Refactor audit events for Project Group Links

What does this MR do and why?

Refactors Project Group Link services to use Gitlab::Audit::Auditor for creating audit events. Adds new audit event types under ee/config/audit_events/types.

How to set up and validate locally

  1. In GitLab, select a project.
  2. Click "Invite a group". Select a group to invite, a role, and optionally an expiry date.
  3. Navigate to that group's page, then on the left sidebar go to Security & Compliance > Audit Events.
  4. Verify the audit event for project_group_link_created appears in the group's audit events.
  5. Make changes to the group invite, then remove the invite. Verify these audit events appear as well.
  6. Verify streaming audit events using testing endpoints.

TODO

  • Create service
  • Update service
  • Delete service
  • Remove AuditEventService helpers related to ProjectGroupLinks

Reviewer notes

Need to clarify the following in review:

Existing tests mocked calls to Gitlab::Audit::Auditor.audit. This method no-ops when the given event type does not exist. As the previous code used arbitrary event types for project group links, it would appear these streaming events were not firing prior to this refactor. Lacking an explicit entry point for testing both logged and streamed audit events, it's unclear how these tests could be improved - though I do know work is underway to have this method raise an error on missing event types.

Related: documentation on streamed audit events for project group links refers to event types that were not yet explicitly created, and do not follow the more current convention of noun + past_tense_verb. Request input on whether to update existing documentation with the new types, or keep types consistent with docs. Also whether to use "delete" or "destroy" as a general rule.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #374114 (closed)

Edited by Aaron Huntsman
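
The testing concern in the reviewer notes, as an added example that is not part of this merge request or of GitLab's code: a call-count check on a mocked auditor passes even when the event type is unregistered and the real call would no-op. `ToyAuditor`, `CallSpy`, `create_link` and `LEGACY_NAME` are hypothetical stand-ins; only `project_group_link_created` comes from the page.

```ruby
# Stand-in auditor (hypothetical; not Gitlab::Audit::Auditor itself).
# It models one behaviour from the notes: an unregistered event type is
# dropped silently, or raises when strict mode is enabled.
class ToyAuditor
  UnknownEventType = Class.new(StandardError)
  attr_reader :emitted

  def initialize(registered_types, strict: false)
    @registered = registered_types
    @strict = strict
    @emitted = []
  end

  def audit(context)
    name = context.fetch(:name)
    unless @registered.include?(name)
      raise UnknownEventType, name if @strict
      return nil # silent no-op: nothing is emitted
    end
    @emitted << context
  end
end

# Records calls only, the way a mocked expectation on `audit` does.
class CallSpy
  attr_reader :calls
  def initialize; @calls = []; end
  def audit(context); @calls << context; nil; end
end

# Hypothetical service body: one audit call per created link.
def create_link(auditor, event_name)
  auditor.audit(name: event_name, message: "Added project group link")
end

REGISTERED  = ["project_group_link_created"].freeze # type named on the page
LEGACY_NAME = "constructed_legacy_link_event"        # constructed, unregistered

# Interaction-style check: true for any event name, registered or not.
def mock_style_check_passes?(event_name)
  spy = CallSpy.new
  create_link(spy, event_name)
  spy.calls.size == 1
end

# Outcome-style check: counts events that actually left the auditor.
def events_emitted(event_name, strict: false)
  auditor = ToyAuditor.new(REGISTERED, strict: strict)
  create_link(auditor, event_name)
  auditor.emitted.size
end
```

Asserting on emitted events, or running the auditor in a mode that raises on unknown types, turns the silent gap into a test failure.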
