From cd02d5d9db3f1c449dc8b5e6ce0e2f71e7ea2384 Mon Sep 17 00:00:00 2001 From: Aaron Huntsman Date: Tue, 11 Jun 2024 16:41:49 -0500 Subject: [PATCH 1/4] Create audit event for container repository tag deletion Adds audit event `container_repository_tags_delete`. Updates Projects::ContainerRepository::DeleteTagsService to audit when tags are marked for deletion. Changelog: added EE: true --- .../delete_tags_service.rb | 4 ++- doc/user/compliance/audit_event_types.md | 4 +++ .../delete_tags_service.rb | 33 +++++++++++++++++++ .../container_repository_tags_deleted.yml | 10 ++++++ 4 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 ee/app/services/ee/projects/container_repository/delete_tags_service.rb create mode 100644 ee/config/audit_events/types/container_repository_tags_deleted.yml diff --git a/app/services/projects/container_repository/delete_tags_service.rb b/app/services/projects/container_repository/delete_tags_service.rb index 6e323fae2bc0ce..23814edf19b5da 100644 --- a/app/services/projects/container_repository/delete_tags_service.rb +++ b/app/services/projects/container_repository/delete_tags_service.rb @@ -13,7 +13,7 @@ def execute(container_repository) end @tag_names = params[:tags] - return error('not tags specified') if @tag_names.blank? + return error('no tags specified') if @tag_names.blank? delete_tags end @@ -56,3 +56,5 @@ def container_expiration_policy? end end end + +Projects::ContainerRepository::DeleteTagsService.prepend_mod_with('Projects::ContainerRepository::DeleteTagsService') diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 22e2f23064d3eb..82334ad76f6c56 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -190,8 +190,12 @@ Audit event types belong to the following product categories. | Name | Description | Saved to database | Streamed | Introduced in | Scope | |:------------|:------------|:------------------|:---------|:--------------|:--------------| +<<<<<<< HEAD | [`container_repository_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152967) | Triggered when a project's container registry is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | | [`container_repository_deletion_marked`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152967) | Triggered when a project's container repository is marked for deletion| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | +======= +| [`container_repository_tags_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156066) | Triggered when a project's container repository tag is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | +>>>>>>> 6907044d08a0 (Create audit event for container repository tag deletion) ### Continuous delivery diff --git a/ee/app/services/ee/projects/container_repository/delete_tags_service.rb b/ee/app/services/ee/projects/container_repository/delete_tags_service.rb new file mode 100644 index 00000000000000..f1f8392763aaad --- /dev/null +++ b/ee/app/services/ee/projects/container_repository/delete_tags_service.rb 
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module EE
+ module Projects
+ module ContainerRepository
+ module DeleteTagsService
+ extend ::Gitlab::Utils::Override
+
+ override :execute
+ def execute(container_repository)
+ super(container_repository)
+
+ audit_event(container_repository, params[:tags])
+ end
+
+ private
+
+ def audit_event(repository, tags)
+ message = "Container repository tags marked for deletion: #{tags.join(', ')}"
+
+ audit_context = {
+ name: "container_repository_tags_deleted",
+ author: current_user,
+ scope: project,
+ target: repository,
+ message: message
+ }
+ ::Gitlab::Audit::Auditor.audit(audit_context)
+ end
+ end
+ end
+ end
+end
diff --git a/ee/config/audit_events/types/container_repository_tags_deleted.yml b/ee/config/audit_events/types/container_repository_tags_deleted.yml
new file mode 100644
index 00000000000000..b5b2058c90c24b
--- /dev/null
+++ b/ee/config/audit_events/types/container_repository_tags_deleted.yml
@@ -0,0 +1,10 @@
+---
+name: container_repository_tags_deleted
+description: Triggered when a project's container repository tag is deleted
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/362290
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156066
+feature_category: container_registry
+milestone: '17.1'
+saved_to_database: true
+streamed: true
+scope: [Project]
-- GitLab From 0aab08d1a9b9aeeb32ff41f50b801473ab778a28 Mon Sep 17 00:00:00 2001 From: Aaron Huntsman Date: Thu, 13 Jun 2024 21:14:11 -0500 Subject: [PATCH 2/4] add specs
--- .../delete_tags_service.rb | 6 ++- .../delete_tags_service_spec.rb | 49 +++++++++++++++++++ 2 files changed, 53 insertions(+), 2 deletions(-) create mode 100644 ee/spec/services/projects/container_repository/delete_tags_service_spec.rb
diff --git a/ee/app/services/ee/projects/container_repository/delete_tags_service.rb b/ee/app/services/ee/projects/container_repository/delete_tags_service.rb
index f1f8392763aaad..23ae6d9337ec88 100644
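Review bot: The audit message built in `audit_event` says the tags were "marked for deletion", while the event type is `container_repository_tags_deleted` and its YAML description says the tag "is deleted"; the commit message names a third variant, `container_repository_tags_delete`. Someone reading the audit trail cannot tell from this whether a record means a request or a completed removal, so the name, description and message should state the same thing. `tags.join(', ')` also assumes `params[:tags]` is an array and interpolates every supplied name with no bound; `Array(tags).join(', ')` guards the type, and a header comment on `audit_event` should say where the tag list comes from.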
--- a/ee/app/services/ee/projects/container_repository/delete_tags_service.rb +++ b/ee/app/services/ee/projects/container_repository/delete_tags_service.rb @@ -8,9 +8,11 @@ module DeleteTagsService override :execute def execute(container_repository) - super(container_repository) + result = super(container_repository) - audit_event(container_repository, params[:tags]) + audit_event(container_repository, params[:tags]) if result[:status] == :success + + result end private diff --git a/ee/spec/services/projects/container_repository/delete_tags_service_spec.rb b/ee/spec/services/projects/container_repository/delete_tags_service_spec.rb new file mode 100644 index 00000000000000..a965118e70267a --- /dev/null +++ b/ee/spec/services/projects/container_repository/delete_tags_service_spec.rb 
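Review bot: The audit record is still built from `params[:tags]`, the tags that were requested, so after the `result[:status] == :success` check it can list tags that were not actually removed if the underlying service reports success for a partial deletion. Whether the result hash exposes the tags that were really deleted is not visible in this hunk; if it does, pass that list to `audit_event` instead of `params[:tags]`. Denied and failed attempts leave no audit record with this guard, which may be intended, but it is worth stating in a comment above `execute`, for example `# Audits only successful deletions; the result of super is returned unchanged.` The module body continues outside the hunk.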
@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::ContainerRepository::DeleteTagsService, feature_category: :container_registry do
+ describe '#resolve' do
+ using RSpec::Parameterized::TableSyntax
+
+ include_context 'container repository delete tags service shared context'
+
+ let(:tags) { %w[a b c] }
+ let(:subject) { described_class.new(project, user, params) }
+
+ before do
+ allow(repository.client).to receive(:supports_tag_delete?).and_return(true)
+ stub_delete_reference_requests(tags)
+ project.add_developer(user)
+ end
+
+ include_examples 'audit event logging' do
+ let(:operation) { subject.execute(repository) }
+ let(:event_type) { 'container_repository_tags_deleted' }
+ let(:fail_condition!) do
+ allow_next_instance_of(::Projects::ContainerRepository::Gitlab::DeleteTagsService) do |instance|
+ allow(instance).to receive(:execute).and_return({ status: :error })
+ end
+ end
+
+ let(:author) { user }
+
+ let(:attributes) do
+ {
+ author_id: author.id,
+ entity_id: repository.project.id,
+ entity_type: 'Project',
+ details: {
+ event_name: "container_repository_tags_deleted",
+ author_class: author.class.to_s,
+ author_name: author.name,
+ custom_message: "Container repository tags marked for deletion: #{tags.join(', ')}",
+ target_details: repository.name,
+ target_id: repository.id,
+ target_type: repository.class.to_s
+ }
+ }
+ end
+ end
+ end
+end
-- GitLab From a979aedaac4574f908017bd62d5b8264c3a44bff Mon Sep 17 00:00:00 2001 From: Aaron Huntsman Date: Tue, 18 Jun 2024 07:59:34 +0000 Subject: [PATCH 3/4] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Hitesh Raghuvanshi
--- .../audit_events/types/container_repository_tags_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ee/config/audit_events/types/container_repository_tags_deleted.yml b/ee/config/audit_events/types/container_repository_tags_deleted.yml
index b5b2058c90c24b..92e678ea314a20 100644
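Review bot: The example group is labelled `describe '#resolve'`, but the operation under test is `subject.execute(repository)`; rename it to `describe '#execute' do`. `using RSpec::Parameterized::TableSyntax` is not used by anything in this file as shown and can be dropped, and `let(:subject) { ... }` reads better as a named subject, `subject(:service) { described_class.new(project, user, params) }`. The only failure path covered is the delegate returning `{ status: :error }`; a case where only some of `tags` are deleted would pin down what the audit message should contain.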
--- a/ee/config/audit_events/types/container_repository_tags_deleted.yml +++ b/ee/config/audit_events/types/container_repository_tags_deleted.yml @@ -4,7 +4,7 @@ description: Triggered when a project's container repository tag is deleted introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/362290 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156066 feature_category: container_registry -milestone: '17.1' +milestone: '17.2' saved_to_database: true streamed: true scope: [Project] -- GitLab From 83b024665ce7975682ad8b047bf0aac449fbda25 Mon Sep 17 00:00:00 2001 From: Aaron Huntsman Date: Tue, 18 Jun 2024 05:00:31 -0500 Subject: [PATCH 4/4] update milestone in docs --- doc/user/compliance/audit_event_types.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 82334ad76f6c56..1b95280b1ad4ae 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -190,12 +190,9 @@ Audit event types belong to the following product categories. | Name | Description | Saved to database | Streamed | Introduced in | Scope | |:------------|:------------|:------------------|:---------|:--------------|:--------------| -<<<<<<< HEAD | [`container_repository_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152967) | Triggered when a project's container registry is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | | [`container_repository_deletion_marked`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152967) | Triggered when a project's container repository is marked for deletion| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | -======= -| [`container_repository_tags_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156066) | Triggered when a project's container repository tag is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | ->>>>>>> 6907044d08a0 (Create audit event for container repository tag deletion) +| [`container_repository_tags_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156066) | Triggered when a project's container repository tag is deleted| **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | ### Continuous delivery -- GitLab