Merge branch 'smriti-393747/db_migration_scim_oauth_saml_providers' into 'master'

ScimToken and SamlProvider to be deleted for non root group See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/115640 Merged-by: Imre Farkas <ifarkas@gitlab.com> Approved-by: Imre Farkas <ifarkas@gitlab.com> Approved-by: Bogdan Denkovych <bdenkovych@gitlab.com> Reviewed-by: Imre Farkas <ifarkas@gitlab.com> Reviewed-by: Adam Hegyi <ahegyi@gitlab.com> Reviewed-by: Bogdan Denkovych <bdenkovych@gitlab.com> Co-authored-by: Bogdan Denkovych <bdenkovych@gitlab.com> Co-authored-by: smriti <sgarg@gitlab.com>

Merge branch 'smriti-393747/db_migration_scim_oauth_saml_providers' into 'master'
e1a4f0f0 · Imre Farkas · ab4b145c · cfc2e5ce · e1a4f0f0 · e1a4f0f0
--- a/db/post_migrate/20230405132104_remove_saml_provider_and_identities_non_root_group.rb
+++ b/db/post_migrate/20230405132104_remove_saml_provider_and_identities_non_root_group.rb
+# frozen_string_literal: true
+
+class RemoveSamlProviderAndIdentitiesNonRootGroup < Gitlab::Database::Migration[2.1]
+  BATCH_SIZE = 500
+
+  disable_ddl_transaction!
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  def up
+    each_batch_range('saml_providers', scope: ->(table) { table.all }, of: BATCH_SIZE) do |min, max|
+      execute <<~SQL
+        DELETE FROM identities
+        WHERE identities.saml_provider_id
+        IN
+        (
+          SELECT saml_providers.id FROM saml_providers
+          INNER JOIN namespaces ON namespaces.id=saml_providers.group_id
+          AND namespaces.type='Group' AND namespaces.parent_id IS NOT NULL
+          AND saml_providers.id BETWEEN #{min} AND #{max}
+        );
+
+        DELETE FROM saml_providers
+        USING namespaces
+        WHERE namespaces.id=saml_providers.group_id
+        AND namespaces.type='Group' AND namespaces.parent_id IS NOT NULL
+        AND saml_providers.id BETWEEN #{min} AND #{max};
+      SQL
+    end
+  end
+
+  def down
+    # noop
+  end
+end
--- a/db/post_migrate/20230405132855_remove_scim_token_and_scim_identity_non_root_group.rb
+++ b/db/post_migrate/20230405132855_remove_scim_token_and_scim_identity_non_root_group.rb
+# frozen_string_literal: true
+
+class RemoveScimTokenAndScimIdentityNonRootGroup < Gitlab::Database::Migration[2.1]
+  BATCH_SIZE = 500
+
+  disable_ddl_transaction!
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  def up
+    each_batch_range('scim_oauth_access_tokens', scope: ->(table) { table.all }, of: BATCH_SIZE) do |min, max|
+      execute <<~SQL
+        DELETE FROM scim_identities
+        WHERE scim_identities.group_id
+        IN
+        (
+          SELECT namespaces.id FROM scim_oauth_access_tokens
+          INNER JOIN namespaces ON namespaces.id=scim_oauth_access_tokens.group_id
+          WHERE namespaces.type='Group' AND namespaces.parent_id IS NOT NULL
+          AND scim_oauth_access_tokens.id BETWEEN #{min} AND #{max}
+        );
+
+        DELETE FROM scim_oauth_access_tokens
+        USING namespaces
+        WHERE namespaces.id=scim_oauth_access_tokens.group_id
+        AND namespaces.type='Group' AND namespaces.parent_id IS NOT NULL
+        AND scim_oauth_access_tokens.id BETWEEN #{min} AND #{max};
+      SQL
+    end
+  end
+
+  def down
+    # noop
+  end
+end
--- a/db/schema_migrations/20230405132104
+++ b/db/schema_migrations/20230405132104
+eae464c7583b909d975c379d196b7ae5301580f7195907a476ca1a146d8cb6b1
\ No newline at end of file
--- a/db/schema_migrations/20230405132855
+++ b/db/schema_migrations/20230405132855
+a7928284883d79b1204bb39a2a2d34b173771ce6dc484cefdb1c7ec3e9e9477a
\ No newline at end of file
--- a/spec/migrations/remove_saml_provider_and_identities_non_root_group_spec.rb
+++ b/spec/migrations/remove_saml_provider_and_identities_non_root_group_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe RemoveSamlProviderAndIdentitiesNonRootGroup, feature_category: :system_access do
+  let(:namespaces) { table(:namespaces) }
+  let(:saml_providers) { table(:saml_providers) }
+  let(:identities) { table(:identities) }
+  let(:root_group) do
+    namespaces.create!(name: 'root_group', path: 'foo', parent_id: nil, type: 'Group')
+  end
+
+  let(:non_root_group) do
+    namespaces.create!(name: 'non_root_group', path: 'non_root', parent_id: root_group.id, type: 'Group')
+  end
+
+  it 'removes saml_providers that belong to non-root group and related identities' do
+    provider_root_group = saml_providers.create!(
+      group_id: root_group.id,
+      sso_url: 'https://saml.example.com/adfs/ls',
+      certificate_fingerprint: '55:44:33:22:11:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99',
+      default_membership_role: ::Gitlab::Access::GUEST,
+      enabled: true
+    )
+
+    identity_root_group = identities.create!(
+      saml_provider_id: provider_root_group.id,
+      extern_uid: "12345"
+    )
+
+    provider_non_root_group = saml_providers.create!(
+      group_id: non_root_group.id,
+      sso_url: 'https://saml.example.com/adfs/ls',
+      certificate_fingerprint: '55:44:33:22:11:aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99',
+      default_membership_role: ::Gitlab::Access::GUEST,
+      enabled: true
+    )
+
+    identity_non_root_group = identities.create!(
+      saml_provider_id: provider_non_root_group.id,
+      extern_uid: "12345"
+    )
+
+    expect { migrate! }.to change { saml_providers.count }.from(2).to(1)
+
+    expect(identities.find_by_id(identity_non_root_group.id)).to be_nil
+    expect(saml_providers.find_by_id(provider_non_root_group.id)).to be_nil
+
+    expect(identities.find_by_id(identity_root_group.id)).not_to be_nil
+    expect(saml_providers.find_by_id(provider_root_group.id)).not_to be_nil
+  end
+end
--- a/spec/migrations/remove_scim_token_and_scim_identity_non_root_group_spec.rb
+++ b/spec/migrations/remove_scim_token_and_scim_identity_non_root_group_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe RemoveScimTokenAndScimIdentityNonRootGroup, feature_category: :system_access do
+  let(:namespaces) { table(:namespaces) }
+  let(:scim_oauth_access_tokens) { table(:scim_oauth_access_tokens) }
+  let(:scim_identities) { table(:scim_identities) }
+  let(:users) { table(:users) }
+  let(:root_group) do
+    namespaces.create!(name: 'root_group', path: 'foo', parent_id: nil, type: 'Group')
+  end
+
+  let(:non_root_group) do
+    namespaces.create!(name: 'non_root_group', path: 'non_root', parent_id: root_group.id, type: 'Group')
+  end
+
+  let(:root_group_user) do
+    users.create!(name: 'Example User', email: 'user@example.com', projects_limit: 0)
+  end
+
+  let(:non_root_group_user) do
+    users.create!(username: 'user2', email: 'user2@example.com', projects_limit: 10)
+  end
+
+  it 'removes scim_oauth_access_tokens that belong to non-root group and related scim_identities' do
+    scim_oauth_access_token_root_group = scim_oauth_access_tokens.create!(
+      group_id: root_group.id,
+      token_encrypted: Gitlab::CryptoHelper.aes256_gcm_encrypt(SecureRandom.hex(50))
+    )
+    scim_oauth_access_token_non_root_group = scim_oauth_access_tokens.create!(
+      group_id: non_root_group.id,
+      token_encrypted: Gitlab::CryptoHelper.aes256_gcm_encrypt(SecureRandom.hex(50))
+    )
+
+    scim_identity_root_group = scim_identities.create!(
+      group_id: root_group.id,
+      extern_uid: "12345",
+      user_id: root_group_user.id,
+      active: true
+    )
+
+    scim_identity_non_root_group = scim_identities.create!(
+      group_id: non_root_group.id,
+      extern_uid: "12345",
+      user_id: non_root_group_user.id,
+      active: true
+    )
+
+    expect { migrate! }.to change { scim_oauth_access_tokens.count }.from(2).to(1)
+    expect(scim_oauth_access_tokens.find_by_id(scim_oauth_access_token_non_root_group.id)).to be_nil
+    expect(scim_identities.find_by_id(scim_identity_non_root_group.id)).to be_nil
+
+    expect(scim_oauth_access_tokens.find_by_id(scim_oauth_access_token_root_group.id)).not_to be_nil
+    expect(scim_identities.find_by_id(scim_identity_root_group.id)).not_to be_nil
+  end
+end