
Authentication type in audit events: Deploy keys

Shinya Maeda requested to merge deploy-key-audit-event-streaming into master

What does this MR do and why?

This MR addresses Authentication type in audit events: Deploy keys. Specifically, it makes the following changes:

  • Adding a new field author_class to the audit event structure that indicates the source of the event, e.g. "User" did X, "Deploy Key" did X, "Deploy Token" did X, etc.
  • Adding a new NullAuthor class as a DeployKeyAuthor to indicate that an event with audit_event.author_id == -3 originated from a Deploy Key. This is the same as how we approached the DeployToken authentication type.
  • This change is behind the audit_event_streaming_git_operations_deploy_key_event feature flag, which is disabled by default.

Screenshots or screen recordings

Event: SSH Git clone event (with Deploy key)

Previous payload
{
  "id": 1658815236,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T06:00:36.970Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}
New payload
{
  "id": 1658814233,
  "author_id": -3,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "dep-key-test",
    "author_class": "DeployKey",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "dep-key-test",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T05:43:53.662Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

Event: SSH Git clone event (with personal SSH key)

Previous payload
{
  "id": 1658815315,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T06:01:55.675Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}
New payload
{
  "id": 1658814131,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "author_class": "User",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T05:42:11.529Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

Event: HTTP Git clone event (with personal username and password)

Previous payload
{
  "id": 1658815367,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T06:02:47.953Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}
New payload
{
  "id": 1658814298,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "author_class": "User",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T05:44:58.563Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

Event: HTTP Git clone event (with Deploy Token)

Previous payload
{
  "id": 1658815437,
  "author_id": -2,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "dep-token-test",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "dep-token-test",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T06:03:57.159Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}
New payload
{
  "id": 1658814385,
  "author_id": -2,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "dep-token-test",
    "author_class": "DeployToken",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "dep-token-test",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-26T05:46:25.850Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

Event: Added or removed deploy keys in Project-level setting UI

Previous payload
{
  "id": 1658815414,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "action": "custom",
    "author_name": "shinya maeda",
    "target_id": 3,
    "target_type": "DeployToken",
    "target_details": "dep-token-test",
    "custom_message": "Created project deploy token with name: dep-token-test with token_id: 3 with scopes: [:read_repository].",
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "dep-token-test",
  "created_at": "2022-07-26T06:03:34.168Z",
  "target_type": "DeployToken",
  "target_id": 3,
  "event_type": "deploy_token_created"
}
New payload
{
  "id": 1658814345,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "action": "custom",
    "author_name": "shinya maeda",
    "author_class": "User",
    "target_id": 2,
    "target_type": "DeployToken",
    "target_details": "dep-token-test",
    "custom_message": "Created project deploy token with name: dep-token-test with token_id: 2 with scopes: [:read_repository].",
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "dep-token-test",
  "created_at": "2022-07-26T05:45:45.935Z",
  "target_type": "DeployToken",
  "target_id": 2,
  "event_type": "deploy_token_created"
}

How to set up and validate locally

  • Enable the audit_event_streaming_git_operations_deploy_key_event feature flag.
  • Set up Audit Event streaming.
  • Create a project deploy key.
  • Perform a Git operation with the deploy key. For example, git clone ssh://devkitkat@local.gitlab.test:2222/dosuken-org/new_project.git

Please note that these Git-related events are available for streaming only. They are not persisted to the database, i.e. you don't see the event records in the GitLab UI.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Shinya Maeda
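
The payloads above, seen from the receiving end of the stream: an added example, not code from this MR or from GitLab, showing how a consumer could classify the credential type from author_class, fall back to the author_id sentinels (-2, -3) for payloads in the previous format, and flag events where the two disagree. The function names and the trimmed sample events are constructed for illustration.

```python
import json

# author_id sentinels taken from the payloads on this page.
SENTINEL_CLASS = {-2: "DeployToken", -3: "DeployKey"}

def classify_author(event):
    """Return (auth_type, note) for one streamed audit event (a dict)."""
    declared = (event.get("details") or {}).get("author_class")
    implied = SENTINEL_CLASS.get(event.get("author_id"))
    if declared is None:
        # Previous payload format: a positive author_id does not prove an
        # interactive user, so report Unknown rather than guessing "User".
        return (implied or "Unknown", "no author_class")
    if declared != implied and (implied or declared in SENTINEL_CLASS.values()):
        return (declared, "author_id mismatch")
    return (declared, "ok")

def non_human_git_ops(events):
    """Git operations authenticated with a deploy key or deploy token."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "repository_git_operation":
            continue
        auth_type, note = classify_author(ev)
        if auth_type not in SENTINEL_CLASS.values():
            continue
        msg = (ev.get("details") or {}).get("custom_message")
        msg = msg if isinstance(msg, dict) else {}
        hits.append((ev.get("entity_path"), auth_type, ev.get("author_name"),
                     msg.get("protocol"), msg.get("action"), note))
    return hits

# Constructed sample: trimmed copies of this page's payloads, one JSON per line.
SAMPLE = [json.loads(line) for line in """\
{"author_id": -3, "author_name": "dep-key-test", "entity_path": "dosuken-org/new_project", "event_type": "repository_git_operation", "details": {"author_class": "DeployKey", "custom_message": {"protocol": "ssh", "action": "git-upload-pack"}}}
{"author_id": 45, "author_name": "shinya maeda", "entity_path": "dosuken-org/new_project", "event_type": "repository_git_operation", "details": {"author_class": "User", "custom_message": {"protocol": "http", "action": "git-upload-pack"}}}
{"author_id": -2, "author_name": "dep-token-test", "entity_path": "dosuken-org/new_project", "event_type": "repository_git_operation", "details": {"custom_message": {"protocol": "http", "action": "git-upload-pack"}}}
{"author_id": 45, "author_name": "shinya maeda", "entity_path": "dosuken-org/new_project", "event_type": "repository_git_operation", "details": {"custom_message": {"protocol": "ssh", "action": "git-upload-pack"}}}
""".splitlines()]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev["author_name"], classify_author(ev))
    for hit in non_human_git_ops(SAMPLE):
        print(hit)
```

The fourth sample event has the shape of the "Previous payload" for the deploy-key clone: without author_class it is indistinguishable from a personal-key clone, which is why the classifier returns Unknown for it.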