diff --git a/ee/app/controllers/ee/omniauth_callbacks_controller.rb b/ee/app/controllers/ee/omniauth_callbacks_controller.rb index 9691f33bd0d5a7ab99ea314333f554f4bb51f8e2..091c759eae11a18b87c54a514ba8f7c410e4242f 100644 --- a/ee/app/controllers/ee/omniauth_callbacks_controller.rb +++ b/ee/app/controllers/ee/omniauth_callbacks_controller.rb @@ -22,11 +22,20 @@ def openid_connect override :log_failed_login def log_failed_login(author, provider) - ::AuditEventService.new( - author, - nil, - with: provider - ).for_failed_login.unauth_security_event + unauth_author = ::Gitlab::Audit::UnauthenticatedAuthor.new(name: author) + user = ::User.new(id: unauth_author.id, name: author) + ::Gitlab::Audit::Auditor.audit({ + name: "omniauth_login_failed", + author: unauth_author, + scope: user, + target: user, + additional_details: { + failed_login: provider.upcase, + author_name: user.name, + target_details: user.name + }, + message: "#{provider.upcase} login failed" + }) end override :after_sign_up_path diff --git a/ee/app/controllers/ee/registrations_controller.rb b/ee/app/controllers/ee/registrations_controller.rb index 163c22dd151782b164435b6b6e0eed8543d8f39b..223cdef4e312c92faf6f7b1e280e9e946f17772d 100644 --- a/ee/app/controllers/ee/registrations_controller.rb +++ b/ee/app/controllers/ee/registrations_controller.rb @@ -99,12 +99,14 @@ def ensure_can_remove_self def log_audit_event(user) return unless user&.persisted? - ::AuditEventService.new( - user, - user, - action: :custom, - custom_message: _('Instance access request') - ).for_user.security_event + ::Gitlab::Audit::Auditor.audit({ + name: "registration_created", + author: user, + scope: user, + target: user, + target_details: user.username, + message: _("Instance access request") + }) end override :after_sign_up_path 
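Review bot: The transient `::User.new(id: unauth_author.id, name: author)` that is passed as both `scope` and `target` is the non-obvious part of the `log_failed_login` hunk and carries no comment; a reader will ask why a failed login is attributed to a User that is never persisted. Suggested comment above that line: `# a failed login has no persisted user; a transient User carrying the unauthenticated author's id stands in as scope/target so the event still has an entity`. `provider.upcase` is computed twice and `user.name` is repeated under `author_name` and `target_details`; hoisting `provider_name = provider.upcase` once makes the hash easier to scan. `author` appears to be the login name the caller received rather than a verified identity, so `author_name`, `target_details` and the message record unverified input — expected for an audit trail, but downstream consumers of the streamed event should not read that value back as an existing account name.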
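Review bot: In the `log_audit_event` hunk of registrations_controller.rb `target_details: user.username` is passed as a top-level key, whereas the `log_failed_login` hunk in omniauth_callbacks_controller.rb puts `target_details` inside `additional_details`; the two new `Auditor.audit` calls should use one form, since the specs assert both the `target_details` column and the `details` hash for each event. If the Auditor populates both from either form, a one-line comment at one of the call sites naming the chosen convention (top-level vs `additional_details`) would save the next reader the lookup. `author: user, scope: user, target: user` is self-attribution, matching the removed `for_user` call, so no change is needed there.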
diff --git a/ee/config/audit_events/types/omniauth_login_failed.yml b/ee/config/audit_events/types/omniauth_login_failed.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5355354e5bb49cdd6e17a18549e3808d247f830e
--- /dev/null
+++ b/ee/config/audit_events/types/omniauth_login_failed.yml
@@ -0,0 +1,9 @@
+---
+name: omniauth_login_failed
+description: Event triggered when an OmniAuth login fails
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374107
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123080
+feature_category: compliance_management
+milestone: '16.3'
+saved_to_database: true
+streamed: true
diff --git a/ee/config/audit_events/types/registration_created.yml b/ee/config/audit_events/types/registration_created.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4a228d15cf80a206ba0f8fdfd0183d563bad8470
--- /dev/null
+++ b/ee/config/audit_events/types/registration_created.yml
@@ -0,0 +1,9 @@
+---
+name: registration_created
+description: Event triggered when a user registers for instance access
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374107
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/123080
+feature_category: compliance_management
+milestone: '16.3'
+saved_to_database: true
+streamed: true
diff --git a/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb b/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb
index 9461ce3635b0e7cee926d064cb374eb875dcddf1..2008e981fc6204460c627ad7ec2feb0a9365804d 100644
--- a/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb
+++ b/ee/spec/controllers/ee/omniauth_callbacks_controller_spec.rb
@@ -28,9 +28,28 @@ ) end - it 'audits provider failed login when licensed' do + it 'audits provider failed login when licensed', :aggregate_failures do stub_licensed_features(extended_audit_events: true) + + expect(::Gitlab::Audit::Auditor).to receive(:audit).with(hash_including({ + name: "omniauth_login_failed" + })).and_call_original + expect { subject.failure }.to change { AuditEvent.count }.by(1) + + expect(AuditEvent.last).to have_attributes( + attributes: hash_including({ + "author_name" => user.username, + "entity_type" => "User", + "target_details" => user.username + }), + details: hash_including({ + failed_login: "LDAP", + author_name: user.username, + target_details: user.username, + custom_message: "LDAP login failed" + }) + ) end it 'does not audit provider failed login when unlicensed' do diff --git a/ee/spec/controllers/ee/registrations_controller_spec.rb b/ee/spec/controllers/ee/registrations_controller_spec.rb index 1162d221da2c0a937530a06f34af78952b74c2e5..09921af8240fe001ae4f4ea88007bc6bb2d621d0 100644 --- a/ee/spec/controllers/ee/registrations_controller_spec.rb +++ b/ee/spec/controllers/ee/registrations_controller_spec.rb 
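Review bot: The new `have_attributes` block checks `entity_type`, `author_name` and `target_details` but never asserts the event's `author_id` or `entity_id`, which for a failed-login event is the property that matters most: the row must be attributed to the unauthenticated author rather than to a real account. Adding `"author_id" => ::Gitlab::Audit::UnauthenticatedAuthor.new(name: user.username).id` to the `attributes:` expectation pins that. `AuditEvent.last` is order-dependent, and the `"LDAP"` literals are tied to a provider configured outside this hunk, so referencing that provider variable instead of repeating the literal keeps the two in step; expecting `user.username` for `"author_name"` likewise assumes the controller is invoked with the username, which the hunk itself cannot show.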
@@ -120,14 +120,30 @@ end it 'logs the audit event info', :aggregate_failures do + expect(::Gitlab::Audit::Auditor).to receive(:audit).with(hash_including({ + name: "registration_created" + })).and_call_original + subject created_user = User.find_by(email: new_user_email) audit_event = AuditEvent.where(author_id: created_user.id).last - expect(audit_event.ip_address).to eq(created_user.current_sign_in_ip) - expect(audit_event.details[:target_details]).to eq(created_user.username) - expect(audit_event.details[:custom_message]).to eq('Instance access request') + expect(audit_event).to have_attributes( + entity: created_user, + author: created_user, + ip_address: created_user.current_sign_in_ip, + attributes: hash_including({ + "target_details" => created_user.username, + "target_id" => created_user.id, + "target_type" => "User", + "entity_path" => created_user.full_path + }), + details: hash_including({ + target_details: created_user.username, + custom_message: "Instance access request" + }) + ) end context 'with invalid user' do
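Review bot: `audit_event = AuditEvent.where(author_id: created_user.id).last` can be nil when nothing was written, and the new `have_attributes` then fails on nil with an opaque message instead of stating that no event was recorded; the sibling omniauth spec already uses `expect { ... }.to change { AuditEvent.count }.by(1)`, so either that form or an explicit `expect(audit_event).to be_present` before the `have_attributes` call keeps the failure readable. The `receive(:audit).with(hash_including(name: ...))` expectation pins only the event name, which is reasonable here because the user does not exist before `subject` runs; the `entity:`/`author:` assertions below are the right place for attribution and do cover it.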