Add SyncScimGroupMembersWorker for SCIM group membership
Part of #509428 (closed).
What does this MR do?
This MR adds a new background worker `Authn::SyncScimGroupMembersWorker` that processes SCIM group membership operations asynchronously. The worker supports both adding and removing users from groups associated with SCIM IDs.
The motivation for doing this came from this comment.
Why is it needed?
Some of the SCIM group synchronization endpoints (i.e. `PATCH /Groups/:id` and `PUT /Groups/:id`) need to process membership changes that could potentially include many users and groups. Processing these operations synchronously could lead to timeouts, especially with large groups. This worker handles that by providing a consistent implementation that can be used by both PATCH and PUT endpoints. Additionally, it also ensures proper handling of access levels when multiple SAML group links exist, which was a concern raised here.
A note for reviewers
In order to make the reviews easier, this MR only covers the introduction of the worker, which will be unused until Implement `PUT /Groups/:id` SCIM endpoint for s... (!186309 - merged) and Update `PATCH /Groups/:id` SCIM endpoint to use... (!187056 - merged) are updated to include it.
How to verify
You can test this locally by:
- Creating SAML group links with SCIM IDs
- Creating SCIM user identities
- Manually triggering the worker from the Rails console:
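```ruby
# SAML group links that carry the SCIM group ID under test
group_links = SamlGroupLink.where(scim_group_uid: 'your-scim-id')
# IDs of the users whose membership should change
user_ids = User.where(username: ['user1', 'user2']).pluck(:id)
# Run the worker inline with the 'add' operation
Authn::SyncScimGroupMembersWorker.new.perform(group_links.pluck(:id), user_ids, 'add')
```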
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
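The access-level concern with multiple SAML group links can be modelled in plain Ruby. This is an added example, not code from this MR: `GroupLink`, `LINKS`, `plan_membership_changes` and the sample data are hypothetical, and it assumes the highest access level among a user's remaining links to a group wins.

```ruby
# Added illustration, plain Ruby (no Rails). All names here are hypothetical.
GroupLink = Struct.new(:id, :group_id, :scim_group_uid, :access_level)

# Constructed sample data: two SCIM groups linked to the same group (10)
# at different access levels, plus a link to a second group (20).
LINKS = [
  GroupLink.new(1, 10, 'scim-dev', 30),
  GroupLink.new(2, 10, 'scim-admins', 40),
  GroupLink.new(3, 20, 'scim-dev', 20)
].freeze

OPERATIONS = %w[add remove].freeze

# scim_memberships: { user_id => [scim_group_uid, ...] } before the change.
# Returns one entry per (user, affected group); access_level nil means the
# user has no remaining link to that group and the membership should go.
def plan_membership_changes(link_ids, user_ids, operation, scim_memberships, links: LINKS)
  # Fail closed on anything other than the two supported operations.
  raise ArgumentError, "unknown operation: #{operation}" unless OPERATIONS.include?(operation)

  touched = links.select { |l| link_ids.include?(l.id) }
  touched_uids = touched.map(&:scim_group_uid).uniq
  group_ids = touched.map(&:group_id).uniq

  user_ids.flat_map do |user_id|
    current = scim_memberships.fetch(user_id, [])
    uids = operation == 'add' ? current | touched_uids : current - touched_uids

    group_ids.map do |group_id|
      # Recompute from every link to this group, not only the touched ones,
      # so a removal neither strips access another link still grants nor
      # leaves a level that no remaining link justifies.
      level = links.select { |l| l.group_id == group_id && uids.include?(l.scim_group_uid) }
                   .map(&:access_level).max
      { user_id: user_id, group_id: group_id, access_level: level }
    end
  end
end
```

Removing a user from `scim-admins` while they remain in `scim-dev` yields a downgrade to 30 on group 10 rather than a removal.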