11 files changed, 136 insertions, 33 deletions

diff --git a/spec/requests/api/ci/job_artifacts_spec.rb b/spec/requests/api/ci/job_artifacts_spec.rb
index 2bf242f06ed..da9eb6b2216 100644
--- a/spec/requests/api/ci/job_artifacts_spec.rb
+++ b/spec/requests/api/ci/job_artifacts_spec.rb
@@ -389,8 +389,7 @@ RSpec.describe API::Ci::JobArtifacts do
             end
           end
 
-          context 'when Google CDN is enabled' do
-            let(:cdn_enabled) { true }
+          context 'when Google CDN is configured' do
             let(:cdn_config) do
               {
                 'provider' => 'Google',
@@ -401,7 +400,6 @@ RSpec.describe API::Ci::JobArtifacts do
             end
 
             before do
-              stub_feature_flags(ci_job_artifacts_cdn: cdn_enabled)
               stub_object_storage_uploader(config: Gitlab.config.artifacts.object_store,
                                            uploader: JobArtifactUploader,
                                            proxy_download: proxy_download,
@@ -418,18 +416,6 @@ RSpec.describe API::Ci::JobArtifacts do
 
               expect(response.redirect_url).to start_with("https://cdn.example.org/#{artifact.file.path}")
             end
-
-            context 'when ci_job_artifacts_cdn feature flag is disabled' do
-              let(:cdn_enabled) { false }
-
-              it 'returns the file remote URL' do
-                expect(Gitlab::ApplicationContext).to receive(:push).with(artifact_used_cdn: false).and_call_original
-
-                subject
-
-                expect(response).to redirect_to(artifact.file.url)
-              end
-            end
           end
 
           context 'authorized user' do
diff --git a/spec/requests/api/ci/jobs_spec.rb b/spec/requests/api/ci/jobs_spec.rb
index 0e17db516f4..c1b7461f444 100644
--- a/spec/requests/api/ci/jobs_spec.rb
+++ b/spec/requests/api/ci/jobs_spec.rb
@@ -606,6 +606,32 @@ RSpec.describe API::Ci::Jobs do
         end
       end
     end
+
+    context 'when ci_debug_services is set to true' do
+      before_all do
+        create(:ci_instance_variable, key: 'CI_DEBUG_SERVICES', value: true)
+      end
+
+      where(:public_builds, :user_project_role, :expected_status) do
+        true         | 'developer'     | :ok
+        true         | 'guest'         | :forbidden
+        false        | 'developer'     | :ok
+        false        | 'guest'         | :forbidden
+      end
+
+      with_them do
+        before do
+          project.update!(public_builds: public_builds)
+          project.add_role(user, user_project_role)
+
+          get api("/projects/#{project.id}/jobs/#{job.id}/trace", api_user)
+        end
+
+        it 'renders successfully to authorized users' do
+          expect(response).to have_gitlab_http_status(expected_status)
+        end
+      end
+    end
   end
 
   describe 'POST /projects/:id/jobs/:job_id/cancel' do
diff --git a/spec/requests/api/ci/pipelines_spec.rb b/spec/requests/api/ci/pipelines_spec.rb
index 697fe16e222..c9d06f37c8b 100644
--- a/spec/requests/api/ci/pipelines_spec.rb
+++ b/spec/requests/api/ci/pipelines_spec.rb
@@ -940,7 +940,12 @@ RSpec.describe API::Ci::Pipelines do
           subject
 
           expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response).to contain_exactly({ "variable_type" => "env_var", "key" => "foo", "value" => "bar" })
+          expect(json_response).to contain_exactly({
+                                                     "variable_type" => "env_var",
+                                                     "key" => "foo",
+                                                     "value" => "bar",
+                                                     "raw" => false
+                                                   })
         end
       end
     end
@@ -961,7 +966,12 @@ RSpec.describe API::Ci::Pipelines do
           subject
 
           expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response).to contain_exactly({ "variable_type" => "env_var", "key" => "foo", "value" => "bar" })
+          expect(json_response).to contain_exactly({
+                                                     "variable_type" => "env_var",
+                                                     "key" => "foo",
+                                                     "value" => "bar",
+                                                     "raw" => false
+                                                   })
         end
       end
 
diff --git a/spec/requests/api/ci/resource_groups_spec.rb b/spec/requests/api/ci/resource_groups_spec.rb
index 87df71f6096..2a67a3e4322 100644
--- a/spec/requests/api/ci/resource_groups_spec.rb
+++ b/spec/requests/api/ci/resource_groups_spec.rb
@@ -56,6 +56,31 @@ RSpec.describe API::Ci::ResourceGroups do
       expect(Time.parse(json_response['updated_at'])).to be_like_time(resource_group.updated_at)
     end
 
+    context 'when resource group key contains multiple dots' do
+      let!(:resource_group) { create(:ci_resource_group, project: project, key: 'test..test') }
+
+      it 'returns the resource group', :aggregate_failures do
+        subject
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['id']).to eq(resource_group.id)
+        expect(json_response['key']).to eq(resource_group.key)
+      end
+    end
+
+    context 'when resource group key contains a slash' do
+      let!(:resource_group) { create(:ci_resource_group, project: project, key: 'test/test') }
+      let(:key) { 'test%2Ftest' }
+
+      it 'returns the resource group', :aggregate_failures do
+        subject
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['id']).to eq(resource_group.id)
+        expect(json_response['key']).to eq(resource_group.key)
+      end
+    end
+
     context 'when user is reporter' do
       let(:user) { reporter }
 
@@ -98,6 +123,25 @@ RSpec.describe API::Ci::ResourceGroups do
       expect(json_response[0]['status']).to eq(upcoming_processable.status)
     end
 
+    context 'when resource group key contains a slash' do
+      let_it_be(:resource_group) { create(:ci_resource_group, project: project, key: 'test/test') }
+      let_it_be(:upcoming_processable) do
+        create(:ci_processable,
+               :waiting_for_resource,
+               resource_group: resource_group)
+      end
+
+      let(:key) { 'test%2Ftest' }
+
+      it 'returns the resource group', :aggregate_failures do
+        subject
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response[0]['id']).to eq(upcoming_processable.id)
+        expect(json_response[0]['name']).to eq(upcoming_processable.name)
+      end
+    end
+
     context 'when user is reporter' do
       let(:user) { reporter }
 
diff --git a/spec/requests/api/ci/runner/jobs_artifacts_spec.rb b/spec/requests/api/ci/runner/jobs_artifacts_spec.rb
index cd8c3dd2806..9af0541bd2c 100644
--- a/spec/requests/api/ci/runner/jobs_artifacts_spec.rb
+++ b/spec/requests/api/ci/runner/jobs_artifacts_spec.rb
@@ -238,7 +238,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
 
         context 'authorization token is invalid' do
           it 'responds with forbidden' do
-            authorize_artifacts(token: 'invalid', filesize: 100 )
+            authorize_artifacts(token: 'invalid', filesize: 100)
 
             expect(response).to have_gitlab_http_status(:forbidden)
           end
@@ -881,11 +881,11 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
             end
           end
 
-          shared_examples 'forbidden request' do
-            it 'responds with forbidden' do
+          shared_examples 'unauthorized request' do
+            it 'responds with unauthorized' do
               download_artifact
 
-              expect(response).to have_gitlab_http_status(:forbidden)
+              expect(response).to have_gitlab_http_status(:unauthorized)
             end
           end
 
@@ -899,7 +899,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
                 job.success!
               end
 
-              it_behaves_like 'successful artifact download'
+              it_behaves_like 'unauthorized request'
             end
           end
 
@@ -916,7 +916,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
                 dependent_job.success!
               end
 
-              it_behaves_like 'forbidden request'
+              it_behaves_like 'unauthorized request'
             end
           end
 
@@ -942,7 +942,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
 
             let(:token) { ci_build.token }
 
-            it_behaves_like 'forbidden request'
+            it_behaves_like 'unauthorized request'
           end
 
           context 'when using a token from a cross pipeline build' do
@@ -981,19 +981,23 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
             let!(:unrelated_ci_build) { create(:ci_build, :running, user: create(:user)) }
             let(:token) { unrelated_ci_build.token }
 
-            it_behaves_like 'forbidden request'
+            it 'responds with forbidden' do
+              download_artifact
+
+              expect(response).to have_gitlab_http_status(:forbidden)
+            end
           end
 
           context 'when using runnners token' do
             let(:token) { job.project.runners_token }
 
-            it_behaves_like 'forbidden request'
+            it_behaves_like 'unauthorized request'
           end
 
           context 'when using an invalid token' do
             let(:token) { 'invalid-token' }
 
-            it_behaves_like 'forbidden request'
+            it_behaves_like 'unauthorized request'
           end
         end
 
diff --git a/spec/requests/api/ci/runner/jobs_request_post_spec.rb b/spec/requests/api/ci/runner/jobs_request_post_spec.rb
index d4f734e7bdd..1cb4cc93ea5 100644
--- a/spec/requests/api/ci/runner/jobs_request_post_spec.rb
+++ b/spec/requests/api/ci/runner/jobs_request_post_spec.rb
@@ -462,7 +462,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
             request_job info: { 'config' => { 'gpus' => 'all', 'ignored' => 'hello' } }
 
             expect(response).to have_gitlab_http_status(:created)
-            expect(runner.reload.config).to eq( { 'gpus' => 'all' } )
+            expect(runner.reload.config).to eq({ 'gpus' => 'all' })
           end
 
           it "sets the runner's ip_address" do
diff --git a/spec/requests/api/ci/runners_reset_registration_token_spec.rb b/spec/requests/api/ci/runners_reset_registration_token_spec.rb
index e1dc347f8dd..b8e4370fd46 100644
--- a/spec/requests/api/ci/runners_reset_registration_token_spec.rb
+++ b/spec/requests/api/ci/runners_reset_registration_token_spec.rb
@@ -118,7 +118,7 @@ RSpec.describe API::Ci::Runners do
       end
 
       include_context 'when authorized', 'group' do
-        let_it_be(:user) { create_default(:group_member, :owner, user: create(:user), group: group ).user }
+        let_it_be(:user) { create_default(:group_member, :owner, user: create(:user), group: group).user }
 
         def get_token
           group.reload.runners_token
diff --git a/spec/requests/api/ci/runners_spec.rb b/spec/requests/api/ci/runners_spec.rb
index 69f26d3f257..dd9894f2972 100644
--- a/spec/requests/api/ci/runners_spec.rb
+++ b/spec/requests/api/ci/runners_spec.rb
@@ -399,7 +399,7 @@ RSpec.describe API::Ci::Runners do
         it 'unrelated runner attribute on an existing runner with too many tags' do
           # This test ensures that it is possible to update any attribute on a runner that currently fails the
           # validation that ensures that there aren't too many tags associated with a runner
-          existing_invalid_shared_runner = build(:ci_runner, :instance, tag_list: (1..::Ci::Runner::TAG_LIST_MAX_LENGTH + 1).map { |i| "tag#{i}" } )
+          existing_invalid_shared_runner = build(:ci_runner, :instance, tag_list: (1..::Ci::Runner::TAG_LIST_MAX_LENGTH + 1).map { |i| "tag#{i}" })
           existing_invalid_shared_runner.save!(validate: false)
 
           active = existing_invalid_shared_runner.active
diff --git a/spec/requests/api/ci/secure_files_spec.rb b/spec/requests/api/ci/secure_files_spec.rb
index 0b8116d5e20..b0bca6e9125 100644
--- a/spec/requests/api/ci/secure_files_spec.rb
+++ b/spec/requests/api/ci/secure_files_spec.rb
@@ -143,6 +143,18 @@ RSpec.describe API::Ci::SecureFiles do
 
         expect(response).to have_gitlab_http_status(:ok)
         expect(json_response['name']).to eq(secure_file.name)
+        expect(json_response['expires_at']).to be nil
+        expect(json_response['metadata']).to be nil
+      end
+
+      it 'returns project secure file details with metadata when supported' do
+        secure_file_with_metadata = create(:ci_secure_file_with_metadata, project: project)
+        get api("/projects/#{project.id}/secure_files/#{secure_file_with_metadata.id}", maintainer)
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(json_response['name']).to eq(secure_file_with_metadata.name)
+        expect(json_response['expires_at']).to eq('2022-04-26T19:20:40.000Z')
+        expect(json_response['metadata'].keys).to match_array(%w[id issuer subject expires_at])
       end
 
       it 'responds with 404 Not Found if requesting non-existing secure file' do
diff --git a/spec/requests/api/ci/triggers_spec.rb b/spec/requests/api/ci/triggers_spec.rb
index 953dcb8a483..f9b7880a4c4 100644
--- a/spec/requests/api/ci/triggers_spec.rb
+++ b/spec/requests/api/ci/triggers_spec.rb
@@ -81,7 +81,7 @@ RSpec.describe API::Ci::Triggers do
         end
 
         it 'validates variables needs to be a map of key-valued strings' do
-          post api("/projects/#{project.id}/trigger/pipeline"), params: options.merge(variables: { key: %w(1 2) }, ref: 'master')
+          post api("/projects/#{project.id}/trigger/pipeline"), params: options.merge(variables: { 'TRIGGER_KEY' => %w(1 2) }, ref: 'master')
 
           expect(response).to have_gitlab_http_status(:bad_request)
           expect(json_response['message']).to eq('variables needs to be a map of key-valued strings')
diff --git a/spec/requests/api/ci/variables_spec.rb b/spec/requests/api/ci/variables_spec.rb
index 74ed8c1551d..cafb841995d 100644
--- a/spec/requests/api/ci/variables_spec.rb
+++ b/spec/requests/api/ci/variables_spec.rb
@@ -46,6 +46,7 @@ RSpec.describe API::Ci::Variables do
         expect(json_response['value']).to eq(variable.value)
         expect(json_response['protected']).to eq(variable.protected?)
         expect(json_response['masked']).to eq(variable.masked?)
+        expect(json_response['raw']).to eq(variable.raw?)
         expect(json_response['variable_type']).to eq('env_var')
       end
 
@@ -115,7 +116,7 @@ RSpec.describe API::Ci::Variables do
     context 'authorized user with proper permissions' do
       it 'creates variable' do
         expect do
-          post api("/projects/#{project.id}/variables", user), params: { key: 'TEST_VARIABLE_2', value: 'PROTECTED_VALUE_2', protected: true, masked: true }
+          post api("/projects/#{project.id}/variables", user), params: { key: 'TEST_VARIABLE_2', value: 'PROTECTED_VALUE_2', protected: true, masked: true, raw: true }
         end.to change { project.variables.count }.by(1)
 
         expect(response).to have_gitlab_http_status(:created)
@@ -123,12 +124,22 @@ RSpec.describe API::Ci::Variables do
         expect(json_response['value']).to eq('PROTECTED_VALUE_2')
         expect(json_response['protected']).to be_truthy
         expect(json_response['masked']).to be_truthy
+        expect(json_response['raw']).to be_truthy
         expect(json_response['variable_type']).to eq('env_var')
       end
 
+      it 'masks the new value when logging' do
+        masked_params = { 'key' => 'VAR_KEY', 'value' => '[FILTERED]', 'protected' => 'true', 'masked' => 'true' }
+
+        expect(::API::API::LOGGER).to receive(:info).with(include(params: include(masked_params)))
+
+        post api("/projects/#{project.id}/variables", user),
+          params: { key: 'VAR_KEY', value: 'SENSITIVE', protected: true, masked: true }
+      end
+
       it 'creates variable with optional attributes' do
         expect do
-          post api("/projects/#{project.id}/variables", user), params: { variable_type: 'file',  key: 'TEST_VARIABLE_2', value: 'VALUE_2' }
+          post api("/projects/#{project.id}/variables", user), params: { variable_type: 'file', key: 'TEST_VARIABLE_2', value: 'VALUE_2' }
         end.to change { project.variables.count }.by(1)
 
         expect(response).to have_gitlab_http_status(:created)
@@ -136,6 +147,7 @@ RSpec.describe API::Ci::Variables do
         expect(json_response['value']).to eq('VALUE_2')
         expect(json_response['protected']).to be_falsey
         expect(json_response['masked']).to be_falsey
+        expect(json_response['raw']).to be_falsey
         expect(json_response['variable_type']).to eq('file')
       end
 
@@ -206,6 +218,15 @@ RSpec.describe API::Ci::Variables do
         expect(updated_variable.variable_type).to eq('file')
       end
 
+      it 'masks the new value when logging' do
+        masked_params = { 'value' => '[FILTERED]', 'protected' => 'true' }
+
+        expect(::API::API::LOGGER).to receive(:info).with(include(params: include(masked_params)))
+
+        put api("/projects/#{project.id}/variables/#{variable.key}", user),
+          params: { value: 'SENSITIVE', protected: true }
+      end
+
       it 'responds with 404 Not Found if requesting non-existing variable' do
         put api("/projects/#{project.id}/variables/non_existing_variable", user)