[Organizations] Clone existing API keys to org admin on account transform #5589
Conversation
scottbommarito
requested review from
joelverhagen,
agr,
loic-sharma,
xavierdecoster,
shishirx34,
nugetlurker,
ryuyu,
anangaur,
chenriksson,
cristinamanum and
skofman1
| public async Task TransferApiKeysScopedToUser(User userWithKeys, User userToOwnKeys) | ||
| { | ||
| var eligibleApiKeys = userWithKeys.Credentials | ||
| .Where(c => c.IsApiKey() && c.Scopes.All(k => k.Owner == null || k.Owner == userWithKeys)).ToArray(); |
There was a problem hiding this comment.
can there be api keys for a user with the scope owned by someone else?
There was a problem hiding this comment.
This is in case the user has API keys scoped to another user or organization.
E.g.
User A is a member of organization B.
A makes API keys scoped to its own packages.
A makes API keys scoped to B's packages.
A leaves B.
A transforms into an organization with user C as admin.
We copy the API keys that A has that are scoped to its own packages but not B's.
|
|
||
| return await EntitiesContext.TransformUserToOrganization(accountToTransform, adminUser, token); | ||
| } | ||
|
|
||
| public async Task TransferApiKeysScopedToUser(User userWithKeys, User userToOwnKeys) |
There was a problem hiding this comment.
You could also do this in MigrateUserToOrganization.sql, which woudl allow you to keep it in the same transaction as the transform.
There was a problem hiding this comment.
I was considering that, but given that
1 - I'm less knowledgeable about SQL so this would have been harder for me to write
2 - we're trying to get this change out quickly for the next deployment
3 - if cloning the keys succeeds but transforming the org fails, the worst case scenario is that the admin user has some useless keys
I thought this was fine for now.
With this PR, when an account is transformed into an organization, its API keys are now cloned to the new admin.
This prevents breaking existing CI scenarios upon organization transformation.