Commit 3dd6cae6 authored by David Fernandez's avatar David Fernandez

Add npm package requests forwarding

When a client (npm or yarn) asks for an npm package metadata, GitLab can
redirect this request to npmjs.org if the ApplicationSetting
`npm_package_requests_forwarding` is enabled.
parent a797fdfa
# frozen_string_literal: true
module API
module Helpers
module Packages
module DependencyProxyHelpers
REGISTRY_BASE_URLS = {
npm: 'https://registry.npmjs.org/'
}.freeze
def redirect_registry_request(forward_to_registry, package_type, options)
if redirect_registry_request_available? && forward_to_registry
redirect(registry_url(package_type, options))
else
yield
end
end
def registry_url(package_type, options)
base_url = REGISTRY_BASE_URLS[package_type]
raise ArgumentError, "Can't build registry_url for package_type #{package_type}" unless base_url
case package_type
when :npm
"#{base_url}#{options[:package_name]}"
end
end
def redirect_registry_request_available?
Feature.enabled?(:forward_npm_package_registry_requests) &&
::Gitlab::CurrentSettings.current_application_settings.npm_package_requests_forwarding
end
end
end
end
end
# frozen_string_literal: true
module API
class NpmPackages < Grape::API
helpers ::API::Helpers::PackagesHelpers
helpers ::API::Helpers::Packages::DependencyProxyHelpers
NPM_ENDPOINT_REQUIREMENTS = {
package_name: API::NO_SLASH_URL_PART_REGEX
}.freeze
......@@ -14,8 +17,6 @@ module API
authenticate_non_get!
end
helpers ::API::Helpers::PackagesHelpers
helpers do
def project_by_package_name
strong_memoize(:project_by_package_name) do
......@@ -109,6 +110,7 @@ module API
get 'packages/npm/*package_name', format: false, requirements: NPM_ENDPOINT_REQUIREMENTS do
package_name = params[:package_name]
redirect_registry_request(project_by_package_name.blank?, :npm, package_name: package_name) do
authorize_read_package!(project_by_package_name)
authorize_packages_feature!(project_by_package_name)
......@@ -118,6 +120,7 @@ module API
present ::Packages::Npm::PackagePresenter.new(package_name, packages),
with: EE::API::Entities::NpmPackage
end
end
params do
requires :id, type: String, desc: 'The ID of a project'
......
# frozen_string_literal: true
require 'spec_helper'
describe API::Helpers::Packages::DependencyProxyHelpers do
let_it_be(:helper) { Class.new.include(described_class).new }
describe 'redirect_registry_request' do
using RSpec::Parameterized::TableSyntax
let(:options) { {} }
subject { helper.redirect_registry_request(forward_to_registry, package_type, options) { helper.fallback } }
shared_examples 'executing fallback' do
it 'redirects to package registry' do
expect(helper).to receive(:registry_url).never
expect(helper).to receive(:redirect).never
expect(helper).to receive(:fallback).once
subject
end
end
shared_examples 'executing redirect' do
it 'redirects to package registry' do
expect(helper).to receive(:registry_url).once
expect(helper).to receive(:redirect).once
expect(helper).to receive(:fallback).never
subject
end
end
context 'with npm packages' do
let(:package_type) { :npm }
where(:feature_flag, :application_setting, :forward_to_registry, :example_name) do
true | true | true | 'executing redirect'
true | true | false | 'executing fallback'
true | false | true | 'executing fallback'
true | false | false | 'executing fallback'
false | true | true | 'executing fallback'
false | true | false | 'executing fallback'
false | false | true | 'executing fallback'
false | false | false | 'executing fallback'
end
with_them do
before do
stub_feature_flags(forward_npm_package_registry_requests: { enabled: feature_flag })
stub_application_setting(npm_package_requests_forwarding: application_setting)
end
it_behaves_like params[:example_name]
end
end
context 'with non-forwardable packages' do
let(:forward_to_registry) { true }
before do
stub_feature_flags(forward_npm_package_registry_requests: { enabled: true })
stub_application_setting(npm_package_requests_forwarding: true)
end
Packages::Package.package_types.keys.without('npm').each do |pkg_type|
context "#{pkg_type}" do
let(:package_type) { pkg_type }
it 'raises an error' do
expect { subject }.to raise_error(ArgumentError, "Can't build registry_url for package_type #{package_type}")
end
end
end
end
end
end
......@@ -41,21 +41,74 @@ describe API::NpmPackages do
let!(:package_dependency_link3) { create(:packages_dependency_link, package: package, dependency_type: :bundleDependencies) }
let!(:package_dependency_link4) { create(:packages_dependency_link, package: package, dependency_type: :peerDependencies) }
context 'a public project' do
it 'returns the package info without oauth token' do
shared_examples 'returning the npm package info' do
it 'returns the package info' do
get_package(package)
expect_a_valid_package_response
end
end
context 'project path with a dot' do
let(:project) { create(:project, :public, namespace: group, path: 'foo.bar') }
shared_examples 'returning forbidden for unknown package' do
context 'with an unknown package' do
it 'returns forbidden' do
get api("/packages/npm/unknown")
it 'returns the package info' do
get_package(package)
expect(response).to have_gitlab_http_status(:forbidden)
end
end
end
expect_a_valid_package_response
context 'a public project' do
it_behaves_like 'returning the npm package info'
context 'with forward_npm_package_registry_requests enabled' do
before do
stub_feature_flags(forward_npm_package_registry_requests: { enabled: true })
end
context 'with application setting enabled' do
before do
stub_application_setting(npm_package_requests_forwarding: true)
end
it_behaves_like 'returning the npm package info'
context 'with unknown package' do
it 'returns a redirect' do
get api("/packages/npm/unknown")
expect(response).to have_gitlab_http_status(:found)
expect(response.headers['Location']).to eq('https://registry.npmjs.org/unknown')
end
end
end
context 'with application setting disabled' do
before do
stub_application_setting(npm_package_requests_forwarding: false)
end
it_behaves_like 'returning the npm package info'
it_behaves_like 'returning forbidden for unknown package'
end
end
context 'with forward_npm_package_registry_requests disabled' do
before do
stub_feature_flags(forward_npm_package_registry_requests: { enabled: false })
end
it_behaves_like 'returning the npm package info'
it_behaves_like 'returning forbidden for unknown package'
end
context 'project path with a dot' do
let(:project) { create(:project, :public, namespace: group, path: 'foo.bar') }
it_behaves_like 'returning the npm package info'
end
end
......
......@@ -14,6 +14,7 @@ RSpec.shared_examples 'returns package tags' do |user_type|
using RSpec::Parameterized::TableSyntax
before do
stub_feature_flags(forward_npm_package_registry_requests: { enabled: false })
project.send("add_#{user_type}", user) unless user_type == :no_type
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment