and validate locally

Preliminaries

  • Enable the feature flag
  • Have a personal access token and a project ID ready

Validating new behavior

  1. Go to Group -> Settings -> Packages and registries -> Duplicate packages
  2. Enable the Allow duplicates toggle for Generic packages
  3. Upload a package. This should be successful the first time.

     curl --fail-with-body --header "PRIVATE-TOKEN: glpat-<token>" \
          --upload-file bananas.txt \
          "http://gdk.test:3000/api/v4/projects/<project-id>/packages/generic/bananas/0.0.1/file.txt"

  4. Rerun step 3. This is a duplicate, but the upload should be successful, because duplicates are allowed.
  5. In the UI, enter "bananas" into the Exceptions textbox for generic packages. Hover away from the textbox to save.
  6. Rerun step 3. You should get an error message 💥.

     curl: (22) The requested URL returned error: 400
     {"message":"400 Bad request - Duplicate package is not allowed"}

Validating that we didn't break old behavior when duplicates are not allowed

  1. Go to Group -> Settings -> Packages and registries -> Duplicate packages
  2. Disable the Allow duplicates toggle for Generic packages
  3. Upload a non-duplicate package. The upload should be successful.

     curl --fail-with-body --header "PRIVATE-TOKEN: glpat-<token>" \
          --upload-file bananas.txt \
          "http://gdk.test:3000/api/v4/projects/<project-id>/packages/generic/lemon/0.0.1/file.txt"

  4. Rerun step 3. It should now 💥 with a duplicate error.

     curl: (22) The requested URL returned error: 400
     {"message":"400 Bad request - Duplicate package is not allowed"}

  5. In the UI, enter "lemon" into the Exceptions textbox for generic packages. Hover away from the textbox to save.
  6. Rerun step 3. The upload should be successful.

Related to #482901 (closed) #485632 #485634 #485635

Edited by Radamanthus Batnag
