Add latest changes from gitlab-org/gitlab@master

6 files changed, 79 insertions, 21 deletions

diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 09a84950755..629c1cbdc5c 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -3,12 +3,24 @@
 module Auth
   class ContainerRegistryAuthenticationService < BaseService
     AUDIENCE = 'container_registry'
+    REGISTRY_LOGIN_ABILITIES = [
+      :read_container_image,
+      :create_container_image,
+      :destroy_container_image,
+      :update_container_image,
+      :admin_container_image,
+      :build_read_container_image,
+      :build_create_container_image,
+      :build_destroy_container_image
+    ].freeze
 
     def execute(authentication_abilities:)
       @authentication_abilities = authentication_abilities
 
       return error('UNAVAILABLE', status: 404, message: 'registry not enabled') unless registry.enabled
 
+      return error('DENIED', status: 403, message: 'access forbidden') unless has_registry_ability?
+
       unless scopes.any? || current_user || project
         return error('DENIED', status: 403, message: 'access forbidden')
       end
@@ -197,5 +209,11 @@ module Auth
     def has_authentication_ability?(capability)
       @authentication_abilities.to_a.include?(capability)
     end
+
+    def has_registry_ability?
+      @authentication_abilities.any? do |ability|
+        REGISTRY_LOGIN_ABILITIES.include?(ability)
+      end
+    end
   end
 end
diff --git a/app/services/groups/group_links/destroy_service.rb b/app/services/groups/group_links/destroy_service.rb
index 29aa8de4e68..6835b6c4637 100644
--- a/app/services/groups/group_links/destroy_service.rb
+++ b/app/services/groups/group_links/destroy_service.rb
@@ -6,19 +6,17 @@ module Groups
       def execute(one_or_more_links)
         links = Array(one_or_more_links)
 
-        GroupGroupLink.transaction do
-          GroupGroupLink.delete(links)
+        if GroupGroupLink.delete(links)
+          Gitlab::AppLogger.info(
+            "GroupGroupLinks with ids: #{links.map(&:id)} have been deleted.")
 
           groups_to_refresh = links.map(&:shared_with_group)
           groups_to_refresh.uniq.each do |group|
             group.refresh_members_authorized_projects
           end
-
-          Gitlab::AppLogger.info("GroupGroupLinks with ids: #{links.map(&:id)} have been deleted.")
-        rescue => ex
-          Gitlab::AppLogger.error(ex)
-
-          raise
+        else
+          Gitlab::AppLogger.info(
+            "Failed to delete GroupGroupLinks with ids: #{links.map(&:id)}.")
         end
       end
     end
diff --git a/app/services/groups/group_links/update_service.rb b/app/services/groups/group_links/update_service.rb
new file mode 100644
index 00000000000..71b52cb616c
--- /dev/null
+++ b/app/services/groups/group_links/update_service.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Groups
+  module GroupLinks
+    class UpdateService < BaseService
+      def initialize(group_link, user = nil)
+        super(group_link.shared_group, user)
+
+        @group_link = group_link
+      end
+
+      def execute(group_link_params)
+        group_link.update!(group_link_params)
+
+        if requires_authorization_refresh?(group_link_params)
+          group_link.shared_with_group.refresh_members_authorized_projects
+        end
+      end
+
+      private
+
+      attr_accessor :group_link
+
+      def requires_authorization_refresh?(params)
+        params.include?(:group_access)
+      end
+    end
+  end
+end
diff --git a/app/services/projects/lfs_pointers/lfs_download_service.rb b/app/services/projects/lfs_pointers/lfs_download_service.rb
index bd70012c76c..52c73bcff03 100644
--- a/app/services/projects/lfs_pointers/lfs_download_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_download_service.rb
@@ -16,17 +16,14 @@ module Projects
         @lfs_download_object = lfs_download_object
       end
 
-      # rubocop: disable CodeReuse/ActiveRecord
       def execute
         return unless project&.lfs_enabled? && lfs_download_object
         return error("LFS file with oid #{lfs_oid} has invalid attributes") unless lfs_download_object.valid?
-        return if LfsObject.exists?(oid: lfs_oid)
 
         wrap_download_errors do
           download_lfs_file!
         end
       end
-      # rubocop: enable CodeReuse/ActiveRecord
 
       private
 
@@ -39,14 +36,24 @@ module Projects
       def download_lfs_file!
         with_tmp_file do |tmp_file|
           download_and_save_file!(tmp_file)
-          project.lfs_objects << LfsObject.new(oid: lfs_oid,
-                                               size: lfs_size,
-                                               file: tmp_file)
+
+          project.lfs_objects << find_or_create_lfs_object(tmp_file)
 
           success
         end
       end
 
+      def find_or_create_lfs_object(tmp_file)
+        lfs_obj = LfsObject.safe_find_or_create_by!(
+          oid:  lfs_oid,
+          size: lfs_size
+        )
+
+        lfs_obj.update!(file: tmp_file) unless lfs_obj.file.file
+
+        lfs_obj
+      end
+
       def download_and_save_file!(file)
         digester = Digest::SHA256.new
         response = Gitlab::HTTP.get(lfs_sanitized_url, download_headers) do |fragment|
diff --git a/app/services/projects/lfs_pointers/lfs_object_download_list_service.rb b/app/services/projects/lfs_pointers/lfs_object_download_list_service.rb
index d6e6480bdad..75106297043 100644
--- a/app/services/projects/lfs_pointers/lfs_object_download_list_service.rb
+++ b/app/services/projects/lfs_pointers/lfs_object_download_list_service.rb
@@ -26,12 +26,12 @@ module Projects
           return []
         end
 
-        # Getting all Lfs pointers already in the database and linking them to the project
-        linked_oids = LfsLinkService.new(project).execute(lfs_pointers_in_repository.keys)
-        # Retrieving those oids not present in the database which we need to download
-        missing_oids = lfs_pointers_in_repository.except(*linked_oids)
-        # Downloading the required information and gathering it inside a LfsDownloadObject for each oid
-        LfsDownloadLinkListService.new(project, remote_uri: current_endpoint_uri).execute(missing_oids)
+        # Downloading the required information and gathering it inside an
+        #   LfsDownloadObject for each oid
+        #
+        LfsDownloadLinkListService
+          .new(project, remote_uri: current_endpoint_uri)
+          .execute(lfs_pointers_in_repository)
       rescue LfsDownloadLinkListService::DownloadLinksError => e
         raise LfsObjectDownloadListError, "The LFS objects download list couldn't be imported. Error: #{e.message}"
       end
diff --git a/app/services/web_hook_service.rb b/app/services/web_hook_service.rb
index 514ba998d2c..178a321e20c 100644
--- a/app/services/web_hook_service.rb
+++ b/app/services/web_hook_service.rb
@@ -13,8 +13,14 @@ class WebHookService
     end
   end
 
+  GITLAB_EVENT_HEADER = 'X-Gitlab-Event'
+
   attr_accessor :hook, :data, :hook_name, :request_options
 
+  def self.hook_to_event(hook_name)
+    hook_name.to_s.singularize.titleize
+  end
+
   def initialize(hook, data, hook_name)
     @hook = hook
     @data = data
@@ -112,7 +118,7 @@ class WebHookService
     @headers ||= begin
       {
         'Content-Type' => 'application/json',
-        'X-Gitlab-Event' => hook_name.singularize.titleize
+        GITLAB_EVENT_HEADER => self.class.hook_to_event(hook_name)
       }.tap do |hash|
         hash['X-Gitlab-Token'] = Gitlab::Utils.remove_line_breaks(hook.token) if hook.token.present?
       end