Raise test upstream endpoints from `:read_virtual_registry` to `:update_virtual_registry`

What does this MR do and why?

The test upstream endpoints (GET/POST /upstreams/:id/test and POST /groups/:id/-/upstreams/test) were authorized via :read_virtual_registry. These endpoints trigger outbound HTTP requests from the GitLab instance — the POST variants additionally accept user-supplied url, username, and password parameters.

With !231294 (merged) introducing a read_virtual_registry custom role assignable to minimal-access members, the population of users who could trigger these outbound HTTP requests expanded significantly. Minimal-access is a much lower trust tier than the Guest+ membership that previously bounded :read_virtual_registry access.

This MR corrects the authorization on all test endpoints by raising the required ability from :read_virtual_registry to :update_virtual_registry (Maintainer+), which matches the operational intent of the test capability — it is a setup/debug tool, not a runtime package-resolution path.

Changes:

  • ee/lib/api/virtual_registries/packages/maven/upstreams.rb — raises authorization on GET /upstreams/:id/test, POST /upstreams/:id/test, and POST /groups/:id/-/upstreams/test to :update_virtual_registry. For the groups/:id namespace, an explicit authorize! is added inside the post :test block because the surrounding after_validation gate (:read_virtual_registry) is shared with the list endpoint and must remain unchanged.
  • ee/lib/api/virtual_registries/container/upstreams.rb — same changes for the container equivalents.
  • Specs updated to assert that developer/reporter/guest now receive 403 Forbidden on all test endpoints, and role-based table tests added for the groups/:id test endpoints which previously had none.

Read-oriented endpoints (list, show, cache reads) continue to use :read_virtual_registry and are unaffected.
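The change is easiest to see as an ability table. The Ruby below is an added illustration, not GitLab's code: the role ladder, the role-to-ability mapping and the group membership are constructed to mirror the MR text (Guest+ read, Maintainer+ update, a custom role able to grant `read_virtual_registry` to a minimal-access member), and `group_test_upstream` stands in for the `post :test` block with its shared `after_validation` gate plus the explicit `authorize!` the MR adds.

```ruby
# Added example, not GitLab's code: a small model of the ability check this MR
# changes. The role ladder and the "which role grants which ability" table are
# constructed to mirror the MR text.

Forbidden = Class.new(StandardError)

# Built-in role ladder, lowest trust first.
ROLE_RANK = {
  minimal_access: 5, guest: 10, reporter: 20,
  developer: 30, maintainer: 40, owner: 50
}.freeze

# Lowest built-in role that grants each ability (constructed).
ABILITY_MIN_ROLE = {
  read_virtual_registry: :guest,
  update_virtual_registry: :maintainer
}.freeze

Member = Struct.new(:name, :role, :custom_abilities, keyword_init: true)

# True when the built-in role grants the ability, or a custom role
# (as introduced by !231294) grants it to a lower role.
def allowed?(member, ability)
  min_role = ABILITY_MIN_ROLE.fetch(ability)
  return true if ROLE_RANK.fetch(member.role) >= ROLE_RANK.fetch(min_role)

  member.custom_abilities.include?(ability)
end

def authorize!(member, ability)
  raise Forbidden, "#{member.name} lacks #{ability}" unless allowed?(member, ability)
end

# Names of the members who may trigger the outbound HTTP request when the
# test endpoint is gated on +required_ability+.
def who_can_trigger(members, required_ability)
  members.select { |m| allowed?(m, required_ability) }.map(&:name)
end

# groups/:id namespace: a gate shared by list and test (left unchanged by
# the MR), plus the explicit per-endpoint check the MR adds inside post :test.
def group_namespace_gate(member)
  authorize!(member, :read_virtual_registry)
end

def group_list_upstreams(member)
  group_namespace_gate(member)
  :list_ok
end

def group_test_upstream(member, url:)
  group_namespace_gate(member)
  authorize!(member, :update_virtual_registry) # explicit check added by the MR
  { outbound_request: url }                    # stands in for the real HTTP call
end

# Constructed membership of one top-level group.
MEMBERS = [
  Member.new(name: 'maintainer', role: :maintainer, custom_abilities: []),
  Member.new(name: 'developer',  role: :developer,  custom_abilities: []),
  Member.new(name: 'guest',      role: :guest,      custom_abilities: []),
  Member.new(name: 'minimal-access+custom-role', role: :minimal_access,
             custom_abilities: [:read_virtual_registry]),
  Member.new(name: 'minimal-access', role: :minimal_access, custom_abilities: [])
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "before MR: #{who_can_trigger(MEMBERS, :read_virtual_registry).join(', ')}"
  puts "after MR:  #{who_can_trigger(MEMBERS, :update_virtual_registry).join(', ')}"
end
```

Run stand-alone it prints the two populations: gated on `read_virtual_registry` the outbound request is reachable by maintainer, developer, guest and the minimal-access member holding the custom role; gated on `update_virtual_registry` only the maintainer remains, while `group_list_upstreams` still answers for the guest because the shared gate is untouched.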

Closes #597211

How to set up and validate locally

Prerequisites (see Virtual Registry prerequisites):

  • GitLab EE instance with a valid license.
  • The virtual registry setting must be enabled (enabled by default; check under Admin > Settings > Packages and registries).
  • The dependency proxy setting must be enabled (enabled by default).
  • A top-level group (virtual registries are not available on subgroups).

```ruby
# Rails console setup
group = Group.all.detect(&:root?)

maintainer = FactoryBot.create(:user)
guest      = FactoryBot.create(:user)
group.add_maintainer(maintainer)
group.add_guest(guest)

registry  = FactoryBot.create(:virtual_registries_packages_maven_registry, group: group)
upstream  = FactoryBot.create(:virtual_registries_packages_maven_upstream, registries: [registry])

maintainer_pat = FactoryBot.create(:personal_access_token, user: maintainer)
guest_pat      = FactoryBot.create(:personal_access_token, user: guest)

puts "upstream id: #{upstream.id}"
puts "group id: #{group.id}"
```

As maintainer → expect 200 OK:

```shell
curl -H "PRIVATE-TOKEN: <maintainer_pat>" \
  "http://gdk.test:3000/api/v4/virtual_registries/packages/maven/upstreams/<upstream_id>/test"
```

As guest → expect 403 Forbidden:

```shell
curl -H "PRIVATE-TOKEN: <guest_pat>" \
  "http://gdk.test:3000/api/v4/virtual_registries/packages/maven/upstreams/<upstream_id>/test"
```

Repeat for POST /upstreams/:id/test and POST /groups/:id/-/virtual_registries/packages/maven/upstreams/test, and the container equivalents.
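The six endpoint/role combinations above are tedious to check by hand, so here is an added POSIX sh script (not part of the MR) that runs the whole matrix. It assumes the GDK at `http://gdk.test:3000` (override with `GITLAB_API`) and assumes the container group endpoint mirrors the maven path as `/groups/:id/-/virtual_registries/container/upstreams/test`; the maintainer check only asserts that the authorization gate passes (no 401/403), because a POST without the parameters the endpoint validates can legitimately return 400 for any role.

```shell
#!/bin/sh
# Added example, not part of the MR: run the role x endpoint matrix from the
# validation steps and compare each observed status code with the expectation.
# Assumptions: GDK at http://gdk.test:3000 (override with GITLAB_API) and a
# container group test path mirroring the maven one.

API="${GITLAB_API:-http://gdk.test:3000/api/v4}"

# http_status TOKEN METHOD URL [curl args...]: prints only the HTTP status code.
# Extra arguments (e.g. -d url=...) are handed to curl so a POST can carry the
# parameters the endpoint validates before its authorization check runs.
http_status() {
  _token=$1; _method=$2; _url=$3; shift 3
  curl -s -o /dev/null -w '%{http_code}' -X "$_method" \
    -H "PRIVATE-TOKEN: $_token" "$@" "$_url"
}

# check_access TOKEN METHOD URL EXPECTED [curl args...]: reports PASS/FAIL on
# stderr and returns 0 only when the observed status equals EXPECTED.
check_access() {
  _token=$1; _method=$2; _url=$3; _expected=$4; shift 4
  _actual=$(http_status "$_token" "$_method" "$_url" "$@")
  if [ "$_actual" = "$_expected" ]; then
    printf 'PASS %s %s -> %s\n' "$_method" "$_url" "$_actual" >&2
    return 0
  fi
  printf 'FAIL %s %s expected %s got %s\n' "$_method" "$_url" "$_expected" "$_actual" >&2
  return 1
}

# run_matrix MAINTAINER_PAT GUEST_PAT UPSTREAM_ID GROUP_ID: exercises all six
# test endpoints for both roles and prints the number of mismatches.
run_matrix() {
  _maint=$1; _guest=$2; _upstream=$3; _group=$4
  _failures=0
  for _reg in packages/maven container; do
    for _target in \
      "GET $API/virtual_registries/$_reg/upstreams/$_upstream/test" \
      "POST $API/virtual_registries/$_reg/upstreams/$_upstream/test" \
      "POST $API/groups/$_group/-/virtual_registries/$_reg/upstreams/test"
    do
      _method=${_target%% *}
      _url=${_target#* }
      # Maintainer: the authorization gate must pass, i.e. anything but 401/403.
      _status=$(http_status "$_maint" "$_method" "$_url")
      case $_status in
        401|403)
          printf 'FAIL maintainer %s %s got %s\n' "$_method" "$_url" "$_status" >&2
          _failures=$((_failures + 1)) ;;
        *)
          printf 'PASS maintainer %s %s -> %s\n' "$_method" "$_url" "$_status" >&2 ;;
      esac
      # Guest: must be rejected with 403 once this MR is applied.
      check_access "$_guest" "$_method" "$_url" 403 || _failures=$((_failures + 1))
    done
  done
  echo "$_failures"
}

# Usage: sh matrix.sh "$MAINTAINER_PAT" "$GUEST_PAT" <upstream_id> <group_id>
[ "$#" -eq 4 ] && run_matrix "$@"
```

A printed `0` means every guest request was refused and no maintainer request was stopped at the gate; before this MR the guest rows for all six endpoints would show up as mismatches.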

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Moaz Khalifa
