Merge branch 'pedropombeiro/354894/fix-token-prefix-length-in-audit-log' into 'master'

Increase token preview length in runner audit logs See merge request gitlab-org/gitlab!82523

Merge branch 'pedropombeiro/354894/fix-token-prefix-length-in-audit-log' into 'master'
Increase token preview length in runner audit logs See merge request gitlab-org/gitlab!82523
2b27038d · Marc Shaw · 848fa973 · 6a880b3c · 2b27038d · 2b27038d
Commit 2b27038d authored Mar 17, 2022 by Marc Shaw
2 changed files
--- a/ee/app/services/audit_events/runner_audit_event_service.rb
+++ b/ee/app/services/audit_events/runner_audit_event_service.rb
@@ -2,6 +2,8 @@

 module AuditEvents
  class RunnerAuditEventService < ::AuditEventService
+    SAFE_TOKEN_LENGTH = 8
+
    # Logs an audit event related to a runner event
    #
    # @param [Ci::Runner] runner
@@ -21,14 +23,12 @@ module AuditEvents
      }
      details.merge!(entity_id: @token_scope.id, entity_type: @token_scope.class.name) if @token_scope

-      if author.is_a?(String)
-        author = author[0...8]
-        details[token_field] = author
-      end
+      safe_author = safe_author(author)
+      details[token_field] = safe_author if safe_author.is_a?(String)

      details[:errors] = @runner.errors.full_messages unless @runner.errors.empty?

-      super(author, token_scope, details)
+      super(safe_author, token_scope, details)
    end

    def track_event
@@ -40,6 +40,10 @@ module AuditEvents

    private

+    def token_field
+      raise NotImplementedError, "Please implement #{self.class}##{__method__}"
+    end
+
    def message
      raise NotImplementedError, "Please implement #{self.class}##{__method__}"
    end
@@ -59,5 +63,14 @@ module AuditEvents
        url_helpers.admin_runner_path(@runner)
      end
    end
+
+    def safe_author(author)
+      return author unless author.is_a?(String)
+
+      safe_token_length = SAFE_TOKEN_LENGTH
+      safe_token_length += ::RunnersTokenPrefixable::RUNNERS_TOKEN_PREFIX.length if author.start_with?(::RunnersTokenPrefixable::RUNNERS_TOKEN_PREFIX)
+
+      author[0...safe_token_length]
+    end
  end
 end
--- a/ee/spec/services/audit_events/register_runner_audit_event_service_spec.rb
+++ b/ee/spec/services/audit_events/register_runner_audit_event_service_spec.rb
@@ -56,7 +56,7 @@ RSpec.describe AuditEvents::RegisterRunnerAuditEventService do
          entity_path: nil,
          target_details: target_details,
          details: {
-            runner_registration_token: author[0...8],
+            runner_registration_token: author[0...described_class::SAFE_TOKEN_LENGTH],
            entity_path: nil,
            target_details: target_details
          }
@@ -90,13 +90,28 @@ RSpec.describe AuditEvents::RegisterRunnerAuditEventService do
      end

      context 'on persisted runner' do
-        let(:runner) { create(:ci_runner) }
+        let_it_be(:runner) { create(:ci_runner) }
+
        let(:target_details) { ::Gitlab::Routing.url_helpers.admin_runner_path(runner) }
        let(:extra_attrs) do
          { details: { custom_message: 'Registered instance CI runner' } }
        end

        it_behaves_like 'expected audit log'
+
+        context 'with registration token prefixed with RUNNERS_TOKEN_PREFIX' do
+          let(:author) { "#{::RunnersTokenPrefixable::RUNNERS_TOKEN_PREFIX}b6bce79c3a" }
+          let(:extra_attrs) do
+            {
+              details: {
+                custom_message: 'Registered instance CI runner',
+                runner_registration_token: author[0...::RunnersTokenPrefixable::RUNNERS_TOKEN_PREFIX.length + described_class::SAFE_TOKEN_LENGTH]
+              }
+            }
+          end
+
+          it_behaves_like 'expected audit log'
+        end
      end
    end

@@ -107,14 +122,14 @@ RSpec.describe AuditEvents::RegisterRunnerAuditEventService do
      let(:target_details) { }
      let(:attrs) do
        common_attrs.deep_merge(
-          author_name: author[0...8],
+          author_name: author[0...described_class::SAFE_TOKEN_LENGTH],
          entity_id: entity.id,
          entity_type: entity.class.name,
          entity_path: entity.full_path,
          target_details: target_details,
          details: {
-            author_name: author[0...8],
-            runner_registration_token: author[0...8],
+            author_name: author[0...described_class::SAFE_TOKEN_LENGTH],
+            runner_registration_token: author[0...described_class::SAFE_TOKEN_LENGTH],
            custom_message: 'Registered group CI runner',
            entity_id: entity.id,
            entity_type: entity.class.name,
@@ -167,14 +182,14 @@ RSpec.describe AuditEvents::RegisterRunnerAuditEventService do
        let(:target_details) { }
        let(:attrs) do
          common_attrs.deep_merge(
-            author_name: author[0...8],
+            author_name: author[0...described_class::SAFE_TOKEN_LENGTH],
            entity_id: entity.id,
            entity_type: entity.class.name,
            entity_path: entity.full_path,
            target_details: target_details,
            details: {
-              author_name: author[0...8],
-              runner_registration_token: author[0...8],
+              author_name: author[0...described_class::SAFE_TOKEN_LENGTH],
+              runner_registration_token: author[0...described_class::SAFE_TOKEN_LENGTH],
              entity_id: entity.id,
              entity_type: entity.class.name,
              entity_path: entity.full_path,