Pass organization_id when creating OAuth Applications

What does this MR do?

Adds a DEFAULT_ORGANIZATION_ID constant (set to 1) to AuthorizeHelper and updates create_or_find_authorization to:

  1. New apps — pass organization_id: DEFAULT_ORGANIZATION_ID in the create! call so newly created OAuth applications always have an organization_id.
  2. Existing apps with NULL organization_id — when an existing app is found via by_uid_and_secret, immediately backfill its organization_id via update_column if it is nil.

This fixes a PG::CheckViolation on the check_77eda6baaa constraint of the oauth_applications table, enforced by the post-deploy migration add_not_null_constraint_to_oauth_applications_organization_id. During a 19.0 upgrade, gitlab-ctl reconfigure runs and calls create_or_find_authorization before post_deploy_db_migrations validates the constraint. The inline backfill ensures all rows managed by reconfigure are fixed in time.

How to verify

The fix must be verified via a real upgrade from 18.11 → 19.0 with Pages enabled, since that is the exact path that produces NULL organization_id rows and then runs the failing post-deploy migration.

Prerequisites:

  • A GitLab instance running 18.11.x with GitLab Pages enabled and access_control turned on (so the Pages OAuth app exists in oauth_applications)

Steps:

  1. On the 18.11 instance, confirm the Pages OAuth app has NULL organization_id:

    sudo gitlab-rails runner "puts Authn::OauthApplication.find_by(name: 'GitLab Pages').organization_id.inspect"
    # Expected: nil
  2. Install the 19.0.x omnibus package built from this branch (or the backport to 19-0-stable):

    # e.g. on Ubuntu
    sudo apt-get install gitlab-ee=19.0.x-ee.0
  3. Run gitlab-ctl reconfigure — this triggers create_or_find_authorization which will find the existing Pages app and backfill organization_id:

    sudo gitlab-ctl reconfigure
  4. Confirm organization_id has been backfilled before post-deploy migrations run:

    sudo gitlab-rails runner "puts Authn::OauthApplication.find_by(name: 'GitLab Pages').organization_id"
    # Expected: 1
  5. Run post-deploy migrations and confirm no PG::CheckViolation:

    sudo gitlab-rake db:migrate:up VERSION=20260417155126
    # Expected: completes without error

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled workflowready for review per the Distribution MR workflow.
  • The UBT version and corresponding checksum hash have been updated and referenced in the merge request if applicable.
    • UBT EE pipeline (Trigger:ee-package-ubt) is green

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated.
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.
Edited by João Alexandre Cunha

Merge request reports

Loading