Add audit event for composite OAuth token creation

What does this MR do and why?

Add audit event for composite OAuth token creation

  • Adds the composite_oauth_token_created audit event type and fires it from CreateCompositeOauthAccessTokenService after a token is successfully created.

    The event includes token scopes and TTL in additional_details, providing a full audit trail for ephemeral composite identity tokens generated during Duo workflow execution.

  • The audit event was originally scoped to [User] only, making it visible solely on the service account's admin audit log page. Since the token is always generated in the context of a workflow running against a project or group, scope it to [Group, Project, User] so the event surfaces in project and group audit logs where operators will actually look.

    To support this, add an optional container: parameter to CreateCompositeOauthAccessTokenService and pass it through from WorkflowContextGenerationService (which already holds @container). The audit scope resolves to that container, and falls back to the service account when no container is given.

  • Refs: https://gitlab.com/gitlab-org/gitlab/-/work_items/593023
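The scoping and fallback described above, as an added illustrative model that is not GitLab's code: a plain-Ruby service fires a composite_oauth_token_created event only after the token exists, puts the scopes and TTL in additional_details (never the token value itself), and scopes the event to the container passed in, falling back to the service account. The AuditLog sink, the Struct types and the 15-minute TTL are constructed stand-ins for the real auditor and models.

```ruby
require 'securerandom'

# Constructed stand-ins for the real models (not GitLab's own classes).
ServiceAccount = Struct.new(:id, :username)
Group          = Struct.new(:id, :path)
Project        = Struct.new(:id, :path)

# Stand-in for the audit sink: records every event it is asked to log so the
# resulting payload can be inspected. Assumed interface, modelled on a
# keyword-argument audit call.
class AuditLog
  attr_reader :events

  def initialize
    @events = []
  end

  def audit(name:, author:, scope:, target:, message:, additional_details: {})
    @events << {
      name: name, author: author, scope: scope, target: target,
      message: message, additional_details: additional_details
    }
  end
end

# Illustrative model of a token-creation service with an optional container:
# parameter (constructed name, not the MR's CreateCompositeOauthAccessTokenService).
class CreateCompositeTokenService
  DEFAULT_TTL = 15 * 60 # seconds; constructed value

  def initialize(service_account:, scopes:, audit_log:, container: nil, ttl: DEFAULT_TTL)
    @service_account = service_account
    @scopes = scopes
    @audit_log = audit_log
    @container = container
    @ttl = ttl
  end

  # Resolve to the group or project when the caller supplied one, so the event
  # surfaces in that container's audit log; otherwise scope to the service account.
  def audit_scope
    @container || @service_account
  end

  def execute
    token = { value: SecureRandom.hex(16), scopes: @scopes, expires_in: @ttl }

    # Fire the audit event only after the token has been created; a failed
    # creation never reaches this point and therefore logs nothing.
    @audit_log.audit(
      name: 'composite_oauth_token_created',
      author: @service_account,
      scope: audit_scope,
      target: @service_account,
      message: "Created composite OAuth token with scopes #{@scopes.join(', ')}",
      # Record what was granted and for how long; the secret itself stays out
      # of the audit trail.
      additional_details: { scopes: @scopes, ttl: @ttl }
    )

    token
  end
end

if __FILE__ == $PROGRAM_NAME
  log = AuditLog.new
  bot = ServiceAccount.new(1, 'duo-bot')
  project = Project.new(42, 'example-group/example-app')
  CreateCompositeTokenService.new(service_account: bot, scopes: %w[api read_user],
                                  audit_log: log, container: project).execute
  p log.events.first
end
```

The two cases worth checking when reviewing this kind of change are that a workflow run against a project or group produces an event whose scope is that container, and that a run with no container still produces an event scoped to the service account rather than none at all.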

Changelog: added
EE: true

References

Screenshots or screen recordings


How to set up and validate locally

  1. Check out the feature branch.
  2. Make sure composite identity is enabled: Feature.enable :duo_workflow_use_composite_identity
  3. Make sure Duo flows are enabled and licensed on a group.
  4. Create a random MR.
  5. Assign GitLab Duo as a reviewer and wait for the review to finish.
  6. Go to audit events and check for the composite-identity audit event, or query the DB: SELECT * FROM audit_events WHERE details LIKE '%composite_oauth_token_created%' ORDER BY id DESC LIMIT 5;

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
