From a8281ac43424e4b820286823bdb48f068b21d7d3 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 11 Jan 2022 15:15:55 +0000
Subject: Add latest changes from gitlab-org/gitlab@master

---
 .../oauth/token_info_controller_spec.rb            | 24 +++++-----
 spec/factories/clusters/agent_tokens.rb            |  4 ++
 .../features/issues/user_comments_on_issue_spec.rb |  1 +
 spec/features/markdown/mermaid_spec.rb             |  4 ++
 spec/features/markdown/sandboxed_mermaid_spec.rb   | 32 +++++++++++++
 .../clusters/agent_tokens_resolver_spec.rb         |  9 ++++
 .../resolvers/concerns/resolves_pipelines_spec.rb  | 20 ++------
 .../types/clusters/agent_token_status_enum_spec.rb |  8 ++++
 spec/lib/backup/manager_spec.rb                    |  6 +--
 spec/lib/backup/object_backup_spec.rb              | 36 +++++++++++++++
 spec/lib/backup/terraform_state_spec.rb            | 27 -----------
 .../content_security_policy/config_loader_spec.rb  |  6 +--
 spec/lib/gitlab/usage_data_spec.rb                 |  7 +--
 spec/models/ci/runner_spec.rb                      |  2 +-
 spec/models/clusters/agent_token_spec.rb           | 16 +++++--
 spec/models/namespace_setting_spec.rb              | 53 ----------------------
 spec/requests/sandbox_controller_spec.rb           | 14 ++++++
 spec/routing/routing_spec.rb                       |  6 +++
 .../cross-database-modification-allowlist.yml      |  1 -
 spec/support/helpers/test_env.rb                   |  5 ++
 spec/tasks/gitlab/backup_rake_spec.rb              | 20 +++++---
 21 files changed, 171 insertions(+), 130 deletions(-)
 create mode 100644 spec/features/markdown/sandboxed_mermaid_spec.rb
 create mode 100644 spec/graphql/types/clusters/agent_token_status_enum_spec.rb
 create mode 100644 spec/lib/backup/object_backup_spec.rb
 delete mode 100644 spec/lib/backup/terraform_state_spec.rb
 create mode 100644 spec/requests/sandbox_controller_spec.rb

(limited to 'spec')

diff --git a/spec/controllers/oauth/token_info_controller_spec.rb b/spec/controllers/oauth/token_info_controller_spec.rb
index 6d01a534673..b66fff4d4e9 100644
--- a/spec/controllers/oauth/token_info_controller_spec.rb
+++ b/spec/controllers/oauth/token_info_controller_spec.rb
@@ -5,11 +5,11 @@ require 'spec_helper'
 RSpec.describe Oauth::TokenInfoController do
   describe '#show' do
     context 'when the user is not authenticated' do
-      it 'responds with a 400' do
+      it 'responds with a 401' do
         get :show
 
-        expect(response).to have_gitlab_http_status(:bad_request)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
       end
     end
 
@@ -36,11 +36,11 @@ RSpec.describe Oauth::TokenInfoController do
     end
 
     context 'when the doorkeeper_token is not recognised' do
-      it 'responds with a 400' do
+      it 'responds with a 401' do
         get :show, params: { access_token: 'unknown_token' }
 
-        expect(response).to have_gitlab_http_status(:bad_request)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
       end
     end
 
@@ -49,22 +49,22 @@ RSpec.describe Oauth::TokenInfoController do
         create(:oauth_access_token, created_at: 2.days.ago, expires_in: 10.minutes)
       end
 
-      it 'responds with a 400' do
+      it 'responds with a 401' do
         get :show, params: { access_token: access_token.token }
 
-        expect(response).to have_gitlab_http_status(:bad_request)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
       end
     end
 
     context 'when the token is revoked' do
       let(:access_token) { create(:oauth_access_token, revoked_at: 2.days.ago) }
 
-      it 'responds with a 400' do
+      it 'responds with a 401' do
         get :show, params: { access_token: access_token.token }
 
-        expect(response).to have_gitlab_http_status(:bad_request)
-        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_request')
+        expect(response).to have_gitlab_http_status(:unauthorized)
+        expect(Gitlab::Json.parse(response.body)).to include('error' => 'invalid_token')
       end
     end
   end
diff --git a/spec/factories/clusters/agent_tokens.rb b/spec/factories/clusters/agent_tokens.rb
index c49d197c3cd..03f765123db 100644
--- a/spec/factories/clusters/agent_tokens.rb
+++ b/spec/factories/clusters/agent_tokens.rb
@@ -7,5 +7,9 @@ FactoryBot.define do
     token_encrypted { Gitlab::CryptoHelper.aes256_gcm_encrypt(SecureRandom.hex(50)) }
 
     sequence(:name) { |n| "agent-token-#{n}" }
+
+    trait :revoked do
+      status { :revoked }
+    end
   end
 end
diff --git a/spec/features/issues/user_comments_on_issue_spec.rb b/spec/features/issues/user_comments_on_issue_spec.rb
index 09d3ad15641..fc1146bde5e 100644
--- a/spec/features/issues/user_comments_on_issue_spec.rb
+++ b/spec/features/issues/user_comments_on_issue_spec.rb
@@ -11,6 +11,7 @@ RSpec.describe "User comments on issue", :js do
 
   before do
     stub_feature_flags(tribute_autocomplete: false)
+    stub_feature_flags(sandboxed_mermaid: false)
     project.add_guest(user)
     sign_in(user)
 
diff --git a/spec/features/markdown/mermaid_spec.rb b/spec/features/markdown/mermaid_spec.rb
index e080c7ffb3f..6a91d4e03c1 100644
--- a/spec/features/markdown/mermaid_spec.rb
+++ b/spec/features/markdown/mermaid_spec.rb
@@ -5,6 +5,10 @@ require 'spec_helper'
 RSpec.describe 'Mermaid rendering', :js do
   let_it_be(:project) { create(:project, :public) }
 
+  before do
+    stub_feature_flags(sandboxed_mermaid: false)
+  end
+
   it 'renders Mermaid diagrams correctly' do
     description = <<~MERMAID
       ```mermaid
diff --git a/spec/features/markdown/sandboxed_mermaid_spec.rb b/spec/features/markdown/sandboxed_mermaid_spec.rb
new file mode 100644
index 00000000000..f118fb3db66
--- /dev/null
+++ b/spec/features/markdown/sandboxed_mermaid_spec.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Sandboxed Mermaid rendering', :js do
+  let_it_be(:project) { create(:project, :public) }
+
+  before do
+    stub_feature_flags(sandboxed_mermaid: true)
+  end
+
+  it 'includes mermaid frame correctly' do
+    description = <<~MERMAID
+      ```mermaid
+      graph TD;
+        A-->B;
+        A-->C;
+        B-->D;
+        C-->D;
+      ```
+    MERMAID
+
+    issue = create(:issue, project: project, description: description)
+
+    visit project_issue_path(project, issue)
+
+    wait_for_requests
+
+    expected = %(<iframe src="/-/sandbox/mermaid" sandbox="allow-scripts" frameborder="0" scrolling="no")
+    expect(page.html).to include(expected)
+  end
+end
diff --git a/spec/graphql/resolvers/clusters/agent_tokens_resolver_spec.rb b/spec/graphql/resolvers/clusters/agent_tokens_resolver_spec.rb
index 6b8b88928d8..9b54d466681 100644
--- a/spec/graphql/resolvers/clusters/agent_tokens_resolver_spec.rb
+++ b/spec/graphql/resolvers/clusters/agent_tokens_resolver_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe Resolvers::Clusters::AgentTokensResolver do
 
   it { expect(described_class.type).to eq(Types::Clusters::AgentTokenType) }
   it { expect(described_class.null).to be_truthy }
+  it { expect(described_class.arguments.keys).to contain_exactly('status') }
 
   describe '#resolve' do
     let(:agent) { create(:cluster_agent) }
@@ -23,6 +24,14 @@ RSpec.describe Resolvers::Clusters::AgentTokensResolver do
       expect(subject).to eq([matching_token2, matching_token1])
     end
 
+    context 'token status is specified' do
+      let!(:revoked_token) { create(:cluster_agent_token, :revoked, agent: agent) }
+
+      subject { resolve(described_class, obj: agent, ctx: ctx, args: { status: 'revoked' }) }
+
+      it { is_expected.to contain_exactly(revoked_token) }
+    end
+
     context 'user does not have permission' do
       let(:user) { create(:user, developer_projects: [agent.project]) }
 
diff --git a/spec/graphql/resolvers/concerns/resolves_pipelines_spec.rb b/spec/graphql/resolvers/concerns/resolves_pipelines_spec.rb
index 3fcfa967452..9fe4c78f551 100644
--- a/spec/graphql/resolvers/concerns/resolves_pipelines_spec.rb
+++ b/spec/graphql/resolvers/concerns/resolves_pipelines_spec.rb
@@ -62,24 +62,12 @@ RSpec.describe ResolvesPipelines do
   context 'filtering by source' do
     let_it_be(:source_pipeline) { create(:ci_pipeline, project: project, source: 'web') }
 
-    context 'when `dast_view_scans` feature flag is disabled' do
-      before do
-        stub_feature_flags(dast_view_scans: false)
-      end
-
-      it 'does not filter by source' do
-        expect(resolve_pipelines(source: 'web')).to contain_exactly(*all_pipelines, source_pipeline)
-      end
+    it 'does filter by source' do
+      expect(resolve_pipelines(source: 'web')).to contain_exactly(source_pipeline)
     end
 
-    context 'when `dast_view_scans` feature flag is enabled' do
-      it 'does filter by source' do
-        expect(resolve_pipelines(source: 'web')).to contain_exactly(source_pipeline)
-      end
-
-      it 'returns all the pipelines' do
-        expect(resolve_pipelines).to contain_exactly(*all_pipelines, source_pipeline)
-      end
+    it 'returns all the pipelines' do
+      expect(resolve_pipelines).to contain_exactly(*all_pipelines, source_pipeline)
     end
   end
 
diff --git a/spec/graphql/types/clusters/agent_token_status_enum_spec.rb b/spec/graphql/types/clusters/agent_token_status_enum_spec.rb
new file mode 100644
index 00000000000..071e4050cfb
--- /dev/null
+++ b/spec/graphql/types/clusters/agent_token_status_enum_spec.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Types::Clusters::AgentTokenStatusEnum do
+  it { expect(described_class.graphql_name).to eq('AgentTokenStatus') }
+  it { expect(described_class.values.keys).to match_array(Clusters::AgentToken.statuses.keys.map(&:upcase)) }
+end
diff --git a/spec/lib/backup/manager_spec.rb b/spec/lib/backup/manager_spec.rb
index 0e26e2faa5c..31cc3012eb1 100644
--- a/spec/lib/backup/manager_spec.rb
+++ b/spec/lib/backup/manager_spec.rb
@@ -15,7 +15,7 @@ RSpec.describe Backup::Manager do
   end
 
   describe '#pack' do
-    let(:expected_backup_contents) { %w(repositories db uploads.tar.gz builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz backup_information.yml) }
+    let(:expected_backup_contents) { %w(repositories db uploads.tar.gz builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz packages.tar.gz backup_information.yml) }
     let(:tar_file) { '1546300800_2019_01_01_12.3_gitlab_backup.tar' }
     let(:tar_system_options) { { out: [tar_file, 'w', Gitlab.config.backup.archive_permissions] } }
     let(:tar_cmdline) { ['tar', '-cf', '-', *expected_backup_contents, tar_system_options] }
@@ -57,7 +57,7 @@ RSpec.describe Backup::Manager do
     end
 
     context 'when skipped is set in backup_information.yml' do
-      let(:expected_backup_contents) { %w{db uploads.tar.gz builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz backup_information.yml} }
+      let(:expected_backup_contents) { %w{db uploads.tar.gz builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz packages.tar.gz backup_information.yml} }
       let(:backup_information) do
         {
           backup_created_at: Time.zone.parse('2019-01-01'),
@@ -74,7 +74,7 @@ RSpec.describe Backup::Manager do
     end
 
     context 'when a directory does not exist' do
-      let(:expected_backup_contents) { %w{db uploads.tar.gz builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz backup_information.yml} }
+      let(:expected_backup_contents) { %w{db uploads.tar.gz builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz packages.tar.gz backup_information.yml} }
 
       before do
         expect(Dir).to receive(:exist?).with(File.join(Gitlab.config.backup.path, 'repositories')).and_return(false)
diff --git a/spec/lib/backup/object_backup_spec.rb b/spec/lib/backup/object_backup_spec.rb
new file mode 100644
index 00000000000..6192b5c3482
--- /dev/null
+++ b/spec/lib/backup/object_backup_spec.rb
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.shared_examples 'backup object' do |setting|
+  let(:progress) { StringIO.new }
+  let(:backup_path) { "/var/#{setting}" }
+
+  subject(:backup) { described_class.new(progress) }
+
+  describe '#dump' do
+    before do
+      allow(File).to receive(:realpath).and_call_original
+      allow(File).to receive(:realpath).with(backup_path).and_return(backup_path)
+      allow(File).to receive(:realpath).with("#{backup_path}/..").and_return('/var')
+      allow(Settings.send(setting)).to receive(:storage_path).and_return(backup_path)
+    end
+
+    it 'uses the correct storage dir in tar command and excludes tmp', :aggregate_failures do
+      expect(backup.app_files_dir).to eq(backup_path)
+      expect(backup).to receive(:tar).and_return('blabla-tar')
+      expect(backup).to receive(:run_pipeline!).with([%W(blabla-tar --exclude=lost+found --exclude=./tmp -C #{backup_path} -cf - .), 'gzip -c -1'], any_args).and_return([[true, true], ''])
+      expect(backup).to receive(:pipeline_succeeded?).and_return(true)
+
+      backup.dump
+    end
+  end
+end
+
+RSpec.describe Backup::Packages do
+  it_behaves_like 'backup object', 'packages'
+end
+
+RSpec.describe Backup::TerraformState do
+  it_behaves_like 'backup object', 'terraform_state'
+end
diff --git a/spec/lib/backup/terraform_state_spec.rb b/spec/lib/backup/terraform_state_spec.rb
deleted file mode 100644
index 56051501204..00000000000
--- a/spec/lib/backup/terraform_state_spec.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-# frozen_string_literal: true
-
-require 'spec_helper'
-
-RSpec.describe Backup::TerraformState do
-  let(:progress) { StringIO.new }
-
-  subject(:backup) { described_class.new(progress) }
-
-  describe '#dump' do
-    before do
-      allow(File).to receive(:realpath).and_call_original
-      allow(File).to receive(:realpath).with('/var/terraform_state').and_return('/var/terraform_state')
-      allow(File).to receive(:realpath).with('/var/terraform_state/..').and_return('/var')
-      allow(Settings.terraform_state).to receive(:storage_path).and_return('/var/terraform_state')
-    end
-
-    it 'uses the correct storage dir in tar command and excludes tmp', :aggregate_failures do
-      expect(backup.app_files_dir).to eq('/var/terraform_state')
-      expect(backup).to receive(:tar).and_return('blabla-tar')
-      expect(backup).to receive(:run_pipeline!).with([%w(blabla-tar --exclude=lost+found --exclude=./tmp -C /var/terraform_state -cf - .), 'gzip -c -1'], any_args).and_return([[true, true], ''])
-      expect(backup).to receive(:pipeline_succeeded?).and_return(true)
-
-      backup.dump
-    end
-  end
-end
diff --git a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
index 56e3fc269e6..08d29f7842c 100644
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -85,7 +85,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
         expect(directives['style_src']).to eq("'self' 'unsafe-inline' https://cdn.example.com")
         expect(directives['font_src']).to eq("'self' https://cdn.example.com")
         expect(directives['worker_src']).to eq('http://localhost/assets/ blob: data: https://cdn.example.com')
-        expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " https://cdn.example.com http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html")
+        expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " https://cdn.example.com http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html http://localhost/-/sandbox/mermaid")
       end
     end
 
@@ -113,7 +113,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
         end
 
         it 'does not add CUSTOMER_PORTAL_URL to CSP' do
-          expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html")
+          expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html http://localhost/-/sandbox/mermaid")
         end
       end
 
@@ -123,7 +123,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
         end
 
         it 'adds CUSTOMER_PORTAL_URL to CSP' do
-          expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " http://localhost/rails/letter_opener/ https://customers.example.com http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html")
+          expect(directives['frame_src']).to eq(::Gitlab::ContentSecurityPolicy::Directives.frame_src + " http://localhost/rails/letter_opener/ https://customers.example.com http://localhost/admin/ http://localhost/assets/ http://localhost/-/speedscope/index.html http://localhost/-/sandbox/mermaid")
         end
       end
     end
diff --git a/spec/lib/gitlab/usage_data_spec.rb b/spec/lib/gitlab/usage_data_spec.rb
index 68322978eb3..9e9cc2cfab6 100644
--- a/spec/lib/gitlab/usage_data_spec.rb
+++ b/spec/lib/gitlab/usage_data_spec.rb
@@ -161,7 +161,6 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
         another_project = create(:project, :repository, creator: another_user)
         create(:remote_mirror, project: another_project, enabled: false)
         create(:snippet, author: user)
-        create(:suggestion, note: create(:note, project: project))
       end
 
       expect(described_class.usage_activity_by_stage_create({})).to include(
@@ -171,8 +170,7 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
         projects_with_disable_overriding_approvers_per_merge_request: 2,
         projects_without_disable_overriding_approvers_per_merge_request: 6,
         remote_mirrors: 2,
-        snippets: 2,
-        suggestions: 2
+        snippets: 2
       )
       expect(described_class.usage_activity_by_stage_create(described_class.monthly_time_range_db_params)).to include(
         deploy_keys: 1,
@@ -181,8 +179,7 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
         projects_with_disable_overriding_approvers_per_merge_request: 1,
         projects_without_disable_overriding_approvers_per_merge_request: 3,
         remote_mirrors: 1,
-        snippets: 1,
-        suggestions: 1
+        snippets: 1
       )
     end
   end
diff --git a/spec/models/ci/runner_spec.rb b/spec/models/ci/runner_spec.rb
index 9ea73a3688b..e3816c31f1c 100644
--- a/spec/models/ci/runner_spec.rb
+++ b/spec/models/ci/runner_spec.rb
@@ -48,7 +48,7 @@ RSpec.describe Ci::Runner do
       let(:runner) { create(:ci_runner, :group, groups: [group]) }
 
       it 'disallows assigning group if already assigned to a group' do
-        runner.runner_namespaces << build(:ci_runner_namespace)
+        runner.runner_namespaces << create(:ci_runner_namespace)
 
         expect(runner).not_to be_valid
         expect(runner.errors.full_messages).to include('Runner needs to be assigned to exactly one group')
diff --git a/spec/models/clusters/agent_token_spec.rb b/spec/models/clusters/agent_token_spec.rb
index 462050b575a..2e17d8487f0 100644
--- a/spec/models/clusters/agent_token_spec.rb
+++ b/spec/models/clusters/agent_token_spec.rb
@@ -13,15 +13,25 @@ RSpec.describe Clusters::AgentToken do
 
   describe 'scopes' do
     describe '.order_last_used_at_desc' do
-      let_it_be(:token_1) { create(:cluster_agent_token, last_used_at: 7.days.ago) }
-      let_it_be(:token_2) { create(:cluster_agent_token, last_used_at: nil) }
-      let_it_be(:token_3) { create(:cluster_agent_token, last_used_at: 2.days.ago) }
+      let_it_be(:agent) { create(:cluster_agent) }
+      let_it_be(:token_1) { create(:cluster_agent_token, agent: agent, last_used_at: 7.days.ago) }
+      let_it_be(:token_2) { create(:cluster_agent_token, agent: agent, last_used_at: nil) }
+      let_it_be(:token_3) { create(:cluster_agent_token, agent: agent, last_used_at: 2.days.ago) }
 
       it 'sorts by last_used_at descending, with null values at last' do
         expect(described_class.order_last_used_at_desc)
           .to eq([token_3, token_1, token_2])
       end
     end
+
+    describe '.with_status' do
+      let!(:active_token) { create(:cluster_agent_token) }
+      let!(:revoked_token) { create(:cluster_agent_token, :revoked) }
+
+      subject { described_class.with_status(:active) }
+
+      it { is_expected.to contain_exactly(active_token) }
+    end
   end
 
   describe '#token' do
diff --git a/spec/models/namespace_setting_spec.rb b/spec/models/namespace_setting_spec.rb
index 429727c2360..c9f8a1bcdc2 100644
--- a/spec/models/namespace_setting_spec.rb
+++ b/spec/models/namespace_setting_spec.rb
@@ -126,57 +126,4 @@ RSpec.describe NamespaceSetting, type: :model do
       end
     end
   end
-
-  describe 'hooks related to group user cap update' do
-    let(:settings) { create(:namespace_settings, new_user_signups_cap: user_cap) }
-    let(:group) { create(:group, namespace_settings: settings) }
-
-    before do
-      allow(group).to receive(:root?).and_return(true)
-    end
-
-    context 'when updating a group with a user cap' do
-      let(:user_cap) { nil }
-
-      it 'also sets share_with_group_lock and prevent_sharing_groups_outside_hierarchy to true' do
-        expect(group.new_user_signups_cap).to be_nil
-        expect(group.share_with_group_lock).to be_falsey
-        expect(settings.prevent_sharing_groups_outside_hierarchy).to be_falsey
-
-        settings.update!(new_user_signups_cap: 10)
-        group.reload
-
-        expect(group.new_user_signups_cap).to eq(10)
-        expect(group.share_with_group_lock).to be_truthy
-        expect(settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
-      end
-
-      it 'has share_with_group_lock and prevent_sharing_groups_outside_hierarchy returning true for descendent groups' do
-        descendent = create(:group, parent: group)
-        desc_settings = descendent.namespace_settings
-
-        expect(descendent.share_with_group_lock).to be_falsey
-        expect(desc_settings.prevent_sharing_groups_outside_hierarchy).to be_falsey
-
-        settings.update!(new_user_signups_cap: 10)
-
-        expect(descendent.reload.share_with_group_lock).to be_truthy
-        expect(desc_settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
-      end
-    end
-
-    context 'when removing a user cap from namespace settings' do
-      let(:user_cap) { 10 }
-
-      it 'leaves share_with_group_lock and prevent_sharing_groups_outside_hierarchy set to true to the related group' do
-        expect(group.share_with_group_lock).to be_truthy
-        expect(settings.prevent_sharing_groups_outside_hierarchy).to be_truthy
-
-        settings.update!(new_user_signups_cap: nil)
-
-        expect(group.reload.share_with_group_lock).to be_truthy
-        expect(settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
-      end
-    end
-  end
 end
diff --git a/spec/requests/sandbox_controller_spec.rb b/spec/requests/sandbox_controller_spec.rb
new file mode 100644
index 00000000000..4fc26580123
--- /dev/null
+++ b/spec/requests/sandbox_controller_spec.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe SandboxController do
+  describe 'GET #mermaid' do
+    it 'renders page without template' do
+      get sandbox_mermaid_path
+
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(response).to render_template(layout: nil)
+    end
+  end
+end
diff --git a/spec/routing/routing_spec.rb b/spec/routing/routing_spec.rb
index e7ea5b79897..79edfdd2b3f 100644
--- a/spec/routing/routing_spec.rb
+++ b/spec/routing/routing_spec.rb
@@ -364,6 +364,12 @@ RSpec.describe AutocompleteController, 'routing' do
   end
 end
 
+RSpec.describe SandboxController, 'routing' do
+  it 'to #mermaid' do
+    expect(get("/-/sandbox/mermaid")).to route_to('sandbox#mermaid')
+  end
+end
+
 RSpec.describe Snippets::BlobsController, "routing" do
   it "to #raw" do
     expect(get('/-/snippets/1/raw/master/lib/version.rb'))
diff --git a/spec/support/database/cross-database-modification-allowlist.yml b/spec/support/database/cross-database-modification-allowlist.yml
index d6e74349069..4e901308f2f 100644
--- a/spec/support/database/cross-database-modification-allowlist.yml
+++ b/spec/support/database/cross-database-modification-allowlist.yml
@@ -17,7 +17,6 @@
 - "./spec/lib/gitlab/email/handler/create_note_on_issuable_handler_spec.rb"
 - "./spec/models/ci/build_trace_chunk_spec.rb"
 - "./spec/models/ci/job_artifact_spec.rb"
-- "./spec/models/ci/runner_spec.rb"
 - "./spec/models/clusters/applications/runner_spec.rb"
 - "./spec/models/design_management/version_spec.rb"
 - "./spec/models/hooks/system_hook_spec.rb"
diff --git a/spec/support/helpers/test_env.rb b/spec/support/helpers/test_env.rb
index 294e5bdd085..0ea51785863 100644
--- a/spec/support/helpers/test_env.rb
+++ b/spec/support/helpers/test_env.rb
@@ -150,6 +150,7 @@ module TestEnv
     FileUtils.mkdir_p(artifacts_path)
     FileUtils.mkdir_p(lfs_path)
     FileUtils.mkdir_p(terraform_state_path)
+    FileUtils.mkdir_p(packages_path)
   end
 
   def setup_gitlab_shell
@@ -424,6 +425,10 @@ module TestEnv
     Gitlab.config.terraform_state.storage_path
   end
 
+  def packages_path
+    Gitlab.config.packages.storage_path
+  end
+
   # When no cached assets exist, manually hit the root path to create them
   #
   # Otherwise they'd be created by the first test, often timing out and
diff --git a/spec/tasks/gitlab/backup_rake_spec.rb b/spec/tasks/gitlab/backup_rake_spec.rb
index 27e9da3c6df..c5e73aa3b45 100644
--- a/spec/tasks/gitlab/backup_rake_spec.rb
+++ b/spec/tasks/gitlab/backup_rake_spec.rb
@@ -4,7 +4,7 @@ require 'rake_helper'
 
 RSpec.describe 'gitlab:app namespace rake task', :delete do
   let(:enable_registry) { true }
-  let(:backup_types) { %w{db repo uploads builds artifacts pages lfs terraform_state registry} }
+  let(:backup_types) { %w{db repo uploads builds artifacts pages lfs terraform_state registry packages} }
 
   def tars_glob
     Dir.glob(File.join(Gitlab.config.backup.path, '*_gitlab_backup.tar'))
@@ -15,7 +15,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
   end
 
   def backup_files
-    %w(backup_information.yml artifacts.tar.gz builds.tar.gz lfs.tar.gz terraform_state.tar.gz pages.tar.gz)
+    %w(backup_information.yml artifacts.tar.gz builds.tar.gz lfs.tar.gz terraform_state.tar.gz pages.tar.gz packages.tar.gz)
   end
 
   def backup_directories
@@ -137,6 +137,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
         expect(Rake::Task['gitlab:backup:lfs:restore']).to receive(:invoke)
         expect(Rake::Task['gitlab:backup:terraform_state:restore']).to receive(:invoke)
         expect(Rake::Task['gitlab:backup:registry:restore']).to receive(:invoke)
+        expect(Rake::Task['gitlab:backup:packages:restore']).to receive(:invoke)
         expect(Rake::Task['gitlab:shell:setup']).to receive(:invoke)
       end
 
@@ -213,7 +214,8 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
           expect(Gitlab::BackupLogger).to receive(:info).with(message: "Dumping lfs objects ... ")
           expect(Gitlab::BackupLogger).to receive(:info).with(message: "Dumping terraform states ... ")
           expect(Gitlab::BackupLogger).to receive(:info).with(message: "Dumping container registry images ... ")
-          expect(Gitlab::BackupLogger).to receive(:info).with(message: "done").exactly(8).times
+          expect(Gitlab::BackupLogger).to receive(:info).with(message: "Dumping packages ... ")
+          expect(Gitlab::BackupLogger).to receive(:info).with(message: "done").exactly(9).times
 
           backup_types.each do |task|
             run_rake_task("gitlab:backup:#{task}:create")
@@ -279,9 +281,11 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
         expect { run_rake_task('gitlab:backup:create') }.to output.to_stdout_from_any_process
 
         tar_contents, exit_status = Gitlab::Popen.popen(
-          %W{tar -tvf #{backup_tar} db uploads.tar.gz repositories builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz registry.tar.gz}
+          %W{tar -tvf #{backup_tar} db uploads.tar.gz repositories builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz registry.tar.gz packages.tar.gz}
         )
 
+        puts "CONTENT: #{tar_contents}"
+
         expect(exit_status).to eq(0)
         expect(tar_contents).to match('db')
         expect(tar_contents).to match('uploads.tar.gz')
@@ -292,6 +296,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
         expect(tar_contents).to match('lfs.tar.gz')
         expect(tar_contents).to match('terraform_state.tar.gz')
         expect(tar_contents).to match('registry.tar.gz')
+        expect(tar_contents).to match('packages.tar.gz')
         expect(tar_contents).not_to match(%r{^.{4,9}[rwx].* (database.sql.gz|uploads.tar.gz|repositories|builds.tar.gz|pages.tar.gz|artifacts.tar.gz|registry.tar.gz)/$})
       end
 
@@ -299,7 +304,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
         expect { run_rake_task('gitlab:backup:create') }.to output.to_stdout_from_any_process
 
         temp_dirs = Dir.glob(
-          File.join(Gitlab.config.backup.path, '{db,repositories,uploads,builds,artifacts,pages,lfs,terraform_state,registry}')
+          File.join(Gitlab.config.backup.path, '{db,repositories,uploads,builds,artifacts,pages,lfs,terraform_state,registry,packages}')
         )
 
         expect(temp_dirs).to be_empty
@@ -461,7 +466,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
       expect { run_rake_task('gitlab:backup:create') }.to output.to_stdout_from_any_process
 
       tar_contents, _exit_status = Gitlab::Popen.popen(
-        %W{tar -tvf #{backup_tar} db uploads.tar.gz repositories builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz registry.tar.gz}
+        %W{tar -tvf #{backup_tar} db uploads.tar.gz repositories builds.tar.gz artifacts.tar.gz pages.tar.gz lfs.tar.gz terraform_state.tar.gz registry.tar.gz packages.tar.gz}
       )
 
       expect(tar_contents).to match('db/')
@@ -472,6 +477,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
       expect(tar_contents).to match('terraform_state.tar.gz')
       expect(tar_contents).to match('pages.tar.gz')
       expect(tar_contents).to match('registry.tar.gz')
+      expect(tar_contents).to match('packages.tar.gz')
       expect(tar_contents).not_to match('repositories/')
       expect(tar_contents).to match('repositories: Not found in archive')
     end
@@ -492,6 +498,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
       expect(Rake::Task['gitlab:backup:lfs:restore']).to receive :invoke
       expect(Rake::Task['gitlab:backup:terraform_state:restore']).to receive :invoke
       expect(Rake::Task['gitlab:backup:registry:restore']).to receive :invoke
+      expect(Rake::Task['gitlab:backup:packages:restore']).to receive :invoke
       expect(Rake::Task['gitlab:shell:setup']).to receive :invoke
       expect { run_rake_task('gitlab:backup:restore') }.to output.to_stdout_from_any_process
     end
@@ -519,6 +526,7 @@ RSpec.describe 'gitlab:app namespace rake task', :delete do
         'terraform_state.tar.gz',
         'pages.tar.gz',
         'registry.tar.gz',
+        'packages.tar.gz',
         'repositories'
       )
     end
-- 
cgit v1.2.3