Merge remote-tracking branch 'upstream/master' into ce-to-ee-2018-11-13

# Conflicts:
#	Gemfile.lock
#	Gemfile.rails5.lock

[ci skip]

Gemfile

@@ -354,7 +354,7 @@ group :development, :test do
   gem 'minitest', '~> 5.7.0'
 
   # Generate Fake data
-  gem 'ffaker', '~> 2.4'
+  gem 'ffaker', '~> 2.10'
 
   gem 'capybara', '~> 2.15'
   gem 'capybara-screenshot', '~> 1.0.0'
@@ -369,7 +369,7 @@ group :development, :test do
   gem 'rubocop-rspec', '~> 1.22.1'
 
   gem 'scss_lint', '~> 0.56.0', require: false
-  gem 'haml_lint', '~> 0.26.0', require: false
+  gem 'haml_lint', '~> 0.28.0', require: false
   gem 'simplecov', '~> 0.14.0', require: false
   gem 'bundler-audit', '~> 0.5.0', require: false
 

Gemfile.lock

@@ -226,7 +226,7 @@ GEM
       multi_json
     fast_blank (1.0.0)
     fast_gettext (1.6.0)
-    ffaker (2.4.0)
+    ffaker (2.10.0)
     ffi (1.9.25)
     flipper (0.13.0)
     flipper-active_record (0.13.0)
@@ -364,11 +364,11 @@ GEM
     haml (5.0.4)
       temple (>= 0.8.0)
       tilt
-    haml_lint (0.26.0)
+    haml_lint (0.28.0)
       haml (>= 4.0, < 5.1)
       rainbow
       rake (>= 10, < 13)
-      rubocop (>= 0.49.0)
+      rubocop (>= 0.50.0)
       sysexits (~> 1.1)
     hamlit (2.8.8)
       temple (>= 0.8.0)
@@ -1011,7 +1011,7 @@ DEPENDENCIES
   faraday (~> 0.12)
   faraday_middleware-aws-signers-v4
   fast_blank
-  ffaker (~> 2.4)
+  ffaker (~> 2.10)
   flipper (~> 0.13.0)
   flipper-active_record (~> 0.13.0)
   flipper-active_support_cache_store (~> 0.13.0)
@@ -1048,8 +1048,12 @@ DEPENDENCIES
   graphiql-rails (~> 1.4.10)
   graphql (~> 1.8.0)
   grpc (~> 1.15.0)
+<<<<<<< HEAD
   gssapi
   haml_lint (~> 0.26.0)
+=======
+  haml_lint (~> 0.28.0)
+>>>>>>> upstream/master
   hamlit (~> 2.8.8)
   hangouts-chat (~> 0.0.5)
   hashie-forbidden_attributes

Gemfile.rails5.lock

@@ -229,7 +229,7 @@ GEM
       multi_json
     fast_blank (1.0.0)
     fast_gettext (1.6.0)
-    ffaker (2.4.0)
+    ffaker (2.10.0)
     ffi (1.9.25)
     flipper (0.13.0)
     flipper-active_record (0.13.0)
@@ -367,11 +367,11 @@ GEM
     haml (5.0.4)
       temple (>= 0.8.0)
       tilt
-    haml_lint (0.26.0)
+    haml_lint (0.28.0)
       haml (>= 4.0, < 5.1)
       rainbow
       rake (>= 10, < 13)
-      rubocop (>= 0.49.0)
+      rubocop (>= 0.50.0)
       sysexits (~> 1.1)
     hamlit (2.8.8)
       temple (>= 0.8.0)
@@ -1020,7 +1020,7 @@ DEPENDENCIES
   faraday (~> 0.12)
   faraday_middleware-aws-signers-v4
   fast_blank
-  ffaker (~> 2.4)
+  ffaker (~> 2.10)
   flipper (~> 0.13.0)
   flipper-active_record (~> 0.13.0)
   flipper-active_support_cache_store (~> 0.13.0)
@@ -1057,8 +1057,12 @@ DEPENDENCIES
   graphiql-rails (~> 1.4.10)
   graphql (~> 1.8.0)
   grpc (~> 1.15.0)
+<<<<<<< HEAD
   gssapi
   haml_lint (~> 0.26.0)
+=======
+  haml_lint (~> 0.28.0)
+>>>>>>> upstream/master
   hamlit (~> 2.8.8)
   hangouts-chat (~> 0.0.5)
   hashie-forbidden_attributes

app/assets/javascripts/jobs/store/actions.js

@@ -80,8 +80,8 @@ export const fetchJob = ({ state, dispatch }) => {
 export const receiveJobSuccess = ({ commit }, data = {}) => {
   commit(types.RECEIVE_JOB_SUCCESS, data);
 
-  if (data.favicon) {
-    setFaviconOverlay(data.favicon);
+  if (data.status && data.status.favicon) {
+    setFaviconOverlay(data.status.favicon);
   } else {
     resetFavicon();
   }

changelogs/unreleased/53289-update-haml_lint-to-0-28-0.yml

+---
+title: Update haml_lint to 0.28.0
+merge_request: 22660
+author: Takuya Noguchi
+type: other

changelogs/unreleased/53291-update-ffaker-to-2-10-0.yml

+---
+title: Update ffaker to 2.10.0
+merge_request: 22661
+author: Takuya Noguchi
+type: other

changelogs/unreleased/53888-missing-favicon.yml

+---
+title: Adds CI favicon back to jobs page
+merge_request:
+author:
+type: fixed

changelogs/unreleased/ashmckenzie-hmac-token-decode-and-tests.yml

+---
+title: Relocate JSONWebToken::HMACToken from EE
+merge_request: 22906
+author:
+type: changed

changelogs/unreleased/zj-remove-broken-storage.yml

+---
+title: Remove obsolete gitlab_shell rake tasks
+merge_request: 22417
+author:
+type: removed

lib/json_web_token/hmac_token.rb

+# frozen_string_literal: true
+
+require 'jwt'
+
+module JSONWebToken
+  class HMACToken < Token
+    IAT_LEEWAY = 60
+    JWT_ALGORITHM = 'HS256'
+
+    def initialize(secret)
+      super()
+
+      @secret = secret
+    end
+
+    def self.decode(token, secret, leeway: IAT_LEEWAY, verify_iat: true)
+      JWT.decode(token, secret, true, leeway: leeway, verify_iat: verify_iat, algorithm: JWT_ALGORITHM)
+    end
+
+    def encoded
+      JWT.encode(payload, secret, JWT_ALGORITHM)
+    end
+
+    private
+
+    attr_reader :secret
+  end
+end

lib/json_web_token/token.rb

 # frozen_string_literal: true
 
+require 'securerandom'
+
 module JSONWebToken
   class Token
     attr_accessor :issuer, :subject, :audience, :id
     attr_accessor :issued_at, :not_before, :expire_time
 
+    DEFAULT_NOT_BEFORE_TIME = 5
+    DEFAULT_EXPIRE_TIME = 60
+
     def initialize
       @id = SecureRandom.uuid
       @issued_at = Time.now
       # we give a few seconds for time shift
-      @not_before = issued_at - 5.seconds
+      @not_before = issued_at - DEFAULT_NOT_BEFORE_TIME
       # default 60 seconds should be more than enough for this authentication token
-      @expire_time = issued_at + 1.minute
+      @expire_time = issued_at + DEFAULT_EXPIRE_TIME
       @custom_payload = {}
     end
 

lib/tasks/gitlab/check.rake

@@ -48,7 +48,6 @@ namespace :gitlab do
       start_checking "GitLab Shell"
 
       check_gitlab_shell
-      check_repos_hooks_directory_is_link
       check_gitlab_shell_self_test
 
       finished_checking "GitLab Shell"
@@ -57,42 +56,6 @@ namespace :gitlab do
     # Checks
     ########################
 
-    def check_repos_hooks_directory_is_link
-      print "hooks directories in repos are links: ... "
-
-      gitlab_shell_hooks_path = Gitlab.config.gitlab_shell.hooks_path
-
-      unless Project.count > 0
-        puts "can't check, you have no projects".color(:magenta)
-        return
-      end
-
-      puts ""
-
-      Project.find_each(batch_size: 100) do |project|
-        print sanitized_message(project)
-        project_hook_directory = File.join(project.repository.path_to_repo, "hooks")
-
-        if project.empty_repo?
-          puts "repository is empty".color(:magenta)
-        elsif File.directory?(project_hook_directory) && File.directory?(gitlab_shell_hooks_path) &&
-            (File.realpath(project_hook_directory) == File.realpath(gitlab_shell_hooks_path))
-          puts 'ok'.color(:green)
-        else
-          puts "wrong or missing hooks".color(:red)
-          try_fixing_it(
-            sudo_gitlab("#{File.join(gitlab_shell_path, 'bin/create-hooks')} #{repository_storage_paths_args.join(' ')}"),
-            'Check the hooks_path in config/gitlab.yml',
-            'Check your gitlab-shell installation'
-          )
-          for_more_information(
-            see_installation_guide_section "GitLab Shell"
-          )
-          fix_and_rerun
-        end
-      end
-    end
-
     def check_gitlab_shell_self_test
       gitlab_shell_repo_base = gitlab_shell_path
       check_cmd = File.expand_path('bin/check', gitlab_shell_repo_base)

spec/lib/json_web_token/hmac_token_spec.rb

+# frozen_string_literal: true
+
+require 'json'
+require 'timecop'
+
+describe JSONWebToken::HMACToken do
+  let(:secret) { 'shh secret squirrel' }
+
+  shared_examples 'a valid, non-expired token' do
+    it 'is an Array with two elements' do
+      expect(decoded_token).to be_a(Array)
+      expect(decoded_token.count).to eq(2)
+    end
+
+    it 'contains the following keys in the first Array element Hash - jti, iat, nbf, exp' do
+      expect(decoded_token[0].keys).to include('jti', 'iat', 'nbf', 'exp')
+    end
+
+    it 'contains the following keys in the second Array element Hash - typ and alg' do
+      expect(decoded_token[1]['typ']).to eql('JWT')
+      expect(decoded_token[1]['alg']).to eql('HS256')
+    end
+  end
+
+  describe '.decode' do
+    let(:leeway) { described_class::IAT_LEEWAY }
+    let(:decoded_token) { described_class.decode(encoded_token, secret, leeway: leeway) }
+
+    context 'with an invalid token' do
+      context 'that is junk' do
+        let(:encoded_token) { 'junk' }
+
+        it "raises exception saying 'Not enough or too many segments'" do
+          expect { decoded_token }.to raise_error(JWT::DecodeError, 'Not enough or too many segments')
+        end
+      end
+
+      context 'that has been fiddled with' do
+        let(:encoded_token) do
+          described_class.new(secret).encoded.tap { |token| token[0] = 'E' }
+        end
+
+        it "raises exception saying 'Invalid segment encoding'" do
+          expect { decoded_token }.to raise_error(JWT::DecodeError, 'Invalid segment encoding')
+        end
+      end
+
+      context 'that was generated using a different secret' do
+        let(:encoded_token) { described_class.new('some other secret').encoded }
+
+        it "raises exception saying 'Signature verification raised" do
+          expect { decoded_token }.to raise_error(JWT::VerificationError, 'Signature verification raised')
+        end
+      end
+
+      context 'that is expired' do
+        # Needs the ! so Timecop.freeze() is effective
+        let!(:encoded_token) { described_class.new(secret).encoded }
+
+        it "raises exception saying 'Signature has expired'" do
+          # Needs to be 120 seconds, because the default expiry is 60 seconds
+          # with an additional 60 second leeway.
+          Timecop.freeze(Time.now + 120) do
+            expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
+          end
+        end
+      end
+    end
+
+    context 'with a valid token' do
+      let(:encoded_token) do
+        hmac_token = described_class.new(secret)
+        hmac_token.expire_time = Time.now + expire_time
+        hmac_token.encoded
+      end
+
+      context 'that has expired' do
+        let(:expire_time) { 0 }
+
+        context 'with the default leeway' do
+          Timecop.freeze(Time.now + 1) do
+            it_behaves_like 'a valid, non-expired token'
+          end
+        end
+
+        context 'with a leeway of 0 seconds' do
+          let(:leeway) { 0 }
+
+          it "raises exception saying 'Signature has expired'" do
+            Timecop.freeze(Time.now + 1) do
+              expect { decoded_token }.to raise_error(JWT::ExpiredSignature, 'Signature has expired')
+            end
+          end
+        end
+      end
+
+      context 'that has not expired' do
+        let(:expire_time) { described_class::DEFAULT_EXPIRE_TIME }
+
+        it_behaves_like 'a valid, non-expired token'
+      end
+    end
+  end
+
+  describe '#encoded' do
+    let(:decoded_token) { described_class.decode(encoded_token, secret) }
+
+    context 'without data' do
+      let(:encoded_token) { described_class.new(secret).encoded }
+
+      it_behaves_like 'a valid, non-expired token'
+    end
+
+    context 'with data' do
+      let(:data) { { secret_key: 'secret value' }.to_json }
+      let(:encoded_token) do
+        ec = described_class.new(secret)
+        ec[:data] = data
+        ec.encoded
+      end
+
+      it_behaves_like 'a valid, non-expired token'
+
+      it "contains the 'data' key in the first Array element Hash" do
+        expect(decoded_token[0]).to have_key('data')
+      end
+
+      it 'can re-read back the data' do
+        expect(decoded_token[0]['data']).to eql(data)
+      end
+    end
+  end
+end