RubyGems create package service and upload routes
🌲 Context
We are in the process of adding support for RubyGems packages (gems) to the package registry. So far, we have added the underlying models, initial API structure, and authentication needed to work with the RubyGems client. This MR adds the API endpoints that actually upload the gem and their supporting services.
🔍 What does this MR do?
- Adds behavior to two endpoints:
-
POST /api/v4/projects/:project_id/packages/rubygems/api/v1/gems/authorize
- Workhorse handles the file upload, so this route is a request workhorse makes after intercepting the main upload request. It asks for authorization to make the upload.
-
POST /api/v4/projects/:project_id/packages/rubygems/api/v1/gems
- This is the actual upload route (the one that workhorse intercepted). After workhorse has been authorized by the first route, it will upload the file, and then make a request to this route, but instead of including the uploaded file, it will include a set of metadata concerning the file (file name, location, size, hash). This data is used to create the database record associated with the file.
-
- Adds a package creation service for RubyGems
- When a
.gem
file is uploaded usinggem push
, it does not actually include the real filename or any information about the file (including gem name and version). That information needs to be extracted from the.gem
file after the upload. This MR does not include that metadata extraction. Here we create the package and package file records using placeholder names. We also consider the newly created package at this point to be "processing", so it is not viewable in the UI yet.
- When a
- Adds the scaffolding for pulling, pushing, and listing package events, and adds the push event to the API.
Notes
- This API is behind a feature flag
📸 Screenshots (strongly suggested)
→ gem push package-0.0.1.gem --host http://gdk.test:3001/api/v4/projects/59/packages/rubygems
Pushing gem to http://gdk.test:3001/api/v4/projects/59/packages/rubygems...
{"message":"201 Created"}
☑ Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry (behind a feature flag)
- [-] Documentation (if required)
-
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides - [-] Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. - [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention
@gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Related to #299263 (closed)
Edited by Steve Abrams