pypi_packages.rb 4.55 KB
Newer Older
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
1 2 3 4 5 6 7 8
# frozen_string_literal: true

# PyPI Package Manager Client API
#
# These API endpoints are not meant to be consumed directly by users. They are
# called by the PyPI package manager client when users run commands
# like `pip install` or `twine upload`.
module API
Stan Hu's avatar
Stan Hu committed
9
  class PypiPackages < Grape::API::Instance
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
10 11 12 13 14 15 16 17 18 19 20
    helpers ::API::Helpers::PackagesManagerClientsHelpers
    helpers ::API::Helpers::RelatedResourcesHelpers
    helpers ::API::Helpers::Packages::BasicAuthHelpers
    include ::API::Helpers::Packages::BasicAuthHelpers::Constants

    default_format :json

    rescue_from ArgumentError do |e|
      render_api_error!(e.message, 400)
    end

Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
21 22 23 24
    rescue_from ActiveRecord::RecordInvalid do |e|
      render_api_error!(e.message, 400)
    end

25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
    rescue_from ActiveRecord::RecordInvalid do |e|
      render_api_error!(e.message, 400)
    end

    helpers do
      def packages_finder(project = authorized_user_project)
        project
          .packages
          .pypi
          .has_version
          .processed
      end

      def find_package_versions
        packages = packages_finder
          .with_name(params[:package_name])

        not_found!('Package') if packages.empty?

        packages
      end
    end

Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
48 49 50 51 52 53 54 55 56 57
    before do
      require_packages_enabled!
    end

    params do
      requires :id, type: Integer, desc: 'The ID of a project'
    end

    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
      before do
58
        authorize_packages_feature!(unauthorized_user_project!)
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
59 60 61 62 63 64 65 66
      end

      namespace ':id/packages/pypi' do
        desc 'The PyPi package download endpoint' do
          detail 'This feature was introduced in GitLab 12.10'
        end

        params do
67
          requires :file_identifier, type: String, desc: 'The PyPi package file identifier', file_path: true
68
          requires :sha256, type: String, desc: 'The PyPi package sha256 check sum'
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
69 70
        end

71
        route_setting :authentication, deploy_token_allowed: true
72
        get 'files/:sha256/*file_identifier' do
73
          project = unauthorized_user_project!
74 75 76 77 78 79

          filename = "#{params[:file_identifier]}.#{params[:format]}"
          package = packages_finder(project).by_file_name_and_sha256(filename, params[:sha256])
          package_file = ::Packages::PackageFileFinder.new(package, filename, with_file_name_like: false).execute

          present_carrierwave_file!(package_file.file, supports_direct_download: true)
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
80 81 82 83 84 85 86
        end

        desc 'The PyPi Simple Endpoint' do
          detail 'This feature was introduced in GitLab 12.10'
        end

        params do
87
          requires :package_name, type: String, file_path: true, desc: 'The PyPi package name'
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
88 89
        end

90 91
        # An Api entry point but returns an HTML file instead of JSON.
        # PyPi simple API returns the package descriptor as a simple HTML file.
92
        route_setting :authentication, deploy_token_allowed: true
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
93 94
        get 'simple/*package_name', format: :txt do
          authorize_read_package!(authorized_user_project)
95 96 97 98 99 100 101 102 103 104

          packages = find_package_versions
          presenter = ::Packages::Pypi::PackagePresenter.new(packages, authorized_user_project)

          # Adjusts grape output format
          # to be HTML
          content_type "text/html; charset=utf-8"
          env['api.format'] = :binary

          body presenter.body
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
105 106 107 108 109 110 111
        end

        desc 'The PyPi Package upload endpoint' do
          detail 'This feature was introduced in GitLab 12.10'
        end

        params do
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
112 113 114 115 116 117
          requires :content, type: ::API::Validations::Types::WorkhorseFile, desc: 'The package file to be published (generated by Multipart middleware)'
          requires :requires_python, type: String
          requires :name, type: String
          requires :version, type: String
          optional :md5_digest, type: String
          optional :sha256_digest, type: String
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
118 119
        end

120
        route_setting :authentication, deploy_token_allowed: true
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
121 122 123
        post do
          authorize_upload!(authorized_user_project)

Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
124 125 126 127
          ::Packages::Pypi::CreatePackageService
            .new(authorized_user_project, current_user, declared_params)
            .execute

Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
128 129 130 131 132 133 134
          created!
        rescue ObjectStorage::RemoteStoreError => e
          Gitlab::ErrorTracking.track_exception(e, extra: { file_name: params[:name], project_id: authorized_user_project.id })

          forbidden!
        end

135
        route_setting :authentication, deploy_token_allowed: true
Giorgenes Gelatti's avatar
Giorgenes Gelatti committed
136 137 138 139 140 141 142
        post 'authorize' do
          authorize_workhorse!(subject: authorized_user_project, has_length: false)
        end
      end
    end
  end
end