Add latest changes from gitlab-org/gitlab@12-3-stable-ee

.gitlab/ci/global.gitlab-ci.yml

@@ -121,5 +121,5 @@
 .only-ee:
   only:
     variables:
-      - $CI_PROJECT_NAME == "gitlab-ee"
-      - $CI_PROJECT_NAME == "gitlab"  # New name of gitlab-ee after the single codebase migration
+      - $CI_PROJECT_NAME == "gitlab"
+      - $CI_PROJECT_NAME == "gitlab-ee"  # Support former project name for forks/mirrors

.gitlab/ci/review.gitlab-ci.yml

@@ -114,7 +114,8 @@ schedule:review-deploy:
   needs: ["schedule:review-build-cng"]
 review-stop:
-  extends: review-deploy
+  extends:
+    - .review-deploy-base
   when: manual
   environment:
     action: stop
@@ -137,7 +138,6 @@ review-cleanup-failed-deployment:
   extends: review-stop
   stage: prepare
   when: on_success
-  needs: []
   allow_failure: false
   script:
     - delete_failed_release

.gitlab/ci/setup.gitlab-ci.yml

@@ -43,5 +43,6 @@ no_ee_check:
     - scripts/no-ee-check
   only:
     variables:
-      - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAME == "gitlab-foss"
-      - $CI_SERVER_HOST == "dev.gitlab.org" && $CI_PROJECT_NAME == "gitlabhq"
+      - $CI_PROJECT_NAME == "gitlab-foss"
+      - $CI_PROJECT_NAME == "gitlab-ce"  # Support former project name for forks/mirrors
+      - $CI_PROJECT_NAME == "gitlabhq"  # Support former project name for dev

CHANGELOG-EE.md

 Please view this file on the master branch, on stable branches it's out of date.
+## 12.3.6
+
+### Security (4 changes)
+
+- Do not index system notes for issue update.
+- Redact search results based on Ability.allowed?.
+- Do not show private cross references in epic notes.
+- Filter out packages the user does'nt have permission to see at group level.
+
+
+## 12.3.5
+
+- No changes.
+
+## 12.3.4
+
+### Fixed (2 changes)
+
+- Fix replies to service desk emails for projects with issue access as Only Project Members. !17401
+- Geo: LFS not being synced. !17633
+
+
+## 12.3.3
+
+### Security (1 change)
+
+- Restrict access for security reports in MR widget.
+
+
+## 12.3.2
+
+### Security (2 changes)
+
+- Hide approvers if a rule has any hidden groups.
+- Prevent IDOR when adding groups to protected environments.
+
+
+## 12.3.1
+
+- No changes.
+
 ## 12.3.0
 ### Security (3 changes)

CHANGELOG.md

@@ -4,7 +4,7 @@ entry.
 ## 12.3.6
-### Security (14 changes)
+### Security (15 changes)
 - Standardize error response when route is missing.
 - Do not display project labels that are not visible for user accessing group labels.
@@ -17,6 +17,7 @@ entry.
 - Return 404 on LFS request if project doesn't exist.
 - Mask sentry auth token in Error Tracking dashboard.
 - Fixes a Open Redirect issue in `InternalRedirect`.
+- Remove deploy access level when project/group link is deleted.
 - Sanitize search text to prevent XSS.
 - Sanitize all wiki markup formats with GitLab sanitization pipelines.
 - Fix stored XSS issue for grafana_url.
@@ -24,11 +25,18 @@ entry.
 ## 12.3.5
-- No changes.
+### Security (1 change)
+
+- Limit search for IID to a type to avoid leaking records with the same IID that the user does not have access to.
+
 ## 12.3.4
-- No changes.
+### Fixed (2 changes)
+
+- Fix cannot merge icon showing in dropdown for users who can merge. !17306
+- Fix pipelines for merge requests in project exports. !17844
+
 ## 12.3.3
@@ -39,16 +47,18 @@ entry.
 ## 12.3.2
-### Security (10 changes)
+### Security (12 changes)
 - Fix Gitaly SearchBlobs flag RPC injection.
 - Add a policy check for system notes that may not be visible due to cross references to private items.
 - Display only participants that user has permission to see on milestone page.
 - Do not disclose project milestones on group milestones page when project milestones access is disabled in project settings.
+- Check permissions before showing head pipeline blocking merge requests.
 - Fix new project path being disclosed through unsubscribe link of issue/merge requests.
 - Prevent bypassing email verification using Salesforce.
 - Do not show resource label events referencing not accessible labels.
 - Cancel all running CI jobs triggered by the user who is just blocked.
+- Fix Gitaly SearchBlobs flag RPC injection.
 - Only render fixed number of mermaid blocks.
 - Prevent GitLab accounts takeover if SAML is configured.

VERSION

-12.3.6
+12.3.6-ee

app/assets/javascripts/users_select.js

@@ -7,6 +7,7 @@ import _ from 'underscore';
 import axios from './lib/utils/axios_utils';
 import { s__, __, sprintf } from './locale';
 import ModalStore from './boards/stores/modal_store';
+import { parseBoolean } from './lib/utils/common_utils';
 // TODO: remove eventHub hack after code splitting refactor
 window.emitSidebarEvent = window.emitSidebarEvent || $.noop;
@@ -279,12 +280,13 @@ function UsersSelect(currentUser, els, options = {}) {
                 })
                 .map(input => {
                   const userId = parseInt(input.value, 10);
-                  const { avatarUrl, avatar_url, name, username } = input.dataset;
+                  const { avatarUrl, avatar_url, name, username, canMerge } = input.dataset;
                   return {
                     avatar_url: avatarUrl || avatar_url,
                     id: userId,
                     name,
                     username,
+                    can_merge: parseBoolean(canMerge),
                   };
                 });

app/controllers/concerns/renders_assignees.rb

+# frozen_string_literal: true
+
+module RendersAssignees
+  def preload_assignees_for_render(merge_request)
+    merge_request.project.team.max_member_access_for_user_ids(merge_request.assignees.map(&:id))
+  end
+end

app/controllers/projects/merge_requests_controller.rb

@@ -5,6 +5,7 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
   include IssuableActions
   include RendersNotes
   include RendersCommits
+  include RendersAssignees
   include ToggleAwardEmoji
   include IssuableCollections
   include RecordUserLastActivity
@@ -41,6 +42,8 @@ class Projects::MergeRequestsController < Projects::MergeRequests::ApplicationCo
         # use next to appease Rubocop
         next render('invalid') if target_branch_missing?
+        preload_assignees_for_render(@merge_request)
+
         # Build a note object for comment form
         @note = @project.notes.new(noteable: @merge_request)

app/helpers/issuables_helper.rb

@@ -372,6 +372,12 @@ module IssuablesHelper
     finder.class.scalar_params.any? { |p| params[p].present? }
   end
+  def assignee_sidebar_data(assignee, merge_request: nil)
+    { avatar_url: assignee.avatar_url, name: assignee.name, username: assignee.username }.tap do |data|
+      data[:can_merge] = merge_request.can_be_merged_by?(assignee) if merge_request
+    end
+  end
+
   private
   def sidebar_gutter_collapsed?

app/views/shared/issuable/_sidebar_assignees.html.haml

@@ -11,7 +11,7 @@
     = hidden_field_tag "#{issuable_type}[assignee_ids][]", 0, id: nil
   - else
     - assignees.each do |assignee|
-      = hidden_field_tag "#{issuable_type}[assignee_ids][]", assignee.id, id: nil, data: { avatar_url: assignee.avatar_url, name: assignee.name, username: assignee.username }
+      = hidden_field_tag "#{issuable_type}[assignee_ids][]", assignee.id, id: nil, data: assignee_sidebar_data(assignee, merge_request: @merge_request)
   - options = { toggle_class: 'js-user-search js-author-search',
     title: _('Assign to'),

db/post_migrate/20190905091812_schedule_project_any_approval_rule_migration.rb

@@ -22,6 +22,8 @@ class ScheduleProjectAnyApprovalRuleMigration < ActiveRecord::Migration[5.2]
   end
   def up
+    return unless Gitlab.ee?
+
     add_concurrent_index :projects, :id,
       name: 'tmp_projects_with_approvals_before_merge',
       where: 'approvals_before_merge <> 0'

db/post_migrate/20190905091831_schedule_merge_request_any_approval_rule_migration.rb

@@ -22,6 +22,8 @@ class ScheduleMergeRequestAnyApprovalRuleMigration < ActiveRecord::Migration[5.2
   end
   def up
+    return unless Gitlab.ee?
+
     add_concurrent_index :merge_requests, :id,
       name: 'tmp_merge_requests_with_approvals_before_merge',
       where: 'approvals_before_merge <> 0'

doc/user/application_security/index.md

@@ -151,7 +151,7 @@ Clicking on this button will create a merge request to apply the solution onto t
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/9928) in [GitLab Ultimate](https://about.gitlab.com/pricing) 12.2.
 Merge Request Approvals can be configured to require approval from a member
-of your security team when a vulnerability would be introduced by a merge request.
+of your security team when a vulnerability, or a software license compliance violation would be introduced by a merge request.
 This threshold is defined as `high`, `critical`, or `unknown`
 severity. When any vulnerabilities are present within a merge request, an
@@ -178,6 +178,29 @@ An approval will be optional when a security report:
 - Contains no new vulnerabilities.
 - Contains only new vulnerabilities of `low` or `medium` severity.
+### Enabling License Approvals within a project
+
+To enable License Approvals, a [project approval rule](../project/merge_requests/merge_request_approvals.md#multiple-approval-rules-premium)
+must be created with the case-sensitive name `License-Check`. This approval
+group must be set with an "Approvals required" count greater than zero.
+
+Once this group has been added to your project, the approval rule will be enabled
+for all Merge Requests. To configure how this rule behaves, you can choose which
+licenses to `approve` or `blacklist` in the
+[project policies for License Compliance](license_compliance/index.md#project-policies-for-license-compliance) section.
+
+Any code changes made will cause the count of approvals required to reset.
+
+An approval will be required when a license report:
+
+- Contains a dependency that includes a software license that is `blacklisted`.
+- Is not generated during pipeline execution.
+
+An approval will be optional when a license report:
+
+- Contains no software license violations.
+- Contains only new licenses that are `approved` or unknown.
+
 <!-- ## Troubleshooting
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues

doc/user/project/merge_requests/merge_request_approvals.md

@@ -337,6 +337,16 @@ of your security team when a vulnerability would be introduced by a merge reques
 For more information, see
 [Security approvals in merge requests](../../application_security/index.md#security-approvals-in-merge-requests-ultimate).
+## License compliance approvals in merge requests **(ULTIMATE)**
+
+> Introduced in [GitLab Ultimate](https://about.gitlab.com/pricing) 12.3.
+
+Merge Request Approvals can be configured to require approval from a member
+of your security team when a blacklisted software license would be introduced by a merge request.
+
+For more information, see
+[Security approvals in merge requests](../../application_security/index.md#security-approvals-in-merge-requests-ultimate).
+
 <!-- ## Troubleshooting
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues

lib/gitlab/danger/helper.rb

@@ -35,7 +35,8 @@ module Gitlab
       end
       def ee?
-        ENV['CI_PROJECT_NAME'] == 'gitlab-ee' || File.exist?('../../CHANGELOG-EE.md')
+        # Support former project name for `dev` and support local Danger run
+        %w[gitlab gitlab-ee].include?(ENV['CI_PROJECT_NAME']) || Dir.exist?('../../ee')
       end
       def gitlab_helper
@@ -52,7 +53,7 @@ module Gitlab
       end
       def project_name
-        ee? ? 'gitlab-ee' : 'gitlab-ce'
+        ee? ? 'gitlab' : 'gitlab-foss'
       end
       def markdown_list(items)

lib/gitlab/import_export/import_export.yml

@@ -66,6 +66,7 @@ tree:
       - stages:
         - :statuses
       - :external_pull_request
+      - :merge_request
     - :external_pull_requests
     - :auto_devops
     - :triggers
@@ -166,6 +167,12 @@ excluded_attributes:
     - :external_diff_size
   issues:
     - :milestone_id
+  merge_request:
+    - :milestone_id
+    - :ref_fetched
+    - :merge_jid
+    - :rebase_jid
+    - :latest_merge_request_diff_id
   merge_requests:
     - :milestone_id
     - :ref_fetched

lib/gitlab/import_export/relation_factory.rb

@@ -38,7 +38,7 @@ module Gitlab
       IMPORTED_OBJECT_MAX_RETRIES = 5.freeze
-      EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels project_feature].freeze
+      EXISTING_OBJECT_CHECK = %i[milestone milestones label labels project_label project_labels group_label group_labels project_feature merge_request].freeze
       TOKEN_RESET_MODELS = %w[Project Namespace Ci::Trigger Ci::Build Ci::Runner ProjectHook].freeze
@@ -289,6 +289,7 @@ module Gitlab
       def find_or_create_object!
         return relation_class.find_or_create_by(project_id: @project.id) if @relation_name == :project_feature
+        return find_or_create_merge_request! if @relation_name == :merge_request
         # Can't use IDs as validation exists calling `group` or `project` attributes
         finder_hash = parsed_relation_hash.tap do |hash|
@@ -299,6 +300,11 @@ module Gitlab
         GroupProjectObjectBuilder.build(relation_class, finder_hash)
       end
+
+      def find_or_create_merge_request!
+        @project.merge_requests.find_by(iid: parsed_relation_hash['iid']) ||
+          relation_class.new(parsed_relation_hash)
+      end
     end
   end
 end

scripts/review_apps/automated_cleanup.rb

@@ -18,7 +18,8 @@ class AutomatedCleanup
   ].freeze
   def self.ee?
-    ENV['CI_PROJECT_NAME'] == 'gitlab-ee' || File.exist?('CHANGELOG-EE.md')
+    # Support former project name for `dev`
+    %w[gitlab gitlab-ee].include?(ENV['CI_PROJECT_NAME'])
   end
   def initialize(project_path: ENV['CI_PROJECT_PATH'], gitlab_token: ENV['GITLAB_BOT_REVIEW_APPS_CLEANUP_TOKEN'])

scripts/trigger-build

@@ -12,7 +12,8 @@ end
 module Trigger
   def self.ee?
-    ENV['CI_PROJECT_NAME'] == 'gitlab-ee' || File.exist?('CHANGELOG-EE.md')
+    # Support former project name for `dev`
+    %w[gitlab gitlab-ee].include?(ENV['CI_PROJECT_NAME'])
   end
   class Base