feat: add audit trail for sign_in and sign_out (#7158)

* feat: add audit_trail for sign_in event * chore: ignore unrelated User model columns for auditing * chore: fix prepend call for webhook/automation rule * chore: add spec for sign_in event * chore: refactor sign_in auditlog method to enterprise namespace * feat: add sign_out audit trail * feat: review comments
2023-05-25 14:27:30 +05:30
parent 88cef88d80
commit 123fc73394
8 changed files with 98 additions and 3 deletions
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -784,8 +784,8 @@ GEM
 PLATFORMS
  arm64-darwin-20
  arm64-darwin-22
  arm64-darwin-21
  arm64-darwin-22
  ruby
  x86_64-darwin-18
  x86_64-darwin-20
--- a/app/controllers/devise_overrides/sessions_controller.rb
+++ b/app/controllers/devise_overrides/sessions_controller.rb
@@ -37,3 +37,5 @@ class DeviseOverrides::SessionsController < DeviseTokenAuth::SessionsController
    @resource = user if user&.valid_sso_auth_token?(params[:sso_auth_token])
  end
 end
 DeviseOverrides::SessionsController.prepend_mod_with('DeviseOverrides::SessionsController')
--- a/app/models/automation_rule.rb
+++ b/app/models/automation_rule.rb
@@ -77,4 +77,4 @@ class AutomationRule < ApplicationRecord
  end
 end
-AutomationRule.include_mod_with('Audit::Inbox')
+AutomationRule.include_mod_with('Audit::AutomationRule')
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -166,3 +166,5 @@ class User < ApplicationRecord
    macros.personal.destroy_all
  end
 end
 User.include_mod_with('Audit::User')
--- a/app/models/webhook.rb
+++ b/app/models/webhook.rb
@@ -38,4 +38,4 @@ class Webhook < ApplicationRecord
  end
 end
-Webhook.include_mod_with('Audit::Inbox')
+Webhook.include_mod_with('Audit::Webhook')
--- a/enterprise/app/controllers/enterprise/devise_overrides/sessions_controller.rb
+++ b/enterprise/app/controllers/enterprise/devise_overrides/sessions_controller.rb
@@ -0,0 +1,25 @@
 module Enterprise::DeviseOverrides::SessionsController
  def render_create_success
    create_audit_event('sign_in')
    super
  end
  def destroy
    create_audit_event('sign_out')
    super
  end
  def create_audit_event(action)
    return unless @resource
    associated_type = 'Account'
    @resource.accounts.each do |account|
      @resource.audits.create(
        action: action,
        user_id: @resource.id,
        associated_id: account.id,
        associated_type: associated_type
      )
    end
  end
 end
--- a/enterprise/app/models/enterprise/audit/user.rb
+++ b/enterprise/app/models/enterprise/audit/user.rb
@@ -0,0 +1,13 @@
 module Enterprise::Audit::User
  extend ActiveSupport::Concern
  included do
    audited only: [
      :availability,
      :display_name,
      :email,
      :name
    ]
    audited associated_with: :account
  end
 end
--- a/spec/enterprise/controllers/enterprise/devise_overrides/session_controller_spec.rb
+++ b/spec/enterprise/controllers/enterprise/devise_overrides/session_controller_spec.rb
@@ -0,0 +1,53 @@
 require 'rails_helper'
 RSpec.describe 'Enterprise Audit API', type: :request do
  let!(:account) { create(:account) }
  let!(:user) { create(:user, password: 'Password1!', account: account) }
  describe 'POST /sign_in' do
    it 'creates a sign_in audit event wwith valid credentials' do
      params = { email: user.email, password: 'Password1!' }
      expect do
        post new_user_session_url,
             params: params,
             as: :json
      end.to change(Enterprise::AuditLog, :count).by(1)
      expect(response).to have_http_status(:success)
      expect(response.body).to include(user.email)
      # Check if the sign_in event is created
      user.reload
      expect(user.audits.last.action).to eq('sign_in')
      expect(user.audits.last.associated_id).to eq(account.id)
      expect(user.audits.last.associated_type).to eq('Account')
    end
    it 'will not create a sign_in audit event with invalid credentials' do
      params = { email: user.email, password: 'invalid' }
      expect do
        post new_user_session_url,
             params: params,
             as: :json
      end.not_to change(Enterprise::AuditLog, :count)
    end
  end
  describe 'DELETE /sign_out' do
    context 'when it is an authenticated user' do
      it 'signs out the user and creates an audit event' do
        expect do
          delete '/auth/sign_out', headers: user.create_new_auth_token
        end.to change(Enterprise::AuditLog, :count).by(1)
        expect(response).to have_http_status(:success)
        user.reload
        expect(user.audits.last.action).to eq('sign_out')
        expect(user.audits.last.associated_id).to eq(account.id)
        expect(user.audits.last.associated_type).to eq('Account')
      end
    end
  end
 end