Add latest changes from gitlab-org/gitlab@master

Gemfile

@@ -187,9 +187,9 @@ gem 'seed-fu', '~> 2.3.7'
 gem 'elasticsearch-model', '~> 7.2'
 gem 'elasticsearch-rails', '~> 7.2', require: 'elasticsearch/rails/instrumentation'
 gem 'elasticsearch-api',   '7.13.3'
-gem 'aws-sdk-core', '~> 3.180.3'
+gem 'aws-sdk-core', '~> 3.181.0'
 gem 'aws-sdk-cloudformation', '~> 1'
-gem 'aws-sdk-s3', '~> 1.132.1'
+gem 'aws-sdk-s3', '~> 1.133.0'
 gem 'faraday_middleware-aws-sigv4', '~>0.3.0'
 gem 'typhoeus', '~> 1.4.0' # Used with Elasticsearch to support http keep-alive connections
 

Gemfile.checksum

@@ -37,9 +37,9 @@
 {"name":"aws-eventstream","version":"1.2.0","platform":"ruby","checksum":"ffa53482c92880b001ff2fb06919b9bb82fd847cbb0fa244985d2ebb6dd0d1df"},
 {"name":"aws-partitions","version":"1.761.0","platform":"ruby","checksum":"291e444e1edfc92c5521a6dbdd1236ccc3f122b3520163b2be6ec5b6ef350ef2"},
 {"name":"aws-sdk-cloudformation","version":"1.41.0","platform":"ruby","checksum":"31e47539719734413671edf9b1a31f8673fbf9688549f50c41affabbcb1c6b26"},
-{"name":"aws-sdk-core","version":"3.180.3","platform":"ruby","checksum":"829915d511bb018acab0905d860c1831c4a7f7e8daba1afd546225b2c9918351"},
+{"name":"aws-sdk-core","version":"3.181.0","platform":"ruby","checksum":"711cdf9483e48c63cd16b063b5f55d7ea23c4c432ce6123b287c356a1c4b5c76"},
 {"name":"aws-sdk-kms","version":"1.64.0","platform":"ruby","checksum":"40de596c95047bfc6e1aacea24f3df6241aa716b6f7ce08ac4c5f7e3120395ad"},
-{"name":"aws-sdk-s3","version":"1.132.1","platform":"ruby","checksum":"cac01fbba5d717907b8df7b4e482447678c8392c7a4707ba09956d10e3549145"},
+{"name":"aws-sdk-s3","version":"1.133.0","platform":"ruby","checksum":"b510d143942af52af7f7eb7c242724b59b757ae7dd154e4baa6a5b6e4b90d57b"},
 {"name":"aws-sigv4","version":"1.6.0","platform":"ruby","checksum":"ca9e6a15cd424f1f32b524b9760995331459bc22e67d3daad4fcf0c0084b087d"},
 {"name":"axe-core-api","version":"4.6.0","platform":"ruby","checksum":"1b0ddec3353f108dc10363baf2282f43a5ff7f13d4e25f99071294e78f8a6c62"},
 {"name":"axe-core-rspec","version":"4.6.0","platform":"ruby","checksum":"11c25bc9dd388c137ba4e5e63d64d20092bf22c884d8ffc829a22acfbacd747f"},

Gemfile.lock

@@ -265,7 +265,7 @@ GEM
     aws-sdk-cloudformation (1.41.0)
       aws-sdk-core (~> 3, >= 3.99.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.180.3)
+    aws-sdk-core (3.181.0)
       aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.651.0)
       aws-sigv4 (~> 1.5)
@@ -273,8 +273,8 @@ GEM
     aws-sdk-kms (1.64.0)
       aws-sdk-core (~> 3, >= 3.165.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.132.1)
-      aws-sdk-core (~> 3, >= 3.179.0)
+    aws-sdk-s3 (1.133.0)
+      aws-sdk-core (~> 3, >= 3.181.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.6)
     aws-sigv4 (1.6.0)
@@ -1737,8 +1737,8 @@ DEPENDENCIES
   autoprefixer-rails (= 10.2.5.1)
   awesome_print
   aws-sdk-cloudformation (~> 1)
-  aws-sdk-core (~> 3.180.3)
-  aws-sdk-s3 (~> 1.132.1)
+  aws-sdk-core (~> 3.181.0)
+  aws-sdk-s3 (~> 1.133.0)
   axe-core-rspec
   babosa (~> 2.0)
   base32 (~> 0.3.0)
@@ -2038,4 +2038,4 @@ DEPENDENCIES
   yajl-ruby (~> 1.4.3)
 
 BUNDLED WITH
-   2.4.18
+   2.4.19

db/docs/workspace_variables.yml

@@ -0,0 +1,10 @@
+---
+table_name: workspace_variables
+classes:
+- RemoteDevelopment::WorkspaceVariable
+feature_categories:
+- remote_development
+description: Remote Development Workspace variables
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/129688
+milestone: '16.4'
+gitlab_schema: gitlab_main

db/migrate/20230821000001_create_workspace_variables.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+class CreateWorkspaceVariables < Gitlab::Database::Migration[2.1]
+  def change
+    create_table :workspace_variables do |t|
+      t.references :workspace, index: true, null: false, foreign_key: { on_delete: :cascade }
+      t.integer :variable_type, null: false, limit: 2
+      t.timestamps_with_timezone null: false
+      t.text :key, null: false, limit: 255
+      t.binary :encrypted_value, null: false
+      t.binary :encrypted_value_iv, null: false
+    end
+  end
+end

db/migrate/20230821000002_add_personal_access_token_id_to_workspaces.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+class AddPersonalAccessTokenIdToWorkspaces < Gitlab::Database::Migration[2.1]
+  disable_ddl_transaction!
+
+  INDEX_NAME = "index_workspaces_on_personal_access_token_id"
+
+  def up
+    with_lock_retries do
+      add_column :workspaces, :personal_access_token_id, :bigint
+    end
+
+    add_concurrent_index :workspaces, :personal_access_token_id, name: INDEX_NAME
+
+    # Personal Access Tokens are revokable and are soft deleted, so the record should never actually be deleted.
+    # Therefore, `restrict` is the appropriate choice, because if a record ever is attempted to be deleted
+    # outside of Rails, this should be prevented, because `nullify` would result in an invalid state for the workspace,
+    # and `cascade` would delete the workspace.
+    add_concurrent_foreign_key :workspaces,
+      :personal_access_tokens,
+      column: :personal_access_token_id,
+      on_delete: :restrict
+  end
+
+  def down
+    remove_concurrent_index_by_name :workspaces, INDEX_NAME
+    remove_foreign_key_if_exists :workspaces, column: :personal_access_tokens
+
+    with_lock_retries do
+      remove_column :workspaces, :personal_access_token_id, if_exists: true
+    end
+  end
+end

db/migrate/20230821000003_add_config_version_to_workspaces.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddConfigVersionToWorkspaces < Gitlab::Database::Migration[2.1]
+  def change
+    add_column :workspaces, :config_version, :integer, default: 1, null: false
+  end
+end

db/schema_migrations/20230821000001

@@ -0,0 +1 @@
+30eb1215fb4411780a722c0d49b7e30316200459dd91f67525f4ae5894aa1acc

db/schema_migrations/20230821000002

@@ -0,0 +1 @@
+ff4aafeb32b4e09ec8344afa8684fda2fd2131a8d4b8f82806a0ca5341beef59

db/schema_migrations/20230821000003

@@ -0,0 +1 @@
+5ece2c99a97204a2888f5951d4cd2b16a75e47e395c8a09fa16f151e7d28e16c

db/structure.sql

@@ -25102,6 +25102,27 @@ CREATE SEQUENCE work_item_widget_definitions_id_seq
 
 ALTER SEQUENCE work_item_widget_definitions_id_seq OWNED BY work_item_widget_definitions.id;
 
+CREATE TABLE workspace_variables (
+    id bigint NOT NULL,
+    workspace_id bigint NOT NULL,
+    variable_type smallint NOT NULL,
+    created_at timestamp with time zone NOT NULL,
+    updated_at timestamp with time zone NOT NULL,
+    key text NOT NULL,
+    encrypted_value bytea NOT NULL,
+    encrypted_value_iv bytea NOT NULL,
+    CONSTRAINT check_5545042100 CHECK ((char_length(key) <= 255))
+);
+
+CREATE SEQUENCE workspace_variables_id_seq
+    START WITH 1
+    INCREMENT BY 1
+    NO MINVALUE
+    NO MAXVALUE
+    CACHE 1;
+
+ALTER SEQUENCE workspace_variables_id_seq OWNED BY workspace_variables.id;
+
 CREATE TABLE workspaces (
     id bigint NOT NULL,
     created_at timestamp with time zone NOT NULL,
@@ -25123,6 +25144,8 @@ CREATE TABLE workspaces (
     processed_devfile text,
     url text NOT NULL,
     deployment_resource_version text,
+    personal_access_token_id bigint,
+    config_version integer DEFAULT 1 NOT NULL,
     CONSTRAINT check_15543fb0fa CHECK ((char_length(name) <= 64)),
     CONSTRAINT check_157d5f955c CHECK ((char_length(namespace) <= 64)),
     CONSTRAINT check_2b401b0034 CHECK ((char_length(deployment_resource_version) <= 64)),
@@ -26420,6 +26443,8 @@ ALTER TABLE ONLY work_item_types ALTER COLUMN id SET DEFAULT nextval('work_item_
 
 ALTER TABLE ONLY work_item_widget_definitions ALTER COLUMN id SET DEFAULT nextval('work_item_widget_definitions_id_seq'::regclass);
 
+ALTER TABLE ONLY workspace_variables ALTER COLUMN id SET DEFAULT nextval('workspace_variables_id_seq'::regclass);
+
 ALTER TABLE ONLY workspaces ALTER COLUMN id SET DEFAULT nextval('workspaces_id_seq'::regclass);
 
 ALTER TABLE ONLY x509_certificates ALTER COLUMN id SET DEFAULT nextval('x509_certificates_id_seq'::regclass);
@@ -29037,6 +29062,9 @@ ALTER TABLE ONLY work_item_types
 ALTER TABLE ONLY work_item_widget_definitions
     ADD CONSTRAINT work_item_widget_definitions_pkey PRIMARY KEY (id);
 
+ALTER TABLE ONLY workspace_variables
+    ADD CONSTRAINT workspace_variables_pkey PRIMARY KEY (id);
+
 ALTER TABLE ONLY workspaces
     ADD CONSTRAINT workspaces_pkey PRIMARY KEY (id);
 
@@ -34067,10 +34095,14 @@ CREATE UNIQUE INDEX index_work_item_widget_definitions_on_namespace_type_and_nam
 
 CREATE INDEX index_work_item_widget_definitions_on_work_item_type_id ON work_item_widget_definitions USING btree (work_item_type_id);
 
+CREATE INDEX index_workspace_variables_on_workspace_id ON workspace_variables USING btree (workspace_id);
+
 CREATE INDEX index_workspaces_on_cluster_agent_id ON workspaces USING btree (cluster_agent_id);
 
 CREATE UNIQUE INDEX index_workspaces_on_name ON workspaces USING btree (name);
 
+CREATE INDEX index_workspaces_on_personal_access_token_id ON workspaces USING btree (personal_access_token_id);
+
 CREATE INDEX index_workspaces_on_project_id ON workspaces USING btree (project_id);
 
 CREATE INDEX index_workspaces_on_user_id ON workspaces USING btree (user_id);
@@ -36980,6 +37012,9 @@ ALTER TABLE ONLY pages_domains
 ALTER TABLE ONLY catalog_resource_components
     ADD CONSTRAINT fk_ec417536da FOREIGN KEY (catalog_resource_id) REFERENCES catalog_resources(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY workspaces
+    ADD CONSTRAINT fk_ec70695b2c FOREIGN KEY (personal_access_token_id) REFERENCES personal_access_tokens(id) ON DELETE RESTRICT;
+
 ALTER TABLE ONLY merge_requests_compliance_violations
     ADD CONSTRAINT fk_ec881c1c6f FOREIGN KEY (violating_user_id) REFERENCES users(id) ON DELETE CASCADE;
 
@@ -37646,6 +37681,9 @@ ALTER TABLE ONLY elastic_group_index_statuses
 ALTER TABLE ONLY bulk_import_configurations
     ADD CONSTRAINT fk_rails_536b96bff1 FOREIGN KEY (bulk_import_id) REFERENCES bulk_imports(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY workspace_variables
+    ADD CONSTRAINT fk_rails_539844891e FOREIGN KEY (workspace_id) REFERENCES workspaces(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY x509_commit_signatures
     ADD CONSTRAINT fk_rails_53fe41188f FOREIGN KEY (x509_certificate_id) REFERENCES x509_certificates(id) ON DELETE CASCADE;
 

doc/user/application_security/sast/index.md

@@ -158,6 +158,7 @@ Advanced vulnerability tracking is available in a subset of the [supported langu
 - Go, in the Semgrep-based analyzer only
 - Java, in the mobsf, Semgrep-based and SpotBugs analyzers
 - JavaScript, in the Semgrep-based and NodeJS-Scan analyzers
+- PHP, in the phpcs-security-audit analyzer
 - Python, in the Semgrep-based analyzer only
 - Ruby, in the Brakeman-based analyzer
 

lib/api/helpers/packages/maven.rb

@@ -16,6 +16,66 @@ module API
             desc: 'Package file name',
             documentation: { example: 'mypkg-1.0-SNAPSHOT.jar' }
         end
+
+        def extract_format(file_name)
+          name, _, format = file_name.rpartition('.')
+
+          if %w[md5 sha1].include?(format)
+            unprocessable_entity! if Gitlab::FIPS.enabled? && format == 'md5'
+
+            [name, format]
+          else
+            [file_name, format]
+          end
+        end
+
+        def fetch_package(file_name:, project: nil, group: nil)
+          order_by_package_file = file_name.include?(::Packages::Maven::Metadata.filename) &&
+            params[:path].exclude?(::Packages::Maven::FindOrCreatePackageService::SNAPSHOT_TERM)
+
+          ::Packages::Maven::PackageFinder.new(
+            current_user,
+            project || group,
+            path: params[:path],
+            order_by_package_file: order_by_package_file
+          ).execute
+        end
+
+        def project
+          nil
+        end
+
+        def group
+          nil
+        end
+
+        def present_carrierwave_file_with_head_support!(package_file, supports_direct_download: true)
+          package_file.package.touch_last_downloaded_at
+          file = package_file.file
+
+          if head_request_on_aws_file?(file, supports_direct_download) && !file.file_storage?
+            return redirect(signed_head_url(file))
+          end
+
+          present_carrierwave_file!(file, supports_direct_download: supports_direct_download)
+        end
+
+        def signed_head_url(file)
+          fog_storage = ::Fog::Storage.new(file.fog_credentials)
+          fog_dir = fog_storage.directories.new(key: file.fog_directory)
+          fog_file = fog_dir.files.new(key: file.path)
+          expire_at = ::Fog::Time.now + file.fog_authenticated_url_expiration
+
+          fog_file.collection.head_url(fog_file.key, expire_at)
+        end
+
+        def head_request_on_aws_file?(file, supports_direct_download)
+          Gitlab.config.packages.object_store.enabled &&
+            supports_direct_download &&
+            file.class.direct_download_enabled? &&
+            request.head? &&
+            file.fog_credentials[:provider] == 'AWS'
+        end
       end
     end
   end

lib/api/maven_packages.rb

@@ -34,18 +34,6 @@ module API
                                   .exists?
       end
 
-      def extract_format(file_name)
-        name, _, format = file_name.rpartition('.')
-
-        if %w(md5 sha1).include?(format)
-          unprocessable_entity! if Gitlab::FIPS.enabled? && format == 'md5'
-
-          [name, format]
-        else
-          [file_name, format]
-        end
-      end
-
       # The sha verification done by the maven api is between:
       # - the sha256 set by workhorse helpers
       # - the sha256 of the sha1 of the uploaded package file
@@ -69,46 +57,6 @@ module API
         format == 'jar'
       end
 
-      def present_carrierwave_file_with_head_support!(package_file, supports_direct_download: true)
-        package_file.package.touch_last_downloaded_at
-        file = package_file.file
-
-        if head_request_on_aws_file?(file, supports_direct_download) && !file.file_storage?
-          return redirect(signed_head_url(file))
-        end
-
-        present_carrierwave_file!(file, supports_direct_download: supports_direct_download)
-      end
-
-      def signed_head_url(file)
-        fog_storage = ::Fog::Storage.new(file.fog_credentials)
-        fog_dir = fog_storage.directories.new(key: file.fog_directory)
-        fog_file = fog_dir.files.new(key: file.path)
-        expire_at = ::Fog::Time.now + file.fog_authenticated_url_expiration
-
-        fog_file.collection.head_url(fog_file.key, expire_at)
-      end
-
-      def head_request_on_aws_file?(file, supports_direct_download)
-        Gitlab.config.packages.object_store.enabled &&
-          supports_direct_download &&
-          file.class.direct_download_enabled? &&
-          request.head? &&
-          file.fog_credentials[:provider] == 'AWS'
-      end
-
-      def fetch_package(file_name:, project: nil, group: nil)
-        order_by_package_file = file_name.include?(::Packages::Maven::Metadata.filename) &&
-          !params[:path].include?(::Packages::Maven::FindOrCreatePackageService::SNAPSHOT_TERM)
-
-        ::Packages::Maven::PackageFinder.new(
-          current_user,
-          project || group,
-          path: params[:path],
-          order_by_package_file: order_by_package_file
-        ).execute
-      end
-
       def find_and_present_package_file(package, file_name, format, params)
         project = package&.project
         package_file = nil

lib/quality/seeders/issues.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require './spec/support/sidekiq_middleware'
+
 # rubocop:disable CodeReuse/ActiveRecord
 module Quality
   module Seeders
@@ -71,7 +73,10 @@ module Quality
           project.add_owner(user)
         end
 
-        AuthorizedProjectUpdate::ProjectRecalculateService.new(project).execute
+        Sidekiq::Worker.skipping_transaction_check do
+          AuthorizedProjectUpdate::ProjectRecalculateService.new(project).execute
+        end
+
         # Refind object toreload ProjectTeam association which is memoized at Project model
         @project = Project.find(project.id)
       end

qa/qa/specs/features/browser_ui/1_manage/login/register_spec.rb

@@ -2,7 +2,12 @@
 
 module QA
   RSpec.shared_examples 'registration and login' do
-    it 'allows the user to register and login' do
+    it 'allows the user to register and login',
+      quarantine: {
+        only: { job: 'airgapped' },
+        issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/414247',
+        type: :investigating
+      } do
       Runtime::Browser.visit(:gitlab, Page::Main::Login)
 
       Resource::User.fabricate_via_browser_ui! do |user_resource|
@@ -75,7 +80,12 @@ module QA
           end
 
           it 'allows recreating with same credentials', :reliable,
-            testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347868' do
+            testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347868',
+            quarantine: {
+              only: { job: 'airgapped' },
+              issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/414247',
+              type: :investigating
+            } do
             expect(Page::Main::Menu.perform(&:signed_in?)).to be_falsy
 
             Flow::Login.sign_in(as: user, skip_page_validation: true)
@@ -122,7 +132,12 @@ module QA
         end
 
         it 'allows user login after approval',
-          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347871' do
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347871',
+          quarantine: {
+            only: { job: 'airgapped' },
+            issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/414247',
+            type: :investigating
+          } do
           user # sign up user
 
           expect(page).to have_text(signed_up_waiting_approval_text)