* 'master' of dev.gitlab.org:gitlab/gitlabhq:
  Make sessions controller specs more explicit
  Fix 2FA authentication spoofing vulnerability
  Add specs for sessions controller  including 2FA

Fix 2FA authentication spoofing

## Summary

This is security fix for vulnerability described at 
https://gitlab.com/gitlab-org/gitlab-ce/issues/14900.

Attacker was able to bypass password authentication of users that have 2FA enabled, and consequently sign is as a different user, without knowing his password, if he managed to guess 2FA One Time Password for that user.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with different error for each case.

## Fix

This MR attempts to change default user search scope if `otp_user_id` session variable has been set. If it is present, it means that user has 2FA enabled, and has already been verified with login and password. In this case we should look for user with `otp_user_id` first, before picking it up by `login`.

Both, 2FA authentication spoofing and 2FA discovery have been covered by specs.

## Further work

Current 2FA code is a bit tricky, so it probably needs some refactoring.



See merge request !1947

Expire caches after project creation to ensure a consistent state

See merge request !3586

Only update main language if it is not already set

Related to gitlab-org/gitlab-ce#14937 (but does not fully fix) This is a temporary fix so performance isn't affected so much. 

cc @yorickpeterse @ayufan how does this look?

See merge request !3556

This commit attempts to change default user search scope if otp_user_id
session variable has been set. If it is present, it means that user has
2FA enabled, and has already been verified with login and password. In
this case we should look for user with otp_user_id first, before picking
it up by login.

API: Ability to filter milestones by state

Ability to filter milestones by `active` and `closed` state.

* Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14931

See merge request !3566

Expose badges

This MR exposes badge somewhere in visible place.

![expose_badges](/uploads/d2e290d3013d1ef2b1bdeebbbe2c5d8b/expose_badges.png)

Closes #13801

See merge request !3326

Fixes #14638.

The SQL query was ambiguous and in this case we want to filter projects.

See merge request !3462

Return status code 303 after a branch DELETE operation to avoid project deletion

Closes #14994

See merge request !3583

Closes #14961

Update coveralls from 0.8.9 to 0.8.13 and simplecov from 0.10.0 to 0.11.2

This removes a few dependencies! It was also rude to be using coveralls
0.8.9, considering 0.8.12 introduced support for GitLab CI :) Also
paves the way for updating mime-types to 3.0.

Coveralls Changelog:
https://github.com/lemurheavy/coveralls-ruby/releases

Simplecov Changelog:
https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md

See merge request !3584

Fix typo in .gitlab-ci.yml doc. [ci skip]



See merge request !3581

This removes a few dependencies! It was also rude to be using coveralls
0.8.9, considering 0.8.12 introduced support for GitLab CI :) Also
paves the way for updating mime-types to 3.0.

Coveralls Changelog:
https://github.com/lemurheavy/coveralls-ruby/releases

Simplecov Changelog:
https://github.com/colszowka/simplecov/blob/master/CHANGELOG.md

Closes #14994

Reset merge request widget options

Fixes #14986 

See merge request !3582

Allow SAML to identify external users and set them as such

Related to #4009

Fixes #14577

This allows SAML to retrieve group information form the `SAML Response`
and match that to a setting that will flag all matching users as external.

See merge request !3530

Wiki preview URL converting problem [via Markdown]

Current implementation when rendering the preview, thinks relative links are for project repository files.

We are creating a new preview route that will define correct context data to render for wikis instead.

Fixes #2380, #1184

See merge request !3461

Do not add location badge when creating a group or project

Closes #14952 

![](/uploads/778d0cbccffc717d601a91528ca8eb3c/Screen_Shot_2016-04-05_at_5.34.10_PM.png)

![](/uploads/dbd9eb06b510a6ac091dcf2e3fcb9c88/Screen_Shot_2016-04-05_at_5.34.21_PM.png)

See merge request !3555

Wrap code blocks to next line

Closes #14866 

![Screen_Shot_2016-04-06_at_9.27.06_AM](/uploads/8bed5c17b17c9d15fe34dc7161d31e09/Screen_Shot_2016-04-06_at_9.27.06_AM.png)

See merge request !3573

Fix missing entries in permission matrix [ci skip]

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/14882

See merge request !3580

Unblocks user when active_directory is disabled and it can be found

We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242. 

That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would not be temporarily found (like a filtering rule), that would mark the user as `ldap_blocked`, but will never unblock it automatically when that state changed.

Fixes #14253, #13179, #13259, #13959

See merge request !3550