Create one audit event per SAML config change

d7ad2b5b · Max Woolf · 490388aa · d7ad2b5b · d7ad2b5b
Commit d7ad2b5b authored Nov 15, 2021 by Max Woolf
2 changed files
--- a/ee/app/services/group_saml/saml_provider/base_service.rb
+++ b/ee/app/services/group_saml/saml_provider/base_service.rb
@@ -9,6 +9,10 @@ module GroupSaml
      delegate :group, to: :saml_provider
+      AUDIT_LOG_ALLOWLIST = %w[
+        enabled certificate_fingerprint sso_url enforced_sso enforced_group_managed_accounts prohibited_outer_forks default_membership_role git_check_enforced
+      ].freeze
      def initialize(current_user, saml_provider, params:)
        @saml_provider = saml_provider
        @current_user = current_user
@@ -26,14 +30,18 @@ module GroupSaml
          end
        end
-        if saml_provider.previous_changes.present?
+        saml_provider.previous_changes.each do |attribute, changes|
-          ::Gitlab::Audit::Auditor.audit(
+          next unless AUDIT_LOG_ALLOWLIST.include?(attribute)
+          audit_context = {
            name: audit_name,
            author: current_user,
            scope: saml_provider.group,
            target: saml_provider.group,
-            message: message
+            message: message(attribute, changes)
-          )
+          }
+          ::Gitlab::Audit::Auditor.audit(audit_context)
        end
      end
@@ -55,19 +63,12 @@ module GroupSaml
        raise ActiveRecord::Rollback
      end
-      def message
+      def message(attribute, changes)
-        audit_logs_allowlist = %w[enabled certificate_fingerprint sso_url enforced_sso enforced_group_managed_accounts prohibited_outer_forks default_membership_role git_check_enforced]
+        change_text = if changes[0].nil?
-        change_text = saml_provider
+                        "#{attribute} changed to #{changes[1]}. "
-                        .previous_changes
+                      else
-                        .map do |k, v|
+                        "#{attribute} changed from #{changes[0]} to #{changes[1]}. "
-          next unless audit_logs_allowlist.include?(k)
+                      end
-          if v[0].nil?
-            "#{k} changed to #{v[1]}. "
-          else
-            "#{k} changed from #{v[0]} to #{v[1]}. "
-          end
-        end.join
        "Group SAML SSO configuration changed: #{change_text}"
      end

--- a/ee/spec/support/shared_examples/services/group_saml/saml_provider/base_service_shared_examples.rb
+++ b/ee/spec/support/shared_examples/services/group_saml/saml_provider/base_service_shared_examples.rb
@@ -24,7 +24,7 @@ RSpec.shared_examples 'base SamlProvider service' do
            author: current_user,
            scope: group,
            target: group })
-      ).and_call_original
+      ).exactly(4).times.and_call_original
    expect do
      service.execute
@@ -33,13 +33,7 @@ RSpec.shared_examples 'base SamlProvider service' do
             .and change { group.saml_provider&.certificate_fingerprint }.to(fingerprint)
             .and change { group.saml_provider&.enabled? }.to(true)
             .and change { group.saml_provider&.enforced_sso? }.to(true)
-             .and change { AuditEvent.count }.by(1)
+             .and change { AuditEvent.count }.by(4)
-    expect(AuditEvent.last.details[:custom_message])
-      .to match(%r{enabled changed([\w\s]*)to true})
-      .and match(%r{enforced_sso changed([\w\s]*)to true})
-      .and match(%r{https:\/\/test})
-      .and match(%r{#{fingerprint}})
  end
 end