Add latest changes from gitlab-org/gitlab@master

app/controllers/admin/application_settings_controller.rb

@@ -179,6 +179,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
       *::ApplicationSettingsHelper.visible_attributes,
       *::ApplicationSettingsHelper.external_authorization_service_attributes,
       *ApplicationSetting.kroki_formats_attributes.keys.map { |key| "kroki_formats_#{key}".to_sym },
+      :can_create_organization,
       :lets_encrypt_notification_email,
       :lets_encrypt_terms_of_service_accepted,
       :domain_denylist_file,

app/models/application_setting.rb

@@ -468,7 +468,11 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord
   validates :invisible_captcha_enabled,
     inclusion: { in: [true, false], message: N_('must be a boolean value') }
 
-  validates :invitation_flow_enforcement, :can_create_group, :allow_project_creation_for_guest_and_below, :user_defaults_to_private_profile,
+  validates :invitation_flow_enforcement,
+    :can_create_group,
+    :can_create_organization,
+    :allow_project_creation_for_guest_and_below,
+    :user_defaults_to_private_profile,
     allow_nil: false,
     inclusion: { in: [true, false], message: N_('must be a boolean value') }
 

app/models/application_setting_implementation.rb

@@ -263,6 +263,7 @@ module ApplicationSettingImplementation
         users_get_by_id_limit: 300,
         users_get_by_id_limit_allowlist: [],
         can_create_group: true,
+        can_create_organization: true,
         bulk_import_enabled: false,
         bulk_import_max_download_file_size: 5120,
         allow_runner_registration_token: true,

app/models/key.rb

@@ -21,6 +21,7 @@ class Key < ApplicationRecord
 
   validates :key,
     presence: true,
+    ssh_key: true,
     length: { maximum: 5000 },
     format: { with: /\A(#{Gitlab::SSHPublicKey.supported_algorithms.join('|')})/ }
 
@@ -28,7 +29,6 @@ class Key < ApplicationRecord
     uniqueness: true,
     presence: { message: 'cannot be generated' }
 
-  validate :key_meets_restrictions
   validate :expiration, on: :create
   validate :banned_key, if: :key_changed?
 
@@ -154,16 +154,6 @@ class Key < ApplicationRecord
     self.fingerprint_sha256 = public_key.fingerprint_sha256.gsub("SHA256:", "")
   end
 
-  def key_meets_restrictions
-    restriction = Gitlab::CurrentSettings.key_restriction_for(public_key.type)
-
-    if restriction == ApplicationSetting::FORBIDDEN_KEY_VALUE
-      errors.add(:key, forbidden_key_type_message)
-    elsif public_key.bits < restriction
-      errors.add(:key, "must be at least #{restriction} bits")
-    end
-  end
-
   def banned_key
     return unless public_key.banned?
 
@@ -179,12 +169,6 @@ class Key < ApplicationRecord
     )
   end
 
-  def forbidden_key_type_message
-    allowed_types = Gitlab::CurrentSettings.allowed_key_types.map(&:upcase)
-
-    "type is forbidden. Must be #{Gitlab::Sentence.to_exclusive_sentence(allowed_types)}"
-  end
-
   def expiration
     errors.add(:key, message: 'has expired') if expired?
   end

app/policies/base_policy.rb

@@ -57,11 +57,9 @@ class BasePolicy < DeclarativePolicy::Base
   with_options scope: :user, score: 0
   condition(:can_create_group) { @user&.can_create_group }
 
-  # TODO: update to check application setting
-  # https://gitlab.com/gitlab-org/gitlab/-/issues/423302
   desc 'User can create an organization'
-  with_options scope: :user, score: 0
-  condition(:can_create_organization) { true }
+  with_options scope: :global, score: 0
+  condition(:can_create_organization) { Gitlab::CurrentSettings.can_create_organization }
 
   desc "The application is restricted from public visibility"
   condition(:restricted_public_level, scope: :global) do

app/validators/ssh_key_validator.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+# SshKeyValidator
+#
+# Custom validator for SSH keys.
+#
+#   class Project < ActiveRecord::Base
+#     validates :key, ssh_key: true
+#   end
+#
+class SshKeyValidator < ActiveModel::EachValidator # rubocop:disable Gitlab/NamespacedClass -- Allow setting ssh_key by convention
+  def validate_each(record, attribute, value)
+    public_key = Gitlab::SSHPublicKey.new(value)
+
+    restriction = Gitlab::CurrentSettings.key_restriction_for(public_key.type)
+
+    if restriction == ApplicationSetting::FORBIDDEN_KEY_VALUE
+      record.errors.add(attribute, forbidden_key_type_message)
+    elsif public_key.bits < restriction
+      record.errors.add(attribute, "must be at least #{restriction} bits")
+    end
+  end
+
+  private
+
+  def forbidden_key_type_message
+    allowed_types = Gitlab::CurrentSettings.allowed_key_types.map(&:upcase)
+
+    "type is forbidden. Must be #{Gitlab::Sentence.to_exclusive_sentence(allowed_types)}"
+  end
+end

app/views/admin/application_settings/_user_restrictions.html.haml

@@ -3,6 +3,8 @@
 .form-group
   = label_tag _('User restrictions')
   = render_if_exists 'admin/application_settings/updating_name_disabled_for_users', form: form
+  - if Feature.enabled?(:ui_for_organizations, current_user)
+    = form.gitlab_ui_checkbox_component :can_create_organization, _("Allow users to create organizations")
   = form.gitlab_ui_checkbox_component :can_create_group, _("Allow new users to create top-level groups")
   = form.gitlab_ui_checkbox_component :user_defaults_to_private_profile, _("Make new users' profiles private by default")
   = render_if_exists 'admin/application_settings/allow_account_deletion', form: form

db/migrate/20231114100444_add_can_create_organization_to_application_settings.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddCanCreateOrganizationToApplicationSettings < Gitlab::Database::Migration[2.2]
+  milestone '16.7'
+
+  def change
+    add_column(:application_settings, :can_create_organization, :boolean, default: true, null: false)
+  end
+end

db/schema_migrations/20231114100444

@@ -0,0 +1 @@
+37b3fa70babc9524396c2b9a53f6d6c3a5964d7a9b3e5bc6c15357b991bd1a02

db/structure.sql

@@ -12200,6 +12200,7 @@ CREATE TABLE application_settings (
     allow_project_creation_for_guest_and_below boolean DEFAULT true NOT NULL,
     update_namespace_name_rate_limit smallint DEFAULT 120 NOT NULL,
     pre_receive_secret_detection_enabled boolean DEFAULT false NOT NULL,
+    can_create_organization boolean DEFAULT true NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
     CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),

doc/administration/settings/account_and_limit_settings.md

@@ -294,6 +294,21 @@ When this ability is disabled, GitLab administrators can still use the
 [Admin Area](../../administration/admin_area.md#administering-users) or the
 [API](../../api/users.md#user-modification) to update usernames.
 
+## Prevent users from creating organizations **(EXPERIMENT)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/423302) in GitLab 16.7 [with a flag](../feature_flags.md) named `ui_for_organizations`. Disabled by default.
+
+FLAG:
+On self-managed GitLab, by default this feature is not available. To make it available, an administrator can [enable the feature flag](../feature_flags.md) named `ui_for_organizations`. On GitLab.com, this feature is not available. This feature is not ready for production use.
+
+By default, users can create organizations. GitLab administrators can prevent users from creating organizations.
+
+1. On the left sidebar, select **Search or go to**.
+1. Select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand **Account and limit**.
+1. Clear the **Allow users to create organizations** checkbox.
+
 ## Prevent new users from creating top-level groups
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5.

doc/api/members.md

@@ -30,8 +30,7 @@ In GitLab 14.8 and earlier, projects in personal namespaces have an `access_leve
 The `group_saml_identity` attribute is only visible to group owners for [SSO-enabled groups](../user/group/saml_sso/index.md).
 
 The `email` attribute is only visible to group owners for users provisioned by the group with [SCIM](../user/group/saml_sso/scim_setup.md).
-In GitLab 16.7 and later, the attribute is only visible to group owners for all [enterprise users](../user/enterprise_user/index.md).
-For more information, see [issue 391453](https://gitlab.com/gitlab-org/gitlab/-/issues/391453).
+[Issue 391453](https://gitlab.com/gitlab-org/gitlab/-/issues/391453) proposes to change the criteria for access to the `email` attribute from provisioned users to [enterprise users](../user/enterprise_user/index.md).
 
 ## List all members of a group or project
 

doc/development/documentation/styleguide/index.md

@@ -350,10 +350,10 @@ Some contractions, however, should be avoided:
 
 | Do not use a contraction      | Example                                          | Use instead                                                      |
 |-------------------------------|--------------------------------------------------|------------------------------------------------------------------|
-| With a proper noun and a verb | The **Container Registry's** a powerful feature. | The **Container Registry** is a powerful feature.                |
+| With a proper noun and a verb | **Terraform's** a helpful tool.                  | **Terraform** is a helpful tool.                                  |
 | To emphasize a negative       | **Don't** install X with Y.                      | **Do not** install X with Y.                                     |
 | In reference documentation    | **Don't** set a limit.                           | **Do not** set a limit.                                          |
-| In error messages             | Requests to localhost **aren't** allowed.        | Requests to localhost **are not** allowed.                        |
+| In error messages             | Requests to localhost **aren't** allowed.        | Requests to localhost **are not** allowed.                       |
 
 <!-- vale gitlab.Possessive = YES -->
 
@@ -559,9 +559,13 @@ about styling cURL commands.
 
 ## Lists
 
+Use lists to present information in a format that is easier to scan.
+
+- Make all items in the list parallel.
+  For example, do not start some bullets with nouns and others with verbs.
 - Do not use a period if the phrase is not a full sentence.
 - Use a period after every sentence. Do not use semicolons or commas.
-- Majority rules. All items should have the same punctuation.
+- Give all items the same punctuation.
 - Start list items with a capital letter.
 - Separate the introductory phrase from explanatory text with a colon (`:`). For example:
 

doc/user/enterprise_user/index.md

@@ -212,8 +212,7 @@ A top-level group Owner can use the [group and project members API](../../api/me
 users' information. For users provisioned by the group with [SCIM](../group/saml_sso/scim_setup.md),
 this information includes users' email addresses.
 
-In GitLab 16.7 and later, a top-level group Owner can use this API to access all enterprise users' email addresses.
-For more information, see [issue 391453](https://gitlab.com/gitlab-org/gitlab/-/issues/391453).
+[Issue 391453](https://gitlab.com/gitlab-org/gitlab/-/issues/391453) proposes to change the criteria for access to email addresses from provisioned users to enterprise users.
 
 ## Troubleshooting
 

locale/gitlab.pot

@@ -4908,6 +4908,9 @@ msgstr ""
 msgid "Allow use of licensed EE features"
 msgstr ""
 
+msgid "Allow users to create organizations"
+msgstr ""
+
 msgid "Allow users to extend their session"
 msgstr ""
 

spec/controllers/admin/application_settings_controller_spec.rb

@@ -258,6 +258,7 @@ RSpec.describe Admin::ApplicationSettingsController, :do_not_mock_admin_mode_set
 
       it_behaves_like 'updates boolean attribute', :user_defaults_to_private_profile
       it_behaves_like 'updates boolean attribute', :can_create_group
+      it_behaves_like 'updates boolean attribute', :can_create_organization
       it_behaves_like 'updates boolean attribute', :admin_mode
       it_behaves_like 'updates boolean attribute', :require_admin_approval_after_user_signup
       it_behaves_like 'updates boolean attribute', :remember_me_enabled

spec/models/application_setting_spec.rb

@@ -162,6 +162,8 @@ RSpec.describe ApplicationSetting, feature_category: :shared, type: :model do
 
     it { is_expected.to validate_inclusion_of(:user_defaults_to_private_profile).in_array([true, false]) }
 
+    it { is_expected.to validate_inclusion_of(:can_create_organization).in_array([true, false]) }
+
     it { is_expected.to validate_inclusion_of(:allow_project_creation_for_guest_and_below).in_array([true, false]) }
 
     it { is_expected.to validate_inclusion_of(:deny_all_requests_except_allowed).in_array([true, false]) }

spec/models/key_spec.rb

@@ -348,56 +348,10 @@ RSpec.describe Key, :mailer do
     end
   end
 
-  context 'validate it meets key restrictions' do
-    where(:factory, :minimum, :result) do
-      forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
+  context 'ssh key' do
+    subject { build(:key) }
 
-      [
-        [:rsa_key_2048,       0, true],
-        [:dsa_key_2048,       0, true],
-        [:ecdsa_key_256,      0, true],
-        [:ed25519_key_256,    0, true],
-        [:ecdsa_sk_key_256,   0, true],
-        [:ed25519_sk_key_256, 0, true],
-
-        [:rsa_key_2048, 1024, true],
-        [:rsa_key_2048, 2048, true],
-        [:rsa_key_2048, 4096, false],
-
-        [:dsa_key_2048, 1024, true],
-        [:dsa_key_2048, 2048, true],
-        [:dsa_key_2048, 4096, false],
-
-        [:ecdsa_key_256, 256, true],
-        [:ecdsa_key_256, 384, false],
-
-        [:ed25519_key_256, 256, true],
-        [:ed25519_key_256, 384, false],
-
-        [:ecdsa_sk_key_256, 256, true],
-        [:ecdsa_sk_key_256, 384, false],
-
-        [:ed25519_sk_key_256, 256, true],
-        [:ed25519_sk_key_256, 384, false],
-
-        [:rsa_key_2048,       forbidden, false],
-        [:dsa_key_2048,       forbidden, false],
-        [:ecdsa_key_256,      forbidden, false],
-        [:ed25519_key_256,    forbidden, false],
-        [:ecdsa_sk_key_256,   forbidden, false],
-        [:ed25519_sk_key_256, forbidden, false]
-      ]
-    end
-
-    with_them do
-      subject(:key) { build(factory) }
-
-      before do
-        stub_application_setting("#{key.public_key.type}_key_restriction" => minimum)
-      end
-
-      it { expect(key.valid?).to eq(result) }
-    end
+    it_behaves_like 'meets ssh key restrictions'
   end
 
   context 'callbacks' do

spec/policies/global_policy_spec.rb

@@ -694,6 +694,14 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       let(:current_user) { user }
 
       it { is_expected.to be_allowed(:create_organization) }
+
+      context 'when disallowed by admin' do
+        before do
+          stub_application_setting(can_create_organization: false)
+        end
+
+        it { is_expected.to be_disallowed(:create_organization) }
+      end
     end
 
     context 'with anonymous' do

spec/support/shared_examples/keys/meets_ssh_key_restrictions_shared_examples.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+# Requires a context with:
+# - subject
+#
+RSpec.shared_examples 'meets ssh key restrictions' do
+  where(:factory, :minimum, :result) do
+    forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
+
+    [
+      [:rsa_key_2048,       0, true],
+      [:dsa_key_2048,       0, true],
+      [:ecdsa_key_256,      0, true],
+      [:ed25519_key_256,    0, true],
+      [:ecdsa_sk_key_256,   0, true],
+      [:ed25519_sk_key_256, 0, true],
+
+      [:rsa_key_2048, 1024, true],
+      [:rsa_key_2048, 2048, true],
+      [:rsa_key_2048, 4096, false],
+
+      [:dsa_key_2048, 1024, true],
+      [:dsa_key_2048, 2048, true],
+      [:dsa_key_2048, 4096, false],
+
+      [:ecdsa_key_256, 256, true],
+      [:ecdsa_key_256, 384, false],
+
+      [:ed25519_key_256, 256, true],
+      [:ed25519_key_256, 384, false],
+
+      [:ecdsa_sk_key_256, 256, true],
+      [:ecdsa_sk_key_256, 384, false],
+
+      [:ed25519_sk_key_256, 256, true],
+      [:ed25519_sk_key_256, 384, false],
+
+      [:rsa_key_2048,       forbidden, false],
+      [:dsa_key_2048,       forbidden, false],
+      [:ecdsa_key_256,      forbidden, false],
+      [:ed25519_key_256,    forbidden, false],
+      [:ecdsa_sk_key_256,   forbidden, false],
+      [:ed25519_sk_key_256, forbidden, false]
+    ]
+  end
+
+  with_them do
+    let(:ssh_key) { build(factory).key }
+    let(:type) { Gitlab::SSHPublicKey.new(ssh_key).type }
+
+    before do
+      stub_application_setting("#{type}_key_restriction" => minimum)
+    end
+
+    it 'validates that the key is valid' do
+      subject.key = ssh_key
+
+      expect(subject.valid?).to eq(result)
+    end
+  end
+end

spec/validators/ip_cidr_array_validator_spec.rb

@@ -17,7 +17,7 @@ RSpec.describe IpCidrArrayValidator, feature_category: :shared do
 
   using RSpec::Parameterized::TableSyntax
 
-  # noinspection RubyMismatchedArgumentType - RubyMine is resolving `#|` from Array, instead of Rspec::Parameterized
+  # noinspection RubyMismatchedArgumentType - https://handbook.gitlab.com/handbook/tools-and-tips/editors-and-ides/jetbrains-ides/tracked-jetbrains-issues/#ruby-32041
   where(:cidr_array, :validity, :errors) do
     # rubocop:disable Layout/LineLength -- The RSpec table syntax often requires long lines for errors
     nil                                               | false | { cidr_array: ["must be an array of CIDR values"] }