Automatic merge of gitlab-org/gitlab master

app/assets/javascripts/vue_shared/components/filtered_search_bar/filtered_search_bar_root.vue

@@ -332,7 +332,7 @@ export default {
       v-if="showCheckbox"
       class="gl-align-self-center"
       :checked="checkboxChecked"
-      @input="$emit('checked-input', $event)"
+      @change="$emit('checked-input', $event)"
     >
       <span class="gl-sr-only">{{ __('Select all') }}</span>
     </gl-form-checkbox>

app/helpers/application_settings_helper.rb

@@ -144,36 +144,39 @@ module ApplicationSettingsHelper
   end
 
   def external_authorization_description
-    _("If enabled, access to projects will be validated on an external service"\
+    s_("ExternalAuthorization|Access to projects is validated on an external service"\
         " using their classification label.")
   end
 
   def external_authorization_timeout_help_text
-    _("Time in seconds GitLab will wait for a response from the external "\
-        "service. When the service does not respond in time, access will be "\
-        "denied.")
+    s_("ExternalAuthorization|Period GitLab waits for a response from the external "\
+        "service. If there is no response, access is denied. Default: 0.5 seconds.")
   end
 
   def external_authorization_url_help_text
-    _("When leaving the URL blank, classification labels can still be "\
-        "specified without disabling cross project features or performing "\
-        "external authorization checks.")
+    s_("ExternalAuthorization|URL to which the projects make authorization requests. If the URL is blank, cross-project "\
+      "features are available and can still specify classification "\
+      "labels for projects.")
   end
 
   def external_authorization_client_certificate_help_text
-    _("The X509 Certificate to use when mutual TLS is required to communicate "\
-        "with the external authorization service. If left blank, the server "\
-        "certificate is still validated when accessing over HTTPS.")
+    s_("ExternalAuthorization|Certificate used to authenticate with the external authorization service. "\
+        "If blank, the server certificate is validated when accessing over HTTPS.")
   end
 
   def external_authorization_client_key_help_text
-    _("The private key to use when a client certificate is provided. This value "\
-        "is encrypted at rest.")
+    s_("ExternalAuthorization|Private key of client authentication certificate. "\
+        "Encrypted when stored.")
   end
 
   def external_authorization_client_pass_help_text
-    _("The passphrase required to decrypt the private key. This is optional "\
-        "and the value is encrypted at rest.")
+    s_("ExternalAuthorization|Passphrase required to decrypt the private key. "\
+        "Encrypted when stored.")
+  end
+
+  def external_authorization_client_url_help_text
+    s_("ExternalAuthorization|Classification label to use when requesting authorization if no specific "\
+      " label is defined on the project.")
   end
 
   def sidekiq_job_limiter_mode_help_text

app/models/group.rb

@@ -634,11 +634,16 @@ class Group < Namespace
       group_members.find_by(user_id: user)
     end
   end
+  alias_method :resource_member, :group_member
 
   def highest_group_member(user)
     GroupMember.where(source_id: self_and_ancestors_ids, user_id: user.id).order(:access_level).last
   end
 
+  def bots
+    users.project_bot
+  end
+
   def related_group_ids
     [id,
      *ancestors.pluck(:id),

app/models/project.rb

@@ -1667,6 +1667,7 @@ class Project < ApplicationRecord
       project_members.find_by(user_id: user)
     end
   end
+  alias_method :resource_member, :project_member
 
   def membership_locked?
     false

app/policies/group_policy.rb

@@ -23,6 +23,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
   condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
 
+  desc "User is a project bot"
+  condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
+
   condition(:has_projects) do
     group_projects_for(user: @user, group: @subject).any?
   end
@@ -250,6 +253,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :admin_dependency_proxy
   end
 
+  rule { project_bot }.enable :project_bot_access
+
   rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
     enable :read_resource_access_tokens
     enable :destroy_resource_access_tokens
@@ -260,6 +265,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :create_resource_access_tokens
   end
 
+  rule { can?(:project_bot_access) }.policy do
+    prevent :create_resource_access_tokens
+  end
+
   rule { support_bot & has_project_with_service_desk_enabled }.policy do
     enable :read_label
   end

app/services/resource_access_tokens/create_service.rb

@@ -63,7 +63,7 @@ module ResourceAccessTokens
         name: params[:name] || "#{resource.name.to_s.humanize} bot",
         email: generate_email,
         username: generate_username,
-        user_type: "#{resource_type}_bot".to_sym,
+        user_type: :project_bot,
         skip_confirmation: true # Bot users should always have their emails confirmed.
       }
     end

app/views/admin/application_settings/_external_authorization_service_form.html.haml

 %section.settings.as-external-auth.no-animate#js-external-auth-settings{ class: ('expanded' if expanded) }
   .settings-header
     %h4
-      = _('External authentication')
+      = s_('ExternalAuthorization|External authorization')
     %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
       = expanded ? 'Collapse' : 'Expand'
     %p
-      = _('External Classification Policy Authorization')
+      = s_('ExternalAuthorization|External classification policy authorization.')
+      = link_to _('Learn more.'), help_page_path('user/admin_area/settings/external_authorization'), target: '_blank', rel: 'noopener noreferrer'
   .settings-content
 
     = form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-external-auth-settings'), html: { class: 'fieldset-form', id: 'external-auth-settings' } do |f|
@@ -16,35 +17,37 @@
           .form-check
             = f.check_box :external_authorization_service_enabled, class: 'form-check-input'
             = f.label :external_authorization_service_enabled, class: 'form-check-label' do
-              = _('Enable classification control using an external service')
+              = s_('ExternalAuthorization|Enable classification control using an external service')
           %span.form-text.text-muted
             = external_authorization_description
-            = link_to sprite_icon('question-o'), help_page_path('user/admin_area/settings/external_authorization')
         .form-group
-          = f.label :external_authorization_service_url, _('Service URL'), class: 'label-bold'
+          = f.label :external_authorization_service_url, s_('ExternalAuthorization|Service URL'), class: 'label-bold'
           = f.text_field :external_authorization_service_url, class: 'form-control gl-form-input'
           %span.form-text.text-muted
             = external_authorization_url_help_text
         .form-group
-          = f.label :external_authorization_service_timeout, _('External authorization request timeout'), class: 'label-bold'
+          = f.label :external_authorization_service_timeout, s_('ExternalAuthorization|External authorization request timeout (seconds)'), class: 'label-bold'
           = f.number_field :external_authorization_service_timeout, class: 'form-control gl-form-input', min: 0.001, max: 10, step: 0.001
           %span.form-text.text-muted
             = external_authorization_timeout_help_text
-          = f.label :external_auth_client_cert, _('Client authentication certificate'), class: 'label-bold'
+        .form-group
+          = f.label :external_auth_client_cert, s_('ExternalAuthorization|Client authorization certificate'), class: 'label-bold'
           = f.text_area :external_auth_client_cert, class: 'form-control gl-form-input'
           %span.form-text.text-muted
             = external_authorization_client_certificate_help_text
         .form-group
-          = f.label :external_auth_client_key, _('Client authentication key'), class: 'label-bold'
+          = f.label :external_auth_client_key, s_('ExternalAuthorization|Client authorization key'), class: 'label-bold'
           = f.text_area :external_auth_client_key, class: 'form-control gl-form-input'
           %span.form-text.text-muted
             = external_authorization_client_key_help_text
         .form-group
-          = f.label :external_auth_client_key_pass, _('Client authentication key password'), class: 'label-bold'
+          = f.label :external_auth_client_key_pass, s_('ExternalAuthorization|Client authorization key password (optional)'), class: 'label-bold'
           = f.password_field :external_auth_client_key_pass, class: 'form-control gl-form-input'
           %span.form-text.text-muted
             = external_authorization_client_pass_help_text
         .form-group
-          = f.label :external_authorization_service_default_label, _('Default classification label'), class: 'label-bold'
+          = f.label :external_authorization_service_default_label, s_('ExternalAuthorization|Default classification label'), class: 'label-bold'
           = f.text_field :external_authorization_service_default_label, class: 'form-control gl-form-input'
+          %span.form-text.text-muted
+            = external_authorization_client_url_help_text
       = f.submit _('Save changes'), class: "gl-button btn btn-confirm"

doc/api/api_resources.md

@@ -25,7 +25,7 @@ The following API resources are available in the project context:
 | Resource                                                                | Available endpoints |
 |:------------------------------------------------------------------------|:--------------------|
 | [Access requests](access_requests.md)                                   | `/projects/:id/access_requests` (also available for groups) |
-| [Access tokens](resource_access_tokens.md)                              | `/projects/:id/access_tokens` |
+| [Access tokens](resource_access_tokens.md)                              | `/projects/:id/access_tokens` (also available for groups) |
 | [Award emoji](award_emoji.md)                                           | `/projects/:id/issues/.../award_emoji`, `/projects/:id/merge_requests/.../award_emoji`, `/projects/:id/snippets/.../award_emoji` |
 | [Branches](branches.md)                                                 | `/projects/:id/repository/branches/`, `/projects/:id/repository/merged_branches` |
 | [Commits](commits.md)                                                   | `/projects/:id/repository/commits`, `/projects/:id/statuses` |
@@ -100,6 +100,7 @@ The following API resources are available in the group context:
 | Resource                                                         | Available endpoints |
 |:-----------------------------------------------------------------|:--------------------|
 | [Access requests](access_requests.md)                            | `/groups/:id/access_requests/` (also available for projects) |
+| [Access tokens](group_access_tokens.md)                          | `/groups/:id/access_tokens` (also available for projects) |
 | [Custom attributes](custom_attributes.md)                        | `/groups/:id/custom_attributes` (also available for projects and users) |
 | [Debian distributions](packages/debian_group_distributions.md)   | `/groups/:id/-/packages/debian` (also available for projects) |
 | [Deploy tokens](deploy_tokens.md)                                | `/groups/:id/deploy_tokens` (also available for projects and standalone) |

doc/api/group_access_tokens.md

+---
+stage: Manage
+group: Authentication & Authorization
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Group access tokens API **(FREE)**
+
+You can read more about [group access tokens](../user/project/settings/project_access_tokens.md#group-access-tokens).
+
+## List group access tokens
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.
+
+Get a list of [group access tokens](../user/project/settings/project_access_tokens.md#group-access-tokens).
+
+```plaintext
+GET groups/:id/access_tokens
+```
+
+| Attribute | Type    | required | Description         |
+|-----------|---------|----------|---------------------|
+| `id` | integer or string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
+
+```shell
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens"
+```
+
+```json
+[
+   {
+      "user_id" : 141,
+      "scopes" : [
+         "api"
+      ],
+      "name" : "token",
+      "expires_at" : "2021-01-31",
+      "id" : 42,
+      "active" : true,
+      "created_at" : "2021-01-20T22:11:48.151Z",
+      "revoked" : false,
+      "access_level": 40
+   }
+]
+```
+
+## Create a group access token
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.
+
+Create a [group access token](../user/project/settings/project_access_tokens.md#group-access-tokens).
+
+```plaintext
+POST groups/:id/access_tokens
+```
+
+| Attribute | Type    | required | Description         |
+|-----------|---------|----------|---------------------|
+| `id` | integer or string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
+| `name` | String | yes | The name of the group access token  |
+| `scopes` | `Array[String]` | yes | [List of scopes](../user/project/settings/project_access_tokens.md#scopes-for-a-project-access-token) |
+| `access_level` | Integer | no | A valid access level. Default value is 40 (Maintainer). Other allowed values are 10 (Guest), 20 (Reporter), and 30 (Developer). |
+| `expires_at` | Date | no | The token expires at midnight UTC on that date |
+
+```shell
+curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
+--header "Content-Type:application/json" \
+--data '{ "name":"test_token", "scopes":["api", "read_repository"], "expires_at":"2021-01-31", "access_level": 30 }' \
+"https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens"
+```
+
+```json
+{
+   "scopes" : [
+      "api",
+      "read_repository"
+   ],
+   "active" : true,
+   "name" : "test",
+   "revoked" : false,
+   "created_at" : "2021-01-21T19:35:37.921Z",
+   "user_id" : 166,
+   "id" : 58,
+   "expires_at" : "2021-01-31",
+   "token" : "D4y...Wzr",
+   "access_level": 30
+}
+```
+
+## Revoke a group access token
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/77236) in GitLab 14.7.
+
+Revoke a [group access token](../user/project/settings/project_access_tokens.md#group-access-tokens).
+
+```plaintext
+DELETE groups/:id/access_tokens/:token_id
+```
+
+| Attribute | Type    | required | Description         |
+|-----------|---------|----------|---------------------|
+| `id` | integer or string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) |
+| `token_id` | integer or string | yes | The ID of the group access token |
+
+```shell
+curl --request DELETE --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/groups/<group_id>/access_tokens/<token_id>"
+```
+
+### Responses
+
+- `204: No Content` if successfully revoked.
+- `400 Bad Request` or `404 Not Found` if not revoked successfully.

doc/user/admin_area/settings/external_authorization.md

@@ -29,39 +29,13 @@ functionality that render cross-project data. That includes:
   Labels, Milestones, Merge requests).
 - Global and Group search are disabled.
 
-This is to prevent performing to many requests at once to the external
+This is to prevent performing too many requests at once to the external
 authorization service.
 
 Whenever access is granted or denied this is logged in a log file called
 `external-policy-access-control.log`. Read more about the logs GitLab keeps in
 the [Omnibus GitLab documentation](https://docs.gitlab.com/omnibus/settings/logs.html).
 
-## Configuration
-
-The external authorization service can be enabled by an administrator:
-
-1. On the top bar, select **Menu > Admin**.
-1. On the left sidebar, select **Settings > General**:
-   ![Enable external authorization service](img/external_authorization_service_settings.png)
-
-The available required properties are:
-
-- **Service URL**: The URL to make authorization requests to. When leaving the
-  URL blank, cross project features remain available while still being able
-  to specify classification labels for projects.
-- **External authorization request timeout**: The timeout after which an
-  authorization request is aborted. When a request times out, access is denied
-  to the user.
-- **Client authentication certificate**: The certificate to use to authenticate
-  with the external authorization service.
-- **Client authentication key**: Private key for the certificate when
-  authentication is required for the external authorization service, this is
-  encrypted when stored.
-- **Client authentication key password**: Passphrase to use for the private key
-  when authenticating with the external service this is encrypted when stored.
-- **Default classification label**: The classification label to use when
-  requesting authorization if no specific label is defined on the project
-
 When using TLS Authentication with a self signed certificate, the CA certificate
 needs to be trusted by the OpenSSL installation. When using GitLab installed
 using Omnibus, learn to install a custom CA in the
@@ -69,6 +43,16 @@ using Omnibus, learn to install a custom CA in the
 Alternatively, learn where to install custom certificates by using
 `openssl version -d`.
 
+## Configuration
+
+The external authorization service can be enabled by an administrator:
+
+1. On the top bar, select **Menu > Admin**.
+1. On the left sidebar, select **Settings > General**.
+1. Expand **External authorization**.
+1. Complete the fields.
+1. Select **Save changes**.
+
 ## How it works
 
 When GitLab requests access, it sends a JSON POST request to the external

lib/api/entities/resource_access_token.rb

@@ -4,7 +4,7 @@ module API
   module Entities
     class ResourceAccessToken < Entities::PersonalAccessToken
       expose :access_level do |token, options|
-        options[:project].project_member(token.user).access_level
+        options[:resource].resource_member(token.user).access_level
       end
     end
   end

lib/api/resource_access_tokens.rb

@@ -8,7 +8,7 @@ module API
 
     feature_category :authentication_and_authorization
 
-    %w[project].each do |source_type|
+    %w[project group].each do |source_type|
       resource source_type.pluralize, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
         desc 'Get list of all access tokens for the specified resource' do
           detail 'This feature was introduced in GitLab 13.9.'
@@ -23,8 +23,8 @@ module API
 
           tokens = PersonalAccessTokensFinder.new({ user: resource.bots, impersonation: false }).execute.preload_users
 
-          resource.project_members.load
-          present paginate(tokens), with: Entities::ResourceAccessToken, project: resource
+          resource.members.load
+          present paginate(tokens), with: Entities::ResourceAccessToken, resource: resource
         end
 
         desc 'Revoke a resource access token' do
@@ -58,7 +58,7 @@ module API
           requires :id, type: String, desc: "The #{source_type} ID"
           requires :name, type: String, desc: "Resource access token name"
           requires :scopes, type: Array[String], desc: "The permissions of the token"
-          optional :access_level, type: Integer, desc: "The access level of the token in the project"
+          optional :access_level, type: Integer, desc: "The access level of the token in the #{source_type}"
           optional :expires_at, type: Date, desc: "The expiration date of the token"
         end
         post ':id/access_tokens' do
@@ -71,7 +71,7 @@ module API
           ).execute
 
           if token_response.success?
-            present token_response.payload[:access_token], with: Entities::ResourceAccessTokenWithToken, project: resource
+            present token_response.payload[:access_token], with: Entities::ResourceAccessTokenWithToken, resource: resource
           else
             bad_request!(token_response.message)
           end

locale/gitlab.pot

@@ -7386,15 +7386,6 @@ msgstr ""
 msgid "Click to reveal"
 msgstr ""
 
-msgid "Client authentication certificate"
-msgstr ""
-
-msgid "Client authentication key"
-msgstr ""
-
-msgid "Client authentication key password"
-msgstr ""
-
 msgid "Client request timeout"
 msgstr ""
 
@@ -11335,9 +11326,6 @@ msgstr ""
 msgid "Default branch protection"
 msgstr ""
 
-msgid "Default classification label"
-msgstr ""
-
 msgid "Default delayed project deletion"
 msgstr ""
 
@@ -13207,9 +13195,6 @@ msgstr ""
 msgid "Enable automatic repository housekeeping"
 msgstr ""
 
-msgid "Enable classification control using an external service"
-msgstr ""
-
 msgid "Enable container expiration and retention policies for projects created earlier than GitLab 12.7."
 msgstr ""
 
@@ -14492,9 +14477,6 @@ msgstr ""
 msgid "Exported requirements"
 msgstr ""
 
-msgid "External Classification Policy Authorization"
-msgstr ""
-
 msgid "External ID"
 msgstr ""
 
@@ -14504,15 +14486,9 @@ msgstr ""
 msgid "External User:"
 msgstr ""
 
-msgid "External authentication"
-msgstr ""
-
 msgid "External authorization denied access to this project"
 msgstr ""
 
-msgid "External authorization request timeout"
-msgstr ""
-
 msgid "External storage URL"
 msgstr ""
 
@@ -14528,6 +14504,54 @@ msgstr ""
 msgid "ExternalAuthorizationService|When no classification label is set the default label `%{default_label}` will be used."
 msgstr ""
 
+msgid "ExternalAuthorization|Access to projects is validated on an external service using their classification label."
+msgstr ""
+
+msgid "ExternalAuthorization|Certificate used to authenticate with the external authorization service. If blank, the server certificate is validated when accessing over HTTPS."
+msgstr ""
+
+msgid "ExternalAuthorization|Classification label to use when requesting authorization if no specific  label is defined on the project."
+msgstr ""
+
+msgid "ExternalAuthorization|Client authorization certificate"
+msgstr ""
+
+msgid "ExternalAuthorization|Client authorization key"
+msgstr ""
+
+msgid "ExternalAuthorization|Client authorization key password (optional)"
+msgstr ""
+
+msgid "ExternalAuthorization|Default classification label"
+msgstr ""
+
+msgid "ExternalAuthorization|Enable classification control using an external service"
+msgstr ""
+
+msgid "ExternalAuthorization|External authorization"
+msgstr ""
+
+msgid "ExternalAuthorization|External authorization request timeout (seconds)"
+msgstr ""
+
+msgid "ExternalAuthorization|External classification policy authorization."
+msgstr ""
+
+msgid "ExternalAuthorization|Passphrase required to decrypt the private key. Encrypted when stored."
+msgstr ""
+
+msgid "ExternalAuthorization|Period GitLab waits for a response from the external service. If there is no response, access is denied. Default: 0.5 seconds."
+msgstr ""
+
+msgid "ExternalAuthorization|Private key of client authentication certificate. Encrypted when stored."
+msgstr ""
+
+msgid "ExternalAuthorization|Service URL"
+msgstr ""
+
+msgid "ExternalAuthorization|URL to which the projects make authorization requests. If the URL is blank, cross-project features are available and can still specify classification labels for projects."
+msgstr ""
+
 msgid "ExternalIssueIntegration|Not all data may be displayed here. To view more details or make changes to this issue, go to %{linkStart}%{trackerName}%{linkEnd}."
 msgstr ""
 
@@ -17829,9 +17853,6 @@ msgstr ""
 msgid "If enabled, GitLab will handle Object Storage replication using Geo. %{linkStart}Learn more%{linkEnd}"
 msgstr ""
 
-msgid "If enabled, access to projects will be validated on an external service using their classification label."
-msgstr ""
-
 msgid "If enabled, only protected branches will be mirrored."
 msgstr ""
 
@@ -32383,9 +32404,6 @@ msgstr ""
 msgid "Service Desk allows people to create issues in your GitLab instance without their own user account. It provides a unique email address for end users to create issues in a project. Replies can be sent either through the GitLab interface or by email. End users only see threads through email."
 msgstr ""
 
-msgid "Service URL"
-msgstr ""
-
 msgid "Service account generated successfully"
 msgstr ""
 
@@ -35274,9 +35292,6 @@ msgstr ""
 msgid "The URLs for connecting to Elasticsearch. For clustering, add the URLs separated by commas."
 msgstr ""
 
-msgid "The X509 Certificate to use when mutual TLS is required to communicate with the external authorization service. If left blank, the server certificate is still validated when accessing over HTTPS."
-msgstr ""
-
 msgid "The application will be used where the client secret can be kept confidential. Native mobile apps and Single Page Apps are considered non-confidential."
 msgstr ""
 
@@ -35552,9 +35567,6 @@ msgstr ""
 msgid "The parent epic is confidential and can only contain confidential epics and issues"
 msgstr ""
 
-msgid "The passphrase required to decrypt the private key. This is optional and the value is encrypted at rest."
-msgstr ""
-
 msgid "The password for the Jenkins server."
 msgstr ""
 
@@ -35570,9 +35582,6 @@ msgstr ""
 msgid "The pipelines schedule runs pipelines in the future, repeatedly, for specific branches or tags. Those scheduled pipelines will inherit limited project access based on their associated user."
 msgstr ""
 
-msgid "The private key to use when a client certificate is provided. This value is encrypted at rest."
-msgstr ""
-
 msgid "The project can be accessed by any logged in user except external users."
 msgstr ""
 
@@ -36791,9 +36800,6 @@ msgstr ""
 msgid "Time in seconds"
 msgstr ""
 
-msgid "Time in seconds GitLab will wait for a response from the external service. When the service does not respond in time, access will be denied."
-msgstr ""
-
 msgid "Time of import: %{importTime}"
 msgstr ""
 
@@ -40034,9 +40040,6 @@ msgstr ""
 msgid "When inactive, an external authentication provider must be used."
 msgstr ""
 
-msgid "When leaving the URL blank, classification labels can still be specified without disabling cross project features or performing external authorization checks."
-msgstr ""
-
 msgid "When merge requests and commits in the default branch close, any issues they reference also close."
 msgstr ""
 

spec/features/issues/user_bulk_edits_issues_spec.rb

@@ -104,6 +104,26 @@ RSpec.describe 'Multiple issue updating from issues#index', :js do
     end
   end
 
+  describe 'select all issues' do
+    let!(:issue_2) { create(:issue, project: project) }
+
+    before do
+      stub_feature_flags(vue_issues_list: true)
+    end
+
+    it 'after selecting all issues, unchecking one issue only unselects that one issue' do
+      visit project_issues_path(project)
+
+      click_button 'Edit issues'
+      check 'Select all'
+      uncheck issue.title
+
+      expect(page).to have_unchecked_field 'Select all'
+      expect(page).to have_unchecked_field issue.title
+      expect(page).to have_checked_field issue_2.title
+    end
+  end
+
   def create_closed
     create(:issue, project: project, state: :closed)
   end

spec/models/group_spec.rb

@@ -2086,6 +2086,23 @@ RSpec.describe Group do
     end
   end
 
+  describe '#bots' do
+    subject { group.bots }
+
+    let_it_be(:group) { create(:group) }
+    let_it_be(:project_bot) { create(:user, :project_bot) }
+    let_it_be(:user) { create(:user) }
+
+    before_all do
+      [project_bot, user].each do |member|
+        group.add_maintainer(member)
+      end
+    end
+
+    it { is_expected.to contain_exactly(project_bot) }
+    it { is_expected.not_to include(user) }
+  end
+
   describe '#related_group_ids' do
     let(:nested_group) { create(:group, parent: group) }
     let(:shared_with_group) { create(:group, parent: group) }

spec/policies/group_policy_spec.rb

@@ -975,7 +975,7 @@ RSpec.describe GroupPolicy do
     it { expect_disallowed(:read_label) }
 
     context 'when group hierarchy has a project with service desk enabled' do
-      let_it_be(:subgroup) { create(:group, :private, parent: group)}
+      let_it_be(:subgroup) { create(:group, :private, parent: group) }
       let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) }
 
       it { expect_allowed(:read_label) }
@@ -983,6 +983,49 @@ RSpec.describe GroupPolicy do
     end
   end
 
+  context "project bots" do
+    let(:project_bot) { create(:user, :project_bot) }
+    let(:user) { create(:user) }
+
+    context "project_bot_access" do
+      context "when regular user and part of the group" do
+        let(:current_user) { user }
+
+        before do
+          group.add_developer(user)
+        end
+
+        it { is_expected.not_to be_allowed(:project_bot_access) }
+      end
+
+      context "when project bot and not part of the project" do
+        let(:current_user) { project_bot }
+
+        it { is_expected.not_to be_allowed(:project_bot_access) }
+      end
+
+      context "when project bot and part of the project" do
+        let(:current_user) { project_bot }
+
+        before do
+          group.add_developer(project_bot)
+        end
+
+        it { is_expected.to be_allowed(:project_bot_access) }
+      end
+    end
+
+    context 'with resource access tokens' do
+      let(:current_user) { project_bot }
+
+      before do
+        group.add_maintainer(project_bot)
+      end
+
+      it { is_expected.not_to be_allowed(:create_resource_access_tokens) }
+    end
+  end
+
   describe 'update_runners_registration_token' do
     context 'admin' do
       let(:current_user) { admin }

spec/services/resource_access_tokens/create_service_spec.rb

@@ -7,10 +7,10 @@ RSpec.describe ResourceAccessTokens::CreateService do
 
   let_it_be(:user) { create(:user) }
   let_it_be(:project) { create(:project, :private) }
+  let_it_be(:group) { create(:group, :private) }
   let_it_be(:params) { {} }
 
   describe '#execute' do
-    # Created shared_examples as it will easy to include specs for group bots in https://gitlab.com/gitlab-org/gitlab/-/issues/214046
     shared_examples 'token creation fails' do
       let(:resource) { create(:project)}
 
@@ -31,7 +31,7 @@ RSpec.describe ResourceAccessTokens::CreateService do
 
         access_token = response.payload[:access_token]
 
-        expect(access_token.user.reload.user_type).to eq("#{resource_type}_bot")
+        expect(access_token.user.reload.user_type).to eq("project_bot")
         expect(access_token.user.created_by_id).to eq(user.id)
       end
 
@@ -112,10 +112,8 @@ RSpec.describe ResourceAccessTokens::CreateService do
         end
 
         context 'when user is external' do
-          let(:user) { create(:user, :external) }
-
           before do
-            project.add_maintainer(user)
+            user.update!(external: true)
           end
 
           it 'creates resource bot user with external status' do
@@ -162,7 +160,7 @@ RSpec.describe ResourceAccessTokens::CreateService do
                 access_token = response.payload[:access_token]
                 project_bot = access_token.user
 
-                expect(project.members.find_by(user_id: project_bot.id).expires_at).to eq(nil)
+                expect(resource.members.find_by(user_id: project_bot.id).expires_at).to eq(nil)
               end
             end
           end
@@ -183,7 +181,7 @@ RSpec.describe ResourceAccessTokens::CreateService do
                 access_token = response.payload[:access_token]
                 project_bot = access_token.user
 
-                expect(project.members.find_by(user_id: project_bot.id).expires_at).to eq(params[:expires_at])
+                expect(resource.members.find_by(user_id: project_bot.id).expires_at).to eq(params[:expires_at])
               end
             end
           end
@@ -234,24 +232,41 @@ RSpec.describe ResourceAccessTokens::CreateService do
       end
     end
 
+    shared_examples 'when user does not have permission to create a resource bot' do
+      it_behaves_like 'token creation fails'
+
+      it 'returns the permission error message' do
+        response = subject
+
+        expect(response.error?).to be true
+        expect(response.errors).to include("User does not have permission to create #{resource_type} access token")
+      end
+    end
+
     context 'when resource is a project' do
       let_it_be(:resource_type) { 'project' }
       let_it_be(:resource) { project }
 
-      context 'when user does not have permission to create a resource bot' do
-        it_behaves_like 'token creation fails'
+      it_behaves_like 'when user does not have permission to create a resource bot'
 
-        it 'returns the permission error message' do
-          response = subject
-
-          expect(response.error?).to be true
-          expect(response.errors).to include("User does not have permission to create #{resource_type} access token")
+      context 'user with valid permission' do
+        before_all do
+          resource.add_maintainer(user)
         end
+
+        it_behaves_like 'allows creation of bot with valid params'
       end
+    end
+
+    context 'when resource is a project' do
+      let_it_be(:resource_type) { 'group' }
+      let_it_be(:resource) { group }
+
+      it_behaves_like 'when user does not have permission to create a resource bot'
 
       context 'user with valid permission' do
         before_all do
-          resource.add_maintainer(user)
+          resource.add_owner(user)
         end
 
         it_behaves_like 'allows creation of bot with valid params'

spec/services/resource_access_tokens/revoke_service_spec.rb

@@ -6,11 +6,12 @@ RSpec.describe ResourceAccessTokens::RevokeService do
   subject { described_class.new(user, resource, access_token).execute }
 
   let_it_be(:user) { create(:user) }
+  let_it_be(:user_non_priviledged) { create(:user) }
+  let_it_be(:resource_bot) { create(:user, :project_bot) }
 
   let(:access_token) { create(:personal_access_token, user: resource_bot) }
 
   describe '#execute', :sidekiq_inline do
-    # Created shared_examples as it will easy to include specs for group bots in https://gitlab.com/gitlab-org/gitlab/-/issues/214046
     shared_examples 'revokes access token' do
       it { expect(subject.success?).to be true }
 
@@ -79,71 +80,80 @@ RSpec.describe ResourceAccessTokens::RevokeService do
       end
     end
 
-    context 'when resource is a project' do
-      let_it_be(:resource) { create(:project, :private) }
+    shared_examples 'revoke fails' do |resource_type|
+      let_it_be(:other_user) { create(:user) }
 
-      let(:resource_bot) { create(:user, :project_bot) }
+      context "when access token does not belong to this #{resource_type}" do
+        it 'does not find the bot' do
+          other_access_token = create(:personal_access_token, user: other_user)
 
-      before do
-        resource.add_maintainer(user)
-        resource.add_maintainer(resource_bot)
-      end
+          response = described_class.new(user, resource, other_access_token).execute
 
-      it_behaves_like 'revokes access token'
+          expect(response.success?).to be false
+          expect(response.message).to eq("Failed to find bot user")
+          expect(access_token.reload.revoked?).to be false
+        end
+      end
 
-      context 'revoke fails' do
-        let_it_be(:other_user) { create(:user) }
+      context 'when user does not have permission to destroy bot' do
+        context "when non-#{resource_type} member tries to delete project bot" do
+          it 'does not allow other user to delete bot' do
+            response = described_class.new(other_user, resource, access_token).execute
 
-        context 'when access token does not belong to this project' do
-          it 'does not find the bot' do
-            other_access_token = create(:personal_access_token, user: other_user)
+            expect(response.success?).to be false
+            expect(response.message).to eq("#{other_user.name} cannot delete #{access_token.user.name}")
+            expect(access_token.reload.revoked?).to be false
+          end
+        end
 
-            response = described_class.new(user, resource, other_access_token).execute
+        context "when non-priviledged #{resource_type} member tries to delete project bot" do
+          it 'does not allow developer to delete bot' do
+            response = described_class.new(user_non_priviledged, resource, access_token).execute
 
             expect(response.success?).to be false
-            expect(response.message).to eq("Failed to find bot user")
+            expect(response.message).to eq("#{user_non_priviledged.name} cannot delete #{access_token.user.name}")
             expect(access_token.reload.revoked?).to be false
           end
         end
+      end
 
-        context 'when user does not have permission to destroy bot' do
-          context 'when non-project member tries to delete project bot' do
-            it 'does not allow other user to delete bot' do
-              response = described_class.new(other_user, resource, access_token).execute
-
-              expect(response.success?).to be false
-              expect(response.message).to eq("#{other_user.name} cannot delete #{access_token.user.name}")
-              expect(access_token.reload.revoked?).to be false
-            end
+      context 'when deletion of bot user fails' do
+        before do
+          allow_next_instance_of(::ResourceAccessTokens::RevokeService) do |service|
+            allow(service).to receive(:execute).and_return(false)
           end
+        end
+
+        it_behaves_like 'rollback revoke steps'
+      end
+    end
 
-          context 'when non-maintainer project member tries to delete project bot' do
-            let(:developer) { create(:user) }
+    context 'when resource is a project' do
+      let_it_be(:resource) { create(:project, :private) }
 
-            before do
-              resource.add_developer(developer)
-            end
+      before do
+        resource.add_maintainer(user)
+        resource.add_developer(user_non_priviledged)
+        resource.add_maintainer(resource_bot)
+      end
 
-            it 'does not allow developer to delete bot' do
-              response = described_class.new(developer, resource, access_token).execute
+      it_behaves_like 'revokes access token'
 
-              expect(response.success?).to be false
-              expect(response.message).to eq("#{developer.name} cannot delete #{access_token.user.name}")
-              expect(access_token.reload.revoked?).to be false
-            end
-          end
-        end
+      it_behaves_like 'revoke fails', 'project'
+    end
 
-        context 'when deletion of bot user fails' do
-          before do
-            allow_next_instance_of(::ResourceAccessTokens::RevokeService) do |service|
-              allow(service).to receive(:execute).and_return(false)
-            end
-          end
+    context 'when resource is a group' do
+      let_it_be(:resource) { create(:group, :private) }
 
-          it_behaves_like 'rollback revoke steps'
-        end
+      before do
+        resource.add_owner(user)
+        resource.add_maintainer(user_non_priviledged)
+        resource.add_maintainer(resource_bot)
       end
+
+      it_behaves_like 'revokes access token'
+
+      it_behaves_like 'revoke fails', 'group'
     end
   end
 end