Merge branch 'pypi_project_slug' into 'master'

Add PyPI package endpoints for project and group path (escaped) See merge request gitlab-org/gitlab!66087

Merge branch 'pypi_project_slug' into 'master'
Add PyPI package endpoints for project and group path (escaped) See merge request gitlab-org/gitlab!66087
531514f0 · Dmitriy Zaporozhets (DZ) · c06c1d15 · c9f7a178 · 531514f0 · 531514f0
Commit 531514f0 authored Jul 28, 2021 by Dmitriy Zaporozhets (DZ)
3 changed files
--- a/doc/user/packages/pypi_repository/index.md
+++ b/doc/user/packages/pypi_repository/index.md
@@ -181,7 +181,9 @@ username = <your_personal_access_token_name>
 password = <your_personal_access_token>
 ```

- Your project ID is on your project's home page.
+The `<project_id>` is either the project's
+[URL-encoded](../../../api/index.md#namespaced-path-encoding)
+path (for example, `group%2Fproject`), or the project's ID (for example `42`).

 ### Authenticate with a deploy token

@@ -198,7 +200,9 @@ username = <deploy token username>
 password = <deploy token>
 ```

-Your project ID is on your project's home page.
+The `<project_id>` is either the project's
+[URL-encoded](../../../api/index.md#namespaced-path-encoding)
+path (for example, `group%2Fproject`), or the project's ID (for example `42`).

 ### Authenticate with a CI job token

@@ -335,7 +339,8 @@ pip install --index-url https://<personal_access_token_name>:<personal_access_to
 - `<package_name>` is the package name.
 - `<personal_access_token_name>` is a personal access token name with the `read_api` scope.
 - `<personal_access_token>` is a personal access token with the `read_api` scope.
- `<project_id>` is the project ID.
+- `<project_id>` is either the project's [URL-encoded](../../../api/index.md#namespaced-path-encoding)
+  path (for example, `group%2Fproject`), or the project's ID (for example `42`).

 In these commands, you can use `--extra-index-url` instead of `--index-url`. However, using
 `--extra-index-url` makes you vulnerable to dependency confusion attacks because it checks the PyPi

--- a/lib/api/pypi_packages.rb
+++ b/lib/api/pypi_packages.rb
@@ -40,7 +40,7 @@ module API
    end

    params do
-      requires :id, type: Integer, desc: 'The ID of a group'
+      requires :id, type: String, desc: 'The ID of a group'
    end
    resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
      after_validation do
@@ -96,7 +96,7 @@ module API
    end

    params do
-      requires :id, type: Integer, desc: 'The ID of a project'
+      requires :id, type: String, desc: 'The ID of a project'
    end

    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do

--- a/spec/requests/api/pypi_packages_spec.rb
+++ b/spec/requests/api/pypi_packages_spec.rb
@@ -38,6 +38,12 @@ RSpec.describe API::PypiPackages do
        end

        it_behaves_like 'deploy token for package GET requests'
+
+        context 'with group path as id' do
+          let(:url) { "/groups/#{CGI.escape(group.full_path)}/-/packages/pypi/simple/#{package.name}" }
+
+          it_behaves_like 'deploy token for package GET requests'
+        end
      end

      context 'job token' do
@@ -61,6 +67,12 @@ RSpec.describe API::PypiPackages do
      it_behaves_like 'rejects PyPI access with unknown project id'
      it_behaves_like 'deploy token for package GET requests'
      it_behaves_like 'job token for package GET requests'
+
+      context 'with project path as id' do
+        let(:url) { "/projects/#{CGI.escape(project.full_path)}/packages/pypi/simple/#{package.name}" }
+
+        it_behaves_like 'deploy token for package GET requests'
+      end
    end
  end