From 1f5318f1e15311f64fd74e89fa2734c12be0dfb1 Mon Sep 17 00:00:00 2001
From: Sashi Kumar Kumaresan
Date: Fri, 21 Oct 2022 20:42:58 +0000
Subject: [PATCH 1/2] Draft: Audit policy project changes
---
 .../services/security/orchestration/assign_service.rb | 11 +++++++++++
 .../security/orchestration/unassign_service.rb | 11 ++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/ee/app/services/security/orchestration/assign_service.rb b/ee/app/services/security/orchestration/assign_service.rb
index e3d4b3bd63412a..2ffe19eaf2d2fe 100644
--- a/ee/app/services/security/orchestration/assign_service.rb
+++ b/ee/app/services/security/orchestration/assign_service.rb
@@ -20,6 +20,7 @@ def create_or_update_security_policy_configuration
         if policy_project_id.blank? && has_existing_policy?
           return unassign_policy_project
         end
+        audit_message = ''
 
         policy_project = Project.find(policy_project_id)
 
@@ -27,11 +28,21 @@ def create_or_update_security_policy_configuration
           container.security_orchestration_policy_configuration.update!(
             security_policy_management_project_id: policy_project.id
           )
+          audit_message = "Removed and added new policy project"
         else
           container.create_security_orchestration_policy_configuration! do |p|
             p.security_policy_management_project_id = policy_project.id
           end
+          audit_message = "Added new policy project"
         end
+
+        ::Gitlab::Audit::Auditor.audit(
+          name: 'policy_project_updated',
+          author: current_user,
+          scope: container,
+          target: policy_project,
+          message: audit_message
+        )
       end
 
       def unassign_policy_project
diff --git a/ee/app/services/security/orchestration/unassign_service.rb b/ee/app/services/security/orchestration/unassign_service.rb
index 8ff033788dff3e..e8fe7907209ff7 100644
--- a/ee/app/services/security/orchestration/unassign_service.rb
+++ b/ee/app/services/security/orchestration/unassign_service.rb
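Review bot: The audit event emitted in the replace branch (`message: "Removed and added new policy project"`) never identifies which policy project was detached, so the trail cannot show what governed the container before this call; read `previous_id = container.security_orchestration_policy_configuration.security_policy_management_project_id` before the `update!` and fold it into the message, e.g. `audit_message = "Changed policy project from #{previous_id} to #{policy_project.id}"`. The `audit_message = ''` initialization added in the first hunk is dead, because both branches of the `if`/`else` assign the variable unconditionally; deriving the message from the branch condition in one expression removes it. The `if` whose `else` this hunk shows begins outside the hunk, so its condition is not visible here.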
@@ -9,7 +9,16 @@ def execute
         security_orchestration_policy_configuration.delete_scan_finding_rules # To be removed in https://gitlab.com/gitlab-org/gitlab/-/issues/369473#feature-update
         result = security_orchestration_policy_configuration.delete
-        return success if result
+        if result
+          ::Gitlab::Audit::Auditor.audit(
+            name: 'policy_project_updated',
+            author: current_user,
+            scope: container,
+            target: container,
+            message: "Removed policy project"
+          )
+          return success
+        end
 
         error(container.security_orchestration_policy_configuration.errors.full_messages.to_sentence)
       end
-- 
GitLab

From 0562266828eb0c86049c2979bceb20183d5bc378 Mon Sep 17 00:00:00 2001
From: Sashi Kumar Kumaresan
Date: Fri, 21 Oct 2022 20:44:18 +0000
Subject: [PATCH 2/2] Rubocop fixes
---
 ee/app/services/security/orchestration/assign_service.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ee/app/services/security/orchestration/assign_service.rb b/ee/app/services/security/orchestration/assign_service.rb
index 2ffe19eaf2d2fe..0829dab6c3b7ee 100644
--- a/ee/app/services/security/orchestration/assign_service.rb
+++ b/ee/app/services/security/orchestration/assign_service.rb
@@ -20,6 +20,7 @@ def create_or_update_security_policy_configuration
         if policy_project_id.blank? && has_existing_policy?
           return unassign_policy_project
         end
+
         audit_message = ''
 
         policy_project = Project.find(policy_project_id)
-- 
GitLab
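Review bot: The new audit event uses `target: container` with the fixed message `"Removed policy project"`, so it records nothing about which policy project was detached, which is the one fact a reader of the trail needs from an unassignment. `security_orchestration_policy_configuration` is still available on the line before the `delete`, so read `removed_id = security_orchestration_policy_configuration.security_policy_management_project_id` ahead of `delete` and use it, e.g. `message: "Removed policy project #{removed_id}"`. `def execute` starts outside the hunk and is visible only in the hunk header.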