zulip/tools
Zixuan James Li a081428ad2 user_groups: Make locks required for updating user group memberships.
**Background**

User groups are expected to comply with the DAG constraint for the
many-to-many inter-group membership. The check for this constraint has
to be performed recursively so that we can find all direct and indirect
subgroups of the user group to be added.

This kind of check is vulnerable to phantom reads which is possible at
the default read committed isolation level because we cannot guarantee
that the check is still valid when we are adding the subgroups to the
user group.

**Solution**

To avoid having another transaction concurrently update one of the
to-be-subgroup after the recursive check is done, and before the subgroup
is added, we use SELECT FOR UPDATE to lock the user group rows.

The lock needs to be acquired before a group membership change is about
to occur before any check has been conducted.

Suppose that we are adding subgroup B to supergroup A, the locking protocol
is specified as follows:

1. Acquire a lock for B and all its direct and indirect subgroups.
2. Acquire a lock for A.

For the removal of user groups, we acquire a lock for the user group to
be removed with all its direct and indirect subgroups. This is the special
case A=B, which is still complaint with the protocol.

**Error handling**

We currently rely on Postgres' deadlock detection to abort transactions
and show an error for the users. In the future, we might need some
recovery mechanism or at least better error handling.

**Notes**

An important note is that we need to reuse the recursive CTE query that
finds the direct and indirect subgroups when applying the lock on the
rows. And the lock needs to be acquired the same way for the addition and
removal of direct subgroups.

User membership change (as opposed to user group membership) is not
affected. Read-only queries aren't either. The locks only protect
critical regions where the user group dependency graph might violate
the DAG constraint, where users are not participating.

**Testing**

We implement a transaction test case targeting some typical scenarios
when an internal server error is expected to happen (this means that the
user group view makes the correct decision to abort the transaction when
something goes wrong with locks).

To achieve this, we add a development view intended only for unit tests.
It has a global BARRIER that can be shared across threads, so that we
can synchronize them to consistently reproduce certain potential race
conditions prevented by the database locks.

The transaction test case lanuches pairs of threads initiating possibly
conflicting requests at the same time. The tests are set up such that exactly N
of them are expected to succeed with a certain error message (while we don't
know each one).

**Security notes**

get_recursive_subgroups_for_groups will no longer fetch user groups from
other realms. As a result, trying to add/remove a subgroup from another
realm results in a UserGroup not found error response.

We also implement subgroup-specific checks in has_user_group_access to
keep permission managing in a single place. Do note that the API
currently don't have a way to violate that check because we are only
checking the realm ID now.
2023-08-24 17:21:08 -07:00
..
ci build-pgroonga: Upgrade PGroonga from 3.0.3 to 3.1.0. 2023-07-25 17:33:42 -07:00
documentation_crawler documentation: Remove duplicate heading IDs on server side. 2023-08-21 17:25:14 -07:00
droplets ruff: Fix UP032 Use f-string instead of `format` call. 2023-08-02 15:58:55 -07:00
i18n provision: Disable compilemessages searching for locale directories. 2023-05-03 17:20:16 -07:00
lib provision: Add provision support for Fedora 38. 2023-08-22 11:26:29 -07:00
linter_lib user_groups: Make locks required for updating user group memberships. 2023-08-24 17:21:08 -07:00
node_lib node_tests: Move to web/tests. 2023-02-23 16:04:17 -08:00
oneclickapps tools: Use subprocess.check_call where appropriate. 2023-08-17 17:05:34 -07:00
setup generate emoji: Use hex_codepoint_to_emoji. 2023-08-23 16:18:15 -07:00
test-install install: Support Ubuntu 22.04. 2022-02-25 14:49:07 -08:00
tests ruff: Fix RUF015 Prefer `next(...)` over single element slice. 2023-07-23 15:20:53 -07:00
zulip-export
README.md
__init__.py
build-docs tools: Use root-based absolute import for tools.lib, etc. 2021-07-05 12:21:52 -07:00
build-release-tarball emails: Inline CSS in emails in build_email. 2023-04-05 12:22:29 -07:00
cache-zulip-git-version build-release-tarball: Override merge-base for full official releases. 2022-11-15 12:50:41 -08:00
check-capitalization tools: Use subprocess.check_call where appropriate. 2023-08-17 17:05:34 -07:00
check-frontend-i18n tools: Use subprocess.check_call where appropriate. 2023-08-17 17:05:34 -07:00
check-issue-labels ruff: Fix PERF401 Use a list comprehension to create a transformed list. 2023-08-07 17:23:55 -07:00
check-openapi eslint: Expand no-unused-vars check to all function parameters. 2023-07-02 16:16:38 -07:00
check-provision
check-schemas node_tests: Move to web/tests. 2023-02-23 16:04:17 -08:00
check-templates emails: Inline CSS in emails in build_email. 2023-04-05 12:22:29 -07:00
check-thirdparty check-thirdparty: License under GPLv2+. 2022-06-26 17:33:11 -07:00
clean-branches Rename default branch to ‘main’. 2021-09-06 12:56:35 -07:00
commit-message-lint commit-message-lint: Take release branches into account. 2022-07-22 10:39:05 -07:00
commit-msg commit-msg: Don’t change the current directory for non-Vagrant. 2023-05-23 12:24:44 -07:00
conf.ini-template
coveragerc coverage: Clean up coverage configuration. 2023-05-31 13:53:04 -07:00
deploy-branch Rename default branch to ‘main’. 2021-09-06 12:56:35 -07:00
diagnose provision: Avoid distutils; keep PROVISION_VERSION as a tuple. 2022-07-20 22:03:30 -07:00
documentation.vnufilter dependencies: Upgrade JavaScript dependencies. 2023-04-25 22:18:48 -07:00
duplicate_commits.json
fetch-contributor-data web: Save a needless 301 redirect from /team to /team/. 2023-03-24 14:51:01 -07:00
fetch-pull-request
fetch-rebase-pull-request Rename default branch to ‘main’. 2021-09-06 12:56:35 -07:00
find-unused-css web: Move web app to ‘web’ directory. 2023-02-23 16:04:17 -08:00
generate-integration-docs-screenshot ruff: Fix UP032 Use f-string instead of `format` call. 2023-08-02 15:58:55 -07:00
lint mailmap: Put sorted list back in order. 2023-08-02 17:19:05 -07:00
message-screenshot.js tools: Make screenshot tool work with the modern web client. 2023-07-17 09:23:01 -07:00
pre-commit
provision docs: Rename setup-vagrant.md -> setup-recommended.md. 2022-09-15 15:54:14 -07:00
push-to-pull-request scripts: Pass --retry 3 to curl. 2022-11-08 08:07:36 -08:00
rebuild-dev-database
rebuild-test-database
release release: Release 8.0-prereleases from `main`. 2023-07-06 16:16:11 -07:00
release-tarball-exclude.txt puppeteer_tests: Move to web/e2e-tests. 2023-02-23 16:04:17 -08:00
renumber-migrations black: Reformat with Black 23. 2023-02-02 10:40:13 -08:00
reset-to-pull-request
review python: Use Python 3.8 shlex.join function. 2022-04-27 12:57:49 -07:00
run-codespell dependencies: Switch to pnpm. 2023-03-20 15:48:29 -07:00
run-dev ruff: Fix PERF401 Use a list comprehension to create a transformed list. 2023-08-07 17:23:55 -07:00
run-mypy tools: Support running mypy daemon for better performance. 2022-07-06 17:33:13 -07:00
run-tsc
semgrep.yml python: Convert translated positional {} fields to {named} fields. 2023-07-18 15:19:07 -07:00
setup-git-repo
show-profile-results
stop-run-dev
tail-ses ruff: Fix RSE102 Unnecessary parentheses on raised exception. 2023-02-04 16:34:55 -08:00
test-all install-shellcheck: Upgrade ShellCheck to 0.9.0. 2023-01-04 14:01:34 -08:00
test-api test_helpers: Rename reset_emails_in_zulip_realm. 2023-03-01 12:17:11 -08:00
test-backend tests: Defer writing coverage report. 2023-08-10 14:02:17 -07:00
test-documentation
test-help-documentation tools: Use root-based absolute import for tools.lib, etc. 2021-07-05 12:21:52 -07:00
test-js-with-node narrow: Save blue box position and restore on navigation. 2023-08-23 13:40:26 -07:00
test-js-with-puppeteer dependencies: Switch to pnpm. 2023-03-20 15:48:29 -07:00
test-locked-requirements test-locked-requirements: Rename may_be_setup_cache to maybe_set_up_cache. 2022-01-12 13:21:35 -08:00
test-migrations
test-queue-worker-reload run-dev: Drop .py from script name. 2023-03-03 18:02:37 -08:00
test-run-dev run-dev: Drop .py from script name. 2023-03-03 18:02:37 -08:00
test-tools tools: Use root-based absolute import for tools.lib, etc. 2021-07-05 12:21:52 -07:00
total-contributions total-contributions: Add zulip-flutter to the list of repos. 2023-05-22 16:04:26 -07:00
update-locked-requirements requirements: Remove unused mypy.txt lock file. 2022-09-08 11:08:06 -07:00
update-prod-static provision: Disable compilemessages searching for locale directories. 2023-05-03 17:20:16 -07:00
update-zuliprc-api-field python: Replace universal_newlines with text. 2022-01-23 22:16:01 -08:00
upload-release upload-release: Update SHA256SUM for existing files if changed. 2023-01-23 17:41:29 -08:00
webpack ruff: Fix FLY002 Consider f"…" instead of string join. 2023-08-07 17:12:41 -07:00
zanitizer
zanitizer_config.pm.sample

README.md

This directory contains scripts that are used in building, managing, testing, and other forms of work in a Zulip development environment. Note that tools that are also useful in production belong in scripts/ or should be Django management commands.

For more details, see https://zulip.readthedocs.io/en/latest/overview/directory-structure.html.