diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 42b3f2759b43ddc8b9c42d93b70124904599d2c1..b186bdd4664a0e78f9a87b9dcabdb300fdc55ab9 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -296,11 +296,20 @@ Audit event types belong to the following product categories. | Name | Description | Saved to database | Streamed | Introduced in | Scope | |:------------|:------------|:------------------|:---------|:--------------|:--------------| +| [`allow_mfa_for_subgroups_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting for Subgroups can set up their own two-factor authentication rules updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`allow_runner_registration_token_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Allow members of projects and groups to create runners with runner registration tokens is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.0](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group, Project | | [`create_ssh_certificate`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134556) | Triggered when an SSH certificate is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/427413) | Group | +| [`default_branch_name_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when default branch name for the group repository is changed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | | [`delete_ssh_certificate`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134556) | Triggered when an SSH certificate is deleted | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.6](https://gitlab.com/gitlab-org/gitlab/-/issues/427413) | Group | +| [`disable_personal_access_tokens_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Disable personal access tokens is updated | **{check-circle}** Yes | 
**{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`emails_enabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Enable email notifications is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`enabled_git_access_protocol_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Enabled Git access protocols is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`enforce_ssh_certificates_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Enforce SSH Certificates is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | | [`group_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/121005) | Triggered when a group is created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.3](https://gitlab.com/gitlab-org/gitlab/-/issues/411595) | Group | +| [`group_description_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973/) | Triggered when group description is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | | [`group_lfs_enabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Triggered when LFS enabled for a group is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369323) | Group | | [`group_membership_lock_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Triggered when membership lock for a group is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab 
[15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369323) | Group | +| [`group_mentions_disabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when a group's setting to notify group members on group mention is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | | [`group_merge_request_approval_setting_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87880) | Triggered when merge request approval settings are added to a group | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/356152) | Group | | [`group_name_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Triggered when a group's name is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369320) | Group | | [`group_path_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Triggered when a group's path is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369321) | Group | 
@@ -312,9 +321,13 @@ Audit event types belong to the following product categories. | [`group_share_with_group_link_removed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112719) | Triggered when you remove a group from another group by using the group's membership page | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.10](https://gitlab.com/gitlab-org/gitlab/-/issues/327909) | Group | | [`group_share_with_group_link_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/112719) | Triggered when you update a group's access settings to another group by using the group's membership page | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.10](https://gitlab.com/gitlab-org/gitlab/-/issues/327909) | Group | | [`group_shared_runners_minutes_limit_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Triggered when a group's shared runners minutes limit is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369324) | Group | +| [`group_shared_with_group_lock_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973/) | Triggered when group can be shared with other group setting is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | | [`group_two_factor_grace_period_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Triggered when a group's two factor grace period is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369326) | Group | | [`group_visibility_level_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106079) | Triggered when a group's visibility level is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369322) | Group | | 
[`merge_commit_template_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107533) | Triggered when merge commit template is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.8](https://gitlab.com/gitlab-org/gitlab/-/issues/369314) | Project | +| [`new_user_signups_cap_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Number of users for user cap is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`prevent_forking_outside_group_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting for Prevent forking outside current group is changed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`prevent_sharing_groups_outside_hierarchy_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when a group's setting to Members cannot invite groups outside of group and its sugroup updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | | [`project_cicd_merge_pipelines_enabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107428) | Triggered when the CI/CD merge pipelines setting for a project is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.8](https://gitlab.com/gitlab-org/gitlab/-/issues/369317) | Project | | [`project_cicd_merge_trains_enabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107428) | Triggered when the CI/CD merge trains settings for a project is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.8](https://gitlab.com/gitlab-org/gitlab/-/issues/369317) | Project | | [`project_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/117543) | Triggered when a project is 
created | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.0](https://gitlab.com/gitlab-org/gitlab/-/issues/374105) | Project | 
@@ -356,6 +369,13 @@ Audit event types belong to the following product categories. | [`project_resolve_outdated_diff_discussions_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106652) | Triggered when a project's resolve outdated diff discussions setting is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369288) | Project | | [`project_security_setting_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/150767) | Triggered when a project's security setting is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.0](https://gitlab.com/gitlab-org/gitlab/-/issues/457024) | Project | | [`project_visibility_level_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106652) | Triggered when a project's visiblity level setting is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369288) | Project | +| [`remove_dormant_members_period_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Days of inactivity before removal is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`remove_dormant_members_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Dormant members is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`resource_access_token_creation_allowed_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting for Users can create project access tokens and group access tokens in this group changed | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group, Project | +| 
[`runner_registration_enabled_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Runner registration is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`seat_control_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Seat control is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`service_access_tokens_expiration_enforced_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Service account token expiration is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group | +| [`show_diff_preview_in_email_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973) | Triggered when setting Email notification to include diff preview is updated | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.4](https://gitlab.com/gitlab-org/gitlab/-/issues/486532) | Group, Project | | [`squash_commit_template_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107533) | Event triggered on updating the merge request squash commit template for a project | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.8](https://gitlab.com/gitlab-org/gitlab/-/issues/369314) | Project | | [`squash_option_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/84624) | Triggered when squash option setting has been changed. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.0](https://gitlab.com/gitlab-org/gitlab/-/issues/301124) | Project | 
diff --git a/ee/config/audit_events/types/allow_mfa_for_subgroups_updated.yml b/ee/config/audit_events/types/allow_mfa_for_subgroups_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..2ed9f5274a8536b9d79a3714e6fa388aaf93da88 --- /dev/null +++ b/ee/config/audit_events/types/allow_mfa_for_subgroups_updated.yml @@ -0,0 +1,10 @@ +--- +name: allow_mfa_for_subgroups_updated +description: Triggered when setting for Subgroups can set up their own two-factor authentication rules updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/allow_runner_registration_token_updated.yml b/ee/config/audit_events/types/allow_runner_registration_token_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..f5140b4cd716a63ac3b87d2aab851e6f928827c7 --- /dev/null +++ b/ee/config/audit_events/types/allow_runner_registration_token_updated.yml @@ -0,0 +1,10 @@ +--- +name: allow_runner_registration_token_updated +description: Triggered when setting Allow members of projects and groups to create runners with runner registration tokens is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '16.0' +saved_to_database: true +streamed: true +scope: [Group, Project] diff --git a/ee/config/audit_events/types/default_branch_name_updated.yml b/ee/config/audit_events/types/default_branch_name_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..fe049f1bedbb173af1b82cef95e203877d7b84e7 --- /dev/null +++ b/ee/config/audit_events/types/default_branch_name_updated.yml 
@@ -0,0 +1,10 @@ +--- +name: default_branch_name_updated +description: Triggered when default branch name for the group repository is changed +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/disable_personal_access_tokens_updated.yml b/ee/config/audit_events/types/disable_personal_access_tokens_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..42591e30b38fac60acd36128d185f49348e0ab3a --- /dev/null +++ b/ee/config/audit_events/types/disable_personal_access_tokens_updated.yml @@ -0,0 +1,10 @@ +--- +name: disable_personal_access_tokens_updated +description: Triggered when setting Disable personal access tokens is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/emails_enabled_updated.yml b/ee/config/audit_events/types/emails_enabled_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..cee49d4cf393bae19032c464547b49efc091fb47 --- /dev/null +++ b/ee/config/audit_events/types/emails_enabled_updated.yml @@ -0,0 +1,10 @@ +--- +name: emails_enabled_updated +description: Triggered when setting Enable email notifications is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] 
diff --git a/ee/config/audit_events/types/enabled_git_access_protocol_updated.yml b/ee/config/audit_events/types/enabled_git_access_protocol_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..4511371980d681576704c5a29015e46f73c81502 --- /dev/null +++ b/ee/config/audit_events/types/enabled_git_access_protocol_updated.yml @@ -0,0 +1,10 @@ +--- +name: enabled_git_access_protocol_updated +description: Triggered when setting Enabled Git access protocols is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/enforce_ssh_certificates_updated.yml b/ee/config/audit_events/types/enforce_ssh_certificates_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..6c6407e599d35b4f107f5e2075ad4e01981f66ec --- /dev/null +++ b/ee/config/audit_events/types/enforce_ssh_certificates_updated.yml @@ -0,0 +1,10 @@ +--- +name: enforce_ssh_certificates_updated +description: Triggered when setting Enforce SSH Certificates is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/group_description_updated.yml b/ee/config/audit_events/types/group_description_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..0adfb4a824fd7aad63793a37c992174f1c3cb02d --- /dev/null +++ b/ee/config/audit_events/types/group_description_updated.yml 
@@ -0,0 +1,10 @@ +--- +name: group_description_updated +description: Triggered when group description is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973/ +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/group_mentions_disabled_updated.yml b/ee/config/audit_events/types/group_mentions_disabled_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..32c08edc8dc35bc82548e1bfd0ba122b8f578935 --- /dev/null +++ b/ee/config/audit_events/types/group_mentions_disabled_updated.yml @@ -0,0 +1,10 @@ +--- +name: group_mentions_disabled_updated +description: Triggered when a group's setting to notify group members on group mention is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/group_shared_with_group_lock_updated.yml b/ee/config/audit_events/types/group_shared_with_group_lock_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..67252a38a88541fda4d2f85e1b71e324f3eaf50b --- /dev/null +++ b/ee/config/audit_events/types/group_shared_with_group_lock_updated.yml @@ -0,0 +1,10 @@ +--- +name: group_shared_with_group_lock_updated +description: Triggered when group can be shared with other group setting is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973/ +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] 
diff --git a/ee/config/audit_events/types/new_user_signups_cap_updated.yml b/ee/config/audit_events/types/new_user_signups_cap_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..68a55b3180871ee352cb8cb796b5805c305e9491 --- /dev/null +++ b/ee/config/audit_events/types/new_user_signups_cap_updated.yml @@ -0,0 +1,10 @@ +--- +name: new_user_signups_cap_updated +description: Triggered when setting Number of users for user cap is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/prevent_forking_outside_group_updated.yml b/ee/config/audit_events/types/prevent_forking_outside_group_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..1dee7330e5508bace2b5acfa754eaf5d3c8f2739 --- /dev/null +++ b/ee/config/audit_events/types/prevent_forking_outside_group_updated.yml @@ -0,0 +1,10 @@ +--- +name: prevent_forking_outside_group_updated +description: Triggered when setting for Prevent forking outside current group is changed +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/prevent_sharing_groups_outside_hierarchy_updated.yml b/ee/config/audit_events/types/prevent_sharing_groups_outside_hierarchy_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..7af38918c88c0d5cb51edebd9b2beaa169823d35 --- /dev/null +++ b/ee/config/audit_events/types/prevent_sharing_groups_outside_hierarchy_updated.yml 
@@ -0,0 +1,10 @@ +--- +name: prevent_sharing_groups_outside_hierarchy_updated +description: Triggered when a group's setting to Members cannot invite groups outside of group and its sugroup updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/remove_dormant_members_period_updated.yml b/ee/config/audit_events/types/remove_dormant_members_period_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..744f33e5d65c0d8fa6eef245d5deb0a4bc56e46b --- /dev/null +++ b/ee/config/audit_events/types/remove_dormant_members_period_updated.yml @@ -0,0 +1,10 @@ +--- +name: remove_dormant_members_period_updated +description: Triggered when setting Days of inactivity before removal is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/remove_dormant_members_updated.yml b/ee/config/audit_events/types/remove_dormant_members_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..4c6447d8b33a6cbffbc6a1e9cc0e412715131eee --- /dev/null +++ b/ee/config/audit_events/types/remove_dormant_members_updated.yml @@ -0,0 +1,10 @@ +--- +name: remove_dormant_members_updated +description: Triggered when setting Dormant members is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] 
diff --git a/ee/config/audit_events/types/resource_access_token_creation_allowed_updated.yml b/ee/config/audit_events/types/resource_access_token_creation_allowed_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..7195e174c80d53cfa1b61ba25d8e14d66c1c93d5 --- /dev/null +++ b/ee/config/audit_events/types/resource_access_token_creation_allowed_updated.yml @@ -0,0 +1,10 @@ +--- +name: resource_access_token_creation_allowed_updated +description: Triggered when setting for Users can create project access tokens and group access tokens in this group changed +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group, Project] diff --git a/ee/config/audit_events/types/runner_registration_enabled_updated.yml b/ee/config/audit_events/types/runner_registration_enabled_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..7e8da89f1b4d198faefd541566e3955453eee522 --- /dev/null +++ b/ee/config/audit_events/types/runner_registration_enabled_updated.yml @@ -0,0 +1,10 @@ +--- +name: runner_registration_enabled_updated +description: Triggered when setting Runner registration is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/seat_control_updated.yml b/ee/config/audit_events/types/seat_control_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..499616af5849a4de987308f84c7b1c6fa212fabe --- /dev/null +++ b/ee/config/audit_events/types/seat_control_updated.yml 
@@ -0,0 +1,10 @@ +--- +name: seat_control_updated +description: Triggered when setting Seat control is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/service_access_tokens_expiration_enforced_updated.yml b/ee/config/audit_events/types/service_access_tokens_expiration_enforced_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..a9a633eea6b9d7962925f07bb2dd9cede701859c --- /dev/null +++ b/ee/config/audit_events/types/service_access_tokens_expiration_enforced_updated.yml @@ -0,0 +1,10 @@ +--- +name: service_access_tokens_expiration_enforced_updated +description: Triggered when setting Service account token expiration is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group] diff --git a/ee/config/audit_events/types/show_diff_preview_in_email_updated.yml b/ee/config/audit_events/types/show_diff_preview_in_email_updated.yml new file mode 100644 index 0000000000000000000000000000000000000000..18e83c2dddf4f356278a2c0aa6268e1b64db904c --- /dev/null +++ b/ee/config/audit_events/types/show_diff_preview_in_email_updated.yml @@ -0,0 +1,10 @@ +--- +name: show_diff_preview_in_email_updated +description: Triggered when setting Email notification to include diff preview is updated +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/486532 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164973 +feature_category: groups_and_projects +milestone: '17.4' +saved_to_database: true +streamed: true +scope: [Group, Project] 
diff --git a/ee/lib/audit/group_changes_auditor.rb b/ee/lib/audit/group_changes_auditor.rb index 2ae6bcbb11787d659e9adb201b09403b31992c4b..3f357e00e4649268ae76432cebe76523f4bc0044 100644 --- a/ee/lib/audit/group_changes_auditor.rb +++ b/ee/lib/audit/group_changes_auditor.rb @@ -13,11 +13,14 @@ class GroupChangesAuditor < BaseChangesAuditor visibility_level: 'group_visibility_level_updated', request_access_enabled: 'group_request_access_enabled_updated', membership_lock: 'group_membership_lock_updated', + share_with_group_lock: 'group_shared_with_group_lock_updated', + description: 'group_description_updated', lfs_enabled: 'group_lfs_enabled_updated', shared_runners_minutes_limit: 'group_shared_runners_minutes_limit_updated', require_two_factor_authentication: 'group_require_two_factor_authentication_updated', two_factor_grace_period: 'group_two_factor_grace_period_updated', - project_creation_level: 'group_project_creation_level_updated' + project_creation_level: 'group_project_creation_level_updated', + mentions_disabled: 'group_mentions_disabled_updated' }.freeze def execute diff --git a/ee/lib/audit/namespace_setting_changes_auditor.rb b/ee/lib/audit/namespace_setting_changes_auditor.rb index c35059d4bbf8b013da6497f5b03b20c7e1826dc1..577e2e861d7add4f688d32c5e6efb213ba322aa7 100644 --- a/ee/lib/audit/namespace_setting_changes_auditor.rb +++ b/ee/lib/audit/namespace_setting_changes_auditor.rb 
@@ -4,7 +4,24 @@ module Audit class NamespaceSettingChangesAuditor < BaseChangesAuditor EVENT_NAME_PER_COLUMN = { duo_features_enabled: 'duo_features_enabled_updated', - experiment_features_enabled: 'experiment_features_enabled_updated' + experiment_features_enabled: 'experiment_features_enabled_updated', + prevent_forking_outside_group: 'prevent_forking_outside_group_updated', + allow_mfa_for_subgroups: 'allow_mfa_for_subgroups_updated', + default_branch_name: 'default_branch_name_updated', + resource_access_token_creation_allowed: 'resource_access_token_creation_allowed_updated', + new_user_signups_cap: 'new_user_signups_cap_updated', + show_diff_preview_in_email: 'show_diff_preview_in_email_updated', + enabled_git_access_protocol: 'enabled_git_access_protocol_updated', + runner_registration_enabled: 'runner_registration_enabled_updated', + allow_runner_registration_token: 'allow_runner_registration_token_updated', + emails_enabled: 'emails_enabled_updated', + service_access_tokens_expiration_enforced: 'service_access_tokens_expiration_enforced_updated', + enforce_ssh_certificates: 'enforce_ssh_certificates_updated', + disable_personal_access_tokens: 'disable_personal_access_tokens_updated', + remove_dormant_members: 'remove_dormant_members_updated', + remove_dormant_members_period: 'remove_dormant_members_period_updated', + prevent_sharing_groups_outside_hierarchy: 'prevent_sharing_groups_outside_hierarchy_updated', + seat_control: 'seat_control_updated' }.freeze def initialize(current_user, namespace_setting, group) diff --git a/ee/spec/lib/audit/group_changes_auditor_spec.rb b/ee/spec/lib/audit/group_changes_auditor_spec.rb index 8619d453a622bb0fe8d07437bc073af16112ffd1..879e51e87265db910133414a69243cb674c2d770 100644 --- a/ee/spec/lib/audit/group_changes_auditor_spec.rb +++ b/ee/spec/lib/audit/group_changes_auditor_spec.rb 
@@ -7,6 +7,7 @@ let!(:user) { create(:user) } let!(:group) { create(:group, visibility_level: 0) } let(:foo_instance) { described_class.new(user, group) } + let_it_be(:audited_group_column_keys) { described_class::EVENT_NAME_PER_COLUMN.keys } before do stub_licensed_features(extended_audit_events: true, external_audit_events: true) @@ -42,7 +43,7 @@ it 'creates an event when attributes change' do # Exclude special cases covered from above - columns = described_class::EVENT_NAME_PER_COLUMN.keys - + columns = audited_group_column_keys - described_class::COLUMN_HUMAN_NAME.keys - [:project_creation_level] columns.each do |column| @@ -74,9 +75,7 @@ end it 'does not create event when there is no change in attribute value' do - columns = described_class::EVENT_NAME_PER_COLUMN.keys - - columns.each do |column| + audited_group_column_keys.each do |column| group.update_attribute(column, group.attributes[column.to_s]) expect(AuditEvents::AuditEventStreamingWorker).not_to receive(:perform_async) 
@@ -84,26 +83,19 @@ end end - context 'when namespace setting is updated' do - context 'when experiment_features_enabled is changed' do - before do - stub_ee_application_setting(should_check_namespace_plan: true) - allow(group).to receive(:licensed_feature_available?).with(:experimental_features).and_return(true) - group.namespace_settings.update!(experiment_features_enabled: true) - end - - it 'creates an audit event' do - group.namespace_settings.update!(experiment_features_enabled: false) + it 'audits all the columns except the ones denylisted' do + columns_not_to_audit = %w[created_at updated_at id owner_id type avatar ldap_sync_status + ldap_sync_error ldap_sync_last_update_at ldap_sync_last_successful_update_at ldap_sync_last_sync_at + description_html parent_id cached_markdown_version runners_token file_template_project_id + saml_discovery_token runners_token_encrypted custom_project_templates_group_id auto_devops_enabled + extra_shared_runners_minutes_limit last_ci_minutes_notification_at last_ci_minutes_usage_notification_level + subgroup_creation_level max_pages_size max_artifacts_size default_branch_protection + max_personal_access_token_lifetime push_rule_id shared_runners_enabled + allow_descendants_override_disabled_shared_runners traversal_ids organization_id] - expect { foo_instance.execute }.to change { AuditEvent.count }.by(1) - end + columns_to_audit = audited_group_column_keys.map(&:to_s) - it 'does not create audit event if the value is unchanged' do - group.namespace_settings.update!(experiment_features_enabled: true) - - expect { foo_instance.execute }.not_to change(AuditEvent, :count) - end - end + expect(Group.columns.map(&:name) - columns_not_to_audit).to match_array(columns_to_audit) end end end diff --git a/ee/spec/lib/audit/namespace_setting_changes_auditor_spec.rb b/ee/spec/lib/audit/namespace_setting_changes_auditor_spec.rb index 18b42a3f853b1197e17da5ff45b9f9fc0df2af1e..deaabe43c663b1a9c5ca332ee517c7a69e665e6e 100644 
--- a/ee/spec/lib/audit/namespace_setting_changes_auditor_spec.rb +++ b/ee/spec/lib/audit/namespace_setting_changes_auditor_spec.rb @@ -14,19 +14,20 @@ before do stub_licensed_features(extended_audit_events: true, external_audit_events: true) + group.external_audit_event_destinations.create!(destination_url: 'http://example.com') end - shared_examples 'audited setting' do |attribute, event_name| + shared_examples 'audited setting' do before do - group.namespace_settings.update!(attribute => prev_value) + group.namespace_settings.update!(column_name => prev_value) end it 'creates an audit event' do - group.namespace_settings.update!(attribute => new_value) + group.namespace_settings.update!(column_name => new_value) expect { auditor.execute }.to change { AuditEvent.count }.by(1) audit_details = { - change: attribute, + change: column_name, from: prev_value, to: new_value, target_details: group.full_path 
@@ -35,31 +36,46 @@ end it 'streams correct audit event stream' do - group.namespace_settings.update!(attribute => new_value) + group.namespace_settings.update!(column_name => new_value) expect(AuditEvents::AuditEventStreamingWorker).to receive(:perform_async).with( - event_name, anything, anything) + described_class::EVENT_NAME_PER_COLUMN[column_name], anything, anything) auditor.execute end context 'when attribute is not changed' do it 'does not create an audit event' do - group.namespace_settings.update!(attribute => prev_value) + group.namespace_settings.update!(column_name => prev_value) expect { auditor.execute }.not_to change { AuditEvent.count } end end end - context 'for boolean changes' do - where(:prev_value, :new_value) do - true | false - false | true + context 'for all columns' do + where(:column_name, :prev_value, :new_value) do + :duo_features_enabled | true | false + :experiment_features_enabled | false | true + :prevent_forking_outside_group | false | true + :allow_mfa_for_subgroups | false | true + :default_branch_name | "branch1" | "branch2" + :resource_access_token_creation_allowed | true | false + :show_diff_preview_in_email | false | true + :enabled_git_access_protocol | "all" | "ssh" + :runner_registration_enabled | false | true + :allow_runner_registration_token | false | true + :emails_enabled | false | true + :service_access_tokens_expiration_enforced | false | true + :enforce_ssh_certificates | false | true + :disable_personal_access_tokens | false | true + :remove_dormant_members | false | true + :remove_dormant_members_period | 90 | 100 + :prevent_sharing_groups_outside_hierarchy | false | true end with_them do - context 'when ai-related settings are changed', :saas do + context 'when settings are changed for saas', :saas do let_it_be(:group) { create(:group_with_plan, plan: :ultimate_plan, trial_ends_on: Date.tomorrow) } let_it_be(:destination) { create(:external_audit_event_destination, group: group) } 
@@ -72,10 +88,44 @@ stub_ee_application_setting(should_check_namespace_plan: true) end - it_behaves_like 'audited setting', :experiment_features_enabled, 'experiment_features_enabled_updated' - it_behaves_like 'audited setting', :duo_features_enabled, 'duo_features_enabled_updated' + it_behaves_like 'audited setting' end + + context 'when settings are changed for self-managed' do + it_behaves_like 'audited setting' + end + end + end + + context 'when attribute is new_user_signup_cap' do + let(:prev_value) { 0 } + let(:new_value) { 1 } + let(:column_name) { :new_user_signups_cap } + + before do + allow(group).to receive(:user_cap_available?).and_return true + group.namespace_settings.update!(seat_control: :user_cap, new_user_signups_cap: 0) end + + it_behaves_like 'audited setting' + end + + it 'audits all the columns except the ones denylisted' do + columns_not_to_audit = %w[created_at updated_at namespace_id repository_read_only last_dormant_member_review_at + setup_for_company jobs_to_be_done runner_token_expiration_interval + subgroup_runner_token_expiration_interval project_runner_token_expiration_interval product_analytics_enabled + unique_project_download_limit unique_project_download_limit_interval_in_seconds math_rendering_limits_enabled + unique_project_download_limit_allowlist early_access_program_joined_by_id default_branch_protection_defaults + allow_merge_on_skipped_pipeline default_compliance_framework_id unique_project_download_limit_alertlist + only_allow_merge_if_all_discussions_are_resolved enterprise_users_extensions_marketplace_opt_in_status + default_branch_protection_defaults allow_merge_without_pipeline auto_ban_user_on_excessive_projects_download + lock_math_rendering_limits_enabled enable_auto_assign_gitlab_duo_pro_seats early_access_program_participant + lock_duo_features_enabled allow_merge_without_pipeline only_allow_merge_if_pipeline_succeeds + lock_spp_repository_pipeline_access spp_repository_pipeline_access] + + columns_to_audit = 
Audit::NamespaceSettingChangesAuditor::EVENT_NAME_PER_COLUMN.keys.map(&:to_s) + + expect(NamespaceSetting.columns.map(&:name) - columns_not_to_audit).to match_array(columns_to_audit) end end end
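Review bot: in the `EVENT_NAME_PER_COLUMN` hunk of `ee/lib/audit/group_changes_auditor.rb`, the new entry `share_with_group_lock: 'group_shared_with_group_lock_updated'` breaks the `group_<column>_updated` pattern that every neighbouring entry follows (`membership_lock: 'group_membership_lock_updated'`, `lfs_enabled: 'group_lfs_enabled_updated'`): the column says `share`, the event name says `shared`. Consumers that filter streamed events by name will key on this string, so either rename it to `group_share_with_group_lock_updated` before it ships, or, if the spelling is deliberate, add a one-line comment next to the entry saying so.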
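Review bot: in the `EVENT_NAME_PER_COLUMN` hunk of `ee/lib/audit/namespace_setting_changes_auditor.rb`, `seat_control: 'seat_control_updated'` is added to the map but nothing in the accompanying spec changes exercises it as an audited column. It has no row in the `where(:column_name, :prev_value, :new_value)` table and no dedicated context like the one for `new_user_signups_cap`; it only appears as setup in `update!(seat_control: :user_cap, new_user_signups_cap: 0)`. The column-list test proves the key exists, not that a change produces an event. Please add a case that flips `seat_control` and runs `it_behaves_like 'audited setting'`.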
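Review bot: in the `@@ -84,26 +83,19 @@` hunk of `ee/spec/lib/audit/group_changes_auditor_spec.rb`, the `columns_not_to_audit` list puts two different kinds of column in one undocumented `%w[]`: values that should never reach an audit record (`runners_token`, `runners_token_encrypted`, `saml_discovery_token`) and settings that read as access or policy controls (`max_personal_access_token_lifetime`, `default_branch_protection`, `subgroup_creation_level`, `shared_runners_enabled`, `push_rule_id`). A reader cannot tell whether the second group is excluded on purpose, audited elsewhere, or simply deferred. Please split the list into named groups, or add a short comment per group giving the reason, so that a future column added to the denylist to make this test pass gets the same scrutiny.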
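Review bot: in the `@@ -14,19 +14,20 @@` hunk of `ee/spec/lib/audit/namespace_setting_changes_auditor_spec.rb`, `shared_examples 'audited setting'` drops its block parameters and now silently depends on the including context defining `column_name`, `prev_value` and `new_value`. Add a comment above the shared example listing those three required definitions, since a missing one will only show up as a confusing failure inside the example. A related question on the new `before` line: it creates a destination with `destination_url: 'http://example.com'` for every example, while the SaaS context further down also declares `let_it_be(:destination)` for its group. Is having two destinations on that group intended?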
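Review bot: in the `@@ -35,31 +36,46 @@` hunk of `ee/spec/lib/audit/namespace_setting_changes_auditor_spec.rb`, the streaming expectation now takes the expected event name from the code under test, `described_class::EVENT_NAME_PER_COLUMN[column_name]`, so it can no longer catch a misspelled event name in the map. The removed calls passed the name as a literal (`'experiment_features_enabled_updated'`), which did. Since the table is already parameterised, add an `:event_name` column to the `where` block and assert against that literal instead.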
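Review bot: in the `@@ -72,10 +88,44 @@` hunk of `ee/spec/lib/audit/namespace_setting_changes_auditor_spec.rb`, the `columns_not_to_audit` list contains `default_branch_protection_defaults` twice and `allow_merge_without_pipeline` twice. Array subtraction hides the duplicates, but they make the list harder to review; please de-duplicate and consider sorting it. Two smaller points in the same hunk: the context description says `new_user_signup_cap` while the column is `:new_user_signups_cap`, and `columns_to_audit` spells out `Audit::NamespaceSettingChangesAuditor::EVENT_NAME_PER_COLUMN` where the rest of the file uses `described_class`.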