Allow SCIM deprovisioning for minimal access users
What does this MR do?
After configuring SCIM with GitLab, some customers are reporting that deprovisioning users in their IdP does not remove that user from their GitLab group. Through some investigation and discussion in the issue, it was determined that the users that failed to deprovision were minimal access users.
Minimal access users are excluded from `group.members`: #325729 (comment 538201926). Because we were determining group membership with `group.group_member(user)`, minimal access users were considered to not have group membership, and thus were not deprovisioned. Additionally, due to some Rails weirdness, the deprovision transaction did not roll back, and the user's SCIM identity was set to false. We were also not returning specific error messages when deprovisioning failed.
This MR:
- Determines group membership with `::GroupMember.find_by(source_id: group.id, user_id: user.id)`, so that minimal access users are considered to have group membership. Note: the fact that `group.group_member(minimal_access_user)` is `nil` is possibly a bug: #325729 (comment 538283206)
- Does not update the SCIM identity if deprovisioning preconditions fail, and returns specific error messages
- Fixes some specs that were passing when they shouldn't have been
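The two changes above, modelled in plain Ruby as an added illustration (not GitLab's code): a membership lookup that skips minimal access rows beside one that does not, and a deprovision flow that checks every precondition before it touches the SCIM identity. Access levels, `Member`, `ScimIdentity`, `deprovision` and the last-owner precondition are assumptions for the example.

```ruby
# Added illustration (not GitLab's code): a plain-Ruby model of the lookup
# bug and the "check preconditions before touching the SCIM identity" fix.
# Access levels, Member, ScimIdentity and deprovision are assumed names.
MINIMAL_ACCESS = 5   # constructed: minimal access sits below Guest
OWNER = 50

Member = Struct.new(:source_id, :user_id, :access_level)
ScimIdentity = Struct.new(:user_id, :active)

class Group
  attr_reader :id, :rows

  def initialize(id)
    @id = id
    @rows = []
  end

  def add(user_id, level)
    rows << Member.new(id, user_id, level)
  end

  # Old lookup, like group.group_member(user): minimal access rows are excluded,
  # so it returns nil for a minimal access user even though a row exists.
  def group_member(user_id)
    rows.find { |m| m.user_id == user_id && m.access_level > MINIMAL_ACCESS }
  end

  # New lookup, like ::GroupMember.find_by(source_id:, user_id:): no level filter.
  def find_by(user_id)
    rows.find { |m| m.source_id == id && m.user_id == user_id }
  end
end

# Returns [success, message]. The identity is only deactivated after every
# precondition passes, so a failed precondition leaves it untouched.
def deprovision(group, identity, use_new_lookup: true)
  uid = identity.user_id
  member = use_new_lookup ? group.find_by(uid) : group.group_member(uid)
  return [false, "User #{uid} is not a member of group #{group.id}"] unless member

  # Assumed example precondition: never remove the group's last owner.
  if member.access_level == OWNER && group.rows.count { |m| m.access_level == OWNER } == 1
    return [false, "User #{uid} is the last owner of group #{group.id}"]
  end

  group.rows.delete(member)
  identity.active = false
  [true, "Deprovisioned user #{uid} from group #{group.id}"]
end
```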
Does this MR meet the acceptance criteria?
Conformity
- 📋 Does this MR need a changelog?
  - I have included a changelog entry.
  - I have not included a changelog entry because _____.
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Database guides
- Separation of EE specific content

Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team