authorGitLab Bot <gitlab-bot@gitlab.com>2021-12-20 13:37:47 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-12-20 13:37:47 +0000
commitaee0a117a889461ce8ced6fcf73207fe017f1d99 (patch)
tree891d9ef189227a8445d83f35c1b0fc99573f4380 /spec/support/shared_examples/requests
parent8d46af3258650d305f53b819eabf7ab18d22f59e (diff)
downloadgitlab-ce-aee0a117a889461ce8ced6fcf73207fe017f1d99.tar.gz
Add latest changes from gitlab-org/gitlab@14-6-stable-eev14.6.0-rc42
Diffstat (limited to 'spec/support/shared_examples/requests')
-rw-r--r--spec/support/shared_examples/requests/api/composer_packages_shared_examples.rb62
-rw-r--r--spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb60
-rw-r--r--spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb6
-rw-r--r--spec/support/shared_examples/requests/api/graphql/packages/group_and_project_packages_list_shared_examples.rb2
-rw-r--r--spec/support/shared_examples/requests/api/issuable_participants_examples.rb30
-rw-r--r--spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb13
-rw-r--r--spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb4
-rw-r--r--spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb3
8 files changed, 160 insertions, 20 deletions
diff --git a/spec/support/shared_examples/requests/api/composer_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/composer_packages_shared_examples.rb
index e45be21f152..9f4fdcf7ba1 100644
--- a/spec/support/shared_examples/requests/api/composer_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/composer_packages_shared_examples.rb
@@ -173,3 +173,65 @@ RSpec.shared_examples 'rejects Composer access with unknown project id' do
end
end
end
+
+RSpec.shared_examples 'Composer access with deploy tokens' do
+ shared_examples 'a deploy token for Composer GET requests' do
+ context 'with deploy token headers' do
+ let(:headers) { basic_auth_header(deploy_token.username, deploy_token.token) }
+
+ before do
+ group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+ end
+
+ context 'valid token' do
+ it_behaves_like 'returning response status', :success
+ end
+
+ context 'invalid token' do
+ let(:headers) { basic_auth_header(deploy_token.username, 'bar') }
+
+ it_behaves_like 'returning response status', :not_found
+ end
+ end
+ end
+
+ context 'group deploy token' do
+ let(:deploy_token) { deploy_token_for_group }
+
+ it_behaves_like 'a deploy token for Composer GET requests'
+ end
+
+ context 'project deploy token' do
+ let(:deploy_token) { deploy_token_for_project }
+
+ it_behaves_like 'a deploy token for Composer GET requests'
+ end
+end
+
+RSpec.shared_examples 'Composer publish with deploy tokens' do
+ shared_examples 'a deploy token for Composer publish requests' do
+ let(:headers) { basic_auth_header(deploy_token.username, deploy_token.token) }
+
+ context 'valid token' do
+ it_behaves_like 'returning response status', :success
+ end
+
+ context 'invalid token' do
+ let(:headers) { basic_auth_header(deploy_token.username, 'bar') }
+
+ it_behaves_like 'returning response status', :unauthorized
+ end
+ end
+
+ context 'group deploy token' do
+ let(:deploy_token) { deploy_token_for_group }
+
+ it_behaves_like 'a deploy token for Composer publish requests'
+ end
+
+ context 'group deploy token' do
+ let(:deploy_token) { deploy_token_for_project }
+
+ it_behaves_like 'a deploy token for Composer publish requests'
+ end
+end
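Review bot: In 'Composer publish with deploy tokens', the second context is labelled `context 'group deploy token' do` but sets `deploy_token` to `deploy_token_for_project`. Both publish contexts therefore report under the same description, and a project-token failure would read as a group-token failure. It should be `context 'project deploy token' do`, matching the GET shared examples earlier in the hunk. Both groups also cover only a wrong token string. If the deploy token factory can produce revoked or expired tokens, or tokens without a package-registry scope (not visible here), each of those refusal cases deserves a context of its own.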
diff --git a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
index 20606ae942d..71f3a0235be 100644
--- a/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/conan_packages_shared_examples.rb
@@ -178,6 +178,54 @@ RSpec.shared_examples 'rejects invalid recipe' do
end
end
+RSpec.shared_examples 'handling empty values for username and channel' do
+ using RSpec::Parameterized::TableSyntax
+
+ let(:recipe_path) { "#{package.name}/#{package.version}/#{package_username}/#{channel}" }
+
+ where(:username, :channel, :status) do
+ 'username' | 'channel' | :ok
+ 'username' | '_' | :bad_request
+ '_' | 'channel' | :bad_request_or_not_found
+ '_' | '_' | :ok_or_not_found
+ end
+
+ with_them do
+ let(:package_username) do
+ if username == 'username'
+ package.conan_metadatum.package_username
+ else
+ username
+ end
+ end
+
+ before do
+ project.add_maintainer(user) # avoid any permission issue
+ end
+
+ it 'returns the correct status code' do |example|
+ project_level = example.full_description.include?('api/v4/projects')
+
+ expected_status = case status
+ when :ok_or_not_found
+ project_level ? :ok : :not_found
+ when :bad_request_or_not_found
+ project_level ? :bad_request : :not_found
+ else
+ status
+ end
+
+ if expected_status == :ok
+ package.conan_metadatum.update!(package_username: package_username, package_channel: channel)
+ end
+
+ subject
+
+ expect(response).to have_gitlab_http_status(expected_status)
+ end
+ end
+end
+
RSpec.shared_examples 'rejects invalid file_name' do |invalid_file_name|
let(:file_name) { invalid_file_name }
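Review bot: `project_level = example.full_description.include?('api/v4/projects')` ties the expected status to the wording of an enclosing describe string. If that description is reworded, every project-level run silently switches to the instance-level expectation (`:not_found`), and the spec then passes or fails for the wrong reason. An explicit signal from the including spec is safer, for example a `let(:project_level) { true }` (and `{ false }`) defined in the two request specs and read here in place of the string match. Separately, the `before` grants `project.add_maintainer(user)`, so these cases cover input handling only for a fully privileged user; the comment could say so, e.g. `# maintainer access so only recipe-path validation decides the status`.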
@@ -300,6 +348,7 @@ RSpec.shared_examples 'recipe snapshot endpoint' do
it_behaves_like 'rejects invalid recipe'
it_behaves_like 'rejects recipe for invalid project'
it_behaves_like 'empty recipe for not found package'
+ it_behaves_like 'handling empty values for username and channel'
context 'with existing package' do
it 'returns a hash of files with their md5 hashes' do
@@ -324,6 +373,7 @@ RSpec.shared_examples 'package snapshot endpoint' do
it_behaves_like 'rejects invalid recipe'
it_behaves_like 'rejects recipe for invalid project'
it_behaves_like 'empty recipe for not found package'
+ it_behaves_like 'handling empty values for username and channel'
context 'with existing package' do
it 'returns a hash of md5 values for the files' do
@@ -344,12 +394,14 @@ RSpec.shared_examples 'recipe download_urls endpoint' do
it_behaves_like 'rejects invalid recipe'
it_behaves_like 'rejects recipe for invalid project'
it_behaves_like 'recipe download_urls'
+ it_behaves_like 'handling empty values for username and channel'
end
RSpec.shared_examples 'package download_urls endpoint' do
it_behaves_like 'rejects invalid recipe'
it_behaves_like 'rejects recipe for invalid project'
it_behaves_like 'package download_urls'
+ it_behaves_like 'handling empty values for username and channel'
end
RSpec.shared_examples 'recipe upload_urls endpoint' do
@@ -362,6 +414,7 @@ RSpec.shared_examples 'recipe upload_urls endpoint' do
it_behaves_like 'rejects invalid recipe'
it_behaves_like 'rejects invalid upload_url params'
+ it_behaves_like 'handling empty values for username and channel'
it 'returns a set of upload urls for the files requested' do
subject
@@ -423,6 +476,7 @@ RSpec.shared_examples 'package upload_urls endpoint' do
it_behaves_like 'rejects invalid recipe'
it_behaves_like 'rejects invalid upload_url params'
+ it_behaves_like 'handling empty values for username and channel'
it 'returns a set of upload urls for the files requested' do
expected_response = {
@@ -458,6 +512,7 @@ RSpec.shared_examples 'delete package endpoint' do
let(:recipe_path) { package.conan_recipe_path }
it_behaves_like 'rejects invalid recipe'
+ it_behaves_like 'handling empty values for username and channel'
it 'returns unauthorized for users without valid permission' do
subject
@@ -568,12 +623,14 @@ RSpec.shared_examples 'recipe file download endpoint' do
it_behaves_like 'a public project with packages'
it_behaves_like 'an internal project with packages'
it_behaves_like 'a private project with packages'
+ it_behaves_like 'handling empty values for username and channel'
end
RSpec.shared_examples 'package file download endpoint' do
it_behaves_like 'a public project with packages'
it_behaves_like 'an internal project with packages'
it_behaves_like 'a private project with packages'
+ it_behaves_like 'handling empty values for username and channel'
context 'tracking the conan_package.tgz download' do
let(:package_file) { package.package_files.find_by(file_name: ::Packages::Conan::FileMetadatum::PACKAGE_BINARY) }
@@ -598,6 +655,7 @@ RSpec.shared_examples 'workhorse authorize endpoint' do
it_behaves_like 'rejects invalid recipe'
it_behaves_like 'rejects invalid file_name', 'conanfile.py.git%2fgit-upload-pack'
it_behaves_like 'workhorse authorization'
+ it_behaves_like 'handling empty values for username and channel'
end
RSpec.shared_examples 'workhorse recipe file upload endpoint' do
@@ -619,6 +677,7 @@ RSpec.shared_examples 'workhorse recipe file upload endpoint' do
it_behaves_like 'rejects invalid file_name', 'conanfile.py.git%2fgit-upload-pack'
it_behaves_like 'uploads a package file'
it_behaves_like 'creates build_info when there is a job'
+ it_behaves_like 'handling empty values for username and channel'
end
RSpec.shared_examples 'workhorse package file upload endpoint' do
@@ -640,6 +699,7 @@ RSpec.shared_examples 'workhorse package file upload endpoint' do
it_behaves_like 'rejects invalid file_name', 'conaninfo.txttest'
it_behaves_like 'uploads a package file'
it_behaves_like 'creates build_info when there is a job'
+ it_behaves_like 'handling empty values for username and channel'
context 'tracking the conan_package.tgz upload' do
let(:file_name) { ::Packages::Conan::FileMetadatum::PACKAGE_BINARY }
diff --git a/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb b/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb
index 62dbac3fd4d..8bffd1f71e9 100644
--- a/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb
@@ -18,19 +18,19 @@ RSpec.shared_examples 'snippet edit usage data counters' do
end
end
- context 'when user is not sessionless' do
+ context 'when user is not sessionless', :clean_gitlab_redis_sessions do
before do
session_id = Rack::Session::SessionId.new('6919a6f1bb119dd7396fadc38fd18d0d')
session_hash = { 'warden.user.user.key' => [[current_user.id], current_user.encrypted_password[0, 29]] }
- Gitlab::Redis::SharedState.with do |redis|
+ Gitlab::Redis::Sessions.with do |redis|
redis.set("session:gitlab:#{session_id.private_id}", Marshal.dump(session_hash))
end
cookies[Gitlab::Application.config.session_options[:key]] = session_id.public_id
end
- it 'tracks usage data actions', :clean_gitlab_redis_shared_state do
+ it 'tracks usage data actions', :clean_gitlab_redis_sessions do
expect(::Gitlab::UsageDataCounters::EditorUniqueCounter).to receive(:track_snippet_editor_edit_action)
post_graphql_mutation(mutation)
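Review bot: `:clean_gitlab_redis_sessions` is now set on both the `context` and the `it` inside it. Example metadata is inherited from the enclosing group, so the tag on the example is redundant and the line can be `it 'tracks usage data actions' do`. Keeping the tag only on the context also makes it clear that the cleanup covers the `before` block, which writes the `session:gitlab:` key. The example's body continues outside the hunk.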
diff --git a/spec/support/shared_examples/requests/api/graphql/packages/group_and_project_packages_list_shared_examples.rb b/spec/support/shared_examples/requests/api/graphql/packages/group_and_project_packages_list_shared_examples.rb
index 367c6d4fa3a..882c79cb03f 100644
--- a/spec/support/shared_examples/requests/api/graphql/packages/group_and_project_packages_list_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/graphql/packages/group_and_project_packages_list_shared_examples.rb
@@ -55,7 +55,7 @@ RSpec.shared_examples 'group and project packages query' do
end
it 'deals with metadata' do
- expect(target_shas).to contain_exactly(composer_metadatum.target_sha)
+ expect(target_shas.compact).to contain_exactly(composer_metadatum.target_sha)
end
it 'returns the count of the packages' do
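Review bot: `expect(target_shas.compact)` drops every nil before matching, so the example no longer records why some entries have no `target_sha` or how many are expected. If the nils come from non-Composer packages in the list (the setup is outside the hunk), a comment above the expectation such as `# packages without Composer metadata yield nil here` would document the reason for `compact`. Without it, a later reader cannot tell an intended nil from a regression that hides metadata.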
diff --git a/spec/support/shared_examples/requests/api/issuable_participants_examples.rb b/spec/support/shared_examples/requests/api/issuable_participants_examples.rb
index 673d7741017..c5e5803c0a7 100644
--- a/spec/support/shared_examples/requests/api/issuable_participants_examples.rb
+++ b/spec/support/shared_examples/requests/api/issuable_participants_examples.rb
@@ -28,4 +28,34 @@ RSpec.shared_examples 'issuable participants endpoint' do
expect(response).to have_gitlab_http_status(:not_found)
end
+
+ context 'with a confidential note' do
+ let!(:note) do
+ create(
+ :note,
+ :confidential,
+ project: project,
+ noteable: entity,
+ author: create(:user)
+ )
+ end
+
+ it 'returns a full list of participants' do
+ get api("/projects/#{project.id}/#{area}/#{entity.iid}/participants", user)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ participant_ids = json_response.map { |el| el['id'] }
+ expect(participant_ids).to match_array([entity.author_id, note.author_id])
+ end
+
+ context 'when user cannot see a confidential note' do
+ it 'returns a limited list of participants' do
+ get api("/projects/#{project.id}/#{area}/#{entity.iid}/participants", create(:user))
+
+ expect(response).to have_gitlab_http_status(:ok)
+ participant_ids = json_response.map { |el| el['id'] }
+ expect(participant_ids).to match_array([entity.author_id])
+ end
+ end
+ end
end
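Review bot: The restricted case in 'when user cannot see a confidential note' is exercised only with `create(:user)`, an account with no membership in the project. The boundary that matters for this filter is a project member whose role is too low to read confidential notes, and that case is not covered. Assuming guests are that role in this version (the policy is not visible in the hunk), a sibling context with a guest member would pin the behaviour where a regression is most likely. The added contexts sit inside the 'issuable participants endpoint' shared example, which starts outside the hunk.

```ruby
# … unchanged: 'with a confidential note' setup and the two existing examples …
    context 'when user is a member without access to confidential notes' do
      let(:guest) { create(:user) }

      before do
        # assumes guest is below the role allowed to read confidential notes; confirm against the policy
        project.add_guest(guest)
      end

      it 'returns a limited list of participants' do
        get api("/projects/#{project.id}/#{area}/#{entity.iid}/participants", guest)

        expect(response).to have_gitlab_http_status(:ok)
        participant_ids = json_response.map { |el| el['id'] }
        expect(participant_ids).to match_array([entity.author_id])
      end
    end
```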
diff --git a/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
index 19677e92001..8d6d85732be 100644
--- a/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/npm_packages_shared_examples.rb
@@ -41,19 +41,6 @@ RSpec.shared_examples 'handling get metadata requests' do |scope: :project|
# query count can slightly change between the examples so we're using a custom threshold
expect { get(url, headers: headers) }.not_to exceed_query_limit(control).with_threshold(4)
end
-
- context 'with packages_npm_abbreviated_metadata disabled' do
- before do
- stub_feature_flags(packages_npm_abbreviated_metadata: false)
- end
-
- it 'calls the presenter without including metadata' do
- expect(::Packages::Npm::PackagePresenter)
- .to receive(:new).with(anything, anything, include_metadata: false).and_call_original
-
- subject
- end
- end
end
shared_examples 'reject metadata request' do |status:|
diff --git a/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb
index 878cbc10a24..6568d51b90e 100644
--- a/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/nuget_packages_shared_examples.rb
@@ -391,7 +391,7 @@ RSpec.shared_examples 'rejects nuget access with invalid target id' do
context 'with a target id with invalid integers' do
using RSpec::Parameterized::TableSyntax
- let(:target) { OpenStruct.new(id: id) }
+ let(:target) { double(id: id) }
where(:id, :status) do
'/../' | :bad_request
@@ -411,7 +411,7 @@ end
RSpec.shared_examples 'rejects nuget access with unknown target id' do
context 'with an unknown target' do
- let(:target) { OpenStruct.new(id: 1234567890) }
+ let(:target) { double(id: 1234567890) }
context 'as anonymous' do
it_behaves_like 'rejects nuget packages access', :anonymous, :unauthorized
diff --git a/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb b/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb
index 06c51add438..aff086d1ba3 100644
--- a/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/pypi_packages_shared_examples.rb
@@ -346,7 +346,8 @@ RSpec.shared_examples 'a pypi user namespace endpoint' do
end
with_them do
- let_it_be_with_reload(:group) { create(:namespace) }
+ # only groups are supported, so this "group" is actually the wrong namespace type
+ let_it_be_with_reload(:group) { create(:user_namespace) }
let(:headers) { user_role == :anonymous ? {} : basic_auth_header(user.username, personal_access_token.token) }
before do