B2B: Update Keycloak org membership when a user redeems an enrollment code

[jkachel]

What are the relevant tickets?

Closes mitodl/hq#8655

Description (What does it do?)

We're working to make Keycloak the source of truth for organization data, including memberships. MITx Online allows users to join an organization by supplying an enrollment code (either through the checkout process or via a separate "attach" API the user can get to via Learn). These joins need to be represented in Keycloak too, or the user will be removed from the organization when they do anything else in the system. (Org membership is evaluated any time the user hits the system, and orgs the user's joined on their own won't show up in the list that we get back from APISIX, so this will signal the auth middleware to remove them from those orgs.)

So, this PR adds code to hit the Keycloak admin API's organization members endpoint to add the user to the Keycloak organization when we process an enrollment code. When a user either completes checkout of a contract courserun and uses an enrollment code, or uses the attach API, the system will now POST the user's global ID to organizations/<org id>/members/ which should add them to the organization in question.

This also does some other backend shoring up that was needed:

• We now have a hard link between users and organizations. Previously, we calculated this based on contract membership.
  • This allows us to flag organization records on MITx Online's end that have been manually processed by it.
  • Every place that the system added contract membership was updated to ensure the org memberships were also correct.
• The integration_type field on contracts has changed to membership_type.
  • integration_type wasn't a reasonable name for the field anymore - we don't use it to determine whether or not the contract/org has an SSO integration, we use it to determine when we should automatically manage the membership of the contract.
  • This also adds auto, managed, and code as options for this field. managed and auto correspond to the sso type before, and code corresponds to the non-sso type. (There are two auto ones for a future PR.)
  • The migration that changes this should preserve the field values for existing contracts.

How can this be tested?

Automated tests should pass.

To test, your setup needs to have:

• MITx Online configured properly to hit the Keycloak admin API. See
• An org that is set up in Keycloak and has a matching org in MITx Online (use sync_keycloak_orgs management command)
• A B2B contract that is configured for the org and is a non-sso/code contract (so you get enrollment codes).
• A course for that contract (so you get enrollment codes - it does not necessarily need to exist in edX).
• Ideally: Learn also running, so you can easily hit the attach API. Alternatively, you can work out the URL for that manually or you can go through the checkout process to attach to the contract/org. (But Learn is highly recommended since it has the org dashboard in it.)

1. Log in as your test user.
2. Attach the user to your contract using an enrollment code - either by using the cart process or the attach URL.
3. Check the user in MITx Online. It should have the org attached to it, and the "keep until seen" flag should be True.
4. Check the user in Keycloak. They should be in the org.
5. Continue doing things in MITx Online. The user's org membership should remain stable.
6. Log out and then back in again.
7. Check the user in MITx Online. The org membership should not have any changes, but the "keep until seen" flag should be cleared.
8. Removing the user from the org in Keycloak should result in them being removed from the org in MITx Online. However, you have to log out and back in for that change to take effect.

Additional Context

The managed and auto types are to cover two cases: when we want a contract to be available to all users in the org without exception, and when we want a contract to be available to users in the org who arrive there via federation (i.e. they log in via their host organization). At the moment, there's no real distinction between these two; that will come in a later PR. (Basically, we'll need to add a flag to the org membership in MITx Online to determine if they came in with an enrollment code or not - if they did, they won't get managed contracts automatically.)

The "keep until seen" flag works around an issue with reconciling the user's org memberships based on the user data from APISIX. APISIX's user data payload includes the organizations the user belongs to. However, this user data is cached - it retrieves the user data from Keycloak when the user logs in, and then it never updates it. So until the APISIX session is cleared, the org list for the user won't change either (even though we've changed it in Keycloak). The "keep until seen" flag means that the reconciliation code should skip this particular membership until it's actually seen in the APISIX user data. This is also why you have to log out and back in if you remove a user from the org in Keycloak for the change to take effect in MITx Online.

[jkachel]

Final test failure here is one of the flaky ones - see https://github.com/mitodl/hq/issues/8744

[rhysyngsun]

Should this be [value[0] for value in CONTRACT_MEMBERSHIP_CHOICES] instead so we don't risk them getting out of sync if other types are added or removed?

[rhysyngsun]

Should there maybe not be a default and require it to be explicitly specified to avoid user error?

[rhysyngsun]

This wasn't ever implemented, so there's permanent data loss on a rollback.

[jkachel]

I changed this to do an AlterField on the column rather than creating a new one and dropping the old; seemed more straightforward that way since the "use" of the column really doesn't change any.

[rhysyngsun]

The rename would actually cause issues w/ an in-flight requests at the time though, right? Even the original code actually had this issue so I'm thinking in this PR you should only add the field and copy the values over, and then in a follow up PR after the next release remove the old field. Normally I think we'd just roll with it but I think there's extra sensitivity around this given the users it'd impact?

[jkachel]

Makes sense. Reworked this in ee9a451.

[rhysyngsun]

Nit: all() is unnecessary here. Same for the next query, but I'll only comment here.

[rhysyngsun]

This (through line 830, github is not doing the diff well) could just be simplified down to use update_or_create and perform 1 less query per org unless the log statement is important:

Suggested change

	new_membership, created = UserOrganization.objects.get_or_create(
	user=user,
	organization=add_org,
	defaults={"keep_until_seen": False},
	)
	contracts_to_remove = user_contracts_qs.filter(organization__in=no_orgs).all()
	if not created and new_membership.keep_until_seen:
	new_membership.keep_until_seen = False
	new_membership.save()
	log.info(
	"reconcile_user_orgs: cleared keep_until_seen for user %s org %s",
	user.id,
	add_org,
	)
	new_membership, _ = UserOrganization.objects.update_or_create(
	user=user,
	organization=add_org,
	defaults={"keep_until_seen": False},
	)

[rhysyngsun]

Unnecessary write to the user

[rhysyngsun]

I feel that this model should live in the b2b app since it is specific to that.

[rhysyngsun]

With the exception of logo, these could all be regular typed fields w/ source= specified, e.g. id = serializers.IntegerField(source="organization.id").

[rhysyngsun]

This should probably not be an actually resolvable hostname to guarantee that we catch when a request is made that hasn't been mocked.

[rhysyngsun]

These methods don't access cls or self so to follow the pattern we typically use these should live in b2b/api.py instead

[jkachel]

Last few commits also fix an unrelated N+1 error that was popping up in the test runs.

[jkachel]

Requesting re-review on this - I have reworked how the ManyToMany relationship works per request and the tests seem to pass. They don't appear to be running here, though, but as of this comment GH status says webhook performance is degraded, so... maybe eventually they will. Tests pass locally though.

[rhysyngsun]

LGTM