Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee

33 files changed, 397 insertions, 132 deletions

diff --git a/Gemfile.lock b/Gemfile.lock
index 69bd5235472..6201be00000 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1138,7 +1138,7 @@ GEM
       railties (>= 3.2.0)
     websocket-driver (0.7.1)
       websocket-extensions (>= 0.1.0)
-    websocket-extensions (0.1.4)
+    websocket-extensions (0.1.5)
     wikicloth (0.8.1)
       builder
       expression_parser
diff --git a/app/controllers/clusters/clusters_controller.rb b/app/controllers/clusters/clusters_controller.rb
index 46dec5f3287..e0b65fec94e 100644
--- a/app/controllers/clusters/clusters_controller.rb
+++ b/app/controllers/clusters/clusters_controller.rb
@@ -36,8 +36,7 @@ class Clusters::ClustersController < Clusters::BaseController
 
   def new
     if params[:provider] == 'aws'
-      @aws_role = current_user.aws_role || Aws::Role.new
-      @aws_role.ensure_role_external_id!
+      @aws_role = Aws::Role.create_or_find_by!(user: current_user)
       @instance_types = load_instance_types.to_json
 
     elsif params[:provider] == 'gcp'
@@ -271,7 +270,7 @@ class Clusters::ClustersController < Clusters::BaseController
   end
 
   def aws_role_params
-    params.require(:cluster).permit(:role_arn, :role_external_id)
+    params.require(:cluster).permit(:role_arn)
   end
 
   def generate_gcp_authorize_url
diff --git a/app/finders/ci/auth_job_finder.rb b/app/finders/ci/auth_job_finder.rb
new file mode 100644
index 00000000000..aee7dd16341
--- /dev/null
+++ b/app/finders/ci/auth_job_finder.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module Ci
+  class AuthJobFinder
+    AuthError = Class.new(StandardError)
+    NotRunningJobError = Class.new(AuthError)
+    ErasedJobError = Class.new(AuthError)
+    DeletedProjectError = Class.new(AuthError)
+
+    def initialize(token:)
+      @token = token
+    end
+
+    def execute!
+      find_job_by_token.tap do |job|
+        next unless job
+
+        validate_job!(job)
+      end
+    end
+
+    def execute
+      execute!
+    rescue AuthError
+    end
+
+    private
+
+    attr_reader :token, :require_running, :raise_on_missing
+
+    def find_job_by_token
+      ::Ci::Build.find_by_token(token)
+    end
+
+    def validate_job!(job)
+      validate_running_job!(job)
+      validate_job_not_erased!(job)
+      validate_project_presence!(job)
+
+      true
+    end
+
+    def validate_running_job!(job)
+      raise NotRunningJobError, 'Job is not running' unless job.running?
+    end
+
+    def validate_job_not_erased!(job)
+      raise ErasedJobError, 'Job has been erased!' if job.erased?
+    end
+
+    def validate_project_presence!(job)
+      if job.project.nil? || job.project.pending_delete?
+        raise DeletedProjectError, 'Project has been deleted!'
+      end
+    end
+  end
+end
diff --git a/app/models/aws/role.rb b/app/models/aws/role.rb
index 54132be749d..7d34665082d 100644
--- a/app/models/aws/role.rb
+++ b/app/models/aws/role.rb
@@ -9,6 +9,7 @@ module Aws
     validates :role_external_id, uniqueness: true, length: { in: 1..64 }
     validates :role_arn,
       length: 1..2048,
+      allow_nil: true,
       format: {
         with: Gitlab::Regex.aws_arn_regex,
         message: Gitlab::Regex.aws_arn_regex_message
diff --git a/app/services/ci/pipeline_trigger_service.rb b/app/services/ci/pipeline_trigger_service.rb
index 37b9b4c362c..d9f41b7040e 100644
--- a/app/services/ci/pipeline_trigger_service.rb
+++ b/app/services/ci/pipeline_trigger_service.rb
@@ -10,6 +10,9 @@ module Ci
       elsif job_from_token
         create_pipeline_from_job(job_from_token)
       end
+
+    rescue Ci::AuthJobFinder::AuthError => e
+      error(e.message, 401)
     end
 
     private
@@ -41,8 +44,6 @@ module Ci
       # this check is to not leak the presence of the project if user cannot read it
       return unless can?(job.user, :read_project, project)
 
-      return error("400 Job has to be running", 400) unless job.running?
-
       pipeline = Ci::CreatePipelineService.new(project, job.user, ref: params[:ref])
         .execute(:pipeline, ignore_skip_ci: true) do |pipeline|
           source = job.sourced_pipelines.build(
@@ -64,7 +65,7 @@ module Ci
 
     def job_from_token
       strong_memoize(:job) do
-        Ci::Build.find_by_token(params[:token].to_s)
+        Ci::AuthJobFinder.new(token: params[:token].to_s).execute!
       end
     end
 
diff --git a/app/services/clusters/aws/authorize_role_service.rb b/app/services/clusters/aws/authorize_role_service.rb
index 6eafce0597e..73e31c417ed 100644
--- a/app/services/clusters/aws/authorize_role_service.rb
+++ b/app/services/clusters/aws/authorize_role_service.rb
@@ -9,6 +9,7 @@ module Clusters
 
       ERRORS = [
         ActiveRecord::RecordInvalid,
+        ActiveRecord::RecordNotFound,
         Clusters::Aws::FetchCredentialsService::MissingRoleError,
         ::Aws::Errors::MissingCredentialsError,
         ::Aws::STS::Errors::ServiceError
@@ -20,7 +21,8 @@ module Clusters
       end
 
       def execute
-        @role = create_or_update_role!
+        ensure_role_exists!
+        update_role_arn!
 
         Response.new(:ok, credentials)
       rescue *ERRORS
@@ -31,14 +33,12 @@ module Clusters
 
       attr_reader :role, :params
 
-      def create_or_update_role!
-        if role = user.aws_role
-          role.update!(params)
+      def ensure_role_exists!
+        @role = ::Aws::Role.find_by_user_id!(user.id)
+      end
 
-          role
-        else
-          user.create_aws_role!(params)
-        end
+      def update_role_arn!
+        role.update!(params)
       end
 
       def credentials
diff --git a/changelogs/unreleased/security-api-auth-use-job-token-for-running-jobs.yml b/changelogs/unreleased/security-api-auth-use-job-token-for-running-jobs.yml
new file mode 100644
index 00000000000..febfcd7fc13
--- /dev/null
+++ b/changelogs/unreleased/security-api-auth-use-job-token-for-running-jobs.yml
@@ -0,0 +1,5 @@
+---
+title: Allow only running job tokens for API authentication
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-fix-conan-workhorse-params.yml b/changelogs/unreleased/security-fix-conan-workhorse-params.yml
new file mode 100644
index 00000000000..cc2ec3452f7
--- /dev/null
+++ b/changelogs/unreleased/security-fix-conan-workhorse-params.yml
@@ -0,0 +1,5 @@
+---
+title: Change conan api to use proper workhorse validation
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-prevent-aws-external-id-manipulation.yml b/changelogs/unreleased/security-prevent-aws-external-id-manipulation.yml
new file mode 100644
index 00000000000..c6b8331d103
--- /dev/null
+++ b/changelogs/unreleased/security-prevent-aws-external-id-manipulation.yml
@@ -0,0 +1,5 @@
+---
+title: Persist EKS External ID before presenting it to the user
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-projectmaintainer-edit-badges.yml b/changelogs/unreleased/security-projectmaintainer-edit-badges.yml
new file mode 100644
index 00000000000..936931d7f6b
--- /dev/null
+++ b/changelogs/unreleased/security-projectmaintainer-edit-badges.yml
@@ -0,0 +1,5 @@
+---
+title: Prevent project maintainers from editing group badges
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/security-websocket-extensions-update-0-1-5.yml b/changelogs/unreleased/security-websocket-extensions-update-0-1-5.yml
new file mode 100644
index 00000000000..b2f1776f153
--- /dev/null
+++ b/changelogs/unreleased/security-websocket-extensions-update-0-1-5.yml
@@ -0,0 +1,5 @@
+---
+title: Update websocket-extensions gem to 0.1.5
+merge_request:
+author: Vitor Meireles De Sousa
+type: security
diff --git a/db/migrate/20200717040735_change_aws_roles_role_arn_null.rb b/db/migrate/20200717040735_change_aws_roles_role_arn_null.rb
new file mode 100644
index 00000000000..707cfe96a7c
--- /dev/null
+++ b/db/migrate/20200717040735_change_aws_roles_role_arn_null.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class ChangeAwsRolesRoleArnNull < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+  EXAMPLE_ARN = 'arn:aws:iam::000000000000:role/example-role'
+
+  def up
+    change_column_null :aws_roles, :role_arn, true
+  end
+
+  def down
+    # Records may now exist with nulls, so we must fill them with a dummy value
+    change_column_null :aws_roles, :role_arn, false, EXAMPLE_ARN
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
index fbcbcfc0f16..f7c1737c20c 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -733,7 +733,7 @@ CREATE TABLE public.aws_roles (
     user_id integer NOT NULL,
     created_at timestamp with time zone NOT NULL,
     updated_at timestamp with time zone NOT NULL,
-    role_arn character varying(2048) NOT NULL,
+    role_arn character varying(2048),
     role_external_id character varying(64) NOT NULL
 );
 
@@ -13999,5 +13999,6 @@ COPY "schema_migrations" (version) FROM STDIN;
 20200615121217
 20200615123055
 20200615232735
+20200717040735
 \.
 
diff --git a/lib/api/badges.rb b/lib/api/badges.rb
index d2152fad07b..f04621cdb4c 100644
--- a/lib/api/badges.rb
+++ b/lib/api/badges.rb
@@ -109,9 +109,10 @@ module API
         end
         put ":id/badges/:badge_id" do
           source = find_source_if_admin(source_type)
+          badge = find_badge(source)
 
           badge = ::Badges::UpdateService.new(declared_params(include_missing: false))
-                                         .execute(find_badge(source))
+                                         .execute(badge)
 
           if badge.valid?
             present_badges(source, badge)
@@ -130,10 +131,6 @@ module API
           source = find_source_if_admin(source_type)
           badge = find_badge(source)
 
-          if badge.is_a?(GroupBadge) && source.is_a?(Project)
-            error!('To delete a Group badge please use the Group endpoint', 403)
-          end
-
           destroy_conditionally!(badge)
         end
       end
diff --git a/lib/api/helpers/badges_helpers.rb b/lib/api/helpers/badges_helpers.rb
index 46ce5b4e7b5..f402c603c87 100644
--- a/lib/api/helpers/badges_helpers.rb
+++ b/lib/api/helpers/badges_helpers.rb
@@ -6,7 +6,13 @@ module API
       include ::API::Helpers::MembersHelpers
 
       def find_badge(source)
-        source.badges.find(params[:badge_id])
+        badge_id = params[:badge_id]
+
+        if source.is_a?(Project)
+          source.project_badges.find(badge_id)
+        else
+          source.badges.find(badge_id)
+        end
       end
 
       def present_badges(source, records, options = {})
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 93342fbad51..9bb655d3e07 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -63,9 +63,7 @@ module Gitlab
           current_request.env[JOB_TOKEN_HEADER].presence
         return unless token
 
-        job = ::Ci::Build.find_by_token(token)
-        raise UnauthorizedError unless job
-
+        job = find_valid_running_job_by_token!(token)
         @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
 
         job.user
@@ -78,9 +76,7 @@ module Gitlab
         return unless login.present? && password.present?
         return unless ::Ci::Build::CI_REGISTRY_USER == login
 
-        job = ::Ci::Build.find_by_token(password)
-        raise UnauthorizedError unless job
-
+        job = find_valid_running_job_by_token!(password)
         job.user
       end
 
@@ -268,6 +264,12 @@ module Gitlab
       def blob_request?
         current_request.path.include?('/raw/')
       end
+
+      def find_valid_running_job_by_token!(token)
+        ::Ci::AuthJobFinder.new(token: token).execute.tap do |job|
+          raise UnauthorizedError unless job
+        end
+      end
     end
   end
 end
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index 4caff8ae679..bc6cced2bf0 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -6,11 +6,6 @@ module Gitlab
       CONAN_RECIPE_FILES = %w[conanfile.py conanmanifest.txt].freeze
       CONAN_PACKAGE_FILES = %w[conaninfo.txt conanmanifest.txt conan_package.tgz].freeze
 
-      def conan_file_name_regex
-        @conan_file_name_regex ||=
-          %r{\A#{(CONAN_RECIPE_FILES + CONAN_PACKAGE_FILES).join("|")}\z}.freeze
-      end
-
       def conan_package_reference_regex
         @conan_package_reference_regex ||= %r{\A[A-Za-z0-9]+\z}.freeze
       end
diff --git a/spec/controllers/admin/clusters_controller_spec.rb b/spec/controllers/admin/clusters_controller_spec.rb
index d899e86ae5f..805f0e047bc 100644
--- a/spec/controllers/admin/clusters_controller_spec.rb
+++ b/spec/controllers/admin/clusters_controller_spec.rb
@@ -99,7 +99,9 @@ RSpec.describe Admin::ClustersController do
   end
 
   describe 'GET #new' do
-    def get_new(provider: 'gcp')
+    let(:user) { admin }
+
+    def go(provider: 'gcp')
       get :new, params: { provider: provider }
     end
 
@@ -112,7 +114,7 @@ RSpec.describe Admin::ClustersController do
 
         context 'when selected provider is gke and no valid gcp token exists' do
           it 'redirects to gcp authorize_url' do
-            get_new
+            go
 
             expect(response).to redirect_to(assigns(:authorize_url))
           end
@@ -125,7 +127,7 @@ RSpec.describe Admin::ClustersController do
         end
 
         it 'does not have authorize_url' do
-          get_new
+          go
 
           expect(assigns(:authorize_url)).to be_nil
         end
@@ -137,7 +139,7 @@ RSpec.describe Admin::ClustersController do
         end
 
         it 'has new object' do
-          get_new
+          go
 
           expect(assigns(:gcp_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
         end
@@ -158,16 +160,18 @@ RSpec.describe Admin::ClustersController do
 
     describe 'functionality for existing cluster' do
       it 'has new object' do
-        get_new
+        go
 
         expect(assigns(:user_cluster)).to be_an_instance_of(Clusters::ClusterPresenter)
       end
     end
 
+    include_examples 'GET new cluster shared examples'
+
     describe 'security' do
-      it { expect { get_new }.to be_allowed_for(:admin) }
-      it { expect { get_new }.to be_denied_for(:user) }
-      it { expect { get_new }.to be_denied_for(:external) }
+      it { expect { go }.to be_allowed_for(:admin) }
+      it { expect { go }.to be_denied_for(:user) }
+      it { expect { go }.to be_denied_for(:external) }
     end
   end
 
@@ -391,14 +395,13 @@ RSpec.describe Admin::ClustersController do
   end
 
   describe 'POST authorize AWS role for EKS cluster' do
-    let(:role_arn) { 'arn:aws:iam::123456789012:role/role-name' }
-    let(:role_external_id) { '12345' }
+    let!(:role) { create(:aws_role, user: admin) }
 
+    let(:role_arn) { 'arn:new-role' }
     let(:params) do
       {
         cluster: {
-          role_arn: role_arn,
-          role_external_id: role_external_id
+          role_arn: role_arn
         }
       }
     end
@@ -412,28 +415,32 @@ RSpec.describe Admin::ClustersController do
         .and_return(double(execute: double))
     end
 
-    it 'creates an Aws::Role record' do
-      expect { go }.to change { Aws::Role.count }
+    it 'updates the associated role with the supplied ARN' do
+      go
 
       expect(response).to have_gitlab_http_status(:ok)
-
-      role = Aws::Role.last
-      expect(role.user).to eq admin
-      expect(role.role_arn).to eq role_arn
-      expect(role.role_external_id).to eq role_external_id
+      expect(role.reload.role_arn).to eq(role_arn)
     end
 
-    context 'role cannot be created' do
+    context 'supplied role is invalid' do
       let(:role_arn) { 'invalid-role' }
 
-      it 'does not create a record' do
-        expect { go }.not_to change { Aws::Role.count }
+      it 'does not update the associated role' do
+        expect { go }.not_to change { role.role_arn }
 
         expect(response).to have_gitlab_http_status(:unprocessable_entity)
       end
     end
 
     describe 'security' do
+      before do
+        allow_next_instance_of(Clusters::Aws::AuthorizeRoleService) do |service|
+          response = double(status: :ok, body: double)
+
+          allow(service).to receive(:execute).and_return(response)
+        end
+      end
+
       it { expect { go }.to be_allowed_for(:admin) }
       it { expect { go }.to be_denied_for(:user) }
       it { expect { go }.to be_denied_for(:external) }
diff --git a/spec/controllers/groups/clusters_controller_spec.rb b/spec/controllers/groups/clusters_controller_spec.rb
index 6765cf0990a..d8f592e5a75 100644
--- a/spec/controllers/groups/clusters_controller_spec.rb
+++ b/spec/controllers/groups/clusters_controller_spec.rb
@@ -180,6 +180,8 @@ RSpec.describe Groups::ClustersController do
       end
     end
 
+    include_examples 'GET new cluster shared examples'
+
     describe 'security' do
       it { expect { go }.to be_allowed_for(:admin) }
       it { expect { go }.to be_allowed_for(:owner).of(group) }
@@ -453,14 +455,13 @@ RSpec.describe Groups::ClustersController do
   end
 
   describe 'POST authorize AWS role for EKS cluster' do
-    let(:role_arn) { 'arn:aws:iam::123456789012:role/role-name' }
-    let(:role_external_id) { '12345' }
+    let!(:role) { create(:aws_role, user: user) }
 
+    let(:role_arn) { 'arn:new-role' }
     let(:params) do
       {
         cluster: {
-          role_arn: role_arn,
-          role_external_id: role_external_id
+          role_arn: role_arn
         }
       }
     end
@@ -474,28 +475,32 @@ RSpec.describe Groups::ClustersController do
         .and_return(double(execute: double))
     end
 
-    it 'creates an Aws::Role record' do
-      expect { go }.to change { Aws::Role.count }
+    it 'updates the associated role with the supplied ARN' do
+      go
 
       expect(response).to have_gitlab_http_status(:ok)
-
-      role = Aws::Role.last
-      expect(role.user).to eq user
-      expect(role.role_arn).to eq role_arn
-      expect(role.role_external_id).to eq role_external_id
+      expect(role.reload.role_arn).to eq(role_arn)
     end
 
-    context 'role cannot be created' do
+    context 'supplied role is invalid' do
       let(:role_arn) { 'invalid-role' }
 
-      it 'does not create a record' do
-        expect { go }.not_to change { Aws::Role.count }
+      it 'does not update the associated role' do
+        expect { go }.not_to change { role.role_arn }
 
         expect(response).to have_gitlab_http_status(:unprocessable_entity)
       end
     end
 
     describe 'security' do
+      before do
+        allow_next_instance_of(Clusters::Aws::AuthorizeRoleService) do |service|
+          response = double(status: :ok, body: double)
+
+          allow(service).to receive(:execute).and_return(response)
+        end
+      end
+
       it { expect { go }.to be_allowed_for(:admin) }
       it { expect { go }.to be_allowed_for(:owner).of(group) }
       it { expect { go }.to be_allowed_for(:maintainer).of(group) }
diff --git a/spec/controllers/projects/clusters_controller_spec.rb b/spec/controllers/projects/clusters_controller_spec.rb
index 5645e25b741..71f78edb083 100644
--- a/spec/controllers/projects/clusters_controller_spec.rb
+++ b/spec/controllers/projects/clusters_controller_spec.rb
@@ -183,6 +183,8 @@ RSpec.describe Projects::ClustersController do
       end
     end
 
+    include_examples 'GET new cluster shared examples'
+
     describe 'security' do
       it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
         expect { go }.to be_allowed_for(:admin)
@@ -479,14 +481,13 @@ RSpec.describe Projects::ClustersController do
   end
 
   describe 'POST authorize AWS role for EKS cluster' do
-    let(:role_arn) { 'arn:aws:iam::123456789012:role/role-name' }
-    let(:role_external_id) { '12345' }
+    let!(:role) { create(:aws_role, user: user) }
 
+    let(:role_arn) { 'arn:new-role' }
     let(:params) do
       {
         cluster: {
-          role_arn: role_arn,
-          role_external_id: role_external_id
+          role_arn: role_arn
         }
       }
     end
@@ -500,28 +501,32 @@ RSpec.describe Projects::ClustersController do
         .and_return(double(execute: double))
     end
 
-    it 'creates an Aws::Role record' do
-      expect { go }.to change { Aws::Role.count }
+    it 'updates the associated role with the supplied ARN' do
+      go
 
       expect(response).to have_gitlab_http_status(:ok)
-
-      role = Aws::Role.last
-      expect(role.user).to eq user
-      expect(role.role_arn).to eq role_arn
-      expect(role.role_external_id).to eq role_external_id
+      expect(role.reload.role_arn).to eq(role_arn)
     end
 
-    context 'role cannot be created' do
+    context 'supplied role is invalid' do
       let(:role_arn) { 'invalid-role' }
 
-      it 'does not create a record' do
-        expect { go }.not_to change { Aws::Role.count }
+      it 'does not update the associated role' do
+        expect { go }.not_to change { role.role_arn }
 
         expect(response).to have_gitlab_http_status(:unprocessable_entity)
       end
     end
 
     describe 'security' do
+      before do
+        allow_next_instance_of(Clusters::Aws::AuthorizeRoleService) do |service|
+          response = double(status: :ok, body: double)
+
+          allow(service).to receive(:execute).and_return(response)
+        end
+      end
+
       it 'is allowed for admin when admin mode enabled', :enable_admin_mode do
         expect { go }.to be_allowed_for(:admin)
       end
diff --git a/spec/finders/ci/auth_job_finder_spec.rb b/spec/finders/ci/auth_job_finder_spec.rb
new file mode 100644
index 00000000000..6cd58f5cd01
--- /dev/null
+++ b/spec/finders/ci/auth_job_finder_spec.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+RSpec.describe Ci::AuthJobFinder do
+  let_it_be(:job, reload: true) { create(:ci_build, status: :running) }
+
+  let(:token) { job.token }
+
+  subject(:finder) do
+    described_class.new(token: token)
+  end
+
+  describe '#execute!' do
+    subject(:execute) { finder.execute! }
+
+    it { is_expected.to eq(job) }
+
+    it 'raises error if the job is not running' do
+      job.success!
+
+      expect { execute }.to raise_error described_class::NotRunningJobError, 'Job is not running'
+    end
+
+    it 'raises error if the job is erased' do
+      expect(::Ci::Build).to receive(:find_by_token).with(job.token).and_return(job)
+      expect(job).to receive(:erased?).and_return(true)
+
+      expect { execute }.to raise_error described_class::ErasedJobError, 'Job has been erased!'
+    end
+
+    it 'raises error if the the project is missing' do
+      expect(::Ci::Build).to receive(:find_by_token).with(job.token).and_return(job)
+      expect(job).to receive(:project).and_return(nil)
+
+      expect { execute }.to raise_error described_class::DeletedProjectError, 'Project has been deleted!'
+    end
+
+    it 'raises error if the the project is being removed' do
+      project = double(Project)
+
+      expect(::Ci::Build).to receive(:find_by_token).with(job.token).and_return(job)
+      expect(job).to receive(:project).twice.and_return(project)
+      expect(project).to receive(:pending_delete?).and_return(true)
+
+      expect { execute }.to raise_error described_class::DeletedProjectError, 'Project has been deleted!'
+    end
+
+    context 'with wrong job token' do
+      let(:token) { 'missing' }
+
+      it { is_expected.to be_nil }
+    end
+  end
+
+  describe '#execute' do
+    subject(:execute) { finder.execute }
+
+    before do
+      job.success!
+    end
+
+    it { is_expected.to be_nil }
+  end
+end
diff --git a/spec/lib/gitlab/auth/auth_finders_spec.rb b/spec/lib/gitlab/auth/auth_finders_spec.rb
index 2aef206c7fd..4b6c928edcc 100644
--- a/spec/lib/gitlab/auth/auth_finders_spec.rb
+++ b/spec/lib/gitlab/auth/auth_finders_spec.rb
@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-describe Gitlab::Auth::AuthFinders do
+RSpec.describe Gitlab::Auth::AuthFinders do
   include described_class
   include HttpBasicAuthHelpers
 
@@ -499,7 +499,7 @@ describe Gitlab::Auth::AuthFinders do
     context 'with CI username' do
       let(:username) { ::Ci::Build::CI_REGISTRY_USER }
       let(:user) { create(:user) }
-      let(:build) { create(:ci_build, user: user) }
+      let(:build) { create(:ci_build, user: user, status: :running) }
 
       it 'returns nil without password' do
         set_basic_auth_header(username, nil)
@@ -518,6 +518,13 @@ describe Gitlab::Auth::AuthFinders do
 
         expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
       end
+
+      it 'returns exception if the job is not running' do
+        set_basic_auth_header(username, build.token)
+        build.success!
+
+        expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+      end
     end
   end
 
@@ -567,7 +574,7 @@ describe Gitlab::Auth::AuthFinders do
   end
 
   describe '#find_user_from_job_token' do
-    let(:job) { create(:ci_build, user: user) }
+    let(:job) { create(:ci_build, user: user, status: :running) }
     let(:route_authentication_setting) { { job_token_allowed: true } }
 
     subject { find_user_from_job_token }
@@ -592,6 +599,13 @@ describe Gitlab::Auth::AuthFinders do
         expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
       end
 
+      it 'returns exception if the job is not running' do
+        set_header(described_class::JOB_TOKEN_HEADER, job.token)
+        job.success!
+
+        expect { subject }.to raise_error(Gitlab::Auth::UnauthorizedError)
+      end
+
       context 'when route is not allowed to be authenticated' do
         let(:route_authentication_setting) { { job_token_allowed: false } }
 
diff --git a/spec/lib/gitlab/auth/request_authenticator_spec.rb b/spec/lib/gitlab/auth/request_authenticator_spec.rb
index 87c96803c3a..0e6a6e836fd 100644
--- a/spec/lib/gitlab/auth/request_authenticator_spec.rb
+++ b/spec/lib/gitlab/auth/request_authenticator_spec.rb
@@ -87,7 +87,7 @@ describe Gitlab::Auth::RequestAuthenticator do
 
   describe '#find_user_from_job_token' do
     let!(:user) { build(:user) }
-    let!(:job) { build(:ci_build, user: user) }
+    let!(:job) { build(:ci_build, user: user, status: :running) }
 
     before do
       env[Gitlab::Auth::AuthFinders::JOB_TOKEN_HEADER] = 'token'
@@ -96,13 +96,18 @@ describe Gitlab::Auth::RequestAuthenticator do
     context 'with API requests' do
       before do
         env['SCRIPT_NAME'] = '/api/endpoint'
+        expect(::Ci::Build).to receive(:find_by_token).with('token').and_return(job)
       end
 
       it 'tries to find the user' do
-        expect(::Ci::Build).to receive(:find_by_token).and_return(job)
-
         expect(subject.find_sessionless_user([:api])).to eq user
       end
+
+      it 'returns nil if the job is not running' do
+        job.status = :success
+
+        expect(subject.find_sessionless_user([:api])).to be_blank
+      end
     end
 
     context 'without API requests' do
diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb
index 2f220272651..340ede6e36c 100644
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -164,15 +164,6 @@ describe Gitlab::Regex do
     it { is_expected.not_to match('foo/bar') }
   end
 
-  describe '.conan_file_name_regex' do
-    subject { described_class.conan_file_name_regex }
-
-    it { is_expected.to match('conanfile.py') }
-    it { is_expected.to match('conan_package.tgz') }
-    it { is_expected.not_to match('foo.txt') }
-    it { is_expected.not_to match('!!()()') }
-  end
-
   describe '.conan_package_reference_regex' do
     subject { described_class.conan_package_reference_regex }
 
diff --git a/spec/models/aws/role_spec.rb b/spec/models/aws/role_spec.rb
index d4165567146..bb1a22f5060 100644
--- a/spec/models/aws/role_spec.rb
+++ b/spec/models/aws/role_spec.rb
@@ -29,6 +29,12 @@ describe Aws::Role do
 
         it { is_expected.to be_truthy }
       end
+
+      context 'ARN is nil' do
+        let(:role_arn) { }
+
+        it { is_expected.to be_truthy }
+      end
     end
   end
 
diff --git a/spec/requests/api/badges_spec.rb b/spec/requests/api/badges_spec.rb
index d7f9b7d010b..8a7b429d7f2 100644
--- a/spec/requests/api/badges_spec.rb
+++ b/spec/requests/api/badges_spec.rb
@@ -332,10 +332,32 @@ describe API::Badges do
 
   context 'when deleting a badge' do
     context 'and the source is a project' do
+      let(:badge) { project.group.badges.first }
+
       it 'cannot delete badges owned by the project group' do
-        delete api("/projects/#{project.id}/badges/#{project_group.badges.first.id}", maintainer)
+        expect do
+          delete api("/projects/#{project.id}/badges/#{badge.id}", maintainer)
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end.not_to change { badge.reload.persisted? }
+      end
+    end
+  end
+
+  context 'when updating a badge' do
+    context 'and the source is a project' do
+      let(:badge) { project.group.badges.first }
+      let(:example_name) { 'BadgeName' }
+      let(:example_url) { 'http://www.example.com' }
+      let(:example_url2) { 'http://www.example1.com' }
+
+      it 'cannot update badges owned by the project group' do
+        expect do
+          put api("/projects/#{project.id}/badges/#{badge.id}", maintainer),
+            params: { name: example_name, link_url: example_url, image_url: example_url2 }
 
-        expect(response).to have_gitlab_http_status(:forbidden)
+          expect(response).to have_gitlab_http_status(:not_found)
+        end.not_to change { badge.reload.updated_at }
       end
     end
   end
diff --git a/spec/requests/api/releases_spec.rb b/spec/requests/api/releases_spec.rb
index f4cb7f25990..4b7013a56b7 100644
--- a/spec/requests/api/releases_spec.rb
+++ b/spec/requests/api/releases_spec.rb
@@ -653,12 +653,20 @@ describe API::Releases do
       end
 
       context 'when a valid token is provided' do
-        it 'creates the release' do
+        it 'creates the release for a running job' do
+          job.update!(status: :running)
           post api("/projects/#{project.id}/releases"), params: params.merge(job_token: job.token)
 
           expect(response).to have_gitlab_http_status(:created)
           expect(project.releases.last.description).to eq('Another nice release')
         end
+
+        it 'returns an :unauthorized error for a completed job' do
+          job.success!
+          post api("/projects/#{project.id}/releases"), params: params.merge(job_token: job.token)
+
+          expect(response).to have_gitlab_http_status(:unauthorized)
+        end
       end
     end
 
diff --git a/spec/requests/api/terraform/state_spec.rb b/spec/requests/api/terraform/state_spec.rb
index ec9db5566e3..b1fbf67b84b 100644
--- a/spec/requests/api/terraform/state_spec.rb
+++ b/spec/requests/api/terraform/state_spec.rb
@@ -71,7 +71,7 @@ describe API::Terraform::State do
       let(:auth_header) { job_basic_auth_header(job) }
 
       context 'with maintainer permissions' do
-        let(:job) { create(:ci_build, project: project, user: maintainer) }
+        let(:job) { create(:ci_build, status: :running, project: project, user: maintainer) }
 
         it 'returns terraform state belonging to a project of given state name' do
           request
@@ -80,6 +80,13 @@ describe API::Terraform::State do
           expect(response.body).to eq(state.file.read)
         end
 
+        it 'returns unauthorized if the the job is not running' do
+          job.update!(status: :failed)
+          request
+
+          expect(response).to have_gitlab_http_status(:unauthorized)
+        end
+
         context 'for a project that does not exist' do
           let(:project_id) { '0000' }
 
@@ -92,7 +99,7 @@ describe API::Terraform::State do
       end
 
       context 'with developer permissions' do
-        let(:job) { create(:ci_build, project: project, user: developer) }
+        let(:job) { create(:ci_build, status: :running, project: project, user: developer) }
 
         it 'returns forbidden if the user cannot access the state' do
           request
diff --git a/spec/services/ci/pipeline_trigger_service_spec.rb b/spec/services/ci/pipeline_trigger_service_spec.rb
index 44ce1ff699b..4792c8eca8d 100644
--- a/spec/services/ci/pipeline_trigger_service_spec.rb
+++ b/spec/services/ci/pipeline_trigger_service_spec.rb
@@ -106,9 +106,23 @@ describe Ci::PipelineTriggerService do
         let(:params) { { token: job.token, ref: 'master', variables: nil } }
         let(:job) { create(:ci_build, :success, pipeline: pipeline, user: user) }
 
-        it 'does nothing' do
+        it 'does nothing', :aggregate_failures do
+          expect { result }.not_to change { Ci::Pipeline.count }
+          expect(result[:message]).to eq('Job is not running')
+          expect(result[:http_status]).to eq(401)
+        end
+      end
+
+      context 'when job does not have a project' do
+        let(:params) { { token: job.token, ref: 'master', variables: nil } }
+        let(:job) { create(:ci_build, status: :running, pipeline: pipeline, user: user) }
+
+        it 'does nothing', :aggregate_failures do
+          job.update!(project: nil)
+
           expect { result }.not_to change { Ci::Pipeline.count }
-          expect(result[:message]).to eq('400 Job has to be running')
+          expect(result[:message]).to eq('Project has been deleted!')
+          expect(result[:http_status]).to eq(401)
         end
       end
 
diff --git a/spec/services/clusters/aws/authorize_role_service_spec.rb b/spec/services/clusters/aws/authorize_role_service_spec.rb
index 3ef332558a2..5033076e192 100644
--- a/spec/services/clusters/aws/authorize_role_service_spec.rb
+++ b/spec/services/clusters/aws/authorize_role_service_spec.rb
@@ -3,47 +3,34 @@
 require 'spec_helper'
 
 describe Clusters::Aws::AuthorizeRoleService do
-  let(:user) { create(:user) }
+  subject { described_class.new(user, params: params).execute }
+
+  let(:role) { create(:aws_role) }
+  let(:user) { role.user }
   let(:credentials) { instance_double(Aws::Credentials) }
   let(:credentials_service) { instance_double(Clusters::Aws::FetchCredentialsService, execute: credentials) }
 
+  let(:role_arn) { 'arn:my-role' }
   let(:params) do
     params = ActionController::Parameters.new({
       cluster: {
-        role_arn: 'arn:my-role',
-        role_external_id: 'external-id'
+        role_arn: role_arn
       }
     })
 
-    params.require(:cluster).permit(:role_arn, :role_external_id)
+    params.require(:cluster).permit(:role_arn)
   end
 
-  subject { described_class.new(user, params: params).execute }
-
   before do
     allow(Clusters::Aws::FetchCredentialsService).to receive(:new)
       .with(instance_of(Aws::Role)).and_return(credentials_service)
   end
 
-  context 'role does not exist' do
-    it 'creates an Aws::Role record and returns a set of credentials' do
-      expect(user).to receive(:create_aws_role!)
-        .with(params).and_call_original
-
-      expect(subject.status).to eq(:ok)
-      expect(subject.body).to eq(credentials)
-    end
-  end
-
-  context 'role already exists' do
-    let(:role) { create(:aws_role, user: user) }
-
+  context 'role exists' do
     it 'updates the existing Aws::Role record and returns a set of credentials' do
-      expect(role).to receive(:update!)
-        .with(params).and_call_original
-
       expect(subject.status).to eq(:ok)
       expect(subject.body).to eq(credentials)
+      expect(role.reload.role_arn).to eq(role_arn)
     end
   end
 
@@ -55,11 +42,14 @@ describe Clusters::Aws::AuthorizeRoleService do
       end
     end
 
-    context 'cannot create role' do
-      before do
-        allow(user).to receive(:create_aws_role!)
-          .and_raise(ActiveRecord::RecordInvalid.new(user))
-      end
+    context 'role does not exist' do
+      let(:user) { create(:user) }
+
+      include_examples 'bad request'
+    end
+
+    context 'supplied ARN is invalid' do
+      let(:role_arn) { 'invalid' }
 
       include_examples 'bad request'
     end
diff --git a/spec/support/shared_examples/controllers/clusters_controller_shared_examples.rb b/spec/support/shared_examples/controllers/clusters_controller_shared_examples.rb
new file mode 100644
index 00000000000..aa17e72d08e
--- /dev/null
+++ b/spec/support/shared_examples/controllers/clusters_controller_shared_examples.rb
@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'GET new cluster shared examples' do
+  describe 'EKS cluster' do
+    context 'user already has an associated AWS role' do
+      let!(:role) { create(:aws_role, user: user) }
+
+      it 'does not create an Aws::Role record' do
+        expect { go(provider: 'aws') }.not_to change { Aws::Role.count }
+
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(assigns(:aws_role)).to eq(role)
+      end
+    end
+
+    context 'user does not have an associated AWS role' do
+      it 'creates an Aws::Role record' do
+        expect { go(provider: 'aws') }.to change { Aws::Role.count }
+
+        expect(response).to have_gitlab_http_status(:ok)
+
+        role = assigns(:aws_role)
+        expect(role.user).to eq(user)
+        expect(role.role_arn).to be_nil
+        expect(role.role_external_id).to be_present
+      end
+    end
+  end
+end
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
index 259148fa18f..259148fa18f 100755..100644
--- a/vendor/gitignore/C++.gitignore
+++ b/vendor/gitignore/C++.gitignore
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
index a1c2a238a96..a1c2a238a96 100755..100644
--- a/vendor/gitignore/Java.gitignore
+++ b/vendor/gitignore/Java.gitignore