Merge branch '211824-fix-failed-ldap-login-audit' into 'master'

Fix audit event that weren't being created for failed LDAP log-in tries Closes #211824 See merge request gitlab-org/gitlab!27608

Merge branch '211824-fix-failed-ldap-login-audit' into 'master'
Fix audit event that weren't being created for failed LDAP log-in tries Closes #211824 See merge request gitlab-org/gitlab!27608
2ab7bedd · Douglas Barbosa Alexandre · 2dd3fb1d · becc14f7 · 2ab7bedd · 2ab7bedd
Commit 2ab7bedd authored Apr 17, 2020 by Douglas Barbosa Alexandre
3 changed files
--- a/changelogs/unreleased/211824-fix-failed-ldap-login-audit.yml
+++ b/changelogs/unreleased/211824-fix-failed-ldap-login-audit.yml
+---
+title: Fix audit event that weren't being created for failed LDAP log-in tries
+merge_request: 27608
+author:
+type: fixed
--- a/ee/app/controllers/ee/ldap/omniauth_callbacks_controller.rb
+++ b/ee/app/controllers/ee/ldap/omniauth_callbacks_controller.rb
@@ -13,6 +13,15 @@ module EE
        super
      end

+      override :fail_login
+      def fail_login(user)
+        # This is the same implementation as EE::OmniauthCallbacksController#fail_login but we need to add it here since
+        # we're overriding Ldap::OmniauthCallbacksController#fail_login, not EE::OmniauthCallbacksController#fail_login.
+        log_failed_login(user.username, oauth['provider'])
+
+        super
+      end
+
      private

      def show_ldap_sync_flash

--- a/ee/spec/controllers/ldap/omniauth_callbacks_controller_spec.rb
+++ b/ee/spec/controllers/ldap/omniauth_callbacks_controller_spec.rb
@@ -22,7 +22,9 @@ describe Ldap::OmniauthCallbacksController do
  context 'access denied' do
    let(:valid_login?) { false }

-    it 'logs a failure event' do
+    # This test used to pass on retry only, masking an actual bug. We want to
+    # make sure it passes on the first try.
+    it 'logs a failure event', retry: 0 do
      stub_licensed_features(extended_audit_events: true)

      expect { post provider }.to change(SecurityEvent, :count).by(1)