From 1f5b0aab1a36a10fe47b9dc3b9edeca6e9d87a28 Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Tue, 26 Nov 2024 16:46:10 +0200 Subject: [PATCH 01/13] Add audit events for removal of users with inactive SCIM id from group --- doc/user/compliance/audit_event_types.md | 1 + .../audit_events/types/inactive_scim_removal.yml | 10 ++++++++++ .../gitlab/auth/group_saml/membership_enforcer.rb | 13 +++++++++++++ 3 files changed, 24 insertions(+) create mode 100644 ee/config/audit_events/types/inactive_scim_removal.yml diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 687fb18e3f8aa3..b5d7bd2cec07fa 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -588,6 +588,7 @@ Audit event types belong to the following product categories. | [`authenticated_with_group_saml`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28575) | Triggered when successfully signing in with SAML authentication. | **{check-circle}** Yes | GitLab [12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/35710) | Group | | [`ban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116103) | Triggered when a user is banned, unbanned, blocked, or unblocked | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`change_membership_state`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87924) | Triggered when a user's membership is updated | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362200) | Group | +| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/) | Triggered when a user is removed from group during SAML authentication due to inactive SCIM identity | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | User, Group | | [`password_reset_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129079) | Triggered when a password reset fails for a user | **{dotted-circle}** No | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/377762) | User | | [`unban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116221) | Event triggered on user unban action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`unblock_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115727) | Event triggered on user unblock action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | 
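Review bot: the added `inactive_scim_user_removal` row in this `audit_event_types.md` hunk has six cells where the neighbouring rows have five: `**{check-circle}** Yes | **{check-circle}** Yes` repeats the streamed column, so the version and scope cells shift one column to the right in the rendered table; drop one of the two `Yes` cells. The link target `.../merge_requests/` is also missing the MR number. Finally, the description says the user is "removed from group", but the code path this event is attached to (`can_add_user?` returning false in `membership_enforcer.rb`) refuses to add a member rather than removing one; wording that matches the behaviour ("cannot be added") would avoid misleading anyone reading the audit trail.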
diff --git a/ee/config/audit_events/types/inactive_scim_removal.yml b/ee/config/audit_events/types/inactive_scim_removal.yml new file mode 100644 index 00000000000000..fd64f2b3a8a912 --- /dev/null +++ b/ee/config/audit_events/types/inactive_scim_removal.yml @@ -0,0 +1,10 @@ +--- +name: inactive_scim_user_removal +description: Triggered for user removal from a group during SAML authentication when their SCIM identity is inactive +introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/422582 +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab +feature_category: compliance_management +milestone: '17.7' +saved_to_database: true +streamed: true +scope: [User, Group] diff --git a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb index 37b4e34ea4ee65..e61a120172e6c5 100644 --- a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb +++ b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb @@ -32,6 +32,19 @@ def inactive_scim_identity_for_group?(user) def user_provisioned_by_group?(user) user.provisioned_by_group_id == root_group.id end + + def log_audit_event(group) + audit_context = { + name: "inacive_scim_user_removal", + author: user, + scope: [user, group], + target: user, + target_details: user.username, + message: " User removed due to inactive SCIM identity" + } + ::Gitlab::Audit::Auditor.audit(audit_context) + end + end end end -- GitLab From 3ca918098c512ae21d1f2b1022da4ef5cdd44205 Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Wed, 27 Nov 2024 17:35:25 +0200 Subject: [PATCH 02/13] Fix file name --- .../{inactive_scim_removal.yml => inactive_scim_user_removal.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename ee/config/audit_events/types/{inactive_scim_removal.yml => inactive_scim_user_removal.yml} (100%) 
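Review bot: `def log_audit_event(group)` in the `membership_enforcer.rb` hunk of PATCH 01 references `user`, which is neither a parameter of the method nor defined anywhere in the visible class (the existing helpers such as `user_provisioned_by_group?(user)` all take the user as an argument), so the method appears to be unrunnable as written; pass the user in, e.g. `def log_audit_event(user, group)`. The same hunk has three further defects: `name: "inacive_scim_user_removal"` is misspelt and does not match `name: inactive_scim_user_removal` in the new YAML definition, so the event would not map to the declared type; the `message` string starts with a stray leading space; and nothing calls `log_audit_event` yet, since `can_add_user?` still does `return false if inactive_scim_identity_for_group?(user)` without it. The extra blank line before the closing `end` is a layout nit that lint will flag.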
diff --git a/ee/config/audit_events/types/inactive_scim_removal.yml b/ee/config/audit_events/types/inactive_scim_user_removal.yml similarity index 100% rename from ee/config/audit_events/types/inactive_scim_removal.yml rename to ee/config/audit_events/types/inactive_scim_user_removal.yml -- GitLab From f951e8c5d849dd296e79a8b53c87945452571e5d Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Wed, 27 Nov 2024 17:39:58 +0200 Subject: [PATCH 03/13] Update MR link in files --- doc/user/compliance/audit_event_types.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index b5d7bd2cec07fa..e2288efd3ed7c0 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -588,7 +588,7 @@ Audit event types belong to the following product categories. | [`authenticated_with_group_saml`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28575) | Triggered when successfully signing in with SAML authentication. | **{check-circle}** Yes | GitLab [12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/35710) | Group | | [`ban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116103) | Triggered when a user is banned, unbanned, blocked, or unblocked | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`change_membership_state`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87924) | Triggered when a user's membership is updated | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362200) | Group | -| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/) | Triggered when a user is removed from group during SAML authentication due to inactive SCIM identity | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | User, Group | +| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered when a user is removed from group during SAML authentication due to inactive SCIM identity | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | User, Group | | [`password_reset_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129079) | Triggered when a password reset fails for a user | **{dotted-circle}** No | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/377762) | User | | [`unban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116221) | Event triggered on user unban action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | 
[`unblock_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115727) | Event triggered on user unblock action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | -- GitLab From 567e42fd7c620781336bfb19c2f1312c259e35b7 Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Wed, 27 Nov 2024 19:32:46 +0200 Subject: [PATCH 04/13] Update MR link --- ee/config/audit_events/types/inactive_scim_user_removal.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ee/config/audit_events/types/inactive_scim_user_removal.yml b/ee/config/audit_events/types/inactive_scim_user_removal.yml index fd64f2b3a8a912..b0773e2427777c 100644 --- a/ee/config/audit_events/types/inactive_scim_user_removal.yml +++ b/ee/config/audit_events/types/inactive_scim_user_removal.yml @@ -2,7 +2,7 @@ name: inactive_scim_user_removal description: Triggered for user removal from a group during SAML authentication when their SCIM identity is inactive introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/422582 -introduced_by_mr: https://gitlab.com/gitlab-org/gitlab +introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879 feature_category: compliance_management milestone: '17.7' saved_to_database: true -- GitLab From 14af9f1777b5e12202b65fbe1a68254b977c976a Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Fri, 29 Nov 2024 13:20:58 +0000 Subject: [PATCH 05/13] Fix the scope and call the function to log the event --- doc/user/compliance/audit_event_types.md | 2 +- .../types/inactive_scim_user_removal.yml | 2 +- .../gitlab/auth/group_saml/membership_enforcer.rb | 14 +++++++++----- 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index e2288efd3ed7c0..b3aefdf8c18696 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -588,7 +588,7 @@ Audit event types belong to the following product categories. | [`authenticated_with_group_saml`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28575) | Triggered when successfully signing in with SAML authentication. | **{check-circle}** Yes | GitLab [12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/35710) | Group | | [`ban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116103) | Triggered when a user is banned, unbanned, blocked, or unblocked | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`change_membership_state`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87924) | Triggered when a user's membership is updated | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362200) | Group | -| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered when a user is removed from group during SAML authentication due to inactive SCIM identity | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | User, Group | +| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered when a user is removed from group during SAML authentication due to inactive SCIM identity | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | | [`password_reset_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129079) | Triggered when a password reset fails for a user | **{dotted-circle}** No | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/377762) | User | | [`unban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116221) | Event triggered on user unban action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | 
[`unblock_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115727) | Event triggered on user unblock action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | diff --git a/ee/config/audit_events/types/inactive_scim_user_removal.yml b/ee/config/audit_events/types/inactive_scim_user_removal.yml index b0773e2427777c..a057a73ce06869 100644 --- a/ee/config/audit_events/types/inactive_scim_user_removal.yml +++ b/ee/config/audit_events/types/inactive_scim_user_removal.yml @@ -7,4 +7,4 @@ feature_category: compliance_management milestone: '17.7' saved_to_database: true streamed: true -scope: [User, Group] +scope: Group \ No newline at end of file diff --git a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb index e61a120172e6c5..b0522c0cad8654 100644 --- a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb +++ b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb @@ -12,7 +12,11 @@ def can_add_user?(user) return true unless root_group.saml_provider&.enforced_sso? return true if user.project_bot? || user.security_policy_bot? return true if user.service_account? && user_provisioned_by_group?(user) - return false if inactive_scim_identity_for_group?(user) + + if inactive_scim_identity_for_group?(user) + log_audit_event(user, root_group) + return false + end GroupSamlIdentityFinder.new(user: user).find_linked(group: root_group) end 
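Review bot: the `can_add_user?` hunk in PATCH 05 gives a predicate a side effect: every evaluation of `can_add_user?` for a user whose SCIM identity is inactive now writes an audit event, while the event name and docs describe something that happens "during SAML authentication" and nothing in this hunk restricts the call to that path. If `can_add_user?` is also consulted when memberships are created, invited or listed, a single sign-in attempt or admin action can produce several identical events and inflate the audit log. Consider emitting the event from the caller that actually performs the SAML enforcement, or guarding the call so it fires once per decision. In the same hunk, the adjacent YAML change to `scope: Group` (with no trailing newline) replaces the list form the other type definitions use; `scope: [Group]` keeps the schema consistent.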
@@ -33,14 +37,14 @@ def user_provisioned_by_group?(user) user.provisioned_by_group_id == root_group.id end - def log_audit_event(group) + def log_audit_event(user, root_group) audit_context = { - name: "inacive_scim_user_removal", + name: "inactive_scim_user_removal", author: user, - scope: [user, group], + scope: root_group, target: user, target_details: user.username, - message: " User removed due to inactive SCIM identity" + message: "User cannot be added to group due to inactive SCIM identity" } ::Gitlab::Audit::Auditor.audit(audit_context) end -- GitLab From 2a0500e1e25bd327623c670317f593115e6f6f8f Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Fri, 29 Nov 2024 16:08:42 +0000 Subject: [PATCH 06/13] Fixing scope, and adding test --- .../types/inactive_scim_user_removal.yml | 2 +- .../group_saml/membership_enforcer_spec.rb | 31 +++++++++++++++++-- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/ee/config/audit_events/types/inactive_scim_user_removal.yml b/ee/config/audit_events/types/inactive_scim_user_removal.yml index a057a73ce06869..ac349e44dc243f 100644 --- a/ee/config/audit_events/types/inactive_scim_user_removal.yml +++ b/ee/config/audit_events/types/inactive_scim_user_removal.yml @@ -7,4 +7,4 @@ feature_category: compliance_management milestone: '17.7' saved_to_database: true streamed: true -scope: Group \ No newline at end of file +scope: [Group] \ No newline at end of file diff --git a/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb b/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb index 9eb1facd58f92b..7ac9a03a011d41 100644 --- a/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb +++ b/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb 
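Review bot: in the `log_audit_event` hunk of PATCH 05 the new parameter `root_group` shadows the `root_group` method that the rest of the class relies on (`root_group.id`, `root_group.saml_provider`); it is not a functional bug because the caller passes `root_group` itself, but it invites confusion, so either name the parameter `group` or drop it and call the method. The hunk also keeps `author: user`, which records the blocked user as the author of an event recorded against them; the actor here is the group's enforced-SSO policy, not the user, so confirm that attribution is intended before it lands in streamed events.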
@@ -20,10 +20,35 @@ expect(described_class.new(group).can_add_user?(non_saml_user)).to be_falsey end - it 'does not allow adding a user with an inactive scim identity for the group' do - create(:scim_identity, group: group, user: user, active: false) - expect(described_class.new(group).can_add_user?(user)).to be_falsey + context 'when the user has an inactive scim identity' do + before do + stub_licensed_features(extended_audit_events: true) + create(:scim_identity, group: group, user: user, active: false) + end + + it 'does not allow adding a user with an inactive scim identity for the group' do + expect(described_class.new(group).can_add_user?(user)).to be_falsey + end + + it 'logs an audit event' do + expect { described_class.new(group).can_add_user?(user) }.to change { AuditEvent.count }.by(1) + + expect(AuditEvent.last).to have_attributes({ + attributes: hash_including({ + "entity_id" => group.id, + "entity_type" => "Group", + "author_id" => user.id, + "target_details" => user.username, + "target_id" => user.id + }), + details: hash_including({ + custom_message: "User cannot be added to group due to inactive SCIM identity", + target_type: "User", + target_details: user.username + }) + }) + end end it 'does allow adding a user with an active scim identity for the group' do -- GitLab From 3836d0b87a82625ec725d353bb9eb749d2fd0b0e Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Fri, 29 Nov 2024 16:52:11 +0000 Subject: [PATCH 07/13] Remove extra spaces --- ee/lib/gitlab/auth/group_saml/membership_enforcer.rb | 1 - ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb | 3 +-- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb index b0522c0cad8654..44041a34fb1353 100644 --- a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb +++ b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb 
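Review bot: the new `'logs an audit event'` example in this spec hunk asserts on `entity_id`, `author_id`, `target_details` and `custom_message` but never on the event name, so a mismatch between the string in `membership_enforcer.rb` and the YAML `name:` (exactly the `inacive_scim_user_removal` typo from PATCH 01) would still pass; add an assertion on the event name however it is surfaced in the persisted event. It is also worth adding `expect { ... }.not_to change { AuditEvent.count }` to the existing `'does allow adding a user with an active scim identity for the group'` example, so the event is proven to fire only on the inactive path.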
@@ -48,7 +48,6 @@ def log_audit_event(user, root_group) } ::Gitlab::Audit::Auditor.audit(audit_context) end - end end end diff --git a/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb b/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb index 7ac9a03a011d41..f4a8af740e542a 100644 --- a/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb +++ b/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb @@ -20,12 +20,11 @@ expect(described_class.new(group).can_add_user?(non_saml_user)).to be_falsey end - context 'when the user has an inactive scim identity' do before do stub_licensed_features(extended_audit_events: true) create(:scim_identity, group: group, user: user, active: false) - end + end it 'does not allow adding a user with an inactive scim identity for the group' do expect(described_class.new(group).can_add_user?(user)).to be_falsey -- GitLab From c6a6d4bc55153cb125300a748cf1ac09a7e7f235 Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Fri, 29 Nov 2024 21:28:18 +0200 Subject: [PATCH 08/13] Update Audit event types documentation --- doc/user/compliance/audit_event_types.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index b3aefdf8c18696..6bd96ec2be2ac9 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -163,6 +163,7 @@ Audit event types belong to the following product categories. | [`group_saml_provider_create`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | Triggered when a group SAML provider is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`group_saml_provider_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | Triggered when a group SAML provider is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`inactive_project_scheduled_for_deletion`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130699) | Triggered when an inactive project is scheduled for deletion | **{check-circle}** Yes | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/423263) | Project | +| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered for user removal from a group during SAML authentication when their SCIM identity is inactive | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | | [`member_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | Triggered when a membership is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | [`member_destroyed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | Triggered when a membership is destroyed | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | [`member_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | Triggered when a membership is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | 
@@ -588,7 +589,6 @@ Audit event types belong to the following product categories. | [`authenticated_with_group_saml`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28575) | Triggered when successfully signing in with SAML authentication. | **{check-circle}** Yes | GitLab [12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/35710) | Group | | [`ban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116103) | Triggered when a user is banned, unbanned, blocked, or unblocked | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`change_membership_state`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87924) | Triggered when a user's membership is updated | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362200) | Group | -| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered when a user is removed from group during SAML authentication due to inactive SCIM identity | **{check-circle}** Yes | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | | [`password_reset_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129079) | Triggered when a password reset fails for a user | **{dotted-circle}** No | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/377762) | User | | [`unban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116221) | Event triggered on user unban action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`unblock_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115727) | Event triggered on user unblock action | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | -- GitLab From fdb77f1b7a4b866e5fc990d30314ea0c4b33693e Mon Sep 17 00:00:00 2001 
From: Asmaa Hassan Date: Mon, 9 Dec 2024 18:28:05 +0200 Subject: [PATCH 09/13] Change the feature name to match the issue description --- doc/user/compliance/audit_event_types.md | 4 ++-- ...r_removal.yml => inactive_scim_user_cannot_be_added.yml} | 6 +++--- ee/lib/gitlab/auth/group_saml/membership_enforcer.rb | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) rename ee/config/audit_events/types/{inactive_scim_user_removal.yml => inactive_scim_user_cannot_be_added.yml} (58%) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 6bd96ec2be2ac9..b265dae4bd2bcc 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md @@ -20,7 +20,7 @@ DETAILS: **Tier:** Premium, Ultimate **Offering:** GitLab.com, Self-managed, GitLab Dedicated -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172757) in GitLab 17.7, all audit events can be streamed. +- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172757) in GitLab 17.7, all audit events can be streamed. Audit event types are used to filter streamed audit events: 
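Review bot: the `@@ -20,7 +20,7 @@` hunk in PATCH 09 strips the `>` blockquote marker from the unrelated `- [Introduced](...172757) in GitLab 17.7, all audit events can be streamed.` history note, which is outside the scope of this MR and is reverted verbatim in PATCH 10; drop the change from this commit so the series does not carry a revert of its own edit.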
@@ -163,7 +163,7 @@ Audit event types belong to the following product categories. | [`group_saml_provider_create`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | Triggered when a group SAML provider is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`group_saml_provider_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | Triggered when a group SAML provider is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`inactive_project_scheduled_for_deletion`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130699) | Triggered when an inactive project is scheduled for deletion | **{check-circle}** Yes | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/423263) | Project | -| [`inactive_scim_user_removal`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered for user removal from a group during SAML authentication when their SCIM identity is inactive | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | +| [`inactive_scim_user_cannot_be_added`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered when user cannot be added to a group during SAML authentication when their SCIM identity is inactive | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | | [`member_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | Triggered when a membership is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | [`member_destroyed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | Triggered when a membership is destroyed | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | 
[`member_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | Triggered when a membership is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | diff --git a/ee/config/audit_events/types/inactive_scim_user_removal.yml b/ee/config/audit_events/types/inactive_scim_user_cannot_be_added.yml similarity index 58% rename from ee/config/audit_events/types/inactive_scim_user_removal.yml rename to ee/config/audit_events/types/inactive_scim_user_cannot_be_added.yml index ac349e44dc243f..ab4996d6e856ab 100644 --- a/ee/config/audit_events/types/inactive_scim_user_removal.yml +++ b/ee/config/audit_events/types/inactive_scim_user_cannot_be_added.yml @@ -1,10 +1,10 @@ --- -name: inactive_scim_user_removal -description: Triggered for user removal from a group during SAML authentication when their SCIM identity is inactive +name: inactive_scim_user_cannot_be_added +description: Triggered when user cannot be added to a group during SAML authentication when their SCIM identity is inactive introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/422582 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879 feature_category: compliance_management milestone: '17.7' saved_to_database: true streamed: true -scope: [Group] \ No newline at end of file +scope: [Group] diff --git a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb index 44041a34fb1353..bb0ca4f4ba8824 100644 --- a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb +++ b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb @@ -39,7 +39,7 @@ def user_provisioned_by_group?(user) def log_audit_event(user, root_group) audit_context = { - name: "inactive_scim_user_removal", + name: "inactive_scim_user_cannot_be_added", author: user, scope: root_group, target: user, -- GitLab From 758a824e2489954850a47c965ca5fee39585262d Mon Sep 17 00:00:00 2001 
From: Asmaa Hassan Date: Mon, 9 Dec 2024 18:34:03 +0200 Subject: [PATCH 10/13] Update audit events docs --- doc/user/compliance/audit_event_types.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index b265dae4bd2bcc..fd5bb59e456be0 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md @@ -20,7 +20,7 @@ DETAILS: **Tier:** Premium, Ultimate **Offering:** GitLab.com, Self-managed, GitLab Dedicated -- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172757) in GitLab 17.7, all audit events can be streamed. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/172757) in GitLab 17.7, all audit events can be streamed. Audit event types are used to filter streamed audit events: -- GitLab From 4bea824fd1b99401d45c787f8fd992e520161448 Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Mon, 9 Dec 2024 23:38:33 +0200 Subject: [PATCH 11/13] Update audit events docs --- doc/user/compliance/audit_event_types.md | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 8e00ba8bfe082c..7a5ba63f98c246 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -587,6 +587,7 @@ Audit event types belong to the following product categories. | [`authenticated_with_group_saml`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28575) | Successfully signing in with SAML authentication | **{check-circle}** Yes | GitLab [12.10](https://gitlab.com/gitlab-org/gitlab/-/issues/35710) | Group | | [`ban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116103) | A user is banned, unbanned, blocked, or unblocked | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`change_membership_state`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87924) | A user's membership is updated | **{check-circle}** Yes | GitLab [15.1](https://gitlab.com/gitlab-org/gitlab/-/issues/362200) | Group | +| [`inactive_scim_user_cannot_be_added`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | A user cannot be added to a group during SAML authentication when their SCIM identity is inactive | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | | [`password_reset_failed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129079) | A password reset fails for a user | **{dotted-circle}** No | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/377762) | User | | [`unban_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/116221) | A user is unbanned | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | | [`unblock_user`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115727) | A user is banned | **{check-circle}** Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/377620) | User | -- GitLab From 9b6591f67ef366400f058a0381bbb48dce4a6db4 Mon Sep 17 00:00:00 2001 From: Asmaa Hassan Date: Tue, 10 Dec 2024 00:09:36 +0200 Subject: [PATCH 12/13] Fix lint --- doc/user/compliance/audit_event_types.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index 7a5ba63f98c246..ca05296f017613 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -160,6 +160,7 @@ Audit event types belong to the following product categories. | [`group_saml_provider_create`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | A group SAML provider is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`group_saml_provider_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | A group SAML provider is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`inactive_project_scheduled_for_deletion`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130699) | An inactive project is scheduled for deletion | **{check-circle}** Yes | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/423263) | Project | +| [`inactive_scim_user_cannot_be_added`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered when user cannot be added to a group during SAML authentication when their SCIM identity is inactive | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | | [`member_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | A membership is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | [`member_destroyed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | A membership is destroyed | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | [`member_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | A membership is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | -- GitLab From 2dd7772323e700baf829545e3f069d81a4518711 Mon Sep 17 00:00:00 2001 
From: Asmaa Hassan Date: Tue, 10 Dec 2024 01:43:36 +0200 Subject: [PATCH 13/13] Fix docs, and feature category --- doc/user/compliance/audit_event_types.md | 1 - .../audit_events/types/inactive_scim_user_cannot_be_added.yml | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md index ca05296f017613..7a5ba63f98c246 100644 --- a/doc/user/compliance/audit_event_types.md +++ b/doc/user/compliance/audit_event_types.md 
@@ -160,7 +160,6 @@ Audit event types belong to the following product categories. | [`group_saml_provider_create`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | A group SAML provider is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`group_saml_provider_update`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/111227) | A group SAML provider is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/373964) | Group | | [`inactive_project_scheduled_for_deletion`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/130699) | An inactive project is scheduled for deletion | **{check-circle}** Yes | GitLab [16.4](https://gitlab.com/gitlab-org/gitlab/-/issues/423263) | Project | -| [`inactive_scim_user_cannot_be_added`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879) | Triggered when user cannot be added to a group during SAML authentication when their SCIM identity is inactive | **{check-circle}** Yes | GitLab [17.7](https://gitlab.com/gitlab-org/gitlab/-/issues/422582) | Group | | [`member_created`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | A membership is created | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | [`member_destroyed`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | A membership is destroyed | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | | [`member_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/109711) | A membership is updated | **{check-circle}** Yes | GitLab [15.9](https://gitlab.com/gitlab-org/gitlab/-/issues/374112) | Group, Project | 
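Review bot: the churn across PATCH 11, 12 and 13 (the row added under the user-events table near line 587, added again under the group table near line 160 by "Fix lint", then removed here) means the event was documented twice for one commit; if `audit_event_types.md` is generated from the YAML definitions by the repo's docs task, as I believe it is, regenerating it instead of hand-editing the table would have avoided the duplicate and will keep the remaining row's description in step with the YAML. After this hunk the event is listed once, next to `ban_user` and `password_reset_failed`, which matches the `user_management` category chosen in the next hunk.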
diff --git a/ee/config/audit_events/types/inactive_scim_user_cannot_be_added.yml b/ee/config/audit_events/types/inactive_scim_user_cannot_be_added.yml index ab4996d6e856ab..ec12853f5613ed 100644 --- a/ee/config/audit_events/types/inactive_scim_user_cannot_be_added.yml +++ b/ee/config/audit_events/types/inactive_scim_user_cannot_be_added.yml @@ -1,9 +1,9 @@ --- name: inactive_scim_user_cannot_be_added -description: Triggered when user cannot be added to a group during SAML authentication when their SCIM identity is inactive +description: A user cannot be added to a group during SAML authentication when their SCIM identity is inactive introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/422582 introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173879 -feature_category: compliance_management +feature_category: user_management milestone: '17.7' saved_to_database: true streamed: true -- GitLab
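Review bot: the `feature_category` switch from `compliance_management` to `user_management` in this YAML hunk changes which team owns this event type and how it is attributed in metrics and error reporting, while the code that emits it lives under `ee/lib/gitlab/auth/group_saml/`; confirm the category with the owning stage rather than deriving it from the docs table placement. The `description` edit is good: it now matches the docs row from PATCH 11 word for word, which is the consistency to keep.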