Record audit event when user is created

We only create audit event when user is created by an authorized user, but not via system trigger (e.g. SmartCard authentication).

Record audit event when user is created
We only create audit event when user is created by an authorized user, but not via system trigger (e.g. SmartCard authentication).
b4ee92f2 · Tan Le · Thong Kuah · 8301bed3 · b4ee92f2 · b4ee92f2
Commit b4ee92f2 authored Feb 14, 2020 by Tan Le Committed by Thong Kuah Feb 14, 2020
6 changed files
--- a/app/services/users/create_service.rb
+++ b/app/services/users/create_service.rb
@@ -11,12 +11,19 @@ module Users

    def execute(skip_authorization: false)
      user = Users::BuildService.new(current_user, params).execute(skip_authorization: skip_authorization)
+      reset_token = user.generate_reset_token if user.recently_sent_password_reset?

-      @reset_token = user.generate_reset_token if user.recently_sent_password_reset?
-
-      notify_new_user(user, @reset_token) if user.save
+      after_create_hook(user, reset_token) if user.save

      user
    end
+
+    private
+
+    def after_create_hook(user, reset_token)
+      notify_new_user(user, reset_token)
+    end
  end
 end
+
+Users::CreateService.prepend_if_ee('EE::Users::CreateService')
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -107,6 +107,7 @@ recorded:
 - Started/stopped user impersonation
 - Changed username ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/7797) in GitLab 12.8)
 - User was deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
+- User was added ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)
 - User was blocked via Admin Area ([introduced](https://gitlab.com/gitlab-org/gitlab/issues/251) in GitLab 12.8)

 It is possible to filter particular actions by choosing an audit data type from

--- a/ee/app/services/ee/users/create_service.rb
+++ b/ee/app/services/ee/users/create_service.rb
+# frozen_string_literal: true
+
+module EE
+  module Users
+    module CreateService
+      extend ::Gitlab::Utils::Override
+
+      override :after_create_hook
+      def after_create_hook(user, reset_token)
+        super
+
+        log_audit_event(user) if audit_required?
+      end
+
+      private
+
+      def log_audit_event(user)
+        ::AuditEventService.new(
+          current_user,
+          user,
+          action: :create
+        ).for_user.security_event
+      end
+
+      def audit_required?
+        current_user.present?
+      end
+    end
+  end
+end
--- a/ee/changelogs/unreleased/251-record-user-add-audit-event.yml
+++ b/ee/changelogs/unreleased/251-record-user-add-audit-event.yml
+---
+title: Record audit event when user is added
+merge_request: 24855
+author:
+type: added
--- a/ee/spec/services/ee/users/create_service_spec.rb
+++ b/ee/spec/services/ee/users/create_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Users::CreateService do
+  let(:current_user) { create(:admin) }
+  let(:params) do
+    {
+      name: 'John Doe',
+      username: 'jduser',
+      email: 'jd@example.com',
+      password: 'mydummypass'
+    }
+  end
+
+  subject(:service) { described_class.new(current_user, params) }
+
+  context 'audit events' do
+    let(:operation) { service.execute }
+
+    include_examples 'audit event logging' do
+      let(:fail_condition!) do
+        expect_any_instance_of(User)
+          .to receive(:save).and_return(false)
+      end
+
+      let(:attributes) do
+        {
+           author_id: current_user.id,
+           entity_id: @resource.id,
+           entity_type: 'User',
+           details: {
+             add: 'user',
+             author_name: current_user.name,
+             target_id: @resource.full_path,
+             target_type: 'User',
+             target_details: @resource.full_path
+           }
+         }
+      end
+    end
+
+    context 'when audit is not required' do
+      let(:current_user) { nil }
+
+      it 'does not log audit event' do
+        expect { operation }.not_to change(AuditEvent, :count)
+      end
+    end
+  end
+end
--- a/ee/spec/support/shared_examples/services/audit_event_logging_shared_examples.rb
+++ b/ee/spec/support/shared_examples/services/audit_event_logging_shared_examples.rb
@@ -5,19 +5,19 @@ RSpec.shared_examples 'audit event logging' do
    stub_licensed_features(extended_audit_events: true)
  end

-  context 'if operation succeed' do
-    it 'logs an audit event if operation succeed' do
+  context 'when operation succeeds' do
+    it 'logs an audit event' do
      expect { operation }.to change(AuditEvent, :count).by(1)
    end

-    it 'logs the project info' do
+    it 'logs the audit event info' do
      @resource = operation

      expect(AuditEvent.last).to have_attributes(attributes)
    end
  end

-  it 'does not log audit event if project operation fails' do
+  it 'does not log audit event if operation fails' do
    fail_condition!

    expect { operation }.not_to change(AuditEvent, :count)