Allow any GitLab user to search for nuget packages in public registries
Context
In GitLab package registry, there's a project-level setting that can allow anyone to pull from the package registry, regardless of project visibility.
That works fine for the project-level endpoints. However, it's not supported for the group-level endpoints.
In Allow anyone to pull public NuGet packages on g... (!155119 - merged), we started to add the support for this setting on the group-level endpoints. We chose NuGet Repository to start with.
In NuGet Repository, we have three group-level endpoints that we need to support the setting in:
- Metadata Service ➡ Done in !155119 (merged)
- Version Metadata Service ➡ Done in !155119 (merged)
- Search Service ➡ Done in this MR
What does this MR do?
- Modify Packages::Nuget::SearchService & Packages::FinderHelper so that they use the correct database query to fetch packages in public registries.
- Add related specs.
- Some cleanup.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Make sure you have a private project in a private group to use it as the package registry.
- Open rails console:

      # Enable the ~"feature flag"
      Feature.enable(:allow_anyone_to_pull_public_nuget_packages_on_group_level)

      # Enable `package_registry_allow_anyone_to_pull_option` application setting
      ApplicationSetting.last.update(package_registry_allow_anyone_to_pull_option: true)

      # Enable Allow anyone to pull from Package Registry in the private project from step 1
      Project.find(<id>).project_feature.update(package_registry_access_level: ::ProjectFeature::PUBLIC)

      # Create an external user that we are sure doesn't have access to the group or project
      user = FactoryBot.create(:user, :external)

      # Keep the username of the user, we will use it later
      user.username

      # Create PAT for the external user, we will use it later
      pat = FactoryBot.create(:personal_access_token, user: user).token

      # Stub file upload
      def fixture_file_upload(*args, **kwargs)
        Rack::Test::UploadedFile.new(*args, **kwargs)
      end

      # Create a nuget package in the private project from step 1
      package = FactoryBot.create(:nuget_package, project_id: <private_project_id>)

      # Keep the package name, we will use it later
      package.name

- Add the private group as your nuget source feed:

      nuget sources add -name private-group -source http://gdk.test:3000/api/v4/groups/<group_id>/-/packages/nuget/index.json -username <external_user_username> -password <PAT> -StorePasswordInClearText

- We can now try searching for the package using NuGet CLI (make sure you have nuget installed):

      nuget search -Source private-group

  We should see the package name we created previously appear as a result.
- On master, if we try to search for packages in the private group/project, a 404 (Not Found) response is returned.
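
The access rule these steps exercise, as an added Ruby model (not GitLab's code and not part of this MR). DemoProject, DemoGates, searchable_projects and group_search are hypothetical names, the data is constructed, and returning 404 when nothing in the group is visible is a simplifying assumption. It shows that a second private project in the same group that has not opted in must stay hidden from the external user.

```ruby
# Added illustration: an in-memory model, not GitLab's implementation.
# Every name below is hypothetical; the sample data is constructed.
require 'set'

DemoProject = Struct.new(:id, :group_id, :registry_public, :member_ids, :packages,
                         keyword_init: true)

# The two instance-wide gates from the validation steps: feature flag and application setting.
DemoGates = Struct.new(:feature_flag, :application_setting, keyword_init: true) do
  def public_registries_enabled?
    feature_flag && application_setting
  end
end

# Projects in the group whose packages this user may search.
def searchable_projects(projects, group_id:, user_id:, gates:)
  projects.select do |project|
    next false unless project.group_id == group_id
    next true if project.member_ids.include?(user_id) # ordinary read access
    # Non-members only reach projects that opted in, and only if both gates are on.
    gates.public_registries_enabled? && project.registry_public
  end
end

# Returns [status, package_names]. Assumption: 404 when the user can see nothing in the group.
def group_search(projects, group_id:, user_id:, term:, gates:)
  visible = searchable_projects(projects, group_id: group_id, user_id: user_id, gates: gates)
  return [404, []] if visible.empty?

  names = visible.flat_map(&:packages).select { |n| n.downcase.include?(term.downcase) }
  [200, names.sort]
end

# Constructed sample: one private group (10), two private projects, only project 1 opted in.
DEMO_PROJECTS = [
  DemoProject.new(id: 1, group_id: 10, registry_public: true,
                  member_ids: Set[100], packages: ['Acme.Public']),
  DemoProject.new(id: 2, group_id: 10, registry_public: false,
                  member_ids: Set[100], packages: ['Acme.Internal'])
].freeze
```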
Related to #467396 (closed)