Log audit events for denied artifacts in Maven virtual registry

What does this MR do and why?

When Maven virtual registry upstreams are filtered out by allow/deny rules, the event was silently dropped with no visibility for compliance purposes. This MR introduces audit event logging for denied upstream artifacts so administrators can track which package requests were blocked and by which upstream.

Changes

FiltrationService — the service previously only returned allowed_upstreams. It now also returns denied_upstreams by partitioning all upstreams against the computed denied IDs (which are memoized via strong_memoize_attr to avoid duplicate queries).

HandleFileRequestService — a new log_filtration_audit_events private method fires one audit event per denied upstream. The rescue is placed inside the each block so a failure on one upstream does not prevent the remaining upstreams from being audited, and does not halt the file request flow. Errors are tracked via Gitlab::ErrorTracking.

New audit event type virtual_registries_packages_maven_upstream_artifact_denied registered in ee/config/audit_events/types/ and documented in doc/user/compliance/audit_event_types.md.
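As an added illustration (not the MR's code), the partition-and-audit pattern described above in plain Ruby: FiltrationService, HandleFileRequestService, DenyRule, Upstream and the audit/error sinks are assumed stand-ins for the real classes, and only the audit event type name comes from this MR.

```ruby
# Added example, not GitLab's code: a stand-alone model of the flow this MR describes.
Upstream = Struct.new(:id, :url)
DenyRule = Struct.new(:upstream_id, :pattern) do
  # Assumption: wildcard pattern such as 'org.spring*' matched against a dotted package name.
  def match?(package)
    File.fnmatch?(pattern, package)
  end
end

class FiltrationService
  def initialize(upstreams:, rules:, package:)
    @upstreams, @rules, @package = upstreams, rules, package
  end

  # Returns both sides of the partition so the caller can audit the denied upstreams.
  def execute
    allowed, denied = @upstreams.partition { |u| !denied_ids.include?(u.id) }
    { allowed_upstreams: allowed, denied_upstreams: denied }
  end

  private

  # Memoized (stand-in for strong_memoize_attr): rules are evaluated once per request.
  def denied_ids
    @denied_ids ||= @rules.select { |r| r.match?(@package) }.map(&:upstream_id)
  end
end

class HandleFileRequestService
  AUDIT_EVENT = 'virtual_registries_packages_maven_upstream_artifact_denied'
  FILTERED_OUT = 'All upstreams are filtered out because of existing allow/deny rules'

  def initialize(filtration:, audit_sink:, error_sink:)
    @filtration, @audit_sink, @error_sink = filtration, audit_sink, error_sink
  end

  def execute
    result = @filtration.execute
    log_filtration_audit_events(result[:denied_upstreams])
    return { error: FILTERED_OUT } if result[:allowed_upstreams].empty?
    { upstreams: result[:allowed_upstreams] }
  end

  private

  # One event per denied upstream; the rescue sits inside the block so a failing
  # sink call neither skips the remaining upstreams nor aborts the file request.
  def log_filtration_audit_events(denied)
    denied.each do |upstream|
      @audit_sink.call(name: AUDIT_EVENT, upstream_id: upstream.id)
    rescue StandardError => e
      @error_sink.call(e) # stand-in for Gitlab::ErrorTracking.track_exception
    end
  end
end
```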

EE: true
Changelog: added

References

Screenshots or screen recordings


How to set up and validate locally

  1. Enable the feature flag: Feature.enable(:maven_virtual_registry).

  2. Have a PAT and a root group (any visibility) ready.

  3. Create a registry and an upstream:

    r = ::VirtualRegistries::Packages::Maven::Registry.create!(group: <root_group>)
    u = ::VirtualRegistries::Packages::Maven::Upstream.create!(group: <root_group>, url: 'https://repo1.maven.org/maven2')
    VirtualRegistries::Packages::Maven::RegistryUpstream.create!(group: <root_group>, registry: r, upstream: u)
  4. Create a deny rule:

    FactoryBot.create(:virtual_registries_packages_maven_upstream_rule, :group_id, :wildcard, :deny, pattern: 'org.spring*', remote_upstream: u, group: <root_group>)
  5. Pull a Maven artifact:

    $ curl --header "Private-Token: <PAT>" "http://gdk.test:8000/api/v4/virtual_registries/packages/maven/<r.id>/org/springframework/spring-web/6.1.12/spring-web-6.1.12.pom"
    • you should get the error: {"message":"400 Bad request - All upstreams are filtered out because of existing allow/deny rules"}
  6. Navigate to http://gdk.test:3000/groups/<root_group_fullpath>/-/audit_events and you should find the audit event created for the denied artifact.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #585125 (closed)

Edited by Moaz Khalifa
