Save user ID and username in Grape API log (api_json.log)

This will enable admins to identify who actually made the API request. Relates to #36960
2018-01-06 00:41:13 -08:00 · 2018-01-06 00:41:13 -08:00 · eaf9088ba8
commit eaf9088ba8
parent 7b2f9af448
5 changed files with 38 additions and 1 deletions
--- a/changelogs/unreleased/sh-store-user-in-api-logs.yml
+++ b/changelogs/unreleased/sh-store-user-in-api-logs.yml
@ -0,0 +1,5 @@
+---
+title: Save user ID and username in Grape API log (api_json.log)
+merge_request:
+author:
+type: changed
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@ -13,7 +13,8 @@ module API
        formatter: Gitlab::GrapeLogging::Formatters::LogrageWithTimestamp.new,
        include: [
          GrapeLogging::Loggers::FilterParameters.new,
-          GrapeLogging::Loggers::ClientEnv.new
+          GrapeLogging::Loggers::ClientEnv.new,
+          Gitlab::GrapeLogging::Loggers::UserLogger.new
        ]

    allow_access_with_scope :api
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@ -5,6 +5,7 @@ module API

    SUDO_HEADER = "HTTP_SUDO".freeze
    SUDO_PARAM = :sudo
+    API_USER_ENV = 'gitlab.api.user'.freeze

    def declared_params(options = {})
      options = { include_parent_namespaces: false }.merge(options)
@ -48,10 +49,16 @@ module API

      validate_access_token!(scopes: scopes_registered_for_endpoint) unless sudo?

+      save_current_user_in_env(@current_user) if @current_user
+
      @current_user
    end
    # rubocop:enable Gitlab/ModuleWithInstanceVariables

+    def save_current_user_in_env(user)
+      env[API_USER_ENV] = { user_id: user.id, username: user.username }
+    end
+
    def sudo?
      initial_current_user != current_user
    end
--- a/lib/gitlab/grape_logging/loggers/user_logger.rb
+++ b/lib/gitlab/grape_logging/loggers/user_logger.rb
@ -0,0 +1,18 @@
+# This grape_logging module (https://github.com/aserafin/grape_logging) makes it
+# possible to log the user who performed the Grape API action by retrieving
+# the user context from the request environment.
+module Gitlab
+  module GrapeLogging
+    module Loggers
+      class UserLogger < ::GrapeLogging::Loggers::Base
+        def parameters(request, _)
+          params = request.env[::API::Helpers::API_USER_ENV]
+
+          return {} unless params
+
+          params.slice(:user_id, :username)
+        end
+      end
+    end
+  end
+end
--- a/spec/requests/api/helpers_spec.rb
+++ b/spec/requests/api/helpers_spec.rb
@ -68,6 +68,12 @@ describe API::Helpers do
          end

          it { is_expected.to eq(user) }
+
+          it 'sets the environment with data of the current user' do
+            subject
+
+            expect(env[API::Helpers::API_USER_ENV]).to eq({ user_id: subject.id, username: subject.username })
+          end
        end

        context "HEAD request" do