Measure create, update and delete operation error on Release

This commit measures the write operations on Release entries by lacking protected tag access.

Measure create, update and delete operation error on Release
This commit measures the write operations on Release entries by lacking protected tag access.
6f4b0524 · Shinya Maeda · 3ccbb949 · 6f4b0524 · 6f4b0524 · 6f4b0524
Commit 6f4b0524 authored Jul 02, 2021 by Shinya Maeda
7 changed files
--- a/app/services/releases/base_service.rb
+++ b/app/services/releases/base_service.rb
@@ -5,6 +5,8 @@ module Releases
    include BaseServiceUtility
    include Gitlab::Utils::StrongMemoize
+    ReleaseProtectedTagAccessError = Class.new(StandardError)
    attr_accessor :project, :current_user, :params
    def initialize(project, user = nil, params = {})
@@ -81,6 +83,15 @@ module Releases
      release.execute_hooks(action)
    end
+    def track_protected_tag_access_error!
+      unless ::Gitlab::UserAccess.new(current_user, container: project).can_create_tag?(tag_name)
+        Gitlab::ErrorTracking.log_exception(
+          ReleaseProtectedTagAccessError.new,
+          project_id: project.id,
+          user_id: current_user.id)
+      end
+    end
    # overridden in EE
    def project_group_id; end
  end

--- a/app/services/releases/create_service.rb
+++ b/app/services/releases/create_service.rb
@@ -7,6 +7,8 @@ module Releases
      return error('Release already exists', 409) if release
      return error("Milestone(s) not found: #{inexistent_milestones.join(', ')}", 400) if inexistent_milestones.any?
+      track_protected_tag_access_error!
      # should be found before the creation of new tag
      # because tag creation can spawn new pipeline
      # which won't have any data for evidence yet

--- a/app/services/releases/destroy_service.rb
+++ b/app/services/releases/destroy_service.rb
@@ -6,6 +6,8 @@ module Releases
      return error('Release does not exist', 404) unless release
      return error('Access Denied', 403) unless allowed?
+      track_protected_tag_access_error!
      if release.destroy
        success(tag: existing_tag, release: release)
      else

--- a/app/services/releases/update_service.rb
+++ b/app/services/releases/update_service.rb
@@ -7,6 +7,8 @@ module Releases
        return error
      end
+      track_protected_tag_access_error!
      if param_for_milestone_titles_provided?
        previous_milestones = release.milestones.map(&:title)
        params[:milestones] = milestones

--- a/spec/services/releases/create_service_spec.rb
+++ b/spec/services/releases/create_service_spec.rb
@@ -44,6 +44,21 @@ RSpec.describe Releases::CreateService do
    it_behaves_like 'a successful release creation'
+    context 'when tag is protected and user does not have access to it' do
+      let!(:protected_tag) { create(:protected_tag, :no_one_can_create, name: '*', project: project) }
+      it 'track the error event' do
+        stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
+        expect(Gitlab::ErrorTracking).to receive(:log_exception).with(
+          kind_of(described_class::ReleaseProtectedTagAccessError),
+          project_id: project.id,
+          user_id: user.id)
+        service.execute
+      end
+    end
    context 'when the tag does not exist' do
      let(:tag_name) { 'non-exist-tag' }

--- a/spec/services/releases/destroy_service_spec.rb
+++ b/spec/services/releases/destroy_service_spec.rb
@@ -28,6 +28,21 @@ RSpec.describe Releases::DestroyService do
      it 'returns the destroyed object' do
        is_expected.to include(status: :success, release: release)
      end
+      context 'when tag is protected and user does not have access to it' do
+        let!(:protected_tag) { create(:protected_tag, :no_one_can_create, name: '*', project: project) }
+        it 'track the error event' do
+          stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
+          expect(Gitlab::ErrorTracking).to receive(:log_exception).with(
+            kind_of(described_class::ReleaseProtectedTagAccessError),
+            project_id: project.id,
+            user_id: user.id)
+          service.execute
+        end
+      end
    end
    context 'when tag does not exist in the repository' do

--- a/spec/services/releases/update_service_spec.rb
+++ b/spec/services/releases/update_service_spec.rb
@@ -38,6 +38,21 @@ RSpec.describe Releases::UpdateService do
      service.execute
    end
+    context 'when tag is protected and user does not have access to it' do
+      let!(:protected_tag) { create(:protected_tag, :no_one_can_create, name: '*', project: project) }
+      it 'track the error event' do
+        stub_feature_flags(evalute_protected_tag_for_release_permissions: false)
+        expect(Gitlab::ErrorTracking).to receive(:log_exception).with(
+          kind_of(described_class::ReleaseProtectedTagAccessError),
+          project_id: project.id,
+          user_id: user.id)
+        service.execute
+      end
+    end
    context 'when the tag does not exists' do
      let(:tag_name) { 'foobar' }