Automatic merge of gitlab-org/gitlab master

app/assets/javascripts/reports/components/report_section.vue

@@ -190,10 +190,14 @@ export default {
       <status-icon :status="statusIconName" :size="24" class="align-self-center" />
       <div class="media-body d-flex flex-align-self-center align-items-center">
         <div data-testid="report-section-code-text" class="js-code-text code-text">
-          <div>
-            {{ headerText }}
+          <div class="gl-display-flex gl-align-items-center">
+            <p class="gl-line-height-normal gl-m-0">{{ headerText }}</p>
             <slot :name="slotName"></slot>
-            <popover v-if="hasPopover" :options="popoverOptions" class="gl-ml-2" />
+            <popover
+              v-if="hasPopover"
+              :options="popoverOptions"
+              class="gl-ml-2 gl-display-inline-flex"
+            />
           </div>
           <slot name="sub-heading"></slot>
         </div>

app/helpers/nav_helper.rb

@@ -12,6 +12,7 @@ module NavHelper
   def page_with_sidebar_class
     class_name = page_gutter_class
     class_name << 'page-with-contextual-sidebar' if defined?(@left_sidebar) && @left_sidebar
+    class_name << 'sidebar-refactoring' if Feature.enabled?(:sidebar_refactor, current_user)
     class_name << 'page-with-icon-sidebar' if collapsed_sidebar? && @left_sidebar
     class_name -= ['right-sidebar-expanded'] if defined?(@right_sidebar) && !@right_sidebar
 

app/views/profiles/passwords/new.html.haml

@@ -16,16 +16,16 @@
       .col-sm-2.col-form-label
         = f.label :current_password, _('Current password')
       .col-sm-10
-        = f.password_field :current_password, required: true, class: 'form-control gl-form-input'
+        = f.password_field :current_password, required: true, class: 'form-control gl-form-input', data: { qa_selector: 'current_password_field' }
   .form-group.row
     .col-sm-2.col-form-label
       = f.label :password, _('New password')
     .col-sm-10
-      = f.password_field :password, required: true, class: 'form-control gl-form-input'
+      = f.password_field :password, required: true, class: 'form-control gl-form-input', data: { qa_selector: 'new_password_field' }
   .form-group.row
     .col-sm-2.col-form-label
       = f.label :password_confirmation, _('Password confirmation')
     .col-sm-10
-      = f.password_field :password_confirmation, required: true, class: 'form-control gl-form-input'
+      = f.password_field :password_confirmation, required: true, class: 'form-control gl-form-input', data: { qa_selector: 'confirm_password_field' }
   .form-actions
-    = f.submit _('Set new password'), class: 'gl-button btn btn-confirm'
+    = f.submit _('Set new password'), class: 'gl-button btn btn-confirm', data: { qa_selector: 'set_new_password_button' }

changelogs/unreleased/283892-fix-mr-widget-help-icon.yml

+---
+title: Align help icon for code quality merge request widget
+merge_request: 60330
+author:
+type: fixed

doc/administration/auth/oidc.md

@@ -134,7 +134,7 @@ See the [Google documentation](https://developers.google.com/identity/protocols/
 for more details:
 
 ```ruby
- gitlab_rails['omniauth_providers'] = [
+gitlab_rails['omniauth_providers'] = [
   {
     'name' => 'openid_connect',
     'label' => 'Google OpenID',
@@ -153,6 +153,7 @@ for more details:
        }
      }
   }
+]
 ```
 
 ### Microsoft Azure
@@ -170,7 +171,7 @@ to obtain the tenant ID, client ID, and client secret for your app.
 Example Omnibus configuration block:
 
 ```ruby
- gitlab_rails['omniauth_providers'] = [
+gitlab_rails['omniauth_providers'] = [
   {
     'name' => 'openid_connect',
     'label' => 'Azure OIDC',
@@ -189,11 +190,159 @@ Example Omnibus configuration block:
       }
     }
   }
+]
 ```
 
 Microsoft has documented how its platform works with [the OIDC protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
 
-## Troubleshooting
+### Microsoft Azure Active Directory B2C
+
+While GitLab works with [Azure Active Directory B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview), it requires special
+configuration to work. To get started, sign in to the [Azure Portal](https://portal.azure.com).
+For your app, you'll need the following information from Azure:
+
+- A tenant ID. You may already have one. For more information, review the
+  [Microsoft Azure Tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
+- A client ID and a client secret. Follow the instructions in the
+  [Microsoft tutorial](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga) documentation to obtain the
+  client ID and client secret for your app.
+- The user flow or policy name. Follow the instructions in the [Microsoft tutorial](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow).
+
+If your GitLab domain is `gitlab.example.com`, ensure the app has the following `Redirect URI`:
+
+`https://gitlab.example.com/users/auth/openid_connect/callback`
+
+In addition, ensure that [ID tokens are enabled](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
+
+Add the following API permissions to the app:
+
+1. `openid`
+1. `offline_access`
+
+#### Configure custom policies
+
+Azure B2C [offers two ways of defining the business logic for logging in a user](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview):
+
+- [User flows](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#user-flows)
+- [Custom policies](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#custom-policies)
+
+While cumbersome to configure, custom policies are required because
+standard Azure B2C user flows [do not send the OpenID `email` claim](https://github.com/MicrosoftDocs/azure-docs/issues/16566). In
+other words, they do not work with the [`allow_single_sign_on` or `auto_link_user`
+parameters](../../integration/omniauth.md#initial-omniauth-configuration).
+With a standard Azure B2C policy, GitLab cannot create a new account or
+link to an existing one with an e-mail address.
+
+Carefully follow the instructions for [creating a custom policy](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy).
+
+The Microsoft instructions use `SocialAndLocalAccounts` in the [custom policy starter pack](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#custom-policy-starter-pack),
+but `LocalAccounts` works for authenticating against local, Active Directory accounts. Before you follow the instructions to [upload the polices](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies), do the following:
+
+1. To export the `email` claim, modify the `SignUpOrSignin.xml`. Replace the following line:
+
+    ```xml
+    <OutputClaim ClaimTypeReferenceId="email" />
+    ```
+
+    with:
+
+    ```xml
+    <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="email" />
+    ```
+
+1. For OIDC discovery to work with B2C, the policy must be configured with an issuer compatible with the [OIDC
+specification](https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.3).
+See the [token compatibility settings](https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-compatibility-settings).
+In `TrustFrameworkBase.xml` under `JwtIssuer`, set `IssuanceClaimPattern` to `AuthorityWithTfp`:
+
+    ```xml
+    <ClaimsProvider>
+      <DisplayName>Token Issuer</DisplayName>
+      <TechnicalProfiles>
+        <TechnicalProfile Id="JwtIssuer">
+          <DisplayName>JWT Issuer</DisplayName>
+          <Protocol Name="None" />
+          <OutputTokenFormat>JWT</OutputTokenFormat>
+          <Metadata>
+            <Item Key="IssuanceClaimPattern">AuthorityWithTfp</Item>
+            ...
+      ```
+
+1. Now [upload the policy](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies). Overwrite
+the existing files if you are updating an existing policy.
+
+1. Determine the issuer URL using the sign-in policy. The issuer URL will be in the form:
+
+    ```markdown
+    https://<YOUR-DOMAIN>/tfp/<YOUR-TENANT-ID>/<YOUR-SIGN-IN-POLICY-NAME>/v2.0/
+    ```
+
+   The policy name is lowercased in the URL. For example, `B2C_1A_signup_signin`
+   policy appears as `b2c_1a_signup_sigin`.
+
+   Note that the trailing forward slash is required.
+
+1. Verify the operation of the OIDC discovery URL and issuer URL, append `.well-known/openid-configuration`
+to the issuer URL:
+
+    ```markdown
+    https://<YOUR-DOMAIN>/tfp/<YOUR-TENANT-ID>/<YOUR-SIGN-IN-POLICY-NAME>/v2.0/.well-known/openid-configuration
+    ```
+
+    For example, if `domain` is `example.b2clogin.com` and tenant ID is `fc40c736-476c-4da1-b489-ee48cee84386`, you can use `curl` and `jq` to
+extract the issuer:
+
+    ```shell
+    $ curl --silent "https://example.b2clogin.com/tfp/fc40c736-476c-4da1-b489-ee48cee84386/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration" | jq .issuer
+    "https://example.b2clogin.com/tfp/fc40c736-476c-4da1-b489-ee48cee84386/b2c_1a_signup_signin/v2.0/"
+    ```
+
+1. Configure the issuer URL with the custom policy used for
+`signup_signin`. For example, this is the Omnibus configuration with a
+custom policy for `b2c_1a_signup_signin`:
+
+```ruby
+gitlab_rails['omniauth_providers'] = [
+{
+  'name' => 'openid_connect',
+  'label' => 'Azure B2C OIDC',
+  'args' => {
+    'name' => 'openid_connect',
+    'scope' => ['openid'],
+    'response_mode' => 'query',
+    'response_type' => 'id_token',
+    'issuer' =>  'https://<YOUR-DOMAIN>/tfp/<YOUR-TENANT-ID>/b2c_1a_signup_signin/v2.0/',
+    'client_auth_method' => 'query',
+    'discovery' => true,
+    'send_scope_to_token_endpoint' => true,
+    'client_options' => {
+      'identifier' => '<YOUR APP CLIENT ID>',
+      'secret' => '<YOUR APP CLIENT SECRET>',
+      'redirect_uri' => 'https://gitlab.example.com/users/auth/openid_connect/callback'
+    }
+  }
+}]
+```
+
+#### Troubleshooting Azure B2C
+
+- Ensure all occurrences of `yourtenant.onmicrosoft.com`, `ProxyIdentityExperienceFrameworkAppId`, and `IdentityExperienceFrameworkAppId` match your B2C tenant hostname and
+the respective client IDs in the XML policy files.
+
+- Add `https://jwt.ms` as a redirect URI to the app, and use the [custom policy tester](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#test-the-custom-policy).
+Make sure the payload includes `email` that matches the user's e-mail access.
+
+- After you enable the custom policy, users might see "Invalid username or password" after they try to sign in. This might be a configuration
+issue with the `IdentityExperienceFramework` app. See [this Microsoft comment](https://docs.microsoft.com/en-us/answers/questions/50355/unable-to-sign-on-using-custom-policy.html?childToView=122370#comment-122370)
+that suggests checking that the app manifest contains these settings:
+
+  - `"accessTokenAcceptedVersion": null`
+  - `"signInAudience": "AzureADMyOrg"`
+    1. `"signInAudience": "AzureADMyOrg"`
+
+    Note that this configuration corresponds with the `Supported account types` setting used when creating the `IdentityExperienceFramework` app.
+
+## General troubleshooting
 
 If you're having trouble, here are some tips:
 

doc/administration/geo/replication/usage.md

@@ -25,3 +25,11 @@ remote:   ssh://git@primary.geo/user/repo.git
 remote:
 Everything up-to-date
 ```
+
+NOTE:
+If you're using HTTPS instead of [SSH](../../../ssh/README.md) to push to the secondary,
+you can't store credentials in the URL like `user:password@URL`. Instead, you can use a
+[`.netrc` file](https://www.gnu.org/software/inetutils/manual/html_node/The-_002enetrc-file.html)
+for Unix-like operating systems or `_netrc` for Windows. In that case, the credentials
+will be stored as a plain text. If you're looking for a more secure way to store credentials,
+you can use [Git Credential Storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage).

doc/administration/troubleshooting/log_parsing.md

@@ -201,3 +201,42 @@ grep "fatal: " /var/log/gitlab/gitaly/current | \
     jq '."grpc.request.glProjectPath"' | \
     sort | uniq
 ```
+
+### Parsing `gitlab-shell.log`
+
+For investigating Git calls via SSH, from [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/367).
+
+Find the top 20 calls by project and user:
+
+```shell
+jq --raw-output --slurp '
+  map(
+    select(
+      .username != null and
+      .gl_project_path !=null
+    )
+  )
+  | group_by(.username+.gl_project_path)
+  | sort_by(-length)
+  | limit(20; .[])
+  | "count: \(length)\tuser: \(.[0].username)\tproject: \(.[0].gl_project_path)" ' \
+  /var/log/gitlab/gitlab-shell/gitlab-shell.log
+```
+
+Find the top 20 calls by project, user, and command:
+
+```shell
+jq --raw-output --slurp '
+  map(
+    select(
+      .command  != null and
+      .username != null and
+      .gl_project_path !=null
+    )
+  )
+  | group_by(.username+.gl_project_path+.command)
+  | sort_by(-length)
+  | limit(20; .[])
+  | "count: \(length)\tcommand: \(.[0].command)\tuser: \(.[0].username)\tproject: \(.[0].gl_project_path)" ' \
+  /var/log/gitlab/gitlab-shell/gitlab-shell.log
+```

doc/api/releases/index.md

@@ -717,6 +717,5 @@ Example response:
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/38105) in GitLab 12.1.
 
-A release with a `released_at` attribute set to a future date is labeled an **Upcoming Release** in the UI:
-
-![Upcoming release](img/upcoming_release_v12_1.png)
+A release with a `released_at` attribute set to a future date is labeled
+as an **Upcoming Release** [in the UI](../../user/project/releases/index.md#upcoming-releases).

doc/ci/variables/predefined_variables.md

@@ -50,7 +50,7 @@ There are also [Kubernetes-specific deployment variables](../../user/project/clu
 | `CI_DEPLOY_USER`                         | 10.8   | all    | The authentication username of the [GitLab Deploy Token](../../user/project/deploy_tokens/index.md#gitlab-deploy-token), if the project has one. |
 | `CI_DISPOSABLE_ENVIRONMENT`              | all    | 10.1   | Only available if the job is executed in a disposable environment (something that is created only for this job and disposed of/destroyed after the execution - all executors except `shell` and `ssh`). `true` when available. |
 | `CI_ENVIRONMENT_NAME`                    | 8.15   | all    | The name of the environment for this job. Available if [`environment:name`](../yaml/README.md#environmentname) is set. |
-| `CI_ENVIRONMENT_SLUG`                    | 8.15   | all    | The simplified version of the environment name, suitable for inclusion in DNS, URLs, Kubernetes labels, and so on. Available if [`environment:name`](../yaml/README.md#environmentname) is set. |
+| `CI_ENVIRONMENT_SLUG`                    | 8.15   | all    | The simplified version of the environment name, suitable for inclusion in DNS, URLs, Kubernetes labels, and so on. Available if [`environment:name`](../yaml/README.md#environmentname) is set. The slug is [truncated to 24 characters](https://gitlab.com/gitlab-org/gitlab/-/issues/20941). |
 | `CI_ENVIRONMENT_URL`                     | 9.3    | all    | The URL of the environment for this job. Available if [`environment:url`](../yaml/README.md#environmenturl) is set. |
 | `CI_HAS_OPEN_REQUIREMENTS`               | 13.1   | all    | Only available if the pipeline's project has an open [requirement](../../user/project/requirements/index.md). `true` when available. |
 | `CI_JOB_ID`                              | 9.0    | all    | The internal ID of the job, unique across all jobs in the GitLab instance. |

doc/install/installation.md

@@ -828,6 +828,8 @@ to use. Read all about the needed configuration at the
 
 If you want to use HTTPS, replace the `gitlab` NGINX configuration with `gitlab-ssl`. See [Using HTTPS](#using-https) for HTTPS configuration details.
 
+For the NGINX to be able to read the GitLab-Workhorse socket, you need to make sure, that the `www-data` user can read the socket, which will be owned by the GitLab user. This is most easily achieved, if it is world-readable, for example that it has permissions `0755`, which is the default. `www-data` also needs to be able to list the parent directories.
+
 ### Test Configuration
 
 Validate your `gitlab` or `gitlab-ssl` NGINX configuration file with the following command:

doc/user/project/releases/index.md

@@ -86,7 +86,7 @@ by using a `release` node in the job definition.
 The release is created only if the job processes without error. If the Rails API returns an error
 during release creation, the release job fails.
 
-### Schedule a future release
+### Upcoming releases
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/38105) in GitLab 12.1.
 

qa/qa/page/main/login.rb

@@ -50,15 +50,17 @@ module QA
           return if Page::Main::Menu.perform(&:signed_in?)
 
           using_wait_time 0 do
-            set_initial_password_if_present
-
-            raise 'If an LDAP user is provided, it must be used for sign-in', QA::Resource::User::InvalidUserError if Runtime::User.ldap_user? && user && user.username != Runtime::User.ldap_username
+            if Runtime::User.ldap_user? && user && user.username != Runtime::User.ldap_username
+              raise 'If an LDAP user is provided, it must be used for sign-in', QA::Resource::User::InvalidUserError
+            end
 
             if Runtime::User.ldap_user?
               sign_in_using_ldap_credentials(user: user || Runtime::User)
             else
               sign_in_using_gitlab_credentials(user: user || Runtime::User, skip_page_validation: skip_page_validation)
             end
+
+            set_initial_password_if_present
           end
         end
 
@@ -69,8 +71,6 @@ module QA
           end
 
           using_wait_time 0 do
-            set_initial_password_if_present
-
             sign_in_using_gitlab_credentials(user: admin)
           end
 
@@ -81,8 +81,6 @@ module QA
           Page::Main::Menu.perform(&:sign_out_if_signed_in)
 
           using_wait_time 0 do
-            set_initial_password_if_present
-
             switch_to_ldap_tab
 
             fill_element :username_field, user.ldap_username
@@ -169,11 +167,11 @@ module QA
         end
 
         def set_initial_password_if_present
-          return unless has_content?('Change your password')
+          return unless has_content?('Set up new password')
 
-          fill_element :password_field, Runtime::User.password
-          fill_element :password_confirmation_field, Runtime::User.password
-          click_element :change_password_button
+          Profile::Password.perform do |new_password_page|
+            new_password_page.set_new_password(Runtime::User.password, Runtime::User.password)
+          end
         end
       end
     end

qa/qa/page/profile/password.rb

@@ -11,12 +11,26 @@ module QA
           element :save_password_button
         end
 
+        view 'app/views/profiles/passwords/new.html.haml' do
+          element :current_password_field
+          element :new_password_field
+          element :confirm_password_field
+          element :set_new_password_button
+        end
+
         def update_password(new_password, current_password)
           find_element(:current_password_field).set current_password
           find_element(:new_password_field).set new_password
           find_element(:confirm_password_field).set new_password
           click_element(:save_password_button)
         end
+
+        def set_new_password(new_password, current_password)
+          fill_element :current_password_field, current_password
+          fill_element :new_password_field, new_password
+          fill_element :confirm_password_field, new_password
+          click_element :set_new_password_button
+        end
       end
     end
   end