Class: Gitlab::Audit::Auditor

Inherits:

Object

• Object
• Gitlab::Audit::Auditor

Includes:

Logging

Defined in:

lib/gitlab/audit/auditor.rb

Constant Summary

PERMITTED_TARGET_CLASSES =

[
  ::Operations::FeatureFlag
].freeze

Constants included from Logging

Logging::ENTITY_TYPE_TO_CLASS

Instance Attribute Summary

• #name ⇒ Object readonly

  Returns the value of attribute name.

• #scope ⇒ Object readonly

  Returns the value of attribute scope.

Class Method Summary

• .audit(context, &block) ⇒ Object

  Record audit events.

Instance Method Summary

• #audit_enabled? ⇒ Boolean
• #authentication_event? ⇒ Boolean
• #authentication_event_payload ⇒ Object
• #author_if_user ⇒ Object
• #build_event(message_or_attrs) ⇒ Object
• #initialize(context = {}) ⇒ Auditor constructor

  A new instance of Auditor.

• #log_authentication_event ⇒ Object
• #log_events_and_stream(events) ⇒ Object
• #log_to_database(events) ⇒ Object
• #log_to_file(events) ⇒ Object
• #log_to_file_and_stream(events) ⇒ Object
• #multiple_audit ⇒ Object
• #permitted_target? ⇒ Boolean
• #record(events) ⇒ Object
• #send_to_stream(events) ⇒ Object
• #single_audit ⇒ Object
• #stream_only? ⇒ Boolean

Methods included from Logging

#log_to_new_tables

Constructor Details

#initialize(context = {}) ⇒ Auditor

Returns a new instance of Auditor.

Raises:

• (StandardError)

# File 'lib/gitlab/audit/auditor.rb', line 66

def initialize(context = {})
  @context = context

  @name = @context.fetch(:name, 'audit_operation')
  @is_audit_event_yaml_defined = Gitlab::Audit::Type::Definition.defined?(@name)
  @stream_only = stream_only?
  @author = @context.fetch(:author)
  @scope = @context.fetch(:scope)
  @target = @context.fetch(:target)
  @created_at = @context.fetch(:created_at, DateTime.current)
  @message = @context.fetch(:message, '')
  @additional_details = @context.fetch(:additional_details, {})
  @additional_details[:event_name] = @name
  @ip_address = @context[:ip_address]
  @target_details = @context[:target_details]
  @authentication_event = @context.fetch(:authentication_event, false)
  @authentication_provider = @context[:authentication_provider]
  @organization = @context[:organization]

  return if @is_audit_event_yaml_defined

  raise StandardError, "Audit event type YML file is not defined for #{@name}. Please read " \
    "https://docs.gitlab.com/ee/development/audit_event_guide/" \
    "#how-to-instrument-new-audit-events for adding a new audit event"
end

Instance Attribute Details

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/gitlab/audit/auditor.rb', line 6

def name
  @name
end

#scope ⇒ Object (readonly)

Returns the value of attribute scope.

# File 'lib/gitlab/audit/auditor.rb', line 6

def scope
  @scope
end

Class Method Details

.audit(context, &block) ⇒ Object

Record audit events

Examples:

Using block (useful when events are emitted deep in the call stack)

i.e. multiple audit events

audit_context = {
  name: 'merge_approval_rule_updated',
  author: current_user,
  scope: project_alpha,
  target: merge_approval_rule,
  message: 'a user has attempted to update an approval rule'
}

# in the initiating service
Gitlab::Audit::Auditor.audit(audit_context) do
  service.execute
end

# in the model
Auditable.push_audit_event('an approver has been added')
Auditable.push_audit_event('an approval group has been removed')

Using standard method call

i.e. single audit event

merge_approval_rule.save
Gitlab::Audit::Auditor.audit(audit_context)

Options Hash (context):

• :name (String) —

  the operation name to be audited, used for error tracking

• :author (User) —

  the user who authors the change

• :scope (User, Project, Group) —

  the scope which audit event belongs to

• :target (Object) —

  the target object being audited

• :message (String) —

  the message describing the action

• :additional_details (Hash) —

  the additional details we want to merge into audit event details.

• :created_at (Time) —

  the time that the event occurred (defaults to the current time)

# File 'lib/gitlab/audit/auditor.rb', line 52

def self.audit(context, &block)
  auditor = new(context)

  if block
    return yield unless auditor.audit_enabled?

    auditor.multiple_audit(&block)
  else
    return unless auditor.audit_enabled?

    auditor.single_audit
  end
end

Instance Method Details

#audit_enabled? ⇒ Boolean

# File 'lib/gitlab/audit/auditor.rb', line 124

def audit_enabled?
  authentication_event? || permitted_target?
end

#authentication_event? ⇒ Boolean

# File 'lib/gitlab/audit/auditor.rb', line 132

def authentication_event?
  @authentication_event
end

#authentication_event_payload ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 153

def authentication_event_payload
  {
    # @author can be a User or various Gitlab::Audit authors.
    # Only capture real users for successful authentication events.
    user: author_if_user,
    user_name: @author.name,
    ip_address: Gitlab::RequestContext.instance.client_ip || @author.current_sign_in_ip,
    result: AuthenticationEvent.results[:success],
    provider: @authentication_provider,
    organization: @organization
  }
end

#author_if_user ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 166

def author_if_user
  @author if @author.is_a?(User)
end

#build_event(message_or_attrs) ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 174

def build_event(message_or_attrs)
  params = {
    author: @author,
    scope: @scope,
    target: @target,
    created_at: @created_at,
    message: message_or_attrs,
    additional_details: @additional_details,
    ip_address: @ip_address,
    target_details: @target_details
  }

  params.merge!(message_or_attrs.slice(*params.keys)) if message_or_attrs.is_a?(Hash)

  AuditEvents::BuildService.new(**params).execute
end

#log_authentication_event ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 144

def log_authentication_event
  return unless Gitlab::Database.read_write? && authentication_event?

  event = AuthenticationEvent.new(authentication_event_payload)
  event.save!
rescue ActiveRecord::RecordInvalid => e
  ::Gitlab::ErrorTracking.track_exception(e, audit_operation: @name)
end

#log_events_and_stream(events) ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 107

def log_events_and_stream(events)
  log_authentication_event
  saved_events = log_to_database(events)
  log_to_new_tables(saved_events, @name)

  # we only want to override events with saved_events when it successfully saves into database.
  # we are doing so to ensure events in memory reflects events saved in database and have id column.
  events = saved_events if saved_events.present?

  log_to_file_and_stream(events)
end

#log_to_database(events) ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 191

def log_to_database(events)
  if events.one?
    events.first.save!
    events
  else
    event_ids = AuditEvent.bulk_insert!(events, returns: :ids)
    AuditEvent.id_in(event_ids)
  end
rescue ActiveRecord::RecordInvalid => e
  ::Gitlab::ErrorTracking.track_exception(e, audit_operation: @name)

  nil
end

#log_to_file(events) ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 205

def log_to_file(events)
  file_logger = ::Gitlab::AuditJsonLogger.build

  events.each { |event| file_logger.info(log_payload(event)) }
end

#log_to_file_and_stream(events) ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 119

def log_to_file_and_stream(events)
  log_to_file(events)
  send_to_stream(events)
end

#multiple_audit ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 98

def multiple_audit
  # For now we dont have any need to implement multiple audit event functionality in CE
  # Defined in EE
end

#permitted_target? ⇒ Boolean

# File 'lib/gitlab/audit/auditor.rb', line 128

def permitted_target?
  @target.class.in? PERMITTED_TARGET_CLASSES
end

#record(events) ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 103

def record(events)
  @stream_only ? send_to_stream(events) : log_events_and_stream(events)
end

#send_to_stream(events) ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 170

def send_to_stream(events)
  # Defined in EE
end

#single_audit ⇒ Object

# File 'lib/gitlab/audit/auditor.rb', line 92

def single_audit
  events = [build_event(@message)]

  record(events)
end

#stream_only? ⇒ Boolean

# File 'lib/gitlab/audit/auditor.rb', line 136

def stream_only?
  if @is_audit_event_yaml_defined
    Gitlab::Audit::Type::Definition.stream_only?(@name)
  else
    @context.fetch(:stream_only, false)
  end
end