
Authentication type in audit events: Deploy keys

Problem to solve

Full context in parent epic.

Proposal

  • Update audit events to reflect the fact that a deploy key was used to authenticate to perform that action.
    • This could be a new value, added as an enum with a deploy_key or similar name, rather than a magic number.
      • author_class field should be DeployKey.
      • author_name field should be deploy_key.title.
    • Should be in the same JSON record for the audit event - don't use a solution which requires a separate API for example.
  • Update the audit event development guide to reflect how to indicate this in an audit event if any changes are needed.
  • This relies on event streaming and auditing of Git operations, specifically the audit_event_streaming_git_operations feature flag.
  • Event structure should be similar to Deploy Token's Git authentication.

Current event structure

The SSH authentication event for Deploy Key access is already recorded by audit event streaming. Here is an example payload:

{
  "id": 1657879517,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-15T10:05:17.347Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

New event structure

{
  "id": 1657888445,
  "author_id": -3,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "dep-key-test-2",
    "author_class": "DeployKey",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "Deploy Key",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-15T12:34:05.645Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}
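To show what the proposed author_class field buys a consumer of the stream, here is a small classifier written for this issue (it is an added example, not code from GitLab or from the PoC MR). It parses constructed sample payloads modelled on the current and new structures quoted above and reports the authentication type per event. The field names (details.author_class, author_id, custom_message.protocol) come from the payloads on this page; the negative author_id values -2 and -3 are only what the samples show and are treated as unlabelled sentinels, never as a lookup table, which is exactly why the proposal asks for an enum rather than a magic number.

```ruby
require 'json'

# Constructed sample payloads modelled on the events quoted in this issue,
# trimmed to the fields the classifier reads. Ids and names are made up.
SAMPLE_EVENTS = {
  # Personal SSH key: a real user id, no author_class.
  personal_ssh: <<~JSON,
    {"id": 1, "author_id": 45, "entity_type": "Project",
     "details": {"author_name": "shinya maeda",
                 "custom_message": {"protocol": "ssh", "action": "git-upload-pack"},
                 "entity_path": "dosuken-org/new_project"},
     "event_type": "repository_git_operation"}
  JSON
  # Current structure for a deploy key: indistinguishable from personal_ssh.
  legacy_deploy_key: <<~JSON,
    {"id": 2, "author_id": 45, "entity_type": "Project",
     "details": {"author_name": "shinya maeda",
                 "custom_message": {"protocol": "ssh", "action": "git-upload-pack"},
                 "entity_path": "dosuken-org/new_project"},
     "event_type": "repository_git_operation"}
  JSON
  # Deploy token over HTTP: negative sentinel id, still no author_class.
  deploy_token_http: <<~JSON,
    {"id": 3, "author_id": -2, "entity_type": "Project",
     "details": {"author_name": "test",
                 "custom_message": {"protocol": "http", "action": "git-upload-pack"},
                 "entity_path": "dosuken-org/new_project"},
     "event_type": "repository_git_operation"}
  JSON
  # Proposed structure: author_class names the principal type explicitly.
  deploy_key_new: <<~JSON
    {"id": 4, "author_id": -3, "entity_type": "Project",
     "details": {"author_name": "dep-key-test-2", "author_class": "DeployKey",
                 "custom_message": {"protocol": "ssh", "action": "git-upload-pack"},
                 "entity_path": "dosuken-org/new_project"},
     "event_type": "repository_git_operation"}
  JSON
}.freeze

# author_class values this consumer understands. "DeployKey" is the value the
# issue proposes; any other class is surfaced as-is rather than guessed at.
KNOWN_AUTHOR_CLASSES = { 'DeployKey' => :deploy_key }.freeze

# Returns a symbol describing how the actor authenticated.
def authentication_type(event)
  author_class = event.dig('details', 'author_class')
  if author_class
    return KNOWN_AUTHOR_CLASSES.fetch(author_class) { :"unknown_class_#{author_class.downcase}" }
  end

  # Legacy events carry no author_class, so only the sign of author_id is
  # available: positive ids are real users, while the negative sentinels seen
  # in the samples mark non-user principals without saying which kind.
  # That ambiguity is the gap this issue closes.
  event['author_id'].to_i.positive? ? :user : :non_user_unclassified
end

# Parses one streamed event; returns nil for anything that is not a Git operation.
def summarize_git_operation(raw_json)
  event = JSON.parse(raw_json)
  return nil unless event['event_type'] == 'repository_git_operation'

  {
    auth: authentication_type(event),
    author: event.dig('details', 'author_name'),
    protocol: event.dig('details', 'custom_message', 'protocol'),
    action: event.dig('details', 'custom_message', 'action'),
    entity_path: event.dig('details', 'entity_path')
  }
end

# Convenience: sample name => authentication type, for every sample.
def classify_samples(samples = SAMPLE_EVENTS)
  samples.transform_values { |raw| summarize_git_operation(raw)[:auth] }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_EVENTS.each do |name, raw|
    s = summarize_git_operation(raw)
    puts format('%-18s auth=%-22s %-4s %s on %s by %s',
                name, s[:auth], s[:protocol], s[:action], s[:entity_path], s[:author])
  end
end
```

Run as a script it prints one line per sample. The two legacy SSH events both come out as `user`, which is the attribution problem in one line: with the current structure a reviewer of the stream cannot tell a developer's personal key from a deploy key. Only the new structure yields `deploy_key`, and the deploy token event shows that a negative id alone is not enough to say which non-user principal acted.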

PoC

PoC MR is available in !92547 (closed)

Technical discussion

@dennis took a look to see if we could implement attribution to deploy keys similar to how we did it for deploy tokens, but it doesn't seem to be as easy as checking whether the author is an instance of DeployKey.

By the time the audit event build service receives the author information, the author is already a User, so it seems we need to move further upstream to determine whether a deploy key was used; the audit event service has no way of making this distinction before sending the audit event out.

Intended users

Feature Usage Metrics

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Examples

SSH Git clone event (with personal SSH key)

{
  "id": 1657879034,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "ssh",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-15T09:57:14.068Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

HTTP Git clone event (with personal username and password)

{
  "id": 1657877947,
  "author_id": 45,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "shinya maeda",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "shinya maeda",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-15T09:39:07.005Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}

HTTP Git clone event (with Deploy Token)

{
  "id": 1657878131,
  "author_id": -2,
  "entity_id": 22,
  "entity_type": "Project",
  "details": {
    "author_name": "test",
    "target_id": 22,
    "target_type": "Project",
    "target_details": "new_project",
    "custom_message": {
      "protocol": "http",
      "action": "git-upload-pack"
    },
    "ip_address": "127.0.0.1",
    "entity_path": "dosuken-org/new_project"
  },
  "ip_address": "127.0.0.1",
  "author_name": "test",
  "entity_path": "dosuken-org/new_project",
  "target_details": "new_project",
  "created_at": "2022-07-15T09:42:11.014Z",
  "target_type": "Project",
  "target_id": 22,
  "event_type": "repository_git_operation"
}
Edited by Shinya Maeda