From eef3e83de0e76bbf6beb0846dcf6046cb7e06a17 Mon Sep 17 00:00:00 2001
From: Drew Blessing
Date: Wed, 1 Apr 2020 10:04:59 -0500
Subject: [PATCH] Group-level audit event for Group SAML SSO

Create a group-level audit event when a user signs in via Group SAML. The current audit event was a user audit event and only appeared to individual users and to administrators in the instance audit events.
---
 doc/administration/audit_events.md | 1 +
 .../groups/omniauth_callbacks_controller.rb | 6 ++++++
 .../dblessing-group-audit-events-saml-sso.yml | 5 +++++
 .../groups/omniauth_callbacks_controller_spec.rb | 10 ++++++++++
 4 files changed, 22 insertions(+)
 create mode 100644 ee/changelogs/unreleased/dblessing-group-audit-events-saml-sso.yml
diff --git a/doc/administration/audit_events.md b/doc/administration/audit_events.md
index aa70890d3cd3ec..26b4434de77784 100644
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -41,6 +41,7 @@ From there, you can see the following actions:
 - Group created or deleted
 - Group changed visibility
 - User was added to group and with which [permissions]
+- User sign-in via [Group SAML](../user/group/saml_sso/index.md)
 - Permissions changes of a user assigned to a group
 - Removed user from group
 - Project added to group and with which visibility level
diff --git a/ee/app/controllers/groups/omniauth_callbacks_controller.rb b/ee/app/controllers/groups/omniauth_callbacks_controller.rb
index fec36e228b2651..9c7c261ccf509b 100644
--- a/ee/app/controllers/groups/omniauth_callbacks_controller.rb
+++ b/ee/app/controllers/groups/omniauth_callbacks_controller.rb
@@ -153,4 +153,10 @@ def group_saml_failure_path(scope)
 sso_group_saml_providers_path(group)
 end
 end
+
+ override :log_audit_event
+ def log_audit_event(user, options = {})
+ AuditEventService.new(user, @unauthenticated_group, options)
+ .for_authentication.security_event
+ end
 end
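Review bot: The new `log_audit_event` override reads `@unauthenticated_group` directly and never calls `super`, so the sign-in is recorded against the group only, and a nil group would presumably fail or be mis-recorded inside `AuditEventService` rather than at this call site. The context line above refers to `group` (`sso_group_saml_providers_path(group)`); if that resolves the same record, use it here for consistency, or guard explicitly with `return super unless @unauthenticated_group` so a successful sign-in is never left unaudited. Whether the parent's user-level event is still needed for instance-wide review cannot be seen from this hunk, so a comment such as `# Group SAML sign-ins are audited against the group; this replaces the user-level event from the parent controller` would make the choice explicit. The class body starts outside the hunk.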
diff --git a/ee/changelogs/unreleased/dblessing-group-audit-events-saml-sso.yml b/ee/changelogs/unreleased/dblessing-group-audit-events-saml-sso.yml
new file mode 100644
index 00000000000000..6589756e207c37
--- /dev/null
+++ b/ee/changelogs/unreleased/dblessing-group-audit-events-saml-sso.yml
@@ -0,0 +1,5 @@
+---
+title: Create group-level audit event for Group SAML SSO sign in
+merge_request: 28575
+author:
+type: added
diff --git a/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb b/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
index eda8050729a7c2..b594927c9f1734 100644
--- a/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
+++ b/ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb
@@ -68,6 +68,16 @@ def stub_last_request_id(id)
 expect(response).to redirect_to('/explore')
 end
+ it 'logs group audit event for authentication' do
+ audit_event_service = instance_double(AuditEventService)
+
+ expect(AuditEventService).to receive(:new).with(user, group, with: provider)
+ .and_return(audit_event_service)
+ expect(audit_event_service).to receive_message_chain(:for_authentication, :security_event)
+
+ post provider, params: { group_id: group }
+ end
+
 include_examples 'works with session enforcement'
 end
--
GitLab
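Review bot: The added example only verifies a stubbed `receive_message_chain(:for_authentication, :security_event)`, so it would still pass if the event were stored against the wrong entity or never persisted. Asserting on the stored record pins the security-relevant behaviour, for example `expect { post provider, params: { group_id: group } }.to change { AuditEvent.count }.by(1)`, followed by a check that the new record's entity is `group`. A companion example for a rejected SAML response would document whether failed sign-ins are meant to be audited at group level; this hunk does not show one. The enclosing `context` block starts outside the hunk.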