
authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-26 00:09:19 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-26 00:09:19 +0300
commit53b40a871dc13d9c1d743b1f57fcf50eceb0a64f (patch)
tree89dcf6d8dd885bfd5d0f3f15e6a5b99e0073b671
parentd612723c35d7fdaeb8b09e91232053e04850c2ae (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--.gitlab/merge_request_templates/Security Release.md4
-rw-r--r--app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js19
-rw-r--r--app/controllers/concerns/lfs_request.rb3
-rw-r--r--app/services/clusters/agents/refresh_authorization_service.rb6
-rw-r--r--doc/user/clusters/agent/ci_cd_workflow.md3
-rw-r--r--lib/api/api.rb2
-rw-r--r--lib/api/clusters/agent_tokens.rb3
-rw-r--r--lib/api/entities/event.rb16
-rw-r--r--lib/api/entities/push_event_payload.rb10
-rw-r--r--lib/api/events.rb14
-rw-r--r--spec/requests/api/clusters/agent_tokens_spec.rb15
-rw-r--r--spec/requests/api/groups_spec.rb2
-rw-r--r--spec/requests/lfs_http_spec.rb15
-rw-r--r--spec/services/clusters/agents/refresh_authorization_service_spec.rb10
14 files changed, 86 insertions, 36 deletions
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md
index 93912f5cefb..334bcb16023 100644
--- a/.gitlab/merge_request_templates/Security Release.md
+++ b/.gitlab/merge_request_templates/Security Release.md
@@ -25,7 +25,7 @@ See [the general developer security release guidelines](https://gitlab.com/gitla
- [ ] For a backport MR targeting a versioned stable branch (`X-Y-stable-ee`).
- [ ] Milestone is set to the version this backport applies to. A closed milestone can be assigned via [quick actions].
- [ ] Ensure it's approved by a maintainer.
-- [ ] Ensure this issue and all related MRs have a `~severity::x` label
+- [ ] Ensure this merge request and the related security issue have a `~severity::x` label
**Note:** Reviewer/maintainer should not be a Release Manager.
@@ -33,7 +33,7 @@ See [the general developer security release guidelines](https://gitlab.com/gitla
- [ ] Correct milestone is applied and the title is matching across all backports.
- [ ] Assigned (_not_ as reviewer) to `@gitlab-release-tools-bot` with passing CI pipelines.
-- [ ] Correct `~severity::x` label is applied to this issue and all related MRs
+- [ ] Correct `~severity::x` label is applied to this merge request and the related security issue.
/label ~security
diff --git a/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js b/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js
index 2e295f7565b..f9f4e981863 100644
--- a/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js
+++ b/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js
@@ -27,23 +27,16 @@ export const OPERATORS_IS_NOT_OR = [...OPERATORS_IS, ...OPERATORS_NOT, ...OPERAT
export const OPTION_NONE = { value: FILTER_NONE, text: __('None'), title: __('None') };
export const OPTION_ANY = { value: FILTER_ANY, text: __('Any'), title: __('Any') };
export const OPTION_CURRENT = { value: FILTER_CURRENT, text: __('Current') };
-
-export const OPTIONS_NONE_ANY = [OPTION_NONE, OPTION_ANY];
-
-export const DEFAULT_MILESTONE_UPCOMING = {
+export const OPTION_STARTED = { value: FILTER_STARTED, text: __('Started'), title: __('Started') };
+export const OPTION_UPCOMING = {
value: FILTER_UPCOMING,
text: __('Upcoming'),
title: __('Upcoming'),
};
-export const DEFAULT_MILESTONE_STARTED = {
- value: FILTER_STARTED,
- text: __('Started'),
- title: __('Started'),
-};
-export const DEFAULT_MILESTONES = OPTIONS_NONE_ANY.concat([
- DEFAULT_MILESTONE_UPCOMING,
- DEFAULT_MILESTONE_STARTED,
-]);
+
+export const OPTIONS_NONE_ANY = [OPTION_NONE, OPTION_ANY];
+
+export const DEFAULT_MILESTONES = OPTIONS_NONE_ANY.concat([OPTION_UPCOMING, OPTION_STARTED]);
export const SORT_DIRECTION = {
descending: 'descending',
diff --git a/app/controllers/concerns/lfs_request.rb b/app/controllers/concerns/lfs_request.rb
index 97df3c7caea..8acbba0621b 100644
--- a/app/controllers/concerns/lfs_request.rb
+++ b/app/controllers/concerns/lfs_request.rb
@@ -85,8 +85,7 @@ module LfsRequest
def deploy_token_can_download_code?
deploy_token.present? &&
- deploy_token.project == project &&
- deploy_token.active? &&
+ deploy_token.has_access_to?(project) &&
deploy_token.read_repository?
end
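Review bot: The explicit `deploy_token.active?` test is dropped on the removed lines, so `deploy_token_can_download_code?` now relies entirely on `has_access_to?(project)` to reject expired or revoked tokens, and that method is not visible in this hunk. If `has_access_to?` does not fold in the active check, an expired or revoked group token that still matches the project hierarchy would be allowed to download LFS objects; keeping `deploy_token.active? && deploy_token.has_access_to?(project) &&` preserves the previous guarantee while still admitting group tokens. Either way, a spec that sends an expired group deploy token through this path would pin the intended behaviour, since the new spec contexts in this commit only cover membership.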
diff --git a/app/services/clusters/agents/refresh_authorization_service.rb b/app/services/clusters/agents/refresh_authorization_service.rb
index 54b90a7304c..53b14ab54da 100644
--- a/app/services/clusters/agents/refresh_authorization_service.rb
+++ b/app/services/clusters/agents/refresh_authorization_service.rb
@@ -83,11 +83,7 @@ module Clusters
end
def allowed_projects
- if group_root_ancestor?
- root_ancestor.all_projects
- else
- ::Project.id_in(project.id)
- end
+ root_ancestor.all_projects
end
def allowed_groups
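Review bot: `allowed_projects` now returns every project under `root_ancestor` for a user namespace as well as for a group, a deliberate widening that the doc hunk in this commit describes, but the method carries no comment on why that boundary is safe; a one-liner such as `# Every project under a user namespace belongs to the namespace owner, so the root-ancestor boundary applies to personal projects exactly as it does to groups.` would help the next reader. The removed branch was the only visible caller of `group_root_ancestor?`; if nothing else references it, that predicate is now dead code. `allowed_groups` begins on the hunk's last line and its body is outside this view.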
diff --git a/doc/user/clusters/agent/ci_cd_workflow.md b/doc/user/clusters/agent/ci_cd_workflow.md
index 454be3c53c7..7645398e84e 100644
--- a/doc/user/clusters/agent/ci_cd_workflow.md
+++ b/doc/user/clusters/agent/ci_cd_workflow.md
@@ -60,6 +60,7 @@ Authorization configuration can take one or two minutes to propagate.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4.
> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6.
+> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/356831) to allow authorizing projects in a user namespace in GitLab 15.7.
To authorize the agent to access the GitLab project where you keep Kubernetes manifests:
@@ -73,7 +74,7 @@ To authorize the agent to access the GitLab project where you keep Kubernetes ma
- id: path/to/project
```
- - Authorized projects must have the same root group as the agent's configuration project.
+ - Authorized projects must have the same root group or user namespace as the agent's configuration project.
- You can install additional agents into the same cluster to accommodate additional hierarchies.
- You can authorize up to 100 projects.
diff --git a/lib/api/api.rb b/lib/api/api.rb
index 2a671c240cb..8bc01cef625 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -202,6 +202,7 @@ module API
mount ::API::Environments
mount ::API::ErrorTracking::ClientKeys
mount ::API::ErrorTracking::ProjectSettings
+ mount ::API::Events
mount ::API::FeatureFlags
mount ::API::FeatureFlagsUserLists
mount ::API::Features
@@ -294,7 +295,6 @@ module API
mount ::API::DebianProjectPackages
mount ::API::Discussions
mount ::API::ErrorTracking::Collector
- mount ::API::Events
mount ::API::GenericPackages
mount ::API::GroupBoards
mount ::API::GroupDebianDistributions
diff --git a/lib/api/clusters/agent_tokens.rb b/lib/api/clusters/agent_tokens.rb
index 04e9d421228..68eef21903d 100644
--- a/lib/api/clusters/agent_tokens.rb
+++ b/lib/api/clusters/agent_tokens.rb
@@ -84,8 +84,7 @@ module API
authorize! :admin_cluster, user_project
agent = ::Clusters::AgentsFinder.new(user_project, current_user).find(params[:agent_id])
-
- token = agent.agent_tokens.find(params[:token_id])
+ token = ::Clusters::AgentTokensFinder.new(agent, current_user).find(params[:token_id])
# Skipping explicit error handling and relying on exceptions
token.revoked!
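Review bot: The comment `# Skipping explicit error handling and relying on exceptions` now depends on `::Clusters::AgentTokensFinder#find` raising `ActiveRecord::RecordNotFound` the way the replaced `agent.agent_tokens.find` did; if the finder returns `nil` for an unknown id instead, `token.revoked!` on the next line becomes a `NoMethodError` and a 500 rather than a 404. The finder is not visible here, so this is worth confirming, and the comment could name the assumption: `# AgentTokensFinder#find raises ActiveRecord::RecordNotFound, which the API maps to 404`. The new spec for an already revoked token implies the finder also returns revoked tokens, which is what makes this delete idempotent. The enclosing `delete` endpoint block starts above the hunk.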
diff --git a/lib/api/entities/event.rb b/lib/api/entities/event.rb
index f750d728e03..e81e89a8393 100644
--- a/lib/api/entities/event.rb
+++ b/lib/api/entities/event.rb
@@ -3,11 +3,15 @@
module API
module Entities
class Event < Grape::Entity
- expose :id
- expose :project_id, :action_name
- expose :target_id, :target_iid, :target_type, :author_id
- expose :target_title
- expose :created_at
+ expose :id, documentation: { type: 'integer', example: 1 }
+ expose :project_id, documentation: { type: 'integer', example: 2 }
+ expose :action_name, documentation: { type: 'string', example: 'closed' }
+ expose :target_id, documentation: { type: 'integer', example: 160 }
+ expose :target_iid, documentation: { type: 'integer', example: 157 }
+ expose :target_type, documentation: { type: 'string', example: 'Issue' }
+ expose :author_id, documentation: { type: 'integer', example: 25 }
+ expose :target_title, documentation: { type: 'string', example: 'Public project search field' }
+ expose :created_at, documentation: { type: 'string', example: '2017-02-09T10:43:19.667Z' }
expose :note, using: Entities::Note, if: ->(event, options) { event.note? }
expose :author, using: Entities::UserBasic, if: ->(event, options) { event.author }
expose :wiki_page, using: Entities::WikiPageBasic, if: ->(event, _options) { event.wiki_page? }
@@ -17,7 +21,7 @@ module API
using: Entities::PushEventPayload,
if: -> (event, _) { event.push_action? }
- expose :author_username do |event, options|
+ expose :author_username, documentation: { type: 'string', example: 'root' } do |event, options|
event.author&.username
end
end
diff --git a/lib/api/entities/push_event_payload.rb b/lib/api/entities/push_event_payload.rb
index 6aad5f10177..2d8f0d9344c 100644
--- a/lib/api/entities/push_event_payload.rb
+++ b/lib/api/entities/push_event_payload.rb
@@ -3,8 +3,14 @@
module API
module Entities
class PushEventPayload < Grape::Entity
- expose :commit_count, :action, :ref_type, :commit_from, :commit_to, :ref,
- :commit_title, :ref_count
+ expose :commit_count, documentation: { type: 'integer', example: 1 }
+ expose :action, documentation: { type: 'string', example: 'pushed' }
+ expose :ref_type, documentation: { type: 'string', example: 'branch' }
+ expose :commit_from, documentation: { type: 'string', example: '50d4420237a9de7be1304607147aec22e4a14af7' }
+ expose :commit_to, documentation: { type: 'string', example: 'c5feabde2d8cd023215af4d2ceeb7a64839fc428' }
+ expose :ref, documentation: { type: 'string', example: 'master' }
+ expose :commit_title, documentation: { type: 'string', example: 'Add simple search to projects in public area' }
+ expose :ref_count, documentation: { type: 'integer', example: 1 }
end
end
end
diff --git a/lib/api/events.rb b/lib/api/events.rb
index 0a0141484ef..d3e8892f3bc 100644
--- a/lib/api/events.rb
+++ b/lib/api/events.rb
@@ -15,8 +15,15 @@ module API
desc "List currently authenticated user's events" do
detail 'This feature was introduced in GitLab 9.3.'
success Entities::Event
+ is_array true
+ failure [
+ { code: 401, message: 'Unauthorized' }
+ ]
end
params do
+ optional :scope, type: String,
+ desc: 'Include all events across a user’s projects',
+ documentation: { example: 'all' }
use :pagination
use :event_filter_params
use :sort_params
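Review bot: `optional :scope` is declared as a free-form `String` although its description and example admit only `all`; if the filter that consumes `params[:scope]` (not visible here) treats any other value as "no scope", a typo silently returns the narrower result set instead of an error. Declaring it as `optional :scope, type: String, values: %w[all], desc: 'Include all events across a user’s projects', documentation: { example: 'all' }` makes Grape reject unknown values with a 400 and documents the accepted set in the generated API reference. If other scope values are meaningful upstream, list them in `values:` instead.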
@@ -32,12 +39,17 @@ module API
end
params do
- requires :id, type: String, desc: 'The ID or Username of the user'
+ requires :id, type: String, desc: 'The ID or username of the user'
end
resource :users do
desc 'Get the contribution events of a specified user' do
detail 'This feature was introduced in GitLab 8.13.'
success Entities::Event
+ tags %w[events]
+ is_array true
+ failure [
+ { code: 404, message: 'Not found' }
+ ]
end
params do
use :pagination
diff --git a/spec/requests/api/clusters/agent_tokens_spec.rb b/spec/requests/api/clusters/agent_tokens_spec.rb
index 7b9aed80e9d..ecf94ef7c50 100644
--- a/spec/requests/api/clusters/agent_tokens_spec.rb
+++ b/spec/requests/api/clusters/agent_tokens_spec.rb
@@ -181,6 +181,21 @@ RSpec.describe API::Clusters::AgentTokens do
expect(agent_token_one.reload).to be_revoked
end
+ it 'returns a success response when revoking an already revoked agent token', :aggregate_failures do
+ delete api("/projects/#{project.id}/cluster_agents/#{agent.id}/tokens/#{revoked_agent_token.id}", user)
+
+ expect(response).to have_gitlab_http_status(:no_content)
+ expect(revoked_agent_token.reload).to be_revoked
+ end
+
+ it 'returns a 404 error when given agent_id does not exist' do
+ path = "/projects/#{project.id}/cluster_agents/#{non_existing_record_id}/tokens/#{non_existing_record_id}"
+
+ delete api(path, user)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+
it 'returns a 404 error when revoking non existent agent token' do
delete api("/projects/#{project.id}/cluster_agents/#{agent.id}/tokens/#{non_existing_record_id}", user)
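Review bot: The new examples cover a missing agent and a missing token, but none pins the scoping that `AgentTokensFinder` now provides on the production side: a token id that exists but belongs to a different agent in the same project should yield 404, not a revocation. Unless an example above this hunk already does so, a context that creates a second agent with its own token and asserts `expect(response).to have_gitlab_http_status(:not_found)` when revoking it through the first agent's path would guard that boundary against a future finder regression. The enclosing describe block starts before the hunk.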
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index ce6140d8da8..c94bc1e1bac 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -1236,7 +1236,7 @@ RSpec.describe API::Groups do
expect(json_response.length).to eq(6)
end
- it 'avoids N+1 queries', :use_sql_query_cache do
+ it 'avoids N+1 queries', :use_sql_query_cache, quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/383788' do
control = ActiveRecord::QueryRecorder.new(skip_cached: false) do
get api("/groups/#{group1.id}/projects", user1), params: { include_subgroups: true }
end
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 310ee24c2a8..c072e6d48db 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -378,6 +378,21 @@ RSpec.describe 'Git LFS API and storage' do
it_behaves_like 'LFS http 401 response'
end
+ context 'when deploy token is from an unrelated group to the project' do
+ let(:group) { create(:group) }
+ let(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
+
+ it_behaves_like 'LFS http 401 response'
+ end
+
+ context 'when deploy token is from a parent group of the project and valid' do
+ let(:group) { create(:group) }
+ let(:project) { create(:project, group: group) }
+ let(:deploy_token) { create(:deploy_token, :group, groups: [group]) }
+
+ it_behaves_like 'an authorized request', renew_authorization: false
+ end
+
# TODO: We should fix this test case that causes flakyness by alternating the result of the above test cases.
context 'when Deploy Token is valid' do
let(:deploy_token) { create(:deploy_token, projects: [project]) }
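Review bot: Both new contexts check hierarchy membership only; neither exercises an expired or revoked group deploy token, and the production change in this commit removed the explicit `active?` check from `deploy_token_can_download_code?`. A context such as `let(:deploy_token) { create(:deploy_token, :group, :expired, groups: [group]) }` with `it_behaves_like 'LFS http 401 response'` would pin that `has_access_to?` still enforces token validity, assuming the factory has such a trait (setting `expires_at: 1.day.ago` works otherwise). The describe block continues outside this hunk.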
diff --git a/spec/services/clusters/agents/refresh_authorization_service_spec.rb b/spec/services/clusters/agents/refresh_authorization_service_spec.rb
index 09bec7ae0e8..fa38bc202e7 100644
--- a/spec/services/clusters/agents/refresh_authorization_service_spec.rb
+++ b/spec/services/clusters/agents/refresh_authorization_service_spec.rb
@@ -113,6 +113,16 @@ RSpec.describe Clusters::Agents::RefreshAuthorizationService do
expect(modified_authorization.config).to eq({ 'default_namespace' => 'new-namespace' })
end
+ context 'project does not belong to a group, and is in the same namespace as the agent' do
+ let(:root_ancestor) { create(:namespace) }
+ let(:added_project) { create(:project, namespace: root_ancestor) }
+
+ it 'creates an authorization record for the project' do
+ expect(subject).to be_truthy
+ expect(agent.authorized_projects).to contain_exactly(added_project)
+ end
+ end
+
context 'project does not belong to a group, and is authorizing itself' do
let(:root_ancestor) { create(:namespace) }
let(:added_project) { project }
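Review bot: The new context shows that a personal project in the same user namespace is authorized, but there is no counterpart asserting that a personal project in a different user namespace is not; that negative case is the boundary `root_ancestor.all_projects` now relies on for user namespaces. Unless it is covered above, a context with `let(:added_project) { create(:project, namespace: create(:namespace)) }` and `expect(agent.authorized_projects).not_to include(added_project)` would pin it. The describe block starts before and continues after this hunk.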