500 when viewing audit logs for releases created through API
Summary
When a release is created through the API, a "release created" audit event is logged.
Viewing that event on the admin/audit_logs page, however, returns a 500.
Initially encountered by a Large Premium customer in ZD (internal-only)
Steps to reproduce
- Have a gitlab-ee test instance with admin access
- Create a project, and a Personal Access Token (PAT) for the API
- Create a release:
curl -H "PRIVATE-TOKEN: $token" "https://$instance/api/v4/projects/1/releases" -i --data "tag_name=1.0&ref=master"
- Browse the admin page at /admin/audit_logs and notice the 500.
What is the current bug behavior?
The audit event can't be parsed and a 500 error is thrown in the admin page.
What is the expected correct behavior?
The audit event should be correctly displayed.
Relevant logs and/or screenshots
{"method":"GET","path":"/admin/audit_logs","format":"html","controller":"Admin::AuditLogsController","action":"index","status":500,"duration":79.26,"view":0.0,"db":7.84,"time":"2020-04-21T13:46:30.705Z","params":[],"remote_ip":"127.0.0.1","user_id":1,"username":"root","ua":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36","queue_duration":3.1,"redis_calls":7,"redis_duration_ms":1.48,"correlation_id":"1QEPoeXkfE9","cpu_s":0.08218736000003446,"exception.class":"ActionView::Template::Error","exception.message":"undefined method `strip' for :custom:Symbol","exception.backtrace":["ee/app/views/admin/audit_logs/index.html.haml:75","ee/app/views/admin/audit_logs/index.html.haml:63:in `each'","ee/app/views/admin/audit_logs/index.html.haml:63","app/controllers/application_controller.rb:125:in `render'","ee/lib/gitlab/ip_address_state.rb:10:in `with'","ee/app/controllers/ee/application_controller.rb:43:in `set_current_ip_address'","app/controllers/application_controller.rb:479:in `set_current_admin'","lib/gitlab/session.rb:11:in `with_session'","app/controllers/application_controller.rb:470:in `set_session_storage'","app/controllers/application_controller.rb:464:in `set_locale'","lib/gitlab/error_tracking.rb:34:in `with_context'","app/controllers/application_controller.rb:555:in `sentry_context'","lib/gitlab/application_context.rb:48:in `block in use'","lib/gitlab/application_context.rb:48:in `use'","lib/gitlab/application_context.rb:20:in `with_context'","app/controllers/application_controller.rb:455:in `set_current_context'","ee/lib/gitlab/jira/middleware.rb:19:in `call'"]}
Possible fixes
This happens because Audit::Details#humanize will try to use the first key in the details object - however for custom messages related to the release API, it will be a symbol instead of a string (:action: instead of :custom_message) since the object looks like:
{
:action=>:custom,
:custom_message=>"Created Release 1.0",
:ip_address=>"127.0.0.1",
:target_id=>1,
:target_type=>"Release",
:target_details=>"1.0",
:entity_path=>"root/test-project"
}
Maybe we should change that method to look for details[:custom_message] instead of details.each_value.first? Not sure how that affects other types of events though.
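The failure and the suggested lookup, as an added example that is not GitLab's Audit::Details code: the method names are hypothetical stand-ins, and the second details hash is a constructed sample. It goes one step past the suggestion by falling back to the first value, coerced to a string, so events without a custom message still render.

```ruby
# Added illustration; not GitLab's implementation. Method names are hypothetical.

# Details hash as shown in the issue (release created through the API).
RELEASE_DETAILS = {
  action: :custom,
  custom_message: "Created Release 1.0",
  ip_address: "127.0.0.1",
  target_id: 1,
  target_type: "Release",
  target_details: "1.0",
  entity_path: "root/test-project"
}.freeze

# Constructed sample: an event whose first value is already a String.
STRING_FIRST_DETAILS = { change: " visibility ", from: "private", to: "public" }.freeze

# Simplified stand-in for the failing behaviour: take the first value and call
# String#strip on it. Raises NoMethodError when that value is a Symbol.
def humanize_first_value(details)
  details.each_value.first.strip
end

# Lookup suggested in the issue: prefer :custom_message when present, otherwise
# fall back to the first value. to_s keeps a Symbol or Integer from raising
# inside the view, so one odd event cannot take down the whole audit log page.
def humanize_safe(details)
  message = details[:custom_message] || details.each_value.first
  message.to_s.strip
end

# True when the first-value approach fails the way the log in the issue shows.
def raises_no_method_error?(details)
  humanize_first_value(details)
  false
rescue NoMethodError
  true
end

puts raises_no_method_error?(RELEASE_DETAILS)
puts humanize_safe(RELEASE_DETAILS)
puts humanize_safe(STRING_FIRST_DETAILS)
```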