authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:12:22 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-29 14:12:50 +0000
commitc692ef42c01f3fec6841f0000fff8f2bce1ea06e (patch)
tree71274861fcc8980826ce01767e12f5d9b552f094
parentee242ee85e91bf2918fbcbb74ace3b5c66fa79dc (diff)
downloadgitlab-ce-c692ef42c01f3fec6841f0000fff8f2bce1ea06e.tar.gz
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
-rw-r--r--.rubocop_todo/layout/line_length.yml1
-rw-r--r--app/finders/packages/conan/package_finder.rb2
-rw-r--r--db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb25
-rw-r--r--db/schema_migrations/202205201206371
-rw-r--r--db/structure.sql2
-rw-r--r--doc/user/group/index.md3
-rw-r--r--lib/gitlab/jira/dvcs.rb3
-rw-r--r--locale/gitlab.pot3
-rw-r--r--spec/finders/packages/conan/package_finder_spec.rb51
-rw-r--r--spec/requests/jira_routing_spec.rb54
-rw-r--r--spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb67
11 files changed, 166 insertions, 46 deletions
diff --git a/.rubocop_todo/layout/line_length.yml b/.rubocop_todo/layout/line_length.yml
index a9200ee9fba..6eebd8b1040 100644
--- a/.rubocop_todo/layout/line_length.yml
+++ b/.rubocop_todo/layout/line_length.yml
@@ -1974,7 +1974,6 @@ Layout/LineLength:
- 'ee/spec/features/groups/iterations/user_edits_iteration_spec.rb'
- 'ee/spec/features/groups/iterations/user_views_iteration_cadence_spec.rb'
- 'ee/spec/features/groups/iterations/user_views_iteration_spec.rb'
- - 'ee/spec/features/groups/members/manage_groups_spec.rb'
- 'ee/spec/features/groups/members/manage_members_spec.rb'
- 'ee/spec/features/groups/members/override_ldap_memberships_spec.rb'
- 'ee/spec/features/groups/saml_providers_spec.rb'
diff --git a/app/finders/packages/conan/package_finder.rb b/app/finders/packages/conan/package_finder.rb
index 8ebdd358ba6..210b37635b3 100644
--- a/app/finders/packages/conan/package_finder.rb
+++ b/app/finders/packages/conan/package_finder.rb
@@ -25,7 +25,7 @@ module Packages
end
def projects_visible_to_current_user
- ::Project.public_or_visible_to_user(current_user)
+ ::Project.public_or_visible_to_user(current_user, ::Gitlab::Access::REPORTER)
end
end
end
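Review bot: The new `::Gitlab::Access::REPORTER` argument on the `public_or_visible_to_user` call carries no explanation of why reporter is the floor, so the next reader cannot tell whether it is a deliberate policy or a value copied from elsewhere. A one-line comment above the call would pin it, e.g. `# Private-project packages are listed only for reporters and above; guests must not see them (see the :private rows in package_finder_spec).` The method body is complete in the hunk, but the enclosing class and the `current_user` it reads are outside it.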
diff --git a/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb b/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
new file mode 100644
index 00000000000..b26d1f5429a
--- /dev/null
+++ b/db/migrate/20220520120637_add_installable_conan_packages_index_to_packages.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class AddInstallableConanPackagesIndexToPackages < Gitlab::Database::Migration[2.0]
+ disable_ddl_transaction!
+
+ INDEX_NAME = 'idx_installable_conan_pkgs_on_project_id_id'
+ # as defined by Packages::Package.package_types
+ CONAN_PACKAGE_TYPE = 3
+
+ # as defined by Packages::Package::INSTALLABLE_STATUSES
+ DEFAULT_STATUS = 0
+ HIDDEN_STATUS = 1
+
+ def up
+ where = "package_type = #{CONAN_PACKAGE_TYPE} AND status IN (#{DEFAULT_STATUS}, #{HIDDEN_STATUS})"
+ add_concurrent_index :packages_packages,
+ [:project_id, :id],
+ where: where,
+ name: INDEX_NAME
+ end
+
+ def down
+ remove_concurrent_index_by_name :packages_packages, INDEX_NAME
+ end
+end
diff --git a/db/schema_migrations/20220520120637 b/db/schema_migrations/20220520120637
new file mode 100644
index 00000000000..f379ef0d581
--- /dev/null
+++ b/db/schema_migrations/20220520120637
@@ -0,0 +1 @@
+1fdb60b1c72b687aa8bede083ac7038097d538dc815e334d74296b1d39c2acb8 \ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index fa9d9e8f778..165f501120e 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -26607,6 +26607,8 @@ CREATE UNIQUE INDEX idx_environment_merge_requests_unique_index ON deployment_me
CREATE INDEX idx_geo_con_rep_updated_events_on_container_repository_id ON geo_container_repository_updated_events USING btree (container_repository_id);
+CREATE INDEX idx_installable_conan_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id) WHERE ((package_type = 3) AND (status = ANY (ARRAY[0, 1])));
+
CREATE INDEX idx_installable_helm_pkgs_on_project_id_id ON packages_packages USING btree (project_id, id);
CREATE INDEX idx_installable_npm_pkgs_on_project_id_name_version_id ON packages_packages USING btree (project_id, name, version, id) WHERE ((package_type = 2) AND (status = 0));
diff --git a/doc/user/group/index.md b/doc/user/group/index.md
index 87146329031..e99dfc738cf 100644
--- a/doc/user/group/index.md
+++ b/doc/user/group/index.md
@@ -644,6 +644,7 @@ To restrict group access by IP address:
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7297) in GitLab 12.2.
> - Support for specifying multiple email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/33143) in GitLab 13.1.
> - Support for restricting access to projects in the group [added](https://gitlab.com/gitlab-org/gitlab/-/issues/14004) in GitLab 14.1.2.
+> - Support for restricting group memberships to groups with a subset of the allowed email domains [added](https://gitlab.com/gitlab-org/gitlab/-/issues/354791) in GitLab 15.0.1
You can prevent users with email addresses in specific domains from being added to a group and its projects.
@@ -666,6 +667,8 @@ The most popular public email domains cannot be restricted, such as:
- `hotmail.com`, `hotmail.co.uk`, `hotmail.fr`
- `msn.com`, `live.com`, `outlook.com`
+When you share a group, both the source and target namespaces must allow the domains of the members' email addresses.
+
## Group file templates **(PREMIUM)**
Use group file templates to share a set of templates for common file
diff --git a/lib/gitlab/jira/dvcs.rb b/lib/gitlab/jira/dvcs.rb
index ddf2cd76709..41a039674b3 100644
--- a/lib/gitlab/jira/dvcs.rb
+++ b/lib/gitlab/jira/dvcs.rb
@@ -38,7 +38,8 @@ module Gitlab
# @param [String] namespace
def self.restore_full_path(namespace:, project:)
if project.include?(ENCODED_SLASH)
- project.gsub(ENCODED_SLASH, SLASH)
+ # Replace multiple slashes with single ones to make sure the redirect stays on the same host
+ project.gsub(ENCODED_SLASH, SLASH).gsub(%r{\/{2,}}, '/')
else
"#{namespace}/#{project}"
end
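Review bot: The slash collapse on the new `gsub` line only runs in the `include?(ENCODED_SLASH)` branch, and it neutralises a decoded value such as `//host` by rewriting it to `/host` rather than rejecting it, so the comment should state what is being prevented rather than just "stays on the same host": `# Collapse runs of "/" so a decoded project like "//host" cannot become a protocol-relative redirect.` The `\/` escape inside `%r{…}` is redundant; `%r{/{2,}}` is the same pattern. The regexp normalises only the forward-slash character; whether other separator forms can reach this method depends on the router and caller, which are not in the hunk, so that is worth confirming rather than assuming. `restore_full_path`'s closing `end` is outside the hunk.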
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 96137675f03..58da605053b 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -21039,6 +21039,9 @@ msgstr ""
msgid "Invited"
msgstr ""
+msgid "Invited group allowed email domains must contain a subset of the allowed email domains of the root ancestor group. Go to the group's 'Settings &gt; General' page and check 'Restrict membership by email domain'."
+msgstr ""
+
msgid "IrkerService|Channels and users separated by whitespaces. %{recipients_docs_link}"
msgstr ""
diff --git a/spec/finders/packages/conan/package_finder_spec.rb b/spec/finders/packages/conan/package_finder_spec.rb
index b26f8900090..6848786818b 100644
--- a/spec/finders/packages/conan/package_finder_spec.rb
+++ b/spec/finders/packages/conan/package_finder_spec.rb
@@ -2,22 +2,53 @@
require 'spec_helper'
RSpec.describe ::Packages::Conan::PackageFinder do
+ using RSpec::Parameterized::TableSyntax
+
+ let_it_be_with_reload(:project) { create(:project) }
let_it_be(:user) { create(:user) }
- let_it_be(:project) { create(:project, :public) }
+ let_it_be(:private_project) { create(:project, :private) }
+
+ let_it_be(:conan_package) { create(:conan_package, project: project) }
+ let_it_be(:conan_package2) { create(:conan_package, project: project) }
+ let_it_be(:errored_package) { create(:conan_package, :error, project: project) }
+ let_it_be(:private_package) { create(:conan_package, project: private_project) }
describe '#execute' do
- let!(:conan_package) { create(:conan_package, project: project) }
- let!(:conan_package2) { create(:conan_package, project: project) }
+ let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ let(:finder) { described_class.new(user, query: query) }
+
+ subject { finder.execute }
+
+ where(:visibility, :role, :packages_visible) do
+ :private | :maintainer | true
+ :private | :developer | true
+ :private | :reporter | true
+ :private | :guest | false
+ :private | :anonymous | false
+
+ :internal | :maintainer | true
+ :internal | :developer | true
+ :internal | :reporter | true
+ :internal | :guest | true
+ :internal | :anonymous | false
+
+ :public | :maintainer | true
+ :public | :developer | true
+ :public | :reporter | true
+ :public | :guest | true
+ :public | :anonymous | true
+ end
- subject { described_class.new(user, query: query).execute }
+ with_them do
+ let(:expected_packages) { packages_visible ? [conan_package, conan_package2] : [] }
+ let(:user) { role == :anonymous ? nil : super() }
- context 'packages that are not installable' do
- let!(:conan_package3) { create(:conan_package, :error, project: project) }
- let!(:non_visible_project) { create(:project, :private) }
- let!(:non_visible_conan_package) { create(:conan_package, project: non_visible_project) }
- let(:query) { "#{conan_package.name.split('/').first[0, 3]}%" }
+ before do
+ project.update_column(:visibility_level, Gitlab::VisibilityLevel.string_options[visibility.to_s])
+ project.add_user(user, role) unless role == :anonymous
+ end
- it { is_expected.to eq [conan_package, conan_package2] }
+ it { is_expected.to eq(expected_packages) }
end
end
end
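Review bot: `is_expected.to eq(expected_packages)` at the end of the `with_them` block asserts the order `[conan_package, conan_package2]`, but nothing in the spec shows the finder applying an ordering, so the example may pass only by insertion order; `it { is_expected.to match_array(expected_packages) }` states the intent without that dependency, unless ordering is part of the finder's contract. The visibility setup uses `project.update_column(:visibility_level, …)` here while `conan_packages_shared_examples.rb` in the same commit uses `project.update!(visibility: …)`; one form across both specs would make the fixtures behave the same way with respect to validations and callbacks. The `private_package` and `errored_package` fixtures are exercised only implicitly through the empty or two-element expectation; a short comment on their `let_it_be` lines saying they must never appear in the result would make that role explicit.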
diff --git a/spec/requests/jira_routing_spec.rb b/spec/requests/jira_routing_spec.rb
index a627eea33a8..e0e170044de 100644
--- a/spec/requests/jira_routing_spec.rb
+++ b/spec/requests/jira_routing_spec.rb
@@ -25,27 +25,49 @@ RSpec.describe 'Jira referenced paths', type: :request do
expect(response).to redirect_to(redirect_path)
end
- context 'with encoded subgroup path' do
- where(:jira_path, :redirect_path) do
- '/group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
- '/group@sub_group/group@sub_group@sub_group_project' | '/group/sub_group/sub_group_project'
- '/group/group@sub_group@sub_group_project/commit/1234567' | '/group/sub_group/sub_group_project/commit/1234567'
- '/group/group@sub_group@sub_group_project/tree/1234567' | '/group/sub_group/sub_group_project/-/tree/1234567'
+ shared_examples 'redirects to jira path' do
+ it 'redirects to canonical path with legacy prefix' do
+ redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
end
- with_them do
- context 'with legacy prefix' do
- it 'redirects to canonical path' do
- redirects_to_canonical_path "/-/jira#{jira_path}", redirect_path
- end
- end
-
- it 'redirects to canonical path' do
- redirects_to_canonical_path jira_path, redirect_path
- end
+ it 'redirects to canonical path' do
+ redirects_to_canonical_path jira_path, redirect_path
end
end
+ let(:jira_path) { '/group/group@sub_group@sub_group_project' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+ it_behaves_like 'redirects to jira path'
+
+ context 'contains @ before the first /' do
+ let(:jira_path) { '/group@sub_group/group@sub_group@sub_group_project' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'including commit path' do
+ let(:jira_path) { '/group/group@sub_group@sub_group_project/commit/1234567' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project/commit/1234567' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'including tree path' do
+ let(:jira_path) { '/group/group@sub_group@sub_group_project/tree/1234567' }
+ let(:redirect_path) { '/group/sub_group/sub_group_project/-/tree/1234567' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
+ context 'malicious path' do
+ let(:jira_path) { '/group/@@malicious.server' }
+ let(:redirect_path) { '/malicious.server' }
+
+ it_behaves_like 'redirects to jira path'
+ end
+
context 'regular paths with legacy prefix' do
where(:jira_path, :redirect_path) do
'/-/jira/group/group_project' | '/group/group_project'
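Review bot: The `context 'malicious path'` description says nothing about what the example guards, and the expected `/malicious.server` is recognisable as the safe outcome only if the reader already knows that `/group/@@malicious.server` would otherwise decode to a protocol-relative `//malicious.server`. A description such as `context 'with a path that decodes to a protocol-relative URL'` plus a comment on the `let(:redirect_path)` line, `# must stay on this host; the encoded branch of restore_full_path does not use the namespace`, would record that. The expected path also loses the `group` segment entirely, which follows from the encoded branch of `restore_full_path` ignoring its `namespace:` argument; it is worth confirming that a same-host path is the whole contract here. The replacement of the `where` table with five near-identical contexts makes the file longer than the table form; keeping the table and adding the new row would have been equivalent.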
diff --git a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
index 135fa4cf5a4..e6b0772aec1 100644
--- a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
@@ -19,33 +19,66 @@ RSpec.shared_examples 'conan ping endpoint' do
end
RSpec.shared_examples 'conan search endpoint' do
- before do
- project.update_column(:visibility_level, Gitlab::VisibilityLevel::PUBLIC)
-
- # Do not pass the HTTP_AUTHORIZATION header,
- # in order to test that this public project's packages
- # are visible to anonymous search.
- get api(url), params: params
- end
+ using RSpec::Parameterized::TableSyntax
subject { json_response['results'] }
- context 'returns packages with a matching name' do
- let(:params) { { q: package.conan_recipe } }
+ context 'with a public project' do
+ before do
+ project.update!(visibility: 'public')
+
+ # Do not pass the HTTP_AUTHORIZATION header,
+ # in order to test that this public project's packages
+ # are visible to anonymous search.
+ get api(url), params: params
+ end
+
+ context 'returns packages with a matching name' do
+ let(:params) { { q: package.conan_recipe } }
+
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'returns packages using a * wildcard' do
+ let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ end
+
+ context 'does not return non-matching packages' do
+ let(:params) { { q: "foo" } }
+
+ it { is_expected.to be_blank }
+ end
end
- context 'returns packages using a * wildcard' do
+ context 'with a private project' do
let(:params) { { q: "#{package.name[0, 3]}*" } }
- it { is_expected.to contain_exactly(package.conan_recipe) }
- end
+ where(:role, :packages_visible) do
+ :maintainer | true
+ :developer | true
+ :reporter | true
+ :guest | false
+ :anonymous | false
+ end
- context 'does not return non-matching packages' do
- let(:params) { { q: "foo" } }
+ with_them do
+ before do
+ project.update!(visibility: 'private')
+ project.team.truncate
+ user.project_authorizations.delete_all
+ project.add_user(user, role) unless role == :anonymous
+
+ get api(url), params: params, headers: headers
+ end
- it { is_expected.to be_blank }
+ if params[:packages_visible]
+ it { is_expected.to contain_exactly(package.conan_recipe) }
+ else
+ it { is_expected.to be_blank }
+ end
+ end
end
end
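Review bot: `if params[:packages_visible]` at the bottom of the `with_them` block reads RSpec::Parameterized's row accessor, but the same group defines `let(:params) { { q: … } }` a few lines above, so two different things named `params` sit in one block and the one on the `get api(url), params: params, headers: headers` line is not the one on the `if` line. Renaming the search hash, e.g. `let(:search_params) { { q: "#{package.name[0, 3]}*" } }` and `get api(url), params: search_params, headers: headers`, removes the ambiguity. The private-project `before` block also references `headers` and `user`, which are not defined in this hunk, so the shared example silently depends on its includer providing them; a comment at the top of the shared example naming that requirement would help. Visibility is set with `project.update!(visibility: …)` here but with `update_column` in `package_finder_spec.rb` in the same commit.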