Spike: Investigate how to add and iterate on the dependency firewall
Background
As part of the epic "MVC Dependency Firewall: Deny List for Maven Registry", we need to investigate the implementation of a Minimum Viable Change (MVC) for the dependency firewall, focusing on a deny list for the Maven virtual registry.
Objective
Investigate and outline the necessary steps to implement a basic deny list feature for the Maven virtual registry, which will serve as the foundation for a more sophisticated allow/deny list system in the future.
Investigation Points
- API Design:
  - Explore the structure for a simple API to create and manage deny rules
  - Consider how to handle basic rule creation, updating, and deletion
- Rule Matching:
  - Assess the complexity of adding simple regular expression support
- Rule Application:
  - Research methods for applying deny rules in real-time to incoming package requests
  - Evaluate performance implications and potential optimizations
- Logging:
  - Explore options for basic audit logging of denied access attempts
  - Consider what information should be logged (e.g., package name, version, timestamp, rule applied)
- Rule Management:
  - Investigate a simple mechanism for exporting and importing deny rules
  - Consider format options (e.g., JSON, YAML) for rule export/import
- User Interface:
  - Sketch out a basic UI design for managing deny rules within the GitLab interface
  - Consider how to integrate this with existing package management views
  - We have some already validated designs here: #466047
- Testing Strategy:
  - Outline a strategy for unit and integration testing of the deny list feature
  - Consider how to test rule application without impacting actual package access
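A sketch of the rule matching, rule application, logging and import points above, as an added Ruby example that is not part of this issue or of GitLab's code; the DenyRule model, the JSON rule format, the coordinate string the regex runs against and the sample rules are assumptions constructed here.

```ruby
require 'json'
require 'time'
# Hypothetical rule model (not GitLab's): a deny rule is a regular expression
# matched against the coordinate string "groupId:artifactId:version".
DenyRule = Struct.new(:id, :pattern, :description) do
  # Compile once per rule. A real service should validate patterns at creation
  # time (anchored, bounded length) instead of trusting them at match time.
  def matches?(coordinate)
    (@regex ||= Regexp.new(pattern)).match?(coordinate)
  end
end

# Import rules from the JSON export format assumed here.
def load_rules(json)
  JSON.parse(json).map { |h| DenyRule.new(h['id'], h['pattern'], h['description']) }
end

# Map a repository path such as com/example/widget/1.0.1/widget-1.0.1.jar to its
# coordinates. Non-artifact files (e.g. maven-metadata.xml) return nil and are
# passed through, so a rule can only deny artifact downloads.
def parse_maven_path(path)
  parts = path.sub(%r{\A/}, '').split('/')
  file = parts.pop
  return nil if file.nil? || parts.length < 3
  version, artifact = parts.pop, parts.pop
  return nil unless file.start_with?("#{artifact}-#{version}")
  { group: parts.join('.'), artifact: artifact, version: version }
end

# Apply the deny list to one incoming request: the first matching rule denies,
# and a denial carries the audit record the logging point asks for.
def evaluate(path, rules, now: Time.now.utc)
  coords = parse_maven_path(path)
  return [:allow, nil] unless coords
  coordinate = "#{coords[:group]}:#{coords[:artifact]}:#{coords[:version]}"
  rule = rules.find { |r| r.matches?(coordinate) }
  return [:allow, nil] unless rule
  audit = { timestamp: now.iso8601, decision: 'deny', path: path,
            package: "#{coords[:group]}:#{coords[:artifact]}",
            version: coords[:version], rule_id: rule.id, rule_pattern: rule.pattern }
  [:deny, audit]
end

# Constructed sample rules in the assumed JSON export format.
SAMPLE_RULES_JSON = <<~'JSON'
  [
    {"id": 1, "pattern": "\\Aorg\\.example\\.banned:", "description": "Whole group denied"},
    {"id": 2, "pattern": "\\Acom\\.example:widget:1\\.0\\.[0-2]\\z", "description": "Vulnerable patch releases"}
  ]
JSON
```

Note that maven-metadata.xml for a denied group still passes here, so a client can learn which versions exist; whether metadata requests should also be denied is a decision for the design document.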
Deliverables
- Technical design document outlining the proposed implementation approach
- List of potential challenges and limitations of the MVC approach
- Rough estimate of effort required for implementation
- Recommendations for future enhancements beyond the MVC
Edited by Tim Rizzi