From 8e9d5273d432c1f4bcdc98c60635a2bb9c16f162 Mon Sep 17 00:00:00 2001
From: Niklas <mc.taucher2003@gmail.com>
Date: Fri, 17 Nov 2023 09:34:38 +0000
Subject: [PATCH] Add logging for read_namespace usages

---
 app/models/ability.rb                         |  9 +++++
 .../development/log_read_namespace_usages.yml |  8 +++++
 spec/models/ability_spec.rb                   | 34 +++++++++++++++++++
 3 files changed, 51 insertions(+)
 create mode 100644 config/feature_flags/development/log_read_namespace_usages.yml

diff --git a/app/models/ability.rb b/app/models/ability.rb
index b8433191d84fd..f1db4be8eb445 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -78,6 +78,15 @@ def allowed?(user, ability, subject = :global, opts = {})
 
       policy = policy_for(user, subject)
 
+      # https://gitlab.com/gitlab-org/gitlab/-/issues/421150#note_1638311666
+      if ability == :read_namespace && Feature.enabled?(:log_read_namespace_usages, Feature.current_request)
+        Gitlab::AppLogger.info(
+          message: 'Ability is in use',
+          ability: ability,
+          caller_locations: caller_locations(1, 5).map(&:to_s)
+        )
+      end
+
       before_check(policy, ability.to_sym, user, subject, opts)
 
       case opts[:scope]
diff --git a/config/feature_flags/development/log_read_namespace_usages.yml b/config/feature_flags/development/log_read_namespace_usages.yml
new file mode 100644
index 0000000000000..fd844a9c9f5a8
--- /dev/null
+++ b/config/feature_flags/development/log_read_namespace_usages.yml
@@ -0,0 +1,8 @@
+---
+name: log_read_namespace_usages
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136617
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/421150
+milestone: '16.7'
+type: development
+group: group::tenant scale
+default_enabled: false
diff --git a/spec/models/ability_spec.rb b/spec/models/ability_spec.rb
index a808cb1c823e5..35ce678e3a61c 100644
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -483,4 +483,38 @@ def check_ability
       end
     end
   end
+
+  describe '.allowed?' do
+    context 'when used with :read_namespace' do
+      subject(:allowed?) { described_class.allowed?(nil, :read_namespace) }
+
+      before do
+        allow(Gitlab::AppLogger).to receive(:info)
+      end
+
+      it 'logs the usage', :aggregate_failures do
+        allowed?
+
+        expect(Gitlab::AppLogger).to have_received(:info) do |args|
+          expect(args[:message]).to eq('Ability is in use')
+          expect(args[:ability]).to eq(:read_namespace)
+          expect(args[:caller_locations].first)
+            .to include('/spec/models/ability_spec.rb:489:in `block (4 levels) in <top (required)>')
+          expect(args[:caller_locations].length).to eq(5)
+        end
+      end
+
+      context 'when :log_read_namespace_usages feature flag is disabled' do
+        before do
+          stub_feature_flags(log_read_namespace_usages: false)
+        end
+
+        it 'does not log the usage' do
+          allowed?
+
+          expect(Gitlab::AppLogger).not_to have_received(:info)
+        end
+      end
+    end
+  end
 end
-- 
GitLab