
Rubygems dependencies endpoint

Steve Abrams requested to merge 299282-rubygems-dependency-endpoint into master

🔍 What does this MR do?

This is part of the effort to allow GitLab to be a gem registry for RubyGems. When working with the RubyGems package manager, users can upload their gems to the GitLab package registry. In order to install gems from the GitLab package registry, we need to be able to process requests to:

GET /api/v4/projects/<project_id>/packages/rubygems/gems/api/v1/dependencies?gems=<comma separated gem names>

This is the dependencies endpoint that the RubyGems client uses when installing a gem (gem install rails or bundle install). It takes a list of comma separated gem names, and returns an array of the dependencies for each version of the specified gems (the returned data is Marshaled and not directly readable).

In this MR, we take the list of incoming gem names and search all RubyGems packages within the requested project for a gem with each name. Then we iterate through each version of the gem and map all of its dependencies to the hash structure defined in the rubygems API (scroll to the very bottom of the page). The endpoint responds with a Marshal dump of the array of dependency hash structures.
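The mapping described above, as an added example that is not code from this MR or from GitLab: the query value is parsed into gem names, every version of each matching package becomes one hash in the RubyGems dependency structure (name, number, platform, dependencies as name/requirement pairs), and the array is Marshal dumped. The package data is a constructed in-memory stand-in for the project's package records, and the function names are this example's own.

```ruby
# Added example (not GitLab's code): builds the RubyGems dependency API
# payload from an in-memory package model.

# Constructed sample data standing in for a project's RubyGems packages.
# Each entry: gem name => { version => [[dep_name, requirement], ...] }
SAMPLE_PACKAGES = {
  'package' => {
    '0.0.1' => [],
    '0.0.2' => [['dependency_1', '~> 1.2.3'], ['dependency_4', '>= 0']],
  },
  'package2' => {
    '0.0.2' => [['dependency_2', '= 3.0.0']],
  },
}.freeze

# Parse the ?gems= query value: comma separated names, blanks dropped,
# duplicates removed so a repeated name does not duplicate entries.
def parse_gem_names(param)
  return [] if param.nil?

  param.split(',').map(&:strip).reject(&:empty?).uniq
end

# Map one gem version to the hash structure the RubyGems client expects.
def dependency_entry(name, number, deps, platform: 'ruby')
  { name: name, number: number, platform: platform, dependencies: deps }
end

# Build the full array for the requested names. Names with no matching
# package in this project contribute nothing to the response.
def dependencies_for(param, packages = SAMPLE_PACKAGES)
  parse_gem_names(param).flat_map do |gem_name|
    versions = packages[gem_name] || {}
    versions.map { |number, deps| dependency_entry(gem_name, number, deps) }
  end
end

# The endpoint responds with a Marshal dump of that array.
def marshaled_dependencies(param, packages = SAMPLE_PACKAGES)
  Marshal.dump(dependencies_for(param, packages))
end

if $PROGRAM_NAME == __FILE__
  body = marshaled_dependencies('package,package2')
  # Marshal.load reconstructs arbitrary Ruby objects, so this script only
  # ever loads bytes it produced itself.
  pp Marshal.load(body)
end
```

Running the file prints the same shape of array the screenshot above shows; the usage at the bottom only ever Marshal loads the dump the script itself produced, because Marshal.load rebuilds arbitrary Ruby objects from its input.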

Note this API is behind a feature flag, so we do not include documentation or a changelog at this time.

🚫 What this MR does not do

Implementing this endpoint is only one part of what happens when a user uses gem install my_gem or bundle install to install a gem. Other requests are also made, which will be handled in separate MRs.

📸 Screenshots (strongly suggested)

→ ruby -ropen-uri -rpp -e 'pp Marshal.load(open("http://gdk.test:3001/api/v4/projects/59/packages/rubygems/api/v1/dependencies?gems=package,package2"))'
-e:1: warning: calling URI.open via Kernel#open is deprecated, call URI.open directly or use URI#open
[{:name=>"package", :number=>"0.0.1", :platform=>"ruby", :dependencies=>[]},
 {:name=>"package",
  :number=>"0.0.3",
  :platform=>"ruby",
  :dependencies=>
   [["dependency_1", "~> 1.2.3"],
    ["dependency_2", "= 3.0.0"],
    ["dependency_3", ">= 1.0.0"],
    ["dependency_4", ">= 0"]]},
 {:name=>"package",
  :number=>"0.0.2",
  :platform=>"ruby",
  :dependencies=>
   [["dependency_1", "~> 1.2.3"],
    ["dependency_2", "= 3.0.0"],
    ["dependency_3", ">= 1.0.0"],
    ["dependency_4", ">= 0"]]},
 {:name=>"package2",
  :number=>"0.0.2",
  :platform=>"ruby",
  :dependencies=>
    [["dependency_2", "= 3.0.0"],
    ["dependency_4", ">= 0"]]}]

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related to #299282 (closed)

Edited by Steve Abrams
