Merge branch 'track-users-do-crud-release-without-protected-tag-access' into 'master'

Measure the impact of the Release permission model change See merge request gitlab-org/gitlab!65331

Merge branch 'track-users-do-crud-release-without-protected-tag-access' into 'master'
Measure the impact of the Release permission model change See merge request gitlab-org/gitlab!65331
1c9a3538 · Heinrich Lee Yu · 309aa868 · 6f4b0524 · 1c9a3538 · 1c9a3538
Commit 1c9a3538 authored Jul 05, 2021 by Heinrich Lee Yu
7 changed files
--- a/app/services/releases/base_service.rb
+++ b/app/services/releases/base_service.rb
@@ -5,6 +5,8 @@ module Releases
    include BaseServiceUtility
    include Gitlab::Utils::StrongMemoize

+    ReleaseProtectedTagAccessError = Class.new(StandardError)
+
    attr_accessor :project, :current_user, :params

    def initialize(project, user = nil, params = {})
@@ -81,6 +83,15 @@ module Releases
      release.execute_hooks(action)
    end

+    def track_protected_tag_access_error!
+      unless ::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name)
+        Gitlab::ErrorTracking.log_exception(
+          ReleaseProtectedTagAccessError.new,
+          project_id: project.id,
+          user_id: current_user.id)
+      end
+    end
+
    # overridden in EE
    def project_group_id; end
  end

--- a/app/services/releases/create_service.rb
+++ b/app/services/releases/create_service.rb
@@ -7,6 +7,8 @@ module Releases
      return error('Release already exists', 409) if release
      return error("Milestone(s) not found: #{inexistent_milestones.join(', ')}", 400) if inexistent_milestones.any?

+      track_protected_tag_access_error!
+
      # should be found before the creation of new tag
      # because tag creation can spawn new pipeline
      # which won't have any data for evidence yet

--- a/app/services/releases/destroy_service.rb
+++ b/app/services/releases/destroy_service.rb
@@ -6,6 +6,8 @@ module Releases
      return error('Release does not exist', 404) unless release
      return error('Access Denied', 403) unless allowed?

+      track_protected_tag_access_error!
+
      if release.destroy
        success(tag: existing_tag, release: release)
      else

--- a/app/services/releases/update_service.rb
+++ b/app/services/releases/update_service.rb
@@ -7,6 +7,8 @@ module Releases
        return error
      end

+      track_protected_tag_access_error!
+
      if param_for_milestone_titles_provided?
        previous_milestones = release.milestones.map(&:title)
        params[:milestones] = milestones

--- a/spec/services/releases/create_service_spec.rb
+++ b/spec/services/releases/create_service_spec.rb
@@ -44,6 +44,21 @@ RSpec.describe Releases::CreateService do

    it_behaves_like 'a successful release creation'

+    context 'when tag is protected and user does not have access to it' do
+      let!(:protected_tag) { create(:protected_tag, :no_one_can_create, name: '*', project: project) }
+
+      it 'track the error event' do
+        stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
+
+        expect(Gitlab::ErrorTracking).to receive(:log_exception).with(
+          kind_of(described_class::ReleaseProtectedTagAccessError),
+          project_id: project.id,
+          user_id: user.id)
+
+        service.execute
+      end
+    end
+
    context 'when the tag does not exist' do
      let(:tag_name) { 'non-exist-tag' }


--- a/spec/services/releases/destroy_service_spec.rb
+++ b/spec/services/releases/destroy_service_spec.rb
@@ -28,6 +28,21 @@ RSpec.describe Releases::DestroyService do
      it 'returns the destroyed object' do
        is_expected.to include(status: :success, release: release)
      end
+
+      context 'when tag is protected and user does not have access to it' do
+        let!(:protected_tag) { create(:protected_tag, :no_one_can_create, name: '*', project: project) }
+
+        it 'track the error event' do
+          stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
+
+          expect(Gitlab::ErrorTracking).to receive(:log_exception).with(
+            kind_of(described_class::ReleaseProtectedTagAccessError),
+            project_id: project.id,
+            user_id: user.id)
+
+          service.execute
+        end
+      end
    end

    context 'when tag does not exist in the repository' do

--- a/spec/services/releases/update_service_spec.rb
+++ b/spec/services/releases/update_service_spec.rb
@@ -38,6 +38,21 @@ RSpec.describe Releases::UpdateService do
      service.execute
    end

+    context 'when tag is protected and user does not have access to it' do
+      let!(:protected_tag) { create(:protected_tag, :no_one_can_create, name: '*', project: project) }
+
+      it 'track the error event' do
+        stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
+
+        expect(Gitlab::ErrorTracking).to receive(:log_exception).with(
+          kind_of(described_class::ReleaseProtectedTagAccessError),
+          project_id: project.id,
+          user_id: user.id)
+
+        service.execute
+      end
+    end
+
    context 'when the tag does not exists' do
      let(:tag_name) { 'foobar' }