Return HTTP 409 (Conflict) for Sequential Bundle Race Condition (#5592)

* test: add theory1 transaction conflict repro

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: return conflict for enlisted SQL merge conflicts

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* test: address transaction conflict review feedback

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Scope SQL conflict fail-fast to ambient transactions only

The earlier fix gated the fail-fast 409 on MergeOptions.EnlistInTransaction,
but regular single-resource upserts also set enlistTransaction: true. That
caused concurrent no-ETag upserts (which should retry to a last-write-wins
outcome) to surface as ResourceConflictException (409) instead of retrying,
breaking GivenASavedResource_WhenConcurrentlyUpsertingWithNoETagHeader_ThenTheExistingResourceIsUpdated.

A SQL conflict (50409) only zombies the transaction when the command actually
enlisted in an ambient C# transaction scope (the condition used in
MergeResourcesWrapperAsync). Gate the fail-fast on
EnlistInTransaction && SqlTransactionScope != null, captured before the merge
attempt, so only sequential transaction bundles fail fast while regular and
batch-bundle upserts keep retrying.

Updated the enlisted unit test to set up a real ambient scope via
BeginTransaction(), and added a regression test asserting enlist:true without
an ambient scope still retries.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Document 50424 fail-fast gap for ambient transactions

Add a comment noting that a SurrogateIdCollision (50424) inside an ambient C#
transaction zombies the transaction the same way a 50409 conflict does, so the
retries there are futile and still surface as a 500. Intentionally left
unhandled since 50424 is rare and C# transactions are being deprecated.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Add explanatory comments for transaction conflict 500 vs 409 paths

Document why a zombied-at-commit transaction returns 500 (root cause lost) while an inner-request conflict surfaces a precise 409 before commit. Condense data-store comments.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* Remove trailing whitespace (SA1028)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: mikaelweave

src/Microsoft.Health.Fhir.Core/Features/Persistence/ResourceConflictException.cs

@@ -4,6 +4,7 @@
 // -------------------------------------------------------------------------------------------------
 
 using System.Diagnostics;
+using EnsureThat;
 using Microsoft.Health.Fhir.Core.Exceptions;
 using Microsoft.Health.Fhir.Core.Models;
 
@@ -20,5 +21,15 @@ public ResourceConflictException(WeakETag etag)
                     OperationOutcomeConstants.IssueType.Conflict,
                     string.Format(Core.Resources.ResourceVersionConflict, etag?.VersionId)));
         }
+
+        public ResourceConflictException(string message)
+        {
+            EnsureArg.IsNotNullOrWhiteSpace(message, nameof(message));
+
+            Issues.Add(new OperationOutcomeIssue(
+                    OperationOutcomeConstants.IssueSeverity.Error,
+                    OperationOutcomeConstants.IssueType.Conflict,
+                    message));
+        }
     }
 }

src/Microsoft.Health.Fhir.Shared.Api.UnitTests/Features/Resources/Bundle/BundleHandlerTests.cs

@@ -7,6 +7,7 @@
 using System.Collections.Generic;
 using System.Globalization;
 using System.Linq;
+using System.Net;
 using System.Threading;
 using Hl7.Fhir.Model;
 using Hl7.Fhir.Serialization;
@@ -62,6 +63,7 @@ public class BundleHandlerTests
         private readonly BundleConfiguration _bundleConfiguration;
         private readonly IMediator _mediator;
         private readonly IBundleMetricHandler _bundleMetricHandler;
+        private readonly ITransactionHandler _transactionHandler;
         private DefaultFhirRequestContext _fhirRequestContext;
         private readonly IProvideProfilesForValidation _profilesResolver;
 
@@ -114,7 +116,7 @@ public BundleHandlerTests()
             };
             httpContextAccessor.HttpContext.Returns(httpContext);
 
-            var transactionHandler = Substitute.For<ITransactionHandler>();
+            _transactionHandler = Substitute.For<ITransactionHandler>();
 
             var resourceIdProvider = new ResourceIdProvider();
 
@@ -132,7 +134,7 @@ public BundleHandlerTests()
                 fhirRequestContextAccessor,
                 fhirJsonSerializer,
                 fhirJsonParser,
-                transactionHandler,
+                _transactionHandler,
                 bundleHttpContextAccessor,
                 bundleOrchestrator,
                 resourceIdProvider,
@@ -467,6 +469,130 @@ public async Task GivenATransaction_WithACrashDuringCSharpTransaction_ReturnAPro
             Assert.True(fhirTfe.ResponseStatusCode == System.Net.HttpStatusCode.InternalServerError);
         }
 
+        // Scenario: the inner requests succeed, but committing the C# transaction throws because the
+        // ambient SqlTransaction was already zombied (e.g. by a SQL error during an earlier entry that
+        // was not surfaced before reaching Complete()). At that point the real cause is gone and we only
+        // see a generic "This SqlTransaction has completed" InvalidOperationException, so the handler maps
+        // it to a 500. This is the fallback path - contrast with the 409 test below, where the conflict is
+        // surfaced by an inner request before commit and can be mapped to a precise status.
+        [Fact]
+        public async Task GivenATransaction_WhenTransactionIsZombiedAtCommit_ThenHttp500IsReturned()
+        {
+            _bundleConfiguration.TransactionDefaultProcessingLogic = BundleProcessingLogic.Sequential;
+
+            var bundle = new Hl7.Fhir.Model.Bundle
+            {
+                Type = BundleType.Transaction,
+                Entry = new List<EntryComponent>
+                {
+                    new EntryComponent
+                    {
+                        Request = new RequestComponent
+                        {
+                            Method = HTTPVerb.POST,
+                            Url = "/Observation",
+                        },
+                        Resource = new Observation(),
+                    },
+                    new EntryComponent
+                    {
+                        Request = new RequestComponent
+                        {
+                            Method = HTTPVerb.POST,
+                            Url = "/Observation",
+                        },
+                        Resource = new Observation(),
+                    },
+                },
+            };
+
+            ITransactionScope transactionScope = Substitute.For<ITransactionScope>();
+            _transactionHandler.BeginTransaction().Returns(transactionScope);
+            transactionScope
+                .When(scope => scope.Complete())
+                .Do(_ => throw new InvalidOperationException("This SqlTransaction has completed; it is no longer usable."));
+
+            _router.When(r => r.RouteAsync(Arg.Any<RouteContext>()))
+                .Do(info =>
+                {
+                    info.Arg<RouteContext>().Handler = context =>
+                    {
+                        context.Response.StatusCode = StatusCodes.Status201Created;
+                        return Task.CompletedTask;
+                    };
+                });
+
+            var bundleRequest = new BundleRequest(bundle.ToResourceElement());
+            FhirTransactionFailedException fhirTfe = await Assert.ThrowsAsync<FhirTransactionFailedException>(() => _bundleHandler.Handle(bundleRequest, default));
+
+            Assert.Equal(HttpStatusCode.InternalServerError, fhirTfe.ResponseStatusCode);
+        }
+
+        // Scenario: an inner request fails fast with a 409 conflict (as the SQL data store now does for a
+        // concurrency conflict inside an ambient transaction, throwing ResourceConflictException). Because
+        // the conflict is surfaced as an entry response before the transaction is committed, the handler can
+        // propagate the precise 409 to the caller instead of the generic 500 from the zombied-at-commit path
+        // above. This is the user-facing behavior that the SqlServerFhirDataStore fail-fast enables.
+        [Fact]
+        public async Task GivenATransaction_WhenInnerRequestReturnsConflictOperationOutcome_ThenHttp409IsReturned()
+        {
+            _bundleConfiguration.TransactionDefaultProcessingLogic = BundleProcessingLogic.Sequential;
+
+            var bundle = new Hl7.Fhir.Model.Bundle
+            {
+                Type = BundleType.Transaction,
+                Entry = new List<EntryComponent>
+                {
+                    new EntryComponent
+                    {
+                        Request = new RequestComponent
+                        {
+                            Method = HTTPVerb.POST,
+                            Url = "/Observation",
+                        },
+                        Resource = new Observation(),
+                    },
+                    new EntryComponent
+                    {
+                        Request = new RequestComponent
+                        {
+                            Method = HTTPVerb.POST,
+                            Url = "/Observation",
+                        },
+                        Resource = new Observation(),
+                    },
+                },
+            };
+
+            _router.When(r => r.RouteAsync(Arg.Any<RouteContext>()))
+                .Do(info =>
+                {
+                    info.Arg<RouteContext>().Handler = async context =>
+                    {
+                        var outcome = new OperationOutcome
+                        {
+                            Issue = new List<OperationOutcome.IssueComponent>
+                            {
+                                new OperationOutcome.IssueComponent
+                                {
+                                    Severity = OperationOutcome.IssueSeverity.Error,
+                                    Code = OperationOutcome.IssueType.Conflict,
+                                    Diagnostics = "Resource has been recently updated or added",
+                                },
+                            },
+                        };
+
+                        context.Response.StatusCode = StatusCodes.Status409Conflict;
+                        await context.Response.WriteAsync(outcome.ToJson());
+                    };
+                });
+
+            var bundleRequest = new BundleRequest(bundle.ToResourceElement());
+            FhirTransactionFailedException fhirTfe = await Assert.ThrowsAsync<FhirTransactionFailedException>(() => _bundleHandler.Handle(bundleRequest, default));
+
+            Assert.Equal(HttpStatusCode.Conflict, fhirTfe.ResponseStatusCode);
+        }
+
         [Fact]
         public async Task GivenATransaction_WithACancellationHappens_ReturnAProperError()
         {

src/Microsoft.Health.Fhir.SqlServer.UnitTests/Features/Storage/SqlServerFhirDataStoreUnitTests.cs

@@ -197,11 +197,12 @@ private static bool InvokeChangesAreOnlyInMetadata(ResourceWrapper inputWrapper,
         // This method is indirectly tested through integration tests (UpdateTests, FhirPathPatchTests)
 
         [Fact]
-        public async Task MergeAsync_OnSqlConflict_WithAtomicOptions_ThrowsPreconditionFailedException()
+        public async Task MergeAsync_OnSqlConflict_WhenEnlistedInAmbientTransaction_ThrowsResourceConflictExceptionWithoutRetry()
         {
             // Arrange
             var sqlRetryService = Substitute.For<ISqlRetryService>();
             var sqlException = SqlExceptionFactory.GetSqlException(SqlErrorCodes.Conflict, "SQL Conflict");
+            using var cts = new CancellationTokenSource();
 
             sqlRetryService.ExecuteReaderAsync(
                 Arg.Any<SqlCommand>(),
@@ -212,12 +213,67 @@ public async Task MergeAsync_OnSqlConflict_WithAtomicOptions_ThrowsPreconditionF
                 Arg.Any<bool>())
             .Throws(sqlException);
 
+            sqlRetryService
+                .TryLogEvent(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime?>(), Arg.Any<CancellationToken>())
+                .Returns(async callInfo =>
+                {
+                    // Tripwire: if the retry loop is incorrectly entered, cancellation makes the test fail fast rather than hang.
+                    cts.Cancel();
+                    await Task.CompletedTask;
+                });
+
+            // An ambient C# transaction (as opened by a sequential transaction bundle) is the condition that
+            // zombies on a SQL conflict, so the data store must fail fast rather than retry within it.
+            var transactionHandler = new SqlTransactionHandler();
+            using var transactionScope = transactionHandler.BeginTransaction();
+
+            var dataStore = CreateSqlServerFhirDataStore(sqlRetryService, transactionHandler);
+            var resources = CreateResourceWrapperOperations();
+
+            // Act & Assert
+            await Assert.ThrowsAsync<ResourceConflictException>(
+                () => dataStore.MergeAsync(resources, new MergeOptions(enlistTransaction: true, ensureAtomicOperations: true), cts.Token));
+
+            await sqlRetryService.DidNotReceive()
+                .TryLogEvent("MergeAsync", "Warn", Arg.Any<string>(), Arg.Any<DateTime?>(), Arg.Any<CancellationToken>());
+        }
+
+        [Fact]
+        public async Task MergeAsync_OnSqlConflict_WhenEnlistTransactionWithoutAmbientScope_RetriesBeforeThrowing()
+        {
+            // Arrange - a regular (non-bundle) upsert sets enlistTransaction: true but runs without an ambient
+            // C# transaction scope. There is nothing to zombie, so a SQL conflict must still be retried
+            // (last-write-wins), not converted into a fail-fast 409.
+            var sqlRetryService = Substitute.For<ISqlRetryService>();
+            var sqlException = SqlExceptionFactory.GetSqlException(SqlErrorCodes.Conflict, "SQL Conflict");
+            using var cts = new CancellationTokenSource();
+
+            sqlRetryService.ExecuteReaderAsync(
+                Arg.Any<SqlCommand>(),
+                Arg.Any<Func<SqlDataReader, ResourceWrapper>>(),
+                Arg.Any<ILogger>(),
+                Arg.Any<string>(),
+                Arg.Any<CancellationToken>(),
+                Arg.Any<bool>())
+            .Throws(sqlException);
+
+            sqlRetryService
+                .TryLogEvent(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(), Arg.Any<DateTime?>(), Arg.Any<CancellationToken>())
+                .Returns(async callInfo =>
+                {
+                    cts.Cancel();
+                    await Task.CompletedTask;
+                });
+
             var dataStore = CreateSqlServerFhirDataStore(sqlRetryService);
             var resources = CreateResourceWrapperOperations();
 
             // Act & Assert
-            await Assert.ThrowsAsync<PreconditionFailedException>(
-                () => dataStore.MergeAsync(resources, new MergeOptions(enlistTransaction: true, ensureAtomicOperations: true), CancellationToken.None));
+            await Assert.ThrowsAsync<TaskCanceledException>(
+                () => dataStore.MergeAsync(resources, new MergeOptions(enlistTransaction: true, ensureAtomicOperations: false), cts.Token));
+
+            await sqlRetryService.Received(1)
+                .TryLogEvent("MergeAsync", "Warn", Arg.Any<string>(), Arg.Any<DateTime?>(), Arg.Any<CancellationToken>());
         }
 
         [Fact]
@@ -315,8 +371,10 @@ public void GivenUnknownResourceType_WhenGettingResourceTypeId_ThenResourceNotFo
             Assert.Contains("is not a known resource type", exception.Message, StringComparison.Ordinal);
         }
 
-        private static SqlServerFhirDataStore CreateSqlServerFhirDataStore(ISqlRetryService sqlRetryService)
+        private static SqlServerFhirDataStore CreateSqlServerFhirDataStore(ISqlRetryService sqlRetryService, SqlTransactionHandler sqlTransactionHandler = null)
         {
+            sqlTransactionHandler ??= new SqlTransactionHandler();
+
             ModelInfoProvider.SetProvider(MockModelInfoProviderBuilder.Create(FhirSpecification.R4).AddKnownTypes(KnownResourceTypes.Group).Build());
 
             var schemaInfo = new SchemaInformation(SchemaVersionConstants.Min, SchemaVersionConstants.Max)
@@ -370,7 +428,7 @@ private static SqlServerFhirDataStore CreateSqlServerFhirDataStore(ISqlRetryServ
 
             var sqlServerDataStoreConfiguration = new SqlServerDataStoreConfiguration() { ConnectionString = sqlConnection.ConnectionString };
 
-            var sqlConnectionWrapperFactory = new SqlConnectionWrapperFactory(new SqlTransactionHandler(), sqlConnectionBuilder, sqlRetryLogicBaseProvider, Options.Create(sqlServerDataStoreConfiguration));
+            var sqlConnectionWrapperFactory = new SqlConnectionWrapperFactory(sqlTransactionHandler, sqlConnectionBuilder, sqlRetryLogicBaseProvider, Options.Create(sqlServerDataStoreConfiguration));
 
             var dataStore = new SqlServerFhirDataStore(
                 model,
@@ -381,7 +439,7 @@ private static SqlServerFhirDataStore CreateSqlServerFhirDataStore(ISqlRetryServ
                     NullLogger<BundleOrchestrator>.Instance),
                 sqlRetryService,
                 sqlConnectionWrapperFactory,
-                new SqlTransactionHandler(),
+                sqlTransactionHandler,
                 Substitute.For<ICompressedRawResourceConverter>(),
                 NullLogger<SqlServerFhirDataStore>.Instance,
                 schemaInfo,

src/Microsoft.Health.Fhir.SqlServer/Features/Storage/SqlServerFhirDataStore.cs

@@ -156,6 +156,9 @@ public async Task<MergeOutcome> MergeAsync(IReadOnlyList<ResourceWrapperOperatio
             {
                 cancellationToken.ThrowIfCancellationRequested();
 
+                // Capture whether this attempt is enlisted in an ambient C# transaction (e.g. a sequential transaction bundle).
+                bool wasEnlistedInAmbientTransaction = mergeOptions.EnlistInTransaction && _sqlTransactionHandler.SqlTransactionScope != null;
+
                 try
                 {
                     var results = await MergeInternalAsync(
@@ -180,6 +183,13 @@ public async Task<MergeOutcome> MergeAsync(IReadOnlyList<ResourceWrapperOperatio
 
                         if (sqlEx.Number == SqlErrorCodes.Conflict)
                         {
+                            if (wasEnlistedInAmbientTransaction)
+                            {
+                                // The ambient SqlTransaction is now zombied by this conflict; retrying within it is futile. Fail fast with a 409 so the client can retry the whole transaction bundle.
+                                _logger.LogWarning(e, "Conflict: ResourceConcurrentUpdateConflict in ambient transaction; failing fast (SQL error {SqlErrorNumber}).", sqlEx.Number);
+                                throw new ResourceConflictException(Resources.ResourceConcurrentUpdateConflict);
+                            }
+
                             if (retries++ >= maxRetries)
                             {
                                 _logger.LogInformation("PreconditionFailed: ResourceConcurrentUpdateConflict");