[VI-867] Audit Log - User Login

[bramleyjl]

Summary

• Integrates UserAuditLogger logging into SiS & SSOe successful login auth flows to create UserAction records for user login.
  • SiS: TokenResponseGenerator service calls UserAuditLogger after session creation.
  • SSOe: At end of saml_callback process UserAuditLogger is called after user is redirected.
• Also updates UserAuditLogger to create a Rails log on successful UserAction creation & some basic error handling.
• UserActionEvent records with attributes matching this PR's update to the config/audit_log/user_action_events.yml file have been created in dev, sandbox, staging, and prod environments.

Related issue(s)

• https://jira.devops.va.gov/browse/VI-866
  • [VI-866] User Action Event creation #20956
• https://jira.devops.va.gov/browse/VI-867

Testing done

• New code is covered by unit tests

Login flow UserAction creation

• Ensure your UserActionEvent record is up to date: delete all UserAction & UserActionEvent records and repopulate the DB with rails db:seed before testing.
• Success testing can be confirmed by looking up the UserActionEvent & UserAction in a rails console following authentication.
• Failure testing can be performed by monkey patching the UserAuditLogger invocation in the SiS or SSOe flow:

      UserAuditLogger.new(user_action_event_identifier: 'user_login',
                          # subject_user_verification: user_verification,
                          subject_user_verification: nil,
                          # status: :success,
                          status: nil,
                          acting_ip_address: request_attributes[:remote_ip],
                          acting_user_agent: request_attributes[:user_agent]).perform

SiS Testing

• perform a SiS authentication, you should see the following logs
  - success: User audit log created -- { :user_action_event => 13, :user_action_event_details => "Sign in on VA.gov", :status => :success, :user_action => "a4bc236f-3fba-4dd4-9274-593c8a94c1c7" }
  - You can also perform a SiS mobile/API authentication to confirm that acting_ip_address & acting_user_agent values are properly set.
  - error: [UserAuditLogger] error -- { :error => "undefined method 'validate!' for nil" }
  - the /token request should still succeed & return tokens

SSOe Testing

• perform a SSOe authentication, you should see the following logs
  - success: User audit log created -- { :user_action_event => 13, :user_action_event_details => "Sign in on VA.gov", :status => :success, :user_action => "80563770-88c5-48e3-8cf0-1fda9ae3b2f2" }
  - error: [UserAuditLogger] error -- { :error => "Validation failed: Status is not included in the list" }
  - authentication should still be successful

What areas of the site does it impact?

SSOe & SiS PKCE authentication

Acceptance criteria

• I fixed|updated|added unit tests and integration tests for each feature (if applicable).
• No error nor warning in the console.
• Events are being sent to the appropriate logging solution
• Documentation has been updated (link to documentation)
• No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
• Feature/bug has a monitor built into Datadog (if applicable)
• If app impacted requires authentication, did you login to a local build and verify all authenticated routes work as expected

[github-actions]

Error: A file (or its parent directories) does not have a CODEOWNERS entry. Please update the .github/CODEOWNERS file and add the entry for the Offending file: app/services/user_audit_logger_service.rb

[github-actions]

Error: A file (or its parent directories) does not have a CODEOWNERS entry. Please update the .github/CODEOWNERS file and add the entry for the Offending file: app/services/user_audit_logger_service.rb

[github-actions]

Error: A file (or its parent directories) does not have a CODEOWNERS entry. Please update the .github/CODEOWNERS file and add the entry for the Offending file: spec/services/user_audit_logger_service_spec.rb

[github-actions]

1 Warning

⚠️

This PR changes 278 LoC (not counting whitespace/newlines). In order to ensure each PR receives the proper attention it deserves, we recommend not exceeding 200. Expect some delays getting reviews. File Summary Files app/controllers/v0/sign_in_controller.rb (+4/-1) app/controllers/v1/sessions_controller.rb (+9/-0) app/services/sign_in/token_response_generator.rb (+13/-2) app/services/user_audit_logger.rb (+20/-25) config/audit_log/user_action_events.yml (+3/-3) spec/controllers/v1/sessions_controller_spec.rb (+54/-0) spec/services/sign_in/token_response_generator_spec.rb (+28/-2) spec/services/user_audit_logger_spec.rb (+71/-43) Note: We exclude files matching the following when considering PR size: *.csv, *.json, *.tsv, *.txt, *.md, Gemfile.lock, app/swagger, modules/mobile/docs, spec/fixtures/, spec/support/vcr_cassettes/, modules/mobile/spec/support/vcr_cassettes/, db/seeds, modules/vaos/app/docs, modules/meb_api/app/docs, modules/appeals_api/app/swagger/, *.bru, *.pdf Big PRs are difficult to review, often become stale, and cause delays.

Generated by 🚫 Danger

[bosawt]

Confirmed I was able to log in and see a new user action created. Also, confirmed if the database was not properly seeded, an error occurred but the user was still able to sign in