mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
When syncing identities from an identity, we have logic in place that resurrects any soft-deleted identities in order to maintain their session history, group memberships and any other relevant data. Users can be temporarily suspended from their identity provider and then resumed.

Groups, however, based on cursory research, can never be temporarily suspended at the identity provider. However, this doesn't mean that we can't see the group disappear and reappear at a later point in time. This can happen due to a temporary sync issue, or in the upcoming Group Filters PR: #8381.

This PR adds more robust testing to ensure we can in fact resurrect identities as expected. It also updates the group sync logic to similarly resurrect soft-deleted groups if they are seen again in a subsequent sync.

To achieve this, we need to update the `UNIQUE CONSTRAINT` used in the upsert clause during the sync. Before, it was possible for two (or more) groups to exist with the same provider_identifier and provider_id, if `deleted_at IS NOT NULL`. Now, we need to ensure that only one group with the same `account_id, provider_id, provider_identifier` can exist, since we want to resurrect and not recreate these.

To do this, we use a migration that does the following:

1. Ensures any potentially problematic data is permanently deleted
2. Drops the existing unique constraint
3. Recreates it, omitting `WHERE DELETED_AT IS NULL` from the partial index.

Based on exploring the production DB data, this should not cause any issues, but it would be a good idea to double-check before rolling this out to prod.

Lastly, the final missing piece to the resurrection story is Policies. This is saved for a future PR since we need to first define the difference between a policy that was soft-deleted via a sync job, and a policy that was "perma" deleted by a user.

Related: #8187
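
The constraint change described above, shown as an added example that is not part of the original commit or the project's own code. SQLite (through Python's `sqlite3`) stands in for the project's database, and the table name `actor_groups`, the index name `groups_uniq` and the sample row are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical, simplified groups table (names are assumptions, not the project's schema).
SCHEMA = """
CREATE TABLE actor_groups (
  id INTEGER PRIMARY KEY,
  account_id TEXT NOT NULL,
  provider_id TEXT NOT NULL,
  provider_identifier TEXT NOT NULL,
  name TEXT NOT NULL,
  deleted_at TEXT
)
"""
KEY = "(account_id, provider_id, provider_identifier)"
LIVE_ONLY = " WHERE deleted_at IS NULL"


def upsert_sql(partial):
    # The conflict target has to match the unique index, including its predicate.
    target = KEY + (LIVE_ONLY if partial else "")
    return (
        "INSERT INTO actor_groups (account_id, provider_id, provider_identifier, name) "
        f"VALUES (?, ?, ?, ?) ON CONFLICT {target} "
        "DO UPDATE SET name = excluded.name, deleted_at = NULL"
    )


def simulate(partial):
    """Run three syncs (seen, missing, seen again) and return (id, deleted_at) rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute(f"CREATE UNIQUE INDEX groups_uniq ON actor_groups {KEY}"
               + (LIVE_ONLY if partial else ""))
    group = ("acct-1", "prov-1", "G:engineering", "Engineering")  # constructed sample
    db.execute(upsert_sql(partial), group)            # sync 1: group is seen
    db.execute("UPDATE actor_groups SET deleted_at = '2025-01-01' "
               "WHERE provider_identifier = ?", (group[2],))  # sync 2: soft-deleted
    db.execute(upsert_sql(partial), group)            # sync 3: group reappears
    return db.execute("SELECT id, deleted_at FROM actor_groups ORDER BY id").fetchall()


if __name__ == "__main__":
    # Partial index: the soft-deleted row is invisible to the constraint, so a
    # second row is created and the old row's id (and its memberships) is orphaned.
    print("partial index:", simulate(partial=True))
    # Full index: the upsert conflicts with the soft-deleted row and resurrects it.
    print("full index:   ", simulate(partial=False))
```

With the full index the reappearing group keeps its original primary key, so rows that reference it (memberships, and later policies) still point at the resurrected group.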