From 5595a2eca7eb1fd60c536df5a90984678a120d35 Mon Sep 17 00:00:00 2001 From: Sruthi Chandran Date: Wed, 13 Mar 2019 22:55:13 +0530 Subject: [PATCH] New upstream version 11.8.2 --- CHANGELOG.md | 42 ++ VERSION | 2 +- .../behaviors/markdown/render_mermaid.js | 19 + .../mr_widget_options.vue | 2 +- .../stylesheets/pages/merge_requests.scss | 1 - app/controllers/concerns/milestone_actions.rb | 2 +- .../google_api/authorizations_controller.rb | 32 +- .../profiles/active_sessions_controller.rb | 11 +- .../autocomplete_sources_controller.rb | 2 + app/controllers/projects/commit_controller.rb | 6 +- .../projects/group_links_controller.rb | 5 +- app/finders/merge_requests_finder.rb | 9 +- app/graphql/types/project_type.rb | 2 - app/mailers/emails/issues.rb | 1 + app/models/active_session.rb | 6 +- app/models/clusters/platforms/kubernetes.rb | 2 +- app/models/concerns/issuable.rb | 11 + app/models/concerns/milestoneish.rb | 23 +- app/models/merge_request.rb | 9 +- app/models/merge_request_diff.rb | 2 + app/models/project.rb | 2 +- app/models/project_feature.rb | 15 +- .../project_services/prometheus_service.rb | 6 +- app/policies/group_policy.rb | 5 +- app/policies/project_policy.rb | 4 +- app/services/issuable_base_service.rb | 6 + app/services/issues/build_service.rb | 4 +- app/services/merge_requests/build_service.rb | 1 + .../projects/group_links/create_service.rb | 10 +- app/uploaders/file_mover.rb | 8 + app/validators/sha_validator.rb | 9 + app/views/notify/issue_moved_email.html.haml | 11 +- app/views/notify/issue_moved_email.text.erb | 4 + .../active_sessions/_active_session.html.haml | 6 - .../viewers/_dependency_manager.html.haml | 5 - .../shared/milestones/_milestone.html.haml | 2 +- app/views/shared/milestones/_tabs.html.haml | 6 +- config/routes/git_http.rb | 2 +- doc/administration/index.md | 2 +- doc/administration/merge_request_diffs.md | 33 +- doc/install/requirements.md | 2 +- doc/user/profile/active_sessions.md | 8 +- doc/user/profile/img/active_sessions_list.png | Bin 22266 -> 19360 bytes lib/api/commits.rb | 10 +- lib/api/entities.rb | 9 +- lib/api/environments.rb | 8 +- lib/api/helpers/notes_helpers.rb | 14 +- lib/api/helpers/runner.rb | 2 +- lib/api/projects.rb | 39 +- lib/api/release/links.rb | 2 + lib/constraints/project_url_constrainer.rb | 3 +- lib/gitlab/dependency_linker/base_linker.rb | 18 + .../dependency_linker/composer_json_linker.rb | 4 +- .../dependency_linker/gemfile_linker.rb | 30 +- .../dependency_linker/gemspec_linker.rb | 2 +- lib/gitlab/dependency_linker/method_linker.rb | 10 +- lib/gitlab/dependency_linker/package.rb | 19 + .../dependency_linker/package_json_linker.rb | 19 +- .../dependency_linker/parser/gemfile.rb | 40 ++ .../dependency_linker/podfile_linker.rb | 11 +- .../dependency_linker/podspec_linker.rb | 2 +- .../import_export/merge_request_parser.rb | 11 + lib/gitlab/import_export/shared.rb | 2 +- lib/gitlab/kubernetes/kube_client.rb | 8 + locale/gitlab.pot | 3 + qa/Gemfile | 1 + qa/Gemfile.lock | 3 + .../push_mirroring_over_http_spec.rb | 3 +- qa/spec/spec_helper.rb | 12 + qa/spec/spec_helper_spec.rb | 51 ++ .../dashboard/milestones_controller_spec.rb | 2 +- .../authorizations_controller_spec.rb | 60 +- .../groups/shared_projects_controller_spec.rb | 2 + .../autocomplete_sources_controller_spec.rb | 37 ++ .../projects/group_links_controller_spec.rb | 37 ++ spec/controllers/snippets_controller_spec.rb | 4 + spec/features/issues_spec.rb | 4 +- .../merge_request/user_sees_versions_spec.rb | 6 +- .../user_lists_merge_requests_spec.rb | 4 +- .../features/profiles/active_sessions_spec.rb | 48 +- .../features/projects/blobs/blob_show_spec.rb | 5 +- .../projects/members/invite_group_spec.rb | 2 + .../settings/user_manages_group_links_spec.rb | 1 + .../security/group/private_access_spec.rb | 25 + spec/finders/merge_requests_finder_spec.rb | 566 +++++++++++------- .../project_url_constrainer_spec.rb | 4 + .../composer_json_linker_spec.rb | 4 +- .../dependency_linker/gemfile_linker_spec.rb | 9 +- .../dependency_linker/gemspec_linker_spec.rb | 4 +- .../package_json_linker_spec.rb | 18 +- .../dependency_linker/parser/gemfile_spec.rb | 42 ++ .../dependency_linker/podfile_linker_spec.rb | 5 +- .../dependency_linker/podspec_linker_spec.rb | 4 +- .../merge_request_parser_spec.rb | 16 + spec/lib/gitlab/import_export/shared_spec.rb | 10 + .../lib/gitlab/kubernetes/kube_client_spec.rb | 30 + spec/mailers/notify_spec.rb | 56 +- spec/models/active_session_spec.rb | 5 +- .../clusters/platforms/kubernetes_spec.rb | 16 + spec/models/concerns/issuable_spec.rb | 97 ++- spec/models/concerns/milestoneish_spec.rb | 142 ++++- spec/models/issue/metrics_spec.rb | 6 +- spec/models/merge_request_diff_spec.rb | 14 +- spec/models/milestone_spec.rb | 8 +- .../prometheus_service_spec.rb | 63 +- spec/models/project_spec.rb | 10 + spec/policies/commit_policy_spec.rb | 53 ++ spec/policies/group_policy_spec.rb | 36 +- spec/policies/note_policy_spec.rb | 94 ++- spec/policies/project_policy_spec.rb | 20 +- spec/requests/api/commits_spec.rb | 15 +- spec/requests/api/issues_spec.rb | 2 +- spec/requests/api/projects_spec.rb | 71 ++- spec/requests/api/release/links_spec.rb | 16 + spec/requests/api/runner_spec.rb | 9 + spec/requests/git_http_spec.rb | 134 +++-- .../common_system_notes_service_spec.rb | 4 +- spec/services/issues/build_service_spec.rb | 76 +-- spec/services/issues/update_service_spec.rb | 6 +- .../merge_requests/build_service_spec.rb | 9 + .../merge_requests/update_service_spec.rb | 6 +- .../group_links/create_service_spec.rb | 8 + spec/support/helpers/file_mover_helpers.rb | 12 + .../issuable_shared_examples.rb | 2 +- .../requests/api/discussions.rb | 31 + spec/uploaders/file_mover_spec.rb | 33 +- spec/validators/sha_validator_spec.rb | 40 ++ .../_merge_requests_status.html.haml_spec.rb | 6 + ..._pipeline_for_merge_request_worker_spec.rb | 2 +- 129 files changed, 2040 insertions(+), 687 deletions(-) create mode 100644 app/validators/sha_validator.rb create mode 100644 lib/gitlab/dependency_linker/package.rb create mode 100644 lib/gitlab/dependency_linker/parser/gemfile.rb create mode 100644 spec/controllers/projects/autocomplete_sources_controller_spec.rb create mode 100644 spec/lib/gitlab/dependency_linker/parser/gemfile_spec.rb create mode 100644 spec/policies/commit_policy_spec.rb create mode 100644 spec/support/helpers/file_mover_helpers.rb create mode 100644 spec/validators/sha_validator_spec.rb diff --git a/CHANGELOG.md b/CHANGELOG.md index feda5e0835..ef2ce0ab52 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,48 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.8.2 (2019-03-13) + +### Security (1 change) + +- Fixed ability to see private groups by users not belonging to given group. + +### Fixed (5 changes) + +- Fix import_jid error on project import. !25239 +- Properly handle multiple X-Forwarded-For addresses in runner IP. !25511 +- Fix error when viewing group issue boards when user doesn't have explicit group permissions. !25524 +- Fix method to mark a project repository as writable. !25546 +- Allow project members to see private group if the project is in the group namespace. + + +## 11.8.1 (2019-02-28) + +### Security (21 changes) + +- Stop linking to unrecognized package sources. !55518 +- Don't allow non-members to see private related MRs. +- Do not display impersonated sessions under active sessions and remove ability to revoke session. +- Display only information visible to current user on the Milestone page. +- Show only merge requests visible to user on milestone detail page. +- Disable issue boards API when issues are disabled. +- Don't show new issue link after move when a user does not have permissions. +- Fix git clone revealing private repo's presence. +- Fix blind SSRF in Prometheus integration by checking URL before querying. +- Check snippet attached file to be moved is within designated directory. +- Check if desired milestone for an issue is available. +- Fix arbitrary file read via diffs during import. +- Display the correct number of MRs a user has access to. +- Forbid creating discussions for users with restricted access. +- Do not disclose milestone titles for unauthorized users. +- Validate session key when authorizing with GCP to create a cluster. +- Block local URLs for Kubernetes integration. +- Limit mermaid rendering to 5K characters. +- Remove the possibility to share a project with a group that a user is not a member of. +- Fix leaking private repository information in API. +- Prevent releases links API to leak tag existance. + + ## 11.8.0 (2019-02-22) ### Security (7 changes, 1 of them is from the community) diff --git a/VERSION b/VERSION index 897063bb32..95da6166f2 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -11.8.0 +11.8.2 diff --git a/app/assets/javascripts/behaviors/markdown/render_mermaid.js b/app/assets/javascripts/behaviors/markdown/render_mermaid.js index 35380ca49f..798114b4b0 100644 --- a/app/assets/javascripts/behaviors/markdown/render_mermaid.js +++ b/app/assets/javascripts/behaviors/markdown/render_mermaid.js @@ -1,4 +1,5 @@ import flash from '~/flash'; +import { sprintf, __ } from '../../locale'; // Renders diagrams and flowcharts from text using Mermaid in any element with the // `js-render-mermaid` class. @@ -14,6 +15,9 @@ import flash from '~/flash'; // // +// This is an arbitary number; Can be iterated upon when suitable. +const MAX_CHAR_LIMIT = 5000; + export default function renderMermaid($els) { if (!$els.length) return; @@ -34,6 +38,21 @@ export default function renderMermaid($els) { $els.each((i, el) => { const source = el.textContent; + /** + * Restrict the rendering to a certain amount of character to + * prevent mermaidjs from hanging up the entire thread and + * causing a DoS. + */ + if (source && source.length > MAX_CHAR_LIMIT) { + el.textContent = sprintf( + __( + 'Cannot render the image. Maximum character count (%{charLimit}) has been exceeded.', + ), + { charLimit: MAX_CHAR_LIMIT }, + ); + return; + } + // Remove any extra spans added by the backend syntax highlighting. Object.assign(el, { textContent: source }); diff --git a/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue b/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue index abbbe19c5e..57c4dfbe3b 100644 --- a/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue +++ b/app/assets/javascripts/vue_merge_request_widget/mr_widget_options.vue @@ -315,7 +315,7 @@ export default { :endpoint="mr.testResultsPath" /> -
+
diff --git a/app/assets/stylesheets/pages/merge_requests.scss b/app/assets/stylesheets/pages/merge_requests.scss index 790d438c7e..5624ac5192 100644 --- a/app/assets/stylesheets/pages/merge_requests.scss +++ b/app/assets/stylesheets/pages/merge_requests.scss @@ -82,7 +82,6 @@ } .mr-widget-body, -.mr-widget-section, .mr-widget-content, .mr-widget-footer { padding: $gl-padding; diff --git a/app/controllers/concerns/milestone_actions.rb b/app/controllers/concerns/milestone_actions.rb index eccbe35577..c0c0160a82 100644 --- a/app/controllers/concerns/milestone_actions.rb +++ b/app/controllers/concerns/milestone_actions.rb @@ -8,7 +8,7 @@ module MilestoneActions format.html { redirect_to milestone_redirect_path } format.json do render json: tabs_json("shared/milestones/_merge_requests_tab", { - merge_requests: @milestone.sorted_merge_requests, # rubocop:disable Gitlab/ModuleWithInstanceVariables + merge_requests: @milestone.sorted_merge_requests(current_user), # rubocop:disable Gitlab/ModuleWithInstanceVariables show_project_name: true }) end diff --git a/app/controllers/google_api/authorizations_controller.rb b/app/controllers/google_api/authorizations_controller.rb index dd9f5af61b..ed0995e7ff 100644 --- a/app/controllers/google_api/authorizations_controller.rb +++ b/app/controllers/google_api/authorizations_controller.rb @@ -2,6 +2,10 @@ module GoogleApi class AuthorizationsController < ApplicationController + include Gitlab::Utils::StrongMemoize + + before_action :validate_session_key! + def callback token, expires_at = GoogleApi::CloudPlatform::Client .new(nil, callback_google_api_auth_url) @@ -11,21 +15,27 @@ module GoogleApi session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at] = expires_at.to_s - state_redirect_uri = redirect_uri_from_session_key(params[:state]) - - if state_redirect_uri - redirect_to state_redirect_uri - else - redirect_to root_path - end + redirect_to redirect_uri_from_session end private - def redirect_uri_from_session_key(state) - key = GoogleApi::CloudPlatform::Client - .session_key_for_redirect_uri(params[:state]) - session[key] if key + def validate_session_key! + access_denied! unless redirect_uri_from_session.present? + end + + def redirect_uri_from_session + strong_memoize(:redirect_uri_from_session) do + if params[:state].present? + session[session_key_for_redirect_uri(params[:state])] + else + nil + end + end + end + + def session_key_for_redirect_uri(state) + GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(state) end end end diff --git a/app/controllers/profiles/active_sessions_controller.rb b/app/controllers/profiles/active_sessions_controller.rb index efe7ede5ef..c473023cac 100644 --- a/app/controllers/profiles/active_sessions_controller.rb +++ b/app/controllers/profiles/active_sessions_controller.rb @@ -2,15 +2,6 @@ class Profiles::ActiveSessionsController < Profiles::ApplicationController def index - @sessions = ActiveSession.list(current_user) - end - - def destroy - ActiveSession.destroy(current_user, params[:id]) - - respond_to do |format| - format.html { redirect_to profile_active_sessions_url, status: :found } - format.js { head :ok } - end + @sessions = ActiveSession.list(current_user).reject(&:is_impersonated) end end diff --git a/app/controllers/projects/autocomplete_sources_controller.rb b/app/controllers/projects/autocomplete_sources_controller.rb index 9c130af839..0e3f13045c 100644 --- a/app/controllers/projects/autocomplete_sources_controller.rb +++ b/app/controllers/projects/autocomplete_sources_controller.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true class Projects::AutocompleteSourcesController < Projects::ApplicationController + before_action :authorize_read_milestone!, only: :milestones + def members render json: ::Projects::ParticipantsService.new(@project, current_user).execute(target) end diff --git a/app/controllers/projects/commit_controller.rb b/app/controllers/projects/commit_controller.rb index b13c0ae396..939a09d4fd 100644 --- a/app/controllers/projects/commit_controller.rb +++ b/app/controllers/projects/commit_controller.rb @@ -65,7 +65,11 @@ class Projects::CommitController < Projects::ApplicationController # rubocop: enable CodeReuse/ActiveRecord def merge_requests - @merge_requests = @commit.merge_requests.map do |mr| + @merge_requests = MergeRequestsFinder.new( + current_user, + project_id: @project.id, + commit_sha: @commit.sha + ).execute.map do |mr| { iid: mr.iid, path: merge_request_path(mr), title: mr.title } end diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb index 7c713c1976..bc942ba928 100644 --- a/app/controllers/projects/group_links_controller.rb +++ b/app/controllers/projects/group_links_controller.rb @@ -13,9 +13,10 @@ class Projects::GroupLinksController < Projects::ApplicationController group = Group.find(params[:link_group_id]) if params[:link_group_id].present? if group - return render_404 unless can?(current_user, :read_group, group) + result = Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group) + return render_404 if result[:http_status] == 404 - Projects::GroupLinks::CreateService.new(project, current_user, group_link_create_params).execute(group) + flash[:alert] = result[:message] if result[:http_status] == 409 else flash[:alert] = 'Please select a group.' end diff --git a/app/finders/merge_requests_finder.rb b/app/finders/merge_requests_finder.rb index b645011a3c..93bee3f148 100644 --- a/app/finders/merge_requests_finder.rb +++ b/app/finders/merge_requests_finder.rb @@ -37,13 +37,20 @@ class MergeRequestsFinder < IssuableFinder end def filter_items(_items) - items = by_source_branch(super) + items = by_commit(super) + items = by_source_branch(items) items = by_wip(items) by_target_branch(items) end private + def by_commit(items) + return items unless params[:commit_sha].presence + + items.by_commit_sha(params[:commit_sha]) + end + def source_branch @source_branch ||= params[:source_branch].presence end diff --git a/app/graphql/types/project_type.rb b/app/graphql/types/project_type.rb index 050706f97b..587e55c611 100644 --- a/app/graphql/types/project_type.rb +++ b/app/graphql/types/project_type.rb @@ -16,7 +16,6 @@ module Types field :description, GraphQL::STRING_TYPE, null: true - field :default_branch, GraphQL::STRING_TYPE, null: true field :tag_list, GraphQL::STRING_TYPE, null: true field :ssh_url_to_repo, GraphQL::STRING_TYPE, null: true @@ -59,7 +58,6 @@ module Types end field :import_status, GraphQL::STRING_TYPE, null: true - field :ci_config_path, GraphQL::STRING_TYPE, null: true field :only_allow_merge_if_pipeline_succeeds, GraphQL::BOOLEAN_TYPE, null: true field :request_access_enabled, GraphQL::BOOLEAN_TYPE, null: true diff --git a/app/mailers/emails/issues.rb b/app/mailers/emails/issues.rb index 654ae21131..d2e334fb85 100644 --- a/app/mailers/emails/issues.rb +++ b/app/mailers/emails/issues.rb @@ -74,6 +74,7 @@ module Emails @new_issue = new_issue @new_project = new_issue.project + @can_access_project = recipient.can?(:read_project, @new_project) mail_answer_thread(issue, issue_thread_options(updated_by_user.id, recipient.id, reason)) end diff --git a/app/models/active_session.rb b/app/models/active_session.rb index 0d9c6a4a1f..1e01f1d17e 100644 --- a/app/models/active_session.rb +++ b/app/models/active_session.rb @@ -5,7 +5,8 @@ class ActiveSession attr_accessor :created_at, :updated_at, :session_id, :ip_address, - :browser, :os, :device_name, :device_type + :browser, :os, :device_name, :device_type, + :is_impersonated def current?(session) return false if session_id.nil? || session.id.nil? @@ -31,7 +32,8 @@ class ActiveSession device_type: client.device_type, created_at: user.current_sign_in_at || timestamp, updated_at: timestamp, - session_id: session_id + session_id: session_id, + is_impersonated: request.session[:impersonator_id].present? ) redis.pipelined do diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb index c8969351ed..0e5928550e 100644 --- a/app/models/clusters/platforms/kubernetes.rb +++ b/app/models/clusters/platforms/kubernetes.rb @@ -41,7 +41,7 @@ module Clusters validate :no_namespace, unless: :allow_user_defined_namespace? # We expect to be `active?` only when enabled and cluster is created (the api_url is assigned) - validates :api_url, url: true, presence: true + validates :api_url, public_url: true, presence: true validates :token, presence: true validate :prevent_modification, on: :update diff --git a/app/models/concerns/issuable.rb b/app/models/concerns/issuable.rb index 0a77fbeba0..8918dc8f41 100644 --- a/app/models/concerns/issuable.rb +++ b/app/models/concerns/issuable.rb @@ -74,6 +74,7 @@ module Issuable validates :author, presence: true validates :title, presence: true, length: { maximum: 255 } + validate :milestone_is_valid scope :authored, ->(user) { where(author_id: user) } scope :recent, -> { reorder(id: :desc) } @@ -117,6 +118,16 @@ module Issuable def has_multiple_assignees? assignees.count > 1 end + + def milestone_available? + project_id == milestone&.project_id || project.ancestors_upto.compact.include?(milestone&.group) + end + + private + + def milestone_is_valid + errors.add(:milestone_id, message: "is invalid") if milestone_id.present? && !milestone_available? + end end class_methods do diff --git a/app/models/concerns/milestoneish.rb b/app/models/concerns/milestoneish.rb index 055ffe0464..e65bbb8ca0 100644 --- a/app/models/concerns/milestoneish.rb +++ b/app/models/concerns/milestoneish.rb @@ -46,12 +46,31 @@ module Milestoneish end end + def issue_participants_visible_by_user(user) + User.joins(:issue_assignees) + .where('issue_assignees.issue_id' => issues_visible_to_user(user).select(:id)) + .distinct + end + + def issue_labels_visible_by_user(user) + Label.joins(:label_links) + .where('label_links.target_id' => issues_visible_to_user(user).select(:id), 'label_links.target_type' => 'Issue') + .distinct + end + def sorted_issues(user) issues_visible_to_user(user).preload_associations.sort_by_attribute('label_priority') end - def sorted_merge_requests - merge_requests.sort_by_attribute('label_priority') + def sorted_merge_requests(user) + merge_requests_visible_to_user(user).sort_by_attribute('label_priority') + end + + def merge_requests_visible_to_user(user) + memoize_per_user(user, :merge_requests_visible_to_user) do + MergeRequestsFinder.new(user, issues_finder_params) + .execute.where(milestone_id: milestoneish_id) + end end def upcoming? diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb index 52cf151b70..0e49fd3c62 100644 --- a/app/models/merge_request.rb +++ b/app/models/merge_request.rb @@ -71,7 +71,7 @@ class MergeRequest < ActiveRecord::Base serialize :merge_params, Hash # rubocop:disable Cop/ActiveRecordSerialize - after_create :ensure_merge_request_diff, unless: :importing? + after_create :ensure_merge_request_diff after_update :clear_memoized_shas after_update :reload_diff_if_branch_changed after_save :ensure_metrics @@ -189,6 +189,9 @@ class MergeRequest < ActiveRecord::Base after_save :keep_around_commit + alias_attribute :project, :target_project + alias_attribute :project_id, :target_project_id + def self.reference_prefix '!' end @@ -837,10 +840,6 @@ class MergeRequest < ActiveRecord::Base target_project != source_project end - def project - target_project - end - # If the merge request closes any issues, save this information in the # `MergeRequestsClosingIssues` model. This is a performance optimization. # Calculating this information for a number of merge requests requires diff --git a/app/models/merge_request_diff.rb b/app/models/merge_request_diff.rb index 712347e76e..481be2da8a 100644 --- a/app/models/merge_request_diff.rb +++ b/app/models/merge_request_diff.rb @@ -25,6 +25,8 @@ class MergeRequestDiff < ActiveRecord::Base has_many :merge_request_diff_commits, -> { order(:merge_request_diff_id, :relative_order) } + validates :base_commit_sha, :head_commit_sha, :start_commit_sha, sha: true + state_machine :state, initial: :empty do event :clean do transition any => :without_files diff --git a/app/models/project.rb b/app/models/project.rb index 8f746f6e09..daa018d6f8 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -1830,7 +1830,7 @@ class Project < ActiveRecord::Base # Set repository as writable again def set_repository_writable! with_lock do - update_column(repository_read_only, false) + update_column(:repository_read_only, false) end end diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb index f700090a49..e6787236c4 100644 --- a/app/models/project_feature.rb +++ b/app/models/project_feature.rb @@ -76,7 +76,7 @@ class ProjectFeature < ActiveRecord::Base # This feature might not be behind a feature flag at all, so default to true return false unless ::Feature.enabled?(feature, user, default_enabled: true) - get_permission(user, access_level(feature)) + get_permission(user, feature) end def access_level(feature) @@ -134,12 +134,12 @@ class ProjectFeature < ActiveRecord::Base (FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")} end - def get_permission(user, level) - case level + def get_permission(user, feature) + case access_level(feature) when DISABLED false when PRIVATE - user && (project.team.member?(user) || user.full_private_access?) + team_access?(user, feature) when ENABLED true when PUBLIC @@ -148,4 +148,11 @@ class ProjectFeature < ActiveRecord::Base true end end + + def team_access?(user, feature) + return unless user + return true if user.full_private_access? + + project.team.member?(user, ProjectFeature.required_minimum_access_level(feature)) + end end diff --git a/app/models/project_services/prometheus_service.rb b/app/models/project_services/prometheus_service.rb index 60cb2d380d..c68a9d923c 100644 --- a/app/models/project_services/prometheus_service.rb +++ b/app/models/project_services/prometheus_service.rb @@ -71,7 +71,7 @@ class PrometheusService < MonitoringService end def prometheus_client - RestClient::Resource.new(api_url, max_redirects: 0) if api_url && manual_configuration? && active? + RestClient::Resource.new(api_url, max_redirects: 0) if should_return_client? end def prometheus_available? @@ -83,6 +83,10 @@ class PrometheusService < MonitoringService private + def should_return_client? + api_url && manual_configuration? && active? && valid? + end + def synchronize_service_state self.active = prometheus_available? || manual_configuration? diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index c25766a5af..db49d3bed9 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -26,7 +26,7 @@ class GroupPolicy < BasePolicy condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) } condition(:has_projects) do - GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true }).execute.any? + GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true, only_owned: true }).execute.any? end condition(:has_clusters, scope: :subject) { clusterable_has_clusters? } @@ -53,8 +53,9 @@ class GroupPolicy < BasePolicy rule { admin }.enable :read_group rule { has_projects }.policy do - enable :read_group + enable :read_list enable :read_label + enable :read_group end rule { has_access }.enable :read_namespace diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index cadbc5ae00..85143c5d33 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -299,6 +299,8 @@ class ProjectPolicy < BasePolicy rule { issues_disabled }.policy do prevent(*create_read_update_admin_destroy(:issue)) + prevent(*create_read_update_admin_destroy(:board)) + prevent(*create_read_update_admin_destroy(:list)) end rule { merge_requests_disabled | repository_disabled }.policy do @@ -462,7 +464,7 @@ class ProjectPolicy < BasePolicy when ProjectFeature::DISABLED false when ProjectFeature::PRIVATE - guest? || admin? + admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature) else true end diff --git a/app/services/issuable_base_service.rb b/app/services/issuable_base_service.rb index ef991eaf23..1e1f2fbd08 100644 --- a/app/services/issuable_base_service.rb +++ b/app/services/issuable_base_service.rb @@ -387,4 +387,10 @@ class IssuableBaseService < BaseService def parent project end + + # we need to check this because milestone from milestone_id param is displayed on "new" page + # where private project milestone could leak without this check + def ensure_milestone_available(issuable) + issuable.milestone_id = nil unless issuable.milestone_available? + end end diff --git a/app/services/issues/build_service.rb b/app/services/issues/build_service.rb index 52b45f1b2c..77724e7897 100644 --- a/app/services/issues/build_service.rb +++ b/app/services/issues/build_service.rb @@ -6,7 +6,9 @@ module Issues def execute filter_resolve_discussion_params - @issue = project.issues.new(issue_params) + @issue = project.issues.new(issue_params).tap do |issue| + ensure_milestone_available(issue) + end end def issue_params_with_info_from_discussions diff --git a/app/services/merge_requests/build_service.rb b/app/services/merge_requests/build_service.rb index 48419da98a..109c964e57 100644 --- a/app/services/merge_requests/build_service.rb +++ b/app/services/merge_requests/build_service.rb @@ -19,6 +19,7 @@ module MergeRequests merge_request.target_project = find_target_project merge_request.target_branch = find_target_branch merge_request.can_be_created = projects_and_branches_valid? + ensure_milestone_available(merge_request) # compare branches only if branches are valid, otherwise # compare_branches may raise an error diff --git a/app/services/projects/group_links/create_service.rb b/app/services/projects/group_links/create_service.rb index 1392775f80..e3d5bea085 100644 --- a/app/services/projects/group_links/create_service.rb +++ b/app/services/projects/group_links/create_service.rb @@ -4,13 +4,19 @@ module Projects module GroupLinks class CreateService < BaseService def execute(group) - return false unless group + return error('Not Found', 404) unless group && can?(current_user, :read_namespace, group) - project.project_group_links.create( + link = project.project_group_links.new( group: group, group_access: params[:link_group_access], expires_at: params[:expires_at] ) + + if link.save + success(link: link) + else + error(link.errors.full_messages.to_sentence, 409) + end end end end diff --git a/app/uploaders/file_mover.rb b/app/uploaders/file_mover.rb index a7f8615e9b..236b7ed2b3 100644 --- a/app/uploaders/file_mover.rb +++ b/app/uploaders/file_mover.rb @@ -11,6 +11,8 @@ class FileMover end def execute + return unless valid? + move if update_markdown @@ -21,6 +23,12 @@ class FileMover private + def valid? + Pathname.new(temp_file_path).realpath.to_path.start_with?( + (Pathname(temp_file_uploader.root) + temp_file_uploader.base_dir).to_path + ) + end + def move FileUtils.mkdir_p(File.dirname(file_path)) FileUtils.move(temp_file_path, file_path) diff --git a/app/validators/sha_validator.rb b/app/validators/sha_validator.rb new file mode 100644 index 0000000000..085fca4d65 --- /dev/null +++ b/app/validators/sha_validator.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +class ShaValidator < ActiveModel::EachValidator + def validate_each(record, attribute, value) + return if value.blank? || value.match(/\A\h{40}\z/) + + record.errors.add(attribute, 'is not a valid SHA') + end +end diff --git a/app/views/notify/issue_moved_email.html.haml b/app/views/notify/issue_moved_email.html.haml index 472c31e9a5..b766cb1a52 100644 --- a/app/views/notify/issue_moved_email.html.haml +++ b/app/views/notify/issue_moved_email.html.haml @@ -1,6 +1,9 @@ %p Issue was moved to another project. -%p - New issue: - = link_to project_issue_url(@new_project, @new_issue) do - = @new_issue.title +- if @can_access_project + %p + New issue: + = link_to project_issue_url(@new_project, @new_issue) do + = @new_issue.title +- else + You don't have access to the project. diff --git a/app/views/notify/issue_moved_email.text.erb b/app/views/notify/issue_moved_email.text.erb index 66ede43635..985e689aa9 100644 --- a/app/views/notify/issue_moved_email.text.erb +++ b/app/views/notify/issue_moved_email.text.erb @@ -1,4 +1,8 @@ Issue was moved to another project. +<% if @can_access_project %> New issue location: <%= project_issue_url(@new_project, @new_issue) %> +<% else %> +You don't have access to the project. +<% end %> diff --git a/app/views/profiles/active_sessions/_active_session.html.haml b/app/views/profiles/active_sessions/_active_session.html.haml index 23ef31a0c8..2bf514d72a 100644 --- a/app/views/profiles/active_sessions/_active_session.html.haml +++ b/app/views/profiles/active_sessions/_active_session.html.haml @@ -23,9 +23,3 @@ %strong Signed in on = l(active_session.created_at, format: :short) - - - unless is_current_session - .float-right - = link_to profile_active_session_path(active_session.session_id), data: { confirm: 'Are you sure? The device will be signed out of GitLab.' }, method: :delete, class: "btn btn-danger prepend-left-10" do - %span.sr-only Revoke - Revoke diff --git a/app/views/projects/blob/viewers/_dependency_manager.html.haml b/app/views/projects/blob/viewers/_dependency_manager.html.haml index 87aa7c1dbf..5970d41fda 100644 --- a/app/views/projects/blob/viewers/_dependency_manager.html.haml +++ b/app/views/projects/blob/viewers/_dependency_manager.html.haml @@ -3,9 +3,4 @@ This project manages its dependencies using %strong= viewer.manager_name - - if viewer.package_name - and defines a #{viewer.package_type} named - %strong< - = link_to_if viewer.package_url.present?, viewer.package_name, viewer.package_url, target: '_blank', rel: 'noopener noreferrer' - = link_to 'Learn more', viewer.manager_url, target: '_blank', rel: 'noopener noreferrer' diff --git a/app/views/shared/milestones/_milestone.html.haml b/app/views/shared/milestones/_milestone.html.haml index 40b8374848..e75f0a184e 100644 --- a/app/views/shared/milestones/_milestone.html.haml +++ b/app/views/shared/milestones/_milestone.html.haml @@ -32,7 +32,7 @@ = milestone_progress_bar(milestone) = link_to pluralize(milestone.total_issues_count(current_user), 'Issue'), issues_path · - = link_to pluralize(milestone.merge_requests.size, 'Merge Request'), merge_requests_path + = link_to pluralize(milestone.merge_requests_visible_to_user(current_user).size, 'Merge Request'), merge_requests_path .float-lg-right.light #{milestone.percent_complete(current_user)}% complete .col-sm-2 .milestone-actions.d-flex.justify-content-sm-start.justify-content-md-end diff --git a/app/views/shared/milestones/_tabs.html.haml b/app/views/shared/milestones/_tabs.html.haml index 55460acab8..b877f66c71 100644 --- a/app/views/shared/milestones/_tabs.html.haml +++ b/app/views/shared/milestones/_tabs.html.haml @@ -12,7 +12,7 @@ %li.nav-item = link_to '#tab-merge-requests', class: 'nav-link', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do Merge Requests - %span.badge.badge-pill= milestone.merge_requests.size + %span.badge.badge-pill= milestone.merge_requests_visible_to_user(current_user).size - else %li.nav-item = link_to '#tab-merge-requests', class: 'nav-link active', 'data-toggle' => 'tab', 'data-endpoint': milestone_merge_request_tab_path(milestone) do @@ -21,11 +21,11 @@ %li.nav-item = link_to '#tab-participants', class: 'nav-link', 'data-toggle' => 'tab', 'data-endpoint': milestone_participants_tab_path(milestone) do Participants - %span.badge.badge-pill= milestone.participants.count + %span.badge.badge-pill= milestone.issue_participants_visible_by_user(current_user).count %li.nav-item = link_to '#tab-labels', class: 'nav-link', 'data-toggle' => 'tab', 'data-endpoint': milestone_labels_tab_path(milestone) do Labels - %span.badge.badge-pill= milestone.labels.count + %span.badge.badge-pill= milestone.issue_labels_visible_by_user(current_user).count - issues = milestone.sorted_issues(current_user) - show_project_name = local_assigns.fetch(:show_project_name, false) diff --git a/config/routes/git_http.rb b/config/routes/git_http.rb index ec5c68f81d..a959d40881 100644 --- a/config/routes/git_http.rb +++ b/config/routes/git_http.rb @@ -40,7 +40,7 @@ scope(path: '*namespace_id/:project_id', # /info/refs?service=git-receive-pack, but nothing else. # git_http_handshake = lambda do |request| - ::Constraints::ProjectUrlConstrainer.new.matches?(request) && + ::Constraints::ProjectUrlConstrainer.new.matches?(request, existence_check: false) && (request.query_string.blank? || request.query_string.match(/\Aservice=git-(upload|receive)-pack\z/)) end diff --git a/doc/administration/index.md b/doc/administration/index.md index 12fec2753b..683c4921f3 100644 --- a/doc/administration/index.md +++ b/doc/administration/index.md @@ -48,7 +48,7 @@ Learn how to install, configure, update, and maintain your GitLab instance. - [Third party offers](../user/admin_area/settings/third_party_offers.md) - [Compliance](compliance.md): A collection of features from across the application that you may configure to help ensure that your GitLab instance and DevOps workflow meet compliance standards. - [Diff limits](../user/admin_area/diff_limits.md): Configure the diff rendering size limits of branch comparison pages. -- [Merge request diffs](merge_request_diffs.md): Configure the diffs shown on merge requests +- [Merge request diffs storage](merge_request_diffs.md): Configure merge requests diffs external storage. - [Broadcast Messages](../user/admin_area/broadcast_messages.md): Send messages to GitLab users through the UI. #### Customizing GitLab's appearance diff --git a/doc/administration/merge_request_diffs.md b/doc/administration/merge_request_diffs.md index 94620c3d3a..c34a9519ac 100644 --- a/doc/administration/merge_request_diffs.md +++ b/doc/administration/merge_request_diffs.md @@ -1,7 +1,6 @@ -# Merge request diffs administration +# Merge request diffs storage **[CORE ONLY]** -> **Notes:** -> - External merge request diffs introduced in GitLab 11.8 +> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/52568) in GitLab 11.8. Merge request diffs are size-limited copies of diffs associated with merge requests. When viewing a merge request, diffs are sourced from these copies @@ -16,9 +15,7 @@ large, in which case, switching to external storage is recommended. Merge request diffs can be stored on disk, or in object storage. In general, it is better to store the diffs in the database than on disk. -To enable external storage of merge request diffs: - ---- +To enable external storage of merge request diffs, follow the instructions below. **In Omnibus installations:** @@ -29,17 +26,15 @@ To enable external storage of merge request diffs: ``` 1. _The external diffs will be stored in in - `/var/opt/gitlab/gitlab-rails/shared/external-diffs`._ To change the path, - for example to `/mnt/storage/external-diffs`, edit `/etc/gitlab/gitlab.rb` + `/var/opt/gitlab/gitlab-rails/shared/external-diffs`._ To change the path, + for example, to `/mnt/storage/external-diffs`, edit `/etc/gitlab/gitlab.rb` and add the following line: ```ruby gitlab_rails['external_diffs_storage_path'] = "/mnt/storage/external-diffs" ``` -1. Save the file and [reconfigure GitLab][] for the changes to take effect. - ---- +1. Save the file and [reconfigure GitLab](restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect. **In installations from source:** @@ -52,7 +47,7 @@ To enable external storage of merge request diffs: ``` 1. _The external diffs will be stored in - `/home/git/gitlab/shared/external-diffs`._ To change the path, for example + `/home/git/gitlab/shared/external-diffs`._ To change the path, for example, to `/mnt/storage/external-diffs`, edit `/home/git/gitlab/config/gitlab.yml` and add or amend the following lines: @@ -62,18 +57,18 @@ To enable external storage of merge request diffs: storage_path: /mnt/storage/external-diffs ``` -1. Save the file and [restart GitLab][] for the changes to take effect. +1. Save the file and [restart GitLab](restart_gitlab.md#installations-from-source) for the changes to take effect. ### Using object storage -Instead of storing the external diffs on disk, we recommended you use an object +Instead of storing the external diffs on disk, we recommended the use of an object store like AWS S3 instead. This configuration relies on valid AWS credentials to be configured already. ### Object Storage Settings For source installations, these settings are nested under `external_diffs:` and -then `object_store:`. On omnibus installs, they are prefixed by +then `object_store:`. On Omnibus installations, they are prefixed by `external_diffs_object_store_`. | Setting | Description | Default | @@ -118,7 +113,7 @@ The connection settings match those provided by [Fog](https://github.com/fog), a } ``` - NOTE: if you are using AWS IAM profiles, be sure to omit the + Note that, if you are using AWS IAM profiles, be sure to omit the AWS access key and secret access key/value pairs. For example: ```ruby @@ -129,9 +124,7 @@ The connection settings match those provided by [Fog](https://github.com/fog), a } ``` -1. Save the file and [reconfigure GitLab][] for the changes to take effect. - ---- +1. Save the file and [reconfigure GitLab](restart_gitlab.md#omnibus-gitlab-reconfigure) for the changes to take effect. **In installations from source:** @@ -151,4 +144,4 @@ The connection settings match those provided by [Fog](https://github.com/fog), a region: eu-central-1 ``` -1. Save the file and [restart GitLab][] for the changes to take effect. +1. Save the file and [restart GitLab](restart_gitlab.md#installations-from-source) for the changes to take effect. diff --git a/doc/install/requirements.md b/doc/install/requirements.md index 1b7e0d1d0a..c1f2297f3b 100644 --- a/doc/install/requirements.md +++ b/doc/install/requirements.md @@ -33,7 +33,7 @@ Please consider using a virtual machine to run GitLab. ## Ruby versions -GitLab requires Ruby (MRI) 2.3. Support for Ruby versions below 2.3 (2.1, 2.2) will stop with GitLab 8.13. +GitLab requires Ruby (MRI) 2.5. Support for Ruby versions below 2.5 (2.3, 2.4) will stop with GitLab 11.6. You will have to use the standard MRI implementation of Ruby. We love [JRuby](https://www.jruby.org/) and [Rubinius](https://rubinius.com) but GitLab diff --git a/doc/user/profile/active_sessions.md b/doc/user/profile/active_sessions.md index 5119c0e30d..28e3f4904a 100644 --- a/doc/user/profile/active_sessions.md +++ b/doc/user/profile/active_sessions.md @@ -4,7 +4,7 @@ > in GitLab 10.8. GitLab lists all devices that have logged into your account. This allows you to -review the sessions and revoke any of it that you don't recognize. +review the sessions. ## Listing all active sessions @@ -12,9 +12,3 @@ review the sessions and revoke any of it that you don't recognize. 1. Navigate to the **Active Sessions** tab. ![Active sessions list](img/active_sessions_list.png) - -## Revoking a session - -1. Navigate to your [profile's](#profile-settings) **Settings > Active Sessions**. -1. Click on **Revoke** besides a session. The current session cannot be - revoked, as this would sign you out of GitLab. diff --git a/doc/user/profile/img/active_sessions_list.png b/doc/user/profile/img/active_sessions_list.png index 5d94dca69ccfded5543a6d1fc7413230faab0018..1e242ac47103c93d3f857db3ade6a05525317cb9 100644 GIT binary patch literal 19360 zcmc$`byOVR)-4LbnxKsYOOVDTXmAVe5FCPga1E}Z@!;;k-95OwJ3)fGyT2y+o%4O? z-fz73&%5J}0fXuuRlC++d)2PF=9-J3PqJbtukl|)K|!HNhzlz~LA?S)ez^cJkZ*zt z3Y;N-U`+&M1fZZQ!jT^I;2@ug4a5~>prBkSprE`VC*MK7^4@`h`pO6ewWkXO#gzaB zg=3TQQ=SJhklrV0C6VXn=exVRv$HcVFR$a{^AFmQT$`tb1B(9ocvp+QeipPQSzys{!Mukii*cS}plwzf7^RaI72R#8z= zH#fKY`}>KBiGzcK+1c5(wKZ8ex$*JwprD|ssVQb=W?fy~?CfkuCnslT=f1waot>Si zsHnKOxcK<^;o;%_{{EYrn~RGJJ3G7R=;-|Xd{a}?4<9~!{P^+b&z~kHUknWmIXF0! zm6fZjt0N;LpP!yuTU)iXwWXw_Mn*;g0|QS^PEym-j*gCsi;Ev0AJ^B{Gcz;&0|E~Z z59jCS8yg$1uC6>hJhHN~e*E~s$jB%uDap&r%f-dDv9a;#)2G|pTLuOO9v&WHVd15v zrOnOFoSYmN7uTAanu3A?c6N4eZ*P4AgYxq7uCA`;=H|qtq~PF?yu7^H+S-zm5+x<2 z-Q8UePp`4DvGeoug@uK$U%&eM`-_Q*`TF`+R8;iz^sun72nq_CTUe;6smaL5h)YOt zb8}BlP9`TO_xASw`t?glNGL2UOhrXSPfxGAyW7gjTK)6q#l=Md0fDNjs+5$JtGlPs zsaah;{oTXUv>%yKF>wbc7suz<^*@_;4o=oKcNbUIvvc!xboC@8C0p9N&adw;ZXPCP z=6eT*XXcj{mR2Wc7gpA`E^i-)$0iF)%1$qD%d2Wi$}8JCd%_~3Hg}Km3X4NR!#jKW zd-{h4N5*}8{cv${YwCVxWaaD~p8jlZi%(3Zrlv+fKtM)D24Y~q!op%~CDk#F9?U$hiLB{M%_7g*lyx48cLbyZvQ>(Kbv()#*X=aPHh5Cg*& zx);2CILOJe&9gmZI6`S++~KlC0xN+2Km8nq;F$s0?Pp*Sn zSuSifB&iVMria?5;9-D=HL-bCZ>y51Vm>~xSdId&5YPv}@iBTHC!Ip@<4RR@}GVSg*-`b2tmsgE=F!Zaqo&SVvR2*7p_G`fi z>QgkLOHDaArp+Bg$6TiuVd3)QwUUHVk0N5+cdm-;8AFLsUUL|UO98!Ob!Bj4d(@I>;E=eVN0kW% z=%AjSi&(++?buWGz>Xij zD;ja!lq-G7G!nIi^nt$!h#-i1B3fl)Gi@oG!CJ;neWJ{R5CL7TXC1qzs5*j#NjH(8Ty?DN!>bC#_ZM>Ers?X1b zwdOUG1$;L+ib2_Y?e>Ke@FJ{QGW6yO?3jv`@I|{Q>wZ_6A@K=Inxk!^v@!kPTRN){ zR@EUZgsq)_*=|HF7-@MWAw&`Xu%2pCnjJZuT9nQwqf$yeGB_?$&vQStobF==bSZJK#}gM^-Kmq`z+CWY*l+ofEigP6JU;*uf8&3K(0~S54 zfG(&4{Zafw6y29q)A!X%!liSgS^ho-uYk)9Kvr(S(HyBvrTkP{phpb_k0;|i>aa)C+&V?l+CbM6;U{wy%`&rd*( z=vK&G`6wW=t6Q_Kkgn&)D)|02&gbTNx`_MJLIENzOJ;o1$>dO7jRFB|jnMVA$+d67 z;vx$o;w){Lh8jqtWf-G)GAd)WdFRSP?Sw70%jF#+RPQTk=GnGEOmoDONiY_Hjex@; zqFYYy#jSU86@#aK%gf8|rRnPUbh-l-+bqL|qh+rWXbbt|;0&bmY>FYo9)wvky ziUdY{Rw}6%9iDT%yuv1hLO^EgtEM2(cXZT<^RE6kW>#IE!sfG+3SSP2E( z1(Sl+AOKoKjSx~^7#x6;D7>oO@^Gk{Rr@G{vOj~-`Pv-(*zM3`>#C!%<F2YavywcMS<`Z`q9lUw)+c1e1T%=`rdXe6EGL2 z@npvrpFQx5z{OhIr<(7hL5ATJYpRJ_e(zNVTbd|Z zW+GnWFeUX3BVx9HW_?b1Fj*c)QM38PFduZ_E!MZlS3>=!uG>PJlgAERm{2o?Q=ek^ zpkxUSid3mrTffZT)<`Dp6l4TW&A!53g&yAQ(s_$Mz`8R&3#EWU?yDPlM#7zuJCZPv zIr)3UTGE@GCWrj1+$hPmuHFyFAK1--Z!^p^MfwD;?)RmuEVW*t_wXh~p1fu+aR zacAn8rl&nh*zcidZIWjevK7>A`3zyr5I&EGyslo%k_Kl}NS*g2d%QwFX9{FAB+Et{ zR^Su675NacCo=!z_P0Cn<_Ar0K7+$%Xy94qPo_gZVR}J?=8xA&FP8-IVC~Tm}sqWpHNv1u&bAJ6{V4DU_db<%4>L3$wr5-0_RtnBN{1AbeYj5zGqPs8w$)jMJgI+(FO6S%Y7)>U*P2L2COkm2|%^zcHxi zROdtgFoNK3R79Yj4Y2j?F_aj>PLxP4lkF_%S?#^ihA)md@w>Cs@sKyz%J*gr`_%6x zu~A|p(Sh(dw!jf0dv%1mweacxzRUJKmK*FGSt4yO*X+i1SvpyAuU1Gqe|K`zz5c4y z7qjm9opM*I4&m$@8}eKjLC64sU~pZ^Zh3n2ekb~#0kA+`NaIYc=a86;|G;MndoBN4 znBihxASm;ZJC?-Ls6j?g%&ZSc&P)7szPQ0?Z~Kjt?UxXJI|h2ZsX3FJG>^-dPaWm-T*K@zyiD)%;pucp5pBJI#&zY_eHKGq7UA4%O$;FM!CU9x}nsDqL#Su%HbHLt?UIAC7hf{ImfJx*42aDkCr#1Z;t{JW7uBdFV|C}Z11G?Qi3kbKuL z%%mv9W%!Piz0jUkNkW$>^Zi#kyYM^IZ|BNxg+LeGJ*vHM&HO70I0d8JFiFoQUTqv} z#RFmGG)cl-fRyWi;({Dz)R*)X16~T25bN(?w~~VD0yWWoblGo>j%IClMu~Ypeh|CR z$OU7qCXVA+Qa2g+>vd;7aip0ps!eIcZLg=k7oiH_8SdamgY zj#hXGG4b;ICEwXCn)JI5dMcRgZ)>G5-3_@c1kxcM2vz5Vi5$tV2-vik$+2akO1~4y z+)tzoa}7+RVfm`GwhnZ1atS9DIaG(3n+@1xr`rgjv)_#WaNwj&*Xf=&#V+nq279{@ zLbf8yAnRwBW?uQ#o_5mRDWsb{I_>g6KuVATv9iB_Pkh3HwokFfLlfMr_!NdrEx16! z!0Gb2)T`nf8|tICInDo0tF{ zc4dfzeFjgZWIe(K;@3a6Sje%0&>&VDT}Fe8FVSOPtS;oedJa}RQhx?024Q8~Q22R9 zZeGiJN_2Xt8ig{hP@ zfK4?$H+8Ziek$6TzT+}^A=g<&_9NJwHEo3IjMq!>(p5Lhc4*t5#1~)`Inif#^k&Ob zBFF}ho3*-eux(BuV}%RK4w*j#h$9&%tKBzU(oA8y``j30dtFom(&?9~4m3g6(NubTBO+}PyJ$(p5g`v<#pl#6a1P{5a{7 zv58zX(`k2$?v!_836fyIG&}Xp-&lQcie-Sr>WhJqWZkph=xbaaR%g{2ewwbTOlv_W zzgGSII4lVU4?$i%(af^oMBeyOx9|aJ4+HkM>Mi1dHcQ_Oh2*EFm+jqe_!h>i^t7y+ zpQI#fiyGYFc=<Os<$<6I;8dFySW@v2n}n`y|LNTYbc+PGEKnp;E$v7OA;D!;dzE=pwg z{T9^8yoTYzxL~kgv6tS}LUcR6(m18E2 z9C?F;Pz>i&Mv3v5^t5IvfqU#-G z4>z_iIP~zzDe(1g3ta661dFn2!(HUdxsyUpF#5LzR{Yxp=2qrEo7DTE9#0LB!Z}S* zEfmP1n4~%^W{lpV@-OjBam>jHwQUC<*hYOq!(0MxGDXebWseI8A4#(1qJEEvxIO6M zJaShs=*zxpJXa06XpqqDc)+?%R&s`3P z&nk7tS=mCGCt!zj=#)2$$zaee%3}Hu0lO?%UCCPkTpW7`r>%O~vq^^MtyK^Z*2b#9 znfbo;xHJ9rT5+?XtXmQvtLCioZyGkMpDtJ{Zj+H=98S$`Pf^O?bEIjK;j2(I-d$Oc zcbsaI_R|ayV`gA(`2{mZYlnt{vY#>Oeh;gHhDN{H`zh`>yAZvVC7~^a&-D)oW?XbQ zFYo!8?hlqzlQad95K{PX?l^8Wm^h$ErjZsh+3Lpp{<9oIYz_+dOLs-WH;d4-3DoE8 zySZG0X(Fu52AiB*^b+lObu@IK)bH`vDAz`%v!A#f?M*3ldQ5s;> z;O79goBZMJou8j{F5Pv_>We7F!FqYg0jx8RAIKWI;X)T!{2O*VNXZxx9=|h$L!2<> z?&PsW!_O!>_QwsYEZEF{{owxMhpF4-?-c5KhPGOctdB{?5#G!qr~L zI&o_dNynx5m-gaAYOwec(RKBBF>RFaLvQN5 zzqDDahF2^gJsFl_NG`HfLTgk%Dh@74b;r+MEne#+4oi=tEE4%7?wG$!n8P3Cx?)@>Nnrd3RBZ#-f>Po8TDz2*Z*fW5&*y!&>XDpce@GlU?U!M!+GF}cmf|Ma0)7l? zVbK30!Qhw?PE!t{bdOtT#8SxvB|f#_82%2Fm;ThsCi{(}e?K;2Ym9i+~Kn z#{Dj)IgXm+gnFknO@;&yKk~RVwlHm1b(H&pOWw_zW z3sY*rs4ih~yHZy=k*tf5?$VwIqmNK5zQPGt^-Jr;!w3G#WUX-09&qy;aYCfSb_=I0fHV5yHqSnV@L0O)J97ku7z-wRj$jsUh2?c|kP% zjwb0CB=JD|pkS0tnkv()&Q7C}D&G{yNK{0ad^N0#Xc=)Yd$Qwha#3o41AOB_NU9~;a zskyd_Nd6>%8Fka3L&O=Qa8~_?j?1@*s^9oNk&+5E=bTjf+#3o?~oEkfD0~MrQ4Z_{dQAn$EMu@}!5-IyWpW1w?gq|sI z6U@p21fds$4Y@^>lzE{fvUSOYgHBQ!&1?LezTUj7S^=pCh0CWg^vyZonr5cHFKiGa zLx>jrcX^QraYiD{++sdlKww0!$8R+eyalNHo}d$aSigIw5&QQIz|qN%P*LLTl7U!y zNjdQmq_P;A26(?6^A=xvro(y;Cgi7WN zUREn&;tu#RyL@SJn2#>bK!1DgM009%nSE$+5Iil30vOKXqm18sGKGhzfRH;zvp!YH@|hEW`9a#7qrboU(5JIi)@ z=ZK?)OS^Y{q!jCYao>~J&2g&~n*Zlh_{BwX7$+4l$*x0C#$#2Jyu%uNH zG~bMG^ndL@A_4QUGP%{`rvY+BAReq&7)#!V*EqtOidzn=9>Gmx)R4Iis1BVyo_oiphsFieB z6%;P@5g91%v1u=4?@4$menvxTbC2XRJrpSHj7qktV8WrJ(mApVx+>rSZ-K}OUT=Zy z4W$&{tHIv%FDDE??{-HY)6 zScA*qmmg0QT_yZFJ-z7NN$gvH%r1tvU-ol<-rx79Gb*uGY;FGTZ+8 z$p_hwzAyrC2P(Fcln(g^7xy^%1U=ylZONX`@?-8clh#8~Gk3L09F3GpGXgc4uvLw; zY1Mfe!Gs@i=P@TMETh zdWu<1X3FINVrwLaXRw3E9FFcTywdgR4({(zxRe|hG~`;2o(I^ExtVl5kDv7nYK~9P zdLSOHHI3BaO%ONd4W)Q7x9dPVl==UUgCRnX{a@BYZ>AxU>C{buHbc3>I~Fq~M?64r zodwAAKiR%pf?Gc?J$jqI?eb$6AyVWfX_n=NT*mrwZciAtS!5d(e+|Mw%Fqd%p^=&E)ZO_^-XkuHy{S;a~oXXp&Y+Ivzsg zbuC{h4qUY6gL4Ml*2Nl2L<3KV%H}mqme20bo9Jf~p9`0kCR#35Dy=W?om@qFe$9B* zG7qP_udH$32CsNIj76P9^7n0R?>RkK&ud?LdECg*cO;MWV-W}26b5FupF-~cu)1}f z+A_=Uqw00DhTUqiPno{>dgCs<_Gx>o^^s=2VRtxviT}>8q?qLVAvMga)dgZj{_zUG zQK-kBQ~JY^eQ&s(wRO|pef+bLb0Q5=%PMDU)AmX~JeSk*uouIk_~gj(vU?|yVO1F6 zn#Q}bJN^@|A(5NST&E`=ko!eYe!DFVvSyf$4^a!|9g}vL>5&(&#a^Kfg|+F*?c=lT z36e&IlFQ1Nt*myKj>!yB-SdIdMmLy;Tv&%=F}P zAKu!s>Tw=3IoeF9-Ok^i#K-2A~#=bAD>vML~ibh9NLBZSUexKG^<)q#^Bs91HJkyh0k;RTAwKD zCXYuR*Yb*dpFe?+=N>A_6QNU1dnRh-D8WJX>g=s7dlxso za)SbLZ=5+AaJ^Q1;TqP>pFjag`k#GGor2&Ir@eilk+m9?jBB7fC|H&NATZ0E+V)GtLtHkGL2UoE+oA28K@i0x z2XRryt!k>qeL5D&f#(t1%9C4t*X6}PD`C1D!JdMZPKpM%nD1398kXQ}NS%@2is$3{ ztS+!6t>&V|HyyccGVC1s}099|1!L#?FNl za5)2elBp5K0Qxb_#+J#8huXV!8(&!b81dcLXO=K#5$XUpkDA9AnC zqLbqg(|Jp_)YZCQt)X8KxmQlS?hN9VzQz>>>xg&0kQe9Mb<0m{1{8uetq_jzANB%` z-c@Uwfd9O8czKx*N+-6%?P*r5dh`=`JlqqQHtTTK)0a36H`DqZH1y3cKsF>YVhQs| z^LF;I*wWtG$;xfFw)^t_+f*w7#(Vmk%j*q(F9Xm+tjyNW)#=}?6e+0p@_%>=CF#Am zQ50FVcQk^ItZcy%Pjcnn_i-4jC3H7-+Z(RdnE)Bk$)M!$E?(o^vs0;^mxe!m$I!*a zhLEGn;4IhmvjW3db;fzE%5k$+qxtM2n7`Qm+1hsbur=xFAvP#N_2*?7!!A|#=CwbT z9)y}WhSI*i*SUQ{@RZvDGYARyWo5yJoW$0-pU9C5KBK*G6aMq~!a&(q*LPA5=&e;^ zk^J*8{X||npofyAzX19kSnjILo8&Sb5sH@WP9lS87 zmJfie{SCjxCjYoNuoAtxwcMum`_<@!RKwrQyq_4D20c8Fs?%)g)ci;^cS9Y_c;|u+ zeCkP&0+&%f$9`VKd^)OeU4CW~{*#jT&AA9vAs@wnE-0CRcV61t6&6hry$X)3S0QQ& z?I8D}xg%S`ryVl)!`91|+tu`!E#^1$F=8hZo>rrz|EA}~OJw_qDS>_O!UMy(jGc7p zPQC=62-&iR!T&i~AZ4W!25q@w96bLH7fCb40Z8wB683_e+SGJ6VVcmX>1OJN;^2ZA z_c&~y%lwf#pP4ghKQlp|`+ox~!?XL{tWhGLAb3T;7i76;&n~?KZ5Q?YenZ|7%LVEM zd~F@b4+kbr<{1&?BL<0DP_XowOx}7=|E!BBB%7z|__9$d z_e`Me?TDK)2O}J4qc0Zu?CRBUOX`k;MxTNtD3J9&tOki?q;@%ZUfE8`!{XufcWo3aP<~t6Xr1LbzPt^WFZN) zt04x?`$ew5**UBTZu8>h?lbJ~B@G3wC*DuIx;_jsl!4D;Hlb~O`%n1g3mQtI^-ipHbse8Z_2KxK`8?*T{d5{fJmLJNQ%79Xvm zHj%Wz>uY~U*!$-6rh`FRUDHAm{J{hBt&U=gD`s36$HL5n{?5?zqUjepf%`iha}rY%VD&m`g-`5uXe?LWUG@QSlKDx22S0r2ns zO_^7Io0=bu>Iri!A8x?VVxHZ5VtaRa<>`{|rJY1~PKUvP(k#RuFtGG4?7TcqM-ZOs zxPNaJ>{}@6jC&#c3D2jywL(bNyhwdufwk(e_H_5{5$|?`U2$%ns$&=Ye?BGd_lk6D zKR6QnAC-hJUm7N%JK8w`$WD;zJ5P*#T)IEoDfy@f@Z zR9c#}@8eYKt8x^Sc_*{hUTLW28{1w~`0CptEl{MsrB&V3jL)##FetaX%7J?d!w&Jz zS2YwHeM7sxlXq3Spuit#tal>o?5D=7RIp~iyY?dg*8n@Y#noLkGnz?6bG4r<2!k$9 z_!K?+0kwu``S#wh&Xr4k0{6kRIV5oLX?)pZ zzf@_PpNIy|4|9(Wt}r>VI7j~lC!DWCXG$lB9P4c#(||j zD|u~*ezg*@Vbd8Bcc4fqCNm75?Y{nA)@hm zc8RfAZHlOu1%=?eh*rEMC(`h5C4bk{Lj6t1`@~-1{Hv@&l8WzGB!}1WDLn5HSbq)H15FOe?H49#c$G{~5A9*h zFlSE{36F~2rVPK)sJ2UrCT1(;fQdI4ucUdSVP`$1v=UzE-^C0KES+}d%Idp*Km@VC z5Ckap1s54|(&@o5_ywOZkD`%wFrPT{sN|1b{}877tkSJ7brhPkcP~F3p+-U6@fO|m zZb5U_IJUsrK`Xz^H7z*wu|u$Xbq^6^6~w6zZ&cOIyfd6VweOa%f=1C~)U0+OMpsbK zLZplmWYiN9!DnP~ppBJ>0?)`;wLWTl0{5L`gBCDWg) za?+g}11COATG`?t2q&}-2ssON;Qjq9^=9*Uyv|z zSA#a=J$l5hOnXX*$q*mBVN$dazpq!_$A9k(5smuQ4IKwUA2Xu|AjQQD^_M!Mn-vui zF};Pr#N;VN*0sVqZAFy7O zM(o3r?B(eZkpO7u%=sR?1FxI!=`*X`Y|Hrzo=U#K*vo7qvV&OguC+5wX5^bWtSHUy zOm4eH)T`gGqzL+7s$~&<``?|O0T_BUFuGw;1WU5z-t6gCXsCStAmI+;BgFL_z`D4I zMx%ks5)TJuX%WidVaNndIRGQR2Gufx|Hj`Ia`CGE=jLC;9rYiGcxdT+sRYT8*V4*m za7ff?7gwdaX59Ng*}yB{8^eI+i6o4kN79Y7a-!hxATqqMK#(v9!<{p?av!FbX5dpk zVBbu@-{JN4lb&8XHEKHrNrydSEu3yEeTVs&Tzc3(;Gaq9rvL~(W^tYhYlR7DhlLB2 zlqI<|1blt&^9%Wf8YX~IHlqYu@Vga$@|@(B}5?1rDF`bfK-fm`uhtU8v_ z3!jaujED5}HAT)egbgcfj)*u_dE+wW1@~|`N=os$^mBQwt~tzEz5>}atL|Pam(Hg{ zw5b0fOb?P=a~l}qgC*-hTsOcNl6Ky;8baS#R#)KBza&fr_VkkBl5`*r19o*x<{iFA zNHdYr=@>#}P{866I_9=wp5D+S$+XDyi9I#U&+mdvX_}x8%VWT&Oo*a^Hi9hw6jda; znI(Jl5;fcn$WqcA52w6?7^$7k^PSj6C96k|D+rMa!n!^f>1rvgoD?Upbmr2}L5e6= zBm=*|2cHk^I2r(niQ3W~@C17LQuQ6G_JwG{&14$vb(IBZOYh&T4Ap-;h|V*+uLo#V zm%Bt{&#P?wDi}a&Zl8{vGsgX44j*~cL7Cy2>L>TO{%24npK17?fJ=Q0>N)WoclNvK zJfogikV2m*>vh_BFOC&*7heJ8sU}!G_3KxOR70uWY7>z z86I^hUIR;lF?A9=YApThFR)Dz1V@mVm^>17t^#!XHdWIkK26B5<$36@EriTM(jgL7 zQCMtg;f5t!&fPcJvnM{pl4R%?*$t_ZSkSa$k=P^2FGD1;sXr;F^4?8AMuR2jcP!o5 z-GgH$ot6z~uE^WqE*6vQ{ij?Kp4Kc4j&A^5?)8260jZ95#Y`i>Km#X~T#_wx=_yD+ zO+9&a{wQn;cBE-}*rk_t2rimKvP{^?bc^^j9Ur6^NW|O^UJ=#5MJOa?lKrQ!DXpG3 zmWI!cj-GMGW(q}x#?WE2Okw{XE_1ix@a(b!q9{Rn{dzzzFu5dV>lJ;+E4ClG9dBx3 z9@~Y>!n(MUp+9(EF_#v@xpz&7JZ0)Karu9FA8+S~23oB3qP2CC2kkHD-qFJy=xBXyO-mh|1Qi zBtC&bG9S?EmOQ1A7@@KAIqzp)(a(|Se@Q&Z@tov1G&K(EmwQAK()Ewk6itf5q-jxS zqBl^f5`MnpY3f@RuZ}Xeb^Seobp)Ybq+#z_?5=C67omgE|Ch((&&LfCjDSTXV<(*d zER*~fQaG~-8pmMl(pik($zA-aE;eR-$h*GGE~0!0zg4j9h1sX(ky2wmTnSD30H!d^n%)keaus@Ezt!yFoVl~2T{&e{NN;m;5oyfmY?JV zO@_R0$$tVwivB`%Rl>oj|bI!MjCbX8!-8wECJb|A3j4ROO;|G`l(u5G*4>|89^^xv)@4g*&xtajFK3lMw7Ix{VO&)JNvJ6nMyx^=<7@cG*CVcS(%Z%`sJHs4 zS(I}nzfI#5XU{+-=yLV*Ry&*2h?ShyycwvXf#tmg4Pi6?^5ToSG6PSfWm^tcn97c! z6Qh^-w%PDi3zjg6?7 z8Em-=rNWJdnRh|~1A*nStcHaBj;!%z=%ic!fL#=j#ph{`&xP`d6n8UeRdy96bss7= z6bNl~_N<4rl1hbf%NwG)+2;RCooAfRVR+WJIomlvUuLYsMfrk#F~$C93XT0h@f&58 zroIT5h7c{`H9D}i(tn6_S0i->sisP8=|LHFut~j(_&>FKUfe>{Up>)PHD!)MwdIB- zGebVr?QYb8;elH^$K?mVe9$QRva`AZh;w~F!qNyLf&cF9;dvEPmhb$VO*HwEZEwVg zJ@GLzf{K)g@WC&xF!Ti?lN?qQH(G6{eUHQ?zAc{J%a?2x1G4#sqBwAlStTTwEpVXN zaAxzyiS(_dS`}5@6EA811BqHr-Izr)(`$iGz3Ye9R2`{M2eX@@PzW%It^{t$y`jY) zqz;SLKNOt2s_vW+FIkCZ!nmAj^XutO)Y8cRLhsz;82wk(7UgM}{qqYu$>nS_;q1Ct zQ<}LY_%FQPn2v&Cn~okVa zl^ben2ZXGoo9v)tkC>co5XPAk}`>NLg8Q^-*6D|40bDyk1e-Qc|dQR z9*98Y<)g1HEWE4Q+k!rSOL4DDt3XMGa zRQ*AVP%lLuL_o^aZyW*`z@ig$B-r}4M=k&|EVbne37KB#)xIfstTcSfcwYXjd;{MemChbgOqxA73E4;N7e`+dHIxQLfCiqqbQZ zBj(6Bt*}9+4$mlCGq#jq0ObeLye3sqMPgPeD2XmzavEj{g`+L`V~aFw3Qt6gb*g6+ zJ`?X@_Hr!^?bf#a!sU9N--?yyHG``gAVXtUCPac_aM1hJ*E&Z3Rw-$|fc0iXmJgnY z%qX9p2sFWeL3*|XB=OU60v5a~LU91@b(0B}V<=FsG>yE9umQo+j*~_kew~>n|N56x zjo5`uM)!}1Y1*O`lJ*s83a_;%Nf5FJN8m(5bXGe#-0=vF<1i7zuT=!6H1cscdkQO^ zEyhkxr6O>}Zmb!NHp@-#%p~>TKhWSrqLj-nVeWZ4;0;}px|d@_9cuO~{-;POJPpFY z5;LKlub|VD{DIpIffn8#>%!uHlvw2KH(*bp|I{Ek`k+Aw&mhy7XLv;wit4-`6j@<^)0A3qLV8vxF!d6Nu3Yn+OkCi`8@O&(YPNeiE|8QsYG8k;|4`V%VPnuveX*BV1`Q z?U3Z5#rskrf;qR2)djQOOE&rri2SI}VO^J3;>i13!7u2ROrpd<&5%i$_*@$VDnUcg zTzX_uIE9-_n=}z-%c2*UwcI4x3nuC5R}s zwisb{l|eiiYp&ov+Y?kS<(3k$uAjhDsvrd19V~Gikwwb>{<8-Trx2k2!MG;pL{%4G zQsh0&O-}j1L3k*Sq%g+nE)7&+qG#S@B2>9bj(?^+6!*upH0CQE*qsEig~E1YKdZQ` z_<_%0Nat8EIunKj*jE>rL}ExeHHD|BuJjiyWl664PvjSM^!~5j~{NO(KKE~Ys&u$Z!CD>#H3V;S!nkPyI<(ij1F^FJXe8a7y zS;16nGv~z?2!J+`zP}A!SG#lhNp*G-LE*2UU1TNgMgoM4ocIZR?@_)88I(D-yeA>b zSZxgJ82r}Gs^BZEVTdbrSq)(r1{MiM7Z?PgL%R~-gI}morfjf902~;rlf{A;p<1y$ zr%5H&d1!>~-kvlZ9RkYH(dc*(3H_A9%}Jl@uG6#Q69? z6U;d#JT^p%1qxo`M2mwKsjPMklK?YZ>QnGz%#ijzZT0U4z7xGXqZM*Kj9}Z zFyEJSLWDBHRdR2cU3jE{aThUp)#(&u<9w~XuF}SDR&e{#3}`KB;^di8&x^IVAp#lA zEov$%akl#|lIQ>|y{Zyd-Ixdit0Jca=N<8Ai@p+myDY9cL2?$1R76VJ*b;~?BN*#N z6~oxvwM8RK3ZY*&Y4~y+cKqp{+=s-Yb-DLGXObVW_&n*RCb4<#q8$ zw<5Jw4T;x3yoddky6sD`A_dvT8m?3LTWm;W&K2&H#3P2M^L8g?d$kqh)*1k_)@D-d z_thlP62I-U$wJ3^b9I8E1_8Ub!Cw`Bkr2mMvnx{UDz#WzluR8!J}3N zefW>Qo?$-Qz6}y#=a01SseDPITG(c55|yNY1B)X1?lJv;7+)!k7A2SX`2-4KXS}&% z9tAMxkK?kN&to}k;rtI=`+hfXtdt?b52gB<{n%IlVq&V^Rge$`8cByIn${=aL_kDn zYS#?;fT2~=OlPejv(&!A*TnZag-wbxl(7Ig^@6WLZnF9RTLTUCaL{SHp;hCPk^%av zJyi!Th}|@h86k{L2Uh5BzfV+QQSi*_?LYCpakj5#^wP7F8oiMDH6@6Y;k){0`YORlsWa92>ULk(%B^p`Zh?Oz>Yx6d zVyh>b0Hb9(eRMs$&?VLr!*};23(FP$t)|)ky*Gw@TqOUO!0pM5VE@#rz&UtngU?<4;{mrtw6x#=<&_v|yaTqurIOJWLzWL3%xhj88c$8kubNa;iC`54eu|tz{iybOEB6;7a z{w?Tx)6kuA*kS8i6-DED+ka*mb(*L=-0T1Dv&MuQ4>+bwJ8*eVJ!ngYdT7E{#yu|E zt>4^KVLiY)&FtdeO&y_&mCnphZvP=*EOz*b&XNg95fgJ-m+BsE$=l_Yup~%o(uaHM z-z!Btd;*@g{;2p6`r)7N=YyL+CY)92|NO3BSrjq^?I5Qg=DKFyY=1^=6~(mWiNcZ% zjGH)(#2eR6dNO%i+3_{IDhvE1z-Cng&HBLdM97HkuamFjg&mEoi|12IdWP1eJ_3!Yv$t$)!~;@Iye z`}&zWf!*Mf&o1nKD0%g7PROnYfp`6P-Bfn`3fz$x>C*A5lkHjijERzVzcPYYx0M8~ z<4tocl__5FIWmS3xKqS#=X;O~UcZ?*g*Eidh28aTox$0ARr0^hNbWRE?)y{dBDPT~ zR4?QGinEG}X+HXYpIE$6Q87LJSW0@S>r%h7;kQKu9#*`c{M(KTWe6KM5gOI#Cwn4f zv30(S)1QrHPR1-d%cqI-N9=V^e{oKFqJYwz3q2G5l}__L?gVTHa)6fipE*^0=f%1w zl8K{?6!XP*Eh%5JO z_M5W}oPqXSZb)ocC+XtnZ^?P}wa$h0zbif73p59_8()Sl;@?;K_tj-1WnhEX*2ps~ zJvKH-ojXiO3fQRQD`754IsXWkJ>GOqqKz0VT?3n@dkCXo0oi;amA!`K|-E-P| z!Z2*=(d6c~{`jUN7K=T@BqGmDnR;05qPL)tJ^xeLq=HugN-5x$HSQL!|7|D3=AHa( zOiD{ue&RERVL|TJ$5qnei6D);3OCGCDR(${(=r4RoZYuDFZ4>CU@4LoN^wZt`|BqgyV)hf9t6-Y4{85mmX8W`ysnTHry tS{WEv85wFD7y=nV5<(m(8glbfGSez?YfyGwwFRhw!PC{xWt~$(69CbP7$g7y literal 22266 zcmZ^L1yoyIvnVxaix-yyrA3MscPLie-91=<0>xd5TX7Pc;#z_ed+)n%EyBq4E9U%muP5c*mAN`>S$H* zA4lClQ&rTIKEJ;2;C{V(a4aJub8>P*N=mx9x%u$$Ffa6mjg9T*=BB8q=);E(oSd9o zTwHv7d<_i^9UUFAa&l5qQuFikJUl!?LP8=UA|F3~yt=x2xWDJ;=ik`aSX*0LT3+__ z^kipe&&e0gy zIXF&DO|7Y^k(89Qwzm2H{d;L?X=rGufq_9lK!AgT!`Rr^^z?LCSeT!mpOLZg)2C0B zRa7P?CnY2#OifJ#0|WQ>_j7Y|ySuy1Ei7O#SXx@z%*;$(U0ri?GZ+jO7Z*=TO1jzF zsHmub!{HeqP)|=!UO{1dd%LTvYinz(mX?-+f`YcTc361C!t(mV?M+lv^ySR>pFe+^ zT06dd`&I*~hmB6u*Vj+X%=!5TL_|bjU|?)-ZxpCFLFeb^yKw=dqoea8Z*_Hb4-XGVCTCXkB(rn#v9Pe(I)CH8dUbkv zySBNrxVYHW)4%`cbQ-=`Qc?niLdz{N8=DrTS(fBDZx8q0(9(V{ zDw(#?-gGg!Jvs;q`MT+3xbTsFd>S4d8^68(XK;Az?V2^XX>H8Zc_ zZfrwCqd}9C64&&c+s|B9Nzxq>wO0&M_M9WAtgPMnl;(Zu&!ddVmvyPpb#yAqc+TP45HQY7x6`dmcgX zne)T)NVh=o2r_dbG)-m1YdPNp56v{-&olq0XdM7FG$8taUU;9NnR20_{p(UghK2@y zgyu7kP;UKk%6GJ~I1eflHQ+&Ow*?Eml^bKj2I|9`2#;82dU)_#kE`AMufb=>I;GBL zw!tNt)s7VdECZs%HIAHq6Lx4FBlS>Le`m{d)e^2eAjIGinM zskUj|s^m|s`dV&Z`FLqosp%lfT6=~TzfwMTedKmbUjJ2uYhXGcty}1s9Io$t^5T}Z zftu2@#q9C$WXdmaYlE|QXr>C_5s|F&4CFURg_pVG`r{Q}N4+99xSYvzsP z&%u)4lHOMLlw6Kk_J;7kcRhP{l;LK4F4cR5{>?3-V0Fyia4tael5AZrYR*oA)oN*B z-DT~`u<{0hZIFwx;Vwfx(UcdfOw$M@8Kb53@52{mW@sJLytq%5Usa+nBqNA;F{Ui% zkeBnh#N5hrQ7~~q_{VZ=ZTTL#427`ao=c&_yzWygyG^sZ@2t1Lb^I4V^ewFBFDf<&&eM0qfw@86*d>7~HSZW#c}r9eciGw}Q-O zGZ)pZpo6dT)Vn8qOh)ZKt-VM?(K5!u^ zt*mgw^dYvFLlJs{#{0udW(b3o?BbZFwn1t?|)Ife`#PK%74yc zq5b>v-*k4R(b|<9%``r^l?*Mj?h)F5Xf5jU|A+aj?*G>Fzv>Pa3ySar=hgXuygSQNcT~In&=}fa z{62)prSZqrIttt!hS)ST`##ZB3Y)g?tR!J->)vk-Xf5#o^WARKq6IEOuDD&(ud+FD z+_eNjO%tK8M4}&+RK@(RZ^rmtdDM_@#eNOt8d>R$;fm5jb=|CP_O>=D}j0zwPA)3*Bdq28T4`W&>Mf#<5Q4?2SjmjTh7P)gQOuJQ?cvdHF@Qswgq4FYf zw2om1c@QY`q>OUzi+&JV^K^)$xDZAO7r41Qb$_LJS2G|@@^b%YE!*lUoJ5|N zCn0*n%GHWv6FOVSI#)n>sKJ94_*2-GeOo1}T8EP0 zt^I|gP5SboVj;S&9$$}Vt_zu;(=?;H&5MHi5$#1lHfvG4zrcgH6SyXaG1UIo&O%@c zb>8-(ge=IUQ(6B0aWSyy)396`U(2978)rb$)EjX0&?5CaeWQJD>JWOdd6%NPIlSlC)b7Wn;7>!g6Ev<<^;vx75Rn_T4#9>s#(;AJ^D=2VD_Nky^3 zGRT^^S|v+_F(*Ic)ly?d24tTDTV17dDcjV`+M!lJ>q*Bwq9aXctAm$!ImxG1%8Mo| zKmlIp=h8*AFb#B%2Cvt!fIOI-o11X=JO-<{HO!4;7eAoywdIx7r91H2oioThNzL%R zr42FZ1F$3CTYZic_?YaQY&Eh&L06XL%-=>f1xy|3oMbN)EHl`LM+aHCnH=r7!(T&M zkqD`|;EBWce%aPob<*12S?3m0JeCdc5_nDw*K+3($7LZ9J?F(B7KLW@$k{9oK}t#K zt5&|k?Uu&=`UI!b;GKNVE%jJ6^V6bas|aRB_#Vq3=+FAA4nU29CM3gIqsVw+@;NS7 zrm{7GYvmGH{odWZ$@7Qqk=&KUNI_Iso=u7v5!o6S$l6aqN4oyw0&VG4LLy(#fBd+dt|uniL%L9DY8n zA=__*QSZZ~WO#6?nYSzoR0>}K2Un|OjaN5Vvw25E?Pe>!F9g)wRm%Sm(8+A|`wQZG z-YT$ZW{k7UeNmb$)DhAv0G#rn)7aj4F}DEVaZ964vg3l$@nfc$9?jk6Jp4kmHt;Q{ z22eQdYP_eGS!C9`RXwtzeTY9X|WAp48(?Nn^=U0V4d-YdG0Yw3~M>#cK zBQ!FUNNj4QHqhF4lFLkjMQkF zh!93xuZW0CoXe(HUeC|S9$`L{@->|-dlVaKYtbr2puYRoznS_Ssd+vRsE3pXN`AK{ z)Z?UIP;}hTy5rz@=%0gOjn|#`vRH;R-uUwEXhZ4J*ZlGd(UmNNcMT=>oNkkr zMetc^o5QTFI%~?L9I6-Ap!odo83Urt;lX96*0!PrzaaKmj}!tOC*kIsgi+t7BfceO z+f;hiAzM-JCwC%EzFvFGn_?q}j03Sg1A}c_0k^f(6TWw2%wzuytFUczNA}onn)NzJ zLj$6L?C!!X(|3ky{&CHvK)*lBd<;_6-}OLsABxEMTAB)k(NO{Z>y@~ZwGx-JuP*qv zF(%w%stxC7dCwZQQ@9n9h}*cA?~w6v)P$i&u!%mx&G58WNtB1HCfKi31vRj)j+mpxXbF2guiDMO58CdDvjGTIz?_j^}wlN~vo~ye{?|EYj zeX^-zlSwZ1aTrJ}>JqobL1=CbN>x7p6J*P4$!SXb)~>6Zj`*Q}T=WwtT3thBSV?K| z-d#Odf-5k@3j4?}Kb8d+GE8fknoa^-qRvJD(%wE{PogcKuxR|#qd)7&lNuXYe3sQ; zAOp9MMYGIE>{F{5uX;y)QxClz-jGgCKLWbzVD-xEb6-9lB!9-OPjb&%=3g6Tyy{B7 zRlqh`Lw-P_bK{q?EoG3s!**4KH`IHQB9qwvP42)U=(qV&L3eJOCmT!tb5r2f{ZE2a z(h=IyR<;%WT!*U<*+k$a!L+2y@8Xx87GDuWn*viWT+#YYFH+~*En@o}h`te9z|+^J z`s_+3x0f$U@x<86U$e5Z-X->pNg{vsFtpjZg!Oim)s{SWZ?YG%vQ>gFNxX(t436Ou zNDjxb9W_iRdpURT^3bD~FI)CH&S%6Z*R_Z=7dY69S8r+HZAH^!xfPns1!dMyv7(=K zyPDxkqge=D^k)9~?Ma+5tRUtl7&v=kCd~W^;$Wfd1>}hz!lily(ktcElA0bU%d#3P zh$rrjOrtf)9!lpcZdm3>n-=@T4hM}u z{$r>gMu`^E`GOWh?-i1YHLPKr>WCO0o7tf<>uOzD*IYRIR|gqdkr3MQ-wBIzUC-|W zzI79R3IymU4iSAL`k;MK5k)2RE1y5oZr~;1k2R(vv(e!8L^AAtcI+V784a$9x5J*h zVtO5w1BBt|@KG3tPrI~=a;H?n)6`cWzJn`8e+K)yF<~RR`OUMX42Xc}obsM*kp&6g3& zz=zTJo7F!UM_1mu?RC*{u>v0;+>ci!Y~1irJ1a{LCB4$F+~4Obb|Q!MTD~3KYB)IB za*hr)J>FMj37){>CRx=$&$1~u(-*FN_qqRdBal|0HYU3(U*;*6)Q-z4{u6JI+rebc zX9uN)g`BYXc84V}Ca=Z2lI$0JO((!!IN{nH`X@p-5Sn#8 zA?Od>T5$O`!wg|d@U3@*}a`$QJcwv1)21%Z7jWxd3B2w)!_(p2I zP^73*QXFdcC^YsLxB~%bZPnkTaC+}~UbSD^iM#rGjp67p*b@rPoB2496<+OW-8EH_ z`AoR<4^%*MeYa*J<QM)OP zrXhs<7q9!>)NHx%F8%ct!wf1E7N zXV~0r^3UATGn5(*Fa42iR5&;PORsm~ya`%J8THD!M zK%zWHPL)UMlZvg9!XplHhR_?5)G8w>YJX4A^#GOM6#mwsvsvP7{Q(zMdrTH~j_G_LVNN(D4nc93rakB~i6Iv2^@vGqudqspRnmlN}E>A%bu*vNiTui6u|4bI{VP z`}yp2Gi6G6{Tg%6kcm~kz==fA7Pa-J(FZxC2_QUwFniL?&cK%5Cr#x+E{Xf0(7g(_ z3evA|D3k-y!N%YH^Y1Y1U@!`w-8!sDXupk-;? zEy)G7*P7=0tmGCU;7P={^B)rx55~*ShAERr zfLm-G_5>?kb`N;*Q%OmX;(la`d3ITlzBA}RxZT+zOA*aY;9Pm_C-D_M=YYWcYfDUh zZLC*~nnCnfW;oR}G)Rv~F(N$n$?=Z$X}&QFp=%Gpla6;;1!)s+Olo;|wy=~eSY}&- zieLn^u{Gu-p)Wp%Osh(?djM-9u{&`dDuR87C<4UD1nn@!7jU+od_vL~e~*;|`8?^S z8J}R%w7JxSZCF*LIG|(k+Su>d9G*UcFr_Cnlj$@SlW$A6>M|l?7|;XN1bb?z%U8!^|bn!;GpO7WFjVVv) zx?_LIR!VV4H8z6YT%|m{z#{weq8{M0S z#r`lwPHzlJ6yg&#5O+Mz4^nYO$Gu~3mX4|8PBCqF| z3s;BtxYUeJuW>Up)|I7w;pErsR!C~r+lHZgtFg0HzJ2#X*4(nSG;Mfna7VTCW0LPA!s1avuE%Dg4*+3w;(BsB~W{mYE7d!FoX!-rp$MD!a1o za#~#<#pSoHUvi4y--I*|uDhhATYR8Tl#rzf%*8X96lQ$+bYtpON#DoZXOXY)RI^`v z2wwTa$p18t=7ZvfD%egYI|*; z!v)0ocB&O`lfDda&`|`zh9vc3S|yTZ$wfzTYM}z%N(@apvzdu9r#iB#3Jw6jMY^4P zLQv`w$=vDLJf$FYv{psRy=WY$4_;%Wq9 zm%Iv$MTu&&eRE$A08-@~LSe4&N5Jss#FOe^f}QxG90|zxoDqVF*?@(=Q;|YVWzd}K zhQRHG;xkCk;zm)SfkbOeF{c>xI+z0xKm4P6XB*$5;Wm>3Mp}+=<5I}f^W^*`h$j%C zp5q`9cWXXja+4{HNt}7w-D4TetQiIarq_4{Gb+3uLSV*QFix$0ZgGS_IRq9;CoK!u z&woI3CgaSdU*7aL!I;vB8V6FjN35ntS>Xkhg)IdDi)8|mI$)9+QX z(=szI<_%uRWk1_Ug4rB#6mDHNZV>(%1b+L+Pc%)adQ8=>bJwGY-$s?ffz9taD-Iu; zY-U^&;kU?Ro=j>J(maL0GU;V_>+-&<#T5Uh$^JJ@RPWYJ6_ss>e%Jc-M~eTJ;`^Jf zJ0u4OC^w{S6eFP>u(5iQ!#Fe^2;7a!gn&GLFjEY?SLA+1uzVu%ljJ9iHzX(M8>ai> zB-p!}U9QQSe<8>o#Vn1R^-{=FM*WXQ4zeZt9Lv#SME>s~@@TI4oMp z1ruDkYP?1%{aKUL#3<`iRQPem*{L;rdp`jtqbDik({i_atwCWj45k6bO))(rbOpGy zwyDe;3MZQ$;p9&OM85YBCs=9s{j)q7&Smq8tU>DMMayCWqU&QFx$JnML(d3!M~a3b zsiKm0jDTp}=S55LHHI$qNwyF@n1uA#NFEEzGDZI>MpA)Lk>3{(j*%Fj+?|gBb{2wr zOu%7AS-JNtrW5lI`N{HE*!qjWMe)I{y_p~Sh8`CCnOf5)&(w`{XhQWHqLL30RWgFyCe9#4ig*y=AyUE-V+UgVAA zRh@y4=q%)^Uy$9XYv<4WiR{)>{bke4Qsgn#%|I4_;DwB+Hao0`uSUK9$7_2#Wax^ z;WvMIwjRZsKUvWv?GL7YC)0wU@JT39vH?pwb~Hh-goNzS3V|(uBz&e;UAUbvA~aj=rv>= z093gF7zRVxs=wG!#R}f8zeNUAZSn7yzk?bx*sG>X$#fpD!Dd_$&ojil4Jyf;0#2Wy zz-S&{Iw@IAe`$O9_Zix52~RQ3Uu?V~Imu5BptOMY4)2Nkw9&}hT zh4am;xUtV_e1Ea@%MR(y*IJBSj9J1D4$G-0?4L%oEdMij5*^%rOUx^i3M;pXuGQnp zc))J?Kc%FcU{T-I7wYY=<(R!@1X<}k{j z1H8kje-QUiyBL>qjs%lc!rn)agGuZHs$#UKo}{(GJ*Xd9jWn1(O4`Mx=388k z4w-lRqwdPQeRI+sEBT?2li)IcP_52uzqK3t!J&V~J)IvC<4D6TDb};HvU(ip20I$dm5m()s&(-wOe zFh`!36{P-)IyGNTiDBts*`+@Ftd?`0d0G=>ji1`qX(A4+qLck+<{yl62&)OUvfVT- zlLIk#P|m1mKx__axnP@;7-o@i$z`Vr=3h12cAcC1sBhG;4j$0xt;=Wyg3mqRaeiBk zN8{CeCSXMMS6B_1R2l5&-eX>!!Bt6XQ%oQ_zBzJ^+zNY$cH?;`0M8M8af-_Z7N+|- z#Pe2|*Gca4rf-qbh<`%Xqy+Kscl^9La);@?cW(wS1;g=2AL+a63Bn2sWi~03sg;bKct8EI2s`xRTFD(AW4vn(f>+K8-?^&=2VR^Tg;eKF=4kF$g_#pyLDcrt<6De1dgLIO_6_H!E#c{o^RIkkUb zMpjlQqm)gt_I!tJ=iTuyHO?9GO_1NG$q0~%6O0n+I2?rtb?S1&Is0YvYfAP@NNa2V z7xo>d)&m1Ny9sB$xk^1+bCb>Ih4Hhj2L79G1G6bmc$bC9rX7ZNYUi-t*T4uH_ zp9C!<4Pdy=)+s1%>K%e(_s`!5?>fVnpf7oXMm#zxkNO4CYVK1W6%_shzzBiS_X+V2~CjZ2gm70J_3$KH_0Qk$Xg8gtRe@&%bfv z;8ek}n2#2AGvzw>RR(~K^-fB}s1S~prCj_>#bu!76^(iMIUT8G9yI)@l596khBqCdoTq2&YX;&_Zyv2$#y6;s4SHFT8t+&okDGGbr~r*W$>f#6h#>xKkv*1568!_v3_ql zb95tMpq3I*KMPoIxAp<^C|el_vu=GS!#xaeqlqA@NsG_-q zCLZCWitIe8?!{=KxUoQekS{1@Avs~OF#KXMi3c^9u?H|StDLQ?JNs!$gQlS12P$>2 zlg;`Z&FXRJ$mp8}JL;WrTy&XkQvV`f;ki-K)I0(1#uYH&P-keDL35tof3N&vUkaIR zpVwNUJ(am+U6RwDLKs)Xos)}O@LD>7-9QzYCnXpGU_jXip+)?LLJPOw2McQ{t;E>1 z^@ZW@wq9=54u5e~vi|&SCDrg=s{kbk-`)F4TBirLM*9V#cRI=YM=49{b{(RV_Q7wa zPXzo2V~X^g%?zl=4ac{cX5{2u?Q+(+1VBk?gG#Igol( zc4#7wg1%+4UCR79Fdsjxl$p%?Ab4B@vUisq&k0cVXRCZTtDgI=q9Q-82DbDkz1ikKwtf?9qTos4P6z%UMO=77dl@%tg#7BMYJ?6|dN>Eo73l5{XEv zas*$#dVp^Jq8Isg-@3T~*d%#K@OLlVz2&K%_nlxS62%viH7-tK{oUuAn))c)8)K$J z{m1k;Ih|COQ-?osnCz=r@6AUwc-qtD+@<)r0sCqnO30E5;50o5n3(c{5FdDY0nH(x z{e4aLUAlXVm%exLW=;wLSSGq~+3(7>;_mh?DvHm14XuHe)1yd4@Uo7fW};JvyY{R< zcMo29MLQdre8xZeUVzRg3K&!eW>C=GPcSHk8Bj1pk*LIIBJcL)s0U+^-p9+vzd2Mcp z3>lbXTLI)Fix#N#3&XL4@P)tzRdOJR13FXJ?mat$DDnENK`}T93|Xrd!?)lPaytA; zodjH-RycPGc$0B@KS&Mq_Z3f-5Y7Aj)kDi)GikYO17H5uT7Zu;bPE?~&a55l$P?tQ1sXH{u;E)-iX zIhs=`pi)@vhGwGA^*SoZj-LMctF_=}^ZZr?B;n7seWO6zY~ZsFCfX7*SANhPzWeL> zJvZ+{S$W8eEki35gw(ojdK#A7TWqJC>I^&h?C#L|vaDN5C-A@&jbQl zf`bCJsDEO^k{BQHSm205(ukfC6nb3EeERJLSXmRkafW{{0Gri%avDU6MrYe9Lgwoo$;gqJ9uL;-E&+YDGp<&-^#g* ztM=jycpu2Fgt8=h!R)M9C_|&7;7O??W2%Z|&hr{6GxEDNFxFkbL}4<9b@AX-A{1Rv zcO{UbQ9e*|MGq&4#53UmhGCJ<>+gN+;jc4h_EQ_$@Q!5JQuLKKsN%$7C0<9KSZLC! z4IWc$d0t0r#?QjuEWdgh$sn#VRdzaECvehf*i4JODIaM#y2J`tF=E#CCpq8mLal@6 zC<}WOCm#DKB88~mw!n~oszCdQwm(I}RUF_rtNv%GVaCu;glJDv{)C}NyajGcf$B%MBh&xLc;g4%~HNPUl@)&1r z6zr+cq2PoML>LcdTMPdAeJA|NMUm~d-q(*8zwk|9&$#Se8xwA2O?wx!OMqrgv&JWwJ$X(tsIdjD0S3Cdok)M>nh#oyeWL*}89(66d0FBNtIBFFON`Ypnhb2^NHeg@wu~AVH0K_m($HVrHo9g8lOUNG{Zn{q15j`8AYKC;9IV=>MlP(iCa;O`sp-or#SGp5Z*pT)|StK+#W^ zXEUj@=3JR$Y~cFJ@lb%y#2d<?kn<;j<;1AUQO|gVH{Xe$*^SQ&4Xx(tuE}W$IH2d6Xl>~=VW@ub8Dk97AJhcq zMj>w@zs<3pE6RN4FUmd`A1qw9wpBRA?&-SAhRWA?rSw<$ZeGB`GQB2z^|cr-oA9X< z2KU_STa@R%qS7wyB;^juCRPj^nHyQxOl%$}@=>n*2|6o?o6=^~b|R*VWK2LIUhceG z93I{4$7cEXZWk?Ci>q5F_NB2q{|wOrKpLRGrV%a$&QXkg?9w$XKjS%tXo=R5|2+SH zI#B=Jy6W}%qz-Eftpjluv@WTone{UvqEK^*yq-tlOgF>p5zu%Gi>!UyH_xG{94=S+ zKBe(1gMB|6Gbei>Y%eplw$^EGV1P}Zw_14cAI^U|E%#ugY>Q~z2>h|;zw-IU<@Cfr zN07c7u#c{Fw&ATnj`coTQp)xCqjiuCQxo@VW}p&wIV|tse%J>lm2=%(dNnU@(G_uc!6SgOryM~nO zq`WtS!jH&nQV;CH79QE#Ia`+Njl6BlFXzEUS(O!-1KYL(bidgaoq&k^G>3(@2|nwy zsc(kwfNNaxT5(n}gh=LoZax#Wkz(4ytj$6x>3O#9_F0C_U>RN%Ysiv}&V*40AcU_G z+A=uxQ$=h-S(7n*>-RL2mGEa%j?KNzyA?*c+5Lsoy(lMH?DAOTtz7((qj^}`K~NPj zK3_bLmx70jzIoT{Z|2e|NAXA@^C?R2A6bXx9ChiT)p&`hlEcGIEK%9I|7kRIbrdu0 zy5&%$`yQz268Qf2l9uY9j?Nbpje zw^MkjEpG)0ctcVe;09`H&LO-x@=iM&BGsfzjchRktoiGdR8t*Yf5u*wlAEX1GIwlBd0aJ_xxQ{(Hoxzyg(gC9IKv~q5N^HZ z4e>B_#cr1R4nCC!!&1(lIAZo#lB3@AF#39XJCA+PqJs^lUSB6%pR)u@L&Gx#qmVe@ zPNABNvW$>N)%Rt#hN91+Hzyzw9v4rjUJMTNzHbIho(Kyvg)3pqHiPA7H{SmD%sAH18%r^;xcYF|&q6c}8xoxXf&ob~B*GJ9)&qmT^nLMOba7p&DGpo=e6;loI$wQF zELxcHgqc!zQC76r7rCZ9A5#lwCRgb$eRC1PMJvj->sN}39MA`8!o5}!O5ZQ8&(;Te z6X_NH#a$A)2nE7{JV{1jAKVD2G^+K-_DKLM3#3zndll;wgWU$7r1XqLx!8B5Co6$$ z2hYPV+(#>WVAhv0zU+IZ1E2reVp40z%=v2W#g4IPfcc}80R`*ldjO9|4vGzWJV_2= zAL^OdD-ye{E*uM}4zI<1fnO-9RgE_)%eX%PMJer^nC`Tv89Wn^~qP-`DT zu(zWtuqoRqg}0FrRjx#p5jGPWzw*gRTVJk+!ty7{epU6=ncDK|l(jr_N3GrZI$%G` z0M%(s-fKbQdsE;VM223(6+!t4588J}OOu=bNm}i#&R*eDH8oOIRYhF=CyDe$u?KHJ zc*n%czN4mc)D;3fqy_YLr`uGZ@{OX~8v#sz@y7T*9PVU<{|@3f&TpPnEz92?5}7fS_;g673{T{tNBuwaVb=s4d( zkMIji1#8uti5Y~ty_wuV8UGH5*Gg)5h{yl?5soRBC$lnJ4S4}?DDzC6f)W)UojYePic8Uawopx*QplvsmBcnZ^3}vF~=h@z?C-d9Qs9 zSs>cVn64GEoBs=NZ{!MV#kcT+NAxc&tX~1C7*1xRDZ-!db|GF2VO5<@s(B&C;-6VnmU=Ur9wWWjiBdP0}V#OmRRV%?`;av1j1G%;hDp{dTlIh-;4#@ z^cA4Oe!4uNCGleTZ?p0twq20qgsQZoK$N88TDjWmCb5{jnK}H-m^ZQXtX92J`Gaoi zD=4+CU1|=yzeHM`M4eTB7E1c)_KVj{+kH8G+ zutdlYO2x7HpVAJaT4@{sh9$T4O)4`RFLu=ZFrE@DBI3Ggyv*UkcoJWNV)N?0TK6~g zs7#f;S#yD=9%$;QshL^dkQpTrk6)ljKW&1MH1G77c$gujYN02wybQGy!@d#u8H1=d zfM)lGc66>MJWpG@~YpYMHpU036K8=tQ3zFvi|B#8wqF~fZ~ zJ6%9=X)_a0qDTm9+9Vv$li#nl$iynn3=U&GxS7r|)PXC&bXwyY0 z%`NBU9!vnA>Waw0>3XlzE|>vQNFaD?+|mKs0AtBN|TGKFhU9?w_k_O`w)7 z{Q`?jLA?++K6bOAPbE0=dfWli!bVrwQ~mkoy#01G)TkELuifH+vc*dXqJEg(H)(uB z2rWyxq7puS-V){c=gX;UKy0|rl6DWrF`2HSsKMN(N@~>Gica@SGUahOTo4q`GvKx%H{&D zvew!biY^rZDqp9tDzMQfUs?Wr??jY`9Xe&5YN3HOJqRry(UzqM&N^ksI84N zpDV4^a12+PYN8#4+$e8o*6v4Gl7*C^T~*7JdG|O=`K;j(+!)*ihqPakb!m_3ozU5r zEBx@h7KZ_xluMy*p)jfNKZLOy&e$rxcMtUfL+>1=z>$V$$Ufupy3#S<5ML77dR@zs zscU)YiFPzAZ}vFQ7)S_#SakV04A14Z|Kc$f-E?nu{Vk$kdo%TA+~k?TtLE8w*m5U= zWB1l3M#Ul^wD<=`E(}Q^J?*k}O_WKhq1Q4oF8MWwVM~6iOemRgs&Lw{gk?PHNPXnp zp*=mF&Ou&J$;d*oM#0dk$g`B3gDBS>AeF5B{DL{2-$+DehJA9SLp`=^_Yanrg2dCr zGYO^eeHa`>6OcS>FU;FGvan#D8P>>#76e-dLRuzS%j!upvF$Ymu%BTD@7!=2c>S0x zk$TS!bCktBCOn9x9~4!0nWD0b;l$OCjddmIhuG^UALK;KS|e5KCk&kj-uQ9-)*EFL z!zlPuaho%1NA^}sTZI!+%hG~8=lQtbGL_86^tqzm)H>hN16uZ4pE0GRKv)B zjft~OHzt$gykcNV*&LKmzbE`9D8P*!|-*J@5vCEP~l%r=F(>fuk zZ;T&DhzyO-i0o!a-VPm2fIbbKnaj@WbW$?af9Q4T+WSPU#Tf|umc8 z4Y(&*7zIzXgmVg&C-UyoxMbC*4`~Rp7Lkof4O+wBmRoE%A~QUiOQa?bo_i&BbG%Ya zWrJJ70ZtfKRy+o2Ec3Rj{C0qKOPzCkuaa+kcs`OS5-at4K*VPUV#4 z3%~>6(PY8Q^waDG0u267Bi9+$RMxG>@hU0`gM*+{5haLJfzUzeMM1hT5Tu0`U?6~i zAPPv4E}c-M*U&K zvDS0qn-bO{zipq4Dm0`C5`|;Co-2Bfx^XztZ9*=e{oJjw!1V58p2g*NpRRXaQ`h7_ z8%(@a>#Uh6U9xR20E-Z?`)hcg(!t^53z41=k#N4x5xAY59ylZcgJ(hE6zes5S=qBm>VEB*eDR?~COR^qj0c+yai?t!wrtblgizE!BJ+6Z1lZ zwr(@Xf{NXe5ap;%;h{k6M5jvF>NvnCfr!-A`p&!VaUlw&ray_xiRSv}9dEKVUk9i> zN#qQv!`1pX3fTEcOy;BE9<7CHPh@&(@9v62Az)2BMwH7NQjZGxEdQOyKoUKQv2N6Xxh*$Fv#fd;M zvNznUW2c3U@;M_~@=gPkx$$v=ZK=qQAHkHfRu7gM{0r5gu+HYt^V;IW8h33Q1$jKz zsrivqFQktews2H6b@@3aRIUmo6gMrm$#y_X+Ti5Yz`~5t|&}`V@jq zp!hpRdPoaP^r81R8q#81Qy)MZ(J@s^DUNvQdf=YH+GX?xEmI%wV#)zt$=9*;e$!b& zwoPDHOaTca;*M3B?D3hFPD)ZX@<8^Eh|Y%oP-XB)2vx|JtC1K>X=)`;GgMHj3HGVr zsQXqKzteVZS-axR4y1%k-OtF{S;~TpV$jJiN@e{6haO4`vzxjNU17*BXA zDQf;~5{%$c=Kcg1X9A29DFd?J4Qen=)7hEjzpS8Dx9Xe74j8e=Z~XmxLbisrZ=4+C zl&i6CFLk~GBPRPHch^X1iBtTQ6}kmNPDs!6E@PM`eJNaA7Tv)Eq5BTh91ed zd_%xyg+z3f@4y*+sMio!}RIba0styVcvUE3g;@&94)WdSN+~ym}BQcnVb!(S~ zhxFE~HyG>{CrX$Lx=Ix0h-VK)M%Lst$(g+Mht+D|2Y?g!K?z`b5wMniiCV@LVz*VpD`eVie7AC< z7oQpk8AR#{a&&F47?=M9bGo*8rc-|(=lW30F7m<`+W_OK%3{kuGp^DMbLSaIv1g!p zCK6yZQ3gvtZO*o0p0}<5ONWQ`&cyq7;NHNJ0k{=!^?eWC=m%hi{-}}Nms_2fkadx>R%^@xA@(e7D*k4_lW__X)=D#={9}rkG54ZE$Y2oa%xDP& zhxgl<2vT43T(zHzGjI@PV$Ye7L6slQD@EzP+snu)tfQ$ZrQN+tMcskT$!rk z(%T5O*#H3DpH5HFR-=;XyWp7y;BDJ7)A?(ZfB$wnz;Fa9&4I?z#lN_Z|Gt&|5?A@( zH|dw!!fCBL8ZPAfIAxaK*An<~^#7E9@D(|x+VrBf=K#v(1MTjkNps)>>BThgSE{dr z+DiM%`o*48LkBU?sWU$;gq1HnFiw(jxP-_SBtjfyloYCJ;LmG&(F#XRrm^tn8EGO zSWEgkfW<^@%od~S#y76@QGwgAl3n6U`+3j5w52U==8c;8Kyjwg`?ZI{d7W3ofbL7P z8cLF!+oM$%ZtmA-XyB*po)@6Mt?^LFL8>%2)Eot~M}ZawUhicROMBB6vA5Sx`Dx8V^Au(;`@Pk2NB#^W z94|6XPO~>;jkun*s;2i}FNoDba$k*|<#Nse&7rglC_nd@<>tb)6wmh=3VH$n

F(ION_eC5!ROnpJLyE z@ia^D@oZ+!IVxzt(Pa_Y2r&CrP7kkbBK*JzwG+)l8ixBYi9}Eq)n~J)xJPE3riT@W ztEoQA}`^h$R(?f%_cj$CYLv9Lvw3XOH(F2cZ4O=SqzXG+;M2URmt$0cwpSeg(vOYG`x3HiE?&h!2Dog`Phj}+r-kZ zYe;Yl?=!)*Dr>CD|22A9HMDs`CS56O`|P#R%L2in!GpFe3GQ8#*yV`60O_!i0S{Nn z^C&;956@Zz^y%%6jo|A}S)wu@-oI4=pw6F;$c^6S!+pFuM8d)R8S_dAu&>RYai(R= zVTG=s7M>7z7#UF`n!YVld`BxlI)Ff;6tGQM%TLmz{pB@E=&gK1j&rejpLA8*Fk!i8!UZr@9=Ze6}5nxRi%|!?*TXZtiP7mN;u6 znOq_^WXPh`;hbkwY?w>0^7>GqHI@nQ%DDm#nE_X6)7@V>(1+CPySCZy9RFDJ86y%? z#(y`vlpLP-z%TyutxJt(YAz%&JRH6wSYaXf0m2vIXcHX?=@5!^M_g{Dy%h*Uc((Ki z(2tL=aGoTf6dd~dyh=u zHdb*ESQs5$jkN4wk)Z8hf zD_%kqe5dwb7)A)Yw&t0RGdcO!%Pwrb+-~l#(I$N!_HjZA7l?LRG8Yh}6x~M=rGAPJ z6XpadTln!q5>MN!+2CqVOExSr}8z7t9N%!ifEEZO;CP%=^ zTQ~wYY?6V3Gg9pfB>=o<{>rWk;$`vCej`RZ>Rt}e&~uizVB91>+Cgx+PZn>9DQ?ro zvE&UCD-%@Yt;9(aUs&u)OBa`#jh?$d_fiZl&+Mi2q5i$9%P50;&faRWD&v&>IvSJt z7)>ZySGw#an?0w$9Aq;%>tas7HPyZP;7{*YdyxQy4KJ<l)R9M?j&8ha(-cFX&F_tT!)#Bh(c%8%UK z@??&fpKVkL9ldp&p{t%~UtD>cq#%LF(K_>7vbwsDy0o7lpc@ybROu?P8O9pZAn;q2lW$Gi14 zW*@k3vB~tP_GVqLpFSO--F}E(WYee!mTL)b+KRSJaUS2v$XAa#Qs)E%!y43K4yR&z zyT9URpERb?1zqRWEqSor0d!<-yeBAZV^0uh$lhowM4*ZJ{Oho5`oIhTv7v0$2O6cv zDGppq_B1PuzsONvmm!^lA-2pU4ZNg#d3+OiK9?U6MPXHFONTB66owqJOy3tl}G99mc8(!BWo4MRqTydW-8`ZlnYAC$wwirIEbdw$`#Z5{``Y+pSc4*?L$?oX2E4JTtdkrp5no z`F09^zW3D_aXI;lw)Nj^w}g!h z0_8M$kM5R;$R>#+(Hr~pkD zTUHsBn(&)D0*gHkPf2<@XB%L({;8P}ehS&wBj@{=C|j9D%c1pQ8DP%SU{?yGkm>=3 z<`$-Vg@+wRCevNP1}|F)W|;`+cRaE55P?!?Mt9lH7tUpaNe9r3q|J(7QJ!05hTRcI zcfIuPi_0uq&@eVvIt_EOE0xY-#i9{#Yo}Djn{%WE?T&@_B-cOo&*bOanes+HbTFN9 zO@Lzpg_9at>Q22n+T)7&+b7sKXp-svX?^k7NH-7$a%TZrcn9TLM?JfJjQ{VmZvR$~ i{15cDb (project, options) { Ability.allowed?(options[:current_user], :download_code, project) } # Avoids an N+1 query: https://github.com/mbleigh/acts-as-taggable-on/issues/91#issuecomment-168273770 expose :tag_list do |project| # project.tags.order(:name).pluck(:name) is the most suitable option @@ -261,7 +261,7 @@ module API expose :open_issues_count, if: lambda { |project, options| project.feature_available?(:issues, options[:current_user]) } expose :runners_token, if: lambda { |_project, options| options[:user_can_admin_project] } expose :public_builds, as: :public_jobs - expose :ci_config_path + expose :ci_config_path, if: -> (project, options) { Ability.allowed?(options[:current_user], :download_code, project) } expose :shared_with_groups do |project, options| SharedGroup.represent(project.project_group_links, options) end @@ -270,8 +270,9 @@ module API expose :only_allow_merge_if_all_discussions_are_resolved expose :printing_merge_request_link_enabled expose :merge_method - - expose :statistics, using: 'API::Entities::ProjectStatistics', if: :statistics + expose :statistics, using: 'API::Entities::ProjectStatistics', if: -> (project, options) { + options[:statistics] && Ability.allowed?(options[:current_user], :download_code, project) + } # rubocop: disable CodeReuse/ActiveRecord def self.preload_relation(projects_relation, options = {}) diff --git a/lib/api/environments.rb b/lib/api/environments.rb index 0278c6c54a..5b0f3b914c 100644 --- a/lib/api/environments.rb +++ b/lib/api/environments.rb @@ -22,7 +22,7 @@ module API get ':id/environments' do authorize! :read_environment, user_project - present paginate(user_project.environments), with: Entities::Environment + present paginate(user_project.environments), with: Entities::Environment, current_user: current_user end desc 'Creates a new environment' do @@ -40,7 +40,7 @@ module API environment = user_project.environments.create(declared_params) if environment.persisted? - present environment, with: Entities::Environment + present environment, with: Entities::Environment, current_user: current_user else render_validation_error!(environment) end @@ -63,7 +63,7 @@ module API update_params = declared_params(include_missing: false).extract!(:name, :external_url) if environment.update(update_params) - present environment, with: Entities::Environment + present environment, with: Entities::Environment, current_user: current_user else render_validation_error!(environment) end @@ -99,7 +99,7 @@ module API environment.stop_with_action!(current_user) status 200 - present environment, with: Entities::Environment + present environment, with: Entities::Environment, current_user: current_user end end end diff --git a/lib/api/helpers/notes_helpers.rb b/lib/api/helpers/notes_helpers.rb index 216b2c4574..795dca5cf0 100644 --- a/lib/api/helpers/notes_helpers.rb +++ b/lib/api/helpers/notes_helpers.rb @@ -70,14 +70,7 @@ module API def find_noteable(parent, noteables_str, noteable_id) noteable = public_send("find_#{parent}_#{noteables_str.singularize}", noteable_id) # rubocop:disable GitlabSecurity/PublicSend - readable = - if noteable.is_a?(Commit) - # for commits there is not :read_commit policy, check if user - # has :read_note permission on the commit's project - can?(current_user, :read_note, user_project) - else - can?(current_user, noteable_read_ability_name(noteable), noteable) - end + readable = can?(current_user, noteable_read_ability_name(noteable), noteable) return not_found!(noteables_str) unless readable @@ -89,12 +82,11 @@ module API end def create_note(noteable, opts) - policy_object = noteable.is_a?(Commit) ? user_project : noteable - authorize!(:create_note, policy_object) + authorize!(:create_note, noteable) parent = noteable_parent(noteable) - opts.delete(:created_at) unless current_user.can?(:set_note_created_at, policy_object) + opts.delete(:created_at) unless current_user.can?(:set_note_created_at, noteable) opts[:updated_at] = opts[:created_at] if opts[:created_at] diff --git a/lib/api/helpers/runner.rb b/lib/api/helpers/runner.rb index 16df8e830e..ff73a49d5e 100644 --- a/lib/api/helpers/runner.rb +++ b/lib/api/helpers/runner.rb @@ -26,7 +26,7 @@ module API end def get_runner_ip - { ip_address: request.env["HTTP_X_FORWARDED_FOR"] || request.ip } + { ip_address: env["action_dispatch.remote_ip"].to_s || request.ip } end def current_runner diff --git a/lib/api/projects.rb b/lib/api/projects.rb index 6a93ef9f3a..f8ffa76827 100644 --- a/lib/api/projects.rb +++ b/lib/api/projects.rb @@ -184,7 +184,8 @@ module API if project.saved? present project, with: Entities::Project, - user_can_admin_project: can?(current_user, :admin_project, project) + user_can_admin_project: can?(current_user, :admin_project, project), + current_user: current_user else if project.errors[:limit_reached].present? error!(project.errors[:limit_reached], 403) @@ -217,7 +218,8 @@ module API if project.saved? present project, with: Entities::Project, - user_can_admin_project: can?(current_user, :admin_project, project) + user_can_admin_project: can?(current_user, :admin_project, project), + current_user: current_user else render_validation_error!(project) end @@ -279,7 +281,8 @@ module API conflict!(forked_project.errors.messages) else present forked_project, with: Entities::Project, - user_can_admin_project: can?(current_user, :admin_project, forked_project) + user_can_admin_project: can?(current_user, :admin_project, forked_project), + current_user: current_user end end @@ -328,7 +331,8 @@ module API if result[:status] == :success present user_project, with: Entities::Project, - user_can_admin_project: can?(current_user, :admin_project, user_project) + user_can_admin_project: can?(current_user, :admin_project, user_project), + current_user: current_user else render_validation_error!(user_project) end @@ -342,7 +346,7 @@ module API ::Projects::UpdateService.new(user_project, current_user, archived: true).execute - present user_project, with: Entities::Project + present user_project, with: Entities::Project, current_user: current_user end desc 'Unarchive a project' do @@ -353,7 +357,7 @@ module API ::Projects::UpdateService.new(@project, current_user, archived: false).execute - present user_project, with: Entities::Project + present user_project, with: Entities::Project, current_user: current_user end desc 'Star a project' do @@ -366,7 +370,7 @@ module API current_user.toggle_star(user_project) user_project.reload - present user_project, with: Entities::Project + present user_project, with: Entities::Project, current_user: current_user end end @@ -378,7 +382,7 @@ module API current_user.toggle_star(user_project) user_project.reload - present user_project, with: Entities::Project + present user_project, with: Entities::Project, current_user: current_user else not_modified! end @@ -414,7 +418,7 @@ module API result = ::Projects::ForkService.new(fork_from_project, current_user).execute(user_project) if result - present user_project.reload, with: Entities::Project + present user_project.reload, with: Entities::Project, current_user: current_user else render_api_error!("Project already forked", 409) if user_project.forked? end @@ -436,27 +440,24 @@ module API end params do requires :group_id, type: Integer, desc: 'The ID of a group' - requires :group_access, type: Integer, values: Gitlab::Access.values, desc: 'The group access level' + requires :group_access, type: Integer, values: Gitlab::Access.values, as: :link_group_access, desc: 'The group access level' optional :expires_at, type: Date, desc: 'Share expiration date' end post ":id/share" do authorize! :admin_project, user_project group = Group.find_by_id(params[:group_id]) - unless group && can?(current_user, :read_group, group) - not_found!('Group') - end - unless user_project.allowed_to_share_with_group? break render_api_error!("The project sharing with group is disabled", 400) end - link = user_project.project_group_links.new(declared_params(include_missing: false)) + result = ::Projects::GroupLinks::CreateService.new(user_project, current_user, declared_params(include_missing: false)) + .execute(group) - if link.save - present link, with: Entities::ProjectGroupLink + if result[:status] == :success + present result[:link], with: Entities::ProjectGroupLink else - render_api_error!(link.errors.full_messages.first, 409) + render_api_error!(result[:message], result[:http_status]) end end @@ -520,7 +521,7 @@ module API result = ::Projects::TransferService.new(user_project, current_user).execute(namespace) if result - present user_project, with: Entities::Project + present user_project, with: Entities::Project, current_user: current_user else render_api_error!("Failed to transfer project #{user_project.errors.messages}", 400) end diff --git a/lib/api/release/links.rb b/lib/api/release/links.rb index e3072684ef..5d1b40e3bf 100644 --- a/lib/api/release/links.rb +++ b/lib/api/release/links.rb @@ -8,6 +8,8 @@ module API RELEASE_ENDPOINT_REQUIREMETS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS .merge(tag_name: API::NO_SLASH_URL_PART_REGEX) + before { authorize! :read_release, user_project } + params do requires :id, type: String, desc: 'The ID of a project' end diff --git a/lib/constraints/project_url_constrainer.rb b/lib/constraints/project_url_constrainer.rb index eadfbf7bc0..d41490d2eb 100644 --- a/lib/constraints/project_url_constrainer.rb +++ b/lib/constraints/project_url_constrainer.rb @@ -2,12 +2,13 @@ module Constraints class ProjectUrlConstrainer - def matches?(request) + def matches?(request, existence_check: true) namespace_path = request.params[:namespace_id] project_path = request.params[:project_id] || request.params[:id] full_path = [namespace_path, project_path].join('/') return false unless ProjectPathValidator.valid_path?(full_path) + return true unless existence_check # We intentionally allow SELECT(*) here so result of this query can be used # as cache for further Project.find_by_full_path calls within request diff --git a/lib/gitlab/dependency_linker/base_linker.rb b/lib/gitlab/dependency_linker/base_linker.rb index ac2efe598b..ffad00fa7d 100644 --- a/lib/gitlab/dependency_linker/base_linker.rb +++ b/lib/gitlab/dependency_linker/base_linker.rb @@ -4,6 +4,7 @@ module Gitlab module DependencyLinker class BaseLinker URL_REGEX = %r{https?://[^'" ]+}.freeze + GIT_INVALID_URL_REGEX = /^git\+#{URL_REGEX}/.freeze REPO_REGEX = %r{[^/'" ]+/[^/'" ]+}.freeze class_attribute :file_type @@ -29,8 +30,25 @@ module Gitlab highlighted_lines.join.html_safe end + def external_url(name, external_ref) + return if external_ref =~ GIT_INVALID_URL_REGEX + + case external_ref + when /\A#{URL_REGEX}\z/ + external_ref + when /\A#{REPO_REGEX}\z/ + github_url(external_ref) + else + package_url(name) + end + end + private + def package_url(_name) + raise NotImplementedError + end + def link_dependencies raise NotImplementedError end diff --git a/lib/gitlab/dependency_linker/composer_json_linker.rb b/lib/gitlab/dependency_linker/composer_json_linker.rb index 22d2bead89..4b8862b31e 100644 --- a/lib/gitlab/dependency_linker/composer_json_linker.rb +++ b/lib/gitlab/dependency_linker/composer_json_linker.rb @@ -8,8 +8,8 @@ module Gitlab private def link_packages - link_packages_at_key("require", &method(:package_url)) - link_packages_at_key("require-dev", &method(:package_url)) + link_packages_at_key("require") + link_packages_at_key("require-dev") end def package_url(name) diff --git a/lib/gitlab/dependency_linker/gemfile_linker.rb b/lib/gitlab/dependency_linker/gemfile_linker.rb index 8ab219c496..c6e02248b0 100644 --- a/lib/gitlab/dependency_linker/gemfile_linker.rb +++ b/lib/gitlab/dependency_linker/gemfile_linker.rb @@ -3,8 +3,14 @@ module Gitlab module DependencyLinker class GemfileLinker < MethodLinker + class_attribute :package_keyword + + self.package_keyword = :gem self.file_type = :gemfile + GITHUB_REGEX = /(github:|:github\s*=>)\s*['"](?[^'"]+)['"]/.freeze + GIT_REGEX = /(git:|:git\s*=>)\s*['"](?#{URL_REGEX})['"]/.freeze + private def link_dependencies @@ -14,21 +20,35 @@ module Gitlab def link_urls # Link `github: "user/repo"` to https://github.com/user/repo - link_regex(/(github:|:github\s*=>)\s*['"](?[^'"]+)['"]/, &method(:github_url)) + link_regex(GITHUB_REGEX, &method(:github_url)) # Link `git: "https://gitlab.example.com/user/repo"` to https://gitlab.example.com/user/repo - link_regex(/(git:|:git\s*=>)\s*['"](?#{URL_REGEX})['"]/, &:itself) + link_regex(GIT_REGEX, &:itself) # Link `source "https://rubygems.org"` to https://rubygems.org link_method_call('source', URL_REGEX, &:itself) end def link_packages - # Link `gem "package_name"` to https://rubygems.org/gems/package_name - link_method_call('gem') do |name| - "https://rubygems.org/gems/#{name}" + packages = parse_packages + + return if packages.blank? + + packages.each do |package| + link_method_call('gem', package.name) do + external_url(package.name, package.external_ref) + end end end + + def package_url(name) + "https://rubygems.org/gems/#{name}" + end + + def parse_packages + parser = Gitlab::DependencyLinker::Parser::Gemfile.new(plain_text) + parser.parse(keyword: self.class.package_keyword) + end end end end diff --git a/lib/gitlab/dependency_linker/gemspec_linker.rb b/lib/gitlab/dependency_linker/gemspec_linker.rb index b924ea86d8..94c2b375cf 100644 --- a/lib/gitlab/dependency_linker/gemspec_linker.rb +++ b/lib/gitlab/dependency_linker/gemspec_linker.rb @@ -11,7 +11,7 @@ module Gitlab link_method_call('homepage', URL_REGEX, &:itself) link_method_call('license', &method(:license_url)) - link_method_call(%w[name add_dependency add_runtime_dependency add_development_dependency]) do |name| + link_method_call(%w[add_dependency add_runtime_dependency add_development_dependency]) do |name| "https://rubygems.org/gems/#{name}" end end diff --git a/lib/gitlab/dependency_linker/method_linker.rb b/lib/gitlab/dependency_linker/method_linker.rb index d4d85bb339..33899a931c 100644 --- a/lib/gitlab/dependency_linker/method_linker.rb +++ b/lib/gitlab/dependency_linker/method_linker.rb @@ -23,18 +23,22 @@ module Gitlab # link_method_call('name') # # Will link `package` in `self.name = "package"` def link_method_call(method_name, value = nil, &url_proc) + regex = method_call_regex(method_name, value) + + link_regex(regex, &url_proc) + end + + def method_call_regex(method_name, value = nil) method_name = regexp_for_value(method_name) value = regexp_for_value(value) - regex = %r{ + %r{ #{method_name} # Method name \s* # Whitespace [(=]? # Opening brace or equals sign \s* # Whitespace ['"](?#{value})['"] # Package name in quotes }x - - link_regex(regex, &url_proc) end end end diff --git a/lib/gitlab/dependency_linker/package.rb b/lib/gitlab/dependency_linker/package.rb new file mode 100644 index 0000000000..8a509bbd56 --- /dev/null +++ b/lib/gitlab/dependency_linker/package.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +module Gitlab + module DependencyLinker + class Package + attr_reader :name, :git_ref, :github_ref + + def initialize(name, git_ref, github_ref) + @name = name + @git_ref = git_ref + @github_ref = github_ref + end + + def external_ref + @git_ref || @github_ref + end + end + end +end diff --git a/lib/gitlab/dependency_linker/package_json_linker.rb b/lib/gitlab/dependency_linker/package_json_linker.rb index 578e25f806..6857f2a4fa 100644 --- a/lib/gitlab/dependency_linker/package_json_linker.rb +++ b/lib/gitlab/dependency_linker/package_json_linker.rb @@ -8,7 +8,6 @@ module Gitlab private def link_dependencies - link_json('name', json["name"], &method(:package_url)) link_json('license', &method(:license_url)) link_json(%w[homepage url], URL_REGEX, &:itself) @@ -16,25 +15,19 @@ module Gitlab end def link_packages - link_packages_at_key("dependencies", &method(:package_url)) - link_packages_at_key("devDependencies", &method(:package_url)) + link_packages_at_key("dependencies") + link_packages_at_key("devDependencies") end - def link_packages_at_key(key, &url_proc) + def link_packages_at_key(key) dependencies = json[key] return unless dependencies dependencies.each do |name, version| - link_json(name, version, link: :key, &url_proc) + external_url = external_url(name, version) - link_json(name) do |value| - case value - when /\A#{URL_REGEX}\z/ - value - when /\A#{REPO_REGEX}\z/ - github_url(value) - end - end + link_json(name, version, link: :key) { external_url } + link_json(name) { external_url } end end diff --git a/lib/gitlab/dependency_linker/parser/gemfile.rb b/lib/gitlab/dependency_linker/parser/gemfile.rb new file mode 100644 index 0000000000..7f755375ce --- /dev/null +++ b/lib/gitlab/dependency_linker/parser/gemfile.rb @@ -0,0 +1,40 @@ +# frozen_string_literal: true + +module Gitlab + module DependencyLinker + module Parser + class Gemfile < MethodLinker + GIT_REGEX = Gitlab::DependencyLinker::GemfileLinker::GIT_REGEX + GITHUB_REGEX = Gitlab::DependencyLinker::GemfileLinker::GITHUB_REGEX + + def initialize(plain_text) + @plain_text = plain_text + end + + # Returns a list of Gitlab::DependencyLinker::Package + # + # keyword - The package definition keyword, e.g. `:gem` for + # Gemfile parsing, `:pod` for Podfile. + def parse(keyword:) + plain_lines.each_with_object([]) do |line, packages| + name = fetch(line, method_call_regex(keyword)) + + next unless name + + git_ref = fetch(line, GIT_REGEX) + github_ref = fetch(line, GITHUB_REGEX) + + packages << Gitlab::DependencyLinker::Package.new(name, git_ref, github_ref) + end + end + + private + + def fetch(line, regex, group: :name) + match = line.match(regex) + match[group] if match + end + end + end + end +end diff --git a/lib/gitlab/dependency_linker/podfile_linker.rb b/lib/gitlab/dependency_linker/podfile_linker.rb index def9b04cca..a20d285da7 100644 --- a/lib/gitlab/dependency_linker/podfile_linker.rb +++ b/lib/gitlab/dependency_linker/podfile_linker.rb @@ -5,12 +5,21 @@ module Gitlab class PodfileLinker < GemfileLinker include Cocoapods + self.package_keyword = :pod self.file_type = :podfile private def link_packages - link_method_call('pod', &method(:package_url)) + packages = parse_packages + + return unless packages + + packages.each do |package| + link_method_call('pod', package.name) do + external_url(package.name, package.external_ref) + end + end end end end diff --git a/lib/gitlab/dependency_linker/podspec_linker.rb b/lib/gitlab/dependency_linker/podspec_linker.rb index 6b1758c5a4..14abd3999c 100644 --- a/lib/gitlab/dependency_linker/podspec_linker.rb +++ b/lib/gitlab/dependency_linker/podspec_linker.rb @@ -19,7 +19,7 @@ module Gitlab link_method_call('license', &method(:license_url)) link_regex(/license\s*=\s*\{\s*(type:|:type\s*=>)\s*#{STRING_REGEX}/, &method(:license_url)) - link_method_call(%w[name dependency], &method(:package_url)) + link_method_call('dependency', &method(:package_url)) end end end diff --git a/lib/gitlab/import_export/merge_request_parser.rb b/lib/gitlab/import_export/merge_request_parser.rb index 040a70d677..deb2f59f05 100644 --- a/lib/gitlab/import_export/merge_request_parser.rb +++ b/lib/gitlab/import_export/merge_request_parser.rb @@ -20,6 +20,17 @@ module Gitlab create_target_branch unless branch_exists?(@merge_request.target_branch) end + # The merge_request_diff associated with the current @merge_request might + # be invalid. Than means, when the @merge_request object is saved, the + # @merge_request.merge_request_diff won't. This can leave the merge request + # in an invalid state, because a merge request must have an associated + # merge request diff. + # In this change, if the associated merge request diff is invalid, we set + # it to nil. This change, in association with the after callback + # :ensure_merge_request_diff in the MergeRequest class, makes that + # when the merge request is going to be created and it doesn't have + # one, a default one will be generated. + @merge_request.merge_request_diff = nil unless @merge_request.merge_request_diff&.valid? @merge_request end diff --git a/lib/gitlab/import_export/shared.rb b/lib/gitlab/import_export/shared.rb index 947caaaefe..725c1101d7 100644 --- a/lib/gitlab/import_export/shared.rb +++ b/lib/gitlab/import_export/shared.rb @@ -61,7 +61,7 @@ module Gitlab def log_base_data { importer: 'Import/Export', - import_jid: @project&.import_state&.import_jid, + import_jid: @project&.import_state&.jid, project_id: @project&.id, project_path: @project&.full_path } diff --git a/lib/gitlab/kubernetes/kube_client.rb b/lib/gitlab/kubernetes/kube_client.rb index 624c2c6755..de14df5655 100644 --- a/lib/gitlab/kubernetes/kube_client.rb +++ b/lib/gitlab/kubernetes/kube_client.rb @@ -82,6 +82,8 @@ module Gitlab def initialize(api_prefix, **kubeclient_options) @api_prefix = api_prefix @kubeclient_options = kubeclient_options.merge(http_max_redirects: 0) + + validate_url! end def create_or_update_cluster_role_binding(resource) @@ -118,6 +120,12 @@ module Gitlab private + def validate_url! + return if Gitlab::CurrentSettings.allow_local_requests_from_hooks_and_services? + + Gitlab::UrlBlocker.validate!(api_prefix, allow_local_network: false) + end + def cluster_role_binding_exists?(resource) get_cluster_role_binding(resource.metadata.name) rescue ::Kubeclient::ResourceNotFoundError diff --git a/locale/gitlab.pot b/locale/gitlab.pot index c3349980d6..3a50ed4f78 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -1293,6 +1293,9 @@ msgstr "" msgid "Cannot modify managed Kubernetes cluster" msgstr "" +msgid "Cannot render the image. Maximum character count (%{charLimit}) has been exceeded." +msgstr "" + msgid "Certificate" msgstr "" diff --git a/qa/Gemfile b/qa/Gemfile index 873eac1013..f29006617e 100644 --- a/qa/Gemfile +++ b/qa/Gemfile @@ -8,3 +8,4 @@ gem 'rspec', '~> 3.7' gem 'selenium-webdriver', '~> 3.12' gem 'airborne', '~> 0.2.13' gem 'nokogiri', '~> 1.10.1' +gem 'rspec-retry', '~> 0.6.1' diff --git a/qa/Gemfile.lock b/qa/Gemfile.lock index 9f84bdc382..c3d9f558c2 100644 --- a/qa/Gemfile.lock +++ b/qa/Gemfile.lock @@ -76,6 +76,8 @@ GEM rspec-mocks (3.7.0) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.7.0) + rspec-retry (0.6.1) + rspec-core (> 3.3) rspec-support (3.7.0) rubyzip (1.2.2) selenium-webdriver (3.141.0) @@ -101,6 +103,7 @@ DEPENDENCIES pry-byebug (~> 3.5.1) rake (~> 12.3.0) rspec (~> 3.7) + rspec-retry (~> 0.6.1) selenium-webdriver (~> 3.12) BUNDLED WITH diff --git a/qa/qa/specs/features/browser_ui/3_create/repository/push_mirroring_over_http_spec.rb b/qa/qa/specs/features/browser_ui/3_create/repository/push_mirroring_over_http_spec.rb index 9d31a25ab3..208c45e7a6 100644 --- a/qa/qa/specs/features/browser_ui/3_create/repository/push_mirroring_over_http_spec.rb +++ b/qa/qa/specs/features/browser_ui/3_create/repository/push_mirroring_over_http_spec.rb @@ -1,7 +1,8 @@ # frozen_string_literal: true module QA - context 'Create' do + # https://gitlab.com/gitlab-org/quality/staging/issues/40 + context 'Create', :quarantine do describe 'Push mirror a repository over HTTP' do it 'configures and syncs a (push) mirrored repository' do Runtime::Browser.visit(:gitlab, Page::Main::Login) diff --git a/qa/spec/spec_helper.rb b/qa/spec/spec_helper.rb index cddaa6fc6e..021fe5fce5 100644 --- a/qa/spec/spec_helper.rb +++ b/qa/spec/spec_helper.rb @@ -1,4 +1,5 @@ require_relative '../qa' +require 'rspec/retry' Dir[::File.join(__dir__, 'support', '**', '*.rb')].each { |f| require f } @@ -43,6 +44,17 @@ RSpec.configure do |config| config.profile_examples = 10 config.order = :random Kernel.srand config.seed + + # show retry status in spec process + config.verbose_retry = true + + # show exception that triggers a retry if verbose_retry is set to true + config.display_try_failure_messages = true + + config.around do |example| + retry_times = example.metadata.keys.include?(:quarantine) ? 1 : 3 + example.run_with_retry retry: retry_times + end end # Skip tests in quarantine unless we explicitly focus on them. diff --git a/qa/spec/spec_helper_spec.rb b/qa/spec/spec_helper_spec.rb index 2427999e11..27ec1ec80f 100644 --- a/qa/spec/spec_helper_spec.rb +++ b/qa/spec/spec_helper_spec.rb @@ -28,6 +28,22 @@ describe 'rspec config tests' do end end + let(:group_2) do + RSpec.describe do + before(:all) do + @expectations = [1, 2, 3] + end + + example 'not in quarantine' do + expect(@expectations.shift).to be(3) + end + + example 'in quarantine', :quarantine do + expect(@expectations.shift).to be(3) + end + end + end + context 'with no tags focussed' do before do group.run @@ -301,4 +317,39 @@ describe 'rspec config tests' do end end end + + context 'rspec retry' do + context 'in an untagged context' do + before do + group_2.run + end + + it 'should run example :retry times' do + examples = group_2.descendant_filtered_examples + ex = examples.find { |e| e.description == 'not in quarantine' } + expect(ex.execution_result.status).to eq(:passed) + end + end + + context 'with :quarantine focussed' do + before do + RSpec.configure do |config| + config.inclusion_filter = :quarantine + end + group_2.run + end + + after do + RSpec.configure do |config| + config.inclusion_filter.clear + end + end + + it 'should run example once only' do + examples = group_2.descendant_filtered_examples + ex = examples.find { |e| e.description == 'in quarantine' } + expect(ex.execution_result.status).to eq(:failed) + end + end + end end diff --git a/spec/controllers/dashboard/milestones_controller_spec.rb b/spec/controllers/dashboard/milestones_controller_spec.rb index 4b164d0aa6..ab40b4eb17 100644 --- a/spec/controllers/dashboard/milestones_controller_spec.rb +++ b/spec/controllers/dashboard/milestones_controller_spec.rb @@ -13,7 +13,7 @@ describe Dashboard::MilestonesController do ) end let(:issue) { create(:issue, project: project, milestone: project_milestone) } - let(:group_issue) { create(:issue, milestone: group_milestone) } + let(:group_issue) { create(:issue, milestone: group_milestone, project: create(:project, group: group)) } let!(:label) { create(:label, project: project, title: 'Issue Label', issues: [issue]) } let!(:group_label) { create(:group_label, group: group, title: 'Group Issue Label', issues: [group_issue]) } diff --git a/spec/controllers/google_api/authorizations_controller_spec.rb b/spec/controllers/google_api/authorizations_controller_spec.rb index 1e8e82da4f..d9ba85cf56 100644 --- a/spec/controllers/google_api/authorizations_controller_spec.rb +++ b/spec/controllers/google_api/authorizations_controller_spec.rb @@ -6,7 +6,7 @@ describe GoogleApi::AuthorizationsController do let(:token) { 'token' } let(:expires_at) { 1.hour.since.strftime('%s') } - subject { get :callback, params: { code: 'xxx', state: @state } } + subject { get :callback, params: { code: 'xxx', state: state } } before do sign_in(user) @@ -15,35 +15,57 @@ describe GoogleApi::AuthorizationsController do .to receive(:get_token).and_return([token, expires_at]) end - it 'sets token and expires_at in session' do - subject + shared_examples_for 'access denied' do + it 'returns a 404' do + subject - expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token]) - .to eq(token) - expect(session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]) - .to eq(expires_at) + expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token]).to be_nil + expect(response).to have_http_status(:not_found) + end end - context 'when redirect uri key is stored in state' do - set(:project) { create(:project) } - let(:redirect_uri) { project_clusters_url(project).to_s } + context 'session key is present' do + let(:session_key) { 'session-key' } + let(:redirect_uri) { 'example.com' } before do - @state = GoogleApi::CloudPlatform::Client - .new_session_key_for_redirect_uri do |key| - session[key] = redirect_uri + session[GoogleApi::CloudPlatform::Client.session_key_for_redirect_uri(session_key)] = redirect_uri + end + + context 'session key matches state param' do + let(:state) { session_key } + + it 'sets token and expires_at in session' do + subject + + expect(session[GoogleApi::CloudPlatform::Client.session_key_for_token]) + .to eq(token) + expect(session[GoogleApi::CloudPlatform::Client.session_key_for_expires_at]) + .to eq(expires_at) + end + + it 'redirects to the URL stored in state param' do + expect(subject).to redirect_to(redirect_uri) end end - it 'redirects to the URL stored in state param' do - expect(subject).to redirect_to(redirect_uri) + context 'session key does not match state param' do + let(:state) { 'bad-key' } + + it_behaves_like 'access denied' + end + + context 'state param is blank' do + let(:state) { '' } + + it_behaves_like 'access denied' end end - context 'when redirection url is not stored in state' do - it 'redirects to root_path' do - expect(subject).to redirect_to(root_path) - end + context 'state param is present, but session key is blank' do + let(:state) { 'session-key' } + + it_behaves_like 'access denied' end end end diff --git a/spec/controllers/groups/shared_projects_controller_spec.rb b/spec/controllers/groups/shared_projects_controller_spec.rb index dab7700cf6..b0c20fb5a9 100644 --- a/spec/controllers/groups/shared_projects_controller_spec.rb +++ b/spec/controllers/groups/shared_projects_controller_spec.rb @@ -6,6 +6,8 @@ describe Groups::SharedProjectsController do end def share_project(project) + group.add_developer(user) + Projects::GroupLinks::CreateService.new( project, user, diff --git a/spec/controllers/projects/autocomplete_sources_controller_spec.rb b/spec/controllers/projects/autocomplete_sources_controller_spec.rb new file mode 100644 index 0000000000..382e6d547d --- /dev/null +++ b/spec/controllers/projects/autocomplete_sources_controller_spec.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe Projects::AutocompleteSourcesController do + describe 'GET milestones' do + let(:user) { create(:user) } + let(:group) { create(:group, :public) } + let(:project) { create(:project, :public, namespace: group) } + let!(:project_milestone) { create(:milestone, project: project) } + let!(:group_milestone) { create(:milestone, group: group) } + + before do + sign_in(user) + end + + it 'lists milestones' do + group.add_owner(user) + + get :milestones, format: :json, params: { namespace_id: group.path, project_id: project.path } + + milestone_titles = json_response.map { |milestone| milestone["title"] } + expect(milestone_titles).to match_array([project_milestone.title, group_milestone.title]) + end + + context 'when user cannot read project issues and merge requests' do + it 'renders 404' do + project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE) + project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE) + + get :milestones, format: :json, params: { namespace_id: group.path, project_id: project.path } + + expect(response).to have_gitlab_http_status(404) + end + end + end +end diff --git a/spec/controllers/projects/group_links_controller_spec.rb b/spec/controllers/projects/group_links_controller_spec.rb index 675eeff8d1..ce021b2f08 100644 --- a/spec/controllers/projects/group_links_controller_spec.rb +++ b/spec/controllers/projects/group_links_controller_spec.rb @@ -65,8 +65,24 @@ describe Projects::GroupLinksController do end end + context 'when user does not have access to the public group' do + let(:group) { create(:group, :public) } + + include_context 'link project to group' + + it 'renders 404' do + expect(response.status).to eq 404 + end + + it 'does not share project with that group' do + expect(group.shared_projects).not_to include project + end + end + context 'when project group id equal link group id' do before do + group2.add_developer(user) + post(:create, params: { namespace_id: project.namespace, project_id: project, @@ -102,5 +118,26 @@ describe Projects::GroupLinksController do expect(flash[:alert]).to eq('Please select a group.') end end + + context 'when link is not persisted in the database' do + before do + allow(::Projects::GroupLinks::CreateService).to receive_message_chain(:new, :execute) + .and_return({ status: :error, http_status: 409, message: 'error' }) + + post(:create, params: { + namespace_id: project.namespace, + project_id: project, + link_group_id: group.id, + link_group_access: ProjectGroupLink.default_access + }) + end + + it 'redirects to project group links page' do + expect(response).to redirect_to( + project_project_members_path(project) + ) + expect(flash[:alert]).to eq('error') + end + end end end diff --git a/spec/controllers/snippets_controller_spec.rb b/spec/controllers/snippets_controller_spec.rb index 5c6858dc7b..77a94f26d8 100644 --- a/spec/controllers/snippets_controller_spec.rb +++ b/spec/controllers/snippets_controller_spec.rb @@ -205,6 +205,8 @@ describe SnippetsController do end context 'when the snippet description contains a file' do + include FileMoverHelpers + let(:picture_file) { '/-/system/temp/secret56/picture.jpg' } let(:text_file) { '/-/system/temp/secret78/text.txt' } let(:description) do @@ -215,6 +217,8 @@ describe SnippetsController do before do allow(FileUtils).to receive(:mkdir_p) allow(FileUtils).to receive(:move) + stub_file_mover(text_file) + stub_file_mover(picture_file) end subject { create_snippet({ description: description }, { files: [picture_file, text_file] }) } diff --git a/spec/features/issues_spec.rb b/spec/features/issues_spec.rb index 406e80e91a..9bc340ed4b 100644 --- a/spec/features/issues_spec.rb +++ b/spec/features/issues_spec.rb @@ -233,8 +233,8 @@ describe 'Issues' do created_at: Time.now - (index * 60)) end end - let(:newer_due_milestone) { create(:milestone, due_date: '2013-12-11') } - let(:later_due_milestone) { create(:milestone, due_date: '2013-12-12') } + let(:newer_due_milestone) { create(:milestone, project: project, due_date: '2013-12-11') } + let(:later_due_milestone) { create(:milestone, project: project, due_date: '2013-12-12') } it 'sorts by newest' do visit project_issues_path(project, sort: sort_value_created_date) diff --git a/spec/features/merge_request/user_sees_versions_spec.rb b/spec/features/merge_request/user_sees_versions_spec.rb index aa91ade46c..5c45e36399 100644 --- a/spec/features/merge_request/user_sees_versions_spec.rb +++ b/spec/features/merge_request/user_sees_versions_spec.rb @@ -1,7 +1,11 @@ require 'rails_helper' describe 'Merge request > User sees versions', :js do - let(:merge_request) { create(:merge_request, importing: true) } + let(:merge_request) do + create(:merge_request).tap do |mr| + mr.merge_request_diff.destroy + end + end let(:project) { merge_request.source_project } let(:user) { project.creator } let!(:merge_request_diff1) { merge_request.merge_request_diffs.create(head_commit_sha: '6f6d7e7ed97bb5f0054f2b1df789b39ca89b6ff9') } diff --git a/spec/features/merge_requests/user_lists_merge_requests_spec.rb b/spec/features/merge_requests/user_lists_merge_requests_spec.rb index ef7ae490b0..c691011b9c 100644 --- a/spec/features/merge_requests/user_lists_merge_requests_spec.rb +++ b/spec/features/merge_requests/user_lists_merge_requests_spec.rb @@ -13,7 +13,7 @@ describe 'Merge requests > User lists merge requests' do source_project: project, source_branch: 'fix', assignee: user, - milestone: create(:milestone, due_date: '2013-12-11'), + milestone: create(:milestone, project: project, due_date: '2013-12-11'), created_at: 1.minute.ago, updated_at: 1.minute.ago) create(:merge_request, @@ -21,7 +21,7 @@ describe 'Merge requests > User lists merge requests' do source_project: project, source_branch: 'markdown', assignee: user, - milestone: create(:milestone, due_date: '2013-12-12'), + milestone: create(:milestone, project: project, due_date: '2013-12-12'), created_at: 2.minutes.ago, updated_at: 2.minutes.ago) create(:merge_request, diff --git a/spec/features/profiles/active_sessions_spec.rb b/spec/features/profiles/active_sessions_spec.rb index d3050760c0..2aa0177af5 100644 --- a/spec/features/profiles/active_sessions_spec.rb +++ b/spec/features/profiles/active_sessions_spec.rb @@ -7,6 +7,8 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do end end + let(:admin) { create(:admin) } + around do |example| Timecop.freeze(Time.zone.parse('2018-03-12 09:06')) do example.run @@ -16,6 +18,7 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do it 'User sees their active sessions' do Capybara::Session.new(:session1) Capybara::Session.new(:session2) + Capybara::Session.new(:session3) # note: headers can only be set on the non-js (aka. rack-test) driver using_session :session1 do @@ -37,9 +40,27 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do gitlab_sign_in(user) end + # set an admin session impersonating the user + using_session :session3 do + Capybara.page.driver.header( + 'User-Agent', + 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36' + ) + + gitlab_sign_in(admin) + + visit admin_user_path(user) + + click_link 'Impersonate' + end + using_session :session1 do visit profile_active_sessions_path + expect(page).to( + have_selector('ul.list-group li.list-group-item', { text: 'Signed in on', + count: 2 })) + expect(page).to have_content( '127.0.0.1 ' \ 'This is your current session ' \ @@ -57,33 +78,8 @@ describe 'Profile > Active Sessions', :clean_gitlab_redis_shared_state do ) expect(page).to have_selector '[title="Smartphone"]', count: 1 - end - end - it 'User can revoke a session', :js, :redis_session_store do - Capybara::Session.new(:session1) - Capybara::Session.new(:session2) - - # set an additional session in another browser - using_session :session2 do - gitlab_sign_in(user) - end - - using_session :session1 do - gitlab_sign_in(user) - visit profile_active_sessions_path - - expect(page).to have_link('Revoke', count: 1) - - accept_confirm { click_on 'Revoke' } - - expect(page).not_to have_link('Revoke') - end - - using_session :session2 do - visit profile_active_sessions_path - - expect(page).to have_content('You need to sign in or sign up before continuing.') + expect(page).not_to have_content('Chrome on Windows') end end end diff --git a/spec/features/projects/blobs/blob_show_spec.rb b/spec/features/projects/blobs/blob_show_spec.rb index 3edcc7ac2c..a7aa63018f 100644 --- a/spec/features/projects/blobs/blob_show_spec.rb +++ b/spec/features/projects/blobs/blob_show_spec.rb @@ -548,10 +548,7 @@ describe 'File blob', :js do it 'displays an auxiliary viewer' do aggregate_failures do # shows names of dependency manager and package - expect(page).to have_content('This project manages its dependencies using RubyGems and defines a gem named activerecord.') - - # shows a link to the gem - expect(page).to have_link('activerecord', href: 'https://rubygems.org/gems/activerecord') + expect(page).to have_content('This project manages its dependencies using RubyGems.') # shows a learn more link expect(page).to have_link('Learn more', href: 'https://rubygems.org/') diff --git a/spec/features/projects/members/invite_group_spec.rb b/spec/features/projects/members/invite_group_spec.rb index fceead0b45..b2d2dba55f 100644 --- a/spec/features/projects/members/invite_group_spec.rb +++ b/spec/features/projects/members/invite_group_spec.rb @@ -27,6 +27,7 @@ describe 'Project > Members > Invite group', :js do before do project.add_maintainer(maintainer) + group_to_share_with.add_guest(maintainer) sign_in(maintainer) end @@ -112,6 +113,7 @@ describe 'Project > Members > Invite group', :js do before do project.add_maintainer(maintainer) + group.add_guest(maintainer) sign_in(maintainer) visit project_settings_members_path(project) diff --git a/spec/features/projects/settings/user_manages_group_links_spec.rb b/spec/features/projects/settings/user_manages_group_links_spec.rb index 676659b90c..e5a58c44e4 100644 --- a/spec/features/projects/settings/user_manages_group_links_spec.rb +++ b/spec/features/projects/settings/user_manages_group_links_spec.rb @@ -10,6 +10,7 @@ describe 'Projects > Settings > User manages group links' do before do project.add_maintainer(user) + group_market.add_guest(user) sign_in(user) share_link = project.project_group_links.new(group_access: Gitlab::Access::MAINTAINER) diff --git a/spec/features/security/group/private_access_spec.rb b/spec/features/security/group/private_access_spec.rb index 4705cd12d2..de38a2c020 100644 --- a/spec/features/security/group/private_access_spec.rb +++ b/spec/features/security/group/private_access_spec.rb @@ -93,4 +93,29 @@ describe 'Private Group access' do it { is_expected.to be_denied_for(:visitor) } it { is_expected.to be_denied_for(:external) } end + + describe 'GET /groups/:path for shared projects' do + let(:project) { create(:project, :public) } + + before do + Projects::GroupLinks::CreateService.new( + project, + create(:user), + link_group_access: ProjectGroupLink::DEVELOPER + ).execute(group) + end + + subject { group_path(group) } + + it { is_expected.to be_allowed_for(:admin) } + it { is_expected.to be_allowed_for(:owner).of(group) } + it { is_expected.to be_allowed_for(:maintainer).of(group) } + it { is_expected.to be_allowed_for(:developer).of(group) } + it { is_expected.to be_allowed_for(:reporter).of(group) } + it { is_expected.to be_allowed_for(:guest).of(group) } + it { is_expected.to be_denied_for(project_guest) } + it { is_expected.to be_denied_for(:user) } + it { is_expected.to be_denied_for(:external) } + it { is_expected.to be_denied_for(:visitor) } + end end diff --git a/spec/finders/merge_requests_finder_spec.rb b/spec/finders/merge_requests_finder_spec.rb index 107da08a0a..503b88fcba 100644 --- a/spec/finders/merge_requests_finder_spec.rb +++ b/spec/finders/merge_requests_finder_spec.rb @@ -13,275 +13,409 @@ describe MergeRequestsFinder do end end - let(:user) { create :user } - let(:user2) { create :user } + context "multiple projects with merge requests" do + let(:user) { create :user } + let(:user2) { create :user } - let(:group) { create(:group) } - let(:subgroup) { create(:group, parent: group) } - let(:project1) { create_project_without_n_plus_1(group: group) } - let(:project2) do - Gitlab::GitalyClient.allow_n_plus_1_calls do - fork_project(project1, user) + let(:group) { create(:group) } + let(:subgroup) { create(:group, parent: group) } + let(:project1) { create_project_without_n_plus_1(group: group) } + let(:project2) do + Gitlab::GitalyClient.allow_n_plus_1_calls do + fork_project(project1, user) + end end - end - let(:project3) do - Gitlab::GitalyClient.allow_n_plus_1_calls do - p = fork_project(project1, user) - p.update!(archived: true) - p + let(:project3) do + Gitlab::GitalyClient.allow_n_plus_1_calls do + p = fork_project(project1, user) + p.update!(archived: true) + p + end end - end - let(:project4) { create_project_without_n_plus_1(group: subgroup) } - let(:project5) { create_project_without_n_plus_1(group: subgroup) } - let(:project6) { create_project_without_n_plus_1(group: subgroup) } + let(:project4) { create_project_without_n_plus_1(:repository, group: subgroup) } + let(:project5) { create_project_without_n_plus_1(group: subgroup) } + let(:project6) { create_project_without_n_plus_1(group: subgroup) } - let!(:merge_request1) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project1) } - let!(:merge_request2) { create(:merge_request, :conflict, author: user, source_project: project2, target_project: project1, state: 'closed') } - let!(:merge_request3) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project2, state: 'locked', title: 'thing WIP thing') } - let!(:merge_request4) { create(:merge_request, :simple, author: user, source_project: project3, target_project: project3, title: 'WIP thing') } - let!(:merge_request5) { create(:merge_request, :simple, author: user, source_project: project4, target_project: project4, title: '[WIP]') } - let!(:merge_request6) { create(:merge_request, :simple, author: user, source_project: project5, target_project: project5, title: 'WIP: thing') } - let!(:merge_request7) { create(:merge_request, :simple, author: user, source_project: project6, target_project: project6, title: 'wip thing') } - let!(:merge_request8) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project1, title: '[wip] thing') } - let!(:merge_request9) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project2, title: 'wip: thing') } + let!(:merge_request1) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project1) } + let!(:merge_request2) { create(:merge_request, :conflict, author: user, source_project: project2, target_project: project1, state: 'closed') } + let!(:merge_request3) { create(:merge_request, :simple, author: user, source_project: project2, target_project: project2, state: 'locked', title: 'thing WIP thing') } + let!(:merge_request4) { create(:merge_request, :simple, author: user, source_project: project3, target_project: project3, title: 'WIP thing') } + let!(:merge_request5) { create(:merge_request, :simple, author: user, source_project: project4, target_project: project4, title: '[WIP]') } + let!(:merge_request6) { create(:merge_request, :simple, author: user, source_project: project5, target_project: project5, title: 'WIP: thing') } + let!(:merge_request7) { create(:merge_request, :simple, author: user, source_project: project6, target_project: project6, title: 'wip thing') } + let!(:merge_request8) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project1, title: '[wip] thing') } + let!(:merge_request9) { create(:merge_request, :simple, author: user, source_project: project1, target_project: project2, title: 'wip: thing') } - before do - project1.add_maintainer(user) - project2.add_developer(user) - project3.add_developer(user) - project2.add_developer(user2) - project4.add_developer(user) - project5.add_developer(user) - project6.add_developer(user) - end - - describe "#execute" do - it 'filters by scope' do - params = { scope: 'authored', state: 'opened' } - merge_requests = described_class.new(user, params).execute - expect(merge_requests.size).to eq(7) + before do + project1.add_maintainer(user) + project2.add_developer(user) + project3.add_developer(user) + project2.add_developer(user2) + project4.add_developer(user) + project5.add_developer(user) + project6.add_developer(user) end - it 'filters by project' do - params = { project_id: project1.id, scope: 'authored', state: 'opened' } - merge_requests = described_class.new(user, params).execute - expect(merge_requests.size).to eq(2) - end + describe '#execute' do + it 'filters by scope' do + params = { scope: 'authored', state: 'opened' } + merge_requests = described_class.new(user, params).execute + expect(merge_requests.size).to eq(7) + end - context 'filtering by group' do - it 'includes all merge requests when user has access' do - params = { group_id: group.id } + it 'filters by project' do + params = { project_id: project1.id, scope: 'authored', state: 'opened' } + merge_requests = described_class.new(user, params).execute + expect(merge_requests.size).to eq(2) + end + + it 'filters by commit sha' do + merge_requests = described_class.new( + user, + commit_sha: merge_request5.merge_request_diff.last_commit_sha + ).execute + + expect(merge_requests).to contain_exactly(merge_request5) + end + + context 'filtering by group' do + it 'includes all merge requests when user has access' do + params = { group_id: group.id } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests.size).to eq(3) + end + + it 'excludes merge requests from projects the user does not have access to' do + private_project = create_project_without_n_plus_1(:private, group: group) + private_mr = create(:merge_request, :simple, author: user, source_project: private_project, target_project: private_project) + params = { group_id: group.id } + + private_project.add_guest(user) + merge_requests = described_class.new(user, params).execute + + expect(merge_requests.size).to eq(3) + expect(merge_requests).not_to include(private_mr) + end + + it 'filters by group including subgroups', :nested_groups do + params = { group_id: group.id, include_subgroups: true } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests.size).to eq(6) + end + end + + it 'filters by non_archived' do + params = { non_archived: true } + merge_requests = described_class.new(user, params).execute + expect(merge_requests.size).to eq(8) + end + + it 'filters by iid' do + params = { project_id: project1.id, iids: merge_request1.iid } merge_requests = described_class.new(user, params).execute - expect(merge_requests.size).to eq(3) + expect(merge_requests).to contain_exactly(merge_request1) end - it 'excludes merge requests from projects the user does not have access to' do - private_project = create_project_without_n_plus_1(:private, group: group) - private_mr = create(:merge_request, :simple, author: user, source_project: private_project, target_project: private_project) - params = { group_id: group.id } - - private_project.add_guest(user) - merge_requests = described_class.new(user, params).execute - - expect(merge_requests.size).to eq(3) - expect(merge_requests).not_to include(private_mr) - end - - it 'filters by group including subgroups', :nested_groups do - params = { group_id: group.id, include_subgroups: true } + it 'filters by source branch' do + params = { source_branch: merge_request2.source_branch } merge_requests = described_class.new(user, params).execute - expect(merge_requests.size).to eq(6) - end - end - - it 'filters by non_archived' do - params = { non_archived: true } - merge_requests = described_class.new(user, params).execute - expect(merge_requests.size).to eq(8) - end - - it 'filters by iid' do - params = { project_id: project1.id, iids: merge_request1.iid } - - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request1) - end - - it 'filters by source branch' do - params = { source_branch: merge_request2.source_branch } - - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request2) - end - - it 'filters by target branch' do - params = { target_branch: merge_request2.target_branch } - - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request2) - end - - it 'filters by state' do - params = { state: 'locked' } - - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request3) - end - - it 'filters by wip' do - params = { wip: 'yes' } - - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9) - end - - it 'filters by not wip' do - params = { wip: 'no' } - - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3) - end - - it 'returns all items if no valid wip param exists' do - params = { wip: '' } - - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3, merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9) - end - - it 'adds wip to scalar params' do - scalar_params = described_class.scalar_params - - expect(scalar_params).to include(:wip, :assignee_id) - end - - context 'filtering by group milestone' do - let!(:group) { create(:group, :public) } - let(:group_milestone) { create(:milestone, group: group) } - let!(:group_member) { create(:group_member, group: group, user: user) } - let(:params) { { milestone_title: group_milestone.title } } - - before do - project2.update(namespace: group) - merge_request2.update(milestone: group_milestone) - merge_request3.update(milestone: group_milestone) + expect(merge_requests).to contain_exactly(merge_request2) end - it 'returns issues assigned to that group milestone' do - merge_requests = described_class.new(user, params).execute - - expect(merge_requests).to contain_exactly(merge_request2, merge_request3) - end - end - - context 'filtering by created_at/updated_at' do - let(:new_project) { create(:project, forked_from_project: project1) } - - let!(:new_merge_request) do - create(:merge_request, - :simple, - author: user, - created_at: 1.week.from_now, - updated_at: 1.week.from_now, - source_project: new_project, - target_project: new_project) - end - - let!(:old_merge_request) do - create(:merge_request, - :simple, - author: user, - source_branch: 'feature_1', - created_at: 1.week.ago, - updated_at: 1.week.ago, - source_project: new_project, - target_project: new_project) - end - - before do - new_project.add_maintainer(user) - end - - it 'filters by created_after' do - params = { project_id: new_project.id, created_after: new_merge_request.created_at } + it 'filters by target branch' do + params = { target_branch: merge_request2.target_branch } merge_requests = described_class.new(user, params).execute - expect(merge_requests).to contain_exactly(new_merge_request) + expect(merge_requests).to contain_exactly(merge_request2) end - it 'filters by created_before' do - params = { project_id: new_project.id, created_before: old_merge_request.created_at } + it 'filters by state' do + params = { state: 'locked' } merge_requests = described_class.new(user, params).execute - expect(merge_requests).to contain_exactly(old_merge_request) + expect(merge_requests).to contain_exactly(merge_request3) end - it 'filters by created_after and created_before' do - params = { - project_id: new_project.id, - created_after: old_merge_request.created_at, - created_before: new_merge_request.created_at - } + it 'filters by wip' do + params = { wip: 'yes' } merge_requests = described_class.new(user, params).execute - expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request) + expect(merge_requests).to contain_exactly(merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9) end - it 'filters by updated_after' do - params = { project_id: new_project.id, updated_after: new_merge_request.updated_at } + it 'filters by not wip' do + params = { wip: 'no' } merge_requests = described_class.new(user, params).execute - expect(merge_requests).to contain_exactly(new_merge_request) + expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3) end - it 'filters by updated_before' do - params = { project_id: new_project.id, updated_before: old_merge_request.updated_at } + it 'returns all items if no valid wip param exists' do + params = { wip: '' } merge_requests = described_class.new(user, params).execute - expect(merge_requests).to contain_exactly(old_merge_request) + expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request3, merge_request4, merge_request5, merge_request6, merge_request7, merge_request8, merge_request9) end - it 'filters by updated_after and updated_before' do - params = { - project_id: new_project.id, - updated_after: old_merge_request.updated_at, - updated_before: new_merge_request.updated_at - } + it 'adds wip to scalar params' do + scalar_params = described_class.scalar_params - merge_requests = described_class.new(user, params).execute + expect(scalar_params).to include(:wip, :assignee_id) + end - expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request) + context 'filtering by group milestone' do + let!(:group) { create(:group, :public) } + let(:group_milestone) { create(:milestone, group: group) } + let!(:group_member) { create(:group_member, group: group, user: user) } + let(:params) { { milestone_title: group_milestone.title } } + + before do + project2.update(namespace: group) + merge_request2.update(milestone: group_milestone) + merge_request3.update(milestone: group_milestone) + end + + it 'returns issues assigned to that group milestone' do + merge_requests = described_class.new(user, params).execute + + expect(merge_requests).to contain_exactly(merge_request2, merge_request3) + end + end + + context 'filtering by created_at/updated_at' do + let(:new_project) { create(:project, forked_from_project: project1) } + + let!(:new_merge_request) do + create(:merge_request, + :simple, + author: user, + created_at: 1.week.from_now, + updated_at: 1.week.from_now, + source_project: new_project, + target_project: new_project) + end + + let!(:old_merge_request) do + create(:merge_request, + :simple, + author: user, + source_branch: 'feature_1', + created_at: 1.week.ago, + updated_at: 1.week.ago, + source_project: new_project, + target_project: new_project) + end + + before do + new_project.add_maintainer(user) + end + + it 'filters by created_after' do + params = { project_id: new_project.id, created_after: new_merge_request.created_at } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests).to contain_exactly(new_merge_request) + end + + it 'filters by created_before' do + params = { project_id: new_project.id, created_before: old_merge_request.created_at } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests).to contain_exactly(old_merge_request) + end + + it 'filters by created_after and created_before' do + params = { + project_id: new_project.id, + created_after: old_merge_request.created_at, + created_before: new_merge_request.created_at + } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request) + end + + it 'filters by updated_after' do + params = { project_id: new_project.id, updated_after: new_merge_request.updated_at } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests).to contain_exactly(new_merge_request) + end + + it 'filters by updated_before' do + params = { project_id: new_project.id, updated_before: old_merge_request.updated_at } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests).to contain_exactly(old_merge_request) + end + + it 'filters by updated_after and updated_before' do + params = { + project_id: new_project.id, + updated_after: old_merge_request.updated_at, + updated_before: new_merge_request.updated_at + } + + merge_requests = described_class.new(user, params).execute + + expect(merge_requests).to contain_exactly(old_merge_request, new_merge_request) + end + end + end + + describe '#row_count', :request_store do + it 'returns the number of rows for the default state' do + finder = described_class.new(user) + + expect(finder.row_count).to eq(7) + end + + it 'returns the number of rows for a given state' do + finder = described_class.new(user, state: 'closed') + + expect(finder.row_count).to eq(1) end end end - describe '#row_count', :request_store do - it 'returns the number of rows for the default state' do - finder = described_class.new(user) + context 'when projects require different access levels for merge requests' do + let(:user) { create(:user) } - expect(finder.row_count).to eq(7) + let(:public_project) { create(:project, :public) } + let(:internal) { create(:project, :internal) } + let(:private_project) { create(:project, :private) } + let(:public_with_private_repo) { create(:project, :public, :repository, :repository_private) } + let(:internal_with_private_repo) { create(:project, :internal, :repository, :repository_private) } + + let(:merge_requests) { described_class.new(user, {}).execute } + + let!(:mr_public) { create(:merge_request, source_project: public_project) } + let!(:mr_private) { create(:merge_request, source_project: private_project) } + let!(:mr_internal) { create(:merge_request, source_project: internal) } + let!(:mr_private_repo_access) { create(:merge_request, source_project: public_with_private_repo) } + let!(:mr_internal_private_repo_access) { create(:merge_request, source_project: internal_with_private_repo) } + + context 'with admin user' do + let(:user) { create(:user, :admin) } + + it 'returns all merge requests' do + expect(merge_requests).to eq( + [mr_internal_private_repo_access, mr_private_repo_access, mr_internal, mr_private, mr_public] + ) + end end - it 'returns the number of rows for a given state' do - finder = described_class.new(user, state: 'closed') + context 'when project restricts merge requests' do + let(:non_member) { create(:user) } + let(:project) { create(:project, :repository, :public, :merge_requests_private) } + let!(:merge_request) { create(:merge_request, source_project: project) } - expect(finder.row_count).to eq(1) + it "returns nothing to to non members" do + merge_requests = described_class.new( + non_member, + project_id: project.id + ).execute + + expect(merge_requests).to be_empty + end + end + + context 'with external user' do + let(:user) { create(:user, :external) } + + it 'returns only public merge requests' do + expect(merge_requests).to eq([mr_public]) + end + end + + context 'with authenticated user' do + it 'returns public and internal merge requests' do + expect(merge_requests).to eq([mr_internal, mr_public]) + end + + context 'being added to the private project' do + context 'as a guest' do + before do + private_project.add_guest(user) + end + + it 'does not return merge requests from the private project' do + expect(merge_requests).to eq([mr_internal, mr_public]) + end + end + + context 'as a developer' do + before do + private_project.add_developer(user) + end + + it 'returns merge requests from the private project' do + expect(merge_requests).to eq([mr_internal, mr_private, mr_public]) + end + end + end + + context 'being added to the public project with private repo access' do + context 'as a guest' do + before do + public_with_private_repo.add_guest(user) + end + + it 'returns merge requests from the project' do + expect(merge_requests).to eq([mr_internal, mr_public]) + end + end + + context 'as a reporter' do + before do + public_with_private_repo.add_reporter(user) + end + + it 'returns merge requests from the project' do + expect(merge_requests).to eq([mr_private_repo_access, mr_internal, mr_public]) + end + end + end + + context 'being added to the internal project with private repo access' do + context 'as a guest' do + before do + internal_with_private_repo.add_guest(user) + end + + it 'returns merge requests from the project' do + expect(merge_requests).to eq([mr_internal, mr_public]) + end + end + + context 'as a reporter' do + before do + internal_with_private_repo.add_reporter(user) + end + + it 'returns merge requests from the project' do + expect(merge_requests).to eq([mr_internal_private_repo_access, mr_internal, mr_public]) + end + end + end end end end diff --git a/spec/lib/constraints/project_url_constrainer_spec.rb b/spec/lib/constraints/project_url_constrainer_spec.rb index c96e7ab849..3496b01ebc 100644 --- a/spec/lib/constraints/project_url_constrainer_spec.rb +++ b/spec/lib/constraints/project_url_constrainer_spec.rb @@ -16,6 +16,10 @@ describe Constraints::ProjectUrlConstrainer do let(:request) { build_request('foo', 'bar') } it { expect(subject.matches?(request)).to be_falsey } + + context 'existence_check is false' do + it { expect(subject.matches?(request, existence_check: false)).to be_truthy } + end end context "project id ending with .git" do diff --git a/spec/lib/gitlab/dependency_linker/composer_json_linker_spec.rb b/spec/lib/gitlab/dependency_linker/composer_json_linker_spec.rb index 4d222564fd..0ebd899463 100644 --- a/spec/lib/gitlab/dependency_linker/composer_json_linker_spec.rb +++ b/spec/lib/gitlab/dependency_linker/composer_json_linker_spec.rb @@ -50,8 +50,8 @@ describe Gitlab::DependencyLinker::ComposerJsonLinker do %{#{name}} end - it 'links the module name' do - expect(subject).to include(link('laravel/laravel', 'https://packagist.org/packages/laravel/laravel')) + it 'does not link the module name' do + expect(subject).not_to include(link('laravel/laravel', 'https://packagist.org/packages/laravel/laravel')) end it 'links the homepage' do diff --git a/spec/lib/gitlab/dependency_linker/gemfile_linker_spec.rb b/spec/lib/gitlab/dependency_linker/gemfile_linker_spec.rb index a97803b119..f00f6b47b9 100644 --- a/spec/lib/gitlab/dependency_linker/gemfile_linker_spec.rb +++ b/spec/lib/gitlab/dependency_linker/gemfile_linker_spec.rb @@ -41,13 +41,16 @@ describe Gitlab::DependencyLinker::GemfileLinker do end it 'links dependencies' do - expect(subject).to include(link('rails', 'https://rubygems.org/gems/rails')) expect(subject).to include(link('rails-deprecated_sanitizer', 'https://rubygems.org/gems/rails-deprecated_sanitizer')) - expect(subject).to include(link('responders', 'https://rubygems.org/gems/responders')) - expect(subject).to include(link('sprockets', 'https://rubygems.org/gems/sprockets')) expect(subject).to include(link('default_value_for', 'https://rubygems.org/gems/default_value_for')) end + it 'links to external dependencies' do + expect(subject).to include(link('rails', 'https://github.com/rails/rails')) + expect(subject).to include(link('responders', 'https://github.com/rails/responders')) + expect(subject).to include(link('sprockets', 'https://gitlab.example.com/gems/sprockets')) + end + it 'links GitHub repos' do expect(subject).to include(link('rails/rails', 'https://github.com/rails/rails')) expect(subject).to include(link('rails/responders', 'https://github.com/rails/responders')) diff --git a/spec/lib/gitlab/dependency_linker/gemspec_linker_spec.rb b/spec/lib/gitlab/dependency_linker/gemspec_linker_spec.rb index 24ad7d12f4..6c6a5d7057 100644 --- a/spec/lib/gitlab/dependency_linker/gemspec_linker_spec.rb +++ b/spec/lib/gitlab/dependency_linker/gemspec_linker_spec.rb @@ -43,8 +43,8 @@ describe Gitlab::DependencyLinker::GemspecLinker do %{#{name}} end - it 'links the gem name' do - expect(subject).to include(link('gitlab_git', 'https://rubygems.org/gems/gitlab_git')) + it 'does not link the gem name' do + expect(subject).not_to include(link('gitlab_git', 'https://rubygems.org/gems/gitlab_git')) end it 'links the license' do diff --git a/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb b/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb index 1e8b72afb7..9050127af7 100644 --- a/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb +++ b/spec/lib/gitlab/dependency_linker/package_json_linker_spec.rb @@ -33,7 +33,8 @@ describe Gitlab::DependencyLinker::PackageJsonLinker do "express": "4.2.x", "bigpipe": "bigpipe/pagelet", "plates": "https://github.com/flatiron/plates/tarball/master", - "karma": "^1.4.1" + "karma": "^1.4.1", + "random": "git+https://EdOverflow@github.com/example/example.git" }, "devDependencies": { "vows": "^0.7.0", @@ -51,8 +52,8 @@ describe Gitlab::DependencyLinker::PackageJsonLinker do %{#{name}} end - it 'links the module name' do - expect(subject).to include(link('module-name', 'https://npmjs.com/package/module-name')) + it 'does not link the module name' do + expect(subject).not_to include(link('module-name', 'https://npmjs.com/package/module-name')) end it 'links the homepage' do @@ -71,14 +72,21 @@ describe Gitlab::DependencyLinker::PackageJsonLinker do expect(subject).to include(link('primus', 'https://npmjs.com/package/primus')) expect(subject).to include(link('async', 'https://npmjs.com/package/async')) expect(subject).to include(link('express', 'https://npmjs.com/package/express')) - expect(subject).to include(link('bigpipe', 'https://npmjs.com/package/bigpipe')) - expect(subject).to include(link('plates', 'https://npmjs.com/package/plates')) expect(subject).to include(link('karma', 'https://npmjs.com/package/karma')) expect(subject).to include(link('vows', 'https://npmjs.com/package/vows')) expect(subject).to include(link('assume', 'https://npmjs.com/package/assume')) expect(subject).to include(link('pre-commit', 'https://npmjs.com/package/pre-commit')) end + it 'links dependencies to URL detected on value' do + expect(subject).to include(link('bigpipe', 'https://github.com/bigpipe/pagelet')) + expect(subject).to include(link('plates', 'https://github.com/flatiron/plates/tarball/master')) + end + + it 'does not link to NPM when invalid git URL' do + expect(subject).not_to include(link('random', 'https://npmjs.com/package/random')) + end + it 'links GitHub repos' do expect(subject).to include(link('bigpipe/pagelet', 'https://github.com/bigpipe/pagelet')) end diff --git a/spec/lib/gitlab/dependency_linker/parser/gemfile_spec.rb b/spec/lib/gitlab/dependency_linker/parser/gemfile_spec.rb new file mode 100644 index 0000000000..f81dbcf62d --- /dev/null +++ b/spec/lib/gitlab/dependency_linker/parser/gemfile_spec.rb @@ -0,0 +1,42 @@ +require 'rails_helper' + +describe Gitlab::DependencyLinker::Parser::Gemfile do + describe '#parse' do + let(:file_content) do + <<-CONTENT.strip_heredoc + source 'https://rubygems.org' + + gem "rails", '4.2.6', github: "rails/rails" + gem 'rails-deprecated_sanitizer', '~> 1.0.3' + gem 'responders', '~> 2.0', :github => 'rails/responders' + gem 'sprockets', '~> 3.6.0', git: 'https://gitlab.example.com/gems/sprockets' + gem 'default_value_for', '~> 3.0.0' + CONTENT + end + + subject { described_class.new(file_content).parse(keyword: 'gem') } + + def fetch_package(name) + subject.find { |package| package.name == name } + end + + it 'returns parsed packages' do + expect(subject.size).to eq(5) + expect(subject).to all(be_a(Gitlab::DependencyLinker::Package)) + end + + it 'packages respond to name and external_ref accordingly' do + expect(fetch_package('rails')).to have_attributes(name: 'rails', + github_ref: 'rails/rails', + git_ref: nil) + + expect(fetch_package('sprockets')).to have_attributes(name: 'sprockets', + github_ref: nil, + git_ref: 'https://gitlab.example.com/gems/sprockets') + + expect(fetch_package('default_value_for')).to have_attributes(name: 'default_value_for', + github_ref: nil, + git_ref: nil) + end + end +end diff --git a/spec/lib/gitlab/dependency_linker/podfile_linker_spec.rb b/spec/lib/gitlab/dependency_linker/podfile_linker_spec.rb index cdfd7ad982..8f1b523653 100644 --- a/spec/lib/gitlab/dependency_linker/podfile_linker_spec.rb +++ b/spec/lib/gitlab/dependency_linker/podfile_linker_spec.rb @@ -43,7 +43,10 @@ describe Gitlab::DependencyLinker::PodfileLinker do it 'links packages' do expect(subject).to include(link('AFNetworking', 'https://cocoapods.org/pods/AFNetworking')) - expect(subject).to include(link('Interstellar/Core', 'https://cocoapods.org/pods/Interstellar')) + end + + it 'links external packages' do + expect(subject).to include(link('Interstellar/Core', 'https://github.com/ashfurrow/Interstellar.git')) end it 'links Git repos' do diff --git a/spec/lib/gitlab/dependency_linker/podspec_linker_spec.rb b/spec/lib/gitlab/dependency_linker/podspec_linker_spec.rb index ed60ab4595..bacec83010 100644 --- a/spec/lib/gitlab/dependency_linker/podspec_linker_spec.rb +++ b/spec/lib/gitlab/dependency_linker/podspec_linker_spec.rb @@ -42,8 +42,8 @@ describe Gitlab::DependencyLinker::PodspecLinker do %{#{name}} end - it 'links the gem name' do - expect(subject).to include(link('Reachability', 'https://cocoapods.org/pods/Reachability')) + it 'does not link the pod name' do + expect(subject).not_to include(link('Reachability', 'https://cocoapods.org/pods/Reachability')) end it 'links the license' do diff --git a/spec/lib/gitlab/import_export/merge_request_parser_spec.rb b/spec/lib/gitlab/import_export/merge_request_parser_spec.rb index 68eaa70e6b..4b234411a4 100644 --- a/spec/lib/gitlab/import_export/merge_request_parser_spec.rb +++ b/spec/lib/gitlab/import_export/merge_request_parser_spec.rb @@ -41,4 +41,20 @@ describe Gitlab::ImportExport::MergeRequestParser do expect(parsed_merge_request).to eq(merge_request) end + + context 'when the merge request has diffs' do + let(:merge_request) do + build(:merge_request, source_project: forked_project, target_project: project) + end + + context 'when the diff is invalid' do + let(:merge_request_diff) { build(:merge_request_diff, merge_request: merge_request, base_commit_sha: 'foobar') } + + it 'sets the diff to nil' do + expect(merge_request_diff).to be_invalid + expect(merge_request_diff.merge_request).to eq merge_request + expect(parsed_merge_request.merge_request_diff).to be_nil + end + end + end end diff --git a/spec/lib/gitlab/import_export/shared_spec.rb b/spec/lib/gitlab/import_export/shared_spec.rb index f2d750c659..2c288cff6e 100644 --- a/spec/lib/gitlab/import_export/shared_spec.rb +++ b/spec/lib/gitlab/import_export/shared_spec.rb @@ -14,6 +14,16 @@ describe Gitlab::ImportExport::Shared do expect(subject.errors).to eq(['Error importing into [FILTERED] Permission denied @ unlink_internal - [FILTERED]']) end + it 'updates the import JID' do + import_state = create(:import_state, project: project, jid: 'jid-test') + + expect_next_instance_of(Gitlab::Import::Logger) do |logger| + expect(logger).to receive(:error).with(hash_including(import_jid: import_state.jid)) + end + + subject.error(error) + end + it 'calls the error logger with the full message' do expect(subject).to receive(:log_error).with(hash_including(message: error.message)) diff --git a/spec/lib/gitlab/kubernetes/kube_client_spec.rb b/spec/lib/gitlab/kubernetes/kube_client_spec.rb index 02364e9214..978e64c440 100644 --- a/spec/lib/gitlab/kubernetes/kube_client_spec.rb +++ b/spec/lib/gitlab/kubernetes/kube_client_spec.rb @@ -50,6 +50,36 @@ describe Gitlab::Kubernetes::KubeClient do end end + describe '#initialize' do + shared_examples 'local address' do + it 'blocks local addresses' do + expect { client }.to raise_error(Gitlab::UrlBlocker::BlockedUrlError) + end + + context 'when local requests are allowed' do + before do + stub_application_setting(allow_local_requests_from_hooks_and_services: true) + end + + it 'allows local addresses' do + expect { client }.not_to raise_error + end + end + end + + context 'localhost address' do + let(:api_url) { 'http://localhost:22' } + + it_behaves_like 'local address' + end + + context 'private network address' do + let(:api_url) { 'http://192.168.1.2:3003' } + + it_behaves_like 'local address' + end + end + describe '#core_client' do subject { client.core_client } diff --git a/spec/mailers/notify_spec.rb b/spec/mailers/notify_spec.rb index 4f578c48d5..418f707a13 100644 --- a/spec/mailers/notify_spec.rb +++ b/spec/mailers/notify_spec.rb @@ -194,23 +194,53 @@ describe Notify do let(:new_issue) { create(:issue) } subject { described_class.issue_moved_email(recipient, issue, new_issue, current_user) } - it_behaves_like 'an answer to an existing thread with reply-by-email enabled' do - let(:model) { issue } - end - it_behaves_like 'it should show Gmail Actions View Issue link' - it_behaves_like 'an unsubscribeable thread' + context 'when a user has permissions to access the new issue' do + before do + new_issue.project.add_developer(recipient) + end - it 'contains description about action taken' do - is_expected.to have_body_text 'Issue was moved to another project' + it_behaves_like 'an answer to an existing thread with reply-by-email enabled' do + let(:model) { issue } + end + it_behaves_like 'it should show Gmail Actions View Issue link' + it_behaves_like 'an unsubscribeable thread' + + it 'contains description about action taken' do + is_expected.to have_body_text 'Issue was moved to another project' + end + + it 'has the correct subject and body' do + new_issue_url = project_issue_path(new_issue.project, new_issue) + + aggregate_failures do + is_expected.to have_referable_subject(issue, reply: true) + is_expected.to have_body_text(new_issue_url) + is_expected.to have_body_text(project_issue_path(project, issue)) + end + end + + it 'contains the issue title' do + is_expected.to have_body_text new_issue.title + end end - it 'has the correct subject and body' do - new_issue_url = project_issue_path(new_issue.project, new_issue) + context 'when a user does not permissions to access the new issue' do + it 'has the correct subject and body' do + new_issue_url = project_issue_path(new_issue.project, new_issue) - aggregate_failures do - is_expected.to have_referable_subject(issue, reply: true) - is_expected.to have_body_text(new_issue_url) - is_expected.to have_body_text(project_issue_path(project, issue)) + aggregate_failures do + is_expected.to have_referable_subject(issue, reply: true) + is_expected.not_to have_body_text(new_issue_url) + is_expected.to have_body_text(project_issue_path(project, issue)) + end + end + + it 'does not contain the issue title' do + is_expected.not_to have_body_text new_issue.title + end + + it 'contains information about missing permissions' do + is_expected.to have_body_text "You don't have access to the project." end end end diff --git a/spec/models/active_session_spec.rb b/spec/models/active_session_spec.rb index 129b2f9268..e128fe8a4b 100644 --- a/spec/models/active_session_spec.rb +++ b/spec/models/active_session_spec.rb @@ -7,7 +7,10 @@ RSpec.describe ActiveSession, :clean_gitlab_redis_shared_state do end end - let(:session) { double(:session, id: '6919a6f1bb119dd7396fadc38fd18d0d') } + let(:session) do + double(:session, { id: '6919a6f1bb119dd7396fadc38fd18d0d', + '[]': {} }) + end let(:request) do double(:request, { diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb index c273fa7e16..8dfc9297d0 100644 --- a/spec/models/clusters/platforms/kubernetes_spec.rb +++ b/spec/models/clusters/platforms/kubernetes_spec.rb @@ -98,6 +98,22 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching it { expect(kubernetes.save).to be_truthy } end + + context 'when api_url is localhost' do + let(:api_url) { 'http://localhost:22' } + + it { expect(kubernetes.save).to be_falsey } + + context 'Application settings allows local requests' do + before do + allow(ApplicationSetting) + .to receive(:current) + .and_return(ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: true)) + end + + it { expect(kubernetes.save).to be_truthy } + end + end end context 'when validates token' do diff --git a/spec/models/concerns/issuable_spec.rb b/spec/models/concerns/issuable_spec.rb index 41159348e0..72c6161424 100644 --- a/spec/models/concerns/issuable_spec.rb +++ b/spec/models/concerns/issuable_spec.rb @@ -32,17 +32,56 @@ describe Issuable do end describe "Validation" do - subject { build(:issue) } + context 'general validations' do + subject { build(:issue) } - before do - allow(InternalId).to receive(:generate_next).and_return(nil) + before do + allow(InternalId).to receive(:generate_next).and_return(nil) + end + + it { is_expected.to validate_presence_of(:project) } + it { is_expected.to validate_presence_of(:iid) } + it { is_expected.to validate_presence_of(:author) } + it { is_expected.to validate_presence_of(:title) } + it { is_expected.to validate_length_of(:title).is_at_most(255) } end - it { is_expected.to validate_presence_of(:project) } - it { is_expected.to validate_presence_of(:iid) } - it { is_expected.to validate_presence_of(:author) } - it { is_expected.to validate_presence_of(:title) } - it { is_expected.to validate_length_of(:title).is_at_most(255) } + describe 'milestone' do + let(:project) { create(:project) } + let(:milestone_id) { create(:milestone, project: project).id } + let(:params) do + { + title: 'something', + project: project, + author: build(:user), + milestone_id: milestone_id + } + end + + subject { issuable_class.new(params) } + + context 'with correct params' do + it { is_expected.to be_valid } + end + + context 'with empty string milestone' do + let(:milestone_id) { '' } + + it { is_expected.to be_valid } + end + + context 'with nil milestone id' do + let(:milestone_id) { nil } + + it { is_expected.to be_valid } + end + + context 'with a milestone id from another project' do + let(:milestone_id) { create(:milestone).id } + + it { is_expected.to be_invalid } + end + end end describe "Scope" do @@ -66,6 +105,48 @@ describe Issuable do end end + describe '#milestone_available?' do + let(:group) { create(:group) } + let(:project) { create(:project, group: group) } + let(:issue) { create(:issue, project: project) } + + def build_issuable(milestone_id) + issuable_class.new(project: project, milestone_id: milestone_id) + end + + it 'returns true with a milestone from the issue project' do + milestone = create(:milestone, project: project) + + expect(build_issuable(milestone.id).milestone_available?).to be_truthy + end + + it 'returns true with a milestone from the issue project group' do + milestone = create(:milestone, group: group) + + expect(build_issuable(milestone.id).milestone_available?).to be_truthy + end + + it 'returns true with a milestone from the the parent of the issue project group', :nested_groups do + parent = create(:group) + group.update(parent: parent) + milestone = create(:milestone, group: parent) + + expect(build_issuable(milestone.id).milestone_available?).to be_truthy + end + + it 'returns false with a milestone from another project' do + milestone = create(:milestone) + + expect(build_issuable(milestone.id).milestone_available?).to be_falsey + end + + it 'returns false with a milestone from another group' do + milestone = create(:milestone, group: create(:group)) + + expect(build_issuable(milestone.id).milestone_available?).to be_falsey + end + end + describe ".search" do let!(:searchable_issue) { create(:issue, title: "Searchable awesome issue") } let!(:searchable_issue2) { create(:issue, title: 'Aw') } diff --git a/spec/models/concerns/milestoneish_spec.rb b/spec/models/concerns/milestoneish_spec.rb index 87bf731340..81ca5b638f 100644 --- a/spec/models/concerns/milestoneish_spec.rb +++ b/spec/models/concerns/milestoneish_spec.rb @@ -9,8 +9,10 @@ describe Milestone, 'Milestoneish' do let(:admin) { create(:admin) } let(:project) { create(:project, :public) } let(:milestone) { create(:milestone, project: project) } - let!(:issue) { create(:issue, project: project, milestone: milestone) } - let!(:security_issue_1) { create(:issue, :confidential, project: project, author: author, milestone: milestone) } + let(:label1) { create(:label, project: project) } + let(:label2) { create(:label, project: project) } + let!(:issue) { create(:issue, project: project, milestone: milestone, assignees: [member], labels: [label1]) } + let!(:security_issue_1) { create(:issue, :confidential, project: project, author: author, milestone: milestone, labels: [label2]) } let!(:security_issue_2) { create(:issue, :confidential, project: project, assignees: [assignee], milestone: milestone) } let!(:closed_issue_1) { create(:issue, :closed, project: project, milestone: milestone) } let!(:closed_issue_2) { create(:issue, :closed, project: project, milestone: milestone) } @@ -42,13 +44,102 @@ describe Milestone, 'Milestoneish' do end end + context 'attributes visibility' do + using RSpec::Parameterized::TableSyntax + + let(:users) do + { + anonymous: nil, + non_member: non_member, + guest: guest, + member: member, + assignee: assignee + } + end + + let(:project_visibility_levels) do + { + public: Gitlab::VisibilityLevel::PUBLIC, + internal: Gitlab::VisibilityLevel::INTERNAL, + private: Gitlab::VisibilityLevel::PRIVATE + } + end + + describe '#issue_participants_visible_by_user' do + where(:visibility, :user_role, :result) do + :public | nil | [:member] + :public | :non_member | [:member] + :public | :guest | [:member] + :public | :member | [:member, :assignee] + :internal | nil | [] + :internal | :non_member | [:member] + :internal | :guest | [:member] + :internal | :member | [:member, :assignee] + :private | nil | [] + :private | :non_member | [] + :private | :guest | [:member] + :private | :member | [:member, :assignee] + end + + with_them do + before do + project.update(visibility_level: project_visibility_levels[visibility]) + end + + it 'returns the proper participants' do + user = users[user_role] + participants = result.map { |role| users[role] } + + expect(milestone.issue_participants_visible_by_user(user)).to match_array(participants) + end + end + end + + describe '#issue_labels_visible_by_user' do + let(:labels) do + { + label1: label1, + label2: label2 + } + end + + where(:visibility, :user_role, :result) do + :public | nil | [:label1] + :public | :non_member | [:label1] + :public | :guest | [:label1] + :public | :member | [:label1, :label2] + :internal | nil | [] + :internal | :non_member | [:label1] + :internal | :guest | [:label1] + :internal | :member | [:label1, :label2] + :private | nil | [] + :private | :non_member | [] + :private | :guest | [:label1] + :private | :member | [:label1, :label2] + end + + with_them do + before do + project.update(visibility_level: project_visibility_levels[visibility]) + end + + it 'returns the proper participants' do + user = users[user_role] + expected_labels = result.map { |label| labels[label] } + + expect(milestone.issue_labels_visible_by_user(user)).to match_array(expected_labels) + end + end + end + end + describe '#sorted_merge_requests' do it 'sorts merge requests by label priority' do merge_request_1 = create(:labeled_merge_request, labels: [label_2], source_project: project, source_branch: 'branch_1', milestone: milestone) merge_request_2 = create(:labeled_merge_request, labels: [label_1], source_project: project, source_branch: 'branch_2', milestone: milestone) merge_request_3 = create(:labeled_merge_request, labels: [label_3], source_project: project, source_branch: 'branch_3', milestone: milestone) - merge_requests = milestone.sorted_merge_requests + merge_requests = milestone.sorted_merge_requests(member) expect(merge_requests.first).to eq(merge_request_2) expect(merge_requests.second).to eq(merge_request_1) @@ -56,6 +147,51 @@ describe Milestone, 'Milestoneish' do end end + describe '#merge_requests_visible_to_user' do + let(:merge_request) { create(:merge_request, source_project: project, milestone: milestone) } + + context 'when project is private' do + before do + project.update(visibility_level: Gitlab::VisibilityLevel::PRIVATE) + end + + it 'does not return any merge request for a non member' do + merge_requests = milestone.merge_requests_visible_to_user(non_member) + expect(merge_requests).to be_empty + end + + it 'returns milestone merge requests for a member' do + merge_requests = milestone.merge_requests_visible_to_user(member) + expect(merge_requests).to contain_exactly(merge_request) + end + end + + context 'when project is public' do + context 'when merge requests are available to anyone' do + it 'returns milestone merge requests for a non member' do + merge_requests = milestone.merge_requests_visible_to_user(non_member) + expect(merge_requests).to contain_exactly(merge_request) + end + end + + context 'when merge requests are available to project members' do + before do + project.project_feature.update(merge_requests_access_level: ProjectFeature::PRIVATE) + end + + it 'does not return any merge request for a non member' do + merge_requests = milestone.merge_requests_visible_to_user(non_member) + expect(merge_requests).to be_empty + end + + it 'returns milestone merge requests for a member' do + merge_requests = milestone.merge_requests_visible_to_user(member) + expect(merge_requests).to contain_exactly(merge_request) + end + end + end + end + describe '#closed_items_count' do it 'does not count confidential issues for non project members' do expect(milestone.closed_items_count(non_member)).to eq 2 diff --git a/spec/models/issue/metrics_spec.rb b/spec/models/issue/metrics_spec.rb index 1bf0ecb98a..b7291eebe6 100644 --- a/spec/models/issue/metrics_spec.rb +++ b/spec/models/issue/metrics_spec.rb @@ -9,7 +9,7 @@ describe Issue::Metrics do context "milestones" do it "records the first time an issue is associated with a milestone" do time = Time.now - Timecop.freeze(time) { subject.update(milestone: create(:milestone)) } + Timecop.freeze(time) { subject.update(milestone: create(:milestone, project: project)) } metrics = subject.metrics expect(metrics).to be_present @@ -18,9 +18,9 @@ describe Issue::Metrics do it "does not record the second time an issue is associated with a milestone" do time = Time.now - Timecop.freeze(time) { subject.update(milestone: create(:milestone)) } + Timecop.freeze(time) { subject.update(milestone: create(:milestone, project: project)) } Timecop.freeze(time + 2.hours) { subject.update(milestone: nil) } - Timecop.freeze(time + 6.hours) { subject.update(milestone: create(:milestone)) } + Timecop.freeze(time + 6.hours) { subject.update(milestone: create(:milestone, project: project)) } metrics = subject.metrics expect(metrics).to be_present diff --git a/spec/models/merge_request_diff_spec.rb b/spec/models/merge_request_diff_spec.rb index 1849d3bac1..e530e0302f 100644 --- a/spec/models/merge_request_diff_spec.rb +++ b/spec/models/merge_request_diff_spec.rb @@ -3,6 +3,18 @@ require 'spec_helper' describe MergeRequestDiff do let(:diff_with_commits) { create(:merge_request).merge_request_diff } + describe 'validations' do + subject { diff_with_commits } + + it 'checks sha format of base_commit_sha, head_commit_sha and start_commit_sha' do + subject.base_commit_sha = subject.head_commit_sha = subject.start_commit_sha = 'foobar' + + expect(subject.valid?).to be false + expect(subject.errors.count).to eq 3 + expect(subject.errors).to all(include('is not a valid SHA')) + end + end + describe 'create new record' do subject { diff_with_commits } @@ -78,7 +90,7 @@ describe MergeRequestDiff do it 'returns persisted diffs if cannot compare with diff refs' do expect(diff).to receive(:load_diffs).and_call_original - diff.update!(head_commit_sha: 'invalid-sha') + diff.update!(head_commit_sha: Digest::SHA1.hexdigest(SecureRandom.hex)) diff.diffs.diff_files end diff --git a/spec/models/milestone_spec.rb b/spec/models/milestone_spec.rb index af7e3d3a6c..77b7042424 100644 --- a/spec/models/milestone_spec.rb +++ b/spec/models/milestone_spec.rb @@ -182,7 +182,7 @@ describe Milestone do describe '#total_items_count' do before do create :closed_issue, milestone: milestone, project: project - create :merge_request, milestone: milestone + create :merge_request, milestone: milestone, source_project: project end it 'returns total count of issues and merge requests assigned to milestone' do @@ -192,10 +192,10 @@ describe Milestone do describe '#can_be_closed?' do before do - milestone = create :milestone - create :closed_issue, milestone: milestone + milestone = create :milestone, project: project + create :closed_issue, milestone: milestone, project: project - create :issue + create :issue, project: project end it 'returns true if milestone active and all nested issues closed' do diff --git a/spec/models/project_services/prometheus_service_spec.rb b/spec/models/project_services/prometheus_service_spec.rb index b6cf4c7245..e9c7c94ad7 100644 --- a/spec/models/project_services/prometheus_service_spec.rb +++ b/spec/models/project_services/prometheus_service_spec.rb @@ -33,18 +33,38 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do describe 'Validations' do context 'when manual_configuration is enabled' do before do - subject.manual_configuration = true + service.manual_configuration = true end - it { is_expected.to validate_presence_of(:api_url) } + it 'validates presence of api_url' do + expect(service).to validate_presence_of(:api_url) + end end context 'when manual configuration is disabled' do before do - subject.manual_configuration = false + service.manual_configuration = false end - it { is_expected.not_to validate_presence_of(:api_url) } + it 'does not validate presence of api_url' do + expect(service).not_to validate_presence_of(:api_url) + end + end + + context 'when the api_url domain points to localhost or local network' do + let(:domain) { Addressable::URI.parse(service.api_url).hostname } + + it 'cannot query' do + expect(service.can_query?).to be true + + aggregate_failures do + ['127.0.0.1', '192.168.2.3'].each do |url| + allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([Addrinfo.tcp(url, 80)]) + + expect(service.can_query?).to be false + end + end + end end end @@ -74,30 +94,35 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do end describe '#prometheus_client' do - context 'manual configuration is enabled' do - let(:api_url) { 'http://some_url' } + let(:api_url) { 'http://some_url' } - before do - subject.active = true - subject.manual_configuration = true - subject.api_url = api_url - end + before do + service.active = true + service.api_url = api_url + service.manual_configuration = manual_configuration + end + + context 'manual configuration is enabled' do + let(:manual_configuration) { true } it 'returns rest client from api_url' do - expect(subject.prometheus_client.url).to eq(api_url) + expect(service.prometheus_client.url).to eq(api_url) + end + + it 'calls valid?' do + allow(service).to receive(:valid?).and_call_original + + expect(service.prometheus_client).not_to be_nil + + expect(service).to have_received(:valid?) end end context 'manual configuration is disabled' do - let(:api_url) { 'http://some_url' } - - before do - subject.manual_configuration = false - subject.api_url = api_url - end + let(:manual_configuration) { false } it 'no client provided' do - expect(subject.prometheus_client).to be_nil + expect(service.prometheus_client).to be_nil end end end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index c1767ed053..851b796c73 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -2487,6 +2487,16 @@ describe Project do end end + describe '#set_repository_writable!' do + it 'sets repository_read_only to false' do + project = create(:project, :read_only) + + expect { project.set_repository_writable! } + .to change(project, :repository_read_only) + .from(true).to(false) + end + end + describe '#pushes_since_gc' do let(:project) { create(:project) } diff --git a/spec/policies/commit_policy_spec.rb b/spec/policies/commit_policy_spec.rb new file mode 100644 index 0000000000..2259693cf0 --- /dev/null +++ b/spec/policies/commit_policy_spec.rb @@ -0,0 +1,53 @@ +require 'spec_helper' + +describe CommitPolicy do + describe '#rules' do + let(:user) { create(:user) } + let(:commit) { project.repository.head_commit } + let(:policy) { described_class.new(user, commit) } + + context 'when project is public' do + let(:project) { create(:project, :public, :repository) } + + it 'can read commit and create a note' do + expect(policy).to be_allowed(:read_commit) + end + + context 'when repository access level is private' do + let(:project) { create(:project, :public, :repository, :repository_private) } + + it 'can not read commit and create a note' do + expect(policy).to be_disallowed(:read_commit) + end + + context 'when the user is a project member' do + before do + project.add_developer(user) + end + + it 'can read commit and create a note' do + expect(policy).to be_allowed(:read_commit) + end + end + end + end + + context 'when project is private' do + let(:project) { create(:project, :private, :repository) } + + it 'can not read commit and create a note' do + expect(policy).to be_disallowed(:read_commit) + end + + context 'when the user is a project member' do + before do + project.add_developer(user) + end + + it 'can read commit and create a note' do + expect(policy).to be_allowed(:read_commit) + end + end + end + end +end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index be1804c5ce..34e9dbffee 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -74,6 +74,38 @@ describe GroupPolicy do end end + context 'with no user and public project' do + let(:project) { create(:project, :public) } + let(:user) { create(:user) } + let(:current_user) { nil } + + before do + Projects::GroupLinks::CreateService.new( + project, + user, + link_group_access: ProjectGroupLink::DEVELOPER + ).execute(group) + end + + it { expect_disallowed(:read_group) } + end + + context 'with foreign user and public project' do + let(:project) { create(:project, :public) } + let(:user) { create(:user) } + let(:current_user) { create(:user) } + + before do + Projects::GroupLinks::CreateService.new( + project, + user, + link_group_access: ProjectGroupLink::DEVELOPER + ).execute(group) + end + + it { expect_disallowed(:read_group) } + end + context 'has projects' do let(:current_user) { create(:user) } let(:project) { create(:project, namespace: group) } @@ -83,7 +115,7 @@ describe GroupPolicy do end it do - expect_allowed(:read_group, :read_label) + expect_allowed(:read_list, :read_label) end context 'in subgroups', :nested_groups do @@ -91,7 +123,7 @@ describe GroupPolicy do let(:project) { create(:project, namespace: subgroup) } it do - expect_allowed(:read_group, :read_label) + expect_allowed(:read_list, :read_label) end end end diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb index 0e848c7465..4be7a0266d 100644 --- a/spec/policies/note_policy_spec.rb +++ b/spec/policies/note_policy_spec.rb @@ -1,28 +1,15 @@ require 'spec_helper' -describe NotePolicy, mdoels: true do +describe NotePolicy do describe '#rules' do let(:user) { create(:user) } let(:project) { create(:project, :public) } let(:issue) { create(:issue, project: project) } - - def policies(noteable = nil) - return @policies if @policies - - noteable ||= issue - note = if noteable.is_a?(Commit) - create(:note_on_commit, commit_id: noteable.id, author: user, project: project) - else - create(:note, noteable: noteable, author: user, project: project) - end - - @policies = described_class.new(user, note) - end + let(:noteable) { issue } + let(:policy) { described_class.new(user, note) } + let(:note) { create(:note, noteable: noteable, author: user, project: project) } shared_examples_for 'a discussion with a private noteable' do - let(:noteable) { issue } - let(:policy) { policies(noteable) } - context 'when the note author can no longer see the noteable' do it 'can not edit nor read the note' do expect(policy).to be_disallowed(:admin_note) @@ -46,12 +33,21 @@ describe NotePolicy, mdoels: true do end end - context 'when the project is private' do - let(:project) { create(:project, :private, :repository) } + context 'when the noteable is a commit' do + let(:commit) { project.repository.head_commit } + let(:note) { create(:note_on_commit, commit_id: commit.id, author: user, project: project) } - context 'when the noteable is a commit' do - it_behaves_like 'a discussion with a private noteable' do - let(:noteable) { project.repository.head_commit } + context 'when the project is private' do + let(:project) { create(:project, :private, :repository) } + + it_behaves_like 'a discussion with a private noteable' + end + + context 'when the project is public' do + context 'when repository access level is private' do + let(:project) { create(:project, :public, :repository, :repository_private) } + + it_behaves_like 'a discussion with a private noteable' end end end @@ -59,44 +55,44 @@ describe NotePolicy, mdoels: true do context 'when the project is public' do context 'when the note author is not a project member' do it 'can edit a note' do - expect(policies).to be_allowed(:admin_note) - expect(policies).to be_allowed(:resolve_note) - expect(policies).to be_allowed(:read_note) + expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:resolve_note) + expect(policy).to be_allowed(:read_note) end end context 'when the noteable is a project snippet' do - it 'can edit note' do - policies = policies(create(:project_snippet, :public, project: project)) + let(:noteable) { create(:project_snippet, :public, project: project) } - expect(policies).to be_allowed(:admin_note) - expect(policies).to be_allowed(:resolve_note) - expect(policies).to be_allowed(:read_note) + it 'can edit note' do + expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:resolve_note) + expect(policy).to be_allowed(:read_note) end context 'when it is private' do - it_behaves_like 'a discussion with a private noteable' do - let(:noteable) { create(:project_snippet, :private, project: project) } - end + let(:noteable) { create(:project_snippet, :private, project: project) } + + it_behaves_like 'a discussion with a private noteable' end end context 'when the noteable is a personal snippet' do - it 'can edit note' do - policies = policies(create(:personal_snippet, :public)) + let(:noteable) { create(:personal_snippet, :public) } - expect(policies).to be_allowed(:admin_note) - expect(policies).to be_allowed(:resolve_note) - expect(policies).to be_allowed(:read_note) + it 'can edit note' do + expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:resolve_note) + expect(policy).to be_allowed(:read_note) end context 'when it is private' do - it 'can not edit nor read the note' do - policies = policies(create(:personal_snippet, :private)) + let(:noteable) { create(:personal_snippet, :private) } - expect(policies).to be_disallowed(:admin_note) - expect(policies).to be_disallowed(:resolve_note) - expect(policies).to be_disallowed(:read_note) + it 'can not edit nor read the note' do + expect(policy).to be_disallowed(:admin_note) + expect(policy).to be_disallowed(:resolve_note) + expect(policy).to be_disallowed(:read_note) end end end @@ -120,20 +116,20 @@ describe NotePolicy, mdoels: true do end it 'can edit a note' do - expect(policies).to be_allowed(:admin_note) - expect(policies).to be_allowed(:resolve_note) - expect(policies).to be_allowed(:read_note) + expect(policy).to be_allowed(:admin_note) + expect(policy).to be_allowed(:resolve_note) + expect(policy).to be_allowed(:read_note) end end context 'when the note author is not a project member' do it 'can not edit a note' do - expect(policies).to be_disallowed(:admin_note) - expect(policies).to be_disallowed(:resolve_note) + expect(policy).to be_disallowed(:admin_note) + expect(policy).to be_disallowed(:resolve_note) end it 'can read a note' do - expect(policies).to be_allowed(:read_note) + expect(policy).to be_allowed(:read_note) end end end diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 93a468f585..f8d581ef38 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -130,22 +130,26 @@ describe ProjectPolicy do subject { described_class.new(owner, project) } context 'when the feature is disabled' do - it 'does not include the issues permissions' do + before do project.issues_enabled = false project.save! + end + it 'does not include the issues permissions' do expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue end - end - context 'when the feature is disabled and external tracker configured' do - it 'does not include the issues permissions' do - create(:jira_service, project: project) + it 'disables boards and lists permissions' do + expect_disallowed :read_board, :create_board, :update_board, :admin_board + expect_disallowed :read_list, :create_list, :update_list, :admin_list + end - project.issues_enabled = false - project.save! + context 'when external tracker configured' do + it 'does not include the issues permissions' do + create(:jira_service, project: project) - expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue + expect_disallowed :read_issue, :read_issue_iid, :create_issue, :update_issue, :admin_issue + end end end end diff --git a/spec/requests/api/commits_spec.rb b/spec/requests/api/commits_spec.rb index 6b9bc6eda6..c24e17fda3 100644 --- a/spec/requests/api/commits_spec.rb +++ b/spec/requests/api/commits_spec.rb @@ -1430,8 +1430,8 @@ describe API::Commits do end describe 'GET /projects/:id/repository/commits/:sha/merge_requests' do - let!(:project) { create(:project, :repository, :private) } - let!(:merged_mr) { create(:merge_request, source_project: project, source_branch: 'master', target_branch: 'feature') } + let(:project) { create(:project, :repository, :private) } + let(:merged_mr) { create(:merge_request, source_project: project, source_branch: 'master', target_branch: 'feature') } let(:commit) { merged_mr.merge_request_diff.commits.last } it 'returns the correct merge request' do @@ -1456,5 +1456,16 @@ describe API::Commits do expect(response).to have_gitlab_http_status(404) end + + context 'public project' do + let(:project) { create(:project, :repository, :public, :merge_requests_private) } + let(:non_member) { create(:user) } + + it 'responds 403 when only members are allowed to read merge requests' do + get api("/projects/#{project.id}/repository/commits/#{commit.id}/merge_requests", non_member) + + expect(response).to have_gitlab_http_status(403) + end + end end end diff --git a/spec/requests/api/issues_spec.rb b/spec/requests/api/issues_spec.rb index 04908378a2..46cd3ec88e 100644 --- a/spec/requests/api/issues_spec.rb +++ b/spec/requests/api/issues_spec.rb @@ -49,7 +49,7 @@ describe API::Issues do create(:label, title: 'label', color: '#FFAABB', project: project) end let!(:label_link) { create(:label_link, label: label, target: issue) } - set(:milestone) { create(:milestone, title: '1.0.0', project: project) } + let(:milestone) { create(:milestone, title: '1.0.0', project: project) } set(:empty_milestone) do create(:milestone, title: '2.0.0', project: project) end diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb index cfa7a1a31a..365d49ce2d 100644 --- a/spec/requests/api/projects_spec.rb +++ b/spec/requests/api/projects_spec.rb @@ -110,6 +110,7 @@ describe API::Projects do end let!(:public_project) { create(:project, :public, name: 'public_project') } + before do project project2 @@ -942,8 +943,16 @@ describe API::Projects do describe 'GET /projects/:id' do context 'when unauthenticated' do - it 'returns the public projects' do - public_project = create(:project, :public) + it 'does not return private projects' do + private_project = create(:project, :private) + + get api("/projects/#{private_project.id}") + + expect(response).to have_gitlab_http_status(404) + end + + it 'returns public projects' do + public_project = create(:project, :repository, :public) get api("/projects/#{public_project.id}") @@ -951,8 +960,34 @@ describe API::Projects do expect(json_response['id']).to eq(public_project.id) expect(json_response['description']).to eq(public_project.description) expect(json_response['default_branch']).to eq(public_project.default_branch) + expect(json_response['ci_config_path']).to eq(public_project.ci_config_path) expect(json_response.keys).not_to include('permissions') end + + context 'and the project has a private repository' do + let(:project) { create(:project, :repository, :public, :repository_private) } + let(:protected_attributes) { %w(default_branch ci_config_path) } + + it 'hides protected attributes of private repositories if user is not a member' do + get api("/projects/#{project.id}", user) + + expect(response).to have_gitlab_http_status(200) + protected_attributes.each do |attribute| + expect(json_response.keys).not_to include(attribute) + end + end + + it 'exposes protected attributes of private repositories if user is a member' do + project.add_developer(user) + + get api("/projects/#{project.id}", user) + + expect(response).to have_gitlab_http_status(200) + protected_attributes.each do |attribute| + expect(json_response.keys).to include(attribute) + end + end + end end context 'when authenticated' do @@ -1104,6 +1139,26 @@ describe API::Projects do expect(json_response).to include 'statistics' end + context "and the project has a private repository" do + let(:project) { create(:project, :public, :repository, :repository_private) } + + it "does not include statistics if user is not a member" do + get api("/projects/#{project.id}", user), params: { statistics: true } + + expect(response).to have_gitlab_http_status(200) + expect(json_response).not_to include 'statistics' + end + + it "includes statistics if user is a member" do + project.add_developer(user) + + get api("/projects/#{project.id}", user), params: { statistics: true } + + expect(response).to have_gitlab_http_status(200) + expect(json_response).to include 'statistics' + end + end + it "includes import_error if user can admin project" do get api("/projects/#{project.id}", user) @@ -1484,6 +1539,9 @@ describe API::Projects do describe "POST /projects/:id/share" do let(:group) { create(:group) } + before do + group.add_developer(user) + end it "shares project with group" do expires_at = 10.days.from_now.to_date @@ -1534,6 +1592,15 @@ describe API::Projects do expect(response).to have_gitlab_http_status(400) expect(json_response['error']).to eq 'group_access does not have a valid value' end + + it "returns a 409 error when link is not saved" do + allow(::Projects::GroupLinks::CreateService).to receive_message_chain(:new, :execute) + .and_return({ status: :error, http_status: 409, message: 'error' }) + + post api("/projects/#{project.id}/share", user), params: { group_id: group.id, group_access: Gitlab::Access::DEVELOPER } + + expect(response).to have_gitlab_http_status(409) + end end describe 'DELETE /projects/:id/share/:group_id' do diff --git a/spec/requests/api/release/links_spec.rb b/spec/requests/api/release/links_spec.rb index ba948e37e2..3a59052bb2 100644 --- a/spec/requests/api/release/links_spec.rb +++ b/spec/requests/api/release/links_spec.rb @@ -73,6 +73,22 @@ describe API::Release::Links do expect(response).to have_gitlab_http_status(:ok) end end + + context 'when project is public and the repository is private' do + let(:project) { create(:project, :repository, :public, :repository_private) } + + it_behaves_like '403 response' do + let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) } + end + + context 'when the release does not exists' do + let!(:release) { } + + it_behaves_like '403 response' do + let(:request) { get api("/projects/#{project.id}/releases/v0.1/assets/links", non_project_member) } + end + end + end end end diff --git a/spec/requests/api/runner_spec.rb b/spec/requests/api/runner_spec.rb index d7ddd97e8c..91981f7c56 100644 --- a/spec/requests/api/runner_spec.rb +++ b/spec/requests/api/runner_spec.rb @@ -526,6 +526,15 @@ describe API::Runner, :clean_gitlab_redis_shared_state do expect(runner.reload.ip_address).to eq('123.222.123.222') end + it "handles multiple X-Forwarded-For addresses" do + post api('/jobs/request'), + params: { token: runner.token }, + headers: { 'User-Agent' => user_agent, 'X-Forwarded-For' => '123.222.123.222, 127.0.0.1' } + + expect(response).to have_gitlab_http_status 201 + expect(runner.reload.ip_address).to eq('123.222.123.222') + end + context 'when concurrently updating a job' do before do expect_any_instance_of(Ci::Build).to receive(:run!) diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb index 5b625fd47b..bfa178f5ca 100644 --- a/spec/requests/git_http_spec.rb +++ b/spec/requests/git_http_spec.rb @@ -104,6 +104,70 @@ describe 'Git HTTP requests' do end end + shared_examples_for 'project path without .git suffix' do + context "GET info/refs" do + let(:path) { "/#{project_path}/info/refs" } + + context "when no params are added" do + before do + get path + end + + it "redirects to the .git suffix version" do + expect(response).to redirect_to("/#{project_path}.git/info/refs") + end + end + + context "when the upload-pack service is requested" do + let(:params) { { service: 'git-upload-pack' } } + + before do + get path, params: params + end + + it "redirects to the .git suffix version" do + expect(response).to redirect_to("/#{project_path}.git/info/refs?service=#{params[:service]}") + end + end + + context "when the receive-pack service is requested" do + let(:params) { { service: 'git-receive-pack' } } + + before do + get path, params: params + end + + it "redirects to the .git suffix version" do + expect(response).to redirect_to("/#{project_path}.git/info/refs?service=#{params[:service]}") + end + end + + context "when the params are anything else" do + let(:params) { { service: 'git-implode-pack' } } + + before do + get path, params: params + end + + it "redirects to the sign-in page" do + expect(response).to redirect_to(new_user_session_path) + end + end + end + + context "POST git-upload-pack" do + it "fails to find a route" do + expect { clone_post(project_path) }.to raise_error(ActionController::RoutingError) + end + end + + context "POST git-receive-pack" do + it "fails to find a route" do + expect { push_post(project_path) }.to raise_error(ActionController::RoutingError) + end + end + end + describe "User with no identities" do let(:user) { create(:user) } @@ -143,6 +207,10 @@ describe 'Git HTTP requests' do expect(response).to have_gitlab_http_status(:unprocessable_entity) end end + + it_behaves_like 'project path without .git suffix' do + let(:project_path) { "#{user.namespace.path}/project.git-project" } + end end end @@ -706,70 +774,8 @@ describe 'Git HTTP requests' do end end - context "when the project path doesn't end in .git" do - let(:project) { create(:project, :repository, :public, path: 'project.git-project') } - - context "GET info/refs" do - let(:path) { "/#{project.full_path}/info/refs" } - - context "when no params are added" do - before do - get path - end - - it "redirects to the .git suffix version" do - expect(response).to redirect_to("/#{project.full_path}.git/info/refs") - end - end - - context "when the upload-pack service is requested" do - let(:params) { { service: 'git-upload-pack' } } - - before do - get path, params: params - end - - it "redirects to the .git suffix version" do - expect(response).to redirect_to("/#{project.full_path}.git/info/refs?service=#{params[:service]}") - end - end - - context "when the receive-pack service is requested" do - let(:params) { { service: 'git-receive-pack' } } - - before do - get path, params: params - end - - it "redirects to the .git suffix version" do - expect(response).to redirect_to("/#{project.full_path}.git/info/refs?service=#{params[:service]}") - end - end - - context "when the params are anything else" do - let(:params) { { service: 'git-implode-pack' } } - - before do - get path, params: params - end - - it "redirects to the sign-in page" do - expect(response).to redirect_to(new_user_session_path) - end - end - end - - context "POST git-upload-pack" do - it "fails to find a route" do - expect { clone_post(project.full_path) }.to raise_error(ActionController::RoutingError) - end - end - - context "POST git-receive-pack" do - it "fails to find a route" do - expect { push_post(project.full_path) }.to raise_error(ActionController::RoutingError) - end - end + it_behaves_like 'project path without .git suffix' do + let(:project_path) { create(:project, :repository, :public, path: 'project.git-project').full_path } end context "retrieving an info/refs file" do diff --git a/spec/services/issuable/common_system_notes_service_spec.rb b/spec/services/issuable/common_system_notes_service_spec.rb index fa5d5ebac5..0edc9016c9 100644 --- a/spec/services/issuable/common_system_notes_service_spec.rb +++ b/spec/services/issuable/common_system_notes_service_spec.rb @@ -3,7 +3,7 @@ require 'spec_helper' describe Issuable::CommonSystemNotesService do let(:user) { create(:user) } let(:project) { create(:project) } - let(:issuable) { create(:issue) } + let(:issuable) { create(:issue, project: project) } context 'on issuable update' do it_behaves_like 'system note creation', { title: 'New title' }, 'changed title' @@ -70,7 +70,7 @@ describe Issuable::CommonSystemNotesService do end context 'on issuable create' do - let(:issuable) { build(:issue) } + let(:issuable) { build(:issue, project: project) } subject { described_class.new(project, user).execute(issuable, old_labels: [], is_update: false) } diff --git a/spec/services/issues/build_service_spec.rb b/spec/services/issues/build_service_spec.rb index 248e7d5a38..86e58fe06b 100644 --- a/spec/services/issues/build_service_spec.rb +++ b/spec/services/issues/build_service_spec.rb @@ -8,29 +8,29 @@ describe Issues::BuildService do project.add_developer(user) end + def build_issue(issue_params = {}) + described_class.new(project, user, issue_params).execute + end + context 'for a single discussion' do describe '#execute' do let(:merge_request) { create(:merge_request, title: "Hello world", source_project: project) } let(:discussion) { create(:diff_note_on_merge_request, project: project, noteable: merge_request, note: "Almost done").to_discussion } - let(:service) { described_class.new(project, user, merge_request_to_resolve_discussions_of: merge_request.iid, discussion_to_resolve: discussion.id) } + + subject { build_issue(merge_request_to_resolve_discussions_of: merge_request.iid, discussion_to_resolve: discussion.id) } it 'references the noteable title in the issue title' do - issue = service.execute - - expect(issue.title).to include('Hello world') + expect(subject.title).to include('Hello world') end it 'adds the note content to the description' do - issue = service.execute - - expect(issue.description).to include('Almost done') + expect(subject.description).to include('Almost done') end end end context 'for discussions in a merge request' do let(:merge_request) { create(:merge_request_with_diff_notes, source_project: project) } - let(:issue) { described_class.new(project, user, merge_request_to_resolve_discussions_of: merge_request.iid).execute } describe '#items_for_discussions' do it 'has an item for each discussion' do @@ -66,28 +66,30 @@ describe Issues::BuildService do end describe '#execute' do - it 'has the merge request reference in the title' do - expect(issue.title).to include(merge_request.title) + let(:base_params) { { merge_request_to_resolve_discussions_of: merge_request.iid } } + + context 'without additional params' do + subject { build_issue(base_params) } + + it 'has the merge request reference in the title' do + expect(subject.title).to include(merge_request.title) + end + + it 'has the reference of the merge request in the description' do + expect(subject.description).to include(merge_request.to_reference) + end end - it 'has the reference of the merge request in the description' do - expect(issue.description).to include(merge_request.to_reference) - end - - it 'does not assign title when a title was given' do - issue = described_class.new(project, user, - merge_request_to_resolve_discussions_of: merge_request, - title: 'What an issue').execute + it 'uses provided title if title param given' do + issue = build_issue(base_params.merge(title: 'What an issue')) expect(issue.title).to eq('What an issue') end - it 'does not assign description when a description was given' do - issue = described_class.new(project, user, - merge_request_to_resolve_discussions_of: merge_request, - description: 'Fix at your earliest conveignance').execute + it 'uses provided description if description param given' do + issue = build_issue(base_params.merge(description: 'Fix at your earliest convenience')) - expect(issue.description).to eq('Fix at your earliest conveignance') + expect(issue.description).to eq('Fix at your earliest convenience') end describe 'with multiple discussions' do @@ -96,20 +98,20 @@ describe Issues::BuildService do it 'mentions all the authors in the description' do authors = merge_request.resolvable_discussions.map(&:author) - expect(issue.description).to include(*authors.map(&:to_reference)) + expect(build_issue(base_params).description).to include(*authors.map(&:to_reference)) end it 'has a link for each unresolved discussion in the description' do notes = merge_request.resolvable_discussions.map(&:first_note) links = notes.map { |note| Gitlab::UrlBuilder.build(note) } - expect(issue.description).to include(*links) + expect(build_issue(base_params).description).to include(*links) end it 'mentions additional notes' do create_list(:diff_note_on_merge_request, 2, noteable: merge_request, project: merge_request.target_project, in_reply_to: diff_note) - expect(issue.description).to include('(+2 comments)') + expect(build_issue(base_params).description).to include('(+2 comments)') end end end @@ -120,7 +122,7 @@ describe Issues::BuildService do describe '#execute' do it 'mentions the merge request in the description' do - issue = described_class.new(project, user, merge_request_to_resolve_discussions_of: merge_request.iid).execute + issue = build_issue(merge_request_to_resolve_discussions_of: merge_request.iid) expect(issue.description).to include("Review the conversation in #{merge_request.to_reference}") end @@ -128,20 +130,18 @@ describe Issues::BuildService do end describe '#execute' do - let(:milestone) { create(:milestone, project: project) } - it 'builds a new issues with given params' do - issue = described_class.new( - project, - user, - title: 'Issue #1', - description: 'Issue description', - milestone_id: milestone.id - ).execute + milestone = create(:milestone, project: project) + issue = build_issue(milestone_id: milestone.id) - expect(issue.title).to eq('Issue #1') - expect(issue.description).to eq('Issue description') expect(issue.milestone).to eq(milestone) end + + it 'sets milestone to nil if it is not available for the project' do + milestone = create(:milestone, project: create(:project)) + issue = build_issue(milestone_id: milestone.id) + + expect(issue.milestone).to be_nil + end end end diff --git a/spec/services/issues/update_service_spec.rb b/spec/services/issues/update_service_spec.rb index 931e47d3a7..f168420972 100644 --- a/spec/services/issues/update_service_spec.rb +++ b/spec/services/issues/update_service_spec.rb @@ -356,7 +356,7 @@ describe Issues::UpdateService, :mailer do it_behaves_like 'system notes for milestones' it 'sends notifications for subscribers of changed milestone' do - issue.milestone = create(:milestone) + issue.milestone = create(:milestone, project: project) issue.save @@ -380,7 +380,7 @@ describe Issues::UpdateService, :mailer do end it 'marks todos as done' do - update_issue(milestone: create(:milestone)) + update_issue(milestone: create(:milestone, project: project)) expect(todo.reload.done?).to eq true end @@ -389,7 +389,7 @@ describe Issues::UpdateService, :mailer do it 'sends notifications for subscribers of changed milestone' do perform_enqueued_jobs do - update_issue(milestone: create(:milestone)) + update_issue(milestone: create(:milestone, project: project)) end should_email(subscriber) diff --git a/spec/services/merge_requests/build_service_spec.rb b/spec/services/merge_requests/build_service_spec.rb index 536d0d345a..057e8137a4 100644 --- a/spec/services/merge_requests/build_service_spec.rb +++ b/spec/services/merge_requests/build_service_spec.rb @@ -229,6 +229,15 @@ describe MergeRequests::BuildService do end end end + + context 'when a milestone is from another project' do + let(:milestone) { create(:milestone, project: create(:project)) } + let(:milestone_id) { milestone.id } + + it 'sets milestone to nil' do + expect(merge_request.milestone).to be_nil + end + end end end diff --git a/spec/services/merge_requests/update_service_spec.rb b/spec/services/merge_requests/update_service_spec.rb index 20580bf14b..8e367db031 100644 --- a/spec/services/merge_requests/update_service_spec.rb +++ b/spec/services/merge_requests/update_service_spec.rb @@ -328,7 +328,7 @@ describe MergeRequests::UpdateService, :mailer do it_behaves_like 'system notes for milestones' it 'sends notifications for subscribers of changed milestone' do - merge_request.milestone = create(:milestone) + merge_request.milestone = create(:milestone, project: project) merge_request.save @@ -352,7 +352,7 @@ describe MergeRequests::UpdateService, :mailer do end it 'marks pending todos as done' do - update_merge_request({ milestone: create(:milestone) }) + update_merge_request({ milestone: create(:milestone, project: project) }) expect(pending_todo.reload).to be_done end @@ -361,7 +361,7 @@ describe MergeRequests::UpdateService, :mailer do it 'sends notifications for subscribers of changed milestone' do perform_enqueued_jobs do - update_merge_request(milestone: create(:milestone)) + update_merge_request(milestone: create(:milestone, project: project)) end should_email(subscriber) diff --git a/spec/services/projects/group_links/create_service_spec.rb b/spec/services/projects/group_links/create_service_spec.rb index ffb270d277..68fd82b4cb 100644 --- a/spec/services/projects/group_links/create_service_spec.rb +++ b/spec/services/projects/group_links/create_service_spec.rb @@ -12,6 +12,10 @@ describe Projects::GroupLinks::CreateService, '#execute' do end let(:subject) { described_class.new(project, user, opts) } + before do + group.add_developer(user) + end + it 'adds group to project' do expect { subject.execute(group) }.to change { project.project_group_links.count }.from(0).to(1) end @@ -19,4 +23,8 @@ describe Projects::GroupLinks::CreateService, '#execute' do it 'returns false if group is blank' do expect { subject.execute(nil) }.not_to change { project.project_group_links.count } end + + it 'returns error if user is not allowed to share with a group' do + expect { subject.execute(create :group) }.not_to change { project.project_group_links.count } + end end diff --git a/spec/support/helpers/file_mover_helpers.rb b/spec/support/helpers/file_mover_helpers.rb new file mode 100644 index 0000000000..1ba7cc0335 --- /dev/null +++ b/spec/support/helpers/file_mover_helpers.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +module FileMoverHelpers + def stub_file_mover(file_path, stub_real_path: nil) + file_name = File.basename(file_path) + allow(Pathname).to receive(:new).and_call_original + + expect_next_instance_of(Pathname, a_string_including(file_name)) do |pathname| + allow(pathname).to receive(:realpath) { stub_real_path || pathname.cleanpath } + end + end +end diff --git a/spec/support/shared_examples/issuable_shared_examples.rb b/spec/support/shared_examples/issuable_shared_examples.rb index c3d40c5b23..d97b21f71c 100644 --- a/spec/support/shared_examples/issuable_shared_examples.rb +++ b/spec/support/shared_examples/issuable_shared_examples.rb @@ -31,7 +31,7 @@ shared_examples 'system notes for milestones' do context 'project milestones' do it 'creates a system note' do expect do - update_issuable(milestone: create(:milestone)) + update_issuable(milestone: create(:milestone, project: project)) end.to change { Note.system.count }.by(1) end end diff --git a/spec/support/shared_examples/requests/api/discussions.rb b/spec/support/shared_examples/requests/api/discussions.rb index e44da4faa5..eff8e401ba 100644 --- a/spec/support/shared_examples/requests/api/discussions.rb +++ b/spec/support/shared_examples/requests/api/discussions.rb @@ -86,6 +86,37 @@ shared_examples 'discussions API' do |parent_type, noteable_type, id_name| expect(response).to have_gitlab_http_status(404) end end + + context 'when a project is public with private repo access' do + let!(:parent) { create(:project, :public, :repository, :repository_private, :snippets_private) } + let!(:user_without_access) { create(:user) } + + context 'when user is not a team member of private repo' do + before do + project.team.truncate + end + + context "creating a new note" do + before do + post api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/discussions", user_without_access), params: { body: 'hi!' } + end + + it 'raises 404 error' do + expect(response).to have_gitlab_http_status(404) + end + end + + context "fetching a discussion" do + before do + get api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/discussions/#{note.discussion_id}", user_without_access) + end + + it 'raises 404 error' do + expect(response).to have_gitlab_http_status(404) + end + end + end + end end describe "POST /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions/:discussion_id/notes" do diff --git a/spec/uploaders/file_mover_spec.rb b/spec/uploaders/file_mover_spec.rb index de29d0c943..e474a714b1 100644 --- a/spec/uploaders/file_mover_spec.rb +++ b/spec/uploaders/file_mover_spec.rb @@ -1,8 +1,9 @@ require 'spec_helper' describe FileMover do + include FileMoverHelpers + let(:filename) { 'banana_sample.gif' } - let(:file) { fixture_file_upload(File.join('spec', 'fixtures', filename)) } let(:temp_file_path) { File.join('uploads/-/system/temp', 'secret55', filename) } let(:temp_description) do @@ -12,7 +13,7 @@ describe FileMover do let(:file_path) { File.join('uploads/-/system/personal_snippet', snippet.id.to_s, 'secret55', filename) } let(:snippet) { create(:personal_snippet, description: temp_description) } - subject { described_class.new(file_path, snippet).execute } + subject { described_class.new(temp_file_path, snippet).execute } describe '#execute' do before do @@ -20,6 +21,8 @@ describe FileMover do expect(FileUtils).to receive(:move).with(a_string_including(temp_file_path), a_string_including(file_path)) allow_any_instance_of(CarrierWave::SanitizedFile).to receive(:exists?).and_return(true) allow_any_instance_of(CarrierWave::SanitizedFile).to receive(:size).and_return(10) + + stub_file_mover(temp_file_path) end context 'when move and field update successful' do @@ -66,4 +69,30 @@ describe FileMover do end end end + + context 'security' do + context 'when relative path is involved' do + let(:temp_file_path) { File.join('uploads/-/system/temp', '..', 'another_subdir_of_temp') } + + it 'does not trigger move if path is outside designated directory' do + stub_file_mover('uploads/-/system/another_subdir_of_temp') + expect(FileUtils).not_to receive(:move) + + subject + + expect(snippet.reload.description).to eq(temp_description) + end + end + + context 'when symlink is involved' do + it 'does not trigger move if path is outside designated directory' do + stub_file_mover(temp_file_path, stub_real_path: Pathname('/etc')) + expect(FileUtils).not_to receive(:move) + + subject + + expect(snippet.reload.description).to eq(temp_description) + end + end + end end diff --git a/spec/validators/sha_validator_spec.rb b/spec/validators/sha_validator_spec.rb new file mode 100644 index 0000000000..b9242ef931 --- /dev/null +++ b/spec/validators/sha_validator_spec.rb @@ -0,0 +1,40 @@ +require 'spec_helper' + +describe ShaValidator do + let(:validator) { described_class.new(attributes: [:base_commit_sha]) } + let(:merge_diff) { build(:merge_request_diff) } + + subject { validator.validate_each(merge_diff, :base_commit_sha, value) } + + context 'with empty value' do + let(:value) { nil } + + it 'does not add any error if value is empty' do + subject + + expect(merge_diff.errors).to be_empty + end + end + + context 'with valid sha' do + let(:value) { Digest::SHA1.hexdigest(SecureRandom.hex) } + + it 'does not add any error if value is empty' do + subject + + expect(merge_diff.errors).to be_empty + end + end + + context 'with invalid sha' do + let(:value) { 'foo' } + + it 'adds error to the record' do + expect(merge_diff.errors).to be_empty + + subject + + expect(merge_diff.errors).not_to be_empty + end + end +end diff --git a/spec/views/projects/issues/_merge_requests_status.html.haml_spec.rb b/spec/views/projects/issues/_merge_requests_status.html.haml_spec.rb index 02c225292c..9424795749 100644 --- a/spec/views/projects/issues/_merge_requests_status.html.haml_spec.rb +++ b/spec/views/projects/issues/_merge_requests_status.html.haml_spec.rb @@ -2,6 +2,12 @@ require 'spec_helper' describe 'projects/issues/_merge_requests_status.html.haml' do + around do |ex| + Timecop.freeze(Date.new(2018, 7, 22)) do + ex.run + end + end + it 'shows date of status change in tooltip' do merge_request = create(:merge_request, created_at: 1.month.ago) diff --git a/spec/workers/update_head_pipeline_for_merge_request_worker_spec.rb b/spec/workers/update_head_pipeline_for_merge_request_worker_spec.rb index 963237cead..f29e49f202 100644 --- a/spec/workers/update_head_pipeline_for_merge_request_worker_spec.rb +++ b/spec/workers/update_head_pipeline_for_merge_request_worker_spec.rb @@ -18,7 +18,7 @@ describe UpdateHeadPipelineForMergeRequestWorker do context 'when merge request sha does not equal pipeline sha' do before do - merge_request.merge_request_diff.update(head_commit_sha: 'different_sha') + merge_request.merge_request_diff.update(head_commit_sha: Digest::SHA1.hexdigest(SecureRandom.hex)) end it 'does not update head pipeline' do