SCIM: Add "is SCIM controlled" flag to site user, and "SCIM" badge on UI

[vdavid]

• This PR partially tackles https://github.com/sourcegraph/sourcegraph/issues/48427

Adds a "SCIMControlled" flag to SiteUser, and fetches that via GraphQL, then displays a small "SCIM" badge if the user is SCIM-enabled. It looks like this:

(To the design reviewer: check out the blue "SCIM" badges next to some users. It's new. It indicates that the user is created/modified through SCIM, from an external system. My question is whether this looks good or I should indicate this differently.)

And with the tooltip over the new badge:

This is a small PR because I want to get early feedback to make sure no one in IAM has problems with extending SiteUser for this purpose.
Note: I may want to add the same field to User later today, depending on UI requirements. Feedback is welcome on that thought as well! (I don't know if it's too dirty to mention "SCIM" in our general User model to the extent of an added boolean. It'd make things very easy, though!)

Test plan

• Tested that the badges appear for the right users. They do.
• Needs design review, so notifying design

[vdavid]

This is for live users

[vdavid]

This is for deleted users

[vdavid]

It cannot be >1 (a unique index below prevents that), but using >= rather than = here adds an extra layer of security in case we add multiple SCIM accounts later.

[vdavid]

We had no index on user_id and service_type, so this could be slow. I've added an index—see below.

[sg-e2e-regression-test-bob]

Bundle size report 📦

Initial size	Total size	Async size	Modules
0.00% (0.00 kb)	0.00% (+0.47 kb)	0.00% (+0.47 kb)	0.00% (0)

Look at the Statoscope report for a full comparison between the commits 7ec15a5 and eccbef8 or learn more.

Open explanation

• Initial size is the size of the initial bundle (the one that is loaded when you open the page)
• Total size is the size of the initial bundle + all the async loaded chunks
• Async size is the size of all the async loaded chunks
• Modules is the number of modules in the initial bundle

[vdavid]

We need this to ensure performance, but it has the additional benefit of making SCIM accounts unique.

[efritz]

Oh lol I think it requires ON to be on the same line. If you'd like to fix up the regex (read.go L232) so that it accepts newlines as the space charset you should be able to pass the migration as-is (unless I'm completely off base).

[vdavid]

I think \s matches the newline in the Go implementation of regexp (I'm pretty sure it usually matches newlines), so it should work, but I'll try.

[efritz]

You can slam a newline in one of the test cases and see if it still passes - if not you have the first 1/3d of TDD done!

[chwarwick]

I like the SCIMControlled naming you used in the PR description a little better, but thats about as minor as it gets.

[vdavid]

I've changed the naming to "controlled" everywhere, thanks!

[chwarwick]

nit/question - Is it expected that users will know what SCIM means? I hadn't heard of it until recently. Not what would be a better replacement that is short enough to not take over that space.

[vdavid]

Good point! Added a link to explain it. Thanks!

[kopancek]

I'm approving to unblock.

But I'm not completely sure adding a one-off for SCIM is the best way to go. Maybe we can instead show a column for externalAccounts in the users list? 🤔

[chwarwick]

But I'm not completely sure adding a one-off for SCIM is the best way to go. Maybe we can instead show a column for externalAccounts in the users list? 🤔

I was thinking in a similar way about it being tied to SCIM, but generally I think we can say it will always be True/False if the user account is controlled by some external system (in this case scim) and that is an indication of what can or can't be done with the sg ui.

[rrhyne]

Sorry I'm late to this @vdavid. There are some issues with the design:

• By placing the badge first, we are harming the scan ability of the list.
• By using a colored badge, we are bringing outsized importance to the item

Can we move the badge to the end of the name, right aligned to the table row and use the secondary or info badge instead?

[vdavid]

Absolutely, @rrhyne, will do, and ping you with a screenshot.

[danielmarquespt]

Ideally this should be a collumn, but the layout is too narrow for that. I also agree that the badge works after the name

[rrhyne]

Agree with @danielmarquespt but didn't want to make that change last minute. @vdavid DM me when complete!!!

[vdavid]

It's complete, see https://github.com/sourcegraph/sourcegraph/pull/49114