Track usage of CI Secrets Management (Vault secrets)

Implement usage ping for Vault secrets using Reds HLL counters. See https://gitlab.com/gitlab-org/gitlab/-/issues/235758.

Track usage of CI Secrets Management (Vault secrets)
Implement usage ping for Vault secrets using Reds HLL counters. See https://gitlab.com/gitlab-org/gitlab/-/issues/235758.
fabac744 · Krasimir Angelov · 5ebdd826 · fabac744 · fabac744 · fabac744
Commit fabac744 authored Oct 30, 2020 by Krasimir Angelov
7 changed files
--- a/changelogs/unreleased/235758-track-ci-secrets-management-vault-usage.yml
+++ b/changelogs/unreleased/235758-track-ci-secrets-management-vault-usage.yml
+---
+title: Track usage of CI Secrets Management (Vault secrets)
+merge_request: 46515
+author:
+type: added
--- a/config/feature_flags/development/usage_data_i_ci_secrets_management_vault_build_created.yml
+++ b/config/feature_flags/development/usage_data_i_ci_secrets_management_vault_build_created.yml
+---
+name: usage_data_i_ci_secrets_management_vault_build_created
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46515
+rollout_issue_url:
+milestone: '13.6'
+type: development
+group: group::release management
+default_enabled: true
--- a/ee/app/models/ee/ci/build.rb
+++ b/ee/app/models/ee/ci/build.rb
@@ -31,6 +31,7 @@ module EE
        has_many :security_scans, class_name: 'Security::Scan'

        after_save :stick_build_if_status_changed
+        after_commit :track_ci_secrets_management_usage, on: :create
        delegate :service_specification, to: :runner_session, allow_nil: true

        scope :license_scan, -> { joins(:job_artifacts).merge(::Ci::JobArtifact.license_scanning_reports) }
@@ -135,6 +136,8 @@ module EE
      end

      def ci_secrets_management_available?
+        return false unless project
+
        project.feature_available?(:ci_secrets_management)
      end

@@ -172,6 +175,13 @@ module EE
          end.keys
        end
      end
+
+      def track_ci_secrets_management_usage
+        return unless ::Feature.enabled?(:usage_data_i_ci_secrets_management_vault_build_created, default_enabled: true)
+        return unless ci_secrets_management_available? && secrets?
+
+        ::Gitlab::UsageDataCounters::HLLRedisCounter.track_event(user_id, 'i_ci_secrets_management_vault_build_created')
+      end
    end
  end
 end
--- a/ee/spec/models/ci/build_spec.rb
+++ b/ee/spec/models/ci/build_spec.rb
@@ -15,6 +15,17 @@ RSpec.describe Ci::Build do

  let(:job) { create(:ci_build, pipeline: pipeline) }
  let(:artifact) { create(:ee_ci_job_artifact, :sast, job: job, project: job.project) }
+  let(:valid_secrets) do
+    {
+      DATABASE_PASSWORD: {
+        vault: {
+          engine: { name: 'kv-v2', path: 'kv-v2' },
+          path: 'production/db',
+          field: 'password'
+        }
+      }
+    }
+  end

  describe '.license_scan' do
    subject(:build) { described_class.license_scan.first }
@@ -475,7 +486,15 @@ RSpec.describe Ci::Build do
  end

  describe 'ci_secrets_management_available?' do
-    subject(:build) { job.ci_secrets_management_available? }
+    subject { job.ci_secrets_management_available? }
+
+    context 'when build has no project' do
+      before do
+        job.update!(project: nil)
+      end
+
+      it { is_expected.to be false }
+    end

    context 'when secrets management feature is available' do
      before do
@@ -495,18 +514,6 @@ RSpec.describe Ci::Build do
  end

  describe '#runner_required_feature_names' do
-    let(:valid_secrets) do
-      {
-        DATABASE_PASSWORD: {
-          vault: {
-            engine: { name: 'kv-v2', path: 'kv-v2' },
-            path: 'production/db',
-            field: 'password'
-          }
-        }
-      }
-    end
-
    let(:build) { create(:ci_build, secrets: secrets) }

    subject { build.runner_required_feature_names }
@@ -547,4 +554,56 @@ RSpec.describe Ci::Build do
      end
    end
  end
+
+  describe "secrets management usage data" do
+    context 'when secrets management feature is not available' do
+      before do
+        stub_licensed_features(ci_secrets_management: false)
+      end
+
+      it 'does not track unique users' do
+        expect(Gitlab::UsageDataCounters::HLLRedisCounter).not_to receive(:track_event)
+
+        create(:ci_build, secrets: valid_secrets)
+      end
+    end
+
+    context 'when secrets management feature is available' do
+      before do
+        stub_licensed_features(ci_secrets_management: true)
+      end
+
+      context 'when there are secrets defined' do
+        context 'on create' do
+          it 'tracks unique users' do
+            ci_build = build(:ci_build, secrets: valid_secrets)
+
+            expect(Gitlab::UsageDataCounters::HLLRedisCounter).to receive(:track_event).with(ci_build.user_id, 'i_ci_secrets_management_vault_build_created')
+
+            ci_build.save!
+          end
+        end
+
+        context 'on update' do
+          it 'does not track unique users' do
+            ci_build = create(:ci_build, secrets: valid_secrets)
+
+            expect(Gitlab::UsageDataCounters::HLLRedisCounter).not_to receive(:track_event)
+
+            ci_build.success
+          end
+        end
+      end
+    end
+
+    context 'when there are no secrets defined' do
+      let(:secrets) { {} }
+
+      it 'does not track unique users' do
+        expect(Gitlab::UsageDataCounters::HLLRedisCounter).not_to receive(:track_event)
+
+        create(:ci_build, secrets: {})
+      end
+    end
+  end
 end
--- a/lib/gitlab/usage_data_counters/known_events.yml
+++ b/lib/gitlab/usage_data_counters/known_events.yml
@@ -319,3 +319,8 @@
  category: issues_edit
  redis_slot: project_management
  aggregation: daily
+# Secrets Management
+- name: i_ci_secrets_management_vault_build_created
+  category: ci_secrets_management
+  redis_slot: ci_secrets_management
+  aggregation: weekly
--- a/spec/lib/gitlab/usage_data_counters/hll_redis_counter_spec.rb
+++ b/spec/lib/gitlab/usage_data_counters/hll_redis_counter_spec.rb
@@ -20,7 +20,10 @@ RSpec.describe Gitlab::UsageDataCounters::HLLRedisCounter, :clean_gitlab_redis_s

  describe '.categories' do
    it 'gets all unique category names' do
-      expect(described_class.categories).to contain_exactly('analytics', 'compliance', 'ide_edit', 'search', 'source_code', 'incident_management', 'issues_edit', 'testing')
+      expect(described_class.categories).to contain_exactly(
+        'analytics', 'compliance', 'ide_edit', 'search', 'source_code',
+        'incident_management', 'issues_edit', 'testing', 'ci_secrets_management'
+      )
    end
  end


--- a/spec/lib/gitlab/usage_data_spec.rb
+++ b/spec/lib/gitlab/usage_data_spec.rb
@@ -1216,7 +1216,7 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
    subject { described_class.redis_hll_counters }

    let(:categories) { ::Gitlab::UsageDataCounters::HLLRedisCounter.categories }
-    let(:ineligible_total_categories) { %w[source_code testing] }
+    let(:ineligible_total_categories) { %w[source_code testing ci_secrets_management] }

    it 'has all known_events' do
      expect(subject).to have_key(:redis_hll_counters)