From c533a11d780a1cc23fa065d11fe3324c79298761 Mon Sep 17 00:00:00 2001
From: Nate Rosandich
Date: Fri, 5 Sep 2025 14:34:57 +1200
Subject: [PATCH] Migrate ghost records migrate audit events to Auditor

Changelog: changed
EE: true
---
 doc/user/compliance/audit_event_types.md | 1 +
 .../migrate_records_to_ghost_user_service.rb | 21 ++++++--
 .../types/user_records_migrated_to_ghost.yml | 10 ++++
 ...rate_records_to_ghost_user_service_spec.rb | 51 ++++++++++++-------
 4 files changed, 59 insertions(+), 24 deletions(-)
 create mode 100644 ee/config/audit_events/types/user_records_migrated_to_ghost.yml

diff --git a/doc/user/compliance/audit_event_types.md b/doc/user/compliance/audit_event_types.md
index 16816f03c6da52..4f408638dd89be 100644
--- a/doc/user/compliance/audit_event_types.md
+++ b/doc/user/compliance/audit_event_types.md
@@ -695,6 +695,7 @@ Audit event types belong to the following product categories.
 | [`user_impersonation`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79340) | An instance administrator starts or stops impersonating a user | {{< icon name="check-circle" >}} Yes | GitLab [14.8](https://gitlab.com/gitlab-org/gitlab/-/issues/300961) | User, Group |
 | [`user_password_updated`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/106086) | A user password is updated | {{< icon name="check-circle" >}} Yes | GitLab [15.7](https://gitlab.com/gitlab-org/gitlab/-/issues/369330) | User |
 | [`user_provisioned_by_scim`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/174040) | A user is provisioned by SCIM | {{< icon name="check-circle" >}} Yes | GitLab [17.8](https://gitlab.com/gitlab-org/gitlab/-/issues/423322) | Group |
+| [`user_records_migrated_to_ghost`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203756) | Event triggered when user records are migrated to ghost user during batch processing | {{< icon name="check-circle" >}} Yes | GitLab [18.4](https://gitlab.com/gitlab-org/gitlab/-/issues/567635) | User |
 | [`user_rejected`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/113784) | A user registration is rejected | {{< icon name="check-circle" >}} Yes | GitLab [15.11](https://gitlab.com/gitlab-org/gitlab/-/issues/374107) | User |

 ### User profile
diff --git a/ee/app/services/ee/users/migrate_records_to_ghost_user_service.rb b/ee/app/services/ee/users/migrate_records_to_ghost_user_service.rb
index dac970d888a36f..a69d682af81682 100644
--- a/ee/app/services/ee/users/migrate_records_to_ghost_user_service.rb
+++ b/ee/app/services/ee/users/migrate_records_to_ghost_user_service.rb
@@ -54,11 +54,22 @@ def migrate_resource_link_events
 end

 def log_audit_event(user)
- ::AuditEventService.new(
- initiator_user,
- user,
- action: :destroy
- ).for_user.security_event
+ audit_context = {
+ name: 'user_records_migrated_to_ghost',
+ author: initiator_user,
+ scope: user,
+ target: user,
+ target_details: user.full_path,
+ message: 'User records migrated to ghost user',
+ additional_details: {
+ action: 'migrate_to_ghost',
+ author_name: initiator_user.name,
+ target_id: user.id,
+ target_type: 'User'
+ }
+ }
+
+ ::Gitlab::Audit::Auditor.audit(audit_context)
 end
 end
 end
diff --git a/ee/config/audit_events/types/user_records_migrated_to_ghost.yml b/ee/config/audit_events/types/user_records_migrated_to_ghost.yml
new file mode 100644
index 00000000000000..2ba3be699d3626
--- /dev/null
+++ b/ee/config/audit_events/types/user_records_migrated_to_ghost.yml
@@ -0,0 +1,10 @@
+---
+name: user_records_migrated_to_ghost
+description: Event triggered when user records are migrated to ghost user during batch processing
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/567635
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203756
+feature_category: user_management
+milestone: '18.4'
+saved_to_database: true
+streamed: true
+scope: [User]
diff --git a/ee/spec/services/ee/users/migrate_records_to_ghost_user_service_spec.rb b/ee/spec/services/ee/users/migrate_records_to_ghost_user_service_spec.rb
index 18d97da118c6a3..39891edc41c09b 100644
--- a/ee/spec/services/ee/users/migrate_records_to_ghost_user_service_spec.rb
+++ b/ee/spec/services/ee/users/migrate_records_to_ghost_user_service_spec.rb
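Review bot: The replacement event built in `log_audit_event` (ee/app/services/ee/users/migrate_records_to_ghost_user_service.rb) no longer states that an account was deleted: the old call recorded `action: :destroy`, while the new context carries only `action: 'migrate_to_ghost'` and the message 'User records migrated to ghost user'. The spec in this patch shows the event is sent only when the user is destroyed, so this may be the audit record of the deletion itself, and alert rules or streaming filters keyed on the old removal details would stop matching. Consider keeping the deletion visible, for example `message: 'User deleted and records migrated to ghost user'` or retaining `remove: 'user'` in `additional_details`, and add a method comment such as `# Emitted after the user has been destroyed and their records reassigned to the ghost user.` The call site is outside this hunk, so the emit condition is inferred from the spec and should be confirmed.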
@@ -8,6 +8,11 @@ let(:execution_tracker) { instance_double(::Gitlab::Utils::ExecutionTracker, over_limit?: false) } let_it_be(:admin) { create(:admin) } + let_it_be(:ghost_user) { create(:user, :ghost) } + + before do + allow(Users::Internal).to receive(:ghost).and_return(ghost_user) + end context "when migrating a user's associated records to the ghost user" do context 'for epics' do @@ -88,26 +93,34 @@ subject(:operation) { service.execute } describe 'audit events' do - include_examples 'audit event logging' do - let(:fail_condition!) do - expect(user).to receive(:destroy).and_return(user) - expect(user).to receive(:destroyed?).and_return(false) - end - - let(:attributes) do - { - author_id: admin.id, - entity_id: user.id, - entity_type: 'User', - details: { - remove: 'user', - author_name: admin.name, - target_id: user.id, - target_type: 'User', - target_details: user.full_path - } + it 'sends the audit event for user migration to ghost' do + audit_context = { + name: 'user_records_migrated_to_ghost', + author: admin, + scope: user, + target: user, + target_details: user.full_path, + message: 'User records migrated to ghost user', + additional_details: { + action: 'migrate_to_ghost', + author_name: admin.name, + target_id: user.id, + target_type: 'User' } - end + } + + expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context) + + operation + end + + it 'does not send audit event when user is not destroyed' do + expect(user).to receive(:destroy).and_return(user) + expect(user).to receive(:destroyed?).and_return(false) + + expect(::Gitlab::Audit::Auditor).not_to receive(:audit) + + operation end end end -- GitLab
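Review bot: The file-level `before` block added in the first spec hunk stubs `Users::Internal.ghost` for every example without saying why, so the service's real ghost-user lookup is no longer exercised anywhere in this spec. If only the audit examples need a pinned ghost user, move the `allow(Users::Internal).to receive(:ghost).and_return(ghost_user)` line into `describe 'audit events'`; otherwise put a one-line comment above `before do` stating the reason for the stub. The enclosing `RSpec.describe` block starts outside the hunk, so which examples depend on the stub cannot be seen from here.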
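Review bot: Both new examples in the second spec hunk replace `::Gitlab::Audit::Auditor.audit` with a message expectation, so nothing in this spec checks that an audit event is actually built and stored; the removed `audit event logging` shared examples were given the expected record attributes. A mismatch between the context hash and the new `user_records_migrated_to_ghost` type definition would therefore pass unnoticed. Let the call through with `expect(::Gitlab::Audit::Auditor).to receive(:audit).with(audit_context).and_call_original` and assert the outcome, for example `expect { operation }.to change { AuditEvent.count }.by(1)`. What the shared examples verified is inferred from the removed `attributes` block, since their definition is not part of this patch.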