Fix the npm instance level API with subgroups

The backend will now consider only root namespaces which will
properly exclude subgroups.

app/models/namespace.rb

@@ -164,6 +164,10 @@ class Namespace < ApplicationRecord
       name = host.delete_suffix(gitlab_host)
       Namespace.where(parent_id: nil).by_path(name)
     end
+
+    def top_most
+      where(parent_id: nil)
+    end
   end
 
   def package_settings

changelogs/unreleased/321958-fix-npm-instance-level-api-with-scoped-packages.yml

+---
+title: Fix the npm instance level API to exclude subgroups
+merge_request: 54554
+author:
+type: fixed

ee/app/models/ee/namespace.rb

@@ -37,8 +37,6 @@ module EE
       scope :include_gitlab_subscription_with_hosted_plan, -> { includes(gitlab_subscription: :hosted_plan) }
       scope :join_gitlab_subscription, -> { joins("LEFT OUTER JOIN gitlab_subscriptions ON gitlab_subscriptions.namespace_id=namespaces.id") }
 
-      scope :top_most, -> { where(parent_id: nil) }
-
       scope :in_active_trial, -> do
         left_joins(gitlab_subscription: :hosted_plan)
           .where(gitlab_subscriptions: { trial: true, trial_ends_on: Date.today.. })

ee/spec/models/ee/namespace_spec.rb

@@ -174,17 +174,6 @@ RSpec.describe Namespace do
       end
     end
 
-    describe '.top_most' do
-      let_it_be(:namespace) { create(:namespace) }
-      let_it_be(:sub_namespace) { create(:namespace, parent: namespace) }
-
-      subject { described_class.top_most.ids }
-
-      it 'only contains root namespace' do
-        is_expected.to eq([namespace.id])
-      end
-    end
-
     describe '.in_active_trial' do
       let_it_be(:namespaces) do
         [

lib/api/helpers/packages/npm.rb

@@ -52,7 +52,8 @@ module API
               namespace_path = namespace_path_from_package_name
               next unless namespace_path
 
-              namespace = namespace_from_path(namespace_path)
+              namespace = Namespace.top_most
+                                   .by_path(namespace_path)
               next unless namespace
 
               finder = ::Packages::Npm::PackageFinder.new(params[:package_name], namespace: namespace)
@@ -70,13 +71,6 @@ module API
 
           package_name.match(Gitlab::Regex.npm_package_name_regex)&.captures&.first
         end
-
-        def namespace_from_path(path)
-          group = Group.by_path(path)
-          return group if group
-
-          Namespace.for_user.by_path(path)
-        end
       end
     end
   end

spec/models/namespace_spec.rb

@@ -285,6 +285,17 @@ RSpec.describe Namespace do
     end
   end
 
+  describe '.top_most' do
+    let_it_be(:namespace) { create(:namespace) }
+    let_it_be(:sub_namespace) { create(:namespace, parent: namespace) }
+
+    subject { described_class.top_most.ids }
+
+    it 'only contains root namespace' do
+      is_expected.to eq([namespace.id])
+    end
+  end
+
   describe '#ancestors_upto' do
     let(:parent) { create(:group) }
     let(:child) { create(:group, parent: parent) }

spec/requests/api/npm_instance_packages_spec.rb

@@ -3,6 +3,11 @@
 require 'spec_helper'
 
 RSpec.describe API::NpmInstancePackages do
+  # We need to create a subgroup with the same name as the hosting group.
+  # It has to be created first to exhibit this bug: https://gitlab.com/gitlab-org/gitlab/-/issues/321958
+  let_it_be(:another_namespace) { create(:group, :public) }
+  let_it_be(:similarly_named_group) { create(:group, :public, parent: another_namespace, name: 'test-group') }
+
   include_context 'npm api setup'
 
   describe 'GET /api/v4/packages/npm/*package_name' do

spec/support/shared_contexts/requests/api/npm_packages_shared_context.rb

@@ -5,8 +5,9 @@ RSpec.shared_context 'npm api setup' do
   include HttpBasicAuthHelpers
 
   let_it_be(:user, reload: true) { create(:user) }
-  let_it_be(:group) { create(:group) }
-  let_it_be(:project, reload: true) { create(:project, :public, namespace: group) }
+  let_it_be(:group) { create(:group, name: 'test-group') }
+  let_it_be(:namespace) { group }
+  let_it_be(:project, reload: true) { create(:project, :public, namespace: namespace) }
   let_it_be(:package, reload: true) { create(:npm_package, project: project, name: "@#{group.path}/scoped_package") }
   let_it_be(:token) { create(:oauth_access_token, scopes: 'api', resource_owner: user) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }

spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb

@@ -45,220 +45,234 @@ RSpec.shared_examples 'handling get metadata requests' do |scope: :project|
     end
   end
 
-  where(:auth, :package_name_type, :request_forward, :visibility, :user_role, :expected_result, :expected_status) do
-    nil                    | :scoped_naming_convention    | true  | :public   | nil       | :accept   | :ok
-    nil                    | :scoped_naming_convention    | false | :public   | nil       | :accept   | :ok
-    nil                    | :scoped_no_naming_convention | true  | :public   | nil       | :accept   | :ok
-    nil                    | :scoped_no_naming_convention | false | :public   | nil       | :accept   | :ok
-    nil                    | :unscoped                    | true  | :public   | nil       | :accept   | :ok
-    nil                    | :unscoped                    | false | :public   | nil       | :accept   | :ok
-    nil                    | :non_existing                | true  | :public   | nil       | :redirect | :redirected
-    nil                    | :non_existing                | false | :public   | nil       | :reject   | :not_found
-    nil                    | :scoped_naming_convention    | true  | :private  | nil       | :reject   | :not_found
-    nil                    | :scoped_naming_convention    | false | :private  | nil       | :reject   | :not_found
-    nil                    | :scoped_no_naming_convention | true  | :private  | nil       | :reject   | :not_found
-    nil                    | :scoped_no_naming_convention | false | :private  | nil       | :reject   | :not_found
-    nil                    | :unscoped                    | true  | :private  | nil       | :reject   | :not_found
-    nil                    | :unscoped                    | false | :private  | nil       | :reject   | :not_found
-    nil                    | :non_existing                | true  | :private  | nil       | :redirect | :redirected
-    nil                    | :non_existing                | false | :private  | nil       | :reject   | :not_found
-    nil                    | :scoped_naming_convention    | true  | :internal | nil       | :reject   | :not_found
-    nil                    | :scoped_naming_convention    | false | :internal | nil       | :reject   | :not_found
-    nil                    | :scoped_no_naming_convention | true  | :internal | nil       | :reject   | :not_found
-    nil                    | :scoped_no_naming_convention | false | :internal | nil       | :reject   | :not_found
-    nil                    | :unscoped                    | true  | :internal | nil       | :reject   | :not_found
-    nil                    | :unscoped                    | false | :internal | nil       | :reject   | :not_found
-    nil                    | :non_existing                | true  | :internal | nil       | :redirect | :redirected
-    nil                    | :non_existing                | false | :internal | nil       | :reject   | :not_found
-
-    :oauth                 | :scoped_naming_convention    | true  | :public   | :guest    | :accept   | :ok
-    :oauth                 | :scoped_naming_convention    | true  | :public   | :reporter | :accept   | :ok
-    :oauth                 | :scoped_naming_convention    | false | :public   | :guest    | :accept   | :ok
-    :oauth                 | :scoped_naming_convention    | false | :public   | :reporter | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | true  | :public   | :guest    | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | true  | :public   | :reporter | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | false | :public   | :guest    | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | false | :public   | :reporter | :accept   | :ok
-    :oauth                 | :unscoped                    | true  | :public   | :guest    | :accept   | :ok
-    :oauth                 | :unscoped                    | true  | :public   | :reporter | :accept   | :ok
-    :oauth                 | :unscoped                    | false | :public   | :guest    | :accept   | :ok
-    :oauth                 | :unscoped                    | false | :public   | :reporter | :accept   | :ok
-    :oauth                 | :non_existing                | true  | :public   | :guest    | :redirect | :redirected
-    :oauth                 | :non_existing                | true  | :public   | :reporter | :redirect | :redirected
-    :oauth                 | :non_existing                | false | :public   | :guest    | :reject   | :not_found
-    :oauth                 | :non_existing                | false | :public   | :reporter | :reject   | :not_found
-    :oauth                 | :scoped_naming_convention    | true  | :private  | :guest    | :reject   | :forbidden
-    :oauth                 | :scoped_naming_convention    | true  | :private  | :reporter | :accept   | :ok
-    :oauth                 | :scoped_naming_convention    | false | :private  | :guest    | :reject   | :forbidden
-    :oauth                 | :scoped_naming_convention    | false | :private  | :reporter | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | true  | :private  | :guest    | :reject   | :forbidden
-    :oauth                 | :scoped_no_naming_convention | true  | :private  | :reporter | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | false | :private  | :guest    | :reject   | :forbidden
-    :oauth                 | :scoped_no_naming_convention | false | :private  | :reporter | :accept   | :ok
-    :oauth                 | :unscoped                    | true  | :private  | :guest    | :reject   | :forbidden
-    :oauth                 | :unscoped                    | true  | :private  | :reporter | :accept   | :ok
-    :oauth                 | :unscoped                    | false | :private  | :guest    | :reject   | :forbidden
-    :oauth                 | :unscoped                    | false | :private  | :reporter | :accept   | :ok
-    :oauth                 | :non_existing                | true  | :private  | :guest    | :redirect | :redirected
-    :oauth                 | :non_existing                | true  | :private  | :reporter | :redirect | :redirected
-    :oauth                 | :non_existing                | false | :private  | :guest    | :reject   | :forbidden
-    :oauth                 | :non_existing                | false | :private  | :reporter | :reject   | :not_found
-    :oauth                 | :scoped_naming_convention    | true  | :internal | :guest    | :accept   | :ok
-    :oauth                 | :scoped_naming_convention    | true  | :internal | :reporter | :accept   | :ok
-    :oauth                 | :scoped_naming_convention    | false | :internal | :guest    | :accept   | :ok
-    :oauth                 | :scoped_naming_convention    | false | :internal | :reporter | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | true  | :internal | :guest    | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | true  | :internal | :reporter | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | false | :internal | :guest    | :accept   | :ok
-    :oauth                 | :scoped_no_naming_convention | false | :internal | :reporter | :accept   | :ok
-    :oauth                 | :unscoped                    | true  | :internal | :guest    | :accept   | :ok
-    :oauth                 | :unscoped                    | true  | :internal | :reporter | :accept   | :ok
-    :oauth                 | :unscoped                    | false | :internal | :guest    | :accept   | :ok
-    :oauth                 | :unscoped                    | false | :internal | :reporter | :accept   | :ok
-    :oauth                 | :non_existing                | true  | :internal | :guest    | :redirect | :redirected
-    :oauth                 | :non_existing                | true  | :internal | :reporter | :redirect | :redirected
-    :oauth                 | :non_existing                | false | :internal | :guest    | :reject   | :not_found
-    :oauth                 | :non_existing                | false | :internal | :reporter | :reject   | :not_found
-
-    :personal_access_token | :scoped_naming_convention    | true  | :public   | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_naming_convention    | true  | :public   | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_naming_convention    | false | :public   | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_naming_convention    | false | :public   | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | true  | :public   | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | true  | :public   | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | false | :public   | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | false | :public   | :reporter | :accept   | :ok
-    :personal_access_token | :unscoped                    | true  | :public   | :guest    | :accept   | :ok
-    :personal_access_token | :unscoped                    | true  | :public   | :reporter | :accept   | :ok
-    :personal_access_token | :unscoped                    | false | :public   | :guest    | :accept   | :ok
-    :personal_access_token | :unscoped                    | false | :public   | :reporter | :accept   | :ok
-    :personal_access_token | :non_existing                | true  | :public   | :guest    | :redirect | :redirected
-    :personal_access_token | :non_existing                | true  | :public   | :reporter | :redirect | :redirected
-    :personal_access_token | :non_existing                | false | :public   | :guest    | :reject   | :not_found
-    :personal_access_token | :non_existing                | false | :public   | :reporter | :reject   | :not_found
-    :personal_access_token | :scoped_naming_convention    | true  | :private  | :guest    | :reject   | :forbidden
-    :personal_access_token | :scoped_naming_convention    | true  | :private  | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_naming_convention    | false | :private  | :guest    | :reject   | :forbidden
-    :personal_access_token | :scoped_naming_convention    | false | :private  | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | true  | :private  | :guest    | :reject   | :forbidden
-    :personal_access_token | :scoped_no_naming_convention | true  | :private  | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | false | :private  | :guest    | :reject   | :forbidden
-    :personal_access_token | :scoped_no_naming_convention | false | :private  | :reporter | :accept   | :ok
-    :personal_access_token | :unscoped                    | true  | :private  | :guest    | :reject   | :forbidden
-    :personal_access_token | :unscoped                    | true  | :private  | :reporter | :accept   | :ok
-    :personal_access_token | :unscoped                    | false | :private  | :guest    | :reject   | :forbidden
-    :personal_access_token | :unscoped                    | false | :private  | :reporter | :accept   | :ok
-    :personal_access_token | :non_existing                | true  | :private  | :guest    | :redirect | :redirected
-    :personal_access_token | :non_existing                | true  | :private  | :reporter | :redirect | :redirected
-    :personal_access_token | :non_existing                | false | :private  | :guest    | :reject   | :forbidden
-    :personal_access_token | :non_existing                | false | :private  | :reporter | :reject   | :not_found
-    :personal_access_token | :scoped_naming_convention    | true  | :internal | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_naming_convention    | true  | :internal | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_naming_convention    | false | :internal | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_naming_convention    | false | :internal | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | true  | :internal | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | true  | :internal | :reporter | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | false | :internal | :guest    | :accept   | :ok
-    :personal_access_token | :scoped_no_naming_convention | false | :internal | :reporter | :accept   | :ok
-    :personal_access_token | :unscoped                    | true  | :internal | :guest    | :accept   | :ok
-    :personal_access_token | :unscoped                    | true  | :internal | :reporter | :accept   | :ok
-    :personal_access_token | :unscoped                    | false | :internal | :guest    | :accept   | :ok
-    :personal_access_token | :unscoped                    | false | :internal | :reporter | :accept   | :ok
-    :personal_access_token | :non_existing                | true  | :internal | :guest    | :redirect | :redirected
-    :personal_access_token | :non_existing                | true  | :internal | :reporter | :redirect | :redirected
-    :personal_access_token | :non_existing                | false | :internal | :guest    | :reject   | :not_found
-    :personal_access_token | :non_existing                | false | :internal | :reporter | :reject   | :not_found
-
-    :job_token             | :scoped_naming_convention    | true  | :public   | :developer | :accept   | :ok
-    :job_token             | :scoped_naming_convention    | false | :public   | :developer | :accept   | :ok
-    :job_token             | :scoped_no_naming_convention | true  | :public   | :developer | :accept   | :ok
-    :job_token             | :scoped_no_naming_convention | false | :public   | :developer | :accept   | :ok
-    :job_token             | :unscoped                    | true  | :public   | :developer | :accept   | :ok
-    :job_token             | :unscoped                    | false | :public   | :developer | :accept   | :ok
-    :job_token             | :non_existing                | true  | :public   | :developer | :redirect | :redirected
-    :job_token             | :non_existing                | false | :public   | :developer | :reject   | :not_found
-    :job_token             | :scoped_naming_convention    | true  | :private  | :developer | :accept   | :ok
-    :job_token             | :scoped_naming_convention    | false | :private  | :developer | :accept   | :ok
-    :job_token             | :scoped_no_naming_convention | true  | :private  | :developer | :accept   | :ok
-    :job_token             | :scoped_no_naming_convention | false | :private  | :developer | :accept   | :ok
-    :job_token             | :unscoped                    | true  | :private  | :developer | :accept   | :ok
-    :job_token             | :unscoped                    | false | :private  | :developer | :accept   | :ok
-    :job_token             | :non_existing                | true  | :private  | :developer | :redirect | :redirected
-    :job_token             | :non_existing                | false | :private  | :developer | :reject   | :not_found
-    :job_token             | :scoped_naming_convention    | true  | :internal | :developer | :accept   | :ok
-    :job_token             | :scoped_naming_convention    | false | :internal | :developer | :accept   | :ok
-    :job_token             | :scoped_no_naming_convention | true  | :internal | :developer | :accept   | :ok
-    :job_token             | :scoped_no_naming_convention | false | :internal | :developer | :accept   | :ok
-    :job_token             | :unscoped                    | true  | :internal | :developer | :accept   | :ok
-    :job_token             | :unscoped                    | false | :internal | :developer | :accept   | :ok
-    :job_token             | :non_existing                | true  | :internal | :developer | :redirect | :redirected
-    :job_token             | :non_existing                | false | :internal | :developer | :reject   | :not_found
-
-    :deploy_token          | :scoped_naming_convention    | true  | :public   | nil        | :accept   | :ok
-    :deploy_token          | :scoped_naming_convention    | false | :public   | nil        | :accept   | :ok
-    :deploy_token          | :scoped_no_naming_convention | true  | :public   | nil        | :accept   | :ok
-    :deploy_token          | :scoped_no_naming_convention | false | :public   | nil        | :accept   | :ok
-    :deploy_token          | :unscoped                    | true  | :public   | nil        | :accept   | :ok
-    :deploy_token          | :unscoped                    | false | :public   | nil        | :accept   | :ok
-    :deploy_token          | :non_existing                | true  | :public   | nil        | :redirect | :redirected
-    :deploy_token          | :non_existing                | false | :public   | nil        | :reject   | :not_found
-    :deploy_token          | :scoped_naming_convention    | true  | :private  | nil        | :accept   | :ok
-    :deploy_token          | :scoped_naming_convention    | false | :private  | nil        | :accept   | :ok
-    :deploy_token          | :scoped_no_naming_convention | true  | :private  | nil        | :accept   | :ok
-    :deploy_token          | :scoped_no_naming_convention | false | :private  | nil        | :accept   | :ok
-    :deploy_token          | :unscoped                    | true  | :private  | nil        | :accept   | :ok
-    :deploy_token          | :unscoped                    | false | :private  | nil        | :accept   | :ok
-    :deploy_token          | :non_existing                | true  | :private  | nil        | :redirect | :redirected
-    :deploy_token          | :non_existing                | false | :private  | nil        | :reject   | :not_found
-    :deploy_token          | :scoped_naming_convention    | true  | :internal | nil        | :accept   | :ok
-    :deploy_token          | :scoped_naming_convention    | false | :internal | nil        | :accept   | :ok
-    :deploy_token          | :scoped_no_naming_convention | true  | :internal | nil        | :accept   | :ok
-    :deploy_token          | :scoped_no_naming_convention | false | :internal | nil        | :accept   | :ok
-    :deploy_token          | :unscoped                    | true  | :internal | nil        | :accept   | :ok
-    :deploy_token          | :unscoped                    | false | :internal | nil        | :accept   | :ok
-    :deploy_token          | :non_existing                | true  | :internal | nil        | :redirect | :redirected
-    :deploy_token          | :non_existing                | false | :internal | nil        | :reject   | :not_found
-  end
+  shared_examples 'handling all conditions' do
+    where(:auth, :package_name_type, :request_forward, :visibility, :user_role, :expected_result, :expected_status) do
+      nil                    | :scoped_naming_convention    | true  | :public   | nil       | :accept   | :ok
+      nil                    | :scoped_naming_convention    | false | :public   | nil       | :accept   | :ok
+      nil                    | :scoped_no_naming_convention | true  | :public   | nil       | :accept   | :ok
+      nil                    | :scoped_no_naming_convention | false | :public   | nil       | :accept   | :ok
+      nil                    | :unscoped                    | true  | :public   | nil       | :accept   | :ok
+      nil                    | :unscoped                    | false | :public   | nil       | :accept   | :ok
+      nil                    | :non_existing                | true  | :public   | nil       | :redirect | :redirected
+      nil                    | :non_existing                | false | :public   | nil       | :reject   | :not_found
+      nil                    | :scoped_naming_convention    | true  | :private  | nil       | :reject   | :not_found
+      nil                    | :scoped_naming_convention    | false | :private  | nil       | :reject   | :not_found
+      nil                    | :scoped_no_naming_convention | true  | :private  | nil       | :reject   | :not_found
+      nil                    | :scoped_no_naming_convention | false | :private  | nil       | :reject   | :not_found
+      nil                    | :unscoped                    | true  | :private  | nil       | :reject   | :not_found
+      nil                    | :unscoped                    | false | :private  | nil       | :reject   | :not_found
+      nil                    | :non_existing                | true  | :private  | nil       | :redirect | :redirected
+      nil                    | :non_existing                | false | :private  | nil       | :reject   | :not_found
+      nil                    | :scoped_naming_convention    | true  | :internal | nil       | :reject   | :not_found
+      nil                    | :scoped_naming_convention    | false | :internal | nil       | :reject   | :not_found
+      nil                    | :scoped_no_naming_convention | true  | :internal | nil       | :reject   | :not_found
+      nil                    | :scoped_no_naming_convention | false | :internal | nil       | :reject   | :not_found
+      nil                    | :unscoped                    | true  | :internal | nil       | :reject   | :not_found
+      nil                    | :unscoped                    | false | :internal | nil       | :reject   | :not_found
+      nil                    | :non_existing                | true  | :internal | nil       | :redirect | :redirected
+      nil                    | :non_existing                | false | :internal | nil       | :reject   | :not_found
+
+      :oauth                 | :scoped_naming_convention    | true  | :public   | :guest    | :accept   | :ok
+      :oauth                 | :scoped_naming_convention    | true  | :public   | :reporter | :accept   | :ok
+      :oauth                 | :scoped_naming_convention    | false | :public   | :guest    | :accept   | :ok
+      :oauth                 | :scoped_naming_convention    | false | :public   | :reporter | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | true  | :public   | :guest    | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | true  | :public   | :reporter | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | false | :public   | :guest    | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | false | :public   | :reporter | :accept   | :ok
+      :oauth                 | :unscoped                    | true  | :public   | :guest    | :accept   | :ok
+      :oauth                 | :unscoped                    | true  | :public   | :reporter | :accept   | :ok
+      :oauth                 | :unscoped                    | false | :public   | :guest    | :accept   | :ok
+      :oauth                 | :unscoped                    | false | :public   | :reporter | :accept   | :ok
+      :oauth                 | :non_existing                | true  | :public   | :guest    | :redirect | :redirected
+      :oauth                 | :non_existing                | true  | :public   | :reporter | :redirect | :redirected
+      :oauth                 | :non_existing                | false | :public   | :guest    | :reject   | :not_found
+      :oauth                 | :non_existing                | false | :public   | :reporter | :reject   | :not_found
+      :oauth                 | :scoped_naming_convention    | true  | :private  | :guest    | :reject   | :forbidden
+      :oauth                 | :scoped_naming_convention    | true  | :private  | :reporter | :accept   | :ok
+      :oauth                 | :scoped_naming_convention    | false | :private  | :guest    | :reject   | :forbidden
+      :oauth                 | :scoped_naming_convention    | false | :private  | :reporter | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | true  | :private  | :guest    | :reject   | :forbidden
+      :oauth                 | :scoped_no_naming_convention | true  | :private  | :reporter | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | false | :private  | :guest    | :reject   | :forbidden
+      :oauth                 | :scoped_no_naming_convention | false | :private  | :reporter | :accept   | :ok
+      :oauth                 | :unscoped                    | true  | :private  | :guest    | :reject   | :forbidden
+      :oauth                 | :unscoped                    | true  | :private  | :reporter | :accept   | :ok
+      :oauth                 | :unscoped                    | false | :private  | :guest    | :reject   | :forbidden
+      :oauth                 | :unscoped                    | false | :private  | :reporter | :accept   | :ok
+      :oauth                 | :non_existing                | true  | :private  | :guest    | :redirect | :redirected
+      :oauth                 | :non_existing                | true  | :private  | :reporter | :redirect | :redirected
+      :oauth                 | :non_existing                | false | :private  | :guest    | :reject   | :forbidden
+      :oauth                 | :non_existing                | false | :private  | :reporter | :reject   | :not_found
+      :oauth                 | :scoped_naming_convention    | true  | :internal | :guest    | :accept   | :ok
+      :oauth                 | :scoped_naming_convention    | true  | :internal | :reporter | :accept   | :ok
+      :oauth                 | :scoped_naming_convention    | false | :internal | :guest    | :accept   | :ok
+      :oauth                 | :scoped_naming_convention    | false | :internal | :reporter | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | true  | :internal | :guest    | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | true  | :internal | :reporter | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | false | :internal | :guest    | :accept   | :ok
+      :oauth                 | :scoped_no_naming_convention | false | :internal | :reporter | :accept   | :ok
+      :oauth                 | :unscoped                    | true  | :internal | :guest    | :accept   | :ok
+      :oauth                 | :unscoped                    | true  | :internal | :reporter | :accept   | :ok
+      :oauth                 | :unscoped                    | false | :internal | :guest    | :accept   | :ok
+      :oauth                 | :unscoped                    | false | :internal | :reporter | :accept   | :ok
+      :oauth                 | :non_existing                | true  | :internal | :guest    | :redirect | :redirected
+      :oauth                 | :non_existing                | true  | :internal | :reporter | :redirect | :redirected
+      :oauth                 | :non_existing                | false | :internal | :guest    | :reject   | :not_found
+      :oauth                 | :non_existing                | false | :internal | :reporter | :reject   | :not_found
+
+      :personal_access_token | :scoped_naming_convention    | true  | :public   | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_naming_convention    | true  | :public   | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_naming_convention    | false | :public   | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_naming_convention    | false | :public   | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | true  | :public   | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | true  | :public   | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | false | :public   | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | false | :public   | :reporter | :accept   | :ok
+      :personal_access_token | :unscoped                    | true  | :public   | :guest    | :accept   | :ok
+      :personal_access_token | :unscoped                    | true  | :public   | :reporter | :accept   | :ok
+      :personal_access_token | :unscoped                    | false | :public   | :guest    | :accept   | :ok
+      :personal_access_token | :unscoped                    | false | :public   | :reporter | :accept   | :ok
+      :personal_access_token | :non_existing                | true  | :public   | :guest    | :redirect | :redirected
+      :personal_access_token | :non_existing                | true  | :public   | :reporter | :redirect | :redirected
+      :personal_access_token | :non_existing                | false | :public   | :guest    | :reject   | :not_found
+      :personal_access_token | :non_existing                | false | :public   | :reporter | :reject   | :not_found
+      :personal_access_token | :scoped_naming_convention    | true  | :private  | :guest    | :reject   | :forbidden
+      :personal_access_token | :scoped_naming_convention    | true  | :private  | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_naming_convention    | false | :private  | :guest    | :reject   | :forbidden
+      :personal_access_token | :scoped_naming_convention    | false | :private  | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | true  | :private  | :guest    | :reject   | :forbidden
+      :personal_access_token | :scoped_no_naming_convention | true  | :private  | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | false | :private  | :guest    | :reject   | :forbidden
+      :personal_access_token | :scoped_no_naming_convention | false | :private  | :reporter | :accept   | :ok
+      :personal_access_token | :unscoped                    | true  | :private  | :guest    | :reject   | :forbidden
+      :personal_access_token | :unscoped                    | true  | :private  | :reporter | :accept   | :ok
+      :personal_access_token | :unscoped                    | false | :private  | :guest    | :reject   | :forbidden
+      :personal_access_token | :unscoped                    | false | :private  | :reporter | :accept   | :ok
+      :personal_access_token | :non_existing                | true  | :private  | :guest    | :redirect | :redirected
+      :personal_access_token | :non_existing                | true  | :private  | :reporter | :redirect | :redirected
+      :personal_access_token | :non_existing                | false | :private  | :guest    | :reject   | :forbidden
+      :personal_access_token | :non_existing                | false | :private  | :reporter | :reject   | :not_found
+      :personal_access_token | :scoped_naming_convention    | true  | :internal | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_naming_convention    | true  | :internal | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_naming_convention    | false | :internal | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_naming_convention    | false | :internal | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | true  | :internal | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | true  | :internal | :reporter | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | false | :internal | :guest    | :accept   | :ok
+      :personal_access_token | :scoped_no_naming_convention | false | :internal | :reporter | :accept   | :ok
+      :personal_access_token | :unscoped                    | true  | :internal | :guest    | :accept   | :ok
+      :personal_access_token | :unscoped                    | true  | :internal | :reporter | :accept   | :ok
+      :personal_access_token | :unscoped                    | false | :internal | :guest    | :accept   | :ok
+      :personal_access_token | :unscoped                    | false | :internal | :reporter | :accept   | :ok
+      :personal_access_token | :non_existing                | true  | :internal | :guest    | :redirect | :redirected
+      :personal_access_token | :non_existing                | true  | :internal | :reporter | :redirect | :redirected
+      :personal_access_token | :non_existing                | false | :internal | :guest    | :reject   | :not_found
+      :personal_access_token | :non_existing                | false | :internal | :reporter | :reject   | :not_found
+
+      :job_token             | :scoped_naming_convention    | true  | :public   | :developer | :accept   | :ok
+      :job_token             | :scoped_naming_convention    | false | :public   | :developer | :accept   | :ok
+      :job_token             | :scoped_no_naming_convention | true  | :public   | :developer | :accept   | :ok
+      :job_token             | :scoped_no_naming_convention | false | :public   | :developer | :accept   | :ok
+      :job_token             | :unscoped                    | true  | :public   | :developer | :accept   | :ok
+      :job_token             | :unscoped                    | false | :public   | :developer | :accept   | :ok
+      :job_token             | :non_existing                | true  | :public   | :developer | :redirect | :redirected
+      :job_token             | :non_existing                | false | :public   | :developer | :reject   | :not_found
+      :job_token             | :scoped_naming_convention    | true  | :private  | :developer | :accept   | :ok
+      :job_token             | :scoped_naming_convention    | false | :private  | :developer | :accept   | :ok
+      :job_token             | :scoped_no_naming_convention | true  | :private  | :developer | :accept   | :ok
+      :job_token             | :scoped_no_naming_convention | false | :private  | :developer | :accept   | :ok
+      :job_token             | :unscoped                    | true  | :private  | :developer | :accept   | :ok
+      :job_token             | :unscoped                    | false | :private  | :developer | :accept   | :ok
+      :job_token             | :non_existing                | true  | :private  | :developer | :redirect | :redirected
+      :job_token             | :non_existing                | false | :private  | :developer | :reject   | :not_found
+      :job_token             | :scoped_naming_convention    | true  | :internal | :developer | :accept   | :ok
+      :job_token             | :scoped_naming_convention    | false | :internal | :developer | :accept   | :ok
+      :job_token             | :scoped_no_naming_convention | true  | :internal | :developer | :accept   | :ok
+      :job_token             | :scoped_no_naming_convention | false | :internal | :developer | :accept   | :ok
+      :job_token             | :unscoped                    | true  | :internal | :developer | :accept   | :ok
+      :job_token             | :unscoped                    | false | :internal | :developer | :accept   | :ok
+      :job_token             | :non_existing                | true  | :internal | :developer | :redirect | :redirected
+      :job_token             | :non_existing                | false | :internal | :developer | :reject   | :not_found
+
+      :deploy_token          | :scoped_naming_convention    | true  | :public   | nil        | :accept   | :ok
+      :deploy_token          | :scoped_naming_convention    | false | :public   | nil        | :accept   | :ok
+      :deploy_token          | :scoped_no_naming_convention | true  | :public   | nil        | :accept   | :ok
+      :deploy_token          | :scoped_no_naming_convention | false | :public   | nil        | :accept   | :ok
+      :deploy_token          | :unscoped                    | true  | :public   | nil        | :accept   | :ok
+      :deploy_token          | :unscoped                    | false | :public   | nil        | :accept   | :ok
+      :deploy_token          | :non_existing                | true  | :public   | nil        | :redirect | :redirected
+      :deploy_token          | :non_existing                | false | :public   | nil        | :reject   | :not_found
+      :deploy_token          | :scoped_naming_convention    | true  | :private  | nil        | :accept   | :ok
+      :deploy_token          | :scoped_naming_convention    | false | :private  | nil        | :accept   | :ok
+      :deploy_token          | :scoped_no_naming_convention | true  | :private  | nil        | :accept   | :ok
+      :deploy_token          | :scoped_no_naming_convention | false | :private  | nil        | :accept   | :ok
+      :deploy_token          | :unscoped                    | true  | :private  | nil        | :accept   | :ok
+      :deploy_token          | :unscoped                    | false | :private  | nil        | :accept   | :ok
+      :deploy_token          | :non_existing                | true  | :private  | nil        | :redirect | :redirected
+      :deploy_token          | :non_existing                | false | :private  | nil        | :reject   | :not_found
+      :deploy_token          | :scoped_naming_convention    | true  | :internal | nil        | :accept   | :ok
+      :deploy_token          | :scoped_naming_convention    | false | :internal | nil        | :accept   | :ok
+      :deploy_token          | :scoped_no_naming_convention | true  | :internal | nil        | :accept   | :ok
+      :deploy_token          | :scoped_no_naming_convention | false | :internal | nil        | :accept   | :ok
+      :deploy_token          | :unscoped                    | true  | :internal | nil        | :accept   | :ok
+      :deploy_token          | :unscoped                    | false | :internal | nil        | :accept   | :ok
+      :deploy_token          | :non_existing                | true  | :internal | nil        | :redirect | :redirected
+      :deploy_token          | :non_existing                | false | :internal | nil        | :reject   | :not_found
+    end
 
-  with_them do
-    include_context 'set package name from package name type'
-
-    let(:headers) do
-      case auth
-      when :oauth
-        build_token_auth_header(token.token)
-      when :personal_access_token
-        build_token_auth_header(personal_access_token.token)
-      when :job_token
-        build_token_auth_header(job.token)
-      when :deploy_token
-        build_token_auth_header(deploy_token.token)
-      else
-        {}
+    with_them do
+      include_context 'set package name from package name type'
+
+      let(:headers) do
+        case auth
+        when :oauth
+          build_token_auth_header(token.token)
+        when :personal_access_token
+          build_token_auth_header(personal_access_token.token)
+        when :job_token
+          build_token_auth_header(job.token)
+        when :deploy_token
+          build_token_auth_header(deploy_token.token)
+        else
+          {}
+        end
       end
-    end
 
-    before do
-      project.send("add_#{user_role}", user) if user_role
-      project.update!(visibility: visibility.to_s)
-      package.update!(name: package_name) unless package_name == 'non-existing-package'
-      stub_application_setting(npm_package_requests_forwarding: request_forward)
-    end
+      before do
+        project.send("add_#{user_role}", user) if user_role
+        project.update!(visibility: visibility.to_s)
+        package.update!(name: package_name) unless package_name == 'non-existing-package'
+        stub_application_setting(npm_package_requests_forwarding: request_forward)
+      end
 
-    example_name = "#{params[:expected_result]} metadata request"
-    status = params[:expected_status]
+      example_name = "#{params[:expected_result]} metadata request"
+      status = params[:expected_status]
 
-    if scope == :instance && params[:package_name_type] != :scoped_naming_convention
-      if params[:request_forward]
-        example_name = 'redirect metadata request'
-        status = :redirected
-      else
-        example_name = 'reject metadata request'
-        status = :not_found
+      if scope == :instance && params[:package_name_type] != :scoped_naming_convention
+        if params[:request_forward]
+          example_name = 'redirect metadata request'
+          status = :redirected
+        else
+          example_name = 'reject metadata request'
+          status = :not_found
+        end
       end
+
+      it_behaves_like example_name, status: status
     end
+  end
 
-    it_behaves_like example_name, status: status
+  context 'with a group namespace' do
+    it_behaves_like 'handling all conditions'
+  end
+
+  if scope != :project
+    context 'with a user namespace' do
+      let_it_be(:namespace) { user.namespace }
+
+      it_behaves_like 'handling all conditions'
+    end
   end
 
   context 'with a developer' do
@@ -371,16 +385,30 @@ RSpec.shared_examples 'handling get dist tags requests' do |scope: :project|
     end
   end
 
-  context 'with oauth token' do
-    let(:headers) { build_token_auth_header(token.token) }
+  shared_examples 'handling all conditions' do
+    context 'with oauth token' do
+      let(:headers) { build_token_auth_header(token.token) }
+
+      it_behaves_like 'handling different package names, visibilities and user roles'
+    end
+
+    context 'with personal access token' do
+      let(:headers) { build_token_auth_header(personal_access_token.token) }
 
-    it_behaves_like 'handling different package names, visibilities and user roles'
+      it_behaves_like 'handling different package names, visibilities and user roles'
+    end
   end
 
-  context 'with personal access token' do
-    let(:headers) { build_token_auth_header(personal_access_token.token) }
+  context 'with a group namespace' do
+    it_behaves_like 'handling all conditions'
+  end
+
+  if scope != :project
+    context 'with a user namespace' do
+      let_it_be(:namespace) { user.namespace }
 
-    it_behaves_like 'handling different package names, visibilities and user roles'
+      it_behaves_like 'handling all conditions'
+    end
   end
 end
 
@@ -467,16 +495,30 @@ RSpec.shared_examples 'handling create dist tag requests' do |scope: :project|
     end
   end
 
-  context 'with oauth token' do
-    let(:headers) { build_token_auth_header(token.token) }
+  shared_examples 'handling all conditions' do
+    context 'with oauth token' do
+      let(:headers) { build_token_auth_header(token.token) }
 
-    it_behaves_like 'handling different package names, visibilities and user roles'
+      it_behaves_like 'handling different package names, visibilities and user roles'
+    end
+
+    context 'with personal access token' do
+      let(:headers) { build_token_auth_header(personal_access_token.token) }
+
+      it_behaves_like 'handling different package names, visibilities and user roles'
+    end
   end
 
-  context 'with personal access token' do
-    let(:headers) { build_token_auth_header(personal_access_token.token) }
+  context 'with a group namespace' do
+    it_behaves_like 'handling all conditions'
+  end
+
+  if scope != :project
+    context 'with a user namespace' do
+      let_it_be(:namespace) { user.namespace }
 
-    it_behaves_like 'handling different package names, visibilities and user roles'
+      it_behaves_like 'handling all conditions'
+    end
   end
 end
 
@@ -561,15 +603,29 @@ RSpec.shared_examples 'handling delete dist tag requests' do |scope: :project|
     end
   end
 
-  context 'with oauth token' do
-    let(:headers) { build_token_auth_header(token.token) }
+  shared_examples 'handling all conditions' do
+    context 'with oauth token' do
+      let(:headers) { build_token_auth_header(token.token) }
+
+      it_behaves_like 'handling different package names, visibilities and user roles'
+    end
+
+    context 'with personal access token' do
+      let(:headers) { build_token_auth_header(personal_access_token.token) }
 
-    it_behaves_like 'handling different package names, visibilities and user roles'
+      it_behaves_like 'handling different package names, visibilities and user roles'
+    end
   end
 
-  context 'with personal access token' do
-    let(:headers) { build_token_auth_header(personal_access_token.token) }
+  context 'with a group namespace' do
+    it_behaves_like 'handling all conditions'
+  end
 
-    it_behaves_like 'handling different package names, visibilities and user roles'
+  if scope != :project
+    context 'with a user namespace' do
+      let_it_be(:namespace) { user.namespace }
+
+      it_behaves_like 'handling all conditions'
+    end
   end
 end