Add latest changes from gitlab-org/gitlab@master

9 files changed, 93 insertions, 20 deletions

diff --git a/data/deprecations/15-4-non-expiring-access-tokens.yml b/data/deprecations/15-4-non-expiring-access-tokens.yml
index 8363e2e8818..1f1cfd3e0c0 100644
--- a/data/deprecations/15-4-non-expiring-access-tokens.yml
+++ b/data/deprecations/15-4-non-expiring-access-tokens.yml
@@ -2,7 +2,7 @@
   announcement_milestone: "15.4"
   announcement_date: "2022-09-22"
   removal_milestone: "16.0"
-  removal_date: "2022-05-22"
+  removal_date: "2023-05-22"
   breaking_change: true
   reporter: hsutor
   body: |  # Do not modify this line, instead modify the lines below.
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index 0e67d5d24ae..dbf54319345 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -21331,6 +21331,12 @@ A `CiBuildID` is a global ID. It is encoded as a string.
 
 An example `CiBuildID` is: `"gid://gitlab/Ci::Build/1"`.
 
+### `CiJobArtifactID`
+
+A `CiJobArtifactID` is a global ID. It is encoded as a string.
+
+An example `CiJobArtifactID` is: `"gid://gitlab/Ci::JobArtifact/1"`.
+
 ### `CiPipelineID`
 
 A `CiPipelineID` is a global ID. It is encoded as a string.
diff --git a/doc/development/ruby3_gotchas.md b/doc/development/ruby3_gotchas.md
index dbe6fa13eee..db328b0b1a5 100644
--- a/doc/development/ruby3_gotchas.md
+++ b/doc/development/ruby3_gotchas.md
@@ -163,3 +163,40 @@ For Ruby 3 compliance, this should be changed to one of the following invocation
 
 - `f(**{k: v})`
 - `f(k: v)`
+
+## RSpec `with` argument matcher fails for shorthand Hash syntax
+
+Because keyword arguments ("kwargs") are a first-class concept in Ruby 3, keyword arguments are not
+converted into internal `Hash` instances anymore. This leads to RSpec method argument matchers failing
+when the receiver takes a positional options hash instead of kwargs:
+
+```ruby
+def m(options={}); end
+```
+
+```ruby
+expect(subject).to receive(:m).with(a: 42)
+```
+
+In Ruby 3 this expectations fails with the following error:
+
+```plaintext
+  Failure/Error:
+
+     #<subject> received :m with unexpected arguments
+       expected: ({:a=>42})
+            got: ({:a=>42})
+```
+
+This happens because RSpec uses a kwargs argument matcher here, but the method takes a hash.
+It works in Ruby 2, because `a: 42` is converted to a hash first and RSpec will use a hash argument matcher.
+
+A workaround is to not use the shorthand syntax and pass an actual `Hash` instead whenever we know a method
+to take an options hash:
+
+```ruby
+# Note the braces around the key-value pair.
+expect(subject).to receive(:m).with({ a: 42 })
+```
+
+For more information, see [the official issue report for RSpec](https://github.com/rspec/rspec-mocks/issues/1460).
diff --git a/doc/integration/kerberos.md b/doc/integration/kerberos.md
index 257ba4e6708..da854582c12 100644
--- a/doc/integration/kerberos.md
+++ b/doc/integration/kerberos.md
@@ -368,6 +368,15 @@ GitLab supports, authentication fails with a message like this in the log:
 OmniauthKerberosSpnegoController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested Unknown error
 ```
 
+There are a number of potential causes and solutions for this error message.
+
+#### Kerberos integration not using a dedicated port
+
+GitLab CI/CD doesn’t work with a Kerberos-enabled GitLab instance unless the Kerberos integration 
+is configured to [use a dedicated port](kerberos.md#http-git-access-with-kerberos-token-passwordless-authentication). 
+
+#### Lack of connectivity between client machine and Kerberos server
+
 This is usually seen when the browser is unable to contact the Kerberos server
 directly. It falls back to an unsupported mechanism known as
 [`IAKERB`](https://k5wiki.kerberos.org/wiki/Projects/IAKERB), which tries to use
@@ -377,6 +386,8 @@ If you're experiencing this error, ensure there is connectivity between the
 client machine and the Kerberos server - this is a prerequisite! Traffic may be
 blocked by a firewall, or the DNS records may be incorrect.
 
+#### Mismatched forward and reverse DNS records for GitLab instance hostname
+
 Another failure mode occurs when the forward and reverse DNS records for the
 GitLab server do not match. Often, Windows clients work in this case while
 Linux clients fail. They use reverse DNS while detecting the Kerberos
@@ -389,6 +400,8 @@ match. So for instance, if you access GitLab as `gitlab.example.com`, resolving
 to IP address `1.2.3.4`, then `4.3.2.1.in-addr.arpa` must be a `PTR` record for
 `gitlab.example.com`.
 
+#### Missing Kerberos libraries on browser or client machine
+
 Finally, it's possible that the browser or client machine lack Kerberos support
 completely. Ensure that the Kerberos libraries are installed and that you can
 authenticate to other Kerberos services.
diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md
index 505b247cbd7..ad565fbc3e7 100644
--- a/doc/update/deprecations.md
+++ b/doc/update/deprecations.md
@@ -51,7 +51,7 @@ sole discretion of GitLab Inc.
 
 ### Non-expiring access tokens
 
-Planned removal: GitLab <span class="removal-milestone">16.0</span> (2022-05-22)
+Planned removal: GitLab <span class="removal-milestone">16.0</span> (2023-05-22)
 
 WARNING:
 This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/).
diff --git a/doc/user/application_security/get-started-security.md b/doc/user/application_security/get-started-security.md
index 9d98675c2df..f66530314b6 100644
--- a/doc/user/application_security/get-started-security.md
+++ b/doc/user/application_security/get-started-security.md
@@ -6,6 +6,9 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 
 # Get started with GitLab application security **(ULTIMATE)**
 
+<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
+For an overview, see [Adopting GitLab application security](https://www.youtube.com/watch?v=5QlxkiKR04k).
+
 The following steps will help you get the most from GitLab application security tools. These steps are a recommended order of operations. You can choose to implement capabilities in a different order or omit features that do not apply to your specific needs.
 
 1. Enable [Secret Detection](secret_detection/index.md) and [Dependency Scanning](dependency_scanning/index.md)
diff --git a/lib/gitlab/database/tables_truncate.rb b/lib/gitlab/database/tables_truncate.rb
index b629bff52ce..164520fbab3 100644
--- a/lib/gitlab/database/tables_truncate.rb
+++ b/lib/gitlab/database/tables_truncate.rb
@@ -61,12 +61,10 @@ module Gitlab
       def truncate_tables_in_batches(connection, tables_sorted, min_batch_size)
         truncated_tables = []
 
-        unless dry_run
-          tables_sorted.flatten.compact.each do |table|
-            sql_statement = "SELECT set_config('lock_writes.#{table}', 'false', false)"
-            logger&.info sql_statement
-            connection.execute(sql_statement)
-          end
+        tables_sorted.flatten.each do |table|
+          sql_statement = "SELECT set_config('lock_writes.#{table}', 'false', false)"
+          logger&.info(sql_statement)
+          connection.execute(sql_statement) unless dry_run
         end
 
         # We do the truncation in stages to avoid high IO
@@ -74,14 +72,23 @@ module Gitlab
         # tables before. That's because PostgreSQL doesn't allow to truncate any table (A)
         # without truncating any other table (B) that has a Foreign Key pointing to the table (A).
         # even if table (B) is empty, because it has been already truncated in a previous stage.
-        tables_sorted.in_groups_of(min_batch_size).each do |tables_groups|
-          new_tables_to_truncate = tables_groups.flatten.compact
+        tables_sorted.in_groups_of(min_batch_size, false).each do |tables_groups|
+          new_tables_to_truncate = tables_groups.flatten
           logger&.info "= New tables to truncate: #{new_tables_to_truncate.join(', ')}"
           truncated_tables.push(*new_tables_to_truncate).tap(&:sort!)
-          sql_statement = "TRUNCATE TABLE #{truncated_tables.join(', ')} RESTRICT"
+          sql_statements = [
+            "SET LOCAL statement_timeout = 0",
+            "SET LOCAL lock_timeout = 0",
+            "TRUNCATE TABLE #{truncated_tables.join(', ')} RESTRICT"
+          ]
 
-          logger&.info sql_statement
-          connection.execute(sql_statement) unless dry_run
+          sql_statements.each { |sql_statement| logger&.info(sql_statement) }
+
+          next if dry_run
+
+          connection.transaction do
+            sql_statements.each { |sql_statement| connection.execute(sql_statement) }
+          end
         end
       end
     end
diff --git a/qa/qa/specs/features/api/1_manage/user_inherited_access_spec.rb b/qa/qa/specs/features/api/1_manage/user_inherited_access_spec.rb
index 444d86f63d3..9f0e2664213 100644
--- a/qa/qa/specs/features/api/1_manage/user_inherited_access_spec.rb
+++ b/qa/qa/specs/features/api/1_manage/user_inherited_access_spec.rb
@@ -71,7 +71,12 @@ module QA
         it(
           'is allowed to commit to sub-group project via the API',
           :reliable,
-          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363349'
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363349',
+          quarantine: {
+            only: { subdomain: %i[staging staging-ref] },
+            type: :investigating,
+            issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/370282'
+          }
         ) do
           expect do
             Resource::Repository::Commit.fabricate_via_api! do |commit|
diff --git a/spec/lib/gitlab/database/tables_truncate_spec.rb b/spec/lib/gitlab/database/tables_truncate_spec.rb
index 08f4ee50ef1..01af9efd782 100644
--- a/spec/lib/gitlab/database/tables_truncate_spec.rb
+++ b/spec/lib/gitlab/database/tables_truncate_spec.rb
@@ -53,8 +53,8 @@ RSpec.describe Gitlab::Database::TablesTruncate, :reestablished_active_record_ba
         );
       SQL
 
-      ApplicationRecord.connection.execute(main_tables_sql)
-      Ci::ApplicationRecord.connection.execute(main_tables_sql)
+      main_connection.execute(main_tables_sql)
+      ci_connection.execute(main_tables_sql)
 
       ci_tables_sql = <<~SQL
         CREATE TABLE _test_gitlab_ci_items (id serial NOT NULL PRIMARY KEY);
@@ -66,15 +66,15 @@ RSpec.describe Gitlab::Database::TablesTruncate, :reestablished_active_record_ba
         );
       SQL
 
-      ApplicationRecord.connection.execute(ci_tables_sql)
-      Ci::ApplicationRecord.connection.execute(ci_tables_sql)
+      main_connection.execute(ci_tables_sql)
+      ci_connection.execute(ci_tables_sql)
 
       internal_tables_sql = <<~SQL
         CREATE TABLE _test_gitlab_shared_items (id serial NOT NULL PRIMARY KEY);
       SQL
 
-      ApplicationRecord.connection.execute(internal_tables_sql)
-      Ci::ApplicationRecord.connection.execute(internal_tables_sql)
+      main_connection.execute(internal_tables_sql)
+      ci_connection.execute(internal_tables_sql)
 
       # Filling the tables
       5.times do |i|
@@ -138,6 +138,8 @@ RSpec.describe Gitlab::Database::TablesTruncate, :reestablished_active_record_ba
       end
 
       it 'logs the sql statements to the logger' do
+        expect(logger).to receive(:info).with("SET LOCAL lock_timeout = 0")
+        expect(logger).to receive(:info).with("SET LOCAL statement_timeout = 0")
         expect(logger).to receive(:info)
                       .with(/TRUNCATE TABLE #{legacy_tables_models.map(&:table_name).sort.join(', ')} RESTRICT/)
         truncate_legacy_tables