Add latest changes from gitlab-org/gitlab@master

spec/lib/gitlab/usage_data_spec.rb

@@ -297,6 +297,24 @@ describe Gitlab::UsageData do
     end
   end
+  describe '#ingress_modsecurity_usage' do
+    subject { described_class.ingress_modsecurity_usage }
+
+    it 'gathers variable data' do
+      allow_any_instance_of(
+        ::Clusters::Applications::IngressModsecurityUsageService
+      ).to receive(:execute).and_return(
+        {
+          ingress_modsecurity_blocking: 1,
+          ingress_modsecurity_disabled: 2
+        }
+      )
+
+      expect(subject[:ingress_modsecurity_blocking]).to eq(1)
+      expect(subject[:ingress_modsecurity_disabled]).to eq(2)
+    end
+  end
+
   describe '#license_usage_data' do
     subject { described_class.license_usage_data }

spec/models/active_session_spec.rb

@@ -329,6 +329,35 @@ RSpec.describe ActiveSession, :clean_gitlab_redis_shared_state do
           )
         end
       end
+
+      context 'when the number of active sessions is lower than the limit' do
+        before do
+          Gitlab::Redis::SharedState.with do |redis|
+            ((max_number_of_sessions_plus_two - 4)..max_number_of_sessions_plus_two).each do |number|
+              redis.del("session:user:gitlab:#{user.id}:#{number}")
+            end
+          end
+        end
+
+        it 'does not remove active session entries, but removes lookup entries' do
+          lookup_entries_before_cleanup = Gitlab::Redis::SharedState.with do |redis|
+            redis.smembers("session:lookup:user:gitlab:#{user.id}")
+          end
+
+          sessions_before_cleanup = Gitlab::Redis::SharedState.with do |redis|
+            redis.scan_each(match: "session:user:gitlab:#{user.id}:*").to_a
+          end
+
+          ActiveSession.cleanup(user)
+
+          Gitlab::Redis::SharedState.with do |redis|
+            lookup_entries = redis.smembers("session:lookup:user:gitlab:#{user.id}")
+            sessions = redis.scan_each(match: "session:user:gitlab:#{user.id}:*").to_a
+            expect(sessions.count).to eq(sessions_before_cleanup.count)
+            expect(lookup_entries.count).to be < lookup_entries_before_cleanup.count
+          end
+        end
+      end
     end
   end
 end

spec/models/clusters/cluster_spec.rb

@@ -976,4 +976,38 @@ describe Clusters::Cluster, :use_clean_rails_memory_store_caching do
       expect(cluster.kubernetes_namespaces).to be_empty
     end
   end
+
+  describe '#clusterable' do
+    subject { cluster.clusterable }
+
+    context 'project type' do
+      let(:cluster) { create(:cluster, :project) }
+
+      it { is_expected.to eq(cluster.project) }
+    end
+
+    context 'group type' do
+      let(:cluster) { create(:cluster, :group) }
+
+      it { is_expected.to eq(cluster.group) }
+    end
+
+    context 'instance type' do
+      let(:cluster) { create(:cluster, :instance) }
+
+      it { is_expected.to be_a(Clusters::Instance) }
+    end
+
+    context 'unknown type' do
+      let(:cluster) { create(:cluster, :project) }
+
+      before do
+        allow(cluster).to receive(:cluster_type).and_return('unknown_type')
+      end
+
+      it 'raises NotImplementedError' do
+        expect { subject }.to raise_error(NotImplementedError)
+      end
+    end
+  end
 end

spec/rubocop/cop/put_group_routes_under_scope_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'rubocop'
+require_relative '../../../rubocop/cop/put_group_routes_under_scope'
+
+describe RuboCop::Cop::PutGroupRoutesUnderScope do
+  include CopHelper
+
+  subject(:cop) { described_class.new }
+
+  before do
+    allow(cop).to receive(:in_group_routes?).and_return(true)
+  end
+
+  it 'registers an offense when route is outside scope' do
+    expect_offense(<<~PATTERN.strip_indent)
+      scope(path: 'groups/*group_id/-', module: :groups) do
+        resource :issues
+      end
+
+      resource :notes
+      ^^^^^^^^^^^^^^^ Put new group routes under /-/ scope
+    PATTERN
+  end
+
+  it 'does not register an offense when resource inside the scope' do
+    expect_no_offenses(<<~PATTERN.strip_indent)
+      scope(path: 'groups/*group_id/-', module: :groups) do
+        resource :issues
+        resource :notes
+      end
+    PATTERN
+  end
+
+  it 'does not register an offense when resource is deep inside the scope' do
+    expect_no_offenses(<<~PATTERN.strip_indent)
+      scope(path: 'groups/*group_id/-', module: :groups) do
+        resource :issues
+        resource :projects do
+          resource :issues do
+            resource :notes
+          end
+        end
+      end
+    PATTERN
+  end
+end

spec/services/clusters/applications/ingress_modsecurity_usage_service_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Clusters::Applications::IngressModsecurityUsageService do
+  describe '#execute' do
+    ADO_MODSEC_KEY = Clusters::Applications::IngressModsecurityUsageService::ADO_MODSEC_KEY
+
+    let(:project_with_ci_var) { create(:environment).project }
+    let(:project_with_pipeline_var) { create(:environment).project }
+
+    subject { described_class.new.execute }
+
+    context 'with multiple projects' do
+      let(:pipeline1) { create(:ci_pipeline, :with_job, project: project_with_pipeline_var) }
+      let(:pipeline2) { create(:ci_pipeline, :with_job, project: project_with_ci_var) }
+
+      let!(:deployment_with_pipeline_var) do
+        create(
+          :deployment,
+          :success,
+          environment: project_with_pipeline_var.environments.first,
+          project: project_with_pipeline_var,
+          deployable: pipeline1.builds.last
+        )
+      end
+      let!(:deployment_with_project_var) do
+        create(
+          :deployment,
+          :success,
+          environment: project_with_ci_var.environments.first,
+          project: project_with_ci_var,
+          deployable: pipeline2.builds.last
+        )
+      end
+
+      context 'mixed data' do
+        let!(:ci_variable) { create(:ci_variable, project: project_with_ci_var, key: ADO_MODSEC_KEY, value: "On") }
+        let!(:pipeline_variable) { create(:ci_pipeline_variable, pipeline: pipeline1, key: ADO_MODSEC_KEY, value: "Off") }
+
+        it 'gathers variable data' do
+          expect(subject[:ingress_modsecurity_blocking]).to eq(1)
+          expect(subject[:ingress_modsecurity_disabled]).to eq(1)
+        end
+      end
+
+      context 'blocking' do
+        let(:modsec_values) { { key: ADO_MODSEC_KEY, value: "On" } }
+
+        let!(:ci_variable) { create(:ci_variable, project: project_with_ci_var, **modsec_values) }
+        let!(:pipeline_variable) { create(:ci_pipeline_variable, pipeline: pipeline1, **modsec_values) }
+
+        it 'gathers variable data' do
+          expect(subject[:ingress_modsecurity_blocking]).to eq(2)
+          expect(subject[:ingress_modsecurity_disabled]).to eq(0)
+        end
+      end
+
+      context 'disabled' do
+        let(:modsec_values) { { key: ADO_MODSEC_KEY, value: "Off" } }
+
+        let!(:ci_variable) { create(:ci_variable, project: project_with_ci_var, **modsec_values) }
+        let!(:pipeline_variable) { create(:ci_pipeline_variable, pipeline: pipeline1, **modsec_values) }
+
+        it 'gathers variable data' do
+          expect(subject[:ingress_modsecurity_blocking]).to eq(0)
+          expect(subject[:ingress_modsecurity_disabled]).to eq(2)
+        end
+      end
+    end
+
+    context 'when set as both ci and pipeline variables' do
+      let(:modsec_values) { { key: ADO_MODSEC_KEY, value: "Off" } }
+
+      let(:pipeline) { create(:ci_pipeline, :with_job, project: project_with_ci_var) }
+      let!(:deployment) do
+        create(
+          :deployment,
+          :success,
+          environment: project_with_ci_var.environments.first,
+          project: project_with_ci_var,
+          deployable: pipeline.builds.last
+        )
+      end
+
+      let!(:ci_variable) { create(:ci_variable, project: project_with_ci_var, **modsec_values) }
+      let!(:pipeline_variable) { create(:ci_pipeline_variable, pipeline: pipeline, **modsec_values) }
+
+      it 'wont double-count projects' do
+        expect(subject[:ingress_modsecurity_blocking]).to eq(0)
+        expect(subject[:ingress_modsecurity_disabled]).to eq(1)
+      end
+
+      it 'gives precedence to pipeline variable' do
+        pipeline_variable.update(value: "On")
+
+        expect(subject[:ingress_modsecurity_blocking]).to eq(1)
+        expect(subject[:ingress_modsecurity_disabled]).to eq(0)
+      end
+    end
+
+    context 'when a project has multiple environments' do
+      let(:modsec_values) { { key: ADO_MODSEC_KEY, value: "On" } }
+
+      let!(:env1) { project_with_pipeline_var.environments.first }
+      let!(:env2) { create(:environment, project: project_with_pipeline_var) }
+
+      let!(:pipeline_with_2_deployments) do
+        create(:ci_pipeline, :with_job, project: project_with_ci_var).tap do |pip|
+          pip.builds << build(:ci_build, pipeline: pip, project: project_with_pipeline_var)
+        end
+      end
+
+      let!(:deployment1) do
+        create(
+          :deployment,
+          :success,
+          environment: env1,
+          project: project_with_pipeline_var,
+          deployable: pipeline_with_2_deployments.builds.last
+        )
+      end
+      let!(:deployment2) do
+        create(
+          :deployment,
+          :success,
+          environment: env2,
+          project: project_with_pipeline_var,
+          deployable: pipeline_with_2_deployments.builds.last
+        )
+      end
+
+      context 'when set as ci variable' do
+        let!(:ci_variable) { create(:ci_variable, project: project_with_pipeline_var, **modsec_values) }
+
+        it 'gathers variable data' do
+          expect(subject[:ingress_modsecurity_blocking]).to eq(2)
+          expect(subject[:ingress_modsecurity_disabled]).to eq(0)
+        end
+      end
+
+      context 'when set as pipeline variable' do
+        let!(:pipeline_variable) { create(:ci_pipeline_variable, pipeline: pipeline_with_2_deployments, **modsec_values) }
+
+        it 'gathers variable data' do
+          expect(subject[:ingress_modsecurity_blocking]).to eq(2)
+          expect(subject[:ingress_modsecurity_disabled]).to eq(0)
+        end
+      end
+    end
+
+    context 'when an environment has multiple deployments' do
+      let!(:env) { project_with_pipeline_var.environments.first }
+
+      let!(:pipeline_first) do
+        create(:ci_pipeline, :with_job, project: project_with_pipeline_var).tap do |pip|
+          pip.builds << build(:ci_build, pipeline: pip, project: project_with_pipeline_var)
+        end
+      end
+      let!(:pipeline_last) do
+        create(:ci_pipeline, :with_job, project: project_with_pipeline_var).tap do |pip|
+          pip.builds << build(:ci_build, pipeline: pip, project: project_with_pipeline_var)
+        end
+      end
+
+      let!(:deployment_first) do
+        create(
+          :deployment,
+          :success,
+          environment: env,
+          project: project_with_pipeline_var,
+          deployable: pipeline_first.builds.last
+        )
+      end
+      let!(:deployment_last) do
+        create(
+          :deployment,
+          :success,
+          environment: env,
+          project: project_with_pipeline_var,
+          deployable: pipeline_last.builds.last
+        )
+      end
+
+      context 'when set as pipeline variable' do
+        let!(:first_pipeline_variable) { create(:ci_pipeline_variable, pipeline: pipeline_first, key: ADO_MODSEC_KEY, value: "On") }
+        let!(:last_pipeline_variable) { create(:ci_pipeline_variable, pipeline: pipeline_last, key: ADO_MODSEC_KEY, value: "Off") }
+
+        it 'gives precedence to latest deployment' do
+          expect(subject[:ingress_modsecurity_blocking]).to eq(0)
+          expect(subject[:ingress_modsecurity_disabled]).to eq(1)
+        end
+      end
+    end
+  end
+end