
Allow deploy tokens to stream Git audit events via shellhorse

What does this MR do and why?

This MR enables deploy tokens to stream Git audit events via the /shellhorse API by extending the authentication mechanism to properly handle deploy token identification in Git over HTTP operations.

Key changes:

  • Modified GitAuditEvent to accept deploy tokens as valid actors alongside users.
  • Updated the shellhorse API to accept and process the deploy_token_id parameter.
  • Enhanced Workhorse to include GLDeployTokenID in responses when audit events are needed.
  • Refactored validation logic to check for either user presence or deploy token authentication.

This ensures that Git operations performed using deploy tokens are properly audited, maintaining security compliance for automated deployments and CI/CD workflows.

References

How to set up and validate locally

  1. Enable the feature flag in the Rails console:

    Feature.enable(:log_git_streaming_audit_events)

  2. Set up the audit event streaming for HTTP destination (https://docs.gitlab.com/user/compliance/audit_event_streaming/#add-a-new-http-destination). You can use https://webhook.site for this purpose.

  3. Create a deploy token for a project (https://docs.gitlab.com/user/project/deploy_tokens/#create-a-deploy-token).

  4. Perform a Git operation using the deploy token over HTTP:

    git clone https://gitlab+deploy-token-1:TOKEN@gitlab.com/your-group/your-project.git
    # or
    git push https://gitlab+deploy-token-1:TOKEN@gitlab.com/your-group/your-project.git

  5. Check https://webhook.site. The Git stream audit event should be created and the verb field included. gdk tail workhorse should not show an error like the following:

2025-09-05_03:44:57.11685 gitlab-workhorse      : {"action":"git-upload-pack","correlation_id":"01K4BZMC30CEDZJPKFBHTCG4NP","error":"SendGitAuditEvent: response status: 404 Not Found","level":"error","msg":"failed to send git audit event","repo":"project-5","time":"2025-09-04T23:44:57-04:00","username":"deploy-test-with-ff"}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #562516

Edited by Javiera Tapia
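
For step 5 of the validation procedure, one way to scan Workhorse log output for failed audit event deliveries instead of reading it by eye. This is an added example, not code from the MR or from GitLab; `audit_event_failures` and the constant names are hypothetical, and every sample line except the first (the error quoted in step 5) is constructed.

```ruby
require 'json'

# Sample `gdk tail workhorse` output. The first line is the error quoted in
# step 5; the other two lines are constructed for this example.
SAMPLE_LOG = <<~'LOG'
  2025-09-05_03:44:57.11685 gitlab-workhorse      : {"action":"git-upload-pack","correlation_id":"01K4BZMC30CEDZJPKFBHTCG4NP","error":"SendGitAuditEvent: response status: 404 Not Found","level":"error","msg":"failed to send git audit event","repo":"project-5","time":"2025-09-04T23:44:57-04:00","username":"deploy-test-with-ff"}
  2025-09-05_03:45:10.00001 gitlab-workhorse      : {"level":"info","msg":"constructed unrelated entry"}
  2025-09-05_03:45:12.00002 gitlab-workhorse      : {truncated constructed line
LOG

AUDIT_FAILURE_MSG = 'failed to send git audit event'

# Returns one hash per failed audit event delivery found in the log text.
def audit_event_failures(log_text)
  log_text.each_line.filter_map do |line|
    # The JSON payload follows the "<timestamp> <service> : " prefix.
    brace = line.index('{')
    next unless brace

    begin
      entry = JSON.parse(line[brace..])
    rescue JSON::ParserError
      next # not a structured log entry, ignore it
    end
    next unless entry.is_a?(Hash) && entry['msg'] == AUDIT_FAILURE_MSG

    {
      # HTTP status returned to Workhorse when it posted the event, if present.
      status: entry['error'].to_s[/response status: (\d{3})/, 1]&.to_i,
      action: entry['action'],
      repo: entry['repo'],
      username: entry['username'],
      correlation_id: entry['correlation_id']
    }
  end
end

# An empty result means no Git operation in the log went unaudited.
audit_event_failures(SAMPLE_LOG).each do |f|
  puts "audit event not delivered: #{f[:action]} on #{f[:repo]} by #{f[:username]} " \
       "(status #{f[:status]}, correlation_id #{f[:correlation_id]})"
end
```

The `correlation_id` of each hit can be used to find the matching Rails log entries for the rejected request.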
