[ci skip] Merge branch 'master' into 42923-close-issue

* master: (21 commits)
  GitLab QA: Add GITLAB_USER_TYPE to support different login types (e.g. standard, LDAP)
  Return a warning string if we try to encode to unsupported encoding
  Remove confirmation_input
  Resolve failures in GitHub-ish import controller specs
  Remove changelogs for already-released security patches
  Merge branch 'mc/bug/38984-wildcard-protected-tags' into 'security-10-4'
  Merge branch 'fix/gh-namespace-issue' into 'security-10-4'
  Merge branch 'security-10-4-todo-api-reveals-sensitive-information' into 'security-10-4'
  Merge branch 'fix-mermaid-xss' into 'security-10-4'
  Merge branch 'security-10-4-25223-snippets-finder-doesnt-obey-feature-visibility' into 'security-10-4'
  API - fix searching in group/project specified by path
  Add documentation on how to build a QA Docker image
  Fix english in style_guide_js.md
  Adds tooltip for environment name Adds CSS for child envrionments
  Do not attach runner to a non-exsiting network in QA
  Remove not needed default statement
  Improve docs about allowing some side effects on the constructor
  Move all ENV to Runtime::Env
  Rename .scss files to use snake_case
  Moves missing branch into a vue file
  ...

app/assets/javascripts/environments/components/environment_item.vue

 <script>
   import Timeago from 'timeago.js';
   import _ from 'underscore';
-  import userAvatarLink from '../../vue_shared/components/user_avatar/user_avatar_link.vue';
-  import { humanize } from '../../lib/utils/text_utility';
+  import tooltip from '~/vue_shared/directives/tooltip';
+  import UserAvatarLink from '~/vue_shared/components/user_avatar/user_avatar_link.vue';
+  import { humanize } from '~/lib/utils/text_utility';
   import ActionsComponent from './environment_actions.vue';
   import ExternalUrlComponent from './environment_external_url.vue';
   import StopComponent from './environment_stop.vue';
@@ -21,14 +22,18 @@
   export default {
     components: {
-      userAvatarLink,
-      'commit-component': CommitComponent,
-      'actions-component': ActionsComponent,
-      'external-url-component': ExternalUrlComponent,
-      'stop-component': StopComponent,
-      'rollback-component': RollbackComponent,
-      'terminal-button-component': TerminalButtonComponent,
-      'monitoring-button-component': MonitoringButtonComponent,
+      UserAvatarLink,
+      CommitComponent,
+      ActionsComponent,
+      ExternalUrlComponent,
+      StopComponent,
+      RollbackComponent,
+      TerminalButtonComponent,
+      MonitoringButtonComponent,
+    },
+
+    directives: {
+      tooltip,
     },
     props: {
@@ -443,7 +448,11 @@
         v-if="!model.isFolder"
         class="environment-name flex-truncate-parent table-mobile-content"
         :href="environmentPath">
-        <span class="flex-truncate-child">{{ model.name }}</span>
+        <span
+          class="flex-truncate-child"
+          v-tooltip
+          :title="model.name"
+        >{{ model.name }}</span>
       </a>
       <span
         v-else

app/assets/javascripts/render_mermaid.js

@@ -30,6 +30,9 @@ export default function renderMermaid($els) {
     $els.each((i, el) => {
       const source = el.textContent;
+      // Remove any extra spans added by the backend syntax highlighting.
+      Object.assign(el, { textContent: source });
+
       mermaid.init(undefined, el, (id) => {
         const svg = document.getElementById(id);

app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_missing_branch.js

-import statusIcon from '../mr_widget_status_icon.vue';
-import tooltip from '../../../vue_shared/directives/tooltip';
-import mrWidgetMergeHelp from '../../components/mr_widget_merge_help.vue';
-
-export default {
-  name: 'MRWidgetMissingBranch',
-  props: {
-    mr: { type: Object, required: true },
-  },
-  directives: {
-    tooltip,
-  },
-  components: {
-    'mr-widget-merge-help': mrWidgetMergeHelp,
-    statusIcon,
-  },
-  computed: {
-    missingBranchName() {
-      return this.mr.sourceBranchRemoved ? 'source' : 'target';
-    },
-    message() {
-      return `If the ${this.missingBranchName} branch exists in your local repository, you can merge this merge request manually using the command line`;
-    },
-  },
-  template: `
-    <div class="mr-widget-body media">
-      <status-icon status="warning" :show-disabled-button="true" />
-      <div class="media-body space-children">
-        <span class="bold js-branch-text">
-          <span class="capitalize">
-            {{missingBranchName}}
-          </span> branch does not exist.
-          Please restore it or use a different {{missingBranchName}} branch
-          <i
-            v-tooltip
-            class="fa fa-question-circle"
-            :title="message"
-            :aria-label="message"></i>
-        </span>
-      </div>
-    </div>
-  `,
-};

app/assets/javascripts/vue_merge_request_widget/components/states/mr_widget_missing_branch.vue

+<script>
+  import { sprintf, s__ } from '~/locale';
+  import tooltip from '~/vue_shared/directives/tooltip';
+  import statusIcon from '../mr_widget_status_icon.vue';
+  import mrWidgetMergeHelp from '../../components/mr_widget_merge_help.vue';
+
+  export default {
+    name: 'MRWidgetMissingBranch',
+    directives: {
+      tooltip,
+    },
+    components: {
+      mrWidgetMergeHelp,
+      statusIcon,
+    },
+    props: {
+      mr: {
+        type: Object,
+        required: true,
+      },
+    },
+    computed: {
+      missingBranchName() {
+        return this.mr.sourceBranchRemoved ? 'source' : 'target';
+      },
+      missingBranchNameMessage() {
+        return sprintf(s__('mrWidget| Please restore it or use a different %{missingBranchName} branch'), {
+          missingBranchName: this.missingBranchName,
+        });
+      },
+      message() {
+        return sprintf(s__('mrWidget|If the %{missingBranchName} branch exists in your local repository, you can merge this merge request manually using the command line'), {
+          missingBranchName: this.missingBranchName,
+        });
+      },
+    },
+  };
+</script>
+<template>
+  <div class="mr-widget-body media">
+    <status-icon
+      status="warning"
+      :show-disabled-button="true"
+    />
+
+    <div class="media-body space-children">
+      <span class="bold js-branch-text">
+        <span class="capitalize">
+          {{ missingBranchName }}
+        </span> {{ s__("mrWidget|branch does not exist.") }}
+        {{ missingBranchNameMessage }}
+        <i
+          v-tooltip
+          class="fa fa-question-circle"
+          :title="message"
+          :aria-label="message"
+        >
+        </i>
+      </span>
+    </div>
+  </div>
+</template>

app/assets/javascripts/vue_merge_request_widget/dependencies.js

@@ -24,7 +24,7 @@ export { default as WipState } from './components/states/mr_widget_wip';
 export { default as ArchivedState } from './components/states/mr_widget_archived.vue';
 export { default as ConflictsState } from './components/states/mr_widget_conflicts.vue';
 export { default as NothingToMergeState } from './components/states/mr_widget_nothing_to_merge';
-export { default as MissingBranchState } from './components/states/mr_widget_missing_branch';
+export { default as MissingBranchState } from './components/states/mr_widget_missing_branch.vue';
 export { default as NotAllowedState } from './components/states/mr_widget_not_allowed';
 export { default as ReadyToMergeState } from './components/states/mr_widget_ready_to_merge';
 export { default as SHAMismatchState } from './components/states/mr_widget_sha_mismatch';

app/assets/javascripts/vue_shared/components/confirmation_input.vue

-<script>
-  import _ from 'underscore';
-  import { __, sprintf } from '~/locale';
-
-  export default {
-    props: {
-      inputId: {
-        type: String,
-        required: true,
-      },
-      confirmationKey: {
-        type: String,
-        required: true,
-      },
-      confirmationValue: {
-        type: String,
-        required: true,
-      },
-      shouldEscapeConfirmationValue: {
-        type: Boolean,
-        required: false,
-        default: true,
-      },
-    },
-    computed: {
-      inputLabel() {
-        let value = this.confirmationValue;
-        if (this.shouldEscapeConfirmationValue) {
-          value = _.escape(value);
-        }
-
-        return sprintf(
-          __('Type %{value} to confirm:'),
-          { value: `<code>${value}</code>` },
-          false,
-        );
-      },
-    },
-    methods: {
-      hasCorrectValue() {
-        return this.$refs.enteredValue.value === this.confirmationValue;
-      },
-    },
-  };
-</script>
-
-<template>
-  <div>
-    <label
-      v-html="inputLabel"
-      :for="inputId"
-    >
-    </label>
-    <input
-      :id="inputId"
-      :name="confirmationKey"
-      type="text"
-      ref="enteredValue"
-      class="form-control"
-    />
-  </div>
-</template>

app/assets/stylesheets/framework.scss

@@ -21,7 +21,7 @@
 @import "framework/flash";
 @import "framework/forms";
 @import "framework/gfm";
-@import "framework/gitlab-theme";
+@import "framework/gitlab_theme";
 @import "framework/header";
 @import "framework/highlight";
 @import "framework/issue_box";
@@ -35,10 +35,10 @@
 @import "framework/pagination";
 @import "framework/panels";
 @import "framework/popup";
-@import "framework/secondary-navigation-elements";
+@import "framework/secondary_navigation_elements";
 @import "framework/selects";
 @import "framework/sidebar";
-@import "framework/contextual-sidebar";
+@import "framework/contextual_sidebar";
 @import "framework/tables";
 @import "framework/notes";
 @import "framework/tabs";
@@ -49,16 +49,16 @@
 @import "framework/zen";
 @import "framework/blank";
 @import "framework/wells";
-@import "framework/page-header";
+@import "framework/page_header";
 @import "framework/awards";
 @import "framework/images";
-@import "framework/broadcast-messages";
+@import "framework/broadcast_messages";
 @import "framework/emojis";
-@import "framework/emoji-sprites";
+@import "framework/emoji_sprites";
 @import "framework/icons";
 @import "framework/snippets";
 @import "framework/memory_graph";
 @import "framework/responsive_tables";
-@import "framework/stacked-progress-bar";
+@import "framework/stacked_progress_bar";
 @import "framework/ci_variable_list";
 @import "framework/feature_highlight";

app/assets/stylesheets/pages/environments.scss

@@ -121,6 +121,10 @@
       width: 100%;
       text-align: left;
     }
+
+    .environment-child-row {
+      padding-left: 20px;
+    }
   }
 }

app/controllers/import/base_controller.rb

@@ -2,26 +2,16 @@ class Import::BaseController < ApplicationController
   private
   def find_or_create_namespace(names, owner)
-    return current_user.namespace if names == owner
-    return current_user.namespace unless current_user.can_create_group?
-
     names = params[:target_namespace].presence || names
-    full_path_namespace = Namespace.find_by_full_path(names)
-    return full_path_namespace if full_path_namespace
-    names.split('/').inject(nil) do |parent, name|
-      begin
-        namespace = Group.create!(name: name,
-                                  path: name,
-                                  owner: current_user,
-                                  parent: parent)
-        namespace.add_owner(current_user)
-        namespace
-      rescue ActiveRecord::RecordNotUnique, ActiveRecord::RecordInvalid
-        Namespace.where(parent: parent).find_by_path_or_name(name)
-      end
-    end
+    return current_user.namespace if names == owner
+
+    group = Groups::NestedCreateService.new(current_user, group_path: names).execute
+    group.errors.any? ? current_user.namespace : group
+  rescue => e
+    Gitlab::AppLogger.error(e)
+    current_user.namespace
   end
 end

app/finders/snippets_finder.rb

+# Snippets Finder
+#
+# Used to filter Snippets collections by a set of params
+#
+# Arguments.
+#
+# current_user - The current user, nil also can be used.
+# params:
+#   visibility (integer) - Individual snippet visibility: Public(20), internal(10) or private(0).
+#   project (Project) - Project related.
+#   author (User) - Author related.
+#
+# params are optional
 class SnippetsFinder < UnionFinder
-  attr_accessor :current_user, :params
+  include Gitlab::Allowable
+  attr_accessor :current_user, :params, :project
   def initialize(current_user, params = {})
     @current_user = current_user
     @params = params
+    @project = params[:project]
   end
   def execute
     items = init_collection
-    items = by_project(items)
     items = by_author(items)
     items = by_visibility(items)
@@ -18,25 +32,42 @@ class SnippetsFinder < UnionFinder
   private
   def init_collection
-    items = Snippet.all
-    accessible(items)
+    if project.present?
+      authorized_snippets_from_project
+    else
+      authorized_snippets
+    end
+  end
+  def authorized_snippets_from_project
+    if can?(current_user, :read_project_snippet, project)
+      if project.team.member?(current_user)
+        project.snippets
+      else
+        project.snippets.public_to_user(current_user)
+      end
+    else
+      Snippet.none
+    end
   end
-  def accessible(items)
-    segments = []
-    segments << items.public_to_user(current_user)
-    segments << authorized_to_user(items)  if current_user
-    find_union(segments, Snippet.includes(:author))
+  def authorized_snippets
+    Snippet.where(feature_available_projects.or(not_project_related)).public_or_visible_to_user(current_user)
+  end
+  def feature_available_projects
+    projects = Project.public_or_visible_to_user(current_user)
+      .with_feature_available_for_user(:snippets, current_user).select(:id)
+    arel_query = Arel::Nodes::SqlLiteral.new(projects.to_sql)
+    table[:project_id].in(arel_query)
   end
-  def authorized_to_user(items)
-    items.where(
-      'author_id = :author_id
-       OR project_id IN (:project_ids)',
-       author_id: current_user.id,
-       project_ids: current_user.authorized_projects.select(:id))
+  def not_project_related
+    table[:project_id].eq(nil)
+  end
+
+  def table
+    Snippet.arel_table
   end
   def by_visibility(items)
@@ -53,12 +84,6 @@ class SnippetsFinder < UnionFinder
     items.where(author_id: params[:author].id)
   end
-  def by_project(items)
-    return items unless params[:project]
-
-    items.where(project_id: params[:project].id)
-  end
-
   def visibility_from_scope
     case params[:scope].to_s
     when 'are_private'

app/models/project.rb

@@ -1589,8 +1589,11 @@ class Project < ActiveRecord::Base
   end
   def protected_for?(ref)
-    ProtectedBranch.protected?(self, ref) ||
+    if repository.branch_exists?(ref)
+      ProtectedBranch.protected?(self, ref)
+    elsif repository.tag_exists?(ref)
       ProtectedTag.protected?(self, ref)
+    end
   end
   def deployment_variables

app/models/snippet.rb

@@ -74,6 +74,27 @@ class Snippet < ActiveRecord::Base
     @link_reference_pattern ||= super("snippets", /(?<snippet>\d+)/)
   end
+  # Returns a collection of snippets that are either public or visible to the
+  # logged in user.
+  #
+  # This method does not verify the user actually has the access to the project
+  # the snippet is in, so it should be only used on a relation that's already scoped
+  # for project access
+  def self.public_or_visible_to_user(user = nil)
+    if user
+      authorized = user
+        .project_authorizations
+        .select(1)
+        .where('project_authorizations.project_id = snippets.project_id')
+
+      levels = Gitlab::VisibilityLevel.levels_for_user(user)
+
+      where('EXISTS (?) OR snippets.visibility_level IN (?) or snippets.author_id = (?)', authorized, levels, user.id)
+    else
+      public_to_user
+    end
+  end
+
   def to_reference(from = nil, full: false)
     reference = "#{self.class.reference_prefix}#{id}"

app/policies/project_policy.rb

@@ -119,7 +119,6 @@ class ProjectPolicy < BasePolicy
     enable :create_note
     enable :upload_file
     enable :read_cycle_analytics
-    enable :read_project_snippet
   end
   rule { can?(:reporter_access) }.policy do