chore: Run ABAC LDAP sync on license/setting changes

[KevLehman]

Proposed changes (including videos or screenshots)

Issue(s)

https://rocketchat.atlassian.net/browse/ABAC-36

Steps to test or reproduce

Further comments

Summary by CodeRabbit

Release Notes

• Refactor
  • Improved ABAC feature lifecycle management with proper initialization and shutdown mechanisms.
  • Enhanced LDAP user attribute synchronization for ABAC when enabled, with better integration between systems.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: aaebfd8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The changes implement a lifecycle-managed ABAC feature activation system, replacing the previous License.onLicense approach with License.onToggledFeature. This adds up/down handlers for initialization and cleanup, where enablement sets up ABAC hooks and watchers that trigger LDAP user attribute synchronization, while disablement performs graceful cleanup. A settings signature is also updated to return a Promise.

Changes

Cohort / File(s)	Summary
ABAC Feature Lifecycle apps/meteor/ee/server/configuration/abac.ts	Replaces License.onLicense flow with License.onToggledFeature to manage ABAC feature toggles. Adds up handler initializing settings, permissions, and ABAC hooks, plus a watcher on ABAC_Enabled that triggers LDAP user attribute sync. Adds down handler to stop the watcher. Introduces imports for Users, settings, and LDAPEE modules.
LDAP Synchronization apps/meteor/ee/server/lib/ldap/Manager.ts	Adds a debug log entry ("Starting ABAC attributes sync for LDAP users") before iterating over users in ABAC attribute synchronization.
Settings Configuration apps/meteor/ee/server/settings/abac.ts	Updates addSettings() function signature to return Promise<void> instead of void, and adds a return statement for the settingsRegistry.addGroup() call, converting from fire-and-forget to promise-based flow.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant License
    participant Config as ABAC Config
    participant Settings as Settings Registry
    participant Watcher
    participant LDAPEE
    participant Manager as LDAP Manager

    License->>Config: onToggledFeature (up)
    Config->>Settings: initialize & loadSettings
    Config->>Config: loadABACHooks()
    Config->>Watcher: watch ABAC_Enabled
    
    Note over License,Manager: ABAC becomes enabled
    Watcher->>LDAPEE: syncAbacAttributes(users)
    LDAPEE->>Manager: perform sync
    Manager->>Manager: log "Starting ABAC attributes sync..."
    Manager->>Manager: iterate & update users
    
    Note over License,Manager: ABAC becomes disabled
    License->>Config: onToggledFeature (down)
    Config->>Watcher: stopWatcher()

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• apps/meteor/ee/server/configuration/abac.ts: Review the lifecycle handlers carefully, ensuring the watcher is properly initialized and cleaned up without memory leaks; validate that the LDAP sync trigger conditions are correct and avoid duplicate executions.
• apps/meteor/ee/server/settings/abac.ts: Verify that callers of addSettings() properly await the returned Promise or handle it correctly in the initialization chain.
• Integration points: Confirm that the new License.onToggledFeature flow correctly replaces the old License.onLicense behavior and that LDAP sync is invoked at the right lifecycle moments.

Possibly related PRs

• feat: ABAC Attributes LDAP integration #37379: Implements LDAPEEManager.syncAbacAttributes() and related LDAP sync logic that directly complements the sync trigger added in this PR.
• feat: New setting for showing ABAC attributes in rooms #37465: Modifies the same apps/meteor/ee/server/settings/abac.ts file with ABAC settings additions that may interact with the Promise return type change.
• feat: Prevent LDAP sync from adding users to abac rooms/teams #37299: Updates apps/meteor/ee/server/lib/ldap/Manager.ts for related LDAP sync logic and ABAC-protected room/team handling.

Suggested reviewers

• tassoevan
• MartinSchoeler

Poem

🐰 When ABAC wakes from slumber deep,
Our watcher guards, no bugs to reap,
LDAP syncs with graceful flow,
Settings promise, watch it grow! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main objective of the PR: triggering ABAC LDAP sync when licenses or settings change, which matches the changeset.
Linked Issues check	✅ Passed	The PR implements lifecycle management for ABAC feature toggling with automatic LDAP attribute sync triggers on license/setting changes, addressing all acceptance criteria from ABAC-36.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing ABAC LDAP sync on license/setting changes; no out-of-scope modifications detected in the three modified files.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/sync-on-event

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

📦 Docker Image Size Report

📈 Changes

Service	Current	Baseline	Change	Percent
sum of all images	1.2GiB	1.2GiB	+12MiB
rocketchat	367MiB	355MiB	+12MiB
omnichannel-transcript-service	141MiB	141MiB	+4.0KiB
queue-worker-service	141MiB	141MiB	+3.1KiB
ddp-streamer-service	127MiB	127MiB	+725B
account-service	114MiB	114MiB	-84B
authorization-service	111MiB	111MiB	+49KiB
stream-hub-service	111MiB	111MiB	+81B
presence-service	111MiB	111MiB	-1.4KiB

📊 Historical Trend

---
config:
  theme: "dark"
  xyChart:
    width: 900
    height: 400
---
xychart
  title "Image Size Evolution by Service (Last 30 Days + This PR)"
  x-axis ["11/15 22:28", "11/16 01:28", "11/17 23:50", "11/18 22:53", "11/19 23:02", "11/20 21:27 (PR)"]
  y-axis "Size (GB)" 0 --> 0.5
  line "account-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "authorization-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "ddp-streamer-service" [0.12, 0.12, 0.12, 0.12, 0.12, 0.12]
  line "omnichannel-transcript-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.14]
  line "presence-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11]
  line "queue-worker-service" [0.14, 0.14, 0.14, 0.14, 0.14, 0.14]
  line "rocketchat" [0.36, 0.36, 0.35, 0.35, 0.35, 0.36]
  line "stream-hub-service" [0.11, 0.11, 0.11, 0.11, 0.11, 0.11]

Loading

Statistics (last 5 days):

• 📊 Average: 1.4GiB
• ⬇️ Minimum: 1.2GiB
• ⬆️ Maximum: 1.6GiB
• 🎯 Current PR: 1.2GiB

ℹ️ About this report

This report compares Docker image sizes from this build against the develop baseline.

• Tag: pr-37562
• Baseline: develop
• Timestamp: 2025-11-20 21:27:23 UTC
• Historical data points: 5

---

Updated: Thu, 20 Nov 2025 21:27:24 GMT

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 26cc66a and aaebfd8.

📒 Files selected for processing (3)

• apps/meteor/ee/server/configuration/abac.ts (1 hunks)
• apps/meteor/ee/server/lib/ldap/Manager.ts (1 hunks)
• apps/meteor/ee/server/settings/abac.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (4)

📚 Learning: 2025-11-07T14:50:33.544Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37423
File: packages/i18n/src/locales/en.i18n.json:18-18
Timestamp: 2025-11-07T14:50:33.544Z
Learning: Rocket.Chat settings: in apps/meteor/ee/server/settings/abac.ts, the Abac_Cache_Decision_Time_Seconds setting uses invalidValue: 0 as the fallback when ABAC is unlicensed. With a valid license, admins can still set the value to 0 to intentionally disable the ABAC decision cache.

Applied to files:

• apps/meteor/ee/server/configuration/abac.ts
• apps/meteor/ee/server/settings/abac.ts

📚 Learning: 2025-10-27T14:38:46.994Z

Learnt from: KevLehman
Repo: RocketChat/Rocket.Chat PR: 37303
File: apps/meteor/tests/end-to-end/api/abac.ts:1125-1137
Timestamp: 2025-10-27T14:38:46.994Z
Learning: In Rocket.Chat ABAC feature, when ABAC is disabled globally (ABAC_Enabled setting is false), room-level ABAC attributes are not evaluated when changing room types. This means converting a private room to public will succeed even if the room has ABAC attributes, as long as the global ABAC setting is disabled.

Applied to files:

• apps/meteor/ee/server/configuration/abac.ts

📚 Learning: 2025-11-05T20:53:57.761Z

Learnt from: sampaiodiego
Repo: RocketChat/Rocket.Chat PR: 37357
File: apps/meteor/ee/server/startup/federation.ts:39-74
Timestamp: 2025-11-05T20:53:57.761Z
Learning: In Rocket.Chat (apps/meteor/app/settings/server/CachedSettings.ts), the settings.watchMultiple() method immediately invokes its callback with current values if all requested settings exist in the store, then continues watching for subsequent changes. It does not wait for a setting to change before the first invocation.

Applied to files:

• apps/meteor/ee/server/configuration/abac.ts

📚 Learning: 2025-11-05T21:04:35.787Z

Learnt from: sampaiodiego
Repo: RocketChat/Rocket.Chat PR: 37357
File: ee/packages/federation-matrix/src/setup.ts:103-120
Timestamp: 2025-11-05T21:04:35.787Z
Learning: In Rocket.Chat's federation-matrix setup (ee/packages/federation-matrix/src/setup.ts and apps/meteor/ee/server/startup/federation.ts), configureFederationMatrixSettings does not need to be called before setupFederationMatrix. The SDK's init() establishes infrastructure (database, event handlers, APIs) first, and the configuration can be applied later via settings watchers before actual federation events are processed. The config only matters when events actually occur, at which point all infrastructure is already configured.

Applied to files:

• apps/meteor/ee/server/configuration/abac.ts

🧬 Code graph analysis (1)

apps/meteor/ee/server/configuration/abac.ts (3)

packages/core-services/src/index.ts (1)

• License (164-164)

apps/meteor/ee/server/settings/abac.ts (1)

• addSettings (3-35)

apps/meteor/ee/server/lib/abac/index.ts (1)

• createPermissions (3-9)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (18)

• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.2 [legacy watchers] coverage (3/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.2 [legacy watchers] coverage (5/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (3/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.2 [legacy watchers] coverage (4/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.2 [legacy watchers] coverage (2/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 8.2 [legacy watchers] coverage (1/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (4/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (5/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (1/5)
• GitHub Check: 🔨 Test UI (EE) / MongoDB 5.0 (2/5)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.2 (4/4)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.2 (3/4)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.2 (1/4)
• GitHub Check: 🔨 Test API (CE) / MongoDB 8.2 (1/1)
• GitHub Check: 🔨 Test UI (CE) / MongoDB 8.2 (2/4)
• GitHub Check: 🔨 Test API (EE) / MongoDB 5.0 (1/1)
• GitHub Check: 🔨 Test Federation Matrix
• GitHub Check: 🔨 Test API (EE) / MongoDB 8.2 coverage (1/1)

🔇 Additional comments (4)

apps/meteor/ee/server/lib/ldap/Manager.ts (1)

141-141: LGTM: Helpful observability addition.

The debug log clearly indicates when ABAC attribute synchronization begins for LDAP users, improving troubleshooting and monitoring capabilities.

apps/meteor/ee/server/configuration/abac.ts (2)

7-29: Good architectural improvement with lifecycle management.

The migration from License.onLicense to License.onToggledFeature with explicit up/down handlers provides better lifecycle control. The cleanup via stopWatcher?.() ensures the setting watcher is properly removed when the feature is disabled.

---

19-23: Async callback behavior is acceptable; no deduplication mechanism needed based on code inspection.

Analysis of settings.watch() reveals the callback is not awaited when invoked (line 220 of CachedSettings.ts), but LDAPEE.syncUsersAbacAttributes() has robust internal error handling with try-catch logging. The callback will fire immediately if ABAC_Enabled is already true when the watcher is registered, which is expected behavior from this watch implementation.

No internal deduplication mechanism exists in syncUsersAbacAttributes, but the sync operation is safe to invoke multiple times—it simply updates user attributes. Concurrent invocations are unlikely given the synchronous watch registration timing within the feature lifecycle.

apps/meteor/ee/server/settings/abac.ts (1)

3-4: LGTM: Proper async signature for lifecycle management.

Changing the signature to return Promise<void> and explicitly returning the result of settingsRegistry.addGroup() allows callers to properly await initialization. This aligns well with the new lifecycle approach in apps/meteor/ee/server/configuration/abac.ts (line 14).

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (feat/abac@26cc66a). Learn more about missing BASE report.

Additional details and impacted files

@@             Coverage Diff              @@
##             feat/abac   #37562   +/-   ##
============================================
  Coverage             ?   54.25%           
============================================
  Files                ?     2659           
  Lines                ?    49968           
  Branches             ?    11125           
============================================
  Hits                 ?    27109           
  Misses               ?    20727           
  Partials             ?     2132           

Flag	Coverage Δ
e2e	57.39% <ø> (?)
e2e-api	42.87% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.