Update audit event to include policies when CI allowlist is deleted
What does this MR do and why?
- Follows from !167872 (merged)
- Updates the existing allowlist add/remove audit events to store which job token permissions were attached to the allowlist entry.
- Also adds missing unit tests, per #498831
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
1. Ensure that you are on an Ultimate subscription, and enable the feature flag in the Rails console:

    Feature.enable(:add_policies_to_ci_job_token)

2. Navigate to the GraphQL explorer:

    /-/graphql-explorer

3. Create an allowlist with a project as the target, using the following query:

    mutation {
      ciJobTokenScopeAddGroupOrProject(input: {
        projectPath: "flightjs/Flight",
        targetPath: "gitlab-org/gitlab-test",
        jobTokenPolicies: [READ_PROJECT, READ_PACKAGE]
      }) {
        errors
      }
    }

4. As an admin, navigate to audit events:

    /admin/audit_logs

5. Repeat steps 3 and 4 to check that the audit events are created when creating an allowlist with a group as the target, and when deleting both allowlists:

    mutation {
      ciJobTokenScopeAddGroupOrProject(input: {
        projectPath: "flightjs/Flight",
        targetPath: "gitlab-org",
        jobTokenPolicies: [READ_GROUP, READ_PROJECT]
      }) {
        errors
      }
    }

    mutation {
      ciJobTokenScopeRemoveProject(input: {
        projectPath: "flightjs/Flight",
        targetProjectPath: "gitlab-org/gitlab-test",
        direction: INBOUND
      }) {
        errors
      }
    }

    mutation {
      ciJobTokenScopeRemoveGroup(input: {
        projectPath: "flightjs/Flight",
        targetGroupPath: "gitlab-org"
      }) {
        errors
      }
    }

Related to #495144
Edited by Hinam Mehra