From d0e8e97f4bc275486eff055ebc7c68f12221dd14 Mon Sep 17 00:00:00 2001
From: nrosandich
Date: Mon, 16 Jun 2025 16:44:38 +1200
Subject: [PATCH 1/2] Audit creating an OAuth application
Changelog: added
EE: true
---
 .../types/oauth_application_created.yml | 10 +++++
 doc/user/compliance/audit_event_types.md | 1 +
 .../ee/applications/create_service.rb | 27 ++++++++----
 .../applications/create_service_spec.rb | 44 +++++++++++++++++--
 4 files changed, 71 insertions(+), 11 deletions(-)
 create mode 100644 config/audit_events/types/oauth_application_created.yml
diff --git a/config/audit_events/types/oauth_application_created.yml b/config/audit_events/types/oauth_application_created.yml
new file mode 100644
index 00000000000000..174e3fe82fb1dc
--- /dev/null
+++ b/config/audit_events/types/oauth_application_created.yml
@@ -0,0 +1,10 @@
+---
+name: oauth_application_created
+description: User creates an OAuth application
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/547847
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179187
+feature_category: authorization
+milestone: '18.2'
+saved_to_database: true
+streamed: true
+scope: [User]
diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md
index 90ecb8469049b5..81df15a20a07d4 100644
--- a/doc/user/compliance/audit_event_types.md
+++ b/doc/user/compliance/audit_event_types.md
@@ -103,6 +103,7 @@ Audit event types belong to the following product categories.
 | Type name | Event triggered when | Saved to database | Introduced in | Scope |
 |:----------|:---------------------|:------------------|:--------------|:------|
+| [`oauth_application_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179187) | User creates an OAuth application | {{< icon name="check-circle" >}} Yes | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/issues/547847) | User |
 | [`secure_ci_job_token_policies_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170930) | Permissions are updated for a CI_JOB_TOKEN scope | {{< icon name="check-circle" >}} Yes | GitLab [17.6](https://gitlab.com/gitlab-org/gitlab/-/issues/495144) | Project |
 | [`user_authorized_oauth_application`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179187) | User authorized an OAuth application | {{< icon name="check-circle" >}} Yes | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/514152) | User |
diff --git a/ee/app/services/ee/applications/create_service.rb b/ee/app/services/ee/applications/create_service.rb
index 1c4f10f633c5cb..8d7bd804d75278 100644
--- a/ee/app/services/ee/applications/create_service.rb
+++ b/ee/app/services/ee/applications/create_service.rb
@@ -24,17 +24,28 @@ def disable_ropc_available?
 override :execute
 def execute(request)
 super.tap do |application|
- entity = application.owner || current_user
- audit_event_service(entity, request.remote_ip).for_user(full_path: application.name, entity_id: application.id).security_event
+ audit_oauth_application_creation(application, request.remote_ip)
 end
 end
- def audit_event_service(entity, ip_address)
- ::AuditEventService.new(current_user,
- entity,
- action: :custom,
- custom_message: 'OAuth application added',
- ip_address: ip_address)
+ private
+
+ def audit_oauth_application_creation(application, ip_address)
+ entity = application.owner || current_user
+
+ ::Gitlab::Audit::Auditor.audit(
+ name: 'oauth_application_created',
+ author: current_user,
+ scope: entity,
+ target: application,
+ message: 'OAuth application added',
+ additional_details: {
+ application_name: application.name,
+ application_id: application.id,
+ scopes: application.scopes.to_a
+ },
+ ip_address: ip_address
+ )
 end
 end
 end
diff --git a/ee/spec/services/applications/create_service_spec.rb b/ee/spec/services/applications/create_service_spec.rb
index 21978de674b6f4..92258f38b59dc8 100644
--- a/ee/spec/services/applications/create_service_spec.rb
+++ b/ee/spec/services/applications/create_service_spec.rb
@@ -9,11 +9,15 @@
 let_it_be(:user) { create(:user) }
 let(:group) { create(:group) }
- let(:params) { attributes_for(:application, scopes: ['read_user']) }
+ let(:params) { attributes_for(:application, scopes: %w[read_user]) }
 subject(:service) { described_class.new(user, params) }
- describe '#audit_event_service' do
+ describe '#audit_oauth_application_creation' do
+ let(:application) { create(:application, owner: owner, scopes: %w[api read_user]) }
+ let(:ip_address) { '127.0.0.1' }
+ let(:owner) { nil }
+
 where(:case_name, :owner, :entity_type) do
 'instance application' | nil | 'User'
 'group application' | ref(:group) | 'Group'
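Review bot: `audit_oauth_application_creation` fires on whatever `super` yields, so if the CE `execute` (not visible here) returns the unsaved record when validation fails, an `oauth_application_created` event with `application_id: nil` is recorded for an application that was never created; guarding the block with `next unless application.persisted?` ties the event to an actual creation. The private helper also lacks a comment for the scope fallback, which a compliance reader will question; I'd add `# Instance-wide applications have no owner, so the creating user is the audit scope.` above `entity = application.owner || current_user`. If the application model carries a trusted or confidential flag, it is worth including in `additional_details`, since a trusted application skips user consent and is the attribute an auditor most wants to see. The enclosing `execute` override and the EE module start before this hunk.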
@@ -26,11 +30,45 @@
 params[:owner] = owner
 end
+ it 'creates audit event with correct parameters' do
+ expect(::Gitlab::Audit::Auditor).to receive(:audit).with(
+ name: 'oauth_application_created',
+ author: user,
+ scope: owner || user,
+ target: instance_of(::Doorkeeper::Application),
+ message: 'OAuth application added',
+ additional_details: hash_including(
+ application_name: anything,
+ application_id: anything,
+ scopes: %w[read_user]
+ ),
+ ip_address: test_request.remote_ip
+ )
+
+ service.execute(test_request)
+ end
+
 it 'creates AuditEvent with correct entity type' do
- expect { subject.execute(test_request) }.to change(AuditEvent, :count).by(1)
+ expect { service.execute(test_request) }.to change(AuditEvent, :count).by(1)
 expect(AuditEvent.last.entity_type).to eq(entity_type)
 end
 end
+
+ context 'when application has multiple scopes' do
+ let(:params) { attributes_for(:application, scopes: %w[api read_user read_repository]) }
+
+ it 'includes all scopes in audit details' do
+ expect(::Gitlab::Audit::Auditor).to receive(:audit).with(
+ hash_including(
+ additional_details: hash_including(
+ scopes: %w[api read_user read_repository]
+ )
+ )
+ )
+
+ service.execute(test_request)
+ end
+ end
 end
 context 'for ROPC' do
--
GitLab
From 364055fdfc36f9fc19d32aacc6d3be893e112489 Mon Sep 17 00:00:00 2001
From: nrosandich
Date: Thu, 19 Jun 2025 14:43:20 +1200
Subject: [PATCH 2/2] Add redirect and update links
---
 config/audit_events/types/oauth_application_created.yml | 4 ++--
 doc/user/compliance/audit_event_types.md | 2 +-
 ee/app/services/ee/applications/create_service.rb | 3 ++-
 ee/spec/services/applications/create_service_spec.rb | 4 ----
 4 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/config/audit_events/types/oauth_application_created.yml b/config/audit_events/types/oauth_application_created.yml
index 174e3fe82fb1dc..b4b8b1deb43bb4 100644
--- a/config/audit_events/types/oauth_application_created.yml
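Review bot: `application_name: anything` and `application_id: anything` in 'creates audit event with correct parameters' don't pin the values the service writes into `additional_details`, so logging the wrong name or a nil id would still pass; if `attributes_for(:application)` sets a name, `application_name: params[:name]` and `application_id: an_instance_of(Integer)` cost nothing and make the example check what its title claims. The `receive(:audit)` expectation also replaces the real call, so this example never persists an event and only the sibling example exercises that path; a one-line comment such as `# audit is stubbed here; persistence is covered by the entity-type example below` would save the next reader from wondering why both exist.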
+++ b/config/audit_events/types/oauth_application_created.yml
@@ -1,8 +1,8 @@
 ---
 name: oauth_application_created
 description: User creates an OAuth application
-introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/547847
-introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179187
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/550321
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194557
 feature_category: authorization
 milestone: '18.2'
 saved_to_database: true
diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md
index 81df15a20a07d4..a8e973448ebfa2 100644
--- a/doc/user/compliance/audit_event_types.md
+++ b/doc/user/compliance/audit_event_types.md
@@ -103,7 +103,7 @@ Audit event types belong to the following product categories.
 | Type name | Event triggered when | Saved to database | Introduced in | Scope |
 |:----------|:---------------------|:------------------|:--------------|:------|
-| [`oauth_application_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179187) | User creates an OAuth application | {{< icon name="check-circle" >}} Yes | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/issues/547847) | User |
+| [`oauth_application_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194557) | User creates an OAuth application | {{< icon name="check-circle" >}} Yes | GitLab [18.2](https://gitlab.com/gitlab-org/gitlab/-/issues/550321) | User |
 | [`secure_ci_job_token_policies_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/170930) | Permissions are updated for a CI_JOB_TOKEN scope | {{< icon name="check-circle" >}} Yes | GitLab [17.6](https://gitlab.com/gitlab-org/gitlab/-/issues/495144) | Project |
 | [`user_authorized_oauth_application`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179187) | User authorized an OAuth application | {{< icon name="check-circle" >}} Yes | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/514152) | User |
diff --git a/ee/app/services/ee/applications/create_service.rb b/ee/app/services/ee/applications/create_service.rb
index 8d7bd804d75278..4b6b5a56c075c5 100644
--- a/ee/app/services/ee/applications/create_service.rb
+++ b/ee/app/services/ee/applications/create_service.rb
@@ -42,7 +42,8 @@ def audit_oauth_application_creation(application, ip_address)
 additional_details: {
 application_name: application.name,
 application_id: application.id,
- scopes: application.scopes.to_a
+ scopes: application.scopes.to_a,
+ redirect_uri: application.redirect_uri[0, 100]
 },
 ip_address: ip_address
 )
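Review bot: `application.redirect_uri[0, 100]` on the new line raises `NoMethodError` when `redirect_uri` is nil, which can happen when Doorkeeper is configured to allow blank redirect URIs or when `super` yields a record that failed validation; `application.redirect_uri.to_s[0, 100]` is nil-safe. The 100-character cut is also undocumented and, because Doorkeeper keeps several redirect URIs newline-separated in this one column, it can silently drop every URI after the first, which is exactly the detail someone reviewing a suspicious application would want in the audit record; either explain the limit with `# truncated to keep the audit row small; the full value stays on the application record` or truncate per URI after splitting on newlines. The `audit(` call closes inside this hunk, but `audit_oauth_application_creation` begins before it and its `end` follows it.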
diff --git a/ee/spec/services/applications/create_service_spec.rb b/ee/spec/services/applications/create_service_spec.rb
index 92258f38b59dc8..aedc932e8b9764 100644
--- a/ee/spec/services/applications/create_service_spec.rb
+++ b/ee/spec/services/applications/create_service_spec.rb
@@ -14,10 +14,6 @@
 subject(:service) { described_class.new(user, params) }
 describe '#audit_oauth_application_creation' do
- let(:application) { create(:application, owner: owner, scopes: %w[api read_user]) }
- let(:ip_address) { '127.0.0.1' }
- let(:owner) { nil }
-
 where(:case_name, :owner, :entity_type) do
 'instance application' | nil | 'User'
 'group application' | ref(:group) | 'Group'
--
GitLab