Protected packages: Maven package push protection

What does this MR do and why?

  • Package push protection for Maven packages
  • Maven package type support in protection rules
  • Maven package deletion protection (out of scope)

Technical Implementation Details

  • Extends package protection rule validation to Maven format
  • Implements Maven-specific protection rule checks
  • Integrates with existing package protection infrastructure

🛠️ with ❤️ at Siemens

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)

Screenshots or screen recordings

Before

In the project settings, the package protection rules only allow the package types npm and pypi.

In the backend, maven packages can be uploaded as usual to the package registry.

After

Regarding the frontend, there is only a minimal change. As discussed in a previous MR, a UX review should not be necessary for this.


The main changes of the MR are related to the backend. When a package protection rule (for the package type maven) is defined, the maven package is protected and cannot be uploaded (published). The following console output shows that the mvn deploy command fails when the maven package is protected.

Console output for the command `mvn -s settings.xml deploy`:
➜  flight git:(main) ✗ mvn -s settings.xml deploy 
[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------------< flightjs:flight >---------------------------
[INFO] Building flight 1.7
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ flight ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/src/main/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ flight ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. build is platform dependent!
[INFO] Compiling 1 source file to /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/target/classes
[INFO] 
[INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ flight ---
[WARNING] Using platform encoding (UTF-8 actually) to copy filtered resources, i.e. build is platform dependent!
[INFO] skip non existing resourceDirectory /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/src/test/resources
[INFO] 
[INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ flight ---
[INFO] Changes detected - recompiling the module!
[WARNING] File encoding has not been set, using platform encoding UTF-8, i.e. build is platform dependent!
[INFO] Compiling 1 source file to /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/target/test-classes
[INFO] 
[INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ flight ---
[INFO] Surefire report directory: /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/target/surefire-reports

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running flightjs.AppTest
Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.023 sec

Results :

Tests run: 1, Failures: 0, Errors: 0, Skipped: 0

[INFO] 
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ flight ---
[INFO] Building jar: /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/target/flight-1.7.jar
[INFO] 
[INFO] --- maven-install-plugin:2.4:install (default-install) @ flight ---
[INFO] Installing /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/target/flight-1.7.jar to /Users/client-siemens/.m2/repository/flightjs/flight/1.7/flight-1.7.jar
[INFO] Installing /Users/client-siemens/Development/protected-packages-examples/maven_package/flight/pom.xml to /Users/client-siemens/.m2/repository/flightjs/flight/1.7/flight-1.7.pom
[INFO] 
[INFO] --- maven-deploy-plugin:2.7:deploy (default-deploy) @ flight ---
Uploading to gitlab-maven: http://gdk.test:3000/api/v4/projects/7/packages/maven/flightjs/flight/1.7/flight-1.7.jar
Uploading to gitlab-maven: http://gdk.test:3000/api/v4/projects/7/packages/maven/flightjs/flight/1.7/flight-1.7.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  2.000 s
[INFO] Finished at: 2025-01-29T14:47:27+01:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.7:deploy (default-deploy) on project flight: Failed to deploy artifacts: Could not transfer artifact flightjs:flight:jar:1.7 from/to gitlab-maven (http://gdk.test:3000/api/v4/projects/7/packages/maven): Authorization failed for http://gdk.test:3000/api/v4/projects/7/packages/maven/flightjs/flight/1.7/flight-1.7.jar 403 Forbidden -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException


Note: As shown in the console output, the command fails with the error "Authorization failed for http://gdk.test:3000/api/v4/projects/7/packages/maven/flightjs/flight/1.7/flight-1.7.jar 403 Forbidden". Unfortunately, it does not include the reason for the 403 Forbidden error, "Package protected.", that has been defined in the backend code, see !147055 (diffs). It would be helpful to include this message in the maven client output in order to point the user in the right direction. Until now, I have not found out what the backend REST API needs to respond to the maven client in order to show the message in the output.

How to set up and validate locally

  1. In the Rails console, enable the feature flag :packages_protected_packages_maven
     Feature.enable(:packages_protected_packages_maven)
  2. Go to the package settings page of the seeded project "flightjs/Flight": http://gdk.test:3000/flightjs/Flight/-/settings/packages_and_registries . Add a package protection rule with the value flightjs/flight for the field Package name pattern (package_name_pattern).
  3. Create a maven package as explained in the GitLab package guide
     mvn archetype:generate -DgroupId=flightjs -DartifactId=flight -DarchetypeArtifactId=maven-archetype-quickstart -DinteractiveMode=false
  4. Configure the maven remote with your local GDK package registry, see https://docs.gitlab.com/ee/user/packages/maven_repository/#authenticate-to-the-package-registry
  5. Create and upload the maven package with the following command
     mvn -s settings.xml clean deploy
  6. Go to the project's package overview list: http://gdk.test:3000/flightjs/Flight/-/packages
  7. The maven package (flightjs/flight) should not be in the list because the package is protected and was not successfully uploaded, see console output above 💥
  8. Change the artifactId entry in the pom.xml to other-flight
  9. Upload the maven package again
     mvn -s settings.xml clean deploy
  10. The maven package will now be successfully uploaded 🚀
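The validation steps above, as an added example that is not GitLab's own code: a minimal Ruby model of the push-protection decision this MR applies to Maven uploads, with the rule from the steps and the two uploads (artifactId flight, then other-flight). The struct names, the wildcard semantics of package_name_pattern and the parsing of the upload path are assumptions.

```ruby
# Added example, not GitLab's code. One rule as entered on the
# "Packages and registries" settings page. Assumed: the pattern is matched
# against the Maven package name "<groupId path>/<artifactId>" and "*"
# matches any run of characters.
ProtectionRule = Struct.new(:package_type, :package_name_pattern, keyword_init: true) do
  def matches?(package_type:, package_name:)
    return false unless self.package_type == package_type

    pattern = Regexp.escape(package_name_pattern).gsub('\*', '.*')
    Regexp.new("\\A#{pattern}\\z").match?(package_name)
  end
end

# The deploy plugin PUTs to .../packages/maven/<groupId path>/<artifactId>/<version>/<file>;
# the package name is everything before the version segment (assumed layout).
def maven_package_name_from_path(upload_path)
  _file, _version, artifact_id, *group = upload_path.split('/').reverse
  "#{group.reverse.join('/')}/#{artifact_id}"
end

Decision = Struct.new(:status, :message, keyword_init: true)

# Returns 403 with the backend message quoted in the MR when any maven rule
# matches. The Maven client only surfaces the status code, as in the console
# output above, so the message is useful for server-side logs and API tests.
def authorize_maven_push(rules, upload_path)
  package_name = maven_package_name_from_path(upload_path)
  blocked = rules.any? { |r| r.matches?(package_type: 'maven', package_name: package_name) }
  return Decision.new(status: 403, message: 'Package protected.') if blocked

  Decision.new(status: 200, message: 'OK')
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: the rule from the validation steps, then the two
  # uploads (flight is protected, other-flight is not).
  rules = [ProtectionRule.new(package_type: 'maven', package_name_pattern: 'flightjs/flight')]
  %w[flightjs/flight/1.7/flight-1.7.jar flightjs/other-flight/1.7/other-flight-1.7.jar].each do |path|
    d = authorize_maven_push(rules, path)
    puts "#{path} -> #{d.status} #{d.message}"
  end
end
```

A rule for a different package type (for example npm) never blocks a maven upload, and a pattern like flightjs/* would cover every artifact under that groupId.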

Related to #323969 (closed)

Edited by Gerardo Navarro
