Add instance-level audit event when admin status changes

Adds an entry to the instance-level audit log when an administrator sets a user as an administrator or changes an administrator to a user. Changelog: added EE: true

Add instance-level audit event when admin status changes
Adds an entry to the instance-level audit log when an administrator sets a user as an administrator or changes an administrator to a user. Changelog: added EE: true
6724b3e0 · Max Woolf · 99b8cb27 · 6724b3e0 · 6724b3e0 · 6724b3e0
Commit 6724b3e0 authored Jun 30, 2021 by Max Woolf
3 changed files
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -162,6 +162,7 @@ The following user actions are recorded:
 - Failed second-factor authentication attempt ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/16826) in GitLab 13.5)
 - A user's personal access token was successfully created or revoked ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
 - A failed attempt to create or revoke a user's personal access token ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276921) in GitLab 13.6)
+- Adding or removing an administrator ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/323905) in GitLab 14.1)

 Instance events can also be accessed via the [Instance Audit Events API](../api/audit_events.md#instance-audit-events).


--- a/ee/app/services/ee/users/update_service.rb
+++ b/ee/app/services/ee/users/update_service.rb
@@ -24,6 +24,7 @@ module EE
        audit_changes(:email, as: 'email address')
        audit_changes(:encrypted_password, as: 'password', skip_changes: true)
        audit_changes(:username, as: 'username')
+        audit_changes(:admin, as: 'admin status')

        success
      end

--- a/ee/spec/services/ee/users/update_service_spec.rb
+++ b/ee/spec/services/ee/users/update_service_spec.rb
@@ -156,6 +156,28 @@ RSpec.describe Users::UpdateService do
        { name: 'John Doe', username: 'jduser', email: 'jd@example.com', password: 'mydummypass' }
      end

+      context 'updating administrator status' do
+        before do
+          stub_licensed_features(admin_audit_log: true)
+        end
+
+        it 'logs making a user an administrator' do
+          expect do
+            update_user_as(admin_user, user, admin: true)
+          end.to change { AuditEvent.count }.by(1)
+
+          expect(AuditEvent.last.present.action).to eq('Changed admin status from false to true')
+        end
+
+        it 'logs making an administrator a user' do
+          expect do
+            update_user_as(admin_user, create(:admin), admin: false)
+          end.to change { AuditEvent.count }.by(1)
+
+          expect(AuditEvent.last.present.action).to eq('Changed admin status from true to false')
+        end
+      end
+
      context 'allowed params' do
        context 'with identity' do
          let(:provider) { create(:saml_provider) }