diff --git a/doc/administration/audit_event_types.md b/doc/administration/audit_event_types.md index e40fa7f619f828e10f16bbae46773a28c6e7d6ba..e59e74ac79642b5fe542904b23867668f687a601 100644 --- a/doc/administration/audit_event_types.md +++ b/doc/administration/audit_event_types.md @@ -159,13 +159,14 @@ Audit event types belong to the following product categories. | [`project_restored`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117528) | Event triggered when a project is restored.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/374105) | Project | | [`project_unarchived`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117528) | Event triggered when a project is unarchived.| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/374105) | Project | | [`protected_branch_allow_force_push_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68869) | This audit event is created when a protected branch has its ability to allow force pushes is toggled| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [14.3](https://gitlab.com/gitlab-org/gitlab/-/issues/338873) | Project | +| [`public_repository_download_operation`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149842) | Event triggered when a Git repository for a public project is downloaded| **{dotted-circle}** No | **{check-circle}** Yes | GitLab [17.0](https://gitlab.com/gitlab-org/gitlab/-/issues/383218) | Project | | [`registration_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123080) | Event triggered when a user registers for instance access| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/374107) | User | | [`release_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111080) | Event triggered when a release is created| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374111) | Project | | [`release_deleted_audit_event`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111080) | Event triggered when a release is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374111) | Project | | [`release_milestones_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111080) | Event triggered when a release's associated milestones are updated| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374111) | Project | | [`release_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111080) | Event triggered when a release is updated| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374111) | Project | | [`remove_gpg_key`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111744) | Event triggered when a GPG Key is destroyed| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373961) | User | -| [`repository_download_operation`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111218) | Event triggered when a Git repository for a project is downloaded| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374108) | Project | +| [`repository_download_operation`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111218) | Event triggered when a Git repository for a private or internal project is downloaded| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374108) | Project | | [`require_password_to_approve_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating require user password for approvals from group merge request setting| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | Group | | [`retain_approvals_on_push_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/102256) | Event triggered on updating require new approvals when new commits are added to an MR from group merge request setting| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.6](https://gitlab.com/gitlab-org/gitlab/-/issues/373949) | Group | | [`saml_group_links_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/110525) | Event triggered when a SAML Group Link is created| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373954) | Group | diff --git a/ee/app/controllers/ee/projects/repositories_controller.rb b/ee/app/controllers/ee/projects/repositories_controller.rb index 19184eb29d313d324166ed2c3736719048f8d4ef..54b0dad9b46c342b1dc5c5e19ed34c090649acf2 100644 --- a/ee/app/controllers/ee/projects/repositories_controller.rb +++ b/ee/app/controllers/ee/projects/repositories_controller.rb @@ -15,8 +15,9 @@ module RepositoriesController def log_audit_event project = repository.project + audit_event_type = project.public? ? 'public_repository_download_operation' : 'repository_download_operation' audit_context = { - name: 'repository_download_operation', + name: audit_event_type, author: current_user || ::Gitlab::Audit::UnauthenticatedAuthor.new, scope: project, target: project, diff --git a/ee/config/audit_events/types/public_repository_download_operation.yml b/ee/config/audit_events/types/public_repository_download_operation.yml new file mode 100644 index 0000000000000000000000000000000000000000..8bb5c3b32db505720c763feaa4b4c3d583d47f9d --- /dev/null +++ b/ee/config/audit_events/types/public_repository_download_operation.yml @@ -0,0 +1,10 @@ +--- +name: public_repository_download_operation +description: Event triggered when a Git repository for a public project is downloaded +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/383218 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/149842 +feature_category: compliance_management +milestone: '17.0' +saved_to_database: false +streamed: true +scope: [Project] diff --git a/ee/config/audit_events/types/repository_download_operation.yml b/ee/config/audit_events/types/repository_download_operation.yml index e544512dc6b22e5158f971273e22d3371bf9c3aa..5e490643572d6425c7eb52d385355fa5b2a5f1ce 100644 --- a/ee/config/audit_events/types/repository_download_operation.yml +++ b/ee/config/audit_events/types/repository_download_operation.yml @@ -1,6 +1,6 @@ --- name: repository_download_operation -description: Event triggered when a Git repository for a project is downloaded +description: Event triggered when a Git repository for a private or internal project is downloaded introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374108 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111218 feature_category: compliance_management diff --git a/ee/lib/ee/api/helpers.rb b/ee/lib/ee/api/helpers.rb index 11d4f418d18b31312b177f09f2f28d843ebb2b77..7624684a8acdbc143743554c602a40fda75ed617 100644 --- a/ee/lib/ee/api/helpers.rb +++ b/ee/lib/ee/api/helpers.rb @@ -142,8 +142,9 @@ def send_git_archive(repository, **kwargs) forbidden!(_('You are not allowed to download code from this project.')) if result.error? project = repository.project + audit_event_type = project.public? ? 'public_repository_download_operation' : 'repository_download_operation' audit_context = { - name: 'repository_download_operation', + name: audit_event_type, ip_address: ip_address, author: current_user || ::Gitlab::Audit::UnauthenticatedAuthor.new, target: project, diff --git a/ee/spec/controllers/projects/repositories_controller_spec.rb b/ee/spec/controllers/projects/repositories_controller_spec.rb index 7714cd05b3370d93af511b48fa890890b2310dc4..33df8e217e54d39ab1a27928aea97f8e698457d1 100644 --- a/ee/spec/controllers/projects/repositories_controller_spec.rb +++ b/ee/spec/controllers/projects/repositories_controller_spec.rb @@ -16,18 +16,6 @@ def set_group_destination stub_licensed_features(external_audit_events: true) end - shared_examples 'logs the audit event' do - it 'logs the audit event' do - expect { get_archive }.to change { AuditEvent.count }.by(1) - expect(AuditEvent.last.details).to include({ - author_name: user_name, - custom_message: "Repository Download Started", - target_id: project.id, - target_type: "Project" - }) - end - end - shared_examples 'sends the streaming audit event' do it 'sends the streaming event with audit event type' do expect(AuditEvents::AuditEventStreamingWorker).to receive(:perform_async).with( @@ -41,9 +29,10 @@ def set_group_destination end context 'when unauthenticated', 'for a public project' do - it_behaves_like 'logs the audit event' do - let_it_be(:project) { create(:project, :repository, :public) } - let_it_be(:user_name) { "An unauthenticated user" } + let_it_be(:project) { create(:project, :repository, :public) } + + it 'does not log audit event' do + expect { get_archive }.not_to change { AuditEvent.count } end context 'when group sets event destination' do @@ -53,7 +42,7 @@ def set_group_destination it_behaves_like 'sends the streaming audit event' do let_it_be(:project) { create(:project, :repository, :public, namespace: group) } - let_it_be(:event_type) { "repository_download_operation" } + let_it_be(:event_type) { "public_repository_download_operation" } let_it_be(:user_name) { "An unauthenticated user" } end end @@ -65,9 +54,16 @@ def set_group_destination sign_in(user) end - it_behaves_like 'logs the audit event' do - let_it_be(:user) { create(:user) } - let_it_be(:user_name) { user.name } + let_it_be(:user) { create(:user) } + let_it_be(:user_name) { user.name } + + it 'logs the audit event' do + expect { get_archive }.to change { AuditEvent.count }.by(1) + expect(AuditEvent.last.details).to include + { author_name: user_name, + custom_message: "Repository Download Started", + target_id: project.id, + target_type: "Project" } end context 'when group sets event destination' do @@ -77,9 +73,26 @@ def set_group_destination set_group_destination end - it_behaves_like 'sends the streaming audit event' do - let(:event_type) { "repository_download_operation" } - let_it_be(:user_name) { user.name } + context 'when project is public' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC) + end + + it_behaves_like 'sends the streaming audit event' do + let(:event_type) { "public_repository_download_operation" } + let_it_be(:user_name) { user.name } + end + end + + context 'when project is not public' do + before do + project.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end + + it_behaves_like 'sends the streaming audit event' do + let(:event_type) { "repository_download_operation" } + let_it_be(:user_name) { user.name } + end end end end diff --git a/ee/spec/requests/api/repositories_spec.rb b/ee/spec/requests/api/repositories_spec.rb index d5e34bf3c0faa9addcc42ec8f877b10b25c90266..6815b7e8356441a2e16ce1bea64e1b48e9ac2b94 100644 --- a/ee/spec/requests/api/repositories_spec.rb +++ b/ee/spec/requests/api/repositories_spec.rb @@ -28,9 +28,11 @@ end context 'when unauthenticated', 'and project is public' do - it_behaves_like 'an auditable and successful request' do - let_it_be(:project) { create(:project, :public, :repository) } - let(:current_user) { nil } + let_it_be(:project) { create(:project, :public, :repository) } + let_it_be(:user) { nil } + + it 'does not log audit event' do + expect { request }.not_to change { AuditEvent.count } end end