Ensure safe tag deletion by using expected_old_oid

What does this MR do and why?

This MR aims to solve issue #384022.

This MR improves tag deletion by introducing an expected_old_oid check to prevent race conditions. The delete only goes through if the tag still points at the SHA the client saw, so a tag that was re-pointed between the client's read and its delete request is not removed unintentionally.

How to set up and validate locally

I tested these changes carefully on my local setup. 

Creating and Deleting Tags

  • Created a new tag in Project Flightjs/Flight (api-test-tag):

    curl --request POST --header "PRIVATE-TOKEN: <token>" \
         --data "tag_name=api-test-tag&ref=master" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags"
    {"name":"api-test-tag","message":"","target":"f15b32277d2c55c6c595845a87109b09c913c556","commit":{"id":"f15b32277d2c55c6c595845a87109b09c913c556","short_id":"f15b3227","created_at":"2017-06-19T14:39:53.000-07:00","parent_ids":["8749d49930866a4871fa086adbd7d2057fcc3ebb"],.....
  • Verified tag creation (GET request):

    curl --header "PRIVATE-TOKEN: <token>" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags/api-test-tag"
    {"name":"api-test-tag","message":"","target":"f15b32277d2c55c6c595845a87109b09c913c556","commit":{"id":"f15b32277d2c55c6c595845a87109b09c913c556","short_id":"f15b3227","created_at":"2017-06-19T14:39:53.000-07:00","parent_ids":["8749d49930866a4871fa086adbd7d2057fcc3ebb"],"title":"v1.5.2",....

Testing Permission Checks

  • Tried deleting the tag with a user having insufficient permissions:

    curl --request DELETE --header "PRIVATE-TOKEN: <limited_user_token>" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags/api-test-tag"
    {"message":"403 Forbidden"}
  • Deleted the tag successfully with correct permissions:

    curl --request DELETE --header "PRIVATE-TOKEN: <token>" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags/api-test-tag"

    Tag deleted.

  • Confirmed tag deletion:

    curl --header "PRIVATE-TOKEN: <token>" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags/api-test-tag"
    {"message":"404 Tag Not Found"}
  • Deleting a non-existent tag returns correct response:

    curl --request DELETE --header "PRIVATE-TOKEN: <token>" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags/non-existent-tag"
    {"message":"404 Tag Not Found"}

Testing expected_old_oid Validation

  • Created tag again to test SHA validation:

    curl --request POST --header "PRIVATE-TOKEN: <token>" \
         --data "tag_name=api-test-tag&ref=master" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags"
    {"name":"api-test-tag","message":"","target":"f15b32277d2c55c6c595845a87109b09c913c556","commit":{"id":"f15b32277d2c55c6c595845a87109b09c913c556","short_id":"f15b3227","created_at":"2017-06-19T14:39:53.000-07:00","parent_ids":["8749d49930866a4871fa086adbd7d2057fcc3ebb"],"title":"v1.5.2"....
  • Attempted to delete with incorrect SHA (expected_old_oid):

    curl --request DELETE --header "PRIVATE-TOKEN: <token>" \
         --data "expected_old_oid=f15b32277d2c55c6c595845a87109b09c913c552" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags/api-test-tag"
    {"message":"expected_old_oid does not match the actual OID"}
  • Deleted successfully when correct SHA provided:

    curl --request DELETE --header "PRIVATE-TOKEN: <token>" \
         --data "expected_old_oid=f15b32277d2c55c6c595845a87109b09c913c556" \
         "http://127.0.0.1:3000/api/v4/projects/7/repository/tags/api-test-tag"

    Tag deletion succeeded

Edited by Siddharth Asthana
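The curl transcript above shows the API behaviour but not the race it is meant to close. The script below is an added example, not code from this MR or from GitLab: it reproduces the same compare-and-delete semantics locally with git's own ref compare-and-swap, `git update-ref -d <ref> <oldvalue>`, which refuses the delete unless the ref currently equals `<oldvalue>`. A throwaway repository with a constructed commit stands in for the Flightjs/Flight project; the tag name api-test-tag is taken from the transcript. Whether GitLab enforces expected_old_oid at this ref-update level or as a separate read-then-delete is not stated on this page; the example shows the guarantee the parameter has to provide for the check to be meaningful under concurrency.

```shell
#!/bin/sh
# Added example (not GitLab code): the compare-and-delete that expected_old_oid
# relies on, shown with git's ref-level CAS. `git update-ref -d <ref> <oldvalue>`
# performs the comparison and the deletion as one locked ref update, so a tag
# re-pointed between a client's read and its delete cannot be removed by mistake.
set -u

# make_repo: throwaway repo with one empty commit and a lightweight tag
# api-test-tag on it. Prints the repo path. Constructed data, not Flightjs/Flight.
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" -c user.name=t -c user.email=t@example.com \
    commit -q --allow-empty -m "initial"
  git -C "$repo" tag api-test-tag
  printf '%s\n' "$repo"
}

# tag_oid <repo> <tag>: current OID of refs/tags/<tag>, empty if the tag is gone.
tag_oid() {
  git -C "$1" rev-parse -q --verify "refs/tags/$2" 2>/dev/null || true
}

# delete_tag_checked <repo> <tag> <expected_old_oid>: delete the tag only if it
# still points at <expected_old_oid>. Exit 0 on deletion; non-zero on mismatch,
# i.e. the "expected_old_oid does not match the actual OID" case from the MR.
delete_tag_checked() {
  git -C "$1" update-ref -d "refs/tags/$2" "$3" 2>/dev/null
}

# demo_race: the scenario the check guards against. A client reads the tag OID,
# a concurrent writer re-points the tag to a new commit, and the client's delete
# with the now-stale OID must be refused, leaving the re-pointed tag intact.
demo_race() {
  repo=$(make_repo)
  stale=$(tag_oid "$repo" api-test-tag)

  # concurrent writer: a second commit, tag force-moved onto it
  git -C "$repo" -c user.name=t -c user.email=t@example.com \
    commit -q --allow-empty -m "second"
  git -C "$repo" tag -f api-test-tag >/dev/null

  if delete_tag_checked "$repo" api-test-tag "$stale"; then
    echo "stale delete succeeded: race NOT prevented"
    return 1
  fi
  # the tag survives and points at the writer's new commit
  [ "$(tag_oid "$repo" api-test-tag)" = "$(git -C "$repo" rev-parse HEAD)" ] || return 1

  # a client that re-reads the OID can delete with the fresh value
  delete_tag_checked "$repo" api-test-tag "$(tag_oid "$repo" api-test-tag)" || return 1
  [ -z "$(tag_oid "$repo" api-test-tag)" ] || return 1

  rm -rf "$repo"
  echo "race prevented: stale delete refused, fresh delete succeeded"
}
```

Run `demo_race` to see both outcomes. The point for review is where the comparison lives: if a server compares the OID in application code and then issues an unconditional delete, the window between the two steps is exactly the race the parameter is supposed to remove, so the expected value has to reach the ref update itself.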
