Add latest changes from gitlab-org/gitlab@master

.gitlab/CODEOWNERS

@@ -26,3 +26,10 @@ lib/gitlab/github_import/ @gitlab-org/maintainers/database
 /lib/gitlab/ci/templates/Security/ @plafoucriere @gonzoyumo @twoodham @sethgitlab
 /ee/app/models/project_alias.rb @patrickbajao
 /ee/lib/api/project_aliases.rb @patrickbajao
+
+# Engineering Productivity owned files
+/.gitlab-ci.yml @gl-quality/eng-prod
+/.gitlab/ci/ @gl-quality/eng-prod
+Dangerfile @gl-quality/eng-prod
+/danger/ @gl-quality/eng-prod
+/scripts/ @gl-quality/eng-prod

app/controllers/projects/git_http_controller.rb

@@ -6,10 +6,10 @@ class Projects::GitHttpController < Projects::GitHttpClientController
   before_action :access_check
   prepend_before_action :deny_head_requests, only: [:info_refs]
 
-  rescue_from Gitlab::GitAccess::UnauthorizedError, with: :render_403
-  rescue_from Gitlab::GitAccess::NotFoundError, with: :render_404
-  rescue_from Gitlab::GitAccess::ProjectCreationError, with: :render_422
-  rescue_from Gitlab::GitAccess::TimeoutError, with: :render_503
+  rescue_from Gitlab::GitAccess::UnauthorizedError, with: :render_403_with_exception
+  rescue_from Gitlab::GitAccess::NotFoundError, with: :render_404_with_exception
+  rescue_from Gitlab::GitAccess::ProjectCreationError, with: :render_422_with_exception
+  rescue_from Gitlab::GitAccess::TimeoutError, with: :render_503_with_exception
 
   # GET /foo/bar.git/info/refs?service=git-upload-pack (git pull)
   # GET /foo/bar.git/info/refs?service=git-receive-pack (git push)
@@ -58,19 +58,19 @@ class Projects::GitHttpController < Projects::GitHttpClientController
     render json: Gitlab::Workhorse.git_http_ok(repository, repo_type, user, action_name)
   end
 
-  def render_403(exception)
+  def render_403_with_exception(exception)
     render plain: exception.message, status: :forbidden
   end
 
-  def render_404(exception)
+  def render_404_with_exception(exception)
     render plain: exception.message, status: :not_found
   end
 
-  def render_422(exception)
+  def render_422_with_exception(exception)
     render plain: exception.message, status: :unprocessable_entity
   end
 
-  def render_503(exception)
+  def render_503_with_exception(exception)
     render plain: exception.message, status: :service_unavailable
   end
 

app/helpers/diff_helper.rb

@@ -60,11 +60,16 @@ module DiffHelper
     if line.blank?
       " ".html_safe
     else
-      # We can't use `sub` because the HTML-safeness of `line` will not survive.
-      line[0] = '' if line.start_with?('+', '-', ' ')
+      # `sub` and substring-ing would destroy HTML-safeness of `line`
+      if line.start_with?('+', '-', ' ')
+        line.dup.tap do |line|
+          line[0] = ''
+        end
+      else
         line
       end
     end
+  end
 
   def parallel_diff_discussions(left, right, diff_file)
     return unless @grouped_diff_discussions

app/models/namespace.rb

@@ -316,6 +316,12 @@ class Namespace < ApplicationRecord
     Pages::VirtualDomain.new(all_projects_with_pages, trim_prefix: full_path)
   end
 
+  def closest_setting(name)
+    self_and_ancestors(hierarchy_order: :asc)
+      .find { |n| !n.read_attribute(name).nil? }
+      .try(name)
+  end
+
   private
 
   def all_projects_with_pages

app/models/project.rb

@@ -2250,8 +2250,23 @@ class Project < ApplicationRecord
     Pages::LookupPath.new(self, trim_prefix: trim_prefix, domain: domain)
   end
 
+  def closest_setting(name)
+    setting = read_attribute(name)
+    setting = closest_namespace_setting(name) if setting.nil?
+    setting = app_settings_for(name) if setting.nil?
+    setting
+  end
+
   private
 
+  def closest_namespace_setting(name)
+    namespace.closest_setting(name)
+  end
+
+  def app_settings_for(name)
+    Gitlab::CurrentSettings.send(name) # rubocop:disable GitlabSecurity/PublicSend
+  end
+
   def merge_requests_allowing_collaboration(source_branch = nil)
     relation = source_of_merge_requests.opened.where(allow_collaboration: true)
     relation = relation.where(source_branch: source_branch) if source_branch

lib/api/helpers.rb

@@ -350,7 +350,7 @@ module API
       render_api_error!(message || '409 Conflict', 409)
     end
 
-    def file_to_large!
+    def file_too_large!
       render_api_error!('413 Request Entity Too Large', 413)
     end
 

lib/api/helpers/runner.rb

@@ -59,8 +59,9 @@ module API
         token && job.valid_token?(token)
       end
 
-      def max_artifacts_size
-        Gitlab::CurrentSettings.max_artifacts_size.megabytes.to_i
+      def max_artifacts_size(job)
+        max_size = job.project.closest_setting(:max_artifacts_size)
+        max_size.megabytes.to_i
       end
 
       def job_forbidden!(job, reason)

lib/api/runner.rb

@@ -221,14 +221,16 @@ module API
         job = authenticate_job!
         forbidden!('Job is not running') unless job.running?
 
+        max_size = max_artifacts_size(job)
+
         if params[:filesize]
           file_size = params[:filesize].to_i
-          file_to_large! unless file_size < max_artifacts_size
+          file_too_large! unless file_size < max_size
         end
 
         status 200
         content_type Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE
-        JobArtifactUploader.workhorse_authorize(has_length: false, maximum_size: max_artifacts_size)
+        JobArtifactUploader.workhorse_authorize(has_length: false, maximum_size: max_size)
       end
 
       desc 'Upload artifacts for job' do
@@ -268,7 +270,7 @@ module API
         metadata = UploadedFile.from_params(params, :metadata, JobArtifactUploader.workhorse_local_upload_path)
 
         bad_request!('Missing artifacts file!') unless artifacts
-        file_to_large! unless artifacts.size < max_artifacts_size
+        file_too_large! unless artifacts.size < max_artifacts_size(job)
 
         expire_in = params['expire_in'] ||
           Gitlab::CurrentSettings.current_application_settings.default_artifacts_expire_in

spec/config/smime_signature_settings_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe SmimeSignatureSettings do

spec/controllers/projects/git_http_controller_spec.rb

@@ -22,5 +22,30 @@ describe Projects::GitHttpController do
 
       expect(response.status).to eq(401)
     end
+
+    context 'with exceptions' do
+      let(:project) { create(:project, :public, :repository) }
+
+      before do
+        allow(controller).to receive(:verify_workhorse_api!).and_return(true)
+      end
+
+      it 'returns 503 with GRPC Unavailable' do
+        allow(controller).to receive(:access_check).and_raise(GRPC::Unavailable)
+
+        get :info_refs, params: { service: 'git-upload-pack', namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
+
+        expect(response.status).to eq(503)
+      end
+
+      it 'returns 503 with timeout error' do
+        allow(controller).to receive(:access_check).and_raise(Gitlab::GitAccess::TimeoutError)
+
+        get :info_refs, params: { service: 'git-upload-pack', namespace_id: project.namespace.to_param, project_id: project.path + '.git' }
+
+        expect(response.status).to eq(503)
+        expect(response.body).to eq 'Gitlab::GitAccess::TimeoutError'
+      end
+    end
   end
 end

spec/helpers/diff_helper_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe DiffHelper do

spec/models/namespace_spec.rb

@@ -954,4 +954,52 @@ describe Namespace do
       expect(group.has_parent?).to be_falsy
     end
   end
+
+  describe '#closest_setting' do
+    using RSpec::Parameterized::TableSyntax
+
+    shared_examples_for 'fetching closest setting' do
+      let!(:root_namespace) { create(:namespace) }
+      let!(:namespace) { create(:namespace, parent: root_namespace) }
+
+      let(:setting) { namespace.closest_setting(setting_name) }
+
+      before do
+        root_namespace.update_attribute(setting_name, root_setting)
+        namespace.update_attribute(setting_name, child_setting)
+      end
+
+      it 'returns closest non-nil value' do
+        expect(setting).to eq(result)
+      end
+    end
+
+    context 'when setting is of non-boolean type' do
+      where(:root_setting, :child_setting, :result) do
+        100 | 200 | 200
+        100 | nil | 100
+        nil | nil | nil
+      end
+
+      with_them do
+        let(:setting_name) { :max_artifacts_size }
+
+        it_behaves_like 'fetching closest setting'
+      end
+    end
+
+    context 'when setting is of boolean type' do
+      where(:root_setting, :child_setting, :result) do
+        true | false | false
+        true | nil   | true
+        nil  | nil   | nil
+      end
+
+      with_them do
+        let(:setting_name) { :lfs_enabled }
+
+        it_behaves_like 'fetching closest setting'
+      end
+    end
+  end
 end

spec/models/project_spec.rb

@@ -5121,6 +5121,53 @@ describe Project do
     end
   end
 
+  describe '#closest_setting' do
+    using RSpec::Parameterized::TableSyntax
+
+    shared_examples_for 'fetching closest setting' do
+      let!(:namespace) { create(:namespace) }
+      let!(:project) { create(:project, namespace: namespace) }
+
+      let(:setting_name) { :some_setting }
+      let(:setting) { project.closest_setting(setting_name) }
+
+      before do
+        allow(project).to receive(:read_attribute).with(setting_name).and_return(project_setting)
+        allow(namespace).to receive(:closest_setting).with(setting_name).and_return(group_setting)
+        allow(Gitlab::CurrentSettings).to receive(setting_name).and_return(global_setting)
+      end
+
+      it 'returns closest non-nil value' do
+        expect(setting).to eq(result)
+      end
+    end
+
+    context 'when setting is of non-boolean type' do
+      where(:global_setting, :group_setting, :project_setting, :result) do
+        100 | 200 | 300 | 300
+        100 | 200 | nil | 200
+        100 | nil | nil | 100
+        nil | nil | nil | nil
+      end
+
+      with_them do
+        it_behaves_like 'fetching closest setting'
+      end
+    end
+
+    context 'when setting is of boolean type' do
+      where(:global_setting, :group_setting, :project_setting, :result) do
+        true | true  | false | false
+        true | false | nil   | false
+        true | nil   | nil   | true
+      end
+
+      with_them do
+        it_behaves_like 'fetching closest setting'
+      end
+    end
+  end
+
   def rugged_config
     rugged_repo(project.repository).config
   end

spec/requests/api/runner_spec.rb

@@ -308,7 +308,9 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
   end
 
   describe '/api/v4/jobs' do
-    let(:project) { create(:project, shared_runners_enabled: false) }
+    let(:root_namespace) { create(:namespace) }
+    let(:namespace) { create(:namespace, parent: root_namespace) }
+    let(:project) { create(:project, namespace: namespace, shared_runners_enabled: false) }
     let(:pipeline) { create(:ci_pipeline_without_jobs, project: project, ref: 'master') }
     let(:runner) { create(:ci_runner, :project, projects: [project]) }
     let(:job) do
@@ -1412,15 +1414,57 @@ describe API::Runner, :clean_gitlab_redis_shared_state do
             end
           end
 
-          it 'fails to post too large artifact' do
-            stub_application_setting(max_artifacts_size: 0)
+          context 'when artifact is too large' do
+            let(:sample_max_size) { 100 }
 
-            authorize_artifacts_with_token_in_params(filesize: 100)
+            shared_examples_for 'rejecting too large artifacts' do
+              it 'fails to post' do
+                authorize_artifacts_with_token_in_params(filesize: sample_max_size.megabytes.to_i)
 
                 expect(response).to have_gitlab_http_status(413)
               end
             end
 
+            context 'based on application setting' do
+              before do
+                stub_application_setting(max_artifacts_size: sample_max_size)
+              end
+
+              it_behaves_like 'rejecting too large artifacts'
+            end
+
+            context 'based on root namespace setting' do
+              before do
+                stub_application_setting(max_artifacts_size: 200)
+                root_namespace.update!(max_artifacts_size: sample_max_size)
+              end
+
+              it_behaves_like 'rejecting too large artifacts'
+            end
+
+            context 'based on child namespace setting' do
+              before do
+                stub_application_setting(max_artifacts_size: 200)
+                root_namespace.update!(max_artifacts_size: 200)
+                namespace.update!(max_artifacts_size: sample_max_size)
+              end
+
+              it_behaves_like 'rejecting too large artifacts'
+            end
+
+            context 'based on project setting' do
+              before do
+                stub_application_setting(max_artifacts_size: 200)
+                root_namespace.update!(max_artifacts_size: 200)
+                namespace.update!(max_artifacts_size: 200)
+                project.update!(max_artifacts_size: sample_max_size)
+              end
+
+              it_behaves_like 'rejecting too large artifacts'
+            end
+          end
+        end
+
         context 'when using token as header' do
           it 'authorizes posting artifacts to running job' do
             authorize_artifacts_with_token_in_headers

spec/views/admin/dashboard/index.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'admin/dashboard/index.html.haml' do

spec/views/admin/sessions/new.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'admin/sessions/new.html.haml' do

spec/views/ci/status/_badge.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'ci/status/_badge' do

spec/views/dashboard/projects/_blank_state_admin_welcome.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'dashboard/projects/_blank_state_admin_welcome.html.haml' do

spec/views/dashboard/projects/_nav.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'dashboard/projects/_nav.html.haml' do

spec/views/devise/shared/_signin_box.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'devise/shared/_signin_box' do

spec/views/errors/access_denied.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'errors/access_denied' do

spec/views/events/event/_push.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'events/event/_push.html.haml' do

spec/views/groups/_home_panel.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'groups/_home_panel' do

spec/views/groups/edit.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'groups/edit.html.haml' do

spec/views/help/instance_configuration.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'help/instance_configuration' do

spec/views/layouts/_head.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'layouts/_head' do

spec/views/layouts/nav/sidebar/_admin.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'layouts/nav/sidebar/_admin' do

spec/views/layouts/nav/sidebar/_project.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'layouts/nav/sidebar/_project' do

spec/views/notify/pipeline_failed_email.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'notify/pipeline_failed_email.html.haml' do

spec/views/notify/pipeline_success_email.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'notify/pipeline_success_email.html.haml' do

spec/views/profiles/show.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'profiles/show' do

spec/views/projects/_home_panel.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/_home_panel' do

spec/views/projects/blob/_viewer.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/blob/_viewer.html.haml' do

spec/views/projects/buttons/_dropdown.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/buttons/_dropdown' do

spec/views/projects/ci/lints/show.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/ci/lints/show' do

spec/views/projects/commit/_commit_box.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/commit/_commit_box.html.haml' do

spec/views/projects/commit/branches.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/commit/branches.html.haml' do

spec/views/projects/commit/show.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/commit/show.html.haml' do

spec/views/projects/commits/_commit.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/commits/_commit.html.haml' do

spec/views/projects/diffs/_stats.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/diffs/_stats.html.haml' do

spec/views/projects/diffs/_viewer.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/diffs/_viewer.html.haml' do

spec/views/projects/edit.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/edit' do

spec/views/projects/environments/terminal.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/environments/terminal' do

spec/views/projects/imports/new.html.haml_spec.rb

+# frozen_string_literal: true
+
 require "spec_helper"
 
 describe "projects/imports/new.html.haml" do

spec/views/projects/issues/_related_branches.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/issues/_related_branches' do

spec/views/projects/jobs/_build.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/ci/jobs/_build' do

spec/views/projects/jobs/_generic_commit_status.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/generic_commit_statuses/_generic_commit_status.html.haml' do

spec/views/projects/jobs/show.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/jobs/show' do

spec/views/projects/merge_requests/_commits.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/merge_requests/_commits.html.haml' do

spec/views/projects/merge_requests/creations/_new_submit.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/merge_requests/creations/_new_submit.html.haml' do

spec/views/projects/merge_requests/diffs/_diffs.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/merge_requests/diffs/_diffs.html.haml' do

spec/views/projects/merge_requests/edit.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/merge_requests/edit.html.haml' do

spec/views/projects/merge_requests/show.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/merge_requests/show.html.haml' do

spec/views/projects/notes/_more_actions_dropdown.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/notes/_more_actions_dropdown' do

spec/views/projects/pages_domains/show.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/pages_domains/show' do

spec/views/projects/pipeline_schedules/_pipeline_schedule.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/pipeline_schedules/_pipeline_schedule' do

spec/views/projects/pipelines/_stage.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/pipelines/_stage' do

spec/views/projects/services/_form.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/services/_form' do

spec/views/projects/settings/ci_cd/_autodevops_form.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/settings/ci_cd/_autodevops_form' do

spec/views/projects/tags/index.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/tags/index' do

spec/views/projects/tree/_tree_row.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/tree/_tree_row' do

spec/views/projects/tree/show.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'projects/tree/show' do

spec/views/shared/milestones/_issuable.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'shared/milestones/_issuable.html.haml' do

spec/views/shared/milestones/_issuables.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'shared/milestones/_issuables.html.haml' do

spec/views/shared/milestones/_top.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'shared/milestones/_top.html.haml' do

spec/views/shared/notes/_form.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'shared/notes/_form' do

spec/views/shared/projects/_project.html.haml_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe 'shared/projects/_project.html.haml' do

spec/workers/update_project_statistics_worker_spec.rb

+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe UpdateProjectStatisticsWorker do