Create API for instance level external audit events destination

What does this MR do and why?

Adding support for instance level external audit event destinations. This MR does the following:

  1. Adds a feature flag ff_external_audit_events.
  2. Adds a GraphQL mutation for creating a new entry in table audit_events_instance_external_audit_event_destinations.
  3. Feature is available for Ultimate licence only.

Relevant MRs and issues:

  1. Database changes and models were added in !116909 (merged)
  2. Since the whole GraphQL APIs MR became too large to review, the create API is sent first; the rest of the APIs are in the original MR !115157 (merged).

GraphQL API

mutation {
  instanceExternalAuditEventDestinationCreate(input: { destinationUrl: "https://www.example.com"}) {
    errors
    instanceExternalAuditEventDestination {
      destinationUrl
      id
      verificationToken
    }
  }
}

Query plan

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/17952/commands/59720

Query

INSERT INTO "audit_events_instance_external_audit_event_destinations" (
  "created_at", "updated_at", "destination_url", 
  "encrypted_verification_token", 
  "encrypted_verification_token_iv"
) 
VALUES 
  (
    '2023-04-24 17:02:34.144301', '2023-04-24 17:02:34.144301', 
    'https://gitlab.com/example/testendpoint', 
    '\xb4a8476df243a57e207efc86d870a4657f47ffe7f7841ca1393b77ec7bce26578c91c1b3cd669557', 
    '\x0f600c461b970cef9c6a39be'
  ) RETURNING "id"

How to set up and validate locally

Happy flow:

  1. Go to the Rails console and enable the feature flag by running Feature.enable(:ff_external_audit_events).
  2. Log in as an instance admin in the browser on http://localhost:3000.
  3. Go to http://localhost:3000/-/graphql-explorer and run the above GraphQL API. It should provide a success output with a non-nil verificationToken.
  4. Go to the Rails console and check that the corresponding entry has been made in the database by running AuditEvents::InstanceExternalAuditEventDestination.all. You should receive at least 1 entry in response to this.

Error scenarios:

  1. If you are an instance admin but the feature flag is disabled, you will get an error while running the mutation.
  2. If you are not logged in or not an instance admin then you will receive an error regardless of whether the feature flag is enabled or disabled.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #335175 (closed)

Edited by Hitesh Raghuvanshi
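
The following Ruby helper is an added example, not code from this MR or from GitLab. It scripts the check in step 3 of the happy flow and the two error scenarios: it builds the mutation with the URL passed as a GraphQL variable, then classifies a response without ever printing the verification token. Assumptions: destinationUrl is typed String!, the body is posted to /api/graphql, an error may arrive either as top-level GraphQL errors or in the payload's errors field (the description does not say which), and the sample response bodies are constructed.

```ruby
require "json"
require "uri"

# Mutation from the MR description, with the URL supplied as a variable rather
# than interpolated into the query text. Assumption: destinationUrl is String!.
MUTATION = <<~'GRAPHQL'
  mutation($url: String!) {
    instanceExternalAuditEventDestinationCreate(input: { destinationUrl: $url }) {
      errors
      instanceExternalAuditEventDestination { destinationUrl id verificationToken }
    }
  }
GRAPHQL

# Build the JSON body for the GraphQL endpoint; reject non-HTTP(S) URLs early.
def build_request(url)
  uri = URI.parse(url)
  raise ArgumentError, "destination must be http(s)" unless uri.is_a?(URI::HTTP) && uri.host
  JSON.generate({ query: MUTATION, variables: { url: url } })
end

# Classify a response as :created, :rejected (payload errors or missing token)
# or :denied (top-level errors). The token itself is never returned or logged.
def check_response(body)
  doc = JSON.parse(body)
  return [:denied, doc["errors"].map { |e| e["message"] }] if doc["errors"]&.any?

  payload = doc.dig("data", "instanceExternalAuditEventDestinationCreate")
  return [:rejected, ["empty payload"]] if payload.nil?
  return [:rejected, payload["errors"]] if payload["errors"]&.any?

  token = payload.dig("instanceExternalAuditEventDestination", "verificationToken")
  return [:rejected, ["verificationToken is nil"]] if token.nil? || token.empty?
  [:created, []]
end

# Constructed sample responses (not captured from a real instance).
OK_BODY = JSON.generate({ data: { instanceExternalAuditEventDestinationCreate: {
  errors: [],
  instanceExternalAuditEventDestination: {
    destinationUrl: "https://www.example.com", id: "constructed-id",
    verificationToken: "constructed-token"
  }
} } })
DENIED_BODY = JSON.generate({
  data: { instanceExternalAuditEventDestinationCreate: nil },
  errors: [{ message: "constructed: not allowed" }]
})

p check_response(OK_BODY), check_response(DENIED_BODY) if __FILE__ == $PROGRAM_NAME
```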
