Add event type information for audit events using AuditEventService in `User`
Problem to solve
Some audit events are named audit_operation. This isn't a descriptive name and makes it difficult to differentiated from other events.
Additional context is available in this epic and in the parent epic.
Proposal
Add a meaningful name for the following events and actions that can be used to differentiate them from other events:
| Event | Action | Location |
|---|---|---|
email |
Create |
file |
Create user |
Create |
file |
Destroy user |
Delete |
file |
User impersonation at instance level |
unknown |
file |
Ask for password reset |
unknown |
file |
omniauth failed login |
unknown |
file |
Instance access request |
unknown |
file |
Instance access request approved |
unknown |
file |
Instance access request rejected |
unknown |
file |
block user |
unknown |
file |
OAuth application added |
unknown |
file |
Add user to group saml |
unknown |
file |
Added SSH key |
unknown |
file |
Naming should follow the noun_verb format and use the past tense. For example ci_variable_created.
For events created with audit_changes we can pass the event name using the event_type argument.
audit_changes(:email, as: 'email address', event_type: 'email_address_added')Consider this MR as an example of how to do this.
Implementation plan
- Add an meaningful event
namefor the events in theUsermodel listed in the proposal.- The name should follow the
noun_verbformat.
- The name should follow the
- Update the associated specs.
Validation Steps
User services
These services can be triggered through actions in Admin > Overview > Users:
- Create a user using the "New User" button.
- Delete a user (this may take a while to process).
- Block a user.
The above should each generate an audit event. To trigger approve/reject events, register a new user in the login page, then accept or reject that user through the admin role.
Passwords controller
This is an instance-level audit event and must be verified with admin access. This may only be possible in a local environment.
- Log out
- Click the password reset link
- Open the generated reset email and click the link
- Choose a new password
- Verify an audit event is created:
Omniauth failed login
- Log out
- Attempt to login via google. This should fail by default in a local GDK environment.
- Verify the audit event.
Registrations Controller
- Log out
- Click register to request a new account.
- Log in as admin
- Verify the audit event.
Notes
- For instructions on how to setup your development environment.
- For any questions regarding audit events reach out to a member of the compliance group.