SAML Group Sync Worker and Service
What does this MR do?
Adds a SAML Group Sync worker and service that add users to groups. The next MR will trigger this worker during Group SAML sign-in, when the SAML response contains a list of groups the user belongs to. If the group hierarchy contains any SamlGroupLinks that match the group names sent in the SAML response, those group links will be handed to this worker so the user is added to the associated groups at the correct level.
Changelog
There is no changelog since this feature is currently behind a feature flag. The next MR will hook this worker up to the Group SAML sign-in process and default-enable the feature flag. Then we will have documentation and a changelog entry.
Database
For scope `by_id_and_group_id`:
Query:

```sql
SELECT "saml_group_links".* FROM "saml_group_links" WHERE "saml_group_links"."id" IN (1,2,3,4,5) AND "saml_group_links"."group_id" = 123;
```

Plan: https://explain.depesz.com/s/S4Bq

Explain:

```
Bitmap Heap Scan on public.saml_group_links  (cost=4.22..5.74 rows=1 width=66) (actual time=0.059..0.060 rows=0 loops=1)
  Buffers: shared hit=4
  ->  BitmapAnd  (cost=4.22..4.22 rows=1 width=0) (actual time=0.057..0.058 rows=0 loops=1)
        Buffers: shared hit=4
        ->  Bitmap Index Scan using index_saml_group_links_on_group_id_and_saml_group_name  (cost=0.00..1.68 rows=4 width=0) (actual time=0.056..0.056 rows=0 loops=1)
              Index Cond: (saml_group_links.group_id = 123)
              Buffers: shared hit=4
        ->  Bitmap Index Scan using saml_group_links_pkey  (cost=0.00..2.29 rows=5 width=0) (actual time=0.000..0.000 rows=0 loops=0)
              Index Cond: (saml_group_links.id = ANY ('{1,2,3,4,5}'::bigint[]))
```

Note that the plan was captured against ids that matched no rows (the `group_id` index scan returned `rows=0`, so the primary-key scan was never executed, `loops=0`); the relevant part is the shape, a BitmapAnd over the `group_id` index and the primary key, so both conditions are index-backed.
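To make the flow concrete, here is an added in-memory Ruby sketch of the worker/service described under "What does this MR do?" together with the `by_id_and_group_id` scope above. It is example code written for this page, not the MR's implementation: `Group`, `SamlGroupLink`, `GroupRepo`, `SamlGroupSyncService`, the sample data, and the rule that the scope restricts links to the top-level group's own hierarchy (`self_and_descendants`) are all assumptions.

```ruby
# Added example (not the MR's code): an in-memory model of the SAML group
# sync flow. Group, SamlGroupLink, GroupRepo and SamlGroupSyncService are
# hypothetical stand-ins for the real ActiveRecord models.

Group = Struct.new(:id, :name, :parent_id, :members)
SamlGroupLink = Struct.new(:id, :group_id, :saml_group_name, :access_level)

DEVELOPER  = 30
MAINTAINER = 40

# Minimal stand-in for the groups table with a self_and_descendants lookup.
class GroupRepo
  def initialize(groups)
    @groups = groups.to_h { |g| [g.id, g] }
  end

  def find(id)
    @groups.fetch(id)
  end

  # Ids of the group itself plus every descendant group (breadth-first).
  def self_and_descendants(root_id)
    ids = [root_id]
    queue = [root_id]
    until queue.empty?
      parent = queue.shift
      @groups.each_value do |g|
        next unless g.parent_id == parent
        ids << g.id
        queue << g.id
      end
    end
    ids
  end
end

class SamlGroupSyncService
  def initialize(repo, links)
    @repo = repo
    @links = links
  end

  # Sign-in side (the follow-up MR): which links in this top-level group's
  # hierarchy match the group names asserted in the SAML response?
  def matching_link_ids(top_level_group_id, saml_group_names)
    scope(@links.map(&:id), top_level_group_id)
      .select { |l| saml_group_names.include?(l.saml_group_name) }
      .map(&:id)
  end

  # Worker side: add the user to the group behind each link, at the link's
  # access level. The ids are re-filtered through the scope, so a link id
  # belonging to another top-level group is dropped even if it is passed in.
  def sync(user, top_level_group_id, link_ids)
    scope(link_ids, top_level_group_id).map do |link|
      group = @repo.find(link.group_id)
      group.members[user] = link.access_level
      [group.id, link.access_level]
    end
  end

  private

  # In-memory equivalent of the assumed `by_id_and_group_id(ids, group_ids)`
  # scope: id must be in the list AND group_id must lie within the hierarchy.
  def scope(link_ids, top_level_group_id)
    allowed = @repo.self_and_descendants(top_level_group_id)
    @links.select { |l| link_ids.include?(l.id) && allowed.include?(l.group_id) }
  end
end

# Constructed fixture: one organisation ("acme") with two subgroups, plus an
# unrelated top-level group ("other") whose link reuses the same SAML group name.
def build_fixture
  groups = [
    Group.new(1, 'acme',     nil, {}),
    Group.new(2, 'acme/dev', 1,   {}),
    Group.new(3, 'acme/ops', 1,   {}),
    Group.new(9, 'other',    nil, {})
  ]
  links = [
    SamlGroupLink.new(1, 2, 'Engineers', DEVELOPER),
    SamlGroupLink.new(2, 3, 'Ops',       MAINTAINER),
    SamlGroupLink.new(3, 9, 'Engineers', MAINTAINER)
  ]
  [GroupRepo.new(groups), links]
end

if __FILE__ == $PROGRAM_NAME
  repo, links = build_fixture
  service = SamlGroupSyncService.new(repo, links)
  ids = service.matching_link_ids(1, %w[Engineers Ops])
  p service.sync('alice', 1, ids + [3]) # link 3 is outside acme and is ignored
end
```

The security-relevant point is the second condition in `scope`: because the worker re-applies it to whatever ids it is handed, a link that belongs to a different top-level group (link 3 in the fixture, which reuses the SAML group name "Engineers") can never grant membership in that group, even if its id ends up in the queued job by mistake.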
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry
- [-] Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team