Fix user ingestion for GitlabOrgDiscoveryEntityProvider for GitLab.com

[sbarrypoppulo]

Hey, I just made a Pull Request!

Fixes an issue with user ingestion for GitLab.com by making the entity provider aware of the group config parameter and scoping the provider to this group. Previously, the Gitlab Org data entity provider attempted to fetch all users from Gitlab.com via the /users REST endpoint, which was undesirable.

Switched the user fetching for Gitlab.com to GraphQL API, scoped to the root Gitlab group for the Org, or via existing /users REST API for Gitlab Self-Managed.

Groups are fetched via GraphQL API for Gitlab.com and via existing /groups REST API for Gitlab Self-Managed.

Group members are fetched via existing GraphQL API for both instance types

Example provider configuration used to test with:

catalog:
  providers:
    gitlab:
      gitlabSaasOrgData:
        host: gitlab.com
        orgEnabled: true
        group: org/teams
        rules:
          - allow: [Group, User]

Relates to:

• 🚀 Feature: scope Gitlab Org Data integration to a single group #16025

✔️ Checklist

• A changeset describing the change and affected packages. (more info)
• Added or updated documentation
• Tests for new functionality and regression tests for bug fixes
• Screenshots attached (for UI changes)
• All your commits have a Signed-off-by line in the message. (more info)

[backstage-goalie]

Changed Packages

Package Name	Package Path	Changeset Bump	Current Version
@backstage/plugin-catalog-backend-module-gitlab	plugins/catalog-backend-module-gitlab	minor	v0.2.7-next.2

[github-actions]

Uffizzi Preview deployment-33585 was deleted.

[sbarrypoppulo]

Tested on GitLab Self-Managed (16.1.1) without group parameter:

• All User entities ingested from GitLab instance (all users have email on profile)
• All Group entities ingested from GitLab instance

Tested on GitLab.com w/ group parameter configured

• User entities ingested for users who are direct members of descendant GitLab groups of the configured group
• Group entities ingested for descendant GitLab groups of the configured group

[github-actions]

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

[sbarrypoppulo]

@freben @alde Would appreciate some reviews here, and if you can remove the stale label 🙏

I'm not 100% sure on the changeset version for this change. My gut feeling is minor, but will await your feedback. Thanks!

[sbarrypoppulo]

Thanks once again for the review @jamieklassen and the very helpful suggesstions 💪

I think we're very close here now, if you can take another look and hopefully over to @alde / @freben

We're hoping we can get this in for 1.18 release, as it's preventing us from enabling sign-in resolvers for user identity, which is blocking various options and plugins on out adoption journey 🤞

[jamieklassen]

awesome

[cthtrifork]

Very nice work! Also hoping for a 1.18.x release!

[mickfeech]

Great work! Anxiously waiting for the merge to use it!

[sbarrypoppulo]

@freben Any chance of a review here? Seems a few folks are awaiting this fix 😄

[freben]

Was this a conscious choice or "for technical reasons"? Seems like an unnecessary limitation.

[sbarrypoppulo]

As for the level within the hierarchy, it made sense that if you configure a group path, then the only groups ingested would be at that group level, or lower. Rather than in the other direction, higher up the hierarchy. Regarding ingestion of only groups with members, this was my understanding of how this always worked, but let me double check on that assumption.

[freben]

Suggested change

	entities will only be ingested for the configured group, or it's descendant groups,
	entities will only be ingested for the configured group, or its descendant groups,

[freben]

I want to call out the deletion of this one. I vaguely remember it being added for very good reason - it could be the case that the user was null sometimes in the response, for some corner cases. You may want to retain that check, right

[sbarrypoppulo]

Let me take another look here. This rings a bell, think I brought up this issue in #17735 and it slipped my mind

[angom1]

Hi @freben, would adding this check here work ?739b927

[freben]

Almost. I think it needs to be group?.id and user.user?.id or so to not throw an error

[freben]

Should we hold off waiting for the publicEmail question, or is this ready to go from your POV?

[sbarrypoppulo]

Should we hold off waiting for the publicEmail question, or is this ready to go from your POV?

We've switched to commitEmail it's is similarly not guaranteed to be populated or returned from the GraphQL API, but seems like a more sane default attribute in hindsight

Further details in the comment here - #18889 (comment)

[freben]

See above about group?.id and user.user?.id - besides that I think we are ready to 🚢

[github-actions]

Thank you for contributing to Backstage! The changes in this pull request will be part of the 1.18.0 release, scheduled for Tue, 19 Sep 2023.

[matteosilv]

Greate work guys!!!