Add audit event for group deploy tokens

* Add an audit even when: * a new group deploy token is created. * a group deploy token is revoked via UI. * a group deploy token is deleted via API. Changelog: added EE: true

Add audit event for group deploy tokens
* Add an audit even when: * a new group deploy token is created. * a group deploy token is revoked via UI. * a group deploy token is deleted via API. Changelog: added EE: true
eea53648 · huzaifaiftikhar1 · 007ad73d · eea53648 · eea53648 · eea53648
Commit eea53648 authored Mar 05, 2022 by huzaifaiftikhar1
10 changed files
--- a/app/controllers/groups/deploy_tokens_controller.rb
+++ b/app/controllers/groups/deploy_tokens_controller.rb
@@ -12,3 +12,5 @@ class Groups::DeployTokensController < Groups::ApplicationController
    redirect_to group_settings_repository_path(@group, anchor: 'js-deploy-tokens')
  end
 end
+
+Groups::DeployTokensController.prepend_mod
--- a/app/services/groups/deploy_tokens/create_service.rb
+++ b/app/services/groups/deploy_tokens/create_service.rb
@@ -13,3 +13,5 @@ module Groups
    end
  end
 end
+
+Groups::DeployTokens::CreateService.prepend_mod
--- a/app/services/groups/deploy_tokens/destroy_service.rb
+++ b/app/services/groups/deploy_tokens/destroy_service.rb
@@ -11,3 +11,5 @@ module Groups
    end
  end
 end
+
+Groups::DeployTokens::DestroyService.prepend_mod
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -109,6 +109,8 @@ From there, you can see the following actions:
 - Compliance framework created, updated, or deleted. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/340649) in GitLab 14.5.
 - Event streaming destination created, updated, or deleted. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/344664) in GitLab 14.6.
 - Instance administrator started or stopped impersonation of a group member. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/300961) in GitLab 14.8.
+- Group deploy token was successfully created, revoked or deleted. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452) in GitLab 14.9.
+- Failed attempt to create a group deploy token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452) in GitLab 14.9.

 Group events can also be accessed via the [Group Audit Events API](../api/audit_events.md#group-audit-events)


--- a/ee/app/controllers/ee/groups/deploy_tokens_controller.rb
+++ b/ee/app/controllers/ee/groups/deploy_tokens_controller.rb
+# frozen_string_literal: true
+
+module EE
+  module Groups
+    module DeployTokensController
+      extend ::Gitlab::Utils::Override
+
+      override :revoke
+      def revoke
+        super
+
+        log_audit_event
+      end
+
+      private
+
+      def log_audit_event
+        # rubocop:disable Gitlab/ModuleWithInstanceVariables
+        message = "Revoked group deploy token with name: #{@token.name} with token_id: #{@token.id} with scopes: #{@token.scopes}."
+
+        ::AuditEventService.new(
+          current_user,
+          @group,
+          target_id: @token.id,
+          target_type: @token.class.name,
+          target_details: @token.name,
+          action: :custom,
+          custom_message: message
+        ).security_event
+        # rubocop:enable Gitlab/ModuleWithInstanceVariables
+      end
+    end
+  end
+end
--- a/ee/app/services/ee/groups/deploy_tokens/create_service.rb
+++ b/ee/app/services/ee/groups/deploy_tokens/create_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Groups
+    module DeployTokens
+      module CreateService
+        extend ::Gitlab::Utils::Override
+
+        override :execute
+        def execute
+          super.tap do |result|
+            audit_event_service(result[:deploy_token], result)
+          end
+        end
+
+        private
+
+        def audit_event_service(deploy_token, result)
+          message = if result[:status] == :success
+                      "Created group deploy token with name: #{deploy_token.name} with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}."
+                    else
+                      "Attempted to create group deploy token but failed with message: #{result[:message]}"
+                    end
+
+          ::AuditEventService.new(
+            current_user,
+            group,
+            target_id: deploy_token.id,
+            target_type: deploy_token.class.name,
+            target_details: deploy_token.name,
+            action: :custom,
+            custom_message: message
+          ).security_event
+        end
+      end
+    end
+  end
+end
--- a/ee/app/services/ee/groups/deploy_tokens/destroy_service.rb
+++ b/ee/app/services/ee/groups/deploy_tokens/destroy_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Groups
+    module DeployTokens
+      module DestroyService
+        extend ::Gitlab::Utils::Override
+
+        override :execute
+        def execute
+          super.tap do |deploy_token|
+            audit_event_service(deploy_token)
+          end
+        end
+
+        private
+
+        def audit_event_service(deploy_token)
+          message = "Destroyed group deploy token with name: #{deploy_token.name} with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}."
+
+          ::AuditEventService.new(
+            current_user,
+            group,
+            target_id: deploy_token.id,
+            target_type: deploy_token.class.name,
+            target_details: deploy_token.name,
+            action: :custom,
+            custom_message: message
+          ).security_event
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/requests/ee/groups/deploy_tokens_controller_spec.rb
+++ b/ee/spec/requests/ee/groups/deploy_tokens_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokensController do
+  let_it_be(:group) { create(:group) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
+  let_it_be(:params) do
+    { id: deploy_token.id, group_id: group }
+  end
+
+  before do
+    group.add_owner(user)
+
+    sign_in(user)
+  end
+
+  describe 'PUT /groups/:group_path_with_namespace/-/deploy_tokens/:id/revoke' do
+    subject(:put_revoke) do
+      put "/groups/#{group.full_path}/-/deploy_tokens/#{deploy_token.id}/revoke", params: params
+    end
+
+    it 'creates an audit event' do
+      expect { put_revoke }.to change { AuditEvent.count }.by(1)
+
+      expect(response).to redirect_to(group_settings_repository_path(group, anchor: 'js-deploy-tokens'))
+
+      expected_message = <<~MESSAGE.squish
+        Revoked group deploy token with name: #{deploy_token.name}
+        with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}.
+      MESSAGE
+
+      expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+    end
+  end
+end
--- a/ee/spec/services/ee/groups/deploy_tokens/create_service_spec.rb
+++ b/ee/spec/services/ee/groups/deploy_tokens/create_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokens::CreateService do
+  let_it_be(:entity) { create(:group) }
+  let_it_be(:user) { create(:user) }
+
+  let(:deploy_token_params) { attributes_for(:deploy_token) }
+
+  describe '#execute' do
+    subject { described_class.new(entity, user, deploy_token_params).execute }
+
+    context 'when the deploy token is valid' do
+      it 'creates an audit event' do
+        expect { subject }.to change { AuditEvent.count }.by(1)
+
+        expected_message = <<~MESSAGE.squish
+          Created group deploy token with name: #{subject[:deploy_token].name}
+          with token_id: #{subject[:deploy_token].id} with scopes: #{subject[:deploy_token].scopes}.
+        MESSAGE
+
+        expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+      end
+    end
+
+    context 'when the deploy token is invalid' do
+      let(:deploy_token_params) { attributes_for(:deploy_token, read_repository: false, read_registry: false, write_registry: false) }
+
+      it 'creates an audit event' do
+        expect { subject }.to change { AuditEvent.count }.by(1)
+
+        expected_message = "Attempted to create group deploy token but failed with message: Scopes can't be blank"
+
+        expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+      end
+    end
+  end
+end
--- a/ee/spec/services/ee/groups/deploy_tokens/destroy_service_spec.rb
+++ b/ee/spec/services/ee/groups/deploy_tokens/destroy_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Groups::DeployTokens::DestroyService do
+  let_it_be(:entity) { create(:group) }
+  let_it_be(:deploy_token) { create(:deploy_token, :group, groups: [entity]) }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:deploy_token_params) { { token_id: deploy_token.id } }
+
+  describe '#execute' do
+    subject { described_class.new(entity, user, deploy_token_params).execute }
+
+    it "destroys a token record and it's associated DeployToken" do
+      expect { subject }.to change { GroupDeployToken.count }.by(-1)
+                                                             .and change { DeployToken.count }.by(-1)
+    end
+
+    it "creates an audit event" do
+      expect { subject }.to change { AuditEvent.count }.by(1)
+
+      expected_message = <<~MESSAGE.squish
+        Destroyed group deploy token with name: #{deploy_token.name}
+        with token_id: #{deploy_token.id} with scopes: #{deploy_token.scopes}.
+      MESSAGE
+
+      expect(AuditEvent.last.details[:custom_message]).to eq(expected_message)
+    end
+  end
+end