
Log audit events for virtual registry cleanup policy

Context

This MR implements audit event logging for virtual registry clean-up policy operations, providing visibility and compliance tracking when cache entries are automatically marked for deletion.

What does this MR do and why?

  1. Adds audit event capability for virtual registry cache entries:
    • Makes both VirtualRegistries::Container::Cache::Entry and VirtualRegistries::Packages::Maven::Cache::Entry auditable by including the ::Auditable module
    • Creates a new audit event type virtual_registry_cache_entry_deleted
  2. Implements audit event creation service:
    • Creates VirtualRegistries::Cleanup::CreateAuditEventsService to generate audit events for deleted cache entries
    • Captures essential information: which entries were marked for deletion, and when
    • Uses the group's first owner as the audit event author (or UnauthenticatedAuthor if no owner exists)
  3. Integrates with clean-up policy execution:
    • Modifies VirtualRegistries::Cleanup::ExecutePolicyService to collect paths of entries being deleted
    • Updates the SQL query to return both size and relative_path (previously only returned size)
    • Calls the audit service after marking entries for destruction
  4. Provides comprehensive audit trail:
    • Each deleted cache entry generates a separate audit event
    • Events include target details showing the specific path that was marked for deletion
    • Events are scoped to the root group level

Note: the virtual registry clean-up policy feature is gated behind a feature flag, so after this MR merges no audit events will be created unless that feature flag is enabled.
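To make the flow in items 2 and 3 concrete, here is an added, self-contained sketch in plain Ruby (no Rails). It is not the MR's code and not GitLab's: the `Group`, `Policy`, `CacheEntry`, `AuditEvent` and `UnauthenticatedAuthor` structs are constructed stand-ins, and the two service classes only reproduce the behaviour the description states: select entries older than `keep_n_days_after_download`, mark them, collect `size` and `relative_path` per row, then emit one `virtual_registry_cache_entry_deleted` event per path with the group's first owner as author (falling back to an unauthenticated author) and the root group as scope.

```ruby
require 'time'

# Constructed stand-ins; the real models, ::Auditable and the audit event
# queue are not loaded here.
AUDIT_EVENT_NAME = 'virtual_registry_cache_entry_deleted'
DAY = 24 * 60 * 60

Group      = Struct.new(:name, :owners, keyword_init: true)
Policy     = Struct.new(:group, :keep_n_days_after_download, keyword_init: true)
CacheEntry = Struct.new(:relative_path, :size, :downloaded_at, :marked_for_destruction,
                        keyword_init: true)
AuditEvent = Struct.new(:name, :author, :scope, :target_path, :recorded_at,
                        keyword_init: true)
# Fallback author used when the group has no owner (stand-in for the MR's UnauthenticatedAuthor).
UnauthenticatedAuthor = Struct.new(:name)

class CreateAuditEventsService
  def initialize(group:, paths:, now:)
    @group, @paths, @now = group, paths, now
  end

  # One event per deleted path. Author: the group's first owner, else the fallback.
  # Scope: the root group (the policy here lives on the root group, as in the setup steps).
  def execute
    author = @group.owners.first || UnauthenticatedAuthor.new('An unauthenticated user')
    @paths.map do |path|
      AuditEvent.new(name: AUDIT_EVENT_NAME, author: author, scope: @group,
                     target_path: path, recorded_at: @now)
    end
  end
end

class ExecutePolicyService
  def initialize(policy, entries, now:)
    @policy, @entries, @now = policy, entries, now
  end

  def execute
    cutoff = @now - @policy.keep_n_days_after_download * DAY
    # Entries already marked are skipped so they are not audited twice.
    stale = @entries.reject(&:marked_for_destruction).select { |e| e.downloaded_at < cutoff }
    stale.each { |e| e.marked_for_destruction = true }
    # Equivalent of the query now returning size *and* relative_path per row.
    rows = stale.map { |e| [e.size, e.relative_path] }
    events = CreateAuditEventsService.new(group: @policy.group,
                                          paths: rows.map(&:last), now: @now).execute
    { deleted_entries_count: rows.size, deleted_size: rows.sum(&:first), audit_events: events }
  end
end

# Constructed sample run: two stale entries, one fresh, one already marked.
def run_cleanup(owners: ['alice'])
  now    = Time.utc(2025, 10, 22, 19, 46, 41)
  group  = Group.new(name: 'root', owners: owners)
  policy = Policy.new(group: group, keep_n_days_after_download: 30)
  entries = [
    CacheEntry.new(relative_path: 'org/a/1.0/a-1.0.jar', size: 1024,
                   downloaded_at: now - 35 * DAY, marked_for_destruction: false),
    CacheEntry.new(relative_path: 'org/b/2.0/b-2.0.pom', size: 1024,
                   downloaded_at: now - 40 * DAY, marked_for_destruction: false),
    CacheEntry.new(relative_path: 'org/c/3.0/c-3.0.jar', size: 4096,
                   downloaded_at: now - 5 * DAY, marked_for_destruction: false),
    CacheEntry.new(relative_path: 'org/d/4.0/d-4.0.jar', size: 512,
                   downloaded_at: now - 50 * DAY, marked_for_destruction: true)
  ]
  ExecutePolicyService.new(policy, entries, now: now).execute
end

if __FILE__ == $PROGRAM_NAME
  result = run_cleanup
  puts "deleted #{result[:deleted_entries_count]} entries, #{result[:deleted_size]} bytes"
  result[:audit_events].each { |e| puts "#{e.name} by #{e.author} -> #{e.target_path}" }
end
```

Running the sample gives the same shape as the console output in the validation steps below: two entries marked, 2048 bytes, and two audit events, each naming one path. Passing `owners: []` shows the fallback author path, which is worth checking in review because an event attributed to an unauthenticated author is still a real deletion record and must not be dropped.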

References

Screenshots or screen recordings

Screenshot_2025-10-22_at_19.46.41

How to set up and validate locally

  1. Create a virtual registry clean-up policy for a group:

    group = Group.all.detect(&:root?)
    policy = VirtualRegistries::Cleanup::Policy.create!(group: group, keep_n_days_after_download: 30)
  2. Create some test Maven cache entries with old download dates:

    upstream = FactoryBot.create(:virtual_registries_packages_maven_upstream, group: group)
    
    # stub file upload
    def fixture_file_upload(*args, **kwargs)
      Rack::Test::UploadedFile.new(*args, **kwargs)
    end
    
    old_entry1 = FactoryBot.create(:virtual_registries_packages_maven_cache_entry, upstream: upstream, downloaded_at: Time.current - 35.days)
    old_entry2 = FactoryBot.create(:virtual_registries_packages_maven_cache_entry, upstream: upstream, downloaded_at: Time.current - 40.days)
  3. Execute the clean-up policy:

    RequestStore.begin! # this is needed so that audit events can be stored and pulled from `Gitlab::Audit::EventQueue`
    
    VirtualRegistries::Cleanup::ExecutePolicyService.new(policy).execute
    => #<ServiceResponse:0x000000014aad1f10
     @http_status=:ok,
     @message=nil,
     @payload={:maven=>{:deleted_entries_count=>2, :deleted_size=>2048}, :container=>{:deleted_entries_count=>0, :deleted_size=>0}},
     @reason=nil,
     @status=:success>
  4. Navigate to the group audit events page in the UI. Two audit events, one for each cache entry marked for destruction, should be displayed on the page.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #577531

Edited by Moaz Khalifa
