Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: delete users from specific identity provider #3398

Merged
merged 5 commits into from
Oct 11, 2022
Merged

fix: delete users from specific identity provider #3398

merged 5 commits into from
Oct 11, 2022

Conversation

BruceMacD
Copy link
Collaborator

@BruceMacD BruceMacD commented Oct 5, 2022
edited

  • infra users command adds/removes from the infra identity provider specifically
  • consolidate identity deletion logic
  • delete identity when it no longer exists in any identity provider

Summary

When a user is deleted using infra users add or infra users rm only delete the resources associated with the identity through the Infra provider. Users from other identity providers can be removed by removing the associated provider, or through SCIM (soon).

Checklist

  • Wrote appropriate unit tests
  • Considered security implications of the change
  • Updated associated configuration where necessary
  • Change is backwards compatible if it needs to be (user can upgrade without manual steps?)
  • Nothing sensitive logged
  • Considered data migrations for smooth upgrades

Related Issues

Resolves #3397
Resolves #2838

@BruceMacD
fix: delete users from specific identity provider
31697f5 
- infra users command adds/removes from the infra identity provider specifically
- consolidate identity deletion logic
- delete identity when it no longer exists in any identity provider
@BruceMacD BruceMacD mentioned this pull request Oct 5, 2022
Merged
5 tasks
dnephin
dnephin reviewed Oct 6, 2022
View reviewed changes
Copy link
Contributor

@dnephin dnephin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great! I think this will resolves a couple problems.

There are a lot of calls to DeleteIdentity so I think I'll need another pass to think through all those scenarios and see how it matches up to our test coverage. Left a few questions from my first pass.

internal/access/identity_test.go Show resolved Hide resolved
internal/access/identity.go Show resolved Hide resolved
internal/server/config.go
@@ -902,6 +902,12 @@ func (s Server) loadUser(db data.GormTxn, input User) (*models.Identity, error)
if err := data.CreateIdentity(db, identity); err != nil {
return nil, err
}

_, err = data.CreateProviderUser(db, data.InfraProvider(db), identity)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at where we call CreateProviderUser, it seems like the majority of the time it's either accompanied by CreateCredential, or by CreateIdentity.

I wonder if we should have CreateCredential call this automatically for us (since a credential doesn't work without this record, and the call is idempontent), and add a CreateInfraUser that creates both the identity and provider_user.

Probably not for this PR, but it's something I've been wondering for a bit now. Maybe that'll make it easier to ensure that tests correctly reflect production without having to remember to call both.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CreateCredential creating the provider user would make a lot of sense, but the limitation there at the moment is that user can be declared in grants without having a credential linked to them.

Ex:

infra grants add dne@example.com infra --role admin --force
Created user "dne@example.com"
Created grant to "infra" for "dne@example.com"

internal/server/data/identity.go Outdated Show resolved Hide resolved
@BruceMacD
fix: delete users from specific identity provider
6b1f50b 
- do not delete credential when identity is not deleted from infra provider
- test credential not deleted in infra provider
- assert provider user is deleted in test
@BruceMacD
fix: delete users from specific identity provider
3b511df 
- update UI
dnephin
dnephin approved these changes Oct 7, 2022
View reviewed changes
Copy link
Contributor

@dnephin dnephin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

DeleteIdentities does a lot of things, and I think we might be missing assertions for the conditional removal of grants and groups. With that test coverage I think this looks great!

Should access.UpdateIdentityInfoFromProvider be calling data.DeleteIdentities now to clean up? It's currently only deleting the access key and provider_user, but I would expect it to need to do more if that was the last provider.

internal/server/data/identity_test.go Show resolved Hide resolved
internal/server/data/identity.go Outdated Show resolved Hide resolved
@BruceMacD BruceMacD enabled auto-merge (squash) October 11, 2022 15:05
@BruceMacD BruceMacD merged commit 234de56 into main Oct 11, 2022
@BruceMacD BruceMacD deleted the brucemacd/delete_identity_tracking branch October 11, 2022 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dnephin dnephin dnephin approved these changes

@jmorganca jmorganca Awaiting requested review from jmorganca

@pdevine pdevine Awaiting requested review from pdevine

@hoyyeva hoyyeva Awaiting requested review from hoyyeva

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@BruceMacD @dnephin