NuGet - Add Push Service

David Fernandez requested to merge 10io-nuget-push-delete-service into master

What does this MR do?

This MR adds the Push service endpoint in the NuGet API.

This API is meant to be used by the following tools: nuget and Visual Studio.

See the epic: &2271 (closed)

Related issue #36499 (closed) and #20050 (closed)

This MR changes the following:

  • Implements the push service for a NuGet Feed. Basically, an endpoint accepting package uploads. See https://docs.microsoft.com/en-us/nuget/api/package-publish-resource. Only the "push" part is implemented in this MR. The "delete" part will be added at a later time (see #36499 (comment 255275410))
    • Sidenote: this MR is part of the NuGet MVC. We currently allow multiple uploads of the same package file to simplify the first iteration of the implementation.
  • Reuse as many existing services as possible. The only one that is added in this MR is Packages::Nuget::CreatePackageService
  • Centralize code between the Conan endpoint and the NuGet endpoint. For example, the entire workhorse upload process is shared. Specs will share common functions.
  • Add missing specs for API::Helpers::PackagesHelpers

Additional notes

  • nuget clients impose how the API has to be authenticated. Clients will make an anonymous request. Upon receiving unauthorized with the proper HTTP header, the client will make a second request, this time with the proper credentials attached. This part has already been handled in the previous MR (!20825 (merged)).
  • The upload request lacks any information about the package. Here is an example of such an upload: (screenshot: Screenshot_2019-12-05_at_16.55.16)
  • As you can see above, the request doesn't have the package name, the package version or any other information. As such, the upload endpoint will simply store the package archive file and that's it. That's why the package has a fixed name and version.
  • In a future MR, a job will be implemented to extract and analyze the package archive (see #36502 (closed)). That's where we will be able to properly set the package name and version.

Screenshots

Here is an upload action with nuget:

$ nuget push DummyProject.DummyPackage.1.0.0.nupkg -source local
WARNING: No API Key was provided and no API Key could be found for 'https://gitlab.local/api/v4/projects/19/packages/nuget'. To save an API Key for a source use the 'setApiKey' command.
Pushing DummyProject.DummyPackage.1.0.0.nupkg to 'https://gitlab.local/api/v4/projects/19/packages/nuget'...
  PUT https://gitlab.local/api/v4/projects/19/packages/nuget/
  Created https://gitlab.local/api/v4/projects/19/packages/nuget/ 37741ms
Your package was pushed.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Tim Rizzi
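
The two-request authentication flow from the first additional note, sketched as an added example (not code from this MR or from GitLab). It assumes the challenge is HTTP Basic; the realm, the token table and the names handle_push and client_push are constructed for illustration.

```ruby
require 'base64'
require 'digest'

# Constructed values, for illustration only.
REALM  = 'Example Packages Registry'
TOKENS = { 'alice' => 'constructed-token-123' }.freeze

# Compare fixed-length digests without an early exit, so timing does not
# reveal how many leading bytes of the token matched.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns [user, secret] from an "Authorization: Basic ..." value, or nil
# when the header is missing, uses another scheme, or is not valid base64.
def parse_basic(header)
  scheme, encoded = header.to_s.split(' ', 2)
  return nil unless scheme&.casecmp?('Basic') && encoded
  user, secret = Base64.strict_decode64(encoded).split(':', 2)
  return nil if user.to_s.empty? || secret.nil?
  [user, secret]
rescue ArgumentError
  nil
end

# Server side: every failure gets the same 401 plus challenge header, which
# is what prompts the client to retry with credentials.
def handle_push(headers)
  user, secret = parse_basic(headers['Authorization'])
  known = TOKENS.key?(user)
  valid = !secret.nil? && secure_equal?(secret, TOKENS.fetch(user, ''))
  return [201, {}] if known && valid
  [401, { 'WWW-Authenticate' => %(Basic realm="#{REALM}") }]
end

# Client side: anonymous request first, credentials only after a challenge.
def client_push(user, token)
  status, headers = handle_push({})
  return status unless status == 401 &&
                       headers['WWW-Authenticate'].to_s.start_with?('Basic')
  auth = 'Basic ' + Base64.strict_encode64("#{user}:#{token}")
  handle_push('Authorization' => auth).first
end
```

Because the first request is always anonymous, a 401 on the push endpoint is expected for every upload; only a 401 on the second, credentialed request indicates a real authentication failure.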