
LDAP group sync leaves authorized_projects in an inconsistent state

Summary

When a user is removed from an LDAP group and LdapGroupSyncWorker is executed, the user's membership is removed but the user still has access to projects under the linked GitLab group, because the user's authorized_projects (the ProjectAuthorization rows) are not refreshed. This is also the case when clicking "Sync" in the GitLab UI, which simply runs LdapGroupSyncWorker.

Steps to reproduce

  1. Ensure the GitLab group ldap-link is linked with the LDAP group cn=developers,dc=example,dc=org (the link maps developers to the Master access level)

  2. Add user uid=chris,dc=example,dc=org to cn=developers,dc=example,dc=org (LDAP group)

  3. Run LdapGroupSyncWorker.new.perform

  4. Check ldap-link/project/settings/members

  5. User chris exists

  6. Remove uid=chris,dc=example,dc=org from cn=developers,dc=example,dc=org (LDAP group)

  7. Execute LdapGroupSyncWorker.new.perform

  8. Check ldap-link/project/settings/members

     1. User chris does not exist in the UI
  9. User chris still has access to ldap-link/project

  10. In a Rails console, Project.find_by_full_path('ldap-link/project').team.members.map(&:username) still returns

       ["john", "chris", "root"]
  11. ProjectAuthorization.where(user_id: User.find_by_username('chris').id) still returns the authorization row granting Master (40) access

       => #<ActiveRecord::Relation [#<ProjectAuthorization user_id: 2, project_id: 1, access_level: 40>]>
  12. Running User.find_by_username('chris').refresh_authorized_projects manually removes the stale row, and the user disappears from the project team
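
The steps above boil down to comparing two tables: members, which the sync does update, and project_authorizations, which it leaves behind. The following is an added example, not GitLab's code or the reporter's console session. It models both tables with plain Ruby structs and constructed data (user ids, group id 10, project id 1 and access levels are hypothetical, chosen to mirror the report), recomputes the authorizations that memberships actually justify, and reports the stale row that a refresh would remove. The same audit can be run over every user rather than only the one affected, which is what an administrator checking for this drift after an LDAP sync would want.

```ruby
require 'set'

# Constructed model (not GitLab's code) of the two tables the report
# compares: members (group and project memberships, which the LDAP sync
# does update) and project_authorizations (the denormalised table that
# User#refresh_authorized_projects rebuilds and that the sync leaves stale).
Member        = Struct.new(:user_id, :source_type, :source_id, :access_level)
Authorization = Struct.new(:user_id, :project_id, :access_level)

# Hypothetical ids mirroring the report: chris is user 2, the project is id 1,
# its owning group (ldap-link) is id 10.
USERS    = { 1 => 'root', 2 => 'chris', 3 => 'john' }.freeze
PROJECTS = { 1 => 10 }.freeze   # project_id => owning group_id

# Group memberships as they stand after chris was dropped from the LDAP
# group and LdapGroupSyncWorker ran: only root and john remain.
MEMBERS_AFTER_SYNC = [
  Member.new(1, :group, 10, 50),  # root, Owner
  Member.new(3, :group, 10, 40),  # john, Master via the LDAP link
].freeze

# project_authorizations as left behind by the sync: chris's row survived.
STORED_AFTER_SYNC = [
  Authorization.new(1, 1, 50),
  Authorization.new(3, 1, 40),
  Authorization.new(2, 1, 40),    # stale: no membership backs this row
].freeze

# Recompute authorizations from memberships alone: a user gets a project's
# row from a direct project membership or from membership in its owning
# group, at the highest level any of those grants.
def expected_authorizations(members, projects)
  levels = Hash.new(0)
  members.each do |m|
    project_ids = if m.source_type == :project
                    [m.source_id]
                  else
                    projects.select { |_, group_id| group_id == m.source_id }.keys
                  end
    project_ids.each do |pid|
      key = [m.user_id, pid]
      levels[key] = [levels[key], m.access_level].max
    end
  end
  levels.map { |(uid, pid), level| Authorization.new(uid, pid, level) }.to_set
end

# Diff stored rows against the recomputed set. :stale rows grant access
# that no membership justifies (the bug on this page); :missing rows are
# the inverse drift (a member who cannot see a project they should).
def audit(members, projects, stored)
  expected = expected_authorizations(members, projects)
  stored   = stored.to_set
  { stale: (stored - expected).to_a, missing: (expected - stored).to_a }
end

# What a refresh does: replace the stored rows with the recomputed set.
def refresh(members, projects)
  expected_authorizations(members, projects).to_a
end

if $PROGRAM_NAME == __FILE__
  report = audit(MEMBERS_AFTER_SYNC, PROJECTS, STORED_AFTER_SYNC)
  report[:stale].each do |a|
    puts "stale: #{USERS[a.user_id]} still authorised on project #{a.project_id} at level #{a.access_level}"
  end
  fixed = refresh(MEMBERS_AFTER_SYNC, PROJECTS)
  puts "after refresh, stale rows: #{audit(MEMBERS_AFTER_SYNC, PROJECTS, fixed)[:stale].size}"
end
```

On a real instance the same diff is what refresh_authorized_projects performs per user; the audit above is only a way to see, for all users at once, which rows the sync should have removed before trusting the members page in the UI.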

What is the current bug behavior?

The user's authorized_projects are not updated on LDAP group sync: the membership is removed, but the ProjectAuthorization rows remain, so the user keeps access to the group's projects.

What is the expected correct behavior?

LDAP group sync should refresh the authorized_projects of every user whose membership it removes or changes, so access is revoked at the same time as the membership.

