Merge branch 'helm_index_yaml' into 'master'

Helm charts index API endpoint

See merge request gitlab-org/gitlab!62757

app/finders/packages/helm/package_files_finder.rb

@@ -3,6 +3,9 @@
 module Packages
   module Helm
     class PackageFilesFinder
+      DEFAULT_PACKAGE_FILES_COUNT = 20
+      MAX_PACKAGE_FILES_COUNT = 1000
+
       def initialize(project, channel, params = {})
         @project = project
         @channel = channel
@@ -10,12 +13,18 @@ module Packages
       end
 
       def execute
-        package_files = Packages::PackageFile.for_helm_with_channel(@project, @channel).preload_helm_file_metadata
+        package_files = Packages::PackageFile.for_helm_with_channel(@project, @channel)
+                                             .limit_recent(limit)
         by_file_name(package_files)
       end
 
       private
 
+      def limit
+        limit_param = @params[:limit] || DEFAULT_PACKAGE_FILES_COUNT
+        [limit_param, MAX_PACKAGE_FILES_COUNT].min
+      end
+
       def by_file_name(files)
         return files unless @params[:file_name]
 

app/models/packages/package_file.rb

@@ -27,6 +27,7 @@ class Packages::PackageFile < ApplicationRecord
   validates :file_name, uniqueness: { scope: :package }, if: -> { package&.pypi? }
 
   scope :recent, -> { order(id: :desc) }
+  scope :limit_recent, ->(limit) { recent.limit(limit) }
   scope :for_package_ids, ->(ids) { where(package_id: ids) }
   scope :with_file_name, ->(file_name) { where(file_name: file_name) }
   scope :with_file_name_like, ->(file_name) { where(arel_table[:file_name].matches(file_name)) }

app/presenters/packages/helm/index_presenter.rb

+# frozen_string_literal: true
+
+module Packages
+  module Helm
+    class IndexPresenter
+      include API::Helpers::RelatedResourcesHelpers
+
+      API_VERSION = 'v1'
+      CHANNEL = 'channel'
+      INDEX_YAML_SUFFIX = "/#{CHANNEL}/index.yaml"
+
+      def initialize(project, project_id_param, package_files)
+        @project = project
+        @project_id_param = project_id_param
+        @package_files = package_files
+      end
+
+      def api_version
+        API_VERSION
+      end
+
+      def entries
+        files = @package_files.preload_helm_file_metadata
+        result = Hash.new { |h, k| h[k] = [] }
+
+        files.find_each do |package_file|
+          name = package_file.helm_metadata['name']
+          result[name] << package_file.helm_metadata.merge({
+            'created' => package_file.created_at.utc.strftime('%Y-%m-%dT%H:%M:%S.%NZ'),
+            'digest' => package_file.file_sha256,
+            'urls' => ["charts/#{package_file.file_name}"]
+          })
+        end
+
+        result
+      end
+
+      def generated
+        Time.zone.now.utc.strftime('%Y-%m-%dT%H:%M:%S.%NZ')
+      end
+
+      def server_info
+        path = api_v4_projects_packages_helm_index_yaml_path(
+          id: ERB::Util.url_encode(@project_id_param),
+          channel: CHANNEL
+        )
+        {
+          'contextPath' => expose_url(path.delete_suffix(INDEX_YAML_SUFFIX))
+        }
+      end
+    end
+  end
+end

lib/api/entities/helm/index.rb

+# frozen_string_literal: true
+
+module API
+  module Entities
+    module Helm
+      class Index < Grape::Entity
+        expose :api_version, as: :apiVersion
+        expose :entries
+        expose :generated
+        expose :server_info, as: :serverInfo
+      end
+    end
+  end
+end

lib/api/helm_packages.rb

@@ -15,6 +15,9 @@ module API
     }.freeze
 
     content_type :binary, 'application/octet-stream'
+    content_type :yaml, 'text/yaml'
+
+    formatter :yaml, -> (object, _) { object.serializable_hash.stringify_keys.to_yaml }
 
     authenticate_with do |accept|
       accept.token_types(:personal_access_token, :deploy_token, :job_token)
@@ -34,6 +37,28 @@ module API
     end
     resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
       namespace ':id/packages/helm' do
+        desc 'Download a chart index' do
+          detail 'This feature was introduced in GitLab 14.0'
+        end
+        params do
+          requires :channel, type: String, desc: 'Helm channel', regexp: Gitlab::Regex.helm_channel_regex
+        end
+
+        get ":channel/index.yaml" do
+          authorize_read_package!(authorized_user_project)
+
+          package_files = Packages::Helm::PackageFilesFinder.new(
+            authorized_user_project,
+            params[:channel],
+            order_by: 'created_at',
+            sort: 'desc'
+          ).execute
+
+          env['api.format'] = :yaml
+          present ::Packages::Helm::IndexPresenter.new(authorized_user_project, params[:id], package_files),
+                      with: ::API::Entities::Helm::Index
+        end
+
         desc 'Download a chart' do
           detail 'This feature was introduced in GitLab 14.0'
         end

spec/factories/packages/helm/file_metadatum.rb

@@ -3,7 +3,7 @@
 FactoryBot.define do
   factory :helm_file_metadatum, class: 'Packages::Helm::FileMetadatum' do
     package_file { association(:helm_package_file, without_loaded_metadatum: true) }
-    channel { 'stable' }
+    sequence(:channel) { |n| "#{FFaker::Lorem.word}-#{n}" }
     metadata { { 'name': package_file.package.name, 'version': package_file.package.version, 'apiVersion': 'v2' } }
   end
 end

spec/factories/packages/package_file.rb

@@ -205,6 +205,7 @@ FactoryBot.define do
       package { association(:helm_package, without_package_files: true) }
       file_name { "#{package.name}-#{package.version}.tgz" }
       file_fixture { "spec/fixtures/packages/helm/rook-ceph-v1.5.8.tgz" }
+      file_sha256 { 'fd2b2fa0329e80a2a602c2bb3b40608bcd6ee5cf96cf46fd0d2800a4c129c9db' }
 
       transient do
         without_loaded_metadatum { false }

spec/requests/api/helm_packages_spec.rb

@@ -9,13 +9,16 @@ RSpec.describe API::HelmPackages do
   let_it_be_with_reload(:project) { create(:project, :public) }
   let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
   let_it_be(:project_deploy_token) { create(:project_deploy_token, deploy_token: deploy_token, project: project) }
+  let_it_be(:package) { create(:helm_package, project: project) }
 
-  describe 'GET /api/v4/projects/:id/packages/helm/:channel/charts/:file_name.tgz' do
-    let_it_be(:package) { create(:helm_package, project: project) }
-
-    let(:channel) { package.package_files.first.helm_channel }
+  describe 'GET /api/v4/projects/:id/packages/helm/:channel/index.yaml' do
+    it_behaves_like 'handling helm chart index requests' do
+      let(:url) { "/projects/#{project.id}/packages/helm/#{package.package_files.first.helm_channel}/index.yaml" }
+    end
+  end
 
-    let(:url) { "/projects/#{project.id}/packages/helm/#{channel}/charts/#{package.name}-#{package.version}.tgz" }
+  describe 'GET /api/v4/projects/:id/packages/helm/:channel/charts/:file_name.tgz' do
+    let(:url) { "/projects/#{project.id}/packages/helm/#{package.package_files.first.helm_channel}/charts/#{package.name}-#{package.version}.tgz" }
 
     subject { get api(url) }
 

spec/support/shared_examples/requests/api/helm_packages_shared_examples.rb

@@ -18,6 +18,37 @@ RSpec.shared_examples 'rejects helm packages access' do |user_type, status, add_
   end
 end
 
+RSpec.shared_examples 'process helm service index request' do |user_type, status, add_member = true|
+  context "for user type #{user_type}" do
+    before do
+      project.send("add_#{user_type}", user) if add_member && user_type != :anonymous
+    end
+
+    it_behaves_like 'returning response status', status
+
+    it 'returns a valid YAML response', :aggregate_failures do
+      subject
+
+      expect(response.media_type).to eq('text/yaml')
+      expect(response.body).to start_with("---\napiVersion: v1\nentries:\n")
+
+      yaml_response = YAML.safe_load(response.body)
+
+      expect(yaml_response.keys).to contain_exactly('apiVersion', 'entries', 'generated', 'serverInfo')
+      expect(yaml_response['entries']).to be_a(Hash)
+      expect(yaml_response['entries'].keys).to contain_exactly(package.name)
+      expect(yaml_response['serverInfo']).to eq({ 'contextPath' => "http://localhost/api/v4/projects/#{project.id}/packages/helm" })
+
+      package_entry = yaml_response['entries'][package.name]
+
+      expect(package_entry.length).to eq(1)
+      expect(package_entry.first.keys).to contain_exactly('name', 'version', 'apiVersion', 'created', 'digest', 'urls')
+      expect(package_entry.first['digest']).to eq('fd2b2fa0329e80a2a602c2bb3b40608bcd6ee5cf96cf46fd0d2800a4c129c9db')
+      expect(package_entry.first['urls']).to eq(["charts/#{package.name}-#{package.version}.tgz"])
+    end
+  end
+end
+
 RSpec.shared_examples 'process helm download content request' do |user_type, status, add_member = true|
   context "for user type #{user_type}" do
     before do
@@ -51,3 +82,89 @@ RSpec.shared_examples 'rejects helm access with unknown project id' do
     end
   end
 end
+
+RSpec.shared_examples 'handling helm chart index requests' do |anonymous_requests_example_name: 'process helm service index request', anonymous_requests_status: :success|
+  context 'with valid project' do
+    using RSpec::Parameterized::TableSyntax
+
+    context 'personal token' do
+      where(:visibility, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
+        :public  | :developer  | true  | true  | 'process helm service index request' | :success
+        :public  | :guest      | true  | true  | 'process helm service index request' | :success
+        :public  | :developer  | true  | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :guest      | true  | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :developer  | false | true  | 'process helm service index request' | :success
+        :public  | :guest      | false | true  | 'process helm service index request' | :success
+        :public  | :developer  | false | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :guest      | false | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :anonymous  | false | true  | anonymous_requests_example_name      | anonymous_requests_status
+        :private | :developer  | true  | true  | 'process helm service index request' | :success
+        :private | :guest      | true  | true  | 'rejects helm packages access'       | :forbidden
+        :private | :developer  | true  | false | 'rejects helm packages access'       | :unauthorized
+        :private | :guest      | true  | false | 'rejects helm packages access'       | :unauthorized
+        :private | :developer  | false | true  | 'rejects helm packages access'       | :not_found
+        :private | :guest      | false | true  | 'rejects helm packages access'       | :not_found
+        :private | :developer  | false | false | 'rejects helm packages access'       | :unauthorized
+        :private | :guest      | false | false | 'rejects helm packages access'       | :unauthorized
+        :private | :anonymous  | false | true  | 'rejects helm packages access'       | :unauthorized
+      end
+
+      with_them do
+        let(:token) { user_token ? personal_access_token.token : 'wrong' }
+        let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, token) }
+
+        subject { get api(url), headers: headers }
+
+        before do
+          project.update!(visibility: visibility.to_s)
+        end
+
+        it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+      end
+    end
+
+    context 'with job token' do
+      where(:visibility, :user_role, :member, :user_token, :shared_examples_name, :expected_status) do
+        :public  | :developer  | true  | true  | 'process helm service index request' | :success
+        :public  | :guest      | true  | true  | 'process helm service index request' | :success
+        :public  | :developer  | true  | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :guest      | true  | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :developer  | false | true  | 'process helm service index request' | :success
+        :public  | :guest      | false | true  | 'process helm service index request' | :success
+        :public  | :developer  | false | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :guest      | false | false | 'rejects helm packages access'       | :unauthorized
+        :public  | :anonymous  | false | true  | anonymous_requests_example_name      | anonymous_requests_status
+        :private | :developer  | true  | true  | 'process helm service index request' | :success
+        :private | :guest      | true  | true  | 'rejects helm packages access'       | :forbidden
+        :private | :developer  | true  | false | 'rejects helm packages access'       | :unauthorized
+        :private | :guest      | true  | false | 'rejects helm packages access'       | :unauthorized
+        :private | :developer  | false | true  | 'rejects helm packages access'       | :not_found
+        :private | :guest      | false | true  | 'rejects helm packages access'       | :not_found
+        :private | :developer  | false | false | 'rejects helm packages access'       | :unauthorized
+        :private | :guest      | false | false | 'rejects helm packages access'       | :unauthorized
+        :private | :anonymous  | false | true  | 'rejects helm packages access'       | :unauthorized
+      end
+
+      with_them do
+        let_it_be(:ci_build) { create(:ci_build, project: project, user: user, status: :running) }
+
+        let(:job) { user_token ? ci_build : double(token: 'wrong') }
+        let(:headers) { user_role == :anonymous ? {} : job_basic_auth_header(job) }
+
+        subject { get api(url), headers: headers }
+
+        before do
+          project.update!(visibility: visibility.to_s)
+        end
+
+        it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+      end
+    end
+  end
+
+  it_behaves_like 'deploy token for package GET requests'
+
+  it_behaves_like 'rejects helm access with unknown project id' do
+    subject { get api(url) }
+  end
+end