Merge branch 'fix-deploy-key-audit-event' into 'main'

Pass key_id to git_audit_event endpoint for deploy key auth

See merge request https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/1411

Merged-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Approved-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Reviewed-by: Vasilii Iakliushin <viakliushin@gitlab.com>
Reviewed-by: GitLab Duo <gitlab-duo@gitlab.com>
Co-authored-by: Emma Park <epark@gitlab.com>

Author: 2 people

internal/command/gitauditevent/audit.go

@@ -33,7 +33,12 @@ func Audit(ctx context.Context, args *commandargs.Shell, c *config.Config, respo
 		return
 	}
 
-	errOnlyLog = gitAuditClient.Audit(ctx, response.Username, args, response.Repo, packfileStats)
+	errOnlyLog = gitAuditClient.Audit(ctx, gitauditevent.AuditParams{
+		Username:      response.Username,
+		KeyID:         response.KeyID,
+		Repo:          response.Repo,
+		PackfileStats: packfileStats,
+	}, args)
 	if errOnlyLog != nil {
 		slog.ErrorContext(ctx, fmt.Sprintf("failed to audit git event: %v", errOnlyLog))
 		return

internal/command/gitauditevent/audit_test.go

@@ -20,41 +20,64 @@ import (
 var (
 	testUsername = "gitlab-shell"
 	testRepo     = "project-1"
+	testKeyID    = 123
 )
 
 func TestGitAudit(t *testing.T) {
-	called := false
-
-	requests := []testserver.TestRequestHandler{
-		{
-			Path: "/api/v4/internal/shellhorse/git_audit_event",
-			Handler: func(w http.ResponseWriter, r *http.Request) {
-				called = true
-
-				body, err := io.ReadAll(r.Body)
-				assert.NoError(t, err)
-				defer r.Body.Close()
-
-				var request *gitauditevent.Request
-				assert.NoError(t, json.Unmarshal(body, &request))
-				assert.Equal(t, testUsername, request.Username)
-				assert.Equal(t, testRepo, request.Repo)
-
-				w.WriteHeader(http.StatusOK)
-			},
-		},
+	tests := []struct {
+		name        string
+		keyID       int
+		expectKeyID bool
+	}{
+		{name: "with deploy key", keyID: testKeyID, expectKeyID: true},
+		{name: "without deploy key", keyID: 0, expectKeyID: false},
 	}
 
-	args := &commandargs.Shell{
-		CommandType: commandargs.UploadArchive,
-		Env:         sshenv.Env{RemoteAddr: "18.245.0.42"},
-	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			called := false
+			requests := []testserver.TestRequestHandler{{
+				Path: "/api/v4/internal/shellhorse/git_audit_event",
+				Handler: func(w http.ResponseWriter, r *http.Request) {
+					called = true
+
+					body, err := io.ReadAll(r.Body)
+					assert.NoError(t, err)
+					defer r.Body.Close()
+
+					var rawJSON map[string]interface{}
+					assert.NoError(t, json.Unmarshal(body, &rawJSON))
+					_, hasKeyID := rawJSON["key_id"]
+					assert.Equal(t, tt.expectKeyID, hasKeyID)
+
+					if tt.expectKeyID {
+						keyIDFloat, ok := rawJSON["key_id"].(float64)
+						assert.True(t, ok, "key_id should be a number")
+						assert.Equal(t, tt.keyID, int(keyIDFloat))
+					}
 
-	url := testserver.StartSocketHTTPServer(t, requests)
-	Audit(context.Background(), args, &config.Config{GitlabURL: url}, &accessverifier.Response{
-		Username: testUsername,
-		Repo:     testRepo,
-	}, nil)
+					var request *gitauditevent.Request
+					assert.NoError(t, json.Unmarshal(body, &request))
+					assert.Equal(t, testUsername, request.Username)
+					assert.Equal(t, testRepo, request.Repo)
 
-	require.True(t, called)
+					w.WriteHeader(http.StatusOK)
+				},
+			}}
+
+			args := &commandargs.Shell{
+				CommandType: commandargs.UploadArchive,
+				Env:         sshenv.Env{RemoteAddr: "18.245.0.42"},
+			}
+
+			url := testserver.StartSocketHTTPServer(t, requests)
+			Audit(context.Background(), args, &config.Config{GitlabURL: url}, &accessverifier.Response{
+				Username: testUsername,
+				Repo:     testRepo,
+				KeyID:    tt.keyID,
+			}, nil)
+
+			require.True(t, called)
+		})
+	}
 }

internal/gitlabnet/gitauditevent/client.go

@@ -36,19 +36,29 @@ type Request struct {
 	Protocol      string                            `json:"protocol"`
 	Repo          string                            `json:"gl_repository"`
 	Username      string                            `json:"username"`
+	KeyID         int                               `json:"key_id,omitempty"`
 	PackfileStats *pb.PackfileNegotiationStatistics `json:"packfile_stats,omitempty"`
 	CheckIP       string                            `json:"check_ip,omitempty"`
 	Changes       string                            `json:"changes"`
 }
 
+// AuditParams contains parameters for sending an audit event.
+type AuditParams struct {
+	Username      string
+	KeyID         int
+	Repo          string
+	PackfileStats *pb.PackfileNegotiationStatistics
+}
+
 // Audit sends an audit event to the GitLab API.
-func (c *Client) Audit(ctx context.Context, username string, args *commandargs.Shell, repo string, packfileStats *pb.PackfileNegotiationStatistics) error {
+func (c *Client) Audit(ctx context.Context, params AuditParams, args *commandargs.Shell) error {
 	request := &Request{
 		Action:        args.CommandType,
-		Repo:          repo,
+		Repo:          params.Repo,
 		Protocol:      "ssh",
-		Username:      username,
-		PackfileStats: packfileStats,
+		Username:      params.Username,
+		KeyID:         params.KeyID,
+		PackfileStats: params.PackfileStats,
 		CheckIP:       gitlabnet.ParseIP(args.Env.RemoteAddr),
 		Changes:       "_any",
 	}

internal/gitlabnet/gitauditevent/client_test.go

@@ -18,6 +18,7 @@ import (
 
 var (
 	testUsername            = "gitlab-shell"
+	testKeyID               = 123
 	testRepo                = "gitlab-org/gitlab-shell"
 	testPackfileWants int64 = 100
 	testPackfileHaves int64 = 100
@@ -28,26 +29,57 @@ var (
 )
 
 func TestAudit(t *testing.T) {
-	client := setup(t, http.StatusOK)
+	tests := []struct {
+		name        string
+		keyID       int
+		expectKeyID bool
+	}{
+		{
+			name:        "with key_id",
+			keyID:       testKeyID,
+			expectKeyID: true,
+		},
+		{
+			name:        "without key_id",
+			keyID:       0,
+			expectKeyID: false,
+		},
+	}
 
-	err := client.Audit(context.Background(), testUsername, testArgs, testRepo, &pb.PackfileNegotiationStatistics{
-		Wants: testPackfileWants,
-		Haves: testPackfileHaves,
-	})
-	require.NoError(t, err)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			client := setup(t, http.StatusOK, tt.keyID, tt.expectKeyID)
+
+			err := client.Audit(context.Background(), AuditParams{
+				Username: testUsername,
+				KeyID:    tt.keyID,
+				Repo:     testRepo,
+				PackfileStats: &pb.PackfileNegotiationStatistics{
+					Wants: testPackfileWants,
+					Haves: testPackfileHaves,
+				},
+			}, testArgs)
+			require.NoError(t, err)
+		})
+	}
 }
 
 func TestAuditFailed(t *testing.T) {
-	client := setup(t, http.StatusBadRequest)
+	client := setup(t, http.StatusBadRequest, testKeyID, true)
 
-	err := client.Audit(context.Background(), testUsername, testArgs, testRepo, &pb.PackfileNegotiationStatistics{
-		Wants: testPackfileWants,
-		Haves: testPackfileHaves,
-	})
+	err := client.Audit(context.Background(), AuditParams{
+		Username: testUsername,
+		KeyID:    testKeyID,
+		Repo:     testRepo,
+		PackfileStats: &pb.PackfileNegotiationStatistics{
+			Wants: testPackfileWants,
+			Haves: testPackfileHaves,
+		},
+	}, testArgs)
 	require.Error(t, err)
 }
 
-func setup(t *testing.T, responseStatus int) *Client {
+func setup(t *testing.T, responseStatus int, keyID int, expectKeyID bool) *Client {
 	requests := []testserver.TestRequestHandler{
 		{
 			Path: uri,
@@ -56,9 +88,20 @@ func setup(t *testing.T, responseStatus int) *Client {
 				assert.NoError(t, err)
 				defer r.Body.Close()
 
+				// Check if key_id is present/absent in raw JSON
+				var rawJSON map[string]interface{}
+				assert.NoError(t, json.Unmarshal(body, &rawJSON))
+				_, hasKeyID := rawJSON["key_id"]
+				if expectKeyID {
+					assert.True(t, hasKeyID, "key_id should be present in JSON")
+				} else {
+					assert.False(t, hasKeyID, "key_id should not be present in JSON")
+				}
+
 				var request *Request
 				assert.NoError(t, json.Unmarshal(body, &request))
 				assert.Equal(t, testUsername, request.Username)
+				assert.Equal(t, keyID, request.KeyID)
 				assert.Equal(t, testArgs.Env.RemoteAddr, request.CheckIP)
 				assert.Equal(t, testArgs.CommandType, request.Action)
 				assert.Equal(t, testRepo, request.Repo)