Sourcegraph Accounts Management System (SAMS) is the single source of truth (aka. IdP) for Sourcegraph-operated services that require a Sourcegraph user account or machine-to-machine authentication and authorization, including but not limited to Sourcegraph.com, Cody PLG, Cody Analytics, Cody Gateway, Telemetry Gateway and Enterprise Portal.

The SAMS notifications distribution system aims to provide an automated, reliable, and unified mechanism to propagate SAMS (user) notifications to all downstream systems, so they can react accordingly based on their own interpretation.

System characteristics

The most important goal of the distribution system is to make it hard to miss a notification given the legal requirements of certain notification types (e.g. user deletion).

The system is built upon GCP Pub/Sub with following characteristics:

1. Pull subscription as the preferred mechanism, supported out-of-the-box by ‣.
2. Exactly-once delivery without message ordering.
3. Acknowledgement deadline is 10 minutes.
4. Message retention duration is 7 days.
   1. Keep the unprocessed notifications as long as possible in the event of system failure.

Security measures

1. Notification message authenticity
   1. Pub/Sub encrypts messages with Google-managed keys by default (source.
2. Precaution by double-checking the truth
   1. For all notifications, the subscriber MUST always double-check with SAMS using Clients API about the current “truth” (e.g. whether the user still associates with the given session ID or not, whether the user is actually created/deleted, etc.).
   2. SAMS will try to publish the notification in a way that is only enough for the subscriber to make the double-check requests, but not enough for taking the information and running with it.

Diagram

The diagram below illustrates the data flow of a user deletion notification (excalidraw):

In this diagram:

• Sourcegraph.com and SSC/Cody PLG would subscribe to user deletion notifications and delete the corresponding user from the system.
  • Some additional checks can be made for SSC/Cody PLG, e.g. checking whether the user is Cody Pro, if so, programmatically cancel the Cody Pro subscription.
• Support, Data Analytics and future systems would implement their own “operator” and subscribe to user deletion notifications, then react accordingly.

Integrate to MSP service

To integrate with a service running on the Sourcegraph Managed Services Platform (MSP):