Commit c20e990d authored by Ash McKenzie's avatar Ash McKenzie

Merge branch 'jej/audit-log-group-saml-membership' into 'master'

Log AuditEvent when GroupSAML adds member to group

Closes #217954

See merge request gitlab-org/gitlab!32333
parents 454c8f25 8a9b0255
---
title: Log Audit Event when Group SAML adds a user to a group
merge_request: 32333
author:
type: changed
...@@ -16,7 +16,9 @@ module Gitlab ...@@ -16,7 +16,9 @@ module Gitlab
def execute def execute
return if group.member?(@user) return if group.member?(@user)
group.add_user(@user, default_membership_level) member = group.add_user(@user, default_membership_level)
log_audit_event(member: member)
end end
private private
...@@ -24,6 +26,14 @@ module Gitlab ...@@ -24,6 +26,14 @@ module Gitlab
def default_membership_level def default_membership_level
:guest :guest
end end
def log_audit_event(member:)
::AuditEventService.new(
@user,
member.source,
action: :create
).for_member(member).security_event
end
end end
end end
end end
......
...@@ -71,6 +71,7 @@ describe Groups::OmniauthCallbacksController do ...@@ -71,6 +71,7 @@ describe Groups::OmniauthCallbacksController do
it 'logs group audit event for authentication' do it 'logs group audit event for authentication' do
audit_event_service = instance_double(AuditEventService) audit_event_service = instance_double(AuditEventService)
allow(AuditEventService).to receive(:new).and_call_original
expect(AuditEventService).to receive(:new).with(user, group, with: provider) expect(AuditEventService).to receive(:new).with(user, group, with: provider)
.and_return(audit_event_service) .and_return(audit_event_service)
expect(audit_event_service).to receive_message_chain(:for_authentication, :security_event) expect(audit_event_service).to receive_message_chain(:for_authentication, :security_event)
...@@ -160,6 +161,17 @@ describe Groups::OmniauthCallbacksController do ...@@ -160,6 +161,17 @@ describe Groups::OmniauthCallbacksController do
expect(flash[:notice]).to match(/SAML for .* was added/) expect(flash[:notice]).to match(/SAML for .* was added/)
end end
it 'logs group audit event for being added to the group' do
audit_event_service = instance_double(AuditEventService)
expect(AuditEventService).to receive(:new).ordered.and_call_original
expect(AuditEventService).to receive(:new).ordered.with(user, group, action: :create)
.and_return(audit_event_service)
expect(audit_event_service).to receive_message_chain(:for_member, :security_event)
post provider, params: { group_id: group }
end
context 'with IdP initiated request' do context 'with IdP initiated request' do
let(:last_request_id) { '99999' } let(:last_request_id) { '99999' }
......
...@@ -28,4 +28,12 @@ describe Gitlab::Auth::GroupSaml::MembershipUpdater do ...@@ -28,4 +28,12 @@ describe Gitlab::Auth::GroupSaml::MembershipUpdater do
expect(group.members.pluck(:access_level)).to eq([Gitlab::Access::MAINTAINER]) expect(group.members.pluck(:access_level)).to eq([Gitlab::Access::MAINTAINER])
end end
it "logs an audit event" do
expect do
described_class.new(user, saml_provider).execute
end.to change { AuditEvent.by_entity('Group', group).count }.by(1)
expect(AuditEvent.last.details).to include(add: 'user_access', target_details: user.name, as: 'Guest')
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment