[keyserver] Migration to recalculate all permissions
Summary:
In order to update the permissions to fix ENG-8953, it's necessary to recalculate all of them.
We normally try to sync changes like this with client migrations to avoid introducing inconsistencies. However, in this case it's too hard for the keyserver to be able to respond differently to old clients versus new changes. Because the permissions changes here affect propagation from parent to child, the keyserver would either need to maintain two sets of permissions in MariaDB, or else to calculate the permissions on-the-fly by fetching all of a thread's ancestors.
Calling updateRolesAndPermissionsForAllThreads should generate UPDATE_THREAD updates for every single (Comm user, Comm thread) pair. That's a lot of updates, but it will make sure that permissions are fixed. We've run migrations like this before (in fact, the very last one)... experience is that it usually causes about 15min of downtime.
Depends on D13018
Test Plan:
The whole stack was tested as follows:
- Unit tests from D9686, which toggle user-surfaced permissions on and off and make sure no difference is caught. This ensures that the original issue introduced in D9686 isn't reintroduced
- Careful review of each descendant permission removed in D9686
- Create a community as userA and add userB. Grant tagging permissions to all members. Make sure userB can tag inside non-root channels
- Do above, then create a channel without userB, and make sure userB can't tag there either (or do anything other than view). This is the repro described here
- Do above, but also create a thread inside the channel (as userA) and make sure userB can't do anything inside the thread other than view, until they join the parent channel
Reviewers: tomek, inka
Reviewed By: tomek
Differential Revision: https://phab.comm.dev/D13019