fix(identity): add API fallback for user search with cache bypass option (#1844)

Author: andypf

app/controllers/cache_controller.rb

@@ -227,55 +227,137 @@ def domain_projects
   end
 
   def users
-    items =
-      ObjectCache.find_objects(
+    # Skip cache for user lookups to prevent reassigning roles to outdated/deleted users.
+    # The ObjectCache may contain stale user records for users that have been deleted
+    # or deactivated in the identity service. By fetching directly from the API, we ensure
+    # only currently active and valid users can be found and assigned roles.
+    skip_cache = !!params[:nocache]
+    term = params[:term]
+    domain_id = params[:domain]
+
+    
+    # Try cache first unless skip_cache is true
+    items = unless skip_cache
+      cached_users = ObjectCache.find_objects(
         type: 'user',
-        term: params[:name] || params[:term] || '',
+        term: params[:name] || term || '',
         include_scope: false,
         paginate: false
       ) do |scope|
-        scope.where(domain_id: params[:domain]).order(:name)
+        scope.where(domain_id: domain_id).order(:name)
       end
-    
-    unless items.nil? || items.empty?
-      items = items.to_a.map do |u|
-        {
-          id: u.payload['description'],
-          name: u.name,
-          key: u.name,
-          uid: u.id,
-          full_name: u.payload['description'],
-          email: u.payload['email']
-        }
-      end
-    else   
-      # search live against API and then retry
-      filter = {domain_id: params[:domain]}
-      if params[:term]
-        filter[:name__contains] = params[:term]
+      
+      # Map cached results if found
+      if cached_users.present?
+        cached_users.to_a.map do |u|
+          {
+            id: u.payload['description'],
+            name: u.name,
+            key: u.name,
+            uid: u.id,
+            full_name: u.payload['description'],
+            email: u.payload['email']
+          }
+        end
       end
-      items = service_user.identity.users(filter, format: :raw)
-
-      if params[:term]
-        # find by id, for the case the term is an id instead of name
-        user = service_user.identity.find_user(params[:term], format: :raw)
-        items << user if user
+    end
+    
+    # If cache didn't return results, fetch from API
+    if items.blank?
+      # Try by ID first if term is provided
+      if term.present?
+        user = service_user.identity.find_user(term, format: :raw)
+        if user
+          items = [format_user(user)]
+          render json: items
+          return
+        end
       end
-
-      items = items.map do |u|
-        {
-          id: u['description'],
-          name: u['name'],
-          key: u['name'],
-          uid: u['id'],
-          full_name: u['description'],
-          email: u['email']
-        }
+      
+      # Build filter for users query
+      filter = { domain_id: domain_id }
+      
+      # If term provided, search by both name and description
+      all_users = if term.present?
+        # Get users matching name
+        items_by_name = service_user.identity.users(
+          filter.merge(name__contains: term),
+          format: :raw
+        )
+        
+        # Get users matching description
+        items_by_description = service_user.identity.users(
+          filter.merge(description__contains: term),
+          format: :raw
+        )
+        
+        # Combine and deduplicate by id
+        (items_by_name + items_by_description).uniq { |u| u['id'] }
+      else
+        # Get all users in domain
+        service_user.identity.users(filter, format: :raw)
       end
-    end  
+      
+      # Format results
+      items = all_users.map { |u| format_user(u) }
+    end
+    
     render json: items
   end
 
+
+
+
+  # def users
+  #   items =
+  #     ObjectCache.find_objects(
+  #       type: 'user',
+  #       term: params[:name] || params[:term] || '',
+  #       include_scope: false,
+  #       paginate: false
+  #     ) do |scope|
+  #       scope.where(domain_id: params[:domain]).order(:name)
+  #     end
+    
+  #   unless items.nil? || items.empty?
+  #     items = items.to_a.map do |u|
+  #       {
+  #         id: u.payload['description'],
+  #         name: u.name,
+  #         key: u.name,
+  #         uid: u.id,
+  #         full_name: u.payload['description'],
+  #         email: u.payload['email']
+  #       }
+  #     end
+  #   else   
+  #     # search live against API and then retry
+  #     filter = {domain_id: params[:domain]}
+  #     if params[:term]
+  #       filter[:name__contains] = params[:term]
+  #     end
+  #     items = service_user.identity.users(filter, format: :raw)
+
+  #     if params[:term]
+  #       # find by id, for the case the term is an id instead of name
+  #       user = service_user.identity.find_user(params[:term], format: :raw)
+  #       items << user if user
+  #     end
+
+  #     items = items.map do |u|
+  #       {
+  #         id: u['description'],
+  #         name: u['name'],
+  #         key: u['name'],
+  #         uid: u['id'],
+  #         full_name: u['description'],
+  #         email: u['email']
+  #       }
+  #     end
+  #   end  
+  #   render json: items
+  # end
+
   def groups
     items =
       ObjectCache.find_objects(
@@ -420,4 +502,17 @@ def where_current_token_scope(scope, enforce_scope = @enforce_scope)
       scope.where('domain_id IS NULL OR project_id IS NULL')
     end
   end
+
+  private 
+
+  def format_user(user)
+    {
+      id: user['description'],
+      name: user['name'],
+      key: user['name'],
+      uid: user['id'],
+      full_name: user['description'],
+      email: user['email']
+    }
+  end
 end

app/javascript/lib/components/autocomplete_field.jsx

@@ -37,12 +37,18 @@ export class AutocompleteField extends React.Component {
   // the identity to search for groups or users (ONLY FOR groups or users)
   handleSearch = (searchTerm) => {
     let path
+    let skipCache = false
     switch (this.props.type) {
       case "projects":
         path = "projects"
         break
       case "users":
         path = "users"
+        // Always bypass cache for user lookups (nocache=true).
+        // This prevents outdated or deleted users from appearing in search results
+        // and being reassigned to roles/projects. Only active users from the
+        // Identity API should be selectable.
+        skipCache = true
         break
       case "groups":
         path = "groups"
@@ -51,6 +57,7 @@ export class AutocompleteField extends React.Component {
 
     const params = { term: searchTerm }
     if (this.props.domainId) params["domain"] = this.props.domainId
+    if (skipCache) params["nocache"] = "true"
 
     this.setState({ isLoading: true, options: [] })
     ajaxHelper

config/environments/development.rb

@@ -1,16 +1,6 @@
 require "active_support/core_ext/integer/time"
 
 Rails.application.configure do
-
-  # Disable asset digests in development
-  config.assets.digest = false
-
-  # Don't compile assets on every request
-  config.assets.compile = true  # This should already be default
-
-  # Prevent asset recompilation
-  config.assets.check_precompiled_asset = false
-
   # Settings specified here will take precedence over those in config/application.rb.
 
   # In the development environment your application's code is reloaded any time

plugins/identity/app/javascript/widgets/role_assignments/components/application.jsx

@@ -7,32 +7,17 @@ import React from "react"
 const RoleAssignments = ({ activeTab, projectId, domainId }) => {
   // update browser address bar
   const handleSelect = useCallback((tab) => {
-    const newHref = window.location.href.replace(
-      /^(.*active_tab=)(.*)$/,
-      "$1" + tab
-    )
+    const newHref = window.location.href.replace(/^(.*active_tab=)(.*)$/, "$1" + tab)
     window.history.replaceState({}, "Tab " + tab, newHref)
   })
 
   return (
-    <Tabs
-      defaultActiveKey={activeTab || "userRoles"}
-      id="item_payload"
-      onSelect={handleSelect}
-    >
+    <Tabs defaultActiveKey={activeTab || "userRoles"} id="item_payload" onSelect={handleSelect}>
       <Tab eventKey="userRoles" title="User Role Assignments">
-        <ProjectRoleAssignments
-          projectId={projectId}
-          projectDomainId={domainId}
-          type="user"
-        />
+        <ProjectRoleAssignments projectId={projectId} projectDomainId={domainId} type="user" />
       </Tab>
       <Tab eventKey="groupRoles" title="Group Role Assignments">
-        <ProjectRoleAssignments
-          projectId={projectId}
-          projectDomainId={domainId}
-          type="group"
-        />
+        <ProjectRoleAssignments projectId={projectId} projectDomainId={domainId} type="group" />
       </Tab>
       <Tab eventKey="roleInfos" title="Role Infos">
         <RoleInfos />