Merge remote-tracking branch 'origin/master' into zj-mattermost-slash-config

GITLAB_WORKHORSE_VERSION

-1.2.0
+1.2.1

app/assets/javascripts/environments/components/environment.js.es6

@@ -18,7 +18,7 @@
    * The environments array is a recursive tree structure and we need to filter
    * both root level environments and children environments.
    *
-   * In order to acomplish that, both `filterState` and `filterEnvironmnetsByState`
+   * In order to acomplish that, both `filterState` and `filterEnvironmentsByState`
    * functions work together.
    * The first one works as the filter that verifies if the given environment matches
    * the given state.
@@ -34,9 +34,9 @@
    * @param {Array} array
    * @return {Array}
    */
-  const filterEnvironmnetsByState = (fn, arr) => arr.map((item) => {
+  const filterEnvironmentsByState = (fn, arr) => arr.map((item) => {
     if (item.children) {
-      const filteredChildren = filterEnvironmnetsByState(fn, item.children).filter(Boolean);
+      const filteredChildren = filterEnvironmentsByState(fn, item.children).filter(Boolean);
       if (filteredChildren.length) {
         item.children = filteredChildren;
         return item;
@@ -76,12 +76,13 @@
         helpPagePath: environmentsData.helpPagePath,
         commitIconSvg: environmentsData.commitIconSvg,
         playIconSvg: environmentsData.playIconSvg,
+        terminalIconSvg: environmentsData.terminalIconSvg,
       };
     },
 
     computed: {
       filteredEnvironments() {
-        return filterEnvironmnetsByState(filterState(this.visibility), this.state.environments);
+        return filterEnvironmentsByState(filterState(this.visibility), this.state.environments);
       },
 
       scope() {
@@ -102,7 +103,7 @@
     },
 
     /**
-     * Fetches all the environmnets and stores them.
+     * Fetches all the environments and stores them.
      * Toggles loading property.
      */
     created() {
@@ -230,6 +231,7 @@
                     :can-create-deployment="canCreateDeploymentParsed"
                     :can-read-environment="canReadEnvironmentParsed"
                     :play-icon-svg="playIconSvg"
+                    :terminal-icon-svg="terminalIconSvg"
                     :commit-icon-svg="commitIconSvg"></tr>
 
                   <tr v-if="model.isOpen && model.children && model.children.length > 0"
@@ -240,6 +242,7 @@
                     :can-create-deployment="canCreateDeploymentParsed"
                     :can-read-environment="canReadEnvironmentParsed"
                     :play-icon-svg="playIconSvg"
+                    :terminal-icon-svg="terminalIconSvg"
                     :commit-icon-svg="commitIconSvg">
                     </tr>
 

app/assets/javascripts/environments/components/environment_item.js.es6

@@ -8,6 +8,7 @@
 /*= require ./environment_external_url */
 /*= require ./environment_stop */
 /*= require ./environment_rollback */
+/*= require ./environment_terminal_button */
 
 (() => {
   /**
@@ -33,6 +34,7 @@
       'external-url-component': window.gl.environmentsList.ExternalUrlComponent,
       'stop-component': window.gl.environmentsList.StopComponent,
       'rollback-component': window.gl.environmentsList.RollbackComponent,
+      'terminal-button-component': window.gl.environmentsList.TerminalButtonComponent,
     },
 
     props: {
@@ -68,6 +70,12 @@
         type: String,
         required: false,
       },
+
+      terminalIconSvg: {
+        type: String,
+        required: false,
+      },
+
     },
 
     data() {
@@ -506,6 +514,14 @@
               </stop-component>
             </div>
 
+            <div v-if="model.terminal_path"
+              class="inline js-terminal-button-container">
+              <terminal-button-component
+                :terminal-icon-svg="terminalIconSvg"
+                :terminal-path="model.terminal_path">
+              </terminal-button-component>
+            </div>
+
             <div v-if="canRetry && canCreateDeployment"
               class="inline js-rollback-component-container">
               <rollback-component

app/assets/javascripts/environments/components/environment_terminal_button.js.es6

+/*= require vue */
+/* global Vue */
+
+(() => {
+  window.gl = window.gl || {};
+  window.gl.environmentsList = window.gl.environmentsList || {};
+
+  window.gl.environmentsList.TerminalButtonComponent = Vue.component('terminal-button-component', {
+    props: {
+      terminalPath: {
+        type: String,
+        default: '',
+      },
+      terminalIconSvg: {
+        type: String,
+        default: '',
+      },
+    },
+
+    template: `
+      <a class="btn terminal-button"
+        :href="terminalPath">
+        <span class="js-terminal-icon-container" v-html="terminalIconSvg"></span>
+      </a>
+    `,
+  });
+})();

app/assets/javascripts/terminal/terminal.js.es6

+/* global Terminal */
+
+(() => {
+  class GLTerminal {
+
+    constructor(options) {
+      this.options = options || {};
+
+      this.options.cursorBlink = options.cursorBlink || true;
+      this.options.screenKeys = options.screenKeys || true;
+      this.container = document.querySelector(options.selector);
+
+      this.setSocketUrl();
+      this.createTerminal();
+      $(window).off('resize.terminal').on('resize.terminal', () => {
+        this.terminal.fit();
+      });
+    }
+
+    setSocketUrl() {
+      const { protocol, hostname, port } = window.location;
+      const wsProtocol = protocol === 'https:' ? 'wss://' : 'ws://';
+      const path = this.container.dataset.projectPath;
+
+      this.socketUrl = `${wsProtocol}${hostname}:${port}${path}`;
+    }
+
+    createTerminal() {
+      this.terminal = new Terminal(this.options);
+      this.socket = new WebSocket(this.socketUrl, ['terminal.gitlab.com']);
+      this.socket.binaryType = 'arraybuffer';
+
+      this.terminal.open(this.container);
+      this.socket.onopen = () => { this.runTerminal(); };
+      this.socket.onerror = () => { this.handleSocketFailure(); };
+    }
+
+    runTerminal() {
+      const decoder = new TextDecoder('utf-8');
+      const encoder = new TextEncoder('utf-8');
+
+      this.terminal.on('data', (data) => {
+        this.socket.send(encoder.encode(data));
+      });
+
+      this.socket.addEventListener('message', (ev) => {
+        this.terminal.write(decoder.decode(ev.data));
+      });
+
+      this.isTerminalInitialized = true;
+      this.terminal.fit();
+    }
+
+    handleSocketFailure() {
+      this.terminal.write('\r\nConnection failure');
+    }
+
+  }
+
+  window.gl = window.gl || {};
+  gl.Terminal = GLTerminal;
+})();

app/assets/javascripts/terminal/terminal_bundle.js.es6

+//= require xterm/xterm.js
+//= require xterm/fit.js
+//= require ./terminal.js
+
+$(() => new gl.Terminal({ selector: '#terminal' }));

app/assets/stylesheets/framework/avatar.scss

@@ -64,7 +64,7 @@
   &.s32 { font-size: 20px; line-height: 30px; }
   &.s40 { font-size: 16px; line-height: 38px; }
   &.s60 { font-size: 32px; line-height: 58px; }
-  &.s70 { font-size: 34px; line-height: 68px; }
+  &.s70 { font-size: 34px; line-height: 70px; }
   &.s90 { font-size: 36px; line-height: 88px; }
   &.s110 { font-size: 40px; line-height: 108px; font-weight: 300; }
   &.s140 { font-size: 72px; line-height: 138px; }

app/assets/stylesheets/framework/buttons.scss

@@ -230,6 +230,13 @@
   }
 }
 
+.btn-terminal {
+  svg {
+    height: 14px;
+    width: 18px;
+  }
+}
+
 .btn-lg {
   padding: 12px 20px;
 }

app/assets/stylesheets/pages/pipelines.scss

@@ -726,3 +726,23 @@
     padding: 5px 5px 5px 7px;
   }
 }
+
+.terminal-icon {
+  margin-left: 3px;
+}
+
+.terminal-container {
+  .content-block {
+    border-bottom: none;
+  }
+
+  #terminal {
+    margin-top: 10px;
+    min-height: 450px;
+    box-sizing: border-box;
+
+    > div {
+      min-height: 450px;
+    }
+  }
+}

app/assets/stylesheets/pages/projects.scss

@@ -93,7 +93,6 @@
   .group-avatar {
     float: none;
     margin: 0 auto;
-    border: none;
 
     &.identicon {
       border-radius: 50%;

app/controllers/application_controller.rb

@@ -25,7 +25,7 @@ class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception
 
   helper_method :can?, :current_application_settings
-  helper_method :import_sources_enabled?, :github_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled?
+  helper_method :import_sources_enabled?, :github_import_enabled?, :gitea_import_enabled?, :github_import_configured?, :gitlab_import_enabled?, :gitlab_import_configured?, :bitbucket_import_enabled?, :bitbucket_import_configured?, :google_code_import_enabled?, :fogbugz_import_enabled?, :git_import_enabled?, :gitlab_project_import_enabled?
 
   rescue_from Encoding::CompatibilityError do |exception|
     log_exception(exception)
@@ -245,6 +245,10 @@ class ApplicationController < ActionController::Base
     current_application_settings.import_sources.include?('github')
   end
 
+  def gitea_import_enabled?
+    current_application_settings.import_sources.include?('gitea')
+  end
+
   def github_import_configured?
     Gitlab::OAuth::Provider.enabled?(:github)
   end

app/controllers/import/gitea_controller.rb

+class Import::GiteaController < Import::GithubController
+  def new
+    if session[access_token_key].present? && session[host_key].present?
+      redirect_to status_import_url
+    end
+  end
+
+  def personal_access_token
+    session[host_key] = params[host_key]
+    super
+  end
+
+  def status
+    @gitea_host_url = session[host_key]
+    super
+  end
+
+  private
+
+  def host_key
+    :"#{provider}_host_url"
+  end
+
+  # Overriden methods
+  def provider
+    :gitea
+  end
+
+  # Gitea is not yet an OAuth provider
+  # See https://github.com/go-gitea/gitea/issues/27
+  def logged_in_with_provider?
+    false
+  end
+
+  def provider_auth
+    if session[access_token_key].blank? || session[host_key].blank?
+      redirect_to new_import_gitea_url,
+        alert: 'You need to specify both an Access Token and a Host URL.'
+    end
+  end
+
+  def client_options
+    { host: session[host_key], api_version: 'v1' }
+  end
+end

app/controllers/import/github_controller.rb

 class Import::GithubController < Import::BaseController
-  before_action :verify_github_import_enabled
-  before_action :github_auth, only: [:status, :jobs, :create]
+  before_action :verify_import_enabled
+  before_action :provider_auth, only: [:status, :jobs, :create]
 
-  rescue_from Octokit::Unauthorized, with: :github_unauthorized
-
-  helper_method :logged_in_with_github?
+  rescue_from Octokit::Unauthorized, with: :provider_unauthorized
 
   def new
-    if logged_in_with_github?
-      go_to_github_for_permissions
-    elsif session[:github_access_token]
-      redirect_to status_import_github_url
+    if logged_in_with_provider?
+      go_to_provider_for_permissions
+    elsif session[access_token_key]
+      redirect_to status_import_url
     end
   end
 
   def callback
-    session[:github_access_token] = client.get_token(params[:code])
-    redirect_to status_import_github_url
+    session[access_token_key] = client.get_token(params[:code])
+    redirect_to status_import_url
   end
 
   def personal_access_token
-    session[:github_access_token] = params[:personal_access_token]
-    redirect_to status_import_github_url
+    session[access_token_key] = params[:personal_access_token]
+    redirect_to status_import_url
   end
 
   def status
     @repos = client.repos
-    @already_added_projects = current_user.created_projects.where(import_type: "github")
+    @already_added_projects = current_user.created_projects.where(import_type: provider)
     already_added_projects_names = @already_added_projects.pluck(:import_source)
 
-    @repos.reject!{ |repo| already_added_projects_names.include? repo.full_name }
+    @repos.reject! { |repo| already_added_projects_names.include? repo.full_name }
   end
 
   def jobs
-    jobs = current_user.created_projects.where(import_type: "github").to_json(only: [:id, :import_status])
+    jobs = current_user.created_projects.where(import_type: provider).to_json(only: [:id, :import_status])
     render json: jobs
   end
 
@@ -44,8 +42,8 @@ class Import::GithubController < Import::BaseController
     namespace_path = params[:target_namespace].presence || current_user.namespace_path
     @target_namespace = find_or_create_namespace(namespace_path, current_user.namespace_path)
 
-    if current_user.can?(:create_projects, @target_namespace)
-      @project = Gitlab::GithubImport::ProjectCreator.new(repo, @project_name, @target_namespace, current_user, access_params).execute
+    if can?(current_user, :create_projects, @target_namespace)
+      @project = Gitlab::GithubImport::ProjectCreator.new(repo, @project_name, @target_namespace, current_user, access_params, type: provider).execute
     else
       render 'unauthorized'
     end
@@ -54,34 +52,63 @@ class Import::GithubController < Import::BaseController
   private
 
   def client
-    @client ||= Gitlab::GithubImport::Client.new(session[:github_access_token])
+    @client ||= Gitlab::GithubImport::Client.new(session[access_token_key], client_options)
   end
 
-  def verify_github_import_enabled
-    render_404 unless github_import_enabled?
+  def verify_import_enabled
+    render_404 unless import_enabled?
   end
 
-  def github_auth
-    if session[:github_access_token].blank?
-      go_to_github_for_permissions
-    end
+  def go_to_provider_for_permissions
+    redirect_to client.authorize_url(callback_import_url)
   end
 
-  def go_to_github_for_permissions
-    redirect_to client.authorize_url(callback_import_github_url)
+  def import_enabled?
+    __send__("#{provider}_import_enabled?")
   end
 
-  def github_unauthorized
-    session[:github_access_token] = nil
-    redirect_to new_import_github_url,
-      alert: 'Access denied to your GitHub account.'
+  def new_import_url
+    public_send("new_import_#{provider}_url")
   end
 
-  def logged_in_with_github?
-    current_user.identities.exists?(provider: 'github')
+  def status_import_url
+    public_send("status_import_#{provider}_url")
+  end
+
+  def callback_import_url
+    public_send("callback_import_#{provider}_url")
+  end
+
+  def provider_unauthorized
+    session[access_token_key] = nil
+    redirect_to new_import_url,
+      alert: "Access denied to your #{Gitlab::ImportSources.title(provider.to_s)} account."
+  end
+
+  def access_token_key
+    :"#{provider}_access_token"
   end
 
   def access_params
-    { github_access_token: session[:github_access_token] }
+    { github_access_token: session[access_token_key] }
+  end
+
+  # The following methods are overriden in subclasses
+  def provider
+    :github
+  end
+
+  def logged_in_with_provider?
+    current_user.identities.exists?(provider: provider)
+  end
+
+  def provider_auth
+    if session[access_token_key].blank?
+      go_to_provider_for_permissions
+    end
+  end
+
+  def client_options
+    {}
   end
 end

app/controllers/projects/environments_controller.rb

@@ -4,17 +4,19 @@ class Projects::EnvironmentsController < Projects::ApplicationController
   before_action :authorize_create_environment!, only: [:new, :create]
   before_action :authorize_create_deployment!, only: [:stop]
   before_action :authorize_update_environment!, only: [:edit, :update]
-  before_action :environment, only: [:show, :edit, :update, :stop]
+  before_action :authorize_admin_environment!, only: [:terminal, :terminal_websocket_authorize]
+  before_action :environment, only: [:show, :edit, :update, :stop, :terminal, :terminal_websocket_authorize]
+  before_action :verify_api_request!, only: :terminal_websocket_authorize
 
   def index
     @scope = params[:scope]
     @environments = project.environments
-  
+
     respond_to do |format|
       format.html
       format.json do
         render json: EnvironmentSerializer
-          .new(project: @project)
+          .new(project: @project, user: current_user)
           .represent(@environments)
       end
     end
@@ -56,8 +58,33 @@ class Projects::EnvironmentsController < Projects::ApplicationController
     redirect_to polymorphic_path([project.namespace.becomes(Namespace), project, new_action])
   end
 
+  def terminal
+    # Currently, this acts as a hint to load the terminal details into the cache
+    # if they aren't there already. In the future, users will need these details
+    # to choose between terminals to connect to.
+    @terminals = environment.terminals
+  end
+
+  # GET .../terminal.ws : implemented in gitlab-workhorse
+  def terminal_websocket_authorize
+    # Just return the first terminal for now. If the list is in the process of
+    # being looked up, this may result in a 404 response, so the frontend
+    # should retry those errors
+    terminal = environment.terminals.try(:first)
+    if terminal
+      set_workhorse_internal_api_content_type
+      render json: Gitlab::Workhorse.terminal_websocket(terminal)
+    else
+      render text: 'Not found', status: 404
+    end
+  end
+
   private
 
+  def verify_api_request!
+    Gitlab::Workhorse.verify_api_request!(request.headers)
+  end
+
   def environment_params
     params.require(:environment).permit(:name, :external_url)
   end

app/helpers/import_helper.rb

@@ -4,8 +4,10 @@ module ImportHelper
     "#{namespace}/#{name}"
   end
 
-  def github_project_link(path_with_namespace)
-    link_to path_with_namespace, github_project_url(path_with_namespace), target: '_blank'
+  def provider_project_link(provider, path_with_namespace)
+    url = __send__("#{provider}_project_url", path_with_namespace)
+
+    link_to path_with_namespace, url, target: '_blank'
   end
 
   private
@@ -20,4 +22,8 @@ module ImportHelper
     provider = Gitlab.config.omniauth.providers.find { |p| p.name == 'github' }
     @github_url = provider.fetch('url', 'https://github.com') if provider
   end
+
+  def gitea_project_url(path_with_namespace)
+    "#{@gitea_host_url.sub(%r{/+\z}, '')}/#{path_with_namespace}"
+  end
 end

app/models/concerns/milestoneish.rb

 module Milestoneish
   def closed_items_count(user)
-    issues_visible_to_user(user).closed.size + merge_requests.closed_and_merged.size
+    memoize_per_user(user, :closed_items_count) do
+      (count_issues_by_state(user)['closed'] || 0) + merge_requests.closed_and_merged.size
+    end
   end
 
   def total_items_count(user)
-    issues_visible_to_user(user).size + merge_requests.size
+    memoize_per_user(user, :total_items_count) do
+      issues_count = count_issues_by_state(user).values.sum
+      issues_count + merge_requests.size
+    end
   end
 
   def complete?(user)
@@ -30,7 +35,10 @@ module Milestoneish
   end
 
   def issues_visible_to_user(user)
-    IssuesFinder.new(user).execute.where(id: issues)
+    memoize_per_user(user, :issues_visible_to_user) do
+      params = try(:project_id) ? { project_id: project_id } : {}
+      IssuesFinder.new(user, params).execute.where(milestone_id: milestoneish_ids)
+    end
   end
 
   def upcoming?
@@ -50,4 +58,18 @@ module Milestoneish
   def expired?
     due_date && due_date.past?
   end
+
+  private
+
+  def count_issues_by_state(user)
+    memoize_per_user(user, :count_issues_by_state) do
+      issues_visible_to_user(user).reorder(nil).group(:state).count
+    end
+  end
+
+  def memoize_per_user(user, method_name)
+    @memoized ||= {}
+    @memoized[method_name] ||= {}
+    @memoized[method_name][user.try!(:id)] ||= yield
+  end
 end

app/models/concerns/reactive_caching.rb

+# The ReactiveCaching concern is used to fetch some data in the background and
+# store it in the Rails cache, keeping it up-to-date for as long as it is being
+# requested.  If the data hasn't been requested for +reactive_cache_lifetime+,
+# it stop being refreshed, and then be removed.
+#
+# Example of use:
+#
+#    class Foo < ActiveRecord::Base
+#      include ReactiveCaching
+#
+#      self.reactive_cache_key = ->(thing) { ["foo", thing.id] }
+#
+#      after_save :clear_reactive_cache!
+#
+#      def calculate_reactive_cache
+#        # Expensive operation here. The return value of this method is cached
+#      end
+#
+#      def result
+#        with_reactive_cache do |data|
+#          # ...
+#        end
+#      end
+#    end
+#
+# In this example, the first time `#result` is called, it will return `nil`.
+# However, it will enqueue a background worker to call `#calculate_reactive_cache`
+# and set an initial cache lifetime of ten minutes.
+#
+# Each time the background job completes, it stores the return value of
+# `#calculate_reactive_cache`. It is also re-enqueued to run again after
+# `reactive_cache_refresh_interval`, so keeping the stored value up to date.
+# Calculations are never run concurrently.
+#
+# Calling `#result` while a value is in the cache will call the block given to
+# `#with_reactive_cache`, yielding the cached value. It will also extend the
+# lifetime by `reactive_cache_lifetime`.
+#
+# Once the lifetime has expired, no more background jobs will be enqueued and
+# calling `#result` will again return `nil` - starting the process all over
+# again
+module ReactiveCaching
+  extend ActiveSupport::Concern
+
+  included do
+    class_attribute :reactive_cache_lease_timeout
+
+    class_attribute :reactive_cache_key
+    class_attribute :reactive_cache_lifetime
+    class_attribute :reactive_cache_refresh_interval
+
+    # defaults
+    self.reactive_cache_lease_timeout = 2.minutes
+
+    self.reactive_cache_refresh_interval = 1.minute
+    self.reactive_cache_lifetime = 10.minutes
+
+    def calculate_reactive_cache
+      raise NotImplementedError
+    end
+
+    def with_reactive_cache(&blk)
+      within_reactive_cache_lifetime do
+        data = Rails.cache.read(full_reactive_cache_key)
+        yield data if data.present?
+      end
+    ensure
+      Rails.cache.write(full_reactive_cache_key('alive'), true, expires_in: self.class.reactive_cache_lifetime)
+      ReactiveCachingWorker.perform_async(self.class, id)
+    end
+
+    def clear_reactive_cache!
+      Rails.cache.delete(full_reactive_cache_key)
+    end
+
+    def exclusively_update_reactive_cache!
+      locking_reactive_cache do
+        within_reactive_cache_lifetime do
+          enqueuing_update do
+            value = calculate_reactive_cache
+            Rails.cache.write(full_reactive_cache_key, value)
+          end
+        end
+      end
+    end
+
+    private
+
+    def full_reactive_cache_key(*qualifiers)
+      prefix = self.class.reactive_cache_key
+      prefix = prefix.call(self) if prefix.respond_to?(:call)
+
+      ([prefix].flatten + qualifiers).join(':')
+    end
+
+    def locking_reactive_cache
+      lease = Gitlab::ExclusiveLease.new(full_reactive_cache_key, timeout: reactive_cache_lease_timeout)
+      uuid = lease.try_obtain
+      yield if uuid
+    ensure
+      Gitlab::ExclusiveLease.cancel(full_reactive_cache_key, uuid)
+    end
+
+    def within_reactive_cache_lifetime
+      yield if Rails.cache.read(full_reactive_cache_key('alive'))
+    end
+
+    def enqueuing_update
+      yield
+    ensure
+      ReactiveCachingWorker.perform_in(self.class.reactive_cache_refresh_interval, self.class, id)
+    end
+  end
+end

app/models/environment.rb

@@ -128,6 +128,14 @@ class Environment < ActiveRecord::Base
     end
   end
 
+  def has_terminals?
+    project.deployment_service.present? && available? && last_deployment.present?
+  end
+
+  def terminals
+    project.deployment_service.terminals(self) if has_terminals?
+  end
+
   # An environment name is not necessarily suitable for use in URLs, DNS
   # or other third-party contexts, so provide a slugified version. A slug has
   # the following properties:

app/models/global_milestone.rb

@@ -24,12 +24,16 @@ class GlobalMilestone
     @first_milestone = milestones.find {|m| m.description.present? } || milestones.first
   end
 
+  def milestoneish_ids
+    milestones.select(:id)
+  end
+
   def safe_title
     @title.to_slug.normalize.to_s
   end
 
   def projects
-    @projects ||= Project.for_milestones(milestones.select(:id))
+    @projects ||= Project.for_milestones(milestoneish_ids)
   end
 
   def state
@@ -49,11 +53,11 @@ class GlobalMilestone
   end
 
   def issues
-    @issues ||= Issue.of_milestones(milestones.select(:id)).includes(:project, :assignee, :labels)
+    @issues ||= Issue.of_milestones(milestoneish_ids).includes(:project, :assignee, :labels)
   end
 
   def merge_requests
-    @merge_requests ||= MergeRequest.of_milestones(milestones.select(:id)).includes(:target_project, :assignee, :labels)
+    @merge_requests ||= MergeRequest.of_milestones(milestoneish_ids).includes(:target_project, :assignee, :labels)
   end
 
   def participants

app/models/milestone.rb

@@ -129,6 +129,10 @@ class Milestone < ActiveRecord::Base
     self.title
   end
 
+  def milestoneish_ids
+    id
+  end
+
   def can_be_closed?
     active? && issues.opened.count.zero?
   end

app/models/project.rb

@@ -533,6 +533,10 @@ class Project < ActiveRecord::Base
     import_type == 'gitlab_project'
   end
 
+  def gitea_import?
+    import_type == 'gitea'
+  end
+
   def check_limit
     unless creator.can_create_project? or namespace.kind == 'group'
       projects_limit = creator.projects_limit

app/models/project_authorization.rb

@@ -5,4 +5,17 @@ class ProjectAuthorization < ActiveRecord::Base
   validates :project, presence: true
   validates :access_level, inclusion: { in: Gitlab::Access.all_values }, presence: true
   validates :user, uniqueness: { scope: [:project, :access_level] }, presence: true
+
+  def self.insert_authorizations(rows, per_batch = 1000)
+    rows.each_slice(per_batch) do |slice|
+      tuples = slice.map do |tuple|
+        tuple.map { |value| connection.quote(value) }
+      end
+
+      connection.execute <<-EOF.strip_heredoc
+      INSERT INTO project_authorizations (user_id, project_id, access_level)
+      VALUES #{tuples.map { |tuple| "(#{tuple.join(', ')})" }.join(', ')}
+      EOF
+    end
+  end
 end

app/models/project_services/deployment_service.rb

@@ -12,4 +12,22 @@ class DeploymentService < Service
   def predefined_variables
     []
   end
+
+  # Environments may have a number of terminals. Should return an array of
+  # hashes describing them, e.g.:
+  #
+  #     [{
+  #       :selectors    => {"a" => "b", "foo" => "bar"},
+  #       :url          => "wss://external.example.com/exec",
+  #       :headers      => {"Authorization" => "Token xxx"},
+  #       :subprotocols => ["foo"],
+  #       :ca_pem       => "----BEGIN CERTIFICATE...", # optional
+  #       :created_at   => Time.now.utc
+  #     }]
+  #
+  # Selectors should be a set of values that uniquely identify a particular
+  # terminal
+  def terminals(environment)
+    raise NotImplementedError
+  end
 end

app/models/project_services/kubernetes_service.rb

 class KubernetesService < DeploymentService
+  include Gitlab::Kubernetes
+  include ReactiveCaching
+
+  self.reactive_cache_key = ->(service) { [ service.class.model_name.singular, service.project_id ] }
+
   # Namespace defaults to the project path, but can be overridden in case that
   # is an invalid or inappropriate name
   prop_accessor :namespace
@@ -25,6 +30,8 @@ class KubernetesService < DeploymentService
       length: 1..63
   end
 
+  after_save :clear_reactive_cache!
+
   def initialize_properties
     if properties.nil?
       self.properties = {}
@@ -41,7 +48,8 @@ class KubernetesService < DeploymentService
   end
 
   def help
-    ''
+    'To enable terminal access to Kubernetes environments, label your ' \
+    'deployments with `app=$CI_ENVIRONMENT_SLUG`'
   end
 
   def to_param
@@ -75,9 +83,9 @@ class KubernetesService < DeploymentService
 
   # Check we can connect to the Kubernetes API
   def test(*args)
-    kubeclient = build_kubeclient
-    kubeclient.discover
+    kubeclient = build_kubeclient!
 
+    kubeclient.discover
     { success: kubeclient.discovered, result: "Checked API discovery endpoint" }
   rescue => err
     { success: false, result: err }
@@ -93,20 +101,48 @@ class KubernetesService < DeploymentService
     variables
   end
 
-  private
+  # Constructs a list of terminals from the reactive cache
+  #
+  # Returns nil if the cache is empty, in which case you should try again a
+  # short time later
+  def terminals(environment)
+    with_reactive_cache do |data|
+      pods = data.fetch(:pods, nil)
+      filter_pods(pods, app: environment.slug).
+        flat_map { |pod| terminals_for_pod(api_url, namespace, pod) }.
+        map { |terminal| add_terminal_auth(terminal, token, ca_pem) }
+    end
+  end
 
-  def build_kubeclient(api_path = '/api', api_version = 'v1')
-    return nil unless api_url && namespace && token
+  # Caches all pods in the namespace so other calls don't need to block on
+  # network access.
+  def calculate_reactive_cache
+    return unless active? && project && !project.pending_delete?
 
-    url = URI.parse(api_url)
-    url.path = url.path[0..-2] if url.path[-1] == "/"
-    url.path += api_path
+    kubeclient = build_kubeclient!
+
+    # Store as hashes, rather than as third-party types
+    pods = begin
+      kubeclient.get_pods(namespace: namespace).as_json
+    rescue KubeException => err
+      raise err unless err.error_code == 404
+      []
+    end
+
+    # We may want to cache extra things in the future
+    { pods: pods }
+  end
+
+  private
+
+  def build_kubeclient!(api_path: 'api', api_version: 'v1')
+    raise "Incomplete settings" unless api_url && namespace && token
 
     ::Kubeclient::Client.new(
-      url,
+      join_api_url(api_path),
       api_version,
-      ssl_options: kubeclient_ssl_options,
       auth_options: kubeclient_auth_options,
+      ssl_options: kubeclient_ssl_options,
       http_proxy_uri: ENV['http_proxy']
     )
   end
@@ -125,4 +161,13 @@ class KubernetesService < DeploymentService
   def kubeclient_auth_options
     { bearer_token: token }
   end
+
+  def join_api_url(*parts)
+    url = URI.parse(api_url)
+    prefix = url.path.sub(%r{/+\z}, '')
+
+    url.path = [ prefix, *parts ].join("/")
+
+    url.to_s
+  end
 end

app/models/user.rb

@@ -311,10 +311,6 @@ class User < ActiveRecord::Base
       find_by(id: Key.unscoped.select(:user_id).where(id: key_id))
     end
 
-    def build_user(attrs = {})
-      User.new(attrs)
-    end
-
     def reference_prefix
       '@'
     end
@@ -443,22 +439,16 @@ class User < ActiveRecord::Base
   end
 
   def refresh_authorized_projects
-    transaction do
-      project_authorizations.delete_all
-
-      # project_authorizations_union can return multiple records for the same
-      # project/user with different access_level so we take row with the maximum
-      # access_level
-      project_authorizations.connection.execute <<-SQL
-      INSERT INTO project_authorizations (user_id, project_id, access_level)
-      SELECT user_id, project_id, MAX(access_level) AS access_level
-      FROM (#{project_authorizations_union.to_sql}) sub
-      GROUP BY user_id, project_id
-      SQL
-
-      unless authorized_projects_populated
-        update_column(:authorized_projects_populated, true)
-      end
+    Users::RefreshAuthorizedProjectsService.new(self).execute
+  end
+
+  def remove_project_authorizations(project_ids)
+    project_authorizations.where(id: project_ids).delete_all
+  end
+
+  def set_authorized_projects_column
+    unless authorized_projects_populated
+      update_column(:authorized_projects_populated, true)
     end
   end
 
@@ -905,18 +895,6 @@ class User < ActiveRecord::Base
 
   private
 
-  # Returns a union query of projects that the user is authorized to access
-  def project_authorizations_union
-    relations = [
-      personal_projects.select("#{id} AS user_id, projects.id AS project_id, #{Gitlab::Access::MASTER} AS access_level"),
-      groups_projects.select_for_project_authorization,
-      projects.select_for_project_authorization,
-      groups.joins(:shared_projects).select_for_project_authorization
-    ]
-
-    Gitlab::SQL::Union.new(relations)
-  end
-
   def ci_projects_union
     scope  = { access_level: [Gitlab::Access::MASTER, Gitlab::Access::OWNER] }
     groups = groups_projects.where(members: scope)

app/serializers/environment_entity.rb

@@ -23,5 +23,13 @@ class EnvironmentEntity < Grape::Entity
       environment)
   end
 
+  expose :terminal_path, if: ->(environment, _) { environment.has_terminals? } do |environment|
+    can?(request.user, :admin_environment, environment.project) &&
+      terminal_namespace_project_environment_path(
+        environment.project.namespace,
+        environment.project,
+        environment)
+  end
+
   expose :created_at, :updated_at
 end

app/serializers/request_aware_entity.rb

@@ -8,4 +8,8 @@ module RequestAwareEntity
   def request
     @options.fetch(:request)
   end
+
+  def can?(object, action, subject)
+    Ability.allowed?(object, action, subject)
+  end
 end

app/services/projects/import_service.rb

@@ -4,15 +4,6 @@ module Projects
 
     class Error < StandardError; end
 
-    ALLOWED_TYPES = [
-      'bitbucket',
-      'fogbugz',
-      'gitlab',
-      'github',
-      'google_code',
-      'gitlab_project'
-    ]
-
     def execute
       add_repository_to_project unless project.gitlab_project_import?
 
@@ -64,14 +55,11 @@ module Projects
     end
 
     def has_importer?
-      ALLOWED_TYPES.include?(project.import_type)
+      Gitlab::ImportSources.importer_names.include?(project.import_type)
     end
 
     def importer
-      return Gitlab::ImportExport::Importer.new(project) if @project.gitlab_project_import?
-
-      class_name = "Gitlab::#{project.import_type.camelize}Import::Importer"
-      class_name.constantize.new(project)
+      Gitlab::ImportSources.importer(project.import_type).new(project)
     end
 
     def unknown_url?

app/services/system_note_service.rb

@@ -146,7 +146,7 @@ module SystemNoteService
   end
 
   def remove_merge_request_wip(noteable, project, author)
-    body = 'unmarked as a Work In Progress'
+    body = 'unmarked as a **Work In Progress**'
 
     create_note(noteable: noteable, project: project, author: author, note: body)
   end

app/services/users/refresh_authorized_projects_service.rb

+module Users
+  # Service for refreshing the authorized projects of a user.
+  #
+  # This particular service class can not be used to update data for the same
+  # user concurrently. Doing so could lead to an incorrect state. To ensure this
+  # doesn't happen a caller must synchronize access (e.g. using
+  # `Gitlab::ExclusiveLease`).
+  #
+  # Usage:
+  #
+  #     user = User.find_by(username: 'alice')
+  #     service = Users::RefreshAuthorizedProjectsService.new(some_user)
+  #     service.execute
+  class RefreshAuthorizedProjectsService
+    attr_reader :user
+
+    LEASE_TIMEOUT = 1.minute.to_i
+
+    # user - The User for which to refresh the authorized projects.
+    def initialize(user)
+      @user = user
+
+      # We need an up to date User object that has access to all relations that
+      # may have been created earlier. The only way to ensure this is to reload
+      # the User object.
+      user.reload
+    end
+
+    # This method returns the updated User object.
+    def execute
+      current = current_authorizations_per_project
+      fresh = fresh_access_levels_per_project
+
+      remove = current.each_with_object([]) do |(project_id, row), array|
+        # rows not in the new list or with a different access level should be
+        # removed.
+        if !fresh[project_id] || fresh[project_id] != row.access_level
+          array << row.id
+        end
+      end
+
+      add = fresh.each_with_object([]) do |(project_id, level), array|
+        # rows not in the old list or with a different access level should be
+        # added.
+        if !current[project_id] || current[project_id].access_level != level
+          array << [user.id, project_id, level]
+        end
+      end
+
+      update_with_lease(remove, add)
+    end
+
+    # Updates the list of authorizations using an exclusive lease.
+    def update_with_lease(remove = [], add = [])
+      lease_key = "refresh_authorized_projects:#{user.id}"
+      lease = Gitlab::ExclusiveLease.new(lease_key, timeout: LEASE_TIMEOUT)
+
+      until uuid = lease.try_obtain
+        # Keep trying until we obtain the lease. If we don't do so we may end up
+        # not updating the list of authorized projects properly. To prevent
+        # hammering Redis too much we'll wait for a bit between retries.
+        sleep(1)
+      end
+
+      begin
+        update_authorizations(remove, add)
+      ensure
+        Gitlab::ExclusiveLease.cancel(lease_key, uuid)
+      end
+    end
+
+    # Updates the list of authorizations for the current user.
+    #
+    # remove - The IDs of the authorization rows to remove.
+    # add - Rows to insert in the form `[user id, project id, access level]`
+    def update_authorizations(remove = [], add = [])
+      return if remove.empty? && add.empty?
+
+      User.transaction do
+        user.remove_project_authorizations(remove) unless remove.empty?
+        ProjectAuthorization.insert_authorizations(add) unless add.empty?
+        user.set_authorized_projects_column
+      end
+
+      # Since we batch insert authorization rows, Rails' associations may get
+      # out of sync. As such we force a reload of the User object.
+      user.reload
+    end
+
+    def fresh_access_levels_per_project
+      fresh_authorizations.each_with_object({}) do |row, hash|
+        hash[row.project_id] = row.access_level
+      end
+    end
+
+    def current_authorizations_per_project
+      current_authorizations.each_with_object({}) do |row, hash|
+        hash[row.project_id] = row
+      end
+    end
+
+    def current_authorizations
+      user.project_authorizations.select(:id, :project_id, :access_level)
+    end
+
+    def fresh_authorizations
+      ProjectAuthorization.
+        unscoped.
+        select('project_id, MAX(access_level) AS access_level').
+        from("(#{project_authorizations_union.to_sql}) #{ProjectAuthorization.table_name}").
+        group(:project_id)
+    end
+
+    private
+
+    # Returns a union query of projects that the user is authorized to access
+    def project_authorizations_union
+      relations = [
+        user.personal_projects.select("#{user.id} AS user_id, projects.id AS project_id, #{Gitlab::Access::MASTER} AS access_level"),
+        user.groups_projects.select_for_project_authorization,
+        user.projects.select_for_project_authorization,
+        user.groups.joins(:shared_projects).select_for_project_authorization
+      ]
+
+      Gitlab::SQL::Union.new(relations)
+    end
+  end
+end

app/views/import/_githubish_status.html.haml

+- provider = local_assigns.fetch(:provider)
+- provider_title = Gitlab::ImportSources.title(provider)
+
+%p.light
+  Select projects you want to import.
+%hr
+%p
+  = button_tag class: "btn btn-import btn-success js-import-all" do
+    Import all projects
+    = icon("spinner spin", class: "loading-icon")
+
+.table-responsive
+  %table.table.import-jobs
+    %colgroup.import-jobs-from-col
+    %colgroup.import-jobs-to-col
+    %colgroup.import-jobs-status-col
+    %thead
+      %tr
+        %th= "From #{provider_title}"
+        %th To GitLab
+        %th Status
+    %tbody
+      - @already_added_projects.each do |project|
+        %tr{id: "project_#{project.id}", class: "#{project_status_css_class(project.import_status)}"}
+          %td
+            = provider_project_link(provider, project.import_source)
+          %td
+            = link_to project.path_with_namespace, [project.namespace.becomes(Namespace), project]
+          %td.job-status
+            - if project.import_status == 'finished'
+              %span
+                %i.fa.fa-check
+                done
+            - elsif project.import_status == 'started'
+              %i.fa.fa-spinner.fa-spin
+              started
+            - else
+              = project.human_import_status_name
+
+      - @repos.each do |repo|
+        %tr{id: "repo_#{repo.id}"}
+          %td
+            = provider_project_link(provider, repo.full_name)
+          %td.import-target
+            %fieldset.row
+            .input-group
+              .project-path.input-group-btn
+                - if current_user.can_select_namespace?
+                  - selected = params[:namespace_id] || :current_user
+                  - opts = current_user.can_create_group? ? { extra_group: Group.new(name: repo.owner.login, path: repo.owner.login) } : {}
+                  = select_tag :namespace_id, namespaces_options(selected, opts.merge({ display_path: true })), { class: 'select2 js-select-namespace', tabindex: 1 }
+                - else
+                  = text_field_tag :path, current_user.namespace_path, class: "input-large form-control", tabindex: 1, disabled: true
+              %span.input-group-addon /
+              = text_field_tag :path, repo.name, class: "input-mini form-control", tabindex: 2, autofocus: true, required: true
+          %td.import-actions.job-status
+            = button_tag class: "btn btn-import js-add-to-import" do
+              Import
+              = icon("spinner spin", class: "loading-icon")
+
+.js-importer-status{ data: { jobs_import_path: "#{url_for([:jobs, :import, provider])}", import_path: "#{url_for([:import, provider])}" } }

app/views/import/gitea/new.html.haml

+- page_title "Gitea Import"
+- header_title "Projects", root_path
+
+%h3.page-title
+  = custom_icon('go_logo')
+  Import Projects from Gitea
+
+%p
+  To get started, please enter your Gitea Host URL and a
+  = succeed '.' do
+    = link_to 'Personal Access Token', 'https://github.com/gogits/go-gogs-client/wiki#access-token'
+
+= form_tag personal_access_token_import_gitea_path, class: 'form-horizontal' do
+  .form-group
+    = label_tag :gitea_host_url, 'Gitea Host URL', class: 'control-label'
+    .col-sm-4
+      = text_field_tag :gitea_host_url, nil, placeholder: 'https://try.gitea.io', class: 'form-control'
+  .form-group
+    = label_tag :personal_access_token, 'Personal Access Token', class: 'control-label'
+    .col-sm-4
+      = text_field_tag :personal_access_token, nil, class: 'form-control'
+  .form-actions
+    = submit_tag 'List Your Gitea Repositories', class: 'btn btn-create'

app/views/import/gitea/status.html.haml

+- page_title "Gitea Import"
+- header_title "Projects", root_path
+%h3.page-title
+  = custom_icon('go_logo')
+  Import Projects from Gitea
+
+= render 'import/githubish_status', provider: 'gitea'

app/views/import/github/status.html.haml

-- page_title "GitHub import"
+- page_title "GitHub Import"
 - header_title "Projects", root_path
 %h3.page-title
-  %i.fa.fa-github
-  Import projects from GitHub
+  = icon 'github', text: 'Import Projects from GitHub'
 
-%p.light
-  Select projects you want to import.
-%hr
-%p
-  = button_tag class: "btn btn-import btn-success js-import-all" do
-    Import all projects
-    = icon("spinner spin", class: "loading-icon")
-
-.table-responsive
-  %table.table.import-jobs
-    %colgroup.import-jobs-from-col
-    %colgroup.import-jobs-to-col
-    %colgroup.import-jobs-status-col
-    %thead
-      %tr
-        %th From GitHub
-        %th To GitLab
-        %th Status
-    %tbody
-      - @already_added_projects.each do |project|
-        %tr{id: "project_#{project.id}", class: "#{project_status_css_class(project.import_status)}"}
-          %td
-            = github_project_link(project.import_source)
-          %td
-            = link_to project.path_with_namespace, [project.namespace.becomes(Namespace), project]
-          %td.job-status
-            - if project.import_status == 'finished'
-              %span
-                %i.fa.fa-check
-                done
-            - elsif project.import_status == 'started'
-              %i.fa.fa-spinner.fa-spin
-              started
-            - else
-              = project.human_import_status_name
-
-      - @repos.each do |repo|
-        %tr{id: "repo_#{repo.id}"}
-          %td
-            = github_project_link(repo.full_name)
-          %td.import-target
-            %fieldset.row
-            .input-group
-              .project-path.input-group-btn
-                - if current_user.can_select_namespace?
-                  - selected = params[:namespace_id] || :current_user
-                  - opts = current_user.can_create_group? ? { extra_group: Group.new(name: repo.owner.login, path: repo.owner.login) } : {}
-                  = select_tag :namespace_id, namespaces_options(selected, opts.merge({ display_path: true })), { class: 'select2 js-select-namespace', tabindex: 1 }
-                - else
-                  = text_field_tag :path, current_user.namespace_path, class: "input-large form-control", tabindex: 1, disabled: true
-              %span.input-group-addon /
-              = text_field_tag :path, repo.name, class: "input-mini form-control", tabindex: 2, autofocus: true, required: true
-          %td.import-actions.job-status
-            = button_tag class: "btn btn-import js-add-to-import" do
-              Import
-              = icon("spinner spin", class: "loading-icon")
-
-.js-importer-status{ data: { jobs_import_path: "#{jobs_import_github_path}", import_path: "#{import_github_path}" } }
+= render 'import/githubish_status', provider: 'github'

app/views/projects/environments/_terminal_button.html.haml

+- if environment.has_terminals? && can?(current_user, :admin_environment, @project)
+  = link_to terminal_namespace_project_environment_path(@project.namespace, @project, environment), class: 'btn terminal-button' do
+    = icon('terminal')

app/views/projects/environments/index.html.haml

@@ -4,10 +4,6 @@
 
 - content_for :page_specific_javascripts do
   = page_specific_javascript_tag("environments/environments_bundle.js")
-.commit-icon-svg.hidden
-  = custom_icon("icon_commit")
-.play-icon-svg.hidden
-  = custom_icon("icon_play")
 
 #environments-list-view{ data: { environments_data: environments_list_data,
   "can-create-deployment" => can?(current_user, :create_deployment, @project).to_s,
@@ -19,4 +15,5 @@
   "help-page-path" => help_page_path("ci/environments"),
   "css-class" => container_class,
   "commit-icon-svg" => custom_icon("icon_commit"),
+  "terminal-icon-svg" => custom_icon("icon_terminal"),
   "play-icon-svg" => custom_icon("icon_play")}}

app/views/projects/environments/show.html.haml

@@ -8,6 +8,7 @@
       %h3.page-title= @environment.name.capitalize
     .col-md-3
       .nav-controls
+        = render 'projects/environments/terminal_button', environment: @environment
         = render 'projects/environments/external_url', environment: @environment
         - if can?(current_user, :update_environment, @environment)
           = link_to 'Edit', edit_namespace_project_environment_path(@project.namespace, @project, @environment), class: 'btn'

app/views/projects/environments/terminal.html.haml

+- @no_container = true
+- page_title "Terminal for environment", @environment.name
+= render "projects/pipelines/head"
+
+- content_for :page_specific_javascripts do
+  = stylesheet_link_tag "xterm/xterm"
+  = page_specific_javascript_tag("terminal/terminal_bundle.js")
+
+%div{class: container_class}
+  .top-area
+    .row
+      .col-sm-6
+        %h3.page-title
+          Terminal for environment
+          = @environment.name
+
+      .col-sm-6
+        .nav-controls
+          = render 'projects/deployments/actions', deployment: @environment.last_deployment
+
+.terminal-container{class: container_class}
+  #terminal{data:{project_path: "#{terminal_namespace_project_environment_path(@project.namespace, @project, @environment)}.ws"}}

app/views/projects/new.html.haml

@@ -68,6 +68,11 @@
                   - if fogbugz_import_enabled?
                     = link_to new_import_fogbugz_path, class: 'btn import_fogbugz' do
                       = icon('bug', text: 'Fogbugz')
+                %div
+                  - if gitea_import_enabled?
+                    = link_to new_import_gitea_url, class: 'btn import_gitea' do
+                      = custom_icon('go_logo')
+                      Gitea
                 %div
                   - if git_import_enabled?
                     = link_to "#", class: 'btn js-toggle-button import_git' do

app/views/shared/empty_states/_issues.html.haml

@@ -8,7 +8,7 @@
       = render 'shared/empty_states/icons/issues.svg'
   .col-xs-12{ class: "#{'col-sm-6' if has_button}" }
     .text-content
-      - if has_button
+      - if has_button && current_user
         %h4
           The Issue Tracker is a good place to add things that need to be improved or solved in a project!
         %p

app/views/shared/icons/_go_logo.svg.erb

+<svg xmlns="http://www.w3.org/2000/svg" width="<%= size %>" height="<%= size %>" viewBox="0 0 16 16"><g fill-rule="evenodd" transform="translate(0 1)"><path d="m14 15.01h1v-8.02c0-3.862-3.134-6.991-7-6.991-3.858 0-7 3.13-7 6.991v8.02h1v-8.02c0-3.306 2.691-5.991 6-5.991 3.314 0 6 2.682 6 5.991v8.02m-10.52-13.354c-.366-.402-.894-.655-1.48-.655-1.105 0-2 .895-2 2 0 .868.552 1.606 1.325 1.883.102-.321.226-.631.371-.93-.403-.129-.695-.507-.695-.953 0-.552.448-1 1-1 .306 0 .58.138.764.354.222-.25.461-.483.717-.699m9.04-.002c.366-.401.893-.653 1.479-.653 1.105 0 2 .895 2 2 0 .867-.552 1.606-1.324 1.883-.101-.321-.225-.632-.37-.931.403-.129.694-.507.694-.952 0-.552-.448-1-1-1-.305 0-.579.137-.762.353-.222-.25-.461-.483-.717-.699"/><path d="m5.726 7.04h1.557v.124c0 .283-.033.534-.1.752-.065.202-.175.391-.33.566-.35.394-.795.591-1.335.591-.527 0-.979-.19-1.355-.571-.376-.382-.564-.841-.564-1.377 0-.547.191-1.01.574-1.391.382-.382.848-.574 1.396-.574.295 0 .57.06.825.181.244.12.484.316.72.586l-.405.388c-.309-.412-.686-.618-1.13-.618-.399 0-.733.138-1 .413-.27.27-.405.609-.405 1.015 0 .42.151.766.452 1.037.282.252.587.378.915.378.28 0 .531-.094.754-.283.223-.19.347-.418.373-.683h-.94v-.535m2.884.061c0-.53.194-.986.583-1.367.387-.381.853-.571 1.396-.571.537 0 .998.192 1.382.576.386.384.578.845.578 1.384 0 .542-.194 1-.581 1.379-.389.379-.858.569-1.408.569-.487 0-.923-.168-1.311-.505-.426-.373-.64-.861-.64-1.465m.574.007c0 .417.14.759.42 1.028.278.269.6.403.964.403.395 0 .729-.137 1-.41.272-.277.408-.613.408-1.01 0-.402-.134-.739-.403-1.01-.267-.273-.597-.41-.991-.41-.392 0-.723.137-.993.41-.27.27-.405.604-.405 1m-.184 3.918c.525.026.812.063.812.063.271.025.324-.096.116-.273 0 0-.775-.813-1.933-.813-1.159 0-1.923.813-1.923.813-.211.174-.153.3.12.273 0 0 .286-.037.81-.063v.477c0 .268.224.5.5.5.268 0 .5-.223.5-.498v-.252.25c0 .268.224.5.5.5.268 0 .5-.223.5-.498v-.478m-1-1.023c.552 0 1-.224 1-.5 0-.276-.448-.5-1-.5-.552 0-1 .224-1 .5 0 .276.448.5 1 .5"/></g></svg>

app/views/shared/icons/_icon_terminal.svg

+<svg width="19" height="14" viewBox="0 0 19 14" xmlns="http://www.w3.org/2000/svg"><rect fill="#848484" x="7.2" y="9.25" width="6.46" height="1.5" rx=".5"/><path d="M5.851 7.016L3.81 9.103a.503.503 0 0 0 .017.709l.35.334c.207.198.524.191.717-.006l2.687-2.748a.493.493 0 0 0 .137-.376.493.493 0 0 0-.137-.376L4.894 3.892a.507.507 0 0 0-.717-.006l-.35.334a.503.503 0 0 0-.017.709L5.85 7.016z"/><path d="M1.25 11.497c0 .691.562 1.253 1.253 1.253h13.994c.694 0 1.253-.56 1.253-1.253V2.503c0-.691-.562-1.253-1.253-1.253H2.503c-.694 0-1.253.56-1.253 1.253v8.994zM2.503 0h13.994A2.504 2.504 0 0 1 19 2.503v8.994A2.501 2.501 0 0 1 16.497 14H2.503A2.504 2.504 0 0 1 0 11.497V2.503A2.501 2.501 0 0 1 2.503 0z"/></svg>

app/workers/authorized_projects_worker.rb

@@ -2,8 +2,6 @@ class AuthorizedProjectsWorker
   include Sidekiq::Worker
   include DedicatedSidekiqQueue
 
-  LEASE_TIMEOUT = 1.minute.to_i
-
   def self.bulk_perform_async(args_list)
     Sidekiq::Client.push_bulk('class' => self, 'args' => args_list)
   end
@@ -11,24 +9,6 @@ class AuthorizedProjectsWorker
   def perform(user_id)
     user = User.find_by(id: user_id)
 
-    refresh(user) if user
-  end
-
-  def refresh(user)
-    lease_key = "refresh_authorized_projects:#{user.id}"
-    lease = Gitlab::ExclusiveLease.new(lease_key, timeout: LEASE_TIMEOUT)
-
-    until uuid = lease.try_obtain
-      # Keep trying until we obtain the lease. If we don't do so we may end up
-      # not updating the list of authorized projects properly. To prevent
-      # hammering Redis too much we'll wait for a bit between retries.
-      sleep(1)
-    end
-
-    begin
-      user.refresh_authorized_projects
-    ensure
-      Gitlab::ExclusiveLease.cancel(lease_key, uuid)
-    end
+    user.refresh_authorized_projects if user
   end
 end

app/workers/reactive_caching_worker.rb

+class ReactiveCachingWorker
+  include Sidekiq::Worker
+  include DedicatedSidekiqQueue
+
+  def perform(class_name, id)
+    klass = begin
+      Kernel.const_get(class_name)
+    rescue NameError
+      nil
+    end
+    return unless klass
+
+    klass.find_by(id: id).try(:exclusively_update_reactive_cache!)
+  end
+end

bin/changelog

@@ -84,12 +84,15 @@ class ChangelogEntry
     end
   end
 
+  private
+
   def contents
-    YAML.dump(
+    yaml_content = YAML.dump(
       'title'         => title,
       'merge_request' => options.merge_request,
       'author'        => options.author
     )
+    remove_trailing_whitespace(yaml_content)
   end
 
   def write
@@ -101,8 +104,6 @@ class ChangelogEntry
     exec("git commit --amend")
   end
 
-  private
-
   def fail_with(message)
     $stderr.puts "\e[31merror\e[0m #{message}"
     exit 1
@@ -160,6 +161,10 @@ class ChangelogEntry
   def branch_name
     @branch_name ||= %x{git symbolic-ref --short HEAD}.strip
   end
+
+  def remove_trailing_whitespace(yaml_content)
+    yaml_content.gsub(/ +$/, '')
+  end
 end
 
 if $0 == __FILE__

changelogs/unreleased/22348-gitea-importer.yml

+---
+title: New Gitea importer
+merge_request: 8116
+author:

changelogs/unreleased/25093-hide-new-issue-btn-non-loggedin-user.yml

+---
+title: Hides new issue button for non loggedin user
+merge_request: 8175
+author: 

changelogs/unreleased/25678-remove-user-build.yml

+---
+title: remove build_user
+merge_request: 8162 
+author: Arsenev Vladislav

changelogs/unreleased/4269-public-api.yml

 ---
-title: Allow public access to some Project API endpoints
+title: Allow unauthenticated access to some Project API GET endpoints
 merge_request: 7843
 author:

changelogs/unreleased/4269-public-files-api.yml

+---
+title: Allow unauthenticated access to Repositories Files API GET endpoints
+merge_request:
+author:

changelogs/unreleased/4269-public-repositories-api.yml

+---
+title: Allow unauthenticated access to Repositories API GET endpoints
+merge_request: 8148
+author:

changelogs/unreleased/jej-memoize-milestoneish-visible-to-user.yml

+---
+title: Milestoneish SQL performance partially improved and memoized
+merge_request: 8146
+author: 

changelogs/unreleased/nick-thomas-gitlab-ce-22864-kubernetes-deploy-with-terminal.yml

+---
+title: Add online terminal support for Kubernetes
+merge_request: 7690
+author: 

changelogs/unreleased/nuke-ugly-spaces-in-changelog-generator.yml

+---
+title: Remove trailing whitespace when generating changelog entry
+merge_request: 7948
+author:

config/application.rb

@@ -89,6 +89,7 @@ module Gitlab
     config.assets.precompile << "mailers/*.css"
     config.assets.precompile << "katex.css"
     config.assets.precompile << "katex.js"
+    config.assets.precompile << "xterm/xterm.css"
     config.assets.precompile << "graphs/graphs_bundle.js"
     config.assets.precompile << "users/users_bundle.js"
     config.assets.precompile << "network/network_bundle.js"
@@ -102,6 +103,7 @@ module Gitlab
     config.assets.precompile << "environments/environments_bundle.js"
     config.assets.precompile << "blob_edit/blob_edit_bundle.js"
     config.assets.precompile << "snippet/snippet_bundle.js"
+    config.assets.precompile << "terminal/terminal_bundle.js"
     config.assets.precompile << "lib/utils/*.js"
     config.assets.precompile << "lib/*.js"
     config.assets.precompile << "u2f.js"

config/initializers/1_settings.rb

@@ -213,7 +213,7 @@ Settings.gitlab.default_projects_features['builds']             = true if Settin
 Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil?
 Settings.gitlab.default_projects_features['visibility_level']   = Settings.send(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
 Settings.gitlab['domain_whitelist'] ||= []
-Settings.gitlab['import_sources'] ||= %w[github bitbucket gitlab google_code fogbugz git gitlab_project]
+Settings.gitlab['import_sources'] ||= %w[github bitbucket gitlab google_code fogbugz git gitlab_project gitea]
 Settings.gitlab['trusted_proxies'] ||= []
 Settings.gitlab['no_todos_messages'] ||= YAML.load_file(Rails.root.join('config', 'no_todos_messages.yml'))
 

config/routes/import.rb

@@ -6,6 +6,12 @@ namespace :import do
     get :jobs
   end
 
+  resource :gitea, only: [:create, :new], controller: :gitea do
+    post :personal_access_token
+    get :status
+    get :jobs
+  end
+
   resource :gitlab, only: [:create], controller: :gitlab do
     get :status
     get :callback

config/routes/project.rb

@@ -150,6 +150,8 @@ constraints(ProjectUrlConstrainer.new) do
       resources :environments, except: [:destroy] do
         member do
           post :stop
+          get :terminal
+          get '/terminal.ws/authorize', to: 'environments#terminal_websocket_authorize', constraints: { format: nil }
         end
       end
 

config/sidekiq_queues.yml

@@ -46,5 +46,6 @@
   - [repository_check, 1]
   - [system_hook, 1]
   - [git_garbage_collect, 1]
+  - [reactive_caching, 1]
   - [cronjob, 1]
   - [default, 1]

doc/README.md

@@ -34,6 +34,7 @@
 - [Integration](integration/README.md) How to integrate with systems such as JIRA, Redmine, Twitter.
 - [Issue closing pattern](administration/issue_closing_pattern.md) Customize how to close an issue from commit messages.
 - [Koding](administration/integration/koding.md) Set up Koding to use with GitLab.
+- [Online terminals](administration/integration/terminal.md) Provide terminal access to environments from within GitLab.
 - [Libravatar](customization/libravatar.md) Use Libravatar instead of Gravatar for user avatars.
 - [Log system](administration/logs.md) Log system.
 - [Environment Variables](administration/environment_variables.md) to configure GitLab.

doc/administration/high_availability/load_balancer.md

@@ -10,11 +10,11 @@ you need to use with GitLab.
 
 ## Basic ports
 
-| LB Port | Backend Port | Protocol   |
-| ------- | ------------ | --------   |
-| 80      | 80           | HTTP       |
-| 443     | 443          | HTTPS [^1] |
-| 22      | 22           | TCP        |
+| LB Port | Backend Port | Protocol        |
+| ------- | ------------ | --------------- |
+| 80      | 80           | HTTP  [^1]      |
+| 443     | 443          | HTTPS [^1] [^2] |
+| 22      | 22           | TCP             |
 
 ## GitLab Pages Ports
 
@@ -25,8 +25,8 @@ GitLab Pages requires a separate VIP. Configure DNS to point the
 
 | LB Port | Backend Port | Protocol |
 | ------- | ------------ | -------- |
-| 80      | Varies [^2]  | HTTP     |
-| 443     | Varies [^2]  | TCP [^3] |
+| 80      | Varies [^3]  | HTTP     |
+| 443     | Varies [^3]  | TCP [^4] |
 
 ## Alternate SSH Port
 
@@ -50,13 +50,19 @@ Read more on high-availability configuration:
 1. [Configure NFS](nfs.md)
 1. [Configure the GitLab application servers](gitlab.md)
 
-[^1]: When using HTTPS protocol for port 443, you will need to add an SSL
+[^1]: [Terminal support](../../ci/environments.md#terminal-support) requires
+      your load balancer to correctly handle WebSocket connections. When using
+      HTTP or HTTPS proxying, this means your load balancer must be configured
+      to pass through the `Connection` and `Upgrade` hop-by-hop headers. See the
+      [online terminal](../integration/terminal.md) integration guide for
+      more details.
+[^2]: When using HTTPS protocol for port 443, you will need to add an SSL
       certificate to the load balancers. If you wish to terminate SSL at the
       GitLab application server instead, use TCP protocol.
-[^2]: The backend port for GitLab Pages depends on the
+[^3]: The backend port for GitLab Pages depends on the
       `gitlab_pages['external_http']` and `gitlab_pages['external_https']`
       setting. See [GitLab Pages documentation][gitlab-pages] for more details.
-[^3]: Port 443 for GitLab Pages should always use the TCP protocol. Users can
+[^4]: Port 443 for GitLab Pages should always use the TCP protocol. Users can
       configure custom domains with custom SSL, which would not be possible
       if SSL was terminated at the load balancer.
 

doc/administration/integration/terminal.md

+# Online terminals
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7690)
+in GitLab 8.15. Only project masters and owners can access online terminals.
+
+With the introduction of the [Kubernetes](../../project_services/kubernetes.md)
+project service, GitLab gained the ability to store and use credentials for a
+Kubernetes cluster. One of the things it uses these credentials for is providing
+access to [online terminals](../../ci/environments.html#online-terminals)
+for environments.
+
+## How it works
+
+A detailed overview of the architecture of online terminals and how they work
+can be found in [this document](https://gitlab.com/gitlab-org/gitlab-workhorse/blob/master/doc/terminal.md).
+In brief:
+
+* GitLab relies on the user to provide their own Kubernetes credentials, and to
+  appropriately label the pods they create when deploying.
+* When a user navigates to the terminal page for an environment, they are served
+  a JavaScript application that opens a WebSocket connection back to GitLab.
+* The WebSocket is handled in [Workhorse](https://gitlab.com/gitlab-org/gitlab-workhorse),
+   rather than the Rails application server.
+* Workhorse queries Rails for connection details and user permissions; Rails
+  queries Kubernetes for them in the background, using [Sidekiq](../troubleshooting/sidekiq.md)
+* Workhorse acts as a proxy server between the user's browser and the Kubernetes
+  API, passing WebSocket frames between the two.
+* Workhorse regularly polls Rails, terminating the WebSocket connection if the
+  user no longer has permission to access the terminal, or if the connection
+  details have changed.
+
+##  Enabling and disabling terminal support
+
+As online terminals use WebSockets, every HTTP/HTTPS reverse proxy in front of
+Workhorse needs to be configured to pass the `Connection` and `Upgrade` headers
+through to the next one in the chain. If you installed Gitlab using Omnibus, or
+from source, starting with GitLab 8.15, this should be done by the default
+configuration, so there's no need for you to do anything.
+
+However, if you run a [load balancer](../high_availability/load_balancer.md) in
+front of GitLab, you may need to make some changes to your configuration. These
+guides document the necessary steps for a selection of popular reverse proxies:
+
+* [Apache](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html)
+* [NGINX](https://www.nginx.com/blog/websocket-nginx/)
+* [HAProxy](http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/)
+* [Varnish](https://www.varnish-cache.org/docs/4.1/users-guide/vcl-example-websockets.html)
+
+Workhorse won't let WebSocket requests through to non-WebSocket endpoints, so
+it's safe to enable support for these headers globally. If you'd rather had a
+narrower set of rules, you can restrict it to URLs ending with `/terminal.ws`
+(although this may still have a few false positives).
+
+If you installed from source, or have made any configuration changes to your
+Omnibus installation before upgrading to 8.15, you may need to make some
+changes to your configuration. See the  [8.14 to 8.15 upgrade](../../update/8.14-to-8.15.md#nginx-configuration)
+document for more details.
+
+If you'd like to disable online terminal support in GitLab, just stop passing
+the `Connection` and `Upgrade` hop-by-hop headers in the *first* HTTP reverse
+proxy in the chain. For most users, this will be the NGINX server bundled with
+Omnibus Gitlab, in which case, you need to:
+
+* Find the `nginx['proxy_set_headers']` section of your `gitlab.rb` file
+* Ensure the whole block is uncommented, and then comment out or remove the
+  `Connection` and `Upgrade` lines.
+
+For your own load balancer, just reverse the configuration changes recommended
+by the above guides.
+
+When these headers are not passed through, Workhorse will return a
+`400 Bad Request` response to users attempting to use an online terminal. In
+turn, they will receive a `Connection failed` message.

doc/api/repositories.md

@@ -2,7 +2,8 @@
 
 ## List repository tree
 
-Get a list of repository files and directories in a project.
+Get a list of repository files and directories in a project. This endpoint can
+be accessed without authentication if the repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/tree
@@ -71,7 +72,8 @@ Parameters:
 
 ## Raw file content
 
-Get the raw file contents for a file by commit SHA and path.
+Get the raw file contents for a file by commit SHA and path. This endpoint can
+be accessed without authentication if the repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/blobs/:sha
@@ -85,7 +87,8 @@ Parameters:
 
 ## Raw blob content
 
-Get the raw file contents for a blob by blob SHA.
+Get the raw file contents for a blob by blob SHA. This endpoint can be accessed
+without authentication if the repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/raw_blobs/:sha
@@ -98,7 +101,8 @@ Parameters:
 
 ## Get file archive
 
-Get an archive of the repository
+Get an archive of the repository. This endpoint can be accessed without
+authentication if the repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/archive
@@ -111,6 +115,9 @@ Parameters:
 
 ## Compare branches, tags or commits
 
+This endpoint can be accessed without authentication if the repository is
+publicly accessible.
+
 ```
 GET /projects/:id/repository/compare
 ```
@@ -163,7 +170,8 @@ Response:
 
 ## Contributors
 
-Get repository contributors list
+Get repository contributors list. This endpoint can be accessed without
+authentication if the repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/contributors

doc/api/repository_files.md

@@ -6,7 +6,9 @@
 
 ## Get file from repository
 
-Allows you to receive information about file in repository like name, size, content. Note that file content is Base64 encoded.
+Allows you to receive information about file in repository like name, size,
+content. Note that file content is Base64 encoded. This endpoint can be accessed
+without authentication if the repository is publicly accessible.
 
 ```
 GET /projects/:id/repository/files

doc/ci/environments.md

@@ -25,7 +25,9 @@ Environments are like tags for your CI jobs, describing where code gets deployed
 Deployments are created when [jobs] deploy versions of code to environments,
 so every environment can have one or more deployments. GitLab keeps track of
 your deployments, so you always know what is currently being deployed on your
-servers.
+servers. If you have a deployment service such as [Kubernetes][kubernetes-service]
+enabled for your project, you can use it to assist with your deployments, and
+can even access a terminal for your environment from within GitLab!
 
 To better understand how environments and deployments work, let's consider an
 example. We assume that you have already created a project in GitLab and set up
@@ -233,6 +235,46 @@ Remember that if your environment's name is `production` (all lowercase), then
 it will get recorded in [Cycle Analytics](../user/project/cycle_analytics.md).
 Double the benefit!
 
+## Terminal support
+
+>**Note:**
+Terminal support was added in GitLab 8.15 and is only available to project
+masters and owners.
+
+If you deploy to your environments with the help of a deployment service (e.g.,
+the [Kubernetes](../project_services/kubernetes.md) service), GitLab can open
+a terminal session to your environment! This is a very powerful feature that
+allows you to debug issues without leaving the comfort of your web browser. To
+enable it, just follow the instructions given in the service documentation.
+
+Once enabled, your environments will gain a "terminal" button:
+
+![Terminal button on environment index](img/environments_terminal_button_on_index.png)
+
+You can also access the terminal button from the page for a specific environment:
+
+![Terminal button for an environment](img/environments_terminal_button_on_show.png)
+
+Wherever you find it, clicking the button will take you to a separate page to
+establish the terminal session:
+
+![Terminal page](img/environments_terminal_page.png)
+
+This works just like any other terminal - you'll be in the container created
+by your deployment, so you can run shell commands and get responses in real
+time, check the logs, try out configuration or code tweaks, etc. You can open
+multiple terminals to the same environment - they each get their own shell
+session -  and even a multiplexer like `screen` or `tmux`!  
+
+>**Note:**
+Container-based deployments often lack basic tools (like an editor), and may
+be stopped or restarted at any time. If this happens, you will lose all your
+changes! Treat this as a debugging tool, not a comprehensive online IDE. You
+can use [Koding](../administration/integration/koding.md) for online
+development.
+
+---
+
 While this is fine for deploying to some stable environments like staging or
 production, what happens for branches? So far we haven't defined anything
 regarding deployments for branches other than `master`. Dynamic environments
@@ -524,6 +566,7 @@ Below are some links you may find interesting:
 [Pipelines]: pipelines.md
 [jobs]: yaml/README.md#jobs
 [yaml]: yaml/README.md
+[kubernetes-service]: ../project_services/kubernetes.md]
 [environments]: #environments
 [deployments]: #deployments
 [permissions]: ../user/permissions.md

doc/ci/pipelines.md

@@ -36,6 +36,37 @@ Clicking on a pipeline will show the builds that were run for that pipeline.
 Clicking on an individual build will show you its build trace, and allow you to
 cancel the build, retry it,  or erase the build trace.
 
+## How the pipeline duration is calculated
+
+Total running time for a given pipeline would exclude retries and pending
+(queue) time. We could reduce this problem down to finding the union of
+periods.
+
+So each job would be represented as a `Period`, which consists of
+`Period#first` as when the job started and `Period#last` as when the
+job was finished. A simple example here would be:
+
+* A (1, 3)
+* B (2, 4)
+* C (6, 7)
+
+Here A begins from 1, and ends to 3. B begins from 2, and ends to 4.
+C begins from 6, and ends to 7. Visually it could be viewed as:
+
+```
+0  1  2  3  4  5  6  7
+   AAAAAAA
+      BBBBBBB
+                  CCCC
+```
+
+The union of A, B, and C would be (1, 4) and (6, 7), therefore the
+total running time should be:
+
+```
+(4 - 1) + (7 - 6) => 4
+```
+
 ## Badges
 
 Build status and test coverage report badges are available. You can find their

doc/project_services/kubernetes.md

@@ -47,3 +47,17 @@ GitLab CI build environment:
 - `KUBE_TOKEN`
 - `KUBE_NAMESPACE`
 - `KUBE_CA_PEM` - only if a custom CA bundle was specified
+
+## Terminal support
+
+>**NOTE:**
+Added in GitLab 8.15. You must be the project owner or have `master` permissions
+to use terminals. Support is currently limited to the first container in the
+first pod of your environment.
+
+When enabled, the Kubernetes service adds online [terminal support](../ci/environments.md#terminal-support)
+to your environments. This is based on the `exec` functionality found in
+Docker and Kubernetes, so you get a new shell session within your existing
+containers. To use this integration, you should deploy to Kubernetes using
+the deployment variables above, ensuring any pods you create are labelled with
+`app=$CI_ENVIRONMENT_SLUG`.

doc/user/permissions.md

@@ -33,6 +33,7 @@ The following table depicts the various user permission levels in a project.
 | See a container registry              |         | ✓          | ✓           | ✓        | ✓      |
 | See environments                      |         | ✓          | ✓           | ✓        | ✓      |
 | Create new environments               |         |            | ✓           | ✓        | ✓      |
+| Use environment terminals             |         |            |             | ✓        | ✓      |
 | Stop environments                     |         |            | ✓           | ✓        | ✓      |
 | See a list of merge requests          |         | ✓          | ✓           | ✓        | ✓      |
 | Manage/Accept merge requests          |         |            | ✓           | ✓        | ✓      |

doc/workflow/importing/README.md

@@ -4,6 +4,7 @@
 1. [GitHub](import_projects_from_github.md)
 1. [GitLab.com](import_projects_from_gitlab_com.md)
 1. [FogBugz](import_projects_from_fogbugz.md)
+1. [Gitea](import_projects_from_gitea.md)
 1. [SVN](migrating_from_svn.md)
 
 In addition to the specific migration documentation above, you can import any
@@ -14,4 +15,3 @@ repository is too large the import can timeout.
 
 You can copy your repos by changing the remote and pushing to the new server;
 but issues and merge requests can't be imported.
-

doc/workflow/importing/import_projects_from_gitea.md

+# Import your project from Gitea to GitLab
+
+Import your projects from Gitea to GitLab with minimal effort.
+
+## Overview
+
+>**Note:**
+As of Gitea `v1.0.0`, issue & pull-request comments cannot be imported! This is
+a [known issue][issue-401] that should be fixed in a near-future.
+
+- At its current state, Gitea importer can import:
+  - the repository description (GitLab 8.15+)
+  - the Git repository data (GitLab 8.15+)
+  - the issues (GitLab 8.15+)
+  - the pull requests (GitLab 8.15+)
+  - the milestones (GitLab 8.15+)
+  - the labels (GitLab 8.15+)
+- Repository public access is retained. If a repository is private in Gitea
+  it will be created as private in GitLab as well.
+
+## How it works
+
+Since Gitea is currently not an OAuth provider, author/assignee cannot be mapped
+to users in your GitLab's instance. This means that the project creator (most of
+the times the current user that started the import process) is set as the author,
+but a reference on the issue about the original Gitea author is kept.
+
+The importer will create any new namespaces (groups) if they don't exist or in
+the case the namespace is taken, the repository will be imported under the user's
+namespace that started the import process.
+
+## Importing your Gitea repositories
+
+The importer page is visible when you create a new project.
+
+![New project page on GitLab](img/import_projects_from_new_project_page.png)
+
+Click on the **Gitea** link and the import authorization process will start.
+
+![New Gitea project import](img/import_projects_from_gitea_new_import.png)
+
+### Authorize access to your repositories using a personal access token
+
+With this method, you will perform a one-off authorization with Gitea to grant
+GitLab access your repositories:
+
+1. Go to <https://you-gitea-instance/user/settings/applications> (replace
+   `you-gitea-instance` with the host of your Gitea instance).
+1. Click **Generate New Token**.
+1. Enter a token description.
+1. Click **Generate Token**.
+1. Copy the token hash.
+1. Go back to GitLab and provide the token to the Gitea importer.
+1. Hit the **List Your Gitea Repositories** button and wait while GitLab reads
+   your repositories' information. Once done, you'll be taken to the importer
+   page to select the repositories to import.
+
+### Select which repositories to import
+
+After you've authorized access to your Gitea repositories, you will be
+redirected to the Gitea importer page.
+
+From there, you can see the import statuses of your Gitea repositories.
+
+- Those that are being imported will show a _started_ status,
+- those already successfully imported will be green with a _done_ status,
+- whereas those that are not yet imported will have an **Import** button on the
+  right side of the table.
+
+If you want, you can import all your Gitea projects in one go by hitting
+**Import all projects** in the upper left corner.
+
+![Gitea importer page](img/import_projects_from_github_importer.png)
+
+---
+
+You can also choose a different name for the project and a different namespace,
+if you have the privileges to do so.
+
+[issue-401]: https://github.com/go-gitea/gitea/issues/401

doc/workflow/importing/import_projects_from_github.md

@@ -6,8 +6,9 @@ Import your projects from GitHub to GitLab with minimal effort.
 
 >**Note:**
 If you are an administrator you can enable the [GitHub integration][gh-import]
-in your GitLab instance sitewide. This configuration is optional, users will be
-able import their GitHub repositories with a [personal access token][gh-token].
+in your GitLab instance sitewide. This configuration is optional, users will
+still be able to import their GitHub repositories with a
+[personal access token][gh-token].
 
 - At its current state, GitHub importer can import:
   - the repository description (GitLab 7.7+)
@@ -85,7 +86,7 @@ authorization with GitHub to grant GitLab access your repositories:
 1. Click **Generate token**.
 1. Copy the token hash.
 1. Go back to GitLab and provide the token to the GitHub importer.
-1. Hit the **List your GitHub repositories** button and wait while GitLab reads
+1. Hit the **List Your GitHub Repositories** button and wait while GitLab reads
    your repositories' information. Once done, you'll be taken to the importer
    page to select the repositories to import.
 
@@ -112,7 +113,6 @@ You can also choose a different name for the project and a different namespace,
 if you have the privileges to do so.
 
 [gh-import]: ../../integration/github.md "GitHub integration"
-[new-project]: ../../gitlab-basics/create-project.md "How to create a new project in GitLab"
 [gh-integration]: #authorize-access-to-your-repositories-using-the-github-integration
 [gh-token]: #authorize-access-to-your-repositories-using-a-personal-access-token
 [social sign-in]: ../../profile/account/social_sign_in.md

features/admin/projects.feature

-@admin
-Feature: Admin Projects
-  Background:
-    Given I sign in as an admin
-    And there are projects in system
-
-  Scenario: I should see non-archived projects in the list
-    Given archived project "Archive"
-    When I visit admin projects page
-    Then I should see all non-archived projects
-    And I should not see project "Archive"
-
-  @javascript
-  Scenario: I should see all projects in the list
-    Given archived project "Archive"
-    When I visit admin projects page
-    And I select "Show archived projects"
-    Then I should see all projects
-    And I should see "archived" label
-
-  Scenario: Projects show
-    When I visit admin projects page
-    And I click on first project
-    Then I should see project details
-
-  @javascript
-  Scenario: Transfer project
-    Given group 'Web'
-    And I visit admin project page
-    When I transfer project to group 'Web'
-    Then I should see project transfered
-
-  @javascript
-  Scenario: Signed in admin should be able to add himself to a project
-    Given "John Doe" owns private project "Enterprise"
-    When I visit project "Enterprise" members page
-    When I select current user as "Developer"
-    Then I should see current user as "Developer"
-
-  @javascript
-  Scenario: Signed in admin should be able to remove himself from a project
-    Given "John Doe" owns private project "Enterprise"
-    And current user is developer of project "Enterprise"
-    When I visit project "Enterprise" members page
-    Then I should see current user as "Developer"
-    When I click on the "Remove User From Project" button for current user
-    Then I should not see current user as "Developer"

features/steps/admin/projects.rb

-class Spinach::Features::AdminProjects < Spinach::FeatureSteps
-  include SharedAuthentication
-  include SharedPaths
-  include SharedAdmin
-  include SharedProject
-  include SharedUser
-  include Select2Helper
-
-  step 'I should see all non-archived projects' do
-    Project.non_archived.each do |p|
-      expect(page).to have_content p.name_with_namespace
-    end
-  end
-
-  step 'I should see all projects' do
-    Project.all.each do |p|
-      expect(page).to have_content p.name_with_namespace
-    end
-  end
-
-  step 'I select "Show archived projects"' do
-    find(:css, '#sort-projects-dropdown').click
-    click_link 'Show archived projects'
-  end
-
-  step 'I should see "archived" label' do
-    expect(page).to have_xpath("//span[@class='label label-warning']", text: 'archived')
-  end
-
-  step 'I click on first project' do
-    click_link Project.first.name_with_namespace
-  end
-
-  step 'I should see project details' do
-    project = Project.first
-    expect(current_path).to eq admin_namespace_project_path(project.namespace, project)
-    expect(page).to have_content(project.name_with_namespace)
-    expect(page).to have_content(project.creator.name)
-  end
-
-  step 'I visit admin project page' do
-    visit admin_namespace_project_path(project.namespace, project)
-  end
-
-  step 'I transfer project to group \'Web\'' do
-    allow_any_instance_of(Projects::TransferService).
-      to receive(:move_uploads_to_new_namespace).and_return(true)
-    click_button 'Search for Namespace'
-    click_link 'group: web'
-    click_button 'Transfer'
-  end
-
-  step 'group \'Web\'' do
-    create(:group, name: 'Web')
-  end
-
-  step 'I should see project transfered' do
-    expect(page).to have_content 'Web / ' + project.name
-    expect(page).to have_content 'Namespace: Web'
-  end
-
-  step 'I visit project "Enterprise" members page' do
-    project = Project.find_by!(name: "Enterprise")
-    visit namespace_project_project_members_path(project.namespace, project)
-  end
-
-  step 'I select current user as "Developer"' do
-    page.within ".users-project-form" do
-      select2(current_user.id, from: "#user_ids", multiple: true)
-      select "Developer", from: "access_level"
-    end
-
-    click_button "Add to project"
-  end
-
-  step 'I should see current user as "Developer"' do
-    page.within '.content-list' do
-      expect(page).to have_content(current_user.name)
-      expect(page).to have_content('Developer')
-    end
-  end
-
-  step 'current user is developer of project "Enterprise"' do
-    project = Project.find_by!(name: "Enterprise")
-    project.team << [current_user, :developer]
-  end
-
-  step 'I click on the "Remove User From Project" button for current user' do
-    find(:css, 'li', text: current_user.name).find(:css, 'a.btn-remove').click
-    # poltergeist always confirms popups.
-  end
-
-  step 'I should not see current_user as "Developer"' do
-    expect(page).not_to have_selector(:css, '.content-list')
-  end
-
-  def project
-    @project ||= Project.first
-  end
-
-  def group
-    Group.find_by(name: 'Web')
-  end
-end

lib/api/files.rb

 module API
   # Projects API
   class Files < Grape::API
-    before { authenticate! }
-
     helpers do
       def commit_params(attrs)
         {

lib/api/repositories.rb

@@ -2,7 +2,6 @@ require 'mime/types'
 
 module API
   class Repositories < Grape::API
-    before { authenticate! }
     before { authorize! :download_code, user_project }
 
     params do
@@ -79,8 +78,6 @@ module API
         optional :format, type: String, desc: 'The archive format'
       end
       get ':id/repository/archive', requirements: { format: Gitlab::Regex.archive_formats_regex } do
-        authorize! :download_code, user_project
-
         begin
           send_git_archive user_project.repository, ref: params[:sha], format: params[:format]
         rescue
@@ -96,7 +93,6 @@ module API
         requires :to, type: String, desc: 'The commit, branch name, or tag name to stop comparison'
       end
       get ':id/repository/compare' do
-        authorize! :download_code, user_project
         compare = Gitlab::Git::Compare.new(user_project.repository.raw_repository, params[:from], params[:to])
         present compare, with: Entities::Compare
       end
@@ -105,8 +101,6 @@ module API
         success Entities::Contributor
       end
       get ':id/repository/contributors' do
-        authorize! :download_code, user_project
-
         begin
           present user_project.repository.contributors,
                   with: Entities::Contributor

lib/api/users.rb

@@ -94,7 +94,7 @@ module API
         identity_attrs = params.slice(:provider, :extern_uid)
         confirm = params.delete(:confirm)
 
-        user = User.build_user(declared_params(include_missing: false))
+        user = User.new(declared_params(include_missing: false))
         user.skip_confirmation! unless confirm
 
         if identity_attrs.any?

lib/gitlab/current_settings.rb

@@ -45,7 +45,7 @@ module Gitlab
         default_project_visibility: Settings.gitlab.default_projects_features['visibility_level'],
         default_snippet_visibility: Settings.gitlab.default_projects_features['visibility_level'],
         domain_whitelist: Settings.gitlab['domain_whitelist'],
-        import_sources: %w[github bitbucket gitlab google_code fogbugz git gitlab_project],
+        import_sources: %w[gitea github bitbucket gitlab google_code fogbugz git gitlab_project],
         shared_runners_enabled: Settings.gitlab_ci['shared_runners_enabled'],
         max_artifacts_size: Settings.artifacts['max_size'],
         require_two_factor_authentication: false,

lib/gitlab/github_import/base_formatter.rb

@@ -15,6 +15,10 @@ module Gitlab
         end
       end
 
+      def url
+        raw_data.url || ''
+      end
+
       private
 
       def gitlab_user_id(github_id)

lib/gitlab/github_import/client.rb

@@ -4,10 +4,12 @@ module Gitlab
       GITHUB_SAFE_REMAINING_REQUESTS = 100
       GITHUB_SAFE_SLEEP_TIME = 500
 
-      attr_reader :access_token
+      attr_reader :access_token, :host, :api_version
 
-      def initialize(access_token)
+      def initialize(access_token, host: nil, api_version: 'v3')
         @access_token = access_token
+        @host = host.to_s.sub(%r{/+\z}, '')
+        @api_version = api_version
 
         if access_token
           ::Octokit.auto_paginate = false
@@ -17,7 +19,7 @@ module Gitlab
       def api
         @api ||= ::Octokit::Client.new(
           access_token: access_token,
-          api_endpoint: github_options[:site],
+          api_endpoint: api_endpoint,
           # If there is no config, we're connecting to github.com and we
           # should verify ssl.
           connection_options: {
@@ -64,6 +66,14 @@ module Gitlab
 
       private
 
+      def api_endpoint
+        if host.present? && api_version.present?
+          "#{host}/api/#{api_version}"
+        else
+          github_options[:site]
+        end
+      end
+
       def config
         Gitlab.config.omniauth.providers.find { |provider| provider.name == "github" }
       end

lib/gitlab/github_import/importer.rb

@@ -3,7 +3,7 @@ module Gitlab
     class Importer
       include Gitlab::ShellAdapter
 
-      attr_reader :client, :errors, :project, :repo, :repo_url
+      attr_reader :errors, :project, :repo, :repo_url
 
       def initialize(project)
         @project  = project
@@ -11,12 +11,27 @@ module Gitlab
         @repo_url = project.import_url
         @errors   = []
         @labels   = {}
+      end
+
+      def client
+        return @client if defined?(@client)
+        unless credentials
+          raise Projects::ImportService::Error,
+                "Unable to find project import data credentials for project ID: #{@project.id}"
+        end
 
-        if credentials
-          @client = Client.new(credentials[:user])
-        else
-          raise Projects::ImportService::Error, "Unable to find project import data credentials for project ID: #{@project.id}"
+        opts = {}
+        # Gitea plan to be GitHub compliant
+        if project.gitea_import?
+          uri = URI.parse(project.import_url)
+          host = "#{uri.scheme}://#{uri.host}:#{uri.port}#{uri.path}".sub(%r{/?[\w-]+/[\w-]+\.git\z}, '')
+          opts = {
+            host: host,
+            api_version: 'v1'
+          }
         end
+
+        @client = Client.new(credentials[:user], opts)
       end
 
       def execute
@@ -35,7 +50,13 @@ module Gitlab
         import_comments(:issues)
         import_comments(:pull_requests)
         import_wiki
-        import_releases
+
+        # Gitea doesn't have a Release API yet
+        # See https://github.com/go-gitea/gitea/issues/330
+        unless project.gitea_import?
+          import_releases
+        end
+
         handle_errors
 
         true
@@ -44,7 +65,9 @@ module Gitlab
       private
 
       def credentials
-        @credentials ||= project.import_data.credentials if project.import_data
+        return @credentials if defined?(@credentials)
+
+        @credentials = project.import_data ? project.import_data.credentials : nil
       end
 
       def handle_errors
@@ -60,9 +83,10 @@ module Gitlab
         fetch_resources(:labels, repo, per_page: 100) do |labels|
           labels.each do |raw|
             begin
-              LabelFormatter.new(project, raw).create!
+              gh_label = LabelFormatter.new(project, raw)
+              gh_label.create!
             rescue => e
-              errors << { type: :label, url: Gitlab::UrlSanitizer.sanitize(raw.url), errors: e.message }
+              errors << { type: :label, url: Gitlab::UrlSanitizer.sanitize(gh_label.url), errors: e.message }
             end
           end
         end
@@ -74,9 +98,10 @@ module Gitlab
         fetch_resources(:milestones, repo, state: :all, per_page: 100) do |milestones|
           milestones.each do |raw|
             begin
-              MilestoneFormatter.new(project, raw).create!
+              gh_milestone = MilestoneFormatter.new(project, raw)
+              gh_milestone.create!
             rescue => e
-              errors << { type: :milestone, url: Gitlab::UrlSanitizer.sanitize(raw.url), errors: e.message }
+              errors << { type: :milestone, url: Gitlab::UrlSanitizer.sanitize(gh_milestone.url), errors: e.message }
             end
           end
         end
@@ -97,7 +122,7 @@ module Gitlab
 
               apply_labels(issuable, raw)
             rescue => e
-              errors << { type: :issue, url: Gitlab::UrlSanitizer.sanitize(raw.url), errors: e.message }
+              errors << { type: :issue, url: Gitlab::UrlSanitizer.sanitize(gh_issue.url), errors: e.message }
             end
           end
         end
@@ -106,18 +131,23 @@ module Gitlab
       def import_pull_requests
         fetch_resources(:pull_requests, repo, state: :all, sort: :created, direction: :asc, per_page: 100) do |pull_requests|
           pull_requests.each do |raw|
-            pull_request = PullRequestFormatter.new(project, raw)
-            next unless pull_request.valid?
+            gh_pull_request = PullRequestFormatter.new(project, raw)
+            next unless gh_pull_request.valid?
 
             begin
-              restore_source_branch(pull_request) unless pull_request.source_branch_exists?
-              restore_target_branch(pull_request) unless pull_request.target_branch_exists?
+              restore_source_branch(gh_pull_request) unless gh_pull_request.source_branch_exists?
+              restore_target_branch(gh_pull_request) unless gh_pull_request.target_branch_exists?
+
+              merge_request = gh_pull_request.create!
 
-              pull_request.create!
+              # Gitea doesn't return PR in the Issue API endpoint, so labels must be assigned at this stage
+              if project.gitea_import?
+                apply_labels(merge_request, raw)
+              end
             rescue => e
-              errors << { type: :pull_request, url: Gitlab::UrlSanitizer.sanitize(pull_request.url), errors: e.message }
+              errors << { type: :pull_request, url: Gitlab::UrlSanitizer.sanitize(gh_pull_request.url), errors: e.message }
             ensure
-              clean_up_restored_branches(pull_request)
+              clean_up_restored_branches(gh_pull_request)
             end
           end
         end
@@ -233,7 +263,7 @@ module Gitlab
               gh_release = ReleaseFormatter.new(project, raw)
               gh_release.create! if gh_release.valid?
             rescue => e
-              errors << { type: :release, url: Gitlab::UrlSanitizer.sanitize(raw.url), errors: e.message }
+              errors << { type: :release, url: Gitlab::UrlSanitizer.sanitize(gh_release.url), errors: e.message }
             end
           end
         end

lib/gitlab/github_import/issuable_formatter.rb

+module Gitlab
+  module GithubImport
+    class IssuableFormatter < BaseFormatter
+      def project_association
+        raise NotImplementedError
+      end
+
+      def number
+        raw_data.number
+      end
+
+      def find_condition
+        { iid: number }
+      end
+
+      private
+
+      def state
+        raw_data.state == 'closed' ? 'closed' : 'opened'
+      end
+
+      def assigned?
+        raw_data.assignee.present?
+      end
+
+      def assignee_id
+        if assigned?
+          gitlab_user_id(raw_data.assignee.id)
+        end
+      end
+
+      def author
+        raw_data.user.login
+      end
+
+      def author_id
+        gitlab_author_id || project.creator_id
+      end
+
+      def body
+        raw_data.body || ""
+      end
+
+      def description
+        if gitlab_author_id
+          body
+        else
+          formatter.author_line(author) + body
+        end
+      end
+
+      def milestone
+        if raw_data.milestone.present?
+          milestone = MilestoneFormatter.new(project, raw_data.milestone)
+          project.milestones.find_by(milestone.find_condition)
+        end
+      end
+    end
+  end
+end

lib/gitlab/github_import/issue_formatter.rb

 module Gitlab
   module GithubImport
-    class IssueFormatter < BaseFormatter
+    class IssueFormatter < IssuableFormatter
       def attributes
         {
           iid: number,
@@ -24,59 +24,9 @@ module Gitlab
         :issues
       end
 
-      def find_condition
-        { iid: number }
-      end
-
-      def number
-        raw_data.number
-      end
-
       def pull_request?
         raw_data.pull_request.present?
       end
-
-      private
-
-      def assigned?
-        raw_data.assignee.present?
-      end
-
-      def assignee_id
-        if assigned?
-          gitlab_user_id(raw_data.assignee.id)
-        end
-      end
-
-      def author
-        raw_data.user.login
-      end
-
-      def author_id
-        gitlab_author_id || project.creator_id
-      end
-
-      def body
-        raw_data.body || ""
-      end
-
-      def description
-        if gitlab_author_id
-          body
-        else
-          formatter.author_line(author) + body
-        end
-      end
-
-      def milestone
-        if raw_data.milestone.present?
-          project.milestones.find_by(iid: raw_data.milestone.number)
-        end
-      end
-
-      def state
-        raw_data.state == 'closed' ? 'closed' : 'opened'
-      end
     end
   end
 end

lib/gitlab/github_import/milestone_formatter.rb

@@ -3,7 +3,7 @@ module Gitlab
     class MilestoneFormatter < BaseFormatter
       def attributes
         {
-          iid: raw_data.number,
+          iid: number,
           project: project,
           title: raw_data.title,
           description: raw_data.description,
@@ -19,7 +19,15 @@ module Gitlab
       end
 
       def find_condition
-        { iid: raw_data.number }
+        { iid: number }
+      end
+
+      def number
+        if project.gitea_import?
+          raw_data.id
+        else
+          raw_data.number
+        end
       end
 
       private

lib/gitlab/github_import/project_creator.rb

 module Gitlab
   module GithubImport
     class ProjectCreator
-      attr_reader :repo, :name, :namespace, :current_user, :session_data
+      attr_reader :repo, :name, :namespace, :current_user, :session_data, :type
 
-      def initialize(repo, name, namespace, current_user, session_data)
+      def initialize(repo, name, namespace, current_user, session_data, type: 'github')
         @repo = repo
         @name = name
         @namespace = namespace
         @current_user = current_user
         @session_data = session_data
+        @type = type
       end
 
       def execute
@@ -19,7 +20,7 @@ module Gitlab
           description: repo.description,
           namespace_id: namespace.id,
           visibility_level: visibility_level,
-          import_type: "github",
+          import_type: type,
           import_source: repo.full_name,
           import_url: import_url,
           skip_wiki: skip_wiki
@@ -29,7 +30,7 @@ module Gitlab
       private
 
       def import_url
-        repo.clone_url.sub('https://', "https://#{session_data[:github_access_token]}@")
+        repo.clone_url.sub('://', "://#{session_data[:github_access_token]}@")
       end
 
       def visibility_level

lib/gitlab/github_import/pull_request_formatter.rb

 module Gitlab
   module GithubImport
-    class PullRequestFormatter < BaseFormatter
+    class PullRequestFormatter < IssuableFormatter
       delegate :exists?, :project, :ref, :repo, :sha, to: :source_branch, prefix: true
       delegate :exists?, :project, :ref, :repo, :sha, to: :target_branch, prefix: true
 
@@ -28,14 +28,6 @@ module Gitlab
         :merge_requests
       end
 
-      def find_condition
-        { iid: number }
-      end
-
-      def number
-        raw_data.number
-      end
-
       def valid?
         source_branch.valid? && target_branch.valid?
       end
@@ -60,57 +52,15 @@ module Gitlab
         end
       end
 
-      def url
-        raw_data.url
-      end
-
       private
 
-      def assigned?
-        raw_data.assignee.present?
-      end
-
-      def assignee_id
-        if assigned?
-          gitlab_user_id(raw_data.assignee.id)
-        end
-      end
-
-      def author
-        raw_data.user.login
-      end
-
-      def author_id
-        gitlab_author_id || project.creator_id
-      end
-
-      def body
-        raw_data.body || ""
-      end
-
-      def description
-        if gitlab_author_id
-          body
+      def state
+        if raw_data.state == 'closed' && raw_data.merged_at.present?
+          'merged'
         else
-          formatter.author_line(author) + body
+          super
         end
       end
-
-      def milestone
-        if raw_data.milestone.present?
-          project.milestones.find_by(iid: raw_data.milestone.number)
-        end
-      end
-
-      def state
-        @state ||= if raw_data.state == 'closed' && raw_data.merged_at.present?
-                     'merged'
-                   elsif raw_data.state == 'closed'
-                     'closed'
-                   else
-                     'opened'
-                   end
-      end
     end
   end
 end

lib/gitlab/import_sources.rb

@@ -7,21 +7,38 @@ module Gitlab
   module ImportSources
     extend CurrentSettings
 
+    ImportSource = Struct.new(:name, :title, :importer)
+
+    ImportTable = [
+      ImportSource.new('github',         'GitHub',        Gitlab::GithubImport::Importer),
+      ImportSource.new('bitbucket',      'Bitbucket',     Gitlab::BitbucketImport::Importer),
+      ImportSource.new('gitlab',         'GitLab.com',    Gitlab::GitlabImport::Importer),
+      ImportSource.new('google_code',    'Google Code',   Gitlab::GoogleCodeImport::Importer),
+      ImportSource.new('fogbugz',        'FogBugz',       Gitlab::FogbugzImport::Importer),
+      ImportSource.new('git',            'Repo by URL',   nil),
+      ImportSource.new('gitlab_project', 'GitLab export', Gitlab::ImportExport::Importer),
+      ImportSource.new('gitea',          'Gitea',         Gitlab::GithubImport::Importer)
+    ].freeze
+
     class << self
+      def options
+        @options ||= Hash[ImportTable.map { |importer| [importer.title, importer.name] }]
+      end
+
       def values
-        options.values
+        @values ||= ImportTable.map(&:name)
       end
 
-      def options
-        {
-          'GitHub'        => 'github',
-          'Bitbucket'     => 'bitbucket',
-          'GitLab.com'    => 'gitlab',
-          'Google Code'   => 'google_code',
-          'FogBugz'       => 'fogbugz',
-          'Repo by URL'   => 'git',
-          'GitLab export' => 'gitlab_project'
-        }
+      def importer_names
+        @importer_names ||= ImportTable.select(&:importer).map(&:name)
+      end
+
+      def importer(name)
+        ImportTable.find { |import_source| import_source.name == name }.importer
+      end
+
+      def title(name)
+        options.key(name)
       end
     end
   end

lib/gitlab/kubernetes.rb

+module Gitlab
+  # Helper methods to do with Kubernetes network services & resources
+  module Kubernetes
+    # This is the comand that is run to start a terminal session. Kubernetes
+    # expects `command=foo&command=bar, not `command[]=foo&command[]=bar`
+    EXEC_COMMAND = URI.encode_www_form(
+      ['sh', '-c', 'bash || sh'].map { |value| ['command', value] }
+    )
+
+    # Filters an array of pods (as returned by the kubernetes API) by their labels
+    def filter_pods(pods, labels = {})
+      pods.select do |pod|
+        metadata = pod.fetch("metadata", {})
+        pod_labels = metadata.fetch("labels", nil)
+        next unless pod_labels
+
+        labels.all? { |k, v| pod_labels[k.to_s] == v }
+      end
+    end
+
+    # Converts a pod (as returned by the kubernetes API) into a terminal
+    def terminals_for_pod(api_url, namespace, pod)
+      metadata = pod.fetch("metadata", {})
+      status   = pod.fetch("status", {})
+      spec     = pod.fetch("spec", {})
+
+      containers = spec["containers"]
+      pod_name   = metadata["name"]
+      phase      = status["phase"]
+
+      return unless containers.present? && pod_name.present? && phase == "Running"
+
+      created_at = DateTime.parse(metadata["creationTimestamp"]) rescue nil
+
+      containers.map do |container|
+        {
+          selectors:    { pod: pod_name, container: container["name"] },
+          url:          container_exec_url(api_url, namespace, pod_name, container["name"]),
+          subprotocols: ['channel.k8s.io'],
+          headers:      Hash.new { |h, k| h[k] = [] },
+          created_at:   created_at,
+        }
+      end
+    end
+
+    def add_terminal_auth(terminal, token, ca_pem = nil)
+      terminal[:headers]['Authorization'] << "Bearer #{token}"
+      terminal[:ca_pem] = ca_pem if ca_pem.present?
+      terminal
+    end
+
+    def container_exec_url(api_url, namespace, pod_name, container_name)
+      url = URI.parse(api_url)
+      url.path = [
+        url.path.sub(%r{/+\z}, ''),
+        'api', 'v1',
+        'namespaces', ERB::Util.url_encode(namespace),
+        'pods', ERB::Util.url_encode(pod_name),
+        'exec'
+      ].join('/')
+
+      url.query = {
+        container: container_name,
+        tty: true,
+        stdin: true,
+        stdout: true,
+        stderr: true,
+      }.to_query + '&' + EXEC_COMMAND
+
+      case url.scheme
+      when 'http'
+        url.scheme = 'ws'
+      when 'https'
+        url.scheme = 'wss'
+      end
+
+      url.to_s
+    end
+  end
+end

lib/gitlab/workhorse.rb

@@ -95,6 +95,19 @@ module Gitlab
         ]
       end
 
+      def terminal_websocket(terminal)
+        details = {
+          'Terminal' => {
+            'Subprotocols' => terminal[:subprotocols],
+            'Url' => terminal[:url],
+            'Header' => terminal[:headers]
+          }
+        }
+        details['Terminal']['CAPem'] = terminal[:ca_pem] if terminal.has_key?(:ca_pem)
+
+        details
+      end
+
       def version
         path = Rails.root.join(VERSION_FILE)
         path.readable? ? path.read.chomp : 'unknown'

spec/controllers/import/gitea_controller_spec.rb

+require 'spec_helper'
+
+describe Import::GiteaController do
+  include ImportSpecHelper
+
+  let(:provider) { :gitea }
+  let(:host_url) { 'https://try.gitea.io' }
+
+  include_context 'a GitHub-ish import controller'
+
+  def assign_host_url
+    session[:gitea_host_url] = host_url
+  end
+
+  describe "GET new" do
+    it_behaves_like 'a GitHub-ish import controller: GET new' do
+      before do
+        assign_host_url
+      end
+    end
+  end
+
+  describe "POST personal_access_token" do
+    it_behaves_like 'a GitHub-ish import controller: POST personal_access_token'
+  end
+
+  describe "GET status" do
+    it_behaves_like 'a GitHub-ish import controller: GET status' do
+      before do
+        assign_host_url
+      end
+      let(:extra_assign_expectations) { { gitea_host_url: host_url } }
+    end
+  end
+
+  describe 'POST create' do
+    it_behaves_like 'a GitHub-ish import controller: POST create' do
+      before do
+        assign_host_url
+      end
+    end
+  end
+end

spec/controllers/import/github_controller_spec.rb

@@ -3,34 +3,18 @@ require 'spec_helper'
 describe Import::GithubController do
   include ImportSpecHelper
 
-  let(:user) { create(:user) }
-  let(:token) { "asdasd12345" }
-  let(:access_params) { { github_access_token: token } }
+  let(:provider) { :github }
 
-  def assign_session_token
-    session[:github_access_token] = token
-  end
-
-  before do
-    sign_in(user)
-    allow(controller).to receive(:github_import_enabled?).and_return(true)
-  end
+  include_context 'a GitHub-ish import controller'
 
   describe "GET new" do
-    it "redirects to GitHub for an access token if logged in with GitHub" do
-      allow(controller).to receive(:logged_in_with_github?).and_return(true)
-      expect(controller).to receive(:go_to_github_for_permissions)
+    it_behaves_like 'a GitHub-ish import controller: GET new'
 
-      get :new
-    end
-
-    it "redirects to status if we already have a token" do
-      assign_session_token
-      allow(controller).to receive(:logged_in_with_github?).and_return(false)
+    it "redirects to GitHub for an access token if logged in with GitHub" do
+      allow(controller).to receive(:logged_in_with_provider?).and_return(true)
+      expect(controller).to receive(:go_to_provider_for_permissions)
 
       get :new
-
-      expect(controller).to redirect_to(status_import_github_url)
     end
   end
 
@@ -51,196 +35,14 @@ describe Import::GithubController do
   end
 
   describe "POST personal_access_token" do
-    it "updates access token" do
-      token = "asdfasdf9876"
-
-      allow_any_instance_of(Gitlab::GithubImport::Client).
-        to receive(:user).and_return(true)
-
-      post :personal_access_token, personal_access_token: token
-
-      expect(session[:github_access_token]).to eq(token)
-      expect(controller).to redirect_to(status_import_github_url)
-    end
+    it_behaves_like 'a GitHub-ish import controller: POST personal_access_token'
   end
 
   describe "GET status" do
-    before do
-      @repo = OpenStruct.new(login: 'vim', full_name: 'asd/vim')
-      @org = OpenStruct.new(login: 'company')
-      @org_repo = OpenStruct.new(login: 'company', full_name: 'company/repo')
-      assign_session_token
-    end
-
-    it "assigns variables" do
-      @project = create(:project, import_type: 'github', creator_id: user.id)
-      stub_client(repos: [@repo, @org_repo], orgs: [@org], org_repos: [@org_repo])
-
-      get :status
-
-      expect(assigns(:already_added_projects)).to eq([@project])
-      expect(assigns(:repos)).to eq([@repo, @org_repo])
-    end
-
-    it "does not show already added project" do
-      @project = create(:project, import_type: 'github', creator_id: user.id, import_source: 'asd/vim')
-      stub_client(repos: [@repo], orgs: [])
-
-      get :status
-
-      expect(assigns(:already_added_projects)).to eq([@project])
-      expect(assigns(:repos)).to eq([])
-    end
-
-    it "handles an invalid access token" do
-      allow_any_instance_of(Gitlab::GithubImport::Client).
-        to receive(:repos).and_raise(Octokit::Unauthorized)
-
-      get :status
-
-      expect(session[:github_access_token]).to eq(nil)
-      expect(controller).to redirect_to(new_import_github_url)
-      expect(flash[:alert]).to eq('Access denied to your GitHub account.')
-    end
+    it_behaves_like 'a GitHub-ish import controller: GET status'
   end
 
   describe "POST create" do
-    let(:github_username) { user.username }
-    let(:github_user) { OpenStruct.new(login: github_username) }
-    let(:github_repo) do
-      OpenStruct.new(
-        name: 'vim',
-        full_name: "#{github_username}/vim",
-        owner: OpenStruct.new(login: github_username)
-      )
-    end
-
-    before do
-      stub_client(user: github_user, repo: github_repo)
-      assign_session_token
-    end
-
-    context "when the repository owner is the GitHub user" do
-      context "when the GitHub user and GitLab user's usernames match" do
-        it "takes the current user's namespace" do
-          expect(Gitlab::GithubImport::ProjectCreator).
-            to receive(:new).with(github_repo, github_repo.name, user.namespace, user, access_params).
-              and_return(double(execute: true))
-
-          post :create, format: :js
-        end
-      end
-
-      context "when the GitHub user and GitLab user's usernames don't match" do
-        let(:github_username) { "someone_else" }
-
-        it "takes the current user's namespace" do
-          expect(Gitlab::GithubImport::ProjectCreator).
-            to receive(:new).with(github_repo, github_repo.name, user.namespace, user, access_params).
-              and_return(double(execute: true))
-
-          post :create, format: :js
-        end
-      end
-    end
-
-    context "when the repository owner is not the GitHub user" do
-      let(:other_username) { "someone_else" }
-
-      before do
-        github_repo.owner = OpenStruct.new(login: other_username)
-        assign_session_token
-      end
-
-      context "when a namespace with the GitHub user's username already exists" do
-        let!(:existing_namespace) { create(:namespace, name: other_username, owner: user) }
-
-        context "when the namespace is owned by the GitLab user" do
-          it "takes the existing namespace" do
-            expect(Gitlab::GithubImport::ProjectCreator).
-              to receive(:new).with(github_repo, github_repo.name, existing_namespace, user, access_params).
-                and_return(double(execute: true))
-
-            post :create, format: :js
-          end
-        end
-
-        context "when the namespace is not owned by the GitLab user" do
-          before do
-            existing_namespace.owner = create(:user)
-            existing_namespace.save
-          end
-
-          it "creates a project using user's namespace" do
-            expect(Gitlab::GithubImport::ProjectCreator).
-              to receive(:new).with(github_repo, github_repo.name, user.namespace, user, access_params).
-                and_return(double(execute: true))
-
-            post :create, format: :js
-          end
-        end
-      end
-
-      context "when a namespace with the GitHub user's username doesn't exist" do
-        context "when current user can create namespaces" do
-          it "creates the namespace" do
-            expect(Gitlab::GithubImport::ProjectCreator).
-              to receive(:new).and_return(double(execute: true))
-
-            expect { post :create, target_namespace: github_repo.name, format: :js }.to change(Namespace, :count).by(1)
-          end
-
-          it "takes the new namespace" do
-            expect(Gitlab::GithubImport::ProjectCreator).
-              to receive(:new).with(github_repo, github_repo.name, an_instance_of(Group), user, access_params).
-              and_return(double(execute: true))
-
-            post :create, target_namespace: github_repo.name, format: :js
-          end
-        end
-
-        context "when current user can't create namespaces" do
-          before do
-            user.update_attribute(:can_create_group, false)
-          end
-
-          it "doesn't create the namespace" do
-            expect(Gitlab::GithubImport::ProjectCreator).
-              to receive(:new).and_return(double(execute: true))
-
-            expect { post :create, format: :js }.not_to change(Namespace, :count)
-          end
-
-          it "takes the current user's namespace" do
-            expect(Gitlab::GithubImport::ProjectCreator).
-              to receive(:new).with(github_repo, github_repo.name, user.namespace, user, access_params).
-              and_return(double(execute: true))
-
-            post :create, format: :js
-          end
-        end
-      end
-
-      context 'user has chosen a namespace and name for the project' do
-        let(:test_namespace) { create(:namespace, name: 'test_namespace', owner: user) }
-        let(:test_name) { 'test_name' }
-
-        it 'takes the selected namespace and name' do
-          expect(Gitlab::GithubImport::ProjectCreator).
-            to receive(:new).with(github_repo, test_name, test_namespace, user, access_params).
-              and_return(double(execute: true))
-
-          post :create, { target_namespace: test_namespace.name, new_name: test_name, format: :js }
-        end
-
-        it 'takes the selected name and default namespace' do
-          expect(Gitlab::GithubImport::ProjectCreator).
-            to receive(:new).with(github_repo, test_name, user.namespace, user, access_params).
-              and_return(double(execute: true))
-
-          post :create, { new_name: test_name, format: :js }
-        end
-      end
-    end
+    it_behaves_like 'a GitHub-ish import controller: POST create'
   end
 end

spec/controllers/projects/environments_controller_spec.rb

@@ -71,6 +71,75 @@ describe Projects::EnvironmentsController do
     end
   end
 
+  describe 'GET #terminal' do
+    context 'with valid id' do
+      it 'responds with a status code 200' do
+        get :terminal, environment_params
+
+        expect(response).to have_http_status(200)
+      end
+
+      it 'loads the terminals for the enviroment' do
+        expect_any_instance_of(Environment).to receive(:terminals)
+
+        get :terminal, environment_params
+      end
+    end
+
+    context 'with invalid id' do
+      it 'responds with a status code 404' do
+        get :terminal, environment_params(id: 666)
+
+        expect(response).to have_http_status(404)
+      end
+    end
+  end
+
+  describe 'GET #terminal_websocket_authorize' do
+    context 'with valid workhorse signature' do
+      before do
+        allow(Gitlab::Workhorse).to receive(:verify_api_request!).and_return(nil)
+      end
+
+      context 'and valid id' do
+        it 'returns the first terminal for the environment' do
+          expect_any_instance_of(Environment).
+            to receive(:terminals).
+            and_return([:fake_terminal])
+
+          expect(Gitlab::Workhorse).
+            to receive(:terminal_websocket).
+            with(:fake_terminal).
+            and_return(workhorse: :response)
+
+          get :terminal_websocket_authorize, environment_params
+
+          expect(response).to have_http_status(200)
+          expect(response.headers["Content-Type"]).to eq(Gitlab::Workhorse::INTERNAL_API_CONTENT_TYPE)
+          expect(response.body).to eq('{"workhorse":"response"}')
+        end
+      end
+
+      context 'and invalid id' do
+        it 'returns 404' do
+          get :terminal_websocket_authorize, environment_params(id: 666)
+
+          expect(response).to have_http_status(404)
+        end
+      end
+    end
+
+    context 'with invalid workhorse signature' do
+      it 'aborts with an exception' do
+        allow(Gitlab::Workhorse).to receive(:verify_api_request!).and_raise(JWT::DecodeError)
+
+        expect { get :terminal_websocket_authorize, environment_params }.to raise_error(JWT::DecodeError)
+        # controller tests don't set the response status correctly. It's enough
+        # to check that the action raised an exception
+      end
+    end
+  end
+
   def environment_params(opts = {})
     opts.reverse_merge(namespace_id: project.namespace,
                        project_id: project,

spec/factories/projects.rb

@@ -42,6 +42,12 @@ FactoryGirl.define do
       end
     end
 
+    trait :test_repo do
+      after :create do |project|
+        TestEnv.copy_repo(project)
+      end
+    end
+
     # Nest Project Feature attributes
     transient do
       wiki_access_level ProjectFeature::ENABLED
@@ -91,9 +97,7 @@ FactoryGirl.define do
   factory :project, parent: :empty_project do
     path { 'gitlabhq' }
 
-    after :create do |project|
-      TestEnv.copy_repo(project)
-    end
+    test_repo
   end
 
   factory :forked_project_with_submodules, parent: :empty_project do
@@ -140,7 +144,7 @@ FactoryGirl.define do
         active: true,
         properties: {
           namespace: project.path,
-          api_url: 'https://kubernetes.example.com/api',
+          api_url: 'https://kubernetes.example.com',
           token: 'a' * 40,
         }
       )

spec/features/admin/admin_projects_spec.rb

 require 'spec_helper'
 
 describe "Admin::Projects", feature: true  do
-  before do
-    @project = create(:project)
+  include Select2Helper
+
+  let(:user) { create :user }
+  let!(:project) { create(:project) }
+  let!(:current_user) do
     login_as :admin
   end
 
   describe "GET /admin/projects" do
+    let!(:archived_project) { create :project, :public, archived: true }
+
     before do
       visit admin_projects_path
     end
@@ -15,20 +20,98 @@ describe "Admin::Projects", feature: true  do
       expect(current_path).to eq(admin_projects_path)
     end
 
-    it "has projects list" do
-      expect(page).to have_content(@project.name)
+    it 'renders projects list without archived project' do
+      expect(page).to have_content(project.name)
+      expect(page).not_to have_content(archived_project.name)
+    end
+
+    it 'renders all projects', js: true do
+      find(:css, '#sort-projects-dropdown').click
+      click_link 'Show archived projects'
+
+      expect(page).to have_content(project.name)
+      expect(page).to have_content(archived_project.name)
+      expect(page).to have_xpath("//span[@class='label label-warning']", text: 'archived')
     end
   end
 
-  describe "GET /admin/projects/:id" do
+  describe "GET /admin/projects/:namespace_id/:id" do
     before do
       visit admin_projects_path
-      click_link "#{@project.name}"
+      click_link "#{project.name}"
+    end
+
+    it do
+      expect(current_path).to eq admin_namespace_project_path(project.namespace, project)
     end
 
     it "has project info" do
-      expect(page).to have_content(@project.path)
-      expect(page).to have_content(@project.name)
+      expect(page).to have_content(project.path)
+      expect(page).to have_content(project.name)
+      expect(page).to have_content(project.name_with_namespace)
+      expect(page).to have_content(project.creator.name)
+    end
+  end
+
+  describe 'transfer project' do
+    before do
+      create(:group, name: 'Web')
+
+      allow_any_instance_of(Projects::TransferService).
+        to receive(:move_uploads_to_new_namespace).and_return(true)
+    end
+
+    it 'transfers project to group web', js: true do
+      visit admin_namespace_project_path(project.namespace, project)
+
+      click_button 'Search for Namespace'
+      click_link 'group: web'
+      click_button 'Transfer'
+
+      expect(page).to have_content("Web / #{project.name}")
+      expect(page).to have_content('Namespace: Web')
+    end
+  end
+
+  describe 'add admin himself to a project' do
+    before do
+      project.team << [user, :master]
+    end
+
+    it 'adds admin a to a project as developer', js: true do
+      visit namespace_project_project_members_path(project.namespace, project)
+
+      page.within '.users-project-form' do
+        select2(current_user.id, from: '#user_ids', multiple: true)
+        select 'Developer', from: 'access_level'
+      end
+
+      click_button 'Add to project'
+
+      page.within '.content-list' do
+        expect(page).to have_content(current_user.name)
+        expect(page).to have_content('Developer')
+      end
+    end
+  end
+
+  describe 'admin remove himself from a project' do
+    before do
+      project.team << [user, :master]
+      project.team << [current_user, :developer]
+    end
+
+    it 'removes admin from the project' do
+      visit namespace_project_project_members_path(project.namespace, project)
+
+      page.within '.content-list' do
+        expect(page).to have_content(current_user.name)
+        expect(page).to have_content('Developer')
+      end
+
+      find(:css, 'li', text: current_user.name).find(:css, 'a.btn-remove').click
+
+      expect(page).not_to have_selector(:css, '.content-list')
     end
   end
 end

spec/features/environment_spec.rb

@@ -38,6 +38,10 @@ feature 'Environment', :feature do
         scenario 'does not show a re-deploy button for deployment without build' do
           expect(page).not_to have_link('Re-deploy')
         end
+
+        scenario 'does not show terminal button' do
+          expect(page).not_to have_terminal_button
+        end
       end
 
       context 'with related deployable present' do
@@ -60,6 +64,10 @@ feature 'Environment', :feature do
           expect(page).not_to have_link('Stop')
         end
 
+        scenario 'does not show terminal button' do
+          expect(page).not_to have_terminal_button
+        end
+
         context 'with manual action' do
           given(:manual) { create(:ci_build, :manual, pipeline: pipeline, name: 'deploy to production') }
 
@@ -84,6 +92,26 @@ feature 'Environment', :feature do
             end
           end
 
+          context 'with terminal' do
+            let(:project) { create(:kubernetes_project, :test_repo) }
+
+            context 'for project master' do
+              let(:role) { :master }
+
+              scenario 'it shows the terminal button' do
+                expect(page).to have_terminal_button
+              end
+            end
+
+            context 'for developer' do
+              let(:role) { :developer }
+
+              scenario 'does not show terminal button' do
+                expect(page).not_to have_terminal_button
+              end
+            end
+          end
+
           context 'with stop action' do
             given(:manual) { create(:ci_build, :manual, pipeline: pipeline, name: 'close_app') }
             given(:deployment) { create(:deployment, environment: environment, deployable: build, on_stop: 'close_app') }
@@ -158,4 +186,8 @@ feature 'Environment', :feature do
                                              environment.project,
                                              environment)
   end
+
+  def have_terminal_button
+    have_link(nil, href: terminal_namespace_project_environment_path(project.namespace, project, environment))
+  end
 end

spec/features/environments_spec.rb

@@ -113,6 +113,10 @@ feature 'Environments page', :feature, :js do
           expect(page).not_to have_css('external-url')
         end
 
+        scenario 'does not show terminal button' do
+          expect(page).not_to have_terminal_button
+        end
+
         context 'with external_url' do
           given(:environment) { create(:environment, project: project, external_url: 'https://git.gitlab.com') }
           given(:build) { create(:ci_build, pipeline: pipeline) }
@@ -145,6 +149,26 @@ feature 'Environments page', :feature, :js do
             end
           end
         end
+
+        context 'with terminal' do
+          let(:project) { create(:kubernetes_project, :test_repo) }
+
+          context 'for project master' do
+            let(:role) { :master }
+
+            scenario 'it shows the terminal button' do
+              expect(page).to have_terminal_button
+            end
+          end
+
+          context 'for developer' do
+            let(:role) { :developer }
+
+            scenario 'does not show terminal button' do
+              expect(page).not_to have_terminal_button
+            end
+          end
+        end
       end
     end
   end
@@ -195,6 +219,10 @@ feature 'Environments page', :feature, :js do
     end
   end
 
+  def have_terminal_button
+    have_link(nil, href: terminal_namespace_project_environment_path(project.namespace, project, environment))
+  end
+
   def visit_environments(project)
     visit namespace_project_environments_path(project.namespace, project)
   end

spec/features/projects/members/master_adds_member_with_expiration_date_spec.rb

@@ -24,7 +24,7 @@ feature 'Projects > Members > Master adds member with expiration date', feature:
         click_on 'Add to project'
       end
 
-      page.within '.project_member:first-child' do
+      page.within "#project_member_#{new_member.project_members.first.id}" do
         expect(page).to have_content('Expires in 4 days')
       end
     end
@@ -35,7 +35,7 @@ feature 'Projects > Members > Master adds member with expiration date', feature:
       project.team.add_users([new_member.id], :developer, expires_at: '2016-09-06')
       visit namespace_project_project_members_path(project.namespace, project)
 
-      page.within '.project_member:first-child' do
+      page.within "#project_member_#{new_member.project_members.first.id}" do
         find('.js-access-expiration-date').set '2016-08-09'
         wait_for_ajax
         expect(page).to have_content('Expires in 3 days')