Protected packages: Integrate delete protection for existing package types
What does this MR do and why?
Protected packages: Integrate delete protection
In GitLab 17.6, the package protection feature was made generally available. But this release did not include package deletion protection, see #472655 (closed).
The attribute minimum_access_level_for_delete was introduced in MR !179739 (merged). This MR integrates that attribute in order to prevent deleting protected packages.
The deletion protection check has been integrated when:
- The user attempts to delete a protected package through the REST API, see the endpoint DELETE /projects/:id/packages/:package_id
- The user attempts to delete a package file that belongs to a protected package through the REST API, see the endpoint DELETE /projects/:id/packages/:package_id/package_files/:package_file_id
- The GraphQL API does not have a mutation that deletes a package, therefore the deletion protection check is not integrated there.
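The check described above, modelled as an added Ruby example (not GitLab's own code): a rule matches a package by type and name pattern, and a user below the rule's minimum_access_level_for_delete gets the 403 shown in the recordings below. The '*' wildcard, the owner/admin enum values and the numeric role values are assumptions of this model.

```ruby
# Added illustration (not GitLab code): models the delete-protection check
# this MR wires into the REST package and package-file DELETE endpoints.
# Numeric role values follow GitLab's public access levels; the '*' wildcard
# and the owner/admin enum for the delete threshold are assumptions here.
ACCESS_LEVELS = {
  guest: 10, reporter: 20, developer: 30,
  maintainer: 40, owner: 50, admin: 60
}.freeze

ProtectionRule = Struct.new(:package_name_pattern, :package_type,
                            :minimum_access_level_for_delete) do
  # Turn the rule pattern into an anchored regexp: '*' matches any run of
  # characters, everything else is matched literally.
  def matches?(package_name, type)
    return false unless package_type == type

    regexp = /\A#{Regexp.escape(package_name_pattern).gsub('\*', '.*')}\z/
    regexp.match?(package_name)
  end
end

Package = Struct.new(:name, :package_type)

# A package is deletion protected for a user when any rule matches it and
# the user's access level is below that rule's delete threshold.
def deletion_protected?(rules, package, user_access_level)
  rules.any? do |rule|
    rule.matches?(package.name, package.package_type) &&
      user_access_level < ACCESS_LEVELS.fetch(rule.minimum_access_level_for_delete)
  end
end

# Simulates the REST endpoint outcome as [status, body].
def delete_package(rules, package, user_access_level)
  if deletion_protected?(rules, package, user_access_level)
    [403, { message: "403 Forbidden - Package is deletion protected." }]
  else
    [204, nil]
  end
end

# Constructed sample rules: the one from the setup steps plus a wildcard rule.
RULES = [
  ProtectionRule.new("@flightjs/flight-npm-protected", :npm, :admin),
  ProtectionRule.new("@flightjs/*", :npm, :owner)
].freeze

if __FILE__ == $PROGRAM_NAME
  pkg = Package.new("@flightjs/flight-npm-protected", :npm)
  p delete_package(RULES, pkg, ACCESS_LEVELS[:owner]) # owner is below :admin
  p delete_package(RULES, pkg, ACCESS_LEVELS[:admin])
end
```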
At the moment, the attribute minimum_access_level_for_delete cannot be updated via the UI, REST or GraphQL API. This possibility will be added in a future iteration.
Changelog: added
References
MR acceptance checklist
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- Conforms to the javascript style guides
- Conforms to the database guides
- Wait for Protected packages: Add basics for package dele... (!179739 - merged)
Screenshots or screen recordings
Before this MR
DELETE /projects/:id/packages/:package_id
```
curl -i --request DELETE \
  --url http://gdk.test:3000/api/v4/projects/7/packages/42 \
  --header 'PRIVATE-TOKEN: {{patWithoutAdminScope}}'

HTTP/1.1 204 No Content
Cache-Control: no-cache
Content-Security-Policy: default-src 'none'
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"01JN27KKMY93ERK1F6W2A8W9FJ","version":"1"}
X-Request-Id: 01JN27KKMY93ERK1F6W2A8W9FJ
X-Runtime: 0.163437
Date: Wed, 26 Feb 2025 22:56:28 GMT
```
DELETE /projects/:id/packages/:package_id/package_files/:package_file_id
```
curl -i --request DELETE \
  --url http://gdk.test:3000/api/v4/projects/7/packages/42/package_files/113 \
  --header 'PRIVATE-TOKEN: {{patWithoutAdminScope}}'

HTTP/1.1 204 No Content
Cache-Control: no-cache
Content-Security-Policy: default-src 'none'
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"01JN27J8Z3TSVP6RP86DZ5N5TM","version":"1"}
X-Request-Id: 01JN27J8Z3TSVP6RP86DZ5N5TM
X-Runtime: 5.258553
Date: Wed, 26 Feb 2025 22:55:49 GMT
```
After this MR
DELETE /projects/:id/packages/:package_id
```
curl -i --request DELETE \
  --url http://gdk.test:3000/api/v4/projects/7/packages/42 \
  --header 'PRIVATE-TOKEN: {{patWithoutAdminScope}}'

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Length: 60
Content-Security-Policy: default-src 'none'
Content-Type: application/json
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"01JN27BSTM3P4JSJNJ4HAH5C7X","version":"1"}
X-Request-Id: 01JN27BSTM3P4JSJNJ4HAH5C7X
X-Runtime: 0.074950
Date: Wed, 26 Feb 2025 22:52:12 GMT

{"message":"403 Forbidden - Package is deletion protected."}
```
DELETE /projects/:id/packages/:package_id/package_files/:package_file_id
```
curl -i --request DELETE \
  --url http://gdk.test:3000/api/v4/projects/7/packages/42/package_files/113 \
  --header 'PRIVATE-TOKEN: {{patWithoutAdminScope}}'

HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Length: 60
Content-Security-Policy: default-src 'none'
Content-Type: application/json
Vary: Origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Gitlab-Meta: {"correlation_id":"01JN27AHARMZTQBM3TJCKSGCZJ","version":"1"}
X-Request-Id: 01JN27AHARMZTQBM3TJCKSGCZJ
X-Runtime: 0.365543
Date: Wed, 26 Feb 2025 22:51:31 GMT

{"message":"403 Forbidden - Package is deletion protected."}
```
How to set up and validate locally
- Enable the feature flag:
  ```ruby
  Feature.enable(:packages_protected_packages_delete)
  ```
- Publish a package for the (seeded) project flightjs/flight, e.g. an npm package with the name @flightjs/flight-npm-protected
- Create a package protection rule for the newly created package and set the attribute minimum_access_level_for_delete to 'admin':
  ```ruby
  Packages::Protection::Rule.find_or_create_by(
    project: Project.find_by_full_path('flightjs/Flight'),
    package_name_pattern: '@flightjs/flight-npm-protected',
    package_type: :npm,
    minimum_access_level_for_delete: :admin,
    minimum_access_level_for_push: :admin
  )
  ```
- Try to delete the npm package via the REST API, see https://docs.gitlab.com/api/packages/#delete-a-project-package => you should receive an error 403 Forbidden 💥
  ```shell
  curl --request DELETE \
    --url http://gdk.test:3000/api/v4/projects/7/packages/42 \
    --header 'PRIVATE-TOKEN: {{patWithoutAdminScope}}'
  ```
- Try to delete one of the published package files, see https://docs.gitlab.com/api/packages/#delete-a-package-file => you should receive an error 403 Forbidden 💥
  ```shell
  curl -i --request DELETE \
    --url http://gdk.test:3000/api/v4/projects/7/packages/42/package_files/113 \
    --header 'PRIVATE-TOKEN: {{patWithoutAdminScope}}'
  ```
Related to #323970 (closed)