Merge branch '325869-improve-maven-packages-group-level-api' into 'master'

Improvements to the Maven API files endpoints [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!57600

Merge branch '325869-improve-maven-packages-group-level-api' into 'master'
Improvements to the Maven API files endpoints [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!57600
02ef45a2 · Heinrich Lee Yu · 743959dd · 5fcc203d · 02ef45a2 · 02ef45a2
Commit 02ef45a2 authored Mar 30, 2021 by Heinrich Lee Yu
7 changed files
--- a/app/finders/packages/maven/package_finder.rb
+++ b/app/finders/packages/maven/package_finder.rb
@@ -3,13 +3,15 @@
 module Packages
  module Maven
    class PackageFinder
-      attr_reader :path, :current_user, :project, :group
+      include ::Packages::FinderHelper
+      include Gitlab::Utils::StrongMemoize
-      def initialize(path, current_user, project: nil, group: nil)
+      def initialize(path, current_user, project: nil, group: nil, order_by_package_file: false)
        @path = path
        @current_user = current_user
        @project = project
        @group = group
+        @order_by_package_file = order_by_package_file
      end
      def execute
@@ -23,9 +25,9 @@ module Packages
      private
      def base
-        if project
+        if @project
          packages_for_a_single_project
-        elsif group
+        elsif @group
          packages_for_multiple_projects
        else
          ::Packages::Package.none
@@ -33,8 +35,13 @@ module Packages
      end
      def packages_with_path
-        matching_packages = base.only_maven_packages_with_path(path, use_cte: group.present?)
+        matching_packages = base.only_maven_packages_with_path(@path, use_cte: @group.present?)
-        matching_packages = matching_packages.order_by_package_file if versionless_package?(matching_packages)
+        if group_level_improvements?
+          matching_packages = matching_packages.order_by_package_file if @order_by_package_file
+        else
+          matching_packages = matching_packages.order_by_package_file if versionless_package?(matching_packages)
+        end
        matching_packages
      end
@@ -48,19 +55,29 @@ module Packages
      # Produces a query that retrieves packages from a single project.
      def packages_for_a_single_project
-        project.packages
+        @project.packages
      end
      # Produces a query that retrieves packages from multiple projects that
      # the current user can view within a group.
      def packages_for_multiple_projects
-        ::Packages::Package.for_projects(projects_visible_to_current_user)
+        if group_level_improvements?
+          packages_visible_to_user(@current_user, within_group: @group)
+        else
+          ::Packages::Package.for_projects(projects_visible_to_current_user)
+        end
      end
      # Returns the projects that the current user can view within a group.
      def projects_visible_to_current_user
-        group.all_projects
+        @group.all_projects
-             .public_or_visible_to_user(current_user)
+              .public_or_visible_to_user(@current_user)
+      end
+      def group_level_improvements?
+        strong_memoize(:group_level_improvements) do
+          Feature.enabled?(:maven_packages_group_level_improvements)
+        end
      end
    end
  end

--- a/app/models/packages/package.rb
+++ b/app/models/packages/package.rb
@@ -136,7 +136,9 @@ class Packages::Package < ApplicationRecord
  after_commit :update_composer_cache, on: :destroy, if: -> { composer? }
  def self.for_projects(projects)
-    return none unless projects.any?
+    unless Feature.enabled?(:maven_packages_group_level_improvements)
+      return none unless projects.any?
+    end
    where(project_id: projects)
  end

--- a/config/feature_flags/development/maven_packages_group_level_improvements.yml
+++ b/config/feature_flags/development/maven_packages_group_level_improvements.yml
+---
+name: maven_packages_group_level_improvements
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/57600
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/326099
+milestone: '13.11'
+type: development
+group: group::package
+default_enabled: false
--- a/lib/api/maven_packages.rb
+++ b/lib/api/maven_packages.rb
@@ -77,6 +77,22 @@ module API
          request.head? &&
          file.fog_credentials[:provider] == 'AWS'
      end
+      def fetch_package(file_name:, project: nil, group: nil)
+        order_by_package_file = false
+        if Feature.enabled?(:maven_packages_group_level_improvements)
+          order_by_package_file = file_name.include?(::Packages::Maven::Metadata.filename) &&
+                                    !params[:path].include?(::Packages::Maven::FindOrCreatePackageService::SNAPSHOT_TERM)
+        end
+        ::Packages::Maven::PackageFinder.new(
+          params[:path],
+          current_user,
+          project: project,
+          group: group,
+          order_by_package_file: order_by_package_file
+        ).execute!
+      end
    end
    desc 'Download the maven package file at instance level' do
@@ -97,8 +113,7 @@ module API
      authorize_read_package!(project)
-      package = ::Packages::Maven::PackageFinder
+      package = fetch_package(file_name: file_name, project: project)
-        .new(params[:path], current_user, project: project).execute!
      package_file = ::Packages::PackageFileFinder
        .new(package, file_name).execute!
@@ -133,8 +148,7 @@ module API
        not_found!('Group') unless can?(current_user, :read_group, group)
-        package = ::Packages::Maven::PackageFinder
+        package = fetch_package(file_name: file_name, group: group)
-          .new(params[:path], current_user, group: group).execute!
        authorize_read_package!(package.project)
@@ -171,8 +185,7 @@ module API
        file_name, format = extract_format(params[:file_name])
-        package = ::Packages::Maven::PackageFinder
+        package = fetch_package(file_name: file_name, project: user_project)
-          .new(params[:path], current_user, project: user_project).execute!
        package_file = ::Packages::PackageFileFinder
          .new(package, file_name).execute!

--- a/spec/finders/packages/maven/package_finder_spec.rb
+++ b/spec/finders/packages/maven/package_finder_spec.rb
@@ -11,7 +11,8 @@ RSpec.describe ::Packages::Maven::PackageFinder do
  let(:param_path) { nil }
  let(:param_project) { nil }
  let(:param_group) { nil }
-  let(:finder) { described_class.new(param_path, user, project: param_project, group: param_group) }
+  let(:param_order_by_package_file) { false }
+  let(:finder) { described_class.new(param_path, user, project: param_project, group: param_group, order_by_package_file: param_order_by_package_file) }
  before do
    group.add_developer(user)
@@ -46,7 +47,23 @@ RSpec.describe ::Packages::Maven::PackageFinder do
      context 'within a group' do
        let(:param_group) { group }
-        it_behaves_like 'handling valid and invalid paths'
+        context 'with maven_packages_group_level_improvements enabled' do
+          before do
+            stub_feature_flags(maven_packages_group_level_improvements: true)
+            expect(finder).to receive(:packages_visible_to_user).with(user, within_group: group).and_call_original
+          end
+          it_behaves_like 'handling valid and invalid paths'
+        end
+        context 'with maven_packages_group_level_improvements disabled' do
+          before do
+            stub_feature_flags(maven_packages_group_level_improvements: false)
+            expect(finder).not_to receive(:packages_visible_to_user)
+          end
+          it_behaves_like 'handling valid and invalid paths'
+        end
      end
      context 'across all projects' do
@@ -76,7 +93,39 @@ RSpec.describe ::Packages::Maven::PackageFinder do
          create(:package_file, :xml, package: package2)
        end
-        it { is_expected.to eq(package2) }
+        context 'with maven_packages_group_level_improvements enabled' do
+          before do
+            stub_feature_flags(maven_packages_group_level_improvements: true)
+            expect(finder).not_to receive(:versionless_package?)
+          end
+          context 'without order by package file' do
+            it { is_expected.to eq(package3) }
+          end
+          context 'with order by package file' do
+            let(:param_order_by_package_file) { true }
+            it { is_expected.to eq(package2) }
+          end
+        end
+        context 'with maven_packages_group_level_improvements disabled' do
+          before do
+            stub_feature_flags(maven_packages_group_level_improvements: false)
+            expect(finder).to receive(:versionless_package?).and_call_original
+          end
+          context 'without order by package file' do
+            it { is_expected.to eq(package2) }
+          end
+          context 'with order by package file' do
+            let(:param_order_by_package_file) { true }
+            it { is_expected.to eq(package2) }
+          end
+        end
      end
    end
  end

--- a/spec/models/packages/package_spec.rb
+++ b/spec/models/packages/package_spec.rb
@@ -99,6 +99,34 @@ RSpec.describe Packages::Package, type: :model do
    end
  end
+  describe '.for_projects' do
+    let_it_be(:package1) { create(:maven_package) }
+    let_it_be(:package2) { create(:maven_package) }
+    let_it_be(:package3) { create(:maven_package) }
+    let(:projects) { ::Project.id_in([package1.project_id, package2.project_id]) }
+    subject { described_class.for_projects(projects.select(:id)) }
+    it 'returns package1 and package2' do
+      expect(projects).not_to receive(:any?)
+      expect(subject).to match_array([package1, package2])
+    end
+    context 'with maven_packages_group_level_improvements disabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: false)
+      end
+      it 'returns package1 and package2' do
+        expect(projects).to receive(:any?).and_call_original
+        expect(subject).to match_array([package1, package2])
+      end
+    end
+  end
  describe 'validations' do
    subject { build(:package) }

--- a/spec/requests/api/maven_packages_spec.rb
+++ b/spec/requests/api/maven_packages_spec.rb
@@ -147,118 +147,136 @@ RSpec.describe API::MavenPackages do
  end
  describe 'GET /api/v4/packages/maven/*path/:file_name' do
-    context 'a public project' do
+    shared_examples 'handling all conditions' do
-      subject { download_file(package_file.file_name) }
+      context 'a public project' do
+        subject { download_file(package_file.file_name) }
-      it_behaves_like 'tracking the file download event'
+        it_behaves_like 'tracking the file download event'
-      it 'returns the file' do
+        it 'returns the file' do
-        subject
+          subject
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('application/octet-stream')
+          expect(response.media_type).to eq('application/octet-stream')
-      end
+        end
-      it 'returns sha1 of the file' do
+        it 'returns sha1 of the file' do
-        download_file(package_file.file_name + '.sha1')
+          download_file(package_file.file_name + '.sha1')
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('text/plain')
+          expect(response.media_type).to eq('text/plain')
-        expect(response.body).to eq(package_file.file_sha1)
+          expect(response.body).to eq(package_file.file_sha1)
+        end
      end
-    end
-    context 'internal project' do
+      context 'internal project' do
-      before do
+        before do
-        project.team.truncate
+          project.team.truncate
-        project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+          project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
-      end
+        end
-      subject { download_file_with_token(package_file.file_name) }
+        subject { download_file_with_token(package_file.file_name) }
-      it_behaves_like 'tracking the file download event'
+        it_behaves_like 'tracking the file download event'
-      it 'returns the file' do
+        it 'returns the file' do
-        subject
+          subject
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('application/octet-stream')
+          expect(response.media_type).to eq('application/octet-stream')
-      end
+        end
-      it 'denies download when no private token' do
+        it 'denies download when no private token' do
-        download_file(package_file.file_name)
+          download_file(package_file.file_name)
-        expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
+        it_behaves_like 'downloads with a job token'
+        it_behaves_like 'downloads with a deploy token'
      end
-      it_behaves_like 'downloads with a job token'
+      context 'private project' do
+        subject { download_file_with_token(package_file.file_name) }
-      it_behaves_like 'downloads with a deploy token'
+        before do
-    end
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+        end
-    context 'private project' do
+        it_behaves_like 'tracking the file download event'
-      subject { download_file_with_token(package_file.file_name) }
-      before do
+        it 'returns the file' do
-        project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+          subject
-      end
-      it_behaves_like 'tracking the file download event'
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response.media_type).to eq('application/octet-stream')
+        end
-      it 'returns the file' do
+        it 'denies download when not enough permissions' do
-        subject
+          project.add_guest(user)
-        expect(response).to have_gitlab_http_status(:ok)
+          subject
-        expect(response.media_type).to eq('application/octet-stream')
-      end
-      it 'denies download when not enough permissions' do
+          expect(response).to have_gitlab_http_status(:forbidden)
-        project.add_guest(user)
+        end
-        subject
+        it 'denies download when no private token' do
+          download_file(package_file.file_name)
-        expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:forbidden)
-      end
+        end
-      it 'denies download when no private token' do
+        it_behaves_like 'downloads with a job token'
-        download_file(package_file.file_name)
-        expect(response).to have_gitlab_http_status(:forbidden)
+        it_behaves_like 'downloads with a deploy token'
-      end
-      it_behaves_like 'downloads with a job token'
+        it 'does not allow download by a unauthorized deploy token with same id as a user with access' do
+          unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true)
-      it_behaves_like 'downloads with a deploy token'
+          another_user = create(:user)
+          project.add_developer(another_user)
-      it 'does not allow download by a unauthorized deploy token with same id as a user with access' do
+          # We force the id of the deploy token and the user to be the same
-        unauthorized_deploy_token = create(:deploy_token, read_package_registry: true, write_package_registry: true)
+          unauthorized_deploy_token.update!(id: another_user.id)
-        another_user = create(:user)
+          download_file(
-        project.add_developer(another_user)
+            package_file.file_name,
+            {},
+            Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token
+          )
-        # We force the id of the deploy token and the user to be the same
+          expect(response).to have_gitlab_http_status(:forbidden)
-        unauthorized_deploy_token.update!(id: another_user.id)
+        end
+      end
-        download_file(
+      context 'project name is different from a package name' do
-          package_file.file_name,
+        before do
-          {},
+          maven_metadatum.update!(path: "wrong_name/#{package.version}")
-          Gitlab::Auth::AuthFinders::DEPLOY_TOKEN_HEADER => unauthorized_deploy_token.token
+        end
-        )
-        expect(response).to have_gitlab_http_status(:forbidden)
+        it 'rejects request' do
+          download_file(package_file.file_name)
+          expect(response).to have_gitlab_http_status(:forbidden)
+        end
      end
    end
-    context 'project name is different from a package name' do
+    context 'with maven_packages_group_level_improvements enabled' do
      before do
-        maven_metadatum.update!(path: "wrong_name/#{package.version}")
+        stub_feature_flags(maven_packages_group_level_improvements: true)
      end
-      it 'rejects request' do
+      it_behaves_like 'handling all conditions'
-        download_file(package_file.file_name)
+    end
-        expect(response).to have_gitlab_http_status(:forbidden)
+    context 'with maven_packages_group_level_improvements disabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: false)
      end
+      it_behaves_like 'handling all conditions'
    end
    def download_file(file_name, params = {}, request_headers = headers)
@@ -274,6 +292,22 @@ RSpec.describe API::MavenPackages do
    let(:url) { "/packages/maven/#{package.maven_metadatum.path}/#{package_file.file_name}" }
    it_behaves_like 'processing HEAD requests'
+    context 'with maven_packages_group_level_improvements enabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: true)
+      end
+      it_behaves_like 'processing HEAD requests'
+    end
+    context 'with maven_packages_group_level_improvements disabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: false)
+      end
+      it_behaves_like 'processing HEAD requests'
+    end
  end
  describe 'GET /api/v4/groups/:id/-/packages/maven/*path/:file_name' do
@@ -282,110 +316,182 @@ RSpec.describe API::MavenPackages do
      group.add_developer(user)
    end
-    context 'a public project' do
+    shared_examples 'handling all conditions' do
-      subject { download_file(package_file.file_name) }
+      context 'a public project' do
+        subject { download_file(package_file.file_name) }
-      it_behaves_like 'tracking the file download event'
+        it_behaves_like 'tracking the file download event'
-      it 'returns the file' do
+        it 'returns the file' do
-        subject
+          subject
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('application/octet-stream')
+          expect(response.media_type).to eq('application/octet-stream')
-      end
+        end
-      it 'returns sha1 of the file' do
+        it 'returns sha1 of the file' do
-        download_file(package_file.file_name + '.sha1')
+          download_file(package_file.file_name + '.sha1')
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('text/plain')
+          expect(response.media_type).to eq('text/plain')
-        expect(response.body).to eq(package_file.file_sha1)
+          expect(response.body).to eq(package_file.file_sha1)
+        end
      end
-    end
-    context 'internal project' do
+      context 'internal project' do
-      before do
+        before do
-        group.group_member(user).destroy!
+          group.group_member(user).destroy!
-        project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
+          project.update!(visibility_level: Gitlab::VisibilityLevel::INTERNAL)
-      end
+        end
-      subject { download_file_with_token(package_file.file_name) }
+        subject { download_file_with_token(package_file.file_name) }
-      it_behaves_like 'tracking the file download event'
+        it_behaves_like 'tracking the file download event'
-      it 'returns the file' do
+        it 'returns the file' do
-        subject
+          subject
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('application/octet-stream')
+          expect(response.media_type).to eq('application/octet-stream')
-      end
+        end
+        it 'denies download when no private token' do
+          download_file(package_file.file_name)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
-      it 'denies download when no private token' do
+        it_behaves_like 'downloads with a job token'
-        download_file(package_file.file_name)
-        expect(response).to have_gitlab_http_status(:not_found)
+        it_behaves_like 'downloads with a deploy token'
      end
-      it_behaves_like 'downloads with a job token'
+      context 'private project' do
+        before do
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+        end
-      it_behaves_like 'downloads with a deploy token'
+        subject { download_file_with_token(package_file.file_name) }
-    end
-    context 'private project' do
+        it_behaves_like 'tracking the file download event'
-      before do
-        project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
-      end
-      subject { download_file_with_token(package_file.file_name) }
+        it 'returns the file' do
+          subject
-      it_behaves_like 'tracking the file download event'
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response.media_type).to eq('application/octet-stream')
+        end
-      it 'returns the file' do
+        it 'denies download when not enough permissions' do
-        subject
+          group.add_guest(user)
-        expect(response).to have_gitlab_http_status(:ok)
+          subject
-        expect(response.media_type).to eq('application/octet-stream')
-      end
-      it 'denies download when not enough permissions' do
+          status = Feature.enabled?(:maven_packages_group_level_improvements) ? :not_found : :forbidden
-        group.add_guest(user)
+          expect(response).to have_gitlab_http_status(status)
+        end
-        subject
+        it 'denies download when no private token' do
+          download_file(package_file.file_name)
-        expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:not_found)
-      end
+        end
+        it_behaves_like 'downloads with a job token'
+        it_behaves_like 'downloads with a deploy token'
+        context 'with group deploy token' do
+          subject { download_file_with_token(package_file.file_name, {}, group_deploy_token_headers) }
+          it 'returns the file' do
+            subject
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(response.media_type).to eq('application/octet-stream')
+          end
-      it 'denies download when no private token' do
+          it 'returns the file with only write_package_registry scope' do
-        download_file(package_file.file_name)
+            deploy_token_for_group.update!(read_package_registry: false)
-        expect(response).to have_gitlab_http_status(:not_found)
+            subject
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(response.media_type).to eq('application/octet-stream')
+          end
+        end
      end
-      it_behaves_like 'downloads with a job token'
+      context 'maven metadata file' do
+        let_it_be(:sub_group1) { create(:group, parent: group) }
+        let_it_be(:sub_group2)   { create(:group, parent: group) }
+        let_it_be(:project1) { create(:project, :private, group: sub_group1) }
+        let_it_be(:project2) { create(:project, :private, group: sub_group2) }
+        let_it_be(:project3) { create(:project, :private, group: sub_group1) }
+        let_it_be(:package_name) { 'foo' }
+        let_it_be(:package1) { create(:maven_package, project: project1, name: package_name, version: nil) }
+        let_it_be(:package_file1) { create(:package_file, :xml, package: package1, file_name: 'maven-metadata.xml') }
+        let_it_be(:package2) { create(:maven_package, project: project2, name: package_name, version: nil) }
+        let_it_be(:package_file2) { create(:package_file, :xml, package: package2, file_name: 'maven-metadata.xml') }
+        let_it_be(:package3) { create(:maven_package, project: project3, name: package_name, version: nil) }
+        let_it_be(:package_file3) { create(:package_file, :xml, package: package3, file_name: 'maven-metadata.xml') }
-      it_behaves_like 'downloads with a deploy token'
+        let(:maven_metadatum) { package3.maven_metadatum }
-      context 'with group deploy token' do
+        subject { download_file_with_token(package_file3.file_name) }
-        subject { download_file_with_token(package_file.file_name, {}, group_deploy_token_headers) }
-        it 'returns the file' do
+        before do
-          subject
+          sub_group1.add_developer(user)
+          sub_group2.add_developer(user)
+          # the package with the most recently published file should be returned
+          create(:package_file, :xml, package: package2)
+        end
-          expect(response).to have_gitlab_http_status(:ok)
+        context 'in multiple versionless packages' do
-          expect(response.media_type).to eq('application/octet-stream')
+          it 'downloads the file' do
+            expect(::Packages::PackageFileFinder)
+              .to receive(:new).with(package2, 'maven-metadata.xml').and_call_original
+            subject
+          end
        end
-        it 'returns the file with only write_package_registry scope' do
+        context 'in multiple snapshot packages' do
-          deploy_token_for_group.update!(read_package_registry: false)
+          before do
+            version = '1.0.0-SNAPSHOT'
+            [package1, package2, package3].each do |pkg|
+              pkg.update!(version: version)
-          subject
+              pkg.maven_metadatum.update!(path: "#{pkg.name}/#{pkg.version}")
+            end
+          end
-          expect(response).to have_gitlab_http_status(:ok)
+          it 'downloads the file' do
-          expect(response.media_type).to eq('application/octet-stream')
+            expect(::Packages::PackageFileFinder)
+              .to receive(:new).with(package3, 'maven-metadata.xml').and_call_original
+            subject
+          end
        end
      end
    end
+    context 'with maven_packages_group_level_improvements enabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: true)
+      end
+      it_behaves_like 'handling all conditions'
+    end
+    context 'with maven_packages_group_level_improvements disabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: false)
+      end
+      it_behaves_like 'handling all conditions'
+    end
    def download_file(file_name, params = {}, request_headers = headers)
      get api("/groups/#{group.id}/-/packages/maven/#{maven_metadatum.path}/#{file_name}"), params: params, headers: request_headers
    end
@@ -398,64 +504,96 @@ RSpec.describe API::MavenPackages do
  describe 'HEAD /api/v4/groups/:id/-/packages/maven/*path/:file_name' do
    let(:url) { "/groups/#{group.id}/-/packages/maven/#{package.maven_metadatum.path}/#{package_file.file_name}" }
-    it_behaves_like 'processing HEAD requests'
+    context 'with maven_packages_group_level_improvements enabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: true)
+      end
+      it_behaves_like 'processing HEAD requests'
+    end
+    context 'with maven_packages_group_level_improvements disabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: false)
+      end
+      it_behaves_like 'processing HEAD requests'
+    end
  end
  describe 'GET /api/v4/projects/:id/packages/maven/*path/:file_name' do
-    context 'a public project' do
+    shared_examples 'handling all conditions' do
-      subject { download_file(package_file.file_name) }
+      context 'a public project' do
+        subject { download_file(package_file.file_name) }
-      it_behaves_like 'tracking the file download event'
+        it_behaves_like 'tracking the file download event'
-      it 'returns the file' do
+        it 'returns the file' do
-        subject
+          subject
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('application/octet-stream')
+          expect(response.media_type).to eq('application/octet-stream')
-      end
+        end
-      it 'returns sha1 of the file' do
+        it 'returns sha1 of the file' do
-        download_file(package_file.file_name + '.sha1')
+          download_file(package_file.file_name + '.sha1')
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('text/plain')
+          expect(response.media_type).to eq('text/plain')
-        expect(response.body).to eq(package_file.file_sha1)
+          expect(response.body).to eq(package_file.file_sha1)
+        end
      end
-    end
-    context 'private project' do
+      context 'private project' do
-      before do
+        before do
-        project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+          project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
-      end
+        end
-      subject { download_file_with_token(package_file.file_name) }
+        subject { download_file_with_token(package_file.file_name) }
-      it_behaves_like 'tracking the file download event'
+        it_behaves_like 'tracking the file download event'
-      it 'returns the file' do
+        it 'returns the file' do
-        subject
+          subject
-        expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to have_gitlab_http_status(:ok)
-        expect(response.media_type).to eq('application/octet-stream')
+          expect(response.media_type).to eq('application/octet-stream')
-      end
+        end
-      it 'denies download when not enough permissions' do
+        it 'denies download when not enough permissions' do
-        project.add_guest(user)
+          project.add_guest(user)
-        subject
+          subject
-        expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:forbidden)
-      end
+        end
-      it 'denies download when no private token' do
+        it 'denies download when no private token' do
-        download_file(package_file.file_name)
+          download_file(package_file.file_name)
-        expect(response).to have_gitlab_http_status(:not_found)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+        it_behaves_like 'downloads with a job token'
+        it_behaves_like 'downloads with a deploy token'
+      end
+    end
+    context 'with maven_packages_group_level_improvements enabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: true)
      end
-      it_behaves_like 'downloads with a job token'
+      it_behaves_like 'handling all conditions'
+    end
+    context 'with maven_packages_group_level_improvements disabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: false)
+      end
-      it_behaves_like 'downloads with a deploy token'
+      it_behaves_like 'handling all conditions'
    end
    def download_file(file_name, params = {}, request_headers = headers)
@@ -471,7 +609,21 @@ RSpec.describe API::MavenPackages do
  describe 'HEAD /api/v4/projects/:id/packages/maven/*path/:file_name' do
    let(:url) { "/projects/#{project.id}/packages/maven/#{package.maven_metadatum.path}/#{package_file.file_name}" }
-    it_behaves_like 'processing HEAD requests'
+    context 'with maven_packages_group_level_improvements enabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: true)
+      end
+      it_behaves_like 'processing HEAD requests'
+    end
+    context 'with maven_packages_group_level_improvements disabled' do
+      before do
+        stub_feature_flags(maven_packages_group_level_improvements: false)
+      end
+      it_behaves_like 'processing HEAD requests'
+    end
  end
  describe 'PUT /api/v4/projects/:id/packages/maven/*path/:file_name/authorize' do