Move virtual registry API classes to EE and add license check

We move the Maven virtual registry feature from CE to EE and implement
a license check to restrict access to Premium tier and above.

In this MR, we start by moving the API classes and adding the
license check when accessing any related endpoint.

ee/app/models/gitlab_subscriptions/features.rb

@@ -150,6 +150,7 @@ class Features
       microsoft_group_sync
       operations_dashboard
       package_forwarding
+      packages_virtual_registry
       pages_size_limit
       pages_multiple_versions
       productivity_analytics

ee/lib/api/concerns/virtual_registries/packages/maven/shared_setup.rb

+# frozen_string_literal: true
+
+module API
+  module Concerns
+    module VirtualRegistries
+      module Packages
+        module Maven
+          module SharedSetup
+            extend ActiveSupport::Concern
+            include ::API::Helpers::Authentication
+
+            included do
+              feature_category :virtual_registry
+              urgency :low
+
+              authenticate_with do |accept|
+                accept.token_types(:personal_access_token).sent_through(:http_private_token_header)
+                accept.token_types(:deploy_token).sent_through(:http_deploy_token_header)
+                accept.token_types(:job_token).sent_through(:http_job_token_header)
+              end
+
+              after_validation do
+                not_found! unless ::Feature.enabled?(:virtual_registry_maven, current_user)
+                not_found! unless ::Gitlab.config.dependency_proxy.enabled
+                not_found! unless target_group.licensed_feature_available?(:packages_virtual_registry)
+
+                authenticate!
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

lib/api/virtual_registries/packages/maven/cache/entries.rb → ee/lib/api/virtual_registries/packages/maven/cache/entries.rb

@@ -6,23 +6,14 @@ module Packages
       module Maven
         module Cache
           class Entries < ::API::Base
-            include ::API::Helpers::Authentication
+            include ::API::Concerns::VirtualRegistries::Packages::Maven::SharedSetup
             include ::API::PaginationParams
 
-            feature_category :virtual_registry
-            urgency :low
-
-            authenticate_with do |accept|
-              accept.token_types(:personal_access_token).sent_through(:http_private_token_header)
-              accept.token_types(:deploy_token).sent_through(:http_deploy_token_header)
-              accept.token_types(:job_token).sent_through(:http_job_token_header)
-            end
-
             helpers do
               include ::Gitlab::Utils::StrongMemoize
 
-              def require_dependency_proxy_enabled!
-                not_found! unless ::Gitlab.config.dependency_proxy.enabled
+              def target_group
+                request.path.include?('/upstreams') ? upstream.group : cache_entry.group
               end
 
               def upstream
@@ -42,14 +33,6 @@ def cache_entry
               strong_memoize_attr :cache_entry
             end
 
-            after_validation do
-              not_found! unless Feature.enabled?(:virtual_registry_maven, current_user)
-
-              require_dependency_proxy_enabled!
-
-              authenticate!
-            end
-
             namespace 'virtual_registries/packages/maven' do
               namespace :upstreams do
                 route_param :id, type: Integer, desc: 'The ID of the maven virtual registry upstream' do

lib/api/virtual_registries/packages/maven/endpoints.rb → ee/lib/api/virtual_registries/packages/maven/endpoints.rb

@@ -5,13 +5,10 @@ module VirtualRegistries
     module Packages
       module Maven
         class Endpoints < ::API::Base
-          include ::API::Helpers::Authentication
+          include ::API::Concerns::VirtualRegistries::Packages::Maven::SharedSetup
           include ::API::Concerns::VirtualRegistries::Packages::Endpoint
           include ::API::APIGuard
 
-          feature_category :virtual_registry
-          urgency :low
-
           AUTHENTICATE_REALM_HEADER = 'WWW-Authenticate'
           AUTHENTICATE_REALM_NAME = 'Basic realm="GitLab Virtual Registry"'
 
@@ -36,10 +33,7 @@ class Endpoints < ::API::Base
             include ::Gitlab::Utils::StrongMemoize
 
             delegate :group, :upstream, :registry_upstream, to: :registry
-
-            def require_dependency_proxy_enabled!
-              not_found! unless ::Gitlab.config.dependency_proxy.enabled
-            end
+            alias_method :target_group, :group
 
             def registry
               ::VirtualRegistries::Packages::Maven::Registry.find(params[:id])
@@ -71,14 +65,6 @@ def unauthorized!(reason = nil)
             end
           end
 
-          after_validation do
-            not_found! unless Feature.enabled?(:virtual_registry_maven, current_user)
-
-            require_dependency_proxy_enabled!
-
-            authenticate!
-          end
-
           namespace 'virtual_registries/packages/maven/:id/*path' do
             desc 'Download endpoint of the Maven virtual registry.' do
               detail 'This feature was introduced in GitLab 17.3. \
@@ -137,7 +123,7 @@ def unauthorized!(reason = nil)
               require_gitlab_workhorse!
               authorize!(:read_virtual_registry, registry)
 
-              etag, content_type, upstream_gid = request.headers.fetch_values(
+              etag, content_type, upstream_gid = headers.fetch_values(
                 'Etag',
                 ::Gitlab::Workhorse::SEND_DEPENDENCY_CONTENT_TYPE_HEADER,
                 UPSTREAM_GID_HEADER

lib/api/virtual_registries/packages/maven/registries.rb → ee/lib/api/virtual_registries/packages/maven/registries.rb

@@ -5,20 +5,15 @@ module VirtualRegistries
     module Packages
       module Maven
         class Registries < ::API::Base
-          include ::API::Helpers::Authentication
-
-          feature_category :virtual_registry
-          urgency :low
-
-          authenticate_with do |accept|
-            accept.token_types(:personal_access_token).sent_through(:http_private_token_header)
-            accept.token_types(:deploy_token).sent_through(:http_deploy_token_header)
-            accept.token_types(:job_token).sent_through(:http_job_token_header)
-          end
+          include ::API::Concerns::VirtualRegistries::Packages::Maven::SharedSetup
 
           helpers do
             include ::Gitlab::Utils::StrongMemoize
 
+            def target_group
+              request.path.include?('/groups') ? group : registry.group
+            end
+
             def group
               find_group!(params[:id])
             end
@@ -32,18 +27,6 @@ def registry
             def policy_subject
               ::VirtualRegistries::Packages::Policies::Group.new(group)
             end
-
-            def require_dependency_proxy_enabled!
-              not_found! unless ::Gitlab.config.dependency_proxy.enabled
-            end
-          end
-
-          after_validation do
-            not_found! unless Feature.enabled?(:virtual_registry_maven, current_user)
-
-            require_dependency_proxy_enabled!
-
-            authenticate!
           end
 
           resource :groups, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do

lib/api/virtual_registries/packages/maven/upstreams.rb → ee/lib/api/virtual_registries/packages/maven/upstreams.rb

@@ -5,24 +5,15 @@ module VirtualRegistries
     module Packages
       module Maven
         class Upstreams < ::API::Base
-          include ::API::Helpers::Authentication
-
-          feature_category :virtual_registry
-          urgency :low
-
-          authenticate_with do |accept|
-            accept.token_types(:personal_access_token).sent_through(:http_private_token_header)
-            accept.token_types(:deploy_token).sent_through(:http_deploy_token_header)
-            accept.token_types(:job_token).sent_through(:http_job_token_header)
-          end
+          include ::API::Concerns::VirtualRegistries::Packages::Maven::SharedSetup
 
           helpers do
             include ::Gitlab::Utils::StrongMemoize
 
             delegate :group, :registry_upstream, to: :registry
 
-            def require_dependency_proxy_enabled!
-              not_found! unless Gitlab.config.dependency_proxy.enabled
+            def target_group
+              request.path.include?('/registries') ? group : upstream.group
             end
 
             def registry
@@ -36,14 +27,6 @@ def upstream
             strong_memoize_attr :upstream
           end
 
-          after_validation do
-            not_found! unless Feature.enabled?(:virtual_registry_maven, current_user)
-
-            require_dependency_proxy_enabled!
-
-            authenticate!
-          end
-
           namespace 'virtual_registries/packages/maven' do
             namespace :registries do
               route_param :id, type: Integer, desc: 'The ID of the maven virtual registry' do

ee/lib/ee/api/api.rb

@@ -80,6 +80,10 @@ module API
         mount ::API::Chat
         mount ::API::DuoCodeReview
         mount ::API::SecurityScans
+        mount ::API::VirtualRegistries::Packages::Maven::Registries
+        mount ::API::VirtualRegistries::Packages::Maven::Upstreams
+        mount ::API::VirtualRegistries::Packages::Maven::Cache::Entries
+        mount ::API::VirtualRegistries::Packages::Maven::Endpoints
 
         mount ::API::Internal::AppSec::Dast::SiteValidations
         mount ::API::Internal::Search::Zoekt

spec/features/api/virtual_registries/packages/maven_spec.rb → ee/spec/features/virtual_registries/packages/maven_spec.rb

@@ -10,6 +10,7 @@
   let_it_be(:user) { create(:user, owner_of: group) }
   let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
   let_it_be(:registry) { create(:virtual_registries_packages_maven_registry, group: group) }
+  let_it_be(:upstream) { create(:virtual_registries_packages_maven_upstream, registry: registry) }
 
   let_it_be(:external_server) do
     handler = ->(env) do
@@ -23,10 +24,6 @@
     run_server(handler)
   end
 
-  let_it_be(:upstream) do
-    create(:virtual_registries_packages_maven_upstream, registry: registry)
-  end
-
   let(:api_path) { "/virtual_registries/packages/maven/#{registry.id}/file" }
   let(:url) { capybara_url(api(api_path)) }
   let(:authorization) do
@@ -38,6 +35,7 @@
   before do
     upstream.update_column(:url, external_server.base_url) # avoids guard that rejects local urls
     stub_config(dependency_proxy: { enabled: true })
+    stub_licensed_features(packages_virtual_registry: true)
     allow(Gitlab::CurrentSettings).to receive(:allow_local_requests_from_web_hooks_and_services?).and_return(true)
   end
 

spec/requests/api/virtual_registries/packages/maven/cache/entries_spec.rb → ee/spec/requests/api/virtual_registries/packages/maven/cache/entries_spec.rb

@@ -41,6 +41,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'with invalid upstream' do
       where(:upstream_id, :status) do
@@ -132,6 +133,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'for different user roles' do
       where(:user_role, :status) do

spec/requests/api/virtual_registries/packages/maven/endpoints_spec.rb → ee/spec/requests/api/virtual_registries/packages/maven/endpoints_spec.rb

@@ -212,6 +212,7 @@
     end
 
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
   end
 
   describe 'POST /api/v4/virtual_registries/packages/maven/:id/*path/upload' do
@@ -311,5 +312,6 @@
     end
 
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
   end
 end

spec/requests/api/virtual_registries/packages/maven/registries_spec.rb → ee/spec/requests/api/virtual_registries/packages/maven/registries_spec.rb

@@ -26,6 +26,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'with valid group_id' do
       it_behaves_like 'successful response'
@@ -98,6 +99,7 @@
       it_behaves_like 'disabled virtual_registry_maven feature flag'
       it_behaves_like 'maven virtual registry disabled dependency proxy'
       it_behaves_like 'maven virtual registry not authenticated user'
+      it_behaves_like 'maven virtual registry feature not licensed'
 
       where(:user_role, :status) do
         :owner      | :created
@@ -210,6 +212,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'with valid registry_id' do
       it_behaves_like 'successful response'
@@ -276,6 +279,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'with valid registry_id' do
       where(:user_role, :status) do

spec/requests/api/virtual_registries/packages/maven/upstreams_spec.rb → ee/spec/requests/api/virtual_registries/packages/maven/upstreams_spec.rb

@@ -26,6 +26,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'with valid registry' do
       it_behaves_like 'successful response'
@@ -103,6 +104,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'with valid params' do
       where(:user_role, :status) do
@@ -220,6 +222,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'with valid params' do
       it_behaves_like 'successful response'
@@ -271,6 +274,7 @@
       it_behaves_like 'disabled virtual_registry_maven feature flag'
       it_behaves_like 'maven virtual registry disabled dependency proxy'
       it_behaves_like 'maven virtual registry not authenticated user'
+      it_behaves_like 'maven virtual registry feature not licensed'
 
       where(:user_role, :status) do
         :owner      | :ok
@@ -353,6 +357,7 @@
     it_behaves_like 'disabled virtual_registry_maven feature flag'
     it_behaves_like 'maven virtual registry disabled dependency proxy'
     it_behaves_like 'maven virtual registry not authenticated user'
+    it_behaves_like 'maven virtual registry feature not licensed'
 
     context 'for different user roles' do
       where(:user_role, :status) do

spec/support/shared_contexts/requests/api/maven_vreg_shared_context.rb → ee/spec/support/shared_contexts/maven_vreg_shared_context.rb

@@ -23,6 +23,7 @@
 
   before do
     stub_config(dependency_proxy: { enabled: true }) # not enabled by default
+    stub_licensed_features(packages_virtual_registry: true)
   end
 
   def token_header(token)