Add latest changes from gitlab-org/gitlab@master

changelogs/unreleased/jhyson-issue-import-export-consistency.yml

+---
+title: Fix issue importer so it matches issue export format
+merge_request: 25896
+author:
+type: fixed

changelogs/unreleased/refactor-bypass-session-admin-mode.yml

+---
+title: Sessionless and API endpoints bypass session for admin mode
+merge_request: 25056
+author: Diego Louzán
+type: changed

config/application.rb

@@ -292,6 +292,13 @@ module Gitlab
     initializer :move_initializers, before: :load_config_initializers, after: :let_zeitwerk_take_over do
     end
+    # We need this for initializers that need to be run before Zeitwerk is loaded
+    initializer :before_zeitwerk, before: :let_zeitwerk_take_over, after: :prepend_helpers_path do
+      Dir[Rails.root.join('config/initializers_before_autoloader/*.rb')].sort.each do |initializer|
+        load_config_initializer(initializer)
+      end
+    end
+
     config.after_initialize do
       Rails.application.reload_routes!

db/migrate/20200207062728_add_default_branch_protection_to_namespaces.rb

+# frozen_string_literal: true
+
+class AddDefaultBranchProtectionToNamespaces < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    with_lock_retries do
+      add_column :namespaces, :default_branch_protection, :integer, limit: 2
+    end
+  end
+end

db/schema.rb

@@ -2762,6 +2762,7 @@ ActiveRecord::Schema.define(version: 2020_02_26_162723) do
     t.integer "max_pages_size"
     t.integer "max_artifacts_size"
     t.boolean "mentions_disabled"
+    t.integer "default_branch_protection", limit: 2
     t.index ["created_at"], name: "index_namespaces_on_created_at"
     t.index ["custom_project_templates_group_id", "type"], name: "index_namespaces_on_custom_project_templates_group_id_and_type", where: "(custom_project_templates_group_id IS NOT NULL)"
     t.index ["file_template_project_id"], name: "index_namespaces_on_file_template_project_id"

doc/api/groups.md

@@ -42,6 +42,7 @@ GET /groups
     "emails_disabled": null,
     "mentions_disabled": null,
     "lfs_enabled": true,
+    "default_branch_protection": 2,
     "avatar_url": "http://localhost:3000/uploads/group/avatar/1/foo.jpg",
     "web_url": "http://localhost:3000/groups/foo-bar",
     "request_access_enabled": false,
@@ -76,6 +77,7 @@ GET /groups?statistics=true
     "emails_disabled": null,
     "mentions_disabled": null,
     "lfs_enabled": true,
+    "default_branch_protection": 2,
     "avatar_url": "http://localhost:3000/uploads/group/avatar/1/foo.jpg",
     "web_url": "http://localhost:3000/groups/foo-bar",
     "request_access_enabled": false,
@@ -148,6 +150,7 @@ GET /groups/:id/subgroups
     "emails_disabled": null,
     "mentions_disabled": null,
     "lfs_enabled": true,
+    "default_branch_protection": 2,
     "avatar_url": "http://gitlab.example.com/uploads/group/avatar/1/foo.jpg",
     "web_url": "http://gitlab.example.com/groups/foo-bar",
     "request_access_enabled": false,
@@ -493,9 +496,20 @@ Parameters:
 | `lfs_enabled`                        | boolean | no       | Enable/disable Large File Storage (LFS) for the projects in this group. |
 | `request_access_enabled`             | boolean | no       | Allow users to request member access. |
 | `parent_id`                          | integer | no       | The parent group ID for creating nested group. |
+| `default_branch_protection`          | integer | no       | See [Options for `default_branch_protection`](#options-for-default_branch_protection). Default to the global level default branch protection setting.      |
 | `shared_runners_minutes_limit`       | integer | no       | **(STARTER ONLY)** Pipeline minutes quota for this group. |
 | `extra_shared_runners_minutes_limit` | integer | no       | **(STARTER ONLY)** Extra pipeline minutes quota for this group. |
+### Options for `default_branch_protection`
+
+The `default_branch_protection` attribute determines whether developers and maintainers can push to the applicable master branch, as described in the following table:
+
+| Value | Description |
+|-------|-------------------------------------------------------------------------------------------------------------|
+| `0`   | No protection. Developers and maintainers can:  <br>- Push new commits<br>- Force push changes<br>- Delete the branch |
+| `1`   | Partial protection. Developers and maintainers can:  <br>- Push new commits |
+| `2`   | Full protection. Only maintainers can:  <br>- Push new commits |
+
 ## Transfer project to group
 Transfer a project to the Group namespace. Available only to instance administrators, although an [alternative API endpoint](projects.md#transfer-a-project-to-a-new-namespace) is available which does not require instance administrator access. Transferring projects may fail when tagged packages exist in the project's repository.
@@ -542,6 +556,7 @@ PUT /groups/:id
 | `mentions_disabled`                  | boolean | no       | Disable the capability of a group from getting mentioned |
 | `lfs_enabled` (optional)             | boolean | no       | Enable/disable Large File Storage (LFS) for the projects in this group. |
 | `request_access_enabled`             | boolean | no       | Allow users to request member access. |
+| `default_branch_protection`          | integer | no       | See [Options for `default_branch_protection`](#options-for-default_branch_protection). |
 | `file_template_project_id`           | integer | no       | **(PREMIUM)** The ID of a project to load custom file templates from. |
 | `shared_runners_minutes_limit`       | integer | no       | **(STARTER ONLY)** Pipeline minutes quota for this group. |
 | `extra_shared_runners_minutes_limit` | integer | no       | **(STARTER ONLY)** Extra pipeline minutes quota for this group. |

doc/development/README.md

@@ -97,6 +97,7 @@ Complementary reads:
 - [Issue types vs first-class types](issue_types.md)
 - [Application limits](application_limits.md)
 - [Redis guidelines](redis.md)
+- [Rails initializers](rails_initializers.md)
 ## Performance guides

doc/development/database_review.md

@@ -187,4 +187,4 @@ NOTE: **Note:** Keep in mind that all runtimes should be measured against GitLab
 |----|----|---|
 | Regular migrations on `db/migrate` | `3 minutes` | A valid exception  are index creation as this can take a long time. |
 | Post migrations on `db/post_migrate` | `10 minutes` | |
-| Background migrations | --- | Since these are suitable for larger tables, it's not possible to set a precise timing guideline, however, any query must stay well below `10s` of execution time. |
+| Background migrations | --- | Since these are suitable for larger tables, it's not possible to set a precise timing guideline, however, any single query must stay below `1 second` execution time with cold caches. |

doc/development/migration_style_guide.md

@@ -432,10 +432,6 @@ default values if absolutely necessary. There is a RuboCop cop that will fail if
 this method is used on some tables that are very large on GitLab.com, which
 would cause other issues.
-For a small table (such as an empty one or one with less than `1,000` records),
-use `add_column` and `change_column_default` in a single-transaction migration,
-combining it with other operations that don't require `disable_ddl_transaction!`.
-
 ## Changing the column default
 One might think that changing a default column with `change_column_default` is an

doc/development/rails_initializers.md

+# Rails initializers
+
+By default, Rails loads Zeitwerk after the initializers in `config/initializers` are loaded.
+Autoloading before Zeitwerk is loaded is now deprecated but because we use a lot of autoloaded
+constants in our initializers, we had to move the loading of Zeitwerk earlier than these
+initializers.
+
+A side-effect of this is that in the initializers, `config.autoload_paths` is already frozen.
+
+To run an initializer before Zeitwerk is loaded, you need put them in `config/initializers_before_autoloader`.
+Ruby files in this folder are loaded in alphabetical order just like the default Rails initializers.
+
+Some examples where you would need to do this are:
+
+1. Modifying Rails' `config.autoload_paths`
+1. Changing configuration that Zeitwerk uses, e.g. inflections

doc/user/admin_area/settings/visibility_and_access_controls.md

@@ -26,6 +26,8 @@ To change the default branch protection:
 For more details, see [Protected branches](../../project/protected_branches.md).
+To change this setting for a specific group, see [Default branch protection for groups](../../group/index.md#changing-the-default-branch-protection-of-a-group)
+
 ## Default project creation protection
 Project creation protection specifies which roles can create projects.

doc/user/group/index.md

@@ -181,6 +181,21 @@ of a group:
   1. Give a different member **Owner** permissions.
   1. Have the new owner sign in and remove **Owner** permissions from you.
+## Changing the default branch protection of a group
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/7583) in GitLab 12.9.
+
+By default, every group inherits the branch protection set at the global level.
+
+To change this setting for a specific group:
+
+1. Go to the group's **{settings}** **Settings > General** page.
+1. Expand the **Permissions, LFS, 2FA** section.
+1. Select the desired option in the **Default branch protection** dropdown list.
+1. Click **Save changes**.
+
+To change this setting globally, see [Default branch protection](../admin_area/settings/visibility_and_access_controls.md#default-branch-protection).
+
 ## Add projects to a group
 There are two different ways to add a new project to a group:

doc/user/project/issues/csv_import.md

@@ -3,7 +3,7 @@
 > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/23532) in GitLab 11.7.
 Issues can be imported to a project by uploading a CSV file with the columns
-`title` and `description`, in that order.
+`title` and `description`.
 The user uploading the CSV file will be set as the author of the imported issues.
@@ -31,9 +31,9 @@ to you once the import is complete.
 When importing issues from a CSV file, it must be formatted in a certain way:
-- **header row:** CSV files must contain a header row where the first column header
-  is `title` and the second is `description`. If additional columns are present, they
-  will be ignored.
+- **header row:** CSV files must include the following headers:
+`title` and `description`. The case of the headers does not matter.
+- **columns:** Data from columns beyond `title` and `description` are not imported.
 - **separators:** The column separator is automatically detected from the header row.
   Supported separator characters are: commas (`,`), semicolons (`;`), and tabs (`\t`).
   The row separator can be either `CRLF` or `LF`.

lib/api/api_guard.rb

@@ -50,17 +50,13 @@ module API
         user = find_user_from_sources
         return unless user
+        # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode
+        Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) if Feature.enabled?(:user_mode_in_session)
+
         unless api_access_allowed?(user)
           forbidden!(api_access_denied_message(user))
         end
-        # Set admin mode for API requests (if admin)
-        if Feature.enabled?(:user_mode_in_session)
-          current_user_mode = Gitlab::Auth::CurrentUserMode.new(user)
-
-          current_user_mode.enable_sessionless_admin_mode!
-        end
-
         user
       end
@@ -154,19 +150,13 @@ module API
     end
     class AdminModeMiddleware < ::Grape::Middleware::Base
-      def initialize(app, **options)
-        super
-      end
-      def call(env)
-        if Feature.enabled?(:user_mode_in_session)
-          session = {}
-          Gitlab::Session.with_session(session) do
-            app.call(env)
-          end
-        else
-          app.call(env)
-        end
+      def after
+        # Use a Grape middleware since the Grape `after` blocks might run
+        # before we are finished rendering the `Grape::Entity` classes
+        Gitlab::Auth::CurrentUserMode.reset_bypass_session! if Feature.enabled?(:user_mode_in_session)
+        # Explicit nil is needed or the api call return value will be overwritten
+        nil
       end
     end
   end

lib/api/entities/group.rb

@@ -13,6 +13,7 @@ module API
       expose :emails_disabled
       expose :mentions_disabled
       expose :lfs_enabled?, as: :lfs_enabled
+      expose :default_branch_protection
       expose :avatar_url do |group, options|
         group.avatar_url(only_path: false)
       end

lib/api/helpers/groups_helpers.rb

@@ -21,6 +21,7 @@ module API
         optional :mentions_disabled, type: Boolean, desc: 'Disable a group from getting mentioned'
         optional :lfs_enabled, type: Boolean, desc: 'Enable/disable LFS for the projects in this group'
         optional :request_access_enabled, type: Boolean, desc: 'Allow users to request member access'
+        optional :default_branch_protection, type: Integer, values: ::Gitlab::Access.protection_values, desc: 'Determine if developers can push to master'
       end
       params :optional_params_ee do

lib/gitlab/access/branch_protection.rb

@@ -37,6 +37,10 @@ module Gitlab
       def developer_can_merge?
         level == PROTECTION_DEV_CAN_MERGE
       end
+
+      def fully_protected?
+        level == PROTECTION_FULL
+      end
     end
   end
 end

lib/gitlab/auth/current_user_mode.rb

@@ -23,15 +23,26 @@ module Gitlab
       class << self
         # Admin mode activation requires storing a flag in the user session. Using this
-        # method when scheduling jobs in Sidekiq will bypass the session check for a
-        # user that was already in admin mode
+        # method when scheduling jobs in sessionless environments (e.g. Sidekiq, API)
+        # will bypass the session check for a user that was already in admin mode
+        #
+        # If passed a block, it will surround the block execution and reset the session
+        # bypass at the end; otherwise use manually '.reset_bypass_session!'
         def bypass_session!(admin_id)
           Gitlab::SafeRequestStore[CURRENT_REQUEST_BYPASS_SESSION_ADMIN_ID_RS_KEY] = admin_id
           Gitlab::AppLogger.debug("Bypassing session in admin mode for: #{admin_id}")
-          yield
-        ensure
+          if block_given?
+            begin
+              yield
+            ensure
+              reset_bypass_session!
+            end
+          end
+        end
+
+        def reset_bypass_session!
           Gitlab::SafeRequestStore.delete(CURRENT_REQUEST_BYPASS_SESSION_ADMIN_ID_RS_KEY)
         end
@@ -90,10 +101,6 @@ module Gitlab
         current_session_data[ADMIN_MODE_START_TIME_KEY] = Time.now
       end
-      def enable_sessionless_admin_mode!
-        request_admin_mode! && enable_admin_mode!(skip_password_validation: true)
-      end
-
       def disable_admin_mode!
         return unless user&.admin?

lib/gitlab/graphql/connections.rb

@@ -16,6 +16,10 @@ module Gitlab
           Gitlab::Graphql::ExternallyPaginatedArray,
           Gitlab::Graphql::Connections::ExternallyPaginatedArrayConnection
         )
+        GraphQL::Relay::BaseConnection.register_connection_implementation(
+          Gitlab::Graphql::Pagination::Relations::OffsetActiveRecordRelation,
+          Gitlab::Graphql::Pagination::OffsetActiveRecordRelationConnection
+        )
       end
     end
   end