Enable Git streaming audit events in all offerings
What does this MR do and why?
Currently, the needs_audit field controls if we should use the new workflow of Git clone/fetch streaming audit events.
According to the implementation plan, the logic behind this field does the following:
- If SaaS, then returns false (we just support Self Managed now)
- Only when the FF is enabled and the project group has set the streaming audit event, then returns true
- In any other case, returns false
We want to change this logic since:
- This audit event should NOT only exist for self-managed, so we would like to remove the SaaS validation.
- We don't need to validate if project.group.external_audit_event_destinations exists in this step. Currently, we support two types of audit streaming events: for instances and top-level groups. We should delegate this validation to the AuditEvents::ExternalDestinationStreamer class that determines if the stream audit event is streamable (if it is created by an instance or top-level group, has the licensing capabilities, active audit event destinations, etc.) in this step.
References
- Discussion: #415138 (comment 2589130360)
- Feature: Support to detect git clone/pull audit event (!123486 - merged)
How to set up and validate locally
- Enable the log_git_streaming_audit_events FF.
- Set up the audit event streaming for HTTP destination (https://docs.gitlab.com/user/compliance/audit_event_streaming/#add-a-new-http-destination). You can use https://webhook.site for this purpose.
- Perform a Git clone operation of a local repository.
- Check https://webhook.site. The Git stream audit event should be created and the verb field included.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #553801 (closed)
Edited by Javiera Tapia
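For the local validation steps above, a loopback HTTP sink can stand in for https://webhook.site and check each streamed body for the verb field. This is an added example, not code from this MR or from GitLab; the payload layout is not shown on this page, so the check searches the whole JSON body for a verb key, and key_paths, check_event, serve and SAMPLE are hypothetical names. It assumes the destination URL is reachable from the GitLab instance.

```ruby
require "json"
require "socket"

# Return every JSON path at which `key` occurs in a parsed document.
def key_paths(node, key, path = "$")
  case node
  when Hash
    node.flat_map do |k, v|
      here = "#{path}.#{k}"
      (k == key ? [here] : []) + key_paths(v, key, here)
    end
  when Array
    node.each_with_index.flat_map { |v, i| key_paths(v, key, "#{path}[#{i}]") }
  else
    []
  end
end

# Classify one request body as :ok (with paths), :missing or :invalid_json.
def check_event(raw_body, key = "verb")
  paths = key_paths(JSON.parse(raw_body), key)
  paths.empty? ? { status: :missing, paths: [] } : { status: :ok, paths: paths }
rescue JSON::ParserError
  { status: :invalid_json, paths: [] }
end

# Loopback-only sink: read one POST per connection, report on it, answer 200.
def serve(port)
  server = TCPServer.new("127.0.0.1", port)
  loop do
    client = server.accept
    headers = {}
    client.gets # request line, not needed for the check
    while (line = client.gets) && line != "\r\n"
      name, value = line.split(":", 2)
      headers[name.downcase] = value.to_s.strip
    end
    body = client.read(headers.fetch("content-length", "0").to_i).to_s
    warn check_event(body).inspect
    client.write("HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    client.close
  end
end

# Constructed sample body (assumed shape, not a captured GitLab payload).
SAMPLE = '{"event_type":"example","details":{"verb":"clone"}}'

# Start the sink only when a port is given, e.g. `ruby sink.rb 8080`.
serve(Integer(ARGV[0])) if ARGV[0]
```

Each received event is reported on stderr with the paths where verb was found, so a missing field shows up as status :missing.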