Add setting for duplicate generic packages
🔬 : What does this MR do?
Users can upload files to the package registry using the generic package API.
This MR adds two namespace-level settings that allow users to control whether or not the registry should accept or reject duplicate package uploads (same file being uploaded to the same package, meaning package with same name and version).
The settings are:
- generic_duplicates_allowed - true means we allow duplicates, false means we reject duplicates
- generic_duplicate_exception_regex - When generic_duplicates_allowed is set to false, packages with names that match this regex will allow duplicates.
These settings match the same settings added previously for Maven packages.
This MR does not update the frontend to add these settings to the UI, so I have not updated the Generic package documentation here.
🐘 Database
Migrations up:
== 20210429192653 AddGenericPackageDuplicateSettingsToNamespacePackageSettings: migrating
-- add_column(:namespace_package_settings, :generic_duplicates_allowed, :boolean, {:null=>false, :default=>true})
-> 0.0075s
-- add_column(:namespace_package_settings, :generic_duplicate_exception_regex, :text, {:null=>false, :default=>""})
-> 0.0022s
== 20210429192653 AddGenericPackageDuplicateSettingsToNamespacePackageSettings: migrated (0.0100s)
== 20210429193106 AddTextLimitToNamespacePackageSettingsGenericDuplicateExceptionRegex: migrating
-- transaction_open?()
-> 0.0000s
-- current_schema()
-> 0.0010s
-- execute("ALTER TABLE namespace_package_settings\nADD CONSTRAINT check_31340211b1\nCHECK ( char_length(generic_duplicate_exception_regex) <= 255 )\nNOT VALID;\n")
-> 0.0035s
-- current_schema()
-> 0.0006s
-- execute("SET statement_timeout TO 0")
-> 0.0012s
-- execute("ALTER TABLE namespace_package_settings VALIDATE CONSTRAINT check_31340211b1;")
-> 0.0040s
-- execute("RESET ALL")
-> 0.0015s
== 20210429193106 AddTextLimitToNamespacePackageSettingsGenericDuplicateExceptionRegex: migrated (0.0348s)
Migrations down:
== 20210429193106 AddTextLimitToNamespacePackageSettingsGenericDuplicateExceptionRegex: reverting
-- execute("ALTER TABLE namespace_package_settings\nDROP CONSTRAINT IF EXISTS check_b8eedf314d\n")
-> 0.0015s
== 20210429193106 AddTextLimitToNamespacePackageSettingsGenericDuplicateExceptionRegex: reverted (0.0098s)
== 20210429192653 AddGenericPackageDuplicateSettingsToNamespacePackageSettings: reverting
-- remove_column(:namespace_package_settings, :generic_duplicate_exception_regex, :text, {:null=>false, :default=>""})
-> 0.0039s
-- remove_column(:namespace_package_settings, :generic_duplicates_allowed, :boolean, {:null=>false, :default=>true})
-> 0.0011s
== 20210429192653 AddGenericPackageDuplicateSettingsToNamespacePackageSettings: reverted (0.0088s)
📸 Screenshots (strongly suggested)
The following requests were made in order, changing the settings before each set of requests as noted in the summary descriptions:
Uploads with generic_duplicates_allowed: true
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/my_package/0.0.1/foo.png"
{"message":"201 Created"}
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/my_package/0.0.1/foo.png"
{"message":"201 Created"}
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/my_package/0.0.1/bar.png"
{"message":"201 Created"}
Uploads with generic_duplicates_allowed: false and generic_duplicate_exception_regex: ""
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/my_package/0.0.1/foo.png"
{"message":"400 Bad request - Duplicate package is not allowed"}
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/my_package/0.0.1/baz.png"
{"message":"201 Created"}
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/your_package/0.0.1/foo.png"
{"message":"201 Created"}
Uploads with generic_duplicates_allowed: false and generic_duplicate_exception_regex: "my_.*"
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/my_package/0.0.1/foo.png"
{"message":"201 Created"}
$ curl --header "PRIVATE-TOKEN: $TOKEN" --upload-file /Users/steveabrams/workspace/foo.png "http://gdk.test:3001/api/v4/projects/82/packages/generic/my_package/0.0.1/bar.png"
{"message":"400 Bad request - Duplicate package is not allowed"}
☑ Does this MR meet the acceptance criteria?
Conformity
- 📋 Does this MR need a changelog?
- I have included a changelog entry.
- [-] I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- [-] Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team
Related to #293755 (closed)
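The decision the two settings describe, sketched as an added example; this is not code from the MR or from GitLab. Settings, GenericRegistry and exception_match? are hypothetical names, and the whole-name anchoring, the in-memory store and the fail-closed handling of a bad pattern are assumptions of this sketch.

```ruby
require 'set'

MAX_REGEX_LENGTH = 255 # mirrors the char_length(...) <= 255 check constraint

# Constructed stand-in for one row of namespace_package_settings.
Settings = Struct.new(:generic_duplicates_allowed, :generic_duplicate_exception_regex)

# True when the package name is exempt from duplicate rejection.
# Assumption: the pattern must match the whole name, so it is anchored here;
# an unanchored "my_" would otherwise also exempt "not_my_package".
def exception_match?(pattern, package_name)
  return false if pattern.nil? || pattern.empty? # "" means no exceptions
  return false if pattern.length > MAX_REGEX_LENGTH

  Regexp.new("\\A(?:#{pattern})\\z").match?(package_name)
rescue RegexpError
  false # an invalid pattern exempts nothing (fail closed)
end

# Minimal in-memory registry keyed by (package name, version, file name).
class GenericRegistry
  def initialize(settings)
    @settings = settings
    @files = Set.new
  end

  # Returns the HTTP status the upload would receive: 201 or 400.
  def upload(name, version, file_name)
    key = [name, version, file_name]
    if @files.include?(key) && !duplicate_allowed?(name)
      return 400 # "Duplicate package is not allowed"
    end

    @files << key
    201
  end

  private

  def duplicate_allowed?(name)
    @settings.generic_duplicates_allowed ||
      exception_match?(@settings.generic_duplicate_exception_regex, name)
  end
end
```

Ruby's built-in Regexp is a backtracking engine, so a pattern supplied by a namespace owner would normally be evaluated with a linear-time engine or under a timeout; the 255-character cap alone does not bound matching time.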