Refactor NPM requests specs for shared endpoints
This MR was extracted from !53491 (merged) changes.
Related issue: #33685 (closed)
🎱 Context
The ~"NPM Registry" API can be accessed at two levels:
- Instance
- Project
A number of API endpoints are present in both levels. As such, they're centralized in a single file.
Likewise, the requests specs for those endpoints are centralized with shared examples.
While working on !53491 (merged) that aims to remove the naming convention at the project level, I noticed the following:
- The current shared examples don't really go through all the possible conditions. For example, for the metadata endpoint, we have these variables to play with:
- Project visibility: public, private, internal
- User role on the project: anonymous, guest, reporter, maintainer
- Request forward enabled or not
- Package name style: following the naming convention or not.
- This is not a huge factor in this MR but we will play with this a lot on !53491 (merged)
- The specs don't authenticate the user in the same way as
$ npm
would do.- They use a request paremeter whereas
$ npm
uses theBearer
http Authorization header. - This can lead to issues when we will move to the new authentication logic we're working on for package managers API.
- This logic will reject any authentication method that has not been explicitly allowed on the API and request parameters will not be allowed
😺
- This logic will reject any authentication method that has not been explicitly allowed on the API and request parameters will not be allowed
- They use a request paremeter whereas
Given that the ~"NPM Registry" is one of the most used package registry among all types, I think it would be better to go through as many conditions as possible. This way, when working on deep changes such as !53491 (merged), a
🤔 What does this MR do?
Refactor the shared examples for the npm request specs:
- Use table based specs to better describe the different conditions.
- Take into account the exceptional cases that can happen when we are at the
instance
level.- Here is an example: a guest user asking a non existing package on private project:
- At the
project
level, the response will beforbidden
because we located the project but the user can't read the packages (he needs to be at least reporter). - At the
instance
level, there is no way to locate the project = we end up replyingnot found
.
- At the
- Here is an example: a guest user asking a non existing package on private project:
- Take into account the exceptional cases that can happen when we are at the
- Send the
Authorization: Bearer X
header for authenticate the request - Move the shared example for package tags to a dedicated file for npm.
- No feature change in this MR
- Thus, this MR doesn't need a changelog entry
- or a documentation change
🖥 Screenshots (strongly suggested)
🔍 Before the MR
$ bundle exec spring rspec /Users/david/projects/gitlab-development-kit/gitlab/spec/requests/api/npm_instance_packages_spec.rb /Users/david/projects/gitlab-development-kit/gitlab/spec/requests/api/npm_project_packages_spec.rb
# [snip..snip]
Finished in 1 minute 43.68 seconds (files took 4.47 seconds to load)
262 examples, 0 failures
📈 With this MR
$ bundle exec spring rspec /Users/david/projects/gitlab-development-kit/gitlab/spec/requests/api/npm_instance_packages_spec.rb /Users/david/projects/gitlab-development-kit/gitlab/spec/requests/api/npm_project_packages_spec.rb
# [snip..snip]
Finished in 4 minutes 7.1 seconds (files took 5.28 seconds to load)
712 examples, 0 failures
🚓 Does this MR meet the acceptance criteria?
⚙ Conformity
- [-] Changelog entry
- [-] Documentation (if required)
-
Code review guidelines -
Merge request performance guidelines -
Style guides - [-] Database guides
-
Separation of EE specific content
🔩 Availability and Testing
- [-] Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
🔒 Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention
@gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team