From 96fe9c1337059fa90f57124cc23e0cb0217eeb10 Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Thu, 26 Oct 2023 14:30:58 +0000 Subject: [PATCH 1/9] Audit pipeline delete action Log audit event for pipeline delete action Changelog: added MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135255 EE: true --- app/services/ci/destroy_pipeline_service.rb | 2 ++ .../audit_event_types.md | 1 + .../ee/ci/destroy_pipeline_service.rb | 31 +++++++++++++++++ .../audit_events/types/destroy_pipeline.yml | 9 +++++ .../ci/destroy_pipeline_service_spec.rb | 34 +++++++++++++++---- 5 files changed, 70 insertions(+), 7 deletions(-) create mode 100644 ee/app/services/ee/ci/destroy_pipeline_service.rb create mode 100644 ee/config/audit_events/types/destroy_pipeline.yml diff --git a/app/services/ci/destroy_pipeline_service.rb b/app/services/ci/destroy_pipeline_service.rb index a9d2e17657e0d0..4aabe46eabb6ab 100644 --- a/app/services/ci/destroy_pipeline_service.rb +++ b/app/services/ci/destroy_pipeline_service.rb @@ -28,3 +28,5 @@ def execute(pipeline) end end end + +Ci::DestroyPipelineService.prepend_mod_with('Ci::DestroyPipelineService') diff --git a/doc/administration/audit_event_streaming/audit_event_types.md b/doc/administration/audit_event_streaming/audit_event_types.md index 6e1436284d051e..b701067df3e1e6 100644 --- a/doc/administration/audit_event_streaming/audit_event_types.md +++ b/doc/administration/audit_event_streaming/audit_event_types.md 
@@ -172,6 +172,7 @@ Audit event types belong to the following product categories. | [`ci_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI variable is created at a project level| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | | [`ci_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | | [`ci_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is updated| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | +| [`destroy_pipeline`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125846) | Event triggered when a pipeline is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/404730) | ### Deployment management diff --git a/ee/app/services/ee/ci/destroy_pipeline_service.rb b/ee/app/services/ee/ci/destroy_pipeline_service.rb new file mode 100644 index 00000000000000..6bbc89536b3cbc --- /dev/null +++ b/ee/app/services/ee/ci/destroy_pipeline_service.rb @@ -0,0 +1,31 @@ +# frozen_string_literal: true + +module EE + module Ci + module DestroyPipelineService + extend ::Gitlab::Utils::Override + + override :execute + def execute(pipeline) + response = super(pipeline) + log_audit_event(pipeline) if response.success? + response + end + + private + + def log_audit_event(pipeline) + audit_context = { + name: "destroy_pipeline", + author: current_user, + scope: project, + target: pipeline, + target_details: pipeline.id.to_s, + message: "Deleted pipeline with id #{pipeline.id}" + } + + ::Gitlab::Audit::Auditor.audit(audit_context) + end + end + end +end 
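Review bot: In `ee/app/services/ee/ci/destroy_pipeline_service.rb`, `execute` calls `log_audit_event(pipeline)` only after `super(pipeline)` has returned successfully, so the event is built from a record that has already been destroyed, and any exception raised while auditing would reach the caller after the deletion is final. Whether `::Gitlab::Audit::Auditor.audit` can raise on this path is not visible here and should be confirmed. The ordering deserves a comment above the call, for example `# Audit after super: the pipeline is already destroyed, so only read attributes from it here.` Refused or failed deletion attempts produce no event on this path; if that is intended, it is worth saying so in the event type's description.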
diff --git a/ee/config/audit_events/types/destroy_pipeline.yml b/ee/config/audit_events/types/destroy_pipeline.yml new file mode 100644 index 00000000000000..97ed353ca9fe65 --- /dev/null +++ b/ee/config/audit_events/types/destroy_pipeline.yml @@ -0,0 +1,9 @@ +--- +name: destroy_pipeline +description: Event triggered when a pipeline is deleted. +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/339041 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135255 +feature_category: continuous_integration +milestone: "16.6" +saved_to_database: true +streamed: true diff --git a/ee/spec/services/ci/destroy_pipeline_service_spec.rb b/ee/spec/services/ci/destroy_pipeline_service_spec.rb index b0dd0c9c4c3ca0..e8a2fad0d5fa9f 100644 --- a/ee/spec/services/ci/destroy_pipeline_service_spec.rb +++ b/ee/spec/services/ci/destroy_pipeline_service_spec.rb 
@@ -7,15 +7,35 @@ let!(:pipeline) { create(:ci_pipeline, project: project) } let(:user) { project.first_owner } - subject { described_class.new(project, user).execute(pipeline) } + subject(:service) { described_class.new(project, user) } - context 'when audit events is enabled' do - before do - stub_licensed_features(extended_audit_events: true, admin_audit_log: true) - end + describe '#execute' do + subject(:operation) { service.execute(pipeline) } + + context 'for audit events', :enable_admin_mode do + include_examples 'audit event logging' do + let(:operation) { service.execute(pipeline) } + + let(:fail_condition!) do + allow(pipeline).to receive(:destroy!).and_raise(ActiveRecord::RecordNotFound) + end - it 'does not log an audit event' do - expect { subject }.not_to change { AuditEvent.count } + let(:attributes) do + { + author_id: user.id, + entity_id: pipeline.id, + entity_type: 'Project', + details: { + author_class: 'User', + author_name: user.name, + custom_message: "Deleted pipeline with id #{pipeline.id}", + target_details: pipeline.id.to_s, + target_id: pipeline.id, + target_type: 'Ci::Pipeline' + } + } + end + end end end end -- GitLab From 12196c7c4b71f9cd89adeecfa182f6de281619a9 Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Thu, 26 Oct 2023 15:57:20 +0000 Subject: [PATCH 2/9] Add delete pipeline event --- ee/spec/requests/api/ci/pipelines_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/spec/requests/api/ci/pipelines_spec.rb b/ee/spec/requests/api/ci/pipelines_spec.rb index 8480b753c4d18d..8d390b93302909 100644 --- a/ee/spec/requests/api/ci/pipelines_spec.rb +++ b/ee/spec/requests/api/ci/pipelines_spec.rb 
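Review bot: In the `#execute` block of `ee/spec/services/ci/destroy_pipeline_service_spec.rb`, `operation` is defined twice with the same body, once as `subject(:operation) { service.execute(pipeline) }` and again as `let(:operation) { service.execute(pipeline) }` inside `include_examples 'audit event logging'`; one of the two can be dropped. The examples run only as `project.first_owner`, and the only failure case stubs `destroy!` with `and_raise(ActiveRecord::RecordNotFound)`, so nothing here pins that a user without permission to delete the pipeline produces no `destroy_pipeline` event. A further context with a non-privileged user asserting `not_to change { AuditEvent.count }` would cover that; how the base service reports the refusal is outside this hunk, so the expectation may need wrapping accordingly.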
@@ -24,8 +24,8 @@ stub_licensed_features(extended_audit_events: true, admin_audit_log: true) end - it 'does not log an audit event' do - expect { delete api("/projects/#{project.id}/pipelines/#{pipeline.id}", owner) }.not_to change { AuditEvent.count } + it 'logs an audit event' do + expect { delete api("/projects/#{project.id}/pipelines/#{pipeline.id}", owner) }.to change { AuditEvent.count } end end end -- GitLab From 4ff4af17a92c29d66a821a4bafeebd34efc8f5cf Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Thu, 26 Oct 2023 16:10:09 +0000 Subject: [PATCH 3/9] Refine pipeline delete event --- doc/administration/audit_event_streaming/audit_event_types.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/administration/audit_event_streaming/audit_event_types.md b/doc/administration/audit_event_streaming/audit_event_types.md index b701067df3e1e6..b236876a3f5638 100644 --- a/doc/administration/audit_event_streaming/audit_event_types.md +++ b/doc/administration/audit_event_streaming/audit_event_types.md 
@@ -172,7 +172,7 @@ Audit event types belong to the following product categories. | [`ci_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI variable is created at a project level| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | | [`ci_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | | [`ci_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is updated| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | -| [`destroy_pipeline`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/125846) | Event triggered when a pipeline is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/404730) | +| [`destroy_pipeline`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135255) | Event triggered when a pipeline is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/339041) | ### Deployment management -- GitLab From 3ee44fe4ace20d89f2128694d0facbd4259146d5 Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Fri, 27 Oct 2023 08:56:27 +0000 Subject: [PATCH 4/9] Include shared example variables --- ee/spec/services/ci/destroy_pipeline_service_spec.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ee/spec/services/ci/destroy_pipeline_service_spec.rb b/ee/spec/services/ci/destroy_pipeline_service_spec.rb index e8a2fad0d5fa9f..55c390d6048e3f 100644 --- a/ee/spec/services/ci/destroy_pipeline_service_spec.rb +++ b/ee/spec/services/ci/destroy_pipeline_service_spec.rb 
@@ -13,6 +13,9 @@ subject(:operation) { service.execute(pipeline) } context 'for audit events', :enable_admin_mode do + let(:audit_event_name) { "destroy_pipeline" } + let(:event_type) { "destroy_pipeline" } + include_examples 'audit event logging' do let(:operation) { service.execute(pipeline) } -- GitLab From 204a5243f56bb73390a2af02068f7c7c1d1e3a8d Mon Sep 17 00:00:00 2001 From: Eulyeon Ko <5961404-euko@users.noreply.gitlab.com> Date: Tue, 31 Oct 2023 05:21:21 +0000 Subject: [PATCH 5/9] Refine prepend definition --- app/services/ci/destroy_pipeline_service.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/services/ci/destroy_pipeline_service.rb b/app/services/ci/destroy_pipeline_service.rb index 4aabe46eabb6ab..7adf573687a638 100644 --- a/app/services/ci/destroy_pipeline_service.rb +++ b/app/services/ci/destroy_pipeline_service.rb @@ -29,4 +29,4 @@ def execute(pipeline) end end -Ci::DestroyPipelineService.prepend_mod_with('Ci::DestroyPipelineService') +Ci::DestroyPipelineService.prepend_mod -- GitLab From 7f7e80fbf82733f159f997e3ce5ba63f27d30c4e Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Tue, 31 Oct 2023 05:40:45 +0000 Subject: [PATCH 6/9] Refine pipeline delete event --- doc/administration/audit_event_streaming/audit_event_types.md | 2 +- ee/config/audit_events/types/destroy_pipeline.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/administration/audit_event_streaming/audit_event_types.md b/doc/administration/audit_event_streaming/audit_event_types.md index b236876a3f5638..ac630c187171f4 100644 --- a/doc/administration/audit_event_streaming/audit_event_types.md +++ b/doc/administration/audit_event_streaming/audit_event_types.md 
@@ -172,7 +172,7 @@ Audit event types belong to the following product categories. | [`ci_variable_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a CI variable is created at a project level| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | | [`ci_variable_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | | [`ci_variable_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91983) | Triggered when a project's CI variable is updated| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363090) | -| [`destroy_pipeline`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135255) | Event triggered when a pipeline is deleted.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/339041) | +| [`destroy_pipeline`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135255) | Event triggered when a pipeline is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/339041) | ### Deployment management diff --git a/ee/config/audit_events/types/destroy_pipeline.yml b/ee/config/audit_events/types/destroy_pipeline.yml index 97ed353ca9fe65..58ad37239f1bbe 100644 --- a/ee/config/audit_events/types/destroy_pipeline.yml +++ b/ee/config/audit_events/types/destroy_pipeline.yml 
@@ -1,6 +1,6 @@ --- name: destroy_pipeline -description: Event triggered when a pipeline is deleted. +description: Event triggered when a pipeline is deleted introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/339041 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/135255 feature_category: continuous_integration -- GitLab From 2d0833df24c36896d0b58f2502acda701cd10c1c Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Tue, 31 Oct 2023 14:13:01 +0000 Subject: [PATCH 7/9] Fix entity details --- ee/spec/services/ci/destroy_pipeline_service_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/spec/services/ci/destroy_pipeline_service_spec.rb b/ee/spec/services/ci/destroy_pipeline_service_spec.rb index 55c390d6048e3f..74375e5f4c176e 100644 --- a/ee/spec/services/ci/destroy_pipeline_service_spec.rb +++ b/ee/spec/services/ci/destroy_pipeline_service_spec.rb @@ -26,7 +26,7 @@ let(:attributes) do { author_id: user.id, - entity_id: pipeline.id, + entity_id: project.id, entity_type: 'Project', details: { author_class: 'User', -- GitLab From 346d6ba5c39841055669c46754d9120c5d80c8ae Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Fri, 3 Nov 2023 02:38:57 +0000 Subject: [PATCH 8/9] Refine pipeline delete event text --- ee/app/services/ee/ci/destroy_pipeline_service.rb | 2 +- ee/spec/requests/api/ci/pipelines_spec.rb | 2 +- ee/spec/services/ci/destroy_pipeline_service_spec.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ee/app/services/ee/ci/destroy_pipeline_service.rb b/ee/app/services/ee/ci/destroy_pipeline_service.rb index 6bbc89536b3cbc..789fb5ecaffb96 100644 --- a/ee/app/services/ee/ci/destroy_pipeline_service.rb +++ b/ee/app/services/ee/ci/destroy_pipeline_service.rb 
@@ -21,7 +21,7 @@ def log_audit_event(pipeline) scope: project, target: pipeline, target_details: pipeline.id.to_s, - message: "Deleted pipeline with id #{pipeline.id}" + message: "Deleted pipeline in #{pipeline.ref} with status #{pipeline.status} and SHA #{pipeline.sha}" } ::Gitlab::Audit::Auditor.audit(audit_context) diff --git a/ee/spec/requests/api/ci/pipelines_spec.rb b/ee/spec/requests/api/ci/pipelines_spec.rb index 8d390b93302909..f000d5b082fbe2 100644 --- a/ee/spec/requests/api/ci/pipelines_spec.rb +++ b/ee/spec/requests/api/ci/pipelines_spec.rb @@ -25,7 +25,7 @@ end it 'logs an audit event' do - expect { delete api("/projects/#{project.id}/pipelines/#{pipeline.id}", owner) }.to change { AuditEvent.count } + expect { delete api("/projects/#{project.id}/pipelines/#{pipeline.id}", owner) }.to change { AuditEvent.count }.by(1) end end end diff --git a/ee/spec/services/ci/destroy_pipeline_service_spec.rb b/ee/spec/services/ci/destroy_pipeline_service_spec.rb index 74375e5f4c176e..77c51a8bf5e991 100644 --- a/ee/spec/services/ci/destroy_pipeline_service_spec.rb +++ b/ee/spec/services/ci/destroy_pipeline_service_spec.rb @@ -31,7 +31,7 @@ details: { author_class: 'User', author_name: user.name, - custom_message: "Deleted pipeline with id #{pipeline.id}", + custom_message: "Deleted pipeline in #{pipeline.ref} with status #{pipeline.status} and SHA #{pipeline.sha}", target_details: pipeline.id.to_s, target_id: pipeline.id, target_type: 'Ci::Pipeline' -- GitLab From d70e1b43a38d149819b05740552273cc3d5a49dc Mon Sep 17 00:00:00 2001 From: sameer shaik Date: Fri, 3 Nov 2023 03:44:45 +0000 Subject: [PATCH 9/9] Fix rubocop failures --- ee/spec/services/ci/destroy_pipeline_service_spec.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ee/spec/services/ci/destroy_pipeline_service_spec.rb b/ee/spec/services/ci/destroy_pipeline_service_spec.rb index 77c51a8bf5e991..5e4bb7b78e7fb1 100644 --- a/ee/spec/services/ci/destroy_pipeline_service_spec.rb 
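Review bot: The new `message` in `log_audit_event` interpolates `pipeline.ref`, a branch or tag name chosen by whoever pushed it, into free text that is saved and streamed to external destinations, so consumers have to treat the message as untrusted text and cannot reliably parse the ref, status and SHA back out of it. Carrying the same values as structured fields keeps them queryable, for example `additional_details: { ref: pipeline.ref, status: pipeline.status, sha: pipeline.sha }` alongside the message. The pipeline id no longer appears in the message and survives only in `target_details` and the target itself, which is fine provided downstream views show those fields. The body of `log_audit_event` extends beyond this hunk.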
+++ b/ee/spec/services/ci/destroy_pipeline_service_spec.rb @@ -31,7 +31,8 @@ details: { author_class: 'User', author_name: user.name, - custom_message: "Deleted pipeline in #{pipeline.ref} with status #{pipeline.status} and SHA #{pipeline.sha}", + custom_message: "Deleted pipeline in #{pipeline.ref} with status " \ + "#{pipeline.status} and SHA #{pipeline.sha}", target_details: pipeline.id.to_s, target_id: pipeline.id, target_type: 'Ci::Pipeline' -- GitLab