SONAR-21413 Make provisioning groups ready to handle allowed groups

server/sonar-auth-gitlab/src/main/java/org/sonar/auth/gitlab/GitLabSettings.java

   public static final String GITLAB_AUTH_APPLICATION_ID = "sonar.auth.gitlab.applicationId.secured";
   public static final String GITLAB_AUTH_SECRET = "sonar.auth.gitlab.secret.secured";
   public static final String GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP = "sonar.auth.gitlab.allowUsersToSignUp";
+  public static final String GITLAB_AUTH_ALLOWED_GROUPS = "sonar.auth.gitlab.allowedGroups";
   public static final String GITLAB_AUTH_SYNC_USER_GROUPS = "sonar.auth.gitlab.groupsSync";
   public static final String GITLAB_AUTH_PROVISIONING_TOKEN = "provisioning.gitlab.token.secured";
-  public static final String GITLAB_AUTH_PROVISIONING_GROUPS = "provisioning.gitlab.groups";
   public static final String GITLAB_AUTH_PROVISIONING_ENABLED = "provisioning.gitlab.enabled";
 
   private static final String CATEGORY = "authentication";
     return configuration.getBoolean(GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP).orElse(false);
   }
 
+  public Set<String> allowedGroups() {
+    return Set.of(configuration.getStringArray(GITLAB_AUTH_ALLOWED_GROUPS));
+  }
+
   public boolean syncUserGroups() {
     return configuration.getBoolean(GITLAB_AUTH_SYNC_USER_GROUPS).orElse(false);
   }
     return configuration.get(GITLAB_AUTH_PROVISIONING_TOKEN).map(Strings::emptyToNull).orElse(null);
   }
 
-  public Set<String> provisioningGroups() {
-    return Set.of(configuration.getStringArray(GITLAB_AUTH_PROVISIONING_GROUPS));
-  }
-
   @Override
   public String getDevOpsPlatform() {
     return ALM.GITLAB.getId();
         .defaultValue(valueOf(true))
         .index(5)
         .build(),
+      PropertyDefinition.builder(GITLAB_AUTH_ALLOWED_GROUPS)
+        .name("Groups allowed")
+        .description("Only members of these groups (and sub-groups) will be allowed to authenticate. " +
+          "Please enter the group slug as it appears in the GitLab URL, for instance `my-gitlab-group`. " +
+          "If you use Auto-provisioning, only members of these groups (and sub-groups) will be provisioned")
+        .multiValues(true)
+        .category(CATEGORY)
+        .subCategory(SUBCATEGORY)
+        .index(6)
+        .build(),
       PropertyDefinition.builder(GITLAB_AUTH_SYNC_USER_GROUPS)
         .deprecatedKey("sonar.auth.gitlab.sync_user_groups")
         .name("Synchronize user groups")
         .subCategory(SUBCATEGORY)
         .type(PropertyType.BOOLEAN)
         .defaultValue(valueOf(false))
-        .index(6)
+        .index(7)
         .build(),
       PropertyDefinition.builder(GITLAB_AUTH_PROVISIONING_TOKEN)
         .name("Provisioning token")
         .category(CATEGORY)
         .subCategory(SUBCATEGORY)
         .type(PASSWORD)
-        .index(7)
-        .build(),
-      PropertyDefinition.builder(GITLAB_AUTH_PROVISIONING_GROUPS)
-        .name("Groups")
-        .description("Only members of these groups (and sub-groups) will be provisioned." +
-          " Please enter the group slug as it appears in the GitLab URL, for instance `my-gitlab-group`.")
-        .multiValues(true)
-        .category(CATEGORY)
-        .subCategory(SUBCATEGORY)
         .index(8)
         .build(),
       PropertyDefinition.builder(GITLAB_AUTH_PROVISIONING_ENABLED)

server/sonar-auth-gitlab/src/test/java/org/sonar/auth/gitlab/GitLabSettingsTest.java

 import org.sonar.api.utils.System2;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ALLOWED_GROUPS;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_APPLICATION_ID;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ENABLED;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_ENABLED;
-import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_GROUPS;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_TOKEN;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_SECRET;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_SYNC_USER_GROUPS;
     settings.setProperty(GITLAB_AUTH_PROVISIONING_TOKEN, "token");
     assertThat(config.provisioningToken()).isEqualTo("token");
 
-    settings.setProperty(GITLAB_AUTH_PROVISIONING_GROUPS, new String[] {"Group1", "Group2"});
-    assertThat(config.provisioningGroups()).containsExactlyInAnyOrder("Group1", "Group2");
+    settings.setProperty(GITLAB_AUTH_ALLOWED_GROUPS, new String[] {"Group1", "Group2"});
+    assertThat(config.allowedGroups()).containsExactlyInAnyOrder("Group1", "Group2");
 
     assertThat(config.isProvisioningEnabled()).isFalse();
     settings.setProperty(GITLAB_AUTH_PROVISIONING_ENABLED, true);

server/sonar-webserver-common/src/it/java/org/sonar/server/common/gitlab/config/GitlabConfigurationServiceIT.java

 import static org.mockito.Mockito.when;
 import static org.sonar.alm.client.gitlab.GitlabGlobalSettingsValidator.ValidationMode.AUTH_ONLY;
 import static org.sonar.alm.client.gitlab.GitlabGlobalSettingsValidator.ValidationMode.COMPLETE;
+import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ALLOWED_GROUPS;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_APPLICATION_ID;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ENABLED;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_ENABLED;
-import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_GROUPS;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_TOKEN;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_SECRET;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_SYNC_USER_GROUPS;
   @Test
   public void getConfiguration_whenConfigurationSetAndEmpty_returnsConfig() {
     dbTester.properties().insertProperty(GITLAB_AUTH_ENABLED, "true", null);
-    dbTester.properties().insertProperty(GITLAB_AUTH_PROVISIONING_GROUPS, "", null);
+    dbTester.properties().insertProperty(GITLAB_AUTH_ALLOWED_GROUPS, "", null);
 
     GitlabConfiguration configuration = gitlabConfigurationService.getConfiguration("gitlab-configuration");
 
     assertThat(configuration.url()).isEmpty();
     assertThat(configuration.secret()).isEmpty();
     assertThat(configuration.synchronizeGroups()).isFalse();
+    assertThat(configuration.allowedGroups()).isEmpty();
     assertThat(configuration.provisioningType()).isEqualTo(JIT);
     assertThat(configuration.allowUsersToSignUp()).isFalse();
     assertThat(configuration.provisioningToken()).isNull();
-    assertThat(configuration.provisioningGroups()).isEmpty();
   }
 
   @Test
       .url(withValueOrThrow("url"))
       .secret(withValueOrThrow("secret"))
       .synchronizeGroups(withValueOrThrow(true))
+      .allowedGroups(withValueOrThrow(new LinkedHashSet<>(List.of("group1", "group2", "group3"))))
       .provisioningType(withValueOrThrow(AUTO_PROVISIONING))
       .allowUserToSignUp(withValueOrThrow(true))
       .provisioningToken(withValueOrThrow("provisioningToken"))
-      .provisioningGroups(withValueOrThrow(new LinkedHashSet<>(List.of("group1", "group2", "group3"))))
       .build();
 
     GitlabConfiguration gitlabConfiguration = gitlabConfigurationService.updateConfiguration(updateRequest);
     verifySettingWasSet(GITLAB_AUTH_URL, "url");
     verifySettingWasSet(GITLAB_AUTH_SECRET, "secret");
     verifySettingWasSet(GITLAB_AUTH_SYNC_USER_GROUPS, "true");
+    verifySettingWasSet(GITLAB_AUTH_ALLOWED_GROUPS, "group1,group2,group3");
     verifySettingWasSet(GITLAB_AUTH_PROVISIONING_ENABLED, "true");
     verifySettingWasSet(GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP, "true");
     verifySettingWasSet(GITLAB_AUTH_PROVISIONING_TOKEN, "provisioningToken");
-    verifySettingWasSet(GITLAB_AUTH_PROVISIONING_GROUPS, "group1,group2,group3");
     verify(managedInstanceService).queueSynchronisationTask();
 
     assertConfigurationFields(gitlabConfiguration);
     assertThat(configuration.url()).isEqualTo("url");
     assertThat(configuration.secret()).isEqualTo("secret");
     assertThat(configuration.synchronizeGroups()).isTrue();
+    assertThat(configuration.allowedGroups()).containsExactlyInAnyOrder("group1", "group2", "group3");
     assertThat(configuration.provisioningType()).isEqualTo(AUTO_PROVISIONING);
     assertThat(configuration.allowUsersToSignUp()).isTrue();
     assertThat(configuration.provisioningToken()).isEqualTo("provisioningToken");
-    assertThat(configuration.provisioningGroups()).containsExactlyInAnyOrder("group1", "group2", "group3");
   }
 
   @Test
       "url",
       "secret",
       true,
-      AUTO_PROVISIONING,
+      Set.of("group1", "group2", "group3"),
       true,
-      null,
-      Set.of("group1", "group2", "group3"));
+      AUTO_PROVISIONING,
+      null
+    );
 
     assertThatThrownBy(() -> gitlabConfigurationService.createConfiguration(configuration))
       .isInstanceOf(IllegalStateException.class)
       "url",
       "secret",
       true,
-      JIT,
+      Set.of("group1", "group2", "group3"),
       true,
-      null,
-      Set.of("group1", "group2", "group3"));
+      JIT,
+      null
+    );
 
     GitlabConfiguration createdConfiguration = gitlabConfigurationService.createConfiguration(configuration);
 
     verifySettingWasSet(GITLAB_AUTH_URL, configuration.url());
     verifySettingWasSet(GITLAB_AUTH_SECRET, configuration.secret());
     verifySettingWasSet(GITLAB_AUTH_SYNC_USER_GROUPS, String.valueOf(configuration.synchronizeGroups()));
+    verifySettingWasSet(GITLAB_AUTH_ALLOWED_GROUPS, String.join(",", configuration.allowedGroups()));
     verifySettingWasSet(GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP, String.valueOf(configuration.allowUsersToSignUp()));
     verifySettingWasSet(GITLAB_AUTH_PROVISIONING_TOKEN, Strings.nullToEmpty(configuration.provisioningToken()));
-    verifySettingWasSet(GITLAB_AUTH_PROVISIONING_GROUPS, String.join(",", configuration.provisioningGroups()));
-    verifySettingWasSet(GITLAB_AUTH_PROVISIONING_ENABLED,
-      String.valueOf(configuration.provisioningType().equals(AUTO_PROVISIONING)));
+    verifySettingWasSet(GITLAB_AUTH_PROVISIONING_ENABLED, String.valueOf(configuration.provisioningType().equals(AUTO_PROVISIONING)));
   }
 
   private void verifySettingWasSet(String setting, @Nullable String value) {
     assertPropertyIsDeleted(GITLAB_AUTH_URL);
     assertPropertyIsDeleted(GITLAB_AUTH_SECRET);
     assertPropertyIsDeleted(GITLAB_AUTH_SYNC_USER_GROUPS);
+    assertPropertyIsDeleted(GITLAB_AUTH_ALLOWED_GROUPS);
     assertPropertyIsDeleted(GITLAB_AUTH_PROVISIONING_ENABLED);
     assertPropertyIsDeleted(GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP);
     assertPropertyIsDeleted(GITLAB_AUTH_PROVISIONING_TOKEN);
-    assertPropertyIsDeleted(GITLAB_AUTH_PROVISIONING_GROUPS);
 
     assertThat(dbTester.getDbClient().externalGroupDao().selectByIdentityProvider(dbTester.getSession(), GitLabIdentityProvider.KEY)).isEmpty();
   }
     when(gitlabConfiguration.url()).thenReturn("url");
     when(gitlabConfiguration.secret()).thenReturn("secret");
     when(gitlabConfiguration.synchronizeGroups()).thenReturn(true);
+    when(gitlabConfiguration.allowedGroups()).thenReturn(new LinkedHashSet<>(Set.of("group1", "group2", "group3")));
     when(gitlabConfiguration.provisioningType()).thenReturn(provisioningType);
     when(gitlabConfiguration.allowUsersToSignUp()).thenReturn(true);
     when(gitlabConfiguration.provisioningToken()).thenReturn("provisioningToken");
-    when(gitlabConfiguration.provisioningGroups()).thenReturn(new LinkedHashSet<>(Set.of("group1", "group2", "group3")));
     return gitlabConfiguration;
   }
 
     assertThat(actualConfiguration.url()).isEqualTo(expectedConfiguration.url());
     assertThat(actualConfiguration.secret()).isEqualTo(expectedConfiguration.secret());
     assertThat(actualConfiguration.synchronizeGroups()).isEqualTo(expectedConfiguration.synchronizeGroups());
+    assertThat(actualConfiguration.allowedGroups()).containsExactlyInAnyOrderElementsOf(expectedConfiguration.allowedGroups());
     assertThat(actualConfiguration.provisioningType()).isEqualTo(expectedConfiguration.provisioningType());
     assertThat(actualConfiguration.allowUsersToSignUp()).isEqualTo(expectedConfiguration.allowUsersToSignUp());
     assertThat(actualConfiguration.provisioningToken()).isEqualTo(expectedConfiguration.provisioningToken());
-    assertThat(actualConfiguration.provisioningGroups()).containsExactlyInAnyOrderElementsOf(expectedConfiguration.provisioningGroups());
   }
 }

server/sonar-webserver-common/src/main/java/org/sonar/server/common/gitlab/config/GitlabConfiguration.java

 
   boolean synchronizeGroups,
 
-  ProvisioningType provisioningType,
+  Set<String> allowedGroups,
 
   boolean allowUsersToSignUp,
 
+  ProvisioningType provisioningType,
+
   @Nullable
-  String provisioningToken,
+  String provisioningToken
 
-  Set<String> provisioningGroups
 ) {
 }

server/sonar-webserver-common/src/main/java/org/sonar/server/common/gitlab/config/GitlabConfigurationService.java

 import static org.sonar.alm.client.gitlab.GitlabGlobalSettingsValidator.ValidationMode.AUTH_ONLY;
 import static org.sonar.alm.client.gitlab.GitlabGlobalSettingsValidator.ValidationMode.COMPLETE;
 import static org.sonar.api.utils.Preconditions.checkState;
+import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ALLOWED_GROUPS;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_APPLICATION_ID;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_ENABLED;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_ENABLED;
-import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_GROUPS;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_PROVISIONING_TOKEN;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_SECRET;
 import static org.sonar.auth.gitlab.GitLabSettings.GITLAB_AUTH_SYNC_USER_GROUPS;
     GITLAB_AUTH_URL,
     GITLAB_AUTH_SECRET,
     GITLAB_AUTH_SYNC_USER_GROUPS,
+    GITLAB_AUTH_ALLOWED_GROUPS,
     GITLAB_AUTH_PROVISIONING_ENABLED,
     GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP,
-    GITLAB_AUTH_PROVISIONING_TOKEN,
-    GITLAB_AUTH_PROVISIONING_GROUPS);
+    GITLAB_AUTH_PROVISIONING_TOKEN);
 
   public static final String UNIQUE_GITLAB_CONFIGURATION_ID = "gitlab-configuration";
   private final DbClient dbClient;
       setIfDefined(dbSession, GITLAB_AUTH_URL, updateRequest.url());
       setIfDefined(dbSession, GITLAB_AUTH_SECRET, updateRequest.secret());
       setIfDefined(dbSession, GITLAB_AUTH_SYNC_USER_GROUPS, updateRequest.synchronizeGroups().map(String::valueOf));
+      setIfDefined(dbSession, GITLAB_AUTH_ALLOWED_GROUPS, updateRequest.allowedGroups().map(groups -> String.join(",", groups)));
       setIfDefined(dbSession, GITLAB_AUTH_PROVISIONING_ENABLED, provisioningEnabled.map(String::valueOf));
       setIfDefined(dbSession, GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP, updateRequest.allowUsersToSignUp().map(String::valueOf));
       setIfDefined(dbSession, GITLAB_AUTH_PROVISIONING_TOKEN, updateRequest.provisioningToken());
-      setIfDefined(dbSession, GITLAB_AUTH_PROVISIONING_GROUPS, updateRequest.provisioningGroups().map(groups -> String.join(",", groups)));
       boolean shouldTriggerProvisioning =
         provisioningEnabled.orElse(false) && !currentConfiguration.provisioningType().equals(AUTO_PROVISIONING);
       deleteExternalGroupsWhenDisablingAutoProvisioning(dbSession, currentConfiguration, updateRequest.provisioningType());
       setProperty(dbSession, GITLAB_AUTH_URL, configuration.url());
       setProperty(dbSession, GITLAB_AUTH_SECRET, configuration.secret());
       setProperty(dbSession, GITLAB_AUTH_SYNC_USER_GROUPS, String.valueOf(configuration.synchronizeGroups()));
+      setProperty(dbSession, GITLAB_AUTH_ALLOWED_GROUPS, String.join(",", configuration.allowedGroups()));
       setProperty(dbSession, GITLAB_AUTH_PROVISIONING_ENABLED, String.valueOf(enableAutoProvisioning));
       setProperty(dbSession, GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP, String.valueOf(configuration.allowUsersToSignUp()));
       setProperty(dbSession, GITLAB_AUTH_PROVISIONING_TOKEN, configuration.provisioningToken());
-      setProperty(dbSession, GITLAB_AUTH_PROVISIONING_GROUPS, String.join(",", configuration.provisioningGroups()));
       if (enableAutoProvisioning) {
         triggerRun(configuration);
       }
       getStringPropertyOrEmpty(dbSession, GITLAB_AUTH_URL),
       getStringPropertyOrEmpty(dbSession, GITLAB_AUTH_SECRET),
       getBooleanOrFalse(dbSession, GITLAB_AUTH_SYNC_USER_GROUPS),
-      toProvisioningType(getBooleanOrFalse(dbSession, GITLAB_AUTH_PROVISIONING_ENABLED)),
+      getAllowedGroups(dbSession),
       getBooleanOrFalse(dbSession, GITLAB_AUTH_ALLOW_USERS_TO_SIGNUP),
-      getStringPropertyOrNull(dbSession, GITLAB_AUTH_PROVISIONING_TOKEN),
-      getProvisioningGroups(dbSession)
+      toProvisioningType(getBooleanOrFalse(dbSession, GITLAB_AUTH_PROVISIONING_ENABLED)),
+      getStringPropertyOrNull(dbSession, GITLAB_AUTH_PROVISIONING_TOKEN)
     );
   }
 
-  private Set<String> getProvisioningGroups(DbSession dbSession) {
-    return Optional.ofNullable(dbClient.propertiesDao().selectGlobalProperty(dbSession, GITLAB_AUTH_PROVISIONING_GROUPS))
+  private Set<String> getAllowedGroups(DbSession dbSession) {
+    return Optional.ofNullable(dbClient.propertiesDao().selectGlobalProperty(dbSession, GITLAB_AUTH_ALLOWED_GROUPS))
       .map(dto -> Arrays.stream(dto.getValue().split(","))
         .filter(s -> !s.isEmpty())
         .collect(Collectors.toSet())

server/sonar-webserver-common/src/main/java/org/sonar/server/common/gitlab/config/UpdateGitlabConfigurationRequest.java

   NonNullUpdatedValue<String> url,
   NonNullUpdatedValue<String> secret,
   NonNullUpdatedValue<Boolean> synchronizeGroups,
-  NonNullUpdatedValue<ProvisioningType> provisioningType,
+  NonNullUpdatedValue<Set<String>> allowedGroups,
   NonNullUpdatedValue<Boolean> allowUsersToSignUp,
   UpdatedValue<String> provisioningToken,
-  NonNullUpdatedValue<Set<String>> provisioningGroups
+  NonNullUpdatedValue<ProvisioningType> provisioningType
 ) {
 
   public static Builder builder() {
     private NonNullUpdatedValue<String> url = NonNullUpdatedValue.undefined();
     private NonNullUpdatedValue<String> secret = NonNullUpdatedValue.undefined();
     private NonNullUpdatedValue<Boolean> synchronizeGroups = NonNullUpdatedValue.undefined();
+    private NonNullUpdatedValue<Set<String>> allowedGroups = NonNullUpdatedValue.undefined();
     private NonNullUpdatedValue<ProvisioningType> provisioningType = NonNullUpdatedValue.undefined();
     private NonNullUpdatedValue<Boolean> allowUserToSignUp = NonNullUpdatedValue.undefined();
     private UpdatedValue<String> provisioningToken = UpdatedValue.undefined();
-    private NonNullUpdatedValue<Set<String>> provisioningGroups = NonNullUpdatedValue.undefined();
 
     private Builder() {
     }
       return this;
     }
 
+    public Builder allowedGroups(NonNullUpdatedValue<Set<String>> allowedGroups) {
+      this.allowedGroups = allowedGroups;
+      return this;
+    }
+
     public Builder provisioningType(NonNullUpdatedValue<ProvisioningType> provisioningType) {
       this.provisioningType = provisioningType;
       return this;
       return this;
     }
 
-    public Builder provisioningGroups(NonNullUpdatedValue<Set<String>> provisioningGroups) {
-      this.provisioningGroups = provisioningGroups;
-      return this;
-    }
-
     public UpdateGitlabConfigurationRequest build() {
-      return new UpdateGitlabConfigurationRequest(gitlabConfigurationId, enabled, applicationId, url, secret, synchronizeGroups, provisioningType, allowUserToSignUp,
-        provisioningToken, provisioningGroups);
+      return new UpdateGitlabConfigurationRequest(gitlabConfigurationId, enabled, applicationId, url, secret, synchronizeGroups, allowedGroups, allowUserToSignUp,
+        provisioningToken, provisioningType
+      );
     }
   }
 }

server/sonar-webserver-webapi-v2/src/main/java/org/sonar/server/v2/api/gitlab/config/controller/DefaultGitlabConfigurationController.java

       createRestRequest.url(),
       createRestRequest.secret(),
       createRestRequest.synchronizeGroups(),
-      toProvisioningType(createRestRequest.provisioningType()),
+      Set.copyOf(createRestRequest.allowedGroups()),
       createRestRequest.allowUsersToSignUp() != null && createRestRequest.allowUsersToSignUp(),
-      createRestRequest.provisioningToken(),
-      createRestRequest.provisioningGroups() == null ? Set.of() : Set.copyOf(createRestRequest.provisioningGroups()));
+      toProvisioningType(createRestRequest.provisioningType()),
+      createRestRequest.provisioningToken()
+    );
   }
 
   private GitlabConfigurationResource getGitlabConfigurationResource(String id) {
       .url(updateRequest.getUrl().toNonNullUpdatedValue())
       .secret(updateRequest.getSecret().toNonNullUpdatedValue())
       .synchronizeGroups(updateRequest.getSynchronizeGroups().toNonNullUpdatedValue())
+      .allowedGroups(updateRequest.getAllowedGroups().map(DefaultGitlabConfigurationController::getGroups).toNonNullUpdatedValue())
       .provisioningType(updateRequest.getProvisioningType().map(DefaultGitlabConfigurationController::toProvisioningType).toNonNullUpdatedValue())
       .allowUserToSignUp(updateRequest.getAllowUsersToSignUp().toNonNullUpdatedValue())
       .provisioningToken(updateRequest.getProvisioningToken().toUpdatedValue())
-      .provisioningGroups(updateRequest.getProvisioningGroups().map(DefaultGitlabConfigurationController::getGroups).toNonNullUpdatedValue())
       .build();
   }
 
       configuration.applicationId(),
       configuration.url(),
       configuration.synchronizeGroups(),
-      toRestProvisioningType(configuration),
+      sortGroups(configuration.allowedGroups()),
       configuration.allowUsersToSignUp(),
-      sortGroups(configuration.provisioningGroups()),
+      toRestProvisioningType(configuration),
       configurationError.orElse(null)
     );
   }

server/sonar-webserver-webapi-v2/src/main/java/org/sonar/server/v2/api/gitlab/config/request/GitlabConfigurationCreateRestRequest.java

   @NotEmpty
   @Schema(description = "Gitlab Application id")
   String applicationId,
+
   @NotEmpty
   @Schema(description = "Url of Gitlab instance for authentication (for instance https://gitlab.com)")
   String url,
+
   @NotEmpty
   @Schema(accessMode = Schema.AccessMode.WRITE_ONLY,  description = "Secret of the application")
   String secret,
   @Schema(description = "Set whether to synchronize groups")
   Boolean synchronizeGroups,
 
+  @NotEmpty
+  @ArraySchema(arraySchema = @Schema(description = "GitLab groups allowed to authenticate and provisioned (for Auto-Provisioning only). Subgroups will automatically be included"))
+  List<String> allowedGroups,
+
   @NotNull
   @Schema(description = "Type of synchronization")
   ProvisioningType provisioningType,
 
   @Schema(description = "Allow user to sign up")
   @Nullable
-  Boolean allowUsersToSignUp,
-
-  @ArraySchema(arraySchema = @Schema(description = "Root GitLab groups to provision."))
-  @Nullable
-  List<String> provisioningGroups
+  Boolean allowUsersToSignUp
 ) {
 }

server/sonar-webserver-webapi-v2/src/main/java/org/sonar/server/v2/api/gitlab/config/request/GitlabConfigurationUpdateRestRequest.java

   private UpdateField<String> url = UpdateField.undefined();
   private UpdateField<String> secret = UpdateField.undefined();
   private UpdateField<Boolean> synchronizeGroups = UpdateField.undefined();
+  private UpdateField<List<String>> allowedGroups = UpdateField.undefined();
   private UpdateField<ProvisioningType> provisioningType = UpdateField.undefined();
   private UpdateField<Boolean> allowUsersToSignUp = UpdateField.undefined();
   private UpdateField<String> provisioningToken = UpdateField.undefined();
-  private UpdateField<List<String>> provisioningGroups = UpdateField.undefined();
 
   @Schema(implementation = Boolean.class, description = "Enable Gitlab authentication")
   public UpdateField<Boolean> getEnabled() {
     this.synchronizeGroups = UpdateField.withValue(synchronizeGroups);
   }
 
+  @ArraySchema(arraySchema = @Schema(description = "Root Gitlab groups allowed to authenticate and provisioned"), schema = @Schema(implementation = String.class))
+  public UpdateField<List<String>> getAllowedGroups() {
+    return allowedGroups;
+  }
+
+  public void setAllowedGroups(List<String> allowedGroups) {
+    this.allowedGroups = UpdateField.withValue(allowedGroups);
+  }
+
   @Schema(implementation = ProvisioningType.class, description = "Type of synchronization")
   public UpdateField<ProvisioningType> getProvisioningType() {
     return provisioningType;
   public void setProvisioningToken(String provisioningToken) {
     this.provisioningToken = UpdateField.withValue(provisioningToken);
   }
-
-  @ArraySchema(arraySchema = @Schema(description = "Root gitlab groups to provision."), schema = @Schema(implementation = String.class))
-  public UpdateField<List<String>> getProvisioningGroups() {
-    return provisioningGroups;
-  }
-
-  public void setProvisioningGroups(List<String> provisioningGroups) {
-    this.provisioningGroups = UpdateField.withValue(provisioningGroups);
-  }
 }

server/sonar-webserver-webapi-v2/src/main/java/org/sonar/server/v2/api/gitlab/config/resource/GitlabConfigurationResource.java

 
   boolean synchronizeGroups,
 
-  ProvisioningType provisioningType,
+  @Schema(description = "Root Gitlab groups allowed to authenticate and provisioned")
+  List<String> allowedGroups,
 
   boolean allowUsersToSignUp,
 
-  @Schema(description = "Root Gitlab groups to provision")
-  List<String> provisioningGroups,
+  ProvisioningType provisioningType,
 
   @Schema(accessMode = Schema.AccessMode.READ_ONLY, description = "In case the GitLab configuration is incorrect, error message")
   @Nullable

server/sonar-webserver-webapi-v2/src/test/java/org/sonar/server/v2/api/gitlab/config/DefaultGitlabConfigurationControllerTest.java

     "www.url.com",
     "secret",
     true,
-    AUTO_PROVISIONING,
+    Set.of("group1", "group2"),
     true,
-    "provisioning-token",
-    Set.of("provisioning-group2", "provisioning-group1"));
+    AUTO_PROVISIONING,
+    "provisioning-token"
+  );
+
   private static final GitlabConfigurationResource EXPECTED_GITLAB_CONF_RESOURCE = new GitlabConfigurationResource(
     GITLAB_CONFIGURATION.id(),
     GITLAB_CONFIGURATION.enabled(),
     GITLAB_CONFIGURATION.applicationId(),
     GITLAB_CONFIGURATION.url(),
     GITLAB_CONFIGURATION.synchronizeGroups(),
-    org.sonar.server.v2.api.gitlab.config.resource.ProvisioningType.valueOf(GITLAB_CONFIGURATION.provisioningType().name()),
+    List.of("group1", "group2"),
     GITLAB_CONFIGURATION.allowUsersToSignUp(),
-    List.of("provisioning-group1", "provisioning-group2"),
+    org.sonar.server.v2.api.gitlab.config.resource.ProvisioningType.valueOf(GITLAB_CONFIGURATION.provisioningType().name()),
     "error-message");
+
   private static final String EXPECTED_CONFIGURATION = """
     {
       "id": "existing-id",
       "applicationId": "application-id",
       "url": "www.url.com",
       "synchronizeGroups": true,
+      "allowedGroups": [
+        "group1",
+        "group2"
+      ],
       "provisioningType": "AUTO_PROVISIONING",
       "allowUsersToSignUp": true,
-      "provisioningGroups": [
-        "provisioning-group2",
-        "provisioning-group1"
-      ],
       "errorMessage": "error-message"
     }
     """;
             "url": "www.url.com",
             "secret": "newSecret",
             "synchronizeGroups": true,
+            "allowedGroups": [
+              "group1",
+              "group2"
+            ],
             "provisioningType": "AUTO_PROVISIONING",
             "allowUsersToSignUp": true,
-            "provisioningToken": "token",
-            "provisioningGroups": [
-              "provisioning-group2",
-              "provisioning-group1"
-            ]
+            "provisioningToken": "token"
       }
       """;
 
       NonNullUpdatedValue.withValueOrThrow("www.url.com"),
       NonNullUpdatedValue.withValueOrThrow("newSecret"),
       NonNullUpdatedValue.withValueOrThrow(true),
-      NonNullUpdatedValue.withValueOrThrow(AUTO_PROVISIONING),
+      NonNullUpdatedValue.withValueOrThrow(Set.of("group1", "group2")),
       NonNullUpdatedValue.withValueOrThrow(true),
       UpdatedValue.withValue("token"),
-      NonNullUpdatedValue.withValueOrThrow(Set.of("provisioning-group2", "provisioning-group1"))));
+      NonNullUpdatedValue.withValueOrThrow(AUTO_PROVISIONING)
+    ));
   }
 
   @Test
       NonNullUpdatedValue.undefined(),
       NonNullUpdatedValue.undefined(),
       NonNullUpdatedValue.undefined(),
-      NonNullUpdatedValue.withValueOrThrow(JIT),
-      NonNullUpdatedValue.withValueOrThrow(false),
-      UpdatedValue.withValue(null),
-      NonNullUpdatedValue.undefined()));
+      NonNullUpdatedValue.undefined(), NonNullUpdatedValue.withValueOrThrow(false), UpdatedValue.withValue(null), NonNullUpdatedValue.withValueOrThrow(JIT)
+    ));
   }
 
   @Test
                "url": "www.url.com",
                "secret": "123",
                "synchronizeGroups": true,
+               "allowedGroups": [
+                  "group1",
+                  "group2"
+                ],
                "provisioningType": "AUTO_PROVISIONING",
-               "allowUsersToSignUp": true,
-               "provisioningGroups": [
-                 "provisioning-group2",
-                 "provisioning-group1"
-               ]
+               "allowUsersToSignUp": true
              }
           """))
       .andExpectAll(
               "secret": "123",
               "url": "www.url.com",
               "synchronizeGroups": true,
+              "allowedGroups": [
+                "group1",
+                "group2"
+              ],
               "provisioningType": "AUTO_PROVISIONING",
-              "allowUsersToSignUp": true,
-              "provisioningGroups": [
-                "provisioning-group2",
-                "provisioning-group1"
-              ]
+              "allowUsersToSignUp": true
             }
 
           """))
             "applicationId": "application-id",
             "url": "www.url.com",
             "synchronizeGroups": true,
+            "allowedGroups": [
+              "group1",
+              "group2"
+            ],
             "provisioningType": "AUTO_PROVISIONING",
-            "allowUsersToSignUp": true,
-            "provisioningGroups": [
-              "provisioning-group2",
-              "provisioning-group1"
-            ]
+            "allowUsersToSignUp": true
           }
           """));
 
               "secret": "123",
               "url": "www.url.com",
               "synchronizeGroups": true,
+              "allowedGroups": [
+                "group1",
+                "group2"
+              ],
               "provisioningType": "AUTO_PROVISIONING"
             }
 
             "applicationId": "application-id",
             "url": "www.url.com",
             "synchronizeGroups": true,
+            "allowedGroups": [
+              "group1",
+              "group2"
+            ],
             "provisioningType": "AUTO_PROVISIONING",
-            "allowUsersToSignUp": true,
-            "provisioningGroups": [
-              "provisioning-group2",
-              "provisioning-group1"
-            ]
+            "allowUsersToSignUp": true
           }
           """));
 
             "applicationId": "application-id",
             "url": "www.url.com",
             "synchronizeGroups": true,
+            "allowedGroups": [
+              "group1",
+              "group2"
+            ],
             "provisioningType": "AUTO_PROVISIONING",
-            "allowUsersToSignUp": true,
-            "provisioningGroups": [
-              "provisioning-group2",
-              "provisioning-group1"
-            ]
+            "allowUsersToSignUp": true
           }
           """))
       .andExpectAll(

sonar-ws/src/main/java/org/sonarqube/ws/client/gitlab/configuration/GitlabConfiguration.java

 
 public record GitlabConfiguration(boolean enabled, String applicationId, String url, String secret, boolean synchronizeGroups,
                                   String provisioningType, boolean allowUsersToSignUp, String provisioningToken,
-                                  String singleProvisioningGroup) {
+                                  String singleAllowedGroup) {
 }

sonar-ws/src/main/java/org/sonarqube/ws/client/gitlab/configuration/GitlabConfigurationService.java

           "provisioningType": "%s",
           "allowUsersToSignUp": "%s",
           "provisioningToken": "%s",
-          "provisioningGroups": ["%s"]
+          "allowedGroups": ["%s"]
         }
         """, gitlabConfiguration.enabled(), gitlabConfiguration.applicationId(), gitlabConfiguration.url(), gitlabConfiguration.secret(),
       gitlabConfiguration.synchronizeGroups(), gitlabConfiguration.provisioningType(), gitlabConfiguration.allowUsersToSignUp(),
-      gitlabConfiguration.provisioningToken(), gitlabConfiguration.singleProvisioningGroup());
+      gitlabConfiguration.provisioningToken(), gitlabConfiguration.singleAllowedGroup());
     WsResponse response = call(
       new PostRequest(path()).setBody(body)
     );