
Add an API endpoint for Groups to get users related to the group

Drew Blessing requested to merge dblessing_group_saml_users_endpoint into master

What does this MR do and why?

Adds a new group user endpoint. This will allow us to query for both SAML users and service accounts together in a more targeted way rather than using the global /users endpoint.

More specifically, when SSO enforcement is enabled, the invite member modal will only allow adding users who have a SAML identity, or service accounts provisioned by the group. See the related issue for why this new endpoint is necessary.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/424505

Database

Union query: This query was already reviewed in !126059 (diffs). If this experiment is successful we will remove the other occurrence so no duplication will be present. See the related issue for why this new endpoint is necessary - the other MR essentially addressed a stopgap while we evaluated this new endpoint.

Explain: https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/23540/commands/75719

SELECT
    users.id,
    users.email,
    ...
    users.otp_secret_expires_at,
    users.onboarding_in_progress
FROM
    (
        (
            SELECT
                users.id,
                users.email,
                ...
                users.otp_secret_expires_at,
                users.onboarding_in_progress
            FROM
                users
                JOIN identities ON identities.user_id = users.id
            WHERE
                users.state NOT IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
                identities.saml_provider_id = 3
        )
        UNION
        (
            SELECT
                users.id,
                users.email,
                ...
                users.otp_secret_expires_at,
                users.onboarding_in_progress
            FROM
                users
                JOIN user_details AS user_detail ON user_detail.user_id = users.id
            WHERE
                users.state NOT IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
                users.user_type = 13 AND
                user_detail.provisioned_by_group_id = 10
        )
    ) AS users;
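The filter the query above applies is the access-control point of this MR: under SSO enforcement the invite modal may only offer users who hold a SAML identity for the group's provider, or service accounts provisioned by the group, and never users in a blocked, banned or ldap_blocked state. The following is an added example, not GitLab's code, that reproduces the shape of that union query in an in-memory SQLite database with constructed rows so the two branches and the state exclusion can be checked end to end. Table and column names come from the query on the page; the column lists elided with "..." are reduced to id and email, the literal saml_provider_id = 3 and provisioned_by_group_id = 10 become parameters, and the user_type value 13 is taken from the query as the service-account type. All users, emails and ids are hypothetical.

```python
import sqlite3

# Constructed sample schema: a subset of the users / identities / user_details
# columns that the MR's query references. Column lists elided ("...") on the
# page are reduced to id and email here.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT, state TEXT, user_type INTEGER);
CREATE TABLE identities (
    id INTEGER PRIMARY KEY, user_id INTEGER, saml_provider_id INTEGER);
CREATE TABLE user_details (
    user_id INTEGER PRIMARY KEY, provisioned_by_group_id INTEGER);
"""

# users.user_type value for service accounts, as used in the MR's query.
SERVICE_ACCOUNT_USER_TYPE = 13

# Same shape as the MR's union query. SQLite does not accept parenthesised
# SELECTs inside a compound query, so the parentheses are dropped; named
# parameters replace the literal saml_provider_id = 3 / group_id = 10.
GROUP_USERS_SQL = """
SELECT id, email FROM (
    SELECT users.id, users.email
    FROM users
    JOIN identities ON identities.user_id = users.id
    WHERE users.state NOT IN ('blocked', 'banned', 'ldap_blocked')
      AND identities.saml_provider_id = :saml_provider_id
    UNION
    SELECT users.id, users.email
    FROM users
    JOIN user_details AS user_detail ON user_detail.user_id = users.id
    WHERE users.state NOT IN ('blocked', 'banned', 'ldap_blocked')
      AND users.user_type = :service_account_type
      AND user_detail.provisioned_by_group_id = :group_id
) AS users
ORDER BY id
"""

# Constructed sample rows (hypothetical users, emails and ids).
USERS = [
    # id, email, state, user_type
    (1, "alice@example.com", "active", 0),       # human, SAML identity for provider 3
    (2, "bob@example.com", "blocked", 0),        # blocked, SAML identity for provider 3
    (3, "carol@example.com", "active", 0),       # human, SAML identity for provider 7
    (4, "svc-bot@example.com", "active", 13),    # service account provisioned by group 10
    (5, "other-bot@example.com", "active", 13),  # service account provisioned by group 11
    (6, "dave@example.com", "active", 0),        # human provisioned by group 10, no SAML identity
]
IDENTITIES = [
    # id, user_id, saml_provider_id
    (1, 1, 3),
    (2, 2, 3),
    (3, 3, 7),
]
USER_DETAILS = [
    # user_id, provisioned_by_group_id
    (4, 10),
    (5, 11),
    (6, 10),
]


def build_sample_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO identities VALUES (?, ?, ?)", IDENTITIES)
    conn.executemany("INSERT INTO user_details VALUES (?, ?)", USER_DETAILS)
    conn.commit()
    return conn


def group_member_candidates(conn, group_id, saml_provider_id):
    """Return (id, email) pairs for users the invite modal may offer under SSO
    enforcement: active users with a SAML identity for the group's provider,
    plus service accounts provisioned by the group. Blocked, banned and
    LDAP-blocked users are excluded from both branches of the union."""
    rows = conn.execute(
        GROUP_USERS_SQL,
        {
            "saml_provider_id": saml_provider_id,
            "service_account_type": SERVICE_ACCOUNT_USER_TYPE,
            "group_id": group_id,
        },
    ).fetchall()
    return [(row[0], row[1]) for row in rows]


if __name__ == "__main__":
    db = build_sample_db()
    for user_id, email in group_member_candidates(db, group_id=10, saml_provider_id=3):
        print(user_id, email)
```

Run stand-alone it lists alice (SAML identity for provider 3) and svc-bot (service account provisioned by group 10); bob drops out because of his blocked state, carol because her identity belongs to another provider, and dave because being provisioned by the group is not enough without the service-account user_type. The state check is deliberately repeated in both branches, as in the MR's query, so a blocked service account is filtered the same way as a blocked SAML user.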

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing
