Prepare GitAuditEvent to handle deploy token actors
What does this MR do and why?
This MR prepares the Rails side to handle deploy token actors in the git audit event flow. It is the third step in a four-part plan to fix the 404/401 errors that caused the log_git_streaming_audit_events feature flag to be reverted.
Background
When a deploy token performs a git operation (e.g. git clone), Workhorse sends an audit event request to the /internal/shellhorse/git_audit_event endpoint. This fails with a 404 because the endpoint cannot resolve the deploy token actor.
Plan
The fix consists of four MRs, deployed in this order:
- !223145 (merged) - Fix the deserializer (Gitlab::Identifier#identify and GitAccessActor.from_identifier) to resolve "deploy-token-{id}" back to a DeployToken object.
- !222599 (merged) - Fix the serializer (Gitlab::GlId.gl_id) to produce "deploy-token-{id}" instead of "user-{id}" for deploy tokens.
- This MR - Prepare the shellhorse endpoint and GitAuditEvent to handle deploy token actors:
  - Update enabled? and send_audit_event to check author.blank? instead of user.blank?, since deploy token actors have user set to nil
  - Rename deploy_key_or_user to resolved_identity to reflect it can return DeployToken, DeployKey, or User
  - Add deploy token to key_or_user so the shellhorse access check (access_checker_for) can resolve deploy token actors
  - Prioritize identifier over username in from_params so deploy token identifiers are resolved correctly when Workhorse sends both params
- Next MR - Send GL_ID as identifier from Workhorse to the shellhorse audit event endpoint. This is the final MR that completes the fix for the HTTP path.
References
- Parent issue: #562516
- Task: #570236 (closed)
- Epic: gitlab-org#20506
- Step 1 (deserializer): !223145 (merged)
- Step 2 (serializer): !222599 (merged)
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
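
The identifier round trip and the identifier-over-username precedence from the plan above, as an added Ruby sketch that is not GitLab's code. Actor, the lookup tables, legacy_gl_id and audit_author are hypothetical stand-ins, gl_id, identify and from_params are simplified re-implementations named after the methods in the description, and only the "user-{id}" and "deploy-token-{id}" formats come from this page.

```ruby
# Illustrative stand-ins, not GitLab's classes; all records are constructed.
Actor = Struct.new(:kind, :id, :name)

USERS         = { 7  => Actor.new(:user, 7, "alice") }.freeze
DEPLOY_TOKENS = { 42 => Actor.new(:deploy_token, 42, "registry-pull") }.freeze
STORES        = { "user" => USERS, "deploy-token" => DEPLOY_TOKENS }.freeze

# Anchored, so anything other than "<known prefix>-<digits>" is rejected.
ID_FORMAT = /\A(deploy-token|user)-(\d+)\z/

# Serializer after the fix: the actor type is carried in the prefix.
def gl_id(actor)
  prefix = actor.kind == :deploy_token ? "deploy-token" : "user"
  "#{prefix}-#{actor.id}"
end

# Serializer before the fix, as the page describes it: always "user-{id}".
def legacy_gl_id(actor)
  "user-#{actor.id}"
end

# Deserializer: returns the actor, or nil when nothing matches.
def identify(identifier)
  match = ID_FORMAT.match(identifier.to_s)
  return nil unless match

  STORES.fetch(match[1])[match[2].to_i]
end

# identifier takes priority over username when both are sent.
# Assumption of this sketch: an unresolvable identifier does not fall back
# to username, so a bad identifier cannot borrow a user's identity.
def from_params(params)
  identifier = params[:identifier].to_s
  return identify(identifier) unless identifier.empty?

  USERS.values.find { |user| user.name == params[:username] }
end

# Audit gate keyed on the resolved author rather than on a User, because a
# deploy token actor has no user. Returns nil when no event should be sent.
def audit_author(params)
  author = from_params(params)
  return nil if author.nil?

  "#{author.kind}:#{author.name}"
end
```

With the constructed data, the legacy "user-42" form of deploy token 42 resolves to nothing, which corresponds to the unresolved-actor failure described under Background.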