Add latest changes from gitlab-org/gitlab@master

app/models/group.rb

@@ -18,6 +18,10 @@ class Group < Namespace
   include EachBatch
   include BulkMemberAccessLoad
 
+  def self.sti_name
+    'Group'
+  end
+
   has_many :all_group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
   has_many :group_members, -> { where(requested_at: nil).where.not(members: { access_level: Gitlab::Access::MINIMAL_ACCESS }) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
   alias_method :members, :group_members

app/models/namespace.rb

@@ -18,6 +18,11 @@ class Namespace < ApplicationRecord
 
   ignore_column :delayed_project_removal, remove_with: '14.1', remove_after: '2021-05-22'
 
+  # Tells ActiveRecord not to store the full class name, in order to space some space
+  # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/69794
+  self.store_full_sti_class = false
+  self.store_full_class_name = false
+
   # Prevent users from creating unreasonably deep level of nesting.
   # The number 20 was taken based on maximum nesting level of
   # Android repo (15) + some extra backup.
@@ -131,6 +136,21 @@ class Namespace < ApplicationRecord
   attr_writer :root_ancestor, :emails_disabled_memoized
 
   class << self
+    def sti_class_for(type_name)
+      case type_name
+      when 'Group'
+        Group
+      when 'Project'
+        Namespaces::ProjectNamespace
+      when 'User'
+        # TODO: We create a normal Namespace until
+        #       https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68894 is ready
+        Namespace
+      else
+        Namespace
+      end
+    end
+
     def by_path(path)
       find_by('lower(path) = :value', value: path.downcase)
     end
@@ -227,15 +247,23 @@ class Namespace < ApplicationRecord
   end
 
   def kind
-    type == 'Group' ? 'group' : 'user'
+    return 'group' if group?
-  end
+    return 'project' if project?
 
-  def user?
+    'user' # defaults to user
-    kind == 'user'
   end
 
   def group?
-    type == 'Group'
+    type == Group.sti_name
+  end
+
+  def project?
+    type == Namespaces::ProjectNamespace.sti_name
+  end
+
+  def user?
+    # That last bit ensures we're considered a user namespace as a default
+    type.nil? || type == Namespaces::UserNamespace.sti_name || !(group? || project?)
   end
 
   def find_fork_of(project)

app/models/namespaces/project_namespace.rb

@@ -3,5 +3,9 @@
 module Namespaces
   class ProjectNamespace < Namespace
     has_one :project, foreign_key: :project_namespace_id, inverse_of: :project_namespace
+
+    def self.sti_name
+      'Project'
+    end
   end
 end

app/models/namespaces/user_namespace.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# TODO: currently not created/mapped in the database, will be done in another issue
+#       https://gitlab.com/gitlab-org/gitlab/-/issues/337102
+module Namespaces
+  class UserNamespace < Namespace
+    def self.sti_name
+      'User'
+    end
+  end
+end

app/models/repository.rb

@@ -627,7 +627,12 @@ class Repository
   def license
     return unless license_key
 
-    Licensee::License.new(license_key)
+    licensee_object = Licensee::License.new(license_key)
+
+    return if licensee_object.name.blank?
+
+    licensee_object
+  rescue Licensee::InvalidLicense
   end
   memoize_method :license
 

db/post_migrate/20210806131706_finalize_taggins_bigint_conversion.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+class FinalizeTagginsBigintConversion < ActiveRecord::Migration[6.1]
+  include Gitlab::Database::MigrationHelpers
+
+  disable_ddl_transaction!
+
+  TABLE_NAME = 'taggings'
+
+  def up
+    ensure_batched_background_migration_is_finished(
+      job_class_name: 'CopyColumnUsingBackgroundMigrationJob',
+      table_name: TABLE_NAME,
+      column_name: 'id',
+      job_arguments: [%w[id taggable_id], %w[id_convert_to_bigint taggable_id_convert_to_bigint]]
+    )
+
+    swap
+  end
+
+  def down
+    swap
+  end
+
+  private
+
+  def swap
+    # rubocop:disable Migration/PreventIndexCreation
+    add_concurrent_index TABLE_NAME, :id_convert_to_bigint, unique: true, name: 'index_taggings_on_id_convert_to_bigint'
+
+    # This is to replace the existing "index_taggings_on_taggable_id_and_taggable_type" btree (taggable_id, taggable_type)
+    add_concurrent_index TABLE_NAME, [:taggable_id_convert_to_bigint, :taggable_type], name: 'i_taggings_on_taggable_id_convert_to_bigint_and_taggable_type'
+
+    # This is to replace the existing "index_taggings_on_taggable_id_and_taggable_type_and_context" btree (taggable_id, taggable_type, context)
+    add_concurrent_index TABLE_NAME, [:taggable_id_convert_to_bigint, :taggable_type, :context], name: 'i_taggings_on_taggable_bigint_and_taggable_type_and_context'
+
+    # This is to replace the existing "taggings_idx" btree (tag_id, taggable_id, taggable_type, context, tagger_id, tagger_type)
+    add_concurrent_index TABLE_NAME, [:tag_id, :taggable_id_convert_to_bigint, :taggable_type, :context, :tagger_id, :tagger_type], unique: true, name: 'taggings_idx_tmp'
+
+    # This is to replace the existing "tmp_index_taggings_on_id_where_taggable_type_project" btree (id) WHERE taggable_type::text = 'Project'::text
+    add_concurrent_index TABLE_NAME, :id_convert_to_bigint, where: "taggable_type = 'Project'", name: 'tmp_index_taggings_on_id_bigint_where_taggable_type_project'
+    # rubocop:enable Migration/PreventIndexCreation
+
+    with_lock_retries(raise_on_exhaustion: true) do
+      # We'll need  ACCESS EXCLUSIVE lock on the related tables,
+      # lets make sure it can be acquired from the start
+      execute "LOCK TABLE #{TABLE_NAME} IN ACCESS EXCLUSIVE MODE"
+
+      # Swap column names
+      temp_name = 'taggable_id_tmp'
+      execute "ALTER TABLE #{quote_table_name(TABLE_NAME)} RENAME COLUMN #{quote_column_name(:taggable_id)} TO #{quote_column_name(temp_name)}"
+      execute "ALTER TABLE #{quote_table_name(TABLE_NAME)} RENAME COLUMN #{quote_column_name(:taggable_id_convert_to_bigint)} TO #{quote_column_name(:taggable_id)}"
+      execute "ALTER TABLE #{quote_table_name(TABLE_NAME)} RENAME COLUMN #{quote_column_name(temp_name)} TO #{quote_column_name(:taggable_id_convert_to_bigint)}"
+
+      temp_name = 'id_tmp'
+      execute "ALTER TABLE #{quote_table_name(TABLE_NAME)} RENAME COLUMN #{quote_column_name(:id)} TO #{quote_column_name(temp_name)}"
+      execute "ALTER TABLE #{quote_table_name(TABLE_NAME)} RENAME COLUMN #{quote_column_name(:id_convert_to_bigint)} TO #{quote_column_name(:id)}"
+      execute "ALTER TABLE #{quote_table_name(TABLE_NAME)} RENAME COLUMN #{quote_column_name(temp_name)} TO #{quote_column_name(:id_convert_to_bigint)}"
+
+      # We need to update the trigger function in order to make PostgreSQL to
+      # regenerate the execution plan for it. This is to avoid type mismatch errors like
+      # "type of parameter 15 (bigint) does not match that when preparing the plan (integer)"
+      function_name = Gitlab::Database::UnidirectionalCopyTrigger.on_table(TABLE_NAME).name([:id, :taggable_id], [:id_convert_to_bigint, :taggable_id_convert_to_bigint])
+      execute "ALTER FUNCTION #{quote_table_name(function_name)} RESET ALL"
+
+      # Swap defaults
+      execute "ALTER SEQUENCE taggings_id_seq OWNED BY #{TABLE_NAME}.id"
+      change_column_default TABLE_NAME, :id, -> { "nextval('taggings_id_seq'::regclass)" }
+      change_column_default TABLE_NAME, :id_convert_to_bigint, 0
+
+      # Swap PK constraint
+      execute "ALTER TABLE #{TABLE_NAME} DROP CONSTRAINT taggings_pkey CASCADE"
+      rename_index TABLE_NAME, 'index_taggings_on_id_convert_to_bigint', 'taggings_pkey'
+      execute "ALTER TABLE #{TABLE_NAME} ADD CONSTRAINT taggings_pkey PRIMARY KEY USING INDEX taggings_pkey"
+
+      # Rename the index on the `bigint` column to match the new column name
+      # (we already hold an exclusive lock, so no need to use DROP INDEX CONCURRENTLY here)
+      execute 'DROP INDEX index_taggings_on_taggable_id_and_taggable_type'
+      rename_index TABLE_NAME, 'i_taggings_on_taggable_id_convert_to_bigint_and_taggable_type', 'index_taggings_on_taggable_id_and_taggable_type'
+      execute 'DROP INDEX index_taggings_on_taggable_id_and_taggable_type_and_context'
+      rename_index TABLE_NAME, 'i_taggings_on_taggable_bigint_and_taggable_type_and_context', 'index_taggings_on_taggable_id_and_taggable_type_and_context'
+      execute 'DROP INDEX taggings_idx'
+      rename_index TABLE_NAME, 'taggings_idx_tmp', 'taggings_idx'
+      execute 'DROP INDEX tmp_index_taggings_on_id_where_taggable_type_project'
+      rename_index TABLE_NAME, 'tmp_index_taggings_on_id_bigint_where_taggable_type_project', 'tmp_index_taggings_on_id_where_taggable_type_project'
+    end
+  end
+end

db/schema_migrations/20210806131706

@@ -0,0 +1 @@
+2539e3e09682f1d7a0902b495a140151a5debef40623348d3cc552d4ba00722f

db/structure.sql

@@ -19412,16 +19412,16 @@ CREATE SEQUENCE system_note_metadata_id_seq
 ALTER SEQUENCE system_note_metadata_id_seq OWNED BY system_note_metadata.id;
 
 CREATE TABLE taggings (
-    id integer NOT NULL,
+    id_convert_to_bigint integer DEFAULT 0 NOT NULL,
     tag_id integer,
-    taggable_id integer,
+    taggable_id_convert_to_bigint integer,
     taggable_type character varying,
     tagger_id integer,
     tagger_type character varying,
     context character varying,
     created_at timestamp without time zone,
-    id_convert_to_bigint bigint DEFAULT 0 NOT NULL,
+    id bigint NOT NULL,
-    taggable_id_convert_to_bigint bigint
+    taggable_id bigint
 );
 
 CREATE SEQUENCE taggings_id_seq

doc/administration/auth/ldap/google_secure_ldap.md

@@ -215,7 +215,7 @@ values obtained during the LDAP client configuration earlier:
 ## Using encrypted credentials
 
 You can optionally store the `bind_dn` and `password` in a separate encrypted configuration file using the
-[same steps as the regular LDAP integration](index.md#using-encrypted-credentials).
+[same steps as the regular LDAP integration](index.md#use-encrypted-credentials).
 
 <!-- ## Troubleshooting
 

doc/administration/auth/ldap/index.md

@@ -12,24 +12,22 @@ to support user authentication.
 
 This integration works with most LDAP-compliant directory servers, including:
 
-- Microsoft Active Directory
+- Microsoft Active Directory.
-  - [Microsoft Active Directory Trusts](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771568(v=ws.10)) are not supported.
+  [Microsoft Active Directory Trusts](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771568(v=ws.10))
-- Apple Open Directory
+  are not supported.
-- Open LDAP
+- Apple Open Directory.
-- 389 Server
+- Open LDAP.
+- 389 Server.
 
 Users added through LDAP take a [licensed seat](../../../subscriptions/self_managed/index.md#billable-users).
 
-GitLab Enterprise Editions (EE) include enhanced integration,
-including group membership syncing and multiple LDAP server support.
-
 ## Security
 
 GitLab assumes that LDAP users:
 
 - Are not able to change their LDAP `mail`, `email`, or `userPrincipalName` attributes.
   An LDAP user allowed to change their email on the LDAP server can potentially
-  [take over any account](#enabling-ldap-sign-in-for-existing-gitlab-users)
+  [take over any account](#enable-ldap-sign-in-for-existing-gitlab-users)
   on your GitLab server.
 - Have unique email addresses. If not, it's possible for LDAP users with the same
   email address to share the same GitLab account.
@@ -42,7 +40,7 @@ the LDAP server, or share email addresses.
 
 Users deleted from the LDAP server are immediately blocked from signing in
 to GitLab. However, there's an LDAP check cache time of one hour (which is
-[configurable](#adjusting-ldap-user-sync-schedule) for GitLab Premium users).
+[configurable](#adjust-ldap-user-sync-schedule) for GitLab Premium users).
 This means users already signed-in or who are using Git over SSH can access
 GitLab for up to one hour. Manually block the user in the GitLab Admin Area
 to immediately block all access.
@@ -53,7 +51,7 @@ LDAP-enabled users can authenticate with Git using their GitLab username or
 email and LDAP password, even if password authentication for Git is disabled
 in the application settings.
 
-## Enabling LDAP sign-in for existing GitLab users
+## Enable LDAP sign-in for existing GitLab users
 
 When a user signs in to GitLab with LDAP for the first time and their LDAP
 email address is the primary email address of an existing GitLab user, the
@@ -155,7 +153,7 @@ production:
         ...
 ```
 
-### Basic Configuration Settings
+### Basic configuration settings
 
 | Setting            | Description | Required | Examples |
 |--------------------|-------------|----------|----------|
@@ -174,7 +172,7 @@ production:
 | `base` | Base where we can search for users. | **{check-circle}** Yes | `'ou=people,dc=gitlab,dc=example'` or `'DC=mydomain,DC=com'` |
 | `user_filter`      | Filter LDAP users. Format: [RFC 4515](https://tools.ietf.org/search/rfc4515) Note: GitLab does not support `omniauth-ldap`'s custom filter syntax. | **{dotted-circle}** No | For examples, read [Examples of user filters](#examples-of-user-filters). |
 | `lowercase_usernames` | If enabled, GitLab converts the name to lower case. | **{dotted-circle}** No | boolean |
-| `retry_empty_result_with_codes` | An array of LDAP query response code that will attempt to retry the operation if the result/content is empty. For Google Secure LDAP, set this value to `[80]`. | **{dotted-circle}** No | `[80]` |
+| `retry_empty_result_with_codes` | An array of LDAP query response code that attempt to retry the operation if the result/content is empty. For Google Secure LDAP, set this value to `[80]`. | **{dotted-circle}** No | `[80]` |
 
 #### Examples of user filters
 
@@ -183,7 +181,7 @@ Some examples of the `user_filter` field syntax:
 - `'(employeeType=developer)'`
 - `'(&(objectclass=user)(|(samaccountname=momo)(samaccountname=toto)))'`
 
-### SSL Configuration Settings
+### SSL configuration settings
 
 | Setting       | Description | Required | Examples |
 |---------------|-------------|----------|----------|
@@ -193,7 +191,7 @@ Some examples of the `user_filter` field syntax:
 | `cert`        | Client certificate. | **{dotted-circle}** No | `'-----BEGIN CERTIFICATE----- <REDACTED> -----END CERTIFICATE -----'` |
 | `key`         | Client private key. | **{dotted-circle}** No | `'-----BEGIN PRIVATE KEY----- <REDACTED> -----END PRIVATE KEY -----'` |
 
-### Attribute Configuration Settings
+### Attribute configuration settings
 
 LDAP attributes that GitLab uses to create an account for the LDAP user. The specified
 attribute can either be the attribute name as a string (for example, `'mail'`), or an
@@ -208,7 +206,7 @@ The user's LDAP sign-in is the attribute specified as `uid` above.
 | `first_name` | LDAP attribute for user first name. Used when the attribute configured for `name` does not exist. | **{dotted-circle}** No | `'givenName'` |
 | `last_name`  | LDAP attribute for user last name. Used when the attribute configured for `name` does not exist. | **{dotted-circle}** No | `'sn'` |
 
-### LDAP Sync Configuration Settings **(PREMIUM SELF)**
+### LDAP Sync configuration settings **(PREMIUM SELF)**
 
 | Setting           | Description | Required | Examples |
 |-------------------|-------------|----------|----------|
@@ -261,7 +259,7 @@ Support for nested members in the user filter shouldn't be confused with
 
 GitLab does not support the custom filter syntax used by OmniAuth LDAP.
 
-#### Escaping special characters
+#### Escape special characters
 
 The `user_filter` DN can contain special characters. For example:
 
@@ -292,7 +290,7 @@ The `user_filter` DN can contain special characters. For example:
   OU=Gitlab \28Inc\29,DC=gitlab,DC=com
   ```
 
-### Enabling LDAP username lowercase
+### Enable LDAP username lowercase
 
 Some LDAP servers, depending on their configurations, can return uppercase usernames.
 This can lead to several confusing issues such as creating links or namespaces with uppercase names.
@@ -362,7 +360,7 @@ This does not disable [using LDAP credentials for Git access](#git-password-auth
 
 1. [Restart GitLab](../../restart_gitlab.md#installations-from-source) for the changes to take effect.
 
-### Using encrypted credentials
+### Use encrypted credentials
 
 Instead of having the LDAP integration credentials stored in plaintext in the configuration files, you can optionally
 use an encrypted file for the LDAP credentials. To use this feature, first you must enable
@@ -451,7 +449,7 @@ If initially your LDAP configuration looked like:
 
 ## Encryption
 
-### TLS Server Authentication
+### TLS server authentication
 
 There are two encryption methods, `simple_tls` and `start_tls`.
 
@@ -461,7 +459,7 @@ exchanged but no validation of the LDAP server's SSL certificate is performed.
 
 ### Limitations
 
-#### TLS Client Authentication
+#### TLS client authentication
 
 Not implemented by `Net::LDAP`.
 
@@ -555,7 +553,7 @@ The LDAP sync process:
 - Updates existing users.
 - Creates new users on first sign in.
 
-### Adjusting LDAP user sync schedule **(PREMIUM SELF)**
+### Adjust LDAP user sync schedule **(PREMIUM SELF)**
 
 By default, GitLab runs a worker once per day at 01:30 a.m. server time to
 check and update GitLab users against LDAP.
@@ -592,7 +590,7 @@ sync to run once every 12 hours at the top of the hour.
 
 If your LDAP supports the `memberof` property, when the user signs in for the
 first time GitLab triggers a sync for groups the user should be a member of.
-That way they don't need to wait for the hourly sync to be granted
+That way they don't have to wait for the hourly sync to be granted
 access to their groups and projects.
 
 A group sync process runs every hour on the hour, and `group_base` must be set
@@ -636,9 +634,9 @@ following.
 1. [Restart GitLab](../../restart_gitlab.md#installations-from-source) for the changes to take effect.
 
 To take advantage of group sync, group owners or maintainers must [create one
-or more LDAP group links](#adding-group-links).
+or more LDAP group links](#add-group-links).
 
-### Adding group links **(PREMIUM SELF)**
+### Add group links **(PREMIUM SELF)**
 
 For information on adding group links by using CNs and filters, refer to the
 [GitLab groups documentation](../../../user/group/index.md#manage-group-memberships-via-ldap).
@@ -710,7 +708,7 @@ To enable it, you must:
 1. Expand the **Visibility and access controls** section.
 1. Ensure the **Lock memberships to LDAP synchronization** checkbox is selected.
 
-### Adjusting LDAP group sync schedule **(PREMIUM SELF)**
+### Adjust LDAP group sync schedule **(PREMIUM SELF)**
 
 By default, GitLab runs a group sync process every hour, on the hour.
 The values shown are in cron format. If needed, you can use a

doc/administration/auth/ldap/ldap-troubleshooting.md

@@ -345,7 +345,7 @@ things to check to debug the situation.
 - Ensure LDAP configuration has a `group_base` specified.
   [This configuration](index.md#group-sync) is required for group sync to work properly.
 - Ensure the correct [LDAP group link is added to the GitLab
-  group](index.md#adding-group-links).
+  group](index.md#add-group-links).
 - Check that the user has an LDAP identity:
   1. Sign in to GitLab as an administrator user.
   1. On the top bar, select **Menu > Admin**.
@@ -356,7 +356,7 @@ things to check to debug the situation.
      an LDAP DN as the 'Identifier'. If not, this user hasn't signed in with
      LDAP yet and must do so first.
 - You've waited an hour or [the configured
-  interval](index.md#adjusting-ldap-group-sync-schedule) for the group to
+  interval](index.md#adjust-ldap-group-sync-schedule) for the group to
   sync. To speed up the process, either go to the GitLab group **Group information > Members**
   and press **Sync now** (sync one group) or [run the group sync Rake
   task](../../raketasks/ldap.md#run-a-group-sync) (sync all groups).

doc/administration/encrypted_configuration.md

@@ -11,8 +11,8 @@ type: reference
 
 GitLab can read settings for certain features from encrypted settings files. The supported features are:
 
-- [LDAP `user_bn` and `password`](auth/ldap/index.md#using-encrypted-credentials)
+- [LDAP `user_bn` and `password`](auth/ldap/index.md#use-encrypted-credentials).
-- [SMTP `user_name` and `password`](raketasks/smtp.md#secrets)
+- [SMTP `user_name` and `password`](raketasks/smtp.md#secrets).
 
 In order to enable the encrypted configuration settings, a new base key needs to be generated for
 `encrypted_settings_key_base`. The secret can be generated in the following ways:
@@ -35,4 +35,4 @@ The new secret can be generated by running:
 bundle exec rake gitlab:env:info RAILS_ENV=production GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE=true
 ```
 
-This prints general information on the GitLab instance, but also causes the key to be generated in `<path-to-gitlab-rails>/config/secrets.yml`
+This prints general information on the GitLab instance, but also causes the key to be generated in `<path-to-gitlab-rails>/config/secrets.yml`.

doc/administration/raketasks/ldap.md

@@ -44,7 +44,7 @@ waiting for the next scheduled group sync to be run.
 
 NOTE:
 If you'd like to change the frequency at which a group sync is performed,
-[adjust the cron schedule](../auth/ldap/index.md#adjusting-ldap-group-sync-schedule)
+[adjust the cron schedule](../auth/ldap/index.md#adjust-ldap-group-sync-schedule)
 instead.
 
 **Omnibus Installation**
@@ -151,7 +151,8 @@ sudo gitlab-rake gitlab:ldap:rename_provider[old_provider,new_provider] force=ye
 
 ## Secrets
 
-GitLab can use [LDAP configuration secrets](../auth/ldap/index.md#using-encrypted-credentials) to read from an encrypted file. The following Rake tasks are provided for updating the contents of the encrypted file.
+GitLab can use [LDAP configuration secrets](../auth/ldap/index.md#use-encrypted-credentials) to read from an encrypted file.
+The following Rake tasks are provided for updating the contents of the encrypted file.
 
 ### Show secret
 

doc/subscriptions/bronze_starter.md

@@ -51,13 +51,13 @@ the tiers are no longer mentioned in GitLab documentation:
   - Syncing information through LDAP:
     - Groups: [one group](../administration/auth/ldap/ldap-troubleshooting.md#sync-one-group),
       [all groups programmatically](../administration/auth/ldap/index.md#group-sync),
-      [group sync schedule](../administration/auth/ldap/index.md#adjusting-ldap-group-sync-schedule), and
+      [group sync schedule](../administration/auth/ldap/index.md#adjust-ldap-group-sync-schedule), and
       [all groups manually](../administration/auth/ldap/ldap-troubleshooting.md#sync-all-groups)
     - [Configuration settings](../administration/auth/ldap/index.md#ldap-sync-configuration-settings)
     - Users: [all users](../administration/auth/ldap/index.md#user-sync),
       [administrators](../administration/auth/ldap/index.md#administrator-sync),
-      [user sync schedule](../administration/auth/ldap/index.md#adjusting-ldap-user-sync-schedule)
+      [user sync schedule](../administration/auth/ldap/index.md#adjust-ldap-user-sync-schedule)
-    - [Adding group links](../administration/auth/ldap/index.md#adding-group-links)
+    - [Adding group links](../administration/auth/ldap/index.md#add-group-links)
     - [Lock memberships to LDAP synchronization](../administration/auth/ldap/index.md#global-group-memberships-lock)
     - Rake tasks for [LDAP tasks](../administration/raketasks/ldap.md), including
       [syncing groups](../administration/raketasks/ldap.md#run-a-group-sync)

doc/user/project/repository/index.md

@@ -34,7 +34,7 @@ You can [commit your changes](https://git-scm.com/book/en/v2/Git-Basics-Recordin
 to a branch in the repository. When you use the command line, you can commit multiple times before you push.
 
 - **Commit message:**
-  A commit message identities what is being changed and why.
+  A commit message identifies what is being changed and why.
   In GitLab, you can add keywords to the commit
   message to perform one of the following actions:
   - **Trigger a GitLab CI/CD pipeline:**

spec/models/namespace_spec.rb

@@ -157,6 +157,63 @@ RSpec.describe Namespace do
     end
   end
 
+  describe 'handling STI', :aggregate_failures do
+    let(:namespace_type) { nil }
+    let(:namespace) { Namespace.find(create(:namespace, type: namespace_type).id) }
+
+    context 'creating a Group' do
+      let(:namespace_type) { 'Group' }
+
+      it 'is valid' do
+        expect(namespace).to be_a(Group)
+        expect(namespace.kind).to eq('group')
+        expect(namespace.group?).to be_truthy
+      end
+    end
+
+    context 'creating a ProjectNamespace' do
+      let(:namespace_type) { 'Project' }
+
+      it 'is valid' do
+        expect(Namespace.find(namespace.id)).to be_a(Namespaces::ProjectNamespace)
+        expect(namespace.kind).to eq('project')
+        expect(namespace.project?).to be_truthy
+      end
+    end
+
+    context 'creating a UserNamespace' do
+      let(:namespace_type) { 'User' }
+
+      it 'is valid' do
+        # TODO: We create a normal Namespace until
+        #       https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68894 is ready
+        expect(Namespace.find(namespace.id)).to be_a(Namespace)
+        expect(namespace.kind).to eq('user')
+        expect(namespace.user?).to be_truthy
+      end
+    end
+
+    context 'creating a default Namespace' do
+      let(:namespace_type) { nil }
+
+      it 'is valid' do
+        expect(Namespace.find(namespace.id)).to be_a(Namespace)
+        expect(namespace.kind).to eq('user')
+        expect(namespace.user?).to be_truthy
+      end
+    end
+
+    context 'creating an unknown Namespace type' do
+      let(:namespace_type) { 'One' }
+
+      it 'defaults to a Namespace' do
+        expect(Namespace.find(namespace.id)).to be_a(Namespace)
+        expect(namespace.kind).to eq('user')
+        expect(namespace.user?).to be_truthy
+      end
+    end
+  end
+
   describe 'scopes', :aggregate_failures do
     let_it_be(:namespace1) { create(:group, name: 'Namespace 1', path: 'namespace-1') }
     let_it_be(:namespace2) { create(:group, name: 'Namespace 2', path: 'namespace-2') }

spec/models/repository_spec.rb

@@ -1338,6 +1338,12 @@ RSpec.describe Repository do
       expect(repository.license).to be_nil
     end
 
+    it 'returns nil when license_key is not recognized' do
+      expect(repository).to receive(:license_key).twice.and_return('not-recognized')
+
+      expect(repository.license).to be_nil
+    end
+
     it 'returns other when the content is not recognizable' do
       license = Licensee::License.new('other')
       repository.create_file(user, 'LICENSE', 'Gitlab B.V.',