diff --git a/ee/app/services/ee/audit_event_service.rb b/ee/app/services/ee/audit_event_service.rb
index 21c18ca3430a0295b9da5f54fc20f050bd137872..cf807a128ce5cef8c55b9bda9dff46482452f4fe 100644
--- a/ee/app/services/ee/audit_event_service.rb
+++ b/ee/app/services/ee/audit_event_service.rb
@@ -68,24 +68,6 @@ def for_member(member) self end - # Builds the @details attribute for project group link - # - # This expects [String] :action of :destroy, :create, :update to be - # specified in @details attribute - # - # @param [ProjectGroupLink] group_link object being audited - # - # @return [AuditEventService] - def for_project_group_link(group_link) - @details = custom_project_link_group_attributes(group_link) .merge(author_name: @author.name, target_id: group_link.project.id, target_type: 'Project', target_details: group_link.project.full_path) - self - end - # Builds the @details attribute for a failed login # # @return [AuditEventService]
@@ -310,23 +292,6 @@ def add_impersonation_details! end end - def custom_project_link_group_attributes(group_link) - case @details[:action] - when :destroy - { remove: 'project_access' } - when :create - { - add: 'project_access', - as: group_link.human_access - } - when :update - { - change: 'access_level', - from: @details[:old_access_level], - to: group_link.human_access - } - end - end # rubocop:enable Gitlab/ModuleWithInstanceVariables end end
diff --git a/ee/app/services/ee/projects/group_links/create_service.rb b/ee/app/services/ee/projects/group_links/create_service.rb
index a89ecc54cc15b52306ce84db24345ebfaf61f1f3..09d9faf592256e51fd3cc161b14ff899eb1527bb 100644
--- a/ee/app/services/ee/projects/group_links/create_service.rb
+++ b/ee/app/services/ee/projects/group_links/create_service.rb
@@ -18,8 +18,7 @@ def execute def after_successful_save super - log_audit_event - project_stream_audit_event + send_audit_event end def allowed_to_be_shared_with? 
@@ -39,22 +38,18 @@ def error_message _('This group cannot be invited to a project inside a group with enforced SSO') end - def log_audit_event - ::AuditEventService.new( - current_user, - link.group, - action: :create - ).for_project_group_link(link).security_event - end - - def project_stream_audit_event + def send_audit_event audit_context = { - name: 'project_group_link_create', - stream_only: true, + name: 'project_group_link_created', author: current_user, - scope: project, - target: link.group, - message: "Added project group link" + scope: link.group, + target: project, + target_details: project.full_path, + message: 'Added project group link', + additional_details: { + add: 'project_access', + as: link.human_access + } } ::Gitlab::Audit::Auditor.audit(audit_context)
diff --git a/ee/app/services/ee/projects/group_links/destroy_service.rb b/ee/app/services/ee/projects/group_links/destroy_service.rb
index 1aa5b8eb6a56134d15553946974d363cb3705c44..6fbea796ba364f1bf64c2e73ce3ad6ed65728343 100644
--- a/ee/app/services/ee/projects/group_links/destroy_service.rb
+++ b/ee/app/services/ee/projects/group_links/destroy_service.rb 
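Review bot: `scope: link.group` with `target: project` here, and the matching `scope: group_link.group` in the destroy_service.rb hunk, is the mirror image of the update_service.rb hunk, which keeps `scope: project` and `target: group_link.group`, so the three lifecycle events of one link are attributed to two different entities. Scope is presumably what decides which audit log and which streaming destinations receive an event, so a link's creation and deletion would appear under the group while its updates appear under the project — confirm that is intended. If it is not, align the update event to `scope: group_link.group, target: project, target_details: project.full_path`; if it is, a one-line comment above each `audit_context`, such as `# Deliberately scoped to the invited group, not the project`, spares the next reader the detour through the specs. `send_audit_event` closes outside the hunk.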
@@ -9,33 +9,25 @@ module DestroyService override :execute def execute(group_link) super.tap do |link| - if link && !link&.persisted? - log_audit_event(link) - project_stream_audit_event(link) - end + send_audit_event(link) if link && !link&.persisted? end end private - def log_audit_event(group_link) - ::AuditEventService.new( - current_user, - group_link.group, - action: :destroy - ).for_project_group_link(group_link).security_event - end - - def project_stream_audit_event(group_link) + def send_audit_event(group_link) return unless current_user audit_context = { - name: 'project_group_link_destroy', - stream_only: true, + name: 'project_group_link_deleted', author: current_user, - scope: project, - target: group_link.group, - message: "Removed project group link" + scope: group_link.group, + target: project, + target_details: project.full_path, + message: 'Removed project group link', + additional_details: { + remove: 'project_access' + } } ::Gitlab::Audit::Auditor.audit(audit_context)
diff --git a/ee/app/services/ee/projects/group_links/update_service.rb b/ee/app/services/ee/projects/group_links/update_service.rb
index cf0e0790230604c626109c0dfc4ad577ba5095da..33a7739b2e5ecc49f51fdfaacb45b9bb7b21b94d 100644
--- a/ee/app/services/ee/projects/group_links/update_service.rb
+++ b/ee/app/services/ee/projects/group_links/update_service.rb
@@ -10,21 +10,23 @@ module UpdateService def execute(group_link_params) super - project_stream_audit_event(group_link) + send_audit_event end private - def project_stream_audit_event(group_link) + def send_audit_event return unless saved_changes_present? + message, details = audit_message + audit_context = { - name: 'project_group_link_update', - stream_only: true, + name: 'project_group_link_updated', author: current_user, scope: project, target: group_link.group, - message: audit_message(group_link) + message: message, + additional_details: details } ::Gitlab::Audit::Auditor.audit(audit_context) 
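Review bot: `return unless current_user` in `send_audit_event` means a link removal reached without an acting user leaves no audit record at all; the guard is carried over from the old streaming method, but the removed `log_audit_event` had no such guard, so whatever record it produced for that case is now gone. If the service can genuinely run without `current_user` (the guard suggests it can), either state that the gap is accepted, `# No acting user available: the unlink is not audited`, or attribute the event to a system author instead of skipping it. As a style nit, the safe-navigation in `send_audit_event(link) if link && !link&.persisted?` is redundant once `link &&` has been checked; `if link && !link.persisted?` reads cleaner. `send_audit_event` closes outside the hunk.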
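Review bot: The update event's `audit_context` has no `target_details`, whereas the created and deleted events in create_service.rb and destroy_service.rb both set `target_details: project.full_path`. With `stream_only: true` dropped and the new `project_group_link_updated.yml` declaring `saved_to_database: true`, this event is now persisted as well, so the stored record will presumably lack the target path the other two carry. Add `target_details: group_link.group.full_path,` after `target: group_link.group,` (or the project path, if the target is aligned with the other two events). `send_audit_event` closes outside the hunk.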
@@ -34,22 +36,25 @@ def saved_changes_present? group_link.saved_changes['group_access'].present? || group_link.saved_changes['expires_at'].present? end - def audit_message(group_link) + def audit_message changes = [] + details = { change: {} } if group_link.saved_changes['group_access'].present? old_value, new_value = group_link.saved_changes['group_access'].map { |v| ::Gitlab::Access.human_access(v) } property = :group_access changes << "profile #{property} from #{old_value} to #{new_value}" + details[:change].update({ access_level: { from: old_value, to: new_value } }) end if group_link.saved_changes['expires_at'].present? old_value, new_value = group_link.saved_changes['expires_at'] property = :expires_at changes << "profile #{property} from #{old_value || 'nil'} to #{new_value || 'nil'}" + details[:change].update({ invite_expiry: { from: old_value || 'nil', to: new_value || 'nil' } }) end - "Changed project group link #{changes.join(' ')}" + ["Changed project group link #{changes.join(' ')}", details] end end end
diff --git a/ee/config/audit_events/types/project_group_link_created.yml b/ee/config/audit_events/types/project_group_link_created.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ecf6071adb82b4d0be9bc53a4ab2346ca955adf2
--- /dev/null
+++ b/ee/config/audit_events/types/project_group_link_created.yml
@@ -0,0 +1,9 @@
+---
+name: project_group_link_created
+description: Event triggered when a group is invited to a project
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374114
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/108918
+feature_category: compliance_management
+milestone: '15.9'
+saved_to_database: true
+streamed: true
diff --git a/ee/config/audit_events/types/project_group_link_deleted.yml b/ee/config/audit_events/types/project_group_link_deleted.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a9fc9c0ef139d712e6a82346e7e7f0903c1432dd
--- /dev/null 
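Review bot: `details[:change].update({ invite_expiry: { from: old_value || 'nil', to: new_value || 'nil' } })` writes the literal string `'nil'` into the structured `additional_details`, so a consumer of the persisted or streamed payload cannot distinguish an absent expiry from a value that happens to read "nil"; the `|| 'nil'` substitution belongs to the human-readable message only, and the structured field should carry a real `nil` (null once serialised). Use `details[:change][:invite_expiry] = { from: old_value, to: new_value }`, and the same indexing form for `access_level`, since `update` with a braced literal is the roundabout way to set a single key; the expectations in update_service_spec.rb pin `from: 'nil'` and would need to follow. The method now returns a `[message, details]` pair but is still named `audit_message`; renaming it to something like `audit_message_and_details`, or adding `# @return [Array(String, Hash)] the message and the structured change details`, would make the destructuring in `send_audit_event` self-explanatory.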
+++ b/ee/config/audit_events/types/project_group_link_deleted.yml
@@ -0,0 +1,9 @@
+---
+name: project_group_link_deleted
+description: Event triggered when a project group link is deleted
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374114
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/108918
+feature_category: compliance_management
+milestone: '15.9'
+saved_to_database: true
+streamed: true
diff --git a/ee/config/audit_events/types/project_group_link_updated.yml b/ee/config/audit_events/types/project_group_link_updated.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f024e13c87065b5fac08e0129548e7d4c297fc5d
--- /dev/null
+++ b/ee/config/audit_events/types/project_group_link_updated.yml
@@ -0,0 +1,9 @@
+---
+name: project_group_link_updated
+description: Event triggered when a project group link is updated
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374114
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/108918
+feature_category: compliance_management
+milestone: '15.9'
+saved_to_database: true
+streamed: true
diff --git a/ee/spec/services/audit_event_service_spec.rb b/ee/spec/services/audit_event_service_spec.rb
index e95e7a631ccfea597d920111f05de483350fc47e..40a591e34895f1caa54d0ffae4e9eb167cd20e04 100644
--- a/ee/spec/services/audit_event_service_spec.rb
+++ b/ee/spec/services/audit_event_service_spec.rb 
@@ -347,22 +347,6 @@ end end - describe '#for_project_group_link' do - let_it_be(:current_user) { create(:user) } - let_it_be(:project) { create(:project) } - let_it_be(:group) { create(:group) } - let_it_be(:link) { create(:project_group_link, group: group, project: project) } - - let(:options) { { action: :create } } - - subject(:event) { described_class.new(current_user, project, options).for_project_group_link(link).security_event } - - it 'sets the target_type attribute' do - expect(event.details[:target_type]).to eq('Project') - expect(event.target_type).to eq('Project') - end - end - describe '#for_user' do let(:current_user) { create(:user) } let(:user) { create(:user) }
diff --git a/ee/spec/services/projects/group_links/create_service_spec.rb b/ee/spec/services/projects/group_links/create_service_spec.rb
index fcf37fd9030926324ba213eba2bdcc1ca5575cac..5a54140e9c52edfd374fa867431f7328990c2424 100644
--- a/ee/spec/services/projects/group_links/create_service_spec.rb
+++ b/ee/spec/services/projects/group_links/create_service_spec.rb
@@ -32,6 +32,8 @@ add: 'project_access', as: 'Developer', author_name: user.name, + author_class: 'User', + custom_message: 'Added project group link', target_id: project.id, target_type: 'Project', target_details: project.full_path
@@ -42,12 +44,16 @@ it 'sends the audit streaming event' do audit_context = { - name: 'project_group_link_create', - stream_only: true, + name: 'project_group_link_created', author: user, - scope: project, - target: group, - message: "Added project group link" + scope: group, + target: project, + target_details: project.full_path, + message: 'Added project group link', + additional_details: { + add: 'project_access', + as: 'Developer' + } } expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context) 
diff --git a/ee/spec/services/projects/group_links/destroy_service_spec.rb b/ee/spec/services/projects/group_links/destroy_service_spec.rb
index 669d727b69f83e0c0fed593836b74e4c96376849..4591a3912c28a28b709cb48cf9cf18a93ff2e1aa 100644
--- a/ee/spec/services/projects/group_links/destroy_service_spec.rb
+++ b/ee/spec/services/projects/group_links/destroy_service_spec.rb
@@ -26,9 +26,11 @@ details: { remove: 'project_access', author_name: user.name, + author_class: 'User', target_id: project.id, target_type: 'Project', - target_details: project.full_path + target_details: project.full_path, + custom_message: 'Removed project group link' } } end
@@ -36,12 +38,15 @@ it 'sends the audit streaming event' do audit_context = { - name: 'project_group_link_destroy', - stream_only: true, + name: 'project_group_link_deleted', author: user, - scope: project, - target: group, - message: "Removed project group link" + scope: group, + target: project, + target_details: project.full_path, + message: 'Removed project group link', + additional_details: { + remove: 'project_access' + } } expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context)
diff --git a/ee/spec/services/projects/group_links/update_service_spec.rb b/ee/spec/services/projects/group_links/update_service_spec.rb
index 366538abdd809018a4638a4c2edfae057b2057a9..6a1407084d5934b8003caf1c1761a09b981e722a 100644
--- a/ee/spec/services/projects/group_links/update_service_spec.rb
+++ b/ee/spec/services/projects/group_links/update_service_spec.rb 
@@ -24,13 +24,18 @@ context 'audit events' do it 'sends the audit streaming event' do audit_context = { - name: 'project_group_link_update', - stream_only: true, + name: 'project_group_link_updated', author: user, scope: project, target: group, message: "Changed project group link profile group_access from Developer to Guest \ -profile expires_at from nil to #{expiry_date}" +profile expires_at from nil to #{expiry_date}", + additional_details: { + change: { + access_level: { from: 'Developer', to: 'Guest' }, + invite_expiry: { from: 'nil', to: expiry_date } + } + } } expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context)
@@ -44,12 +49,16 @@ it 'sends the audit streaming event' do audit_context = { - name: 'project_group_link_update', - stream_only: true, + name: 'project_group_link_updated', author: user, scope: project, target: group, - message: "Changed project group link profile expires_at from nil to #{expiry_date}" + message: "Changed project group link profile expires_at from nil to #{expiry_date}", + additional_details: { + change: { + invite_expiry: { from: 'nil', to: expiry_date } + } + } } expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context)
@@ -80,12 +89,16 @@ it 'sends the audit streaming event' do audit_context = { - name: 'project_group_link_update', - stream_only: true, + name: 'project_group_link_updated', author: user, scope: project, target: group, - message: "Changed project group link profile group_access from Developer to Guest" + message: "Changed project group link profile group_access from Developer to Guest", + additional_details: { + change: { + access_level: { from: 'Developer', to: 'Guest' } + } + } } expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context)