Commit f167b39c authored by George Koltsov's avatar George Koltsov :two:

Merge branch 'add-instance-audit-event-for-enabling_admin_mode' into 'master'

Add instance audit event for enabling admin mode

See merge request !104754



Merged-by: default avatarGeorge Koltsov <gkoltsov@gitlab.com>
Approved-by: default avatarSmriti Garg <sgarg@gitlab.com>
Approved-by: default avatarGeorge Koltsov <gkoltsov@gitlab.com>
Co-authored-by: Bogdan Denkovych's avatarBogdan Denkovych <bdenkovych@gitlab.com>
parents 88819423 d1c82d51
......@@ -227,6 +227,7 @@ The following user actions on a GitLab instance generate instance audit events:
- Removed SSH key ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220127) in GitLab 14.1)
- Added or removed GPG key ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/220127) in GitLab 14.1)
- A user's two-factor authentication was disabled ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/238177) in GitLab 15.1)
- Enabled Admin Mode ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/362101) in GitLab 15.7)
Instance events can also be accessed via the [Instance Audit Events API](../api/audit_events.md#instance-audit-events).
......
---
name: user_enable_admin_mode
description: Event triggered on enabling admin mode
introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/362101
introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/104754
group: "group::authentication and authorization"
milestone: "15.7"
saved_to_database: true
streamed: true
# frozen_string_literal: true
module EE
module Gitlab
module Auth
module CurrentUserMode
extend ::Gitlab::Utils::Override
private
override :audit_user_enable_admin_mode
def audit_user_enable_admin_mode
audit_context = {
name: 'user_enable_admin_mode',
author: user,
scope: user,
target: user,
message: 'Enabled admin mode',
created_at: DateTime.current
}
::Gitlab::Audit::Auditor.audit(audit_context)
end
end
end
end
end
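Review bot: `created_at: DateTime.current` in the audit context built at L48 uses the legacy DateTime class, while the same flow stamps the session with `Time.now` in the core `enable_admin_mode!`, so the two timestamps recorded for one event come from different clock and zone handling; `created_at: Time.current` would keep them consistent, unless Auditor specifically requires a DateTime, which this page does not show. The override carries no documentation, and a comment such as `# Records the instance audit event for a successful admin-mode enable; only reached from the success path of enable_admin_mode!` would make the hook's contract explicit. The whole module is shown here, but the file path is not visible on this page.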
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Auth::CurrentUserMode, :request_store do
let_it_be(:user) { create(:user, :admin) }
subject { described_class.new(user) }
context 'when session is available' do
include_context 'custom session'
before do
allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session])
end
describe '#enable_admin_mode!' do
before do
stub_licensed_features(extended_audit_events: true)
end
context 'when enabling admin mode succeeds' do
it 'creates an audit event', :aggregate_failures do
subject.request_admin_mode!
expect do
subject.enable_admin_mode!(password: user.password)
end.to change { AuditEvent.count }.by(1)
expect(AuditEvent.last).to have_attributes(
author: user,
entity: user,
target_id: user.id,
target_type: user.class.name,
target_details: user.name,
details: include(custom_message: 'Enabled admin mode')
)
end
end
context 'when enabling admin mode fails' do
it 'does not create an audit event' do
subject.request_admin_mode!
expect do
subject.enable_admin_mode!(password: 'wrong password')
end.not_to change { AuditEvent.count }
end
end
end
end
end
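Review bot: The spec stubs `extended_audit_events: true` at L74 but never exercises the unlicensed case, so a regression in which the event is written regardless of licence (or dropped when it should be written) would go unnoticed. A sibling context with `stub_licensed_features(extended_audit_events: false)` asserting `.not_to change { AuditEvent.count }` would pin that behaviour, assuming Auditor gates on the licence as the stub implies. The failure example at L93 also only covers a wrong password; the non-admin caller path that the core change introduces is left to the CE spec, which is fine but worth a one-line comment saying so.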
......@@ -106,8 +106,8 @@ def admin_mode_requested?
end
def enable_admin_mode!(password: nil, skip_password_validation: false)
return unless user&.admin?
return unless skip_password_validation || user&.valid_password?(password)
return false unless user&.admin?
return false unless skip_password_validation || user&.valid_password?(password)
raise NotRequestedError unless admin_mode_requested?
......@@ -115,6 +115,10 @@ def enable_admin_mode!(password: nil, skip_password_validation: false)
current_session_data[ADMIN_MODE_REQUESTED_TIME_KEY] = nil
current_session_data[ADMIN_MODE_START_TIME_KEY] = Time.now
audit_user_enable_admin_mode
true
end
def disable_admin_mode!
......@@ -175,6 +179,10 @@ def reset_request_store_cache_entries
def privileged_runtime?
Gitlab::Runtime.rake? || Gitlab::Runtime.rails_runner? || Gitlab::Runtime.console?
end
def audit_user_enable_admin_mode; end
end
end
end
Gitlab::Auth::CurrentUserMode.prepend_mod_with('Gitlab::Auth::CurrentUserMode')
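Review bot: The new `return false` branches at the top of `enable_admin_mode!` leave a failed admin-mode attempt (non-admin caller or wrong password) without any audit record, because `audit_user_enable_admin_mode` is only reached after the session keys are written; from a detection standpoint a failed privilege escalation is at least as interesting as a successful one, so a corresponding failure hook or at least a log line on those branches is worth considering. The changed return contract (false instead of nil on failure, `true` on success, `NotRequestedError` when admin mode was not requested first) is undocumented; a short YARD comment above the method stating those three outcomes would help callers that now branch on the result. The CE no-op `def audit_user_enable_admin_mode; end` deserves a comment such as `# No-op in CE; EE::Gitlab::Auth::CurrentUserMode overrides this to record an audit event.` so readers do not mistake it for dead code. `enable_admin_mode!`'s body is split across the first two hunks, and the third hunk sits inside a class whose header is outside this view.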
......@@ -194,10 +194,41 @@
it 'creates a timestamp in the session' do
subject.request_admin_mode!
subject.enable_admin_mode!(password: user.password)
expect(session).to include(expected_session_entry(be_within(1.second).of(Time.now)))
end
it 'returns true after successful enable' do
subject.request_admin_mode!
expect(subject.enable_admin_mode!(password: user.password)).to eq(true)
end
it 'returns false after unsuccessful enable' do
subject.request_admin_mode!
expect(subject.enable_admin_mode!(password: 'wrong password')).to eq(false)
end
context 'when user is not an admin' do
let(:user) { build_stubbed(:user) }
it 'returns false' do
subject.request_admin_mode!
expect(subject.enable_admin_mode!(password: user.password)).to eq(false)
end
end
context 'when admin mode is not requested' do
it 'raises error' do
expect do
subject.enable_admin_mode!(password: user.password)
end.to raise_error(Gitlab::Auth::CurrentUserMode::NotRequestedError)
end
end
end
describe '#disable_admin_mode!' do
......
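Review bot: The 'returns false after unsuccessful enable' example at L137 only checks the return value; nothing asserts that the session was left untouched, which is the property that actually matters for a failed privilege check. Adding the inverse of the `include(expected_session_entry(...))` check used in the preceding example, i.e. asserting that the admin-mode start-time entry is absent after the wrong-password call, would pin that, and the same applies to the 'when user is not an admin' context at L141. The enclosing describe block starts before this hunk.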