From 46187330a411ac11df377bfca5bcc82c4396ddfd Mon Sep 17 00:00:00 2001 From: huzaifaiftikhar1 Date: Thu, 21 Sep 2023 14:29:29 +0530 Subject: [PATCH 1/3] Add API for creating amazon_s3_configurations for audit event streaming Changelog: added EE: true --- .../graphql_shared/possible_types.json | 3 + .../audit_event_types.md | 1 + doc/api/graphql/reference/index.md | 57 +++++++ ee/app/graphql/ee/types/mutation_type.rb | 1 + .../amazon_s3_configurations/base.rb | 24 +++ .../amazon_s3_configurations/create.rb | 69 ++++++++ .../amazon_s3_configuration_interface.rb | 33 ++++ .../amazon_s3_configuration_type.rb | 17 ++ .../amazon_s3_configuration_policy.rb | 7 + .../types/amazon_s3_configuration_created.yml | 9 ++ .../amazon_s3_configurations/create_spec.rb | 152 ++++++++++++++++++ 11 files changed, 373 insertions(+) create mode 100644 ee/app/graphql/mutations/audit_events/amazon_s3_configurations/base.rb create mode 100644 ee/app/graphql/mutations/audit_events/amazon_s3_configurations/create.rb create mode 100644 ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb create mode 100644 ee/app/graphql/types/audit_events/amazon_s3_configuration_type.rb create mode 100644 ee/app/policies/audit_events/amazon_s3_configuration_policy.rb create mode 100644 ee/config/audit_events/types/amazon_s3_configuration_created.yml create mode 100644 ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb diff --git a/app/assets/javascripts/graphql_shared/possible_types.json b/app/assets/javascripts/graphql_shared/possible_types.json index 37c1674cc5aa22..4e0b1413f7117b 100644 --- a/app/assets/javascripts/graphql_shared/possible_types.json +++ b/app/assets/javascripts/graphql_shared/possible_types.json 
@@ -3,6 +3,9 @@ "AlertManagementHttpIntegration", "AlertManagementPrometheusIntegration" ], + "AmazonS3ConfigurationInterface": [ + "AmazonS3ConfigurationType" + ], "BaseHeaderInterface": [ "AuditEventStreamingHeader", "AuditEventsStreamingInstanceHeader" diff --git a/doc/administration/audit_event_streaming/audit_event_types.md b/doc/administration/audit_event_streaming/audit_event_types.md index 5c27dabe378649..e914eacc689428 100644 --- a/doc/administration/audit_event_streaming/audit_event_types.md +++ b/doc/administration/audit_event_streaming/audit_event_types.md 
@@ -37,6 +37,7 @@ audit events to external destinations. | [`allow_committer_approval_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating prevent merge request approval from committers from group merge request setting | **{check-circle}** Yes | **{check-circle}** Yes | `compliance_management` | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | | [`allow_merge_on_skipped_pipeline_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83922) | There is a project setting which toggles the ability to merge when a pipeline is skipped. This audit event tracks changes to that setting. This MR adds a setting to allow this (like previous GitLab versions). | **{check-circle}** Yes | **{check-circle}** Yes | `continuous_integration` | GitLab [14.10](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) | | [`allow_overrides_to_approver_list_per_merge_request_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating prevent users from modifying MR approval rules in merge requests from group merge request setting | **{check-circle}** Yes | **{check-circle}** Yes | `compliance_management` | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | +| [`amazon_s3_configuration_created`](https://gitlab.com) | Triggered when Amazon S3 configuration for audit events streaming is created | **{check-circle}** Yes | **{check-circle}** Yes | `audit_events` | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/423229) | | [`application_setting_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124639) | Triggered when Application setting is updated | **{check-circle}** Yes | **{check-circle}** Yes | `system_access` | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/282428) | | [`approval_rule_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89939) | Triggered when a merge request approval rule is created | 
**{check-circle}** Yes | **{check-circle}** Yes | `source_code_management` | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363092) | | [`approval_rule_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82297) | Triggered on successful approval rule deletion | **{check-circle}** Yes | **{check-circle}** Yes | `source_code_management` | GitLab [14.9](https://gitlab.com/gitlab-org/gitlab/-/issues/329514) | diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 65736f10ba9103..74b531edb72162 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
@@ -1274,6 +1274,30 @@ Input type: `AlertTodoCreateInput` | `issue` | [`Issue`](#issue) | Issue created after mutation. | | `todo` | [`Todo`](#todo) | To-do item after mutation. | +### `Mutation.amazonS3ConfigurationCreate` + +Input type: `AmazonS3ConfigurationCreateInput` + +#### Arguments + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `accessKeyXid` | [`String!`](#string) | Access key ID of the Amazon S3 account. | +| `awsRegion` | [`String!`](#string) | AWS region where the bucket is created. | +| `bucketName` | [`String!`](#string) | Name of the bucket where the audit events would be logged. | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `groupPath` | [`ID!`](#id) | Group path. | +| `name` | [`String`](#string) | Destination name. | +| `secretAccessKey` | [`String!`](#string) | Secret access key of the Amazon S3 account. | + +#### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `amazonS3Configuration` | [`AmazonS3ConfigurationType`](#amazons3configurationtype) | configuration created. | +| `clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| `errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | + ### `Mutation.approveDeployment` Input type: `ApproveDeploymentInput` 
@@ -13270,6 +13294,22 @@ An endpoint and credentials used to accept Prometheus alerts for a project. | `type` | [`AlertManagementIntegrationType!`](#alertmanagementintegrationtype) | Type of integration. | | `url` | [`String`](#string) | Endpoint which accepts alert notifications. | +### `AmazonS3ConfigurationType` + +Stores Amazon S3 configurations. + +#### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `accessKeyXid` | [`String!`](#string) | Access key ID of the Amazon S3 account. | +| `awsRegion` | [`String!`](#string) | AWS region where the bucket is created. | +| `bucketName` | [`String!`](#string) | Name of the bucket where the audit events would be logged. | +| `group` | [`Group!`](#group) | Group the configuration belongs to. | +| `id` | [`ID!`](#id) | ID of the configuration. | +| `name` | [`String!`](#string) | Name of the external destination to send audit events to. | +| `secretAccessKey` | [`String!`](#string) | Secret access of the Amazon S3 account. | + ### `ApiFuzzingCiConfiguration` Data associated with configuring API fuzzing scans in GitLab CI. 
@@ -30162,6 +30202,23 @@ Implementations: | `type` | [`AlertManagementIntegrationType!`](#alertmanagementintegrationtype) | Type of integration. | | `url` | [`String`](#string) | Endpoint which accepts alert notifications. | +#### `AmazonS3ConfigurationInterface` + +Implementations: + +- [`AmazonS3ConfigurationType`](#amazons3configurationtype) + +##### Fields + +| Name | Type | Description | +| ---- | ---- | ----------- | +| `accessKeyXid` | [`String!`](#string) | Access key ID of the Amazon S3 account. | +| `awsRegion` | [`String!`](#string) | AWS region where the bucket is created. | +| `bucketName` | [`String!`](#string) | Name of the bucket where the audit events would be logged. | +| `id` | [`ID!`](#id) | ID of the configuration. | +| `name` | [`String!`](#string) | Name of the external destination to send audit events to. | +| `secretAccessKey` | [`String!`](#string) | Secret access of the Amazon S3 account. | + #### `BaseHeaderInterface` Implementations: diff --git a/ee/app/graphql/ee/types/mutation_type.rb b/ee/app/graphql/ee/types/mutation_type.rb index 5332505397e41b..d82d589a519938 100644 --- a/ee/app/graphql/ee/types/mutation_type.rb +++ b/ee/app/graphql/ee/types/mutation_type.rb @@ -122,6 +122,7 @@ module MutationType mount_mutation ::Mutations::AuditEvents::GoogleCloudLoggingConfigurations::Create mount_mutation ::Mutations::AuditEvents::GoogleCloudLoggingConfigurations::Destroy mount_mutation ::Mutations::AuditEvents::GoogleCloudLoggingConfigurations::Update + mount_mutation ::Mutations::AuditEvents::AmazonS3Configurations::Create mount_mutation ::Mutations::AuditEvents::Instance::GoogleCloudLoggingConfigurations::Create mount_mutation ::Mutations::Forecasting::BuildForecast, alpha: { milestone: '16.0' } mount_mutation ::Mutations::AuditEvents::Streaming::InstanceHeaders::Create 
diff --git a/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/base.rb b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/base.rb new file mode 100644 index 00000000000000..f6c70d16704a31 --- /dev/null +++ b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/base.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +module Mutations + module AuditEvents + module AmazonS3Configurations + class Base < BaseMutation + private + + def audit(config, action:) + audit_context = { + name: "amazon_s3_configuration_#{action}", + author: current_user, + scope: config.group, + target: config.group, + message: "#{action.capitalize} Amazon S3 configuration with name: #{config.name} bucket: " \ + "#{config.bucket_name} and AWS region: #{config.aws_region}" + } + + ::Gitlab::Audit::Auditor.audit(audit_context) + end + end + end + end +end diff --git a/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/create.rb b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/create.rb new file mode 100644 index 00000000000000..51fd0baa827aa4 --- /dev/null +++ b/ee/app/graphql/mutations/audit_events/amazon_s3_configurations/create.rb 
@@ -0,0 +1,69 @@ +# frozen_string_literal: true + +module Mutations + module AuditEvents + module AmazonS3Configurations + class Create < Base + graphql_name 'AmazonS3ConfigurationCreate' + + authorize :admin_external_audit_events + + argument :name, GraphQL::Types::String, + required: false, + description: 'Destination name.' + + argument :group_path, GraphQL::Types::ID, + required: true, + description: 'Group path.' + + argument :access_key_xid, GraphQL::Types::String, + required: true, + description: 'Access key ID of the Amazon S3 account.' + + argument :secret_access_key, GraphQL::Types::String, + required: true, + description: 'Secret access key of the Amazon S3 account.' + + argument :bucket_name, GraphQL::Types::String, + required: true, + description: 'Name of the bucket where the audit events would be logged.' + + argument :aws_region, GraphQL::Types::String, + required: true, + description: 'AWS region where the bucket is created.' + + field :amazon_s3_configuration, ::Types::AuditEvents::AmazonS3ConfigurationType, + null: true, + description: 'configuration created.' + + def resolve(group_path:, access_key_xid:, secret_access_key:, bucket_name:, aws_region:, name: nil) + group = authorized_find!(group_path) + config_attributes = { + group: group, + access_key_xid: access_key_xid, + secret_access_key: secret_access_key, + bucket_name: bucket_name, + aws_region: aws_region, + name: name + } + + config = ::AuditEvents::AmazonS3Configuration.new(config_attributes) + + if config.save + audit(config, action: :created) + + { amazon_s3_configuration: config, errors: [] } + else + { amazon_s3_configuration: nil, errors: Array(config.errors) } + end + end + + private + + def find_object(group_path) + ::Group.find_by_full_path(group_path) + end + end + end + end +end 
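Review bot: `secret_access_key` is accepted as a plain `String!` argument and handed straight to `::AuditEvents::AmazonS3Configuration.new`; the model and its migration are not part of this series, so please confirm in the MR that the column is stored encrypted at rest and that the value is filtered from GraphQL query/variable logging before this is merged, since it is a long-lived AWS credential. Two smaller points in the same file: `errors: Array(config.errors)` relies on `ActiveModel::Errors#to_a` returning full messages, whereas `BaseMutation` already provides `errors_on_object(config)` for exactly this case; and the field description `'configuration created.'` should start with a capital letter (`'Configuration created.'`) because it is rendered verbatim into `doc/api/graphql/reference/index.md`, as the docs hunk above shows.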
diff --git a/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb b/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb new file mode 100644 index 00000000000000..2d0f7b17024345 --- /dev/null +++ b/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb @@ -0,0 +1,33 @@ +# frozen_string_literal: true + +module Types + module AuditEvents + module AmazonS3ConfigurationInterface + include Types::BaseInterface + + field :id, GraphQL::Types::ID, + null: false, + description: 'ID of the configuration.' + + field :name, GraphQL::Types::String, + null: false, + description: 'Name of the external destination to send audit events to.' + + field :access_key_xid, GraphQL::Types::String, + null: false, + description: 'Access key ID of the Amazon S3 account.' + + field :secret_access_key, GraphQL::Types::String, + null: false, + description: 'Secret access of the Amazon S3 account.' + + field :bucket_name, GraphQL::Types::String, + null: false, + description: 'Name of the bucket where the audit events would be logged.' + + field :aws_region, GraphQL::Types::String, + null: false, + description: 'AWS region where the bucket is created.' + end + end +end diff --git a/ee/app/graphql/types/audit_events/amazon_s3_configuration_type.rb b/ee/app/graphql/types/audit_events/amazon_s3_configuration_type.rb new file mode 100644 index 00000000000000..6d1cabd5102565 --- /dev/null +++ b/ee/app/graphql/types/audit_events/amazon_s3_configuration_type.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true + +module Types + module AuditEvents + class AmazonS3ConfigurationType < ::Types::BaseObject + graphql_name 'AmazonS3ConfigurationType' + description 'Stores Amazon S3 configurations.' + authorize :admin_external_audit_events + + implements AmazonS3ConfigurationInterface + + field :group, ::Types::GroupType, + null: false, + description: 'Group the configuration belongs to.' + end + end +end 
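Review bot: `field :secret_access_key, GraphQL::Types::String, null: false` in `AmazonS3ConfigurationInterface` returns the AWS secret to any caller that can read the type, including through the `amazonS3Configuration` field of the create mutation response, so a credential that was only ever meant to be written becomes readable back out of the API. A secret access key should be write-only: keep it as a mutation argument and drop the field from the interface (patch 3/3 of this series does that, but the type should not ship with it at any point). While here, the description `'Secret access of the Amazon S3 account.'` is missing the word `key`.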
diff --git a/ee/app/policies/audit_events/amazon_s3_configuration_policy.rb b/ee/app/policies/audit_events/amazon_s3_configuration_policy.rb new file mode 100644 index 00000000000000..665a316ad79b13 --- /dev/null +++ b/ee/app/policies/audit_events/amazon_s3_configuration_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +module AuditEvents + class AmazonS3ConfigurationPolicy < ::BasePolicy + delegate { @subject.group } + end +end diff --git a/ee/config/audit_events/types/amazon_s3_configuration_created.yml b/ee/config/audit_events/types/amazon_s3_configuration_created.yml new file mode 100644 index 00000000000000..e0e62071a75720 --- /dev/null +++ b/ee/config/audit_events/types/amazon_s3_configuration_created.yml @@ -0,0 +1,9 @@ +--- +name: amazon_s3_configuration_created +description: Triggered when Amazon S3 configuration for audit events streaming is created +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/423229 +introduced_by_mr: https://gitlab.com +feature_category: audit_events +milestone: '16.5' +saved_to_database: true +streamed: true diff --git a/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb new file mode 100644 index 00000000000000..14953be98ca0bc --- /dev/null +++ b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb 
@@ -0,0 +1,152 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe 'Create Amazon S3 configuration', feature_category: :audit_events do + include GraphqlHelpers + + let_it_be(:group) { create(:group) } + let_it_be(:owner) { create(:user) } + let_it_be(:destination_name) { 'test_aws_s3_destination' } + let_it_be(:access_key_id) { 'AKIARANDOMID1234' } + let_it_be(:secret_access_key) { 'TEST/SECRET/XYZ' } + let_it_be(:bucket_name) { 'test-bucket' } + let_it_be(:aws_region) { 'us-east-1' } + + let(:current_user) { owner } + let(:mutation) { graphql_mutation(:amazon_s3_configuration_create, input) } + let(:mutation_response) { graphql_mutation_response(:amazon_s3_configuration_create) } + + let(:input) do + { + name: destination_name, + groupPath: group.full_path, + accessKeyXid: access_key_id, + secretAccessKey: secret_access_key, + bucketName: bucket_name, + awsRegion: aws_region + } + end + + subject(:mutate) { post_graphql_mutation(mutation, current_user: owner) } + + shared_examples 'creates an audit event' do + before do + allow(Gitlab::Audit::Auditor).to receive(:audit) + end + + it 'audits the creation' do + subject + + expect(Gitlab::Audit::Auditor).to have_received(:audit) do |args| + expect(args[:name]).to eq('amazon_s3_configuration_created') + expect(args[:author]).to eq(current_user) + expect(args[:scope]).to eq(group) + expect(args[:target]).to eq(group) + expect(args[:message]).to eq("Created Amazon S3 configuration with name: #{destination_name} " \ + "bucket: #{bucket_name} and AWS region: #{aws_region}") + end + end + end + + shared_examples 'a mutation that does not create a configuration' do + it 'does not create the configuration' do + expect { mutate } + .not_to change { AuditEvents::AmazonS3Configuration.count } + end + + it 'does not create audit event' do + expect { mutate }.not_to change { AuditEvent.count } + end + end + + shared_examples 'an unauthorized mutation that does not create a configuration' do + 
it_behaves_like 'a mutation on an unauthorized resource' + it_behaves_like 'a mutation that does not create a configuration' + end + + context 'when feature is licensed' do + before do + stub_licensed_features(external_audit_events: true) + end + + context 'when current user is a group owner' do + before_all do + group.add_owner(owner) + end + + it 'resolves group by full path' do + expect(::Group).to receive(:find_by_full_path).with(group.full_path) + + mutate + end + + it 'creates the configuration' do + expect { mutate } + .to change { AuditEvents::AmazonS3Configuration.count }.by(1) + + config = AuditEvents::AmazonS3Configuration.last + expect(config.group).to eq(group) + expect(config.name).to eq(destination_name) + expect(config.access_key_xid).to eq(access_key_id) + expect(config.secret_access_key).to eq(secret_access_key) + expect(config.bucket_name).to eq(bucket_name) + expect(config.aws_region).to eq(aws_region) + end + + it_behaves_like 'creates an audit event', 'audit_events' + + context 'when there is error while saving' do + before do + allow_next_instance_of(AuditEvents::AmazonS3Configuration) do |s3_configuration| + allow(s3_configuration).to receive(:save).and_return(false) + + errors = ActiveModel::Errors.new(s3_configuration).tap { |e| e.add(:aws_region, 'error message') } + allow(s3_configuration).to receive(:errors).and_return(errors) + end + end + + it 'does not create the configuration and returns the error' do + expect { mutate } + .not_to change { AuditEvents::AmazonS3Configuration.count } + + expect(mutation_response).to include( + 'amazonS3Configuration' => nil, + 'errors' => ["Aws region error message"]) + end + end + end + + context 'when current user is a group maintainer' do + before_all do + group.add_maintainer(owner) + end + + it_behaves_like 'an unauthorized mutation that does not create a configuration' + end + + context 'when current user is a group developer' do + before_all do + group.add_developer(owner) + end + + 
it_behaves_like 'an unauthorized mutation that does not create a configuration' + end + + context 'when current user has guest access' do + before_all do + group.add_guest(owner) + end + + it_behaves_like 'an unauthorized mutation that does not create a configuration' + end + end + + context 'when feature is unlicensed' do + before do + stub_licensed_features(external_audit_events: false) + end + + it_behaves_like 'an unauthorized mutation that does not create a configuration' + end +end -- GitLab From 7008f1644397b796825bbfd7c087c3980b0a4bde Mon Sep 17 00:00:00 2001 From: huzaifaiftikhar1 Date: Tue, 26 Sep 2023 18:04:57 +0530 Subject: [PATCH 2/3] Refactor RSpecs --- .../audit_event_streaming/audit_event_types.md | 2 +- .../types/amazon_s3_configuration_created.yml | 2 +- .../amazon_s3_configurations/create_spec.rb | 13 ++++++------- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/doc/administration/audit_event_streaming/audit_event_types.md b/doc/administration/audit_event_streaming/audit_event_types.md index e914eacc689428..b48bbefae964c2 100644 --- a/doc/administration/audit_event_streaming/audit_event_types.md +++ b/doc/administration/audit_event_streaming/audit_event_types.md 
@@ -37,7 +37,7 @@ audit events to external destinations. | [`allow_committer_approval_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating prevent merge request approval from committers from group merge request setting | **{check-circle}** Yes | **{check-circle}** Yes | `compliance_management` | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | | [`allow_merge_on_skipped_pipeline_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/83922) | There is a project setting which toggles the ability to merge when a pipeline is skipped. This audit event tracks changes to that setting. This MR adds a setting to allow this (like previous GitLab versions). | **{check-circle}** Yes | **{check-circle}** Yes | `continuous_integration` | GitLab [14.10](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) | | [`allow_overrides_to_approver_list_per_merge_request_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating prevent users from modifying MR approval rules in merge requests from group merge request setting | **{check-circle}** Yes | **{check-circle}** Yes | `compliance_management` | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | -| [`amazon_s3_configuration_created`](https://gitlab.com) | Triggered when Amazon S3 configuration for audit events streaming is created | **{check-circle}** Yes | **{check-circle}** Yes | `audit_events` | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/423229) | +| [`amazon_s3_configuration_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132443) | Triggered when Amazon S3 configuration for audit events streaming is created | **{check-circle}** Yes | **{check-circle}** Yes | `audit_events` | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/423229) | | [`application_setting_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124639) | Triggered when 
Application setting is updated | **{check-circle}** Yes | **{check-circle}** Yes | `system_access` | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/282428) | | [`approval_rule_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89939) | Triggered when a merge request approval rule is created | **{check-circle}** Yes | **{check-circle}** Yes | `source_code_management` | GitLab [15.2](https://gitlab.com/gitlab-org/gitlab/-/issues/363092) | | [`approval_rule_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82297) | Triggered on successful approval rule deletion | **{check-circle}** Yes | **{check-circle}** Yes | `source_code_management` | GitLab [14.9](https://gitlab.com/gitlab-org/gitlab/-/issues/329514) | diff --git a/ee/config/audit_events/types/amazon_s3_configuration_created.yml b/ee/config/audit_events/types/amazon_s3_configuration_created.yml index e0e62071a75720..e8095f90ccd655 100644 --- a/ee/config/audit_events/types/amazon_s3_configuration_created.yml +++ b/ee/config/audit_events/types/amazon_s3_configuration_created.yml @@ -2,7 +2,7 @@ name: amazon_s3_configuration_created description: Triggered when Amazon S3 configuration for audit events streaming is created introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/423229 -introduced_by_mr: https://gitlab.com +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132443 feature_category: audit_events milestone: '16.5' saved_to_database: true diff --git a/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb index 14953be98ca0bc..dc4508451787e0 100644 --- a/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/audit_events/amazon_s3_configurations/create_spec.rb 
@@ -6,14 +6,13 @@ include GraphqlHelpers let_it_be(:group) { create(:group) } - let_it_be(:owner) { create(:user) } + let_it_be(:current_user) { create(:user) } let_it_be(:destination_name) { 'test_aws_s3_destination' } let_it_be(:access_key_id) { 'AKIARANDOMID1234' } let_it_be(:secret_access_key) { 'TEST/SECRET/XYZ' } let_it_be(:bucket_name) { 'test-bucket' } let_it_be(:aws_region) { 'us-east-1' } - let(:current_user) { owner } let(:mutation) { graphql_mutation(:amazon_s3_configuration_create, input) } let(:mutation_response) { graphql_mutation_response(:amazon_s3_configuration_create) } @@ -28,7 +27,7 @@ } end - subject(:mutate) { post_graphql_mutation(mutation, current_user: owner) } + subject(:mutate) { post_graphql_mutation(mutation, current_user: current_user) } shared_examples 'creates an audit event' do before do @@ -72,7 +71,7 @@ context 'when current user is a group owner' do before_all do - group.add_owner(owner) + group.add_owner(current_user) end it 'resolves group by full path' do @@ -119,7 +118,7 @@ context 'when current user is a group maintainer' do before_all do - group.add_maintainer(owner) + group.add_maintainer(current_user) end it_behaves_like 'an unauthorized mutation that does not create a configuration' @@ -127,7 +126,7 @@ context 'when current user is a group developer' do before_all do - group.add_developer(owner) + group.add_developer(current_user) end it_behaves_like 'an unauthorized mutation that does not create a configuration' @@ -135,7 +134,7 @@ context 'when current user has guest access' do before_all do - group.add_guest(owner) + group.add_guest(current_user) end it_behaves_like 'an unauthorized mutation that does not create a configuration' -- GitLab From 50adea01cdb73dcb35ac4d1f9cbc1a85ab393b56 Mon Sep 17 00:00:00 2001 
From: huzaifaiftikhar1 Date: Wed, 4 Oct 2023 11:30:47 +0530 Subject: [PATCH 3/3] Remove secret_access_key from GraphQL API response --- doc/api/graphql/reference/index.md | 2 -- .../types/audit_events/amazon_s3_configuration_interface.rb | 4 ---- 2 files changed, 6 deletions(-) diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 74b531edb72162..5b35f7dc3917a8 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -13308,7 +13308,6 @@ Stores Amazon S3 configurations. | `group` | [`Group!`](#group) | Group the configuration belongs to. | | `id` | [`ID!`](#id) | ID of the configuration. | | `name` | [`String!`](#string) | Name of the external destination to send audit events to. | -| `secretAccessKey` | [`String!`](#string) | Secret access of the Amazon S3 account. | ### `ApiFuzzingCiConfiguration` @@ -30217,7 +30216,6 @@ Implementations: | `bucketName` | [`String!`](#string) | Name of the bucket where the audit events would be logged. | | `id` | [`ID!`](#id) | ID of the configuration. | | `name` | [`String!`](#string) | Name of the external destination to send audit events to. | -| `secretAccessKey` | [`String!`](#string) | Secret access of the Amazon S3 account. | #### `BaseHeaderInterface` diff --git a/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb b/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb index 2d0f7b17024345..51c0e8a8453585 100644 --- a/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb +++ b/ee/app/graphql/types/audit_events/amazon_s3_configuration_interface.rb 
@@ -17,10 +17,6 @@ module AmazonS3ConfigurationInterface null: false, description: 'Access key ID of the Amazon S3 account.' - field :secret_access_key, GraphQL::Types::String, - null: false, - description: 'Secret access of the Amazon S3 account.' - field :bucket_name, GraphQL::Types::String, null: false, description: 'Name of the bucket where the audit events would be logged.' -- GitLab
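Review bot: on `create_spec.rb` (patch 1/3), `it 'resolves group by full path'` stubs `::Group.find_by_full_path` without `.and_call_original`, so the lookup returns `nil`, `authorized_find!` raises, and the example only proves the method was called rather than that the mutation works with a full path; add `.and_call_original`. Also `it_behaves_like 'creates an audit event', 'audit_events'` passes an argument the shared example never declares, so it is silently ignored and should be removed.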
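Review bot: removing `secret_access_key` from the interface is the right fix, but nothing in the series guards against it coming back: `create_spec.rb` still only checks the database record after `mutate`, so add an assertion that `mutation_response['amazonS3Configuration']` carries no `secretAccessKey` key and that the audited `message` does not contain the secret, otherwise a later `implements` or field addition can reintroduce the leak unnoticed. The two generated `index.md` hunks match the interface change.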