diff --git a/app/models/deploy_key.rb b/app/models/deploy_key.rb index 4ed38f578ee3d7b573525fef3836d464b4f3bec6..f9acd398374a999d0b2971bbfaa6d6511305a4e6 100644 --- a/app/models/deploy_key.rb +++ b/app/models/deploy_key.rb @@ -40,6 +40,10 @@ def user super || User.ghost end + def audit_details + title + end + def has_access_to?(project) deploy_keys_project_for(project).present? end diff --git a/ee/app/services/ee/deploy_keys/create_service.rb b/ee/app/services/ee/deploy_keys/create_service.rb index 353791322d5034782d0e5b629c6da1ffe7a20e0e..8354218bf69caf361f230a671815de6a66812b3b 100644 --- a/ee/app/services/ee/deploy_keys/create_service.rb +++ b/ee/app/services/ee/deploy_keys/create_service.rb @@ -9,16 +9,24 @@ module CreateService def execute(project: nil) super.tap do |key| if project && key.persisted? - log_audit_event(key.title, project, action: :create) + log_audit_event(key, project) end end end private - def log_audit_event(key_title, project, options = {}) - ::AuditEventService.new(user, project, options) - .for_deploy_key(key_title).security_event + def log_audit_event(key, project) + audit_context = { + name: 'deploy_key_added', + author: user, + scope: project, + target: key, + message: "Added deploy key", + additional_details: { add: "deploy_key" } + } + + ::Gitlab::Audit::Auditor.audit(audit_context) end end end diff --git a/ee/app/services/ee/projects/disable_deploy_key_service.rb b/ee/app/services/ee/projects/disable_deploy_key_service.rb index deab70c26e7a6e4890bd91c92bbf0967e0b3de3c..6f284d97b72e7c63e9202184c2f3126c72baefc0 100644 --- a/ee/app/services/ee/projects/disable_deploy_key_service.rb +++ b/ee/app/services/ee/projects/disable_deploy_key_service.rb 
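Review bot: `audit_details` in the deploy_key.rb hunk returns only `title`, which appears to be free text supplied with the key, so the `target_details` of these audit events cannot tell apart two keys that share a title or were later renamed. If the model exposes a key fingerprint, consider recording it alongside the title so an investigator can tie the event to specific key material. The method also has no documentation; a comment such as `# Text stored as target_details in audit events for this key.` above it would state the contract. The class body continues outside the hunk.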
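Review bot: The audit context built in `log_audit_event` (create_service.rb hunk) uses `name: 'deploy_key_added'` and `message: "Added deploy key"`, the same values as the enable_deploy_key_service.rb hunk, so a reader of the audit log cannot tell the creation of a new key apart from the enabling of an existing key on a project. If that distinction matters for investigations, carry it in the event, for example `additional_details: { add: "deploy_key", via: "create" }`, and update the spec expectations to match. The guard in `execute` also means a key created with the default `project: nil` writes no event at all; a comment on `if project && key.persisted?` would make that gap explicit. The module continues outside the hunk.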
@@ -9,14 +9,22 @@ def execute super.tap do |deploy_key_project| break unless deploy_key_project - log_audit_event(deploy_key_project.deploy_key.title, action: :destroy) + log_audit_event(deploy_key_project.deploy_key) end end private - def log_audit_event(key_title, options = {}) - AuditEventService.new(current_user, project, options) - .for_deploy_key(key_title).security_event + def log_audit_event(key) + audit_context = { + name: 'deploy_key_removed', + author: current_user, + scope: project, + target: key, + message: "Removed deploy key", + additional_details: { remove: "deploy_key" } + } + + ::Gitlab::Audit::Auditor.audit(audit_context) end end diff --git a/ee/app/services/ee/projects/enable_deploy_key_service.rb b/ee/app/services/ee/projects/enable_deploy_key_service.rb index 2e966b121304fb33ab8df7b1c8991b6ae3a0065c..284c8e67b76fa168b01e4fbc23d2cca734f7c9b9 100644 --- a/ee/app/services/ee/projects/enable_deploy_key_service.rb +++ b/ee/app/services/ee/projects/enable_deploy_key_service.rb @@ -9,14 +9,22 @@ def execute super.tap do |key| break unless key - log_audit_event(key.title, action: :create) + log_audit_event(key) end end private - def log_audit_event(key_title, options = {}) - AuditEventService.new(current_user, project, options) - .for_deploy_key(key_title).security_event + def log_audit_event(key) + audit_context = { + name: 'deploy_key_added', + author: current_user, + scope: project, + target: key, + message: "Added deploy key", + additional_details: { add: "deploy_key" } + } + + ::Gitlab::Audit::Auditor.audit(audit_context) end end diff --git a/ee/spec/services/deploy_keys/create_service_spec.rb b/ee/spec/services/deploy_keys/create_service_spec.rb new file mode 100644 index 0000000000000000000000000000000000000000..48c2d3659095922e026e767d200bc514c6e640b1 --- /dev/null +++ b/ee/spec/services/deploy_keys/create_service_spec.rb 
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe DeployKeys::CreateService do
+ let_it_be(:group) { create(:group) }
+ let_it_be(:destination) { create(:external_audit_event_destination, group: group) }
+ let_it_be(:project) { create(:project, :repository, group: group) }
+ let_it_be(:user) { create(:user) }
+ let_it_be(:params) { attributes_for(:deploy_key) }
+
+ subject { described_class.new(user, params).execute(project: project) }
+
+ before do
+ stub_licensed_features(audit_events: true, external_audit_events: true)
+ end
+
+ it "creates a deploy key" do
+ expect { subject }.to change { DeployKey.where(params.merge(user: user)).count }.by(1)
+ end
+
+ it 'records an audit event', :aggregate_failures do
+ expect { subject }.to change { AuditEvent.count }.by(1)
+ audit_event = AuditEvent.last
+
+ expect(audit_event.author_id).to eq(user.id)
+ expect(audit_event.entity_id).to eq(project.id)
+ expect(audit_event.entity_type).to eq(project.class.name)
+ expect(audit_event.details).to include({
+ add: "deploy_key",
+ author_name: user.name,
+ custom_message: "Added deploy key",
+ target_details: params[:title],
+ target_type: "DeployKey"
+ })
+ end
+
+ it_behaves_like 'sends correct event type in audit event stream' do
+ let_it_be(:event_type) { "deploy_key_added" }
+ end
+end
diff --git a/ee/spec/services/projects/disable_deploy_key_service_spec.rb b/ee/spec/services/projects/disable_deploy_key_service_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..cb322f352f46754edc2fed00f8740960f023b8f4
--- /dev/null
+++ b/ee/spec/services/projects/disable_deploy_key_service_spec.rb
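Review bot: This spec only exercises the path where an event is written; the guard `if project && key.persisted?` in the service has no negative test, so a regression that writes audit events for keys that failed validation would go unnoticed. Add cases such as `it 'records no audit event without a project' do` / `expect { described_class.new(user, params).execute }.not_to change { AuditEvent.count }` / `end`, plus one with invalid params. The disable and enable service specs have the same gap for the `break unless ...` branch, where `super` returns nothing and no event should be written.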
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::DisableDeployKeyService do
+ let_it_be(:group) { create(:group) }
+ let_it_be(:destination) { create(:external_audit_event_destination, group: group) }
+ let_it_be(:deploy_key) { create(:deploy_key) }
+ let_it_be(:project) { create(:project, group: group) }
+ let_it_be(:deploy_key_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
+ let_it_be(:user) { project.creator }
+ let_it_be(:params) { { id: deploy_key.id } }
+
+ let_it_be(:service) { described_class.new(project, user, params) }
+
+ before do
+ stub_licensed_features(audit_events: true, external_audit_events: true)
+ end
+
+ it 'records an audit event' do
+ expect { service.execute }.to change { AuditEvent.count }.by(1)
+
+ audit_event = AuditEvent.last
+
+ expect(audit_event.author_id).to eq(user.id)
+ expect(audit_event.entity_id).to eq(project.id)
+ expect(audit_event.entity_type).to eq(project.class.name)
+ expect(audit_event.details).to include({
+ remove: "deploy_key",
+ author_name: user.name,
+ custom_message: "Removed deploy key",
+ target_details: deploy_key.title,
+ target_type: "DeployKey"
+ })
+ end
+
+ it_behaves_like 'sends correct event type in audit event stream' do
+ let(:subject) { service.execute }
+
+ let_it_be(:event_type) { "deploy_key_removed" }
+ end
+end
diff --git a/ee/spec/services/projects/enable_deploy_key_service_spec.rb b/ee/spec/services/projects/enable_deploy_key_service_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..a2f42a23321c3ed912cfdd01cf1ec57e797c42f1
--- /dev/null
+++ b/ee/spec/services/projects/enable_deploy_key_service_spec.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Projects::EnableDeployKeyService do
+ let_it_be(:group) { create(:group) }
+ let_it_be(:destination) { create(:external_audit_event_destination, group: group) }
+ let_it_be(:deploy_key) { create(:deploy_key, public: true) }
+ let_it_be(:project) { create(:project, group: group) }
+ let_it_be(:user) { project.creator }
+ let_it_be(:params) { { key_id: deploy_key.id } }
+
+ let_it_be(:service) { described_class.new(project, user, params) }
+
+ before do
+ stub_licensed_features(audit_events: true, external_audit_events: true)
+ end
+
+ it 'records an audit event' do
+ expect { service.execute }.to change { AuditEvent.count }.by(1)
+
+ audit_event = AuditEvent.last
+
+ expect(audit_event.author_id).to eq(user.id)
+ expect(audit_event.entity_id).to eq(project.id)
+ expect(audit_event.entity_type).to eq(project.class.name)
+ expect(audit_event.details).to include({
+ add: "deploy_key",
+ author_name: user.name,
+ custom_message: "Added deploy key",
+ target_details: deploy_key.title,
+ target_type: "DeployKey"
+ })
+ end
+
+ it_behaves_like 'sends correct event type in audit event stream' do
+ let(:subject) { service.execute }
+
+ let_it_be(:event_type) { "deploy_key_added" }
+ end
+end
diff --git a/spec/models/deploy_key_spec.rb b/spec/models/deploy_key_spec.rb
index c22bad0e062441f0b06698af0741403dd6c57b7e..8c3b02427ae992c74405d1712cb5b86c9311ff7d 100644
--- a/spec/models/deploy_key_spec.rb
+++ b/spec/models/deploy_key_spec.rb
@@ -146,4 +146,10 @@
 end
 end
 end
+
+ describe '#audit_details' do
+ it "equals to the key's title" do
+ expect(subject.audit_details).to eq(subject.title)
+ end
+ end
 end