Include source in composer json payload
🏠 Context
When working with Composer PHP packages, a user might run `composer update` or `composer req my-pkg:1.0.0` to install a package. There are multiple ways for the Composer client to then fetch the package. The default way is to let the Composer client request the package version metadata, and then use whatever URL the registry returns to retrieve the package. This is currently how the GitLab Composer registry operates. In the response to the request for package version metadata, we include a `dist` section that includes a URL pointing to the download route for the archived package.

There is another option that allows users to download a package directly from source, meaning directly from the git repository where the package code lives. This is the `--prefer-source` option. So if a user runs `composer update --prefer-source`, the Composer client knows not to use the `dist` URL, but instead to favor the `source` URL. The source URL points to a git repository, has a reference (commit hash), and specifies that the source is a `git` repository. With that information, the Composer client can then download the code directly from the repository.

The problem is, GitLab currently does not supply a `source` section in the metadata payload, so the GitLab registry does not support use of `--prefer-source`.
🔍 What does this MR do?
Adds a `source` section to the Composer version metadata response that contains the git repository URL. This allows users to use the `--prefer-source` option when installing Composer packages.
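The metadata shape described above, as an added example that is not part of this MR or of GitLab's code base: a Ruby sketch of one version entry carrying both a `dist` and a `source` section, a simplified mirror of the client-side choice that `--prefer-source` triggers, and the checks a registry maintainer would want on the `source` section before serving it (full commit SHA as the reference, `git` type, https clone URL). The field names are Composer's metadata format; the `gitlab.example` host, the archive path and all function names are constructed for this example.

```ruby
require 'json'
require 'uri'

# Constructed example, not GitLab's own code. Models one version entry of a
# Composer package metadata payload with both sections the MR discusses:
# 'dist' (archive download route) and 'source' (git repository URL, commit
# reference, type 'git'). Field names follow Composer's metadata format;
# hostnames and paths used below are placeholders.
def version_metadata(name:, version:, archive_url:, repo_url:, sha:)
  {
    'name' => name,
    'version' => version,
    'dist' => { 'type' => 'zip', 'url' => archive_url, 'reference' => sha },
    'source' => { 'type' => 'git', 'url' => repo_url, 'reference' => sha }
  }
end

# Simplified mirror of the client-side choice: with --prefer-source Composer
# uses the 'source' section when the registry supplied one, otherwise it
# falls back to 'dist'. Without the flag it uses 'dist'.
def pick_download(meta, prefer_source: false)
  return meta['source'] if prefer_source && meta['source']

  meta['dist']
end

FULL_SHA = /\A[0-9a-f]{40}\z/.freeze

# Checks a registry maintainer would want before serving a 'source' section:
# the type is 'git', the reference is a full commit SHA (a branch or tag name
# can be moved after the metadata was served; a commit hash cannot), and the
# clone URL is https so the checkout is not fetched over plaintext HTTP.
# Returns an array of problem strings; empty means the section is acceptable.
def source_section_problems(source)
  return ['source section missing'] if source.nil?

  problems = []
  problems << "type must be 'git', got #{source['type'].inspect}" unless source['type'] == 'git'
  problems << 'reference is not a full 40-hex commit SHA' unless source['reference'].to_s.match?(FULL_SHA)

  scheme = begin
    URI.parse(source['url'].to_s).scheme
  rescue URI::InvalidURIError
    nil
  end
  problems << 'url must use https' unless scheme == 'https'
  problems
end

if __FILE__ == $PROGRAM_NAME
  # Placeholder host; project id and SHA are the ones from the MR's log output.
  meta = version_metadata(
    name: 'foo/composer-test', version: '1.0.0',
    archive_url: 'https://gitlab.example/api/v4/projects/61/packages/composer/archives/foo/composer-test.zip?sha=98298a129ca79d3c1c55a6651993ac01109e34ae',
    repo_url: 'https://gitlab.example/foo/cp-2.git',
    sha: '98298a129ca79d3c1c55a6651993ac01109e34ae'
  )
  puts JSON.pretty_generate(meta)
  puts "prefer-source -> #{pick_download(meta, prefer_source: true)['type']}"
  puts "default       -> #{pick_download(meta)['type']}"
  puts "problems: #{source_section_problems(meta['source']).inspect}"
end
```

Both sections carry the same commit reference, which is what the two log runs below rely on: the archive route is requested with `?sha=98298a12…` and the `--prefer-source` run resets the clone to that same commit, so either install path resolves to identical code.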
📸 Screenshots (strongly suggested)
Without `--prefer-source` option

```text
→ composer update -vvv
Reading ./composer.json (/Users/steveabrams/workspace/playground/composer/composer-local-install/composer.json)
Loading config file /Users/steveabrams/.composer/config.json
Loading config file /Users/steveabrams/.composer/auth.json
Loading config file ./composer.json (/Users/steveabrams/workspace/playground/composer/composer-local-install/composer.json)
Checked CA file /private/etc/ssl/cert.pem: valid
Running 2.0.11 (2021-02-24 14:57:23) with PHP 7.3.11 on Darwin / 19.6.0
Loading composer repositories with package information
Warning: Accessing gdk.test over http which is an insecure protocol.
Using HTTP basic authentication with username "token"
Downloading http://gdk.test:3001/api/v4/group/153/-/packages/composer/packages.json
[200] http://gdk.test:3001/api/v4/group/153/-/packages/composer/packages.json
Writing /Users/steveabrams/.composer/cache/repo/http---gdk.test-3001-api-v4-group-153---packages-composer-packages.json/packages.json into cache
Downloading http://gdk.test:3001/api/v4/group/153/-/packages/composer/p2/foo/composer-test.json
[200] http://gdk.test:3001/api/v4/group/153/-/packages/composer/p2/foo/composer-test.json
Writing /Users/steveabrams/.composer/cache/repo/http---gdk.test-3001-api-v4-group-153---packages-composer-packages.json/provider-foo~composer-test.json into cache
Updating dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Analyzed 86 packages to resolve dependencies
Analyzed 86 rules to resolve dependencies
Lock file operations: 1 install, 0 updates, 0 removals
Installs: foo/composer-test:1.0.0
  - Locking foo/composer-test (1.0.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Reading ./composer.lock (/Users/steveabrams/workspace/playground/composer/composer-local-install/composer.lock)
Package operations: 1 install, 0 updates, 0 removals
Installs: foo/composer-test:1.0.0
  - Downloading foo/composer-test (1.0.0)
Downloading http://gdk.test:3001/api/v4/projects/61/packages/composer/archives/foo/composer-test.zip?sha=98298a129ca79d3c1c55a6651993ac01109e34ae
[200] http://gdk.test:3001/api/v4/projects/61/packages/composer/archives/foo/composer-test.zip?sha=98298a129ca79d3c1c55a6651993ac01109e34ae
Writing /Users/steveabrams/.composer/cache/files/foo/composer-test/587bfaa79eec55a422b392a5529929f8e5b816f3.zip into cache from /Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/composer/tmp-f523c084f1c57cef4b6570984c5c6ff5.zip
  - Installing foo/composer-test (1.0.0): Extracting archive
Executing async command (CWD): unzip -qq -o '/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/composer/tmp-f523c084f1c57cef4b6570984c5c6ff5.zip' -d '/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/composer/db4aeeca'
Executing command (CWD): rm -rf '/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/foo/composer-test'
Executing command (CWD): rm -rf '/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/composer/db4aeeca'
Executing command (CWD): rm -rf '/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/composer/'
Generating autoload files
```
With `--prefer-source` option

```text
→ composer update -vvv --prefer-source
Reading ./composer.json (/Users/steveabrams/workspace/playground/composer/composer-local-install/composer.json)
Loading config file /Users/steveabrams/.composer/config.json
Loading config file /Users/steveabrams/.composer/auth.json
Loading config file ./composer.json (/Users/steveabrams/workspace/playground/composer/composer-local-install/composer.json)
Checked CA file /private/etc/ssl/cert.pem: valid
Running 2.0.11 (2021-02-24 14:57:23) with PHP 7.3.11 on Darwin / 19.6.0
Loading composer repositories with package information
Warning: Accessing gdk.test over http which is an insecure protocol.
Using HTTP basic authentication with username "token"
Downloading http://gdk.test:3001/api/v4/group/153/-/packages/composer/packages.json
[200] http://gdk.test:3001/api/v4/group/153/-/packages/composer/packages.json
Writing /Users/steveabrams/.composer/cache/repo/http---gdk.test-3001-api-v4-group-153---packages-composer-packages.json/packages.json into cache
Downloading http://gdk.test:3001/api/v4/group/153/-/packages/composer/p2/foo/composer-test.json
[200] http://gdk.test:3001/api/v4/group/153/-/packages/composer/p2/foo/composer-test.json
Writing /Users/steveabrams/.composer/cache/repo/http---gdk.test-3001-api-v4-group-153---packages-composer-packages.json/provider-foo~composer-test.json into cache
Updating dependencies
Generating rules
Resolving dependencies through SAT
Looking at all rules.

Dependency resolution completed in 0.000 seconds
Analyzed 86 packages to resolve dependencies
Analyzed 86 rules to resolve dependencies
Lock file operations: 1 install, 0 updates, 0 removals
Installs: foo/composer-test:1.0.0
  - Locking foo/composer-test (1.0.0)
Writing lock file
Installing dependencies from lock file (including require-dev)
Reading ./composer.lock (/Users/steveabrams/workspace/playground/composer/composer-local-install/composer.lock)
Package operations: 1 install, 0 updates, 0 removals
Installs: foo/composer-test:1.0.0
  - Syncing foo/composer-test (1.0.0) into cache
Cloning to cache at '/Users/steveabrams/.composer/cache/vcs/http---gdk.test-3001-foo-cp-2.git/'
Executing command (CWD): git clone --mirror 'http://gdk.test:3001/foo/cp-2.git' '/Users/steveabrams/.composer/cache/vcs/http---gdk.test-3001-foo-cp-2.git/'
Executing command (/Users/steveabrams/.composer/cache/vcs/http---gdk.test-3001-foo-cp-2.git/): git rev-parse --git-dir
Executing command (/Users/steveabrams/.composer/cache/vcs/http---gdk.test-3001-foo-cp-2.git/): git rev-parse --quiet --verify '98298a129ca79d3c1c55a6651993ac01109e34ae^{commit}'
  - Installing foo/composer-test (1.0.0): Cloning 98298a129ca79d3c1c55a6651993ac01109e34ae from cache
Executing command (CWD): git clone --no-checkout '/Users/steveabrams/.composer/cache/vcs/http---gdk.test-3001-foo-cp-2.git/' '/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/foo/composer-test' --dissociate --reference '/Users/steveabrams/.composer/cache/vcs/http---gdk.test-3001-foo-cp-2.git/' && cd '/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/foo/composer-test' && git remote set-url origin 'http://gdk.test:3001/foo/cp-2.git' && git remote add composer 'http://gdk.test:3001/foo/cp-2.git'
Executing command (/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/foo/composer-test): git branch -r
Executing command (/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/foo/composer-test): (git checkout '1.0.0' -- || git checkout -B '1.0.0' 'composer/1.0.0' --) && git reset --hard '98298a129ca79d3c1c55a6651993ac01109e34ae' --
Executing command (/Users/steveabrams/workspace/playground/composer/composer-local-install/vendor/foo/composer-test): git checkout '98298a129ca79d3c1c55a6651993ac01109e34ae' -- && git reset --hard '98298a129ca79d3c1c55a6651993ac01109e34ae' --
Generating autoload files
```
☑ Does this MR meet the acceptance criteria?

Conformity
- 📋 Does this MR need a changelog?
  - I have included a changelog entry.
  - I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content

Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Related to #247531 (closed)