Merge branch...

Merge branch '322442-create-specialized-worker-for-refreshing-project-authorizations-during-project-share-update' into 'master'

Use specialized worker to refresh authorizations on project-group share update

See merge request gitlab-org/gitlab!61964

app/services/projects/group_links/update_service.rb

@@ -12,15 +12,29 @@ module Projects
       def execute(group_link_params)
         group_link.update!(group_link_params)
 
-        if requires_authorization_refresh?(group_link_params)
-          group_link.group.refresh_members_authorized_projects
-        end
+        refresh_authorizations if requires_authorization_refresh?(group_link_params)
       end
 
       private
 
       attr_reader :group_link
 
+      def refresh_authorizations
+        if Feature.enabled?(:specialized_worker_for_project_share_update_auth_recalculation)
+          AuthorizedProjectUpdate::ProjectRecalculateWorker.perform_async(project.id)
+
+          # Until we compare the inconsistency rates of the new specialized worker and
+          # the old approach, we still run AuthorizedProjectsWorker
+          # but with some delay and lower urgency as a safety net.
+          group_link.group.refresh_members_authorized_projects(
+            blocking: false,
+            priority: UserProjectAccessChangedService::LOW_PRIORITY
+          )
+        else
+          group_link.group.refresh_members_authorized_projects
+        end
+      end
+
       def requires_authorization_refresh?(params)
         params.include?(:group_access)
       end

config/feature_flags/development/specialized_worker_for_project_share_update_auth_recalculation.yml

+---
+name: specialized_worker_for_project_share_update_auth_recalculation
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61964
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/334234
+milestone: '14.1'
+type: development
+group: group::access
+default_enabled: false

spec/services/projects/group_links/update_service_spec.rb

@@ -32,25 +32,87 @@ RSpec.describe Projects::GroupLinks::UpdateService, '#execute' do
     expect(link.expires_at).to eq(expiry_date)
   end
 
-  it 'updates project permissions' do
-    expect { subject }.to change { user.can?(:create_release, project) }.from(true).to(false)
-  end
+  context 'project authorizations update' do
+    context 'when the feature flag `specialized_worker_for_project_share_update_auth_recalculation` is enabled' do
+      before do
+        stub_feature_flags(specialized_worker_for_project_share_update_auth_recalculation: true)
+      end
+
+      it 'calls AuthorizedProjectUpdate::ProjectRecalculateWorker to update project authorizations' do
+        expect(AuthorizedProjectUpdate::ProjectRecalculateWorker)
+          .to receive(:perform_async).with(link.project.id)
+
+        subject
+      end
+
+      it 'calls AuthorizedProjectUpdate::UserRefreshFromReplicaWorker with a delay to update project authorizations' do
+        expect(AuthorizedProjectUpdate::UserRefreshFromReplicaWorker).to(
+          receive(:bulk_perform_in)
+            .with(1.hour,
+                  [[user.id]],
+                  batch_delay: 30.seconds, batch_size: 100)
+        )
+
+        subject
+      end
 
-  it 'executes UserProjectAccessChangedService' do
-    expect_next_instance_of(UserProjectAccessChangedService) do |service|
-      expect(service).to receive(:execute)
+      it 'updates project authorizations of users who had access to the project via the group share', :sidekiq_inline do
+        group.add_maintainer(user)
+
+        expect { subject }.to(
+          change { Ability.allowed?(user, :create_release, project) }
+            .from(true).to(false))
+      end
     end
 
-    subject
+    context 'when the feature flag `specialized_worker_for_project_share_update_auth_recalculation` is disabled' do
+      before do
+        stub_feature_flags(specialized_worker_for_project_share_update_auth_recalculation: false)
+      end
+
+      it 'calls UserProjectAccessChangedService to update project authorizations' do
+        expect_next_instance_of(UserProjectAccessChangedService, [user.id]) do |service|
+          expect(service).to receive(:execute)
+        end
+
+        subject
+      end
+
+      it 'updates project authorizations of users who had access to the project via the group share' do
+        group.add_maintainer(user)
+
+        expect { subject }.to(
+          change { Ability.allowed?(user, :create_release, project) }
+            .from(true).to(false))
+      end
+    end
   end
 
   context 'with only param not requiring authorization refresh' do
     let(:group_link_params) { { expires_at: Date.tomorrow } }
 
-    it 'does not execute UserProjectAccessChangedService' do
-      expect(UserProjectAccessChangedService).not_to receive(:new)
+    context 'when the feature flag `specialized_worker_for_project_share_update_auth_recalculation` is enabled' do
+      before do
+        stub_feature_flags(specialized_worker_for_project_share_update_auth_recalculation: true)
+      end
+
+      it 'does not perform any project authorizations update using `AuthorizedProjectUpdate::ProjectRecalculateWorker`' do
+        expect(AuthorizedProjectUpdate::ProjectRecalculateWorker).not_to receive(:perform_async)
+
+        subject
+      end
+    end
+
+    context 'when the feature flag `specialized_worker_for_project_share_update_auth_recalculation` is disabled' do
+      before do
+        stub_feature_flags(specialized_worker_for_project_share_update_auth_recalculation: false)
+      end
+
+      it 'does not perform any project authorizations update using `UserProjectAccessChangedService`' do
+        expect(UserProjectAccessChangedService).not_to receive(:new)
 
-      subject
+        subject
+      end
     end
   end
 end