
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 21:10:11 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 21:10:11 +0300
commitc51425915fb1b2c367d6d828449b5cc7772ac104 (patch)
treee0bb2d9f3e0c9aaec6fe71a9da26f9bab5d9890c /spec
parentf65227a163435d66e3f0b80f4c52ae59d8df39a2 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec')
-rw-r--r--spec/lib/api/helpers_spec.rb75
-rw-r--r--spec/lib/gitlab/git_audit_event_spec.rb79
-rw-r--r--spec/lib/gitlab/workhorse_spec.rb9
-rw-r--r--spec/models/ci/catalog/resource_spec.rb20
-rw-r--r--spec/models/project_spec.rb22
-rw-r--r--spec/requests/api/ci/pipelines_spec.rb72
-rw-r--r--spec/requests/api/internal/base_spec.rb12
-rw-r--r--spec/services/ci/pipelines/update_metadata_service_spec.rb34
-rw-r--r--spec/support/shared_examples/sends_git_audit_streaming_event_shared_examples.rb41
9 files changed, 253 insertions, 111 deletions
diff --git a/spec/lib/api/helpers_spec.rb b/spec/lib/api/helpers_spec.rb
index 5d343ec2777..21b3b8e6927 100644
--- a/spec/lib/api/helpers_spec.rb
+++ b/spec/lib/api/helpers_spec.rb
@@ -1327,4 +1327,79 @@ RSpec.describe API::Helpers, feature_category: :shared do
end
end
end
+
+ describe '#authenticate_by_gitlab_shell_or_workhorse_token!' do
+ include GitlabShellHelpers
+ include WorkhorseHelpers
+
+ include_context 'workhorse headers'
+
+ let(:headers) { {} }
+ let(:params) { {} }
+
+ context 'when request from gitlab shell' do
+ let(:valid_secret_token) { 'valid' }
+ let(:invalid_secret_token) { 'invalid' }
+
+ before do
+ allow(helper).to receive_messages(headers: headers)
+ end
+
+ context 'with invalid token' do
+ let(:headers) { gitlab_shell_internal_api_request_header(secret_token: invalid_secret_token) }
+
+ it 'unauthorized' do
+ expect(helper).to receive(:unauthorized!)
+
+ helper.authenticate_by_gitlab_shell_or_workhorse_token!
+ end
+ end
+
+ context 'with valid token' do
+ let(:headers) { gitlab_shell_internal_api_request_header }
+
+ it 'authorized' do
+ expect(helper).not_to receive(:unauthorized!)
+
+ helper.authenticate_by_gitlab_shell_or_workhorse_token!
+ end
+ end
+ end
+
+ context 'when request from gitlab workhorse' do
+ let(:env) { {} }
+ let(:request) { ActionDispatch::Request.new(env) }
+
+ before do
+ allow_any_instance_of(ActionDispatch::Request).to receive(:headers).and_return(headers)
+ allow(helper).to receive(:request).and_return(request)
+ allow(helper).to receive_messages(params: params, headers: headers, env: env)
+ end
+
+ context 'with invalid token' do
+ let(:headers) { { Gitlab::Workhorse::INTERNAL_API_REQUEST_HEADER => JWT.encode({ 'iss' => 'gitlab-workhorse' }, 'wrongkey', 'HS256') } }
+
+ before do
+ allow(JWT).to receive(:decode).and_return([{ 'iss' => 'gitlab-workhorse' }])
+ end
+
+ it 'unauthorized' do
+ expect(helper).to receive(:forbidden!)
+
+ helper.authenticate_by_gitlab_shell_or_workhorse_token!
+ end
+ end
+
+ context 'with valid token' do
+ let(:headers) { workhorse_headers }
+ let(:env) { { 'HTTP_GITLAB_WORKHORSE' => 1 } }
+
+ it 'authorized' do
+ expect(helper).not_to receive(:forbidden!)
+
+ helper.authenticate_by_gitlab_shell_or_workhorse_token!
+ end
+ end
+ end
+ end
end
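Review bot: In the Workhorse 'with invalid token' context, stubbing `JWT.decode` to return a well-formed `gitlab-workhorse` payload means the header signed with 'wrongkey' is never rejected by signature verification. The `forbidden!` expectation is therefore probably satisfied by something else, most likely the empty `env`, since the valid case sets `'HTTP_GITLAB_WORKHORSE' => 1` and this one does not. As written, the example would likely still pass if signature checking were broken. Dropping the `allow(JWT).to receive(:decode)` stub and giving this context `let(:env) { { 'HTTP_GITLAB_WORKHORSE' => 1 } }` would make the bad signature the only difference from the valid case. The example name 'unauthorized' also does not match the `forbidden!` it expects.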
diff --git a/spec/lib/gitlab/git_audit_event_spec.rb b/spec/lib/gitlab/git_audit_event_spec.rb
deleted file mode 100644
index c533b39f550..00000000000
--- a/spec/lib/gitlab/git_audit_event_spec.rb
+++ /dev/null
@@ -1,79 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Gitlab::GitAuditEvent, feature_category: :source_code_management do
- let_it_be(:player) { create(:user) }
- let_it_be(:group) { create(:group, :public) }
- let_it_be(:project) { create(:project) }
-
- subject { described_class.new(player, project) }
-
- describe '#send_audit_event' do
- let(:msg) { 'valid_msg' }
-
- context 'with successfully sending' do
- let_it_be(:project) { create(:project, namespace: group) }
-
- before do
- allow(::Gitlab::Audit::Auditor).to receive(:audit)
- end
-
- context 'when player is a regular user' do
- it 'sends git audit event' do
- expect(::Gitlab::Audit::Auditor).to receive(:audit).with(a_hash_including(
- name: 'repository_git_operation',
- stream_only: true,
- author: player,
- scope: project,
- target: project,
- message: msg
- )).once
-
- subject.send_audit_event(msg)
- end
- end
-
- context 'when player is ::API::Support::GitAccessActor' do
- let_it_be(:user) { player }
- let_it_be(:key) { create(:key, user: user) }
- let_it_be(:git_access_actor) { ::API::Support::GitAccessActor.new(user: user, key: key) }
-
- subject { described_class.new(git_access_actor, project) }
-
- it 'sends git audit event' do
- expect(::Gitlab::Audit::Auditor).to receive(:audit).with(a_hash_including(
- name: 'repository_git_operation',
- stream_only: true,
- author: git_access_actor.deploy_key_or_user,
- scope: project,
- target: project,
- message: msg
- )).once
-
- subject.send_audit_event(msg)
- end
- end
- end
-
- context 'when user is blank' do
- let_it_be(:player) { nil }
-
- it 'does not send git audit event' do
- expect(::Gitlab::Audit::Auditor).not_to receive(:audit)
-
- subject.send_audit_event(msg)
- end
- end
-
- context 'when project is blank' do
- let_it_be(:project) { nil }
-
- it 'does not send git audit event' do
- expect(::Gitlab::Audit::Auditor).not_to receive(:audit)
-
- subject.send_audit_event(msg)
- end
- end
- end
-end
diff --git a/spec/lib/gitlab/workhorse_spec.rb b/spec/lib/gitlab/workhorse_spec.rb
index cca18cb05c7..d77763f89be 100644
--- a/spec/lib/gitlab/workhorse_spec.rb
+++ b/spec/lib/gitlab/workhorse_spec.rb
@@ -226,7 +226,8 @@ RSpec.describe Gitlab::Workhorse, feature_category: :shared do
GL_ID: "user-#{user.id}",
GL_USERNAME: user.username,
GL_REPOSITORY: "project-#{project.id}",
- ShowAllRefs: false
+ ShowAllRefs: false,
+ NeedAudit: false
}
end
@@ -277,6 +278,12 @@ RSpec.describe Gitlab::Workhorse, feature_category: :shared do
it { is_expected.to include(ShowAllRefs: true) }
end
+ context 'need_audit enabled' do
+ subject { described_class.git_http_ok(repository, Gitlab::GlRepository::PROJECT, user, action, show_all_refs: true, need_audit: true) }
+
+ it { is_expected.to include(NeedAudit: true) }
+ end
+
context 'when a feature flag is set for a single project' do
before do
stub_feature_flags(gitaly_mep_mep: project)
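Review bot: The 'need_audit enabled' subject also passes `show_all_refs: true`, so the example does not show that `NeedAudit` is propagated independently of `ShowAllRefs`. Calling `described_class.git_http_ok(repository, Gitlab::GlRepository::PROJECT, user, action, need_audit: true)` would isolate the flag, assuming `show_all_refs` keeps its default when omitted. The enclosing describe block starts and ends outside the hunk.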
diff --git a/spec/models/ci/catalog/resource_spec.rb b/spec/models/ci/catalog/resource_spec.rb
index 4e292fc0ec0..cb9152cfd74 100644
--- a/spec/models/ci/catalog/resource_spec.rb
+++ b/spec/models/ci/catalog/resource_spec.rb
@@ -53,19 +53,31 @@ RSpec.describe Ci::Catalog::Resource, feature_category: :pipeline_composition do
end
describe '.order_by_name_desc' do
- it 'returns catalog resources sorted by descending name' do
- ordered_resources = described_class.order_by_name_desc
+ subject(:ordered_resources) { described_class.order_by_name_desc }
+ it 'returns catalog resources sorted by descending name' do
expect(ordered_resources.pluck(:name)).to eq(%w[Z L A])
end
+
+ it 'returns catalog resources sorted by descending name with nulls last' do
+ resource.update!(name: nil)
+
+ expect(ordered_resources.pluck(:name)).to eq(['Z', 'L', nil])
+ end
end
describe '.order_by_name_asc' do
- it 'returns catalog resources sorted by ascending name' do
- ordered_resources = described_class.order_by_name_asc
+ subject(:ordered_resources) { described_class.order_by_name_asc }
+ it 'returns catalog resources sorted by ascending name' do
expect(ordered_resources.pluck(:name)).to eq(%w[A L Z])
end
+
+ it 'returns catalog resources sorted by ascending name with nulls last' do
+ resource.update!(name: nil)
+
+ expect(ordered_resources.pluck(:name)).to eq(['L', 'Z', nil])
+ end
end
describe '.order_by_latest_released_at_desc' do
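Review bot: Both 'nulls last' examples depend on `resource` being the record named 'A', which is defined outside the hunk, so the expectation `['Z', 'L', nil]` does not show which row was nulled. A short comment above the update, such as `# resource is the 'A' entry; a nil name must sort after every named row`, would make that explicit. If `resource` is created with `let_it_be`, the `update!` may also leave the shared in-memory object with a nil name for later examples unless it is reloaded; this is worth confirming against the fixture definition.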
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 5acf03e09d7..d4e23823f23 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2127,28 +2127,6 @@ RSpec.describe Project, factory_default: :keep, feature_category: :groups_and_pr
end
end
- describe 'sorting by name' do
- let_it_be(:project1) { create(:project, name: 'A') }
- let_it_be(:project2) { create(:project, name: 'Z') }
- let_it_be(:project3) { create(:project, name: 'L') }
-
- context 'when using .sort_by_name_desc' do
- it 'reorders the projects by descending name order' do
- projects = described_class.sorted_by_name_desc
-
- expect(projects.pluck(:name)).to eq(%w[Z L A])
- end
- end
-
- context 'when using .sort_by_name_asc' do
- it 'reorders the projects by ascending name order' do
- projects = described_class.sorted_by_name_asc
-
- expect(projects.pluck(:name)).to eq(%w[A L Z])
- end
- end
- end
-
describe '.with_shared_runners_enabled' do
subject { described_class.with_shared_runners_enabled }
diff --git a/spec/requests/api/ci/pipelines_spec.rb b/spec/requests/api/ci/pipelines_spec.rb
index 3544a6dd72a..f823da9fb2d 100644
--- a/spec/requests/api/ci/pipelines_spec.rb
+++ b/spec/requests/api/ci/pipelines_spec.rb
@@ -1107,6 +1107,78 @@ RSpec.describe API::Ci::Pipelines, feature_category: :continuous_integration do
end
end
+ describe 'PUT /projects/:id/pipelines/:pipeline_id/name' do
+ let_it_be(:pipeline_creator) { create(:user) }
+ let(:pipeline) { create(:ci_pipeline, project: project, user: pipeline_creator) }
+ let(:name) { 'A new pipeline name' }
+
+ subject(:execute) do
+ put api("/projects/#{project.id}/pipelines/#{pipeline.id}/metadata", current_user), params: { name: name }
+ end
+
+ context 'authorized user' do
+ let(:current_user) { create(:user) }
+
+ before do
+ project.add_developer(current_user)
+ end
+
+ it 'renames pipeline when name is valid', :aggregate_failures do
+ expect { execute }.to change { pipeline.reload.name }.to(name)
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ context 'when name is invalid' do
+ let(:name) { 'a' * 256 }
+
+ it 'does not rename pipeline', :aggregate_failures do
+ expect { execute }.not_to change { pipeline.reload.name }
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['message']).to eq('Failed to update pipeline - Name is too long (maximum is 255 characters)')
+ end
+ end
+ end
+
+ context 'unauthorized user' do
+ let(:current_user) { create(:user) }
+
+ context 'when user is not a member' do
+ it 'does not rename pipeline', :aggregate_failures do
+ expect { execute }.not_to change { pipeline.reload.name }
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+
+ context 'when user is a member' do
+ before do
+ project.add_reporter(current_user)
+ end
+
+ it 'does not rename pipeline', :aggregate_failures do
+ expect { execute }.not_to change { pipeline.reload.name }
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+ end
+
+ context 'when authorized with job token' do
+ let(:job) { create(:ci_build, :running, pipeline: pipeline, project: project, user: pipeline.user) }
+
+ before do
+ project.add_developer(pipeline.user)
+ end
+
+ subject(:execute) do
+ put api("/projects/#{project.id}/pipelines/#{pipeline.id}/metadata", nil, job_token: job.token), params: { name: name }
+ end
+
+ it 'renames pipeline when name is valid', :aggregate_failures do
+ expect { execute }.to change { pipeline.reload.name }.to(name)
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+
describe 'POST /projects/:id/pipelines/:pipeline_id/retry' do
context 'authorized user' do
let_it_be(:pipeline) do
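Review bot: The 'when authorized with job token' context at the end of the added describe covers only the success path, so nothing pins what happens when the job's user lacks developer access, even though the personal-token path has a reporter case expecting `:forbidden`. A negative example along the lines below would close that gap; the exact status the endpoint returns is not visible here, so it asserts only that the name is unchanged. Separately, the describe label says `PUT /projects/:id/pipelines/:pipeline_id/name` while every request goes to `.../metadata`, so the label should read `describe 'PUT /projects/:id/pipelines/:pipeline_id/metadata' do`.

```ruby
# … unchanged: 'when authorized with job token' happy path …

context 'when the job token belongs to a user without developer access' do
  let(:job) { create(:ci_build, :running, pipeline: pipeline, project: project, user: pipeline.user) }

  before do
    project.add_reporter(pipeline.user)
  end

  it 'does not rename pipeline' do
    expect do
      put api("/projects/#{project.id}/pipelines/#{pipeline.id}/metadata", nil, job_token: job.token), params: { name: name }
    end.not_to change { pipeline.reload.name }
  end
end
```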
diff --git a/spec/requests/api/internal/base_spec.rb b/spec/requests/api/internal/base_spec.rb
index cf0cd9a2e85..95d620a55ae 100644
--- a/spec/requests/api/internal/base_spec.rb
+++ b/spec/requests/api/internal/base_spec.rb
@@ -744,6 +744,17 @@ RSpec.describe API::Internal::Base, feature_category: :system_access do
expect(json_response["gitaly"]["features"]).to eq('gitaly-feature-mep-mep' => 'false')
end
end
+
+ context 'with audit event' do
+ it 'does not send a git streaming audit event' do
+ expect(::Gitlab::Audit::Auditor).not_to receive(:audit)
+
+ pull(key, project)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response["need_audit"]).to be_falsy
+ end
+ end
end
context "git push" do
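Review bot: `expect(json_response["need_audit"]).to be_falsy` in the new 'with audit event' example also passes when the key is missing from the response, so it cannot tell "audit explicitly not required" from "field never serialized". The same applies to the line added in the 'git push' hunk that follows. If the contract with the caller is that the field is always present, `expect(json_response["need_audit"]).to eq(false)` states that; if absence is acceptable, a brief comment saying so would help. The context title 'with audit event' also reads oddly next to an example asserting that no audit event is sent, and nothing visible in the hunk configures an audit destination, so the negative expectation may be trivially true.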
@@ -757,6 +768,7 @@ RSpec.describe API::Internal::Base, feature_category: :system_access do
expect(json_response["gl_project_path"]).to eq(project.full_path)
expect(json_response["gl_key_type"]).to eq("key")
expect(json_response["gl_key_id"]).to eq(key.id)
+ expect(json_response["need_audit"]).to be_falsy
expect(json_response["gitaly"]).not_to be_nil
expect(json_response["gitaly"]["repository"]).not_to be_nil
expect(json_response["gitaly"]["repository"]["storage_name"]).to eq(project.repository.gitaly_repository.storage_name)
diff --git a/spec/services/ci/pipelines/update_metadata_service_spec.rb b/spec/services/ci/pipelines/update_metadata_service_spec.rb
new file mode 100644
index 00000000000..939ce7f5785
--- /dev/null
+++ b/spec/services/ci/pipelines/update_metadata_service_spec.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Ci::Pipelines::UpdateMetadataService, feature_category: :continuous_integration do
+ subject(:execute) { described_class.new(pipeline, { name: name }).execute }
+
+ let(:name) { 'Some random pipeline name' }
+
+ context 'when pipeline has no name' do
+ let(:pipeline) { create(:ci_pipeline) }
+
+ it 'updates the name' do
+ expect { execute }.to change { pipeline.reload.name }.to(name)
+ end
+ end
+
+ context 'when pipeline has a name' do
+ let(:pipeline) { create(:ci_pipeline, name: 'Some other name') }
+
+ it 'updates the name' do
+ expect { execute }.to change { pipeline.reload.name }.to(name)
+ end
+ end
+
+ context 'when new name is too long' do
+ let(:pipeline) { create(:ci_pipeline) }
+ let(:name) { 'a' * 256 }
+
+ it 'does not update the name' do
+ expect { execute }.not_to change { pipeline.reload.name }
+ end
+ end
+end
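Review bot: The service is constructed with a free-form params hash, but every example passes only `{ name: name }`, so the spec does not show whether attributes other than `name` are filtered out. An example passing an extra key alongside `name` and asserting that attribute is unchanged on `pipeline.reload` would guard against accidental mass assignment if the permitted list is later widened. The 'when new name is too long' case checks only that the name did not change; asserting on the value `execute` returns would also pin how the failure is reported to the API layer, whose spec expects a specific error message.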
diff --git a/spec/support/shared_examples/sends_git_audit_streaming_event_shared_examples.rb b/spec/support/shared_examples/sends_git_audit_streaming_event_shared_examples.rb
index 2c2be0152a0..f91cf22f27e 100644
--- a/spec/support/shared_examples/sends_git_audit_streaming_event_shared_examples.rb
+++ b/spec/support/shared_examples/sends_git_audit_streaming_event_shared_examples.rb
@@ -14,7 +14,7 @@ RSpec.shared_examples 'sends git audit streaming event' do
let(:project) { create(:project, :public, :repository, namespace: group) }
before do
- group.external_audit_event_destinations.create!(destination_url: 'http://example.com')
+ create(:external_audit_event_destination, group: group)
project.add_developer(user)
end
@@ -38,7 +38,7 @@ RSpec.shared_examples 'sends git audit streaming event' do
let(:project) { create(:project, :private, :repository, namespace: group) }
before do
- group.external_audit_event_destinations.create!(destination_url: 'http://example.com')
+ create(:external_audit_event_destination, group: group)
project.add_developer(user)
sign_in(user)
end
@@ -52,9 +52,40 @@ RSpec.shared_examples 'sends git audit streaming event' do
request.headers.merge! auth_env(user.username, password, nil)
end
end
- it 'sends the audit streaming event' do
- expect(AuditEvents::AuditEventStreamingWorker).to receive(:perform_async).once
- subject
+
+ context 'when log_git_streaming_audit_events is enable' do
+ it 'does not send the audit streaming event' do
+ expect(AuditEvents::AuditEventStreamingWorker).not_to receive(:perform_async)
+ subject
+ end
+
+ it 'respond the need audit to be true' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+
+ audit_flag = json_response["need_audit"] || json_response["NeedAudit"]
+ expect(audit_flag).to be_truthy
+ end
+ end
+
+ context 'when log_git_streaming_audit_events is disable' do
+ before do
+ stub_feature_flags(log_git_streaming_audit_events: false)
+ end
+
+ it "sends git streaming audit event" do
+ expect(AuditEvents::AuditEventStreamingWorker).to receive(:perform_async).once
+
+ subject
+ end
+
+ it 'respond the need audit to be false' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(json_response["need_audit"]).to be_falsy
+ end
end
end
end
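Review bot: In the 'is disable' context the last example reads only `json_response["need_audit"]`, whereas the enabled context accepts either `"need_audit"` or `"NeedAudit"`. For any caller of these shared examples whose response uses the `NeedAudit` key, the disabled check therefore passes vacuously on a missing key, even if the flag were still being set. Using the same lookup in both places, `audit_flag = json_response["need_audit"] || json_response["NeedAudit"]` followed by `expect(audit_flag).to be_falsy`, keeps the two contexts symmetric. Better still, each including spec could supply the expected key, so that the wrong casing is itself detected. The context titles should read 'is enabled' and 'is disabled', and the example names 'responds with need_audit true' and 'responds with need_audit false'.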