Call git_audit_event during git pull/clone if needed
Rationale
This MR succeeds !766 (closed) due to JiHu's personnel changes.
This MR resolves gitlab#384960, to distinguish git clone/pull in the streaming audit event.
sequenceDiagram
User->>+GitLabShell: git clone or pull (SSH)
GitLabShell->>Rails: request /allowed
Rails->>GitLabShell: authentication info (need an audit?)
GitLabShell->>Gitaly: UploadPackWithSidechannel
Gitaly->>GitLabShell: UploadPackWithSidechannelResponse(stats={Wants=9, Haves=0, ...})
GitLabShell-->>Rails: Report audit event if needed
GitLabShell->>-User: Return
Gitlab-shell requests /api/v4/internal/shellhorse/git_audit_event, which depends on:
How to set up and validate locally
- Start GDK, making sure that the versions of GitLab Shell include this change. Rails should be running in Self-hosted mode with instances having an Ultimate license.
- Run Feature.enable(:log_git_streaming_audit_events) in the Rails console.
- Create a new workflow in Pipedream. Create a single HTTP trigger for this workflow.
- According to the Audit event streaming documentation, enter the address of the Pipedream workflow into a web page addressed like http://localhost:3000/groups/flightjs/-/audit_events?tab=streams.
- Trigger clone and pull separately using the http and ssh protocols. Check Pipedream's invocation logs.
Note that during the testing process, you may need to generate some commits on the web interface to ensure that the pull operation fetches the actual content.
Edited by LI Zhennan
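The flow in the sequence diagram above, sketched as an added Go example; it is not GitLab Shell's code and not part of the original description. The clone/pull heuristic on the Wants/Haves counters, the JSON field names, and the stub Rails server are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// classify is an assumed heuristic: no wants = nothing served, wants without haves = clone.
func classify(wants, haves int) string {
	switch {
	case wants == 0:
		return ""
	case haves == 0:
		return "clone"
	}
	return "pull"
}

// reportIfNeeded posts an event only when /allowed asked for an audit and data was served.
// JSON field names are hypothetical; authentication of the internal API call is omitted.
func reportIfNeeded(rails string, needAudit bool, wants, haves int) (bool, error) {
	action := classify(wants, haves)
	if !needAudit || action == "" {
		return false, nil
	}
	body, _ := json.Marshal(map[string]any{"action": action, "wants": wants, "haves": haves})
	resp, err := http.Post(rails+"/api/v4/internal/shellhorse/git_audit_event", "application/json", bytes.NewReader(body))
	if err != nil {
		return false, err // the transfer already happened, so surface this to the caller
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// observe runs one constructed session against a stub Rails and returns the action it received.
func observe(needAudit bool, wants, haves int) (got string) {
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		var ev struct{ Action string }
		json.NewDecoder(r.Body).Decode(&ev)
		got = ev.Action
	}))
	defer srv.Close()
	reportIfNeeded(srv.URL, needAudit, wants, haves)
	return got
}

func main() { fmt.Println(observe(true, 9, 0), observe(true, 2, 5)) }
```

A pull that is already up to date sends no wants, so under this heuristic it produces no event, which matches the note above about generating commits before testing pull.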