Email inherited project and group members for access token expiry

Andrew Evansrequested to merge
463016-atevans-prat-expiry-inherited-notifications into master

What does this MR do and why?

Email inherited project and group members for access token expiry

Incorporates the new instance and group settings, as well as a feature flag, to expand notifications about expiring resource access tokens for groups and projects. Inherited project owners and maintainers, and inherited group owners, will be included by default in the list of recipients for the notification emails.

Part 3 of 3 MRs for this feature

  1. Instance-wide setting
  2. Group setting
  3. Implementation using settings and feature flags: this MR

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

  1. Enable the feature flag for the group or instance-wide: Feature.enable(:pat_expiry_inherited_members_notification, :instance)
  2. Instance and group settings default to true ; if you disabled them while reviewing a previous MR, please re-enable them.
  3. Create or visit a group with an Ultimate license
  4. Create a sub-group: test-subgroup
  5. Create a project in the sub-group: test-project
  6. Add another member to the top-level group: alice
  7. Create a project access token on test-project expiring in 5 days
  8. Create a group access token on test-group expiring in 5 days
  9. Run the PersonalAccessTokens::ExpiringWorker either via the Rails console ( PersonalAccessTokens::ExpiringWorker.new.perform ) or via selecting Enqueue now in the Sidekiq page: https://gdk.test:3443/admin/sidekiq/cron/personal_access_tokens_expiring_worker
  10. Check letter-opener to ensure the emails are sent to user alice , who is not a direct member of test-subgroup or test-project

Validate settings:

Group setting:

  1. After creating the group hierarchy above, go to settings for test-subgroup : https://gdk.test:3443/groups/test-group/test-subgroup/-/edit
  2. Under Expiry notification emails about group and project access tokens within this group should be sent to: , select Only direct members of the group or project
  3. Hit "Save changes"
  4. Create a new group access token expiring in 7 days or less
  5. Enqueue the cron job
  6. Check letter-opener to see that alice did not receive an email

Parent group setting:

  1. Change the setting back to All direct and inherited members of the group or project for test-subgroup
  2. Change the setting to Only direct members of the group or project for the parent group, test-group
  3. Create a new group access token expiring in 7 days or less
  4. Enqueue the cron job
  5. Check letter-opener to see that alice did not receive an email about the new token

Instance setting:

  1. Change the setting back to All direct and inherited members of the group or project for test-group
  2. Go to Admin Settings Preferences
  3. Expand the Email section
  4. Under Expiry notification emails about group and project access tokens should be sent to: , select Only direct members of the group or project
  5. Hit "Save changes"
  6. Create a new group access token on group test-subgroup
  7. Enqueue the cron job
  8. Check letter-opener to see that alice did not receive an email about the new token

Related to #463016 (closed)

Edited by Andrew Evans

Merge request reports