Skip to content

chore: Delegate user sync to PDP#40836

Merged
dionisio-bot[bot] merged 15 commits into
developfrom
feat/abac-users-sync-strategy-agnostic
Jun 9, 2026
Merged

chore: Delegate user sync to PDP#40836
dionisio-bot[bot] merged 15 commits into
developfrom
feat/abac-users-sync-strategy-agnostic

Conversation

@KevLehman

@KevLehman KevLehman commented Jun 5, 2026

Copy link
Copy Markdown
Member

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/ABAC3-23

Steps to test or reproduce

Further comments

Summary by CodeRabbit

  • New Features

    • Added ABAC user reevaluation via the sync endpoint, accepting usernames, ids, emails, or ldapIds.
    • Local and external policy flows can trigger attribute refreshes and remove users from rooms when policies deny access.
    • Simplified licensing: ABAC sync now requires only the abac license.
  • Tests

    • Added end-to-end and unit tests covering disabled/enabled scenarios, strategy-agnostic cases, external PDP decisions, and edge cases.

@dionisio-bot

dionisio-bot Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

Looks like this PR is ready to merge! 🎉
If you have any trouble, please check the PR guidelines

@changeset-bot

changeset-bot Bot commented Jun 5, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 5230be5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c2f53fca-ce09-46e3-b71f-1e6521aa2088

📥 Commits

Reviewing files that changed from the base of the PR and between f10526b and 5230be5.

📒 Files selected for processing (1)
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts

Walkthrough

Adds AbacService.reevaluateUsers, PDP bulk reevaluation (Local and Virtru), LDAPEEService bridging, updates POST /abac/users/sync to call Abac.reevaluateUsers, and extends unit and E2E tests for reevaluation outcomes and room membership removals.

Changes

ABAC User Reevaluation Flow

Layer / File(s) Summary
Type contracts for reevaluation
packages/core-typings/src/Abac.ts, ee/packages/abac/src/pdp/types.ts, packages/core-services/src/types/IAbacService.ts, packages/core-services/src/types/ILDAPEEService.ts
AbacUserIdentifiers and ReevaluationUser types model flexible user identifier inputs and PDP reevaluation users. IPolicyDecisionPoint, IAbacService, and ILDAPEEService interfaces extended with reevaluateUsers and syncUsersAbacAttributesByIds method signatures.
PDP reevaluation implementations
ee/packages/abac/src/pdp/LocalPDP.ts, ee/packages/abac/src/pdp/VirtruPDP.ts, ee/packages/abac/src/pdp/VirtruPDP.spec.ts
LocalPDP.reevaluateUsers delegates to LDAP enterprise sync via LDAPEnterprise.syncUsersAbacAttributesByIds. VirtruPDP.reevaluateUsers deduplicates room IDs from users, fetches ABAC-enabled private rooms, maps users to rooms, and delegates to evaluateUserRooms. Unit tests verify DENY removes users, PERMIT retains them, and empty inputs avoid DB calls.
Service-level reevaluation orchestration
ee/packages/abac/src/index.ts, apps/meteor/ee/server/local-services/ldap/service.ts, ee/packages/abac/src/service.spec.ts
AbacService.reevaluateUsers gates on PDP availability, loads matching users with __rooms, delegates to PDP, and removes non-compliant {user, room} pairs with concurrency limiting. LDAPEEService.syncUsersAbacAttributesByIds resolves user IDs to full user objects and forwards to LDAP sync. Unit tests mock Users and LDAPEnterprise for reevaluation paths.
API endpoint integration and tests
apps/meteor/ee/server/api/abac/index.ts, apps/meteor/tests/end-to-end/api/abac.ts
POST /abac/users/sync endpoint updated to call Abac.reevaluateUsers instead of direct LDAP sync; license requirement narrowed to ['abac']. E2E tests updated to use api() helper and include disabled-ABAC, strategy-agnostic handling, LDAP limit checks, and External PDP re-evaluation (DENY/PERMIT) cases.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • RocketChat/Rocket.Chat#40837: Prior refactor of POST /abac/users/sync to use LDAPEnterprise.syncUsersAbacAttributes; this PR evolves the endpoint to call Abac.reevaluateUsers.

Suggested labels

type: chore

Suggested reviewers

  • ricardogarim
  • tassoevan
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'chore: Delegate user sync to PDP' accurately describes the main architectural change across the pull request: refactoring user synchronization logic to delegate to policy decision points instead of directly calling LDAP, as evidenced by changes to ABAC service, PDP implementations, and endpoints.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • ABAC3-23: Request failed with status code 401

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov

codecov Bot commented Jun 5, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 64.00000% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.15%. Comparing base (6d2e5ec) to head (5230be5).
⚠️ Report is 18 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #40836      +/-   ##
===========================================
+ Coverage    70.09%   70.15%   +0.06%     
===========================================
  Files         3337     3342       +5     
  Lines       123509   123765     +256     
  Branches     22057    22120      +63     
===========================================
+ Hits         86574    86830     +256     
+ Misses       33594    33583      -11     
- Partials      3341     3352      +11     
Flag Coverage Δ
e2e 59.32% <ø> (-0.09%) ⬇️
e2e-api 46.32% <ø> (-0.80%) ⬇️
unit 70.99% <64.00%> (+0.12%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@KevLehman KevLehman force-pushed the feat/abac-users-sync-strategy-agnostic branch from 31ddb84 to 8bba69c Compare June 8, 2026 16:20
@KevLehman KevLehman added this to the 8.6.0 milestone Jun 8, 2026
@KevLehman KevLehman marked this pull request as ready for review June 8, 2026 19:58
@KevLehman KevLehman requested review from a team as code owners June 8, 2026 19:58
@coderabbitai coderabbitai Bot added type: feature Pull requests that introduces new feature area: authentication labels Jun 8, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@ee/packages/abac/src/index.ts`:
- Around line 979-981: The catch block that currently logs errors with
logger.error({ msg: 'Failed to reevaluate users', err }) swallows failures from
the reevaluation/removal flow so API-triggered sync can wrongly report success;
update the catch in ee/packages/abac/src/index.ts (the block that logs 'Failed
to reevaluate users') to re-throw the caught error after logging (or remove the
try/catch entirely) so the exception bubbles to callers and the API can surface
a failure.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5df85b7-b809-40f1-8c80-bb6b76f8f8d0

📥 Commits

Reviewing files that changed from the base of the PR and between 6d2e5ec and eb95f27.

📒 Files selected for processing (12)
  • apps/meteor/ee/server/api/abac/index.ts
  • apps/meteor/ee/server/local-services/ldap/service.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
  • ee/packages/abac/src/index.ts
  • ee/packages/abac/src/pdp/LocalPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.ts
  • ee/packages/abac/src/pdp/types.ts
  • ee/packages/abac/src/service.spec.ts
  • packages/core-services/src/types/IAbacService.ts
  • packages/core-services/src/types/ILDAPEEService.ts
  • packages/core-typings/src/Abac.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: cubic · AI code reviewer
  • GitHub Check: Hacktron Security Check
  • GitHub Check: 🔨 Test UI (EE) / MongoDB 8.0 coverage (1/5)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx,js}

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.{ts,tsx,js}: Write concise, technical TypeScript/JavaScript with accurate typing in Playwright tests
Avoid code comments in the implementation

Files:

  • packages/core-typings/src/Abac.ts
  • packages/core-services/src/types/IAbacService.ts
  • packages/core-services/src/types/ILDAPEEService.ts
  • ee/packages/abac/src/pdp/types.ts
  • apps/meteor/ee/server/local-services/ldap/service.ts
  • apps/meteor/ee/server/api/abac/index.ts
  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/index.ts
  • ee/packages/abac/src/pdp/LocalPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
**/*.spec.ts

📄 CodeRabbit inference engine (.cursor/rules/playwright.mdc)

**/*.spec.ts: Use descriptive test names that clearly communicate expected behavior in Playwright tests
Use .spec.ts extension for test files (e.g., login.spec.ts)

Files:

  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
🧠 Learnings (6)
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In the Rocket.Chat repository, do not reference Biome lint rules in code review feedback. Biome is not used even if biome.json exists; only reference Biome rules if there is explicit, project-wide usage documented. For TypeScript files, review lint implications without Biome guidance unless the project enables Biome rules.

Applied to files:

  • packages/core-typings/src/Abac.ts
  • packages/core-services/src/types/IAbacService.ts
  • packages/core-services/src/types/ILDAPEEService.ts
  • ee/packages/abac/src/pdp/types.ts
  • apps/meteor/ee/server/local-services/ldap/service.ts
  • apps/meteor/ee/server/api/abac/index.ts
  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/index.ts
  • ee/packages/abac/src/pdp/LocalPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2026-02-26T19:25:44.063Z
Learnt from: gabriellsh
Repo: RocketChat/Rocket.Chat PR: 38778
File: packages/ui-voip/src/providers/useMediaSession.ts:192-192
Timestamp: 2026-02-26T19:25:44.063Z
Learning: In this repository (RocketChat/Rocket.Chat), Biome lint rules are not used even if a biome.json exists. When reviewing TypeScript files (e.g., packages/ui-voip/src/providers/useMediaSession.ts), ensure lint suggestions do not reference Biome-specific rules. Rely on general ESLint/TypeScript lint rules and project conventions instead.

Applied to files:

  • packages/core-typings/src/Abac.ts
  • packages/core-services/src/types/IAbacService.ts
  • packages/core-services/src/types/ILDAPEEService.ts
  • ee/packages/abac/src/pdp/types.ts
  • apps/meteor/ee/server/local-services/ldap/service.ts
  • apps/meteor/ee/server/api/abac/index.ts
  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/index.ts
  • ee/packages/abac/src/pdp/LocalPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2026-05-06T12:21:44.083Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 40256
File: apps/meteor/client/components/CreateDiscussion/CreateDiscussion.tsx:121-149
Timestamp: 2026-05-06T12:21:44.083Z
Learning: Field wrappers in rocket.chat/fuselage-forms (Field, FieldLabel, FieldRow, FieldError, FieldHint) auto-create htmlFor/id associations, aria-describedby, and role="alert" for errors. Do not manually set htmlFor, id, aria-describedby, or role attributes when using these wrappers. This automatic wiring does not apply to plain rocket.chat/fuselage components, which require explicit ID wiring per the accessibility docs. In code reviews, prefer using fuselage-forms wrappers for form fields and verify there is no unnecessary manual ID/aria wiring in files that use these wrappers. If a component uses plain fuselage components, ensure proper id wiring as per docs.

Applied to files:

  • packages/core-typings/src/Abac.ts
  • packages/core-services/src/types/IAbacService.ts
  • packages/core-services/src/types/ILDAPEEService.ts
  • ee/packages/abac/src/pdp/types.ts
  • apps/meteor/ee/server/local-services/ldap/service.ts
  • apps/meteor/ee/server/api/abac/index.ts
  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/index.ts
  • ee/packages/abac/src/pdp/LocalPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
  • apps/meteor/tests/end-to-end/api/abac.ts
📚 Learning: 2025-12-10T21:00:43.645Z
Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37091
File: ee/packages/abac/jest.config.ts:4-7
Timestamp: 2025-12-10T21:00:43.645Z
Learning: Adopt the monorepo-wide Jest testMatch pattern: <rootDir>/src/**/*.spec.{ts,js,mjs} (represented here as '**/src/**/*.spec.{ts,js,mjs}') to ensure spec files under any package's src directory are picked up consistently across all packages in the Rocket.Chat monorepo. Apply this pattern in jest.config.ts for all relevant packages to maintain uniform test discovery.

Applied to files:

  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
📚 Learning: 2026-02-24T19:22:48.358Z
Learnt from: juliajforesti
Repo: RocketChat/Rocket.Chat PR: 38493
File: apps/meteor/tests/e2e/omnichannel/omnichannel-send-pdf-transcript.spec.ts:66-67
Timestamp: 2026-02-24T19:22:48.358Z
Learning: In Playwright end-to-end tests (e.g., under apps/meteor/tests/e2e/...), prefer locating elements by translated text (getByText) and ARIA roles (getByRole) over data-qa attributes. If translation values change, update the corresponding test locators accordingly. Never use data-qa locators. This guideline applies to all Playwright e2e test specs in the repository and helps keep tests robust to UI text changes and accessible semantics.

Applied to files:

  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
📚 Learning: 2026-03-06T18:10:15.268Z
Learnt from: tassoevan
Repo: RocketChat/Rocket.Chat PR: 39397
File: packages/gazzodown/src/code/CodeBlock.spec.tsx:47-68
Timestamp: 2026-03-06T18:10:15.268Z
Learning: In tests (especially those using testing-library/dom/jsdom) for Rocket.Chat components, the HTML <code> element has an implicit ARIA role of 'code'. Therefore, screen.getByRole('code') or screen.findByRole('code') will locate <code> elements even without a role attribute. Do not flag findByRole('code') as invalid in reviews; prefer using the implicit role instead of adding role="code" unless necessary for accessibility.

Applied to files:

  • ee/packages/abac/src/service.spec.ts
  • ee/packages/abac/src/pdp/VirtruPDP.spec.ts
🔇 Additional comments (12)
packages/core-typings/src/Abac.ts (1)

17-22: LGTM!

packages/core-services/src/types/ILDAPEEService.ts (1)

11-11: LGTM!

ee/packages/abac/src/pdp/VirtruPDP.ts (1)

4-4: LGTM!

Also applies to: 9-9, 354-378

ee/packages/abac/src/pdp/VirtruPDP.spec.ts (1)

473-503: LGTM!

apps/meteor/ee/server/api/abac/index.ts (1)

2-2: LGTM!

Also applies to: 5-5, 212-212, 228-228

apps/meteor/tests/end-to-end/api/abac.ts (1)

7-7: LGTM!

Also applies to: 193-193, 1454-1463, 1846-1865, 2538-2538, 2568-2568, 2582-2582, 2596-2596, 2610-2610, 2624-2624, 2702-2702, 3459-3569, 4092-4092

ee/packages/abac/src/pdp/types.ts (1)

31-32: LGTM!

Also applies to: 59-59

packages/core-services/src/types/IAbacService.ts (1)

10-10: LGTM!

Also applies to: 53-53

ee/packages/abac/src/pdp/LocalPDP.ts (1)

1-1: LGTM!

Also applies to: 7-7, 85-87

ee/packages/abac/src/index.ts (1)

15-15: LGTM!

apps/meteor/ee/server/local-services/ldap/service.ts (1)

3-3: LGTM!

Also applies to: 35-37

ee/packages/abac/src/service.spec.ts (1)

62-63: LGTM!

Also applies to: 95-95, 122-124, 1993-2033

Comment thread ee/packages/abac/src/index.ts

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 12 files

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread ee/packages/abac/src/index.ts
Comment thread ee/packages/abac/src/index.ts
@coderabbitai coderabbitai Bot added type: chore and removed type: feature Pull requests that introduces new feature area: authentication labels Jun 8, 2026

@hacktron-app hacktron-app Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file

Severity Count
HIGH 1

View full scan results

Comment thread ee/packages/abac/src/pdp/VirtruPDP.ts
@KevLehman KevLehman added the stat: QA assured Means it has been tested and approved by a company insider label Jun 8, 2026
@dionisio-bot dionisio-bot Bot added the stat: ready to merge PR tested and approved waiting for merge label Jun 8, 2026
Comment thread ee/packages/abac/src/pdp/VirtruPDP.ts Outdated
ricardogarim
ricardogarim previously approved these changes Jun 9, 2026
@dionisio-bot dionisio-bot Bot added this pull request to the merge queue Jun 9, 2026
@github-merge-queue github-merge-queue Bot removed this pull request from the merge queue due to failed status checks Jun 9, 2026
@dionisio-bot dionisio-bot Bot added this pull request to the merge queue Jun 9, 2026
Merged via the queue into develop with commit 5a8945d Jun 9, 2026
48 checks passed
@dionisio-bot dionisio-bot Bot deleted the feat/abac-users-sync-strategy-agnostic branch June 9, 2026 20:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

stat: QA assured Means it has been tested and approved by a company insider stat: ready to merge PR tested and approved waiting for merge type: chore

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants