Merge branch '33494-delete-stale-deploy-access-levels-by-group' into 'master'

Delete any stale deploy access levels  by group

See merge request gitlab-org/gitlab!20689

db/post_migrate/20191125024005_cleanup_deploy_access_levels_for_removed_groups.rb

+# frozen_string_literal: true
+
+class CleanupDeployAccessLevelsForRemovedGroups < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def up
+    return unless Gitlab.ee?
+
+    delete = <<~SQL
+      DELETE FROM protected_environment_deploy_access_levels d
+      USING protected_environments p
+      WHERE d.protected_environment_id=p.id
+        AND d.group_id IS NOT NULL
+        AND NOT EXISTS (SELECT 1 FROM project_group_links WHERE project_id=p.project_id AND group_id=d.group_id)
+      RETURNING *
+    SQL
+
+    # At the time of writing there are 4 such records on GitLab.com,
+    # execution time is expected to be around 15ms.
+    records = execute(delete)
+
+    logger = Gitlab::BackgroundMigration::Logger.build
+    records.to_a.each do |record|
+      logger.info record.as_json.merge(message: "protected_environments_deploy_access_levels was deleted")
+    end
+  end
+
+  def down
+    # There is no pragmatic way to restore
+    # the records deleted in the `#up` method above.
+  end
+end

ee/changelogs/unreleased/33494-delete-stale-deploy-access-levels-by-group.yml

+---
+title: Delete any stale deploy access levels by group
+merge_request: 20689
+author:
+type: other

ee/spec/migrations/cleanup_deploy_access_levels_for_removed_groups_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+require Rails.root.join('db', 'post_migrate', '20191125024005_cleanup_deploy_access_levels_for_removed_groups.rb')
+
+describe CleanupDeployAccessLevelsForRemovedGroups, :migration do
+  let(:namespaces) { table(:namespaces) }
+  let(:projects) { table(:projects) }
+  let(:groups) { table(:namespaces) }
+  let(:project_group_links) { table(:project_group_links) }
+  let(:protected_environments) { table(:protected_environments) }
+  let(:deploy_access_levels) { table(:protected_environment_deploy_access_levels) }
+
+  it 'removes deploy access levels for removed groups and keeps the rest' do
+    namespace = namespaces.create!(name: 'gitlab', path: 'gitlab')
+    project = projects.create!(namespace_id: namespace.id)
+    protected_environment = protected_environments.create!(project_id: project.id, name: 'production')
+
+    removed_group = namespaces.create!(name: 'removed-group', path: 'removed-group', type: 'Group')
+    legit_group = namespaces.create!(name: 'legit-group', path: 'legit-group', type: 'Group')
+    project_group_links.create!(project_id: project.id, group_id: legit_group.id)
+
+    deploy_access_level_for_removed_group = deploy_access_levels.create!(protected_environment_id: protected_environment.id, group_id: removed_group.id)
+    deploy_access_level_for_legit_group = deploy_access_levels.create!(protected_environment_id: protected_environment.id, group_id: legit_group.id)
+    deploy_access_level_for_access_level = deploy_access_levels.create!(protected_environment_id: protected_environment.id, access_level: Gitlab::Access::MAINTAINER)
+
+    expect { migrate! }.to change { deploy_access_levels.count }.from(3).to(2)
+
+    expect(deploy_access_levels.where(protected_environment_id: protected_environment.id))
+      .to contain_exactly(deploy_access_level_for_legit_group, deploy_access_level_for_access_level)
+
+    expect(deploy_access_levels.find_by_id(deploy_access_level_for_removed_group.id)).to be_nil
+  end
+end