Commit c9f7a178 authored by Mathieu Parent

Add PyPI package endpoints for project and group path (escaped)

Changelog: added
parent 7dfd9546
...@@ -181,7 +181,9 @@ username = <your_personal_access_token_name> ...@@ -181,7 +181,9 @@ username = <your_personal_access_token_name>
password = <your_personal_access_token> password = <your_personal_access_token>
``` ```
- Your project ID is on your project's home page. The `<project_id>` is either the project's
[URL-encoded](../../../api/index.md#namespaced-path-encoding)
path (for example, `group%2Fproject`), or the project's ID (for example `42`).
### Authenticate with a deploy token ### Authenticate with a deploy token
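Review bot: the replacement paragraph drops the pointer "Your project ID is on your project's home page", so a reader who picks the numeric form no longer learns where to find it. Consider keeping that sentence after the new one. A small style point in the same paragraph: "for example, `group%2Fproject`" has a comma and "for example `42`" does not; make the two consistent.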
...@@ -198,7 +200,9 @@ username = <deploy token username> ...@@ -198,7 +200,9 @@ username = <deploy token username>
password = <deploy token> password = <deploy token>
``` ```
Your project ID is on your project's home page. The `<project_id>` is either the project's
[URL-encoded](../../../api/index.md#namespaced-path-encoding)
path (for example, `group%2Fproject`), or the project's ID (for example `42`).
### Authenticate with a CI job token ### Authenticate with a CI job token
...@@ -335,7 +339,8 @@ pip install --index-url https://<personal_access_token_name>:<personal_access_to ...@@ -335,7 +339,8 @@ pip install --index-url https://<personal_access_token_name>:<personal_access_to
- `<package_name>` is the package name. - `<package_name>` is the package name.
- `<personal_access_token_name>` is a personal access token name with the `read_api` scope. - `<personal_access_token_name>` is a personal access token name with the `read_api` scope.
- `<personal_access_token>` is a personal access token with the `read_api` scope. - `<personal_access_token>` is a personal access token with the `read_api` scope.
- `<project_id>` is the project ID. - `<project_id>` is either the project's [URL-encoded](../../../api/index.md#namespaced-path-encoding)
path (for example, `group%2Fproject`), or the project's ID (for example `42`).
In these commands, you can use `--extra-index-url` instead of `--index-url`. However, using In these commands, you can use `--extra-index-url` instead of `--index-url`. However, using
`--extra-index-url` makes you vulnerable to dependency confusion attacks because it checks the PyPi `--extra-index-url` makes you vulnerable to dependency confusion attacks because it checks the PyPi
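Review bot: the documentation hunks shown reword only the `<project_id>` placeholder, while the commit title and the new 'with group path as id' spec context also cover group paths. If the group-level install section has an equivalent placeholder, it needs the same "URL-encoded path or ID" wording; otherwise the group form ships undocumented.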
......
...@@ -40,7 +40,7 @@ module API ...@@ -40,7 +40,7 @@ module API
end end
params do params do
requires :id, type: Integer, desc: 'The ID of a group' requires :id, type: String, desc: 'The ID of a group'
end end
resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
after_validation do after_validation do
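Review bot: the `desc` on `requires :id, type: String, desc: 'The ID of a group'` is now stale, since the parameter also accepts a path. Suggest something like 'The ID or URL-encoded path of the group' so the generated API description matches the updated docs. The same applies to 'The ID of a project' in the next hunk.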
...@@ -96,7 +96,7 @@ module API ...@@ -96,7 +96,7 @@ module API
end end
params do params do
requires :id, type: Integer, desc: 'The ID of a project' requires :id, type: String, desc: 'The ID of a project'
end end
resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
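Review bot: moving `:id` from `type: Integer` to `type: String` removes the coercion step that used to reject non-numeric values before any lookup ran, so the only remaining constraint visible here is `requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS`. Please confirm that a path that does not exist, or one the caller cannot read, gets the same response as an unknown numeric ID, so the endpoint does not reveal which project paths exist, and add a spec for that case.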
......
...@@ -38,6 +38,12 @@ RSpec.describe API::PypiPackages do ...@@ -38,6 +38,12 @@ RSpec.describe API::PypiPackages do
end end
it_behaves_like 'deploy token for package GET requests' it_behaves_like 'deploy token for package GET requests'
context 'with group path as id' do
let(:url) { "/groups/#{CGI.escape(group.full_path)}/-/packages/pypi/simple/#{package.name}" }
it_behaves_like 'deploy token for package GET requests'
end
end end
context 'job token' do context 'job token' do
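Review bot: the 'with group path as id' context runs only 'deploy token for package GET requests', and the `context 'job token'` that follows in the context lines gets no path case. Since the path form goes through a different lookup than the integer form, each token type covered for the numeric ID should also be exercised with `CGI.escape(group.full_path)`. The URL also only covers the `simple/#{package.name}` index; if other group endpoints accept `:id`, they need a path case too.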
...@@ -61,6 +67,12 @@ RSpec.describe API::PypiPackages do ...@@ -61,6 +67,12 @@ RSpec.describe API::PypiPackages do
it_behaves_like 'rejects PyPI access with unknown project id' it_behaves_like 'rejects PyPI access with unknown project id'
it_behaves_like 'deploy token for package GET requests' it_behaves_like 'deploy token for package GET requests'
it_behaves_like 'job token for package GET requests' it_behaves_like 'job token for package GET requests'
context 'with project path as id' do
let(:url) { "/projects/#{CGI.escape(project.full_path)}/packages/pypi/simple/#{package.name}" }
it_behaves_like 'deploy token for package GET requests'
end
end end
end end
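Review bot: the 'with project path as id' context omits two of the three shared examples that the surrounding lines run for the numeric ID: 'rejects PyPI access with unknown project id' and 'job token for package GET requests'. The rejection case matters most here, because an unknown or inaccessible path is the new input this change lets through; add a path variant of it (for example a non-existent `group%2Fproject`) alongside the job token example.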
......