Resolve "Set `vulnerability_occurrences` schema to`gitlab_sec`"

02087f7d · Gregory Havenga · GitLab · 73ff1406 · 02087f7d · 02087f7d
Verified Commit 02087f7d authored 5 months ago by Gregory Havenga Committed by GitLab 5 months ago
--- a/config/gitlab_loose_foreign_keys.yml
+++ b/config/gitlab_loose_foreign_keys.yml
@@ -592,6 +592,9 @@ vulnerability_occurrences:
  - table: ci_pipelines
    column: latest_pipeline_id
    on_delete: async_nullify
+  - table: projects
+    column: project_id
+    on_delete: async_delete
 vulnerability_remediations:
  - table: projects
    column: project_id

--- a/db/docs/vulnerability_occurrences.yml
+++ b/db/docs/vulnerability_occurrences.yml
@@ -7,8 +7,6 @@ feature_categories:
 description: Stores information about findings for a given vulnerability
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/6896
 milestone: '11.4'
-gitlab_schema: gitlab_main_cell
-allow_cross_foreign_keys:
- gitlab_main_clusterwide
+gitlab_schema: gitlab_sec
 sharding_key:
  project_id: projects
--- a/db/gitlab_schemas/gitlab_sec.yaml
+++ b/db/gitlab_schemas/gitlab_sec.yaml
@@ -2,6 +2,9 @@ name: gitlab_sec
 description: Schema for all Cell-local Security features.
 allow_cross_joins:
  - gitlab_shared
+  - gitlab_main:
+      specific_tables:
+      - vulnerability_state_transitions
  - gitlab_main_cell:
      specific_tables:
      - security_findings
@@ -51,6 +54,9 @@ allow_cross_joins:
 allow_cross_transactions:
  - gitlab_internal
  - gitlab_shared
+  - gitlab_main:
+      specific_tables:
+      - vulnerability_state_transitions
  - gitlab_main_cell:
      specific_tables:
      - security_findings
@@ -98,6 +104,9 @@ allow_cross_transactions:
      - dast_site_validations
      - dast_sites
 allow_cross_foreign_keys:
+  - gitlab_main:
+      specific_tables:
+      - vulnerability_state_transitions
  - gitlab_main_cell:
      specific_tables:
      - security_findings

--- a/db/post_migrate/20240514030609_queue_backfill_finding_initial_pipeline_id.rb
+++ b/db/post_migrate/20240514030609_queue_backfill_finding_initial_pipeline_id.rb
@@ -12,17 +12,21 @@ class QueueBackfillFindingInitialPipelineId < Gitlab::Database::Migration[2.2]
  restrict_gitlab_migration gitlab_schema: :gitlab_main

  def up
-    queue_batched_background_migration(
-      MIGRATION,
-      :vulnerability_occurrences,
-      :id,
-      job_interval: DELAY_INTERVAL,
-      batch_size: BATCH_SIZE,
-      sub_batch_size: SUB_BATCH_SIZE
-    )
+    Gitlab::Database::QueryAnalyzers::RestrictAllowedSchemas.with_suppressed do
+      queue_batched_background_migration(
+        MIGRATION,
+        :vulnerability_occurrences,
+        :id,
+        job_interval: DELAY_INTERVAL,
+        batch_size: BATCH_SIZE,
+        sub_batch_size: SUB_BATCH_SIZE
+      )
+    end
  end

  def down
-    delete_batched_background_migration(MIGRATION, :vulnerability_occurrences, :id, [])
+    Gitlab::Database::QueryAnalyzers::RestrictAllowedSchemas.with_suppressed do
+      delete_batched_background_migration(MIGRATION, :vulnerability_occurrences, :id, [])
+    end
  end
 end
--- a/db/post_migrate/20240830140656_remove_projects_vulnerability_occurrences_project_id_fk.rb
+++ b/db/post_migrate/20240830140656_remove_projects_vulnerability_occurrences_project_id_fk.rb
+# frozen_string_literal: true
+
+class RemoveProjectsVulnerabilityOccurrencesProjectIdFk < Gitlab::Database::Migration[2.2]
+  milestone '17.4'
+  disable_ddl_transaction!
+
+  FOREIGN_KEY_NAME = "fk_rails_90fed4faba"
+
+  def up
+    with_lock_retries do
+      remove_foreign_key_if_exists(:vulnerability_occurrences, :projects,
+        name: FOREIGN_KEY_NAME, reverse_lock_order: true)
+    end
+  end
+
+  def down
+    add_concurrent_foreign_key(:vulnerability_occurrences, :projects,
+      name: FOREIGN_KEY_NAME, column: :project_id,
+      target_column: :id, on_delete: :cascade)
+  end
+end
--- a/db/schema_migrations/20240830140656
+++ b/db/schema_migrations/20240830140656
+24496cfd69cb3d72d386592047f6053ac343aaa6d9966ecf420a7b3c101b3e12
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -35609,9 +35609,6 @@ ALTER TABLE ONLY ci_pipelines_config
 ALTER TABLE ONLY approval_project_rules_groups
    ADD CONSTRAINT fk_rails_9071e863d1 FOREIGN KEY (approval_project_rule_id) REFERENCES approval_project_rules(id) ON DELETE CASCADE;
  
-ALTER TABLE ONLY vulnerability_occurrences
-    ADD CONSTRAINT fk_rails_90fed4faba FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
-
 ALTER TABLE ONLY project_error_tracking_settings
    ADD CONSTRAINT fk_rails_910a2b8bd9 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
  
--- a/ee/app/models/vulnerabilities/finding.rb
+++ b/ee/app/models/vulnerabilities/finding.rb
 # frozen_string_literal: true

 module Vulnerabilities
-  class Finding < ApplicationRecord
+  class Finding < Gitlab::Database::SecApplicationRecord
    include ShaAttribute
    include ::Gitlab::Utils::StrongMemoize
    include Presentable

--- a/ee/spec/models/vulnerabilities/finding_spec.rb
+++ b/ee/spec/models/vulnerabilities/finding_spec.rb
@@ -1722,4 +1722,11 @@
      expect(finding.ai_resolution_available?).to be false
    end
  end
+
+  context 'with loose foreign key on vulnerability_occurrences.project_id' do
+    it_behaves_like 'cleanup by a loose foreign key' do
+      let_it_be(:parent) { create(:project) }
+      let_it_be(:model) { create(:vulnerabilities_finding, vulnerability_project: parent) }
+    end
+  end
 end
--- a/spec/lib/gitlab/database/migration_helpers/restrict_gitlab_schema_spec.rb
+++ b/spec/lib/gitlab/database/migration_helpers/restrict_gitlab_schema_spec.rb
@@ -412,7 +412,7 @@ def down
              ci: :runtime_error
            },
            gitlab_schema_gitlab_main: {
-              main: :success,
+              main: :dml_access_denied,
              ci: :skipped
            }
          }