Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-01-22

.gitlab-ci.yml

@@ -313,7 +313,7 @@ flaky-examples-check:
     - scripts/merge-reports ${NEW_FLAKY_SPECS_REPORT} rspec_flaky/new_*_*.json
     - scripts/detect-new-flaky-examples $NEW_FLAKY_SPECS_REPORT
 
-setup-test-env:
+compile-assets:
   <<: *dedicated-runner
   <<: *except-docs
   <<: *use-pg
@@ -324,13 +324,25 @@ setup-test-env:
     - node --version
     - yarn install --frozen-lockfile --cache-folder .yarn-cache
     - bundle exec rake gitlab:assets:compile
-    - bundle exec ruby -Ispec -e 'require "spec_helper" ; TestEnv.init'
-    - scripts/gitaly-test-build # Do not use 'bundle exec' here
   artifacts:
     expire_in: 7d
     paths:
       - node_modules
       - public/assets
+
+setup-test-env:
+  <<: *dedicated-runner
+  <<: *except-docs
+  <<: *use-pg
+  stage: prepare
+  cache:
+    <<: *default-cache
+  script:
+    - bundle exec ruby -Ispec -e 'require "spec_helper" ; TestEnv.init'
+    - scripts/gitaly-test-build # Do not use 'bundle exec' here
+  artifacts:
+    expire_in: 7d
+    paths:
       - tmp/tests
 
 rspec-pg geo: *rspec-metadata-pg-geo
@@ -689,6 +701,7 @@ lint:javascript:report:
   <<: *pull-cache
   stage: post-test
   dependencies:
+    - compile-assets
     - setup-test-env
   before_script: []
   script:

app/assets/stylesheets/framework/layout.scss

 html {
   overflow-y: scroll;
 
-  &.touch .tooltip { display: none !important; }
+  &.touch .tooltip {
+    display: none !important;
+  }
 }
 
 body {
+  // Improves readability for dyslexic users; supported only in Chrome/Safari so far
+  // scss-lint:disable PropertySpelling
+  text-decoration-skip: ink;
+  // scss-lint:enable PropertySpelling
   &.navless {
     background-color: $white-light !important;
   }

app/helpers/application_settings_helper.rb

@@ -202,6 +202,7 @@ module ApplicationSettingsHelper
       :metrics_sample_interval,
       :metrics_timeout,
       :password_authentication_enabled_for_web,
+      :password_authentication_enabled_for_git,
       :performance_bar_allowed_group_id,
       :performance_bar_enabled,
       :plantuml_enabled,

app/models/project.rb

@@ -1449,7 +1449,7 @@ class Project < ActiveRecord::Base
     # We'd need to keep track of project full path otherwise directory tree
     # created with hashed storage enabled cannot be usefully imported using
     # the import rake task.
-    repository.rugged.config['gitlab.fullpath'] = gl_full_path
+    repository.raw_repository.write_config(full_path: gl_full_path)
   rescue Gitlab::Git::Repository::NoRepository => e
     Rails.logger.error("Error writing to .git/config for project #{full_path} (#{id}): #{e.message}.")
     nil

changelogs/unreleased/41814-text-decoration-skip.yml

+---
+title: Improve readability of underlined links for dyslexic users
+merge_request:
+author:
+type: other

changelogs/unreleased/42206-permit-password-for-git-param.yml

+---
+title: Permits 'password_authentication_enabled_for_git' parameter for ApplicationSettingsController
+merge_request:
+author:
+type: fixed

changelogs/unreleased/42231-protected-branches-api-route-returns-404-for-branches-with-dots.yml

+---
+title: Fix protected branches API to accept name parameter with dot
+merge_request:
+author:
+type: fixed

lib/api/protected_branches.rb

@@ -2,7 +2,7 @@ module API
   class ProtectedBranches < Grape::API
     include PaginationParams
 
-    BRANCH_ENDPOINT_REQUIREMENTS = API::PROJECT_ENDPOINT_REQUIREMENTS.merge(branch: API::NO_SLASH_URL_PART_REGEX)
+    BRANCH_ENDPOINT_REQUIREMENTS = API::PROJECT_ENDPOINT_REQUIREMENTS.merge(name: API::NO_SLASH_URL_PART_REGEX)
 
     before { authorize_admin_project }
 

lib/gitlab/git/repository.rb

@@ -1311,6 +1311,10 @@ module Gitlab
       end
       # rubocop:enable Metrics/ParameterLists
 
+      def write_config(full_path:)
+        rugged.config['gitlab.fullpath'] = full_path if full_path.present?
+      end
+
       def gitaly_repository
         Gitlab::GitalyClient::Util.repository(@storage, @relative_path, @gl_repository)
       end

spec/controllers/admin/application_settings_controller_spec.rb

@@ -51,6 +51,13 @@ describe Admin::ApplicationSettingsController do
       sign_in(admin)
     end
 
+    it 'updates the password_authentication_enabled_for_git setting' do
+      put :update, application_setting: { password_authentication_enabled_for_git: "0" }
+
+      expect(response).to redirect_to(admin_application_settings_path)
+      expect(ApplicationSetting.current.password_authentication_enabled_for_git).to eq(false)
+    end
+
     it 'updates the default_project_visibility for string value' do
       put :update, application_setting: { default_project_visibility: "20" }
 

spec/requests/api/protected_branches_spec.rb

@@ -101,6 +101,12 @@ describe API::ProtectedBranches do
 
         it_behaves_like 'protected branch'
       end
+
+      context 'when protected branch contains a period' do
+        let(:protected_name) { 'my.feature' }
+
+        it_behaves_like 'protected branch'
+      end
     end
 
     context 'when authenticated as a guest' do

vendor/gitlab-ci-yml/Auto-DevOps.gitlab-ci.yml

@@ -42,6 +42,7 @@ stages:
   - build
   - test
   - review
+  - dast
   - staging
   - canary
   - production
@@ -130,6 +131,23 @@ sast:container:
   artifacts:
     paths: [gl-sast-container-report.json]
 
+dast:
+  stage: dast
+  allow_failure: true
+  image: owasp/zap2docker-stable
+  variables:
+    POSTGRES_DB: "false"
+  script:
+    - dast
+  artifacts:
+    paths: [gl-dast-report.json]
+  only:
+    refs:
+      - branches
+    kubernetes: active
+  except:
+    - master
+
 review:
   stage: review
   script:
@@ -270,8 +288,8 @@ production:
     docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.1
     apk add -U wget ca-certificates
     docker pull ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG}
-    wget https://github.com/arminc/clair-scanner/releases/download/v6/clair-scanner_linux_386
-    mv clair-scanner_linux_386 clair-scanner
+    wget https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+    mv clair-scanner_linux_amd64 clair-scanner
     chmod +x clair-scanner
     touch clair-whitelist.yml
     ./clair-scanner -c http://docker:6060 --ip $(hostname -i) -r gl-sast-container-report.json -l clair.log -w clair-whitelist.yml ${CI_APPLICATION_REPOSITORY}:${CI_APPLICATION_TAG} || true
@@ -327,6 +345,12 @@ production:
       replicas="$new_replicas"
     fi
 
+    if [[ "$CI_PROJECT_VISIBILITY" != "public" ]]; then
+      secret_name='gitlab-registry'
+    else
+      secret_name=''
+    fi
+
     helm upgrade --install \
       --wait \
       --set service.enabled="$service_enabled" \
@@ -334,6 +358,7 @@ production:
       --set image.repository="$CI_APPLICATION_REPOSITORY" \
       --set image.tag="$CI_APPLICATION_TAG" \
       --set image.pullPolicy=IfNotPresent \
+      --set image.secrets[0].name="$secret_name" \
       --set application.track="$track" \
       --set application.database_url="$DATABASE_URL" \
       --set service.url="$CI_ENVIRONMENT_URL" \
@@ -462,6 +487,11 @@ production:
   }
 
   function create_secret() {
+    echo "Create secret..."
+    if [[ "$CI_PROJECT_VISIBILITY" == "public" ]]; then
+      return
+    fi
+
     kubectl create secret -n "$KUBE_NAMESPACE" \
       docker-registry gitlab-registry \
       --docker-server="$CI_REGISTRY" \
@@ -471,6 +501,14 @@ production:
       -o yaml --dry-run | kubectl replace -n "$KUBE_NAMESPACE" --force -f -
   }
 
+  function dast() {
+    export CI_ENVIRONMENT_URL=$(cat environment_url.txt)
+
+    mkdir /zap/wrk/
+    /zap/zap-baseline.py -J gl-dast-report.json -t "$CI_ENVIRONMENT_URL" || true
+    cp /zap/wrk/gl-dast-report.json .
+  }
+
   function performance() {
     export CI_ENVIRONMENT_URL=$(cat environment_url.txt)