Merge branch '353452_add_audit_events_for_group_deploy_tokens' into 'master'

Add audit event for group deploy tokens See merge request gitlab-org/gitlab!82251

Merge branch '353452_add_audit_events_for_group_deploy_tokens' into 'master'
Add audit event for group deploy tokens See merge request gitlab-org/gitlab!82251
d9849068 · Bob Van Landuyt · b1a56a95 · d02322e8 · d9849068 · d9849068
Commit d9849068 authored Mar 09, 2022 by Bob Van Landuyt
13 changed files
--- a/app/controllers/groups/deploy_tokens_controller.rb
+++ b/app/controllers/groups/deploy_tokens_controller.rb
@@ -6,8 +6,7 @@ class Groups::DeployTokensController < Groups::ApplicationController
  feature_category :continuous_delivery

  def revoke
-    @token = @group.deploy_tokens.find(params[:id])
-    @token.revoke!
+    Groups::DeployTokens::RevokeService.new(@group, current_user, params).execute

    redirect_to group_settings_repository_path(@group, anchor: 'js-deploy-tokens')
  end

--- a/app/services/groups/deploy_tokens/create_service.rb
+++ b/app/services/groups/deploy_tokens/create_service.rb
@@ -13,3 +13,5 @@ module Groups
    end
  end
 end
+
+Groups::DeployTokens::CreateService.prepend_mod
--- a/app/services/groups/deploy_tokens/destroy_service.rb
+++ b/app/services/groups/deploy_tokens/destroy_service.rb
@@ -11,3 +11,5 @@ module Groups
    end
  end
 end
+
+Groups::DeployTokens::DestroyService.prepend_mod
--- a/app/services/groups/deploy_tokens/revoke_service.rb
+++ b/app/services/groups/deploy_tokens/revoke_service.rb
+# frozen_string_literal: true
+
+module Groups
+  module DeployTokens
+    class RevokeService < BaseService
+      attr_accessor :token
+
+      def execute
+        @token = group.deploy_tokens.find(params[:id])
+        @token.revoke!
+      end
+    end
+  end
+end
+
+Groups::DeployTokens::RevokeService.prepend_mod
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -109,6 +109,8 @@ From there, you can see the following actions:
 - Compliance framework created, updated, or deleted. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/340649) in GitLab 14.5.
 - Event streaming destination created, updated, or deleted. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/344664) in GitLab 14.6.
 - Instance administrator started or stopped impersonation of a group member. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/300961) in GitLab 14.8.
+- Group deploy token was successfully created, revoked, or deleted. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452) in GitLab 14.9.
+- Failed attempt to create a group deploy token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452) in GitLab 14.9.

 Group events can also be accessed via the [Group Audit Events API](../api/audit_events.md#group-audit-events)


--- a/ee/app/services/ee/groups/deploy_tokens/create_service.rb
+++ b/ee/app/services/ee/groups/deploy_tokens/create_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Groups
+    module DeployTokens
+      module CreateService
+        extend ::Gitlab::Utils::Override
+
+        override :execute
+        def execute
+          super.tap do |result|
+            audit_event_service(result[:deploy_token], result)
+          end
+        end
+
+        private
+
+        def audit_event_service(deploy_token, result)
+          message = if result[:status] == :success
+                      "Created group deploy token with name: #{deploy_token.name} with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}."
+                    else
+                      "Attempted to create group deploy token but failed with message: #{result[:message]}"
+                    end
+
+          ::AuditEventService.new(
+            current_user,
+            group,
+            target_id: deploy_token.id,
+            target_type: deploy_token.class.name,
+            target_details: deploy_token.name,
+            action: :custom,
+            custom_message: message
+          ).security_event
+        end
+      end
+    end
+  end
+end
--- a/ee/app/services/ee/groups/deploy_tokens/destroy_service.rb
+++ b/ee/app/services/ee/groups/deploy_tokens/destroy_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Groups
+    module DeployTokens
+      module DestroyService
+        extend ::Gitlab::Utils::Override
+
+        override :execute
+        def execute
+          super.tap do |deploy_token|
+            audit_event_service(deploy_token)
+          end
+        end
+
+        private
+
+        def audit_event_service(deploy_token)
+          message = "Destroyed group deploy token with name: #{deploy_token.name} with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}."
+
+          ::AuditEventService.new(
+            current_user,
+            group,
+            target_id: deploy_token.id,
+            target_type: deploy_token.class.name,
+            target_details: deploy_token.name,
+            action: :custom,
+            custom_message: message
+          ).security_event
+        end
+      end
+    end
+  end
+end
--- a/ee/app/services/ee/groups/deploy_tokens/revoke_service.rb
+++ b/ee/app/services/ee/groups/deploy_tokens/revoke_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Groups
+    module DeployTokens
+      module RevokeService
+        extend ::Gitlab::Utils::Override
+
+        override :execute
+        def execute
+          super.tap { log_audit_event }
+        end
+
+        private
+
+        def log_audit_event
+          message = "Revoked group deploy token with name: #{token.name} with token_id: #{token.id} with scopes: #{token.scopes}."
+
+          ::AuditEventService.new(
+            current_user,
+            group,
+            target_id: token.id,
+            target_type: token.class.name,
+            target_details: token.name,
+            action: :custom,
+            custom_message: message
+          ).security_event
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/services/ee/groups/deploy_tokens/create_service_spec.rb
+++ b/ee/spec/services/ee/groups/deploy_tokens/create_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokens::CreateService do
+  let_it_be(:entity) { create(:group) }
+  let_it_be(:user) { create(:user) }
+
+  let(:deploy_token_params) { attributes_for(:deploy_token) }
+
+  describe '#execute' do
+    subject { described_class.new(entity, user, deploy_token_params).execute }
+
+    context 'when the deploy token is valid' do
+      it 'creates an audit event' do
+        expect { subject }.to change { AuditEvent.count }.by(1)
+
+        expected_message = <<~MESSAGE.squish
+          Created group deploy token with name: #{subject[:deploy_token].name}
+          with token_id: #{subject[:deploy_token].id} with scopes: #{subject[:deploy_token].scopes}.
+        MESSAGE
+
+        expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+      end
+    end
+
+    context 'when the deploy token is invalid' do
+      let(:deploy_token_params) { attributes_for(:deploy_token, read_repository: false, read_registry: false, write_registry: false) }
+
+      it 'creates an audit event' do
+        expect { subject }.to change { AuditEvent.count }.by(1)
+
+        expected_message = "Attempted to create group deploy token but failed with message: Scopes can't be blank"
+
+        expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+      end
+    end
+  end
+end
--- a/ee/spec/services/ee/groups/deploy_tokens/destroy_service_spec.rb
+++ b/ee/spec/services/ee/groups/deploy_tokens/destroy_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokens::DestroyService do
+  let_it_be(:entity) { create(:group) }
+  let_it_be(:deploy_token) { create(:deploy_token, :group, groups: [entity]) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:deploy_token_params) { { token_id: deploy_token.id } }
+
+  describe '#execute' do
+    subject { described_class.new(entity, user, deploy_token_params).execute }
+
+    it "creates an audit event" do
+      expect { subject }.to change { AuditEvent.count }.by(1)
+
+      expected_message = <<~MESSAGE.squish
+        Destroyed group deploy token with name: #{deploy_token.name}
+        with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}.
+      MESSAGE
+
+      expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+    end
+  end
+end
--- a/ee/spec/services/ee/groups/deploy_tokens/revoke_service_spec.rb
+++ b/ee/spec/services/ee/groups/deploy_tokens/revoke_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokens::RevokeService do
+  let_it_be(:entity) { create(:group) }
+  let_it_be(:deploy_token) { create(:deploy_token, :group, groups: [entity]) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:deploy_token_params) { { id: deploy_token.id } }
+
+  describe '#execute' do
+    subject { described_class.new(entity, user, deploy_token_params).execute }
+
+    it "creates an audit event" do
+      expect { subject }.to change { AuditEvent.count }.by(1)
+
+      expected_message = <<~MESSAGE.squish
+        Revoked group deploy token with name: #{deploy_token.name}
+        with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}.
+      MESSAGE
+
+      expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+    end
+  end
+end
--- a/spec/requests/groups/deploy_tokens_controller_spec.rb
+++ b/spec/requests/groups/deploy_tokens_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokensController do
+  let_it_be(:group) { create(:group) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
+  let_it_be(:params) do
+    { id: deploy_token.id, group_id: group }
+  end
+
+  before do
+    group.add_owner(user)
+
+    sign_in(user)
+  end
+
+  describe 'PUT /groups/:group_path_with_namespace/-/deploy_tokens/:id/revoke' do
+    subject(:put_revoke) do
+      put "/groups/#{group.full_path}/-/deploy_tokens/#{deploy_token.id}/revoke", params: params
+    end
+
+    it 'invokes the Groups::DeployTokens::RevokeService' do
+      expect(deploy_token.revoked).to eq(false)
+      expect(Groups::DeployTokens::RevokeService).to receive(:new).and_call_original
+
+      put_revoke
+
+      expect(deploy_token.reload.revoked).to eq(true)
+    end
+
+    it 'redirects to group repository settings with correct anchor' do
+      put_revoke
+
+      expect(response).to have_gitlab_http_status(:redirect)
+      expect(response).to redirect_to(group_settings_repository_path(group, anchor: 'js-deploy-tokens'))
+    end
+  end
+end
--- a/spec/services/groups/deploy_tokens/revoke_service_spec.rb
+++ b/spec/services/groups/deploy_tokens/revoke_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokens::RevokeService do
+  let_it_be(:entity) { create(:group) }
+  let_it_be(:deploy_token) { create(:deploy_token, :group, groups: [entity]) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:deploy_token_params) { { id: deploy_token.id } }
+
+  describe '#execute' do
+    subject { described_class.new(entity, user, deploy_token_params).execute }
+
+    it "revokes a group deploy token" do
+      expect(deploy_token.revoked).to eq(false)
+
+      expect { subject }.to change { deploy_token.reload.revoked }.to eq(true)
+    end
+
+    context 'invalid token id' do
+      let(:deploy_token_params) { { token_id: non_existing_record_id } }
+
+      it 'raises an error' do
+        expect { subject }.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+  end
+end