Enabling Audit event when default branch changes for a project

This commit adds an event in audit events table whenever a default
branch is being changed using project repository settings. Also,
added relevant section in the doc for administrating audit events.

app/services/projects/update_service.rb

@@ -56,11 +56,25 @@ module Projects
         raise ValidationError.new(s_('UpdateProject|Cannot rename project because it contains container registry tags!'))
       end
 
-      if changing_default_branch?
-        raise ValidationError.new(s_("UpdateProject|Could not set the default branch")) unless project.change_head(params[:default_branch])
+      validate_default_branch_change
+    end
+
+    def validate_default_branch_change
+      return unless changing_default_branch?
+
+      previous_default_branch = project.default_branch
+
+      if project.change_head(params[:default_branch])
+        after_default_branch_change(previous_default_branch)
+      else
+        raise ValidationError.new(s_("UpdateProject|Could not set the default branch"))
       end
     end
 
+    def after_default_branch_change(previous_default_branch)
+      # overridden by EE module
+    end
+
     def remove_unallowed_params
       params.delete(:emails_disabled) unless can?(current_user, :set_emails_disabled, project)
     end

doc/administration/audit_events.md

@@ -101,6 +101,7 @@ From there, you can see the following actions:
 - Project CI/CD variable added, removed, or protected status changed ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/30857) in GitLab 13.4)
 - Project access token was successfully created or revoked ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/230007) in GitLab 13.9)
 - Failed attempt to create or revoke a project access token ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/230007) in GitLab 13.9)
+- When default branch changes for a project ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/52339) in GitLab 13.9)
 
 Project events can also be accessed via the [Project Audit Events API](../api/audit_events.md#project-audit-events).
 

ee/app/services/ee/projects/update_service.rb

@@ -48,6 +48,16 @@ module EE
 
       private
 
+      override :after_default_branch_change
+      def after_default_branch_change(previous_default_branch)
+        ::AuditEventService.new(
+          current_user,
+          project,
+          action: :custom,
+          custom_message: "Default branch changed from #{previous_default_branch} to #{project.default_branch}"
+        ).for_project.security_event
+      end
+
       # A user who changes any aspect of pull mirroring settings must be made
       # into the mirror user, to prevent them from acquiring capabilities
       # owned by the previous user, such as writing to a protected branch.

ee/changelogs/unreleased/shaheed121-audit_event_for_default_branch_change.yml

+---
+title: Adding audit event for default branch change
+merge_request: 52339
+author: Abdul Shaheed
+type: other

ee/spec/services/projects/update_service_spec.rb

@@ -108,6 +108,25 @@ RSpec.describe Projects::UpdateService, '#execute' do
       end
     end
 
+    describe '#default_branch' do
+      include_examples 'audit event logging' do
+        let(:operation) { update_project(project, user, default_branch: 'feature') }
+        let(:fail_condition!) do
+          allow_next_instance_of(Project) do |project|
+            allow(project).to receive(:change_head).and_return(false)
+          end
+        end
+
+        let(:attributes) do
+          audit_event_params.tap do |param|
+            param[:details].merge!(
+              custom_message: "Default branch changed from master to feature"
+            )
+          end
+        end
+      end
+    end
+
     describe '#visibility' do
       include_examples 'audit event logging' do
         let(:operation) do