Skip to content

Protected packages: Add basic model and migrations for protecting packages

Context

  • In &5574 (comment 1425176209), we already discussed the scope and implementation details for the initial version of the package protection feature
  • This issue wants to cover the first steps of the proposed implementation plan involving:
    • Introducing FF <= initially, we saw the need to introduce the feature flag as part of this issue. During the MR review, we noticed that this was not necessary.
    • Adding the basics for protecting packages, see #416382

🛠 with at Siemens

Proposal

  • We want to implement this feature with backward compatility in mind => this means that we do not want to migrate any existing data
  • We want to maintain the current permissions for interacting with the package registry => therefore, the model Packages::PackageProtectionRule is an additional permission => hence, we do not need to migrate the existing data model
  • When a package-specific Packages::PackageProtectionRule exists then this policy is enforced,
  • When no package-specific Packages::PackageProtectionRule exists then the default package permissions are applied => this ensures backward compatibility
  • The field push_protected_up_to_access_level represents the (mininum) user access level for which the package is protected, i.e. the package is protected from any user access level less than or equal to this field
  • The field package_name_pattern should be unique per project_id and package_type 
classDiagram
  class `Packages::PackageProtectionRule` {
    id bigint,
    package_name_pattern string // wildcard style similar to protected branches
    package_type smallint // for now, we can use a fixed value
    push_protected_up_to_access_level Gitlab::Access // describing the min 
    project_id bigint
  }
  `Packages::PackageProtectionRule` --> `Project`
  `Project` --> `Group (Namespace)`

Here is an example for the

project_id package_name_pattern push_protected_up_to_access_level Meaning
7 "@flightjs/test-npm-package" 0 (= Gitlab::Access::NO_ACCESS) New package named equal to @flightjs/test-npm-package will be protected from all user roles pushed by any user. Not even Gitlab::Access::OWNER.
7 "@flightjs/test-npm-package-2" 40 (= Gitlab::Access::MAINTAINER) New package named equal to @flightjs/test-npm-package2 will be protected from user role MAINTAINER or lower. OWNER would be able to push a new package.
7 "@flightjs/test-npm-package-*" 20 (= Gitlab::Access::DEVELOPER) New packages starting with @flightjs/test-npm-package- will be proteced from user role DEVELOPER or lower. MAINTAINER or OWNER will be able to push a new package.

Checklist

  • Add data model
  • Add database migration
  • Add tests for data model
Edited by Gerardo Navarro