Resolve IP address from RequestContext for audit

Callers of AuditEventService does not always have access to IP address (e.g. Service classes). In addition, acquiring this piece of information should not be the responsibility of the callers. IP address can be retrieved from RequestContext and injected directly on AuditEventService. This approach helps keeping the interface to AuditEventService small and be more user-friendly.

Resolve IP address from RequestContext for audit
Callers of AuditEventService does not always have access to IP address (e.g. Service classes). In addition, acquiring this piece of information should not be the responsibility of the callers. IP address can be retrieved from RequestContext and injected directly on AuditEventService. This approach helps keeping the interface to AuditEventService small and be more user-friendly.
816032b2 · Tan Le · 894d255e · 816032b2 · 816032b2 · 816032b2
Commit 816032b2 authored Oct 26, 2020 by Tan Le
3 changed files
--- a/app/services/audit_event_service.rb
+++ b/app/services/audit_event_service.rb
@@ -16,7 +16,7 @@ class AuditEventService
    @author = build_author(author)
    @entity = entity
    @details = details
-    @ip_address = (@details[:ip_address].presence || @author.current_sign_in_ip)
+    @ip_address = resolve_ip_address(@details, @author)
  end
  # Builds the @details attribute for authentication
@@ -64,6 +64,12 @@ class AuditEventService
    end
  end
+  def resolve_ip_address(details, author)
+    details[:ip_address].presence ||
+      Gitlab::RequestContext.instance.client_ip ||
+      author.current_sign_in_ip
+  end
  def base_payload
    {
      author_id: @author.id,

--- a/changelogs/unreleased/239305-resolve-ip-address-for-audit.yml
+++ b/changelogs/unreleased/239305-resolve-ip-address-for-audit.yml
+---
+title: Resolve request IP address on audit event
+merge_request: 46114
+author:
+type: changed
--- a/spec/services/audit_event_service_spec.rb
+++ b/spec/services/audit_event_service_spec.rb
@@ -3,17 +3,13 @@
 require 'spec_helper'
 RSpec.describe AuditEventService do
-  let(:project) { create(:project) }
+  let_it_be(:project) { create(:project) }
-  let(:user) { create(:user, :with_sign_ins) }
+  let_it_be(:user) { create(:user, :with_sign_ins) }
-  let(:project_member) { create(:project_member, user: user) }
+  let_it_be(:project_member) { create(:project_member, user: user) }
  let(:service) { described_class.new(user, project, { action: :destroy }) }
  let(:logger) { instance_double(Gitlab::AuditJsonLogger) }
  describe '#security_event' do
-    before do
-      stub_licensed_features(admin_audit_log: false)
-    end
    it 'creates an event and logs to a file' do
      expect(service).to receive(:file_logger).and_return(logger)
      expect(logger).to receive(:info).with(author_id: user.id,
@@ -78,6 +74,31 @@ RSpec.describe AuditEventService do
        audit_service.for_authentication.security_event
      end
+      context 'with IP address', :request_store do
+        using RSpec::Parameterized::TableSyntax
+        where(:from_caller, :from_context, :from_author_sign_in, :output) do
+          '192.168.0.1' | '192.168.0.2' | '192.168.0.3' | '192.168.0.1'
+          nil           | '192.168.0.2' | '192.168.0.3' | '192.168.0.2'
+          nil           | nil           | '192.168.0.3' | '192.168.0.3'
+        end
+        with_them do
+          let(:user) { create(:user, current_sign_in_ip: from_author_sign_in) }
+          let(:audit_service) { described_class.new(user, user, with: 'standard', ip_address: from_caller) }
+          before do
+            allow(Gitlab::RequestContext.instance).to receive(:client_ip).and_return(from_context)
+          end
+          specify do
+            expect(AuthenticationEvent).to receive(:new).with(hash_including(ip_address: output))
+            audit_service.for_authentication.security_event
+          end
+        end
+      end
    end
  end