Add latest changes from gitlab-org/gitlab@master

changelogs/unreleased/stop-liveness-check-returning-incorrect-data.yml

+---
+title: Changes response body of liveness check to be more accurate
+merge_request: 17655
+author:
+type: changed

changelogs/unreleased/winh-related-issues-border.yml

 ---
 title: Redo fix for related issues border radius
-merge_request: 17172
+merge_request: 17480
 author:
 type: fixed

config/initializers/google_api_client.rb

@@ -6,7 +6,7 @@
 # as a workaround until this is resolved.
 #
 # This can be removed once fog-google and google-api-client can be upgraded.
-# See https://gitlab.com/gitlab-org/gitlab-ce/issues/66630 for more details.
+# See https://gitlab.com/gitlab-org/gitlab/issues/31280 for more details.
 #
 require 'google/apis/container_v1beta1'

config/routes/admin.rb

@@ -21,6 +21,10 @@ namespace :admin do
     end
   end
+  resource :session, only: [:new, :create] do
+    get 'destroy', action: :destroy, as: :destroy
+  end
+
   resource :impersonation, only: :destroy
   resources :abuse_reports, only: [:index, :destroy]

doc/administration/raketasks/uploads/migrate.md

@@ -125,7 +125,7 @@ CAUTION: **Warning:**
    **Extended downtime is required** so no new files are created in object storage during
    the migration. A configuration setting will be added soon to allow migrating
    from object storage to local files with only a brief moment of downtime for configuration changes.
-   See issue [gitlab-org/gitlab-ce#66144](https://gitlab.com/gitlab-org/gitlab-ce/issues/66144)
+   See issue [gitlab-org/gitlab#30979](https://gitlab.com/gitlab-org/gitlab/issues/30979)
 ### All-in-one rake task

doc/user/admin_area/monitoring/health_check.md

@@ -116,28 +116,11 @@ curl 'https://gitlab.example.com/-/liveness'
 Example response:
-On success, the endpoint will return a valid successful HTTP status code, and a response like below.
+On success, the endpoint will return a `200` HTTP status code, and a response like below.
 ```json
 {
-   "db_check":{
-      "status":"ok"
-   },
-   "redis_check":{
-      "status":"ok"
-   },
-   "cache_check":{
-      "status":"ok"
-   },
-   "queues_check":{
-      "status":"ok"
-   },
-   "shared_state_check":{
-      "status":"ok"
-   },
-   "gitaly_check":{
-      "status":"ok"
-   }
+   "status": "ok"
 }
 ```

doc/user/group/subgroups/index.md

@@ -4,7 +4,7 @@ type: reference, howto, concepts
 # Subgroups
->[Introduced](https://gitlab.com/gitlab-org/gitlab-ce/issues/2772) in GitLab 9.0.
+>[Introduced](https://gitlab.com/gitlab-org/gitlab-foss/issues/2772) in GitLab 9.0.
 Subgroups, also known as nested groups or hierarchical groups, allow you to have up to 20
 levels of groups.

jest.config.js

@@ -3,7 +3,7 @@ const IS_EE = require('./config/helpers/is_ee_env');
 const reporters = ['default'];
 // To have consistent date time parsing both in local and CI environments we set
-// the timezone of the Node process. https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/27738
+// the timezone of the Node process. https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/27738
 process.env.TZ = 'GMT';
 if (process.env.CI) {

lib/api/api_guard.rb

@@ -17,6 +17,8 @@ module API
         request.access_token
       end
+      use AdminModeMiddleware
+
       helpers HelperMethods
       install_error_responders(base)
@@ -52,6 +54,11 @@ module API
           forbidden!(api_access_denied_message(user))
         end
+        # Set admin mode for API requests (if admin)
+        if Feature.enabled?(:user_mode_in_session)
+          Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(skip_password_validation: true)
+        end
+
         user
       end
@@ -141,5 +148,22 @@ module API
         end
       end
     end
+
+    class AdminModeMiddleware < ::Grape::Middleware::Base
+      def initialize(app, **options)
+        super
+      end
+
+      def call(env)
+        if Feature.enabled?(:user_mode_in_session)
+          session = {}
+          Gitlab::Session.with_session(session) do
+            app.call(env)
+          end
+        else
+          app.call(env)
+        end
+      end
+    end
   end
 end

lib/api/entities.rb

@@ -1052,7 +1052,7 @@ module API
       expose :job_events
       # Expose serialized properties
       expose :properties do |service, options|
-        # TODO: Simplify as part of https://gitlab.com/gitlab-org/gitlab-ce/issues/63084
+        # TODO: Simplify as part of https://gitlab.com/gitlab-org/gitlab/issues/29404
         if service.data_fields_present?
           service.data_fields.as_json.slice(*service.api_field_names)
         else

lib/gitlab/auth/current_user_mode.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    # Keeps track of the current session user mode
+    #
+    # In order to perform administrative tasks over some interfaces,
+    # an administrator must have explicitly enabled admin-mode
+    # e.g. on web access require re-authentication
+    class CurrentUserMode
+      SESSION_STORE_KEY = :current_user_mode
+      ADMIN_MODE_START_TIME_KEY = 'admin_mode'
+      MAX_ADMIN_MODE_TIME = 6.hours
+
+      def initialize(user)
+        @user = user
+      end
+
+      def admin_mode?
+        return false unless user
+
+        Gitlab::SafeRequestStore.fetch(request_store_key) do
+          user&.admin? && any_session_with_admin_mode?
+        end
+      end
+
+      def enable_admin_mode!(password: nil, skip_password_validation: false)
+        return unless user&.admin?
+        return unless skip_password_validation || user&.valid_password?(password)
+
+        current_session_data[ADMIN_MODE_START_TIME_KEY] = Time.now
+      end
+
+      def disable_admin_mode!
+        current_session_data[ADMIN_MODE_START_TIME_KEY] = nil
+        Gitlab::SafeRequestStore.delete(request_store_key)
+      end
+
+      private
+
+      attr_reader :user
+
+      def request_store_key
+        @request_store_key ||= { res: :current_user_mode, user: user.id }
+      end
+
+      def current_session_data
+        @current_session ||= Gitlab::NamespacedSessionStore.new(SESSION_STORE_KEY)
+      end
+
+      def any_session_with_admin_mode?
+        return true if current_session_data.initiated? && current_session_data[ADMIN_MODE_START_TIME_KEY].to_i > MAX_ADMIN_MODE_TIME.ago.to_i
+
+        all_sessions.any? do |session|
+          session[ADMIN_MODE_START_TIME_KEY].to_i > MAX_ADMIN_MODE_TIME.ago.to_i
+        end
+      end
+
+      def all_sessions
+        @all_sessions ||= ActiveSession.list_sessions(user).lazy.map do |session|
+          Gitlab::NamespacedSessionStore.new(SESSION_STORE_KEY, session.with_indifferent_access )
+        end
+      end
+    end
+  end
+end

lib/gitlab/file_type_detection.rb

@@ -12,7 +12,7 @@
 # We use Workhorse to detect the real extension when we serve files with
 # the `SendsBlob` helper methods, and ask Workhorse to set the content
 # type when it serves the file:
-# https://gitlab.com/gitlab-org/gitlab-ce/blob/33e5955/app/helpers/workhorse_helper.rb#L48.
+# https://gitlab.com/gitlab-org/gitlab/blob/33e5955/app/helpers/workhorse_helper.rb#L48.
 #
 # Because Workhorse has access to the content when it is downloaded, if
 # the type/extension doesn't match the real type, we adjust the

lib/gitlab/health_checks/base_abstract_check.rb

@@ -15,10 +15,6 @@ module Gitlab
         raise NotImplementedError
       end
-      def liveness
-        HealthChecks::Result.new(true)
-      end
-
       def metrics
         []
       end

lib/gitlab/usage_data.rb

@@ -187,7 +187,7 @@ module Gitlab
           .find_in_batches(batch_size: BATCH_SIZE) do |services|
           counts = services.group_by do |service|
-            # TODO: Simplify as part of https://gitlab.com/gitlab-org/gitlab-ce/issues/63084
+            # TODO: Simplify as part of https://gitlab.com/gitlab-org/gitlab/issues/29404
             service_url = service.data_fields&.url || (service.properties && service.properties['url'])
             service_url&.include?('.atlassian.net') ? :cloud : :server
           end

locale/gitlab.pot

@@ -1031,6 +1031,9 @@ msgstr ""
 msgid "Admin Section"
 msgstr ""
+msgid "Admin mode disabled"
+msgstr ""
+
 msgid "Admin notes"
 msgstr ""
@@ -5734,6 +5737,9 @@ msgstr ""
 msgid "Enter a number"
 msgstr ""
+msgid "Enter admin mode"
+msgstr ""
+
 msgid "Enter at least three characters to search"
 msgstr ""
@@ -9123,6 +9129,9 @@ msgstr ""
 msgid "Leave"
 msgstr ""
+msgid "Leave admin mode"
+msgstr ""
+
 msgid "Leave edit mode? All unsaved changes will be lost."
 msgstr ""
@@ -12739,6 +12748,9 @@ msgstr ""
 msgid "Raw blob request rate limit per minute"
 msgstr ""
+msgid "Re-authentication required"
+msgstr ""
+
 msgid "Read more"
 msgstr ""

public/robots.txt

@@ -8,7 +8,7 @@
 # Only some crawlers respect this setting, e.g. Googlebot does not
 # Crawl-delay: 1
-# Based on details in https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/routes.rb, https://gitlab.com/gitlab-org/gitlab-ce/blob/master/spec/routing, and using application
+# Based on details in https://gitlab.com/gitlab-org/gitlab/blob/master/config/routes.rb, https://gitlab.com/gitlab-org/gitlab/blob/master/spec/routing, and using application
 User-Agent: *
 Disallow: /autocomplete/users
 Disallow: /search

spec/controllers/admin/sessions_controller_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Admin::SessionsController, :do_not_mock_admin_mode do
+  include_context 'custom session'
+
+  let(:user) { create(:user) }
+
+  before do
+    sign_in(user)
+  end
+
+  describe '#new' do
+    context 'for regular users' do
+      it 'shows error page' do
+        get :new
+
+        expect(response).to have_gitlab_http_status(:not_found)
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+      end
+    end
+
+    context 'for admin users' do
+      let(:user) { create(:admin) }
+
+      it 'renders a password form' do
+        get :new
+
+        expect(response).to render_template :new
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+      end
+    end
+  end
+
+  describe '#create' do
+    context 'for regular users' do
+      it 'shows error page' do
+        post :create
+
+        expect(response).to have_gitlab_http_status(:not_found)
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+      end
+    end
+
+    context 'for admin users' do
+      let(:user) { create(:admin) }
+
+      it 'sets admin mode with a valid password' do
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+
+        controller.store_location_for(:redirect, admin_root_path)
+        post :create, params: { password: user.password }
+
+        expect(response).to redirect_to admin_root_path
+        expect(controller.send(:current_user_mode).admin_mode?).to be(true)
+      end
+
+      it 'fails with an invalid password' do
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+
+        controller.store_location_for(:redirect, admin_root_path)
+
+        post :create, params: { password: '' }
+
+        expect(response).to render_template :new
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+      end
+    end
+  end
+
+  describe '#destroy' do
+    context 'for regular users' do
+      it 'shows error page' do
+        get :destroy
+
+        expect(response).to have_gitlab_http_status(404)
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+      end
+    end
+
+    context 'for admin users' do
+      let(:user) { create(:admin) }
+
+      it 'disables admin mode and redirects to main page' do
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+        post :create, params: { password: user.password }
+        expect(controller.send(:current_user_mode).admin_mode?).to be(true)
+
+        get :destroy
+
+        expect(response).to have_gitlab_http_status(:found)
+        expect(response).to redirect_to(root_path)
+        expect(controller.send(:current_user_mode).admin_mode?).to be(false)
+      end
+    end
+  end
+end

spec/controllers/application_controller_spec.rb

@@ -777,4 +777,48 @@ describe ApplicationController do
       end
     end
   end
+
+  describe '#current_user_mode', :do_not_mock_admin_mode do
+    include_context 'custom session'
+
+    controller(described_class) do
+      def index
+        render html: 'authenticated'
+      end
+    end
+
+    before do
+      allow(ActiveSession).to receive(:list_sessions).with(user).and_return([session])
+
+      sign_in(user)
+      get :index
+    end
+
+    context 'with a regular user' do
+      it 'admin mode is not set' do
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(Gitlab::Auth::CurrentUserMode.new(user).admin_mode?).to be(false)
+      end
+    end
+
+    context 'with an admin user' do
+      let(:user) { create(:admin) }
+
+      it 'admin mode is not set' do
+        expect(response).to have_gitlab_http_status(:ok)
+        expect(Gitlab::Auth::CurrentUserMode.new(user).admin_mode?).to be(false)
+      end
+
+      context 'that re-authenticated' do
+        before do
+          Gitlab::Auth::CurrentUserMode.new(user).enable_admin_mode!(password: user.password)
+        end
+
+        it 'admin mode is set' do
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(Gitlab::Auth::CurrentUserMode.new(user).admin_mode?).to be(true)
+        end
+      end
+    end
+  end
 end

spec/controllers/concerns/enforces_admin_authentication_spec.rb

@@ -2,7 +2,9 @@
 require 'spec_helper'
-describe EnforcesAdminAuthentication do
+describe EnforcesAdminAuthentication, :do_not_mock_admin_mode do
+  include AdminModeHelper
+
   let(:user) { create(:user) }
   before do
@@ -10,30 +12,86 @@ describe EnforcesAdminAuthentication do
   end
   controller(ApplicationController) do
-    # `described_class` is not available in this context
-    include EnforcesAdminAuthentication # rubocop:disable RSpec/DescribedClass
+    include EnforcesAdminAuthentication
     def index
       head :ok
     end
   end
-  describe 'authenticate_admin!' do
-    context 'as an admin' do
-      let(:user) { create(:admin) }
-      it 'renders ok' do
-        get :index
-        expect(response).to have_gitlab_http_status(200)
+  context 'feature flag :user_mode_in_session is enabled' do
+    describe 'authenticate_admin!' do
+      context 'as an admin' do
+        let(:user) { create(:admin) }
+        it 'renders redirect for re-authentication and does not set admin mode' do
+          get :index
+
+          expect(response).to redirect_to new_admin_session_path
+          expect(assigns(:current_user_mode)&.admin_mode?).to be(false)
+        end
+
+        context 'when admin mode is active' do
+          before do
+            enable_admin_mode!(user)
+          end
+
+          it 'renders ok' do
+            get :index
+
+            expect(response).to have_gitlab_http_status(200)
+          end
+        end
+      end
+
+      context 'as a user' do
+        it 'renders a 404' do
+          get :index
+
+          expect(response).to have_gitlab_http_status(404)
+        end
+
+        it 'does not set admin mode' do
+          get :index
+          # check for nil too since on 404, current_user_mode might not be initialized
+          expect(assigns(:current_user_mode)&.admin_mode?).to be_falsey
+        end
       end
     end
-    context 'as a user' do
-      it 'renders a 404' do
+  end
+
+  context 'feature flag :user_mode_in_session is disabled' do
+    before do
+      stub_feature_flags(user_mode_in_session: false)
+    end
+    describe 'authenticate_admin!' do
+      before do
         get :index
-        expect(response).to have_gitlab_http_status(404)
+      end
+
+      context 'as an admin' do
+        let(:user) { create(:admin) }
+
+        it 'allows direct access to page' do
+          expect(response).to have_gitlab_http_status(200)
+        end
+
+        it 'does not set admin mode' do
+          expect(assigns(:current_user_mode)&.admin_mode?).to be_falsey
+        end
+      end
+
+      context 'as a user' do
+        it 'renders a 404' do
+          expect(response).to have_gitlab_http_status(404)
+        end
+        it 'does not set admin mode' do
+          # check for nil too since on 404, current_user_mode might not be initialized
+          expect(assigns(:current_user_mode)&.admin_mode?).to be_falsey
+        end
       end
     end
   end

spec/controllers/health_controller_spec.rb

@@ -76,10 +76,7 @@ describe HealthController do
       it 'responds with liveness checks data' do
         subject
-        expect(json_response['db_check']['status']).to eq('ok')
-        expect(json_response['cache_check']['status']).to eq('ok')
-        expect(json_response['queues_check']['status']).to eq('ok')
-        expect(json_response['shared_state_check']['status']).to eq('ok')
+        expect(json_response['status']).to eq('ok')
       end
     end