
fix: When SCIM is disabled, clear Team.idp_provisioned flags (#71767)

Fix a bug where, after SCIM is disabled, teams are left in a state where
team membership can no longer be managed.

Should resolve https://github.com/getsentry/sentry/issues/71218.
Ryan Skonnord 9 месяцев назад
Родитель
Сommit
a87bf2e234

+ 3 - 0
src/sentry/services/hybrid_cloud/organization/impl.py

@@ -555,6 +555,9 @@ class DatabaseBackedOrganizationService(OrganizationService):
                 .bitand(~OrganizationMember.flags["idp:role-restricted"])
             )
 
+        with unguarded_write(using=router.db_for_write(Team)):
+            Team.objects.filter(organization_id=organization_id).update(idp_provisioned=False)
+
     def update_region_user(self, *, user: RpcRegionUser, region_name: str) -> None:
         # Normally, calling update on a QS for organization member fails because we need to ensure that updates to
         # OrganizationMember objects produces outboxes.  In this case, it is safe to do the update directly because
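Review bot: The new `unguarded_write` block at the end of this method has no comment saying why bypassing the write guard with a queryset `update()` is safe for `Team`, unlike the explanation that opens `update_region_user` just below it. Because `idp_provisioned` decides whether team membership is controlled by the identity provider, I would add a comment above the `with`, such as `# SCIM is off: release IdP control of every team in this org; bulk update() skips save() hooks on purpose.` The method starts outside the hunk, so it is not visible whether this write shares a transaction with the preceding `OrganizationMember` flag update. If it does not, a failure here would leave members released while teams stay locked, which is worth confirming.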

+ 12 - 4
tests/sentry/web/frontend/test_organization_auth_settings.py

@@ -25,6 +25,7 @@ from sentry.models.integrations.sentry_app_installation_for_provider import (
 )
 from sentry.models.organization import Organization
 from sentry.models.organizationmember import OrganizationMember
+from sentry.models.team import Team
 from sentry.models.user import User
 from sentry.services.hybrid_cloud.organization import organization_service
 from sentry.signals import receivers_raise_on_send
@@ -32,7 +33,7 @@ from sentry.silo.base import SiloMode
 from sentry.testutils.cases import AuthProviderTestCase, PermissionTestCase
 from sentry.testutils.helpers.features import with_feature
 from sentry.testutils.outbox import outbox_runner
-from sentry.testutils.silo import assume_test_silo_mode, control_silo_test
+from sentry.testutils.silo import assume_test_silo_mode, assume_test_silo_mode_of, control_silo_test
 from sentry.web.frontend.organization_auth_settings import get_scim_url
 
 
@@ -341,11 +342,15 @@ class OrganizationAuthSettingsTest(AuthProviderTestCase):
         auth_provider.flags.scim_enabled = True
         auth_provider.save()
 
-        member = self.create_om_and_link_sso(organization)
-        with assume_test_silo_mode(SiloMode.REGION):
+        with assume_test_silo_mode_of(OrganizationMember, Team):
+            member = self.create_om_and_link_sso(organization)
             member.flags["idp:provisioned"] = True
             member.save()
 
+            team = self.create_team(organization, members=[self.user])
+            team.idp_provisioned = True
+            team.save()
+
         assert not SentryAppInstallationForProvider.objects.filter(provider=auth_provider).exists()
 
         path = reverse("sentry-organization-auth-provider-settings", args=[organization.slug])
@@ -360,10 +365,13 @@ class OrganizationAuthSettingsTest(AuthProviderTestCase):
         ]
         assert not AuthProvider.objects.filter(organization_id=organization.id).exists()
 
-        with assume_test_silo_mode(SiloMode.REGION):
+        with assume_test_silo_mode_of(OrganizationMember, Team):
             member.refresh_from_db()
             assert not member.flags["idp:provisioned"], "member should not be idp controlled now"
 
+            team.refresh_from_db()
+            assert not team.idp_provisioned, "team should not be idp controlled now"
+
     def test_superuser_disable_provider(self):
         organization, auth_provider = self.create_org_and_auth_provider()
         with self.feature("organizations:sso-scim"), assume_test_silo_mode(SiloMode.CONTROL):
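Review bot: The added assertions only cover a team inside the organization whose provider is being disabled, so nothing in the test pins the `organization_id` scoping of the bulk update. I would create a second team with `idp_provisioned = True` in a different organization in the setup block of the previous hunk. After the request, call `other_team.refresh_from_db()` and check `assert other_team.idp_provisioned, "teams in other orgs must stay idp controlled"`. The test method begins outside this hunk.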