fix: check if OIDC is activated before deleting users (#1029)

* fix: check if OIDC is activated before deleting users

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

* chore: bump versions

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

* chore: bump chart version

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

* chore: unbump chart version

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

* chore: bump chart version

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

---------

Signed-off-by: Guilhem Barthés <guilhem.barthes@owkin.com>

Author: guilhem-barthes

CHANGELOG.md

@@ -6,7 +6,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 <!-- towncrier release notes start -->
-
 ## [1.0.0](https://github.com/Substra/substra-backend/releases/tag/1.0.0) - 2024-10-14
 
 ### Added

backend/users/management/commands/sync_users.py

@@ -1,9 +1,12 @@
+import os
+
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.password_validation import validate_password
 from django.core.exceptions import ValidationError
 from django.db import models
 
+from backend.settings.deps.utils import to_bool
 from organization.management.commands.base_sync import BaseSyncCommand
 from organization.management.commands.base_sync import Element
 from users.models import UserChannel
@@ -52,6 +55,9 @@ def update_password(self, element: UserElement) -> models.Model:
         return user
 
     def delete(self, discarded_keys: set[str]) -> None:
-        # Prevent the deletion of virtual users
-        discarded_keys.difference_update(settings.VIRTUAL_USERNAMES.values())
-        super().delete(discarded_keys)
+        if to_bool(os.environ.get("OIDC_ENABLED", "false")):
+            self.stdout.write("Not deleting users that are not in the file to avoid removing OIDC users.")
+        else:
+            # Prevent the deletion of virtual users
+            discarded_keys.difference_update(settings.VIRTUAL_USERNAMES.values())
+            super().delete(discarded_keys)

changes/1029.fixed

@@ -0,0 +1 @@
+User migration check OIDC activation before removing users

charts/substra-backend/CHANGELOG.md

@@ -1,6 +1,10 @@
 # Changelog
 
 <!-- towncrier release notes start -->
+## [26.15.2] - 2025-02-17
+
+Inject OIDC config in migration job & bump app version to 1.0.1
+
 ## [26.15.1] - 2025-01-06
 
 Fix missing role on builder pod

charts/substra-backend/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: substra-backend
 home: https://github.com/Substra
-version: 26.15.1
+version: 26.15.2
 appVersion: 1.0.0
 kubeVersion: '>= 1.19.0-0'
 description: Main package for Substra

charts/substra-backend/templates/job-migrations.yaml

@@ -61,6 +61,8 @@ spec:
               name: {{ include "substra.fullname" . }}-orchestrator
           - configMapRef:
               name: {{ include "substra.fullname" . }}-database
+          - configMapRef:
+              name: {{ include "substra.fullname" . }}-oidc
           - secretRef:
               name: {{ include "substra-backend.database.secret-name" . }}
         env: