Test Plan for "Automatically deprovision users when removed from a configured identity provider"
Test Plan
Introduction
This is a test plan for https://gitlab.com/gitlab-org/gitlab-ee/issues/5014
This issue is for implementing a limited SCIM 2.0 API that would allow automatic deprovisioning of users by an identity provider.
Scope
- Includes `GET /groups/:group/users` endpoint
- Includes `DELETE /groups/:group/users/:external_id` endpoint
- Does not include any other endpoints from the SCIM protocol specification
ACC Matrix
The matrix below identifies the Attributes, Components, and Capabilities relevant to the scope of this test plan.
Attributes (columns) are adverbs or adjectives that describe (at a high level) the qualities testing is meant to ensure Components have.
Components (rows) are nouns that define major parts of the product being tested.
Capabilities link Attributes and Components. They are what your product needs to do to make sure a Component fulfils an Attribute.
This feature includes the "API" and so it is included in the matrix.
For more information see the Google Testing Blog article about the 10 minute test plan and this wiki page from an open-source tool that implements the ACC model.
The numbers indicate the count of Capabilities at each intersection of Attribute and Component.
| | Secure | Responsive | Intuitive | Reliable |
|---|---|---|---|---|
| API | 1 | | 1 | 2 |
Capabilities
- API is
  - Secure
    - It is only accessible with a valid SCIM Access token (or Personal Access Token until SCIM Access token is implemented)
  - Intuitive
    - It follows the SCIM Protocol Specification (RFC 7644)
  - Reliable
    - `GET /groups/:group/users` correctly lists users associated with the `:group` and the idp.
    - `DELETE /groups/:group/users/:external_id` correctly removes the identity from the user and access to the group.
Test Cases
Capabilities mentioned above can be used to guide the testing. Some cases not completely obvious from the capabilities are mentioned in the list below. This list, however, should not be considered exhaustive and should only be used as a reference point for actual tests.
When adding new automated tests, please keep testing levels in mind.
Scenario 1: Re-link same user after DELETE
- Once a user has been deprovisioned with DELETE and then re-added to the idp system, they should be able to log in to the group again with the same credentials, perform Git operations and access private APIs.
Scenario 2: Access after DELETE
- Browser: Once a user has been deprovisioned with DELETE they should not be able to view the group and any of its data (e.g. comments, issues, MRs) using the browser.
- Once a user has been deprovisioned with DELETE they should not be able to perform Git operations on any repository in the group.
- Once a user has been deprovisioned with DELETE they should not be able to access non-public APIs of the group.
Scenario 3: GET after DELETE
- Once a user has been deprovisioned with DELETE they should not be listed on the `GET /groups/:group/users` endpoint.
Scenario 4: Integration with Azure AD
- With a GitLab instance set up to integrate with Azure AD as SAML idp, all scenarios above should pass.
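Scenarios 2 and 3 and the "Secure" capability, expressed as executable checks in an added example (not GitLab's own test code). `FakeScim` is a hypothetical in-memory stand-in for the two in-scope endpoints so the checks run offline; the token value and user data are constructed, and the 404 on a repeat DELETE is assumed from RFC 7644 rather than stated in this plan.

```python
from dataclasses import dataclass, field

VALID_TOKEN = "scim-token-constructed"  # constructed sample token, not a real secret


@dataclass
class FakeScim:
    """Hypothetical in-memory model of the two in-scope endpoints.
    identities: group -> {external_id: username}; members: group -> set(username)."""
    identities: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)

    def _authorized(self, token):
        return token == VALID_TOKEN

    def get_users(self, group, token):
        # Secure: reject anything but a valid access token before touching data
        if not self._authorized(token):
            return 401, None
        return 200, sorted(self.identities.get(group, {}).values())

    def delete_user(self, group, external_id, token):
        if not self._authorized(token):
            return 401, None
        ids = self.identities.get(group, {})
        if external_id not in ids:
            return 404, None  # assumption: RFC 7644 semantics for an unknown resource
        user = ids.pop(external_id)
        # Reliable: DELETE removes the identity AND revokes access to the group
        self.members.get(group, set()).discard(user)
        return 204, None

    def can_access_group(self, group, user):
        return user in self.members.get(group, set())


def run_deprovision_checks(api, group, external_id, user, other_user):
    """Return {check name: passed}; each check maps to a capability or scenario above."""
    r = {}
    r["secure_rejects_bad_token"] = api.get_users(group, "wrong-token")[0] == 401
    status, users = api.get_users(group, VALID_TOKEN)
    r["get_lists_user_before_delete"] = status == 200 and user in users
    r["delete_succeeds"] = api.delete_user(group, external_id, VALID_TOKEN)[0] == 204
    status, users = api.get_users(group, VALID_TOKEN)
    r["scenario3_get_after_delete"] = status == 200 and user not in users
    r["other_users_unaffected"] = other_user in users
    r["scenario2_no_group_access"] = not api.can_access_group(group, user)
    r["repeat_delete_is_404"] = api.delete_user(group, external_id, VALID_TOKEN)[0] == 404
    return r


def demo():
    api = FakeScim(identities={"acme": {"ext-1": "alice", "ext-2": "bob"}},
                   members={"acme": {"alice", "bob"}})
    return run_deprovision_checks(api, "acme", "ext-1", "alice", "bob")
```

Pointing `run_deprovision_checks` at a thin HTTP wrapper with the same three methods turns it into an integration test for Scenario 4.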