Draft: New Audit Event for custom HTTP header changes

This is the part 2 to this [refactor MR][0] This implements [issue 366350][1] We want to emit audit events whenever the custom streaming event headers are creating/updated/destroyed This is a draft as there are some audit and spec related specifics I need to get some clarity on [0]:!91992 [1]:#366350

Draft: New Audit Event for custom HTTP header changes
62da29b2 · Michael Becker · b0f51948 · 62da29b2 · 62da29b2 · 62da29b2
Commit 62da29b2 authored 2 years ago by Michael Becker
--- a/ee/app/graphql/mutations/audit_events/streaming/headers/create.rb
+++ b/ee/app/graphql/mutations/audit_events/streaming/headers/create.rb
@@ -27,7 +27,8 @@ class Create < BaseMutation
          def resolve(destination_id:, key:, value:)
            response = ::AuditEvents::Streaming::Headers::CreateService.new(
              destination: authorized_find!(destination_id),
-              params: { key: key, value: value }
+              params: { key: key, value: value },
+              current_user: current_user
            ).execute

            if response.success?

--- a/ee/app/graphql/mutations/audit_events/streaming/headers/destroy.rb
+++ b/ee/app/graphql/mutations/audit_events/streaming/headers/destroy.rb
@@ -17,7 +17,8 @@ def resolve(header_id:)

            response = ::AuditEvents::Streaming::Headers::DestroyService.new(
              destination: header.external_audit_event_destination,
-              params: { header: header }
+              params: { header: header },
+              current_user: current_user
            ).execute

            if response.success?

--- a/ee/app/graphql/mutations/audit_events/streaming/headers/update.rb
+++ b/ee/app/graphql/mutations/audit_events/streaming/headers/update.rb
@@ -29,7 +29,8 @@ def resolve(header_id:, key:, value:)

            response = ::AuditEvents::Streaming::Headers::UpdateService.new(
              destination: header.external_audit_event_destination,
-              params: { header: header, key: key, value: value }
+              params: { header: header, key: key, value: value },
+              current_user: current_user
            ).execute

            if response.success?

--- a/ee/app/services/audit_events/streaming/headers/base.rb
+++ b/ee/app/services/audit_events/streaming/headers/base.rb
@@ -32,6 +32,20 @@ def destination_error
        def feature_enabled?
          Feature.enabled?(:streaming_audit_event_headers, group)
        end
+
+        def audit(
+          action:, header:, author: current_user,
+              message: "#{action}: a custom http header with key #{header.key}")
+          audit_context = {
+            name: "audit_events_streaming_headers_#{action}",
+            author: author,
+            scope: group,
+            target: header,
+            message: message
+          }
+
+          ::Gitlab::Audit::Auditor.audit(audit_context)
+        end
      end
    end
  end

--- a/ee/app/services/audit_events/streaming/headers/create_service.rb
+++ b/ee/app/services/audit_events/streaming/headers/create_service.rb
@@ -9,6 +9,7 @@ def execute
          header = destination.headers.new(key: params[:key], value: params[:value])

          if header.save
+            audit(action: :create, header: header)
            ServiceResponse.success(payload: { header: header, errors: [] })
          else
            ServiceResponse.error(message: Array(header.errors))

--- a/ee/app/services/audit_events/streaming/headers/destroy_service.rb
+++ b/ee/app/services/audit_events/streaming/headers/destroy_service.rb
@@ -10,6 +10,7 @@ def execute
          return header_error if header.blank?

          if header.destroy
+            audit(action: :destroy, header: header)
            ServiceResponse.success
          else
            ServiceResponse.error(message: Array(header.errors))

--- a/ee/app/services/audit_events/streaming/headers/update_service.rb
+++ b/ee/app/services/audit_events/streaming/headers/update_service.rb
@@ -9,7 +9,10 @@ def execute
          header = params[:header]
          return header_error if header.blank?

+          audit_message = audit_message(header.key, params[:key])
+
          if header.update(key: params[:key], value: params[:value])
+            audit(action: :update, header: header, message: audit_message)
            ServiceResponse.success(payload: { header: header, errors: [] })
          else
            ServiceResponse.error(message: Array(header.errors))
@@ -21,6 +24,10 @@ def execute
        def header_error
          ServiceResponse.error(message: "missing header param")
        end
+
+        def audit_message(old_key, new_key)
+          "update: a custom http header key changed from #{old_key} to #{new_key}"
+        end
      end
    end
  end

--- a/ee/spec/services/audit_events/streaming/headers/create_service_spec.rb
+++ b/ee/spec/services/audit_events/streaming/headers/create_service_spec.rb
@@ -3,11 +3,14 @@
 require 'spec_helper'

 RSpec.describe AuditEvents::Streaming::Headers::CreateService do
-  let(:destination) { create(:external_audit_event_destination) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:destination) { create(:external_audit_event_destination) }
+
  let(:params) { {} }

  subject(:service) do
    described_class.new(
+      current_user: user,
      destination: destination,
      params: params
    )
@@ -33,6 +36,20 @@
        expect(response.payload[:header].key).to eq 'a_key'
        expect(response.payload[:header].value).to eq 'a_value'
      end
+
+      it 'sends the audit streaming event' do
+        audit_context = {
+          name: 'audit_events_streaming_headers_create',
+          # stream_only: true,
+          author: user,
+          scope: destination.group,
+          message: "create: a custom http header with key a_key"
+        }
+
+        expect(::Gitlab::Audit::Auditor).to receive(:audit)
+                                              .with(hash_including(audit_context))
+        response
+      end
    end
  end
 end
--- a/ee/spec/services/audit_events/streaming/headers/destroy_service_spec.rb
+++ b/ee/spec/services/audit_events/streaming/headers/destroy_service_spec.rb
@@ -3,11 +3,18 @@
 require 'spec_helper'

 RSpec.describe AuditEvents::Streaming::Headers::DestroyService do
-  let(:header) { create(:audit_events_streaming_header) }
-  let(:destination) { header.external_audit_event_destination }
-  let(:params) { {  destination: destination, header: header } }
-
-  subject(:service) { described_class.new(destination: destination, params: params ) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:header) { create(:audit_events_streaming_header) }
+  let_it_be(:destination) { header.external_audit_event_destination }
+  let_it_be(:params) { {  destination: destination, header: header } }
+
+  subject(:service) do
+    described_class.new(
+      destination: destination,
+      current_user: user,
+      params: params
+    )
+  end

  describe '#execute' do
    context 'when no header is provided' do
@@ -32,6 +39,20 @@
        expect { response }.to change { destination.headers.count }.by(-1)
        expect(response).to be_success
      end
+
+      it 'sends the audit streaming event' do
+        audit_context = {
+          name: 'audit_events_streaming_headers_destroy',
+          # stream_only: true,
+          author: user,
+          scope: destination.group,
+          target: header,
+          message: "destroy: a custom http header with key #{header.key}"
+        }
+
+        expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context)
+        response
+      end
    end
  end
 end
--- a/ee/spec/services/audit_events/streaming/headers/update_service_spec.rb
+++ b/ee/spec/services/audit_events/streaming/headers/update_service_spec.rb
@@ -4,7 +4,9 @@

 RSpec.describe AuditEvents::Streaming::Headers::UpdateService do
  let_it_be(:header) { create(:audit_events_streaming_header, key: 'old', value: 'old') }
+  let_it_be(:user) { create(:user) }

+  let(:header) { create(:audit_events_streaming_header, key: 'old', value: 'old') }
  let(:destination) { header.external_audit_event_destination }
  let(:params) do
    {
@@ -14,7 +16,13 @@
    }
  end

-  subject(:service) { described_class.new(destination: destination, params: params) }
+  subject(:service) do
+    described_class.new(
+      current_user: user,
+      destination: destination,
+      params: params
+    )
+  end

  describe '#execute' do
    subject(:response) { service.execute }
@@ -39,6 +47,20 @@
        expect(header.reload.key).to eq 'new'
        expect(header.value).to eq 'new'
      end
+
+      it 'sends the audit streaming event' do
+        audit_context = {
+          name: 'audit_events_streaming_headers_update',
+          # stream_only: true,
+          author: user,
+          scope: destination.group,
+          target: header,
+          message: "update: a custom http header key changed from old to new"
+        }
+
+        expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context)
+        response
+      end
    end
  end
 end