Merge branch...

Merge branch 'sf/bugfix/259159-group-level-audit-logging-shows-incorrect-ip-address-when-saml-actions-affect-user' into 'master' Resolve Logging shows incorrect IP address See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155754 Merged-by: Jessie Young <jessieyoung@gitlab.com> Approved-by: Jessie Young <jessieyoung@gitlab.com> Co-authored-by: Sam Figueroa <sfigueroa@gitlab.com>

Merge branch...
Merge branch 'sf/bugfix/259159-group-level-audit-logging-shows-incorrect-ip-address-when-saml-actions-affect-user' into 'master' Resolve Logging shows incorrect IP address See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/155754 Merged-by: Jessie Young <jessieyoung@gitlab.com> Approved-by: Jessie Young <jessieyoung@gitlab.com> Co-authored-by: Sam Figueroa <sfigueroa@gitlab.com>
c92c4257 · Jessie Young · GitLab · 2158ff88 · 12a7c5ca · c92c4257
--- a/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb
@@ -37,7 +37,11 @@ def execute
          def remove_group_access
            return unless group_membership

-            ::Members::DestroyService.new(user).execute(group_membership, skip_saml_identity: true)
+            ::Members::DestroyService.new.execute(
+              group_membership,
+              skip_saml_identity: true,
+              skip_authorization: true
+            )
          end

          def group_membership

--- a/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb
+++ b/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb
@@ -15,6 +15,51 @@
        create(:group_member, group: group, user: user, access_level: GroupMember::REPORTER)
      end

+      context 'when auditing' do
+        let(:request_ip_address) { '192.168.188.69' }
+        let(:sign_in_ip) { '175.29.19.1' }
+
+        before do
+          allow(::Gitlab::RequestContext.instance).to receive(:client_ip).and_return(request_ip_address)
+          user.update! current_sign_in_ip: sign_in_ip
+        end
+
+        around do |example|
+          RequestStore.begin!
+          example.run
+          RequestStore.end!
+          RequestStore.clear!
+        end
+
+        def destroy_audits
+          AuditEvent.where %q("details" LIKE '%:event_name: member_destroyed%')
+        end
+
+        context 'without admin_audit_log enabled' do
+          before do
+            stub_licensed_features(admin_audit_log: false)
+          end
+
+          it 'audits the access removal without an IP address' do
+            expect { service.execute }.to change { destroy_audits.count }.by(1)
+
+            expect(destroy_audits.last.ip_address).to be_nil
+          end
+        end
+
+        context 'with admin_audit_log enabled' do
+          before do
+            stub_licensed_features(admin_audit_log: true)
+          end
+
+          it "audits the access removal with the request's IP address" do
+            expect { service.execute }.to change { destroy_audits.count }.by(1)
+
+            expect(destroy_audits.last.ip_address).to eq(request_ip_address)
+          end
+        end
+      end
+
      it 'deactivates scim identity' do
        expect { service.execute }.to change { identity.active }.from(true).to(false)
      end