{{ $options.i18n.contentChange }}
diff --git a/app/assets/javascripts/pipeline_editor/constants.js b/app/assets/javascripts/pipeline_editor/constants.js
index 4b07045e638..dd25c4d433b 100644
--- a/app/assets/javascripts/pipeline_editor/constants.js
+++ b/app/assets/javascripts/pipeline_editor/constants.js
@@ -75,6 +75,8 @@ export const pipelineEditorTrackingOptions = {
[CI_YAML_LINK]: 'visit_help_drawer_link_yaml',
},
openHelpDrawer: 'open_help_drawer',
+ resimulatePipeline: 'resimulate_pipeline',
+ simulatePipeline: 'simulate_pipeline',
},
};
diff --git a/app/controllers/projects/alerting/notifications_controller.rb b/app/controllers/projects/alerting/notifications_controller.rb
index 82fff287c4a..f3283c88740 100644
--- a/app/controllers/projects/alerting/notifications_controller.rb
+++ b/app/controllers/projects/alerting/notifications_controller.rb
@@ -13,8 +13,6 @@ module Projects
prepend_before_action :repository, :project_without_auth
feature_category :incident_management
- # Goal is to increase the urgency to medium.
- # See https://gitlab.com/gitlab-org/gitlab/-/issues/361310.
urgency :low, [:create]
def create
diff --git a/app/controllers/projects/jobs_controller.rb b/app/controllers/projects/jobs_controller.rb
index 8570bbf1dbd..7878ace5015 100644
--- a/app/controllers/projects/jobs_controller.rb
+++ b/app/controllers/projects/jobs_controller.rb
@@ -18,7 +18,6 @@ class Projects::JobsController < Projects::ApplicationController
before_action :verify_api_request!, only: :terminal_websocket_authorize
before_action :authorize_create_proxy_build!, only: :proxy_websocket_authorize
before_action :verify_proxy_request!, only: :proxy_websocket_authorize
- before_action :push_job_log_search, only: [:show]
before_action :push_job_log_jump_to_failures, only: [:show]
before_action :reject_if_build_artifacts_size_refreshing!, only: [:erase]
@@ -250,10 +249,6 @@ class Projects::JobsController < Projects::ApplicationController
::Gitlab::Workhorse.channel_websocket(service)
end
- def push_job_log_search
- push_frontend_feature_flag(:job_log_search, @project)
- end
-
def push_job_log_jump_to_failures
push_frontend_feature_flag(:job_log_jump_to_failures, @project)
end
diff --git a/app/views/projects/labels/index.html.haml b/app/views/projects/labels/index.html.haml
index 647464b31f8..f7a02c521f5 100644
--- a/app/views/projects/labels/index.html.haml
+++ b/app/views/projects/labels/index.html.haml
@@ -11,14 +11,14 @@
.labels-container.gl-mt-5
- if can_admin_label && search.blank?
%p.text-muted
- = _('Labels can be applied to issues and merge requests.')
- %br
- = _('Star a label to make it a priority label. Order the prioritized labels to change their relative priority, by dragging.')
+ = _('Labels can be applied to issues and merge requests. Star a label to make it a priority label.')
-# Only show it in the first page
- hide = @available_labels.empty? || (params[:page].present? && params[:page] != '1')
.prioritized-labels.gl-mb-7{ class: [('hide' if hide), ('is-not-draggable' unless can_admin_label)] }
%h4.gl-mt-3= _('Prioritized Labels')
+ %p.text-muted
+ = _('Drag to reorder prioritized labels and change their relative priority.')
.manage-labels-list.js-prioritized-labels{ data: { url: set_priorities_project_labels_path(@project), sortable: can_admin_label } }
#js-priority-labels-empty-state.priority-labels-empty-state{ class: "#{'hidden' unless @prioritized_labels.empty? && search.blank?}" }
= render 'shared/empty_states/priority_labels'
diff --git a/app/views/shared/_label_row.html.haml b/app/views/shared/_label_row.html.haml
index 252f9c26f06..c351ea29c7c 100644
--- a/app/views/shared/_label_row.html.haml
+++ b/app/views/shared/_label_row.html.haml
@@ -3,11 +3,11 @@
- show_label_issues_link = subject_or_group_defined && show_label_issuables_link?(label, :issues)
- show_label_merge_requests_link = subject_or_group_defined && show_label_issuables_link?(label, :merge_requests)
-.label-name.gl-flex-shrink-0.gl-mt-2.gl-mr-3
+.label-name.gl-flex-shrink-0.gl-mt-2.gl-mr-5
= render_label(label, tooltip: false)
.label-description.gl-overflow-hidden.gl-w-full
.gl-display-flex.gl-align-items-stretch.gl-flex-wrap.gl-mt-2
- .gl-flex-basis-half.gl-flex-grow-1.gl-overflow-hidden.gl-mr-2
+ .gl-flex-basis-half.gl-flex-grow-1.gl-overflow-hidden.gl-mr-5
- if label.description.present?
= markdown_field(label, :description)
- elsif show_labels_full_path?(@project, @group)
diff --git a/config/feature_flags/development/job_log_search.yml b/config/feature_flags/development/job_log_search.yml
deleted file mode 100644
index b6f1cec26f6..00000000000
--- a/config/feature_flags/development/job_log_search.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: job_log_search
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91293
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/366455
-milestone: '15.2'
-type: development
-group: group::pipeline execution
-default_enabled: false
diff --git a/db/post_migrate/20220616171355_update_vulnerabilities_project_id_id_active_cis_index.rb b/db/post_migrate/20220616171355_update_vulnerabilities_project_id_id_active_cis_index.rb
new file mode 100644
index 00000000000..047ae0d1132
--- /dev/null
+++ b/db/post_migrate/20220616171355_update_vulnerabilities_project_id_id_active_cis_index.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+class UpdateVulnerabilitiesProjectIdIdActiveCisIndex < Gitlab::Database::Migration[2.0]
+ disable_ddl_transaction!
+
+ NEW_INDEX_NAME = 'idx_vulnerabilities_on_project_id_and_id_active_cis_dft_branch'
+ OLD_INDEX_NAME = 'index_vulnerabilities_on_project_id_and_id_active_cis'
+ OLD_INDEX_FILTER_CONDITION = 'report_type = 7 AND state = ANY(ARRAY[1, 4])'
+ NEW_INDEX_FILTER_CONDITION = 'report_type = 7 AND state = ANY(ARRAY[1, 4]) AND present_on_default_branch IS TRUE'
+
+ def up
+ add_concurrent_index :vulnerabilities, [:project_id, :id],
+ where: NEW_INDEX_FILTER_CONDITION,
+ name: NEW_INDEX_NAME
+
+ remove_concurrent_index_by_name(:vulnerabilities, OLD_INDEX_NAME)
+ end
+
+ def down
+ add_concurrent_index :vulnerabilities, [:project_id, :id], where: OLD_INDEX_FILTER_CONDITION, name: OLD_INDEX_NAME
+
+ remove_concurrent_index_by_name(:vulnerabilities, NEW_INDEX_NAME)
+ end
+end
diff --git a/db/schema_migrations/20220616171355 b/db/schema_migrations/20220616171355
new file mode 100644
index 00000000000..cd212025f70
--- /dev/null
+++ b/db/schema_migrations/20220616171355
@@ -0,0 +1 @@
+63ec85b4f8b7eb15c232c4a25c1e63027c38c23caf81a89c4d05227a6be00e4b
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index b055d831ce6..aff91f735e7 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -27472,6 +27472,8 @@ CREATE UNIQUE INDEX idx_vuln_signatures_on_occurrences_id_and_signature_sha ON v
CREATE UNIQUE INDEX idx_vuln_signatures_uniqueness_signature_sha ON vulnerability_finding_signatures USING btree (finding_id, algorithm_type, signature_sha);
+CREATE INDEX idx_vulnerabilities_on_project_id_and_id_active_cis_dft_branch ON vulnerabilities USING btree (project_id, id) WHERE ((report_type = 7) AND (state = ANY (ARRAY[1, 4])) AND (present_on_default_branch IS TRUE));
+
CREATE INDEX idx_vulnerabilities_partial_devops_adoption_and_default_branch ON vulnerabilities USING btree (project_id, created_at, present_on_default_branch) WHERE (state <> 1);
CREATE UNIQUE INDEX idx_vulnerability_ext_issue_links_on_vulne_id_and_ext_issue ON vulnerability_external_issue_links USING btree (vulnerability_id, external_type, external_project_key, external_issue_key);
@@ -30364,8 +30366,6 @@ CREATE INDEX index_vulnerabilities_on_last_edited_by_id ON vulnerabilities USING
CREATE INDEX index_vulnerabilities_on_milestone_id ON vulnerabilities USING btree (milestone_id);
-CREATE INDEX index_vulnerabilities_on_project_id_and_id_active_cis ON vulnerabilities USING btree (project_id, id) WHERE ((report_type = 7) AND (state = ANY (ARRAY[1, 4])));
-
CREATE INDEX index_vulnerabilities_on_project_id_and_state_and_severity ON vulnerabilities USING btree (project_id, state, severity);
CREATE INDEX index_vulnerabilities_on_resolved_by_id ON vulnerabilities USING btree (resolved_by_id);
diff --git a/doc/administration/audit_events.md b/doc/administration/audit_events.md
index 0aa766aa0d4..92504c226fb 100644
--- a/doc/administration/audit_events.md
+++ b/doc/administration/audit_events.md
@@ -152,6 +152,7 @@ From there, you can see the following actions:
- Added, removed, or updated protected branches
- Release was added to a project
- Release was updated
+- Release was deleted ([introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/94793/) in GitLab 13.5)
- Release milestone associations changed
- Permission to approve merge requests by committers was updated ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7531) in GitLab 12.9)
- Permission to approve merge requests by committers was updated.
diff --git a/doc/api/packages.md b/doc/api/packages.md
index 9d9c21546cd..3cd93bd09c1 100644
--- a/doc/api/packages.md
+++ b/doc/api/packages.md
@@ -6,6 +6,8 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# Packages API **(FREE)**
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/349418) support for [GitLab CI/CD job token](../ci/jobs/ci_job_token.md) authentication for the project-level API in GitLab 15.3.
+
This is the API documentation of [GitLab Packages](../administration/packages/index.md).
## List packages
diff --git a/doc/ci/jobs/ci_job_token.md b/doc/ci/jobs/ci_job_token.md
index 9567bc9cd65..93f22da648a 100644
--- a/doc/ci/jobs/ci_job_token.md
+++ b/doc/ci/jobs/ci_job_token.md
@@ -13,6 +13,7 @@ You can use a GitLab CI/CD job token to authenticate with specific API endpoints
- Packages:
- [Package Registry](../../user/packages/package_registry/index.md#use-gitlab-cicd-to-build-packages).
+ - [Packages API](../../api/packages.md) (project-level).
- [Container Registry](../../user/packages/container_registry/index.md#build-and-push-by-using-gitlab-cicd)
(the `$CI_REGISTRY_PASSWORD` is `$CI_JOB_TOKEN`).
- [Container Registry API](../../api/container_registry.md)
diff --git a/doc/ci/jobs/job_control.md b/doc/ci/jobs/job_control.md
index e2a1751f279..0d5357e63ad 100644
--- a/doc/ci/jobs/job_control.md
+++ b/doc/ci/jobs/job_control.md
@@ -567,6 +567,9 @@ In blocking manual jobs:
enabled can't be merged with a blocked pipeline.
- The pipeline shows a status of **blocked**.
+When using manual jobs in triggered pipelines with [`strategy: depend`](../yaml/index.md#triggerstrategy),
+the type of manual job can affect the trigger job's status while the pipeline runs.
+
### Run a manual job
To run a manual job, you must have permission to merge to the assigned branch:
diff --git a/doc/ci/pipelines/multi_project_pipelines.md b/doc/ci/pipelines/multi_project_pipelines.md
index 81c0639817f..a71af78f410 100644
--- a/doc/ci/pipelines/multi_project_pipelines.md
+++ b/doc/ci/pipelines/multi_project_pipelines.md
@@ -341,8 +341,8 @@ If you use [`only/except`](../yaml/index.md#only--except) to control job behavio
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/11238) in GitLab Premium 12.3.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/199224) to GitLab Free in 12.8.
-You can mirror the pipeline status from the triggered pipeline to the source
-trigger job by using `strategy: depend`. For example:
+You can mirror the pipeline status from the triggered pipeline to the source trigger job
+by using [`strategy: depend`](../yaml/index.md#triggerstrategy). For example:
```yaml
trigger_job:
diff --git a/doc/ci/yaml/index.md b/doc/ci/yaml/index.md
index 466cfc5e6ba..0b434e7013c 100644
--- a/doc/ci/yaml/index.md
+++ b/doc/ci/yaml/index.md
@@ -3966,6 +3966,17 @@ trigger_job:
In this example, jobs from subsequent stages wait for the triggered pipeline to
successfully complete before starting.
+**Additional details**:
+
+- [Optional manual jobs](../jobs/job_control.md#types-of-manual-jobs) in the downstream pipeline
+ do not affect the status of the downstream pipeline or the upstream trigger job.
+ The downstream pipeline can complete successfully without running any optional manual jobs.
+- [Blocking manual jobs](../jobs/job_control.md#types-of-manual-jobs) in the downstream pipeline
+ must run before the trigger job is marked as successful or failed. The trigger job
+ shows **pending** (**{status_pending}**) if the downstream pipeline status is
+ **waiting for manual action** (**{status_manual}**) due to manual jobs. By default,
+ jobs in later stages do not start until the trigger job completes.
+
#### `trigger:forward`
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213729) in GitLab 14.9 [with a flag](../../administration/feature_flags.md) named `ci_trigger_forward_variables`. Disabled by default.
diff --git a/doc/user/admin_area/settings/visibility_and_access_controls.md b/doc/user/admin_area/settings/visibility_and_access_controls.md
index 361a14be75c..118d375da01 100644
--- a/doc/user/admin_area/settings/visibility_and_access_controls.md
+++ b/doc/user/admin_area/settings/visibility_and_access_controls.md
@@ -53,6 +53,7 @@ By default both administrators and anyone with the **Owner** role can delete a p
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/255449) in GitLab 14.2 for groups created after August 12, 2021.
> - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/352960) from default delayed project deletion in GitLab 15.1.
> - [Enabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89466) in GitLab 15.1.
+> - [Disabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95495) in GitLab 15.3.
Instance-level protection against accidental deletion of groups and projects.
diff --git a/doc/user/project/settings/index.md b/doc/user/project/settings/index.md
index 5a3a7e13205..b973a0f56d1 100644
--- a/doc/user/project/settings/index.md
+++ b/doc/user/project/settings/index.md
@@ -447,9 +447,10 @@ in GitLab 12.6, and then to [immediate deletion](https://gitlab.com/gitlab-org/g
### Delayed project deletion **(PREMIUM)**
-> [Enabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89466) in GitLab 15.1.
+> - [Enabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89466) in GitLab 15.1.
+> - [Disabled for projects in personal namespaces](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95495) in GitLab 15.3.
-Projects can be deleted after a delay period. Multiple settings can affect whether
+Projects in a group (not a personal namespace) can be deleted after a delay period. Multiple settings can affect whether
delayed project deletion is enabled for a particular project:
- Self-managed instance [settings](../../admin_area/settings/visibility_and_access_controls.md#delayed-project-deletion).
diff --git a/lib/api/project_packages.rb b/lib/api/project_packages.rb
index 21b2b17d234..800966408fc 100644
--- a/lib/api/project_packages.rb
+++ b/lib/api/project_packages.rb
@@ -36,6 +36,7 @@ module API
optional :status, type: String, values: Packages::Package.statuses.keys,
desc: 'Return packages with specified status'
end
+ route_setting :authentication, job_token_allowed: true
get ':id/packages' do
packages = ::Packages::PackagesFinder.new(
user_project,
@@ -52,6 +53,7 @@ module API
params do
requires :package_id, type: Integer, desc: 'The ID of a package'
end
+ route_setting :authentication, job_token_allowed: true
get ':id/packages/:package_id' do
package = ::Packages::PackageFinder
.new(user_project, params[:package_id]).execute
@@ -65,6 +67,7 @@ module API
params do
requires :package_id, type: Integer, desc: 'The ID of a package'
end
+ route_setting :authentication, job_token_allowed: true
delete ':id/packages/:package_id' do
authorize_destroy_package!(user_project)
diff --git a/lib/api/releases.rb b/lib/api/releases.rb
index d7e497bddf3..10e879ec70b 100644
--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
@@ -186,6 +186,8 @@ module API
.execute
if result[:status] == :success
+ log_release_deleted_audit_event
+
present result[:release], with: Entities::Release, current_user: current_user
else
render_api_error!(result[:message], result[:http_status])
@@ -238,6 +240,10 @@ module API
# extended in EE
end
+ def log_release_deleted_audit_event
+ # extended in EE
+ end
+
def log_release_milestones_updated_audit_event
# extended in EE
end
diff --git a/lib/gitlab/ci/config/entry/processable.rb b/lib/gitlab/ci/config/entry/processable.rb
index 78794f524f4..975da8662e1 100644
--- a/lib/gitlab/ci/config/entry/processable.rb
+++ b/lib/gitlab/ci/config/entry/processable.rb
@@ -120,7 +120,7 @@ module Gitlab
stage: stage_value,
extends: extends,
rules: rules_value,
- job_variables: variables_value.to_h,
+ job_variables: variables_entry.value_with_data,
root_variables_inheritance: root_variables_inheritance,
only: only_value,
except: except_value,
diff --git a/lib/gitlab/ci/config/entry/variables.rb b/lib/gitlab/ci/config/entry/variables.rb
index efb469ee32a..3130aec0446 100644
--- a/lib/gitlab/ci/config/entry/variables.rb
+++ b/lib/gitlab/ci/config/entry/variables.rb
@@ -18,7 +18,9 @@ module Gitlab
end
def value
- @config.to_h { |key, value| [key.to_s, expand_value(value)[:value]] }
+ @config.to_h do |key, data|
+ [key.to_s, expand_data(data)[:value]]
+ end
end
def self.default(**)
@@ -26,7 +28,9 @@ module Gitlab
end
def value_with_data
- @config.to_h { |key, value| [key.to_s, expand_value(value)] }
+ @config.to_h do |key, data|
+ [key.to_s, expand_data(data)]
+ end
end
def use_value_data?
@@ -35,11 +39,11 @@ module Gitlab
private
- def expand_value(value)
- if value.is_a?(Hash)
- { value: value[:value].to_s, description: value[:description] }
+ def expand_data(data)
+ if data.is_a?(Hash)
+ { value: data[:value].to_s, description: data[:description] }.compact
else
- { value: value.to_s, description: nil }
+ { value: data.to_s }
end
end
end
diff --git a/lib/gitlab/ci/variables/helpers.rb b/lib/gitlab/ci/variables/helpers.rb
index 7cc727bb3ea..300b2708e6d 100644
--- a/lib/gitlab/ci/variables/helpers.rb
+++ b/lib/gitlab/ci/variables/helpers.rb
@@ -6,26 +6,24 @@ module Gitlab
module Helpers
class << self
def merge_variables(current_vars, new_vars)
- current_vars = transform_from_yaml_variables(current_vars)
- new_vars = transform_from_yaml_variables(new_vars)
+ return current_vars if new_vars.blank?
- transform_to_yaml_variables(
- current_vars.merge(new_vars)
- )
+ current_vars = transform_to_array(current_vars) if current_vars.is_a?(Hash)
+ new_vars = transform_to_array(new_vars) if new_vars.is_a?(Hash)
+
+ (new_vars + current_vars).uniq { |var| var[:key] }
end
- def transform_to_yaml_variables(vars)
- vars.to_h.map do |key, value|
- { key: key.to_s, value: value, public: true }
+ def transform_to_array(vars)
+ vars.to_h.map do |key, data|
+ if data.is_a?(Hash)
+ { key: key.to_s, **data.except(:key) }
+ else
+ { key: key.to_s, value: data }
+ end
end
end
- def transform_from_yaml_variables(vars)
- return vars.stringify_keys.transform_values(&:to_s) if vars.is_a?(Hash)
-
- vars.to_a.to_h { |var| [var[:key].to_s, var[:value]] }
- end
-
def inherit_yaml_variables(from:, to:, inheritance:)
merge_variables(apply_inheritance(from, inheritance), to)
end
@@ -35,7 +33,7 @@ module Gitlab
def apply_inheritance(variables, inheritance)
case inheritance
when true then variables
- when false then {}
+ when false then []
when Array then variables.select { |var| inheritance.include?(var[:key]) }
end
end
diff --git a/lib/gitlab/ci/yaml_processor/result.rb b/lib/gitlab/ci/yaml_processor/result.rb
index 4bd1ac3b67f..f203f88442d 100644
--- a/lib/gitlab/ci/yaml_processor/result.rb
+++ b/lib/gitlab/ci/yaml_processor/result.rb
@@ -43,7 +43,7 @@ module Gitlab
end
def root_variables
- @root_variables ||= transform_to_yaml_variables(variables)
+ @root_variables ||= transform_to_array(variables)
end
def jobs
@@ -70,7 +70,7 @@ module Gitlab
environment: job[:environment_name],
coverage_regex: job[:coverage],
# yaml_variables is calculated with using job_variables in Seed::Build
- job_variables: transform_to_yaml_variables(job[:job_variables]),
+ job_variables: transform_to_array(job[:job_variables]),
root_variables_inheritance: job[:root_variables_inheritance],
needs_attributes: job.dig(:needs, :job),
interruptible: job[:interruptible],
@@ -114,7 +114,7 @@ module Gitlab
Gitlab::Ci::Variables::Helpers.inherit_yaml_variables(
from: root_variables,
- to: transform_to_yaml_variables(job[:job_variables]),
+ to: job[:job_variables],
inheritance: job.fetch(:root_variables_inheritance, true)
)
end
@@ -137,8 +137,8 @@ module Gitlab
job[:release]
end
- def transform_to_yaml_variables(variables)
- ::Gitlab::Ci::Variables::Helpers.transform_to_yaml_variables(variables)
+ def transform_to_array(variables)
+ ::Gitlab::Ci::Variables::Helpers.transform_to_array(variables)
end
end
end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 8e7d31fd88e..b86d02d5627 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -13929,6 +13929,9 @@ msgstr ""
msgid "Draft: %{filename}"
msgstr ""
+msgid "Drag to reorder prioritized labels and change their relative priority."
+msgstr ""
+
msgid "Drag your designs here or %{linkStart}click to upload%{linkEnd}."
msgstr ""
@@ -22949,7 +22952,7 @@ msgstr ""
msgid "Labels can be applied to issues and merge requests to categorize them."
msgstr ""
-msgid "Labels can be applied to issues and merge requests."
+msgid "Labels can be applied to issues and merge requests. Star a label to make it a priority label."
msgstr ""
msgid "Labels with no issues in this iteration:"
@@ -37306,9 +37309,6 @@ msgstr ""
msgid "Standard"
msgstr ""
-msgid "Star a label to make it a priority label. Order the prioritized labels to change their relative priority, by dragging."
-msgstr ""
-
msgid "Star labels to start sorting by priority"
msgstr ""
diff --git a/package.json b/package.json
index a601c5804fc..ecd30dd2560 100644
--- a/package.json
+++ b/package.json
@@ -205,7 +205,6 @@
"@types/jest": "^27.5.1",
"@vue/test-utils": "1.3.0",
"@vue/vue2-jest": "^27.0.0",
- "acorn": "^6.3.0",
"ajv": "^8.10.0",
"ajv-formats": "^2.1.1",
"axios-mock-adapter": "^1.15.0",
diff --git a/spec/features/merge_request/user_creates_merge_request_spec.rb b/spec/features/merge_request/user_creates_merge_request_spec.rb
index c8b22bb3125..0ae4ef18649 100644
--- a/spec/features/merge_request/user_creates_merge_request_spec.rb
+++ b/spec/features/merge_request/user_creates_merge_request_spec.rb
@@ -1,111 +1,164 @@
# frozen_string_literal: true
-require "spec_helper"
+require 'spec_helper'
-RSpec.describe "User creates a merge request", :js do
+RSpec.describe 'User creates a merge request', :js do
include ProjectForksHelper
- let_it_be(:project) { create(:project, :repository) }
- let_it_be(:user) { create(:user) }
-
- let(:title) { "Some feature" }
-
- before do
- project.add_maintainer(user)
- sign_in(user)
- end
-
- it "creates a merge request" do
- visit(project_new_merge_request_path(project))
-
- find(".js-source-branch").click
- click_link("fix")
-
- find(".js-target-branch").click
- click_link("feature")
-
- click_button("Compare branches")
-
- page.within('.merge-request-form') do
- expect(page.find('#merge_request_description')['placeholder']).to eq 'Describe the goal of the changes and what reviewers should be aware of.'
- end
-
- fill_in("Title", with: title)
- click_button("Create merge request")
-
- page.within(".merge-request") do
- expect(page).to have_content(title)
- end
- end
-
- context "XSS branch name exists" do
- before do
- project.repository.create_branch("
", "master")
- end
-
- it "doesn't execute the dodgy branch name" do
+ shared_examples 'creates a merge request' do
+ specify do
visit(project_new_merge_request_path(project))
- find(".js-source-branch").click
- click_link("")
+ compare_source_and_target('fix', 'feature')
- find(".js-target-branch").click
- click_link("feature")
+ page.within('.merge-request-form') do
+ expect(page.find('#merge_request_description')['placeholder']).to eq 'Describe the goal of the changes and what reviewers should be aware of.'
+ end
- click_button("Compare branches")
+ fill_in('Title', with: title)
+ click_button('Create merge request')
- expect { page.driver.browser.switch_to.alert }.to raise_error(Selenium::WebDriver::Error::NoSuchAlertError)
+ page.within('.merge-request') do
+ expect(page).to have_content(title)
+ end
end
end
- context "to a forked project" do
- let(:forked_project) { fork_project(project, user, namespace: user.namespace, repository: true) }
+ shared_examples 'renders not found' do
+ specify do
+ visit project_new_merge_request_path(project)
- it "creates a merge request", :sidekiq_might_not_need_inline do
- visit(project_new_merge_request_path(forked_project))
-
- expect(page).to have_content("Source branch").and have_content("Target branch")
- expect(find("#merge_request_target_project_id", visible: false).value).to eq(project.id.to_s)
-
- click_button("Compare branches and continue")
-
- expect(page).to have_content("You must select source and target branch")
-
- first(".js-source-project").click
- first(".dropdown-source-project a", text: forked_project.full_path)
-
- first(".js-target-project").click
- first(".dropdown-target-project a", text: project.full_path)
-
- first(".js-source-branch").click
-
- wait_for_requests
-
- source_branch = "fix"
-
- first(".js-source-branch-dropdown .dropdown-content a", text: source_branch).click
-
- click_button("Compare branches and continue")
-
- expect(page).to have_text _('New merge request')
-
- page.within("form#new_merge_request") do
- fill_in("Title", with: title)
- end
-
- expect(find(".js-assignee-search")["data-project-id"]).to eq(project.id.to_s)
- find('.js-assignee-search').click
-
- page.within(".dropdown-menu-user") do
- expect(page).to have_content("Unassigned")
- .and have_content(user.name)
- .and have_content(project.users.first.name)
- end
- find('.js-assignee-search').click
-
- click_button("Create merge request")
-
- expect(page).to have_content(title).and have_content("requested to merge #{forked_project.full_path}:#{source_branch} into master")
+ expect(page).to have_title('Not Found')
+ expect(page).to have_content('Page Not Found')
end
end
+
+ context 'when user is a direct project member' do
+ let_it_be(:project) { create(:project, :repository) }
+ let_it_be(:user) { create(:user) }
+
+ let(:title) { 'Some feature' }
+
+ before do
+ project.add_maintainer(user)
+ sign_in(user)
+ end
+
+ it_behaves_like 'creates a merge request'
+
+ context 'with XSS branch name' do
+ before do
+ project.repository.create_branch("", 'master')
+ end
+
+ it 'does not execute the suspicious branch name' do
+ visit(project_new_merge_request_path(project))
+
+ compare_source_and_target("", 'feature')
+
+ expect { page.driver.browser.switch_to.alert }.to raise_error(Selenium::WebDriver::Error::NoSuchAlertError)
+ end
+ end
+
+ context 'to a forked project' do
+ let(:forked_project) { fork_project(project, user, namespace: user.namespace, repository: true) }
+
+ it 'creates a merge request', :sidekiq_might_not_need_inline do
+ visit(project_new_merge_request_path(forked_project))
+
+ expect(page).to have_content('Source branch').and have_content('Target branch')
+ expect(find('#merge_request_target_project_id', visible: false).value).to eq(project.id.to_s)
+
+ click_button('Compare branches and continue')
+
+ expect(page).to have_content('You must select source and target branch')
+
+ first('.js-source-project').click
+ first('.dropdown-source-project a', text: forked_project.full_path)
+
+ first('.js-target-project').click
+ first('.dropdown-target-project a', text: project.full_path)
+
+ first('.js-source-branch').click
+
+ wait_for_requests
+
+ source_branch = 'fix'
+
+ first('.js-source-branch-dropdown .dropdown-content a', text: source_branch).click
+
+ click_button('Compare branches and continue')
+
+ expect(page).to have_text _('New merge request')
+
+ page.within('form#new_merge_request') do
+ fill_in('Title', with: title)
+ end
+
+ expect(find('.js-assignee-search')['data-project-id']).to eq(project.id.to_s)
+ find('.js-assignee-search').click
+
+ page.within('.dropdown-menu-user') do
+ expect(page).to have_content('Unassigned')
+ .and have_content(user.name)
+ .and have_content(project.users.first.name)
+ end
+ find('.js-assignee-search').click
+
+ click_button('Create merge request')
+
+ expect(page).to have_content(title).and have_content("requested to merge #{forked_project.full_path}:#{source_branch} into master")
+ end
+ end
+ end
+
+ context 'when user is an inherited member from the group' do
+ let_it_be(:group) { create(:group, :public) }
+
+ let(:user) { create(:user) }
+
+ context 'when project is public and merge requests are private' do
+ let_it_be(:project) do
+ create(:project,
+ :public,
+ :repository,
+ group: group,
+ merge_requests_access_level: ProjectFeature::DISABLED)
+ end
+
+ context 'and user is a guest' do
+ before do
+ group.add_guest(user)
+ sign_in(user)
+ end
+
+ it_behaves_like 'renders not found'
+ end
+ end
+
+ context 'when project is private' do
+ let_it_be(:project) { create(:project, :private, :repository, group: group) }
+
+ context 'and user is a guest' do
+ before do
+ group.add_guest(user)
+ sign_in(user)
+ end
+
+ it_behaves_like 'renders not found'
+ end
+ end
+ end
+
+ private
+
+ def compare_source_and_target(source_branch, target_branch)
+ find('.js-source-branch').click
+ click_link(source_branch)
+
+ find('.js-target-branch').click
+ click_link(target_branch)
+
+ click_button('Compare branches')
+ end
end
diff --git a/spec/frontend/jobs/components/job_log_controllers_spec.js b/spec/frontend/jobs/components/job_log_controllers_spec.js
index 4075abd24d5..aa85253a177 100644
--- a/spec/frontend/jobs/components/job_log_controllers_spec.js
+++ b/spec/frontend/jobs/components/job_log_controllers_spec.js
@@ -34,7 +34,7 @@ describe('Job log controllers', () => {
jobLog: mockJobLog,
};
- const createWrapper = (props, { jobLogSearch = false, jobLogJumpToFailures = false } = {}) => {
+ const createWrapper = (props, { jobLogJumpToFailures = false } = {}) => {
wrapper = mount(JobLogControllers, {
propsData: {
...defaultProps,
@@ -42,7 +42,6 @@ describe('Job log controllers', () => {
},
provide: {
glFeatures: {
- jobLogSearch,
jobLogJumpToFailures,
},
},
@@ -290,38 +289,27 @@ describe('Job log controllers', () => {
});
describe('Job log search', () => {
- describe('with feature flag off', () => {
- it('does not display job log search', () => {
- createWrapper();
-
- expect(findJobLogSearch().exists()).toBe(false);
- expect(findSearchHelp().exists()).toBe(false);
- });
+ beforeEach(() => {
+ createWrapper();
});
- describe('with feature flag on', () => {
- beforeEach(() => {
- createWrapper({}, { jobLogSearch: true });
- });
+ it('displays job log search', () => {
+ expect(findJobLogSearch().exists()).toBe(true);
+ expect(findSearchHelp().exists()).toBe(true);
+ });
- it('displays job log search', () => {
- expect(findJobLogSearch().exists()).toBe(true);
- expect(findSearchHelp().exists()).toBe(true);
- });
+ it('emits search results', () => {
+ const expectedSearchResults = [[[mockJobLog[6].lines[1], mockJobLog[6].lines[2]]]];
- it('emits search results', () => {
- const expectedSearchResults = [[[mockJobLog[6].lines[1], mockJobLog[6].lines[2]]]];
+ findJobLogSearch().vm.$emit('submit');
- findJobLogSearch().vm.$emit('submit');
+ expect(wrapper.emitted('searchResults')).toEqual(expectedSearchResults);
+ });
- expect(wrapper.emitted('searchResults')).toEqual(expectedSearchResults);
- });
+ it('clears search results', () => {
+ findJobLogSearch().vm.$emit('clear');
- it('clears search results', () => {
- findJobLogSearch().vm.$emit('clear');
-
- expect(wrapper.emitted('searchResults')).toEqual([[[]]]);
- });
+ expect(wrapper.emitted('searchResults')).toEqual([[[]]]);
});
});
});
diff --git a/spec/frontend/lib/utils/text_markdown_spec.js b/spec/frontend/lib/utils/text_markdown_spec.js
index 733d89fe08c..8d179baa505 100644
--- a/spec/frontend/lib/utils/text_markdown_spec.js
+++ b/spec/frontend/lib/utils/text_markdown_spec.js
@@ -586,6 +586,33 @@ describe('init markdown', () => {
);
});
+ it('only converts valid URLs', () => {
+ const notValidUrl = 'group::label';
+ const expectedUrlValue = 'url';
+ const expectedText = `other [${notValidUrl}](${expectedUrlValue}) text`;
+ const initialValue = `other ${notValidUrl} text`;
+
+ textArea.value = initialValue;
+ selectedIndex = initialValue.indexOf(notValidUrl);
+ textArea.setSelectionRange(selectedIndex, selectedIndex + notValidUrl.length);
+
+ insertMarkdownText({
+ textArea,
+ text: textArea.value,
+ tag,
+ blockTag: null,
+ selected: notValidUrl,
+ wrap: false,
+ select,
+ });
+
+ expect(textArea.value).toEqual(expectedText);
+ expect(textArea.selectionStart).toEqual(expectedText.indexOf(expectedUrlValue, 1));
+ expect(textArea.selectionEnd).toEqual(
+ expectedText.indexOf(expectedUrlValue, 1) + expectedUrlValue.length,
+ );
+ });
+
it('adds block tags on line above and below selection', () => {
selected = 'this text\nis multiple\nlines';
text = `before \n${selected}\nafter `;
diff --git a/spec/frontend/pipeline_editor/components/validate/ci_validate_spec.js b/spec/frontend/pipeline_editor/components/validate/ci_validate_spec.js
index b8fbc2b2460..09d4f9736ad 100644
--- a/spec/frontend/pipeline_editor/components/validate/ci_validate_spec.js
+++ b/spec/frontend/pipeline_editor/components/validate/ci_validate_spec.js
@@ -2,6 +2,7 @@ import { GlAlert, GlDropdown, GlIcon, GlLoadingIcon, GlPopover } from '@gitlab/u
import { nextTick } from 'vue';
import { createLocalVue } from '@vue/test-utils';
import VueApollo from 'vue-apollo';
+import { mockTracking, unmockTracking } from 'helpers/tracking_helper';
import { shallowMountExtended } from 'helpers/vue_test_utils_helper';
import createMockApollo from 'helpers/mock_apollo_helper';
import CiLintResults from '~/pipeline_editor/components/lint/ci_lint_results.vue';
@@ -9,6 +10,7 @@ import CiValidate, { i18n } from '~/pipeline_editor/components/validate/ci_valid
import ValidatePipelinePopover from '~/pipeline_editor/components/popovers/validate_pipeline_popover.vue';
import getBlobContent from '~/pipeline_editor/graphql/queries/blob_content.query.graphql';
import lintCIMutation from '~/pipeline_editor/graphql/mutations/client/lint_ci.mutation.graphql';
+import { pipelineEditorTrackingOptions } from '~/pipeline_editor/constants';
import {
mockBlobContentQueryResponse,
mockCiLintPath,
@@ -24,6 +26,7 @@ describe('Pipeline Editor Validate Tab', () => {
let wrapper;
let mockApollo;
let mockBlobContentData;
+ let trackingSpy;
const createComponent = ({
props,
@@ -140,9 +143,24 @@ describe('Pipeline Editor Validate Tab', () => {
mockBlobContentData.mockResolvedValue(mockBlobContentQueryResponse);
await createComponentWithApollo();
+ trackingSpy = mockTracking(undefined, wrapper.element, jest.spyOn);
jest.spyOn(wrapper.vm.$apollo, 'mutate').mockResolvedValue(mockLintDataValid);
});
+ afterEach(() => {
+ unmockTracking();
+ });
+
+ it('tracks the simulation event', () => {
+ const {
+ label,
+ actions: { simulatePipeline },
+ } = pipelineEditorTrackingOptions;
+ findCta().vm.$emit('click');
+
+ expect(trackingSpy).toHaveBeenCalledWith(undefined, simulatePipeline, { label });
+ });
+
it('renders loading state while simulation is ongoing', async () => {
findCta().vm.$emit('click');
await nextTick();
@@ -224,10 +242,27 @@ describe('Pipeline Editor Validate Tab', () => {
mockBlobContentData.mockResolvedValue(mockBlobContentQueryResponse);
await createComponentWithApollo();
+ trackingSpy = mockTracking(undefined, wrapper.element, jest.spyOn);
jest.spyOn(wrapper.vm.$apollo, 'mutate').mockResolvedValue(mockLintDataValid);
await findCta().vm.$emit('click');
});
+ afterEach(() => {
+ unmockTracking();
+ });
+
+ it('tracks the second simulation event', async () => {
+ const {
+ label,
+ actions: { resimulatePipeline },
+ } = pipelineEditorTrackingOptions;
+
+ await wrapper.setProps({ ciFileContent: 'new yaml content' });
+ findResultsCta().vm.$emit('click');
+
+ expect(trackingSpy).toHaveBeenCalledWith(undefined, resimulatePipeline, { label });
+ });
+
it('renders content change status', async () => {
await wrapper.setProps({ ciFileContent: 'new yaml content' });
diff --git a/spec/graphql/mutations/merge_requests/create_spec.rb b/spec/graphql/mutations/merge_requests/create_spec.rb
index e1edb60e4ff..6e593a5f4be 100644
--- a/spec/graphql/mutations/merge_requests/create_spec.rb
+++ b/spec/graphql/mutations/merge_requests/create_spec.rb
@@ -7,8 +7,7 @@ RSpec.describe Mutations::MergeRequests::Create do
subject(:mutation) { described_class.new(object: nil, context: context, field: nil) }
- let_it_be(:project) { create(:project, :public, :repository) }
- let_it_be(:user) { create(:user) }
+ let(:user) { create(:user) }
let(:context) do
GraphQL::Query::Context.new(
@@ -38,62 +37,106 @@ RSpec.describe Mutations::MergeRequests::Create do
let(:mutated_merge_request) { subject[:merge_request] }
- it 'raises an error if the resource is not accessible to the user' do
- expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
- end
-
- context 'when user does not have enough permissions to create a merge request' do
- before do
- project.add_guest(user)
- end
-
- it 'raises an error if the resource is not accessible to the user' do
+ shared_examples 'resource not available' do
+ it 'raises an error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
end
end
- context 'when the user can create a merge request' do
- before_all do
- project.add_developer(user)
+ context 'when user is not a project member' do
+ let_it_be(:project) { create(:project, :public, :repository) }
+
+ it_behaves_like 'resource not available'
+ end
+
+ context 'when user is a direct project member' do
+ let_it_be(:project) { create(:project, :public, :repository) }
+
+ context 'and user is a guest' do
+ before do
+ project.add_guest(user)
+ end
+
+ it_behaves_like 'resource not available'
end
- it 'creates a new merge request' do
- expect { mutated_merge_request }.to change(MergeRequest, :count).by(1)
- end
+ context 'and user is a developer' do
+ before do
+ project.add_developer(user)
+ end
- it 'returns a new merge request' do
- expect(mutated_merge_request.title).to eq(title)
- expect(subject[:errors]).to be_empty
- end
+ it 'creates a new merge request' do
+ expect { mutated_merge_request }.to change(MergeRequest, :count).by(1)
+ end
- context 'when optional description field is set' do
- let(:description) { 'content' }
-
- it 'returns a new merge request with a description' do
- expect(mutated_merge_request.description).to eq(description)
+ it 'returns a new merge request' do
+ expect(mutated_merge_request.title).to eq(title)
expect(subject[:errors]).to be_empty
end
+
+ context 'when optional description field is set' do
+ let(:description) { 'content' }
+
+ it 'returns a new merge request with a description' do
+ expect(mutated_merge_request.description).to eq(description)
+ expect(subject[:errors]).to be_empty
+ end
+ end
+
+ context 'when optional labels field is set' do
+ let(:labels) { %w[label-1 label-2] }
+
+ it 'returns a new merge request with labels' do
+ expect(mutated_merge_request.labels.map(&:title)).to eq(labels)
+ expect(subject[:errors]).to be_empty
+ end
+ end
+
+ context 'when service cannot create a merge request' do
+ let(:title) { nil }
+
+ it 'does not create a new merge request' do
+ expect { mutated_merge_request }.not_to change(MergeRequest, :count)
+ end
+
+ it 'returns errors' do
+ expect(mutated_merge_request).to be_nil
+ expect(subject[:errors]).to match_array(['Title can\'t be blank'])
+ end
+ end
end
+ end
- context 'when optional labels field is set' do
- let(:labels) { %w[label-1 label-2] }
+ context 'when user is an inherited member from the group' do
+ let_it_be(:group) { create(:group, :public) }
- it 'returns a new merge request with labels' do
- expect(mutated_merge_request.labels.map(&:title)).to eq(labels)
- expect(subject[:errors]).to be_empty
+ context 'when project is public with private merge requests' do
+ let_it_be(:project) do
+ create(:project,
+ :public,
+ :repository,
+ group: group,
+ merge_requests_access_level: ProjectFeature::DISABLED)
+ end
+
+ context 'and user is a guest' do
+ before do
+ group.add_guest(user)
+ end
+
+ it_behaves_like 'resource not available'
end
end
- context 'when service cannot create a merge request' do
- let(:title) { nil }
+ context 'when project is private' do
+ let_it_be(:project) { create(:project, :private, :repository, group: group) }
- it 'does not create a new merge request' do
- expect { mutated_merge_request }.not_to change(MergeRequest, :count)
- end
+ context 'and user is a guest' do
+ before do
+ group.add_guest(user)
+ end
- it 'returns errors' do
- expect(mutated_merge_request).to be_nil
- expect(subject[:errors]).to eq(['Title can\'t be blank'])
+ it_behaves_like 'resource not available'
end
end
end
diff --git a/spec/lib/gitlab/ci/config/entry/root_spec.rb b/spec/lib/gitlab/ci/config/entry/root_spec.rb
index 55ad119ea21..1f8543227c9 100644
--- a/spec/lib/gitlab/ci/config/entry/root_spec.rb
+++ b/spec/lib/gitlab/ci/config/entry/root_spec.rb
@@ -155,7 +155,7 @@ RSpec.describe Gitlab::Ci::Config::Entry::Root do
services: [{ name: "postgres:9.1" }, { name: "mysql:5.5" }],
cache: [{ key: "k", untracked: true, paths: ["public/"], policy: "pull-push", when: 'on_success' }],
only: { refs: %w(branches tags) },
- job_variables: { 'VAR' => 'job' },
+ job_variables: { 'VAR' => { value: 'job' } },
root_variables_inheritance: true,
after_script: [],
ignore: false,
@@ -215,7 +215,7 @@ RSpec.describe Gitlab::Ci::Config::Entry::Root do
services: [{ name: 'postgres:9.1' }, { name: 'mysql:5.5' }],
stage: 'test',
cache: [{ key: 'k', untracked: true, paths: ['public/'], policy: 'pull-push', when: 'on_success' }],
- job_variables: { 'VAR' => 'job' },
+ job_variables: { 'VAR' => { value: 'job' } },
root_variables_inheritance: true,
ignore: false,
after_script: ['make clean'],
diff --git a/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb b/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
index 890ba51157a..75f6a773c2d 100644
--- a/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
+++ b/spec/lib/gitlab/ci/pipeline/seed/build_spec.rb
@@ -97,15 +97,15 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
let(:attributes) do
{ name: 'rspec',
ref: 'master',
- job_variables: [{ key: 'VAR1', value: 'var 1', public: true },
- { key: 'VAR2', value: 'var 2', public: true }],
+ job_variables: [{ key: 'VAR1', value: 'var 1' },
+ { key: 'VAR2', value: 'var 2' }],
rules: [{ if: '$VAR == null', variables: { VAR1: 'new var 1', VAR3: 'var 3' } }] }
end
it do
- is_expected.to include(yaml_variables: [{ key: 'VAR1', value: 'new var 1', public: true },
- { key: 'VAR2', value: 'var 2', public: true },
- { key: 'VAR3', value: 'var 3', public: true }])
+ is_expected.to include(yaml_variables: [{ key: 'VAR1', value: 'new var 1' },
+ { key: 'VAR3', value: 'var 3' },
+ { key: 'VAR2', value: 'var 2' }])
end
end
@@ -114,13 +114,13 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
{
name: 'rspec',
ref: 'master',
- job_variables: [{ key: 'VARIABLE', value: 'value', public: true }],
+ job_variables: [{ key: 'VARIABLE', value: 'value' }],
tag_list: ['static-tag', '$VARIABLE', '$NO_VARIABLE']
}
end
it { is_expected.to include(tag_list: ['static-tag', 'value', '$NO_VARIABLE']) }
- it { is_expected.to include(yaml_variables: [{ key: 'VARIABLE', value: 'value', public: true }]) }
+ it { is_expected.to include(yaml_variables: [{ key: 'VARIABLE', value: 'value' }]) }
end
context 'with cache:key' do
@@ -257,19 +257,19 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
let(:attributes) do
{ name: 'rspec',
ref: 'master',
- yaml_variables: [{ key: 'VAR2', value: 'var 2', public: true },
- { key: 'VAR3', value: 'var 3', public: true }],
- job_variables: [{ key: 'VAR2', value: 'var 2', public: true },
- { key: 'VAR3', value: 'var 3', public: true }],
+ yaml_variables: [{ key: 'VAR2', value: 'var 2' },
+ { key: 'VAR3', value: 'var 3' }],
+ job_variables: [{ key: 'VAR2', value: 'var 2' },
+ { key: 'VAR3', value: 'var 3' }],
root_variables_inheritance: root_variables_inheritance }
end
context 'when the pipeline has variables' do
let(:root_variables) do
- [{ key: 'VAR1', value: 'var overridden pipeline 1', public: true },
- { key: 'VAR2', value: 'var pipeline 2', public: true },
- { key: 'VAR3', value: 'var pipeline 3', public: true },
- { key: 'VAR4', value: 'new var pipeline 4', public: true }]
+ [{ key: 'VAR1', value: 'var overridden pipeline 1' },
+ { key: 'VAR2', value: 'var pipeline 2' },
+ { key: 'VAR3', value: 'var pipeline 3' },
+ { key: 'VAR4', value: 'new var pipeline 4' }]
end
context 'when root_variables_inheritance is true' do
@@ -277,10 +277,10 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
it 'returns calculated yaml variables' do
expect(subject[:yaml_variables]).to match_array(
- [{ key: 'VAR1', value: 'var overridden pipeline 1', public: true },
- { key: 'VAR2', value: 'var 2', public: true },
- { key: 'VAR3', value: 'var 3', public: true },
- { key: 'VAR4', value: 'new var pipeline 4', public: true }]
+ [{ key: 'VAR1', value: 'var overridden pipeline 1' },
+ { key: 'VAR2', value: 'var 2' },
+ { key: 'VAR3', value: 'var 3' },
+ { key: 'VAR4', value: 'new var pipeline 4' }]
)
end
end
@@ -290,8 +290,8 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
it 'returns job variables' do
expect(subject[:yaml_variables]).to match_array(
- [{ key: 'VAR2', value: 'var 2', public: true },
- { key: 'VAR3', value: 'var 3', public: true }]
+ [{ key: 'VAR2', value: 'var 2' },
+ { key: 'VAR3', value: 'var 3' }]
)
end
end
@@ -301,9 +301,9 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
it 'returns calculated yaml variables' do
expect(subject[:yaml_variables]).to match_array(
- [{ key: 'VAR1', value: 'var overridden pipeline 1', public: true },
- { key: 'VAR2', value: 'var 2', public: true },
- { key: 'VAR3', value: 'var 3', public: true }]
+ [{ key: 'VAR1', value: 'var overridden pipeline 1' },
+ { key: 'VAR2', value: 'var 2' },
+ { key: 'VAR3', value: 'var 3' }]
)
end
end
@@ -314,8 +314,8 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
it 'returns seed yaml variables' do
expect(subject[:yaml_variables]).to match_array(
- [{ key: 'VAR2', value: 'var 2', public: true },
- { key: 'VAR3', value: 'var 3', public: true }])
+ [{ key: 'VAR2', value: 'var 2' },
+ { key: 'VAR3', value: 'var 3' }])
end
end
end
@@ -324,8 +324,8 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
let(:attributes) do
{ name: 'rspec',
ref: 'master',
- yaml_variables: [{ key: 'VAR1', value: 'var 1', public: true }],
- job_variables: [{ key: 'VAR1', value: 'var 1', public: true }],
+ yaml_variables: [{ key: 'VAR1', value: 'var 1' }],
+ job_variables: [{ key: 'VAR1', value: 'var 1' }],
root_variables_inheritance: root_variables_inheritance,
rules: rules }
end
@@ -338,14 +338,14 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
end
it 'recalculates the variables' do
- expect(subject[:yaml_variables]).to contain_exactly({ key: 'VAR1', value: 'overridden var 1', public: true },
- { key: 'VAR2', value: 'new var 2', public: true })
+ expect(subject[:yaml_variables]).to contain_exactly({ key: 'VAR1', value: 'overridden var 1' },
+ { key: 'VAR2', value: 'new var 2' })
end
end
context 'when the rules use root variables' do
let(:root_variables) do
- [{ key: 'VAR2', value: 'var pipeline 2', public: true }]
+ [{ key: 'VAR2', value: 'var pipeline 2' }]
end
let(:rules) do
@@ -353,15 +353,15 @@ RSpec.describe Gitlab::Ci::Pipeline::Seed::Build do
end
it 'recalculates the variables' do
- expect(subject[:yaml_variables]).to contain_exactly({ key: 'VAR1', value: 'overridden var 1', public: true },
- { key: 'VAR2', value: 'overridden var 2', public: true })
+ expect(subject[:yaml_variables]).to contain_exactly({ key: 'VAR1', value: 'overridden var 1' },
+ { key: 'VAR2', value: 'overridden var 2' })
end
context 'when the root_variables_inheritance is false' do
let(:root_variables_inheritance) { false }
it 'does not recalculate the variables' do
- expect(subject[:yaml_variables]).to contain_exactly({ key: 'VAR1', value: 'var 1', public: true })
+ expect(subject[:yaml_variables]).to contain_exactly({ key: 'VAR1', value: 'var 1' })
end
end
end
diff --git a/spec/lib/gitlab/ci/variables/helpers_spec.rb b/spec/lib/gitlab/ci/variables/helpers_spec.rb
index fc1055751bd..2a1cdaeb3a7 100644
--- a/spec/lib/gitlab/ci/variables/helpers_spec.rb
+++ b/spec/lib/gitlab/ci/variables/helpers_spec.rb
@@ -15,21 +15,27 @@ RSpec.describe Gitlab::Ci::Variables::Helpers do
end
let(:result) do
- [{ key: 'key1', value: 'value1', public: true },
- { key: 'key2', value: 'value22', public: true },
- { key: 'key3', value: 'value3', public: true }]
+ [{ key: 'key1', value: 'value1' },
+ { key: 'key2', value: 'value22' },
+ { key: 'key3', value: 'value3' }]
end
subject { described_class.merge_variables(current_variables, new_variables) }
- it { is_expected.to eq(result) }
+ it { is_expected.to match_array(result) }
context 'when new variables is a hash' do
let(:new_variables) do
{ 'key2' => 'value22', 'key3' => 'value3' }
end
- it { is_expected.to eq(result) }
+ let(:result) do
+ [{ key: 'key1', value: 'value1' },
+ { key: 'key2', value: 'value22' },
+ { key: 'key3', value: 'value3' }]
+ end
+
+ it { is_expected.to match_array(result) }
end
context 'when new variables is a hash with symbol keys' do
@@ -37,79 +43,72 @@ RSpec.describe Gitlab::Ci::Variables::Helpers do
{ key2: 'value22', key3: 'value3' }
end
- it { is_expected.to eq(result) }
+ let(:result) do
+ [{ key: 'key1', value: 'value1' },
+ { key: 'key2', value: 'value22' },
+ { key: 'key3', value: 'value3' }]
+ end
+
+ it { is_expected.to match_array(result) }
end
context 'when new variables is nil' do
let(:new_variables) {}
let(:result) do
- [{ key: 'key1', value: 'value1', public: true },
- { key: 'key2', value: 'value2', public: true }]
+ [{ key: 'key1', value: 'value1' },
+ { key: 'key2', value: 'value2' }]
end
- it { is_expected.to eq(result) }
+ it { is_expected.to match_array(result) }
end
end
- describe '.transform_to_yaml_variables' do
- let(:variables) do
- { 'key1' => 'value1', 'key2' => 'value2' }
+ describe '.transform_to_array' do
+ subject { described_class.transform_to_array(variables) }
+
+ context 'when values are strings' do
+ let(:variables) do
+ { 'key1' => 'value1', 'key2' => 'value2' }
+ end
+
+ let(:result) do
+ [{ key: 'key1', value: 'value1' },
+ { key: 'key2', value: 'value2' }]
+ end
+
+ it { is_expected.to match_array(result) }
end
- let(:result) do
- [{ key: 'key1', value: 'value1', public: true },
- { key: 'key2', value: 'value2', public: true }]
- end
-
- subject { described_class.transform_to_yaml_variables(variables) }
-
- it { is_expected.to eq(result) }
-
context 'when variables is nil' do
let(:variables) {}
- it { is_expected.to eq([]) }
- end
- end
-
- describe '.transform_from_yaml_variables' do
- let(:variables) do
- [{ key: 'key1', value: 'value1', public: true },
- { key: 'key2', value: 'value2', public: true }]
+ it { is_expected.to match_array([]) }
end
- let(:result) do
- { 'key1' => 'value1', 'key2' => 'value2' }
- end
-
- subject { described_class.transform_from_yaml_variables(variables) }
-
- it { is_expected.to eq(result) }
-
- context 'when variables is nil' do
- let(:variables) {}
-
- it { is_expected.to eq({}) }
- end
-
- context 'when variables is a hash' do
+ context 'when values are hashes' do
let(:variables) do
- { key1: 'value1', 'key2' => 'value2' }
+ { 'key1' => { value: 'value1', description: 'var 1' }, 'key2' => { value: 'value2' } }
end
- it { is_expected.to eq(result) }
- end
-
- context 'when variables contain integers and symbols' do
- let(:variables) do
- { key1: 1, key2: :value2 }
+ let(:result) do
+ [{ key: 'key1', value: 'value1', description: 'var 1' },
+ { key: 'key2', value: 'value2' }]
end
- let(:result1) do
- { 'key1' => '1', 'key2' => 'value2' }
- end
+ it { is_expected.to match_array(result) }
- it { is_expected.to eq(result1) }
+ context 'when a value data has `key` as a key' do
+ let(:variables) do
+ { 'key1' => { value: 'value1', key: 'new_key1' }, 'key2' => { value: 'value2' } }
+ end
+
+ let(:result) do
+ [{ key: 'key1', value: 'value1' },
+ { key: 'key2', value: 'value2' }]
+ end
+
+ it { is_expected.to match_array(result) }
+ end
end
end
@@ -127,35 +126,35 @@ RSpec.describe Gitlab::Ci::Variables::Helpers do
let(:inheritance) { true }
let(:result) do
- [{ key: 'key1', value: 'value1', public: true },
- { key: 'key2', value: 'value22', public: true },
- { key: 'key3', value: 'value3', public: true }]
+ [{ key: 'key1', value: 'value1' },
+ { key: 'key2', value: 'value22' },
+ { key: 'key3', value: 'value3' }]
end
subject { described_class.inherit_yaml_variables(from: from, to: to, inheritance: inheritance) }
- it { is_expected.to eq(result) }
+ it { is_expected.to match_array(result) }
context 'when inheritance is false' do
let(:inheritance) { false }
let(:result) do
- [{ key: 'key2', value: 'value22', public: true },
- { key: 'key3', value: 'value3', public: true }]
+ [{ key: 'key2', value: 'value22' },
+ { key: 'key3', value: 'value3' }]
end
- it { is_expected.to eq(result) }
+ it { is_expected.to match_array(result) }
end
context 'when inheritance is array' do
let(:inheritance) { ['key2'] }
let(:result) do
- [{ key: 'key2', value: 'value22', public: true },
- { key: 'key3', value: 'value3', public: true }]
+ [{ key: 'key2', value: 'value22' },
+ { key: 'key3', value: 'value3' }]
end
- it { is_expected.to eq(result) }
+ it { is_expected.to match_array(result) }
end
end
end
diff --git a/spec/lib/gitlab/ci/yaml_processor/result_spec.rb b/spec/lib/gitlab/ci/yaml_processor/result_spec.rb
index 8416501e949..f7a0905d9da 100644
--- a/spec/lib/gitlab/ci/yaml_processor/result_spec.rb
+++ b/spec/lib/gitlab/ci/yaml_processor/result_spec.rb
@@ -72,8 +72,8 @@ module Gitlab
it 'returns calculated variables with root and job variables' do
is_expected.to match_array([
- { key: 'VAR1', value: 'value 11', public: true },
- { key: 'VAR2', value: 'value 2', public: true }
+ { key: 'VAR1', value: 'value 11' },
+ { key: 'VAR2', value: 'value 2' }
])
end
diff --git a/spec/lib/gitlab/ci/yaml_processor_spec.rb b/spec/lib/gitlab/ci/yaml_processor_spec.rb
index 35af9ae6201..3477fe837b4 100644
--- a/spec/lib/gitlab/ci/yaml_processor_spec.rb
+++ b/spec/lib/gitlab/ci/yaml_processor_spec.rb
@@ -448,7 +448,7 @@ module Gitlab
it 'parses the root:variables as #root_variables' do
expect(subject.root_variables)
- .to contain_exactly({ key: 'SUPPORTED', value: 'parsed', public: true })
+ .to contain_exactly({ key: 'SUPPORTED', value: 'parsed' })
end
end
@@ -490,7 +490,7 @@ module Gitlab
it 'parses the root:variables as #root_variables' do
expect(subject.root_variables)
- .to contain_exactly({ key: 'SUPPORTED', value: 'parsed', public: true })
+ .to contain_exactly({ key: 'SUPPORTED', value: 'parsed' })
end
end
@@ -1098,8 +1098,8 @@ module Gitlab
it 'returns job variables' do
expect(job_variables).to contain_exactly(
- { key: 'VAR1', value: 'value1', public: true },
- { key: 'VAR2', value: 'value2', public: true }
+ { key: 'VAR1', value: 'value1' },
+ { key: 'VAR2', value: 'value2' }
)
expect(root_variables_inheritance).to eq(true)
end
@@ -1203,21 +1203,21 @@ module Gitlab
expect(config_processor.builds[0]).to include(
name: 'test1',
options: { script: ['test'] },
- job_variables: [{ key: 'VAR1', value: 'test1 var 1', public: true },
- { key: 'VAR2', value: 'test2 var 2', public: true }]
+ job_variables: [{ key: 'VAR1', value: 'test1 var 1' },
+ { key: 'VAR2', value: 'test2 var 2' }]
)
expect(config_processor.builds[1]).to include(
name: 'test2',
options: { script: ['test'] },
- job_variables: [{ key: 'VAR1', value: 'base var 1', public: true },
- { key: 'VAR2', value: 'test2 var 2', public: true }]
+ job_variables: [{ key: 'VAR1', value: 'base var 1' },
+ { key: 'VAR2', value: 'test2 var 2' }]
)
expect(config_processor.builds[2]).to include(
name: 'test3',
options: { script: ['test'] },
- job_variables: [{ key: 'VAR1', value: 'base var 1', public: true }]
+ job_variables: [{ key: 'VAR1', value: 'base var 1' }]
)
expect(config_processor.builds[3]).to include(
diff --git a/spec/policies/merge_request_policy_spec.rb b/spec/policies/merge_request_policy_spec.rb
index dd42e1b9313..7e1af132b1d 100644
--- a/spec/policies/merge_request_policy_spec.rb
+++ b/spec/policies/merge_request_policy_spec.rb
@@ -7,24 +7,18 @@ RSpec.describe MergeRequestPolicy do
let_it_be(:guest) { create(:user) }
let_it_be(:author) { create(:user) }
+ let_it_be(:reporter) { create(:user) }
let_it_be(:developer) { create(:user) }
let_it_be(:non_team_member) { create(:user) }
- let(:project) { create(:project, :public) }
-
def permissions(user, merge_request)
described_class.new(user, merge_request)
end
- before do
- project.add_guest(guest)
- project.add_guest(author)
- project.add_developer(developer)
- end
-
mr_perms = %i[create_merge_request_in
create_merge_request_from
read_merge_request
+ update_merge_request
create_todo
approve_merge_request
create_note
@@ -40,7 +34,28 @@ RSpec.describe MergeRequestPolicy do
end
end
- shared_examples_for 'a user with access' do
+ shared_examples_for 'a user with reporter access' do
+ using RSpec::Parameterized::TableSyntax
+
+ where(:policy, :is_allowed) do
+ :create_merge_request_in | true
+ :read_merge_request | true
+ :create_todo | true
+ :create_note | true
+ :update_subscription | true
+ :create_merge_request_from | false
+ :approve_merge_request | false
+ :update_merge_request | false
+ end
+
+ with_them do
+ specify do
+ is_allowed ? (is_expected.to be_allowed(policy)) : (is_expected.to be_disallowed(policy))
+ end
+ end
+ end
+
+ shared_examples_for 'a user with full access' do
let(:perms) { permissions(subject, merge_request) }
mr_perms.each do |thing|
@@ -50,199 +65,304 @@ RSpec.describe MergeRequestPolicy do
end
end
- context 'when merge request is public' do
+ context 'when user is a direct project member' do
+ let(:project) { create(:project, :public) }
+
+ before do
+ project.add_guest(guest)
+ project.add_guest(author)
+ project.add_developer(developer)
+ end
+
+ context 'when merge request is public' do
+ let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }
+ let(:user) { author }
+
+ context 'and user is author' do
+ subject { permissions(user, merge_request) }
+
+ context 'and the user is a guest' do
+ let(:user) { guest }
+
+ it do
+ is_expected.to be_allowed(:update_merge_request)
+ end
+
+ it do
+ is_expected.to be_allowed(:reopen_merge_request)
+ end
+
+ it do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
+ end
+ end
+ end
+
+ context 'when merge requests have been disabled' do
+ let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+
+ before do
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
+ end
+
+ describe 'the author' do
+ subject { author }
+
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a guest' do
+ subject { guest }
+
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a developer' do
+ subject { developer }
+
+ it_behaves_like 'a denied user'
+ end
+ end
+
+ context 'when merge requests are private' do
+ let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+ end
+
+ describe 'the author' do
+ subject { author }
+
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a developer' do
+ subject { developer }
+
+ it_behaves_like 'a user with full access'
+ end
+ end
+
+ context 'when merge request is unlocked' do
+ let(:merge_request) { create(:merge_request, :closed, source_project: project, target_project: project, author: author) }
+
+ it 'allows author to reopen merge request' do
+ expect(permissions(author, merge_request)).to be_allowed(:reopen_merge_request)
+ end
+
+ it 'allows developer to reopen merge request' do
+ expect(permissions(developer, merge_request)).to be_allowed(:reopen_merge_request)
+ end
+
+ it 'prevents guest from reopening merge request' do
+ expect(permissions(guest, merge_request)).to be_disallowed(:reopen_merge_request)
+ end
+ end
+
+ context 'when merge request is locked' do
+ let(:merge_request_locked) { create(:merge_request, :closed, discussion_locked: true, source_project: project, target_project: project, author: author) }
+
+ it 'prevents author from reopening merge request' do
+ expect(permissions(author, merge_request_locked)).to be_disallowed(:reopen_merge_request)
+ end
+
+ it 'prevents developer from reopening merge request' do
+ expect(permissions(developer, merge_request_locked)).to be_disallowed(:reopen_merge_request)
+ end
+
+ it 'prevents guests from reopening merge request' do
+ expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request)
+ end
+
+ context 'when the user is project member, with at least guest access' do
+ let(:user) { guest }
+
+ it 'can create a note' do
+ expect(permissions(user, merge_request_locked)).to be_allowed(:create_note)
+ end
+ end
+ end
+
+ context 'with external authorization enabled' do
+ let(:user) { create(:user) }
+ let(:project) { create(:project, :public) }
+ let(:merge_request) { create(:merge_request, source_project: project) }
+ let(:policies) { described_class.new(user, merge_request) }
+
+ before do
+ enable_external_authorization_service_check
+ end
+
+ it 'can read the issue iid without accessing the external service' do
+ expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
+
+ expect(policies).to be_allowed(:read_merge_request_iid)
+ end
+ end
+ end
+
+ context 'when user is an inherited member from the parent group' do
+ let_it_be(:group) { create(:group, :public) }
+
+ let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
+
+ before_all do
+ group.add_guest(guest)
+ group.add_guest(author)
+ group.add_reporter(reporter)
+ group.add_developer(developer)
+ end
+
+ context 'when project is public' do
+ let(:project) { create(:project, :public, group: group) }
+
+ describe 'the merge request author' do
+ subject { permissions(author, merge_request) }
+
+ specify do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
+ end
+
+ context 'and merge requests are private' do
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+ end
+
+ describe 'a guest' do
+ subject { guest }
+
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a reporter' do
+ subject { permissions(reporter, merge_request) }
+
+ it_behaves_like 'a user with reporter access'
+ end
+
+ describe 'a developer' do
+ subject { developer }
+
+ it_behaves_like 'a user with full access'
+ end
+ end
+ end
+
+ context 'when project is private' do
+ let(:project) { create(:project, :private, group: group) }
+
+ describe 'a guest' do
+ subject { guest }
+
+ it_behaves_like 'a denied user'
+ end
+
+ describe 'a reporter' do
+ subject { permissions(reporter, merge_request) }
+
+ it_behaves_like 'a user with reporter access'
+ end
+
+ describe 'a developer' do
+ subject { developer }
+
+ it_behaves_like 'a user with full access'
+ end
+ end
+ end
+
+ context 'when user is an inherited member from a shared group' do
+ let(:project) { create(:project, :public) }
let(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) }
let(:user) { author }
- context 'and user is anonymous' do
+ before do
+ project.add_guest(author)
+ end
+
+ context 'and group is given developer access' do
+ let(:user) { non_team_member }
+
+ subject { permissions(user, merge_request) }
+
+ before do
+ group = create(:group)
+ project.project_group_links.create!(
+ group: group,
+ group_access: Gitlab::Access::DEVELOPER)
+
+ group.add_guest(non_team_member)
+ end
+
+ specify do
+ is_expected.to be_allowed(:approve_merge_request)
+ end
+ end
+ end
+
+ context 'when user is not a project member' do
+ let(:project) { create(:project, :public) }
+
+ context 'when merge request is public' do
+ let(:merge_request) { create(:merge_request, source_project: project, target_project: project) }
+
+ subject { permissions(non_team_member, merge_request) }
+
+ specify do
+ is_expected.not_to be_allowed(:approve_merge_request)
+ end
+ end
+
+ context 'when merge requests are disabled' do
+ let!(:merge_request) { create(:merge_request, source_project: project, target_project: project) }
+
+ before do
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
+ end
+
+ subject { non_team_member }
+
+ it_behaves_like 'a denied user'
+ end
+
+ context 'when merge requests are private' do
+ let!(:merge_request) { create(:merge_request, source_project: project, target_project: project) }
+
+ before do
+ project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
+ project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+ end
+
+ subject { non_team_member }
+
+ it_behaves_like 'a denied user'
+ end
+
+ context 'when merge request is locked' do
+ let(:merge_request) { create(:merge_request, :closed, discussion_locked: true, source_project: project, target_project: project) }
+
+ it 'cannot create a note' do
+ expect(permissions(non_team_member, merge_request)).to be_disallowed(:create_note)
+ end
+ end
+ end
+
+ context 'when user is anonymous' do
+ let(:project) { create(:project, :public) }
+
+ context 'when merge request is public' do
+ let(:merge_request) { create(:merge_request, source_project: project, target_project: project) }
+
subject { permissions(nil, merge_request) }
- it do
+ specify do
is_expected.to be_disallowed(:create_todo, :update_subscription)
end
end
-
- context 'and user is author' do
- subject { permissions(user, merge_request) }
-
- context 'and the user is a guest' do
- let(:user) { guest }
-
- it do
- is_expected.to be_allowed(:update_merge_request)
- end
-
- it do
- is_expected.to be_allowed(:reopen_merge_request)
- end
-
- it do
- is_expected.to be_allowed(:approve_merge_request)
- end
- end
-
- context 'and the user is a group member' do
- let(:project) { create(:project, :public, group: group) }
- let(:group) { create(:group) }
- let(:user) { non_team_member }
-
- before do
- group.add_guest(non_team_member)
- end
-
- it do
- is_expected.to be_allowed(:approve_merge_request)
- end
- end
-
- context 'and the user is a member of a shared group' do
- let(:user) { non_team_member }
-
- before do
- group = create(:group)
- project.project_group_links.create!(
- group: group,
- group_access: Gitlab::Access::DEVELOPER)
-
- group.add_guest(non_team_member)
- end
-
- it do
- is_expected.to be_allowed(:approve_merge_request)
- end
- end
-
- context 'and the user is not a project member' do
- let(:user) { non_team_member }
-
- it do
- is_expected.not_to be_allowed(:approve_merge_request)
- end
- end
- end
- end
-
- context 'when merge requests have been disabled' do
- let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
-
- before do
- project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
- end
-
- describe 'the author' do
- subject { author }
-
- it_behaves_like 'a denied user'
- end
-
- describe 'a guest' do
- subject { guest }
-
- it_behaves_like 'a denied user'
- end
-
- describe 'a developer' do
- subject { developer }
-
- it_behaves_like 'a denied user'
- end
-
- describe 'any other user' do
- subject { non_team_member }
-
- it_behaves_like 'a denied user'
- end
- end
-
- context 'when merge requests are private' do
- let!(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: author) }
-
- before do
- project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
- project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
- end
-
- describe 'a non-team-member' do
- subject { non_team_member }
-
- it_behaves_like 'a denied user'
- end
-
- describe 'the author' do
- subject { author }
-
- it_behaves_like 'a denied user'
- end
-
- describe 'a developer' do
- subject { developer }
-
- it_behaves_like 'a user with access'
- end
- end
-
- context 'when merge request is unlocked' do
- let(:merge_request) { create(:merge_request, :closed, source_project: project, target_project: project, author: author) }
-
- it 'allows author to reopen merge request' do
- expect(permissions(author, merge_request)).to be_allowed(:reopen_merge_request)
- end
-
- it 'allows developer to reopen merge request' do
- expect(permissions(developer, merge_request)).to be_allowed(:reopen_merge_request)
- end
-
- it 'prevents guest from reopening merge request' do
- expect(permissions(guest, merge_request)).to be_disallowed(:reopen_merge_request)
- end
- end
-
- context 'when merge request is locked' do
- let(:merge_request_locked) { create(:merge_request, :closed, discussion_locked: true, source_project: project, target_project: project, author: author) }
-
- it 'prevents author from reopening merge request' do
- expect(permissions(author, merge_request_locked)).to be_disallowed(:reopen_merge_request)
- end
-
- it 'prevents developer from reopening merge request' do
- expect(permissions(developer, merge_request_locked)).to be_disallowed(:reopen_merge_request)
- end
-
- it 'prevents guests from reopening merge request' do
- expect(permissions(guest, merge_request_locked)).to be_disallowed(:reopen_merge_request)
- end
-
- context 'when the user is not a project member' do
- let(:user) { create(:user) }
-
- it 'cannot create a note' do
- expect(permissions(user, merge_request_locked)).to be_disallowed(:create_note)
- end
- end
-
- context 'when the user is project member, with at least guest access' do
- let(:user) { guest }
-
- it 'can create a note' do
- expect(permissions(user, merge_request_locked)).to be_allowed(:create_note)
- end
- end
- end
-
- context 'with external authorization enabled' do
- let(:user) { create(:user) }
- let(:project) { create(:project, :public) }
- let(:merge_request) { create(:merge_request, source_project: project) }
- let(:policies) { described_class.new(user, merge_request) }
-
- before do
- enable_external_authorization_service_check
- end
-
- it 'can read the issue iid without accessing the external service' do
- expect(::Gitlab::ExternalAuthorization).not_to receive(:access_allowed?)
-
- expect(policies).to be_allowed(:read_merge_request_iid)
- end
end
end
diff --git a/spec/requests/api/merge_requests_spec.rb b/spec/requests/api/merge_requests_spec.rb
index 2a03ae89389..320e9e0cd66 100644
--- a/spec/requests/api/merge_requests_spec.rb
+++ b/spec/requests/api/merge_requests_spec.rb
@@ -1120,6 +1120,44 @@ RSpec.describe API::MergeRequests do
end.not_to exceed_query_limit(control)
end
end
+
+ context 'when user is an inherited member from the group' do
+ let_it_be(:group) { create(:group) }
+
+ shared_examples 'user cannot view merge requests' do
+ it 'returns 403 forbidden' do
+ get api("/projects/#{group_project.id}/merge_requests", inherited_user)
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'and user is a guest' do
+ let_it_be(:inherited_user) { create(:user) }
+
+ before_all do
+ group.add_guest(inherited_user)
+ end
+
+ context 'when project is public with private merge requests' do
+ let(:group_project) do
+ create(:project,
+ :public,
+ :repository,
+ group: group,
+ merge_requests_access_level: ProjectFeature::DISABLED)
+ end
+
+ it_behaves_like 'user cannot view merge requests'
+ end
+
+ context 'when project is private' do
+ let(:group_project) { create(:project, :private, :repository, group: group) }
+
+ it_behaves_like 'user cannot view merge requests'
+ end
+ end
+ end
end
describe "GET /groups/:id/merge_requests" do
@@ -2219,6 +2257,59 @@ RSpec.describe API::MergeRequests do
expect(response).to have_gitlab_http_status(:created)
end
end
+
+ context 'when user is an inherited member from the group' do
+ let_it_be(:group) { create(:group) }
+
+ shared_examples 'user cannot create merge requests' do
+ it 'returns 403 forbidden' do
+ post api("/projects/#{group_project.id}/merge_requests", inherited_user), params: params
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+ end
+
+ context 'and user is a guest' do
+ let_it_be(:inherited_user) { create(:user) }
+ let_it_be(:params) do
+ {
+ title: 'Test merge request',
+ source_branch: 'feature_conflict',
+ target_branch: 'master',
+ author_id: inherited_user.id
+ }
+ end
+
+ before_all do
+ group.add_guest(inherited_user)
+ end
+
+ context 'when project is public with private merge requests' do
+ let(:group_project) do
+ create(:project,
+ :public,
+ :repository,
+ group: group,
+ merge_requests_access_level: ProjectFeature::DISABLED,
+ only_allow_merge_if_pipeline_succeeds: false)
+ end
+
+ it_behaves_like 'user cannot create merge requests'
+ end
+
+ context 'when project is private' do
+ let(:group_project) do
+ create(:project,
+ :private,
+ :repository,
+ group: group,
+ only_allow_merge_if_pipeline_succeeds: false)
+ end
+
+ it_behaves_like 'user cannot create merge requests'
+ end
+ end
+ end
end
describe 'PUT /projects/:id/merge_requests/:merge_request_iid' do
diff --git a/spec/requests/api/project_packages_spec.rb b/spec/requests/api/project_packages_spec.rb
index 5f4b8899a33..7a05da8e13f 100644
--- a/spec/requests/api/project_packages_spec.rb
+++ b/spec/requests/api/project_packages_spec.rb
@@ -86,6 +86,18 @@ RSpec.describe API::ProjectPackages do
expect(json_response).to include(a_hash_including('_links' => a_hash_including('web_path' => include(nested_project.namespace.full_path))))
end
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(url, job_token: job.token) }
+
+ it_behaves_like 'returns packages', :project, :maintainer
+ it_behaves_like 'returns packages', :project, :developer
+ it_behaves_like 'returns packages', :project, :reporter
+ it_behaves_like 'returns packages', :project, :no_type
+ it_behaves_like 'returns packages', :project, :guest
+ end
end
context 'project is private' do
@@ -116,6 +128,19 @@ RSpec.describe API::ProjectPackages do
end
end
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(url, job_token: job.token) }
+
+ it_behaves_like 'returns packages', :project, :maintainer
+ it_behaves_like 'returns packages', :project, :developer
+ it_behaves_like 'returns packages', :project, :reporter
+ it_behaves_like 'rejects packages access', :project, :no_type, :not_found
+ # TODO uncomment when https://gitlab.com/gitlab-org/gitlab/-/issues/370998 is resolved
+ # it_behaves_like 'rejects packages access', :project, :guest, :not_found
+ end
end
context 'with pagination params' do
@@ -177,6 +202,8 @@ RSpec.describe API::ProjectPackages do
end
describe 'GET /projects/:id/packages/:package_id' do
+ let(:single_package_schema) { 'public_api/v4/packages/package' }
+
subject { get api(package_url, user) }
shared_examples 'no destroy url' do
@@ -217,7 +244,7 @@ RSpec.describe API::ProjectPackages do
subject
expect(response).to have_gitlab_http_status(:ok)
- expect(response).to match_response_schema('public_api/v4/packages/package')
+ expect(response).to match_response_schema(single_package_schema)
end
it 'returns 404 when the package does not exist' do
@@ -233,6 +260,18 @@ RSpec.describe API::ProjectPackages do
end
it_behaves_like 'no destroy url'
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(package_url, job_token: job.token) }
+
+ it_behaves_like 'returns package', :project, :maintainer
+ it_behaves_like 'returns package', :project, :developer
+ it_behaves_like 'returns package', :project, :reporter
+ it_behaves_like 'returns package', :project, :no_type
+ it_behaves_like 'returns package', :project, :guest
+ end
end
context 'project is private' do
@@ -259,7 +298,7 @@ RSpec.describe API::ProjectPackages do
subject
expect(response).to have_gitlab_http_status(:ok)
- expect(response).to match_response_schema('public_api/v4/packages/package')
+ expect(response).to match_response_schema(single_package_schema)
end
it_behaves_like 'no destroy url'
@@ -273,6 +312,19 @@ RSpec.describe API::ProjectPackages do
it_behaves_like 'destroy url'
end
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ subject { get api(package_url, job_token: job.token) }
+
+ it_behaves_like 'returns package', :project, :maintainer
+ it_behaves_like 'returns package', :project, :developer
+ it_behaves_like 'returns package', :project, :reporter
+ # TODO uncomment when https://gitlab.com/gitlab-org/gitlab/-/issues/370998 is resolved
+ # it_behaves_like 'rejects packages access', :project, :guest, :not_found
+ it_behaves_like 'rejects packages access', :project, :no_type, :not_found
+ end
+
context 'with pipeline' do
let!(:package1) { create(:npm_package, :with_build, project: project) }
@@ -355,6 +407,26 @@ RSpec.describe API::ProjectPackages do
expect(response).to have_gitlab_http_status(:no_content)
end
+
+ context 'with JOB-TOKEN auth' do
+ let(:job) { create(:ci_build, :running, user: user) }
+
+ it 'returns 403 for a user without enough permissions' do
+ project.add_developer(user)
+
+ expect { delete api(package_url, job_token: job.token) }.not_to change { ::Packages::Package.pending_destruction.count }
+
+ expect(response).to have_gitlab_http_status(:forbidden)
+ end
+
+ it 'returns 204' do
+ project.add_maintainer(user)
+
+ expect { delete api(package_url, job_token: job.token) }.to change { ::Packages::Package.pending_destruction.count }.by(1)
+
+ expect(response).to have_gitlab_http_status(:no_content)
+ end
+ end
end
context 'with a maven package' do
diff --git a/spec/services/ci/create_pipeline_service/parent_child_pipeline_spec.rb b/spec/services/ci/create_pipeline_service/parent_child_pipeline_spec.rb
index 4326fa5533f..cc808b7e61c 100644
--- a/spec/services/ci/create_pipeline_service/parent_child_pipeline_spec.rb
+++ b/spec/services/ci/create_pipeline_service/parent_child_pipeline_spec.rb
@@ -36,7 +36,7 @@ RSpec.describe Ci::CreatePipelineService, '#execute' do
expect(pipeline.statuses).to match_array [test, bridge]
expect(bridge.options).to eq(expected_bridge_options)
expect(bridge.yaml_variables)
- .to include(key: 'CROSS', value: 'downstream', public: true)
+ .to include(key: 'CROSS', value: 'downstream')
end
end
diff --git a/spec/services/ci/list_config_variables_service_spec.rb b/spec/services/ci/list_config_variables_service_spec.rb
index 1735f4cfc97..4953b18bfcc 100644
--- a/spec/services/ci/list_config_variables_service_spec.rb
+++ b/spec/services/ci/list_config_variables_service_spec.rb
@@ -40,8 +40,8 @@ RSpec.describe Ci::ListConfigVariablesService, :use_clean_rails_memory_store_cac
it 'returns variable list' do
expect(subject['KEY1']).to eq({ value: 'val 1', description: 'description 1' })
expect(subject['KEY2']).to eq({ value: 'val 2', description: '' })
- expect(subject['KEY3']).to eq({ value: 'val 3', description: nil })
- expect(subject['KEY4']).to eq({ value: 'val 4', description: nil })
+ expect(subject['KEY3']).to eq({ value: 'val 3' })
+ expect(subject['KEY4']).to eq({ value: 'val 4' })
end
end
diff --git a/spec/support/shared_examples/services/packages_shared_examples.rb b/spec/support/shared_examples/services/packages_shared_examples.rb
index 6bc4f171d9c..704a4bbe0b8 100644
--- a/spec/support/shared_examples/services/packages_shared_examples.rb
+++ b/spec/support/shared_examples/services/packages_shared_examples.rb
@@ -81,6 +81,26 @@ RSpec.shared_examples 'returns packages' do |container_type, user_type|
end
end
+RSpec.shared_examples 'returns package' do |container_type, user_type|
+ context "for #{user_type}" do
+ before do
+ send(container_type)&.send("add_#{user_type}", user) unless user_type == :no_type
+ end
+
+ it 'returns success response' do
+ subject
+
+ expect(response).to have_gitlab_http_status(:success)
+ end
+
+ it 'returns a valid response schema' do
+ subject
+
+ expect(response).to match_response_schema(single_package_schema)
+ end
+ end
+end
+
RSpec.shared_examples 'returns packages with subgroups' do |container_type, user_type|
context "with subgroups for #{user_type}" do
before do
diff --git a/vendor/gems/omniauth-azure-oauth2/.gitlab-ci.yml b/vendor/gems/omniauth-azure-oauth2/.gitlab-ci.yml
new file mode 100644
index 00000000000..575fec39767
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/.gitlab-ci.yml
@@ -0,0 +1,28 @@
+workflow:
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+
+.rspec:
+ cache:
+ key: omniauth-azure-oauth2
+ paths:
+ - vendor/gems/omniauth-azure-oauth2/vendor/ruby
+ before_script:
+ - cd vendor/gems/omniauth-azure-oauth2
+ - ruby -v # Print out ruby version for debugging
+ - gem install bundler --no-document # Bundler is not installed with the image
+ - bundle config set --local path 'vendor' # Install dependencies into ./vendor/ruby
+ - bundle config set with 'development'
+ - bundle config set --local frozen 'true' # Disallow Gemfile.lock changes on CI
+ - bundle config # Show bundler configuration
+ - bundle install -j $(nproc)
+ script:
+ - bundle exec rspec
+
+rspec-2.7:
+ image: "ruby:2.7"
+ extends: .rspec
+
+rspec-3.0:
+ image: "ruby:3.0"
+ extends: .rspec
diff --git a/vendor/gems/omniauth-azure-oauth2/CHANGELOG.md b/vendor/gems/omniauth-azure-oauth2/CHANGELOG.md
new file mode 100644
index 00000000000..ca274303b18
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/CHANGELOG.md
@@ -0,0 +1,31 @@
+# Version 0.0.9
+* Expand JWT dep. Thanks @ronaldsalas
+
+# Version 0.0.9
+* Added support for dynamic tenant urls. Thanks @marcus-fellinger-esc
+
+# Version 0.0.8
+* Upgrade to omniauth-oauth2 1.4.0 and fix callback url issue
+* Allow prompt parameter, thanks @hilu
+* Add tenant id to info
+* Updated base url
+
+# Version 0.0.6
+* Use 'name' from Azure for name, and 'unique_name' for nickname per Auth Hash spec. Thanks @jayme-github
+
+# Version 0.0.5
+* loosen jwt requirement
+
+# Version 0.0.5
+* loosen jwt requirement
+
+# VERSION 0.0.4
+* fix for JWT scoping, thanks @tobsher
+
+# VERSION 0.0.3
+* added common endpoint and removed mandatory requirement for tenant-id
+* upgraded jwt
+
+# VERSION 0.0.1
+
+* Initial build
\ No newline at end of file
diff --git a/vendor/gems/omniauth-azure-oauth2/Gemfile b/vendor/gems/omniauth-azure-oauth2/Gemfile
new file mode 100644
index 00000000000..ef2f8b4147f
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/Gemfile
@@ -0,0 +1,8 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in omniauth-azure-oauth2.gemspec
+gemspec
+
+group :example do
+ gem 'sinatra'
+end
\ No newline at end of file
diff --git a/vendor/gems/omniauth-azure-oauth2/Gemfile.lock b/vendor/gems/omniauth-azure-oauth2/Gemfile.lock
new file mode 100644
index 00000000000..0bd5d401175
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/Gemfile.lock
@@ -0,0 +1,73 @@
+PATH
+ remote: .
+ specs:
+ omniauth-azure-oauth2 (0.0.10)
+ jwt (>= 1.0, < 3.0)
+ omniauth (~> 1.0, < 3)
+ omniauth-oauth2 (~> 1.4)
+
+GEM
+ remote: https://rubygems.org/
+ specs:
+ diff-lcs (1.5.0)
+ faraday (2.5.2)
+ faraday-net_http (>= 2.0, < 3.1)
+ ruby2_keywords (>= 0.0.4)
+ faraday-net_http (3.0.0)
+ hashie (5.0.0)
+ jwt (2.4.1)
+ multi_xml (0.6.0)
+ mustermann (2.0.2)
+ ruby2_keywords (~> 0.0.1)
+ oauth2 (2.0.6)
+ faraday (>= 0.17.3, < 3.0)
+ jwt (>= 1.0, < 3.0)
+ multi_xml (~> 0.5)
+ rack (>= 1.2, < 3)
+ rash_alt (>= 0.4, < 1)
+ version_gem (~> 1.1)
+ omniauth (1.9.1)
+ hashie (>= 3.4.6)
+ rack (>= 1.6.2, < 3)
+ omniauth-oauth2 (1.7.3)
+ oauth2 (>= 1.4, < 3)
+ omniauth (>= 1.9, < 3)
+ rack (2.2.4)
+ rack-protection (2.2.2)
+ rack
+ rake (13.0.6)
+ rash_alt (0.4.12)
+ hashie (>= 3.4)
+ rspec (3.11.0)
+ rspec-core (~> 3.11.0)
+ rspec-expectations (~> 3.11.0)
+ rspec-mocks (~> 3.11.0)
+ rspec-core (3.11.0)
+ rspec-support (~> 3.11.0)
+ rspec-expectations (3.11.0)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.11.0)
+ rspec-mocks (3.11.1)
+ diff-lcs (>= 1.2.0, < 2.0)
+ rspec-support (~> 3.11.0)
+ rspec-support (3.11.0)
+ ruby2_keywords (0.0.5)
+ sinatra (2.2.2)
+ mustermann (~> 2.0)
+ rack (~> 2.2)
+ rack-protection (= 2.2.2)
+ tilt (~> 2.0)
+ tilt (2.0.11)
+ version_gem (1.1.0)
+
+PLATFORMS
+ ruby
+
+DEPENDENCIES
+ omniauth-azure-oauth2!
+ rake
+ rspec (>= 2.14.0)
+ sinatra
+
+BUNDLED WITH
+ 2.3.20
diff --git a/vendor/gems/omniauth-azure-oauth2/LICENSE b/vendor/gems/omniauth-azure-oauth2/LICENSE
new file mode 100644
index 00000000000..57ecd3eabb9
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/LICENSE
@@ -0,0 +1,22 @@
+Copyright (c) 2014 Deltek
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/vendor/gems/omniauth-azure-oauth2/README.md b/vendor/gems/omniauth-azure-oauth2/README.md
new file mode 100644
index 00000000000..a28e9ffdfd2
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/README.md
@@ -0,0 +1,161 @@
+# OmniAuth Windows Azure Active Directory Strategy
+
+This is fork of [omniauth-azure-oauth2](https://github.com/marknadig/omniauth-azure-oauth2) to support:
+
+1. OmniAuth v1 and v2. OmniAuth v2 disables GET requests by default
+ and defaults to POST. GitLab already has patched v1 to use POST,
+ but other dependencies need to be updated:
+ https://gitlab.com/gitlab-org/gitlab/-/issues/30073.
+2. We may deprecate this library entirely in the future:
+ https://gitlab.com/gitlab-org/gitlab/-/issues/366212
+
+[](https://travis-ci.org/KonaTeam/omniauth-azure-oauth2)
+
+This gem provides a simple way to authenticate to Windows Azure Active Directory (WAAD) over OAuth2 using OmniAuth.
+
+One of the unique challenges of WAAD OAuth is that WAAD is multi tenant. Any given tenant can have multiple active
+directories. The CLIENT-ID, REPLY-URL and keys will be unique to the tenant/AD/application combination. This gem simply
+provides hooks for determining those unique values for each call.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'omniauth-azure-oauth2'
+```
+
+## Usage
+
+First, you will need to add your site as an application in WAAD.:
+[Adding, Updating, and Removing an Application](http://msdn.microsoft.com/en-us/library/azure/dn132599.aspx)
+
+Summary:
+Select your Active Directory in https://manage.windowsazure.com/ of type 'Web Application'. Name, sign-on url,
+logo are not important. You will need the CLIENT-ID from the application configuration and you will need to generate
+an expiring key (aka 'client secret'). REPLY URL is the oauth redirect uri which will be the omniauth callback path
+https://example.com/users/auth/azure_oauth2/callback. The APP ID UI just needs to be unique to that tenant and identify
+your site and isn't needed to configure the gem.
+Permissions need Delegated Permissions to at least have "Enable sign-on and read user's profiles".
+
+Note: Seems like the terminology is still fluid, so follow the MS guidance (buwahaha) to set this up.
+
+The TenantInfo information can be a hash or class. It must provide client_id and client_secret.
+Optionally a domain_hint and tenant_id. For a simple single-tenant app, this could be:
+
+```ruby
+use OmniAuth::Builder do
+ provider :azure_oauth2,
+ {
+ client_id: ENV['AZURE_CLIENT_ID'],
+ client_secret: ENV['AZURE_CLIENT_SECRET'],
+ tenant_id: ENV['AZURE_TENANT_ID']
+ }
+end
+```
+
+Or the alternative format for use with [devise](https://github.com/plataformatec/devise):
+
+```ruby
+config.omniauth :azure_oauth2, client_id: ENV['AZURE_CLIENT_ID'],
+ client_secret: ENV['AZURE_CLIENT_SECRET'], tenant_id: ENV['AZURE_TENANT_ID']
+```
+
+For multi-tenant apps where you don't know the tenant_id in advance, simply leave out the tenant_id to use the
+[common endpoint](http://msdn.microsoft.com/en-us/library/azure/dn645542.aspx).
+
+```ruby
+use OmniAuth::Builder do
+ provider :azure_oauth2,
+ {
+ client_id: ENV['AZURE_CLIENT_ID'],
+ client_secret: ENV['AZURE_CLIENT_SECRET']
+ }
+end
+```
+
+For dynamic tenant assignment, pass a class that supports those same attributes and accepts the strategy as a parameter
+
+```ruby
+class YouTenantProvider
+ def initialize(strategy)
+ @strategy = strategy
+ end
+
+ def client_id
+ tenant.azure_client_id
+ end
+
+ def client_secret
+ tenant.azure_client_secret
+ end
+
+ def tenant_id
+ tenant.azure_tanant_id
+ end
+
+ def domain_hint
+ tenant.azure_domain_hint
+ end
+
+ private
+
+ def tenant
+ # whatever strategy you want to figure out the right tenant from params/session
+ @tenant ||= Customer.find(@strategy.session[:customer_id])
+ end
+end
+
+use OmniAuth::Builder do
+ provider :azure_oauth2, YourTenantProvider
+end
+```
+
+The base_azure_url can be overridden in the provider configuration for different locales; e.g. `base_azure_url: "https://login.microsoftonline.de"`
+
+
+## Auth Hash Schema
+
+The following information is provided back to you for this provider:
+
+```ruby
+{
+ uid: '12345',
+ info: {
+ name: 'some one',
+ first_name: 'some',
+ last_name: 'one',
+ email: 'someone@example.com'
+ },
+ credentials: {
+ token: 'thetoken',
+ refresh_token: 'refresh'
+ },
+ extra: { raw_info: raw_api_response }
+}
+```
+## notes
+
+When you make a request to WAAD you must specify a resource. The gem currently assumes this is the AD identified as '00000002-0000-0000-c000-000000000000'.
+This can be passed in as part of the config. It currently isn't designed to be dynamic.
+
+```ruby
+use OmniAuth::Builder do
+ provider :azure_oauth2, TenantInfo, resource: 'myresource'
+end
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Make your changes, add tests, run tests (`rake`)
+4. Commit your changes and tests (`git commit -am 'Added some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create new Pull Request
+
+
+## Misc
+Run tests `bundle exec rake`
+Push to rubygems `bundle exec rake release`.
+
diff --git a/vendor/gems/omniauth-azure-oauth2/Rakefile b/vendor/gems/omniauth-azure-oauth2/Rakefile
new file mode 100644
index 00000000000..965431eb7c9
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/Rakefile
@@ -0,0 +1,6 @@
+require File.join('bundler', 'gem_tasks')
+require File.join('rspec', 'core', 'rake_task')
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
\ No newline at end of file
diff --git a/vendor/gems/omniauth-azure-oauth2/examples/sinatra.rb b/vendor/gems/omniauth-azure-oauth2/examples/sinatra.rb
new file mode 100644
index 00000000000..3db9e5fe435
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/examples/sinatra.rb
@@ -0,0 +1,31 @@
+$:.push File.dirname(__FILE__) + '/../lib'
+
+require 'omniauth-azure-oauth2'
+require 'sinatra'
+
+class MyAzureProvider
+ def self.client_id
+ ENV['AZURE_CLIENT_ID']
+ end
+
+ def self.client_secret
+ ENV['AZURE_CLIENT_SECRET']
+ end
+
+ def self.tenant_id
+ ENV['AZURE_TENANT_ID']
+ end
+
+end
+
+use Rack::Session::Cookie
+use OmniAuth::Strategies::Azure, MyAzureProvider
+
+get '/' do
+ "Log in with Azure"
+end
+
+get '/auth/azure_oauth2/callback' do
+ content_type 'text/plain'
+ request.env['omniauth.auth'].inspect
+end
\ No newline at end of file
diff --git a/vendor/gems/omniauth-azure-oauth2/lib/omniauth-azure-oauth2.rb b/vendor/gems/omniauth-azure-oauth2/lib/omniauth-azure-oauth2.rb
new file mode 100644
index 00000000000..121c26842aa
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/lib/omniauth-azure-oauth2.rb
@@ -0,0 +1 @@
+require File.join('omniauth', 'azure_oauth2')
\ No newline at end of file
diff --git a/vendor/gems/omniauth-azure-oauth2/lib/omniauth/azure_oauth2.rb b/vendor/gems/omniauth-azure-oauth2/lib/omniauth/azure_oauth2.rb
new file mode 100644
index 00000000000..69651ede9e7
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/lib/omniauth/azure_oauth2.rb
@@ -0,0 +1 @@
+require File.join('omniauth', 'strategies', 'azure_oauth2')
\ No newline at end of file
diff --git a/vendor/gems/omniauth-azure-oauth2/lib/omniauth/azure_oauth2/version.rb b/vendor/gems/omniauth-azure-oauth2/lib/omniauth/azure_oauth2/version.rb
new file mode 100644
index 00000000000..cfaa9ddd458
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/lib/omniauth/azure_oauth2/version.rb
@@ -0,0 +1,5 @@
+module OmniAuth
+ module AzureOauth2
+ VERSION = "0.0.10"
+ end
+end
diff --git a/vendor/gems/omniauth-azure-oauth2/lib/omniauth/strategies/azure_oauth2.rb b/vendor/gems/omniauth-azure-oauth2/lib/omniauth/strategies/azure_oauth2.rb
new file mode 100644
index 00000000000..f18babc0619
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/lib/omniauth/strategies/azure_oauth2.rb
@@ -0,0 +1,73 @@
+require 'omniauth/strategies/oauth2'
+require 'jwt'
+
+module OmniAuth
+ module Strategies
+ class AzureOauth2 < OmniAuth::Strategies::OAuth2
+ BASE_AZURE_URL = 'https://login.microsoftonline.com'
+
+ option :name, 'azure_oauth2'
+
+ option :tenant_provider, nil
+
+ # AD resource identifier
+ option :resource, '00000002-0000-0000-c000-000000000000'
+
+ # tenant_provider must return client_id, client_secret and optionally tenant_id and base_azure_url
+ args [:tenant_provider]
+
+ def client
+ if options.tenant_provider
+ provider = options.tenant_provider.new(self)
+ else
+ provider = options # if pass has to config, get mapped right on to options
+ end
+
+ options.client_id = provider.client_id
+ options.client_secret = provider.client_secret
+ options.tenant_id =
+ provider.respond_to?(:tenant_id) ? provider.tenant_id : 'common'
+ options.base_azure_url =
+ provider.respond_to?(:base_azure_url) ? provider.base_azure_url : BASE_AZURE_URL
+
+ options.authorize_params = provider.authorize_params if provider.respond_to?(:authorize_params)
+ options.authorize_params.domain_hint = provider.domain_hint if provider.respond_to?(:domain_hint) && provider.domain_hint
+ options.authorize_params.prompt = request.params['prompt'] if request.params['prompt']
+ options.client_options.authorize_url = "#{options.base_azure_url}/#{options.tenant_id}/oauth2/authorize"
+ options.client_options.token_url = "#{options.base_azure_url}/#{options.tenant_id}/oauth2/token"
+ super
+ end
+
+ uid {
+ raw_info['sub']
+ }
+
+ info do
+ {
+ name: raw_info['name'],
+ nickname: raw_info['unique_name'],
+ first_name: raw_info['given_name'],
+ last_name: raw_info['family_name'],
+ email: raw_info['email'] || raw_info['upn'],
+ oid: raw_info['oid'],
+ tid: raw_info['tid']
+ }
+ end
+
+ def token_params
+ azure_resource = request.env['omniauth.params'] && request.env['omniauth.params']['azure_resource']
+ super.merge(resource: azure_resource || options.resource)
+ end
+
+ def callback_url
+ full_host + script_name + callback_path
+ end
+
+ def raw_info
+ # it's all here in JWT http://msdn.microsoft.com/en-us/library/azure/dn195587.aspx
+ @raw_info ||= ::JWT.decode(access_token.token, nil, false).first
+ end
+
+ end
+ end
+end
diff --git a/vendor/gems/omniauth-azure-oauth2/omniauth-azure-oauth2.gemspec b/vendor/gems/omniauth-azure-oauth2/omniauth-azure-oauth2.gemspec
new file mode 100644
index 00000000000..6e1bc583881
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/omniauth-azure-oauth2.gemspec
@@ -0,0 +1,25 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path(File.join('..', 'lib', 'omniauth', 'azure_oauth2', 'version'), __FILE__)
+
+Gem::Specification.new do |gem|
+ gem.authors = ["Mark Nadig"]
+ gem.email = ["mark@nadigs.net"]
+ gem.description = %q{An Windows Azure Active Directory OAuth2 strategy for OmniAuth}
+ gem.summary = %q{An Windows Azure Active Directory OAuth2 strategy for OmniAuth}
+ gem.homepage = "https://github.com/KonaTeam/omniauth-azure-oauth2"
+
+ gem.files = Dir.glob("lib/**/*.*")
+ gem.test_files = Dir.glob("spec/**/**/*.*")
+ gem.name = "omniauth-azure-oauth2"
+ gem.require_paths = ["lib"]
+ gem.version = OmniAuth::AzureOauth2::VERSION
+ gem.license = "MIT"
+
+ gem.add_runtime_dependency 'omniauth', '~> 1.0', '< 3'
+ gem.add_dependency 'jwt', ['>= 1.0', '< 3.0']
+
+ gem.add_runtime_dependency 'omniauth-oauth2', '~> 1.4'
+
+ gem.add_development_dependency 'rspec', '>= 2.14.0'
+ gem.add_development_dependency 'rake'
+end
diff --git a/vendor/gems/omniauth-azure-oauth2/spec/omniauth/strategies/azure_oauth2_spec.rb b/vendor/gems/omniauth-azure-oauth2/spec/omniauth/strategies/azure_oauth2_spec.rb
new file mode 100644
index 00000000000..d171d88ac6c
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/spec/omniauth/strategies/azure_oauth2_spec.rb
@@ -0,0 +1,332 @@
+require 'spec_helper'
+require 'omniauth-azure-oauth2'
+
+module OmniAuth
+ module Strategies
+ module JWT; end
+ end
+end
+
+describe OmniAuth::Strategies::AzureOauth2 do
+ let(:request) { double('Request', :params => {}, :cookies => {}, :env => {}) }
+ let(:app) {
+ lambda do
+ [200, {}, ["Hello."]]
+ end
+ }
+
+ before do
+ OmniAuth.config.test_mode = true
+ end
+
+ after do
+ OmniAuth.config.test_mode = false
+ end
+
+ describe 'static configuration' do
+ let(:options) { @options || {} }
+ subject do
+ OmniAuth::Strategies::AzureOauth2.new(app, {client_id: 'id', client_secret: 'secret', tenant_id: 'tenant'}.merge(options))
+ end
+
+ describe '#client' do
+ it 'has correct authorize url' do
+ allow(subject).to receive(:request) { request }
+ expect(subject.client.options[:authorize_url]).to eql('https://login.microsoftonline.com/tenant/oauth2/authorize')
+ end
+
+ it 'has correct authorize params' do
+ allow(subject).to receive(:request) { request }
+ subject.client
+ expect(subject.authorize_params[:domain_hint]).to be_nil
+ end
+
+ it 'has correct token url' do
+ allow(subject).to receive(:request) { request }
+ expect(subject.client.options[:token_url]).to eql('https://login.microsoftonline.com/tenant/oauth2/token')
+ end
+
+ describe "overrides" do
+ it 'should override domain_hint' do
+ @options = {domain_hint: 'hint'}
+ allow(subject).to receive(:request) { request }
+ subject.client
+ expect(subject.authorize_params[:domain_hint]).to eql('hint')
+ end
+ end
+ end
+
+ end
+
+ describe 'static configuration - german' do
+ let(:options) { @options || {} }
+ subject do
+ OmniAuth::Strategies::AzureOauth2.new(app, {client_id: 'id', client_secret: 'secret', tenant_id: 'tenant', base_azure_url: 'https://login.microsoftonline.de'}.merge(options))
+ end
+
+ describe '#client' do
+ it 'has correct authorize url' do
+ allow(subject).to receive(:request) { request }
+ expect(subject.client.options[:authorize_url]).to eql('https://login.microsoftonline.de/tenant/oauth2/authorize')
+ end
+
+ it 'has correct authorize params' do
+ allow(subject).to receive(:request) { request }
+ subject.client
+ expect(subject.authorize_params[:domain_hint]).to be_nil
+ end
+
+ it 'has correct token url' do
+ allow(subject).to receive(:request) { request }
+ expect(subject.client.options[:token_url]).to eql('https://login.microsoftonline.de/tenant/oauth2/token')
+ end
+
+ it 'has correct token params' do
+ allow(subject).to receive(:request) { request }
+ subject.client
+ expect(subject.token_params[:resource]).to eql('00000002-0000-0000-c000-000000000000')
+ end
+
+ describe "overrides" do
+ it 'should override domain_hint' do
+ @options = {domain_hint: 'hint'}
+ allow(subject).to receive(:request) { request }
+ subject.client
+ expect(subject.authorize_params[:domain_hint]).to eql('hint')
+ end
+ end
+ end
+ end
+
+ describe 'static common configuration' do
+ let(:options) { @options || {} }
+ subject do
+ OmniAuth::Strategies::AzureOauth2.new(app, {client_id: 'id', client_secret: 'secret'}.merge(options))
+ end
+
+ before do
+ allow(subject).to receive(:request) { request }
+ end
+
+ describe '#client' do
+ it 'has correct authorize url' do
+ expect(subject.client.options[:authorize_url]).to eql('https://login.microsoftonline.com/common/oauth2/authorize')
+ end
+
+ it 'has correct token url' do
+ expect(subject.client.options[:token_url]).to eql('https://login.microsoftonline.com/common/oauth2/token')
+ end
+ end
+ end
+
+ describe 'dynamic configuration' do
+ let(:provider_klass) {
+ Class.new {
+ def initialize(strategy)
+ end
+
+ def client_id
+ 'id'
+ end
+
+ def client_secret
+ 'secret'
+ end
+
+ def tenant_id
+ 'tenant'
+ end
+
+ def authorize_params
+ { custom_option: 'value' }
+ end
+ }
+ }
+
+ subject do
+ OmniAuth::Strategies::AzureOauth2.new(app, provider_klass)
+ end
+
+ before do
+ allow(subject).to receive(:request) { request }
+ end
+
+ describe '#client' do
+ it 'has correct authorize url' do
+ expect(subject.client.options[:authorize_url]).to eql('https://login.microsoftonline.com/tenant/oauth2/authorize')
+ end
+
+ it 'has correct authorize params' do
+ subject.client
+ expect(subject.authorize_params[:domain_hint]).to be_nil
+ expect(subject.authorize_params[:custom_option]).to eql('value')
+ end
+
+ it 'has correct token url' do
+ expect(subject.client.options[:token_url]).to eql('https://login.microsoftonline.com/tenant/oauth2/token')
+ end
+
+ it 'has correct token params' do
+ subject.client
+ expect(subject.token_params[:resource]).to eql('00000002-0000-0000-c000-000000000000')
+ end
+
+ # todo: how to get this working?
+ # describe "overrides" do
+ # it 'should override domain_hint' do
+ # provider_klass.domain_hint = 'hint'
+ # subject.client
+ # expect(subject.authorize_params[:domain_hint]).to eql('hint')
+ # end
+ # end
+ end
+
+ end
+
+ describe 'dynamic configuration - german' do
+ let(:provider_klass) {
+ Class.new {
+ def initialize(strategy)
+ end
+
+ def client_id
+ 'id'
+ end
+
+ def client_secret
+ 'secret'
+ end
+
+ def tenant_id
+ 'tenant'
+ end
+
+ def base_azure_url
+ 'https://login.microsoftonline.de'
+ end
+ }
+ }
+
+ subject do
+ OmniAuth::Strategies::AzureOauth2.new(app, provider_klass)
+ end
+
+ before do
+ allow(subject).to receive(:request) { request }
+ end
+
+ describe '#client' do
+ it 'has correct authorize url' do
+ expect(subject.client.options[:authorize_url]).to eql('https://login.microsoftonline.de/tenant/oauth2/authorize')
+ end
+
+ it 'has correct authorize params' do
+ subject.client
+ expect(subject.authorize_params[:domain_hint]).to be_nil
+ end
+
+ it 'has correct token url' do
+ expect(subject.client.options[:token_url]).to eql('https://login.microsoftonline.de/tenant/oauth2/token')
+ end
+
+ it 'has correct token params' do
+ subject.client
+ expect(subject.token_params[:resource]).to eql('00000002-0000-0000-c000-000000000000')
+ end
+
+ # todo: how to get this working?
+ # describe "overrides" do
+ # it 'should override domain_hint' do
+ # provider_klass.domain_hint = 'hint'
+ # subject.client
+ # expect(subject.authorize_params[:domain_hint]).to eql('hint')
+ # end
+ # end
+ end
+
+ end
+
+ describe 'dynamic common configuration' do
+ let(:provider_klass) {
+ Class.new {
+ def initialize(strategy)
+ end
+
+ def client_id
+ 'id'
+ end
+
+ def client_secret
+ 'secret'
+ end
+ }
+ }
+
+ subject do
+ OmniAuth::Strategies::AzureOauth2.new(app, provider_klass)
+ end
+
+ before do
+ allow(subject).to receive(:request) { request }
+ end
+
+ describe '#client' do
+ it 'has correct authorize url' do
+ expect(subject.client.options[:authorize_url]).to eql('https://login.microsoftonline.com/common/oauth2/authorize')
+ end
+
+ it 'has correct token url' do
+ expect(subject.client.options[:token_url]).to eql('https://login.microsoftonline.com/common/oauth2/token')
+ end
+ end
+ end
+
+ describe "raw_info" do
+ subject do
+ OmniAuth::Strategies::AzureOauth2.new(app, {client_id: 'id', client_secret: 'secret'})
+ end
+
+ let(:token) do
+ JWT.encode({"some" => "payload"}, "secret")
+ end
+
+ let(:access_token) do
+ double(:token => token)
+ end
+
+ before do
+ allow(subject).to receive(:access_token) { access_token }
+ allow(subject).to receive(:request) { request }
+ end
+
+ it "does not clash if JWT strategy is used" do
+ expect do
+ subject.info
+ end.to_not raise_error
+ end
+ end
+
+ describe 'token_params' do
+ let(:strategy) { OmniAuth::Strategies::AzureOauth2.new(app, client_id: 'id', client_secret: 'secret') }
+ let(:request) { double('Request', env: env) }
+ let(:env) { {} }
+
+ subject { strategy.token_params }
+
+ before { allow(strategy).to receive(:request).and_return request }
+
+ it { is_expected.to be_a OmniAuth::Strategy::Options }
+ it 'has default resource' do
+ expect(subject.resource).to eq '00000002-0000-0000-c000-000000000000'
+ end
+
+ context 'when custom crm url' do
+ let(:crm_url) { 'https://mydomain.crm.dynamics.com/' }
+ let(:env) { { 'omniauth.params' => { 'azure_resource' => crm_url } } }
+
+ it 'has resource from url params' do
+ expect(subject.resource).to eq crm_url
+ end
+ end
+ end
+end
diff --git a/vendor/gems/omniauth-azure-oauth2/spec/spec_helper.rb b/vendor/gems/omniauth-azure-oauth2/spec/spec_helper.rb
new file mode 100644
index 00000000000..9d0890421a2
--- /dev/null
+++ b/vendor/gems/omniauth-azure-oauth2/spec/spec_helper.rb
@@ -0,0 +1,2 @@
+require File.join('bundler', 'setup')
+require 'rspec'
\ No newline at end of file
diff --git a/vendor/gems/omniauth_crowd/.gitlab-ci.yml b/vendor/gems/omniauth_crowd/.gitlab-ci.yml
index 1ad51409803..08a5da1a3d1 100644
--- a/vendor/gems/omniauth_crowd/.gitlab-ci.yml
+++ b/vendor/gems/omniauth_crowd/.gitlab-ci.yml
@@ -4,7 +4,7 @@ workflow:
.rspec:
cache:
- key: omniauth-gitlab-ruby
+ key: omniauth_crowd
paths:
- vendor/gems/omniauth_crowd/vendor/ruby
before_script:
diff --git a/workhorse/go.mod b/workhorse/go.mod
index 18dba215038..e2191c1a749 100644
--- a/workhorse/go.mod
+++ b/workhorse/go.mod
@@ -129,6 +129,7 @@ exclude (
// CVE-2021-42576
github.com/microcosm-cc/bluemonday v1.0.2
+ github.com/nats-io/jwt v0.3.0
// CVE-2020-26892
github.com/nats-io/nats-server/v2 v2.1.2
diff --git a/workhorse/go.sum b/workhorse/go.sum
index e98e18e96e5..d143f62f812 100644
--- a/workhorse/go.sum
+++ b/workhorse/go.sum
@@ -873,7 +873,6 @@ github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb/go.mod h1:wL8QJ
github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
-github.com/nats-io/jwt v0.3.0/go.mod h1:fRYCDE99xlTsqUzISS1Bi75UBJ6ljOJQOAAu5VglpSg=
github.com/nats-io/nats.go v1.8.1/go.mod h1:BrFz9vVn0fU3AcH9Vn4Kd7W0NpJ651tD5omQ3M8LwxM=
github.com/nats-io/nats.go v1.9.1/go.mod h1:ZjDU1L/7fJ09jvUSRVBR2e7+RnLiiIQyqyzEE/Zbp4w=
github.com/nats-io/nkeys v0.0.2/go.mod h1:dab7URMsZm6Z/jp9Z5UGa87Uutgc2mVpXLC4B7TDb/4=
diff --git a/yarn.lock b/yarn.lock
index 137b5fdc073..c143f007aec 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2488,7 +2488,7 @@ acorn-walk@^8.0.0:
resolved "https://registry.yarnpkg.com/acorn-walk/-/acorn-walk-8.0.2.tgz#d4632bfc63fd93d0f15fd05ea0e984ffd3f5a8c3"
integrity sha512-+bpA9MJsHdZ4bgfDcpk0ozQyhhVct7rzOmO0s1IIr0AGGgKBljss8n2zp11rRP2wid5VGeh04CgeKzgat5/25A==
-acorn@^6.3.0, acorn@^6.4.1:
+acorn@^6.4.1:
version "6.4.2"
resolved "https://registry.yarnpkg.com/acorn/-/acorn-6.4.2.tgz#35866fd710528e92de10cf06016498e47e39e1e6"
integrity sha512-XtGIhXwF8YM8bJhGxG5kXgjkEuNGLTkoYqVE+KMR+aspr4KGYmKYg7yUe3KghyQ9yheNwLnjmzh/7+gfDBmHCQ==