Merge branch 'audit_events' into 'master'

Audit feature / permission changes in log Audit events for membership changes of the group and project. See merge request !250

Merge branch 'audit_events' into 'master'
Audit feature / permission changes in log Audit events for membership changes of the group and project. See merge request !250
ac614ea1 · Valery Sizov · 991204ea · 4eaeb3b6 · ac614ea1 · ac614ea1
Commit ac614ea1 authored Nov 24, 2014 by Valery Sizov
19 changed files
--- a/app/controllers/audit_events_controller.rb
+++ b/app/controllers/audit_events_controller.rb
+class AuditEventsController < ApplicationController
+  # Authorize
+  before_filter :repository, only: :project_log
+  before_filter :authorize_admin_project!, only: :project_log
+  before_filter :group, only: :group_log
+  before_filter :authorize_admin_group!, only: :group_log
+
+  layout :determine_layout
+
+  def project_log
+    @events = AuditEvent.where(entity_type: "Project", entity_id: project.id).page(params[:page]).per(20)
+  end
+
+  def group_log
+    @events = AuditEvent.where(entity_type: "Group", entity_id: group.id).page(params[:page]).per(20)
+  end
+
+  private
+
+  def group
+    @group ||= Group.find_by(path: params[:group_id])
+  end
+
+  def authorize_admin_group!
+    render_404 unless can?(current_user, :manage_group, group)
+  end
+
+  def determine_layout
+    if @project
+      'project_settings'
+    elsif @group
+      'group'
+    end
+  end
+
+  def audit_events_params
+    params.permit(:project_id, :group_id)
+  end
+end
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -7,21 +7,59 @@ class Groups::GroupMembersController < ApplicationController
  layout 'group'

  def create
-    @group.add_users(params[:user_ids].split(','), params[:access_level])
+    access_level = params[:access_level]
+    user_ids = params[:user_ids].split(',')
+
+    @group.add_users(user_ids, access_level)
+
+    users = User.where(id: user_ids).pluck(:id, :name)
+    users.each do |user|
+      details = {
+        add: "user_access",
+        as: Gitlab::Access.options_with_owner.key(access_level.to_i),
+        target_id: user[0],
+        target_type: "User",
+        target_details: user[1],
+      }
+      AuditEventService.new(current_user, @group, details).security_event
+    end

    redirect_to members_group_path(@group), notice: 'Users were successfully added.'
  end

  def update
    @member = @group.group_members.find(params[:id])
-    @member.update_attributes(member_params)
+    old_access_level = @member.human_access
+
+    if @member.update_attributes(member_params)
+      details = {
+        change: "access_level",
+        from:  old_access_level,
+        to: @member.human_access,
+        target_id: @member.user_id,
+        target_type: "User",
+        target_details: @member.user.name,
+      }
+      AuditEventService.new(current_user, @group, details).security_event
+    end
  end

  def destroy
    @users_group = @group.group_members.find(params[:id])

    if can?(current_user, :destroy, @users_group)  # May fail if last owner.
-      @users_group.destroy
+      user_id = @users_group.id
+      user_name = @users_group.user.name
+      if @users_group.destroy
+        details = {
+          remove: "user_access",
+          target_id: user_id,
+          target_type: "User",
+          target_details: user_name,
+        }
+        AuditEventService.new(current_user, @group, details).security_event
+      end
+
      respond_to do |format|
        format.html { redirect_to members_group_path(@group), notice: 'User was  successfully removed from group.' }
        format.js { render nothing: true }

--- a/app/controllers/projects/team_members_controller.rb
+++ b/app/controllers/projects/team_members_controller.rb
@@ -16,8 +16,19 @@ class Projects::TeamMembersController < Projects::ApplicationController

  def create
    users = User.where(id: params[:user_ids].split(','))
-
-    @project.team << [users, params[:access_level]]
+    access_level = params[:access_level]
+    @project.team << [users, access_level]
+
+    users.each do |user|
+      details = {
+        add: "user_access",
+        as: Gitlab::Access.options_with_owner.key(access_level.to_i),
+        target_id: user.id,
+        target_type: "User",
+        target_details: user.name,
+      }
+      AuditEventService.new(current_user, @project, details).security_event
+    end

    if params[:redirect_to]
      redirect_to params[:redirect_to]
@@ -28,7 +39,19 @@ class Projects::TeamMembersController < Projects::ApplicationController

  def update
    @user_project_relation = @project.project_members.find_by(user_id: member)
-    @user_project_relation.update_attributes(member_params)
+    old_access_level = @user_project_relation.human_access
+
+    if @user_project_relation.update_attributes(member_params)
+      details = {
+        change: "access_level",
+        from:  old_access_level,
+        to: @user_project_relation.human_access,
+        target_id: @user_project_relation.user_id,
+        target_type: "User",
+        target_details: @user_project_relation.user.name,
+      }
+      AuditEventService.new(current_user, @project, details).security_event
+    end

    unless @user_project_relation.valid?
      flash[:alert] = "User should have at least one role"
@@ -38,7 +61,18 @@ class Projects::TeamMembersController < Projects::ApplicationController

  def destroy
    @user_project_relation = @project.project_members.find_by(user_id: member)
-    @user_project_relation.destroy
+    user_id = @user_project_relation.user_id
+    user_name = @user_project_relation.user.name
+
+    if @user_project_relation.destroy
+      details = {
+        remove: "user_access",
+        target_id: user_id,
+        target_type: "User",
+        target_details: user_name,
+      }
+      AuditEventService.new(current_user, @project, details).security_event
+    end

    respond_to do |format|
      format.html { redirect_to project_team_index_path(@project) }

--- a/app/helpers/audit_events_helper.rb
+++ b/app/helpers/audit_events_helper.rb
+module AuditEventsHelper
+
+  def human_text(details)
+    details.map{ |key, value| select_keys(key, value) }.join(" ").humanize
+  end
+
+  def select_keys(key, value)
+    if key.match(/^target_.*/)
+      ""
+    else
+      "#{key.to_s} <strong>#{value}</strong>"
+    end
+  end
+end
--- a/app/models/audit_event.rb
+++ b/app/models/audit_event.rb
+class AuditEvent < ActiveRecord::Base
+  serialize :details, Hash
+
+  belongs_to :user, foreign_key: :author_id
+
+  validates :author_id, presence: true
+  validates :entity_id, presence: true
+  validates :entity_type, presence: true
+
+  after_initialize :initialize_details
+
+  def initialize_details
+    self.details = {} if details.nil?
+  end
+
+  def author_name
+    self.user.name
+  end
+end
--- a/app/models/security_event.rb
+++ b/app/models/security_event.rb
+class SecurityEvent < AuditEvent
+end
--- a/app/services/audit_event_service.rb
+++ b/app/services/audit_event_service.rb
+class AuditEventService
+
+  def initialize(author, entity, details = {})
+    @author, @entity, @details = author, entity, details
+  end
+
+  def security_event
+    SecurityEvent.create(
+      author_id: @author.id,
+      entity_id: @entity.id,
+      entity_type: @entity.class.name,
+      details: @details
+    )
+  end
+end
--- a/app/views/audit_events/_event_table.html.haml
+++ b/app/views/audit_events/_event_table.html.haml
+- if defined?(events)
+  %table.table#audits
+    %thead
+      %tr
+        %th
+        %th
+        %th Author
+        %th
+        %th
+        %th Action
+        %th
+        %th Target
+        %th
+        %th At
+
+    %tbody
+      - events.each do |event|
+        %tr
+          %td
+          %td
+          %td #{event.author_name}
+          %td
+          %td
+          %td #{raw human_text(event.details)}
+          %td
+          %td #{event.details[:target_details]}
+          %td
+          %td #{event.created_at}
+      = paginate events
--- a/app/views/audit_events/group_log.html.haml
+++ b/app/views/audit_events/group_log.html.haml
+.row
+  .col-md-2
+    = render 'groups/settings_nav'
+
+  .col-md-10
+    %h3.page-title Group Audit Events
+    %p.light Events in #{@group.name}
+
+    = render 'event_table', events: @events
--- a/app/views/audit_events/project_log.html.haml
+++ b/app/views/audit_events/project_log.html.haml
+%h3.page-title Project Audit Events
+%p.light Events in #{@project.path_with_namespace}
+
+= render 'event_table', events: @events
--- a/app/views/groups/_settings_nav.html.haml
+++ b/app/views/groups/_settings_nav.html.haml
@@ -11,4 +11,8 @@
    = link_to group_ldap_group_links_path(@group) do
      %i.icon-exchange
      LDAP Groups
+  = nav_link(controller: :audit_events) do
+    = link_to group_audit_events_path(@group) do
+      %i.fa.fa-file-text-o
+      Audit Events

--- a/app/views/projects/_settings_nav.html.haml
+++ b/app/views/projects/_settings_nav.html.haml
@@ -31,3 +31,7 @@
    = link_to project_protected_branches_path(@project) do
      %i.fa.fa-lock
      Protected branches
+  = nav_link(controller: :audit_events) do
+    = link_to project_audit_events_path(@project) do
+      %i.fa.fa-file-text-o
+      Audit Events
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -184,6 +184,8 @@ Gitlab::Application.routes.draw do
      resource :avatar, only: [:destroy]
      resources :milestones
    end
+
+    get "/audit_events" => "audit_events#group_log"
  end

  get  'unsubscribes/:email', to: 'unsubscribes#show', as: :unsubscribe
@@ -358,6 +360,8 @@ Gitlab::Application.routes.draw do
        end
      end
    end
+
+    get "/audit_events" => "audit_events#project_log"
  end

  get ':id' => "namespaces#show", constraints: {id: /(?:[^.]|\.(?!atom$))+/, format: /atom/}

--- a/db/migrate/20141118150935_add_audit_event.rb
+++ b/db/migrate/20141118150935_add_audit_event.rb
+class AddAuditEvent < ActiveRecord::Migration
+  def change
+    create_table :audit_events do |t|
+      t.integer :author_id, null: false
+      t.string  :type, null: false
+
+      # "Namespace" where the change occurs
+      # eg. On a project, group or user
+      t.integer :entity_id, null: false
+      t.string  :entity_type, null: false
+
+      # Details for the event
+      t.text  :details
+
+      t.timestamps
+    end
+
+    add_index :audit_events, :author_id
+    add_index :audit_events, :type
+    add_index :audit_events, [:entity_id, :entity_type]
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20141103160516) do
+ActiveRecord::Schema.define(version: 20141118150935) do

  # These are extensions that must be enabled in order to support this database
  enable_extension "plpgsql"
@@ -25,6 +25,20 @@ ActiveRecord::Schema.define(version: 20141103160516) do
    t.datetime "updated_at"
  end

+  create_table "audit_events", force: true do |t|
+    t.integer  "author_id",   null: false
+    t.string   "type",        null: false
+    t.integer  "entity_id",   null: false
+    t.string   "entity_type", null: false
+    t.text     "details"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  add_index "audit_events", ["author_id"], name: "index_audit_events_on_author_id", using: :btree
+  add_index "audit_events", ["entity_id", "entity_type"], name: "index_audit_events_on_entity_id_and_entity_type", using: :btree
+  add_index "audit_events", ["type"], name: "index_audit_events_on_type", using: :btree
+
  create_table "broadcast_messages", force: true do |t|
    t.text     "message",    null: false
    t.datetime "starts_at"

--- a/features/groups.feature
+++ b/features/groups.feature
@@ -146,3 +146,14 @@ Feature: Groups
    And I click on one group milestone
    Then I should see group milestone with descriptions and expiry date
    And I should see group milestone with all issues and MRs assigned to that milestone
+
+  @javascript
+  Scenario: I should see audit events
+    Given User "Mary Jane" exists
+    When I visit group "Owned" members page
+    And I select user "Mary Jane" from list with role "Reporter"
+    And I change the role to "Developer"
+    And I click on the "Remove User From Group" button for "Mary Jane"
+    When I visit group "Owned" settings page
+    And I go to "Audit Events"
+    Then I should see the audit event listed
--- a/features/project/project.feature
+++ b/features/project/project.feature
@@ -49,3 +49,14 @@ Feature: Project
    Then I should see project "Forum" README
    And I visit project "Shop" page
    Then I should see project "Shop" README
+
+  @javascript
+  Scenario: I should see audit events
+    And gitlab user "Pete"
+    And "Pete" is "Shop" developer
+    When I visit project "Shop" settings page
+    And I go to "Members"
+    And I change "Pete" access level to master
+    When I visit project "Shop" settings page
+    And I go to "Audit Events"
+    Then I should see the audit event listed
--- a/features/steps/groups.rb
+++ b/features/steps/groups.rb
@@ -57,6 +57,33 @@ class Spinach::Features::Groups < Spinach::FeatureSteps
    projects_with_access.should_not have_content("Mary Jane")
  end

+  step 'I change the role to "Developer"' do
+    user = User.find_by(name: "Mary Jane")
+    member = Group.find_by(name: "Owned").members.where(user_id: user.id).first
+
+    within "#group_member_#{member.id}" do
+      find(".btn-tiny.btn.js-toggle-button").click
+      within "#edit_group_member_#{member.id}" do
+        select 'Developer', from: 'group_member_access_level'
+        click_on 'Save'
+      end
+    end
+  end
+
+  step 'I go to "Audit Events"' do
+    click_link 'Audit Events'
+  end
+
+  step 'I should see the audit event listed' do
+    within ('table#audits') do
+      page.should have_content 'Add user access as reporter'
+      page.should have_content 'Change access level from reporter to developer'
+      page.should have_content 'Remove user access'
+      page.should have_content('John Doe', count: 3)
+      page.should have_content('Mary Jane', count: 3)
+    end
+  end
+
  step 'project from group "Owned" has issues assigned to me' do
    create :issue,
      project: project,

--- a/features/steps/project/project.rb
+++ b/features/steps/project/project.rb
@@ -2,6 +2,7 @@ class Spinach::Features::Project < Spinach::FeatureSteps
  include SharedAuthentication
  include SharedProject
  include SharedPaths
+  include Select2Helper

  step 'change project settings' do
    fill_in 'project_name_edit', with: 'NewName'
@@ -69,4 +70,41 @@ class Spinach::Features::Project < Spinach::FeatureSteps
    page.should have_link "README.md"
    page.should have_content "testme"
  end
+
+  step 'gitlab user "Pete"' do
+    create(:user, name: "Pete")
+  end
+
+  step '"Pete" is "Shop" developer' do
+    user = User.find_by(name: "Pete")
+    project = Project.find_by(name: "Shop")
+    project.team << [user, :developer]
+  end
+
+  step 'I visit project "Shop" settings page' do
+    click_link 'Settings'
+  end
+
+  step 'I go to "Members"' do
+    click_link 'Members'
+  end
+
+  step 'I change "Pete" access level to master' do
+    user = User.find_by(name: "Pete")
+    within "#user_#{user.id}" do
+      select "Master", from: "project_member_access_level"
+    end
+  end
+
+  step 'I go to "Audit Events"' do
+    click_link 'Audit Events'
+  end
+
+  step 'I should see the audit event listed' do
+    within ('table#audits') do
+      page.should have_content "Change access level from developer to master"
+      page.should have_content(project.owner.name)
+      page.should have_content('Pete')
+    end
+  end
 end