PROD-972 ID-1324 Deduplicate group synchronization calls to google.

[Ghost-in-a-Jar]

Ticket: https://broadworkbench.atlassian.net/browse/ID-1324

What:

We make a LOT of calls to the google groups api, a lot of which are duplicated and unnecessary. This PR aims to reduce the number of calls to google group apis during the group syncing

Why:

We are hitting the quota for listing group memberships every day and ended up with a prod incident over the weekend.

How:

The plan is to record the last synchronized version and current version of group, only synchronize group if group version is greater than last synchronized version.

Pseudocode:

Pull message from pubsub, check current version of group against last synchronized version
if equal:
	do nothing
if the group version is greater than last synchronized version
	sychronize the group

	update last sycnronized version to the version of the group when the synchronization started

In DB migration set initial values of current group version to 1 and last synchronized version to 0

Testing/monitoring notes:

• can test manually by pushing our own messages into the queue
• add unit tests in GoogleExtensionSpec
• add some telemetry around no-ops and list group membership

---

PR checklist

• I've followed the instructions if I've made any changes to the API, especially if they're breaking changes
• I've filled out the Security Risk Assessment (requires Broad Internal network access) and attached the result to the JIRA ticket

[dvoet]

I think you also need to update the group version somewhere in or before GoogleExtension.onGroupUpdate. This is the logic that figures out all the policies related to an auth domain that must be synced. The related policies need to have their versions bumped so that the GoogleGroupSynchronizer doesn't ignore them.

[dvoet]

also need to update the group version in overwritePolicyMembersInternal

[Ghost-in-a-Jar]

This started failing because updateSynchronizedDateAndVersion was being called for the policy with the addition of the all users group in the policy. Still trying to get my head around exactly why. A lot is mocked out here and this test is really only focused around group emails so I think this change is fine.

[dvoet]

probably because the policy is set to public

[Ghost-in-a-Jar]

This updates all of the policies when an auth domain is added to a resource

[Ghost-in-a-Jar]

We want to pass in the group here so that we can use the version of the group that is held in memory when the sync started.

[Ghost-in-a-Jar]

This is needed to update the policies in resource service and it just creates a write db session and then calls updateGroupUpdatedDateAndVersion

[Ghost-in-a-Jar]

updateGroupUpdatedDateAndVersion is also only on PostgresGroupDAO which ResourceService doesnt have access to

[Ghost-in-a-Jar]

Defaulting these values (including in the other models) was to avoid having to change BasicWorkbenchGroup in a ton of places. With the proper tests in place I think this is ok.

[dvoet]

1 comment but don't hold this up based on it

[dvoet]

I don't really like handling this with an exception since this is not really an exceptional situation, we just want an early escape.

[dvoet]

probably because the policy is set to public

[samanehsan]

Thanks @Ghost-in-a-Jar! 🎉

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
10.1% Duplication on New Code

See analysis details on SonarCloud