6 files changed, 109 insertions, 33 deletions

diff --git a/app/services/groups/create_service.rb b/app/services/groups/create_service.rb
index 0f74b2d9349..21d3c6499a0 100644
--- a/app/services/groups/create_service.rb
+++ b/app/services/groups/create_service.rb
@@ -35,10 +35,14 @@ module Groups
         @group.build_chat_team(name: response['name'], team_id: response['id'])
       end
 
-      Group.transaction do
-        if @group.save
-          @group.add_owner(current_user)
-          Integration.create_from_active_default_integrations(@group, :group_id)
+      Gitlab::Database::QueryAnalyzers::PreventCrossDatabaseModification.temporary_ignore_tables_in_transaction(
+        %w[routes redirect_routes], url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/424281'
+      ) do
+        Group.transaction do
+          if @group.save
+            @group.add_owner(current_user)
+            Integration.create_from_active_default_integrations(@group, :group_id)
+          end
         end
       end
 
diff --git a/app/services/groups/destroy_service.rb b/app/services/groups/destroy_service.rb
index 45e8972213e..a896ca5cabc 100644
--- a/app/services/groups/destroy_service.rb
+++ b/app/services/groups/destroy_service.rb
@@ -14,8 +14,6 @@ module Groups
       # TODO - add a policy check here https://gitlab.com/gitlab-org/gitlab/-/issues/353082
       raise DestroyError, "You can't delete this group because you're blocked." if current_user.blocked?
 
-      group.prepare_for_destroy
-
       group.projects.includes(:project_feature).each do |project|
         # Execute the destruction of the models immediately to ensure atomic cleanup.
         success = ::Projects::DestroyService.new(project, current_user).execute
@@ -83,7 +81,10 @@ module Groups
 
     # rubocop:disable CodeReuse/ActiveRecord
     def destroy_group_bots
-      bot_ids = group.members_and_requesters.joins(:user).merge(User.project_bot).pluck(:user_id)
+      bot_ids = group.members_and_requesters.joins(:user)
+        .merge(User.project_bot)
+        .allow_cross_joins_across_databases(url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/422405')
+        .pluck(:user_id)
       current_user_id = current_user.id
 
       group.run_after_commit do
diff --git a/app/services/groups/ssh_certificates/create_service.rb b/app/services/groups/ssh_certificates/create_service.rb
new file mode 100644
index 00000000000..6890901c306
--- /dev/null
+++ b/app/services/groups/ssh_certificates/create_service.rb
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Groups
+  module SshCertificates
+    class CreateService
+      def initialize(group, params)
+        @group = group
+        @params = params
+      end
+
+      def execute
+        key = params[:key]
+        fingerprint = generate_fingerprint(key)
+
+        return ServiceResponse.error(message: 'Group', reason: :forbidden) if group.has_parent?
+
+        # return a key error instead of fingerprint error, as the user has no knowledge of fingerprint.
+        unless fingerprint
+          return ServiceResponse.error(message: 'Validation failed: Invalid key',
+            reason: :unprocessable_entity)
+        end
+
+        result = group.ssh_certificates.create!(
+          key: key,
+          title: params[:title],
+          fingerprint: fingerprint
+        )
+
+        # title and key attributes are returned as [FILTERED]
+        # by config/application.rb#L181-233
+        # make attributes unfiltered by running find
+        ssh_certificate = group.ssh_certificates.find(result.id)
+        ServiceResponse.success(payload: ssh_certificate)
+
+      rescue ActiveRecord::RecordInvalid, ArgumentError => e
+        ServiceResponse.error(
+          message: e.message,
+          reason: :unprocessable_entity
+        )
+      end
+
+      private
+
+      attr_reader :group, :params
+
+      def generate_fingerprint(key)
+        Gitlab::SSHPublicKey.new(key).fingerprint_sha256&.delete_prefix('SHA256:')
+      end
+    end
+  end
+end
diff --git a/app/services/groups/ssh_certificates/destroy_service.rb b/app/services/groups/ssh_certificates/destroy_service.rb
new file mode 100644
index 00000000000..7a450d5bee6
--- /dev/null
+++ b/app/services/groups/ssh_certificates/destroy_service.rb
@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Groups
+  module SshCertificates
+    class DestroyService
+      def initialize(group, params)
+        @group = group
+        @params = params
+      end
+
+      def execute
+        ssh_certificate = group.ssh_certificates.find(params[:ssh_certificates_id])
+
+        ssh_certificate.destroy!
+        ServiceResponse.success
+
+      rescue ActiveRecord::RecordNotFound
+        ServiceResponse.error(
+          message: 'SSH Certificate not found',
+          reason: :not_found
+        )
+
+      rescue ActiveRecord::RecordNotDestroyed
+        ServiceResponse.error(
+          message: 'SSH Certificate could not be deleted',
+          reason: :method_not_allowed
+        )
+      end
+
+      private
+
+      attr_reader :group, :params
+    end
+  end
+end
diff --git a/app/services/groups/transfer_service.rb b/app/services/groups/transfer_service.rb
index 64256e43ce3..6b979308d26 100644
--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -60,13 +60,17 @@ module Groups
       old_root_ancestor_id = @group.root_ancestor.id
       was_root_group = @group.root?
 
-      Group.transaction do
-        update_group_attributes
-        ensure_ownership
-        update_integrations
-        remove_issue_contacts(old_root_ancestor_id, was_root_group)
-        update_crm_objects(was_root_group)
-        remove_namespace_commit_emails(was_root_group)
+      Gitlab::Database::QueryAnalyzers::PreventCrossDatabaseModification.temporary_ignore_tables_in_transaction(
+        %w[routes redirect_routes], url: 'https://gitlab.com/gitlab-org/gitlab/-/issues/424280'
+      ) do
+        Group.transaction do
+          update_group_attributes
+          ensure_ownership
+          update_integrations
+          remove_issue_contacts(old_root_ancestor_id, was_root_group)
+          update_crm_objects(was_root_group)
+          remove_namespace_commit_emails(was_root_group)
+        end
       end
 
       post_update_hooks(@updated_project_ids, old_root_ancestor_id)
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
index 7d0142fc067..d91e09d212a 100644
--- a/app/services/groups/update_service.rb
+++ b/app/services/groups/update_service.rb
@@ -47,10 +47,6 @@ module Groups
     private
 
     def valid_path_change?
-      unless Feature.enabled?(:npm_package_registry_fix_group_path_validation)
-        return valid_path_change_with_npm_packages?
-      end
-
       return true unless group.packages_feature_enabled?
       return true if params[:path].blank?
       return true if group.has_parent?
@@ -68,21 +64,6 @@ module Groups
       false
     end
 
-    # TODO: delete this function along with npm_package_registry_fix_group_path_validation
-    def valid_path_change_with_npm_packages?
-      return true unless group.packages_feature_enabled?
-      return true if params[:path].blank?
-      return true if !group.has_parent? && group.path == params[:path]
-
-      npm_packages = ::Packages::GroupPackagesFinder.new(current_user, group, package_type: :npm).execute
-      if npm_packages.exists?
-        group.errors.add(:path, s_('GroupSettings|cannot change when group contains projects with NPM packages'))
-        return
-      end
-
-      true
-    end
-
     def before_assignment_hook(group, params)
       @full_path_before = group.full_path
       @path_before = group.path