Update project_limit and can_create_groups for Enterprise Users on all SSO responses
Release notes
Problem to solve
We introduced the ability to set the project_limit and can_create_groups attributes on users created via SAML. This does not cover users created via SCIM or updates to these values if they are changed later in the IdP.
Proposal
We should allow updates to these values for all Enterprise users with the data received in the subsequent SAML response. With each SAML response, we should get the latest values from the IdP and update the user in GitLab. This ensures that the IdP is the source of truth for this information.
Refinement assessment
Changes will be isolated to https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/auth/group_saml/user.rb, probably in the `find_and_update!` method. The `#save` method passes the `gl_user` object to the `Users::UpdateService`, so we should update those attributes on `gl_user` before save.
NOTE: ONLY do this for users whose `provisioned_by_group_id` attribute is set and matches the group they're signing in to. We shouldn't update attributes if the user wasn't provisioned by the current group.
Note: We should verify that `find_and_update` is indeed called when a user is sent through the auth flow after the 1 day session expiry. I think they are. If not, it could cause the code location to change slightly, but still within this class probably.
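The gating and update logic described above, as an added example that is not GitLab's own code. It assumes a plain `User` struct instead of the ActiveRecord model, assumes the SAML attribute names `projects_limit` and `can_create_group` (the real names depend on the IdP mapping), and treats the group the user is signing in to as `group_id`. It only produces changes when `provisioned_by_group_id` is set and equals that group, and it discards malformed IdP values rather than writing them.

```ruby
# Added example, not GitLab code: computes the project_limit / can_create_groups
# updates to apply to gl_user before save on a group SAML response.

# Stand-in for the user model (assumption: the real one is ActiveRecord-backed).
User = Struct.new(:id, :username, :provisioned_by_group_id,
                  :project_limit, :can_create_groups, keyword_init: true)

# Assumed SAML attribute names; the actual mapping is set by the IdP config.
PROJECT_LIMIT_ATTR     = "projects_limit"
CAN_CREATE_GROUPS_ATTR = "can_create_group"

# Only users provisioned by the group they are signing in to may be updated.
def provisioned_by?(user, group_id)
  !user.provisioned_by_group_id.nil? && user.provisioned_by_group_id == group_id
end

# SAML attribute values usually arrive as single-element arrays; unwrap them.
def normalize(value)
  value.is_a?(Array) ? value.first : value
end

# Accepts true/false, "true"/"false", "1"/"0"; anything else yields nil (skip).
def parse_bool(value)
  case normalize(value)
  when true, "true", "1"   then true
  when false, "false", "0" then false
  end
end

# Accepts a non-negative integer (or its string form); anything else yields nil.
def parse_limit(value)
  v = normalize(value)
  limit = v.is_a?(Integer) ? v : Integer(v.to_s, exception: false)
  limit if limit && limit >= 0
end

# Returns the attribute changes to apply to gl_user before save.
# Empty hash when the user was not provisioned by group_id or when the IdP
# sent nothing usable, so nothing is written in those cases.
def enterprise_attribute_updates(user, group_id, saml_attrs)
  return {} unless provisioned_by?(user, group_id)

  updates = {}
  if saml_attrs.key?(PROJECT_LIMIT_ATTR)
    limit = parse_limit(saml_attrs[PROJECT_LIMIT_ATTR])
    updates[:project_limit] = limit unless limit.nil?
  end
  if saml_attrs.key?(CAN_CREATE_GROUPS_ATTR)
    flag = parse_bool(saml_attrs[CAN_CREATE_GROUPS_ATTR])
    updates[:can_create_groups] = flag unless flag.nil?
  end
  updates
end

# Applies the computed changes to the user object (the step before #save).
def apply_updates!(user, updates)
  updates.each { |attr, value| user[attr] = value }
  user
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: alice was provisioned by group 42, bob by group 7.
  alice = User.new(id: 1, username: "alice", provisioned_by_group_id: 42,
                   project_limit: 10, can_create_groups: true)
  bob   = User.new(id: 2, username: "bob", provisioned_by_group_id: 7,
                   project_limit: 10, can_create_groups: true)
  saml  = { "projects_limit" => ["5"], "can_create_group" => ["false"] }

  apply_updates!(alice, enterprise_attribute_updates(alice, 42, saml))
  apply_updates!(bob,   enterprise_attribute_updates(bob, 42, saml))
  puts "alice: limit=#{alice.project_limit} groups=#{alice.can_create_groups}"
  puts "bob:   limit=#{bob.project_limit} groups=#{bob.can_create_groups}"
end
```

Because the check is keyed on the user object that the SAML response resolved to, a response for one user never touches another user provisioned by the same group, which is the test case called out below.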
Availability & Testing
What risks does this change pose to our availability?
This is low risk to GitLab.com and self managed availability.
What additional test coverage or changes to tests will be needed?
- Ensure that only the user intended for the SSO response gets updated. Other users that were provisioned by the IdP don't get updated.
No end-to-end test update required.