[DDO-3890] Add models.User.DeactivatedAt

[jack-r-warren]

Adds a currently read-only field to represent a models.User being deactivated. This PR adds the field and other related logic that reads it:

• Preventing a deactivated user from authenticating (to either API or OIDC)
• Preventing a user from modifying their own deactivated state (just an extra check)
• Preventing a role assignment being created for a deactivated user
• Automatically deleting role assignments for deactivated users (just like expired role assignments)
• Not adding deactivated users to auto-assign roles
• Hiding deactivated users by default when listing users

This PR also allows super admins to modify the user records of other users through the API. Users could previously only edit themselves and super admins had to go through the database. This is in preparation for the deactivation field being mutable via a super-admin-only procedure endpoint.

Note that propagation is unaffected here. That whole system is unaware of a user being deactivated and it's only concerned with role assignment state. That's why it's important that we delete role assignments for deactivated users.

Testing

Tests for each feature updated to add coverage. Sherlock's strategy of testing the API JSON-to-JSON means that we've got high existing coverage protecting against regressions.

Risk

Low, and this one's an easy one to roll back which is some of why I'm splitting this out.

[github-actions]

What's Changed

---

GET /api/users/v3

Parameters:

Added: deactivatedAt in query

If set, indicates that the user is currently deactivated

Added: include-deactivated in query

Include deactivated users in the results (default false)

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Added property deactivatedAt (string)

    If set, indicates that the user is currently deactivated

PUT /api/users/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Added property deactivatedAt (string)

    If set, indicates that the user is currently deactivated

Changed response : 201 Created

Created

• Changed content type : application/json

  • Added property deactivatedAt (string)

    If set, indicates that the user is currently deactivated

GET /api/users/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Added property deactivatedAt (string)

    If set, indicates that the user is currently deactivated

GET /api/app-versions/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

PUT /api/app-versions/v3

Return Type:

Changed response : 201 Created

Created

• Changed content type : application/json

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/app-versions/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

PATCH /api/app-versions/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/chart-versions/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

PUT /api/chart-versions/v3

Return Type:

Changed response : 201 Created

Created

• Changed content type : application/json

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/chart-versions/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

PATCH /api/chart-versions/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property authoredByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/environments/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property ownerInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

POST /api/environments/v3

Return Type:

Changed response : 201 Created

Created

• Changed content type : application/json

  • Changed property ownerInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/environments/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property ownerInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

DELETE /api/environments/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property ownerInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

PATCH /api/environments/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property ownerInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/app-versions/procedures/v3/changelog

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property changelog (array)

    Changed items (object):

    • Changed property authoredByInfo (object)

      • Added property deactivatedAt (string)

        If set, indicates that the user is currently deactivated

POST /api/changesets/procedures/v3/apply

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/changesets/procedures/v3/chart-release-history/{chart-release}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

POST /api/changesets/procedures/v3/plan

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

Changed response : 201 Created

Created

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

POST /api/changesets/procedures/v3/plan-and-apply

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

Changed response : 201 Created

Created

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/changesets/procedures/v3/version-history/{version-type}/{chart}/{version}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/changesets/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/changesets/v3/{id}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property appliedByInfo (object)

    • Added property deactivatedAt (string)

      If set, indicates that the user is currently deactivated

GET /api/chart-releases/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property appVersionInfo (object)

    • Changed property authoredByInfo (object)

      • Added property deactivatedAt (string)

        If set, indicates that the user is currently deactivated

POST /api/chart-releases/v3

Return Type:

Changed response : 201 Created

Created

• Changed content type : application/json

  • Changed property appVersionInfo (object)

    • Changed property authoredByInfo (object)

      • Added property deactivatedAt (string)

        If set, indicates that the user is currently deactivated

GET /api/chart-releases/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property appVersionInfo (object)

    • Changed property authoredByInfo (object)

      • Added property deactivatedAt (string)

        If set, indicates that the user is currently deactivated

DELETE /api/chart-releases/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property appVersionInfo (object)

    • Changed property authoredByInfo (object)

      • Added property deactivatedAt (string)

        If set, indicates that the user is currently deactivated

PATCH /api/chart-releases/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property appVersionInfo (object)

    • Changed property authoredByInfo (object)

      • Added property deactivatedAt (string)

        If set, indicates that the user is currently deactivated

GET /api/chart-versions/procedures/v3/changelog

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property changelog (array)

    Changed items (object):

    • Changed property authoredByInfo (object)

      • Added property deactivatedAt (string)

        If set, indicates that the user is currently deactivated

GET /api/database-instances/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  Changed items (object):

  • Changed property chartReleaseInfo (object)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Added property deactivatedAt (string)

          If set, indicates that the user is currently deactivated

PUT /api/database-instances/v3

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property chartReleaseInfo (object)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Added property deactivatedAt (string)

          If set, indicates that the user is currently deactivated

Changed response : 201 Created

Created

• Changed content type : application/json

  • Changed property chartReleaseInfo (object)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Added property deactivatedAt (string)

          If set, indicates that the user is currently deactivated

POST /api/database-instances/v3

Return Type:

Changed response : 201 Created

Created

• Changed content type : application/json

  • Changed property chartReleaseInfo (object)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Added property deactivatedAt (string)

          If set, indicates that the user is currently deactivated

GET /api/database-instances/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property chartReleaseInfo (object)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Added property deactivatedAt (string)

          If set, indicates that the user is currently deactivated

DELETE /api/database-instances/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property chartReleaseInfo (object)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Added property deactivatedAt (string)

          If set, indicates that the user is currently deactivated

PATCH /api/database-instances/v3/{selector}

Return Type:

Changed response : 200 OK

OK

• Changed content type : application/json

  • Changed property chartReleaseInfo (object)

    • Changed property appVersionInfo (object)

      • Changed property authoredByInfo (object)

        • Added property deactivatedAt (string)

          If set, indicates that the user is currently deactivated

[github-actions]

Published image from df35c65 (merge f83fcd7):

us-central1-docker.pkg.dev/dsp-artifact-registry/sherlock/sherlock:v1.6.4-f83fcd7
us-central1-docker.pkg.dev/dsp-devops-super-prod/sherlock/sherlock:v1.6.4-f83fcd7

[sonarqubecloud]

Quality Gate passed

Issues
9 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
3.7% Duplication on New Code

See analysis details on SonarCloud

[codecov]

Codecov Report

Attention: Patch coverage is 79.03226% with 13 lines in your changes missing coverage. Please review.

Project coverage is 67.52%. Comparing base (9878ab0) to head (df35c65).

Files with missing lines	Patch %	Lines
sherlock/internal/api/sherlock/users_v3_list.go	70.00%	2 Missing and 1 partial ⚠️
sherlock/internal/models/role_assignment.go	66.66%	1 Missing and 2 partials ⚠️
...ock/internal/models/role_assignment_auto_delete.go	70.00%	2 Missing and 1 partial ⚠️
...k/internal/middleware/authentication/middleware.go	0.00%	2 Missing ⚠️
sherlock/internal/models/test_data.go	80.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #683      +/-   ##
==========================================
- Coverage   67.79%   67.52%   -0.28%     
==========================================
  Files         291      291              
  Lines       13535    13584      +49     
==========================================
- Hits         9176     9172       -4     
- Misses       3455     3519      +64     
+ Partials      904      893      -11     

Files with missing lines	Coverage Δ
sherlock/internal/api/sherlock/users_v3.go	100.00% <100.00%> (ø)
sherlock/internal/boot/application.go	59.37% <100.00%> (ø)
...nternal/middleware/authentication/user_provider.go	21.51% <100.00%> (-15.25%)	⬇️
sherlock/internal/models/role_auto_assign.go	44.68% <100.00%> (ø)
sherlock/internal/models/user.go	89.24% <100.00%> (+2.43%)	⬆️
...k/internal/middleware/authentication/middleware.go	0.00% <0.00%> (-87.50%)	⬇️
sherlock/internal/models/test_data.go	98.05% <80.00%> (-0.17%)	⬇️
sherlock/internal/api/sherlock/users_v3_list.go	79.48% <70.00%> (-3.28%)	⬇️
sherlock/internal/models/role_assignment.go	81.29% <66.66%> (-0.91%)	⬇️
...ock/internal/models/role_assignment_auto_delete.go	53.33% <70.00%> (ø)

... and 1 file with indirect coverage changes