Merge branch '363089-saml-auth-audit-event-type' into 'master'

Event type information in saml auth audit event stream

See merge request !95172

ee/app/controllers/groups/omniauth_callbacks_controller.rb

@@ -162,7 +162,22 @@ def group_saml_failure_path(scope)
 
   override :log_audit_event
   def log_audit_event(user, options = {})
-    AuditEventService.new(user, @unauthenticated_group, options)
-      .for_authentication.security_event
+    return if options[:with].blank?
+
+    provider = options[:with]
+    audit_context = {
+      name: 'authenticated_with_group_saml',
+      author: user,
+      scope: @unauthenticated_group,
+      target: user,
+      message: "Signed in with #{provider.upcase} authentication",
+      authentication_event: true,
+      authentication_provider: provider,
+      additional_details: {
+        with: provider
+      }
+    }
+
+    ::Gitlab::Audit::Auditor.audit(audit_context)
   end
 end

ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb

@@ -69,14 +69,22 @@ def stub_last_request_id(id)
       end
 
       it 'logs group audit event for authentication' do
-        audit_event_service = instance_double(AuditEventService)
-
-        allow(AuditEventService).to receive(:new).and_call_original
-        expect(AuditEventService).to receive(:new).with(user, group, { with: provider })
-          .and_return(audit_event_service)
-        expect(audit_event_service).to receive_message_chain(:for_authentication, :security_event)
-
-        post provider, params: { group_id: group }
+        expect(::Gitlab::Audit::Auditor).to receive(:audit).with(
+          {
+            name: 'authenticated_with_group_saml',
+            author: user,
+            scope: group,
+            target: user,
+            message: "Signed in with #{provider.upcase} authentication",
+            authentication_event: true,
+            authentication_provider: provider,
+            additional_details: {
+              with: provider
+            }
+          }
+        ).and_call_original
+
+        expect { post provider, params: { group_id: group } }.to change(AuthenticationEvent, :count).by(1)
       end
 
       include_examples 'works with session enforcement'
@@ -219,7 +227,6 @@ def stub_last_request_id(id)
         it 'logs group audit event for being added to the group' do
           audit_event_service = instance_double(AuditEventService)
 
-          expect(AuditEventService).to receive(:new).ordered.and_call_original
           expect(AuditEventService).to receive(:new).ordered.with(user, group, action: :create)
             .and_return(audit_event_service)
           expect(audit_event_service).to receive_message_chain(:for_member, :security_event)

lib/gitlab/audit/auditor.rb

@@ -117,7 +117,7 @@ def authentication_event_payload
           # Only capture real users for successful authentication events.
           user: author_if_user,
           user_name: @author.name,
-          ip_address: @ip_address,
+          ip_address: Gitlab::RequestContext.instance.client_ip || @author.current_sign_in_ip,
           result: AuthenticationEvent.results[:success],
           provider: @authentication_provider
         }

spec/lib/gitlab/audit/auditor_spec.rb

@@ -4,7 +4,7 @@
 
 RSpec.describe Gitlab::Audit::Auditor do
   let(:name) { 'audit_operation' }
-  let(:author) { create(:user) }
+  let(:author) { create(:user, :with_sign_ins) }
   let(:group) { create(:group) }
   let(:provider) { 'standard' }
   let(:context) do
@@ -37,6 +37,13 @@
         ).and_call_original
 
         audit!
+
+        authentication_event = AuthenticationEvent.last
+
+        expect(authentication_event.user).to eq(author)
+        expect(authentication_event.user_name).to eq(author.name)
+        expect(authentication_event.ip_address).to eq(author.current_sign_in_ip)
+        expect(authentication_event.provider).to eq(provider)
       end
 
       it 'logs audit events to database', :aggregate_failures do