"Empty" project level approval rule created when using `user_ids` or `group_ids` when using the API
Summary
"Empty" (and invalid?) project level approval rule created when using user_ids or group_ids when using the API.
Steps to reproduce
- Create a new project
- Use the API to create new approval rules
# Using `group_ids` - Doesn't work
$ curl --request POST --header "PRIVATE-TOKEN: <TOKEN>" --header 'Content-Type: application/json' --data '{"name": "test5", "approvals_required": 1, "rule_type": "regular", "group_ids": [68871993]}' https://gitlab.com/api/v4/projects/46873013/approval_rules
{"id":15789224,"name":"test5","rule_type":"regular","eligible_approvers":[],"approvals_required":1,"users":[],"groups":[],"contains_hidden_groups":false,"protected_branches":[],"applies_to_all_protected_branches":false}
# Using `groups` - Works
$ curl --request POST --header "PRIVATE-TOKEN: <TOKEN>" --header 'Content-Type: application/json' --data '{"name": "test4", "approvals_required": 1, "rule_type": "regular", "groups": [68871993]}' https://gitlab.com/api/v4/projects/46873013/approval_rules
{"id":15789123,"name":"test4","rule_type":"regular","eligible_approvers":[{"id":7685703,"username":"kenneth","name":"Kenneth Chu","state":"active"...<REDACTED for simplicity>...}
# Using `user_ids` - Doesn't work
$ curl --request POST --header "PRIVATE-TOKEN: TOKEN" --header 'Content-Type: application/json' --data '{"name": "userids_test", "approvals_required": 1, "rule_type": "regular", "user_ids": [9323986, 7685703]}' https://gitlab.com/api/v4/projects/46873013/approval_rules
{"id":15789763,"name":"userids_test","rule_type":"regular","eligible_approvers":[],"approvals_required":1,"users":[],"groups":[],"contains_hidden_groups":false,"protected_branches":[],"applies_to_all_protected_branches":false}- In addition, there is a weird behaviour when the rule_type is
any_approver, where the API returns that the rule was successfully created, but doesn't show up in the UI at all.
$ curl --request POST --header "PRIVATE-TOKEN: TOKEN" --header 'Content-Type: application/json' --data '{"name": "test7", "approvals_required": 1, "rule_type": "any_approver", "groups": [68871993, 16207900]}' https://gitlab.com/api/v4/projects/46873013/approval_rules
{"id":15789963,"name":"test7","rule_type":"any_approver","eligible_approvers":[{"id":7685703,"username":"kenneth","name":"Kenneth Chu","state":"active"...<REDACTED for simplicity>...}Example Project
For GitLab team members, they can look at the project here: https://gitlab.com/gitlab-silver/kenneth-silver/zd418859-project/-/settings/merge_requests
What is the current bug behavior?
Project level approval rules created with user_ids or group_ids creates an "empty" rule.
What is the expected correct behavior?
Project level approval rules created with user_ids or group_ids creates a valid rule.
Relevant logs and/or screenshots
- API response: (
GETon https://gitlab.com/api/v4/projects/46873013/approval_rules)
[
{
"id": 15789963,
"name": "test7",
"rule_type": "any_approver",
"eligible_approvers": [
{
"username": "kenneth",
"name": "Kenneth Chu",
...
...
},
{
"id": 9323986,
"username": "kenneth-auditor",
"name": "Kenneth Chu",
...
...
},
{
"id": 9671016,
"username": "dkua1",
"name": "Daphne Kua",
...
...
}
],
"approvals_required": 1,
"users": [],
"groups": [],
"contains_hidden_groups": false,
"protected_branches": [],
"applies_to_all_protected_branches": false
},
{
"id": 15789123,
"name": "test4",
"rule_type": "regular",
"eligible_approvers": [
{
"id": 7685703,
"username": "kenneth",
"name": "Kenneth Chu",
...
...
},
{
"id": 9323986,
"username": "kenneth-auditor",
"name": "Kenneth Chu",
...
...
}
],
"approvals_required": 1,
"users": [],
"groups": [
{
"id": 68871993,
"web_url": "https://gitlab.com/groups/gitlab-silver/kenneth-silver/zd418859-approvers",
"name": "ZD418859-approvers",
"path": "zd418859-approvers",
...
}
],
"contains_hidden_groups": false,
"protected_branches": [],
"applies_to_all_protected_branches": false
},
{
"id": 15789224,
"name": "test5",
"rule_type": "regular",
"eligible_approvers": [],
"approvals_required": 1,
"users": [],
"groups": [],
"contains_hidden_groups": false,
"protected_branches": [],
"applies_to_all_protected_branches": false
},
{
"id": 15789760,
"name": "test6",
"rule_type": "regular",
"eligible_approvers": [],
"approvals_required": 1,
"users": [],
"groups": [],
"contains_hidden_groups": false,
"protected_branches": [],
"applies_to_all_protected_branches": false
},
{
"id": 15789763,
"name": "userids_test",
"rule_type": "regular",
"eligible_approvers": [],
"approvals_required": 1,
"users": [],
"groups": [],
"contains_hidden_groups": false,
"protected_branches": [],
"applies_to_all_protected_branches": false
}
]- Rules are created in the UI, but show up with no approvers. NOTE that the
test7rule does not show up in the UI at all.
Output of checks
This bug happens on GitLab.com - GitLab Enterprise Edition 16.1.0-pre 1033acf5311
Possible fixes
I've tried to do a bit of digging as to what may have changed, here is what I've found so far.
- API code: https://gitlab.com/gitlab-org/gitlab/-/blob/b8d4ff88fe70c9f4b13e356cf6c3c7c771bb5e3d/ee/lib/api/project_approval_rules.rb#L39-41
- Which uses this helper: https://gitlab.com/gitlab-org/gitlab/-/blob/9177cc2445744b584ff24e81c62839c6500f3f04/ee/lib/api/helpers/project_approval_rules_helpers.rb#L13
- Which uses this validation: https://gitlab.com/gitlab-org/gitlab/-/blob/9177cc2445744b584ff24e81c62839c6500f3f04/lib/api/validations/types/comma_separated_to_integer_array.rb
- And going by the commit history (and mentioned in the helper file), the validation uses the functions from the
grapegem.
I found this MR that updates the grape gem, and the update was deployed to gitlab.com on June 13th, which seems to fit the timeframe of when the customer I was helping mentioned this started.
Workaround
use groups and users rather than group_ids and user_ids
Activity
SaaS customer with premium license ran into this issue, stating they started noticing this issue "yesterday" -- no set timeframe. (The ticket was created at approximately 19:00 June 14th UTC)
Going by the release tools bot in Update `grape` gem to version 1.7.0 (!112854 - merged), the update to the grape gem was deployed to gitlab.com at 19:21 June 12th UTC, so that somewhat fits the time.
Internal ZD ticket: https://gitlab.zendesk.com/agent/tickets/418859
Edited by Kenneth Chu
The second test below fails using Grape
1.7.0and passes if Grape is downgraded to1.5.2diff --git a/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb b/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb index 6733904609e9..f933a776badb 100644 --- a/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb +++ b/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb @@ -182,6 +182,20 @@ end end + context 'with a group' do + it 'returns a group' do + post api(url, current_user), params: params.merge!(groups: [group.id]) + expect(json_response['groups'].size).to be 1 + end + + context 'using an alias' do + it 'returns a group' do + post api(url, current_user), params: params.merge!(group_ids: [group.id]) + expect(json_response['groups'].size).to be 1 + end + end + end + context 'with valid scanners' do let(:scanners) { ['sast'] }-
Perhaps it is related to https://github.com/ruby-grape/grape/blob/master/UPGRADING.md#parameter-renaming-with-as
WDYT @vyaklushin ?
Thanks for the ping and a test for confirm this problem @jay_mccure!
I think you are right, I see usage of
asfor this endpoint: https://gitlab.com/gitlab-org/security/gitlab/blob/f250f01a596837ed480240fe08db99816bc2f405/ee/lib/api/helpers/project_approval_rules_helpers.rb#L12.I will work on the fix now.
-
The fix is ready: !123779 (merged).
assigned to @vyaklushin
changed milestone to %16.1
added workflowin dev label
added workflowin review label and removed workflowin dev label
mentioned in commit bdd30c47
mentioned in merge request !123779 (merged)
mentioned in commit 00f5fcc4
mentioned in commit 954485c0
Setting label(s) Category:Source Code Management based on groupsource code.
added Category:Source Code Management label
A large customer is facing this issue, and it is impacting their ability to manage projects.
Zendesk ticket (internal only): https://gitlab.zendesk.com/agent/tickets/419468
GitLab Premium customer is impacted by the issue - ZD(Internal)
mentioned in merge request !123159 (merged)
FYI, this issue is potentially impacting the gitlab-terraform-provider as well, causing nightly tests to fail due to returning an empty payload on one of the attributes
Hello @PatrickRice, this issue has already had an impact on the terraform provider. We are waiting for a release to fix the terraform provider.
from what I see in the lib go used, it's the
group_idsattribute used. https://github.com/xanzy/go-gitlab/blob/85fa21c71b6efd2cb0466eac689f528bfb679c50/projects.go#LL1808C2-L1808C10Hey @matthieu.cuny - Looks like based on @vyaklushin 's comment that this should be resolved now, and indeed I'm seeing green on the terraform provider pipeline that ran after it was merged. This only impacted nightly builds (or SaaS), and should be working properly via TF now if you attempt to re-run your configuration even without an update to the terraform provider.
If there is another issue, would you mind opening a bug report on the terraform provider so we can investigate? Thanks for the report!
added workflowverification label and removed workflowin review label
-
Update
The fix was deployed on GitLab.com: !123779 (merged). If it still doesn't work for you, please let me know.
added workflowcomplete label and removed workflowverification label
