debian-mirror-gitlab/app/services/users/refresh_authorized_projects_service.rb

144 lines
5 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2017-08-17 22:00:37 +05:30
module Users
# Service for refreshing the authorized projects of a user.
#
# This particular service class can not be used to update data for the same
# user concurrently. Doing so could lead to an incorrect state. To ensure this
# doesn't happen a caller must synchronize access (e.g. using
# `Gitlab::ExclusiveLease`).
#
# Usage:
#
# user = User.find_by(username: 'alice')
# service = Users::RefreshAuthorizedProjectsService.new(some_user)
# service.execute
class RefreshAuthorizedProjectsService
2021-03-11 19:13:27 +05:30
attr_reader :user, :source
2017-08-17 22:00:37 +05:30
LEASE_TIMEOUT = 1.minute.to_i
# user - The User for which to refresh the authorized projects.
2021-03-11 19:13:27 +05:30
def initialize(user, source: nil, incorrect_auth_found_callback: nil, missing_auth_found_callback: nil)
2017-08-17 22:00:37 +05:30
@user = user
2021-03-11 19:13:27 +05:30
@source = source
2020-02-15 18:32:13 +05:30
@incorrect_auth_found_callback = incorrect_auth_found_callback
@missing_auth_found_callback = missing_auth_found_callback
2017-08-17 22:00:37 +05:30
# We need an up to date User object that has access to all relations that
# may have been created earlier. The only way to ensure this is to reload
# the User object.
2019-07-31 22:56:46 +05:30
user.reset
2017-08-17 22:00:37 +05:30
end
def execute
lease_key = "refresh_authorized_projects:#{user.id}"
lease = Gitlab::ExclusiveLease.new(lease_key, timeout: LEASE_TIMEOUT)
until uuid = lease.try_obtain
# Keep trying until we obtain the lease. If we don't do so we may end up
# not updating the list of authorized projects properly. To prevent
# hammering Redis too much we'll wait for a bit between retries.
2017-09-10 17:25:29 +05:30
sleep(0.1)
2017-08-17 22:00:37 +05:30
end
begin
execute_without_lease
ensure
Gitlab::ExclusiveLease.cancel(lease_key, uuid)
end
end
# This method returns the updated User object.
def execute_without_lease
current = current_authorizations_per_project
fresh = fresh_access_levels_per_project
2020-10-24 23:57:45 +05:30
# Delete projects that have more than one authorizations associated with
# the user. The correct authorization is added to the ``add`` array in the
# next stage.
remove = projects_with_duplicates
current.except!(*projects_with_duplicates)
remove |= current.each_with_object([]) do |(project_id, row), array|
2017-08-17 22:00:37 +05:30
# rows not in the new list or with a different access level should be
# removed.
if !fresh[project_id] || fresh[project_id] != row.access_level
2020-02-15 18:32:13 +05:30
if incorrect_auth_found_callback
incorrect_auth_found_callback.call(project_id, row.access_level)
end
2017-08-17 22:00:37 +05:30
array << row.project_id
end
end
add = fresh.each_with_object([]) do |(project_id, level), array|
# rows not in the old list or with a different access level should be
# added.
if !current[project_id] || current[project_id].access_level != level
2020-02-15 18:32:13 +05:30
if missing_auth_found_callback
missing_auth_found_callback.call(project_id, level)
end
2017-08-17 22:00:37 +05:30
array << [user.id, project_id, level]
end
end
update_authorizations(remove, add)
end
# Updates the list of authorizations for the current user.
#
# remove - The IDs of the authorization rows to remove.
# add - Rows to insert in the form `[user id, project id, access level]`
def update_authorizations(remove = [], add = [])
2021-03-11 19:13:27 +05:30
log_refresh_details(remove.length, add.length)
2017-08-17 22:00:37 +05:30
User.transaction do
user.remove_project_authorizations(remove) unless remove.empty?
ProjectAuthorization.insert_authorizations(add) unless add.empty?
end
# Since we batch insert authorization rows, Rails' associations may get
# out of sync. As such we force a reload of the User object.
2019-07-31 22:56:46 +05:30
user.reset
2017-08-17 22:00:37 +05:30
end
2021-03-11 19:13:27 +05:30
def log_refresh_details(rows_deleted, rows_added)
Gitlab::AppJsonLogger.info(event: 'authorized_projects_refresh',
'authorized_projects_refresh.source': source,
'authorized_projects_refresh.rows_deleted': rows_deleted,
'authorized_projects_refresh.rows_added': rows_added)
end
2017-08-17 22:00:37 +05:30
def fresh_access_levels_per_project
fresh_authorizations.each_with_object({}) do |row, hash|
hash[row.project_id] = row.access_level
end
end
def current_authorizations_per_project
current_authorizations.index_by(&:project_id)
end
def current_authorizations
2020-10-24 23:57:45 +05:30
@current_authorizations ||= user.project_authorizations.select(:project_id, :access_level)
2017-08-17 22:00:37 +05:30
end
def fresh_authorizations
2019-10-12 21:52:04 +05:30
Gitlab::ProjectAuthorizations.new(user).calculate
2017-08-17 22:00:37 +05:30
end
2020-02-15 18:32:13 +05:30
private
attr_reader :incorrect_auth_found_callback, :missing_auth_found_callback
2020-10-24 23:57:45 +05:30
def projects_with_duplicates
@projects_with_duplicates ||= current_authorizations
.group_by(&:project_id)
.select { |project_id, authorizations| authorizations.count > 1 }
.keys
end
2017-08-17 22:00:37 +05:30
end
end