Skip to content

Fix race condition while creating protected branch rules

Sashi Kumar Kumaresan requested to merge sk/335661-fix-race-condition into master

What does this MR do?

Addresses: #335661 (closed) and #335256 (closed)

While creating a security policy project via the GraphQL mutation, we also create protected branch rules for the default branch with no one having push access and only maintainers having merge access. Since the project is created with a default branch and README file, BranchHookService is executed via post_receive API which also creates protected branch rules for default branch with maintainer having both push and merge access.

Since these 2 execution are independent, they could run in any order. So, there are 2 different branch protection created for the default main branch sometimes: Screenshot_2021-06-29_at_12.32.09_PM

Sometimes branch protection with multiple push and merge accesses are created for default main branch: Screenshot_2021-07-09_at_1.16.01_PM because ProtectedBranch model has accepts_nested_attributes_for push_access_levels and merge_push_levels, so while updating it will create new push_access_levels and merge_push_levels.

Fix

  • Instead of updating the protected branch in Security::SecurityOrchestrationPolicies::ProjectCreateService, delete and recreate it with push and merge access rules
  • Wrap them in a transaction

This MR also addresses 2 other things:

Changelog is not needed because this is still behind a feature flag and it's not enabled by default.

Screenshots or Screencasts (strongly suggested)

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Sashi Kumar Kumaresan

Merge request reports

Loading