Fix misleading IP address in audit

- Previously when members were removed from a group via SCIM the member's last know IP address was used int he audit event making it seem as though the member removed themselves whereas it is actually done via SCIM. https://docs.gitlab.com/ee/development/internal_api/index.html#instance-scim-api - Refs: https://gitlab.com/gitlab-org/gitlab/-/issues/259159 Changelog: fixed EE: true Add spec for destroy audit

Fix misleading IP address in audit
12a7c5ca · Sam Figueroa · c0576e03 · 12a7c5ca · 12a7c5ca
--- a/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb
@@ -37,7 +37,11 @@ def execute
          def remove_group_access
            return unless group_membership
-            ::Members::DestroyService.new(user).execute(group_membership, skip_saml_identity: true)
+            ::Members::DestroyService.new.execute(
+              group_membership,
+              skip_saml_identity: true,
+              skip_authorization: true
+            )
          end
          def group_membership

--- a/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb
+++ b/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb
@@ -15,6 +15,51 @@
        create(:group_member, group: group, user: user, access_level: GroupMember::REPORTER)
      end
+      context 'when auditing' do
+        let(:request_ip_address) { '192.168.188.69' }
+        let(:sign_in_ip) { '175.29.19.1' }
+        before do
+          allow(::Gitlab::RequestContext.instance).to receive(:client_ip).and_return(request_ip_address)
+          user.update! current_sign_in_ip: sign_in_ip
+        end
+        around do |example|
+          RequestStore.begin!
+          example.run
+          RequestStore.end!
+          RequestStore.clear!
+        end
+        def destroy_audits
+          AuditEvent.where %q("details" LIKE '%:event_name: member_destroyed%')
+        end
+        context 'without admin_audit_log enabled' do
+          before do
+            stub_licensed_features(admin_audit_log: false)
+          end
+          it 'audits the access removal without an IP address' do
+            expect { service.execute }.to change { destroy_audits.count }.by(1)
+            expect(destroy_audits.last.ip_address).to be_nil
+          end
+        end
+        context 'with admin_audit_log enabled' do
+          before do
+            stub_licensed_features(admin_audit_log: true)
+          end
+          it "audits the access removal with the request's IP address" do
+            expect { service.execute }.to change { destroy_audits.count }.by(1)
+            expect(destroy_audits.last.ip_address).to eq(request_ip_address)
+          end
+        end
+      end
      it 'deactivates scim identity' do
        expect { service.execute }.to change { identity.active }.from(true).to(false)
      end