Merge branch '402173-auditevents-missing-attribute' into 'master'

Resolve audit event missing attribute error See merge request !117273 Merged-by: Rajendra Kadam <rkadam@gitlab.com> Approved-by: Rajendra Kadam <rkadam@gitlab.com> Approved-by: Sashi Kumar Kumaresan <skumar@gitlab.com> Reviewed-by: Rajendra Kadam <rkadam@gitlab.com> Co-authored-by: Bala Kumar <sbalakumar@gitlab.com>

Merge branch '402173-auditevents-missing-attribute' into 'master'
e2ff33c5 · Rajendra Kadam · 6dca9fc6 · c2be121a · e2ff33c5 · e2ff33c5
Commit e2ff33c5 authored 1 year ago by Rajendra Kadam 2️⃣
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -389,6 +389,7 @@ Some events are not tracked in audit events. The following epics and issues prop
 - [Group settings and activity](https://gitlab.com/groups/gitlab-org/-/epics/475).
 - [Instance-level settings and activity](https://gitlab.com/groups/gitlab-org/-/epics/476).
 - [Deployment Approval activity](https://gitlab.com/gitlab-org/gitlab/-/issues/354782).
+- [Approval rules processing by a non GitLab user](https://gitlab.com/gitlab-org/gitlab/-/issues/407384).

 If you don't see the event you want in any of the epics, you can either:


--- a/ee/app/services/concerns/approval_rules/updater.rb
+++ b/ee/app/services/concerns/approval_rules/updater.rb
@@ -9,6 +9,8 @@ def action
      filter_eligible_groups!
      filter_eligible_protected_branches!

+      return save_rule_without_audit unless current_user
+
      if with_audit_logged { rule.update(params) }
        log_audit_event(rule)
        rule.reset
@@ -21,6 +23,16 @@ def action

    private

+    def save_rule_without_audit
+      if rule.update(params)
+        rule.reset
+
+        success
+      else
+        error(rule.errors.messages)
+      end
+    end
+
    def with_audit_logged(&block)
      name = rule.new_record? ? 'approval_rule_created' : 'update_approval_rules'
      audit_context = {

--- a/ee/spec/services/approval_rules/create_service_spec.rb
+++ b/ee/spec/services/approval_rules/create_service_spec.rb
@@ -132,6 +132,49 @@
      end
    end

+    # Possible when policy configuration last commit user email is not present in GitLab.
+    # See: https://gitlab.com/gitlab-org/gitlab/-/issues/402173#note_1348667122
+    context 'when user is not present in GitLab' do
+      let_it_be(:non_existing_user) { nil }
+      let_it_be(:name) { 'security' }
+
+      let(:result) do
+        described_class.new(target, non_existing_user, {
+          name: name,
+          skip_authorization: true,
+          approvals_required: 1,
+          user_ids: new_approvers.map(&:id).append(user.id),
+          group_ids: new_groups.map(&:id)
+        }).execute
+      end
+
+      it 'creates approval, excluding non-eligible users and groups', :aggregate_failures do
+        expect(result[:status]).to eq(:success)
+
+        rule = result[:rule]
+
+        expect(rule.name).to eq('security')
+        expect(rule.approvals_required).to eq(1)
+        expect(rule.users).to match_array([user])
+        expect(rule.groups).to be_empty
+      end
+
+      it 'creates approval without audit' do
+        expect(::Gitlab::Audit::Auditor).not_to receive(:audit)
+
+        expect(result[:status]).to eq(:success)
+      end
+
+      context 'validation failure' do
+        let_it_be(:name) { nil }
+
+        it 'returns error message' do
+          expect(result[:status]).to eq(:error)
+          expect(result[:message][:name].first).to eq("can't be blank")
+        end
+      end
+    end
+
    context 'when approval rule with empty users and groups is being created' do
      subject { described_class.new(target, user, { user_ids: [], group_ids: [] }) }