feat: update users on SAML setup and destroy [CW-2958][CW-5612] (#12346)

spec/enterprise/builders/saml_user_builder_spec.rb

@@ -109,6 +109,56 @@ RSpec.describe SamlUserBuilder do
 
         expect { builder.perform }.not_to change(AccountUser, :count)
       end
+
+      context 'when user is not confirmed' do
+        let(:unconfirmed_email) { 'unconfirmed_saml_user@example.com' }
+        let(:unconfirmed_auth_hash) do
+          {
+            'provider' => 'saml',
+            'uid' => 'saml-uid-123',
+            'info' => {
+              'email' => unconfirmed_email,
+              'name' => 'SAML User',
+              'first_name' => 'SAML',
+              'last_name' => 'User'
+            },
+            'extra' => {
+              'raw_info' => {
+                'groups' => %w[Administrators Users]
+              }
+            }
+          }
+        end
+        let(:unconfirmed_builder) { described_class.new(unconfirmed_auth_hash, account.id) }
+        let!(:existing_user) do
+          user = build(:user, email: unconfirmed_email)
+          user.confirmed_at = nil
+          user.save!(validate: false)
+          user
+        end
+
+        it 'confirms unconfirmed user after SAML authentication' do
+          expect(existing_user.confirmed?).to be false
+
+          unconfirmed_builder.perform
+
+          expect(existing_user.reload.confirmed?).to be true
+        end
+      end
+
+      context 'when user is already confirmed' do
+        let!(:existing_user) { create(:user, email: email, confirmed_at: Time.current) }
+
+        it 'keeps already confirmed user confirmed' do
+          expect(existing_user.confirmed?).to be true
+          original_confirmed_at = existing_user.confirmed_at
+
+          builder.perform
+
+          expect(existing_user.reload.confirmed?).to be true
+          expect(existing_user.reload.confirmed_at).to be_within(2.seconds).of(original_confirmed_at)
+        end
+      end
     end
 
     context 'with role mappings' do

spec/enterprise/jobs/saml/update_account_users_provider_job_spec.rb

@@ -0,0 +1,65 @@
+require 'rails_helper'
+
+RSpec.describe Saml::UpdateAccountUsersProviderJob, type: :job do
+  let(:account) { create(:account) }
+  let!(:user1) { create(:user, accounts: [account], provider: 'email') }
+  let!(:user2) { create(:user, accounts: [account], provider: 'email') }
+  let!(:user3) { create(:user, accounts: [account], provider: 'google') }
+
+  describe '#perform' do
+    context 'when setting provider to saml' do
+      it 'updates all account users to saml provider' do
+        described_class.new.perform(account.id, 'saml')
+
+        expect(user1.reload.provider).to eq('saml')
+        expect(user2.reload.provider).to eq('saml')
+        expect(user3.reload.provider).to eq('saml')
+      end
+    end
+
+    context 'when resetting provider to email' do
+      before do
+        # rubocop:disable Rails/SkipsModelValidations
+        user1.update_column(:provider, 'saml')
+        user2.update_column(:provider, 'saml')
+        user3.update_column(:provider, 'saml')
+        # rubocop:enable Rails/SkipsModelValidations
+      end
+
+      context 'when users have no other SAML accounts' do
+        it 'updates all account users to email provider' do
+          described_class.new.perform(account.id, 'email')
+
+          expect(user1.reload.provider).to eq('email')
+          expect(user2.reload.provider).to eq('email')
+          expect(user3.reload.provider).to eq('email')
+        end
+      end
+
+      context 'when users belong to other accounts with SAML enabled' do
+        let(:other_account) { create(:account) }
+
+        before do
+          create(:account_saml_settings, account: other_account)
+          user1.account_users.create!(account: other_account, role: :agent)
+        end
+
+        it 'preserves SAML provider for users with other SAML accounts' do
+          described_class.new.perform(account.id, 'email')
+
+          expect(user1.reload.provider).to eq('saml')
+          expect(user2.reload.provider).to eq('email')
+          expect(user3.reload.provider).to eq('email')
+        end
+      end
+    end
+
+    context 'when account does not exist' do
+      it 'raises ActiveRecord::RecordNotFound' do
+        expect do
+          described_class.new.perform(999_999, 'saml')
+        end.to raise_error(ActiveRecord::RecordNotFound)
+      end
+    end
+  end
+end

spec/enterprise/models/account_saml_settings_spec.rb

@@ -114,4 +114,21 @@ RSpec.describe AccountSamlSettings, type: :model do
       expect(fingerprint.count(':')).to eq(19) # 20 bytes = 19 colons
     end
   end
+
+  describe 'callbacks' do
+    describe 'after_create_commit' do
+      it 'queues job to set account users to saml provider' do
+        expect(Saml::UpdateAccountUsersProviderJob).to receive(:perform_later).with(account.id, 'saml')
+        create(:account_saml_settings, account: account)
+      end
+    end
+
+    describe 'after_destroy_commit' do
+      it 'queues job to reset account users provider' do
+        settings = create(:account_saml_settings, account: account)
+        expect(Saml::UpdateAccountUsersProviderJob).to receive(:perform_later).with(account.id, 'email')
+        settings.destroy
+      end
+    end
+  end
 end