# frozen_string_literal: true module API class NpmProjectPackages < ::API::Base ERROR_REASON_TO_HTTP_STATUS_MAPPTING = { ::Packages::Npm::CreatePackageService::ERROR_REASON_INVALID_PARAMETER => 400, ::Packages::Npm::CreatePackageService::ERROR_REASON_PACKAGE_EXISTS => 403, ::Packages::Npm::CreatePackageService::ERROR_REASON_PACKAGE_LEASE_TAKEN => 400, ::Packages::Npm::CreatePackageService::ERROR_REASON_PACKAGE_PROTECTED => 403, ::Packages::Npm::CreatePackageService::ERROR_REASON_UNAUTHORIZED => 403 }.freeze helpers ::API::Helpers::Packages::Npm helpers ::API::Helpers::Packages::DependencyProxyHelpers feature_category :package_registry urgency :low rescue_from ActiveRecord::RecordInvalid do |e| render_structured_api_error!({ message: e.message, error: e.message }, 400) end helpers do include Gitlab::Utils::StrongMemoize def error_reason_to_http_status(reason) ERROR_REASON_TO_HTTP_STATUS_MAPPTING.fetch(reason, 400) end def metadata_cache ::Packages::Npm::MetadataCache .find_by_package_name_and_project_id(params[:package_name], project.id) end strong_memoize_attr :metadata_cache def project user_project(action: :read_package) end def project_id_or_nil params[:id] end end params do requires :id, types: [String, Integer], desc: 'The ID or URL-encoded path of the project' end namespace 'projects/:id/packages/npm' do include ::API::Concerns::Packages::NpmEndpoints desc 'Download the NPM tarball' do detail 'This feature was introduced in GitLab 11.8' success code: 200 failure [ { code: 403, message: 'Forbidden' }, { code: 404, message: 'Not Found' } ] tags %w[npm_packages] end params do requires :package_name, type: String, desc: 'Package name' requires :file_name, type: String, desc: 'Package file name' end route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true route_setting :authorization, job_token_policies: :read_packages, allow_public_access_for_enabled_project_features: :package_registry get '*package_name/-/*file_name', format: false do authorize_read_package!(project) package = ::Packages::Npm::Package .for_projects(project) .by_name_and_file_name(params[:package_name], params[:file_name]) not_found!('Package') unless package package_file = ::Packages::PackageFileFinder .new(package, params[:file_name]).execute! track_package_event('pull_package', :npm, category: 'API::NpmPackages', project: project, namespace: project.namespace) present_package_file!(package_file) end desc 'Create or deprecate NPM package' do detail 'Create was introduced in GitLab 11.8 & deprecate suppport was added in 16.0' success code: 200 failure [ { code: 400, message: 'Bad Request' }, { code: 401, message: 'Unauthorized' }, { code: 403, message: 'Forbidden' }, { code: 404, message: 'Not Found' } ] tags %w[npm_packages] end params do requires :package_name, type: String, desc: 'Package name' requires :versions, type: Hash, desc: 'Package version info' end route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true route_setting :authorization, job_token_policies: :admin_packages put ':package_name', requirements: ::API::Helpers::Packages::Npm::NPM_ENDPOINT_REQUIREMENTS do if headers['Npm-Command'] == 'deprecate' authorize_destroy_package!(project) response = ::Packages::Npm::EnqueueDeprecatePackageWorkerService.new(project, nil, declared(params).to_hash).execute if response.error? && response.reason == :no_versions_to_deprecate bad_request_missing_attribute!('package versions to deprecate') end else authorize_create_package!(project) service_response = ::Packages::Npm::CreatePackageService .new(project, current_user, params.merge(build: current_authenticated_job)).execute if service_response.error? render_structured_api_error!({ message: service_response.message, error: service_response.message }, error_reason_to_http_status(service_response.reason)) end track_package_event('push_package', :npm, category: 'API::NpmPackages', project: project, namespace: project.namespace) service_response[:package] end end # Caution: This is a globbing wildcard for GET requests # Do not put other GET routes below this one desc 'NPM registry metadata endpoint' do detail 'This feature was introduced in GitLab 11.8' success [ { code: 200, model: ::API::Entities::NpmPackage, message: 'Ok' }, { code: 302, message: 'Found (redirect)' } ] failure [ { code: 400, message: 'Bad Request' }, { code: 401, message: 'Unauthorized' }, { code: 403, message: 'Forbidden' }, { code: 404, message: 'Not Found' } ] tags %w[npm_packages] end params do use :package_name end route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true, authenticate_non_public: true route_setting :authorization, job_token_policies: :read_packages, allow_public_access_for_enabled_project_features: :package_registry get '*package_name', format: false, requirements: ::API::Helpers::Packages::Npm::NPM_ENDPOINT_REQUIREMENTS do package_name = declared_params[:package_name] packages = ::Packages::Npm::PackageFinder.new(project: project_or_nil, params: { package_name: package_name }).execute # In order to redirect a request, packages should not exist (without taking the user into account). redirect_request = project_or_nil.blank? || packages.empty? redirect_registry_request( forward_to_registry: redirect_request, package_type: :npm, target: project_or_nil, package_name: package_name ) do authorize_read_package!(project) not_found!('Packages') if packages.empty? if metadata_cache&.file&.exists? metadata_cache.touch_last_downloaded_at present_carrierwave_file!(metadata_cache.file) break end enqueue_sync_metadata_cache_worker(project, package_name) metadata = generate_metadata_service(packages).execute.payload present metadata, with: ::API::Entities::NpmPackage end end end end end