Add specs to detect extra audit events

Michael Becker requested to merge fix/370703 into master

What does this MR do and why?

We have an epic, "Don't create audit events when there is no change".

In short, we want to make sure we do NOT emit audit events for API update calls that end up not resulting in an actual data change.

As part of this epic, EE::Projects::UpdateService audit events were identified as a potential place where the behavior described in the epic was occurring.

While working on that issue, I added a spec to check for the duplicate audit event behavior. It turned out that this audit event source already does the correct thing.

As such, this commit just adds the aforementioned specs to prevent possible future regressions.

closes: #370703 (closed)

Screenshots or screen recordings

Here is the state of the audit event UI after running the reproduction steps described below

[Screenshot: audit event UI]

How to set up and validate locally

  1. Create an access token to use with the REST API
  2. In a terminal, curl a real update
    curl --request PUT --header "PRIVATE-TOKEN: ACCESS_TOKEN" "http://localhost:3000/api/v4/projects/1?name=GitlabTest"
  3. Use the rails console to see the audit event
  4. Use the audit event UI to see the update: http://localhost:3000/gitlab-org/gitlab-test/-/audit_events
  5. In a terminal, repeat the curl to create a no-op update
    curl --request PUT --header "PRIVATE-TOKEN: ACCESS_TOKEN" "http://localhost:3000/api/v4/projects/1?name=GitlabTest"
  6. Use the rails console and audit event UI to verify no new audit event was created
  7. In a terminal, reset the attribute to generate another real update
    curl --request PUT --header "PRIVATE-TOKEN: ACCESS_TOKEN" "http://localhost:3000/api/v4/projects/1?name=Gitlab%20Test"
  8. Use the rails console to see the audit event
  9. Use the audit event UI to see the update: http://localhost:3000/gitlab-org/gitlab-test/-/audit_events

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Michael Becker
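
The behaviour the validation steps above check, as an added Ruby example that is not part of the merge request or GitLab's code. `DemoUpdateService`, `AuditEvent`, the author name and the sample attributes are hypothetical stand-ins, and the audit log is an in-memory array.

```ruby
# Added example: hypothetical stand-ins, not GitLab's EE::Projects::UpdateService.
AuditEvent = Struct.new(:author, :attribute, :from, :to, keyword_init: true)

class DemoUpdateService
  attr_reader :audit_log

  def initialize(attributes, author)
    @attributes = attributes.transform_keys(&:to_s)
    @author = author
    @audit_log = []
  end

  # Applies params and returns the audit events emitted by this call.
  def execute(params)
    changes = params.transform_keys(&:to_s).each_with_object({}) do |(key, value), diff|
      old = @attributes[key]
      diff[key] = [old, value] unless old == value
    end
    # No-op update: nothing is persisted, so nothing is audited.
    return [] if changes.empty?

    @attributes.merge!(changes.transform_values(&:last))
    emitted = changes.map do |attribute, (from, to)|
      AuditEvent.new(author: @author, attribute: attribute, from: from, to: to)
    end
    @audit_log.concat(emitted)
    emitted
  end
end

# Replays the three PUT requests from the validation steps (constructed data)
# and returns the audit log size after each one.
def replay_validation_steps
  service = DemoUpdateService.new({ name: 'Gitlab Test', description: 'demo' }, 'root')
  [
    { name: 'GitlabTest' },  # real update
    { name: 'GitlabTest' },  # repeated request, no data change
    { name: 'Gitlab Test' }  # reset, a real update again
  ].map do |params|
    service.execute(params)
    service.audit_log.size
  end
end

# One changed and one unchanged attribute in the same call: one event only.
def mixed_update_events
  service = DemoUpdateService.new({ name: 'Gitlab Test', description: 'demo' }, 'root')
  service.execute({ name: 'GitlabTest', description: 'demo' })
end
```
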