Commit b4ee92f2 authored by Tan Le's avatar Tan Le Committed by Thong Kuah

Record audit event when user is created

We only create an audit event when a user is created by an authorized user,
not when the creation is triggered by the system (e.g. SmartCard authentication).
parent 8301bed3
...@@ -11,12 +11,19 @@ module Users ...@@ -11,12 +11,19 @@ module Users
def execute(skip_authorization: false) def execute(skip_authorization: false)
user = Users::BuildService.new(current_user, params).execute(skip_authorization: skip_authorization) user = Users::BuildService.new(current_user, params).execute(skip_authorization: skip_authorization)
reset_token = user.generate_reset_token if user.recently_sent_password_reset?
@reset_token = user.generate_reset_token if user.recently_sent_password_reset? after_create_hook(user, reset_token) if user.save
notify_new_user(user, @reset_token) if user.save
user user
end end
private
def after_create_hook(user, reset_token)
notify_new_user(user, reset_token)
end
end end
end end
Users::CreateService.prepend_if_ee('EE::Users::CreateService')
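Review bot: `after_create_hook` is introduced as the post-save extension point but carries no comment saying so, and the name alone does not tell a CE reader that EE prepends behaviour onto it (the EE module on this same commit overrides it). I would add above the `def`: `# Runs only after a successful user.save; EE overrides this to add audit logging.` The hook also receives a `reset_token` that is nil whenever `recently_sent_password_reset?` was false, which is worth stating in the same comment because the EE override passes the arguments through `super` untouched. The enclosing `Users::CreateService` class header is outside the hunk.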
...@@ -107,6 +107,7 @@ recorded: ...@@ -107,6 +107,7 @@ recorded:
- Started/stopped user impersonation - Started/stopped user impersonation
- Changed username ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/7797) in GitLab 12.8) - Changed username ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/7797) in GitLab 12.8)
- User was deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8) - User was deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
- User was added ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
- User was blocked via Admin Area ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8) - User was blocked via Admin Area ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
It is possible to filter particular actions by choosing an audit data type from It is possible to filter particular actions by choosing an audit data type from
# frozen_string_literal: true
module EE
module Users
module CreateService
extend ::Gitlab::Utils::Override
override :after_create_hook
def after_create_hook(user, reset_token)
super
log_audit_event(user) if audit_required?
end
private
def log_audit_event(user)
::AuditEventService.new(
current_user,
user,
action: :create
).for_user.security_event
end
def audit_required?
current_user.present?
end
end
end
end
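Review bot: `audit_required?` reduces the commit's stated policy (audit only when an acting user exists, not system-triggered creations such as SmartCard authentication) to `current_user.present?`, and nothing in the code records that intent, so a later reader may take the nil guard for crash avoidance around `AuditEventService` rather than a deliberate audit-coverage decision. I would document it on the method: `# System-triggered creations (e.g. SmartCard authentication) have no acting user and are intentionally not audited.` From a detection standpoint this means such creations leave no AuditEvent row at all; if that coverage is wanted later, the hook would need an explicit system author rather than a nil check, and the comment should make clear which choice was made. `log_audit_event` runs inside `after_create_hook`, which the CE hunk calls only after `user.save` succeeds, so a failed save correctly produces no event.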
---
title: Record audit event when user is added
merge_request: 24855
author:
type: added
# frozen_string_literal: true
require 'spec_helper'
describe Users::CreateService do
let(:current_user) { create(:admin) }
let(:params) do
{
name: 'John Doe',
username: 'jduser',
email: 'jd@example.com',
password: 'mydummypass'
}
end
subject(:service) { described_class.new(current_user, params) }
context 'audit events' do
let(:operation) { service.execute }
include_examples 'audit event logging' do
let(:fail_condition!) do
expect_any_instance_of(User)
.to receive(:save).and_return(false)
end
let(:attributes) do
{
author_id: current_user.id,
entity_id: @resource.id,
entity_type: 'User',
details: {
add: 'user',
author_name: current_user.name,
target_id: @resource.full_path,
target_type: 'User',
target_details: @resource.full_path
}
}
end
end
context 'when audit is not required' do
let(:current_user) { nil }
it 'does not log audit event' do
expect { operation }.not_to change(AuditEvent, :count)
end
end
end
end
...@@ -5,19 +5,19 @@ RSpec.shared_examples 'audit event logging' do ...@@ -5,19 +5,19 @@ RSpec.shared_examples 'audit event logging' do
stub_licensed_features(extended_audit_events: true) stub_licensed_features(extended_audit_events: true)
end end
context 'if operation succeed' do context 'when operation succeeds' do
it 'logs an audit event if operation succeed' do it 'logs an audit event' do
expect { operation }.to change(AuditEvent, :count).by(1) expect { operation }.to change(AuditEvent, :count).by(1)
end end
it 'logs the project info' do it 'logs the audit event info' do
@resource = operation @resource = operation
expect(AuditEvent.last).to have_attributes(attributes) expect(AuditEvent.last).to have_attributes(attributes)
end end
end end
it 'does not log audit event if project operation fails' do it 'does not log audit event if operation fails' do
fail_condition! fail_condition!
expect { operation }.not_to change(AuditEvent, :count) expect { operation }.not_to change(AuditEvent, :count)