Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/gitlab/strong_memoize_attr.yml

@@ -127,9 +127,6 @@ Gitlab/StrongMemoizeAttr:
     - 'app/models/namespaces/traversal/linear.rb'
     - 'app/models/namespaces/traversal/recursive.rb'
     - 'app/models/note.rb'
-    - 'app/models/packages/go/module.rb'
-    - 'app/models/packages/go/module_version.rb'
-    - 'app/models/packages/package.rb'
     - 'app/models/pages/lookup_path.rb'
     - 'app/models/project.rb'
     - 'app/models/release.rb'
@@ -151,9 +148,6 @@ Gitlab/StrongMemoizeAttr:
     - 'app/presenters/ci/pipeline_presenter.rb'
     - 'app/presenters/clusters/cluster_presenter.rb'
     - 'app/presenters/merge_request_presenter.rb'
-    - 'app/presenters/packages/conan/package_presenter.rb'
-    - 'app/presenters/packages/nuget/packages_metadata_presenter.rb'
-    - 'app/presenters/packages/nuget/search_results_presenter.rb'
     - 'app/presenters/project_presenter.rb'
     - 'app/presenters/projects/settings/deploy_keys_presenter.rb'
     - 'app/serializers/ci/pipeline_entity.rb'
@@ -509,10 +503,6 @@ Gitlab/StrongMemoizeAttr:
     - 'lib/api/container_repositories.rb'
     - 'lib/api/entities/basic_project_details.rb'
     - 'lib/api/helpers/authentication.rb'
-    - 'lib/api/helpers/packages/basic_auth_helpers.rb'
-    - 'lib/api/helpers/packages/conan/api_helpers.rb'
-    - 'lib/api/helpers/packages/npm.rb'
-    - 'lib/api/helpers/packages_helpers.rb'
     - 'lib/api/terraform/modules/v1/packages.rb'
     - 'lib/api/unleash.rb'
     - 'lib/atlassian/jira_connect/jwt/asymmetric.rb'

GITLAB_KAS_VERSION

@@ -1 +1 @@
-v16.0.1
+v16.1.0

app/models/packages/go/module.rb

@@ -14,8 +14,9 @@ module Packages
       end
 
       def versions
-        strong_memoize(:versions) { Packages::Go::VersionFinder.new(self).execute }
+        Packages::Go::VersionFinder.new(self).execute
       end
+      strong_memoize_attr :versions
 
       def version_by(ref: nil, commit: nil)
         raise ArgumentError, 'no filter specified' unless ref || commit

app/models/packages/go/module_version.rb

@@ -46,16 +46,15 @@ module Packages
       end
 
       def gomod
-        strong_memoize(:gomod) do
-          if strong_memoized?(:blobs)
-            blob_at(@mod.path + '/go.mod')
-          elsif @mod.path.empty?
-            @mod.project.repository.blob_at(@commit.sha, 'go.mod')&.data
-          else
-            @mod.project.repository.blob_at(@commit.sha, @mod.path + '/go.mod')&.data
-          end
+        if strong_memoized?(:blobs)
+          blob_at(@mod.path + '/go.mod')
+        elsif @mod.path.empty?
+          @mod.project.repository.blob_at(@commit.sha, 'go.mod')&.data
+        else
+          @mod.project.repository.blob_at(@commit.sha, @mod.path + '/go.mod')&.data
         end
       end
+      strong_memoize_attr :gomod
 
       def archive
         suffix_len = @mod.path == '' ? 0 : @mod.path.length + 1
@@ -69,18 +68,16 @@ module Packages
       end
 
       def files
-        strong_memoize(:files) do
-          ls_tree.filter { |e| !excluded.any? { |n| e.start_with? n } }
-        end
+        ls_tree.filter { |e| !excluded.any? { |n| e.start_with? n } }
       end
+      strong_memoize_attr :files
 
       def excluded
-        strong_memoize(:excluded) do
-          ls_tree
+        ls_tree
             .filter { |f| f.end_with?('/go.mod') && f != @mod.path + '/go.mod' }
             .map    { |f| f[0..-7] }
-        end
       end
+      strong_memoize_attr :excluded
 
       def valid?
         # assume the module version is valid if a corresponding Package exists
@@ -100,21 +97,20 @@ module Packages
       end
 
       def blobs
-        strong_memoize(:blobs) { @mod.project.repository.batch_blobs(files.map { |x| [@commit.sha, x] }) }
+        @mod.project.repository.batch_blobs(files.map { |x| [@commit.sha, x] })
       end
+      strong_memoize_attr :blobs
 
       def ls_tree
-        strong_memoize(:ls_tree) do
-          path =
-            if @mod.path.empty?
-              '.'
-            else
-              @mod.path
-            end
+        path = if @mod.path.empty?
+                 '.'
+               else
+                 @mod.path
+               end
 
-          @mod.project.repository.gitaly_repository_client.search_files_by_name(@commit.sha, path)
-        end
+        @mod.project.repository.gitaly_repository_client.search_files_by_name(@commit.sha, path)
       end
+      strong_memoize_attr :ls_tree
     end
   end
 end

app/models/packages/package.rb

@@ -329,10 +329,9 @@ class Packages::Package < ApplicationRecord
   end
 
   def package_settings
-    strong_memoize(:package_settings) do
-      project.namespace.package_settings
-    end
+    project.namespace.package_settings
   end
+  strong_memoize_attr :package_settings
 
   def sync_maven_metadata(user)
     return unless maven? && version? && user

app/presenters/packages/conan/package_presenter.rb

@@ -80,10 +80,9 @@ module Packages
       def package_files
         return unless @package
 
-        strong_memoize(:package_files) do
-          @package.installable_package_files.preload_conan_file_metadata
-        end
+        @package.installable_package_files.preload_conan_file_metadata
       end
+      strong_memoize_attr :package_files
 
       def matching_reference?(package_file)
         package_file.conan_file_metadatum.conan_package_reference == conan_package_reference

app/presenters/packages/nuget/packages_metadata_presenter.rb

@@ -59,11 +59,10 @@ module Packages
       end
 
       def sorted_versions
-        strong_memoize(:sorted_versions) do
-          versions = @packages.map(&:version).compact
-          VersionSorter.sort(versions)
-        end
+        versions = @packages.map(&:version).compact
+        VersionSorter.sort(versions)
       end
+      strong_memoize_attr :sorted_versions
     end
   end
 end

app/presenters/packages/nuget/search_results_presenter.rb

@@ -14,26 +14,25 @@ module Packages
       end
 
       def data
-        strong_memoize(:data) do
-          @search.results.group_by(&:name).map do |package_name, packages|
-            latest_version = latest_version(packages)
-            latest_package = packages.find { |pkg| pkg.version == latest_version }
+        @search.results.group_by(&:name).map do |package_name, packages|
+          latest_version = latest_version(packages)
+          latest_package = packages.find { |pkg| pkg.version == latest_version }
 
-            {
-              type: 'Package',
-              authors: '',
-              name: package_name,
-              version: latest_version,
-              versions: build_package_versions(packages),
-              summary: '',
-              total_downloads: 0,
-              verified: true,
-              tags: tags_for(latest_package),
-              metadatum: metadatum_for(latest_package)
-            }
-          end
+          {
+            type: 'Package',
+            authors: '',
+            name: package_name,
+            version: latest_version,
+            versions: build_package_versions(packages),
+            summary: '',
+            total_downloads: 0,
+            verified: true,
+            tags: tags_for(latest_package),
+            metadatum: metadatum_for(latest_package)
+          }
         end
       end
+      strong_memoize_attr :data
 
       private
 

doc/administration/geo/setup/index.md

@@ -18,7 +18,8 @@ type: howto
 
 - Ensure the **primary** site has a [GitLab Premium or Ultimate](https://about.gitlab.com/pricing/) subscription to unlock Geo. You only need one license for all the sites.
 - Confirm the [requirements for running Geo](../index.md#requirements-for-running-geo) are met by all sites. For example, sites must use the same GitLab version, and sites must be able to communicate with each other over certain ports.
-- Confirm the **primary** and **secondary** site storage configurations match. If the primary Geo site uses object storage, the secondary Geo site must use it too. See [Geo with Object storage] (../object_storage.md) for more details.
+- Confirm the **primary** and **secondary** site storage configurations match. If the primary Geo site uses object storage, the secondary Geo site must use it too. See [Geo with Object storage] (../replication/object_storage.md) for more details.
+- Ensure clocks are synchronized between the **primary** site and the **secondary** site. Synchronized clocks are required for Geo to function correctly. For example, if the clock drift between the **primary** and **secondary** sites exceeds 1 minute, replication will fail.
 
 ## Using Omnibus GitLab
 
@@ -34,6 +35,7 @@ If both Geo sites are based on the [1K reference architecture](../../reference_a
 1. Optional: [Configure Object storage](../../object_storage.md)
 1. Optional: [Configure a secondary LDAP server](../../auth/ldap/index.md) for the **secondary** sites. See [notes on LDAP](../index.md#ldap).
 1. Optional: [Configure Geo secondary proxying](../secondary_proxy/index.md) to use a single, unified URL for all Geo sites. This step is recommended to accelerate most read requests while transparently proxying writes to the primary Geo site.
+1. Optional: [Configure Container Registry for the secondary site](../replication/container_registry.md).
 1. Follow the [Using a Geo Site](../replication/usage.md) guide.
 
 ### Multi-node Geo sites

doc/api/integrations.md

@@ -93,6 +93,7 @@ Parameters:
 | `app_store_issuer_id` | string | true | The Apple App Store Connect Issuer ID. |
 | `app_store_key_id` | string | true | The Apple App Store Connect Key ID. |
 | `app_store_private_key` | string | true | The Apple App Store Connect Private Key. |
+| `app_store_protected_refs` | boolean | false | Set variables only on protected branches and tags. Defaults to `true` (enabled). |
 
 ### Disable Apple App Store integration
 

doc/user/application_security/sast/index.md

@@ -868,7 +868,7 @@ This occurs when Flawfinder encounters an invalid UTF-8 character. To fix this,
 
 ### Semgrep slowness, unexpected results, or other errors
 
-If Semgrep is slow, reports too many false positives or false negatives, crashes, fails, or is otherwise broken, see the Semgrep docs for [troubleshooting GitLab SAST](https://semgrep.dev/docs/troubleshooting/gitlab-sast/).
+If Semgrep is slow, reports too many false positives or false negatives, crashes, fails, or is otherwise broken, see the Semgrep docs for [troubleshooting GitLab SAST](https://semgrep.dev/docs/troubleshooting/semgrep-ci/#troubleshooting-gitlab-sast).
 
 ### SAST job fails with message `strconv.ParseUint: parsing "0.0": invalid syntax`
 

doc/user/group/manage.md

@@ -395,7 +395,7 @@ To enable this setting:
 > - [Feature flag `group_merge_request_approval_settings_feature_flag`](https://gitlab.com/gitlab-org/gitlab/-/issues/343872) removed in GitLab 14.9.
 
 Group approval settings manage [project merge request approval settings](../project/merge_requests/approvals/settings.md)
-at the top-level group level. These settings [cascade to all projects](../project/merge_requests/approvals/settings.md#settings-cascading)
+for all projects in a top-level group. These settings [cascade to all projects](../project/merge_requests/approvals/settings.md#settings-cascading)
 that belong to the group.
 
 To view the merge request approval settings for a group:
@@ -406,7 +406,9 @@ To view the merge request approval settings for a group:
 1. Select the settings you want.
 1. Select **Save changes**.
 
-Support for group-level settings for merge request approval rules is tracked in this [epic](https://gitlab.com/groups/gitlab-org/-/epics/4367).
+Approval settings should not be confused with [approval rules](../project/merge_requests/approvals/rules.md). Support
+for the ability to set merge request approval rules for groups is tracked in
+[epic 4367](https://gitlab.com/groups/gitlab-org/-/epics/4367).
 
 ## Enable Code Suggestions **(FREE SAAS)**
 

lib/api/helpers/packages/basic_auth_helpers.rb

@@ -41,16 +41,15 @@ module API
         end
 
         def find_authorized_group!
-          strong_memoize(:authorized_group) do
-            group = find_group(params[:id])
+          group = find_group(params[:id])
 
-            unless group && can?(current_user, :read_group, group)
-              next unauthorized_or! { not_found! }
-            end
-
-            group
+          unless group && can?(current_user, :read_group, group)
+            return unauthorized_or! { not_found! }
           end
+
+          group
         end
+        strong_memoize_attr :find_authorized_group!
 
         def authorize!(action, subject = :global, reason = nil)
           return if can?(current_user, action, subject)

lib/api/helpers/packages/conan/api_helpers.rb

@@ -125,20 +125,18 @@ module API
           end
 
           def project
-            strong_memoize(:project) do
-              case package_scope
-              when :project
-                user_project(action: :read_package)
-              when :instance
-                full_path = ::Packages::Conan::Metadatum.full_path_from(package_username: params[:package_username])
-                find_project!(full_path)
-              end
+            case package_scope
+            when :project
+              user_project(action: :read_package)
+            when :instance
+              full_path = ::Packages::Conan::Metadatum.full_path_from(package_username: params[:package_username])
+              find_project!(full_path)
             end
           end
+          strong_memoize_attr :project
 
           def package
-            strong_memoize(:package) do
-              project.packages
+            project.packages
                 .conan
                 .with_name(params[:package_name])
                 .with_version(params[:package_version])
@@ -147,18 +145,17 @@ module API
                 .order_created
                 .not_pending_destruction
                 .last
-            end
           end
+          strong_memoize_attr :package
 
           def token
-            strong_memoize(:token) do
-              token = nil
-              token = ::Gitlab::ConanToken.from_personal_access_token(find_personal_access_token.user_id, access_token_from_request) if find_personal_access_token
-              token = ::Gitlab::ConanToken.from_deploy_token(deploy_token_from_request) if deploy_token_from_request
-              token = ::Gitlab::ConanToken.from_job(find_job_from_token) if find_job_from_token
-              token
-            end
+            token = nil
+            token = ::Gitlab::ConanToken.from_personal_access_token(find_personal_access_token.user_id, access_token_from_request) if find_personal_access_token
+            token = ::Gitlab::ConanToken.from_deploy_token(deploy_token_from_request) if deploy_token_from_request
+            token = ::Gitlab::ConanToken.from_job(find_job_from_token) if find_job_from_token
+            token
           end
+          strong_memoize_attr :token
 
           def download_package_file(file_type)
             authorize_read_package!(project)
@@ -227,17 +224,15 @@ module API
           # We override this method from auth_finders because we need to
           # extract the token from the Conan JWT which is specific to the Conan API
           def find_personal_access_token
-            strong_memoize(:find_personal_access_token) do
-              PersonalAccessToken.find_by_token(access_token_from_request)
-            end
+            PersonalAccessToken.find_by_token(access_token_from_request)
           end
+          strong_memoize_attr :find_personal_access_token
 
           def access_token_from_request
-            strong_memoize(:access_token_from_request) do
-              find_personal_access_token_from_conan_jwt ||
-                find_password_from_basic_auth
-            end
+            find_personal_access_token_from_conan_jwt ||
+              find_password_from_basic_auth
           end
+          strong_memoize_attr :access_token_from_request
 
           def find_password_from_basic_auth
             return unless route_authentication_setting[:basic_auth_personal_access_token]

lib/api/helpers/packages/npm.rb

@@ -12,22 +12,21 @@ module API
         }.freeze
 
         def project
-          strong_memoize(:project) do
-            case endpoint_scope
-            when :project
-              user_project(action: :read_package)
-            when :instance, :group
-              # Simulate the same behavior as #user_project by re-using #find_project!
-              # but take care if the project_id is nil as #find_project! is not designed
-              # to handle it.
-              project_id = project_id_or_nil
+          case endpoint_scope
+          when :project
+            user_project(action: :read_package)
+          when :instance, :group
+            # Simulate the same behavior as #user_project by re-using #find_project!
+            # but take care if the project_id is nil as #find_project! is not designed
+            # to handle it.
+            project_id = project_id_or_nil
 
-              not_found!('Project') unless project_id
+            not_found!('Project') unless project_id
 
-              find_project!(project_id)
-            end
+            find_project!(project_id)
           end
         end
+        strong_memoize_attr :project
 
         def finder_for_endpoint_scope(package_name)
           case endpoint_scope
@@ -43,51 +42,49 @@ module API
         def project_or_nil
           # mainly used by the metadata endpoint where we need to get a project
           # and return nil if not found (no errors should be raised)
-          strong_memoize(:project_or_nil) do
-            next unless project_id_or_nil
+          return unless project_id_or_nil
 
-            find_project(project_id_or_nil)
-          end
+          find_project(project_id_or_nil)
         end
+        strong_memoize_attr :project_or_nil
 
         def project_id_or_nil
-          strong_memoize(:project_id_or_nil) do
-            case endpoint_scope
-            when :project
-              params[:id]
-            when :group
-              finder = ::Packages::Npm::PackageFinder.new(
-                params[:package_name],
-                namespace: group,
-                last_of_each_version: false
-              )
+          case endpoint_scope
+          when :project
+            params[:id]
+          when :group
+            finder = ::Packages::Npm::PackageFinder.new(
+              params[:package_name],
+              namespace: group,
+              last_of_each_version: false
+            )
 
-              finder.last&.project_id
-            when :instance
-              package_name = params[:package_name]
+            finder.last&.project_id
+          when :instance
+            package_name = params[:package_name]
 
-              namespace =
-                if Feature.enabled?(:npm_allow_packages_in_multiple_projects)
-                  top_namespace_from(package_name)
-                else
-                  namespace_path = ::Packages::Npm.scope_of(package_name)
-                  next unless namespace_path
+            namespace =
+              if Feature.enabled?(:npm_allow_packages_in_multiple_projects)
+                top_namespace_from(package_name)
+              else
+                namespace_path = ::Packages::Npm.scope_of(package_name)
+                return unless namespace_path
 
-                  Namespace.top_most.by_path(namespace_path)
-                end
+                Namespace.top_most.by_path(namespace_path)
+              end
 
-              next unless namespace
+            return unless namespace
 
-              finder = ::Packages::Npm::PackageFinder.new(
-                package_name,
-                namespace: namespace,
-                last_of_each_version: false
-              )
+            finder = ::Packages::Npm::PackageFinder.new(
+              package_name,
+              namespace: namespace,
+              last_of_each_version: false
+            )
 
-              finder.last&.project_id
-            end
+            finder.last&.project_id
           end
         end
+        strong_memoize_attr :project_id_or_nil
 
         private
 

lib/api/helpers/packages_helpers.rb

@@ -4,6 +4,7 @@ module API
   module Helpers
     module PackagesHelpers
       extend ::Gitlab::Utils::Override
+      include ::Gitlab::Utils::StrongMemoize
 
       MAX_PACKAGE_FILE_SIZE = 50.megabytes.freeze
       ALLOWED_REQUIRED_PERMISSIONS = %i[read_package read_group].freeze
@@ -71,19 +72,18 @@ module API
 
       # This function is similar to the `find_project!` function, but it considers the `read_package` ability.
       def user_project_with_read_package
-        strong_memoize(:user_project_with_read_package) do
-          project = find_project(params[:id])
+        project = find_project(params[:id])
 
-          next forbidden! unless authorized_project_scope?(project)
+        return forbidden! unless authorized_project_scope?(project)
 
-          next project if can?(current_user, :read_package, project&.packages_policy_subject)
-          # guest users can have :read_project but not :read_package
-          next forbidden! if can?(current_user, :read_project, project)
-          next unauthorized! if authenticate_non_public?
+        return project if can?(current_user, :read_package, project&.packages_policy_subject)
+        # guest users can have :read_project but not :read_package
+        return forbidden! if can?(current_user, :read_project, project)
+        return unauthorized! if authenticate_non_public?
 
-          not_found!('Project')
-        end
+        not_found!('Project')
       end
+      strong_memoize_attr :user_project_with_read_package
 
       def track_package_event(action, scope, **args)
         service = ::Packages::CreateEventService.new(nil, current_user, event_name: action, scope: scope)

spec/models/packages/go/module_version_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Packages::Go::ModuleVersion, type: :model do
+RSpec.describe Packages::Go::ModuleVersion, type: :model, feature_category: :package_registry do
   include_context 'basic Go module'
 
   let_it_be(:mod) { create :go_module, project: project }
@@ -57,9 +57,30 @@ RSpec.describe Packages::Go::ModuleVersion, type: :model do
     end
 
     context 'with go.mod present' do
-      let_it_be(:version) { create :go_module_version, :tagged, mod: mod, name: 'v1.0.1' }
+      let!(:version) { create :go_module_version, :tagged, mod: mod, name: name }
+      let(:name) { 'v1.0.1' }
 
-      it('returns the contents of go.mod') { expect(version.gomod).to eq("module #{mod.name}\n") }
+      shared_examples 'returns the contents of go.mod' do
+        it { expect(version.gomod).to eq("module #{mod.name}\n") }
+      end
+
+      it_behaves_like 'returns the contents of go.mod'
+
+      context 'with cached blobs' do
+        before do
+          version.send(:blobs)
+        end
+
+        it_behaves_like 'returns the contents of go.mod'
+      end
+
+      context 'with the submodule\'s path' do
+        let_it_be(:mod) { create :go_module, project: project, path: 'mod' }
+
+        let(:name) { 'v1.0.3' }
+
+        it_behaves_like 'returns the contents of go.mod'
+      end
     end
   end