Implement npm group level endpoints: CRUD tags and security audit
Context
In !119073 (merged) we added support for the package metadata endpoint on the group level.
Now it's time to add the rest.
What does this MR do and why?
This MR makes the following endpoints available on the group-level:
Dist-Tags
- List tags (GET /api/v4/groups/:id/-/packages/npm/-/package/:package_name/dist-tags) (docs)
- Create or update a tag (PUT /api/v4/groups/:id/-/packages/npm/-/package/:package_name/dist-tags/:tag) (docs)
- Delete a tag (DELETE /api/v4/groups/:id/-/packages/npm/-/package/:package_name/dist-tags/:tag) (docs)
Audit endpoints
- POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/advisories/bulk
- POST /api/v4/groups/:id/-/packages/npm/-/npm/v1/security/audits/quick
Screenshots or screen recordings
No.
How to set up and validate locally
1. Create a new npm package that will be installed using the group-level endpoint. In a rails console run:

```ruby
def fixture_file_upload(*args, **kwargs)
  Rack::Test::UploadedFile.new(*args, **kwargs)
end

project = Project.first
package = FactoryBot.create(:npm_package, project: project, name: "@#{project.namespace.path}/hello_world", version: '1.0.0')

project.namespace_id   # note it down, we'll be using it later as <group_id>
project.namespace.path # note it down, we'll be using it later as scope

# enable the feature flag for the selected namespace only
Feature.enable(:npm_group_level_endpoints, Namespace.find(project.namespace_id))
```

2. Create an empty npm package where we will test all endpoints:

```shell
$ mkdir npm-test-group-level && cd $_
$ echo nodejs 18.16.0 > .tool-versions
$ npm init
```

3. Create an `.npmrc` file in the same directory pointing at the group-level endpoint:

```shell
$ echo @scope:registry=http://gdk.test:3000/api/v4/groups/<group_id>/-/packages/npm/ >> .npmrc
$ echo '//gdk.test:3000/api/v4/groups/<group_id>/-/packages/npm/:_authToken="${TOKEN}"' >> .npmrc
```

Note: Replace `scope` with `namespace.path` and `<group_id>` with `namespace_id` from step 1. The `_authToken` line must use the same host and path as the registry line, otherwise npm does not attach the token to group-level requests. The second `echo` argument is single-quoted on purpose so that `${TOKEN}` is written literally: npm expands it from the environment when it runs, and the token is never written to disk.

4. Install the package:

```shell
$ TOKEN=<your_token> npm i @scope/hello_world
```

Note: Replace `<your_token>` with a valid token and `scope` with `namespace.path` from step 1; the same applies to the remaining steps.

5. Create a new tag:

```shell
$ TOKEN=<your_token> npm dist-tag add @scope/hello_world@1.0.0 my-tag
```

6. List existing tags; `my-tag` should point at `1.0.0`:

```shell
$ TOKEN=<your_token> npm dist-tag ls @scope/hello_world
```

7. Delete the tag, then list the tags again to confirm `my-tag` is gone:

```shell
$ TOKEN=<your_token> npm dist-tag rm @scope/hello_world@1.0.0 my-tag
$ TOKEN=<your_token> npm dist-tag ls @scope/hello_world
```

8. Run audit using the GitLab npm Registry and check the report. `npm audit` does not use the scoped registry from `.npmrc`, so the group-level registry has to be passed explicitly:

```shell
$ TOKEN=<your_token> npm audit --registry http://gdk.test:3000/api/v4/groups/<group_id>/-/packages/npm/
```

Note: Replace `<your_token>` with a valid token and `<group_id>` with `namespace_id` from step 1.
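The validation steps above, scripted as an added example (this is not code from this MR or from GitLab). It assumes the host `gdk.test:3000`, the environment variables `SCOPE` (= `namespace.path`), `GROUP_ID` (= `namespace_id`) and `TOKEN`, uses `npm init -y` in place of the interactive `npm init`, and only touches the server when `RUN_LIVE=1`; the `.npmrc` helpers can be exercised without one. The `check_npmrc` function catches the failure mode the note in step 3 warns about: an `_authToken` line whose path does not match any declared registry, which makes npm send the request without credentials.

```shell
#!/bin/sh
# Added example, not code from this MR: scripts the validation steps above.
# Assumed names: host gdk.test:3000, SCOPE (= namespace.path), GROUP_ID
# (= namespace_id) and TOKEN from the environment. Nothing talks to the
# server unless RUN_LIVE=1; the helpers can be checked without one.

# Group-level npm registry URL for a namespace id.
group_registry_url() {
  # $1 = host:port, $2 = group id
  printf 'http://%s/api/v4/groups/%s/-/packages/npm/\n' "$1" "$2"
}

# Emit the two .npmrc lines for a group-level registry. The auth line must
# use the same host and path as the registry line (minus the scheme), or npm
# sends no token. "${TOKEN}" is written literally: npm expands it from the
# environment when it runs, so the secret never lands on disk.
npmrc_for_group() {
  # $1 = scope without '@' (namespace.path), $2 = host:port, $3 = group id
  url=$(group_registry_url "$2" "$3")
  printf '@%s:registry=%s\n' "$1" "$url"
  printf '%s:_authToken="${TOKEN}"\n' "${url#http:}"
}

# Return 0 if every _authToken line in an .npmrc matches a registry declared
# in the same file, 1 otherwise (catches a mistyped group id on one line,
# which would silently send an unauthenticated request).
check_npmrc() {
  # $1 = path to .npmrc
  fail=0
  while IFS= read -r line; do
    case "$line" in
      *:_authToken=*)
        prefix=${line%%:_authToken=*}
        grep -qF -- ":${prefix}" "$1" || fail=1 ;;
    esac
  done < "$1"
  return "$fail"
}

# Steps 2-8 of the procedure against a live GDK. Fails on the first step
# whose result does not match what the MR promises.
run_validation() {
  # $1 = scope, $2 = host:port, $3 = group id; TOKEN must be exported
  pkg="@$1/hello_world"
  registry=$(group_registry_url "$2" "$3")
  ( mkdir -p npm-test-group-level && cd npm-test-group-level &&
    { [ -f package.json ] || npm init -y >/dev/null; } &&
    npmrc_for_group "$1" "$2" "$3" > .npmrc &&
    check_npmrc .npmrc &&
    npm install "$pkg" &&
    npm dist-tag add "$pkg@1.0.0" my-tag &&
    npm dist-tag ls "$pkg" | grep -q '^my-tag: 1.0.0$' &&
    npm dist-tag rm "$pkg@1.0.0" my-tag &&
    ! npm dist-tag ls "$pkg" | grep -q '^my-tag:' &&
    npm audit --registry "$registry" )
}

if [ "${RUN_LIVE:-0}" = 1 ]; then
  run_validation "${SCOPE:?set SCOPE to namespace.path}" \
                 "${HOST:-gdk.test:3000}" \
                 "${GROUP_ID:?set GROUP_ID to namespace_id}"
fi
```

Run it as `RUN_LIVE=1 SCOPE=<namespace.path> GROUP_ID=<namespace_id> TOKEN=<your_token> sh validate.sh`; the feature flag from step 1 still has to be enabled for the namespace first, and `npm audit` exits non-zero when the report lists vulnerabilities, which is the expected outcome when the registry has advisories for the installed package.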
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #299834 (closed)