Implement group secret rotation model

What does this MR do and why?

Adds the GroupSecretRotationInfo model and database migration to support rotation reminder intervals for group-level secrets, as part of #577344 (closed).

To avoid duplicating logic between SecretRotationInfo (project-scoped) and the new GroupSecretRotationInfo (group-scoped), this MR introduces a BaseSecretRotationInfo abstract base class following the existing BaseSecretsManager pattern. All shared behavior is lifted into the base class, and each subclass defines only the parent-specific template methods.

Implementation details

Database migration:

  • Creates group_secret_rotation_infos table mirroring secret_rotation_infos, using group_id instead of project_id
  • Adds a unique index on [group_id, secret_name, secret_metadata_version] and an index on next_reminder_at

Model refactoring:

  • Introduces BaseSecretRotationInfo abstract base class containing all shared logic: validations, #upsert, #notification_sent!, #status, #needs_attention?, scope :pending_reminders, and .for_secret
  • Refactors SecretRotationInfo to inherit from BaseSecretRotationInfo — now a thin subclass with only project-specific template methods
  • Adds GroupSecretRotationInfo inheriting from BaseSecretRotationInfo with group-specific template methods
  • Renames .for_project_secret to .for_secret since the class name already provides the scope

Template method pattern — each subclass defines 3 one-liner methods delegated to by the base class:

  • self.parent_id_column: :project_id or :group_id
  • self.pending_reminders_includes: { project: :secrets_manager } or { group: :secrets_manager }
  • #parent_id: project_id or group_id

Specs:

  • Adds shared examples ('a secret rotation info') covering all shared behavior: validations, scopes, upsert, notification, and status
  • Both model specs are now thin: setup lets + it_behaves_like + association test

Series overview

Part of a series for #577344 (closed):

# | MR | Description
1 | 👉 You are here | DB migration + GroupSecretRotationInfo model + BaseSecretRotationInfo base class
2 | !225338 (merged) | Rename SecretRotationInfo to ProjectSecretRotationInfo for naming consistency
3 | !225562 (merged) | CreateService + UpdateService + GraphQL mutations (add rotation_interval_days param)
4 | !225935 (merged) | List/Read services + GroupSecretType GraphQL type (add rotation info loading/field)
5 | !226133 (merged) | Background jobs for group and project secret rotation reminders

References

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Erick Bajao
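
The template-method layout described in the MR, as an added plain-Ruby sketch that is not the MR's code: a Hash per class stands in for each table and is keyed like the unique index. The `rows` helper, the `for_secret` argument order and the pending-reminder comparison are assumptions made for illustration.

```ruby
# Added sketch (not GitLab code): a Hash per class stands in for each table.
class BaseSecretRotationInfo
  attr_reader :attrs

  # Template method: subclasses name the column that holds the parent id.
  def self.parent_id_column
    raise NotImplementedError, "#{name} must define parent_id_column"
  end

  # Hypothetical helper: class-level ivar, so each subclass has its own "table".
  def self.rows
    @rows ||= {}
  end

  # Shared lookup; the scope comes from the subclass's parent_id_column.
  def self.for_secret(parent_id, secret_name, version)
    rows.values.find do |info|
      info.attrs[parent_id_column] == parent_id &&
        info.attrs[:secret_name] == secret_name &&
        info.attrs[:secret_metadata_version] == version
    end
  end

  # Assumed semantics: pending once next_reminder_at is at or before now.
  def self.pending_reminders(now = Time.now)
    rows.values.select { |info| info.attrs[:next_reminder_at] <= now }
  end

  def initialize(attrs)
    @attrs = attrs
  end

  # Template method: subclasses return project_id or group_id.
  def parent_id
    raise NotImplementedError, "#{self.class} must define parent_id"
  end

  # Keyed like the unique index, so a repeat write replaces the row.
  def upsert
    key = [parent_id, attrs[:secret_name], attrs[:secret_metadata_version]]
    self.class.rows[key] = self
  end
end

class SecretRotationInfo < BaseSecretRotationInfo
  def self.parent_id_column; :project_id; end
  def parent_id; attrs[:project_id]; end
end

class GroupSecretRotationInfo < BaseSecretRotationInfo
  def self.parent_id_column; :group_id; end
  def parent_id; attrs[:group_id]; end
end
```

Because the rows are kept per class, a project secret and a group secret with the same numeric parent id and name never overwrite each other, which is the separation the two tables provide.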
