Protected packages: NuGet package push protection

What does this MR do and why?

  • Add the new package type nuget to the PackageProtection::Rule model
  • Integrate push package protection for the package format NuGet
  • Allow creation of NuGet package protection rules in the frontend
  • This commit adds the feature flag :packages_protected_packages_nuget

Changelog: added

🛠️ with ❤️ at Siemens

Screenshots or screen recordings

Before

In the project settings, the package protection rules only allow the package types npm and PyPI.

In the backend, NuGet packages can be uploaded as usual to the package registry, regardless of any protection rule.

After

Regarding the frontend, there is only a minimal change: NuGet is now selectable as a package type when creating a protection rule. As discussed here, a UX review should not be necessary for this.

The main changes of this MR are in the backend. When a package protection rule for NuGet matches the name of a package being pushed, the push is rejected: the API answers with 403 Forbidden and the package is not stored. The following console output appears when pushing such a package.

root@e2622ca19fa4:~/AppLogger# dotnet nuget push bin/Debug/flight-nuget-protected-test.0.0.2.nupkg --source gdk_test --api-key {{personal_access_token}}
warn : You are running the 'push' operation with an 'HTTP' source, 'http://gdk.test:3000/api/v4/projects/7/packages/nuget/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.
Pushing flight-nuget-protected-test.0.0.2.nupkg to 'http://gdk.test:3000/api/v4/projects/7/packages/nuget'...
warn : You are running the 'push' operation with an 'HTTP' source, 'http://gdk.test:3000/api/v4/projects/7/packages/nuget/'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.
  PUT http://gdk.test:3000/api/v4/projects/7/packages/nuget/
  Forbidden http://gdk.test:3000/api/v4/projects/7/packages/nuget/ 3775ms
error: Response status code does not indicate success: 403 (Forbidden).

How to set up and validate locally

  1. In the Rails console, enable the feature flag :packages_protected_packages_nuget
Feature.enable(:packages_protected_packages_nuget)
  2. Go to the package settings page of the seeded project "flightjs/Flight": http://gdk.test:3000/flightjs/Flight/-/settings/packages_and_registries
  3. Create a new package protection rule for NuGet; set the field "Package name pattern" to Contoso.08.28.22.001.Test (this is the exemplary "PackageId" used in the NuGet quickstart example, and the one pushed in a later step)
  4. Create a NuGet package as explained in the NuGet quickstart guide; you can also use the GitLab guide for more details
  5. Configure a NuGet source pointing at your local GDK package registry, see https://docs.gitlab.com/user/packages/nuget_repository/#project-level-endpoint
dotnet nuget add source "http://gdk.test:3000/api/v4/projects/7/packages/nuget/index.json" --name gdk_test --username {{username_of_project_developer}} --password {{personal_access_token_of_project_developer}} --store-password-in-clear-text
  6. Create and upload the NuGet package with the following commands
dotnet pack
dotnet nuget push bin/Debug/Contoso.08.28.22.001.Test.0.0.1.nupkg --source gdk_test --api-key {{personal_access_token_of_project_developer}}
  7. The push should fail with 403 Forbidden because the package name is protected, see the console output above 💥
  8. Create a new NuGet package with another package name (not Contoso.08.28.22.001.Test); in the NuGet package metadata file, change the tag <PackageId>Contoso.08.28.22.001.Test</PackageId> to <PackageId>flight-nuget-unprotected-test</PackageId>
  9. Run the NuGet package upload commands again
dotnet pack
dotnet nuget push bin/Debug/flight-nuget-unprotected-test.0.0.1.nupkg --source gdk_test --api-key {{personal_access_token_of_project_developer}}
  10. The NuGet package flight-nuget-unprotected-test should be pushed successfully, see the following console output 👍
root@e2622ca19fa4:~/AppLogger# dotnet nuget push bin/Debug/flight-nuget-protected-test.0.0.2.nupkg --source gdk_test --api-key {{personal_access_token_of_project_developer}}
warn : You are running the 'push' operation with an 'HTTP' source, 'http://gdk.test:3000/api/v4/projects/7/packages/nuget/index.json'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.
Pushing flight-nuget-protected-test.0.0.2.nupkg to 'http://gdk.test:3000/api/v4/projects/7/packages/nuget'...
warn : You are running the 'push' operation with an 'HTTP' source, 'http://gdk.test:3000/api/v4/projects/7/packages/nuget/'. Non-HTTPS access will be removed in a future version. Consider migrating to an 'HTTPS' source.
  PUT http://gdk.test:3000/api/v4/projects/7/packages/nuget/
  Created http://gdk.test:3000/api/v4/projects/7/packages/nuget/ 2189ms
Your package was pushed.
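The decision the backend makes in the validation steps above, as an added stand-alone example written for this page (it is not code from this MR or from GitLab): a protection rule carries a package type and a package name pattern, a push of a matching NuGet package is answered with 403 Forbidden, and any other push with 201 Created. Three things go beyond what the MR states and are assumptions of this example: the pattern may contain a `*` wildcard, names are compared case-insensitively because NuGet package IDs are case-insensitive (a rule for Contoso.08.28.22.001.Test that only matched the exact casing could be bypassed by pushing contoso.08.28.22.001.test), and protection for a package type is only enforced while that type's feature flag is enabled.

```ruby
# Added example for this page, not code from the GitLab MR: a self-contained
# model of the push-protection decision the MR describes. A rule carries a
# package type and a package name pattern; a push of a matching package is
# answered with 403 Forbidden, anything else with 201 Created.
#
# Assumptions that go beyond what the MR states:
#   * the pattern may contain '*' as a wildcard (anchored at both ends);
#   * names are compared case-insensitively, because NuGet package IDs are
#     case-insensitive (Contoso.Test and contoso.test are the same package);
#   * protection for a package type is enforced only while that type's
#     feature flag (here: packages_protected_packages_nuget) is enabled.

ProtectionRule = Struct.new(:package_type, :package_name_pattern, keyword_init: true) do
  # Turn the glob-like pattern into an anchored, case-insensitive regexp.
  # Every non-wildcard fragment is escaped, so the '.' in 'Contoso.Test' is a
  # literal dot and cannot match 'Contoso-Test'.
  def regexp
    fragments = package_name_pattern.split('*', -1).map { |f| Regexp.escape(f) }
    Regexp.new("\\A#{fragments.join('.*')}\\z", Regexp::IGNORECASE)
  end

  def matches?(type, name)
    package_type == type && regexp.match?(name)
  end
end

class PushProtection
  # enabled_types: package types whose protection feature flag is on
  # (hypothetical representation of the flag gate).
  def initialize(rules, enabled_types:)
    @rules = rules
    @enabled_types = enabled_types
  end

  # Returns [http_status, message], mirroring what the PUT endpoint answers.
  def check_push(package_type:, package_name:)
    # While the flag for this type is off, the push goes through as before.
    return [201, 'Created'] unless @enabled_types.include?(package_type)

    rule = @rules.find { |r| r.matches?(package_type, package_name) }
    return [201, 'Created'] if rule.nil?

    [403, "Forbidden: '#{package_name}' matches protection rule '#{rule.package_name_pattern}'"]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the rule from the validation steps above plus three pushes.
  rules = [ProtectionRule.new(package_type: 'nuget', package_name_pattern: 'Contoso.08.28.22.001.Test')]
  protection = PushProtection.new(rules, enabled_types: ['nuget'])
  %w[Contoso.08.28.22.001.Test contoso.08.28.22.001.test flight-nuget-unprotected-test].each do |name|
    status, message = protection.check_push(package_type: 'nuget', package_name: name)
    puts "#{name.ljust(32)} -> #{status} #{message}"
  end
end
```

The check is deliberately done on the package ID extracted server-side from the pushed .nupkg, not on the file name: the file name is chosen by the client and says nothing about what the package declares itself to be.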

Related to #323972
