92 lines
2.7 KiB
Org Mode
92 lines
2.7 KiB
Org Mode
|
# Created 2020-09-29 Tue 14:55
|
||
|
#+TITLE: Work Time Tracker
|
||
|
#+AUTHOR: Yann Esposito
|
||
|
* add idp-mapping to existing orgs
|
||
|
- ref :: https://github.com/threatgrid/iroh/issues/4049
|
||
|
|
||
|
** Context
|
||
|
|
||
|
The =Org= schema contains an optional field named =idp-mapping=:
|
||
|
|
||
|
#+begin_src clojure
|
||
|
(s/defschema OrgIdPMapping
|
||
|
(st/open-schema
|
||
|
{:idp (describe s/Str "Internal idp-id")
|
||
|
:organization-id (describe s/Str "the organization id provided by the IdP")
|
||
|
:enabled? (describe s/Bool "Do we allow the connection through this IdP?")}))
|
||
|
|
||
|
(s/defschema NewOrg
|
||
|
"Org before being saved to DB"
|
||
|
(st/merge
|
||
|
{:id s/Str}
|
||
|
(st/optional-keys
|
||
|
{,,,
|
||
|
:idp-mapping OrgIdPMapping
|
||
|
,,
|
||
|
})))
|
||
|
#+end_src
|
||
|
|
||
|
To support CSA Migration it should be replaced by:
|
||
|
|
||
|
#+begin_src clojure
|
||
|
(s/defschema OrgIdPMapping
|
||
|
{:idp (describe s/Str "Internal idp-id")
|
||
|
:organization-id (describe s/Str "the organization id provided by the IdP")
|
||
|
:enabled? (describe s/Bool "Do we allow the connection through this IdP?")})
|
||
|
|
||
|
(s/defschema NewOrg
|
||
|
"Org before being saved to DB"
|
||
|
(st/merge
|
||
|
{:id s/Str
|
||
|
:idp-mapping OrgIdPMapping}
|
||
|
(st/optional-keys
|
||
|
{:old-idp-mapping OrgIdPMapping
|
||
|
,,,
|
||
|
})))
|
||
|
#+end_src
|
||
|
|
||
|
This issue is about a second step toward this goal (cf.
|
||
|
https://github.com/threatgrid/iroh/issues/4204).
|
||
|
|
||
|
So at the end of this issue the schemas should be:
|
||
|
|
||
|
#+begin_src clojure
|
||
|
(s/defschema OrgIdPMapping
|
||
|
{:idp (describe s/Str "Internal idp-id")
|
||
|
(s/optional-key :organization-id) (describe s/Str "the organization id provided by the IdP")
|
||
|
:enabled? (describe s/Bool "Do we allow the connection through this IdP?")})
|
||
|
|
||
|
(s/defschema NewOrg
|
||
|
"Org before being saved to DB"
|
||
|
(st/merge
|
||
|
{:id s/Str
|
||
|
:idp-mapping OrgIdPMapping}
|
||
|
(st/optional-keys
|
||
|
{,,,})))
|
||
|
#+end_src
|
||
|
|
||
|
** Migration task
|
||
|
|
||
|
The migration service should be used to create a new migration task.
|
||
|
The main algorithm should be something like:
|
||
|
|
||
|
For every existing org =O= that do not have any =idp-mapping=;
|
||
|
Retrieve all the =idp-mappings= of every users of this org.
|
||
|
Keep the fields =idp-id= and =organization-id= of those mapping.
|
||
|
Use the most present couple =idp-id=, =organization-id= as new IdPMapping
|
||
|
from the =org=.
|
||
|
|
||
|
In the current state, you should always consider =enabled?= of the
|
||
|
IdPMapping is true and ignore this field.
|
||
|
|
||
|
Also note migration tasks often fail during TEST environment due to QA
|
||
|
testing that could create entities with the wrong schema.
|
||
|
Most of the time, we should only logs such errors and not make the
|
||
|
migration fail.
|
||
|
|
||
|
Most of the time we use a heuristic, if we detect too much errors we make
|
||
|
the migration fail.
|
||
|
Recently we also introduced migration that could write to another table to
|
||
|
minimize the risk of data loss.
|
||
|
I'm not sure this will be much needed here.
|