Merge branch '251-record-user-add-audit-event' into 'master'

Record audit event when user is added See merge request gitlab-org/gitlab!24855

Merge branch '251-record-user-add-audit-event' into 'master'
Record audit event when user is added See merge request gitlab-org/gitlab!24855
09adce61 · Thong Kuah · 53294dd8 · b4ee92f2 · 09adce61 · 09adce61
Commit 09adce61 authored Feb 14, 2020 by Thong Kuah
6 changed files
--- a/app/services/users/create_service.rb
+++ b/app/services/users/create_service.rb
@@ -11,12 +11,19 @@ module Users
    def execute(skip_authorization: false)
      user = Users::BuildService.new(current_user, params).execute(skip_authorization: skip_authorization)
+      reset_token = user.generate_reset_token if user.recently_sent_password_reset?
-      @reset_token = user.generate_reset_token if user.recently_sent_password_reset?
+      after_create_hook(user, reset_token) if user.save
-      notify_new_user(user, @reset_token) if user.save
      user
    end
+    private
+    def after_create_hook(user, reset_token)
+      notify_new_user(user, reset_token)
+    end
  end
 end
+Users::CreateService.prepend_if_ee('EE::Users::CreateService')
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -107,6 +107,7 @@ recorded:
 - Started/stopped user impersonation
 - Changed username ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/7797) in GitLab 12.8)
 - User was deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
+- User was added ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
 - User was blocked via Admin Area ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
 It is possible to filter particular actions by choosing an audit data type from

--- a/ee/app/services/ee/users/create_service.rb
+++ b/ee/app/services/ee/users/create_service.rb
+# frozen_string_literal: true
+module EE
+  module Users
+    module CreateService
+      extend ::Gitlab::Utils::Override
+      override :after_create_hook
+      def after_create_hook(user, reset_token)
+        super
+        log_audit_event(user) if audit_required?
+      end
+      private
+      def log_audit_event(user)
+        ::AuditEventService.new(
+          current_user,
+          user,
+          action: :create
+        ).for_user.security_event
+      end
+      def audit_required?
+        current_user.present?
+      end
+    end
+  end
+end
--- a/ee/changelogs/unreleased/251-record-user-add-audit-event.yml
+++ b/ee/changelogs/unreleased/251-record-user-add-audit-event.yml
+---
+title: Record audit event when user is added
+merge_request: 24855
+author:
+type: added
--- a/ee/spec/services/ee/users/create_service_spec.rb
+++ b/ee/spec/services/ee/users/create_service_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe Users::CreateService do
+  let(:current_user) { create(:admin) }
+  let(:params) do
+    {
+      name: 'John Doe',
+      username: 'jduser',
+      email: 'jd@example.com',
+      password: 'mydummypass'
+    }
+  end
+  subject(:service) { described_class.new(current_user, params) }
+  context 'audit events' do
+    let(:operation) { service.execute }
+    include_examples 'audit event logging' do
+      let(:fail_condition!) do
+        expect_any_instance_of(User)
+          .to receive(:save).and_return(false)
+      end
+      let(:attributes) do
+        {
+           author_id: current_user.id,
+           entity_id: @resource.id,
+           entity_type: 'User',
+           details: {
+             add: 'user',
+             author_name: current_user.name,
+             target_id: @resource.full_path,
+             target_type: 'User',
+             target_details: @resource.full_path
+           }
+         }
+      end
+    end
+    context 'when audit is not required' do
+      let(:current_user) { nil }
+      it 'does not log audit event' do
+        expect { operation }.not_to change(AuditEvent, :count)
+      end
+    end
+  end
+end
--- a/ee/spec/support/shared_examples/services/audit_event_logging_shared_examples.rb
+++ b/ee/spec/support/shared_examples/services/audit_event_logging_shared_examples.rb
@@ -5,19 +5,19 @@ RSpec.shared_examples 'audit event logging' do
    stub_licensed_features(extended_audit_events: true)
  end
-  context 'if operation succeed' do
+  context 'when operation succeeds' do
-    it 'logs an audit event if operation succeed' do
+    it 'logs an audit event' do
      expect { operation }.to change(AuditEvent, :count).by(1)
    end
-    it 'logs the project info' do
+    it 'logs the audit event info' do
      @resource = operation
      expect(AuditEvent.last).to have_attributes(attributes)
    end
  end
-  it 'does not log audit event if project operation fails' do
+  it 'does not log audit event if operation fails' do
    fail_condition!
    expect { operation }.not_to change(AuditEvent, :count)