Merge branch 'bwill/update-sbom-occurrences-on-project-archived-event' into 'master'

Add worker to sync sbom_occurrences.archived See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144104 Merged-by: Jessie Young <jessieyoung@gitlab.com> Approved-by: Dylan Griffith <dyl.griffith@gmail.com> Approved-by: Jessie Young <jessieyoung@gitlab.com> Reviewed-by: Brian Williams <bwilliams@gitlab.com> Co-authored-by: Brian Williams <bwilliams@gitlab.com>

Merge branch 'bwill/update-sbom-occurrences-on-project-archived-event' into 'master'
07c03dca · Jessie Young · GitLab · f28139a3 · 64e01da4 · 07c03dca
--- a/config/sidekiq_queues.yml
+++ b/config/sidekiq_queues.yml
@@ -659,6 +659,8 @@
  - 1
 - - sbom_reports
  - 1
+- - sbom_sync_archived_status
+  - 1
 - - sbom_sync_project_traversal_ids
  - 1
 - - search_elastic_default_branch_changed

--- a/ee/app/services/sbom/sync_archived_status_service.rb
+++ b/ee/app/services/sbom/sync_archived_status_service.rb
+# frozen_string_literal: true
+
+module Sbom
+  class SyncArchivedStatusService
+    include Gitlab::Utils::StrongMemoize
+    include Gitlab::ExclusiveLeaseHelpers
+
+    BATCH_SIZE = 100
+    LEASE_TTL = 1.hour
+
+    def initialize(project_id)
+      @project_id = project_id
+    end
+
+    def execute
+      return unless project
+
+      in_lock(lease_key, ttl: LEASE_TTL) { update_archived_status }
+    end
+
+    private
+
+    attr_reader :project_id
+
+    def update_archived_status
+      project.sbom_occurrences.each_batch(of: BATCH_SIZE) do |batch|
+        batch.update_all(archived: project.archived)
+      end
+    end
+
+    def project
+      Project.find_by_id(project_id)
+    end
+    strong_memoize_attr :project
+
+    def lease_key
+      "sync_sbom_occurrences_archived:projects:#{project_id}"
+    end
+  end
+end
--- a/ee/app/workers/all_queues.yml
+++ b/ee/app/workers/all_queues.yml
@@ -1821,6 +1821,15 @@
  :weight: 1
  :idempotent: true
  :tags: []
+- :name: sbom_sync_archived_status
+  :worker_name: Sbom::SyncArchivedStatusWorker
+  :feature_category: :dependency_management
+  :has_external_dependencies: false
+  :urgency: :low
+  :resource_boundary: :unknown
+  :weight: 1
+  :idempotent: true
+  :tags: []
 - :name: sbom_sync_project_traversal_ids
  :worker_name: Sbom::SyncProjectTraversalIdsWorker
  :feature_category: :dependency_management

--- a/ee/app/workers/sbom/sync_archived_status_worker.rb
+++ b/ee/app/workers/sbom/sync_archived_status_worker.rb
+# frozen_string_literal: true
+
+module Sbom
+  class SyncArchivedStatusWorker
+    include Gitlab::EventStore::Subscriber
+
+    data_consistency :always
+    feature_category :dependency_management
+    idempotent!
+
+    def handle_event(event)
+      ::Sbom::SyncArchivedStatusService.new(event.data['project_id']).execute
+    end
+  end
+end
--- a/ee/config/feature_flags/gitlab_com_derisk/sync_project_archival_status_to_sbom_occurrences.yml
+++ b/ee/config/feature_flags/gitlab_com_derisk/sync_project_archival_status_to_sbom_occurrences.yml
+---
+name: sync_project_archival_status_to_sbom_occurrences
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/437636
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/143874
+rollout_issue_url: https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17572
+milestone: '16.10'
+group: group::threat insights
+type: gitlab_com_derisk
+default_enabled: false
--- a/ee/lib/ee/gitlab/event_store.rb
+++ b/ee/lib/ee/gitlab/event_store.rb
@@ -63,6 +63,11 @@ def configure!(store)
                  ::Feature.enabled?(:update_vuln_reads_traversal_ids_via_event,
                    ::Group.find_by_id(event.data['group_id']), type: :gitlab_com_derisk)
                }
+          store.subscribe ::Sbom::SyncArchivedStatusWorker, to: ::Projects::ProjectArchivedEvent,
+            if: ->(event) do
+              project = ::Project.find_by_id(event.data['project_id'])
+              ::Feature.enabled?(:sync_project_archival_status_to_sbom_occurrences, project)
+            end
        end
      end
    end

--- a/ee/spec/services/sbom/sync_archived_status_service_spec.rb
+++ b/ee/spec/services/sbom/sync_archived_status_service_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Sbom::SyncArchivedStatusService, feature_category: :dependency_management do
+  let_it_be(:project) { create(:project, :archived) }
+  let_it_be(:sbom_occurrence) { create(:sbom_occurrence, project: project) }
+  let_it_be(:sbom_occurrence_2) { create(:sbom_occurrence, project: project) }
+
+  let(:project_id) { project.id }
+
+  subject(:sync) { described_class.new(project_id).execute }
+
+  it 'updates sbom_occurrences.archived' do
+    expect { sync }.to change { sbom_occurrence.reload.archived }.from(false).to(true)
+  end
+
+  context 'when project does not exist with id' do
+    let(:project_id) { non_existing_record_id }
+
+    it 'does not raise' do
+      expect { sync }.not_to raise_error
+    end
+  end
+
+  context 'when lease is taken' do
+    include ExclusiveLeaseHelpers
+
+    let_it_be(:other_project) { create(:project) }
+
+    let(:lease_key) { "sync_sbom_occurrences_archived:projects:#{project_id}" }
+    let(:lease_ttl) { 1.hour }
+
+    before do
+      stub_exclusive_lease_taken(lease_key, timeout: lease_ttl)
+    end
+
+    it 'does not permit parallel execution on the same project' do
+      expect { sync }.to raise_error(Gitlab::ExclusiveLeaseHelpers::FailedToObtainLockError)
+                          .and not_change { sbom_occurrence.reload.archived }
+    end
+
+    it 'allows parallel execution on different projects' do
+      expect { described_class.new(other_project.id).execute }.not_to raise_error
+    end
+  end
+end
--- a/ee/spec/workers/sbom/sync_archived_status_worker_spec.rb
+++ b/ee/spec/workers/sbom/sync_archived_status_worker_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Sbom::SyncArchivedStatusWorker, feature_category: :dependency_management, type: :worker do
+  let_it_be(:project) { create(:project) }
+  let_it_be(:sbom_occurrence) { create(:sbom_occurrence, project: project) }
+  let_it_be(:sbom_occurrence_outside_project) { create(:sbom_occurrence) }
+
+  let(:event) do
+    ::Projects::ProjectArchivedEvent.new(data: {
+      project_id: project.id,
+      namespace_id: project.namespace.id,
+      root_namespace_id: project.root_namespace.id
+    })
+  end
+
+  it_behaves_like 'worker with data consistency', described_class, data_consistency: :always
+  it_behaves_like 'subscribes to event'
+
+  subject(:use_event) { consume_event(subscriber: described_class, event: event) }
+
+  it 'updates sbom_occurrences archived status' do
+    project.update!(archived: true)
+
+    expect { use_event }.to change { sbom_occurrence.reload.archived }.from(false).to(true)
+      .and not_change { sbom_occurrence_outside_project.reload.archived }
+  end
+
+  context 'when sync_project_archival_status_to_sbom_occurrences is disabled' do
+    before do
+      stub_feature_flags(sync_project_archival_status_to_sbom_occurrences: false)
+    end
+
+    it_behaves_like 'ignores the published event'
+  end
+end