Merge branch 'incubation-5mp-tracking' into 'master'

Track `Projects::GoogleCloud` events with Snowplow

See merge request gitlab-org/gitlab!81890

app/controllers/projects/google_cloud/base_controller.rb

@@ -10,18 +10,25 @@ class Projects::GoogleCloud::BaseController < Projects::ApplicationController
   private
 
   def admin_project_google_cloud!
-    access_denied! unless can?(current_user, :admin_project_google_cloud, project)
+    unless can?(current_user, :admin_project_google_cloud, project)
+      track_event('admin_project_google_cloud!', 'access_denied', 'invalid_user')
+      access_denied!
+    end
   end
 
   def google_oauth2_enabled!
     config = Gitlab::Auth::OAuth::Provider.config_for('google_oauth2')
     if config.app_id.blank? || config.app_secret.blank?
+      track_event('google_oauth2_enabled!', 'access_denied', { reason: 'google_oauth2_not_configured', config: config })
       access_denied! 'This GitLab instance not configured for Google Oauth2.'
     end
   end
 
   def feature_flag_enabled!
-    access_denied! unless Feature.enabled?(:incubation_5mp_google_cloud, project)
+    unless Feature.enabled?(:incubation_5mp_google_cloud, project)
+      track_event('feature_flag_enabled!', 'access_denied', 'feature_flag_not_enabled')
+      access_denied!
+    end
   end
 
   def validate_gcp_token!
@@ -53,9 +60,21 @@ class Projects::GoogleCloud::BaseController < Projects::ApplicationController
     session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]
   end
 
-  def handle_gcp_error(error, project)
-    Gitlab::ErrorTracking.track_exception(error, project_id: project.id)
+  def handle_gcp_error(action, error)
+    track_event(action, 'gcp_error', error)
     @js_data = { screen: 'gcp_error', error: error.to_s }.to_json
     render status: :unauthorized, template: 'projects/google_cloud/errors/gcp_error'
   end
+
+  def track_event(action, label, property)
+    options = { label: label, project: project, user: current_user }
+
+    if property.is_a?(String)
+      options[:property] = property
+    else
+      options[:extra] = property
+    end
+
+    Gitlab::Tracking.event('Projects::GoogleCloud', action, **options)
+  end
 end

app/controllers/projects/google_cloud/deployments_controller.rb

@@ -9,6 +9,7 @@ class Projects::GoogleCloud::DeploymentsController < Projects::GoogleCloud::Base
                                   .new(project, current_user, params).execute
 
     if enable_cloud_run_response[:status] == :error
+      track_event('deployments#cloud_run', 'enable_cloud_run_error', enable_cloud_run_response)
       flash[:error] = enable_cloud_run_response[:message]
       redirect_to project_google_cloud_index_path(project)
     else
@@ -17,15 +18,17 @@ class Projects::GoogleCloud::DeploymentsController < Projects::GoogleCloud::Base
                                      .new(project, current_user, params).execute
 
       if generate_pipeline_response[:status] == :error
+        track_event('deployments#cloud_run', 'generate_pipeline_error', generate_pipeline_response)
         flash[:error] = 'Failed to generate pipeline'
         redirect_to project_google_cloud_index_path(project)
       else
         cloud_run_mr_params = cloud_run_mr_params(generate_pipeline_response[:branch_name])
+        track_event('deployments#cloud_run', 'cloud_run_success', cloud_run_mr_params)
         redirect_to project_new_merge_request_path(project, merge_request: cloud_run_mr_params)
       end
     end
   rescue Google::Apis::ClientError => error
-    handle_gcp_error(error, project)
+    handle_gcp_error('deployments#cloud_run', error)
   end
 
   def cloud_storage

app/controllers/projects/google_cloud/gcp_regions_controller.rb

@@ -18,13 +18,13 @@ class Projects::GoogleCloud::GcpRegionsController < Projects::GoogleCloud::BaseC
       refs: refs,
       cancelPath: project_google_cloud_index_path(project)
     }.to_json
+    track_event('gcp_regions#index', 'form_render', @js_data)
   end
 
   def create
     permitted_params = params.permit(:ref, :gcp_region)
-
-    GoogleCloud::GcpRegionAddOrReplaceService.new(project).execute(permitted_params[:ref], permitted_params[:gcp_region])
-
+    response = GoogleCloud::GcpRegionAddOrReplaceService.new(project).execute(permitted_params[:ref], permitted_params[:gcp_region])
+    track_event('gcp_regions#create', 'form_submit', response)
     redirect_to project_google_cloud_index_path(project), notice: _('GCP region configured')
   end
 end

app/controllers/projects/google_cloud/service_accounts_controller.rb

@@ -10,6 +10,7 @@ class Projects::GoogleCloud::ServiceAccountsController < Projects::GoogleCloud::
 
     if gcp_projects.empty?
       @js_data = { screen: 'no_gcp_projects' }.to_json
+      track_event('service_accounts#index', 'form_error', 'no_gcp_projects')
       render status: :unauthorized, template: 'projects/google_cloud/errors/no_gcp_projects'
     else
       params = { per_page: 50 }
@@ -22,9 +23,11 @@ class Projects::GoogleCloud::ServiceAccountsController < Projects::GoogleCloud::
         refs: refs,
         cancelPath: project_google_cloud_index_path(project)
       }.to_json
+
+      track_event('service_accounts#index', 'form_success', @js_data)
     end
   rescue Google::Apis::ClientError => error
-    handle_gcp_error(error, project)
+    handle_gcp_error('service_accounts#index', error)
   end
 
   def create
@@ -38,8 +41,9 @@ class Projects::GoogleCloud::ServiceAccountsController < Projects::GoogleCloud::
       environment_name: permitted_params[:ref]
     ).execute
 
+    track_event('service_accounts#create', 'form_submit', response)
     redirect_to project_google_cloud_index_path(project), notice: response.message
   rescue Google::Apis::ClientError, Google::Apis::ServerError, Google::Apis::AuthorizationError => error
-    handle_gcp_error(error, project)
+    handle_gcp_error('service_accounts#create', error)
   end
 end

app/controllers/projects/google_cloud_controller.rb

@@ -14,6 +14,7 @@ class Projects::GoogleCloudController < Projects::GoogleCloud::BaseController
       configureGcpRegionsUrl: project_google_cloud_gcp_regions_path(project),
       gcpRegions: gcp_regions
     }.to_json
+    track_event('google_cloud#index', 'index', @js_data)
   end
 
   private

spec/requests/projects/google_cloud/deployments_controller_spec.rb

@@ -22,13 +22,21 @@ RSpec.describe Projects::GoogleCloud::DeploymentsController do
     project.add_maintainer(user_maintainer)
   end
 
-  describe "Routes must be restricted behind Google OAuth2" do
+  describe "Routes must be restricted behind Google OAuth2", :snowplow do
     context 'when a public request is made' do
       it 'returns not found on GET request' do
         urls_list.each do |url|
           get url
 
           expect(response).to have_gitlab_http_status(:not_found)
+          expect_snowplow_event(
+            category: 'Projects::GoogleCloud',
+            action: 'admin_project_google_cloud!',
+            label: 'access_denied',
+            property: 'invalid_user',
+            project: project,
+            user: nil
+          )
         end
       end
     end
@@ -40,6 +48,14 @@ RSpec.describe Projects::GoogleCloud::DeploymentsController do
             get url
 
             expect(response).to have_gitlab_http_status(:not_found)
+            expect_snowplow_event(
+              category: 'Projects::GoogleCloud',
+              action: 'admin_project_google_cloud!',
+              label: 'access_denied',
+              property: 'invalid_user',
+              project: project,
+              user: nil
+            )
           end
         end
       end
@@ -60,7 +76,7 @@ RSpec.describe Projects::GoogleCloud::DeploymentsController do
     end
   end
 
-  describe 'Authorized GET project/-/google_cloud/deployments/cloud_run' do
+  describe 'Authorized GET project/-/google_cloud/deployments/cloud_run', :snowplow do
     let_it_be(:url) { "#{project_google_cloud_deployments_cloud_run_path(project)}" }
 
     before do
@@ -72,25 +88,39 @@ RSpec.describe Projects::GoogleCloud::DeploymentsController do
     end
 
     it 'redirects to google_cloud home on enable service error' do
-      # since GPC_PROJECT_ID is not set, enable cloud run service should return an error
-
       get url
 
       expect(response).to redirect_to(project_google_cloud_index_path(project))
+      # since GPC_PROJECT_ID is not set, enable cloud run service should return an error
+      expect_snowplow_event(
+        category: 'Projects::GoogleCloud',
+        action: 'deployments#cloud_run',
+        label: 'enable_cloud_run_error',
+        extra: { message: 'No GCP projects found. Configure a service account or GCP_PROJECT_ID ci variable.',
+                 status: :error },
+        project: project,
+        user: user_maintainer
+      )
     end
 
-    it 'tracks error and redirects to gcp_error' do
-      mock_google_error = Google::Apis::ClientError.new('some_error')
+    it 'redirects to gcp_error' do
+      mock_gcp_error = Google::Apis::ClientError.new('some_error')
 
       allow_next_instance_of(GoogleCloud::EnableCloudRunService) do |service|
-        allow(service).to receive(:execute).and_raise(mock_google_error)
+        allow(service).to receive(:execute).and_raise(mock_gcp_error)
       end
 
-      expect(Gitlab::ErrorTracking).to receive(:track_exception).with(mock_google_error, { project_id: project.id })
-
       get url
 
       expect(response).to render_template(:gcp_error)
+      expect_snowplow_event(
+        category: 'Projects::GoogleCloud',
+        action: 'deployments#cloud_run',
+        label: 'gcp_error',
+        extra: mock_gcp_error,
+        project: project,
+        user: user_maintainer
+      )
     end
 
     context 'GCP_PROJECT_IDs are defined' do
@@ -106,6 +136,14 @@ RSpec.describe Projects::GoogleCloud::DeploymentsController do
         get url
 
         expect(response).to redirect_to(project_google_cloud_index_path(project))
+        expect_snowplow_event(
+          category: 'Projects::GoogleCloud',
+          action: 'deployments#cloud_run',
+          label: 'generate_pipeline_error',
+          extra: { status: :error },
+          project: project,
+          user: user_maintainer
+        )
       end
 
       it 'redirects to create merge request form' do
@@ -121,11 +159,24 @@ RSpec.describe Projects::GoogleCloud::DeploymentsController do
 
         expect(response).to have_gitlab_http_status(:found)
         expect(response.location).to include(project_new_merge_request_path(project))
+        expect_snowplow_event(
+          category: 'Projects::GoogleCloud',
+          action: 'deployments#cloud_run',
+          label: 'cloud_run_success',
+          extra: { "title": "Enable deployments to Cloud Run",
+                   "description": "This merge request includes a Cloud Run deployment job in the pipeline definition (.gitlab-ci.yml).\n\nThe `deploy-to-cloud-run` job:\n* Requires the following environment variables\n    * `GCP_PROJECT_ID`\n    * `GCP_SERVICE_ACCOUNT_KEY`\n* Job definition can be found at: https://gitlab.com/gitlab-org/incubation-engineering/five-minute-production/library\n\nThis pipeline definition has been committed to the branch ``.\nYou may modify the pipeline definition further or accept the changes as-is if suitable.\n",
+                   "source_project_id": project.id,
+                   "target_project_id": project.id,
+                   "source_branch": nil,
+                   "target_branch": project.default_branch },
+          project: project,
+          user: user_maintainer
+        )
       end
     end
   end
 
-  describe 'Authorized GET project/-/google_cloud/deployments/cloud_storage' do
+  describe 'Authorized GET project/-/google_cloud/deployments/cloud_storage', :snowplow do
     let_it_be(:url) { "#{project_google_cloud_deployments_cloud_storage_path(project)}" }
 
     before do

spec/requests/projects/google_cloud/gcp_regions_controller_spec.rb

@@ -6,6 +6,65 @@ RSpec.describe Projects::GoogleCloud::GcpRegionsController do
   let_it_be(:project) { create(:project, :public, :repository) }
   let_it_be(:repository) { project.repository }
 
+  let(:user_guest) { create(:user) }
+  let(:user_maintainer) { create(:user) }
+
+  RSpec.shared_examples "should track not_found event" do
+    it "tracks event" do
+      is_expected.to be(404)
+      expect_snowplow_event(
+        category: 'Projects::GoogleCloud',
+        action: 'admin_project_google_cloud!',
+        label: 'access_denied',
+        property: 'invalid_user',
+        project: project,
+        user: nil
+      )
+    end
+  end
+
+  RSpec.shared_examples "should track access_denied event" do
+    it "tracks event" do
+      is_expected.to be(404)
+      expect_snowplow_event(
+        category: 'Projects::GoogleCloud',
+        action: 'admin_project_google_cloud!',
+        label: 'access_denied',
+        property: 'invalid_user',
+        project: project,
+        user: nil
+      )
+    end
+  end
+
+  RSpec.shared_examples "should track feature_flag_disabled event" do |user|
+    it "tracks event" do
+      is_expected.to be(404)
+      expect_snowplow_event(
+        category: 'Projects::GoogleCloud',
+        action: 'feature_flag_enabled!',
+        label: 'access_denied',
+        property: 'feature_flag_not_enabled',
+        project: project,
+        user: user_maintainer
+      )
+    end
+  end
+
+  RSpec.shared_examples "should track gcp_error event" do |config|
+    it "tracks event" do
+      is_expected.to be(403)
+      expect_snowplow_event(
+        category: 'Projects::GoogleCloud',
+        action: 'google_oauth2_enabled!',
+        label: 'access_denied',
+        extra: { reason: 'google_oauth2_not_configured', config: config },
+        project: project,
+        user: user_maintainer
+      )
+    end
+  end
+
   RSpec.shared_examples "should be not found" do
     it 'returns not found' do
       is_expected.to be(404)
@@ -20,27 +79,25 @@ RSpec.describe Projects::GoogleCloud::GcpRegionsController do
 
   RSpec.shared_examples "public request should 404" do
     it_behaves_like "should be not found"
+    it_behaves_like "should track not_found event"
   end
 
   RSpec.shared_examples "unauthorized access should 404" do
-    let(:user_guest) { create(:user) }
-
     before do
       project.add_guest(user_guest)
     end
 
     it_behaves_like "should be not found"
+    it_behaves_like "should track access_denied event"
   end
 
-  describe 'GET #index' do
+  describe 'GET #index', :snowplow do
     subject { get project_google_cloud_gcp_regions_path(project) }
 
     it_behaves_like "public request should 404"
     it_behaves_like "unauthorized access should 404"
 
     context 'when authorized members make requests' do
-      let(:user_maintainer) { create(:user) }
-
       before do
         project.add_maintainer(user_maintainer)
         sign_in(user_maintainer)
@@ -51,15 +108,17 @@ RSpec.describe Projects::GoogleCloud::GcpRegionsController do
       end
 
       context 'but gitlab instance is not configured for google oauth2' do
-        before do
         unconfigured_google_oauth2 = Struct.new(:app_id, :app_secret)
                                            .new('', '')
+
+        before do
           allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for)
                                                     .with('google_oauth2')
                                                     .and_return(unconfigured_google_oauth2)
         end
 
         it_behaves_like "should be forbidden"
+        it_behaves_like "should track gcp_error event", unconfigured_google_oauth2
       end
 
       context 'but feature flag is disabled' do
@@ -68,19 +127,18 @@ RSpec.describe Projects::GoogleCloud::GcpRegionsController do
         end
 
         it_behaves_like "should be not found"
+        it_behaves_like "should track feature_flag_disabled event"
       end
     end
   end
 
-  describe 'POST #index' do
+  describe 'POST #index', :snowplow do
     subject { post project_google_cloud_gcp_regions_path(project), params: { gcp_region: 'region1', environment: 'env1' } }
 
     it_behaves_like "public request should 404"
     it_behaves_like "unauthorized access should 404"
 
     context 'when authorized members make requests' do
-      let(:user_maintainer) { create(:user) }
-
       before do
         project.add_maintainer(user_maintainer)
         sign_in(user_maintainer)

spec/requests/projects/google_cloud/service_accounts_controller_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Projects::GoogleCloud::ServiceAccountsController do
   let_it_be(:project) { create(:project, :public) }
 
-  describe 'GET index' do
+  describe 'GET index', :snowplow do
     let_it_be(:url) { "#{project_google_cloud_service_accounts_path(project)}" }
 
     let(:user_guest) { create(:user) }
@@ -27,6 +27,14 @@ RSpec.describe Projects::GoogleCloud::ServiceAccountsController do
         get url
 
         expect(response).to have_gitlab_http_status(:not_found)
+        expect_snowplow_event(
+          category: 'Projects::GoogleCloud',
+          action: 'admin_project_google_cloud!',
+          label: 'access_denied',
+          property: 'invalid_user',
+          project: project,
+          user: nil
+        )
       end
 
       it 'returns not found on POST request' do
@@ -42,6 +50,14 @@ RSpec.describe Projects::GoogleCloud::ServiceAccountsController do
           sign_in(unauthorized_member)
 
           get url
+          expect_snowplow_event(
+            category: 'Projects::GoogleCloud',
+            action: 'admin_project_google_cloud!',
+            label: 'access_denied',
+            property: 'invalid_user',
+            project: project,
+            user: unauthorized_member
+          )
 
           expect(response).to have_gitlab_http_status(:not_found)
         end
@@ -52,6 +68,14 @@ RSpec.describe Projects::GoogleCloud::ServiceAccountsController do
           sign_in(unauthorized_member)
 
           post url
+          expect_snowplow_event(
+            category: 'Projects::GoogleCloud',
+            action: 'admin_project_google_cloud!',
+            label: 'access_denied',
+            property: 'invalid_user',
+            project: project,
+            user: unauthorized_member
+          )
 
           expect(response).to have_gitlab_http_status(:not_found)
         end
@@ -80,11 +104,43 @@ RSpec.describe Projects::GoogleCloud::ServiceAccountsController do
       end
 
       context 'and user has successfully completed the google oauth2 flow' do
+        context 'but the user does not have gcp projects' do
           before do
             allow_next_instance_of(GoogleApi::CloudPlatform::Client) do |client|
               mock_service_account = Struct.new(:project_id, :unique_id, :email).new(123, 456, 'em@ai.l')
+              allow(client).to receive(:list_projects).and_return([])
               allow(client).to receive(:validate_token).and_return(true)
+              allow(client).to receive(:create_service_account).and_return(mock_service_account)
+              allow(client).to receive(:create_service_account_key).and_return({})
+              allow(client).to receive(:grant_service_account_roles)
+            end
+          end
+
+          it 'renders no_gcp_projects' do
+            authorized_members.each do |authorized_member|
+              allow_next_instance_of(BranchesFinder) do |branches_finder|
+                allow(branches_finder).to receive(:execute).and_return([])
+              end
+
+              allow_next_instance_of(TagsFinder) do |branches_finder|
+                allow(branches_finder).to receive(:execute).and_return([])
+              end
+
+              sign_in(authorized_member)
+
+              get url
+
+              expect(response).to render_template('projects/google_cloud/errors/no_gcp_projects')
+            end
+          end
+        end
+
+        context 'user has three gcp_projects' do
+          before do
+            allow_next_instance_of(GoogleApi::CloudPlatform::Client) do |client|
+              mock_service_account = Struct.new(:project_id, :unique_id, :email).new(123, 456, 'em@ai.l')
               allow(client).to receive(:list_projects).and_return([{}, {}, {}])
+              allow(client).to receive(:validate_token).and_return(true)
               allow(client).to receive(:create_service_account).and_return(mock_service_account)
               allow(client).to receive(:create_service_account_key).and_return({})
               allow(client).to receive(:grant_service_account_roles)
@@ -119,6 +175,7 @@ RSpec.describe Projects::GoogleCloud::ServiceAccountsController do
             end
           end
         end
+      end
 
       context 'but google returns client error' do
         before do

spec/requests/projects/google_cloud_controller_spec.rb

@@ -8,7 +8,7 @@ MockGoogleOAuth2Credentials = Struct.new(:app_id, :app_secret)
 RSpec.describe Projects::GoogleCloudController do
   let_it_be(:project) { create(:project, :public) }
 
-  describe 'GET index' do
+  describe 'GET index', :snowplow do
     let_it_be(:url) { "#{project_google_cloud_index_path(project)}" }
 
     context 'when a public request is made' do
@@ -16,6 +16,13 @@ RSpec.describe Projects::GoogleCloudController do
         get url
 
         expect(response).to have_gitlab_http_status(:not_found)
+        expect_snowplow_event(
+          category: 'Projects::GoogleCloud',
+          action: 'admin_project_google_cloud!',
+          label: 'access_denied',
+          property: 'invalid_user',
+          project: project,
+          user: nil)
       end
     end
 
@@ -29,6 +36,14 @@ RSpec.describe Projects::GoogleCloudController do
         get url
 
         expect(response).to have_gitlab_http_status(:not_found)
+        expect_snowplow_event(
+          category: 'Projects::GoogleCloud',
+          action: 'admin_project_google_cloud!',
+          label: 'access_denied',
+          property: 'invalid_user',
+          project: project,
+          user: user
+        )
       end
     end
 
@@ -42,6 +57,14 @@ RSpec.describe Projects::GoogleCloudController do
         get url
 
         expect(response).to have_gitlab_http_status(:not_found)
+        expect_snowplow_event(
+          category: 'Projects::GoogleCloud',
+          action: 'admin_project_google_cloud!',
+          label: 'access_denied',
+          property: 'invalid_user',
+          project: project,
+          user: user
+        )
       end
     end
 
@@ -74,19 +97,26 @@ RSpec.describe Projects::GoogleCloudController do
       let(:user) { project.creator }
 
       context 'but gitlab instance is not configured for google oauth2' do
-        before do
+        it 'returns forbidden' do
           unconfigured_google_oauth2 = MockGoogleOAuth2Credentials.new('', '')
           allow(Gitlab::Auth::OAuth::Provider).to receive(:config_for)
                                                     .with('google_oauth2')
                                                     .and_return(unconfigured_google_oauth2)
-        end
 
-        it 'returns forbidden' do
           sign_in(user)
 
           get url
 
           expect(response).to have_gitlab_http_status(:forbidden)
+          expect_snowplow_event(
+            category: 'Projects::GoogleCloud',
+            action: 'google_oauth2_enabled!',
+            label: 'access_denied',
+            extra: { reason: 'google_oauth2_not_configured',
+                     config: unconfigured_google_oauth2 },
+            project: project,
+            user: user
+          )
         end
       end
 
@@ -101,6 +131,14 @@ RSpec.describe Projects::GoogleCloudController do
           get url
 
           expect(response).to have_gitlab_http_status(:not_found)
+          expect_snowplow_event(
+            category: 'Projects::GoogleCloud',
+            action: 'feature_flag_enabled!',
+            label: 'access_denied',
+            property: 'feature_flag_not_enabled',
+            project: project,
+            user: user
+          )
         end
       end
     end