Add latest changes from gitlab-org/security/gitlab@14-7-stable-ee

8 files changed, 244 insertions, 7 deletions

diff --git a/spec/models/concerns/integrations/enable_ssl_verification_spec.rb b/spec/models/concerns/integrations/enable_ssl_verification_spec.rb
new file mode 100644
index 00000000000..802e950c0c2
--- /dev/null
+++ b/spec/models/concerns/integrations/enable_ssl_verification_spec.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Integrations::EnableSslVerification do
+  let(:described_class) do
+    Class.new(Integration) do
+      prepend Integrations::EnableSslVerification
+
+      def fields
+        [
+          { name: 'main_url' },
+          { name: 'other_url' },
+          { name: 'username' }
+        ]
+      end
+    end
+  end
+
+  let(:integration) { described_class.new }
+
+  include_context Integrations::EnableSslVerification
+end
diff --git a/spec/models/integrations/bamboo_spec.rb b/spec/models/integrations/bamboo_spec.rb
index 60ff6685c3d..b5684d153f2 100644
--- a/spec/models/integrations/bamboo_spec.rb
+++ b/spec/models/integrations/bamboo_spec.rb
@@ -23,6 +23,8 @@ RSpec.describe Integrations::Bamboo, :use_clean_rails_memory_store_caching do
     )
   end
 
+  include_context Integrations::EnableSslVerification
+
   describe 'Validations' do
     context 'when active' do
       before do
diff --git a/spec/models/integrations/drone_ci_spec.rb b/spec/models/integrations/drone_ci_spec.rb
index 062e23d628e..dd64dcfc52c 100644
--- a/spec/models/integrations/drone_ci_spec.rb
+++ b/spec/models/integrations/drone_ci_spec.rb
@@ -5,6 +5,8 @@ require 'spec_helper'
 RSpec.describe Integrations::DroneCi, :use_clean_rails_memory_store_caching do
   include ReactiveCachingHelpers
 
+  subject(:integration) { described_class.new }
+
   describe 'validations' do
     context 'active' do
       before do
@@ -59,6 +61,52 @@ RSpec.describe Integrations::DroneCi, :use_clean_rails_memory_store_caching do
     end
   end
 
+  include_context Integrations::EnableSslVerification do
+    describe '#enable_ssl_verification' do
+      before do
+        allow(integration).to receive(:new_record?).and_return(false)
+      end
+
+      it 'returns true for a known hostname' do
+        integration.drone_url = 'https://cloud.drone.io'
+
+        expect(integration.enable_ssl_verification).to be(true)
+      end
+
+      it 'returns true for new records' do
+        allow(integration).to receive(:new_record?).and_return(true)
+        integration.drone_url = 'http://example.com'
+
+        expect(integration.enable_ssl_verification).to be(true)
+      end
+
+      it 'returns false for an unknown hostname' do
+        integration.drone_url = 'https://example.com'
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+
+      it 'returns false for a HTTP URL' do
+        integration.drone_url = 'http://cloud.drone.io'
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+
+      it 'returns false for an invalid URL' do
+        integration.drone_url = 'https://example.com:foo'
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+
+      it 'returns the persisted value if present' do
+        integration.drone_url = 'https://cloud.drone.io'
+        integration.enable_ssl_verification = false
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+    end
+  end
+
   it_behaves_like Integrations::HasWebHook do
     include_context :drone_ci_integration
 
diff --git a/spec/models/integrations/jenkins_spec.rb b/spec/models/integrations/jenkins_spec.rb
index 9286d026290..3d6393f2793 100644
--- a/spec/models/integrations/jenkins_spec.rb
+++ b/spec/models/integrations/jenkins_spec.rb
@@ -24,6 +24,10 @@ RSpec.describe Integrations::Jenkins do
 
   let(:jenkins_authorization) { "Basic " + ::Base64.strict_encode64(jenkins_username + ':' + jenkins_password) }
 
+  include_context Integrations::EnableSslVerification do
+    let(:integration) { described_class.new(jenkins_params) }
+  end
+
   it_behaves_like Integrations::HasWebHook do
     let(:integration) { described_class.new(jenkins_params) }
     let(:hook_url) { "http://#{ERB::Util.url_encode jenkins_username}:#{ERB::Util.url_encode jenkins_password}@jenkins.example.com/project/my_project" }
diff --git a/spec/models/integrations/jira_spec.rb b/spec/models/integrations/jira_spec.rb
index e80fa6e3b70..6ce84c28044 100644
--- a/spec/models/integrations/jira_spec.rb
+++ b/spec/models/integrations/jira_spec.rb
@@ -130,6 +130,23 @@ RSpec.describe Integrations::Jira do
     end
   end
 
+  describe '.valid_jira_cloud_url?' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:url, :result) do
+      'https://abc.atlassian.net' | true
+      'abc.atlassian.net'         | false # This is how it behaves currently, but we may need to consider adding scheme if missing
+      'https://somethingelse.com' | false
+      nil                         | false
+    end
+
+    with_them do
+      specify do
+        expect(described_class.valid_jira_cloud_url?(url)).to eq(result)
+      end
+    end
+  end
+
   describe '#create' do
     let(:params) do
       {
diff --git a/spec/models/integrations/mock_ci_spec.rb b/spec/models/integrations/mock_ci_spec.rb
new file mode 100644
index 00000000000..d29c63b3a97
--- /dev/null
+++ b/spec/models/integrations/mock_ci_spec.rb
@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Integrations::MockCi do
+  let_it_be(:project) { build(:project) }
+
+  subject(:integration) { described_class.new(project: project, mock_service_url: generate(:url)) }
+
+  include_context Integrations::EnableSslVerification
+
+  describe '#commit_status' do
+    let(:sha) { generate(:sha) }
+
+    def stub_request(*args)
+      WebMock.stub_request(:get, integration.commit_status_path(sha)).to_return(*args)
+    end
+
+    def commit_status
+      integration.commit_status(sha, 'master')
+    end
+
+    it 'returns allowed states' do
+      described_class::ALLOWED_STATES.each do |state|
+        stub_request(status: 200, body: { status: state }.to_json)
+
+        expect(commit_status).to eq(state)
+      end
+    end
+
+    it 'returns :pending for 404 responses' do
+      stub_request(status: 404)
+
+      expect(commit_status).to eq(:pending)
+    end
+
+    it 'returns :error for responses other than 200 or 404' do
+      stub_request(status: 500)
+
+      expect(commit_status).to eq(:error)
+    end
+
+    it 'returns :error for unknown states' do
+      stub_request(status: 200, body: { status: 'unknown' }.to_json)
+
+      expect(commit_status).to eq(:error)
+    end
+
+    it 'returns :error for invalid JSON' do
+      stub_request(status: 200, body: '')
+
+      expect(commit_status).to eq(:error)
+    end
+
+    it 'returns :error for non-hash JSON responses' do
+      stub_request(status: 200, body: 23.to_json)
+
+      expect(commit_status).to eq(:error)
+    end
+
+    it 'returns :error for JSON responses without a status' do
+      stub_request(status: 200, body: { foo: :bar }.to_json)
+
+      expect(commit_status).to eq(:error)
+    end
+
+    it 'returns :error when connection is refused' do
+      stub_request(status: 500).to_raise(Errno::ECONNREFUSED)
+
+      expect(commit_status).to eq(:error)
+    end
+  end
+end
diff --git a/spec/models/integrations/teamcity_spec.rb b/spec/models/integrations/teamcity_spec.rb
index 0713141ea08..e1f4e577503 100644
--- a/spec/models/integrations/teamcity_spec.rb
+++ b/spec/models/integrations/teamcity_spec.rb
@@ -6,8 +6,8 @@ RSpec.describe Integrations::Teamcity, :use_clean_rails_memory_store_caching do
   include ReactiveCachingHelpers
   include StubRequests
 
-  let(:teamcity_url) { 'http://gitlab.com/teamcity' }
-  let(:teamcity_full_url) { 'http://gitlab.com/teamcity/httpAuth/app/rest/builds/branch:unspecified:any,revision:123' }
+  let(:teamcity_url) { 'https://gitlab.teamcity.com' }
+  let(:teamcity_full_url) { 'https://gitlab.teamcity.com/httpAuth/app/rest/builds/branch:unspecified:any,revision:123' }
   let(:project) { create(:project) }
 
   subject(:integration) do
@@ -22,6 +22,52 @@ RSpec.describe Integrations::Teamcity, :use_clean_rails_memory_store_caching do
     )
   end
 
+  include_context Integrations::EnableSslVerification do
+    describe '#enable_ssl_verification' do
+      before do
+        allow(integration).to receive(:new_record?).and_return(false)
+      end
+
+      it 'returns true for a known hostname' do
+        integration.teamcity_url = 'https://example.teamcity.com'
+
+        expect(integration.enable_ssl_verification).to be(true)
+      end
+
+      it 'returns true for new records' do
+        allow(integration).to receive(:new_record?).and_return(true)
+        integration.teamcity_url = 'http://example.com'
+
+        expect(integration.enable_ssl_verification).to be(true)
+      end
+
+      it 'returns false for an unknown hostname' do
+        integration.teamcity_url = 'https://sub.example.teamcity.com'
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+
+      it 'returns false for a HTTP URL' do
+        integration.teamcity_url = 'http://example.teamcity.com'
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+
+      it 'returns false for an invalid URL' do
+        integration.teamcity_url = 'https://example.com:foo'
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+
+      it 'returns the persisted value if present' do
+        integration.teamcity_url = 'https://example.teamcity.com'
+        integration.enable_ssl_verification = false
+
+        expect(integration.enable_ssl_verification).to be(false)
+      end
+    end
+  end
+
   describe 'Validations' do
     context 'when integration is active' do
       before do
@@ -140,22 +186,22 @@ RSpec.describe Integrations::Teamcity, :use_clean_rails_memory_store_caching do
       it 'returns a specific URL when status is 500' do
         stub_request(status: 500)
 
-        is_expected.to eq('http://gitlab.com/teamcity/viewLog.html?buildTypeId=foo')
+        is_expected.to eq("#{teamcity_url}/viewLog.html?buildTypeId=foo")
       end
 
       it 'returns a build URL when teamcity_url has no trailing slash' do
         stub_request(body: %q({"build":{"id":"666"}}))
 
-        is_expected.to eq('http://gitlab.com/teamcity/viewLog.html?buildId=666&buildTypeId=foo')
+        is_expected.to eq("#{teamcity_url}/viewLog.html?buildId=666&buildTypeId=foo")
       end
 
       context 'teamcity_url has trailing slash' do
-        let(:teamcity_url) { 'http://gitlab.com/teamcity/' }
+        let(:teamcity_url) { 'https://gitlab.teamcity.com/' }
 
         it 'returns a build URL' do
           stub_request(body: %q({"build":{"id":"666"}}))
 
-          is_expected.to eq('http://gitlab.com/teamcity/viewLog.html?buildId=666&buildTypeId=foo')
+          is_expected.to eq('https://gitlab.teamcity.com/viewLog.html?buildId=666&buildTypeId=foo')
         end
       end
 
@@ -299,7 +345,7 @@ RSpec.describe Integrations::Teamcity, :use_clean_rails_memory_store_caching do
   end
 
   def stub_post_to_build_queue(branch:)
-    teamcity_full_url = 'http://gitlab.com/teamcity/httpAuth/app/rest/buildQueue'
+    teamcity_full_url = "#{teamcity_url}/httpAuth/app/rest/buildQueue"
     body ||= %Q(<build branchName=\"#{branch}\"><buildType id=\"foo\"/></build>)
     auth = %w(mic password)
 
diff --git a/spec/models/packages/package_spec.rb b/spec/models/packages/package_spec.rb
index 122340f7bec..0cb92f81da2 100644
--- a/spec/models/packages/package_spec.rb
+++ b/spec/models/packages/package_spec.rb
@@ -1201,6 +1201,30 @@ RSpec.describe Packages::Package, type: :model do
     end
   end
 
+  describe '#mark_package_files_for_destruction' do
+    let_it_be(:package) { create(:npm_package, :pending_destruction) }
+
+    subject { package.mark_package_files_for_destruction }
+
+    it 'enqueues a sync worker job' do
+      expect(::Packages::MarkPackageFilesForDestructionWorker)
+        .to receive(:perform_async).with(package.id)
+
+      subject
+    end
+
+    context 'for a package non pending destruction' do
+      let_it_be(:package) { create(:npm_package) }
+
+      it 'does not enqueues a sync worker job' do
+        expect(::Packages::MarkPackageFilesForDestructionWorker)
+        .not_to receive(:perform_async).with(package.id)
+
+        subject
+      end
+    end
+  end
+
   describe '#create_build_infos!' do
     let_it_be(:package) { create(:package) }
     let_it_be(:pipeline) { create(:ci_pipeline) }