Merge branch 'sh-update-grape-gem' into 'master'

Upgrade Grape v1.1.0 to v1.3.2 Closes #195960 See merge request gitlab-org/gitlab!27276

Merge branch 'sh-update-grape-gem' into 'master'
Upgrade Grape v1.1.0 to v1.3.2 Closes #195960 See merge request gitlab-org/gitlab!27276
11a82cb4 · Igor Drozdov · 7bb3e6e0 · 27c7252b · 11a82cb4 · 11a82cb4
Commit 11a82cb4 authored Apr 27, 2020 by Igor Drozdov
174 changed files
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -284,6 +284,18 @@ Gitlab/Union:
    - 'spec/**/*'
    - 'ee/spec/**/*'

+API/GrapeAPIInstance:
+  Enabled: true
+  Include:
+    - 'lib/**/api/**/*.rb'
+    - 'ee/**/api/**/*.rb'
+
+API/GrapeArrayMissingCoerce:
+  Enabled: true
+  Include:
+    - 'lib/**/api/**/*.rb'
+    - 'ee/**/api/**/*.rb'
+
 Cop/SidekiqOptionsQueue:
  Enabled: true
  Exclude:

--- a/Gemfile
+++ b/Gemfile
@@ -19,7 +19,7 @@ gem 'default_value_for', '~> 3.3.0'
 gem 'pg', '~> 1.1'

 gem 'rugged', '~> 0.28'
-gem 'grape-path-helpers', '~> 1.2'
+gem 'grape-path-helpers', '~> 1.3'

 gem 'faraday', '~> 0.12'
 gem 'marginalia', '~> 1.8.0'
@@ -82,7 +82,7 @@ gem 'gitlab_omniauth-ldap', '~> 2.1.1', require: 'omniauth-ldap'
 gem 'net-ldap'

 # API
-gem 'grape', '~> 1.1.0'
+gem 'grape', '~> 1.3.2'
 gem 'grape-entity', '~> 0.7.1'
 gem 'rack-cors', '~> 1.0.6', require: 'rack/cors'


--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -103,10 +103,6 @@ GEM
      aws-sdk-core (= 2.11.374)
    aws-sigv4 (1.1.0)
      aws-eventstream (~> 1.0, >= 1.0.2)
-    axiom-types (0.1.1)
-      descendants_tracker (~> 0.0.4)
-      ice_nine (~> 0.11.0)
-      thread_safe (~> 0.3, >= 0.3.1)
    babosa (1.0.2)
    base32 (0.3.2)
    batch-loader (1.4.0)
@@ -165,8 +161,6 @@ GEM
      nap
      open4 (~> 1.3)
    coderay (1.1.2)
-    coercible (1.0.0)
-      descendants_tracker (~> 0.0.1)
    colored2 (3.1.2)
    commonmarker (0.20.1)
      ruby-enum (~> 0.5)
@@ -222,8 +216,6 @@ GEM
      ruby-statistics (>= 2.1)
      thor (>= 0.19, < 2)
      unicode_plot (>= 0.0.4, < 1.0.0)
-    descendants_tracker (0.0.4)
-      thread_safe (~> 0.3, >= 0.3.1)
    device_detector (1.0.0)
    devise (4.7.1)
      bcrypt (~> 3.0)
@@ -250,6 +242,28 @@ GEM
    doorkeeper-openid_connect (1.6.3)
      doorkeeper (>= 5.0, < 5.2)
      json-jwt (~> 1.6)
+    dry-configurable (0.11.5)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.4, >= 0.4.7)
+      dry-equalizer (~> 0.2)
+    dry-container (0.7.2)
+      concurrent-ruby (~> 1.0)
+      dry-configurable (~> 0.1, >= 0.1.3)
+    dry-core (0.4.9)
+      concurrent-ruby (~> 1.0)
+    dry-equalizer (0.3.0)
+    dry-inflector (0.2.0)
+    dry-logic (1.0.6)
+      concurrent-ruby (~> 1.0)
+      dry-core (~> 0.2)
+      dry-equalizer (~> 0.2)
+    dry-types (1.4.0)
+      concurrent-ruby (~> 1.0)
+      dry-container (~> 0.3)
+      dry-core (~> 0.4, >= 0.4.4)
+      dry-equalizer (~> 0.3)
+      dry-inflector (~> 0.1, >= 0.1.2)
+      dry-logic (~> 1.0, >= 1.0.2)
    ed25519 (1.2.4)
    elasticsearch (6.8.0)
      elasticsearch-api (= 6.8.0)
@@ -439,19 +453,19 @@ GEM
      signet (~> 0.7)
    gpgme (2.0.20)
      mini_portile2 (~> 2.3)
-    grape (1.1.0)
+    grape (1.3.2)
      activesupport
      builder
+      dry-types (>= 1.1)
      mustermann-grape (~> 1.0.0)
      rack (>= 1.3.0)
      rack-accept
-      virtus (>= 1.0.0)
    grape-entity (0.7.1)
      activesupport (>= 4.0)
      multi_json (>= 1.3.2)
-    grape-path-helpers (1.2.0)
+    grape-path-helpers (1.3.0)
      activesupport
-      grape (~> 1.0)
+      grape (~> 1.3)
      rake (~> 12)
    grape_logging (1.8.3)
      grape
@@ -645,9 +659,10 @@ GEM
    multi_xml (0.6.0)
    multipart-post (2.1.1)
    murmurhash3 (0.1.6)
-    mustermann (1.0.3)
-    mustermann-grape (1.0.0)
-      mustermann (~> 1.0.0)
+    mustermann (1.1.1)
+      ruby2_keywords (~> 0.0.1)
+    mustermann-grape (1.0.1)
+      mustermann (>= 1.0.0)
    nakayoshi_fork (0.0.4)
    nap (1.1.0)
    nenv (0.3.0)
@@ -961,6 +976,7 @@ GEM
    ruby-saml (1.7.2)
      nokogiri (>= 1.5.10)
    ruby-statistics (2.1.2)
+    ruby2_keywords (0.0.2)
    ruby_dep (1.5.0)
    ruby_parser (3.13.1)
      sexp_processor (~> 4.9)
@@ -1119,11 +1135,6 @@ GEM
      activerecord (>= 3.0)
      activesupport (>= 3.0)
    version_sorter (2.2.4)
-    virtus (1.0.5)
-      axiom-types (~> 0.1)
-      coercible (~> 1.0)
-      descendants_tracker (~> 0.0, >= 0.0.3)
-      equalizer (~> 0.0, >= 0.0.9)
    vmstat (2.3.0)
    warden (1.2.8)
      rack (>= 2.0.6)
@@ -1254,9 +1265,9 @@ DEPENDENCIES
  google-api-client (~> 0.23)
  google-protobuf (~> 3.8.0)
  gpgme (~> 2.0.19)
-  grape (~> 1.1.0)
+  grape (~> 1.3.2)
  grape-entity (~> 0.7.1)
-  grape-path-helpers (~> 1.2)
+  grape-path-helpers (~> 1.3)
  grape_logging (~> 1.7)
  graphiql-rails (~> 1.4.10)
  graphql (~> 1.10.5)

--- a/changelogs/unreleased/sh-update-grape-gem.yml
+++ b/changelogs/unreleased/sh-update-grape-gem.yml
+---
+title: Upgrade Grape v1.1.0 to v1.3.2
+merge_request: 27276
+author:
+type: other
--- a/doc/development/api_styleguide.md
+++ b/doc/development/api_styleguide.md
@@ -98,6 +98,14 @@ For instance:
 Model.create(foo: params[:foo])
 ```

+## Array types
+
+With Grape v1.3+, Array types must be defined with a `coerce_with`
+block, or parameters will fail to validate when passed a string from an
+API request. See the [Grape upgrading
+documentation](https://github.com/ruby-grape/grape/blob/master/UPGRADING.md#ensure-that-array-types-have-explicit-coercions)
+for more details.
+
 ## Using HTTP status helpers

 For non-200 HTTP responses, use the provided helpers in `lib/api/helpers.rb` to ensure correct behavior (`not_found!`, `no_content!` etc.). These will `throw` inside Grape and abort the execution of your endpoint.

--- a/doc/development/ee_features.md
+++ b/doc/development/ee_features.md
@@ -513,12 +513,12 @@ do that, so we'll follow regular object-oriented practices that we define the
 interface first here.

 For example, suppose we have a few more optional parameters for EE. We can move the
-paramters out of the `Grape::API` class to a helper module, so we can inject it
+parameters out of the `Grape::API::Instance` class to a helper module, so we can inject it
 before it would be used in the class.

 ```ruby
 module API
-  class Projects < Grape::API
+  class Projects < Grape::API::Instance
    helpers Helpers::ProjectsHelpers
  end
 end
@@ -579,7 +579,7 @@ class definition to make it easy and clear:

 ```ruby
 module API
-  class JobArtifacts < Grape::API
+  class JobArtifacts < Grape::API::Instance
    # EE::API::JobArtifacts would override the following helpers
    helpers do
      def authorize_download_artifacts!
@@ -623,7 +623,7 @@ route. Something like this:

 ```ruby
 module API
-  class MergeRequests < Grape::API
+  class MergeRequests < Grape::API::Instance
    helpers do
      # EE::API::MergeRequests would override the following helpers
      def update_merge_request_ee(merge_request)
@@ -692,7 +692,7 @@ least argument. We would approach this as follows:
 ```ruby
 # api/merge_requests/parameters.rb
 module API
-  class MergeRequests < Grape::API
+  class MergeRequests < Grape::API::Instance
    module Parameters
      def self.update_params_at_least_one_of
        %i[
@@ -708,7 +708,7 @@ API::MergeRequests::Parameters.prepend_if_ee('EE::API::MergeRequests::Parameters

 # api/merge_requests.rb
 module API
-  class MergeRequests < Grape::API
+  class MergeRequests < Grape::API::Instance
    params do
      at_least_one_of(*Parameters.update_params_at_least_one_of)
    end

--- a/ee/lib/api/analytics/code_review_analytics.rb
+++ b/ee/lib/api/analytics/code_review_analytics.rb
@@ -2,7 +2,7 @@

 module API
  module Analytics
-    class CodeReviewAnalytics < Grape::API
+    class CodeReviewAnalytics < Grape::API::Instance
      include PaginationParams

      helpers ::Gitlab::IssuableMetadata

--- a/ee/lib/api/analytics/group_activity_analytics.rb
+++ b/ee/lib/api/analytics/group_activity_analytics.rb
@@ -2,7 +2,7 @@

 module API
  module Analytics
-    class GroupActivityAnalytics < Grape::API
+    class GroupActivityAnalytics < Grape::API::Instance
      DESCRIPTION_DETAIL =
        'This feature is gated by the `:group_activity_analytics`'\
        ' feature flag, introduced in GitLab 12.9.'

--- a/ee/lib/api/audit_events.rb
+++ b/ee/lib/api/audit_events.rb
 # frozen_string_literal: true

 module API
-  class AuditEvents < ::Grape::API
+  class AuditEvents < ::Grape::API::Instance
    include ::API::PaginationParams

    before do

--- a/ee/lib/api/composer_packages.rb
+++ b/ee/lib/api/composer_packages.rb
@@ -2,7 +2,7 @@

 # PHP composer support (https://getcomposer.org/)
 module API
-  class ComposerPackages < Grape::API
+  class ComposerPackages < Grape::API::Instance
    helpers ::API::Helpers::PackagesManagerClientsHelpers
    helpers ::API::Helpers::RelatedResourcesHelpers
    helpers ::API::Helpers::Packages::BasicAuthHelpers

--- a/ee/lib/api/conan_packages.rb
+++ b/ee/lib/api/conan_packages.rb
@@ -9,7 +9,7 @@
 #
 # Technical debt: https://gitlab.com/gitlab-org/gitlab/issues/35798
 module API
-  class ConanPackages < Grape::API
+  class ConanPackages < Grape::API::Instance
    helpers ::API::Helpers::PackagesManagerClientsHelpers

    PACKAGE_REQUIREMENTS = {

--- a/ee/lib/api/dependencies.rb
+++ b/ee/lib/api/dependencies.rb
 # frozen_string_literal: true

 module API
-  class Dependencies < Grape::API
+  class Dependencies < Grape::API::Instance
    helpers do
      def dependencies_by(params)
        pipeline = ::Security::ReportFetchService.new(user_project, ::Ci::JobArtifact.dependency_list_reports).pipeline
@@ -28,6 +28,7 @@ module API
      params do
        optional :package_manager,
                 type: Array[String],
+                 coerce_with: Validations::Types::CommaSeparatedToArray.coerce,
                 desc: "Returns dependencies belonging to specified package managers: #{::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES.join(', ')}.",
                 values: ::Security::DependencyListService::FILTER_PACKAGE_MANAGERS_VALUES
      end

--- a/ee/lib/api/dependency_proxy.rb
+++ b/ee/lib/api/dependency_proxy.rb
 # frozen_string_literal: true

 module API
-  class DependencyProxy < Grape::API
+  class DependencyProxy < Grape::API::Instance
    helpers ::API::Helpers::PackagesHelpers

    helpers do

--- a/ee/lib/api/elasticsearch_indexed_namespaces.rb
+++ b/ee/lib/api/elasticsearch_indexed_namespaces.rb
 # frozen_string_literal: true

 module API
-  class ElasticsearchIndexedNamespaces < Grape::API
+  class ElasticsearchIndexedNamespaces < Grape::API::Instance
    before { authenticated_as_admin! }

    resource :elasticsearch_indexed_namespaces do

--- a/ee/lib/api/epic_issues.rb
+++ b/ee/lib/api/epic_issues.rb
 # frozen_string_literal: true

 module API
-  class EpicIssues < Grape::API
+  class EpicIssues < Grape::API::Instance
    before do
      authenticate!
      authorize_epics_feature!

--- a/ee/lib/api/epic_links.rb
+++ b/ee/lib/api/epic_links.rb
 # frozen_string_literal: true

 module API
-  class EpicLinks < Grape::API
+  class EpicLinks < Grape::API::Instance
    include ::Gitlab::Utils::StrongMemoize

    before do

--- a/ee/lib/api/epics.rb
+++ b/ee/lib/api/epics.rb
 # frozen_string_literal: true

 module API
-  class Epics < Grape::API
+  class Epics < Grape::API::Instance
    include PaginationParams

    before do
@@ -29,7 +29,7 @@ module API
        optional :state, type: String, values: %w[opened closed all], default: 'all',
                         desc: 'Return opened, closed, or all epics'
        optional :author_id, type: Integer, desc: 'Return epics which are authored by the user with the given ID'
-        optional :labels, type: Array[String], coerce_with: Validations::Types::LabelsList.coerce, desc: 'Comma-separated list of label names'
+        optional :labels, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Comma-separated list of label names'
        optional :with_labels_details, type: Boolean, desc: 'Return titles of labels and other details', default: false
        optional :created_after, type: DateTime, desc: 'Return epics created after the specified time'
        optional :created_before, type: DateTime, desc: 'Return epics created before the specified time'
@@ -70,7 +70,7 @@ module API
        optional :start_date_is_fixed, type: Boolean, desc: 'Indicates start date should be sourced from start_date_fixed field not the issue milestones'
        optional :end_date, as: :due_date_fixed, type: String, desc: 'The due date of an epic'
        optional :due_date_is_fixed, type: Boolean, desc: 'Indicates due date should be sourced from due_date_fixed field not the issue milestones'
-        optional :labels, type: Array[String], coerce_with: Validations::Types::LabelsList.coerce, desc: 'Comma-separated list of label names'
+        optional :labels, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Comma-separated list of label names'
        optional :parent_id, type: Integer, desc: 'The id of a parent epic'
      end
      post ':id/(-/)epics' do
@@ -96,7 +96,7 @@ module API
        optional :start_date_is_fixed, type: Boolean, desc: 'Indicates start date should be sourced from start_date_fixed field not the issue milestones'
        optional :end_date, as: :due_date_fixed, type: String, desc: 'The due date of an epic'
        optional :due_date_is_fixed, type: Boolean, desc: 'Indicates due date should be sourced from due_date_fixed field not the issue milestones'
-        optional :labels, type: Array[String], coerce_with: Validations::Types::LabelsList.coerce, desc: 'Comma-separated list of label names'
+        optional :labels, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Comma-separated list of label names'
        optional :state_event, type: String, values: %w[reopen close], desc: 'State event for an epic'
        at_least_one_of :title, :description, :start_date_fixed, :start_date_is_fixed, :due_date_fixed, :due_date_is_fixed, :labels, :state_event, :confidential
      end

--- a/ee/lib/api/feature_flag_scopes.rb
+++ b/ee/lib/api/feature_flag_scopes.rb
 # frozen_string_literal: true

 module API
-  class FeatureFlagScopes < Grape::API
+  class FeatureFlagScopes < Grape::API::Instance
    include PaginationParams

    ENVIRONMENT_SCOPE_ENDPOINT_REQUIREMENTS = FeatureFlags::FEATURE_FLAG_ENDPOINT_REQUIREMENTS

--- a/ee/lib/api/feature_flags.rb
+++ b/ee/lib/api/feature_flags.rb
 # frozen_string_literal: true

 module API
-  class FeatureFlags < Grape::API
+  class FeatureFlags < Grape::API::Instance
    include PaginationParams

    FEATURE_FLAG_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS

--- a/ee/lib/api/feature_flags_user_lists.rb
+++ b/ee/lib/api/feature_flags_user_lists.rb
 # frozen_string_literal: true

 module API
-  class FeatureFlagsUserLists < Grape::API
+  class FeatureFlagsUserLists < Grape::API::Instance
    include PaginationParams

    error_formatter :json, -> (message, _backtrace, _options, _env, _original_exception) {

--- a/ee/lib/api/geo.rb
+++ b/ee/lib/api/geo.rb
@@ -3,7 +3,7 @@
 require 'base64'

 module API
-  class Geo < Grape::API
+  class Geo < Grape::API::Instance
    resource :geo do
      helpers do
        def sanitized_node_status_params

--- a/ee/lib/api/geo_nodes.rb
+++ b/ee/lib/api/geo_nodes.rb
 # frozen_string_literal: true

 module API
-  class GeoNodes < Grape::API
+  class GeoNodes < Grape::API::Instance
    include PaginationParams
    include APIGuard
    include ::Gitlab::Utils::StrongMemoize

--- a/ee/lib/api/geo_replication.rb
+++ b/ee/lib/api/geo_replication.rb
 # frozen_string_literal: true

 module API
-  class GeoReplication < Grape::API
+  class GeoReplication < Grape::API::Instance
    include PaginationParams
    include APIGuard
    include ::Gitlab::Utils::StrongMemoize

--- a/ee/lib/api/group_hooks.rb
+++ b/ee/lib/api/group_hooks.rb
 # frozen_string_literal: true

 module API
-  class GroupHooks < Grape::API
+  class GroupHooks < Grape::API::Instance
    include ::API::PaginationParams

    before { authenticate! }

--- a/ee/lib/api/group_packages.rb
+++ b/ee/lib/api/group_packages.rb
 # frozen_string_literal: true

 module API
-  class GroupPackages < Grape::API
+  class GroupPackages < Grape::API::Instance
    include PaginationParams

    before do

--- a/ee/lib/api/helpers/project_approval_rules_helpers.rb
+++ b/ee/lib/api/helpers/project_approval_rules_helpers.rb
@@ -5,24 +5,22 @@ module API
    module ProjectApprovalRulesHelpers
      extend Grape::API::Helpers

-      ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
      params :create_project_approval_rule do
        requires :name, type: String, desc: 'The name of the approval rule'
        requires :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
        optional :rule_type, type: String, desc: 'The type of approval rule'
-        optional :users, as: :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-        optional :groups, as: :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
-        optional :protected_branch_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The protected branch ids for this rule'
+        optional :users, as: :user_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+        optional :groups, as: :group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
+        optional :protected_branch_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The protected branch ids for this rule'
      end

      params :update_project_approval_rule do
        requires :approval_rule_id, type: Integer, desc: 'The ID of an approval_rule'
        optional :name, type: String, desc: 'The name of the approval rule'
        optional :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
-        optional :users, as: :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-        optional :groups, as: :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
-        optional :protected_branch_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The protected branch ids for this rule'
+        optional :users, as: :user_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+        optional :groups, as: :group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
+        optional :protected_branch_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The protected branch ids for this rule'
        optional :remove_hidden_groups, type: Boolean, desc: 'Whether hidden groups should be removed'
      end


--- a/ee/lib/api/issue_links.rb
+++ b/ee/lib/api/issue_links.rb
 # frozen_string_literal: true

 module API
-  class IssueLinks < Grape::API
+  class IssueLinks < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/ee/lib/api/ldap.rb
+++ b/ee/lib/api/ldap.rb
 # frozen_string_literal: true

 module API
-  class Ldap < Grape::API
+  class Ldap < Grape::API::Instance
    # Admin users by default should be able to access these API endpoints.
    # However, non-admin users can access these endpoints if the "Allow group
    # owners to manage LDAP-related group settings" is enabled, and they own a

--- a/ee/lib/api/ldap_group_links.rb
+++ b/ee/lib/api/ldap_group_links.rb
 # frozen_string_literal: true

 module API
-  class LdapGroupLinks < Grape::API
+  class LdapGroupLinks < Grape::API::Instance
    before { authenticate! }

    params do

--- a/ee/lib/api/license.rb
+++ b/ee/lib/api/license.rb
 # frozen_string_literal: true

 module API
-  class License < Grape::API
+  class License < Grape::API::Instance
    before { authenticated_as_admin! }

    resource :license do

--- a/ee/lib/api/managed_licenses.rb
+++ b/ee/lib/api/managed_licenses.rb
 # frozen_string_literal: true

 module API
-  class ManagedLicenses < Grape::API
+  class ManagedLicenses < Grape::API::Instance
    include PaginationParams

    before { authenticate! unless route.settings[:skip_authentication] }

--- a/ee/lib/api/maven_packages.rb
+++ b/ee/lib/api/maven_packages.rb
 # frozen_string_literal: true
 module API
-  class MavenPackages < Grape::API
+  class MavenPackages < Grape::API::Instance
    MAVEN_ENDPOINT_REQUIREMENTS = {
      file_name: API::NO_SLASH_URL_PART_REGEX
    }.freeze

--- a/ee/lib/api/merge_request_approval_rules.rb
+++ b/ee/lib/api/merge_request_approval_rules.rb
 # frozen_string_literal: true

 module API
-  class MergeRequestApprovalRules < ::Grape::API
+  class MergeRequestApprovalRules < ::Grape::API::Instance
    before { authenticate_non_get! }

-    ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
    helpers do
      def find_merge_request_approval_rule(merge_request, id)
        merge_request.approval_rules.find_by_id!(id)
@@ -34,8 +32,8 @@ module API
          requires :name, type: String, desc: 'The name of the approval rule'
          requires :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
          optional :approval_project_rule_id, type: Integer, desc: 'The ID of a project-level approval rule'
-          optional :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-          optional :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
+          optional :user_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+          optional :group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
        end
        post do
          merge_request = find_merge_request_with_access(params[:merge_request_iid], :update_approvers)
@@ -56,8 +54,8 @@ module API
            requires :approval_rule_id, type: Integer, desc: 'The ID of an approval rule'
            optional :name, type: String, desc: 'The name of the approval rule'
            optional :approvals_required, type: Integer, desc: 'The number of required approvals for this rule'
-            optional :user_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The user ids for this rule'
-            optional :group_ids, type: Array, coerce_with: ARRAY_COERCION_LAMBDA, desc: 'The group ids for this rule'
+            optional :user_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The user ids for this rule'
+            optional :group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The group ids for this rule'
            optional :remove_hidden_groups, type: Boolean, desc: 'Whether hidden groups should be removed'
          end
          put do

--- a/ee/lib/api/merge_request_approvals.rb
+++ b/ee/lib/api/merge_request_approvals.rb
 # frozen_string_literal: true

 module API
-  class MergeRequestApprovals < ::Grape::API
+  class MergeRequestApprovals < ::Grape::API::Instance
    before { authenticate_non_get! }

-    ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
    helpers do
      def present_approval(merge_request)
        present merge_request.approval_state, with: ::EE::API::Entities::ApprovalState, current_user: current_user
@@ -109,8 +107,10 @@ module API
          success ::EE::API::Entities::ApprovalState
        end
        params do
-          requires :approver_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of User IDs to set as approvers.'
-          requires :approver_group_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of Group IDs to set as approvers.'
+          requires :approver_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce,
+            desc: 'Array of User IDs to set as approvers.'
+          requires :approver_group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce,
+            desc: 'Array of Group IDs to set as approvers.'
        end
        put 'approvers' do
          Gitlab::QueryLimiting.whitelist('https://gitlab.com/gitlab-org/gitlab/issues/8883')

--- a/ee/lib/api/merge_trains.rb
+++ b/ee/lib/api/merge_trains.rb
 # frozen_string_literal: true

 module API
-  class MergeTrains < ::Grape::API
+  class MergeTrains < ::Grape::API::Instance
    include PaginationParams

    before do

--- a/ee/lib/api/npm_packages.rb
+++ b/ee/lib/api/npm_packages.rb
 # frozen_string_literal: true
 module API
-  class NpmPackages < Grape::API
+  class NpmPackages < Grape::API::Instance
    helpers ::API::Helpers::PackagesHelpers
    helpers ::API::Helpers::Packages::DependencyProxyHelpers


--- a/ee/lib/api/nuget_packages.rb
+++ b/ee/lib/api/nuget_packages.rb
@@ -6,7 +6,7 @@
 # called by the NuGet package manager client when users run commands
 # like `nuget install` or `nuget push`.
 module API
-  class NugetPackages < Grape::API
+  class NugetPackages < Grape::API::Instance
    helpers ::API::Helpers::PackagesManagerClientsHelpers
    helpers ::API::Helpers::Packages::BasicAuthHelpers


--- a/ee/lib/api/package_files.rb
+++ b/ee/lib/api/package_files.rb
 # frozen_string_literal: true

 module API
-  class PackageFiles < Grape::API
+  class PackageFiles < Grape::API::Instance
    include PaginationParams

    before do

--- a/ee/lib/api/project_aliases.rb
+++ b/ee/lib/api/project_aliases.rb
 # frozen_string_literal: true

 module API
-  class ProjectAliases < Grape::API
+  class ProjectAliases < Grape::API::Instance
    include PaginationParams

    before { check_feature_availability }

--- a/ee/lib/api/project_approval_rules.rb
+++ b/ee/lib/api/project_approval_rules.rb
 # frozen_string_literal: true

 module API
-  class ProjectApprovalRules < ::Grape::API
+  class ProjectApprovalRules < ::Grape::API::Instance
    before { authenticate! }

    helpers ::API::Helpers::ProjectApprovalRulesHelpers

--- a/ee/lib/api/project_approval_settings.rb
+++ b/ee/lib/api/project_approval_settings.rb
 # frozen_string_literal: true

 module API
-  class ProjectApprovalSettings < ::Grape::API
+  class ProjectApprovalSettings < ::Grape::API::Instance
    before { authenticate! }

    helpers ::API::Helpers::ProjectApprovalRulesHelpers

--- a/ee/lib/api/project_approvals.rb
+++ b/ee/lib/api/project_approvals.rb
 # frozen_string_literal: true

 module API
-  class ProjectApprovals < ::Grape::API
+  class ProjectApprovals < ::Grape::API::Instance
    before { authenticate! }
    before { authorize! :update_approvers, user_project }

-    ARRAY_COERCION_LAMBDA = ->(val) { val.empty? ? [] : Array.wrap(val) }
-
    helpers do
      def filter_forbidden_param!(permission, param)
        unless can?(current_user, permission, user_project)
@@ -67,8 +65,8 @@ module API
        success EE::API::Entities::ApprovalSettings
      end
      params do
-        requires :approver_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of User IDs to set as approvers.'
-        requires :approver_group_ids, type: Array[String], coerce_with: ARRAY_COERCION_LAMBDA, desc: 'Array of Group IDs to set as approvers.'
+        requires :approver_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'Array of User IDs to set as approvers.'
+        requires :approver_group_ids, type: Array[Integer], coerce_with: Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'Array of Group IDs to set as approvers.'
      end
      put ':id/approvers' do
        result = ::Projects::UpdateService.new(user_project, current_user, declared(params, include_parent_namespaces: false).merge(remove_old_approvers: true)).execute

--- a/ee/lib/api/project_mirror.rb
+++ b/ee/lib/api/project_mirror.rb
@@ -3,7 +3,7 @@
 require_dependency 'declarative_policy'

 module API
-  class ProjectMirror < Grape::API
+  class ProjectMirror < Grape::API::Instance
    helpers do
      def github_webhook_signature
        @github_webhook_signature ||= headers['X-Hub-Signature']

--- a/ee/lib/api/project_packages.rb
+++ b/ee/lib/api/project_packages.rb
 # frozen_string_literal: true

 module API
-  class ProjectPackages < Grape::API
+  class ProjectPackages < Grape::API::Instance
    include PaginationParams

    before do

--- a/ee/lib/api/project_push_rule.rb
+++ b/ee/lib/api/project_push_rule.rb
 # frozen_string_literal: true

 module API
-  class ProjectPushRule < Grape::API
+  class ProjectPushRule < Grape::API::Instance
    before { authenticate! }
    before { authorize_admin_project }
    before { check_project_feature_available!(:push_rules) }

--- a/ee/lib/api/protected_environments.rb
+++ b/ee/lib/api/protected_environments.rb
 # frozen_string_literal: true

 module API
-  class ProtectedEnvironments < Grape::API
+  class ProtectedEnvironments < Grape::API::Instance
    include PaginationParams

    ENVIRONMENT_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(name: API::NO_SLASH_URL_PART_REGEX)

--- a/ee/lib/api/pypi_packages.rb
+++ b/ee/lib/api/pypi_packages.rb
@@ -6,7 +6,7 @@
 # called by the PyPI package manager client when users run commands
 # like `pip install` or `twine upload`.
 module API
-  class PypiPackages < Grape::API
+  class PypiPackages < Grape::API::Instance
    helpers ::API::Helpers::PackagesManagerClientsHelpers
    helpers ::API::Helpers::RelatedResourcesHelpers
    helpers ::API::Helpers::Packages::BasicAuthHelpers

--- a/ee/lib/api/scim.rb
+++ b/ee/lib/api/scim.rb
 # frozen_string_literal: true

 module API
-  class Scim < Grape::API
+  class Scim < Grape::API::Instance
    include ::Gitlab::Utils::StrongMemoize

    prefix 'api/scim'

--- a/ee/lib/api/unleash.rb
+++ b/ee/lib/api/unleash.rb
 # frozen_string_literal: true

 module API
-  class Unleash < Grape::API
+  class Unleash < Grape::API::Instance
    include PaginationParams

    namespace :feature_flags do

--- a/ee/lib/api/v3/github.rb
+++ b/ee/lib/api/v3/github.rb
@@ -7,7 +7,7 @@
 #
 module API
  module V3
-    class Github < Grape::API
+    class Github < Grape::API::Instance
      JIRA_DEV_PANEL_FEATURE = :jira_dev_panel_integration.freeze
      NO_SLASH_URL_PART_REGEX = %r{[^/]+}.freeze
      ENDPOINT_REQUIREMENTS = {

--- a/ee/lib/api/visual_review_discussions.rb
+++ b/ee/lib/api/visual_review_discussions.rb
 # frozen_string_literal: true

 module API
-  class VisualReviewDiscussions < Grape::API
+  class VisualReviewDiscussions < Grape::API::Instance
    include PaginationParams
    helpers ::API::Helpers::NotesHelpers
    helpers ::RendersNotes

--- a/ee/lib/api/vulnerabilities.rb
+++ b/ee/lib/api/vulnerabilities.rb
 # frozen_string_literal: true

 module API
-  class Vulnerabilities < Grape::API
+  class Vulnerabilities < Grape::API::Instance
    include ::API::Helpers::VulnerabilitiesHooks
    include PaginationParams


--- a/ee/lib/api/vulnerability_exports.rb
+++ b/ee/lib/api/vulnerability_exports.rb
 # frozen_string_literal: true

 module API
-  class VulnerabilityExports < Grape::API
+  class VulnerabilityExports < Grape::API::Instance
    include ::API::Helpers::VulnerabilitiesHooks
    include ::Gitlab::Utils::StrongMemoize


--- a/ee/lib/api/vulnerability_findings.rb
+++ b/ee/lib/api/vulnerability_findings.rb
 # frozen_string_literal: true

 module API
-  class VulnerabilityFindings < Grape::API
+  class VulnerabilityFindings < Grape::API::Instance
    include PaginationParams
    include ::Gitlab::Utils::StrongMemoize

@@ -33,19 +33,23 @@ module API
    end
    resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
      params do
-        optional :report_type, type: Array[String], desc: 'The type of report vulnerability belongs to',
+        optional :report_type, type: Array[String],
+                 coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce,
+                 desc: 'The type of report vulnerability belongs to',
                 values: ::Vulnerabilities::Occurrence.report_types.keys,
                 default: ::Vulnerabilities::Occurrence.report_types.keys
        optional :scope, type: String, desc: 'Return vulnerabilities for the given scope: `dismissed` or `all`',
                 default: 'dismissed', values: %w[all dismissed]
        optional :severity,
                 type: Array[String],
+                 coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce,
                 desc: 'Returns vulnerabilities belonging to specified severity level: '\
                       '`info`, `unknown`, `low`, `medium`, `high`, or `critical`. Defaults to all',
                 values: ::Vulnerabilities::Occurrence.severities.keys,
                 default: ::Vulnerabilities::Occurrence.severities.keys
        optional :confidence,
                 type: Array[String],
+                 coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce,
                 desc: 'Returns vulnerabilities belonging to specified confidence level: '\
                       '`undefined`, `ignore`, `unknown`, `experimental`, `low`, `medium`, `high`, or `confirmed`. '\
                       'Defaults to all',

--- a/ee/lib/api/vulnerability_issue_links.rb
+++ b/ee/lib/api/vulnerability_issue_links.rb
 # frozen_string_literal: true

 module API
-  class VulnerabilityIssueLinks < Grape::API
+  class VulnerabilityIssueLinks < Grape::API::Instance
    include ::API::Helpers::VulnerabilitiesHooks

    helpers ::API::Helpers::VulnerabilitiesHelpers

--- a/ee/lib/ee/api/boards.rb
+++ b/ee/lib/ee/api/boards.rb
@@ -2,7 +2,7 @@

 module EE
  module API
-    class Boards < ::Grape::API
+    class Boards < ::Grape::API::Instance
      include ::API::PaginationParams
      include ::API::BoardsResponses


--- a/ee/lib/ee/api/group_boards.rb
+++ b/ee/lib/ee/api/group_boards.rb
@@ -2,7 +2,7 @@

 module EE
  module API
-    class GroupBoards < ::Grape::API
+    class GroupBoards < ::Grape::API::Instance
      include ::API::PaginationParams
      include ::API::BoardsResponses


--- a/ee/lib/ee/api/helpers/settings_helpers.rb
+++ b/ee/lib/ee/api/helpers/settings_helpers.rb
@@ -25,8 +25,8 @@ module EE
            end

            given elasticsearch_limit_indexing: ->(val) { val } do
-              optional :elasticsearch_namespace_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::LabelsList.coerce, desc: 'The namespace ids to index with Elasticsearch.'
-              optional :elasticsearch_project_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::LabelsList.coerce, desc: 'The project ids to index with Elasticsearch.'
+              optional :elasticsearch_namespace_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The namespace ids to index with Elasticsearch.'
+              optional :elasticsearch_project_ids, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'The project ids to index with Elasticsearch.'
            end

            optional :email_additional_text, type: String, desc: 'Additional text added to the bottom of every email for legal/auditing/compliance reasons'
@@ -35,7 +35,7 @@ module EE
            optional :help_text, type: String, desc: 'GitLab server administrator information'
            optional :repository_size_limit, type: Integer, desc: 'Size limit per repository (MB)'
            optional :file_template_project_id, type: Integer, desc: 'ID of project where instance-level file templates are stored.'
-            optional :repository_storages, type: Array[String], desc: 'A list of names of enabled storage paths, taken from `gitlab.yml`. New projects will be created in one of these stores, chosen at random.'
+            optional :repository_storages, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'A list of names of enabled storage paths, taken from `gitlab.yml`. New projects will be created in one of these stores, chosen at random.'
            optional :usage_ping_enabled, type: Grape::API::Boolean, desc: 'Every week GitLab will report license usage back to GitLab, Inc.'
            optional :updating_name_disabled_for_users, type: Grape::API::Boolean, desc: 'Flag indicating if users are permitted to update their profile name'
            optional :disable_overriding_approvers_per_merge_request, type: Grape::API::Boolean, desc: 'Disable Users ability to overwrite approvers in merge requests.'

--- a/ee/spec/lib/ee/api/helpers_spec.rb
+++ b/ee/spec/lib/ee/api/helpers_spec.rb
@@ -6,7 +6,7 @@ describe EE::API::Helpers do
  include Rack::Test::Methods

  let(:helper) do
-    Class.new(Grape::API) do
+    Class.new(Grape::API::Instance) do
      helpers EE::API::Helpers
      helpers API::APIGuard::HelperMethods
      helpers API::Helpers

--- a/ee/spec/requests/api/merge_request_approval_rules_spec.rb
+++ b/ee/spec/requests/api/merge_request_approval_rules_spec.rb
@@ -143,7 +143,9 @@ describe API::MergeRequestApprovalRules do
    let(:current_user) { user }
    let(:url) { "/projects/#{project.id}/merge_requests/#{merge_request.iid}/approval_rules" }
    let(:approver) { create(:user) }
+    let(:other_approver) { create(:user) }
    let(:group) { create(:group) }
+    let(:other_group) { create(:group) }
    let(:approval_project_rule_id) { nil }
    let(:user_ids) { [] }
    let(:group_ids) { [] }
@@ -166,7 +168,9 @@ describe API::MergeRequestApprovalRules do
      before do
        project.update!(disable_overriding_approvers_per_merge_request: false)
        project.add_developer(approver)
+        project.add_developer(other_approver)
        group.add_developer(approver)
+        other_group.add_developer(other_approver)

        action
      end
@@ -179,7 +183,7 @@ describe API::MergeRequestApprovalRules do

        expect(rule['name']).to eq(params[:name])
        expect(rule['approvals_required']).to eq(params[:approvals_required])
-        expect(rule['rule_type']).to eq('regular')
+        expect(rule['rule_type']).to eq('any_approver')
        expect(rule['contains_hidden_groups']).to eq(false)
        expect(rule['source_rule']).to be_nil
        expect(rule['eligible_approvers']).to be_empty
@@ -188,24 +192,24 @@ describe API::MergeRequestApprovalRules do
      end

      context 'users are passed' do
-        let(:user_ids) { [approver.id] }
+        let(:user_ids) { "#{approver.id},#{other_approver.id}" }

        it 'includes users' do
          rule = json_response

-          expect(rule['eligible_approvers']).to match([hash_including('id' => approver.id)])
-          expect(rule['users']).to match([hash_including('id' => approver.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(approver.id, other_approver.id)
+          expect(rule['users'].map { |user| user['id'] }).to contain_exactly(approver.id, other_approver.id)
        end
      end

      context 'groups are passed' do
-        let(:group_ids) { [group.id] }
+        let(:group_ids) { "#{group.id},#{other_group.id}" }

        it 'includes groups' do
          rule = json_response

-          expect(rule['eligible_approvers']).to match([hash_including('id' => approver.id)])
-          expect(rule['groups']).to match([hash_including('id' => group.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(approver.id, other_approver.id)
+          expect(rule['groups'].map { |group| group['id'] }).to contain_exactly(group.id, other_group.id)
        end
      end

@@ -257,6 +261,8 @@ describe API::MergeRequestApprovalRules do
    let(:user_ids) { [] }
    let(:group_ids) { [] }
    let(:remove_hidden_groups) { nil }
+    let(:other_approver) { create(:user) }
+    let(:other_group) { create(:group) }

    let(:params) do
      {
@@ -277,8 +283,10 @@ describe API::MergeRequestApprovalRules do
        project.update!(disable_overriding_approvers_per_merge_request: false)
        project.add_developer(existing_approver)
        project.add_developer(new_approver)
+        project.add_developer(other_approver)
        existing_group.add_developer(existing_approver)
        new_group.add_developer(new_approver)
+        other_group.add_developer(other_approver)

        action
      end
@@ -302,24 +310,24 @@ describe API::MergeRequestApprovalRules do
      end

      context 'users are passed' do
-        let(:user_ids) { [new_approver.id] }
+        let(:user_ids) { "#{new_approver.id},#{existing_approver.id}" }

        it 'changes users' do
          rule = json_response

-          expect(rule['eligible_approvers']).to match([hash_including('id' => new_approver.id)])
-          expect(rule['users']).to match([hash_including('id' => new_approver.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(new_approver.id, existing_approver.id)
+          expect(rule['users'].map { |user| user['id'] }).to contain_exactly(new_approver.id, existing_approver.id)
        end
      end

      context 'groups are passed' do
-        let(:group_ids) { [new_group.id] }
+        let(:group_ids) { "#{new_group.id},#{other_group.id}" }

        it 'changes groups' do
          rule = json_response

-          expect(rule['eligible_approvers']).to match([hash_including('id' => new_approver.id)])
-          expect(rule['groups']).to match([hash_including('id' => new_group.id)])
+          expect(rule['eligible_approvers'].map { |approver| approver['id'] }).to contain_exactly(new_approver.id, other_approver.id)
+          expect(rule['groups'].map { |group| group['id'] }).to contain_exactly(new_group.id, other_group.id)
        end
      end


--- a/ee/spec/requests/api/merge_request_approvals_spec.rb
+++ b/ee/spec/requests/api/merge_request_approvals_spec.rb
@@ -321,7 +321,7 @@ describe API::MergeRequestApprovals do
        it 'does not allow overriding approvers' do
          expect do
            put api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/approvers", current_user),
-              params: { approver_ids: [approver.id], approver_group_ids: [group.id] }
+              params: { approver_ids: approver.id.to_s, approver_group_ids: group.id.to_s }
          end.to not_change { merge_request.approvers.count }.and not_change { merge_request.approver_groups.count }
        end
      end
@@ -334,12 +334,12 @@ describe API::MergeRequestApprovals do
        it 'allows overriding approvers' do
          expect do
            put api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/approvers", current_user),
-              params: { approver_ids: [approver.id], approver_group_ids: [group.id] }
-          end.to change { merge_request.approvers.count }.from(0).to(1)
+              params: { approver_ids: "#{approver.id},#{user2.id}", approver_group_ids: "#{group.id}" }
+          end.to change { merge_request.approvers.count }.from(0).to(2)
            .and change { merge_request.approver_groups.count }.from(0).to(1)

          expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response['approvers'][0]['user']['username']).to eq(approver.username)
+          expect(json_response['approvers'].map { |approver| approver['user'] }.map { |user| user['username'] }).to contain_exactly(approver.username, user2.username)
          expect(json_response['approver_groups'][0]['group']['name']).to eq(group.name)
        end

@@ -349,7 +349,7 @@ describe API::MergeRequestApprovals do

          expect do
            put api("/projects/#{project.id}/merge_requests/#{merge_request.iid}/approvers", current_user),
-              params: { approver_ids: [], approver_group_ids: [] }.to_json, headers: { CONTENT_TYPE: 'application/json' }
+              params: { approver_ids: '', approver_group_ids: '' }.to_json, headers: { CONTENT_TYPE: 'application/json' }
          end.to change { merge_request.approvers.count }.from(1).to(0)
            .and change { merge_request.approver_groups.count }.from(1).to(0)


--- a/ee/spec/requests/api/project_approval_rules_spec.rb
+++ b/ee/spec/requests/api/project_approval_rules_spec.rb
@@ -9,6 +9,7 @@ describe API::ProjectApprovalRules do
  let_it_be(:admin) { create(:user, :admin) }
  let_it_be(:project) { create(:project, :public, :repository, creator: user, namespace: user.namespace, only_allow_merge_if_pipeline_succeeds: false) }
  let_it_be(:approver) { create(:user) }
+  let_it_be(:other_approver) { create(:user) }

  describe 'GET /projects/:id/approval_rules' do
    let(:url) { "/projects/#{project.id}/approval_rules" }

--- a/ee/spec/requests/api/project_approval_settings_spec.rb
+++ b/ee/spec/requests/api/project_approval_settings_spec.rb
@@ -9,6 +9,7 @@ describe API::ProjectApprovalSettings do
  let_it_be(:admin) { create(:user, :admin) }
  let_it_be(:project) { create(:project, :public, :repository, creator: user, namespace: user.namespace, only_allow_merge_if_pipeline_succeeds: false) }
  let_it_be(:approver) { create(:user) }
+  let_it_be(:other_approver) { create(:user) }

  describe 'GET /projects/:id/approval_settings' do
    let(:url) { "/projects/#{project.id}/approval_settings" }

--- a/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb
+++ b/ee/spec/support/shared_examples/requests/api/project_approval_rules_api_shared_examples.rb
@@ -79,6 +79,7 @@ RSpec.shared_examples 'an API endpoint for updating project approval rule' do
  shared_examples 'a user with access' do
    before do
      project.add_developer(approver)
+      project.add_developer(other_approver)
    end

    context 'when protected_branch_ids param is present' do
@@ -117,10 +118,10 @@ RSpec.shared_examples 'an API endpoint for updating project approval rule' do

    it 'sets approvers' do
      expect do
-        put api(url, current_user), params: { users: [approver.id] }
-      end.to change { approval_rule.users.count }.from(0).to(1)
+        put api(url, current_user), params: { users: "#{approver.id},#{other_approver.id}" }
+      end.to change { approval_rule.users.count }.from(0).to(2)

-      expect(approval_rule.users).to contain_exactly(approver)
+      expect(approval_rule.users).to contain_exactly(approver, other_approver)
      expect(approval_rule.groups).to be_empty

      expect(response).to have_gitlab_http_status(:ok)

--- a/lib/api/access_requests.rb
+++ b/lib/api/access_requests.rb
 # frozen_string_literal: true

 module API
-  class AccessRequests < Grape::API
+  class AccessRequests < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/lib/api/admin/sidekiq.rb
+++ b/lib/api/admin/sidekiq.rb
@@ -2,7 +2,7 @@

 module API
  module Admin
-    class Sidekiq < Grape::API
+    class Sidekiq < Grape::API::Instance
      before { authenticated_as_admin! }

      namespace 'admin' do

--- a/lib/api/api.rb
+++ b/lib/api/api.rb
 # frozen_string_literal: true

 module API
-  class API < Grape::API
+  class API < Grape::API::Instance
    include APIGuard

    LOG_FILENAME = Rails.root.join("log", "api_json.log")

--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@@ -148,7 +148,16 @@ module API
                { scope: e.scopes })
            end

-          response.finish
+          finished_response = nil
+          response.finish do |rack_response|
+            # Grape expects a Rack::Response
+            # (https://github.com/ruby-grape/grape/commit/c117bff7d22971675f4b34367d3a98bc31c8fc02),
+            # and we need to retrieve it here:
+            # https://github.com/nov/rack-oauth2/blob/40c9a99fd80486ccb8de0e4869ae384547c0d703/lib/rack/oauth2/server/abstract/error.rb#L28
+            finished_response = rack_response
+          end
+
+          finished_response
        end
      end
    end

--- a/lib/api/appearance.rb
+++ b/lib/api/appearance.rb
 # frozen_string_literal: true

 module API
-  class Appearance < Grape::API
+  class Appearance < Grape::API::Instance
    before { authenticated_as_admin! }

    helpers do

--- a/lib/api/applications.rb
+++ b/lib/api/applications.rb
@@ -2,7 +2,7 @@

 module API
  # External applications API
-  class Applications < Grape::API
+  class Applications < Grape::API::Instance
    before { authenticated_as_admin! }

    resource :applications do

--- a/lib/api/avatar.rb
+++ b/lib/api/avatar.rb
 # frozen_string_literal: true

 module API
-  class Avatar < Grape::API
+  class Avatar < Grape::API::Instance
    resource :avatar do
      desc 'Return avatar url for a user' do
        success Entities::Avatar

--- a/lib/api/award_emoji.rb
+++ b/lib/api/award_emoji.rb
 # frozen_string_literal: true

 module API
-  class AwardEmoji < Grape::API
+  class AwardEmoji < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/lib/api/badges.rb
+++ b/lib/api/badges.rb
 # frozen_string_literal: true

 module API
-  class Badges < Grape::API
+  class Badges < Grape::API::Instance
    include PaginationParams

    before { authenticate_non_get! }

--- a/lib/api/boards.rb
+++ b/lib/api/boards.rb
 # frozen_string_literal: true

 module API
-  class Boards < Grape::API
+  class Boards < Grape::API::Instance
    include BoardsResponses
    include PaginationParams


--- a/lib/api/branches.rb
+++ b/lib/api/branches.rb
@@ -3,7 +3,7 @@
 require 'mime/types'

 module API
-  class Branches < Grape::API
+  class Branches < Grape::API::Instance
    include PaginationParams

    BRANCH_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(branch: API::NO_SLASH_URL_PART_REGEX)

--- a/lib/api/broadcast_messages.rb
+++ b/lib/api/broadcast_messages.rb
 # frozen_string_literal: true

 module API
-  class BroadcastMessages < Grape::API
+  class BroadcastMessages < Grape::API::Instance
    include PaginationParams

    resource :broadcast_messages do

--- a/lib/api/commit_statuses.rb
+++ b/lib/api/commit_statuses.rb
@@ -3,7 +3,7 @@
 require 'mime/types'

 module API
-  class CommitStatuses < Grape::API
+  class CommitStatuses < Grape::API::Instance
    params do
      requires :id, type: String, desc: 'The ID of a project'
    end

--- a/lib/api/commits.rb
+++ b/lib/api/commits.rb
@@ -3,7 +3,7 @@
 require 'mime/types'

 module API
-  class Commits < Grape::API
+  class Commits < Grape::API::Instance
    include PaginationParams

    before do

--- a/lib/api/container_registry_event.rb
+++ b/lib/api/container_registry_event.rb
 # frozen_string_literal: true

 module API
-  class ContainerRegistryEvent < Grape::API
+  class ContainerRegistryEvent < Grape::API::Instance
    DOCKER_DISTRIBUTION_EVENTS_V1_JSON = 'application/vnd.docker.distribution.events.v1+json'

    before { authenticate_registry_notification! }

--- a/lib/api/deploy_keys.rb
+++ b/lib/api/deploy_keys.rb
 # frozen_string_literal: true

 module API
-  class DeployKeys < Grape::API
+  class DeployKeys < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/lib/api/deploy_tokens.rb
+++ b/lib/api/deploy_tokens.rb
 # frozen_string_literal: true

 module API
-  class DeployTokens < Grape::API
+  class DeployTokens < Grape::API::Instance
    include PaginationParams

    helpers do
@@ -54,7 +54,7 @@ module API

      params do
        requires :name, type: String, desc: "New deploy token's name"
-        requires :scopes, type: Array[String], values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
+        requires :scopes, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
          desc: 'Indicates the deploy token scopes. Must be at least one of "read_repository", "read_registry", or "write_registry".'
        optional :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
        optional :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'
@@ -117,7 +117,7 @@ module API

      params do
        requires :name, type: String, desc: 'The name of the deploy token'
-        requires :scopes, type: Array[String], values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
+        requires :scopes, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, values: ::DeployToken::AVAILABLE_SCOPES.map(&:to_s),
          desc: 'Indicates the deploy token scopes. Must be at least one of "read_repository", "read_registry", or "write_registry".'
        optional :expires_at, type: DateTime, desc: 'Expiration date for the deploy token. Does not expire if no value is provided.'
        optional :username, type: String, desc: 'Username for deploy token. Default is `gitlab+deploy-token-{n}`'

--- a/lib/api/deployments.rb
+++ b/lib/api/deployments.rb
@@ -2,7 +2,7 @@

 module API
  # Deployments RESTful API endpoints
-  class Deployments < Grape::API
+  class Deployments < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/lib/api/discussions.rb
+++ b/lib/api/discussions.rb
 # frozen_string_literal: true

 module API
-  class Discussions < Grape::API
+  class Discussions < Grape::API::Instance
    include PaginationParams
    helpers ::API::Helpers::NotesHelpers
    helpers ::RendersNotes

--- a/lib/api/environments.rb
+++ b/lib/api/environments.rb
@@ -2,7 +2,7 @@

 module API
  # Environments RESTfull API endpoints
-  class Environments < Grape::API
+  class Environments < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/lib/api/error_tracking.rb
+++ b/lib/api/error_tracking.rb
 # frozen_string_literal: true

 module API
-  class ErrorTracking < Grape::API
+  class ErrorTracking < Grape::API::Instance
    before { authenticate! }

    params do

--- a/lib/api/events.rb
+++ b/lib/api/events.rb
 # frozen_string_literal: true

 module API
-  class Events < Grape::API
+  class Events < Grape::API::Instance
    include PaginationParams
    include APIGuard
    helpers ::API::Helpers::EventsHelpers

--- a/lib/api/features.rb
+++ b/lib/api/features.rb
 # frozen_string_literal: true

 module API
-  class Features < Grape::API
+  class Features < Grape::API::Instance
    before { authenticated_as_admin! }

    helpers do

--- a/lib/api/files.rb
+++ b/lib/api/files.rb
 # frozen_string_literal: true

 module API
-  class Files < Grape::API
+  class Files < Grape::API::Instance
    include APIGuard

    FILE_ENDPOINT_REQUIREMENTS = API::NAMESPACE_OR_PROJECT_REQUIREMENTS.merge(file_path: API::NO_SLASH_URL_PART_REGEX)

--- a/lib/api/group_boards.rb
+++ b/lib/api/group_boards.rb
 # frozen_string_literal: true

 module API
-  class GroupBoards < Grape::API
+  class GroupBoards < Grape::API::Instance
    include BoardsResponses
    include PaginationParams


--- a/lib/api/group_clusters.rb
+++ b/lib/api/group_clusters.rb
 # frozen_string_literal: true

 module API
-  class GroupClusters < Grape::API
+  class GroupClusters < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/lib/api/group_container_repositories.rb
+++ b/lib/api/group_container_repositories.rb
 # frozen_string_literal: true

 module API
-  class GroupContainerRepositories < Grape::API
+  class GroupContainerRepositories < Grape::API::Instance
    include PaginationParams

    before { authorize_read_group_container_images! }

--- a/lib/api/group_export.rb
+++ b/lib/api/group_export.rb
 # frozen_string_literal: true

 module API
-  class GroupExport < Grape::API
+  class GroupExport < Grape::API::Instance
    before do
      not_found! unless Feature.enabled?(:group_import_export, user_group, default_enabled: true)


--- a/lib/api/group_import.rb
+++ b/lib/api/group_import.rb
 # frozen_string_literal: true

 module API
-  class GroupImport < Grape::API
+  class GroupImport < Grape::API::Instance
    MAXIMUM_FILE_SIZE = 50.megabytes.freeze

    helpers do

--- a/lib/api/group_labels.rb
+++ b/lib/api/group_labels.rb
 # frozen_string_literal: true

 module API
-  class GroupLabels < Grape::API
+  class GroupLabels < Grape::API::Instance
    include PaginationParams
    helpers ::API::Helpers::LabelHelpers


--- a/lib/api/group_milestones.rb
+++ b/lib/api/group_milestones.rb
 # frozen_string_literal: true

 module API
-  class GroupMilestones < Grape::API
+  class GroupMilestones < Grape::API::Instance
    include MilestoneResponses
    include PaginationParams


--- a/lib/api/group_variables.rb
+++ b/lib/api/group_variables.rb
 # frozen_string_literal: true

 module API
-  class GroupVariables < Grape::API
+  class GroupVariables < Grape::API::Instance
    include PaginationParams

    before { authenticate! }

--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
 # frozen_string_literal: true

 module API
-  class Groups < Grape::API
+  class Groups < Grape::API::Instance
    include PaginationParams
    include Helpers::CustomAttributes

@@ -16,7 +16,7 @@ module API

      params :group_list_params do
        use :statistics_params
-        optional :skip_groups, type: Array[Integer], desc: 'Array of group ids to exclude from list'
+        optional :skip_groups, type: Array[Integer], coerce_with: ::API::Validations::Types::CommaSeparatedToIntegerArray.coerce, desc: 'Array of group ids to exclude from list'
        optional :all_available, type: Boolean, desc: 'Show all group that you have access to'
        optional :search, type: String, desc: 'Search for a specific group'
        optional :owned, type: Boolean, default: false, desc: 'Limit by owned by authenticated user'

--- a/lib/api/helpers/merge_requests_helpers.rb
+++ b/lib/api/helpers/merge_requests_helpers.rb
@@ -24,7 +24,7 @@ module API
        optional :milestone, type: String, desc: 'Return merge requests for a specific milestone'
        optional :labels,
                 type: Array[String],
-                 coerce_with: Validations::Types::LabelsList.coerce,
+                 coerce_with: Validations::Types::CommaSeparatedToArray.coerce,
                 desc: 'Comma-separated list of label names'
        optional :with_labels_details, type: Boolean, desc: 'Return titles of labels and other details', default: false
        optional :created_after, type: DateTime, desc: 'Return merge requests created after the specified time'

--- a/lib/api/helpers/projects_helpers.rb
+++ b/lib/api/helpers/projects_helpers.rb
@@ -44,7 +44,7 @@ module API
        optional :request_access_enabled, type: Boolean, desc: 'Allow users to request member access'
        optional :only_allow_merge_if_pipeline_succeeds, type: Boolean, desc: 'Only allow to merge if builds succeed'
        optional :only_allow_merge_if_all_discussions_are_resolved, type: Boolean, desc: 'Only allow to merge if all discussions are resolved'
-        optional :tag_list, type: Array[String], desc: 'The list of tags for a project'
+        optional :tag_list, type: Array[String], coerce_with: ::API::Validations::Types::CommaSeparatedToArray.coerce, desc: 'The list of tags for a project'
        # TODO: remove rubocop disable - https://gitlab.com/gitlab-org/gitlab/issues/14960
        optional :avatar, type: File, desc: 'Avatar image for project' # rubocop:disable Scalability/FileUploads
        optional :printing_merge_request_link_enabled, type: Boolean, desc: 'Show link to create/view merge request when pushing from the command line'

--- a/lib/api/import_github.rb
+++ b/lib/api/import_github.rb
 # frozen_string_literal: true

 module API
-  class ImportGithub < Grape::API
+  class ImportGithub < Grape::API::Instance
    rescue_from Octokit::Unauthorized, with: :provider_unauthorized

    helpers do

--- a/lib/api/internal/base.rb
+++ b/lib/api/internal/base.rb
--- a/lib/api/internal/pages.rb
+++ b/lib/api/internal/pages.rb
--- a/lib/api/issues.rb
+++ b/lib/api/issues.rb
--- a/lib/api/job_artifacts.rb
+++ b/lib/api/job_artifacts.rb
--- a/lib/api/jobs.rb
+++ b/lib/api/jobs.rb
--- a/lib/api/keys.rb
+++ b/lib/api/keys.rb
--- a/lib/api/labels.rb
+++ b/lib/api/labels.rb
--- a/lib/api/lint.rb
+++ b/lib/api/lint.rb
--- a/lib/api/lsif_data.rb
+++ b/lib/api/lsif_data.rb
--- a/lib/api/markdown.rb
+++ b/lib/api/markdown.rb
--- a/lib/api/members.rb
+++ b/lib/api/members.rb
--- a/lib/api/merge_request_diffs.rb
+++ b/lib/api/merge_request_diffs.rb
--- a/lib/api/merge_requests.rb
+++ b/lib/api/merge_requests.rb
--- a/lib/api/metrics/dashboard/annotations.rb
+++ b/lib/api/metrics/dashboard/annotations.rb
--- a/lib/api/milestone_responses.rb
+++ b/lib/api/milestone_responses.rb
--- a/lib/api/namespaces.rb
+++ b/lib/api/namespaces.rb
--- a/lib/api/notes.rb
+++ b/lib/api/notes.rb
--- a/lib/api/notification_settings.rb
+++ b/lib/api/notification_settings.rb
--- a/lib/api/pages.rb
+++ b/lib/api/pages.rb
--- a/lib/api/pages_domains.rb
+++ b/lib/api/pages_domains.rb
--- a/lib/api/pagination_params.rb
+++ b/lib/api/pagination_params.rb
--- a/lib/api/pipeline_schedules.rb
+++ b/lib/api/pipeline_schedules.rb
--- a/lib/api/pipelines.rb
+++ b/lib/api/pipelines.rb
--- a/lib/api/project_clusters.rb
+++ b/lib/api/project_clusters.rb
--- a/lib/api/project_container_repositories.rb
+++ b/lib/api/project_container_repositories.rb
--- a/lib/api/project_events.rb
+++ b/lib/api/project_events.rb
--- a/lib/api/project_export.rb
+++ b/lib/api/project_export.rb
--- a/lib/api/project_hooks.rb
+++ b/lib/api/project_hooks.rb
--- a/lib/api/project_import.rb
+++ b/lib/api/project_import.rb
--- a/lib/api/project_milestones.rb
+++ b/lib/api/project_milestones.rb
--- a/lib/api/project_snapshots.rb
+++ b/lib/api/project_snapshots.rb
--- a/lib/api/project_snippets.rb
+++ b/lib/api/project_snippets.rb
--- a/lib/api/project_statistics.rb
+++ b/lib/api/project_statistics.rb
--- a/lib/api/project_templates.rb
+++ b/lib/api/project_templates.rb
--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
--- a/lib/api/protected_branches.rb
+++ b/lib/api/protected_branches.rb
--- a/lib/api/protected_tags.rb
+++ b/lib/api/protected_tags.rb
--- a/lib/api/release/links.rb
+++ b/lib/api/release/links.rb
--- a/lib/api/releases.rb
+++ b/lib/api/releases.rb
--- a/lib/api/remote_mirrors.rb
+++ b/lib/api/remote_mirrors.rb
--- a/lib/api/repositories.rb
+++ b/lib/api/repositories.rb
--- a/lib/api/resource_label_events.rb
+++ b/lib/api/resource_label_events.rb
--- a/lib/api/runner.rb
+++ b/lib/api/runner.rb
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
--- a/lib/api/search.rb
+++ b/lib/api/search.rb
--- a/lib/api/services.rb
+++ b/lib/api/services.rb
--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
--- a/lib/api/sidekiq_metrics.rb
+++ b/lib/api/sidekiq_metrics.rb
--- a/lib/api/snippets.rb
+++ b/lib/api/snippets.rb
--- a/lib/api/statistics.rb
+++ b/lib/api/statistics.rb
--- a/lib/api/submodules.rb
+++ b/lib/api/submodules.rb
--- a/lib/api/subscriptions.rb
+++ b/lib/api/subscriptions.rb
--- a/lib/api/suggestions.rb
+++ b/lib/api/suggestions.rb
--- a/lib/api/system_hooks.rb
+++ b/lib/api/system_hooks.rb
--- a/lib/api/tags.rb
+++ b/lib/api/tags.rb
--- a/lib/api/templates.rb
+++ b/lib/api/templates.rb
--- a/lib/api/terraform/state.rb
+++ b/lib/api/terraform/state.rb
--- a/lib/api/todos.rb
+++ b/lib/api/todos.rb
--- a/lib/api/triggers.rb
+++ b/lib/api/triggers.rb
--- a/lib/api/user_counts.rb
+++ b/lib/api/user_counts.rb
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
--- a/lib/api/validations/types/comma_separated_to_array.rb
+++ b/lib/api/validations/types/comma_separated_to_array.rb
--- a/lib/api/validations/types/labels_list.rb
+++ b/lib/api/validations/types/labels_list.rb
--- a/lib/api/validations/types/safe_file.rb
+++ b/lib/api/validations/types/safe_file.rb
--- a/lib/api/validations/types/workhorse_file.rb
+++ b/lib/api/validations/types/workhorse_file.rb
--- a/lib/api/variables.rb
+++ b/lib/api/variables.rb
--- a/lib/api/version.rb
+++ b/lib/api/version.rb
--- a/lib/api/wikis.rb
+++ b/lib/api/wikis.rb
--- a/rubocop/cop/api/grape_api_instance.rb
+++ b/rubocop/cop/api/grape_api_instance.rb
--- a/rubocop/cop/api/grape_array_missing_coerce.rb
+++ b/rubocop/cop/api/grape_array_missing_coerce.rb
--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
--- a/spec/rubocop/cop/api/grape_api_instance_spec.rb
+++ b/spec/rubocop/cop/api/grape_api_instance_spec.rb
--- a/spec/rubocop/cop/api/grape_array_missing_coerce_spec.rb
+++ b/spec/rubocop/cop/api/grape_array_missing_coerce_spec.rb
--- a/spec/rubocop/cop/code_reuse/worker_spec.rb
+++ b/spec/rubocop/cop/code_reuse/worker_spec.rb