Merge branch 'dblessing-remove-scim-identities-feature-flag' into 'master'

Remove `scim_identities` feature flag

See merge request gitlab-org/gitlab!43458

ee/app/finders/scim_finder.rb

@@ -21,22 +21,12 @@ class ScimFinder
 
   private
 
-  def scim_identities_enabled?
-    strong_memoize(:scim_identities_enabled) do
-      ::EE::Gitlab::Scim::Feature.scim_identities_enabled?(group)
-    end
-  end
-
   def null_identity
-    return ScimIdentity.none if scim_identities_enabled?
-
-    Identity.none
+    ScimIdentity.none
   end
 
   def all_identities
-    return group.scim_identities if scim_identities_enabled?
-
-    saml_provider.identities
+    group.scim_identities
   end
 
   def unfiltered?(params)
@@ -63,9 +53,7 @@ class ScimFinder
   end
 
   def by_extern_uid(extern_uid)
-    return group.scim_identities.with_extern_uid(extern_uid) if scim_identities_enabled?
-
-    Identity.where_group_saml_uid(saml_provider, extern_uid)
+    group.scim_identities.with_extern_uid(extern_uid)
   end
 
   def eq_filter_on_username?(parser)
@@ -79,9 +67,7 @@ class ScimFinder
       user ||= User.find_by_any_email(username) || User.find_by_username(email_local_part(username))
     end
 
-    return group.scim_identities.for_user(user) if scim_identities_enabled?
-
-    saml_provider.identities.for_user(user)
+    group.scim_identities.for_user(user)
   end
 
   def email?(email)

ee/config/feature_flags/development/scim_identities.yml

----
-name: scim_identities
-introduced_by_url: 
-rollout_issue_url: 
-group: 
-type: development
-default_enabled: true

ee/lib/api/scim.rb

@@ -97,23 +97,12 @@ module API
 
         def find_user_identity(group, extern_uid)
           return unless group.saml_provider
-          return group.scim_identities.with_extern_uid(extern_uid).first if scim_identities_enabled?
 
-          GroupSamlIdentityFinder.find_by_group_and_uid(group: group, uid: extern_uid)
-        end
-
-        def scim_identities_enabled?
-          strong_memoize(:scim_identities_enabled) do
-            ::EE::Gitlab::Scim::Feature.scim_identities_enabled?(@group)
-          end
+          group.scim_identities.with_extern_uid(extern_uid).first
         end
 
         def deprovision(identity)
-          if scim_identities_enabled?
           ::EE::Gitlab::Scim::DeprovisionService.new(identity).execute
-          else
-            GroupSaml::Identity::DestroyService.new(identity).execute(transactional: true)
-          end
 
           true
         rescue => e

ee/lib/ee/gitlab/scim/feature.rb

-# frozen_string_literal: true
-
-module EE
-  module Gitlab
-    module Scim
-      class Feature
-        def self.scim_identities_enabled?(group)
-          ::Feature.enabled?(:scim_identities, group, default_enabled: true)
-        end
-      end
-    end
-  end
-end

ee/lib/ee/gitlab/scim/provisioning_service.rb

@@ -50,24 +50,8 @@ module EE
           error_response(objects: [user, identity, member])
         end
 
-        def scim_identities_enabled?
-          strong_memoize(:scim_identities_enabled) do
-            ::EE::Gitlab::Scim::Feature.scim_identities_enabled?(@group)
-          end
-        end
-
-        def identity_provider
-          strong_memoize(:identity_provider) do
-            next ::Users::BuildService::GROUP_SCIM_PROVIDER if scim_identities_enabled?
-
-            ::Users::BuildService::GROUP_SAML_PROVIDER
-          end
-        end
-
         def identity
           strong_memoize(:identity) do
-            next saml_identity unless scim_identities_enabled?
-
             identity = @group.scim_identities.with_extern_uid(@parsed_hash[:extern_uid]).first
             next identity if identity
 
@@ -75,14 +59,8 @@ module EE
           end
         end
 
-        def saml_identity
-          ::Identity.with_extern_uid(identity_provider, @parsed_hash[:extern_uid]).first
-        end
-
         def user
           strong_memoize(:user) do
-            next build_user unless scim_identities_enabled?
-
             user = ::User.find_by_any_email(@parsed_hash[:email])
             next user if user
 
@@ -127,7 +105,7 @@ module EE
             hash[:skip_confirmation] = SKIP_EMAIL_CONFIRMATION
             hash[:saml_provider_id] = @group.saml_provider.id
             hash[:group_id] = @group.id
-            hash[:provider] = identity_provider
+            hash[:provider] = ::Users::BuildService::GROUP_SCIM_PROVIDER
             hash[:username] = valid_username
             hash[:password] = hash[:password_confirmation] = random_password
             hash[:password_automatically_set] = PASSWORD_AUTOMATICALLY_SET
@@ -161,7 +139,7 @@ module EE
         end
 
         def create_identity_only?
-          scim_identities_enabled? && existing_user? && existing_member?(user)
+          existing_user? && existing_member?(user)
         end
 
         def existing_identity_and_member?

ee/spec/finders/scim_finder_spec.rb

@@ -10,15 +10,7 @@ RSpec.describe ScimFinder do
 
   describe '#search' do
     context 'without a SAML provider' do
-      it 'returns an empty identity relation when scim_identities is disabled' do
-        stub_feature_flags(scim_identities: false)
-
-        expect(finder.search(unused_params)).to eq Identity.none
-      end
-
-      it 'returns an empty scim identity relation when scim_identities is enabled' do
-        stub_feature_flags(scim_identities: true)
-
+      it 'returns an empty scim identity relation' do
         expect(finder.search(unused_params)).to eq ScimIdentity.none
       end
     end
@@ -28,15 +20,7 @@ RSpec.describe ScimFinder do
         create(:saml_provider, group: group, enabled: false)
       end
 
-      it 'returns an empty identity relation when scim_identities is disabled' do
-        stub_feature_flags(scim_identities: false)
-
-        expect(finder.search(unused_params)).to eq Identity.none
-      end
-
-      it 'returns an empty scim identity relation when scim_identities is enabled' do
-        stub_feature_flags(scim_identities: true)
-
+      it 'returns an empty scim identity relation' do
         expect(finder.search(unused_params)).to eq ScimIdentity.none
       end
     end
@@ -45,7 +29,9 @@ RSpec.describe ScimFinder do
       let_it_be(:saml_provider) { create(:saml_provider, group: group) }
 
       context 'with an eq filter' do
-        shared_examples 'valid lookups' do
+        let_it_be(:user) { create(:user, username: 'foo', email: 'bar@example.com') }
+        let_it_be(:id) { create(:scim_identity, group: group, user: user) }
+
         it 'allows identity lookup by id/externalId' do
           expect(finder.search(filter: "id eq #{id.extern_uid}")).to be_a ActiveRecord::Relation
           expect(finder.search(filter: "id eq #{id.extern_uid}").first).to eq id
@@ -76,36 +62,8 @@ RSpec.describe ScimFinder do
         end
       end
 
-        context 'when scim_identities is disabled' do
-          before do
-            stub_feature_flags(scim_identities: false)
-          end
-          let_it_be(:id) { create(:group_saml_identity, saml_provider: saml_provider) }
-
-          it_behaves_like 'valid lookups'
-        end
-
-        context 'when scim_identities is enabled' do
-          before do
-            stub_feature_flags(scim_identities: true)
-          end
-          let_it_be(:user) { create(:user, username: 'foo', email: 'bar@example.com') }
-          let_it_be(:id) { create(:scim_identity, group: group, user: user) }
-
-          it_behaves_like 'valid lookups'
-        end
-      end
-
       context 'with no filter' do
-        it 'returns all related identities when scim_identities is disabled' do
-          stub_feature_flags(scim_identities: false)
-          create_list(:group_saml_identity, 2, saml_provider: saml_provider)
-
-          expect(finder.search({}).count).to eq 2
-        end
-
-        it 'returns all related identities when scim_identities is enabled' do
-          stub_feature_flags(scim_identities: true)
+        it 'returns all related scim_identities' do
           create_list(:scim_identity, 4, group: group)
 
           expect(finder.search({}).count).to eq 4

ee/spec/lib/ee/gitlab/scim/provisioning_service_spec.rb

@@ -27,7 +27,22 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
       end
     end
 
-    shared_examples 'scim provisioning' do
+    shared_examples 'existing user' do
+      it 'does not create a new user' do
+        expect { service.execute }.not_to change { User.count }
+      end
+
+      it_behaves_like 'success response'
+
+      it 'creates the SCIM identity' do
+        expect { service.execute }.to change { ScimIdentity.count }.by(1)
+      end
+
+      it 'does not create the SAML identity' do
+        expect { service.execute }.not_to change { Identity.count }
+      end
+    end
+
     context 'valid params' do
       let_it_be(:service_params) do
         {
@@ -107,69 +122,6 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
         expect(service.execute.message).to eq("Missing params: [:username]")
       end
     end
-    end
-
-    shared_examples 'existing user when scim identities are enabled' do
-      it 'does not create a new user' do
-        expect { service.execute }.not_to change { User.count }
-      end
-
-      it_behaves_like 'success response'
-
-      it 'creates the SCIM identity' do
-        expect { service.execute }.to change { ScimIdentity.count }.by(1)
-      end
-
-      it 'does not create the SAML identity' do
-        expect { service.execute }.not_to change { Identity.count }
-      end
-    end
-
-    context 'when scim_identities is disabled' do
-      before do
-        stub_feature_flags(scim_identities: false)
-      end
-
-      it_behaves_like 'scim provisioning'
-
-      let_it_be(:service_params) do
-        {
-          email: 'work@example.com',
-          name: 'Test Name',
-          extern_uid: 'test_uid',
-          username: 'username'
-        }
-      end
-
-      it 'creates the SAML identity' do
-        expect { service.execute }.to change { Identity.count }.by(1)
-      end
-
-      it 'does not create the SCIM identity' do
-        expect { service.execute }.not_to change { ScimIdentity.count }
-      end
-
-      context 'existing user' do
-        before do
-          create(:user, email: 'work@example.com')
-        end
-
-        it 'does not create a new user' do
-          expect { service.execute }.not_to change { User.count }
-        end
-
-        it 'fails with conflict' do
-          expect(service.execute.status).to eq(:conflict)
-        end
-      end
-    end
-
-    context 'when scim_identities is enabled' do
-      before do
-        stub_feature_flags(scim_identities: true)
-      end
-
-      it_behaves_like 'scim provisioning'
 
     let_it_be(:service_params) do
       {
@@ -188,14 +140,14 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
       expect { service.execute }.to change { Identity.count }.by(1)
     end
 
-      context 'existing user' do
+    context 'for an existing user' do
       before do
         create(:email, user: user, email: 'work@example.com')
       end
       let(:user) { create(:user) }
 
-        context 'when user is not an existing group member' do
-          it_behaves_like 'existing user when scim identities are enabled'
+      context 'when user is not a group member' do
+        it_behaves_like 'existing user'
 
         it 'creates the group member' do
           expect { service.execute }.to change { GroupMember.count }.by(1)
@@ -223,7 +175,7 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
           group.add_guest(user)
         end
 
-          it_behaves_like 'existing user when scim identities are enabled'
+        it_behaves_like 'existing user'
 
         it 'does not create the group member' do
           expect { service.execute }.not_to change { GroupMember.count }
@@ -231,5 +183,4 @@ RSpec.describe ::EE::Gitlab::Scim::ProvisioningService do
       end
     end
   end
-  end
 end