PermsSyncer: report exact state of each provider in each job

[bobheadxi]

Right now there are three ways to try and determine if an authz/authorization provider is happy, each with caveats:

• through metrics and logs exported by each individual provider implementation. This is very inconsistent, up to each implementation, and difficult to programmatically assess
• through PermsSyncer job results, which only reports the overall state of a sync job run in a single error. It sometimes doesn't report any error from the provider at all, swallowing the provider's error with special handling
• through PermsSyncer metrics and logs. This gets us ~almost there, but is difficult to programmatically assess, requires infrastructure access, and requires knowledge of how PermsSyncer is implemented.

This makes assessing the health of authz difficult when:

• attempting to validate a particular authz provider is behaving correctly - e.g. when restoring from a backup, we want to be able to select a particular provider to ensure permissions sync jobs are correctly involving the provider and succeeding
• hypothetically, when multiple authz providers are configured

This change propagates the "real" state of each individual provider from the various runSync implementations, so that we can see the state of each provider involved in a permissions sync job. As a simple proof-of-concept, I've added a log field that lists the providers that failed when a job fails, and added some assertions to a few tests to demonstrate what the output looks like.

On top of this, we can then implement a cache that tracks recent permission sync job outcomes: #44258, which can then open the door to allowing us to render these results via the GraphQL API, similarly to the external service sync status API.

Part of https://github.com/sourcegraph/customer/issues/1534
Stacked on https://github.com/sourcegraph/sourcegraph/pull/44251

Test plan

Updated unit and integration tests pass

[bobheadxi]

Current dependencies on/for this PR:

• main
  • PR PermsSyncer: refactor fetchUserPermsViaExternalAccounts results #44251
    • PR PermsSyncer: report exact state of each provider in each job #44257 👈
      • PR PermsSyncer: track recent job states in redis #44258
        • PR graphqlbackend: add permissionsSyncJobs query #44387

This comment was auto-generated by Graphite.

[unknwon]

The approach does seem to make sense to me, will do a thorough review once marked as ready 👍

[kopancek]

I don't see any write to providerStates in this method. Do you plan to add it?

[bobheadxi]

There are several writes, e.g. on line 843:

			providerStates = append(providerStates, providerState{

[kopancek]

Should we add a log.Debug statement that would give us the provider states even if there is no error? E.g. something like "All providers succeeded"?

[bobheadxi]

Added!

[sourcegraph-bot]

Codenotify: Notifying subscribers in CODENOTIFY files for diff 9322c58...e09ee8e.

Notify	File(s)
@indradhanush	enterprise/cmd/repo-updater/internal/authz/integration_test.go enterprise/cmd/repo-updater/internal/authz/perms_syncer.go enterprise/cmd/repo-updater/internal/authz/perms_syncer_test.go enterprise/cmd/repo-updater/internal/authz/provider_state.go
@unknwon	enterprise/cmd/repo-updater/internal/authz/integration_test.go enterprise/cmd/repo-updater/internal/authz/perms_syncer.go enterprise/cmd/repo-updater/internal/authz/perms_syncer_test.go enterprise/cmd/repo-updater/internal/authz/provider_state.go

[unknwon]

I think we should just declare a const type ProviderState, and use the type everywhere ProviderStateError/ProviderStateSuccess

[bobheadxi]

We would need one for the job state as well, which feels a bit duplicative, and I'm not sure if there's a naming that would make this suitable for both 🤔

[bobheadxi]

I will leave this out for now: setting and checking are both internal implementation details, there are no consumers of this yet. Can revisit in a follow-up if the need arises!