New Audit Event: AuditEvents not being created when creating/deleting SSHKeys/GPGKeys via API

Problem to solve

Via the API, we allow users or admins to create/destroy SSH keys and GPG keys. In lib/api/users.rb, this is performed directly using ActiveRecord operations such as user.keys.new(ssh_key_params).save. With this approach, AuditEvents are not created.

Proposal

We have services (like Keys::CreateService) which take in the required params and do the same operation, while also making sure that AuditEvents are being created for these operations. The API should use these services to ensure AuditEvents are created when creating/destroying GPG and SSH keys.

Further details

A non-exhaustive list of endpoints where changes are required:

SSH Keys

GPG Keys

  • POST ':id/gpg_keys'
    • Technical debt fix for using CreateService in this endpoint: !34737 (merged)
    • Record audit event fix: Instrument EE::GPGKeys::CreateService - !65973 (merged)
  • POST 'gpg_keys'
    • Technical debt fix for using CreateService in this endpoint: !34817 (merged)
    • Record audit event fix: Instrument EE::GPGKeys::CreateService - !65973 (merged)
  • DELETE ':id/gpg_keys/:key_id'
    • Technical debt fix for using DestroyService in this endpoint: !34935 (merged)
    • Record audit event fix: Instrument EE::GPGKeys::DestroyService - !65973 (merged)
  • DELETE 'gpg_keys/:key_id'
    • Technical debt fix for using DestroyService in this endpoint: !35033 (merged)
    • Record audit event fix: Instrument EE::GPGKeys::DestroyService - !65973 (merged)

The changes could be big, so it would make sense to split these changes across multiple MRs (~ 3 MRs for 3 services).

Edited by Tan Le
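
The gap described in this issue, as an added sketch in plain Ruby (not GitLab's code): Store, Key, AuditEvent, KeyCreateService and the helper methods are hypothetical stand-ins for the model, the audit log and a service such as Keys::CreateService. It covers the create case only and adds a reconciliation check that lists keys with no matching creation event.

```ruby
# Constructed in-memory stand-ins (assumptions, not GitLab classes).
AuditEvent = Struct.new(:author_id, :entity_id, :action, :target, keyword_init: true)
Key = Struct.new(:id, :user_id, :title, keyword_init: true)

class Store
  attr_reader :keys, :audit_events

  def initialize
    @keys = []
    @audit_events = []
  end
end

# Service layer: the write and the audit record are produced in one place,
# so every caller that goes through it leaves a trail.
class KeyCreateService
  def initialize(store, current_user_id, params)
    @store = store
    @current_user_id = current_user_id
    @params = params
  end

  def execute
    key = Key.new(id: @store.keys.size + 1, **@params)
    @store.keys << key
    @store.audit_events << AuditEvent.new(
      author_id: @current_user_id, entity_id: key.user_id,
      action: :key_created, target: key.id
    )
    key
  end
end

# "Before": the endpoint writes the record itself; nothing is audited.
def create_key_directly(store, params)
  key = Key.new(id: store.keys.size + 1, **params)
  store.keys << key
  key
end

# "After": the endpoint delegates to the service.
def create_key_via_service(store, current_user_id, params)
  KeyCreateService.new(store, current_user_id, params).execute
end

# Reconciliation: keys present in the store without a creation audit event.
def unaudited_keys(store)
  audited = store.audit_events.select { |e| e.action == :key_created }.map(&:target)
  store.keys.reject { |k| audited.include?(k.id) }
end
```

Running the reconciliation after a mix of both paths returns only the keys written directly, which is the set an audit review would otherwise miss.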