Add logging for Dependency Proxy IP traffic

What does this MR do and why?

We are planning on releasing #363827 (closed) in 15.4. Due to the breaking nature of that change (that issue is confidential so please be aware when reading through it and discussing here), we have first decided to add some logging so we can identify any customers who may be affected by that update and proactively notify them. See this internal thread for why we have decided to take this implementation path.

This MR adds logging to the Dependency Proxy when used with the Group IP restriction feature.

Screenshots or screen recordings

Pull from an IP restricted group with a developer out of range

    ~ docker login gdk.test:3000
    Username: bob
    Password:

    Login Succeeded
    ~ docker pull gdk.test:3000/mygroup1/dependency_proxy/containers/alpine:latest
    latest: Pulling from mygroup1/dependency_proxy/containers/alpine
    213ec9aee27d: Pull complete
    Digest: sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870
    Status: Downloaded newer image for gdk.test:3000/mygroup1/dependency_proxy/containers/alpine:latest
    gdk.test:3000/mygroup1/dependency_proxy/containers/alpine:latest

View log/auth.log

    {
       "severity":"WARN",
       "time":"2022-08-26T14:23:59.191Z",
       "correlation_id":"01GBD8KH4RKY84A60B1VWVMHMB",
       "class":"Groups::DependencyProxyForContainersController",
       "message":"IP restriction violation",
       "authenticated_subject_id":45,
       "authenticated_subject_type":"User",
       "authenticated_subject_username":"bob",
       "group_id":84,
       "group_path":"mygroup1",
       "ip":"127.0.0.1"
    }

How to set up and validate locally

To test this, you will need to:

  1. Create a new user and add them as a Developer to the group.

  2. Using your admin user, go to the Group settings -> General -> Permissions and group features, and add an IP address that is not your loopback address to the Restrict access by IP address field. I used 192.168.200.200.

  3. Log into the Dependency Proxy with the Developer user (username/password or username/PAT will work):

    docker login gdk.test:3000

  4. Try to pull an image through the Dependency Proxy with your Developer user:

    docker pull gdk.test:3000/<group_path>/dependency_proxy/containers/alpine:latest

  5. Tail or view the end of the log/auth.log file.

  6. The warning should be present.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Steve Abrams
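
The warning above exists so that affected groups can be found before the breaking change ships. The following is an added example, not code from this MR or from GitLab, that aggregates those warnings per group. It assumes auth.log holds one JSON event per line; `summarize_violations`, `_event` and all sample lines are hypothetical and constructed for the illustration.

```python
import json
from collections import defaultdict

CONTROLLER = "Groups::DependencyProxyForContainersController"
MESSAGE = "IP restriction violation"

def _event(**overrides):
    # Hypothetical helper: builds a constructed log line using the MR's field names.
    base = {"severity": "WARN", "time": "2022-08-26T14:23:59.191Z",
            "class": CONTROLLER, "message": MESSAGE,
            "authenticated_subject_id": 45, "authenticated_subject_type": "User",
            "authenticated_subject_username": "bob", "group_id": 84,
            "group_path": "mygroup1", "ip": "127.0.0.1"}
    return json.dumps({**base, **overrides})

# Constructed sample input (assumption: one JSON event per line in auth.log).
SAMPLE_AUTH_LOG = [
    _event(),
    _event(time="2022-08-26T14:25:02.000Z"),  # same user pulls again
    _event(authenticated_subject_id=46, authenticated_subject_username="alice", ip="10.0.0.7"),
    _event(group_id=90, group_path="othergroup", ip="10.0.0.9"),
    _event(severity="INFO", message="unrelated auth event"),  # must be ignored
    "truncated or non-JSON line",                              # must not crash the scan
]

def summarize_violations(lines):
    """Return ({group_path: summary}, count of lines that could not be parsed)."""
    groups = defaultdict(lambda: {"group_id": None, "events": 0, "subjects": set(), "ips": set()})
    skipped = 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            skipped += 1
            continue
        if event.get("class") != CONTROLLER or event.get("message") != MESSAGE:
            continue
        entry = groups[str(event.get("group_path"))]
        entry["group_id"] = event.get("group_id")
        entry["events"] += 1
        # Fall back to the subject id when the event carries no username.
        subject = event.get("authenticated_subject_username") or event.get("authenticated_subject_id")
        entry["subjects"].add(str(subject))
        entry["ips"].add(str(event.get("ip")))
    return {p: {**e, "subjects": sorted(e["subjects"]), "ips": sorted(e["ips"])}
            for p, e in groups.items()}, skipped

if __name__ == "__main__":
    for path, e in sorted(summarize_violations(SAMPLE_AUTH_LOG)[0].items()):
        print(path, e["group_id"], e["events"], e["subjects"], e["ips"])
```
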
