Add latest changes from gitlab-org/gitlab@13-11-stable-eev13.11.0-rc43

9 files changed, 313 insertions, 9 deletions

diff --git a/qa/qa/specs/features/api/1_manage/project_access_token_spec.rb b/qa/qa/specs/features/api/1_manage/project_access_token_spec.rb
new file mode 100644
index 00000000000..6024c8658d5
--- /dev/null
+++ b/qa/qa/specs/features/api/1_manage/project_access_token_spec.rb
@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage' do
+    describe 'Project access token' do
+      before(:all) do
+        @project_access_token = QA::Resource::ProjectAccessToken.fabricate_via_api!
+        @user_api_client = Runtime::API::Client.new(:gitlab, personal_access_token: @project_access_token.token)
+      end
+
+      context 'for the same project' do
+        it 'can be used to create a file via the project API', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1734' do
+          expect do
+            Resource::File.fabricate_via_api! do |file|
+              file.api_client = @user_api_client
+              file.project = @project_access_token.project
+              file.branch = 'new_branch'
+              file.commit_message = 'Add new file'
+              file.name = "text-#{SecureRandom.hex(8)}.txt"
+              file.content = 'New file'
+            end
+          end.not_to raise_error
+        end
+
+        it 'can be used to commit via the API', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1735' do
+          expect do
+            Resource::Repository::Commit.fabricate_via_api! do |commit|
+              commit.api_client = @user_api_client
+              commit.project = @project_access_token.project
+              commit.branch = 'new_branch'
+              commit.start_branch = @project_access_token.project.default_branch
+              commit.commit_message = 'Add new file'
+              commit.add_files([
+                { file_path: "text-#{SecureRandom.hex(8)}.txt", content: 'new file' }
+              ])
+            end
+          end.not_to raise_error
+        end
+      end
+
+      context 'for a different project' do
+        before(:all) do
+          @different_project = Resource::Project.fabricate!
+        end
+
+        it 'cannot be used to create a file via the project API', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1736' do
+          expect do
+            Resource::File.fabricate_via_api! do |file|
+              file.api_client = @user_api_client
+              file.project = @different_project
+              file.branch = 'new_branch'
+              file.commit_message = 'Add new file'
+              file.name = "text-#{SecureRandom.hex(8)}.txt"
+              file.content = 'New file'
+            end
+          end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError, /403 Forbidden/)
+        end
+
+        it 'cannot be used to commit via the API', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1737' do
+          expect do
+            Resource::Repository::Commit.fabricate_via_api! do |commit|
+              commit.api_client = @user_api_client
+              commit.project = @different_project
+              commit.branch = 'new_branch'
+              commit.start_branch = @different_project.default_branch
+              commit.commit_message = 'Add new file'
+              commit.add_files([
+                { file_path: "text-#{SecureRandom.hex(8)}.txt", content: 'new file' }
+              ])
+            end
+          end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError, /403 Forbidden - You are not allowed to push into this branch/)
+        end
+
+        after(:all) do
+          @different_project.remove_via_api!
+        end
+      end
+
+      after(:all) do
+        @project_access_token.remove_via_api!
+        @project_access_token.project.remove_via_api!
+      end
+    end
+  end
+end
diff --git a/qa/qa/specs/features/api/1_manage/user_access_termination_spec.rb b/qa/qa/specs/features/api/1_manage/user_access_termination_spec.rb
index b7f71ad5bcd..a069b94f4da 100644
--- a/qa/qa/specs/features/api/1_manage/user_access_termination_spec.rb
+++ b/qa/qa/specs/features/api/1_manage/user_access_termination_spec.rb
@@ -12,7 +12,9 @@ module QA
 
         @user_api_client = Runtime::API::Client.new(:gitlab, user: @user)
 
-        @group = Resource::Group.fabricate_via_api!
+        @group = QA::Resource::Group.fabricate_via_api! do |group|
+          group.path = "group-to-test-access-termination-#{SecureRandom.hex(8)}"
+        end
 
         @group.sandbox.add_member(@user)
 
@@ -73,11 +75,7 @@ module QA
       after(:all) do
         @user.remove_via_api!
         @project.remove_via_api!
-        begin
-          @group.remove_via_api!
-        rescue Resource::ApiFabricator::ResourceNotDeletedError
-          # It is ok if the group is already marked for deletion by another test
-        end
+        @group.remove_via_api!
       end
     end
   end
diff --git a/qa/qa/specs/features/api/3_create/gitaly/changing_repository_storage_spec.rb b/qa/qa/specs/features/api/3_create/gitaly/changing_repository_storage_spec.rb
index 631056ed52e..176f1139a7a 100644
--- a/qa/qa/specs/features/api/3_create/gitaly/changing_repository_storage_spec.rb
+++ b/qa/qa/specs/features/api/3_create/gitaly/changing_repository_storage_spec.rb
@@ -9,7 +9,7 @@ module QA
         it 'confirms a `finished` status after moving project repository storage' do
           expect(project).to have_file('README.md')
           expect { project.change_repository_storage(destination_storage[:name]) }.not_to raise_error
-          expect { praefect_manager.verify_storage_move(source_storage, destination_storage) }.not_to raise_error
+          expect { praefect_manager.verify_storage_move(source_storage, destination_storage, repo_type: :project) }.not_to raise_error
 
           Resource::Repository::ProjectPush.fabricate! do |push|
             push.project = project
@@ -45,7 +45,7 @@ module QA
       # Note: This test doesn't have the :orchestrated tag because it runs in the Test::Integration::Praefect
       # scenario with other tests that aren't considered orchestrated.
       # It also runs on staging using nfs-file07 as non-cluster storage and nfs-file22 as cluster/praefect storage
-      context 'when moving from Gitaly to Gitaly Cluster', :requires_praefect, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/974', quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/284645', type: :investigating } do
+      context 'when moving from Gitaly to Gitaly Cluster', :requires_praefect, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1755', quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/284645', type: :investigating } do
         let(:source_storage) { { type: :gitaly, name: QA::Runtime::Env.non_cluster_repository_storage } }
         let(:destination_storage) { { type: :praefect, name: QA::Runtime::Env.praefect_repository_storage } }
         let(:project) do
diff --git a/qa/qa/specs/features/api/3_create/repository/push_postreceive_idempotent_spec.rb b/qa/qa/specs/features/api/3_create/repository/push_postreceive_idempotent_spec.rb
new file mode 100644
index 00000000000..c06e3b9f162
--- /dev/null
+++ b/qa/qa/specs/features/api/3_create/repository/push_postreceive_idempotent_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Create' do
+    describe 'PostReceive idempotent' do
+      # Tests that a push does not result in multiple changes from repeated PostReceive executions.
+      # One of the consequences would be duplicate push events
+
+      let(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'push-postreceive-idempotent'
+          project.initialize_with_readme = true
+        end
+      end
+
+      after do
+        project&.remove_via_api!
+      end
+
+      it 'pushes and creates a single push event three times', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1744' do
+        verify_single_event_per_push(repeat: 3)
+      end
+
+      it 'repeatedly pushes and creates a single push event several times', :transient, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1744' do
+        verify_single_event_per_push(repeat: Runtime::Env.transient_trials) do |i|
+          QA::Runtime::Logger.info("Transient bug test action - Trial #{i}")
+        end
+      end
+
+      def verify_single_event_per_push(repeat:)
+        repeat.times do |i|
+          yield i if block_given?
+
+          commit_message = "test post-receive idempotency #{SecureRandom.hex(8)}"
+
+          Resource::Repository::ProjectPush.fabricate! do |push|
+            push.project = project
+            push.new_branch = false
+            push.commit_message = commit_message
+          end
+
+          events = project.push_events(commit_message)
+
+          aggregate_failures do
+            expect(events.size).to eq(1), "An unexpected number of push events was created"
+            expect(events.first.dig(:push_data, :commit_title)).to eq(commit_message)
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/qa/qa/specs/features/api/3_create/snippet/snippet_repository_storage_move_spec.rb b/qa/qa/specs/features/api/3_create/snippet/snippet_repository_storage_move_spec.rb
index 4872acd1004..7b82a872fc0 100644
--- a/qa/qa/specs/features/api/3_create/snippet/snippet_repository_storage_move_spec.rb
+++ b/qa/qa/specs/features/api/3_create/snippet/snippet_repository_storage_move_spec.rb
@@ -24,7 +24,7 @@ module QA
       it 'moves snippet repository from one Gitaly storage to another', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1700' do
         expect(snippet).to have_file('original_file')
         expect { snippet.change_repository_storage(destination_storage[:name]) }.not_to raise_error
-        expect { praefect_manager.verify_storage_move(source_storage, destination_storage) }.not_to raise_error
+        expect { praefect_manager.verify_storage_move(source_storage, destination_storage, repo_type: :snippet) }.not_to raise_error
 
         # verifies you can push commits to the moved snippet
         Resource::Repository::Push.fabricate! do |push|
diff --git a/qa/qa/specs/features/api/4_verify/.gitkeep b/qa/qa/specs/features/api/4_verify/.gitkeep
deleted file mode 100644
index e69de29bb2d..00000000000
--- a/qa/qa/specs/features/api/4_verify/.gitkeep
+++ /dev/null
diff --git a/qa/qa/specs/features/api/4_verify/cancel_pipeline_when_block_user_spec.rb b/qa/qa/specs/features/api/4_verify/cancel_pipeline_when_block_user_spec.rb
new file mode 100644
index 00000000000..ecca0f94604
--- /dev/null
+++ b/qa/qa/specs/features/api/4_verify/cancel_pipeline_when_block_user_spec.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Verify', :requires_admin do
+    describe 'When user is blocked' do
+      let!(:admin_api_client) { Runtime::API::Client.as_admin }
+      let!(:user_api_client) { Runtime::API::Client.new(:gitlab, user: user) }
+
+      let(:user) do
+        Resource::User.fabricate_via_api! do |resource|
+          resource.api_client = admin_api_client
+        end
+      end
+
+      let(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'project-for-canceled-schedule'
+        end
+      end
+
+      before do
+        project.add_member(user, Resource::Members::AccessLevel::MAINTAINER)
+
+        Resource::PipelineSchedules.fabricate_via_api! do |schedule|
+          schedule.api_client = user_api_client
+          schedule.project = project
+        end
+
+        Support::Waiter.wait_until { !pipeline_schedule[:id].nil? && pipeline_schedule[:active] == true }
+      end
+
+      after do
+        user.remove_via_api!
+        project.remove_via_api!
+      end
+
+      it 'pipeline schedule is canceled', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1730' do
+        user.block!
+
+        expect(pipeline_schedule[:active]).not_to be_truthy, "Expected schedule active state to be false - active state #{pipeline_schedule[:active]}"
+      end
+
+      private
+
+      def pipeline_schedule
+        project.pipeline_schedules.first
+      end
+    end
+  end
+end
diff --git a/qa/qa/specs/features/api/5_package/.gitkeep b/qa/qa/specs/features/api/5_package/.gitkeep
deleted file mode 100644
index e69de29bb2d..00000000000
--- a/qa/qa/specs/features/api/5_package/.gitkeep
+++ /dev/null
diff --git a/qa/qa/specs/features/api/5_package/container_registry_spec.rb b/qa/qa/specs/features/api/5_package/container_registry_spec.rb
new file mode 100644
index 00000000000..57b059ffc02
--- /dev/null
+++ b/qa/qa/specs/features/api/5_package/container_registry_spec.rb
@@ -0,0 +1,119 @@
+# frozen_string_literal: true
+
+require 'airborne'
+
+module QA
+  RSpec.describe 'Package', only: { subdomain: :staging } do
+    include Support::Api
+
+    describe 'Container Registry' do
+      let(:api_client) { Runtime::API::Client.new(:gitlab) }
+
+      let(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'project-with-registry-api'
+          project.template_name = 'express'
+        end
+      end
+
+      let(:registry) do
+        Resource::RegistryRepository.new.tap do |repository|
+          repository.name = "#{project.path_with_namespace}"
+          repository.project = project
+          repository.tag_name = 'master'
+        end
+      end
+
+      let(:gitlab_ci_yaml) do
+        <<~YAML
+          stages:
+          - build
+          - test
+
+          build:
+            image: docker:19.03.12
+            stage: build
+            services:
+              - docker:19.03.12-dind
+            variables:
+              IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+            script:
+              - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+              - docker build -t $IMAGE_TAG .
+              - docker push $IMAGE_TAG
+              - docker pull $IMAGE_TAG
+
+          test:
+            image: dwdraju/alpine-curl-jq:latest
+            stage: test
+            variables:
+              MEDIA_TYPE: 'application/vnd.docker.distribution.manifest.v2+json'
+            before_script:
+              - token=$(curl -u "$CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD" "https://$CI_SERVER_HOST/jwt/auth?service=container_registry&scope=repository:$CI_PROJECT_PATH:pull,push,delete" | jq -r '.token')
+            script:
+              - 'digest=$(curl -L -H "Authorization: Bearer $token" -H "Accept: $MEDIA_TYPE" "https://$CI_REGISTRY/v2/$CI_PROJECT_PATH/manifests/master" | jq -r ".layers[0].digest")'
+              - 'curl -L -X DELETE -H "Authorization: Bearer $token" -H "Accept: $MEDIA_TYPE" "https://$CI_REGISTRY/v2/$CI_PROJECT_PATH/blobs/$digest"'
+              - 'curl -L --head -H "Authorization: Bearer $token" -H "Accept: $MEDIA_TYPE" "https://$CI_REGISTRY/v2/$CI_PROJECT_PATH/blobs/$digest"'
+              - 'digest=$(curl -L -H "Authorization: Bearer $token" -H "Accept: $MEDIA_TYPE" "https://$CI_REGISTRY/v2/$CI_PROJECT_PATH/manifests/master" | jq -r ".config.digest")'
+              - 'curl -L -X DELETE -H "Authorization: Bearer $token" -H "Accept: $MEDIA_TYPE" "https://$CI_REGISTRY/v2/$CI_PROJECT_PATH/manifests/$digest"'
+              - 'curl -L --head -H "Authorization: Bearer $token" -H "Accept: $MEDIA_TYPE" "https://$CI_REGISTRY/v2/$CI_PROJECT_PATH/manifests/$digest"'
+
+        YAML
+      end
+
+      after do
+        registry&.remove_via_api!
+      end
+
+      it 'pushes, pulls image to the registry and deletes image blob, manifest and tag', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1738' do
+        Resource::Repository::Commit.fabricate_via_api! do |commit|
+          commit.project = project
+          commit.commit_message = 'Add .gitlab-ci.yml'
+          commit.add_files([{
+                                file_path: '.gitlab-ci.yml',
+                                content: gitlab_ci_yaml
+                            }])
+        end
+
+        Support::Waiter.wait_until(max_duration: 10) { pipeline_is_triggered? }
+
+        Support::Retrier.retry_until(max_duration: 260, sleep_interval: 5) do
+          latest_pipeline_succeed?
+        end
+
+        expect(job_log).to have_content '404 Not Found'
+
+        expect(registry).to have_tag('master')
+
+        registry.delete_tag
+
+        expect(registry).not_to have_tag('master')
+      end
+
+      private
+
+      def pipeline_is_triggered?
+        !project.pipelines.empty?
+      end
+
+      def latest_pipeline_succeed?
+        latest_pipeline = project.pipelines.first
+        latest_pipeline[:status] == 'success'
+      end
+
+      def job_log
+        pipeline = project.pipelines.first
+        pipeline_id = pipeline[:id]
+
+        jobs = get Runtime::API::Request.new(api_client, "/projects/#{project.id}/pipelines/#{pipeline_id}/jobs").url
+        test_job = parse_body(jobs).first
+        test_job_id = test_job[:id]
+
+        log = get Runtime::API::Request.new(api_client, "/projects/#{project.id}/jobs/#{test_job_id}/trace").url
+        QA::Runtime::Logger.debug(" \n\n ------- Test job log: ------- \n\n #{log} \n -------")
+
+        log
+      end
+    end
+  end
+end