Authentication type in audit events: Deploy keys
What does this MR do and why?
This MR addresses Authentication type in audit events: Deploy keys. Specifically, adding the following changes:
- Adding a new field author_class to the audit event structure that indicates the source of the event, e.g. "User" did X, "Deploy Key" did X, "Deploy Token" did X, etc.
- Adding a new NullAuthor class as a DeployKeyAuthor to indicate that audit_event.author_id == -3 originated from a Deploy Key. This is the same as how we approached the DeployToken authentication type.
- This change is behind the audit_event_streaming_git_operations_deploy_key_event feature flag, which is disabled by default.
Screenshots or screen recordings
Event: SSH Git clone event (with Deploy key)
Previous payload
{
"id": 1658815236,
"author_id": 45,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "shinya maeda",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "ssh",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "shinya maeda",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T06:00:36.970Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
New payload
{
"id": 1658814233,
"author_id": -3,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "dep-key-test",
"author_class": "DeployKey",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "ssh",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "dep-key-test",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T05:43:53.662Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
Event: SSH Git clone event (with personal SSH key)
Previous payload
{
"id": 1658815315,
"author_id": 45,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "shinya maeda",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "ssh",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "shinya maeda",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T06:01:55.675Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
New payload
{
"id": 1658814131,
"author_id": 45,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "shinya maeda",
"author_class": "User",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "ssh",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "shinya maeda",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T05:42:11.529Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
Event: HTTP Git clone event (with personal username and password)
Previous payload
{
"id": 1658815367,
"author_id": 45,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "shinya maeda",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "http",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "shinya maeda",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T06:02:47.953Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
New payload
{
"id": 1658814298,
"author_id": 45,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "shinya maeda",
"author_class": "User",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "http",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "shinya maeda",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T05:44:58.563Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
Event: HTTP Git clone event (with Deploy Token)
Previous payload
{
"id": 1658815437,
"author_id": -2,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "dep-token-test",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "http",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "dep-token-test",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T06:03:57.159Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
New payload
{
"id": 1658814385,
"author_id": -2,
"entity_id": 22,
"entity_type": "Project",
"details": {
"author_name": "dep-token-test",
"author_class": "DeployToken",
"target_id": 22,
"target_type": "Project",
"target_details": "new_project",
"custom_message": {
"protocol": "http",
"action": "git-upload-pack"
},
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "dep-token-test",
"entity_path": "dosuken-org/new_project",
"target_details": "new_project",
"created_at": "2022-07-26T05:46:25.850Z",
"target_type": "Project",
"target_id": 22,
"event_type": "repository_git_operation"
}
Event: Added or removed deploy keys in Project-level setting UI
Previous payload
{
"id": 1658815414,
"author_id": 45,
"entity_id": 22,
"entity_type": "Project",
"details": {
"action": "custom",
"author_name": "shinya maeda",
"target_id": 3,
"target_type": "DeployToken",
"target_details": "dep-token-test",
"custom_message": "Created project deploy token with name: dep-token-test with token_id: 3 with scopes: [:read_repository].",
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "shinya maeda",
"entity_path": "dosuken-org/new_project",
"target_details": "dep-token-test",
"created_at": "2022-07-26T06:03:34.168Z",
"target_type": "DeployToken",
"target_id": 3,
"event_type": "deploy_token_created"
}
New payload
{
"id": 1658814345,
"author_id": 45,
"entity_id": 22,
"entity_type": "Project",
"details": {
"action": "custom",
"author_name": "shinya maeda",
"author_class": "User",
"target_id": 2,
"target_type": "DeployToken",
"target_details": "dep-token-test",
"custom_message": "Created project deploy token with name: dep-token-test with token_id: 2 with scopes: [:read_repository].",
"ip_address": "127.0.0.1",
"entity_path": "dosuken-org/new_project"
},
"ip_address": "127.0.0.1",
"author_name": "shinya maeda",
"entity_path": "dosuken-org/new_project",
"target_details": "dep-token-test",
"created_at": "2022-07-26T05:45:45.935Z",
"target_type": "DeployToken",
"target_id": 2,
"event_type": "deploy_token_created"
}
How to set up and validate locally
- Enable the audit_event_streaming_git_operations_deploy_key_event feature flag.
- Set up Audit Event streaming.
- Create a project deploy key.
- Perform a Git operation with the deploy key. For example, git clone ssh://devkitkat@local.gitlab.test:2222/dosuken-org/new_project.git

Please note that these Git-related events are available for streaming only. They are not persisted into the database, i.e. you don't see the event records in the GitLab UI.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Shinya Maeda
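For a receiver of the streamed events, the sketch below classifies the authentication source of each Git operation from author_class, falling back to the author_id values shown in the payloads above when the field is absent. It is an added example, not code from this MR or from GitLab; the function names (auth_source, summarize) and the trimmed sample events are constructed for illustration.

```python
import json
from collections import Counter

# author_id sentinels as they appear in the payloads on this page.
SENTINELS = {-2: "DeployToken", -3: "DeployKey"}


def auth_source(event):
    """Classify who authenticated; returns (source, basis)."""
    declared = (event.get("details") or {}).get("author_class")
    implied = SENTINELS.get(event.get("author_id"))
    if declared:
        # A deploy key/token class must agree with the sentinel id, and vice versa.
        if declared in SENTINELS.values() or implied:
            if declared != implied:
                return "Inconsistent", "author_class/author_id mismatch"
        return declared, "author_class"
    if implied:
        return implied, "author_id"
    # No author_class and a real user id: the "previous" deploy key payload
    # on this page looks exactly like this, so the source is undetermined.
    return "Ambiguous", "legacy payload"


def summarize(json_lines):
    """Count repository_git_operation events per authentication source."""
    counts = Counter()
    for line in json_lines:
        event = json.loads(line)
        if event.get("event_type") == "repository_git_operation":
            counts[auth_source(event)[0]] += 1
    return dict(counts)


def _ev(author_id, author_class=None, event_type="repository_git_operation"):
    # Constructed sample event, trimmed to the fields the classifier reads.
    details = {"author_class": author_class} if author_class else {}
    return json.dumps({"author_id": author_id, "details": details,
                       "event_type": event_type})


SAMPLE_LINES = [
    _ev(-3, "DeployKey"), _ev(45, "User"), _ev(-2, "DeployToken"),
    _ev(-2),                # legacy deploy token payload (no author_class)
    _ev(45),                # legacy payload: user or deploy key, cannot tell
    _ev(45, "DeployKey"),   # constructed mismatch worth alerting on
    _ev(45, "User", "deploy_token_created"),  # not a Git operation
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```
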