From 86da1761b1662b3414c364a053dbb0ccae4dd52f Mon Sep 17 00:00:00 2001
From: Aaron Huntsman <ahuntsman@gitlab.com>
Date: Mon, 6 Feb 2023 15:29:00 -0600
Subject: [PATCH 1/3] Add audit event type for repository_download_started

---
 .../types/repository_download_started.yml         |  9 +++++++++
 ee/lib/ee/api/helpers.rb                          | 15 ++++++++++-----
 2 files changed, 19 insertions(+), 5 deletions(-)
 create mode 100644 ee/config/audit_events/types/repository_download_started.yml

diff --git a/ee/config/audit_events/types/repository_download_started.yml b/ee/config/audit_events/types/repository_download_started.yml
new file mode 100644
index 00000000000000..89f7045d823fff
--- /dev/null
+++ b/ee/config/audit_events/types/repository_download_started.yml
@@ -0,0 +1,9 @@
+---
+name: repository_download_started
+description: Event triggered when a Git repository for a project is downloaded
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374108
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111218
+feature_category: compliance_management
+milestone: '15.9'
+saved_to_database: true
+streamed: true
diff --git a/ee/lib/ee/api/helpers.rb b/ee/lib/ee/api/helpers.rb
index cf2151e27cb105..6d4b339ca717f4 100644
--- a/ee/lib/ee/api/helpers.rb
+++ b/ee/lib/ee/api/helpers.rb
@@ -119,11 +119,16 @@ def send_git_archive(repository, **kwargs)
         result = ::Users::Abuse::ProjectsDownloadBanCheckService.execute(current_user, repository.project)
         forbidden!(_('You are not allowed to download code from this project.')) if result.error?
 
-        ::AuditEvents::RepositoryDownloadStartedAuditEventService.new(
-          current_user,
-          repository.project,
-          ip_address
-        ).for_project.security_event
+        audit_context = {
+          name: 'repository_download_started',
+          ip_address: ip_address,
+          author: current_user,
+          target: repository.project,
+          scope: repository.project,
+          message: "Repository Download Started",
+          target_details: repository.project.full_path
+        }
+        ::Gitlab::Audit::Auditor.audit(audit_context)
 
         super
       end
-- 
GitLab


From 1c2837bb372b891f9661408336a1a3d222b4adae Mon Sep 17 00:00:00 2001
From: Aaron Huntsman <ahuntsman@gitlab.com>
Date: Fri, 10 Feb 2023 11:06:51 -0600
Subject: [PATCH 2/3] Rename audit event to repository_download_operation

---
 ..._started.yml => repository_download_operation.yml} |  2 +-
 ee/lib/ee/api/helpers.rb                              | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
 rename ee/config/audit_events/types/{repository_download_started.yml => repository_download_operation.yml} (90%)

diff --git a/ee/config/audit_events/types/repository_download_started.yml b/ee/config/audit_events/types/repository_download_operation.yml
similarity index 90%
rename from ee/config/audit_events/types/repository_download_started.yml
rename to ee/config/audit_events/types/repository_download_operation.yml
index 89f7045d823fff..8eefb88dbd2a1a 100644
--- a/ee/config/audit_events/types/repository_download_started.yml
+++ b/ee/config/audit_events/types/repository_download_operation.yml
@@ -1,5 +1,5 @@
 ---
-name: repository_download_started
+name: repository_download_operation
 description: Event triggered when a Git repository for a project is downloaded
 introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374108
 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111218
diff --git a/ee/lib/ee/api/helpers.rb b/ee/lib/ee/api/helpers.rb
index 6d4b339ca717f4..17570479bbe9d7 100644
--- a/ee/lib/ee/api/helpers.rb
+++ b/ee/lib/ee/api/helpers.rb
@@ -119,14 +119,15 @@ def send_git_archive(repository, **kwargs)
         result = ::Users::Abuse::ProjectsDownloadBanCheckService.execute(current_user, repository.project)
         forbidden!(_('You are not allowed to download code from this project.')) if result.error?
 
+        project = repository.project
         audit_context = {
-          name: 'repository_download_started',
+          name: 'repository_download_operation',
           ip_address: ip_address,
-          author: current_user,
-          target: repository.project,
-          scope: repository.project,
+          author: current_user || ::Gitlab::Audit::UnauthenticatedAuthor.new,
+          target: project,
+          scope: project,
           message: "Repository Download Started",
-          target_details: repository.project.full_path
+          target_details: project.full_path
         }
         ::Gitlab::Audit::Auditor.audit(audit_context)
 
-- 
GitLab


From 33fddfa86d6deb0580725467328d644eea7fa6e8 Mon Sep 17 00:00:00 2001
From: Aaron Huntsman <ahuntsman@gitlab.com>
Date: Thu, 16 Feb 2023 13:47:35 -0600
Subject: [PATCH 3/3] Delete unused RepositoryDownloadStartedAuditEventService

---
 ...itory_download_started_audit_event_service.rb |  9 ---------
 ..._download_started_audit_event_service_spec.rb | 16 ----------------
 2 files changed, 25 deletions(-)
 delete mode 100644 ee/app/services/audit_events/repository_download_started_audit_event_service.rb
 delete mode 100644 ee/spec/services/audit_events/repository_download_started_audit_event_service_spec.rb

diff --git a/ee/app/services/audit_events/repository_download_started_audit_event_service.rb b/ee/app/services/audit_events/repository_download_started_audit_event_service.rb
deleted file mode 100644
index 5607e74258b392..00000000000000
--- a/ee/app/services/audit_events/repository_download_started_audit_event_service.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-module AuditEvents
-  class RepositoryDownloadStartedAuditEventService < CustomAuditEventService
-    def initialize(author, entity, ip_address)
-      super(author, entity, ip_address, 'Repository Download Started')
-    end
-  end
-end
diff --git a/ee/spec/services/audit_events/repository_download_started_audit_event_service_spec.rb b/ee/spec/services/audit_events/repository_download_started_audit_event_service_spec.rb
deleted file mode 100644
index b49032769d8969..00000000000000
--- a/ee/spec/services/audit_events/repository_download_started_audit_event_service_spec.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe AuditEvents::RepositoryDownloadStartedAuditEventService do
-  describe '#security_event' do
-    include_examples 'logs the custom audit event' do
-      let(:user) { create(:user) }
-      let(:ip_address) { '127.0.0.1' }
-      let(:entity) { create(:project) }
-      let(:entity_type) { 'Project' }
-      let(:custom_message) { 'Repository Download Started' }
-      let(:service) { described_class.new(user, entity, ip_address) }
-    end
-  end
-end
-- 
GitLab