Add projects_ids to set_runner_associated_projects audit event

What does this MR do and why?

Add projects_ids to set_runner_associated_projects audit event

This may be helpful during debugging.

Screenshots or screen recordings

The mutation which uses that service is not yet used in the UI, and the additional details are not shown anywhere. The only way to access them is through the Rails/database console.

The purpose of this MR is to make it easier to debug potential security incidents. See more in https://gitlab.com/gitlab-org/gitlab/-/issues/409981

How to set up and validate locally

  1. Create a project runner.

  2. Add this runner to another project using GraphQL:

    mutation runnerUpdate($input: RunnerUpdateInput!) {
      runnerUpdate(input: $input) {
        runner {
          id
          projects(membership: true) {
            nodes {
              id
            }
          }
        }
      }
    }

    Variables (edit with the correct IDs):

    {
      "input": {
        "id": "gid://gitlab/Ci::Runner/2",
        "associatedProjects": [
          "gid://gitlab/Project/20",
          "gid://gitlab/Project/21",
          "gid://gitlab/Project/24"
        ]
      }
    }

  3. Access the Rails console:

    [1] pry(main)> AuditEvent.last
      AuditEvent Load (3.1ms)  SELECT "audit_events".* FROM "audit_events" ORDER BY "audit_events"."id" DESC LIMIT 1 /*application:console,db_config_name:main,console_hostname:Vladimirs-MacBook-Pro.local,console_username:vlad,line:(pry):1:in `__pry__'*/
    => #<AuditEvent:0x000000013e11dd40
     id: 93,
     author_id: 1,
     entity_id: 1,
     entity_type: "User",
     details:
      {:action=>:custom,
       :project_ids=>[20, 21, 24],
       :author_name=>"Administrator",
       :author_class=>"User",
       :target_id=>2,
       :target_type=>"Ci::Runner",
       :target_details=>"/root/main/-/runners/2",
       :custom_message=>"Changed CI runner project assignments",
       :ip_address=>"172.16.123.1",
       :entity_path=>"root"},
     ip_address: #<IPAddr: IPv4:172.16.123.1/255.255.255.255>,
     author_name: "Administrator",
     entity_path: "root",
     target_details: "/root/main/-/runners/2",
     created_at: Tue, 23 May 2023 10:54:19.086165000 UTC +00:00,
     target_type: "Ci::Runner",
     target_id: 2>

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Pedro Pombeiro
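
As an added example (not part of this MR or of GitLab's code), the Ruby sketch below shows how the new `project_ids` detail can be used during an investigation: it diffs successive events per runner to report which projects a runner gained or lost, and who made the change from which IP. It assumes each event's `project_ids` is the full list set by that change; the hashes are constructed to mirror the `details` shape in the console output above, and `ev` and `runner_assignment_changes` are hypothetical helper names.

```ruby
require 'set'

MESSAGE = 'Changed CI runner project assignments' # custom_message shown on the page

# Constructed sample data: id 93 mirrors the console output above, the rest is invented.
def ev(id, runner_id, project_ids, author = 'Administrator', ip = '172.16.123.1', message = MESSAGE)
  details = { custom_message: message, target_type: 'Ci::Runner', target_id: runner_id,
              author_name: author, ip_address: ip }
  details[:project_ids] = project_ids unless project_ids.nil?
  { id: id, details: details }
end

SAMPLE_EVENTS = [
  ev(90, 2, nil), # event recorded without project_ids
  ev(93, 2, [20, 21, 24]),
  ev(95, 2, [20], 'Administrator', '172.16.123.1', 'Some other custom event'),
  ev(97, 2, [20, 24, 31], 'dev-user', '203.0.113.7'),
  ev(99, 5, [20])
].freeze

# Returns one record per assignment event that carries project_ids, with the
# projects the runner gained or lost relative to the previous such event.
def runner_assignment_changes(events)
  last_seen = {}
  events.sort_by { |e| e[:id] }.each_with_object([]) do |event, out|
    d = event[:details]
    next unless d[:target_type] == 'Ci::Runner' && d[:custom_message] == MESSAGE

    runner = d[:target_id]
    unless d.key?(:project_ids)
      last_seen.delete(runner) # unknown state: the next event becomes a new baseline
      next
    end

    current = d[:project_ids].to_set
    before = last_seen[runner]
    last_seen[runner] = current
    out << { event_id: event[:id], runner_id: runner, author: d[:author_name],
             ip: d[:ip_address], baseline: before.nil?,
             added: (current - (before || Set.new)).sort,
             removed: ((before || Set.new) - current).sort }
  end
end

if __FILE__ == $PROGRAM_NAME
  runner_assignment_changes(SAMPLE_EVENTS).each { |change| puts change.inspect }
end
```

Records with `baseline: true` have no earlier known state to compare against, so their `added` list is the whole assignment rather than a delta.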
