Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-03-27

# Conflicts:
#	CHANGELOG.md
#	spec/services/clusters/create_service_spec.rb

[ci skip]

CHANGELOG.md

@@ -8,11 +8,18 @@ entry.
 
 - Bump rails-html-sanitizer to 1.0.4.
 
+<<<<<<< HEAD
 ### Fixed (3 changes)
 
 - Prevent auto-retry AccessDenied error from stopping transition to failed. !17862
 - Fix 500 error when trying to resolve non-ASCII conflicts in the editor. !17962
 - Don't capture trailing punctuation when autolinking. !17965
+=======
+### Fixed (2 changes)
+
+- Prevent auto-retry AccessDenied error from stopping transition to failed. !17862
+- Fix 500 error when trying to resolve non-ASCII conflicts in the editor. !17962
+>>>>>>> upstream/master
 
 ### Performance (1 change)
 

Gemfile

@@ -52,6 +52,7 @@ gem 'omniauth-shibboleth', '~> 1.2.0'
 gem 'omniauth-twitter', '~> 1.4'
 gem 'omniauth_crowd', '~> 2.2.0'
 gem 'omniauth-authentiq', '~> 0.3.1'
+gem 'omniauth-jwt', '~> 0.0.2'
 gem 'rack-oauth2', '~> 1.2.1'
 gem 'jwt', '~> 1.5.6'
 

Gemfile.lock

@@ -584,6 +584,9 @@ GEM
       multi_json (~> 1.3)
       omniauth (>= 1.1.1)
       omniauth-oauth2 (>= 1.3.1)
+    omniauth-jwt (0.0.2)
+      jwt
+      omniauth (~> 1.1)
     omniauth-kerberos (0.3.0)
       omniauth-multipassword
       timfel-krb5-auth (~> 0.8)
@@ -1153,6 +1156,7 @@ DEPENDENCIES
   omniauth-github (~> 1.1.1)
   omniauth-gitlab (~> 1.0.2)
   omniauth-google-oauth2 (~> 0.5.2)
+  omniauth-jwt (~> 0.0.2)
   omniauth-kerberos (~> 0.3.0)
   omniauth-oauth2-generic (~> 0.2.2)
   omniauth-saml (~> 1.10)

app/controllers/root_controller.rb

@@ -42,6 +42,10 @@ class RootController < Dashboard::ProjectsController
       redirect_to(dashboard_groups_path)
     when 'todos'
       redirect_to(dashboard_todos_path)
+    when 'issues'
+      redirect_to(issues_dashboard_path(assignee_id: current_user.id))
+    when 'merge_requests'
+      redirect_to(merge_requests_dashboard_path(assignee_id: current_user.id))
     end
   end
 

app/helpers/preferences_helper.rb

@@ -9,12 +9,14 @@ module PreferencesHelper
 
   # Maps `dashboard` values to more user-friendly option text
   DASHBOARD_CHOICES = {
-    projects: 'Your Projects (default)',
-    stars:    'Starred Projects',
-    project_activity: "Your Projects' Activity",
-    starred_project_activity: "Starred Projects' Activity",
-    groups: "Your Groups",
-    todos: "Your Todos"
+    projects: _("Your Projects (default)"),
+    stars:    _("Starred Projects"),
+    project_activity: _("Your Projects' Activity"),
+    starred_project_activity: _("Starred Projects' Activity"),
+    groups: _("Your Groups"),
+    todos: _("Your Todos"),
+    issues: _("Assigned Issues"),
+    merge_requests: _("Assigned Merge Requests")
   }.with_indifferent_access.freeze
 
   # Returns an Array usable by a select field for more user-friendly option text

app/models/user.rb

@@ -189,7 +189,7 @@ class User < ActiveRecord::Base
 
   # User's Dashboard preference
   # Note: When adding an option, it MUST go on the end of the array.
-  enum dashboard: [:projects, :stars, :project_activity, :starred_project_activity, :groups, :todos]
+  enum dashboard: [:projects, :stars, :project_activity, :starred_project_activity, :groups, :todos, :issues, :merge_requests]
 
   # User's Project preference
   # Note: When adding an option, it MUST go on the end of the array.

changelogs/unreleased/43512-add-support-for-omniauth-jwt-provider.yml

+---
+title: Adds support for OmniAuth JWT provider
+merge_request: 17774
+author:
+type: added

changelogs/unreleased/dashboard-view-user-choices-issues-merge-requests.yml

+---
+title: Add 'Assigned Issues' and 'Assigned Merge Requests' as dashboard view choices for users
+merge_request: 17860
+author: Elias Werberich
+type: added

changelogs/unreleased/workhorse-gitaly-mandatory.yml

+---
+title: Make all workhorse gitaly calls opt-out
+merge_request: 18002
+author:
+type: other

config/gitlab.yml.example

@@ -610,7 +610,17 @@ production: &base
       # - { name: 'twitter',
       #     app_id: 'YOUR_APP_ID',
       #     app_secret: 'YOUR_APP_SECRET' }
-      #
+      # - { name: 'jwt',
+      #     app_secret: 'YOUR_APP_SECRET',
+      #     args: {
+      #             algorithm: 'HS256',
+      #             uid_claim: 'email',
+      #             required_claims: ["name", "email"],
+      #             info_map: { name: "name", email: "email" },
+      #             auth_url: 'https://example.com/',
+      #             valid_within: nil,
+      #           }
+      #   }
       # - { name: 'saml',
       #     label: 'Our SAML Provider',
       #     groups_attribute: 'Groups',
@@ -891,6 +901,17 @@ test:
       - { name: 'twitter',
           app_id: 'YOUR_APP_ID',
           app_secret: 'YOUR_APP_SECRET' }
+      - { name: 'jwt',
+          app_secret: 'YOUR_APP_SECRET',
+          args: {
+                  algorithm: 'HS256',
+                  uid_claim: 'email',
+                  required_claims: ["name", "email"],
+                  info_map: { name: "name", email: "email" },
+                  auth_url: 'https://example.com/',
+                  valid_within: nil,
+                }
+        }
       - { name: 'auth0',
           args: {
             client_id: 'YOUR_AUTH0_CLIENT_ID',

doc/administration/auth/jwt.md

+# JWT OmniAuth provider
+
+To enable the JWT OmniAuth provider, you must register your application with JWT.
+JWT will provide you with a secret key for you to use.
+
+1.  On your GitLab server, open the configuration file.
+
+    For Omnibus GitLab:
+
+    ```sh
+    sudo editor /etc/gitlab/gitlab.rb
+    ```
+
+    For installations from source:
+
+    ```sh
+    cd /home/git/gitlab
+    sudo -u git -H editor config/gitlab.yml
+    ```
+
+1.  See [Initial OmniAuth Configuration](../../integration/omniauth.md#initial-omniauth-configuration) for initial settings.
+1.  Add the provider configuration.
+
+    For Omnibus GitLab:
+
+    ```ruby
+    gitlab_rails['omniauth_providers'] = [
+      { name: 'jwt',
+        app_secret: 'YOUR_APP_SECRET',
+        args: {
+                algorithm: 'HS256',
+                uid_claim: 'email',
+                required_claims: ["name", "email"],
+                info_maps: { name: "name", email: "email" },
+                auth_url: 'https://example.com/',
+                valid_within: nil,
+              }
+      }
+    ]
+    ```
+
+    For installation from source:
+
+    ```
+    - { name: 'jwt',
+        app_secret: 'YOUR_APP_SECRET',
+        args: {
+                algorithm: 'HS256',
+                uid_claim: 'email',
+                required_claims: ["name", "email"],
+                info_map: { name: "name", email: "email" },
+                auth_url: 'https://example.com/',
+                valid_within: nil,
+              }
+      }
+    ```
+
+    NOTE: **Note:** For more information on each configuration option refer to
+    the [OmniAuth JWT usage documentation](https://github.com/mbleigh/omniauth-jwt#usage).
+
+1.  Change `YOUR_APP_SECRET` to the client secret and set `auth_url` to your redirect URL.
+1.  Save the configuration file.
+1.  [Reconfigure GitLab][] or [restart GitLab][] for the changes to take effect if you
+    installed GitLab via Omnibus or from source respectively.
+
+On the sign in page there should now be a JWT icon below the regular sign in form.
+Click the icon to begin the authentication process. JWT will ask the user to
+sign in and authorize the GitLab application. If everything goes well, the user
+will be redirected to GitLab and will be signed in.
+
+[reconfigure GitLab]: ../restart_gitlab.md#omnibus-gitlab-reconfigure
+[restart GitLab]: ../restart_gitlab.md#installations-from-source

doc/integration/omniauth.md

@@ -32,6 +32,7 @@ contains some settings that are common for all providers.
 - [Auth0](auth0.md)
 - [Authentiq](../administration/auth/authentiq.md)
 - [OAuth2Generic](oauth2_generic.md)
+- [JWT](../administration/auth/jwt.md)
 
 ## Initial OmniAuth Configuration
 

doc/user/profile/preferences.md

@@ -41,7 +41,7 @@ select few, the amount of activity on the default Dashboard page can be
 overwhelming. Changing this setting allows you to redefine what your default
 dashboard will be.
 
-You have 6 options here that you can use for your default dashboard view:
+You have 8 options here that you can use for your default dashboard view:
 
 - Your projects (default)
 - Starred projects
@@ -49,6 +49,8 @@ You have 6 options here that you can use for your default dashboard view:
 - Starred projects' activity
 - Your groups
 - Your [Todos]
+- Assigned Issues
+- Assigned Merge Requests
 
 ### Project home page content
 

doc/user/project/clusters/index.md

@@ -71,7 +71,7 @@ You need Master [permissions] and above to access the Kubernetes page.
 To add an existing Kubernetes cluster to your project:
 
 1. Navigate to your project's **CI/CD > Kubernetes** page.
-1. Click on **Add Kuberntes cluster**.
+1. Click on **Add Kubernetes cluster**.
 1. Click on **Add an existing Kubernetes cluster** and fill in the details:
     - **Kubernetes cluster name** (required) - The name you wish to give the cluster.
     - **Environment scope** (required)- The
@@ -101,7 +101,7 @@ To add an existing Kubernetes cluster to your project:
       - If you or someone created a secret specifically for the project, usually
         with limited permissions, the secret's namespace and project namespace may
         be the same.
-1. Finally, click the **Create Kuberntes cluster** button.
+1. Finally, click the **Create Kubernetes cluster** button.
 
 After a few moments, your cluster should be created. If something goes wrong,
 you will be notified.

lib/gitlab/workhorse.rb

@@ -44,7 +44,7 @@ module Gitlab
       end
 
       def send_git_blob(repository, blob)
-        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_raw_show)
+        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_raw_show, Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
                    {
                      'GitalyServer' => gitaly_server_hash(repository),
                      'GetBlobRequest' => {
@@ -72,7 +72,7 @@ module Gitlab
         params = repository.archive_metadata(ref, Gitlab.config.gitlab.repository_downloads_path, format)
         raise "Repository or ref not found" if params.empty?
 
-        if Gitlab::GitalyClient.feature_enabled?(:workhorse_archive)
+        if Gitlab::GitalyClient.feature_enabled?(:workhorse_archive, Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
           params.merge!(
             'GitalyServer' => gitaly_server_hash(repository),
             'GitalyRepository' => repository.gitaly_repository.to_h
@@ -89,7 +89,7 @@ module Gitlab
       end
 
       def send_git_diff(repository, diff_refs)
-        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_send_git_diff)
+        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_send_git_diff, Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
                    {
                      'GitalyServer' => gitaly_server_hash(repository),
                      'RawDiffRequest' => Gitaly::RawDiffRequest.new(
@@ -107,7 +107,7 @@ module Gitlab
       end
 
       def send_git_patch(repository, diff_refs)
-        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_send_git_patch)
+        params = if Gitlab::GitalyClient.feature_enabled?(:workhorse_send_git_patch, Gitlab::GitalyClient::MigrationStatus::OPT_OUT)
                    {
                      'GitalyServer' => gitaly_server_hash(repository),
                      'RawPatchRequest' => Gitaly::RawPatchRequest.new(

spec/controllers/root_controller_spec.rb

@@ -90,6 +90,30 @@ describe RootController do
         end
       end
 
+      context 'who has customized their dashboard setting for assigned issues' do
+        before do
+          user.dashboard = 'issues'
+        end
+
+        it 'redirects to their assigned issues' do
+          get :index
+
+          expect(response).to redirect_to issues_dashboard_path(assignee_id: user.id)
+        end
+      end
+
+      context 'who has customized their dashboard setting for assigned merge requests' do
+        before do
+          user.dashboard = 'merge_requests'
+        end
+
+        it 'redirects to their assigned merge requests' do
+          get :index
+
+          expect(response).to redirect_to merge_requests_dashboard_path(assignee_id: user.id)
+        end
+      end
+
       context 'who uses the default dashboard setting' do
         it 'renders the default dashboard' do
           get :index

spec/features/projects/hook_logs/user_reads_log_spec.rb

+require 'spec_helper'
+
+feature 'Hook logs' do
+  given(:web_hook_log) { create(:web_hook_log, response_body: '<script>') }
+  given(:project) { web_hook_log.web_hook.project }
+  given(:user) { create(:user) }
+
+  before do
+    project.add_master(user)
+
+    sign_in(user)
+  end
+
+  scenario 'user reads log without getting XSS' do
+    visit(
+      project_hook_hook_log_path(
+        project, web_hook_log.web_hook, web_hook_log))
+
+    expect(page).to have_content('<script>')
+  end
+end

spec/helpers/preferences_helper_spec.rb

@@ -21,7 +21,9 @@ describe PreferencesHelper do
         ["Your Projects' Activity", 'project_activity'],
         ["Starred Projects' Activity", 'starred_project_activity'],
         ["Your Groups", 'groups'],
-        ["Your Todos", 'todos']
+        ["Your Todos", 'todos'],
+        ["Assigned Issues", 'issues'],
+        ["Assigned Merge Requests", 'merge_requests']
       ]
     end
   end

spec/lib/gitlab/workhorse_spec.rb

@@ -55,7 +55,7 @@ describe Gitlab::Workhorse do
       end
     end
 
-    context 'when Gitaly workhorse_archive feature is disabled', :skip_gitaly_mock do
+    context 'when Gitaly workhorse_archive feature is disabled', :disable_gitaly do
       it 'sets the header correctly' do
         key, command, params = decode_workhorse_header(subject)
 
@@ -100,7 +100,7 @@ describe Gitlab::Workhorse do
       end
     end
 
-    context 'when Gitaly workhorse_send_git_patch feature is disabled', :skip_gitaly_mock do
+    context 'when Gitaly workhorse_send_git_patch feature is disabled', :disable_gitaly do
       it 'sets the header correctly' do
         key, command, params = decode_workhorse_header(subject)
 
@@ -173,7 +173,7 @@ describe Gitlab::Workhorse do
       end
     end
 
-    context 'when Gitaly workhorse_send_git_diff feature is disabled', :skip_gitaly_mock do
+    context 'when Gitaly workhorse_send_git_diff feature is disabled', :disable_gitaly do
       it 'sets the header correctly' do
         key, command, params = decode_workhorse_header(subject)
 
@@ -455,7 +455,7 @@ describe Gitlab::Workhorse do
       end
     end
 
-    context 'when Gitaly workhorse_raw_show feature is disabled', :skip_gitaly_mock do
+    context 'when Gitaly workhorse_raw_show feature is disabled', :disable_gitaly do
       it 'sets the header correctly' do
         key, command, params = decode_workhorse_header(subject)
 

spec/services/clusters/create_service_spec.rb

@@ -81,6 +81,10 @@ describe Clusters::CreateService do
     end
 
     context 'when project has a cluster' do
+<<<<<<< HEAD
+=======
+      include_context 'valid params'
+>>>>>>> upstream/master
       let!(:cluster) { create(:cluster, :provided_by_gcp, :production_environment, projects: [project]) }
 
       before do