NuGet - API Skeleton
requested to merge 36496-nuget-api-skeleton-the-service-index-authentication-feature-flag into master
What does this MR do?
This MR lays the grounds for adding NuGet Packages support to GitLab.
This API is meant to be used by the following tools: nuget and Visual Studio.
See the epic: &2271 (closed)
See the related issue for this MR: #36496 (closed) and #20050 (closed)
This MR adds the following:
- The API class for NuGet packages
- The NuGet Packages are accessed at the project level (no group level, no instance level).
- Handles the http basic auth
- Implements the service index for a NuGet Feed. A basic json document that describes the available services. See https://docs.microsoft.com/en-us/nuget/api/service-index
- Other services (see #36496 (closed)) will be implemented in future MRs.
- Several TODOS for the NuGet support to be implemented by future MRs.
- As this NuGet Packages support implementation will be spread over several MRs, this MR adds a project based feature flag.
- Being behind a feature flag, changelog entry and documentation are not included in this MR.
Notes on the authentication:
-
nugetand Visual Studio uses http basic auth exclusively. - When adding a feed (public or private), Visual Studio will try to access the service index url without any credentials.
- If the feed is private (= non public project), the request should be properly rejected:
- Respond with 401 Unauthorized
- Set the
Www-Authenticate: Basic realmheader in the response
- If Visual Studio receives the above response, it will retry to access the service index with the http basic auth credentials set.
Screenshots
Adding a NuGet Feed from the nuget CLI:
Public project
$ nuget sources Add -Name "Public Feed" -Source "https://sgitlab.local/api/v4/projects/11/packages/nuget" -UserName admin@example.com -Password Kafcw6cLUy8pTysR4yVB
Package source with Name: Public Feed added successfully.Private project
$ nuget sources Add -Name "Private Feed" -Source "https://sgitlab.local/api/v4/projects/10/packages/nuget" -UserName admin@example.com -Password Kafcw6cLUy8pTysR4yVB
Package source with Name: Private Feed added successfully.Adding a NuGet Feed from Visual Studio Code:
Public project
Private project
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec -
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Edited by Tim Rizzi