Add latest changes from gitlab-org/gitlab@master

app/models/note.rb

@@ -93,7 +93,7 @@ class Note < ApplicationRecord
   accepts_nested_attributes_for :note_metadata
 
   validates :project, presence: true, if: :for_project_noteable?
-  validates :namespace, presence: true, unless: :for_abuse_report?
+  validates :namespace, presence: true
 
   # Attachments are deprecated and are handled by Markdown uploader
   validates :attachment, file_size: { maximum: :max_attachment_size }

db/post_migrate/20240604205241_delete_abuse_report_records_from_notes.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+class DeleteAbuseReportRecordsFromNotes < Gitlab::Database::Migration[2.2]
+  disable_ddl_transaction!
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+  milestone '17.2'
+
+  def up
+    notes = define_batchable_model('notes')
+    abuse_reports = define_batchable_model('abuse_reports')
+
+    abuse_reports.each_batch do |batch|
+      notes.where(noteable_type: 'AbuseReport', noteable_id: batch.pluck(:id)).delete_all
+    end
+  end
+
+  def down
+    # noop
+  end
+end

db/schema_migrations/20240604205241

@@ -0,0 +1 @@
+8ed2c4fbe3893152438c63685d5d30b8647fc39a3f1b45e987720d5d5788baaa

doc/user/application_security/api_fuzzing/configuration/variables.md

@@ -33,6 +33,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 |[`FUZZAPI_OVERRIDES_ENV`](customizing_analyzer_settings.md#overrides)                        | JSON string containing headers to override. |
 |[`FUZZAPI_OVERRIDES_CMD`](customizing_analyzer_settings.md#overrides)                        | Overrides command. |
 |[`FUZZAPI_OVERRIDES_CMD_VERBOSE`](customizing_analyzer_settings.md#overrides)                | When set to any value. It shows overrides command output as part of the job output. |
+|`FUZZAPI_PER_REQUEST_SCRIPT`                          | Full path and filename for a per-request script. [See demo project for examples.](https://gitlab.com/gitlab-org/security-products/demos/api-dast/auth-with-request-example) [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/13691) in GitLab 17.2. |
 |`FUZZAPI_PRE_SCRIPT`                                         | Run user command or script before scan session starts. `sudo` must be used for privileged operations like installing packages. |
 |`FUZZAPI_POST_SCRIPT`                                        | Run user command or script after scan session has finished. `sudo` must be used for privileged operations like installing packages. |
 |[`FUZZAPI_OVERRIDES_INTERVAL`](customizing_analyzer_settings.md#overrides)                   | How often to run overrides command in seconds. Defaults to `0` (once). |

doc/user/application_security/api_security_testing/configuration/variables.md

@@ -42,6 +42,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 |[`APISEC_OVERRIDES_ENV`](customizing_analyzer_settings.md#overrides)                 | JSON string containing headers to override. |
 |[`APISEC_OVERRIDES_CMD`](customizing_analyzer_settings.md#overrides)                 | Overrides command. |
 |[`APISEC_OVERRIDES_CMD_VERBOSE`](customizing_analyzer_settings.md#overrides)         | When set to any value. It shows overrides command output as part of the job output. |
+|`APISEC_PER_REQUEST_SCRIPT`                          | Full path and filename for a per-request script. [See demo project for examples.](https://gitlab.com/gitlab-org/security-products/demos/api-dast/auth-with-request-example) [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/13691) in GitLab 17.2. |
 |`APISEC_PRE_SCRIPT`                                  | Run user command or script before scan session starts. `sudo` must be used for privileged operations like installing packages. |
 |`APISEC_POST_SCRIPT`                                 | Run user command or script after scan session has finished. `sudo` must be used for privileged operations like installing packages. |
 |[`APISEC_OVERRIDES_INTERVAL`](customizing_analyzer_settings.md#overrides)            | How often to run overrides command in seconds. Defaults to `0` (once). |

spec/factories/notes.rb

@@ -18,7 +18,6 @@ FactoryBot.define do
     factory :note_on_personal_snippet,   traits: [:on_personal_snippet]
     factory :note_on_design,             traits: [:on_design]
     factory :note_on_alert,              traits: [:on_alert]
-    factory :note_on_abuse_report, traits: [:on_abuse_report]
     factory :system_note, traits: [:system]
 
     factory :discussion_note, class: 'DiscussionNote'
@@ -40,8 +39,6 @@ FactoryBot.define do
 
     factory :discussion_note_on_project_snippet, traits: [:on_project_snippet], class: 'DiscussionNote'
 
-    factory :discussion_note_on_abuse_report, traits: [:on_abuse_report], class: 'DiscussionNote'
-
     factory :legacy_diff_note_on_commit, traits: [:on_commit, :legacy_diff_note], class: 'LegacyDiffNote'
 
     factory :legacy_diff_note_on_merge_request, traits: [:on_merge_request, :legacy_diff_note], class: 'LegacyDiffNote' do
@@ -174,11 +171,6 @@ FactoryBot.define do
       noteable { association(:alert_management_alert, project: project) }
     end
 
-    trait :on_abuse_report do
-      noteable { association(:abuse_report) }
-      project { nil }
-    end
-
     trait :resolved do
       resolved_at { Time.now }
       resolved_by { association(:user) }

spec/factories/snippets.rb

@@ -50,6 +50,8 @@ FactoryBot.define do
   end
 
   factory :personal_snippet, parent: :snippet, class: :PersonalSnippet do
+    author { association(:author, :with_namespace) }
+
     trait :secret do
       visibility_level { Snippet::PUBLIC }
       secret { true }

spec/lib/gitlab/url_builder_spec.rb

@@ -61,7 +61,6 @@ RSpec.describe Gitlab::UrlBuilder do
       :discussion_note_on_project_snippet  | ->(note) { "/#{note.project.full_path}/-/snippets/#{note.noteable_id}#note_#{note.id}" }
       :discussion_note_on_personal_snippet | ->(note) { "/-/snippets/#{note.noteable_id}#note_#{note.id}" }
       :note_on_personal_snippet            | ->(note) { "/-/snippets/#{note.noteable_id}#note_#{note.id}" }
-      :note_on_abuse_report | ->(note) { "/admin/abuse_reports/#{note.noteable_id}#note_#{note.id}" }
       :package | ->(package) { "/#{package.project.full_path}/-/packages/#{package.id}" }
     end
 

spec/migrations/20240604205241_delete_abuse_report_records_from_notes_spec.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_migration!
+
+RSpec.describe DeleteAbuseReportRecordsFromNotes, feature_category: :code_review_workflow do
+  let!(:namespace) { table(:namespaces).create!(name: 'namespace', path: 'namespace') }
+  let!(:project) { table(:projects).create!(namespace_id: namespace.id, project_namespace_id: namespace.id) }
+  let!(:merge_request) do
+    table(:merge_requests).create!(target_project_id: project.id, target_branch: 'main', source_branch: 'feature')
+  end
+
+  let!(:notes) { table(:notes) }
+  let!(:abuse_report1) { table(:abuse_reports).create! }
+  let!(:abuse_report2) { table(:abuse_reports).create! }
+
+  describe '#up' do
+    before do
+      notes.create!(noteable_type: 'AbuseReport', noteable_id: abuse_report1.id)
+      notes.create!(noteable_type: 'AbuseReport', noteable_id: abuse_report2.id)
+      notes.create!(noteable_type: 'MergeRequest', noteable_id: merge_request.id)
+
+      stub_const("#{described_class}::BATCH_SIZE", 1)
+    end
+
+    it 'deletes abuse report notes' do
+      migrate!
+
+      expect(notes.count).to eq(1)
+      expect(notes.first).to have_attributes(
+        noteable_type: 'MergeRequest',
+        noteable_id: merge_request.id
+      )
+    end
+  end
+end

spec/models/discussion_note_spec.rb

@@ -8,12 +8,4 @@ RSpec.describe DiscussionNote do
 
     it { is_expected.to eq('note') }
   end
-
-  describe 'validations' do
-    context 'when noteable is an abuse report' do
-      subject { build(:discussion_note, noteable: build_stubbed(:abuse_report)) }
-
-      it { is_expected.to be_valid }
-    end
-  end
 end

spec/models/note_spec.rb

@@ -89,6 +89,14 @@ RSpec.describe Note, feature_category: :team_planning do
       end
     end
 
+    context 'when noteable is an abuse report' do
+      subject { build(:note, noteable: build_stubbed(:abuse_report), project: nil, namespace: nil) }
+
+      it 'is not valid without project or namespace' do
+        is_expected.to be_invalid
+      end
+    end
+
     describe 'max notes limit' do
       let_it_be(:noteable) { create(:issue) }
       let_it_be(:existing_note) { create(:note, project: noteable.project, noteable: noteable) }

spec/requests/api/graphql/abuse_report_spec.rb

@@ -66,54 +66,4 @@ RSpec.describe 'Querying an Abuse Report', feature_category: :insider_threat do
       )
     end
   end
-
-  describe 'notes' do
-    let_it_be(:note) { create(:note, noteable: abuse_report, author: current_user) }
-
-    let(:notes_response) do
-      graphql_data_at(:abuse_report, :notes, :nodes)
-    end
-
-    let(:abuse_report_fields) do
-      <<~GRAPHQL
-        notes {
-          nodes {
-            #{all_graphql_fields_for('Note', max_depth: 2)}
-          }
-        }
-      GRAPHQL
-    end
-
-    it 'returns notes' do
-      expect(notes_response).to contain_exactly(
-        a_graphql_entity_for(note)
-      )
-    end
-  end
-
-  describe 'discussions' do
-    let_it_be(:discussion) do
-      create(:discussion_note_on_abuse_report, noteable: abuse_report, author: current_user).to_discussion
-    end
-
-    let(:discussions_response) do
-      graphql_data_at(:abuse_report, :discussions, :nodes)
-    end
-
-    let(:abuse_report_fields) do
-      <<~GRAPHQL
-        discussions {
-          nodes {
-            #{all_graphql_fields_for('Discussion', max_depth: 2)}
-          }
-        }
-      GRAPHQL
-    end
-
-    it 'returns discussions' do
-      expect(discussions_response).to contain_exactly(
-        a_graphql_entity_for(discussion)
-      )
-    end
-  end
 end