1 files changed, 44 insertions, 39 deletions

diff --git a/lib/api/maven_packages.rb b/lib/api/maven_packages.rb
index 411a53a481b..e075a917fa9 100644
--- a/lib/api/maven_packages.rb
+++ b/lib/api/maven_packages.rb
@@ -23,8 +23,14 @@ module API
 
     helpers ::API::Helpers::PackagesHelpers
     helpers ::API::Helpers::Packages::DependencyProxyHelpers
+    helpers ::API::Helpers::Packages::Maven::BasicAuthHelpers
 
     helpers do
+      params :path_and_file_name do
+        requires :path, type: String, desc: 'Package path', documentation: { example: 'foo/bar/mypkg/1.0-SNAPSHOT' }
+        requires :file_name, type: String, desc: 'Package file name', documentation: { example: 'mypkg-1.0-SNAPSHOT.jar' }
+      end
+
       def path_exists?(path)
         return false if path.blank?
 
@@ -159,10 +165,9 @@ module API
       tags %w[maven_packages]
     end
     params do
-      requires :path, type: String, desc: 'Package path', documentation: { example: 'foo/bar/mypkg/1.0-SNAPSHOT' }
-      requires :file_name, type: String, desc: 'Package file name', documentation: { example: 'mypkg-1.0-SNAPSHOT.jar' }
+      use :path_and_file_name
     end
-    route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true
+    route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true, basic_auth_personal_access_token: true
     get 'packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
       # return a similar failure to authorize_read_package!(project)
 
@@ -191,6 +196,7 @@ module API
         package_file.file_sha1
       else
         track_package_event('pull_package', :maven, project: project, namespace: project.namespace) if jar_file?(format)
+
         present_carrierwave_file_with_head_support!(package_file)
       end
     end
@@ -213,13 +219,12 @@ module API
     end
     resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
       params do
-        requires :path, type: String, desc: 'Package path', documentation: { example: 'foo/bar/mypkg/1.0-SNAPSHOT' }
-        requires :file_name, type: String, desc: 'Package file name', documentation: { example: 'mypkg-1.0-SNAPSHOT.jar' }
+        use :path_and_file_name
       end
-      route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true
+      route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true, basic_auth_personal_access_token: true
       get ':id/-/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
         # return a similar failure to group = find_group(params[:id])
-        group = find_group(params[:id])
+        group = find_authorized_group!
 
         if Feature.disabled?(:maven_central_request_forwarding, group&.root_ancestor)
           not_found!('Group') unless path_exists?(params[:path])
@@ -240,7 +245,7 @@ module API
       requires :id, types: [String, Integer], desc: 'The ID or URL-encoded path of the project'
     end
     resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
-      desc 'Download the maven package file' do
+      desc 'Download the maven package file at a project level' do
         detail 'This feature was introduced in GitLab 11.3'
         success [
           { code: 200 },
@@ -254,12 +259,11 @@ module API
         tags %w[maven_packages]
       end
       params do
-        requires :path, type: String, desc: 'Package path', documentation: { example: 'foo/bar/mypkg/1.0-SNAPSHOT' }
-        requires :file_name, type: String, desc: 'Package file name', documentation: { example: 'mypkg-1.0-SNAPSHOT.jar' }
+        use :path_and_file_name
       end
-      route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true
+      route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true, basic_auth_personal_access_token: true
       get ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
-        project = user_project(action: :read_package)
+        project = authorized_user_project(action: :read_package)
 
         # return a similar failure to user_project
         unless Feature.enabled?(:maven_central_request_forwarding, project&.root_ancestor)
@@ -318,42 +322,43 @@ module API
       end
       route_setting :authentication, job_token_allowed: true, deploy_token_allowed: true
       put ':id/packages/maven/*path/:file_name', requirements: MAVEN_ENDPOINT_REQUIREMENTS do
-        unprocessable_entity! if Gitlab::FIPS.enabled? && params['file.md5']
+        unprocessable_entity! if Gitlab::FIPS.enabled? && params[:file].md5
         authorize_upload!
         bad_request!('File is too large') if user_project.actual_limits.exceeded?(:maven_max_file_size, params[:file].size)
 
         file_name, format = extract_format(params[:file_name])
 
-        result = ::Packages::Maven::FindOrCreatePackageService
-          .new(user_project, current_user, params.merge(build: current_authenticated_job)).execute
+        ::Gitlab::Database::LoadBalancing::Session.current.use_primary do
+          result = ::Packages::Maven::FindOrCreatePackageService
+                     .new(user_project, current_user, params.merge(build: current_authenticated_job)).execute
 
-        bad_request!(result.errors.first) if result.error?
+          bad_request!(result.errors.first) if result.error?
 
-        package = result.payload[:package]
+          package = result.payload[:package]
 
-        case format
-        when 'sha1'
-          # After uploading a file, Maven tries to upload a sha1 and md5 version of it.
-          # Since we store md5/sha1 in database we simply need to validate our hash
-          # against one uploaded by Maven. We do this for `sha1` format.
-          package_file = ::Packages::PackageFileFinder
-            .new(package, file_name).execute!
+          case format
+          when 'sha1'
+            # After uploading a file, Maven tries to upload a sha1 and md5 version of it.
+            # Since we store md5/sha1 in database we simply need to validate our hash
+            # against one uploaded by Maven. We do this for `sha1` format.
+            package_file = ::Packages::PackageFileFinder
+              .new(package, file_name).execute!
 
-          verify_package_file(package_file, params[:file])
-        when 'md5'
-          ''
-        else
-          file_params = {
-            file: params[:file],
-            size: params['file.size'],
-            file_name: file_name,
-            file_type: params['file.type'],
-            file_sha1: params['file.sha1'],
-            file_md5: params['file.md5']
-          }
-
-          ::Packages::CreatePackageFileService.new(package, file_params.merge(build: current_authenticated_job)).execute
-          track_package_event('push_package', :maven, user: current_user, project: user_project, namespace: user_project.namespace) if jar_file?(format)
+            verify_package_file(package_file, params[:file])
+          when 'md5'
+            ''
+          else
+            file_params = {
+              file: params[:file],
+              size: params[:file].size,
+              file_name: file_name,
+              file_sha1: params[:file].sha1,
+              file_md5: params[:file].md5
+            }
+
+            ::Packages::CreatePackageFileService.new(package, file_params.merge(build: current_authenticated_job)).execute
+            track_package_event('push_package', :maven, project: user_project, namespace: user_project.namespace) if jar_file?(format)
+          end
         end
       end
     end