From 995ae06a6e02b7fb1938bb7ac2a1d5fe10be55b1 Mon Sep 17 00:00:00 2001 From: Wayne Starr Date: Wed, 9 Nov 2022 00:00:09 -0600 Subject: [PATCH] Allow for resolution of NPM registry paths that match upstream (#21568) (#21723) Backport (#21568) This PR fixes issue #21567 allowing for package tarball URLs to match the upstream registry (and GitLab/JFrog Artifactory URLs). It uses a regex to parse the filename (which contains the NPM version) and does a fuzzy search to pull it out. The regex was built/expanded from http://json.schemastore.org/package, https://github.com/Masterminds/semver, and https://docs.npmjs.com/cli/v6/using-npm/semver and is testable here: https://regex101.com/r/OydBJq/5 Co-authored-by: Lunny Xiao --- integrations/api_packages_npm_test.go | 8 ++++- routers/api/packages/api.go | 2 ++ routers/api/packages/npm/npm.go | 43 +++++++++++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) diff --git a/integrations/api_packages_npm_test.go b/integrations/api_packages_npm_test.go index bd65a2586..02e513850 100644 --- a/integrations/api_packages_npm_test.go +++ b/integrations/api_packages_npm_test.go @@ -123,10 +123,16 @@ func TestPackageNpm(t *testing.T) { b, _ := base64.StdEncoding.DecodeString(data) assert.Equal(t, b, resp.Body.Bytes()) + req = NewRequest(t, "GET", fmt.Sprintf("%s/-/%s", root, filename)) + req = addTokenAuthHeader(req, token) + resp = MakeRequest(t, req, http.StatusOK) + + assert.Equal(t, b, resp.Body.Bytes()) + pvs, err := packages.GetVersionsByPackageType(db.DefaultContext, user.ID, packages.TypeNpm) assert.NoError(t, err) assert.Len(t, pvs, 1) - assert.Equal(t, int64(1), pvs[0].DownloadCount) + assert.Equal(t, int64(2), pvs[0].DownloadCount) }) t.Run("PackageMetadata", func(t *testing.T) { diff --git a/routers/api/packages/api.go b/routers/api/packages/api.go index 0df6012b5..35ac3540b 100644 --- a/routers/api/packages/api.go +++ b/routers/api/packages/api.go @@ -199,11 +199,13 @@ func Routes() *web.Route { r.Get("", npm.PackageMetadata) r.Put("", reqPackageAccess(perm.AccessModeWrite), npm.UploadPackage) r.Get("/-/{version}/{filename}", npm.DownloadPackageFile) + r.Get("/-/{filename}", npm.DownloadPackageFileByName) }) r.Group("/{id}", func() { r.Get("", npm.PackageMetadata) r.Put("", reqPackageAccess(perm.AccessModeWrite), npm.UploadPackage) r.Get("/-/{version}/{filename}", npm.DownloadPackageFile) + r.Get("/-/{filename}", npm.DownloadPackageFileByName) }) r.Group("/-/package/@{scope}/{id}/dist-tags", func() { r.Get("", npm.ListPackageTags) diff --git a/routers/api/packages/npm/npm.go b/routers/api/packages/npm/npm.go index d127134d4..57b24e3a8 100644 --- a/routers/api/packages/npm/npm.go +++ b/routers/api/packages/npm/npm.go @@ -105,6 +105,49 @@ func DownloadPackageFile(ctx *context.Context) { ctx.ServeStream(s, pf.Name) } +// DownloadPackageFileByName finds the version and serves the contents of a package +func DownloadPackageFileByName(ctx *context.Context) { + filename := ctx.Params("filename") + + pvs, _, err := packages_model.SearchVersions(ctx, &packages_model.PackageSearchOptions{ + OwnerID: ctx.Package.Owner.ID, + Type: packages_model.TypeNpm, + Name: packages_model.SearchValue{ + ExactMatch: true, + Value: packageNameFromParams(ctx), + }, + HasFileWithName: filename, + IsInternal: false, + }) + if err != nil { + apiError(ctx, http.StatusInternalServerError, err) + return + } + if len(pvs) != 1 { + apiError(ctx, http.StatusNotFound, nil) + return + } + + s, pf, err := packages_service.GetFileStreamByPackageVersion( + ctx, + pvs[0], + &packages_service.PackageFileInfo{ + Filename: filename, + }, + ) + if err != nil { + if err == packages_model.ErrPackageFileNotExist { + apiError(ctx, http.StatusNotFound, err) + return + } + apiError(ctx, http.StatusInternalServerError, err) + return + } + defer s.Close() + + ctx.ServeStream(s, pf.Name) +} + // UploadPackage creates a new package func UploadPackage(ctx *context.Context) { npmPackage, err := npm_module.ParsePackage(ctx.Req.Body)