Fix secrets manager audit logging issues

Why this MR?

  • This MR fixes two issues we noticed while testing audit logging in a Cloud Native (CNG) environment with the authentication token properly set up as a Kubernetes Secret. See the GitLab charts MR.

  • The first issue is that on a chart install the Rails root directory is /srv/gitlab, while the authentication token file lives at /etc/gitlab/openbao/.gitlab_openbao_authentication_token_secret, which is NOT within the root directory of the Rails app. In Rails we have a check that verifies the file path is within the Rails root path, to prevent symlink-based path traversal attacks. This check logic needs to be adapted.

  • The second issue is that after we added namespacing to Secrets Manager, the structure of the audit log JSON changed, causing the project details parsing logic in Rails to fail. This also needs to be fixed.

  • Before we added namespacing, the audit log entry looked like this:

```ruby
"namespace"=>{"id"=>"root"},
"path"=>"user_3/project_99/secrets/kv/data/explicit/my_test_secret"
```

Now, after we added namespacing, it looks like this:

```ruby
"namespace"=>{"id"=>"M0zDLE", "path"=>"user_3/project_118/"},
"path"=>"secrets/kv/data/explicit/sadsasd",
```

What does this MR do?

  • Modify the root path check for the auth token file path so it covers both CNG and Omnibus installations
  • Update the JSON parsing logic that extracts the project details so it accounts for the namespace-related changes
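The two changes above, written out as a stand-alone Ruby example. This is added illustration, not the code in this MR or in GitLab: the allow-list of token directories (`ALLOWED_TOKEN_DIRS`), the helper names, the `user_<id>/project_<id>/` prefix pattern and the sample entries are assumptions built from the description above. The path check resolves symlinks with `File.realpath` before comparing against each allowed base directory, so a symlink placed inside an allowed directory that points elsewhere is rejected; the parser accepts both the pre-namespacing shape (owner prefix inside `path`) and the namespaced shape (owner prefix inside `namespace.path`).

```ruby
# Assumed allow-list: the Rails root used by Omnibus/source installs and the
# CNG secret mount directory quoted in the MR description. Not GitLab code.
ALLOWED_TOKEN_DIRS = ['/srv/gitlab', '/etc/gitlab/openbao'].freeze

# Canonical path with every symlink resolved, or nil if it does not exist
# or cannot be read. Missing paths must fail closed.
def real(path)
  File.realpath(path)
rescue SystemCallError
  nil
end

# True only if the resolved token path is a regular file located under one
# of the allowed directories. Comparing resolved paths (not the path as
# given) is what defeats the symlink-based traversal the check exists for.
def token_path_allowed?(path, allowed_dirs: ALLOWED_TOKEN_DIRS)
  resolved = real(path)
  return false unless resolved && File.file?(resolved)

  allowed_dirs.any? do |dir|
    base = real(dir)
    next false unless base

    prefix = base.end_with?('/') ? base : "#{base}/"
    resolved.start_with?(prefix)
  end
end

# Constructed sample entries shaped like the two formats quoted above.
LEGACY_ENTRY = {
  'namespace' => { 'id' => 'root' },
  'path' => 'user_3/project_99/secrets/kv/data/explicit/my_test_secret'
}.freeze

NAMESPACED_ENTRY = {
  'namespace' => { 'id' => 'M0zDLE', 'path' => 'user_3/project_118/' },
  'path' => 'secrets/kv/data/explicit/sadsasd'
}.freeze

# Assumed owner prefix layout: "user_<id>/project_<id>/" as in the samples.
PROJECT_RE = %r{\Auser_(?<user_id>\d+)/project_(?<project_id>\d+)/}

# Returns { user_id:, project_id:, secret_path: } or nil if the entry does
# not carry a recognisable project prefix. Works for both shapes: when the
# namespace carries a path, the owner prefix is joined back onto "path".
def extract_project_details(entry)
  ns_path = entry.dig('namespace', 'path').to_s
  secret = entry['path'].to_s
  full = ns_path.empty? ? secret : File.join(ns_path, secret)

  m = PROJECT_RE.match(full)
  return nil unless m

  {
    user_id: m[:user_id].to_i,
    project_id: m[:project_id].to_i,
    secret_path: m.post_match
  }
end

if __FILE__ == $PROGRAM_NAME
  p extract_project_details(LEGACY_ENTRY)
  p extract_project_details(NAMESPACED_ENTRY)
  p token_path_allowed?('/etc/gitlab/openbao/.gitlab_openbao_authentication_token_secret')
end
```

The allow-list is passed in as a keyword argument so the check can be exercised against a temporary directory tree in a test (a real file, a symlink escaping the directory, and a missing file) without touching the production paths.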

References

Screenshots (Audit logs working after we updated the JSON parsing logic)


MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jayakrishnan Mallissery
