Adapt Conan API to consider the package registry access level
What does this MR do and why?
This MR is a step of #329253 (closed) (see implementation plan):
- In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the
package_registry_access_level
feature flag. - In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the
read_package_policy_rule
feature flag and cleaned up in !96767 (merged).
Now, we need to modify the APIs of all package types to the changes: This MR adapts the Conan API.
Why do we need to modify the API if considering the new setting has already been implemented in the policies?
Currently, it checks in a first step if there's access to the project (:read_project
permission). If not, the request is aborted prematurely. The :read_package
permission is checked only in a second step.
But with the new project settings, it's possible that there's NO access to the project itself (:read_project
permission), but there's access to the package registry (:read_package
permission).
So we must not check for the :read_project
permission first.
/cc @bufferoverflow
How to set up and validate locally
-
Enable the feature flag:
Feature.enable(:read_package_policy_rule)
-
Try to use the Conan API (
GET
requests) of a private project as anonymous (see docs):➡ 404 Project Not Found
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/digest
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/digest
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/download_urls
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/download_urls
GET /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name
GET /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name
-
Change the
package_registry_access_level
of the private project to allow access for everyone:project = Project.find(2) project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)
-
Try to use the Conan API (
GET
requests) of a private project as anonymous (see docs):➡ 200 OK
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/digest
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/digest
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/download_urls
GET /projects/:id/packages/conan/v1/conans/:package_name/:package_version/:package_username/:package_channel/packages/:conan_package_reference/download_urls
GET /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/export/:file_name
GET /projects/:id/packages/conan/v1/files/:package_name/:package_version/:package_username/:package_channel/:recipe_revision/package/:conan_package_reference/:package_revision/:file_name
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.