From 6724b3e03cc3a9aca261cec28b9e3db92a1517a6 Mon Sep 17 00:00:00 2001
From: Max Woolf
Date: Wed, 30 Jun 2021 15:20:30 +0100
Subject: [PATCH 1/2] Add instance-level audit event when admin status changes

Adds an entry to the instance-level audit log when an administrator sets a user as an administrator or changes an administrator to a user.

Changelog: added
EE: true
---
 doc/administration/audit_events.md           |  1 +
 ee/app/services/ee/users/update_service.rb   |  1 +
 .../services/ee/users/update_service_spec.rb | 22 +++++++++++++++++++
 3 files changed, 24 insertions(+)

diff --git a/doc/administration/audit_events.md b/doc/administration/audit_events.md
index 7fab424ac936c1..57506b1f3ccf0b 100644
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -162,6 +162,7 @@ The following user actions are recorded:
 - Failed second-factor authentication attempt ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16826) in GitLab 13.5)
 - A user's personal access token was successfully created or revoked ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
 - A failed attempt to create or revoke a user's personal access token ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
+- Adding or removing an administrator ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/323905) in GitLab 14.1)
 
 Instance events can also be accessed via the [Instance Audit Events API](../api/audit_events.md#instance-audit-events).
 
diff --git a/ee/app/services/ee/users/update_service.rb b/ee/app/services/ee/users/update_service.rb
index 169e58a0f26a74..eaa3957eda4694 100644
--- a/ee/app/services/ee/users/update_service.rb
+++ b/ee/app/services/ee/users/update_service.rb
@@ -24,6 +24,7 @@ def notify_success(user_exists)
         audit_changes(:email, as: 'email address')
         audit_changes(:encrypted_password, as: 'password', skip_changes: true)
         audit_changes(:username, as: 'username')
+        audit_changes(:admin, as: 'admin status')
 
         success
       end
diff --git a/ee/spec/services/ee/users/update_service_spec.rb b/ee/spec/services/ee/users/update_service_spec.rb
index 77f9ce7ecc4ce1..41248f6844ae4d 100644
--- a/ee/spec/services/ee/users/update_service_spec.rb
+++ b/ee/spec/services/ee/users/update_service_spec.rb
@@ -156,6 +156,28 @@
         { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass' }
       end
 
+      context 'updating administrator status' do
+        before do
+          stub_licensed_features(admin_audit_log: true)
+        end
+
+        it 'logs making a user an administrator' do
+          expect do
+            update_user_as(admin_user, user, admin: true)
+          end.to change { AuditEvent.count }.by(1)
+
+          expect(AuditEvent.last.present.action).to eq('Changed admin status from false to true')
+        end
+
+        it 'logs making an administrator a user' do
+          expect do
+            update_user_as(admin_user, create(:admin), admin: false)
+          end.to change { AuditEvent.count }.by(1)
+
+          expect(AuditEvent.last.present.action).to eq('Changed admin status from true to false')
+        end
+      end
+
       context 'allowed params' do
         context 'with identity' do
           let(:provider) { create(:saml_provider) }
-- 
GitLab

From 03f0de493f2a4a1422ddf1c6fbc3bd653ed96598 Mon Sep 17 00:00:00 2001
From: Evan Read
Date: Thu, 1 Jul 2021 07:38:01 +0000
Subject: [PATCH 2/2] Apply 1 suggestion(s) to 1 file(s)

---
 doc/administration/audit_events.md           |  2 +-
 .../services/ee/users/update_service_spec.rb | 42 +++++++++----------
 2 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/doc/administration/audit_events.md b/doc/administration/audit_events.md
index 57506b1f3ccf0b..3cfbc8ae74b25e 100644
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
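Review bot: The new `audit_changes(:admin, as: 'admin status')` line records administrator changes only for updates that reach `notify_success` through this service; if the admin flag can also be set by a path that does not go through here, those changes would stay out of the instance audit log — worth confirming rather than assuming. Because the neighbouring calls audit ordinary profile fields, a short why-comment would keep a future cleanup from treating this entry as optional: `# Granting or revoking admin is a privilege change and must always reach the instance audit log.` The body of `notify_success` starts outside the hunk.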
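Review bot: Both new examples assert only the event count and the presented action text, so an audit event attributed to the wrong actor (or written for the wrong user) would still pass; add an attribution check in each, such as `expect(AuditEvent.last.author_id).to eq(admin_user.id)`, and the matching `entity_id` if the entity is the changed user. The same gap is in the copy of this context that the second patch moves under the already-licensed block. A reader of the hunk cannot see where `admin_user` is defined, so that `let` is presumably further up the file.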
@@ -162,7 +162,7 @@ The following user actions are recorded:
 - Failed second-factor authentication attempt ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16826) in GitLab 13.5)
 - A user's personal access token was successfully created or revoked ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
 - A failed attempt to create or revoke a user's personal access token ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
-- Adding or removing an administrator ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/323905) in GitLab 14.1)
+- Administrator added or removed ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/323905) in GitLab 14.1)
 
 Instance events can also be accessed via the [Instance Audit Events API](../api/audit_events.md#instance-audit-events).
 
diff --git a/ee/spec/services/ee/users/update_service_spec.rb b/ee/spec/services/ee/users/update_service_spec.rb
index 41248f6844ae4d..e1079774ead11f 100644
--- a/ee/spec/services/ee/users/update_service_spec.rb
+++ b/ee/spec/services/ee/users/update_service_spec.rb
@@ -101,6 +101,26 @@
         stub_licensed_features(admin_audit_log: true)
       end
 
+      context 'updating administrator status' do
+        let_it_be(:admin_user) { create(:admin) }
+
+        it 'logs making a user an administrator' do
+          expect do
+            update_user_as(admin_user, user, admin: true)
+          end.to change { AuditEvent.count }.by(1)
+
+          expect(AuditEvent.last.present.action).to eq('Changed admin status from false to true')
+        end
+
+        it 'logs making an administrator a user' do
+          expect do
+            update_user_as(admin_user, create(:admin), admin: false)
+          end.to change { AuditEvent.count }.by(1)
+
+          expect(AuditEvent.last.present.action).to eq('Changed admin status from true to false')
+        end
+      end
+
       context 'updating username' do
         it 'logs audit event' do
           previous_username = user.username
@@ -156,28 +176,6 @@
         { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass' }
       end
 
-      context 'updating administrator status' do
-        before do
-          stub_licensed_features(admin_audit_log: true)
-        end
-
-        it 'logs making a user an administrator' do
-          expect do
-            update_user_as(admin_user, user, admin: true)
-          end.to change { AuditEvent.count }.by(1)
-
-          expect(AuditEvent.last.present.action).to eq('Changed admin status from false to true')
-        end
-
-        it 'logs making an administrator a user' do
-          expect do
-            update_user_as(admin_user, create(:admin), admin: false)
-          end.to change { AuditEvent.count }.by(1)
-
-          expect(AuditEvent.last.present.action).to eq('Changed admin status from true to false')
-        end
-      end
-
       context 'allowed params' do
         context 'with identity' do
           let(:provider) { create(:saml_provider) }
-- 
GitLab