Add projects_ids to set_runner_associated_projects audit event
What does this MR do and why?
Add projects_ids to set_runner_associated_projects audit event
This may be helpful during debugging.
Screenshots or screen recordings
The mutation which uses that service is not yet used in the UI, and the additional details are not shown anywhere. The only way to access them is through the rails/database console.
The purpose of this MR is to make it easier to debug potential security incidents. See more in https://gitlab.com/gitlab-org/gitlab/-/issues/409981+
How to set up and validate locally
- Create project runner
- Add this runner to another project using graphql:

```graphql
mutation runnerUpdate($input: RunnerUpdateInput!) {
  runnerUpdate(input: $input) {
    runner {
      id
      projects(membership: true) {
        nodes {
          id
        }
      }
    }
  }
}
```

variables (edit with correct IDs):

```json
{
  "input": {
    "id": "gid://gitlab/Ci::Runner/2",
    "associatedProjects": [
      "gid://gitlab/Project/20",
      "gid://gitlab/Project/21",
      "gid://gitlab/Project/24"
    ]
  }
}
```

- Access rails console:

```
[1] pry(main)> AuditEvent.last
  AuditEvent Load (3.1ms)  SELECT "audit_events".* FROM "audit_events" ORDER BY "audit_events"."id" DESC LIMIT 1 /*application:console,db_config_name:main,console_hostname:Vladimirs-MacBook-Pro.local,console_username:vlad,line:(pry):1:in `__pry__'*/
=> #<AuditEvent:0x000000013e11dd40
 id: 93,
 author_id: 1,
 entity_id: 1,
 entity_type: "User",
 details:
  {:action=>:custom,
   :project_ids=>[20, 21, 24],
   :author_name=>"Administrator",
   :author_class=>"User",
   :target_id=>2,
   :target_type=>"Ci::Runner",
   :target_details=>"/root/main/-/runners/2",
   :custom_message=>"Changed CI runner project assignments",
   :ip_address=>"172.16.123.1",
   :entity_path=>"root"},
 ip_address: #<IPAddr: IPv4:172.16.123.1/255.255.255.255>,
 author_name: "Administrator",
 entity_path: "root",
 target_details: "/root/main/-/runners/2",
 created_at: Tue, 23 May 2023 10:54:19.086165000 UTC +00:00,
 target_type: "Ci::Runner",
 target_id: 2>
```
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Pedro Pombeiro
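
An added example, not part of this MR or of GitLab's code: one way an investigator could use the new `project_ids` detail to reconstruct which projects each runner assignment change added or removed. The helper names and sample records are hypothetical, and it assumes `project_ids` holds the full list passed in that change, as in the record above.

```ruby
require "set"

RUNNER_MESSAGE = "Changed CI runner project assignments"

# Builds one constructed record shaped like the AuditEvent shown above
# (IDs and authors are sample values, not real data).
def sample_event(id, author, runner_id, project_ids = nil)
  details = { custom_message: RUNNER_MESSAGE, target_type: "Ci::Runner", target_id: runner_id }
  details[:project_ids] = project_ids if project_ids
  { id: id, author_name: author, details: details }
end

SAMPLE_EVENTS = [
  sample_event(90, "Administrator", 2),                # older record without project_ids
  sample_event(93, "Administrator", 2, [20, 21, 24]),
  sample_event(97, "dev1", 2, [20, 24, 30]),
  { id: 98, author_name: "dev1",                       # constructed unrelated event
    details: { custom_message: "Some unrelated event", target_type: "Project", target_id: 30 } },
  sample_event(99, "dev2", 5, [30])
].freeze

# Hypothetical helper: walks events oldest-first and reports, per runner, which
# project IDs each change added or removed relative to the previous recorded list.
def runner_assignment_changes(events)
  previous = {}
  events.sort_by { |e| e[:id] }.filter_map do |event|
    d = event[:details]
    next unless d[:target_type] == "Ci::Runner" && d[:custom_message] == RUNNER_MESSAGE

    unless d[:project_ids].is_a?(Array)
      previous.delete(d[:target_id]) # unknown state: the next event becomes a new baseline
      next
    end
    current = d[:project_ids].to_set
    before = previous[d[:target_id]]
    previous[d[:target_id]] = current
    { event_id: event[:id], runner_id: d[:target_id], author: event[:author_name],
      baseline: before.nil?,
      added: before ? (current - before).sort : current.sort,
      removed: before ? (before - current).sort : [] }
  end
end

# Hypothetical helper: changes in which a runner was assigned to the given project.
def events_adding_project(events, project_id)
  runner_assignment_changes(events).select { |c| c[:added].include?(project_id) }
end
```
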