From 20f7c0bf098d4aca27cf751832b79344eda5fe08 Mon Sep 17 00:00:00 2001 From: Jio Castillo Date: Thu, 7 Nov 2024 12:32:56 -0800 Subject: [PATCH] Update audit event scope when a group disables 2FA for a user Changelog: changed EE: true --- doc/user/compliance/audit_event_types.md | 2 +- ee/app/services/ee/two_factor/destroy_service.rb | 2 +- ee/config/audit_events/types/user_disable_two_factor.yml | 2 +- ee/spec/services/ee/two_factor/destroy_service_spec.rb | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 3653d485c61aeb..89e5f1aa7792ad 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -554,7 +554,7 @@ Audit event types belong to the following product categories. | [`update_mismatched_group_saml_extern_uid`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/104791) | Triggered when the external UID is changed on a SAML identity. | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/382256) | User | | [`user_access_locked`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124169) | Event triggered when user access to the instance is locked | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.2](https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/244) | User | | [`user_access_unlocked`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124973) | Event triggered when user access to the instance is unlocked | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [16.2](https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/244) | User | -| [`user_disable_two_factor`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89598) | Audit event triggered when user disables two factor authentication | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/238177) | User | +| [`user_disable_two_factor`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89598) | Audit event triggered when user disables two factor authentication | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/238177) | User, Group | | [`user_enable_admin_mode`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/104754) | Event triggered on enabling Admin Mode | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/362101) | User | ### Team planning 
diff --git a/ee/app/services/ee/two_factor/destroy_service.rb b/ee/app/services/ee/two_factor/destroy_service.rb index 71a0feaec58045..507cf5bc24bd5c 100644 --- a/ee/app/services/ee/two_factor/destroy_service.rb +++ b/ee/app/services/ee/two_factor/destroy_service.rb @@ -19,7 +19,7 @@ def notify_on_success(user) audit_context = { name: 'user_disable_two_factor', author: current_user, - scope: user, + scope: group || user, target: user, message: 'Disabled two-factor authentication', created_at: DateTime.current diff --git a/ee/config/audit_events/types/user_disable_two_factor.yml b/ee/config/audit_events/types/user_disable_two_factor.yml index 8c856ae44fbbee..e20788b0b8c44d 100644 --- a/ee/config/audit_events/types/user_disable_two_factor.yml +++ b/ee/config/audit_events/types/user_disable_two_factor.yml @@ -7,4 +7,4 @@ milestone: '15.1' feature_category: system_access saved_to_database: true streamed: true -scope: [User] +scope: [User, Group] diff --git a/ee/spec/services/ee/two_factor/destroy_service_spec.rb b/ee/spec/services/ee/two_factor/destroy_service_spec.rb index 4839d1144a445d..18f90ac8dea7f4 100644 --- a/ee/spec/services/ee/two_factor/destroy_service_spec.rb +++ b/ee/spec/services/ee/two_factor/destroy_service_spec.rb @@ -43,7 +43,7 @@ expect(AuditEvent.last).to have_attributes( author: current_user, - entity_id: user.id, + entity_id: group.id, target_id: user.id, target_type: current_user.class.name, target_details: user.name, -- GitLab
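Review bot: In the `user_disable_two_factor` row of `doc/user/compliance/audit_event_types.md`, the description still reads "Audit event triggered when user disables two factor authentication" while the scope column becomes `User, Group`. The commit subject says the group scope applies when a group disables 2FA for a user, so the description should name that case. Otherwise a reader of the table cannot tell which action produces the group-scoped event. If the table is generated from the type definition, the wording belongs in that definition rather than in this file.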
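Review bot: In `notify_on_success` in `ee/app/services/ee/two_factor/destroy_service.rb`, `scope: group || user` replaces the user scope with the group scope whenever `group` is present, so anything that watches user-scoped events for 2FA removal stops seeing the group-initiated case. Please confirm that is intended and say so in a comment above the hash. `group` is not defined in the visible context, so it is also worth confirming that it is `nil` on the path where a user disables their own 2FA, because the `|| user` fallback depends on it. The `message` stays 'Disabled two-factor authentication' on both paths, leaving only `author` versus `target` to tell them apart.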
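Review bot: In `ee/spec/services/ee/two_factor/destroy_service_spec.rb`, the changed expectation `entity_id: group.id` checks only the numeric id, and the visible `have_attributes` list has no `entity_type`, so the example would still pass if a user record with the same id were used as the scope. Adding `entity_type` to the list would prove the entity is the group. The change also replaces the `entity_id: user.id` expectation rather than adding to it. Unless another example covers a call without a group, the `|| user` fallback in the service is left untested.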