Add latest changes from gitlab-org/gitlab@master

5564275a · GitLab Bot · d8791851 · 5564275a · 5564275a · 5564275a
Commit 5564275a authored 5 years ago by GitLab Bot
--- a/changelogs/unreleased/13904-tab-width-option.yml
+++ b/changelogs/unreleased/13904-tab-width-option.yml
+---
+title: Add tab width option to user preferences
+merge_request: 22063
+author: Alexander Oleynikov
+type: added
--- a/changelogs/unreleased/197311-board-list-wip-limit-distorted-when-board-list-is-scoped-to-an-ass.yml
+++ b/changelogs/unreleased/197311-board-list-wip-limit-distorted-when-board-list-is-scoped-to-an-ass.yml
+---
+title: Fix issue count wrapping on board list
+merge_request:
+author:
+type: fixed
--- a/changelogs/unreleased/21765-group-token-architecture.yml
+++ b/changelogs/unreleased/21765-group-token-architecture.yml
+---
+title: Update deploy token architecture to introduce group-level deploy tokens.
+merge_request: 23460
+author:
+type: added
--- a/changelogs/unreleased/26247-junit-xml-tests-mis-present-the-test-execution-time-from-test-cases.yml
+++ b/changelogs/unreleased/26247-junit-xml-tests-mis-present-the-test-execution-time-from-test-cases.yml
+---
+title: Label MR test modal execution time as seconds
+merge_request: 24019
+author:
+type: fixed
--- a/changelogs/unreleased/37012-jira-dvcs-error.yml
+++ b/changelogs/unreleased/37012-jira-dvcs-error.yml
+---
+title: Fix JIRA DVCS retrieving repositories
+merge_request: 23180
+author:
+type: fixed
--- a/changelogs/unreleased/39474-unable-to-view-project-audit-events-statement-timeouts.yml
+++ b/changelogs/unreleased/39474-unable-to-view-project-audit-events-statement-timeouts.yml
+---
+title: Add index to audit_events (entity_id, entity_type, id)
+merge_request: 23998
+author:
+type: performance
--- a/changelogs/unreleased/fix-duplicated-user-popover.yml
+++ b/changelogs/unreleased/fix-duplicated-user-popover.yml
+---
+title: Fix duplicated user popovers
+merge_request: 24405
+author:
+type: fixed
--- a/changelogs/unreleased/fix-quoted-printable-unicode-in-mails.yml
+++ b/changelogs/unreleased/fix-quoted-printable-unicode-in-mails.yml
+---
+title: Fix quoted-printable encoding for unicode and newlines in mails
+merge_request: 24153
+author: Diego Louzán
+type: fixed
--- a/config/initializers/mail_encoding_patch.rb
+++ b/config/initializers/mail_encoding_patch.rb
+# Monkey patch mail 2.7.1 to fix quoted-printable issues with newlines
+# The issues upstream invalidate SMIME signatures under some conditions
+# This was working properly in 2.6.6
+#
+# See https://gitlab.com/gitlab-org/gitlab/issues/197386
+# See https://github.com/mikel/mail/issues/1190
+
+module Mail
+  module Encodings
+    # PATCH
+    # This reverts https://github.com/mikel/mail/pull/1113, which solves some
+    # encoding issues with binary attachments encoded in quoted-printable, but
+    # unfortunately breaks re-encoding of messages
+    class QuotedPrintable < SevenBit
+      def self.decode(str)
+        ::Mail::Utilities.to_lf str.gsub(/(?:=0D=0A|=0D|=0A)\r\n/, "\r\n").unpack1("M*")
+      end
+
+      def self.encode(str)
+        ::Mail::Utilities.to_crlf([::Mail::Utilities.to_lf(str)].pack("M"))
+      end
+    end
+  end
+
+  class Body
+    def encoded(transfer_encoding = nil, charset = nil)
+      # PATCH
+      # Use provided parameter charset (from parent Message) if not nil,
+      # otherwise use own self.charset
+      # Required because the Message potentially has on its headers the charset
+      # that needs to be used (e.g. 'Content-Type: text/plain; charset=UTF-8')
+      charset = self.charset if charset.nil?
+
+      if multipart?
+        self.sort_parts!
+        encoded_parts = parts.map { |p| p.encoded }
+        ([preamble] + encoded_parts).join(crlf_boundary) + end_boundary + epilogue.to_s
+      else
+        dec = Mail::Encodings.get_encoding(encoding)
+        enc = if Utilities.blank?(transfer_encoding)
+                dec
+              else
+                negotiate_best_encoding(transfer_encoding)
+              end
+
+        if dec.nil?
+          # Cannot decode, so skip normalization
+          raw_source
+        else
+          # Decode then encode to normalize and allow transforming
+          # from base64 to Q-P and vice versa
+          decoded = dec.decode(raw_source)
+
+          if defined?(Encoding) && charset && charset != "US-ASCII"
+            # PATCH
+            # We need to force the encoding: in the case of quoted-printable
+            # this will throw an exception otherwise, because `decoded` will have
+            # an encoding of BINARY (or its equivalent ASCII-8BIT),
+            # coming from QuotedPrintable#decode, and inside it from String#unpack1
+            decoded = decoded.force_encoding(charset)
+            decoded.force_encoding('BINARY') unless Encoding.find(charset).ascii_compatible?
+          end
+
+          enc.encode(decoded)
+        end
+      end
+    end
+  end
+
+  class Message
+    def encoded
+      ready_to_send!
+      buffer = header.encoded
+      buffer << "\r\n"
+      # PATCH
+      # Pass the Message charset down to the contained Body, the headers
+      # potentially contain the charset needed to be applied
+      buffer << body.encoded(content_transfer_encoding, charset)
+      buffer
+    end
+  end
+end
--- a/db/migrate/20191217165641_add_saml_provider_prohibited_outer_forks.rb
+++ b/db/migrate/20191217165641_add_saml_provider_prohibited_outer_forks.rb
+# frozen_string_literal: true
+
+class AddSamlProviderProhibitedOuterForks < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :saml_providers, :prohibited_outer_forks, :boolean, default: false, allow_null: true
+  end
+
+  def down
+    remove_column :saml_providers, :prohibited_outer_forks
+  end
+end
--- a/db/migrate/20191218190253_add_tab_width_to_user_preferences.rb
+++ b/db/migrate/20191218190253_add_tab_width_to_user_preferences.rb
+# frozen_string_literal: true
+
+class AddTabWidthToUserPreferences < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def change
+    add_column(:user_preferences, :tab_width, :integer, limit: 2)
+  end
+end
--- a/db/migrate/20200121200203_create_group_deploy_tokens.rb
+++ b/db/migrate/20200121200203_create_group_deploy_tokens.rb
+# frozen_string_literal: true
+
+class CreateGroupDeployTokens < ActiveRecord::Migration[5.2]
+  DOWNTIME = false
+
+  def change
+    create_table :group_deploy_tokens do |t|
+      t.timestamps_with_timezone null: false
+
+      t.references :group, index: false, null: false, foreign_key: { to_table: :namespaces, on_delete: :cascade }
+      t.references :deploy_token, null: false, foreign_key: { on_delete: :cascade }
+
+      t.index [:group_id, :deploy_token_id], unique: true, name: 'index_group_deploy_tokens_on_group_and_deploy_token_ids'
+    end
+  end
+end
--- a/db/migrate/20200129172428_add_index_on_audit_events_id_desc.rb
+++ b/db/migrate/20200129172428_add_index_on_audit_events_id_desc.rb
+# frozen_string_literal: true
+
+class AddIndexOnAuditEventsIdDesc < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+  OLD_INDEX_NAME = 'index_audit_events_on_entity_id_and_entity_type'
+  NEW_INDEX_NAME = 'index_audit_events_on_entity_id_and_entity_type_and_id_desc'
+
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_index :audit_events, [:entity_id, :entity_type, :id], name: NEW_INDEX_NAME,
+      order: { entity_id: :asc, entity_type: :asc, id: :desc }
+
+    remove_concurrent_index_by_name :audit_events, OLD_INDEX_NAME
+  end
+
+  def down
+    add_concurrent_index :audit_events, [:entity_id, :entity_type], name: OLD_INDEX_NAME
+
+    remove_concurrent_index_by_name :audit_events, NEW_INDEX_NAME
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -465,7 +465,7 @@ ActiveRecord::Schema.define(version: 2020_02_04_131054) do
    t.datetime "created_at"
    t.datetime "updated_at"
    t.index ["created_at", "author_id"], name: "analytics_index_audit_events_on_created_at_and_author_id"
-    t.index ["entity_id", "entity_type"], name: "index_audit_events_on_entity_id_and_entity_type"
+    t.index ["entity_id", "entity_type", "id"], name: "index_audit_events_on_entity_id_and_entity_type_and_id_desc", order: { id: :desc }
  end
  
  create_table "award_emoji", id: :serial, force: :cascade do |t|
@@ -1979,6 +1979,15 @@ ActiveRecord::Schema.define(version: 2020_02_04_131054) do
    t.index ["user_id"], name: "index_group_deletion_schedules_on_user_id"
  end
  
+  create_table "group_deploy_tokens", force: :cascade do |t|
+    t.datetime_with_timezone "created_at", null: false
+    t.datetime_with_timezone "updated_at", null: false
+    t.bigint "group_id", null: false
+    t.bigint "deploy_token_id", null: false
+    t.index ["deploy_token_id"], name: "index_group_deploy_tokens_on_deploy_token_id"
+    t.index ["group_id", "deploy_token_id"], name: "index_group_deploy_tokens_on_group_and_deploy_token_ids", unique: true
+  end
+
  create_table "group_group_links", force: :cascade do |t|
    t.datetime_with_timezone "created_at", null: false
    t.datetime_with_timezone "updated_at", null: false
@@ -3735,6 +3744,7 @@ ActiveRecord::Schema.define(version: 2020_02_04_131054) do
    t.string "sso_url", null: false
    t.boolean "enforced_sso", default: false, null: false
    t.boolean "enforced_group_managed_accounts", default: false, null: false
+    t.boolean "prohibited_outer_forks", default: false, null: false
    t.index ["group_id"], name: "index_saml_providers_on_group_id"
  end
  
@@ -4133,6 +4143,7 @@ ActiveRecord::Schema.define(version: 2020_02_04_131054) do
    t.boolean "sourcegraph_enabled"
    t.boolean "setup_for_company"
    t.boolean "render_whitespace_in_code"
+    t.integer "tab_width", limit: 2
    t.index ["user_id"], name: "index_user_preferences_on_user_id", unique: true
  end
  
@@ -4691,6 +4702,8 @@ ActiveRecord::Schema.define(version: 2020_02_04_131054) do
  add_foreign_key "group_custom_attributes", "namespaces", column: "group_id", on_delete: :cascade
  add_foreign_key "group_deletion_schedules", "namespaces", column: "group_id", on_delete: :cascade
  add_foreign_key "group_deletion_schedules", "users", name: "fk_11e3ebfcdd", on_delete: :cascade
+  add_foreign_key "group_deploy_tokens", "deploy_tokens", on_delete: :cascade
+  add_foreign_key "group_deploy_tokens", "namespaces", column: "group_id", on_delete: :cascade
  add_foreign_key "group_group_links", "namespaces", column: "shared_group_id", on_delete: :cascade
  add_foreign_key "group_group_links", "namespaces", column: "shared_with_group_id", on_delete: :cascade
  add_foreign_key "identities", "saml_providers", name: "fk_aade90f0fc", on_delete: :cascade

--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -487,7 +487,7 @@ Parameters:
 | `two_factor_grace_period`            | integer | no       | Time before Two-factor authentication is enforced (in hours). |
 | `project_creation_level`             | string  | no       | Determine if developers can create projects in the group. Can be `noone` (No one), `maintainer` (Maintainers), or `developer` (Developers + Maintainers). |
 | `auto_devops_enabled`                | boolean | no       | Default to Auto DevOps pipeline for all projects within this group. |
-| `subgroup_creation_level`            | integer | no       | Allowed to create subgroups. Can be `owner` (Owners), or `maintainer` (Maintainers). |
+| `subgroup_creation_level`            | string  | no       | Allowed to create subgroups. Can be `owner` (Owners), or `maintainer` (Maintainers). |
 | `emails_disabled`                    | boolean | no       | Disable email notifications |
 | `mentions_disabled`                  | boolean | no       | Disable the capability of a group from getting mentioned |
 | `lfs_enabled`                        | boolean | no       | Enable/disable Large File Storage (LFS) for the projects in this group. |
@@ -533,7 +533,7 @@ PUT /groups/:id
 | `two_factor_grace_period`            | integer | no       | Time before Two-factor authentication is enforced (in hours). |
 | `project_creation_level`             | string  | no       | Determine if developers can create projects in the group. Can be `noone` (No one), `maintainer` (Maintainers), or `developer` (Developers + Maintainers). |
 | `auto_devops_enabled`                | boolean | no       | Default to Auto DevOps pipeline for all projects within this group. |
-| `subgroup_creation_level`            | integer | no       | Allowed to create subgroups. Can be `owner` (Owners), or `maintainer` (Maintainers). |
+| `subgroup_creation_level`            | string  | no       | Allowed to create subgroups. Can be `owner` (Owners), or `maintainer` (Maintainers). |
 | `emails_disabled`                    | boolean | no       | Disable email notifications |
 | `mentions_disabled`                  | boolean | no       | Disable the capability of a group from getting mentioned |
 | `lfs_enabled` (optional)             | boolean | no       | Enable/disable Large File Storage (LFS) for the projects in this group. |

--- a/doc/ci/yaml/README.md
+++ b/doc/ci/yaml/README.md
@@ -1970,7 +1970,7 @@ job:
 > Introduced in GitLab 8.9 and GitLab Runner v1.3.0.
  
 `expire_in` allows you to specify how long artifacts should live before they
-expire and therefore deleted, counting from the time they are uploaded and
+expire and are therefore deleted, counting from the time they are uploaded and
 stored on GitLab. If the expiry time is not defined, it defaults to the
 [instance wide setting](../../user/admin_area/settings/continuous_integration.md#default-artifacts-expiration-core-only)
 (30 days by default, forever on GitLab.com).

--- a/doc/topics/autodevops/index.md
+++ b/doc/topics/autodevops/index.md
@@ -762,6 +762,39 @@ networkPolicy:
            app.gitlab.com/managed_by: gitlab
 ```
  
+#### Web Application Firewall (ModSecurity) customization
+
+> [Introduced](https://gitlab.com/gitlab-org/charts/auto-deploy-app/-/merge_requests/44) in GitLab 12.8.
+
+Customization on an [Ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/) or on a deployment base is available for clusters with [ModSecurity installed](../../user/clusters/applications.md#web-application-firewall-modsecurity).
+
+To enable ModSecurity with Auto Deploy, you need to create a `.gitlab/auto-deploy-values.yaml` file in your project with the following attributes.
+
+|Attribute | Description | Default |
+-----------|-------------|---------|
+|`enabled` | Enables custom configuration for modsecurity, defaulting to the [Core Rule Set](https://coreruleset.org/) | `false` |
+|`secRuleEngine` | Configures the [rules engine](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#secruleengine) | `DetectionOnly` |
+|`secRules` | Creates one or more additional [rule](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-(v2.x)#SecRule) | `nil` |
+
+In the following `auto-deploy-values.yaml` example, some custom settings
+are enabled for ModSecurity. Those include setting its engine to
+process rules instead of only logging them, while adding two specific
+rules which are header-based:
+
+```yaml
+ingress:
+  modSecurity:
+    enabled: true
+    secRuleEngine: "On"
+    secRules:
+      - variable: "REQUEST_HEADERS:User-Agent"
+        operator: "printer"
+        action: "log,deny,id:'2010',status:403,msg:'printer is an invalid agent'"
+      - variable: "REQUEST_HEADERS:Content-Type"
+        operator: "text/plain"
+        action: "log,deny,id:'2011',status:403,msg:'Text is not supported as content type'"
+```
+
 #### Running commands in the container
  
 Applications built with [Auto Build](#auto-build) using Herokuish, the default

--- a/doc/user/application_security/dependency_list/index.md
+++ b/doc/user/application_security/dependency_list/index.md
@@ -5,7 +5,7 @@
 The Dependency list allows you to see your project's dependencies, and key
 details about them, including their known vulnerabilities. To see it,
 navigate to **Security & Compliance > Dependency List** in your project's
-sidebar.
+sidebar. This information is sometimes referred to as a Software Bill of Materials or SBoM / BOM.
  
 ## Requirements
  

--- a/doc/user/application_security/sast/index.md
+++ b/doc/user/application_security/sast/index.md
@@ -454,6 +454,12 @@ CI/CD configuration file to turn it on. Results are available in the SAST report
  
 GitLab currently includes [Gitleaks](https://github.com/zricethezav/gitleaks) and [TruffleHog](https://github.com/dxa4481/truffleHog) checks.
  
+NOTE: **Note:**
+The secrets analyzer will ignore "Password in URL" vulnerabilities if the password begins
+with a dollar sign (`$`) as this likely indicates the password being used is an environment
+variable. For example, `https://username:$password@example.com/path/to/repo` will not be
+detected, whereas `https://username:password@example.com/path/to/repo` would be detected.
+
 ## Security Dashboard
  
 The Security Dashboard is a good place to get an overview of all the security

--- a/doc/user/profile/preferences.md
+++ b/doc/user/profile/preferences.md
@@ -108,6 +108,15 @@ You can choose between 3 options:
 - Readme
 - Activity
  
+### Tab width
+
+You can set the displayed width of tab characters across various parts of
+GitLab, for example, blobs, diffs, and snippets.
+
+NOTE: **Note:**
+Some parts of GitLab do not respect this setting, including the WebIDE, file
+editor and Markdown editor.
+
 ## Localization
  
 ### Language