Git services: allow updating a single repository (#12429)

When syncing permissions for SSO, we don't need to sync all repositories
the user has access to, we just need to update the permissions of the
repositories that are connected to projects that belong to SSO
organizations. So this adds a way to just update one single repository
at a time for all providers. We don't need to do this for GH app
projects, since they are kept up to date via a webhook.

Since this task should be faster now, we could run it more frequently,
so permissions are reflected faster on RTD.

Author: stsewd

readthedocs/oauth/services/base.py

@@ -15,6 +15,7 @@
 
 from readthedocs.core.permissions import AdminPermission
 from readthedocs.oauth.clients import get_oauth2_client
+from readthedocs.oauth.models import RemoteRepository
 
 
 log = structlog.get_logger(__name__)
@@ -68,6 +69,19 @@ def sync(self):
         """
         raise NotImplementedError
 
+    def update_repository(self, remote_repository: RemoteRepository):
+        """
+        Update a repository using the service API.
+
+        This also updates the user relationship with the repository,
+        if user is an admin or not, and in case the user no longer has access
+        to the repository, the relationship is removed.
+        In the case of services that aren't linked to a user (GitHub Apps),
+        this method will update the permissions of all users that have access
+        to the repository.
+        """
+        raise NotImplementedError
+
     def setup_webhook(self, project, integration=None) -> bool:
         """
         Setup webhook for project.

readthedocs/oauth/services/bitbucket.py

@@ -145,6 +145,43 @@ def create_repository(self, fields, privacy=None):
             repository=fields["name"],
         )
 
+    def update_repository(self, remote_repository: RemoteRepository):
+        # Bitbucket doesn't return the admin status of the user,
+        # so we need to infer it by filtering the repositories the user has admin/read access to.
+        repo_from_admin_access = self._get_repository(remote_repository, role="admin")
+        repo_from_member_access = self._get_repository(remote_repository, role="member")
+        repo = repo_from_admin_access or repo_from_member_access
+        relation = remote_repository.get_remote_repository_relation(self.user, self.account)
+        if not repo:
+            log.info(
+                "User no longer has access to the repository, removing remote relationship.",
+                remote_repository_id=remote_repository.remote_id,
+            )
+            relation.delete()
+            return
+
+        self._update_repository_from_fields(remote_repository, repo)
+        relation.admin = bool(repo_from_admin_access)
+        relation.save()
+
+    def _get_repository(self, remote_repository, role):
+        """
+        Get a single repository by its remote ID where the user has a specific role.
+
+        Bitbucket doesn't provide an endpoint to get a single repository by its ID (it requires the group ID as well),
+        and it also doesn't return the user's role in the repository, so we filter the repositories by role
+        and then look for the repository with the matching ID.
+        """
+        repos = self.paginate(
+            f"{self.base_api_url}/2.0/repositories/",
+            role=role,
+            q=f'uuid="{remote_repository.remote_id}"',
+        )
+        for repo in repos:
+            if repo["uuid"] == remote_repository.remote_id:
+                return repo
+        return None
+
     def _update_repository_from_fields(self, repo, fields):
         # All repositories are created under a workspace,
         # which we consider an organization.

readthedocs/oauth/services/github.py

@@ -82,6 +82,59 @@ def sync_organizations(self):
 
         return organization_remote_ids, []
 
+    def _has_access_to_repository(self, fields):
+        """Check if the user has access to the repository, and if they are an admin."""
+        permissions = fields.get("permissions", {})
+        # If the repo is public, the user can still access it,
+        # so we need to check if the user has any access
+        # to the repository, even if they are not an admin.
+        has_access = any(
+            permissions.get(key, False) for key in ["admin", "maintain", "push", "triage"]
+        )
+        is_admin = permissions.get("admin", False)
+        return has_access, is_admin
+
+    def update_repository(self, remote_repository: RemoteRepository):
+        resp = self.session.get(f"{self.base_api_url}/repositories/{remote_repository.remote_id}")
+
+        # The repo was deleted, or the user does not have access to it.
+        # In any case, we remove the user relationship.
+        if resp.status_code in [403, 404]:
+            log.info(
+                "User no longer has access to the repository, removing remote relationship.",
+                remote_repository=remote_repository.remote_id,
+            )
+            remote_repository.get_remote_repository_relation(self.user, self.account).delete()
+            return
+
+        if resp.status_code != 200:
+            log.warning(
+                "Error fetching repository from GitHub",
+                remote_repository=remote_repository.remote_id,
+                status_code=resp.status_code,
+            )
+            return
+
+        data = resp.json()
+        self._update_repository_from_fields(remote_repository, data)
+
+        has_access, is_admin = self._has_access_to_repository(data)
+        relation = remote_repository.get_remote_repository_relation(
+            self.user,
+            self.account,
+        )
+        if not has_access:
+            # If the user no longer has access to the repository,
+            # we remove the remote relationship.
+            log.info(
+                "User no longer has access to the repository, removing remote relationship.",
+                remote_repository=remote_repository.remote_id,
+            )
+            relation.delete()
+        else:
+            relation.admin = is_admin
+            relation.save()
+
     def create_repository(self, fields, privacy=None):
         """
         Update or create a repository from GitHub API response.
@@ -106,7 +159,8 @@ def create_repository(self, fields, privacy=None):
             remote_repository_relation = repo.get_remote_repository_relation(
                 self.user, self.account
             )
-            remote_repository_relation.admin = fields.get("permissions", {}).get("admin", False)
+            _, is_admin = self._has_access_to_repository(fields)
+            remote_repository_relation.admin = is_admin
             remote_repository_relation.save()
 
             return repo

readthedocs/oauth/services/githubapp.py

@@ -240,6 +240,18 @@ def sync(self):
         ).values_list("remote_id", flat=True)
         self.installation.delete_repositories(repos_to_delete)
 
+    def update_repository(self, remote_repository: RemoteRepository):
+        """
+        Update a single repository from the given remote repository.
+
+        .. note::
+
+           Unlike the other providers, this method doesn't update the
+           `remote_repository` object itself. If you need the updated object,
+           fetch it again from the database.
+        """
+        self.update_or_create_repositories([remote_repository.remote_id])
+
     def update_or_create_repositories(self, repository_ids: list[int]):
         """Update or create repositories from the given list of repository IDs."""
         repositories_to_delete = []

readthedocs/oauth/services/gitlab.py

@@ -139,6 +139,62 @@ def sync_organizations(self):
 
         return organization_remote_ids, []
 
+    def _has_access_to_repository(self, fields):
+        """Check if the user has access to the repository, and if they are an admin."""
+        permissions = fields.get("permissions", {})
+        project_access = permissions.get("project_access") or {}
+        project_access_level = project_access.get("access_level", self.PERMISSION_NO_ACCESS)
+        group_access = permissions.get("group_access") or {}
+        group_access_level = group_access.get("access_level", self.PERMISSION_NO_ACCESS)
+        has_access = (
+            group_access_level != self.PERMISSION_NO_ACCESS
+            or project_access_level != self.PERMISSION_NO_ACCESS
+        )
+        project_admin = project_access_level in (self.PERMISSION_MAINTAINER, self.PERMISSION_OWNER)
+        group_admin = group_access_level in (self.PERMISSION_MAINTAINER, self.PERMISSION_OWNER)
+        return has_access, project_admin or group_admin
+
+    def update_repository(self, remote_repository: RemoteRepository):
+        resp = self.session.get(
+            f"{self.base_api_url}/api/v4/projects/{remote_repository.remote_id}"
+        )
+
+        if resp.status_code in [403, 404]:
+            log.info(
+                "User no longer has access to the repository, removing remote relationship.",
+                remote_repository_id=remote_repository.remote_id,
+            )
+            remote_repository.get_remote_repository_relation(self.user, self.account).delete()
+            return
+
+        if resp.status_code != 200:
+            log.warning(
+                "Error fetching repository from GitLab",
+                remote_repository_id=remote_repository.remote_id,
+                status_code=resp.status_code,
+            )
+            return
+
+        data = resp.json()
+        self._update_repository_from_fields(remote_repository, data)
+
+        has_access, is_admin = self._has_access_to_repository(data)
+        relation = remote_repository.get_remote_repository_relation(
+            self.user,
+            self.account,
+        )
+        if not has_access:
+            # If the user no longer has access to the repository,
+            # we remove the remote relationship.
+            log.info(
+                "User no longer has access to the repository, removing remote relationship.",
+                remote_repository=remote_repository.remote_id,
+            )
+            relation.delete()
+        else:
+            relation.admin = is_admin
+            relation.save()
+
     def create_repository(self, fields, privacy=None):
         """
         Update or create a repository from GitLab API response.
@@ -168,23 +224,8 @@ def create_repository(self, fields, privacy=None):
             remote_repository_relation = repo.get_remote_repository_relation(
                 self.user, self.account
             )
-
-            project_access_level = group_access_level = self.PERMISSION_NO_ACCESS
-
-            project_access = fields.get("permissions", {}).get("project_access", {})
-            if project_access:
-                project_access_level = project_access.get("access_level", self.PERMISSION_NO_ACCESS)
-
-            group_access = fields.get("permissions", {}).get("group_access", {})
-            if group_access:
-                group_access_level = group_access.get("access_level", self.PERMISSION_NO_ACCESS)
-
-            remote_repository_relation.admin = any(
-                [
-                    project_access_level in (self.PERMISSION_MAINTAINER, self.PERMISSION_OWNER),
-                    group_access_level in (self.PERMISSION_MAINTAINER, self.PERMISSION_OWNER),
-                ]
-            )
+            _, is_admin = self._has_access_to_repository(fields)
+            remote_repository_relation.admin = is_admin
             remote_repository_relation.save()
 
             return repo

readthedocs/oauth/tasks.py

@@ -10,7 +10,6 @@
 from django.utils import timezone
 
 from readthedocs.api.v2.views.integrations import ExternalVersionData
-from readthedocs.core.permissions import AdminPermission
 from readthedocs.core.utils.tasks import PublicTask
 from readthedocs.core.utils.tasks import user_id_matches_or_superuser
 from readthedocs.core.views.hooks import VersionInfo
@@ -21,13 +20,14 @@
 from readthedocs.core.views.hooks import trigger_sync_versions
 from readthedocs.notifications.models import Notification
 from readthedocs.oauth.clients import get_gh_app_client
+from readthedocs.oauth.constants import GITHUB_APP
 from readthedocs.oauth.models import GitHubAppInstallation
+from readthedocs.oauth.models import RemoteRepository
 from readthedocs.oauth.notifications import MESSAGE_OAUTH_WEBHOOK_INVALID
 from readthedocs.oauth.notifications import MESSAGE_OAUTH_WEBHOOK_NO_ACCOUNT
 from readthedocs.oauth.notifications import MESSAGE_OAUTH_WEBHOOK_NO_PERMISSIONS
 from readthedocs.oauth.services.base import SyncServiceError
 from readthedocs.oauth.utils import SERVICE_MAP
-from readthedocs.organizations.models import Organization
 from readthedocs.projects.models import Project
 from readthedocs.sso.models import SSOIntegration
 from readthedocs.vcs_support.backends.git import parse_version_from_ref
@@ -70,49 +70,40 @@ def sync_remote_repositories(user_id):
 
 
 @app.task(queue="web")
-def sync_remote_repositories_organizations(organization_slugs=None):
+def sync_remote_repositories_from_sso_organizations():
     """
-    Re-sync users member of organizations.
+    Re-sync all remote repositories from organizations with SSO enabled.
 
-    It will trigger one `sync_remote_repositories` task per user.
+    This is useful, so all the remote repositories are up to date with the
+    latest permissions from their providers.
 
-    :param organization_slugs: list containg organization's slugs to sync. If
-    not passed, all organizations with ALLAUTH SSO enabled will be synced
-
-    :type organization_slugs: list
+    We ignore repositories from GitHub App installations, since they are kept
+    up to date via webhooks. For all the other services, we need to sync the
+    repository for each user that has access to it, since we need to check for
+    their permissions individually.
     """
-    if organization_slugs:
-        query = Organization.objects.filter(slug__in=organization_slugs)
-        log.info(
-            "Triggering SSO re-sync for organizations.",
-            organization_slugs=organization_slugs,
-            count=query.count(),
-        )
-    else:
-        organization_ids = SSOIntegration.objects.filter(
-            provider=SSOIntegration.PROVIDER_ALLAUTH
-        ).values_list("organization", flat=True)
-        query = Organization.objects.filter(id__in=organization_ids)
-        log.info(
-            "Triggering SSO re-sync for all organizations.",
-            count=query.count(),
-        )
-
-    n_task = -1
-    for organization in query:
-        members = AdminPermission.members(organization)
-        log.info(
-            "Triggering SSO re-sync for organization.",
-            organization_slug=organization.slug,
-            count=members.count(),
+    repositories = (
+        RemoteRepository.objects.filter(
+            projects__organizations__ssointegration__provider=SSOIntegration.PROVIDER_ALLAUTH,
         )
-        for user in members:
-            n_task += 1
-            sync_remote_repositories.apply_async(
-                args=[user.pk],
-                # delay the task by 0, 5, 10, 15, ... seconds
-                countdown=n_task * 5,
-            )
+        .exclude(vcs_provider=GITHUB_APP)
+        .distinct()
+    )
+    for repository in repositories.iterator():
+        service_class = repository.get_service_class()
+        relations = repository.remote_repository_relations.select_related("user", "account")
+        for relation in relations.iterator():
+            service = service_class(user=relation.user, account=relation.account)
+            try:
+                service.update_repository(repository)
+            except Exception:
+                log.info(
+                    "There was a problem updating repository for user.",
+                    user_username=relation.user.username,
+                    account_uid=relation.account.uid,
+                    repository_remote_id=repository.remote_id,
+                    repository_name=repository.full_name,
+                )
 
 
 @app.task(