gitlab-qa 14.2.1 → 14.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 4fbdad805d2a329e5680370ec5873a1d6eab6c63a86e699dd27c0f1f87acbda0
-  data.tar.gz: 6a7ef31aca034df274e9acc8e0e5fd333d17b7d16bd8d5a2f4d19d2d32d46cd6
+  metadata.gz: bef7bd332a79ee7f62016c94ad14f6f681b8c957a9f1e862e772704b0dae9e87
+  data.tar.gz: 752ee71edfbbe0f9132da6dd54b201f8772cc396cd90947f9b9c37e5f027fd91
 SHA512:
-  metadata.gz: 9815bfe1067fdc4e39b0b620582ed935dc87a37335652397de7725175b2e39f270abc0d9e97c6177bdfa8fce74ad29a280cea160b6fe25dc788d306e1e733bff
-  data.tar.gz: 2eea71cf51311871291ccef7ae12a43b9a644f6200f36bd19ec7fc32876cfa58cc145e0e13b4847b3e7aa1a2a362ded548b140ecca6c1c3e9354842003a587e2
+  metadata.gz: b17db04aed34a0419361afbc7a5d3986da58be13bd2cf2c446b8442e3133eb18b56822ec9a0da686e599dc32c20c1d21545029eb75983aae6b1c956a82617c59
+  data.tar.gz: e7e6d86cd7c781c6dd4f1ab70a50e3a601338a2362e8b5ad7d7200aa43845bc0217056753f92e47de765658cdb2d8f8a3f52628ae2c139060cfbfe4c697118c3

data/.rubocop.yml

@@ -7,6 +7,9 @@ inherit_from:
   - '.rubocop_todo.yml'
   <% end %>
 
+require:
+  - ./rubocop/cop/gitlab/dangerous_interpolation.rb
+
 AllCops:
   NewCops: enable
   SuggestExtensions: false
@@ -51,6 +54,11 @@ CodeReuse/ActiveRecord:
 Style/OperatorMethodCall:
   Enabled: false
 
+Gitlab/DangerousInterpolation:
+  Enabled: true
+  Include:
+    - 'lib/gitlab/qa/runtime/*'
+
 # disable for now as it might break automatic publish
 Gemspec/RequireMFA:
   Enabled: false

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    gitlab-qa (14.2.1)
+    gitlab-qa (14.3.0)
       activesupport (>= 6.1, < 7.2)
       gitlab (~> 4.19)
       http (~> 5.0)

data/docs/specifics_for_macos_m1_m2.md

@@ -37,8 +37,17 @@ To resolve these issues:
     $ export CHROME_DISABLE_DEV_SHM=true
     # Disable Chrome shared memory
     ```
-2. Enable **Use Rosetta for x86/amd64 emulation on Apple Silicon** option in Docker (Using Docker Desktop ~v4.22.1).
-    1. Open **Settings** in Docker Desktop
-    1. Go to **Features in development**
-    1. Enable **Use Rosetta for x86/amd64 emulation on Apple Silicon** setting
-    1. Select **Apply & restart**
+
+2. Enable **Rosetta for x86/amd64 emulation on Apple Silicon**
+    1. Using Docker (Based on Docker Desktop ~v4.22.1):
+        1. Open **Settings** in Docker Desktop
+        1. Go to **Features in development**
+        1. Enable **Use Rosetta for x86/amd64 emulation on Apple Silicon** setting
+        1. Select **Apply & restart**
+    1. Using Rancher Desktop
+        1. Open **Preferences > Virtual Machine > Emulation**
+        1. Enable **VZ**
+        1. Enable **Enable Rosetta support** 
+    1. Using Colima
+        1. Start with `colima start --arch aarch64 --vm-type=vz --vz-rosetta`
+        1. If this fails remove current configuration with `colima delete default` and retry

data/docs/what_tests_can_be_run.md

@@ -1026,11 +1026,15 @@ These tests verify features related to multiple repository storages.
 **Required environment variables:**
 
 - `QA_ADDITIONAL_REPOSITORY_STORAGE`: The name of the non-default repository storage.
+- `QA_PRAEFECT_REPOSITORY_STORAGE`: The name of the gitaly cluster (praefect) repository storage.
+- `QA_GITALY_NON_CLUSTER_STORAGE`: The name of a non gitaly cluster repository storage.
 
 Example:
 
 ```shell
-$ export QA_ADDITIONAL_REPOSITORY_STORAGE=secondary
+$ export QA_ADDITIONAL_REPOSITORY_STORAGE=secondary 
+$ export QA_GITALY_NON_CLUSTER_STORAGE=gitaly
+$ export QA_PRAEFECT_REPOSITORY_STORAGE=praefect
 
 $ gitlab-qa Test::Instance::RepositoryStorage
 ```
@@ -1174,13 +1178,15 @@ need to be updated, it can be useful to proxy all requests to real `GitHub` inst
 
 Testing import [by direct transfer](https://docs.gitlab.com/ee/user/group/import/#migrate-groups-by-direct-transfer-recommended) is done by spinning up 2 omnibus installations - `import-target` and `import-source`. In order for tests to work, application setting `allow_local_requests_from_web_hooks_and_services` must be enabled in target instance. This is automatically done by test process if environment variable `QA_ALLOW_LOCAL_REQUESTS` is set to `true`.
 
-### `Test::Integration::AiGateway EE|<full image address>`
+### `AiGateway` Scenarios
 
-This scenario spins up a GitLab Omnibus instance integrated with a test AI Gateway using [fake models](https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist#faking-out-ai-models). It will run specs tagged with the `:ai_gateway` tag in order to help verify that cloud licensing and authentication for AI features work as expected for self-managed instances.
+The following `AiGateway` scenarios spin up a GitLab Omnibus instance integrated with a test AI Gateway using [fake models](https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist#faking-out-ai-models). These scenarios help to verify various configurations of cloud licensing and seat assignment work as expected when authenticating for AI features on self-managed instances.
 
 **Required environment variables:**
 
-- `QA_EE_ACTIVATION_CODE`: An activation code for a Staging-generated Premium or Ultimate cloud license with a purchased AI add-on. This can be found in the GitLab QA 1Password vault.
+All scenarios below require the following environment variables, **_unless otherwise noted:_**
+
+- `QA_EE_ACTIVATION_CODE`: An activation code for a Staging-generated Premium or Ultimate cloud license with a purchased Duo Pro add-on. This can be found in the GitLab QA 1Password vault.
 - `GITLAB_LICENSE_MODE`: Set to `test` in order to configure GitLab Omnibus with the correct license mode and `CUSTOMER_PORTAL_URL`.
 
 Example:
@@ -1188,10 +1194,68 @@ Example:
 ```shell
 $ export QA_EE_ACTIVATION_CODE="<value from 1Password>"
 $ export GITLAB_LICENSE_MODE="test"
+```
+
+----
+
+#### `Test::Integration::AiGateway EE|<full image address>`
 
+- Runs tests tagged with `:ai_gateway`
+- GitLab instance has a cloud license + Duo Pro add-on, and a seat is assigned to the admin user
+
+Example:
+
+```shell
 $ gitlab-qa Test::Integration::AiGateway EE
 ```
 
 ----
 
+#### `Test::Integration::AiGatewayNoSeatAssigned EE|<full image address>`
+
+- Runs tests tagged with `:ai_gateway_no_seat_assigned`
+- GitLab instance has a cloud license + Duo Pro add-on, but no seat is assigned to the admin user
+
+Example:
+
+```shell
+$ gitlab-qa Test::Integration::AiGatewayNoSeatAssigned EE
+```
+
+----
+
+#### `Test::Integration::AiGatewayNoAddOn EE|<full image address>`
+
+- Runs tests tagged with `:ai_gateway_no_add_on`
+- GitLab instance has a cloud license without a Duo Pro add-on, and no seat is assigned to the admin user
+
+**Regarding environment variables:**
+
+- `QA_EE_ACTIVATION_CODE` should be set to a Staging-generated Premium or Ultimate cloud license _without_ a Duo Pro add-on.
+
+Example:
+
+```shell
+$ gitlab-qa Test::Integration::AiGatewayNoAddOn EE
+```
+
+---
+
+#### `Test::Integration::AiGatewayNoLicense EE|<full image address>`
+
+- Runs tests tagged with `:ai_gateway_no_license`
+- GitLab instance has no cloud license and no seat is assigned to the admin user
+
+**Regarding environment variables:**
+
+- `QA_EE_ACTIVATION_CODE` and `GITLAB_LICENSE_MODE` can be omitted
+
+Example:
+
+```shell
+$ gitlab-qa Test::Integration::AiGatewayNoLicense EE
+```
+
+----
+
 [Back to README.md](../README.md)

data/lib/gitlab/qa/component/base.rb

@@ -203,6 +203,10 @@ module Gitlab
               Runtime::Logger.warn(
                 "Retry instance_no_teardown due to Support::ShellCommand::StatusError -- attempt #{retries}"
               )
+              Runtime::Logger.info(
+                "Follow the document " \
+                "https://gitlab.com/gitlab-org/quality/runbooks/-/blob/main/debug_orchestrated_test_locally/running_update-major_and_update-minor_locally.md " \
+                "for debugging this issue locally.")
               teardown!
               retry
             end

data/lib/gitlab/qa/runtime/env.rb

@@ -13,7 +13,9 @@ module Gitlab
 
         # Variables that are used in tests and are passed through to the docker container that executes the tests.
         # These variables should be listed in /docs/what_tests_can_be_run.md#supported-gitlab-environment-variables
-        # unless they're defined elsewhere (e.g.: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html)
+        # unless they're defined elsewhere (e.g.: https://docs.gitlab.com/ee/ci/variables/predefined_variables.html).
+        # Any new key-value pairs should also be added to the hash at /rubocop/cop/gitlab/dangerous_interpolation.rb
+        # to prevent Rubocop errors.
         ENV_VARIABLES = {
           'QA_IMAGE' => :qa_image,
           'QA_REMOTE_GRID' => :remote_grid,

data/lib/gitlab/qa/scenario/test/instance/repository_storage.rb

@@ -11,31 +11,77 @@ module Gitlab
                 gitlab.release = QA::Release.new(release)
                 gitlab.name = 'gitlab'
                 gitlab.network = 'test'
-                gitlab.omnibus_configuration << <<~OMNIBUS
-                  git_data_dirs({
-                    'default' => {
-                      'path' => '/var/opt/gitlab/git-data/repositories/default'
-                    },
-                    'secondary' => {
-                      'path' => '/var/opt/gitlab/git-data/repositories/secondary'
-                    }
-                  });
-                OMNIBUS
-
-                rspec_args << "--" unless rspec_args.include?('--')
-                rspec_args << %w[--tag repository_storage]
+                gitlab.omnibus_configuration << gitlab_omnibus_configuration
+                cluster = Component::GitalyCluster.perform do |c|
+                  c.config = Component::GitalyCluster::GitalyClusterConfig.new(gitlab_name: 'gitlab')
+                  c.release = release
+                  c.instance
+                end
 
                 gitlab.instance do
+                  cluster.join
+
+                  rspec_args << "--" unless rspec_args.include?('--')
+                  rspec_args << %w[--tag repository_storage]
+
                   Component::Specs.perform do |specs|
                     specs.suite = 'Test::Instance::All'
                     specs.release = gitlab.release
                     specs.network = gitlab.network
                     specs.args = [gitlab.address, *rspec_args]
-                    specs.env = { 'QA_ADDITIONAL_REPOSITORY_STORAGE' => 'secondary' }
+                    specs.env = {
+                      'QA_PRAEFECT_REPOSITORY_STORAGE' => 'default',
+                      'QA_GITALY_NON_CLUSTER_STORAGE' => 'gitaly',
+                      'QA_ADDITIONAL_REPOSITORY_STORAGE' => 'secondary'
+                    }
                   end
                 end
               end
             end
+
+            private
+
+            def gitlab_omnibus_configuration
+              # refer to Gitlab::QA::Component::Praefect and Gitlab::QA::Component::Gitaly
+              # for details relating to the default values for tokens/secrets
+              <<~OMNIBUS
+                external_url 'http://gitlab.test';
+
+                git_data_dirs({
+                  'default' => {
+                    'gitaly_address' => 'tcp://praefect.test:2305',
+                    'gitaly_token' => 'PRAEFECT_EXTERNAL_TOKEN'
+                  },
+                  'gitaly' => {
+                    'gitaly_address' => 'tcp://gitlab.test:8075',
+                    'path' => '/var/opt/gitlab/git-data/gitaly'
+                  },
+                  'secondary' => {
+                    'gitaly_address' => 'tcp://gitlab.test:8075',
+                    'path' => '/var/opt/gitlab/git-data/secondary'
+                  }
+                });
+                gitaly['enable'] = true;
+                gitaly['configuration'] = {
+                  auth: {
+                    token: 'secret-token',
+                  },
+                  listen_addr: '0.0.0.0:8075',
+                  storage: [
+                    {
+                      name: 'gitaly',
+                      path: '/var/opt/gitlab/git-data/gitaly',
+                    },
+                    {
+                      name: 'secondary',
+                      path: '/var/opt/gitlab/git-data/secondary',
+                    },
+                  ],
+                };
+                gitlab_rails['gitaly_token'] = 'secret-token';
+                gitlab_shell['secret_token'] = 'GITLAB_SHELL_SECRET_TOKEN';
+              OMNIBUS
+            end
           end
         end
       end

data/lib/gitlab/qa/scenario/test/integration/ai_gateway.rb

@@ -5,78 +5,10 @@ module Gitlab
     module Scenario
       module Test
         module Integration
-          class AiGateway < Scenario::Template
-            SETUP_SRC_PATH = File.expand_path('../../../../../../support/setup', __dir__)
-            SETUP_DEST_PATH = '/tmp/setup-scripts'
-
+          class AiGateway < AiGatewayBase
             def initialize
-              @network = 'test'
-              @ai_gateway_name = 'ai-gateway'
-              @ai_gateway_hostname = "#{@ai_gateway_name}.#{@network}"
-              @ai_gateway_port = 5000
-            end
-
-            def perform(release, *rspec_args)
-              Component::Gitlab.perform do |gitlab|
-                setup_gitlab(gitlab, release)
-
-                Component::AiGateway.perform do |ai_gateway|
-                  setup_ai_gateway(ai_gateway, gitlab_hostname: gitlab.hostname)
-
-                  ai_gateway.instance do
-                    gitlab.instance do
-                      setup_code_suggestions(gitlab)
-                      run_specs(gitlab, *rspec_args)
-                    end
-                  end
-                end
-              end
-            end
-
-            private
-
-            def setup_gitlab(gitlab, release)
-              gitlab.release = QA::Release.new(release)
-              gitlab.name = 'gitlab'
-              gitlab.network = @network
-
-              gitlab.omnibus_gitlab_rails_env['AI_GATEWAY_URL'] = "http://#{@ai_gateway_hostname}:#{@ai_gateway_port}"
-
-              gitlab.set_ee_activation_code
-            end
-
-            def setup_ai_gateway(ai_gateway, gitlab_hostname:)
-              ai_gateway.name = @ai_gateway_name
-              ai_gateway.network = @network
-              ai_gateway.ports = [@ai_gateway_port]
-
-              ai_gateway.configure_environment(gitlab_hostname: gitlab_hostname)
-            end
-
-            def setup_code_suggestions(gitlab)
-              Runtime::Logger.info('Setting up Code Suggestions on GitLab instance')
-
-              gitlab.docker.copy(gitlab.name, SETUP_SRC_PATH, SETUP_DEST_PATH)
-
-              gitlab.docker.exec(
-                gitlab.name,
-                "gitlab-rails runner #{SETUP_DEST_PATH}/code_suggestions_setup.rb",
-                mask_secrets: gitlab.secrets
-              )
-            end
-
-            def run_specs(gitlab, *rspec_args)
-              Runtime::Logger.info('Running AI Gateway specs!')
-
-              rspec_args << "--" unless rspec_args.include?('--')
-              rspec_args << %w[--tag ai_gateway]
-
-              Component::Specs.perform do |specs|
-                specs.suite = 'Test::Instance::All'
-                specs.release = gitlab.release
-                specs.network = gitlab.network
-                specs.args = [gitlab.address, *rspec_args]
-              end
+              super
+              @tag = 'ai_gateway'
             end
           end
         end

data/lib/gitlab/qa/scenario/test/integration/ai_gateway_base.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module QA
+    module Scenario
+      module Test
+        module Integration
+          class AiGatewayBase < Scenario::Template
+            SETUP_SRC_PATH = File.expand_path('../../../../../../support/setup', __dir__)
+            SETUP_DEST_PATH = '/tmp/setup-scripts'
+
+            def initialize
+              @network = 'test'
+              @ai_gateway_name = 'ai-gateway'
+              @ai_gateway_hostname = "#{@ai_gateway_name}.#{@network}"
+              @ai_gateway_port = 5000
+              @use_cloud_license = true
+              @has_add_on = true
+              @assign_seats = true
+            end
+
+            def perform(release, *rspec_args)
+              Component::Gitlab.perform do |gitlab|
+                set_up_gitlab(gitlab, release)
+
+                Component::AiGateway.perform do |ai_gateway|
+                  set_up_ai_gateway(ai_gateway, gitlab_hostname: gitlab.hostname)
+
+                  ai_gateway.instance do
+                    gitlab.instance do
+                      set_up_duo_pro(gitlab) if @use_cloud_license
+                      run_specs(gitlab, *rspec_args)
+                    end
+                  end
+                end
+              end
+            end
+
+            def set_up_gitlab(gitlab, release)
+              gitlab.release = QA::Release.new(release)
+              gitlab.name = 'gitlab'
+              gitlab.network = @network
+
+              gitlab.omnibus_gitlab_rails_env['AI_GATEWAY_URL'] = "http://#{@ai_gateway_hostname}:#{@ai_gateway_port}"
+
+              gitlab.set_ee_activation_code if @use_cloud_license
+            end
+
+            def set_up_ai_gateway(ai_gateway, gitlab_hostname:)
+              ai_gateway.name = @ai_gateway_name
+              ai_gateway.network = @network
+              ai_gateway.ports = [@ai_gateway_port]
+
+              ai_gateway.configure_environment(gitlab_hostname: gitlab_hostname)
+            end
+
+            def set_up_duo_pro(gitlab)
+              Runtime::Logger.info('Setting up Duo Pro on GitLab instance')
+
+              gitlab.docker.copy(gitlab.name, SETUP_SRC_PATH, SETUP_DEST_PATH)
+
+              gitlab.docker.exec(
+                gitlab.name,
+                "ASSIGN_SEATS=#{@assign_seats} HAS_ADD_ON=#{@has_add_on} gitlab-rails runner #{SETUP_DEST_PATH}/duo_pro_setup.rb",
+                mask_secrets: gitlab.secrets
+              )
+            end
+
+            def run_specs(gitlab, *rspec_args)
+              Runtime::Logger.info('Running AI Gateway specs!')
+
+              rspec_args << "--" unless rspec_args.include?('--')
+              rspec_args << "--tag" << @tag
+
+              Component::Specs.perform do |specs|
+                specs.suite = 'Test::Instance::All'
+                specs.release = gitlab.release
+                specs.network = gitlab.network
+                specs.args = [gitlab.address, *rspec_args]
+              end
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/qa/scenario/test/integration/ai_gateway_no_add_on.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module QA
+    module Scenario
+      module Test
+        module Integration
+          class AiGatewayNoAddOn < AiGatewayBase
+            def initialize
+              super
+              @tag = 'ai_gateway_no_add_on'
+              @has_add_on = false
+              @assign_seats = false
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/qa/scenario/test/integration/ai_gateway_no_license.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module QA
+    module Scenario
+      module Test
+        module Integration
+          class AiGatewayNoLicense < AiGatewayBase
+            def initialize
+              super
+              @tag = 'ai_gateway_no_license'
+              @use_cloud_license = false
+              @assign_seats = false
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/qa/scenario/test/integration/ai_gateway_no_seat_assigned.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Gitlab
+  module QA
+    module Scenario
+      module Test
+        module Integration
+          class AiGatewayNoSeatAssigned < AiGatewayBase
+            def initialize
+              super
+              @tag = 'ai_gateway_no_seat_assigned'
+              @assign_seats = false
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/gitlab/qa/version.rb

@@ -2,6 +2,6 @@
 
 module Gitlab
   module QA
-    VERSION = '14.2.1'
+    VERSION = '14.3.0'
   end
 end

data/rubocop/cop/gitlab/dangerous_interpolation.rb

@@ -0,0 +1,157 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module Gitlab
+      # Checks for string interpolation of sensitive variables
+      # in information that's *probably* logged.
+
+      # @example
+      #   # bad
+      #   <<~OMNIBUS
+      #   gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_secret_key}'
+      #   OMNIBUS
+      #
+      #   # good
+      #   gitlab_rails['object_store']['objects']['lfs']['bucket'] = '#{Runtime::Env.aws_s3_bucket_name}'
+
+      class DangerousInterpolation < Base
+        MSG = 'Sensitive variables should not be logged. ' \
+              'Please ensure that the interpolated variable is not sensitive. If not, add it to `ENV_VARIABLES` in the cop class.'
+
+        # These values are taken from /lib/gitlab/qa/runtime/env.rb. Sensitive variables have been removed.
+        ENV_VARIABLES = {
+          'HOST_ARTIFACT_DIR' => :host_artifacts_dir,
+          'QA_IMAGE' => :qa_image,
+          'QA_REMOTE_GRID' => :remote_grid,
+          'QA_REMOTE_GRID_USERNAME' => :remote_grid_username,
+          'QA_REMOTE_GRID_PROTOCOL' => :remote_grid_protocol,
+          'QA_REMOTE_MOBILE_DEVICE_NAME' => :remote_mobile_device_name,
+          'QA_REMOTE_TUNNEL_ID' => :remote_tunnel_id,
+          'QA_BROWSER' => :browser,
+          'QA_SELENOID_BROWSER_VERSION' => :selenoid_browser_version,
+          'QA_RECORD_VIDEO' => :record_video,
+          'QA_LAYOUT' => :layout,
+          'QA_VIDEO_RECORDER_IMAGE' => :video_recorder_image,
+          'QA_VIDEO_RECORDER_VERSION' => :video_recorder_version,
+          'QA_SELENOID_BROWSER_IMAGE' => :selenoid_browser_image,
+          'QA_ADDITIONAL_REPOSITORY_STORAGE' => :qa_additional_repository_storage,
+          'QA_PRAEFECT_REPOSITORY_STORAGE' => :qa_praefect_repository_storage,
+          'QA_GITALY_NON_CLUSTER_STORAGE' => :qa_gitaly_non_cluster_storage,
+          'QA_DEBUG' => :qa_debug,
+          'QA_CAN_TEST_ADMIN_FEATURES' => :qa_can_test_admin_features,
+          'QA_CAN_TEST_GIT_PROTOCOL_V2' => :qa_can_test_git_protocol_v2,
+          'QA_CAN_TEST_PRAEFECT' => :qa_can_test_praefect,
+          'QA_DISABLE_RSPEC_RETRY' => :qa_disable_rspec_retry,
+          'QA_SIMULATE_SLOW_CONNECTION' => :qa_simulate_slow_connection,
+          'QA_SLOW_CONNECTION_LATENCY_MS' => :qa_slow_connection_latency_ms,
+          'QA_SLOW_CONNECTION_THROUGHPUT_KBPS' => :qa_slow_connection_throughput_kbps,
+          'QA_GENERATE_ALLURE_REPORT' => :generate_allure_report,
+          'QA_EXPORT_TEST_METRICS' => :qa_export_test_metrics,
+          'QA_INFLUXDB_URL' => :qa_influxdb_url,
+          'QA_SKIP_PULL' => :qa_skip_pull,
+          'QA_VALIDATE_RESOURCE_REUSE' => :qa_validate_resource_reuse,
+          'WEBDRIVER_HEADLESS' => :webdriver_headless,
+          'GITLAB_ADMIN_USERNAME' => :admin_username,
+          'GITLAB_USERNAME' => :user_username,
+          'GITLAB_LDAP_USERNAME' => :ldap_username,
+          'GITLAB_FORKER_USERNAME' => :forker_username,
+          'GITLAB_USER_TYPE' => :user_type,
+          'GITLAB_SANDBOX_NAME' => :gitlab_sandbox_name,
+          'GITLAB_URL' => :gitlab_url,
+          'SIMPLE_SAML_HOSTNAME' => :simple_saml_hostname,
+          'SIMPLE_SAML_FINGERPRINT' => :simple_saml_fingerprint,
+          'ACCEPT_INSECURE_CERTS' => :accept_insecure_certs,
+          'EE_LICENSE' => :ee_license,
+          'GCLOUD_ACCOUNT_EMAIL' => :gcloud_account_email,
+          'CLOUDSDK_CORE_PROJECT' => :cloudsdk_core_project,
+          'GCLOUD_REGION' => :gcloud_region,
+          'SIGNUP_DISABLED' => :signup_disabled,
+          'GITLAB_QA_USERNAME_1' => :gitlab_qa_username_1,
+          'GITLAB_QA_USERNAME_2' => :gitlab_qa_username_2,
+          'QA_GITHUB_USERNAME' => :qa_github_username,
+          'QA_GITLAB_HOSTNAME' => :qa_gitlab_hostname,
+          'QA_GITLAB_USE_TLS' => :qa_gitlab_use_tls,
+          'KNAPSACK_GENERATE_REPORT' => :knapsack_generate_report,
+          'KNAPSACK_REPORT_PATH' => :knapsack_report_path,
+          'KNAPSACK_TEST_FILE_PATTERN' => :knapsack_test_file_pattern,
+          'KNAPSACK_TEST_DIR' => :knapsack_test_dir,
+          'NO_KNAPSACK' => :no_knapsack,
+          'QA_KNAPSACK_REPORT_GCS_CREDENTIALS' => :qa_knapsack_report_gcs_credentials,
+          'QA_KNAPSACK_REPORT_PATH' => :qa_knapsack_report_path,
+          'QA_RSPEC_REPORT_PATH' => :qa_rspec_report_path,
+          'RSPEC_FAST_QUARANTINE_PATH' => :rspec_fast_quarantine_path,
+          'RSPEC_SKIPPED_TESTS_REPORT_PATH' => :skipped_tests_report_path,
+          'CI' => :ci,
+          'CI_JOB_NAME' => :ci_job_name,
+          'CI_JOB_NAME_SLUG' => :ci_job_name_slug,
+          'CI_JOB_URL' => :ci_job_url,
+          'CI_RUNNER_ID' => :ci_runner_id,
+          'CI_SERVER_HOST' => :ci_server_host,
+          'CI_NODE_INDEX' => :ci_node_index,
+          'CI_NODE_TOTAL' => :ci_node_total,
+          'CI_PROJECT_NAME' => :ci_project_name,
+          'CI_PROJECT_PATH' => :ci_project_path,
+          'CI_PIPELINE_SOURCE' => :ci_pipeline_source,
+          'CI_PIPELINE_URL' => :ci_pipeline_url,
+          'CI_PIPELINE_CREATED_AT' => :ci_pipeline_created_at,
+          'CI_MERGE_REQUEST_IID' => :ci_merge_request_iid,
+          'GITLAB_CI' => :gitlab_ci,
+          'ELASTIC_URL' => :elastic_url,
+          'GITLAB_QA_LOOP_RUNNER_MINUTES' => :gitlab_qa_loop_runner_minutes,
+          'MAILHOG_HOSTNAME' => :mailhog_hostname,
+          'GEO_MAX_FILE_REPLICATION_TIME' => :geo_max_file_replication_time,
+          'GEO_MAX_DB_REPLICATION_TIME' => :geo_max_db_replication_time,
+          'JIRA_HOSTNAME' => :jira_hostname,
+          'JIRA_ADMIN_USERNAME' => :jira_admin_username,
+          'CACHE_NAMESPACE_NAME' => :cache_namespace_name,
+          'GITLAB_QA_USER_AGENT' => :gitlab_qa_user_agent,
+          'GEO_FAILOVER' => :geo_failover,
+          'GITLAB_INITIAL_ROOT_PASSWORD' => :initial_root_password,
+          'GITLAB_TLS_CERTIFICATE' => :gitlab_tls_certificate,
+          'AWS_S3_REGION' => :aws_s3_region,
+          'AWS_S3_KEY_ID' => :aws_s3_key_id,
+          'AWS_S3_BUCKET_NAME' => :aws_s3_bucket_name,
+          'TOP_UPSTREAM_MERGE_REQUEST_IID' => :top_upstream_merge_request_iid,
+          'GOOGLE_PROJECT' => :google_project,
+          'GOOGLE_CLIENT_EMAIL' => :google_client_email,
+          'GOOGLE_CDN_LB' => :google_cdn_load_balancer,
+          'GOOGLE_CDN_SIGNURL_KEY_NAME' => :google_cdn_signurl_key_name,
+          'GCS_CDN_BUCKET_NAME' => :gcs_cdn_bucket_name,
+          'GCS_BUCKET_NAME' => :gcs_bucket_name,
+          'SMOKE_ONLY' => :smoke_only,
+          'NO_ADMIN' => :no_admin,
+          'CHROME_DISABLE_DEV_SHM' => :chrome_disable_dev_shm,
+          'COLORIZED_LOGS' => :colorized_logs,
+          'FIPS' => :fips,
+          'JH_ENV' => :jh_env,
+          'QA_GITHUB_OAUTH_APP_ID' => :github_oauth_app_id,
+          'QA_1P_EMAIL' => :qa_1p_email,
+          'QA_1P_GITHUB_UUID' => :qa_1p_github_uuid,
+          'RELEASE' => :release,
+          'RELEASE_REGISTRY_URL' => :release_registry_url,
+          'RELEASE_REGISTRY_USERNAME' => :release_registry_username,
+          'SELENOID_DIRECTORY' => :selenoid_directory,
+          'USE_SELENOID' => :use_selenoid,
+          'SCHEDULE_TYPE' => :schedule_type,
+          'WORKSPACES_OAUTH_APP_ID' => :workspaces_oauth_app_id,
+          'WORKSPACES_PROXY_DOMAIN' => :workspaces_proxy_domain,
+          'WORKSPACES_DOMAIN_CERT' => { name: :workspaces_domain_cert, type: :file },
+          'WORKSPACES_DOMAIN_KEY' => { name: :workspaces_domain_key, type: :file },
+          'WORKSPACES_WILDCARD_CERT' => { name: :workspaces_wildcard_cert, type: :file },
+          'WORKSPACES_WILDCARD_KEY' => { name: :workspaces_wildcard_key, type: :file }
+        }.freeze
+
+        def_node_matcher :heredoc_interpolation?, <<~PATTERN
+          (send (const (const nil? :Runtime) :Env) ...)
+        PATTERN
+
+        def on_send(node)
+          return unless heredoc_interpolation?(node) && node.parent.parent.dstr_type? && !ENV_VARIABLES.value?(node.source.split(".")[1].to_sym)
+
+          add_offense(node)
+        end
+      end
+    end
+  end
+end

data/support/setup/{code_suggestions_setup.rb → duo_pro_setup.rb}

@@ -1,28 +1,24 @@
 # frozen_string_literal: true
 
-class CodeSuggestionsSetup
+class DuoProSetup
   class << self
     def configure!
       activate_cloud_license
 
-      # Due to the various async Sidekiq processes involved, we wait to verify
-      # that the code suggestions access token has been generated before proceeding
-      verify_code_suggestions_access_token
+      return unless enabled?('HAS_ADD_ON')
 
-      # TODO: Remove after service start date
-      # This toggle will no longer be used to control access to code suggestions
-      # See https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/policies/ee/global_policy.rb#L62
-      puts 'Enabling application setting instance_level_code_suggestions_enabled...'
-      ApplicationSetting.last.update(instance_level_code_suggestions_enabled: true)
+      # Due to the various async Sidekiq processes involved, we wait to verify
+      # that the service access token has been generated before proceeding
+      verify_service_access_token
 
-      assign_code_suggestions_seat_to_admin
+      assign_duo_pro_seat_to_admin if enabled?('ASSIGN_SEATS')
     end
 
     private
 
     def activate_cloud_license
       puts 'Activating cloud license...'
-      result = ::GitlabSubscriptions::ActivateService.new.execute(ENV.fetch('QA_EE_ACTIVATION_CODE', nil))
+      result = ::GitlabSubscriptions::ActivateService.new.execute(ENV.fetch('QA_EE_ACTIVATION_CODE'))
 
       if result[:success]
         puts 'Cloud license activation successful'
@@ -33,8 +29,8 @@ class CodeSuggestionsSetup
       end
     end
 
-    def verify_code_suggestions_access_token
-      puts 'Waiting for code suggestions access token to be available...'
+    def verify_service_access_token
+      puts 'Waiting for service access token to be available...'
 
       max_attempts = 3
       attempts = 0
@@ -47,12 +43,12 @@ class CodeSuggestionsSetup
 
       return if tokens&.positive?
 
-      puts "Failed to create code suggestions access token after #{max_attempts} attempts"
+      puts "Failed to create service access token after #{max_attempts} attempts"
       exit 1
     end
 
-    def assign_code_suggestions_seat_to_admin
-      puts 'Assigning code suggestions seat to admin...'
+    def assign_duo_pro_seat_to_admin
+      puts 'Assigning Duo Pro seat to admin...'
 
       admin = User.find_by(username: 'root')
       add_on = GitlabSubscriptions::AddOnPurchase.find_by(add_on: GitlabSubscriptions::AddOn.code_suggestions.last)
@@ -70,7 +66,11 @@ class CodeSuggestionsSetup
         puts error
       end
     end
+
+    def enabled?(key, default: nil)
+      ENV.fetch(key, default) == 'true'
+    end
   end
 end
 
-CodeSuggestionsSetup.configure!
+DuoProSetup.configure!

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-qa
 version: !ruby/object:Gem::Version
-  version: 14.2.1
+  version: 14.3.0
 platform: ruby
 authors:
 - GitLab Quality
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-02-21 00:00:00.000000000 Z
+date: 2024-03-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: climate_control
@@ -446,6 +446,10 @@ files:
 - lib/gitlab/qa/scenario/test/instance/staging_ref.rb
 - lib/gitlab/qa/scenario/test/instance/staging_ref_geo.rb
 - lib/gitlab/qa/scenario/test/integration/ai_gateway.rb
+- lib/gitlab/qa/scenario/test/integration/ai_gateway_base.rb
+- lib/gitlab/qa/scenario/test/integration/ai_gateway_no_add_on.rb
+- lib/gitlab/qa/scenario/test/integration/ai_gateway_no_license.rb
+- lib/gitlab/qa/scenario/test/integration/ai_gateway_no_seat_assigned.rb
 - lib/gitlab/qa/scenario/test/integration/chaos.rb
 - lib/gitlab/qa/scenario/test/integration/client_ssl.rb
 - lib/gitlab/qa/scenario/test/integration/elasticsearch.rb
@@ -490,6 +494,7 @@ files:
 - lib/gitlab/qa/support/shellout.rb
 - lib/gitlab/qa/test_logger.rb
 - lib/gitlab/qa/version.rb
+- rubocop/cop/gitlab/dangerous_interpolation.rb
 - scripts/build-package-and-test-env
 - support/data/admin_access_token_seed.rb
 - support/data/license_usage_seed.rb
@@ -498,7 +503,7 @@ files:
 - support/manifests/suggested_reviewer/pubsub.yaml
 - support/manifests/suggested_reviewer/recommender-bot.yaml
 - support/manifests/suggested_reviewer/recommender.yaml
-- support/setup/code_suggestions_setup.rb
+- support/setup/duo_pro_setup.rb
 - tls_certificates/authority/ca.crt
 - tls_certificates/authority/ca.key
 - tls_certificates/authority/ca.pem