Adapt Helm API to consider the package registry access level
What does this MR do and why?
This MR is a step of #329253 (closed) (see implementation plan):
- In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the
package_registry_access_level
feature flag. - In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the
read_package_policy_rule
feature flag and cleaned up in !96767 (merged).
Now, we need to modify the APIs of all package types to the changes: This MR adapts the Helm API.
Why do we need to modify the API if considering the new setting has already been implemented in the policies?
Currently, it checks in a first step if there's access to the project (:read_project
permission). If not, the request is aborted prematurely. The :read_package
permission is checked only in a second step.
But with the new project settings, it's possible that there's NO access to the project itself (:read_project
permission), but there's access to the package registry (:read_package
permission).
So we must not check for the :read_project
permission first.
/cc @bufferoverflow
How to set up and validate locally
-
Enable the feature flag:
Feature.enable(:package_registry_access_level)
-
Try to download a chart index or a chart of a private project as anonymous (see docs):
➡ 401 Unauthorized
GET projects/:id/packages/helm/:channel/index.yaml
GET projects/:id/packages/helm/:channel/charts/:file_name.tgz
-
Change the
package_registry_access_level
of the private project to allow access for everyone:project = Project.find(2) project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)
-
Try to download a chart index or a chart of a private project as anonymous (see docs):
➡ 200 OK
GET projects/:id/packages/helm/:channel/index.yaml
GET projects/:id/packages/helm/:channel/charts/:file_name.tgz
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.