diff --git a/ee/app/controllers/ee/passwords_controller.rb b/ee/app/controllers/ee/passwords_controller.rb
index b686286e1178efd3cb9d5a0f031488c52de59911..5c1282a2dc5a507d2485ce671be43e2d1fc88606 100644
--- a/ee/app/controllers/ee/passwords_controller.rb
+++ b/ee/app/controllers/ee/passwords_controller.rb
@@ -11,16 +11,18 @@ module PasswordsController
     private
 
     def log_audit_event
-      ::AuditEventService.new(
-        current_user,
-        resource,
-        action: :custom,
-        custom_message: 'Ask for password reset',
+      unauth_author = ::Gitlab::Audit::UnauthenticatedAuthor.new
+      requester = resource || ::User.new(id: unauth_author.id)
+
+      ::Gitlab::Audit::Auditor.audit({
+        name: "password_reset_requested",
+        author: current_user || unauth_author,
+        scope: requester,
+        target: requester,
+        target_details: resource_params[:email],
+        message: "Ask for password reset",
         ip_address: request.remote_ip
-      ).for_user(
-        full_path: resource_params[:email],
-        entity_id: nil
-      ).unauth_security_event
+      })
     end
   end
 end
diff --git a/ee/config/audit_events/types/password_reset_requested.yml b/ee/config/audit_events/types/password_reset_requested.yml
new file mode 100644
index 0000000000000000000000000000000000000000..970a446287e115dbc9b5773bf386245e9eb9a20e
--- /dev/null
+++ b/ee/config/audit_events/types/password_reset_requested.yml
@@ -0,0 +1,10 @@
+---
+name: password_reset_requested
+description: Event triggered when a user requests a password reset using a registered
+  email address
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/374107
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/114548
+feature_category: compliance_management
+milestone: '15.11'
+saved_to_database: true
+streamed: false
diff --git a/ee/spec/controllers/passwords_controller_spec.rb b/ee/spec/controllers/passwords_controller_spec.rb
index 75ad364e3073af7f7509f0508868adc9ae4df52d..9c4d10497ddca0fdabf0c1c313c5a0c3186f3971 100644
--- a/ee/spec/controllers/passwords_controller_spec.rb
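Review bot: The fallback `requester = resource || ::User.new(id: unauth_author.id)` needs a comment, because it makes `entity_id`/`target_id` of events for unknown emails equal to the unauthenticated-author sentinel id (the spec asserts exactly that) rather than a real account, and a reader of the audit table may otherwise assume those ids reference a User row. Suggested comment above that line: `# No user matches the submitted email: audit against an unsaved stand-in carrying the unauthenticated-author sentinel id, so scope/target never point at a real account.` Separately, `target_details: resource_params[:email]` stores the request parameter verbatim; for unknown emails it is the only identifying detail in the event and is caller-supplied, so a short comment noting that consumers of the audit log should treat it as untrusted text would help. `log_audit_event` is complete within the hunk.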
+++ b/ee/spec/controllers/passwords_controller_spec.rb
@@ -11,8 +11,60 @@ let_it_be(:user) { create(:user) }
-    subject { post :create, params: { user: { email: user.email } } }
+    subject(:post_create) { post :create, params: { user: { email: email } } }
-    it { expect { subject }.to change { AuditEvent.count }.by(1) }
+    context "when email exists" do
+      let(:email) { user.email }
+
+      it "generates an audit event" do
+        expect { post_create }.to change { AuditEvent.count }.by(1)
+
+        expect(AuditEvent.last).to have_attributes({
+          attributes: hash_including({
+            "entity_id" => user.id,
+            "entity_type" => "User",
+            "entity_path" => nil,
+            "author_name" => "An unauthenticated user",
+            "target_type" => "User",
+            "target_details" => user.email,
+            "target_id" => user.id
+          }),
+          details: hash_including({
+            custom_message: "Ask for password reset",
+            author_name: "An unauthenticated user",
+            target_type: "User",
+            target_details: user.email
+          })
+        })
+      end
+    end
+
+    context "when email does not exist" do
+      let(:email) { "#{user.email}.nonexistent" }
+
+      it "generates an audit event" do
+        nonuser = ::Gitlab::Audit::UnauthenticatedAuthor.new
+
+        expect { post_create }.to change { AuditEvent.count }.by(1)
+
+        expect(AuditEvent.last).to have_attributes({
+          attributes: hash_including({
+            "entity_id" => nonuser.id,
+            "entity_type" => "User",
+            "entity_path" => nil,
+            "author_name" => "An unauthenticated user",
+            "target_type" => "User",
+            "target_details" => email,
+            "target_id" => nonuser.id
+          }),
+          details: hash_including({
+            custom_message: "Ask for password reset",
+            author_name: "An unauthenticated user",
+            target_type: "User",
+            target_details: email
+          })
+        })
+      end
+    end
   end
 end
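Review bot: The two `it "generates an audit event"` examples repeat the full `have_attributes` expectation and differ only in the expected id and email, so a later change to the audited attributes has to be made twice; a shared example parameterised by an `expected_id` `let` (with `email` already a `let`) keeps each context down to its inputs. The "when email does not exist" example also instantiates `::Gitlab::Audit::UnauthenticatedAuthor.new` inline just to read its `id`; moving that into the `let` makes the intent visible at the context level. The enclosing `describe` block starts before the hunk.
```ruby
shared_examples "audits the password reset request" do
  it "generates an audit event" do
    expect { post_create }.to change { AuditEvent.count }.by(1)

    expect(AuditEvent.last).to have_attributes({
      attributes: hash_including({
        "entity_id" => expected_id,
        "entity_type" => "User",
        "entity_path" => nil,
        "author_name" => "An unauthenticated user",
        "target_type" => "User",
        "target_details" => email,
        "target_id" => expected_id
      }),
      # … unchanged: details: hash_including(...) with target_details: email …
    })
  end
end

context "when email exists" do
  let(:email) { user.email }
  let(:expected_id) { user.id }

  it_behaves_like "audits the password reset request"
end

context "when email does not exist" do
  let(:email) { "#{user.email}.nonexistent" }
  let(:expected_id) { ::Gitlab::Audit::UnauthenticatedAuthor.new.id }

  it_behaves_like "audits the password reset request"
end
```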