Save user ID and username in Grape API log (api_json.log)

This will enable admins to identify who actually made the API request.

Relates to #36960
Stan Hu 2018-01-06 00:41:13 -08:00
parent 7b2f9af448
commit eaf9088ba8
5 changed files with 38 additions and 1 deletions


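--- a/<PATH: changelog entry, not shown on page>
+++ b/<PATH: changelog entry, not shown on page>
@@ -0,0 +1,5 @@
+---
+title: Save user ID and username in Grape API log (api_json.log)
+merge_request:
+author:
+type: changed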


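--- a/<PATH: Grape API logger configuration, not shown on page>
+++ b/<PATH: Grape API logger configuration, not shown on page>
@@ -13,7 +13,8 @@ module API
 formatter: Gitlab::GrapeLogging::Formatters::LogrageWithTimestamp.new,
 include: [
 GrapeLogging::Loggers::FilterParameters.new,
-GrapeLogging::Loggers::ClientEnv.new
+GrapeLogging::Loggers::ClientEnv.new,
+Gitlab::GrapeLogging::Loggers::UserLogger.new
 ]
 allow_access_with_scope :api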


@ -5,6 +5,7 @@ module API
SUDO_HEADER = "HTTP_SUDO".freeze
SUDO_PARAM = :sudo
API_USER_ENV = 'gitlab.api.user'.freeze
def declared_params(options = {})
options = { include_parent_namespaces: false }.merge(options)
@ -48,10 +49,16 @@ module API
validate_access_token!(scopes: scopes_registered_for_endpoint) unless sudo?
save_current_user_in_env(@current_user) if @current_user
@current_user
end
# rubocop:enable Gitlab/ModuleWithInstanceVariables
def save_current_user_in_env(user)
env[API_USER_ENV] = { user_id: user.id, username: user.username }
end
def sudo?
initial_current_user != current_user
end
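Review bot: When a request is made with a valid sudo header, `save_current_user_in_env(@current_user)` records the impersonated account, not the account whose token authorised the request, so the new log fields cannot attribute a sudo'd call to the administrator who actually made it; `sudo?` is defined right below as `initial_current_user != current_user`, so the original identity is available at this point. I would also store the sudoer, e.g. `env[API_USER_ENV][:sudo_user_id] = initial_current_user.id if initial_current_user != user` inside `save_current_user_in_env`, comparing against `user` directly rather than calling `sudo?`, because `sudo?` calls back into `current_user`. The enclosing `current_user` method starts outside the hunk, so whether `initial_current_user` is already resolved when this line runs (it appears to be, given the `unless sudo?` on the preceding line) should be confirmed there, and the `# rubocop:enable Gitlab/ModuleWithInstanceVariables` line should stay after the new call so the `@current_user` access remains under the disable that precedes the hunk.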


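--- a/<PATH: Gitlab::GrapeLogging::Loggers::UserLogger, not shown on page>
+++ b/<PATH: Gitlab::GrapeLogging::Loggers::UserLogger, not shown on page>
@@ -0,0 +1,18 @@
+# This grape_logging module (https://github.com/aserafin/grape_logging) makes it
+# possible to log the user who performed the Grape API action by retrieving
+# the user context from the request environment.
+module Gitlab
+module GrapeLogging
+module Loggers
+class UserLogger < ::GrapeLogging::Loggers::Base
+def parameters(request, _)
+params = request.env[::API::Helpers::API_USER_ENV]
+return {} unless params
+params.slice(:user_id, :username)
+end
+end
+end
+end
+end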
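Review bot: The header comment explains where the user context comes from but not when it is present: the env hash is written only once `API::Helpers#current_user` has resolved a user for the request, so unauthenticated requests and endpoints that never call `current_user` produce no `user_id`/`username` fields, and a missing field must not be read as "anonymous" by anyone querying api_json.log. I would add above `parameters`: `# Returns {} when API::Helpers#current_user was not invoked for this request (no token, or an endpoint that never resolves the user); absence of user_id does not by itself mean the request was anonymous.` The `slice(:user_id, :username)` is redundant today, since the hash is only written with exactly those keys, but it is a cheap guard against extra keys leaking into the log if that hash grows; a one-line comment saying so would stop the next reader from removing it.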


@ -68,6 +68,12 @@ describe API::Helpers do
end
it { is_expected.to eq(user) }
it 'sets the environment with data of the current user' do
subject
expect(env[API::Helpers::API_USER_ENV]).to eq({ user_id: subject.id, username: subject.username })
end
end
context "HEAD request" do
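Review bot: The new `Gitlab::GrapeLogging::Loggers::UserLogger` has no spec in this commit (the five changed files are the changelog entry, the Grape logger configuration, `API::Helpers`, the logger class and this spec), so its `return {} unless params` branch and the `slice` to `:user_id`/`:username` are unverified. The example added here only covers the populated case; a companion example asserting `expect(env[API::Helpers::API_USER_ENV]).to be_nil` when no user is authenticated (assuming `env` is a plain Hash in this spec), plus a small spec calling `UserLogger#parameters` with and without the env key, would pin both sides. The enclosing `describe`/`context` blocks start outside the hunk.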