Add latest changes from gitlab-org/gitlab@master

app/graphql/resolvers/ci/template_resolver.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Resolvers
+  module Ci
+    class TemplateResolver < BaseResolver
+      type Types::Ci::TemplateType, null: true
+
+      argument :name, GraphQL::STRING_TYPE, required: true,
+        description: 'Name of the CI/CD template to search for.'
+
+      alias_method :project, :object
+
+      def resolve(name: nil)
+        ::TemplateFinder.new(:gitlab_ci_ymls, project, name: name).execute
+      end
+    end
+  end
+end

app/graphql/types/ci/template_type.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module Types
+  module Ci
+    # rubocop: disable Graphql/AuthorizeTypes
+    class TemplateType < BaseObject
+      graphql_name 'CiTemplate'
+      description 'GitLab CI/CD configuration template.'
+
+      field :name, GraphQL::STRING_TYPE, null: false,
+        description: 'Name of the CI template.'
+      field :content, GraphQL::STRING_TYPE, null: false,
+        description: 'Contents of the CI template.'
+    end
+  end
+end

app/graphql/types/project_type.rb

@@ -337,6 +337,10 @@ module Types
           description: 'Pipeline analytics.',
           resolver: Resolvers::ProjectPipelineStatisticsResolver
 
+    field :ci_template, Types::Ci::TemplateType, null: true,
+          description: 'Find a single CI/CD template by name.',
+          resolver: Resolvers::Ci::TemplateResolver
+
     def label(title:)
       BatchLoader::GraphQL.for(title).batch(key: project) do |titles, loader, args|
         LabelsFinder

changelogs/unreleased/271242_fix_n_1_in_custom_emoji_filter.yml

@@ -0,0 +1,5 @@
+---
+title: Fix N+1 problem in CustomEmojiFilter
+merge_request: 60910
+author:
+type: performance

changelogs/unreleased/mc-feature-add-ci-templates-graphql.yml

@@ -0,0 +1,5 @@
+---
+title: Add CI template field to project GraphQL type.
+merge_request: 60276
+author:
+type: added

doc/api/graphql/reference/index.md

@@ -7298,6 +7298,17 @@ Represents the total number of issues and their weights for a particular day.
 | <a id="cistagejobs"></a>`jobs` | [`CiJobConnection`](#cijobconnection) | Jobs for the stage. (see [Connections](#connections)) |
 | <a id="cistagename"></a>`name` | [`String`](#string) | Name of the stage. |
 
+### `CiTemplate`
+
+GitLab CI/CD configuration template.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="citemplatecontent"></a>`content` | [`String!`](#string) | Contents of the CI template. |
+| <a id="citemplatename"></a>`name` | [`String!`](#string) | Name of the CI template. |
+
 ### `ClusterAgent`
 
 #### Fields
@@ -10815,6 +10826,18 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | ---- | ---- | ----------- |
 | <a id="projectboardsid"></a>`id` | [`BoardID`](#boardid) | Find a board by its ID. |
 
+##### `Project.ciTemplate`
+
+Find a single CI/CD template by name.
+
+Returns [`CiTemplate`](#citemplate).
+
+###### Arguments
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="projectcitemplatename"></a>`name` | [`String!`](#string) | Name of the CI/CD template to search for. |
+
 ##### `Project.clusterAgent`
 
 Find a single cluster agent by name.

doc/user/application_security/api_fuzzing/create_har_files.md

@@ -0,0 +1,234 @@
+---
+stage: Secure
+group: Fuzz Testing
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers
+type: howto
+---
+
+# HTTP Archive format
+
+HTTP Archive (HAR) format files are an industry standard for exchanging information about HTTP
+requests and HTTP responses. A HAR file's content is JSON formatted, containing browser interactions
+with a web site. The file extension `.har` is commonly used.
+
+The HAR files can be used to perform [web API Fuzz Testing](index.md#http-archive-har) as part of
+your [GitLab CI/CD](../../../ci/README.md) pipelines.
+
+WARNING:
+**DANGER** A HAR file stores information exchanged between web client and web server. It could also
+store sensitive information such as authentication tokens, API keys, and session cookies. We
+recommend that you review the HAR file contents before adding them to a repository.
+
+## HAR file creation
+
+You can create HAR files manually or by using a specialized tool for recording web sessions. We
+recommend using a specialized tool. However, it is important to make sure files created by these
+tools do not expose sensitive information, and can be safely used.
+
+The following tools can be used generate a HAR file based on your network activity. They
+automatically record your network activity and generate the HAR file:
+
+1. [GitLab HAR Recorder](#gitlab-har-recorder).
+1. [Insomnia API Client](#insomnia-api-client).
+1. [Fiddler debugging proxy](#fiddler-debugging-proxy).
+1. [Safari web browser](#safari-web-browser).
+1. [Chrome web browser](#chrome-web-browser).
+1. [Firefox web browser](#firefox-web-browser).
+
+WARNING:
+**DANGER** HAR files may contain sensitive information such as authentication tokens, API keys, and
+session cookies. We recommend that you review the HAR file contents before adding them to a
+repository.
+
+### GitLab HAR Recorder
+
+[GitLab HAR Recorder](https://gitlab.com/gitlab-org/security-products/har-recorder) is a command
+line tool for recording HTTP messages and saving them to HTTP Archive (HAR) files. For more details
+about the GitLab HAR Recorder, see the [homepage](https://gitlab.com/gitlab-org/security-products/har-recorder).
+
+#### Install GitLab HAR Recorder
+
+Prerequisites:
+
+- Install Python 3.6 or greater.
+- For Microsoft Windows, you must also install `Microsoft Visual C++ 14.0`. It's included with
+  *Build Tools for Visual Studio* from [Visual Studio Downloads page](https://visualstudio.microsoft.com/downloads/).
+- Install HAR Recorder.
+
+Install GitLab HAR Recorder:
+
+  ```shell
+  pip install gitlab-har-recorder --extra-index-url https://gitlab.com/api/v4/projects/22441624/packages/pypi/simple
+  ```
+
+#### Create a HAR file with GitLab HAR Recorder
+
+1. Start recorder with the proxy port and HAR filename.
+1. Complete the browser actions, using the proxy.
+   1. Make sure proxy is used!
+1. Stop the recorder.
+
+To verify the HAR contains all requests, use the [HAR Viewer (online)](http://www.softwareishard.com/har/viewer/).
+[Google Admin Toolbox HAR Analyzer](https://toolbox.googleapps.com/apps/har_analyzer/)
+
+### Insomnia API Client
+
+[Insomnia API Client](https://insomnia.rest/) is an API design tool that among many uses, helps
+you to design, describe, and test your API. You can also use it to generate HAR files that can be
+used in [Web API Fuzz Testing](index.md#http-archive-har).
+
+#### Create a HAR file with the Insomnia API Client
+
+1. Define or import your API.
+   - Postman v2.
+   - Curl.
+   - OpenAPI v2, v3.
+1. Verify each API call works.
+   - If you imported an OpenAPI specification, go through and add working data.
+1. Select **API > Import/Export**.
+1. Select **Export Data > Current Workspace**.
+1. Select requests to include in the HAR file.
+1. Select **Export**.
+1. In the **Select Export Type** dropdown select **HAR -- HTTP Archive Format**.
+1. Select **Done**.
+1. Enter a location and filename for the HAR file.
+
+### Fiddler debugging proxy
+
+[Fiddler](https://www.telerik.com/fiddler) is a web debugger tool. It captures HTTP and HTTP(S)
+network traffic and allows you to examine each request. It also lets you export the requests and
+responses in HAR format.
+
+#### Create a HAR file with Fiddler
+
+1. Go to the [Fiddler home page](https://www.telerik.com/fiddler) and sign in. If you don't already
+have an account, first create an account.
+1. Browse pages that call an API. Fiddler automatically captures the requests.
+1. Select one or more requests, then from the context menu, select **Export > Selected Sessions**.
+1. In the **Choose Format** dropdown select **HTTPArchive v1.2**.
+1. Enter a filename and select **Save**.
+
+Fiddler shows a popup message confirming the export has succeeded.
+
+### Safari web browser
+
+[Safari](https://www.apple.com/safari/) is a web browser maintained by Apple. As web development
+evolves, browsers support new capabilities. With Safari you can explore network traffic and
+export it as a HAR file.
+
+#### Create a HAR file with Safari
+
+Prerequisites:
+
+- Enable the `Develop` menu item.
+  1. Open Safari's preferences. Press <kbd>Command</kbd>+<kbd>,</kbd> or from the menu, select
+     **Safari > Preferences...**.
+  1. Select **Advanced** tab, then select `Show Develop menu item in menu bar`.
+  1. Close the **Preferences** window.
+
+1. Open the **Web Inspector**. Press <kbd>Option</kbd>+<kbd>Command</kbd>+<kbd>i</kbd>, or from the
+   menu, select **Develop > Show Web Inspector**.
+1. Select the **Network** tab, and select **Preserve Log**.
+1. Browse pages that call the API.
+1. Open the **Web Inspector** and select the **Network** tab
+1. Right-click on the request to export and select **Export HAR**.
+1. Enter a filename and select **Save**.
+
+### Chrome web browser
+
+[Chrome](https://www.google.com/chrome/) is a web browser maintained by Google. As web development
+evolves, browsers support new capabilities. With Chrome you can explore network traffic and
+export it as a HAR file.
+
+#### Create a HAR file with Chrome
+
+1. From the Chrome context menu, select **Inspect**.
+1. Select the **Network** tab.
+1. Select **Preserve log**.
+1. Browse pages that call the API.
+1. Select one or more requests.
+1. Right click and select **Save all as HAR with content**.
+1. Enter a filename and select **Save**.
+1. To append additional requests, select and save them to the same file.
+
+### Firefox Web Browser
+
+[Firefox](https://www.mozilla.org/en-US/firefox/new/) is a web browser maintained by Mozilla. As web
+development evolves, browsers support new capabilities. With Firefox you can explore network traffic
+and export it as a HAR file.
+
+#### Create a HAR file with Firefox
+
+1. From the Firefox context menu, select **Inspect**.
+1. Select the **Network** tab.
+1. Browse pages that call the API.
+1. Check the **Network** tab and confirm requests are being recorded. If there is a message
+   `Perform a request or Reload the page to see detailed information about network activity`,
+   select **Reload** to start recording requests.
+1. Select one or more requests.
+1. Right click and select **Save All As HAR**.
+1. Enter a filename and select **Save**.
+1. To append additional requests, select and save them to the same file.
+
+## HAR verification
+
+Before using HAR files it's important to make sure they don't expose any sensitive information.
+
+For each HAR file you should:
+
+- View the HAR file's content
+- Review the HAR file for sensitive information
+- Edit or remove sensitive information
+
+### View HAR file contents
+
+We recommend viewing a HAR file's content in a tool that can present its content in a structured
+way. Several HAR file viewers are available online. If you would prefer not to upload the HAR file,
+you can use a tool installed on your computer. HAR files used JSON format, so can also be viewed in
+a text editor.
+
+Tools recommended for viewing HAR files include:
+
+- [HAR Viewer](http://www.softwareishard.com/har/viewer/) - (online)
+- [Google Admin Toolbox HAR Analyzer](https://toolbox.googleapps.com/apps/har_analyzer/) - (online)
+- [Fiddler](https://www.telerik.com/fiddler) - local
+- [Insomnia API Client](https://insomnia.rest/) - local
+
+## Review HAR file content
+
+Review the HAR file for any of the following:
+
+- Information that could help to grant access to your application, for example: authentication
+  tokens, authentication tokens, cookies, API keys.
+- [Personally Identifiable Information (PII)](https://en.wikipedia.org/wiki/Personal_data).
+
+We strongly recommended that you [edit or remove it](#edit-or-remove-sensitive-information) any
+sensitive information.
+
+Use the following as a checklist to start with. Note that it's not an exhaustive list.
+
+- Look for secrets. For example: if your application requires authentication, check common locations
+  or authentication information:
+  - Authentication related headers. For example: cookies, authorization. These headers could contain
+    valid information.
+  - A request related to authentication. The body of these requests might contain information such
+    as user credentials or tokens.
+  - Session tokens. Session tokens could grant access to your application. The location of these
+    token could vary. They could be in headers, query parameters or body.
+- Look for Personally Identifiable Information
+  - For example, if your application retrieves a list of users and their personal data: phones,
+    names, emails.
+  - Authentication information might also contain personal information.
+
+## Edit or remove sensitive information
+
+Edit or remove sensitive information found during the [HAR file content review](#review-har-file-content).
+HAR files are JSON files and can be edited in any text editor.
+
+After editing the HAR file, open it in a HAR file viewer to verify its formatting and structure are
+intact.
+
+The following example demonstrates use of [Visual Studio Code](https://code.visualstudio.com/) text
+editor to edit an Authorization token found in a header.
+
+![Authorization token edited in Visual Studio Code](img/vscode_har_edit_auth_header.png)

doc/user/application_security/api_fuzzing/index.md

@@ -194,13 +194,7 @@ is an archive file format for logging HTTP transactions. When used with the GitL
 must contain records of calling the web API to test. The API fuzzer extracts all the requests and
 uses them to perform testing.
 
-You can use various tools to generate HAR files:
-
-- [Fiddler](https://www.telerik.com/fiddler): Web debugging proxy
-- [Insomnia Core](https://insomnia.rest/): API client
-- [Chrome](https://www.google.com/chrome/): Browser
-- [Firefox](https://www.mozilla.org/en-US/firefox/): Browser
-- [GitLab HAR Recorder](https://gitlab.com/gitlab-org/security-products/har-recorder): Command line
+For more details, including how to create a HAR file, see [HTTP Archive format](create_har_files.md).
 
 WARNING:
 HAR files may contain sensitive information such as authentication tokens, API keys, and session

lib/api/award_emoji.rb

@@ -4,23 +4,18 @@ module API
   class AwardEmoji < ::API::Base
     include PaginationParams
 
-    before { authenticate! }
-    AWARDABLES = [
-      { type: 'issue', find_by: :iid, feature_category: :issue_tracking },
-      { type: 'merge_request', find_by: :iid, feature_category: :code_review },
-      { type: 'snippet', find_by: :id, feature_category: :snippets }
-    ].freeze
+    helpers ::API::Helpers::AwardEmoji
 
-    params do
-      requires :id, type: String, desc: 'The ID of a project'
-    end
-    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
-      AWARDABLES.each do |awardable_params|
+    before { authenticate! }
+
+    Helpers::AwardEmoji.awardables.each do |awardable_params|
+      resource awardable_params[:resource], requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
         awardable_string = awardable_params[:type].pluralize
         awardable_id_string = "#{awardable_params[:type]}_#{awardable_params[:find_by]}"
 
         params do
-          requires :"#{awardable_id_string}", type: Integer, desc: "The ID of an Issue, Merge Request or Snippet"
+          requires :id, type: String, desc: "The ID of a #{awardable_params[:resource] == :projects ? 'project' : 'group'}"
+          requires :"#{awardable_id_string}", type: Integer, desc: Helpers::AwardEmoji.awardable_id_desc
         end
 
         [
@@ -104,25 +99,6 @@ module API
         awardable.user_can_award?(current_user)
       end
 
-      # rubocop: disable CodeReuse/ActiveRecord
-      def awardable
-        @awardable ||=
-          begin
-            if params.include?(:note_id)
-              note_id = params.delete(:note_id)
-
-              awardable.notes.find(note_id)
-            elsif params.include?(:issue_iid)
-              user_project.issues.find_by!(iid: params[:issue_iid])
-            elsif params.include?(:merge_request_iid)
-              user_project.merge_requests.find_by!(iid: params[:merge_request_iid])
-            else
-              user_project.snippets.find(params[:snippet_id])
-            end
-          end
-      end
-      # rubocop: enable CodeReuse/ActiveRecord
-
       def read_ability(awardable)
         case awardable
         when Note

lib/api/helpers/award_emoji.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module API
+  module Helpers
+    module AwardEmoji
+      def self.awardables
+        [
+          { type: 'issue', resource: :projects, find_by: :iid, feature_category: :issue_tracking },
+          { type: 'merge_request', resource: :projects, find_by: :iid, feature_category: :code_review },
+          { type: 'snippet', resource: :projects, find_by: :id, feature_category: :snippets }
+        ]
+      end
+
+      def self.awardable_id_desc
+        "The ID of an Issue, Merge Request or Snippet"
+      end
+
+      # rubocop: disable CodeReuse/ActiveRecord
+      def awardable
+        @awardable ||=
+          begin
+            if params.include?(:note_id)
+              note_id = params.delete(:note_id)
+
+              awardable.notes.find(note_id)
+            elsif params.include?(:issue_iid)
+              user_project.issues.find_by!(iid: params[:issue_iid])
+            elsif params.include?(:merge_request_iid)
+              user_project.merge_requests.find_by!(iid: params[:merge_request_iid])
+            elsif params.include?(:snippet_id)
+              user_project.snippets.find(params[:snippet_id])
+            end
+          end
+      end
+      # rubocop: enable CodeReuse/ActiveRecord
+    end
+  end
+end
+
+API::Helpers::AwardEmoji.prepend_if_ee('EE::API::Helpers::AwardEmoji')

lib/banzai/filter/custom_emoji_filter.rb

@@ -3,6 +3,8 @@
 module Banzai
   module Filter
     class CustomEmojiFilter < HTML::Pipeline::Filter
+      include Gitlab::Utils::StrongMemoize
+
       IGNORED_ANCESTOR_TAGS = %w(pre code tt).to_set
 
       def call
@@ -14,7 +16,7 @@ module Banzai
 
           next if has_ancestor?(node, IGNORED_ANCESTOR_TAGS)
           next unless content.include?(':')
-          next unless namespace && namespace.custom_emoji.any?
+          next unless has_custom_emoji?
 
           html = custom_emoji_name_element_filter(content)
 
@@ -46,6 +48,12 @@ module Banzai
 
       private
 
+      def has_custom_emoji?
+        strong_memoize(:has_custom_emoji) do
+          namespace&.custom_emoji&.any?
+        end
+      end
+
       def namespace
         context[:project].namespace.root_ancestor
       end

spec/graphql/resolvers/ci/template_resolver_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Resolvers::Ci::TemplateResolver do
+  include GraphqlHelpers
+
+  describe '#resolve' do
+    let(:user) { create(:user) }
+    let(:project) { create(:project) }
+
+    subject(:resolve_subject) { resolve(described_class, obj: project, ctx: { current_user: user }, args: { name: template_name }) }
+
+    context 'when template exists' do
+      let(:template_name) { 'Android' }
+
+      it 'returns the found template' do
+        found_template = resolve_subject
+
+        expect(found_template).to be_an_instance_of(Gitlab::Template::GitlabCiYmlTemplate)
+        expect(found_template.name).to eq('Android')
+      end
+    end
+
+    context 'when template does not exist' do
+      let(:template_name) { 'invalidname' }
+
+      it 'returns nil' do
+        expect(resolve_subject).to eq(nil)
+      end
+    end
+  end
+end

spec/graphql/types/ci/template_type_spec.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Types::Ci::TemplateType do
+  specify { expect(described_class.graphql_name).to eq('CiTemplate') }
+
+  it 'exposes the expected fields' do
+    expected_fields = %i[
+      name
+      content
+    ]
+
+    expect(described_class).to have_graphql_fields(*expected_fields)
+  end
+end

spec/graphql/types/project_type_spec.rb

@@ -32,6 +32,7 @@ RSpec.describe GitlabSchema.types['Project'] do
       issue_status_counts terraform_states alert_management_integrations
       container_repositories container_repositories_count
       pipeline_analytics squash_read_only sast_ci_configuration
+      ci_template
     ]
 
     expect(described_class).to include_graphql_fields(*expected_fields)
@@ -379,4 +380,11 @@ RSpec.describe GitlabSchema.types['Project'] do
     it { is_expected.to have_graphql_type(Types::Ci::JobType.connection_type) }
     it { is_expected.to have_graphql_arguments(:statuses) }
   end
+
+  describe 'ci_template field' do
+    subject { described_class.fields['ciTemplate'] }
+
+    it { is_expected.to have_graphql_type(Types::Ci::TemplateType) }
+    it { is_expected.to have_graphql_arguments(:name) }
+  end
 end

spec/lib/banzai/filter/custom_emoji_filter_spec.rb

@@ -53,7 +53,7 @@ RSpec.describe Banzai::Filter::CustomEmojiFilter do
     end
 
     expect do
-      filter('<p>:tanuki: :party-parrot:</p>')
+      filter('<p>:tanuki:</p> <p>:party-parrot:</p>')
     end.not_to exceed_all_query_limit(control_count.count)
   end
 end

spec/requests/api/graphql/ci/template_spec.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+require 'spec_helper'
+
+RSpec.describe 'Querying CI template' do
+  include GraphqlHelpers
+
+  let_it_be(:project) { create(:project, :public) }
+  let_it_be(:user) { create(:user) }
+
+  let(:query) do
+    <<~QUERY
+    {
+      project(fullPath: "#{project.full_path}") {
+        name
+        ciTemplate(name: "#{template_name}") {
+          name
+          content
+        }
+      }
+    }
+    QUERY
+  end
+
+  before do
+    post_graphql(query, current_user: user)
+  end
+
+  context 'when the template exists' do
+    let(:template_name) { 'Android' }
+
+    it_behaves_like 'a working graphql query'
+
+    it 'returns correct data' do
+      expect(graphql_data.dig('project', 'ciTemplate', 'name')).to eq(template_name)
+      expect(graphql_data.dig('project', 'ciTemplate', 'content')).not_to be_blank
+    end
+  end
+
+  context 'when the template does not exist' do
+    let(:template_name) { 'doesnotexist' }
+
+    it_behaves_like 'a working graphql query'
+
+    it 'returns correct data' do
+      expect(graphql_data.dig('project', 'ciTemplate')).to eq(nil)
+    end
+  end
+end