Rubygems dependencies endpoint

Adds rubygems dependency resolver service and route to return dependencies for requested gems.

Rubygems dependencies endpoint
Adds rubygems dependency resolver service and route to return dependencies for requested gems.
914dd34b · Steve Abrams · Michael Kozono · 6f95667d · 914dd34b · 914dd34b
Commit 914dd34b authored Mar 11, 2021 by Steve Abrams Committed by Michael Kozono Mar 11, 2021
6 changed files
--- a/app/services/packages/rubygems/dependency_resolver_service.rb
+++ b/app/services/packages/rubygems/dependency_resolver_service.rb
+# frozen_string_literal: true
+
+module Packages
+  module Rubygems
+    class DependencyResolverService < BaseService
+      include Gitlab::Utils::StrongMemoize
+
+      DEFAULT_PLATFORM = 'ruby'
+
+      def execute
+        return ServiceResponse.error(message: "forbidden", http_status: :forbidden) unless Ability.allowed?(current_user, :read_package, project)
+        return ServiceResponse.error(message: "#{gem_name} not found", http_status: :not_found) if packages.empty?
+
+        payload = packages.map do |package|
+          dependencies = package.dependency_links.map do |link|
+            [link.dependency.name, link.dependency.version_pattern]
+          end
+
+          {
+            name: gem_name,
+            number: package.version,
+            platform: DEFAULT_PLATFORM,
+            dependencies: dependencies
+          }
+        end
+
+        ServiceResponse.success(payload: payload)
+      end
+
+      private
+
+      def packages
+        strong_memoize(:packages) do
+          project.packages.with_name(gem_name)
+        end
+      end
+
+      def gem_name
+        params[:gem_name]
+      end
+    end
+  end
+end
--- a/lib/api/rubygem_packages.rb
+++ b/lib/api/rubygem_packages.rb
@@ -26,7 +26,7 @@ module API

    before do
      require_packages_enabled!
-      authenticate!
+      authenticate_non_get!
      not_found! unless Feature.enabled?(:rubygem_packages, user_project)
    end

@@ -118,11 +118,24 @@ module API
            detail 'This feature was introduced in GitLab 13.9'
          end
          params do
-            optional :gems, type: String, desc: 'Comma delimited gem names'
+            optional :gems, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'Comma delimited gem names'
          end
          get 'dependencies' do
-            # To be implemented in https://gitlab.com/gitlab-org/gitlab/-/issues/299282
-            not_found!
+            authorize_read_package!
+
+            if params[:gems].blank?
+              status :ok
+            else
+              results = params[:gems].map do |gem_name|
+                service_result = Packages::Rubygems::DependencyResolverService.new(user_project, current_user, gem_name: gem_name).execute
+                render_api_error!(service_result.message, service_result.http_status) if service_result.error?
+
+                service_result.payload
+              end
+
+              content_type 'application/octet-stream'
+              Marshal.dump(results.flatten)
+            end
          end
        end
      end

--- a/spec/factories/packages.rb
+++ b/spec/factories/packages.rb
@@ -277,6 +277,10 @@ FactoryBot.define do
  factory :packages_dependency, class: 'Packages::Dependency' do
    sequence(:name) { |n| "@test/package-#{n}"}
    sequence(:version_pattern) { |n| "~6.2.#{n}" }
+
+    trait(:rubygems) do
+      sequence(:name) { |n| "gem-dependency-#{n}"}
+    end
  end

  factory :packages_dependency_link, class: 'Packages::DependencyLink' do
@@ -289,6 +293,11 @@ FactoryBot.define do
        link.nuget_metadatum = build(:nuget_dependency_link_metadatum)
      end
    end
+
+    trait(:rubygems) do
+      package { association(:rubygems_package) }
+      dependency { association(:packages_dependency, :rubygems) }
+    end
  end

  factory :nuget_dependency_link_metadatum, class: 'Packages::Nuget::DependencyLinkMetadatum' do

--- a/spec/requests/api/rubygem_packages_spec.rb
+++ b/spec/requests/api/rubygem_packages_spec.rb
@@ -44,7 +44,7 @@ RSpec.describe API::RubygemPackages do
  end

  shared_examples 'without authentication' do
-    it_behaves_like 'returning response status', :unauthorized
+    it_behaves_like 'returning response status', :not_found
  end

  shared_examples 'with authentication' do
@@ -276,10 +276,65 @@ RSpec.describe API::RubygemPackages do
  end

  describe 'GET /api/v4/projects/:project_id/packages/rubygems/api/v1/dependencies' do
+    let_it_be(:package) { create(:rubygems_package, project: project) }
+
    let(:url) { api("/projects/#{project.id}/packages/rubygems/api/v1/dependencies") }

-    subject { get(url, headers: headers) }
+    subject { get(url, headers: headers, params: params) }

-    it_behaves_like 'an unimplemented route'
+    context 'with valid project' do
+      where(:visibility, :user_role, :member, :token_type, :valid_token, :shared_examples_name, :expected_status) do
+        :public  | :developer  | true  | :personal_access_token | true  | 'dependency endpoint success'      | :success
+        :public  | :guest      | true  | :personal_access_token | true  | 'dependency endpoint success'      | :success
+        :public  | :developer  | true  | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :guest      | true  | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :developer  | false | :personal_access_token | true  | 'dependency endpoint success'      | :success
+        :public  | :guest      | false | :personal_access_token | true  | 'dependency endpoint success'      | :success
+        :public  | :developer  | false | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :guest      | false | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :anonymous  | false | :personal_access_token | true  | 'dependency endpoint success'      | :success
+        :private | :developer  | true  | :personal_access_token | true  | 'dependency endpoint success'      | :success
+        :private | :guest      | true  | :personal_access_token | true  | 'rejects rubygems packages access' | :forbidden
+        :private | :developer  | true  | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :guest      | true  | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :developer  | false | :personal_access_token | true  | 'rejects rubygems packages access' | :not_found
+        :private | :guest      | false | :personal_access_token | true  | 'rejects rubygems packages access' | :not_found
+        :private | :developer  | false | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :guest      | false | :personal_access_token | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :anonymous  | false | :personal_access_token | true  | 'rejects rubygems packages access' | :not_found
+        :public  | :developer  | true  | :job_token             | true  | 'dependency endpoint success'      | :success
+        :public  | :guest      | true  | :job_token             | true  | 'dependency endpoint success'      | :success
+        :public  | :developer  | true  | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :guest      | true  | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :developer  | false | :job_token             | true  | 'dependency endpoint success'      | :success
+        :public  | :guest      | false | :job_token             | true  | 'dependency endpoint success'      | :success
+        :public  | :developer  | false | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :guest      | false | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :developer  | true  | :job_token             | true  | 'dependency endpoint success'      | :success
+        :private | :guest      | true  | :job_token             | true  | 'rejects rubygems packages access' | :forbidden
+        :private | :developer  | true  | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :guest      | true  | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :developer  | false | :job_token             | true  | 'rejects rubygems packages access' | :not_found
+        :private | :guest      | false | :job_token             | true  | 'rejects rubygems packages access' | :not_found
+        :private | :developer  | false | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :guest      | false | :job_token             | false | 'rejects rubygems packages access' | :unauthorized
+        :public  | :developer  | true  | :deploy_token          | true  | 'dependency endpoint success'      | :success
+        :public  | :developer  | true  | :deploy_token          | false | 'rejects rubygems packages access' | :unauthorized
+        :private | :developer  | true  | :deploy_token          | true  | 'dependency endpoint success'      | :success
+        :private | :developer  | true  | :deploy_token          | false | 'rejects rubygems packages access' | :unauthorized
+      end
+
+      with_them do
+        let(:token) { valid_token ? tokens[token_type] : 'invalid-token123' }
+        let(:headers) { user_role == :anonymous ? {} : { 'HTTP_AUTHORIZATION' => token } }
+        let(:params) { {} }
+
+        before do
+          project.update!(visibility: visibility.to_s)
+        end
+
+        it_behaves_like params[:shared_examples_name], params[:user_role], params[:expected_status], params[:member]
+      end
+    end
  end
 end
--- a/spec/services/packages/rubygems/dependency_resolver_service_spec.rb
+++ b/spec/services/packages/rubygems/dependency_resolver_service_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+
+RSpec.describe Packages::Rubygems::DependencyResolverService do
+  let_it_be(:project) { create(:project, :private) }
+  let_it_be(:package) { create(:package, project: project) }
+  let_it_be(:user) { create(:user) }
+  let(:gem_name) { package.name }
+  let(:service) { described_class.new(project, user, gem_name: gem_name) }
+
+  describe '#execute' do
+    subject { service.execute }
+
+    context 'user without access' do
+      it 'returns a service error' do
+        expect(subject.error?).to be(true)
+        expect(subject.message).to eq('forbidden')
+      end
+    end
+
+    context 'user with access' do
+      before do
+        project.add_developer(user)
+      end
+
+      context 'when no package is found' do
+        let(:gem_name) { nil }
+
+        it 'returns a service error', :aggregate_failures do
+          expect(subject.error?).to be(true)
+          expect(subject.message).to eq("#{gem_name} not found")
+        end
+      end
+
+      context 'package without dependencies' do
+        it 'returns an empty dependencies array' do
+          expected_result = [{
+            name: package.name,
+            number: package.version,
+            platform: described_class::DEFAULT_PLATFORM,
+            dependencies: []
+          }]
+
+          expect(subject.payload).to eq(expected_result)
+        end
+      end
+
+      context 'package with dependencies' do
+        let(:dependency_link) { create(:packages_dependency_link, :rubygems, package: package)}
+        let(:dependency_link2) { create(:packages_dependency_link, :rubygems, package: package)}
+        let(:dependency_link3) { create(:packages_dependency_link, :rubygems, package: package)}
+
+        it 'returns a set of dependencies' do
+          expected_result = [{
+            name: package.name,
+            number: package.version,
+            platform: described_class::DEFAULT_PLATFORM,
+            dependencies: [
+              [dependency_link.dependency.name, dependency_link.dependency.version_pattern],
+              [dependency_link2.dependency.name, dependency_link2.dependency.version_pattern],
+              [dependency_link3.dependency.name, dependency_link3.dependency.version_pattern]
+            ]
+          }]
+
+          expect(subject.payload).to eq(expected_result)
+        end
+      end
+
+      context 'package with multiple versions' do
+        let(:dependency_link) { create(:packages_dependency_link, :rubygems, package: package)}
+        let(:dependency_link2) { create(:packages_dependency_link, :rubygems, package: package)}
+        let(:dependency_link3) { create(:packages_dependency_link, :rubygems, package: package)}
+        let(:package2) { create(:package, project: project, name: package.name, version: '9.9.9') }
+        let(:dependency_link4) { create(:packages_dependency_link, :rubygems, package: package2)}
+
+        it 'returns a set of dependencies' do
+          expected_result = [{
+            name: package.name,
+            number: package.version,
+            platform: described_class::DEFAULT_PLATFORM,
+            dependencies: [
+              [dependency_link.dependency.name, dependency_link.dependency.version_pattern],
+              [dependency_link2.dependency.name, dependency_link2.dependency.version_pattern],
+              [dependency_link3.dependency.name, dependency_link3.dependency.version_pattern]
+            ]
+          }, {
+            name: package2.name,
+            number: package2.version,
+            platform: described_class::DEFAULT_PLATFORM,
+            dependencies: [
+              [dependency_link4.dependency.name, dependency_link4.dependency.version_pattern]
+            ]
+          }]
+
+          expect(subject.payload).to eq(expected_result)
+        end
+      end
+    end
+  end
+end
--- a/spec/support/shared_examples/requests/api/rubygems_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/rubygems_packages_shared_examples.rb
@@ -128,3 +128,50 @@ RSpec.shared_examples 'process rubygems upload' do |user_type, status, add_membe
    end
  end
 end
+
+RSpec.shared_examples 'dependency endpoint success' do |user_type, status, add_member = true|
+  context "for user type #{user_type}" do
+    before do
+      project.send("add_#{user_type}", user) if add_member && user_type != :anonymous
+    end
+
+    raise 'Status is not :success' if status != :success
+
+    context 'with no params', :aggregate_failures do
+      it 'returns empty' do
+        subject
+
+        expect(response.body).to eq('200')
+        expect(response).to have_gitlab_http_status(status)
+      end
+    end
+
+    context 'with gems params' do
+      let(:params) { { gems: 'foo,bar' } }
+      let(:expected_response) { Marshal.dump(%w(result result)) }
+
+      it 'returns successfully', :aggregate_failures do
+        service_result = double('DependencyResolverService', execute: ServiceResponse.success(payload: 'result'))
+
+        expect(Packages::Rubygems::DependencyResolverService).to receive(:new).with(project, anything, gem_name: 'foo').and_return(service_result)
+        expect(Packages::Rubygems::DependencyResolverService).to receive(:new).with(project, anything, gem_name: 'bar').and_return(service_result)
+
+        subject
+
+        expect(response.body).to eq(expected_response) # rubocop:disable Security/MarshalLoad
+        expect(response).to have_gitlab_http_status(status)
+      end
+
+      it 'rejects if the service fails', :aggregate_failures do
+        service_result = double('DependencyResolverService', execute: ServiceResponse.error(message: 'rejected', http_status: :bad_request))
+
+        expect(Packages::Rubygems::DependencyResolverService).to receive(:new).with(project, anything, gem_name: 'foo').and_return(service_result)
+
+        subject
+
+        expect(response.body).to match(/rejected/)
+        expect(response).to have_gitlab_http_status(:bad_request)
+      end
+    end
+  end
+end