From 87546803798f732cfbbf1ff5afcb613a9ea784d2 Mon Sep 17 00:00:00 2001 From: harsimarsandhu Date: Wed, 9 Oct 2024 14:12:51 +0530 Subject: [PATCH 01/10] Audit when multi project down stream pipeline is created This commit adds audit event when a multi project downstream pipeline is created EE: true Changelog: added --- .../ci/create_downstream_pipeline_service.rb | 7 ++ .../ci/create_downstream_pipeline_service.rb | 33 ++++++++ ...create_downstream_pipeline_service_spec.rb | 80 +++++++++++++++++++ 3 files changed, 120 insertions(+) create mode 100644 ee/app/services/ee/ci/create_downstream_pipeline_service.rb create mode 100644 ee/spec/services/ci/create_downstream_pipeline_service_spec.rb diff --git a/app/services/ci/create_downstream_pipeline_service.rb b/app/services/ci/create_downstream_pipeline_service.rb index efce1604276ba5..098235816f6745 100644 --- a/app/services/ci/create_downstream_pipeline_service.rb +++ b/app/services/ci/create_downstream_pipeline_service.rb @@ -41,12 +41,17 @@ def execute(bridge) .payload log_downstream_pipeline_creation(downstream_pipeline) + log_audit_event(downstream_pipeline) update_bridge_status!(@bridge, downstream_pipeline) rescue StandardError => e @bridge.reset.drop!(:data_integrity_failure) raise e end + def log_audit_event(downstream_pipeline) + # defined in EE + end + private def update_bridge_status!(bridge, pipeline) @@ -172,3 +177,5 @@ def config_checksum(pipeline) end end end + +Ci::CreateDownstreamPipelineService.prepend_mod_with('Ci::CreateDownstreamPipelineService') diff --git a/ee/app/services/ee/ci/create_downstream_pipeline_service.rb b/ee/app/services/ee/ci/create_downstream_pipeline_service.rb new file mode 100644 index 00000000000000..0ecdc3e02ad2ff --- /dev/null +++ b/ee/app/services/ee/ci/create_downstream_pipeline_service.rb 
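Review bot: The new `log_audit_event(downstream_pipeline)` call in `execute` sits inside the method's `rescue StandardError` scope, so any exception raised while building or sending the audit event drops the bridge with `:data_integrity_failure` and re-raises, even when the downstream pipeline was created successfully. If audit emission is meant to be best-effort, the EE override could rescue and report its own errors (for example with `::Gitlab::ErrorTracking.track_exception(e)`); if it is meant to be mandatory, a comment on the call should say so, e.g. `# An audit failure intentionally fails the bridge`. Separately, the CE no-op `log_audit_event` is added above `private`, which makes the hook part of the service's public interface; moving it below `private` would keep it internal, assuming the override check accepts private methods. The body of `execute` starts outside the hunk.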
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module EE
+ module Ci
+ module CreateDownstreamPipelineService
+ extend ::Gitlab::Utils::Override
+
+ override :log_audit_event
+ def log_audit_event(downstream_pipeline)
+ return unless downstream_pipeline&.persisted?
+ return if downstream_pipeline.parent_pipeline?
+
+ root_pipeline = downstream_pipeline.upstream_root
+
+ audit_context = {
+ name: "multi_project_downstream_pipeline_created",
+ author: current_user,
+ scope: downstream_pipeline.project,
+ target: downstream_pipeline,
+ target_details: downstream_pipeline.id.to_s,
+ stream_only: true,
+ message: "Multi-project downstream pipeline created.",
+ additional_details: {
+ upstream_root_pipeline_id: root_pipeline.id,
+ upstream_root_project_path: root_pipeline.project.full_path
+ }
+ }
+
+ ::Gitlab::Audit::Auditor.audit(audit_context)
+ end
+ end
+ end
+end
diff --git a/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb
new file mode 100644
index 00000000000000..6f80b0463c7c3b
--- /dev/null
+++ b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb
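Review bot: The `additional_details` hash records only `downstream_pipeline.upstream_root`, so for a chain of multi-project triggers the event presumably names the first pipeline in the hierarchy but not the pipeline or bridge job that directly triggered this one. The immediate trigger is usually what an investigator needs; since the service already holds `@bridge`, a line such as `upstream_pipeline_id: @bridge.pipeline.id` could be added next to `upstream_root_pipeline_id`. The event is scoped to `downstream_pipeline.project` while carrying `upstream_root_project_path`, so it is worth confirming that consumers of the downstream project's audit stream are allowed to learn the path of an upstream project that may be private. A short comment above `log_audit_event` would also help, e.g. `# Parent-child pipelines stay inside one project, so only cross-project triggers are audited`.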
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::CreateDownstreamPipelineService, feature_category: :continuous_integration do
+ let(:user) { create(:user) }
+ let(:upstream_project) { create(:project, :repository) }
+ let(:downstream_project) { create(:project, :repository) }
+
+ let!(:upstream_pipeline) do
+ create(:ci_pipeline, :created, project: upstream_project)
+ end
+
+ let(:trigger) do
+ {
+ trigger: {
+ project: downstream_project.full_path,
+ branch: 'feature'
+ }
+ }
+ end
+
+ let(:bridge) do
+ create(
+ :ci_bridge,
+ status: :pending,
+ user: user,
+ options: trigger,
+ pipeline: upstream_pipeline
+ )
+ end
+
+ let(:service) { described_class.new(upstream_project, user) }
+
+ before do
+ upstream_project.add_developer(user)
+ downstream_project.add_developer(user)
+ stub_ci_pipeline_yaml_file(YAML.dump(rspec: { script: 'rspec' }))
+ end
+
+ subject(:execute) { service.execute(bridge) }
+
+ context 'when multi project downstream pipeline is created ' do
+ before do
+ allow(::Gitlab::Audit::Auditor).to receive(:audit)
+ end
+
+ it 'calls auditor with correct args' do
+ pipeline = execute.payload
+
+ expect(::Gitlab::Audit::Auditor).to have_received(:audit).with(
+ name: "multi_project_downstream_pipeline_created",
+ author: user,
+ scope: pipeline.project,
+ target: pipeline,
+ target_details: pipeline.id.to_s,
+ stream_only: true,
+ message: "Multi-project downstream pipeline created.",
+ additional_details: {
+ upstream_root_pipeline_id: upstream_pipeline.id,
+ upstream_root_project_path: upstream_pipeline.project.full_path
+ }
+ )
+ end
+ end
+
+ context 'when parent child project downstream pipeline is created ' do
+ let(:downstream_project) { upstream_project }
+
+ before do
+ allow(::Gitlab::Audit::Auditor).to receive(:audit)
+ end
+
+ it 'does not calls auditor' do
+ execute.payload
+
+ expect(::Gitlab::Audit::Auditor).not_to have_received(:audit)
+ end
+ end
+end
-- GitLab
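Review bot: The spec exercises the multi-project and parent-child paths but not the `return unless downstream_pipeline&.persisted?` guard, so nothing pins that a downstream pipeline which fails to be created produces no audit event. A third context in which creation fails (for instance the user lacking access to the downstream project, if that is how the service rejects it) asserting `expect(::Gitlab::Audit::Auditor).not_to have_received(:audit)` would cover it. Both examples also use a single hop, so `upstream_root_pipeline_id` is never checked in a case where the root differs from the immediate upstream pipeline. The example name `'does not calls auditor'` should read `'does not call auditor'`.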
From 48206b022ade8de4d40c278332bb3b5f72a556ca Mon Sep 17 00:00:00 2001 From: harsimarsandhu Date: Wed, 9 Oct 2024 14:24:18 +0530 Subject: [PATCH 02/10] Update audit event docs --- doc/user/compliance/audit_event_types.md | 6 ++++++ .../multi_project_downstream_pipeline_created.yml | 10 ++++++++++ 2 files changed, 16 insertions(+) create mode 100644 ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index e08821c3f68d91..8faff98003a371 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md @@ -197,6 +197,12 @@ Audit event types belong to the following product categories. | [`container_repository_deletion_marked`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/152967) | Triggered when a project's container repository is marked for deletion | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | | [`container_repository_tags_deleted`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156066) | Triggered when a project's container repository tag is deleted | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.2](https://gitlab.com/gitlab-org/gitlab/-/issues/362290) | Project | +### Continuous-integration + +| Name | Description | Saved to database | Streamed | Introduced in | Scope | +|:------------|:------------|:------------------|:---------|:--------------|:--------------| +| [`multi_project_downstream_pipeline_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164546) | Triggered when multi project downstream pipeline is created | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [17.5](https://gitlab.com/gitlab-org/gitlab/-/issues/481325) | Project | + ### Continuous delivery | Name | Description | Saved to database | Streamed | Introduced in | Scope | 
diff --git a/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml b/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml new file mode 100644 index 00000000000000..f3f541f6f5ecd5 --- /dev/null +++ b/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml @@ -0,0 +1,10 @@ +--- +name: multi_project_downstream_pipeline_created +description: Triggered when multi project downstream pipeline is created +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/481325 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164546 +feature_category: continuous-integration +milestone: '17.5' +saved_to_database: false +streamed: true +scope: [Project] -- GitLab From 1b58be224cceaa86ee4aa7bd710c90d9d2c66009 Mon Sep 17 00:00:00 2001 From: harsimarsandhu Date: Wed, 9 Oct 2024 14:52:40 +0530 Subject: [PATCH 03/10] Use let it be --- ...create_downstream_pipeline_service_spec.rb | 27 +++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb index 6f80b0463c7c3b..4068fb8463124d 100644 --- a/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb +++ b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb @@ -3,13 +3,9 @@ require 'spec_helper' RSpec.describe Ci::CreateDownstreamPipelineService, feature_category: :continuous_integration do - let(:user) { create(:user) } - let(:upstream_project) { create(:project, :repository) } - let(:downstream_project) { create(:project, :repository) } - - let!(:upstream_pipeline) do - create(:ci_pipeline, :created, project: upstream_project) - end + let_it_be(:user) { create(:user) } + let_it_be(:upstream_project) { create(:project, :repository) } + let_it_be(:upstream_pipeline) { create(:ci_pipeline, :created, project: upstream_project) } let(:trigger) do { 
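Review bot: `saved_to_database: false` in `multi_project_downstream_pipeline_created.yml` is declared independently of the call site, and patch 04 of this series removes `stream_only: true` from the audit context, so after that patch this flag is the only visible statement that the event is not persisted. It should be confirmed that `::Gitlab::Audit::Auditor.audit` derives persistence from the type definition; otherwise the event would be written to the database while the definition and `audit_event_types.md` say it is not. The spec stubs `Auditor.audit` entirely, so it cannot detect a mismatch either way; an example that runs the real auditor and asserts `expect { execute }.not_to change { AuditEvent.count }` would pin the intended behaviour.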
@@ -33,16 +29,18 @@ let(:service) { described_class.new(upstream_project, user) } before do - upstream_project.add_developer(user) - downstream_project.add_developer(user) stub_ci_pipeline_yaml_file(YAML.dump(rspec: { script: 'rspec' })) + allow(::Gitlab::Audit::Auditor).to receive(:audit) end subject(:execute) { service.execute(bridge) } context 'when multi project downstream pipeline is created ' do - before do - allow(::Gitlab::Audit::Auditor).to receive(:audit) + let_it_be(:downstream_project) { create(:project, :repository) } + + before_all do + upstream_project.add_developer(user) + downstream_project.add_developer(user) end it 'calls auditor with correct args' do @@ -65,10 +63,11 @@ end context 'when parent child project downstream pipeline is created ' do - let(:downstream_project) { upstream_project } + let_it_be(:downstream_project) { upstream_project } - before do - allow(::Gitlab::Audit::Auditor).to receive(:audit) + before_all do + upstream_project.add_developer(user) + downstream_project.add_developer(user) end it 'does not calls auditor' do -- GitLab From f6a8d6a95a8c1080b6dd6e643103af66f416b815 Mon Sep 17 00:00:00 2001 From: harsimarsandhu Date: Fri, 11 Oct 2024 16:01:49 +0530 Subject: [PATCH 04/10] Remove stream only keyword --- ee/app/services/ee/ci/create_downstream_pipeline_service.rb | 1 - ee/spec/services/ci/create_downstream_pipeline_service_spec.rb | 1 - 2 files changed, 2 deletions(-) diff --git a/ee/app/services/ee/ci/create_downstream_pipeline_service.rb b/ee/app/services/ee/ci/create_downstream_pipeline_service.rb index 0ecdc3e02ad2ff..1fbad8eea1c02b 100644 --- a/ee/app/services/ee/ci/create_downstream_pipeline_service.rb +++ b/ee/app/services/ee/ci/create_downstream_pipeline_service.rb 
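Review bot: Both contexts now carry the same `before_all` block, and in the parent-child context `downstream_project` is `upstream_project`, so `add_developer(user)` runs twice on the same project. Hoisting `upstream_project.add_developer(user)` into one top-level `before_all` and keeping only `downstream_project.add_developer(user)` in the multi-project context would remove the duplication. The second hunk on this line (`@@ -65,10 +63,11 @@`) has the same repetition.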
@@ -18,7 +18,6 @@ def log_audit_event(downstream_pipeline) scope: downstream_pipeline.project, target: downstream_pipeline, target_details: downstream_pipeline.id.to_s, - stream_only: true, message: "Multi-project downstream pipeline created.", additional_details: { upstream_root_pipeline_id: root_pipeline.id, diff --git a/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb index 4068fb8463124d..5b05c0206b7a98 100644 --- a/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb +++ b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb @@ -52,7 +52,6 @@ scope: pipeline.project, target: pipeline, target_details: pipeline.id.to_s, - stream_only: true, message: "Multi-project downstream pipeline created.", additional_details: { upstream_root_pipeline_id: upstream_pipeline.id, -- GitLab From d06a24d261ec2a3c4c4402a4b0e461e3bbe37e75 Mon Sep 17 00:00:00 2001 From: Harsimar Sandhu Date: Thu, 17 Oct 2024 09:58:50 +0000 Subject: [PATCH 05/10] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Sam Figueroa --- .../types/multi_project_downstream_pipeline_created.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml b/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml index f3f541f6f5ecd5..2016b7c961f2f1 100644 --- a/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml +++ b/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml @@ -4,7 +4,7 @@ description: Triggered when multi project downstream pipeline is created introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/481325 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164546 feature_category: continuous-integration -milestone: '17.5' +milestone: '17.6' saved_to_database: false streamed: true scope: [Project] -- GitLab 
From 5b7b3235ad40b896d01ac96bcc1c9f189966f593 Mon Sep 17 00:00:00 2001 From: harsimarsandhu Date: Thu, 17 Oct 2024 15:34:53 +0530 Subject: [PATCH 06/10] Update docs --- doc/user/compliance/audit_event_types.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 8faff98003a371..fa98beb9d88d6d 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md @@ -201,7 +201,7 @@ Audit event types belong to the following product categories. | Name | Description | Saved to database | Streamed | Introduced in | Scope | |:------------|:------------|:------------------|:---------|:--------------|:--------------| -| [`multi_project_downstream_pipeline_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164546) | Triggered when multi project downstream pipeline is created | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [17.5](https://gitlab.com/gitlab-org/gitlab/-/issues/481325) | Project | +| [`multi_project_downstream_pipeline_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164546) | Triggered when multi project downstream pipeline is created | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [17.6](https://gitlab.com/gitlab-org/gitlab/-/issues/481325) | Project | ### Continuous delivery -- GitLab From df8354560dda5dfea0d970be199640656e24b700 Mon Sep 17 00:00:00 2001 From: Harsimar Sandhu Date: Fri, 18 Oct 2024 00:16:51 +0000 Subject: [PATCH 07/10] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Stan Hu --- ee/app/services/ee/ci/create_downstream_pipeline_service.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/app/services/ee/ci/create_downstream_pipeline_service.rb b/ee/app/services/ee/ci/create_downstream_pipeline_service.rb index 1fbad8eea1c02b..6022b4ed3afd0f 100644 --- a/ee/app/services/ee/ci/create_downstream_pipeline_service.rb 
+++ b/ee/app/services/ee/ci/create_downstream_pipeline_service.rb @@ -21,7 +21,7 @@ def log_audit_event(downstream_pipeline) message: "Multi-project downstream pipeline created.", additional_details: { upstream_root_pipeline_id: root_pipeline.id, - upstream_root_project_path: root_pipeline.project.full_path + upstream_root_project_path: root_pipeline.project&.full_path } } -- GitLab From 88a60a23096cffe878d3eb0676e250462f06c169 Mon Sep 17 00:00:00 2001 From: harsimarsandhu Date: Tue, 22 Oct 2024 19:17:12 +0530 Subject: [PATCH 08/10] Rubocop fixes --- .../services/ci/create_downstream_pipeline_service_spec.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb index 5b05c0206b7a98..1886aadc42a7fb 100644 --- a/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb +++ b/ee/spec/services/ci/create_downstream_pipeline_service_spec.rb @@ -35,7 +35,7 @@ subject(:execute) { service.execute(bridge) } - context 'when multi project downstream pipeline is created ' do + context 'when multi project downstream pipeline is created' do let_it_be(:downstream_project) { create(:project, :repository) } before_all do @@ -61,7 +61,7 @@ end end - context 'when parent child project downstream pipeline is created ' do + context 'when parent child project downstream pipeline is created' do let_it_be(:downstream_project) { upstream_project } before_all do -- GitLab From 4a8db7392e5fda2b502e388a05f18b44b21792f9 Mon Sep 17 00:00:00 2001 From: Harsimar Sandhu Date: Thu, 24 Oct 2024 03:51:14 +0000 Subject: [PATCH 09/10] Apply 1 suggestion(s) to 1 file(s) Co-authored-by: Hitesh Raghuvanshi --- .../types/multi_project_downstream_pipeline_created.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
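Review bot: `root_pipeline.project&.full_path` avoids the `NoMethodError`, but when the project is missing the event is emitted with `upstream_root_project_path: nil`, leaving the record without any identifier for the originating project. Adding the foreign key alongside it, `upstream_root_project_id: root_pipeline.project_id`, would keep the event attributable in that case. `root_pipeline.id` on the line above is still dereferenced without a guard, so if `upstream_root` can return nil the method will still raise; that is worth confirming. `log_audit_event` begins and ends outside this hunk.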
diff --git a/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml b/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml index 2016b7c961f2f1..99520701504ac7 100644 --- a/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml +++ b/ee/config/audit_events/types/multi_project_downstream_pipeline_created.yml @@ -2,7 +2,7 @@ name: multi_project_downstream_pipeline_created description: Triggered when multi project downstream pipeline is created introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/481325 -introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164546 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168626 feature_category: continuous-integration milestone: '17.6' saved_to_database: false -- GitLab From a7b48557ca8eb2cf26d291cd495d72fdef30e05b Mon Sep 17 00:00:00 2001 From: harsimarsandhu Date: Thu, 24 Oct 2024 09:41:47 +0530 Subject: [PATCH 10/10] Update MR URL --- doc/user/compliance/audit_event_types.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index fa98beb9d88d6d..02ac911a8add47 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -201,7 +201,7 @@ Audit event types belong to the following product categories. | Name | Description | Saved to database | Streamed | Introduced in | Scope | |:------------|:------------|:------------------|:---------|:--------------|:--------------| -| [`multi_project_downstream_pipeline_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/164546) | Triggered when multi project downstream pipeline is created | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [17.6](https://gitlab.com/gitlab-org/gitlab/-/issues/481325) | Project | +| [`multi_project_downstream_pipeline_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/168626) | Triggered when multi project downstream pipeline is created | **{dotted-circle}** No | **{check-circle}** Yes | GitLab [17.6](https://gitlab.com/gitlab-org/gitlab/-/issues/481325) | Project | ### Continuous delivery -- GitLab