
Fix Conan package presenter to find correct files

Steve Abrams requested to merge 208830-download-urls-conan-reference into master

What does this MR do?

When the Conan Package manager client makes a request to the GitLab Package registry to fetch a package (using conan install), a sequence of requests is made:

  1. The client requests a list of URLs to download the package files
  2. The client requests a list of md5 hashes to verify against each downloaded file
  3. The client requests each file using the URLs returned in request 1

The logic to build the responses to request 1 and 2 resides in Packages::Conan::PackagePresenter where #recipe_urls and #package_urls build the response to request 1, and #recipe_snapshot and #package_snapshot build the response to request 2.

A conan package is actually a series of packages that is grouped by a package recipe. Say I have package foo, I may publish a Debug build and a Release build. Each build has its own set of 3 files unique to the build. But both builds share a few files common to foo called the recipe files. The Debug and Release files have the same file names, so to differentiate between them, a conan_package_reference is used.

Currently, no matter which conan_package_reference is requested, Packages::Conan::PackagePresenter returns the first set of files it finds. This MR updates the presenter logic to find the files that match the conan_package_reference supplied in the request params.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related #208830 (closed)

Edited by Nick Thomas
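
The lookup problem described in this MR, as an added Ruby illustration (not code from the merge request or from GitLab): it models the md5 snapshot for two builds whose files share names, once ignoring the requested reference and once filtering on it. `PackageFile`, `FILES`, both function names, the reference strings and the md5 values are constructed for this example.

```ruby
# Constructed model, not GitLab's code: all names here are hypothetical.
PackageFile = Struct.new(:file_name, :md5, :conan_file_type, :package_reference)

# Constructed sample data: one recipe file shared by both builds of "foo",
# plus same-named binary files for a Debug and a Release build.
FILES = [
  PackageFile.new('conanfile.py',      'aaa', :recipe_file,  nil),
  PackageFile.new('conaninfo.txt',     'd01', :package_file, 'debugref'),
  PackageFile.new('conan_package.tgz', 'd02', :package_file, 'debugref'),
  PackageFile.new('conaninfo.txt',     'r01', :package_file, 'releaseref'),
  PackageFile.new('conan_package.tgz', 'r02', :package_file, 'releaseref')
].freeze

# Behaviour described as the bug: the requested reference is ignored, so the
# first file found for each file name wins, whatever build it belongs to.
def snapshot_first_match(files, _reference)
  files.select { |f| f.conan_file_type == :package_file }
       .each_with_object({}) { |f, h| h[f.file_name] ||= f.md5 }
end

# Behaviour described as the fix: only files stored under the requested
# conan_package_reference are presented. An unknown reference yields an
# empty snapshot instead of silently falling back to another build.
def snapshot_for_reference(files, reference)
  files.select { |f| f.conan_file_type == :package_file && f.package_reference == reference }
       .each_with_object({}) { |f, h| h[f.file_name] = f.md5 }
end

if __FILE__ == $PROGRAM_NAME
  # A client asking for the Release build gets Debug hashes from the first
  # lookup and the Release hashes from the second.
  p snapshot_first_match(FILES, 'releaseref')
  p snapshot_for_reference(FILES, 'releaseref')
end
```

Because the download URLs and the md5 snapshot come from the same presenter, the first lookup returns a set that is internally consistent but belongs to the wrong build, so the client's md5 check alone would not flag it.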
