diff --git a/app/controllers/groups/settings/ci_cd_controller.rb b/app/controllers/groups/settings/ci_cd_controller.rb
index 875c2d521e2a8313256cc2a1df054e527740e169..f32adc6b05782f8d473afeaf4029032dcaeda369 100644
--- a/app/controllers/groups/settings/ci_cd_controller.rb
+++ b/app/controllers/groups/settings/ci_cd_controller.rb
@@ -23,6 +23,8 @@ class CiCdController < Groups::ApplicationController
 def show
 @entity = :group
 @variable_limit = ::Plan.default.actual_limits.group_ci_variables
+
+ audit_group_cicd_settings_access
 end
 
 def update
@@ -51,6 +53,24 @@ def update_auto_devops
 
 private
 
+ def audit_group_cicd_settings_access
+ audit_context = {
+ name: 'group_ci_cd_settings_accessed',
+ author: current_user,
+ scope: group,
+ target: group,
+ message: 'User accessed CI/CD settings for a group',
+ additional_details: {
+ group_path: group.full_path,
+ group_id: group.id,
+ timestamp: Time.current.iso8601,
+ action: 'group_ci_cd_settings_page_viewed'
+ }
+ }
+
+ ::Gitlab::Audit::Auditor.audit(audit_context)
+ end
+
 def authorize_show_cicd_settings!
 return if can_any?(current_user, [
 :admin_cicd_variables,
diff --git a/app/controllers/projects/settings/ci_cd_controller.rb b/app/controllers/projects/settings/ci_cd_controller.rb
index 778d4d276df45ec4de358d8ea231a95381d9d820..6ca167d1b69eaa93c808084bf31229067812bba0 100644
--- a/app/controllers/projects/settings/ci_cd_controller.rb
+++ b/app/controllers/projects/settings/ci_cd_controller.rb
@@ -36,6 +36,8 @@ def show
 
 @triggers_json = Gitlab::Json.dump(triggers)
 
+ audit_project_cicd_settings_access
+
 render
 end
 
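Review bot: `audit_group_cicd_settings_access` in the `@@ -51,6 +53,24 @@` hunk records no requester IP, while the project-side event added in the same change carries `ip_address: request.remote_ip`, so the two access events for the same kind of action end up with different detail schemas for anyone consuming the stream; add `ip_address: request.remote_ip,` to `additional_details` here (or drop it from the project event) so the shape is uniform. The `timestamp: Time.current.iso8601` and `action:` entries look redundant with what the audit framework already carries as the event's creation time and `name` — worth confirming against `::Gitlab::Audit::Auditor` before keeping them. Emitting the event at the end of `show`, after the settings data is loaded, means it only fires once the request has passed authorization, which is the right place for an access-log event, assuming `authorize_show_cicd_settings!` is wired up as a `before_action` outside this hunk. The enclosing class starts and ends outside the hunk.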
@@ -100,6 +102,25 @@ def export_job_token_authorizations
 
 private
 
+ def audit_project_cicd_settings_access
+ audit_context = {
+ name: 'project_ci_cd_settings_accessed',
+ author: current_user,
+ scope: project,
+ target: project,
+ message: 'User accessed CI/CD settings for project',
+ additional_details: {
+ project_path: project.full_path,
+ project_id: project.id,
+ ip_address: request.remote_ip,
+ timestamp: Time.current.iso8601,
+ action: 'project_ci_cd_settings_page_viewed'
+ }
+ }
+
+ ::Gitlab::Audit::Auditor.audit(audit_context)
+ end
+
 def authorize_reset_cache!
 return if can_any?(current_user, [
 :admin_pipeline,
diff --git a/config/audit_events/types/group_ci_cd_settings_accessed.yml b/config/audit_events/types/group_ci_cd_settings_accessed.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0b6c94ad68503f50bcde118e5e0aa2ec0d80495d
--- /dev/null
+++ b/config/audit_events/types/group_ci_cd_settings_accessed.yml
@@ -0,0 +1,10 @@
+---
+name: group_ci_cd_settings_accessed
+description: Log an audit event when a user loads the CI/CD Settings page of a group.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/555959
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203540
+feature_category: ci_variables
+milestone: '18.4'
+saved_to_database: false
+streamed: true
+scope: [Group]
diff --git a/config/audit_events/types/project_ci_cd_settings_accessed.yml b/config/audit_events/types/project_ci_cd_settings_accessed.yml
new file mode 100644
index 0000000000000000000000000000000000000000..488dd613f17552da160d439f3d167515c810df49
--- /dev/null
+++ b/config/audit_events/types/project_ci_cd_settings_accessed.yml
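Review bot: `ip_address: request.remote_ip` in `audit_project_cicd_settings_access` stores a value that Rails derives from `X-Forwarded-For` whenever the deployment's trusted-proxy list does not cover every hop in front of the app, so the audited IP can be whatever the client chose to send rather than where the request came from. If the audit framework already attaches a client IP to every event from the request context, this field duplicates it with a weaker source and should be removed; if it does not, take the IP from the same place the framework uses so the two never disagree in an investigation. A one-line comment on that key, `# remote_ip honours X-Forwarded-For only from configured trusted proxies`, would at least make the assumption visible to whoever reads the stream. The enclosing class starts and ends outside the hunk.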
@@ -0,0 +1,10 @@
+---
+name: project_ci_cd_settings_accessed
+description: Log an audit event when a user loads the CI/CD Settings page of a project.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/555959
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203540
+feature_category: ci_variables
+milestone: '18.4'
+saved_to_database: false
+streamed: true
+scope: [Project]
diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md
index 538e1a676a37c297acca9aa2aa8d8f3fb4d559cf..06cc564dfaab64ea24e24878db31049538a7dc75 100644
--- a/doc/user/compliance/audit_event_types.md
+++ b/doc/user/compliance/audit_event_types.md
@@ -124,6 +124,8 @@ Audit event types belong to the following product categories.
 
 | Type name | Event triggered when | Saved to database | Introduced in | Scope |
 |:----------|:---------------------|:------------------|:--------------|:------|
 | [`variable_viewed_api`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197385) | A CI/CD variable is accessed with the API | {{< icon name="dotted-circle" >}} No | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/555960) | Project, Group |
+| [`group_ci_cd_settings_accessed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203540) | Log an audit event when a user loads the CI/CD Settings page of a group. | {{< icon name="dotted-circle" >}} No | GitLab [18.4](https://gitlab.com/gitlab-org/gitlab/-/issues/555959) | Group |
+| [`project_ci_cd_settings_accessed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203540) | Log an audit event when a user loads the CI/CD Settings page of a project. | {{< icon name="dotted-circle" >}} No | GitLab [18.4](https://gitlab.com/gitlab-org/gitlab/-/issues/555959) | Project |
 
 ### Code review
diff --git a/spec/controllers/groups/settings/ci_cd_controller_spec.rb b/spec/controllers/groups/settings/ci_cd_controller_spec.rb
index 20a04c59bcfcc2fa49f792b7d0434df80ab55163..45939720e4336aac3dec9b2a38513ae66e0e539f 100644
--- a/spec/controllers/groups/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/groups/settings/ci_cd_controller_spec.rb
@@ -50,6 +50,31 @@
 expect(response).to have_gitlab_http_status(:ok)
 end
 end
+
+ context 'when accessing CI/CD Settings page for a group' do
+ before do
+ enable_external_authorization_service_check
+ group.add_owner(user)
+ end
+
+ it 'creates a streaming audit event' do
+ expect(::Gitlab::Audit::Auditor).to receive(:audit).with({
+ name: 'group_ci_cd_settings_accessed',
+ author: user,
+ scope: group,
+ target: group,
+ message: 'User accessed CI/CD settings for a group',
+ additional_details: hash_including(
+ group_path: group.full_path,
+ group_id: group.id,
+ timestamp: kind_of(String),
+ action: 'group_ci_cd_settings_page_viewed'
+ )
+ })
+
+ get :show, params: { group_id: group }
+ end
+ end
 end
 
 describe 'PATCH #update_auto_devops' do
diff --git a/spec/controllers/projects/settings/ci_cd_controller_spec.rb b/spec/controllers/projects/settings/ci_cd_controller_spec.rb
index e1ef738b240cb1708587b85ddf0769e5a966acc4..be15427d52d94c693f69bf807048d6cc76f1853a 100644
--- a/spec/controllers/projects/settings/ci_cd_controller_spec.rb
+++ b/spec/controllers/projects/settings/ci_cd_controller_spec.rb
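Review bot: The new `context 'when accessing CI/CD Settings page for a group'` only covers the owner path; nothing asserts that a user who is refused the page (the `:not_found`/`:ok` cases the surrounding examples already exercise) produces no `group_ci_cd_settings_accessed` event, which is the property that keeps the access log from being polluted by probes. A second example for a non-member or guest with `expect(::Gitlab::Audit::Auditor).not_to receive(:audit)` before the `get :show` would pin that down. The `enable_external_authorization_service_check` call in the `before` block has no visible relation to the audit behaviour being tested and looks carried over from a neighbouring context; drop it unless the event genuinely depends on it. The enclosing `describe` block starts and ends outside the hunk.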
@@ -142,6 +142,27 @@ def show
 expect(response).to have_gitlab_http_status(:not_found)
 end
 end
+
+ context 'when accessing CI/CD Settings page for a project' do
+ it 'creates a streaming audit event' do
+ expect(::Gitlab::Audit::Auditor).to receive(:audit).with({
+ name: 'project_ci_cd_settings_accessed',
+ author: user,
+ scope: project,
+ target: project,
+ message: 'User accessed CI/CD settings for project',
+ additional_details: hash_including(
+ project_path: project.full_path,
+ project_id: project.id,
+ ip_address: '0.0.0.0',
+ timestamp: kind_of(String),
+ action: 'project_ci_cd_settings_page_viewed'
+ )
+ })
+
+ get :show, params: { namespace_id: project.namespace, project_id: project }
+ end
+ end
 end
 
 describe 'POST reset_cache' do
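Review bot: `ip_address: '0.0.0.0'` in the `hash_including` matcher pins the controller-test default address, so the example passes without showing which request attribute the controller actually audits or how a forwarded header affects it. Setting `request.env['REMOTE_ADDR'] = '203.0.113.5'` before the `get :show` and expecting that value (and, in a second example, a spoofed `HTTP_X_FORWARDED_FOR` that must not override it) would turn the assertion into a real check on the audited source IP. The example also relies on whatever role the outer context gives `user`, which is not visible in this hunk; a short comment naming the expected role would help the next reader. The enclosing `describe` block starts and ends outside the hunk.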