New Audit Event: AuditEvents not being created when creating/deleting SSHKeys/GPGKeys via API
Problem to solve
Via the API, we allow users or admins to create/destroy SSH keys and GPG Keys. In the lib/api/users.rb, this is performed directly using ActiveRecord operations like say user.keys.new(ssh_key_params).save. With this approach, AuditEvents are not being created.
Proposal
We have services (like Keys::CreateService) which take in the required params and do the same operation, while also making sure that AuditEvents are being created for these operations. The API should use these services to ensure AuditEvents are created when creating/destroying GPG and SSH keys.
Further details
A non-exhaustive list of endpoints where changes are required:
SSH Keys
- POST :id/keys - Fix: !33859 (merged)
- POST keys - Fix: !34645 (merged)
- DELETE :id/keys/:key_id
  - Technical debt fix for using DestroyService in this endpoint - !34535 (merged)
  - Record audit event via EE::Keys::DestroyService - !65615 (merged)
- DELETE keys/:key_id
  - Technical debt fix for using DestroyService in this endpoint: !34718 (merged)
  - Record audit event via EE::Keys::DestroyService - !65615 (merged)
GPG Keys
- POST ':id/gpg_keys'
  - Technical debt fix for using CreateService in this endpoint: !34737 (merged)
  - Record audit event fix: Instrument EE::GPGKeys::CreateService - !65973 (merged)
- POST 'gpg_keys'
  - Technical debt fix for using CreateService in this endpoint: !34817 (merged)
  - Record audit event fix: Instrument EE::GPGKeys::CreateService - !65973 (merged)
- DELETE ':id/gpg_keys/:key_id'
  - Technical debt fix for using DestroyService in this endpoint: !34935 (merged)
  - Record audit event fix: Instrument EE::GPGKeys::DestroyService - !65973 (merged)
- DELETE 'gpg_keys/key_id'
  - Technical debt fix for using DestroyService in this endpoint: !35033 (merged)
  - Record audit event fix: Instrument EE::GPGKeys::DestroyService - !65973 (merged)
The changes could be big, so it would make sense to split these changes across multiple MRs (~ 3 MRs for 3 services).
Edited by Tan Le
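The gap described in this issue, and a coverage check that catches it, as an added example that is not part of the original issue or of GitLab's code. It is a plain-Ruby model: Store, KeyService, HANDLERS and unaudited_handlers are hypothetical names, and the sample keys are constructed.

```ruby
# Added illustration in plain Ruby (no Rails, no GitLab code); every name is hypothetical.
AuditEvent = Struct.new(:action, :actor, :target_user, :fingerprint)

# In-memory stand-in for the keys table and the audit event table.
class Store
  attr_reader :keys, :audit_log

  def initialize(keys = [])
    @keys = keys.dup
    @audit_log = []
  end
end

# Service layer: the write and its audit record happen in one place.
class KeyService
  def initialize(store, actor)
    @store = store
    @actor = actor
  end

  def create(user, fingerprint)
    @store.keys << [user, fingerprint]
    @store.audit_log << AuditEvent.new(:key_created, @actor, user, fingerprint)
  end

  def destroy(user, fingerprint)
    return false unless @store.keys.delete([user, fingerprint])

    @store.audit_log << AuditEvent.new(:key_destroyed, @actor, user, fingerprint)
    true
  end
end

SEED = [%w[alice fp-0]].freeze # constructed sample data

# Constructed handlers: two write to the store directly, two go through the service.
HANDLERS = {
  'POST :id/keys (direct)' => ->(s) { s.keys << %w[alice fp-1] },
  'DELETE :id/keys/:key_id (direct)' => ->(s) { s.keys.delete(%w[alice fp-0]) },
  'POST :id/keys (service)' => ->(s) { KeyService.new(s, 'admin').create('alice', 'fp-1') },
  'DELETE :id/keys/:key_id (service)' => ->(s) { KeyService.new(s, 'admin').destroy('alice', 'fp-0') }
}.freeze

# Names of handlers that changed the key set without leaving an audit event.
def unaudited_handlers(handlers)
  handlers.select do |_name, handler|
    store = Store.new(SEED)
    handler.call(store)
    store.keys != SEED && store.audit_log.empty?
  end.keys
end
```

Run as a regression test over every key-mutating endpoint, a check of this shape fails as soon as a handler writes keys without going through the audited service.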