Fix GraphQL pagination for vulnerabilities

The pagination was returning vulnerabilities in wrong order with the `vulnerability_reads_table` FF enabled. This commit changes the PK of the `Vulnerabilities::Read` model to fix the ordering issue. Changelog: fixed EE: true

Fix GraphQL pagination for vulnerabilities
The pagination was returning vulnerabilities in wrong order with the `vulnerability_reads_table` FF enabled. This commit changes the PK of the `Vulnerabilities::Read` model to fix the ordering issue. Changelog: fixed EE: true
bc304711 · Mehmet Emin INAC · 005e961d · bc304711 · bc304711 · bc304711
Commit bc304711 authored Mar 22, 2022 by Mehmet Emin INAC
3 changed files
--- a/app/models/vulnerability.rb
+++ b/app/models/vulnerability.rb
@@ -5,6 +5,8 @@ class Vulnerability < ApplicationRecord
  include EachBatch
  include IgnorableColumns

+  alias_attribute :vulnerability_id, :id
+
  def self.link_reference_pattern
    nil
  end

--- a/ee/app/models/vulnerabilities/read.rb
+++ b/ee/app/models/vulnerabilities/read.rb
@@ -3,6 +3,7 @@
 module Vulnerabilities
  class Read < ApplicationRecord
    self.table_name = "vulnerability_reads"
+    self.primary_key = :vulnerability_id

    belongs_to :vulnerability
    belongs_to :project

--- a/ee/spec/graphql/api/vulnerabilities_spec.rb
+++ b/ee/spec/graphql/api/vulnerabilities_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'vulnerabilities' do
+  let_it_be(:project) { create(:project) }
+  let_it_be(:user) { project.first_owner }
+  let_it_be(:vulnerability_1) { create(:vulnerability, project: project) }
+  let_it_be(:vulnerability_2) { create(:vulnerability, project: project) }
+
+  let(:field_args) { nil }
+  let(:query) do
+    %(
+      query {
+        project(fullPath: "#{project.full_path}") {
+          name
+          vulnerabilities#{field_args} {
+            nodes {
+              id
+            }
+            pageInfo {
+              endCursor
+            }
+          }
+        }
+      }
+    )
+  end
+
+  let(:vulnerabilities) { execute.dig('data', 'project', 'vulnerabilities') }
+
+  subject(:execute) { GitlabSchema.execute(query, context: { current_user: user }).as_json }
+
+  before do
+    stub_licensed_features(security_dashboard: true, sast_fp_reduction: true)
+
+    # Creating the findings in different order will force the triggers to
+    # create the `vulnerability_reads` records in specific order.
+    create(:vulnerabilities_finding, vulnerability: vulnerability_2, project: project)
+    create(:vulnerabilities_finding, vulnerability: vulnerability_1, project: project)
+  end
+
+  describe 'nodes' do
+    let(:nodes) { vulnerabilities['nodes'] }
+    let(:vulnerability_ids) { nodes.map { |node| node['id'] } }
+
+    describe 'ordering' do
+      it 'returns the records in correct order' do
+        expect(vulnerability_ids).to eq([vulnerability_2.to_global_id.to_s, vulnerability_1.to_global_id.to_s])
+      end
+    end
+
+    describe 'pagination' do
+      let(:cursor_attributes) { { severity: vulnerability_2.severity, vulnerability_id: vulnerability_2.id.to_s } }
+      let(:end_cursor) { Base64.encode64(cursor_attributes.to_json).chomp }
+      let(:field_args) { "(after: \"#{end_cursor}\")" }
+
+      it 'returns the correct record' do
+        expect(vulnerability_ids).to match_array(vulnerability_1.to_global_id.to_s)
+      end
+    end
+  end
+
+  describe 'pageInfo' do
+    describe 'endCursor' do
+      let(:end_cursor_hash) do
+        vulnerabilities.dig('pageInfo', 'endCursor')
+                       .then { |end_cursor| Base64.decode64(end_cursor) }
+                       .then { |decoded_end_cursor| Gitlab::Json.parse(decoded_end_cursor) }
+      end
+
+      it 'encodes last `vulnerability_id` into the `endCursor`' do
+        expect(end_cursor_hash).to include('vulnerability_id' => vulnerability_1.id.to_s)
+      end
+    end
+  end
+end