Test Plan for "Automatically deprovision users when removed from a configured identity provider"

Test Plan

Introduction

This is a test plan for https://gitlab.com/gitlab-org/gitlab-ee/issues/5014

This issue is for implementing a limited SCIM 2.0 API that would allow automatic deprovisioning of users by an identity provider.

Scope

  • Includes GET /groups/:group/users endpoint
  • Includes DELETE /groups/:group/users/:external_id endpoint
  • Does not include any other endpoints from the SCIM protocol specification

ACC Matrix

The matrix below identifies the Attributes, Components, and Capabilities relevant to the scope of this test plan.

Attributes (columns) are adverbs or adjectives that describe (at a high level) the qualities testing is meant to ensure Components have.

Components (rows) are nouns that define major parts of the product being tested.

Capabilities link Attributes and Components. They are what your product needs to do to make sure a Component fulfils an Attribute.

This feature includes the "API" and so it is included in the matrix.

For more information see the Google Testing Blog article about the 10 minute test plan and this wiki page from an open-source tool that implements the ACC model.

The numbers indicate the count of Capabilities at each intersection of Attribute and Component.

            Secure    Responsive    Intuitive    Reliable
API         1                       1            2

Capabilities

  • API is
    • Secure
      • It is only accessible with a valid SCIM Access token (or Personal Access Token until SCIM Access token is implemented)
    • Intuitive
      • It follows the SCIM Protocol Specification (RFC 7644)
    • Reliable
      • GET /groups/:group/users correctly lists users associated with the :group and the idp.
      • DELETE /groups/:group/users/:external_id correctly removes the identity from the user and access to the group.

Test Cases

The capabilities mentioned above can be used to guide the testing. Some cases that are not completely obvious from the capabilities are listed below. This list, however, should not be considered exhaustive and should only be used as a reference point for actual tests.

When adding new automated tests, please keep testing levels in mind.

Scenario 1: Re-link same user after DELETE

  • Once a user has been deprovisioned with DELETE and then re-added to the idp system, they should be able to log in to the group again with the same credentials, perform Git operations and access private APIs.

Scenario 2: Access after DELETE

  • Browser: Once a user has been deprovisioned with DELETE they should not be able to view the group and any of its data (e.g. comments, issues, MRs) using the browser.
  • Once a user has been deprovisioned with DELETE they should not be able to perform Git operations on any repository in the group.
  • Once a user has been deprovisioned with DELETE they should not be able to access non-public APIs of the group.

Scenario 3: GET after DELETE

  • Once a user has been deprovisioned with DELETE they should not be listed on the GET /groups/:group/users endpoint.
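As an added example (not part of the original test plan), a check for Scenario 3 that walks every page of the GET /groups/:group/users listing before concluding a user is gone. It assumes the endpoint returns an RFC 7644 ListResponse (schemas, totalResults, startIndex, itemsPerPage, Resources), which the page does not specify; the sample pages are constructed.

```python
"""Scenario 3 check: a deprovisioned externalId must not appear on
GET /groups/:group/users. Assumes (not stated on the page) that the
endpoint returns an RFC 7644 ListResponse, possibly split over pages."""

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_external_ids(pages):
    """Yield every externalId across a sequence of ListResponse pages.

    Raises ValueError if a page is not a ListResponse or if the pages
    together do not cover totalResults, so a user missing from an
    incomplete listing is never mistaken for a deprovisioned one.
    """
    seen = 0
    total = None
    for page in pages:
        if LIST_RESPONSE_SCHEMA not in page.get("schemas", []):
            raise ValueError("not a SCIM ListResponse")
        total = page["totalResults"]
        for user in page.get("Resources", []):
            seen += 1
            yield user.get("externalId")
    if total is not None and seen != total:
        raise ValueError(f"pages cover {seen} of {total} results")


def is_deprovisioned(pages, external_id):
    """True when external_id is absent from the complete listing."""
    return external_id not in set(scim_external_ids(pages))


# Constructed sample: two pages, 3 users in total, taken after a
# DELETE of external_id "ext-0002" (a placeholder identifier).
SAMPLE_PAGES = [
    {"schemas": [LIST_RESPONSE_SCHEMA], "totalResults": 3, "startIndex": 1,
     "itemsPerPage": 2,
     "Resources": [{"id": "1", "externalId": "ext-0001"},
                   {"id": "3", "externalId": "ext-0003"}]},
    {"schemas": [LIST_RESPONSE_SCHEMA], "totalResults": 3, "startIndex": 3,
     "itemsPerPage": 2,
     "Resources": [{"id": "4", "externalId": "ext-0004"}]},
]
```

Checking only the first page would also report "ext-0004" as missing, which is why the helper insists on covering totalResults.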

Scenario 4: Integration with Azure AD

  • With a GitLab instance set up to integrate with Azure AD as SAML idp, all scenarios above should pass.
Edited Mar 19, 2019 by Sanad Liaquat