Skip to content

Adapt Go Proxy API to consider the package registry access level

Jonas Wälter requested to merge siemens/gitlab:read_package/go-API into master

What does this MR do and why?

This MR is a step of #329253 (closed) (see implementation plan):

  • In !82808 (merged), we added a new Package Registry visiblity setting in the project settings to allow access to the package registry for everyone even in private projects - behind the package_registry_access_level feature flag.
  • In !90963 (merged) and !97001 (merged), we modified the package policies to consider the new setting - behind the read_package_policy_rule feature flag and cleaned up in !96767 (merged).

Now, we need to modify the APIs of all package types to the changes: This MR adapts the Go Proxy API.

Why do we need to modify the API if considering the new setting has already been implemented in the policies?

Currently, it checks in a first step if there's access to the project (:read_project permission). If not, the request is aborted prematurely. The :read_package permission is checked only in a second step. But with the new project settings, it's possible that there's NO access to the project itself (:read_project permission), but there's access to the package registry (:read_package permission). So we must not check for the :read_project permission first.

🛠 with at Siemens

/cc @bufferoverflow

How to set up and validate locally

  1. Enable the feature flags:

    Feature.enable(:go_proxy)
    Feature.enable(:read_package_policy_rule)
  2. Try to get a go list, info, mod or zip of a private project as anonymous (see docs): 401 Unauthorized

GET projects/:id/packages/go/:module_name/@v/list
GET projects/:id/packages/go/:module_name/@v/:module_version.info
GET projects/:id/packages/go/:module_name/@v/:module_version.mod
GET projects/:id/packages/go/:module_name/@v/:module_version.zip
  1. Change the package_registry_access_level of the private project to allow access for everyone:

    project = Project.find(2)
    project.project_feature.update!(package_registry_access_level: ProjectFeature::PUBLIC)
  2. Try to get a go list, info, mod or zip of a private project as anonymous (see docs): 200 OK

GET projects/:id/packages/go/:module_name/@v/list
GET projects/:id/packages/go/:module_name/@v/:module_version.info
GET projects/:id/packages/go/:module_name/@v/:module_version.mod
GET projects/:id/packages/go/:module_name/@v/:module_version.zip

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jonas Wälter

Merge request reports

Loading