
Add audit logs for ai_workflows actions

What does this MR do and why?

Adds audit logs for any API requests which were authenticated using a token with the ai_workflows scope. An audit log is created whether the request was successful or not (even if the request fails later, after authentication, for any reason). IOW, we log any API request attempt made with the token.

References

Related to #499461 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

request_logging

How to set up and validate locally

There are two options:

  • Either set up and use Duo Workflow locally (instructions in https://docs.gitlab.com/ee/development/duo_workflow/), then run a workflow and check the events in the audit log
  • Update the scopes of an existing token: set only the ai_workflows scope for the token (this scope is also used by Duo Workflow). This can be done in the console with PersonalAccessToken.find(22).update_column(:scopes, ["ai_workflows"]). Then run any API request for which a token with this scope is allowed, for example: curl --header "PRIVATE-TOKEN: <token>" "http://192.168.1.8:3000/api/v4/projects/1/issues/3"
Edited by Jan Provaznik
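
The ordering this MR describes (the audit event is written once the token is authenticated, whether or not the request later succeeds), as an added Ruby sketch. It is not GitLab's code: Token, AuditLog, Api, the rule for the `api` scope and the sample tokens and paths are assumptions constructed for the illustration.

```ruby
# Added illustration, not GitLab's implementation. All names are hypothetical.
require 'time'

AUDITED_SCOPE = 'ai_workflows'

Token = Struct.new(:id, :user, :scopes)

class AuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def record(token, method, path)
    @events << { token_id: token.id, user: token.user, method: method,
                 path: path, at: Time.now.utc.iso8601 }
  end
end

class Api
  def initialize(tokens, audit_log)
    @tokens = tokens # constructed map: secret string => Token
    @audit = audit_log
  end

  # Returns an HTTP-like status code.
  def call(method, path, secret)
    token = @tokens[secret]
    return 401 unless token # no authenticated token, nothing to attribute

    # Record right after authentication, before authorization and the
    # handler run, so a later 403/404 cannot skip the audit event.
    @audit.record(token, method, path) if token.scopes.include?(AUDITED_SCOPE)

    return 403 unless allowed?(token, path)
    handle(path)
  rescue KeyError
    404 # handler could not find the resource
  end

  private

  # Assumed rule: ai_workflows tokens may only reach project endpoints.
  def allowed?(token, path)
    token.scopes.include?('api') || path.start_with?('/api/v4/projects/')
  end

  def handle(path)
    { '/api/v4/projects/1/issues/3' => 200 }.fetch(path)
  end
end
```

If the `record` call sat after `handle` instead, the 403 and 404 requests would leave no trace, which is the gap the MR description rules out.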
