Skip to content

Draft: Validation and handling of http audit event destinations

Hitesh Raghuvanshi requested to merge 436607-custom-http-handler into master

What does this MR do and why?

Added handling and validation of custom http audit event streaming destinations.

Following changes were added:

  1. Config json schema added for http destinations, which does following:
    1. Requires a field named url which should be a correct http or https url with max length of 255 characters.
    2. A json object headers, which can be null or empty or can contain hash of all headers in format { key: { value: 'value', active: true }} . There is limit of maximum 20 headers.
  2. Validation of HTTP url in config of destinations:
    1. For group level external audit event destinations:
      1. No two destinations belonging to same group can have same url in their configs.
      2. Two destinations can have same url in config if they belong to different groups.
    2. For instance level destinations, no two destinations can have same url in their configs.
  3. Secret token:
    1. Validation: If secret token is provided then the length should be between 16 to 24 characters.
    2. Auto generation of secret token for http destinations if not provided.
    3. Earlier secret token was a required field in ee/app/graphql/mutations/audit_events/group/audit_event_streaming_destinations/create.rb , now it is optional for destinations with category http, as in that case it can be auto generated too.
    4. Earlier we were not allowing secret_token to be queried for ee/app/graphql/types/audit_events/audit_event_streaming_destination_interface.rb , now for http destinations it will return the token and for other type of destinations it will return empty string.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Related to #436607

Edited by Hitesh Raghuvanshi

Merge request reports