Merge branch 'master' of gitlab.com:gitlab-org/gitlab-ce

a8b4c75f · Marin Jankovski · 3f01f05b · 178626ed · a8b4c75f · a8b4c75f
Commit a8b4c75f authored Feb 06, 2017 by Marin Jankovski
36 changed files
--- a/app/assets/javascripts/lib/ace/ace_config_paths.js.erb
+++ b/app/assets/javascripts/lib/ace/ace_config_paths.js.erb
@@ -7,19 +7,28 @@ ace_modes = Dir[ace_gem_path + '/vendor/assets/javascripts/ace/mode-*.js'].sort.
  File.basename(file, '.js').sub(/^mode-/, '')
 end
 %>
-
+// Lazy-load configuration when ace.edit is called
 (function() {
-  window.gon = window.gon || {};
-  var basePath = (window.gon.relative_url_root || '').replace(/\/$/, '') + '/assets/ace';
-  ace.config.set('basePath', basePath);
+  var basePath;
+  var ace = window.ace;
+  var edit = ace.edit;
+  ace.edit = function() {
+    window.gon = window.gon || {};
+    basePath = (window.gon.relative_url_root || '').replace(/\/$/, '') + '/assets/ace';
+    ace.config.set('basePath', basePath);

-  // configure paths for all worker modules
+    // configure paths for all worker modules
 <% ace_workers.each do |worker| %>
-  ace.config.setModuleUrl('ace/mode/<%= worker %>_worker', basePath + '/worker-<%= worker %>.js');
+    ace.config.setModuleUrl('ace/mode/<%= worker %>_worker', basePath + '/<%= File.basename(asset_path("ace/worker-#{worker}.js")) %>');
 <% end %>

-  // configure paths for all mode modules
+    // configure paths for all mode modules
 <% ace_modes.each do |mode| %>
-  ace.config.setModuleUrl('ace/mode/<%= mode %>', basePath + '/mode-<%= mode %>.js');
+    ace.config.setModuleUrl('ace/mode/<%= mode %>', basePath + '/<%= File.basename(asset_path("ace/mode-#{mode}.js")) %>');
 <% end %>
+
+    // restore original method
+    ace.edit = edit;
+    return ace.edit.apply(ace, arguments);
+  };
 })();
--- a/app/assets/stylesheets/framework/animations.scss
+++ b/app/assets/stylesheets/framework/animations.scss
@@ -71,6 +71,27 @@
  transition: $unfoldedTransitions;
 }

+@mixin disableAllAnimation {
+  /*CSS transitions*/
+  -o-transition-property: none !important;
+  -moz-transition-property: none !important;
+  -ms-transition-property: none !important;
+  -webkit-transition-property: none !important;
+  transition-property: none !important;
+  /*CSS transforms*/
+  -o-transform: none !important;
+  -moz-transform: none !important;
+  -ms-transform: none !important;
+  -webkit-transform: none !important;
+  transform: none !important;
+  /*CSS animations*/
+  -webkit-animation: none !important;
+  -moz-animation: none !important;
+  -o-animation: none !important;
+  -ms-animation: none !important;
+  animation: none !important;
+}
+
 @function unfoldTransition ($transition) {
  // Default values
  $property: all;

--- a/app/assets/stylesheets/framework/markdown_area.scss
+++ b/app/assets/stylesheets/framework/markdown_area.scss
@@ -159,6 +159,7 @@
  .cur {
    .avatar {
      border: 1px solid $white-light;
+      @include disableAllAnimation;
    }
  }
 }
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -137,6 +137,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
      :user_default_external,
      :user_oauth_applications,
      :version_check_enabled,
+      :terminal_max_session_time,

      disabled_oauth_sign_in_sources: [],
      import_sources: [],

--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -111,6 +111,10 @@ class ApplicationSetting < ActiveRecord::Base
            presence: true,
            numericality: { only_integer: true, greater_than: :housekeeping_full_repack_period }

+  validates :terminal_max_session_time,
+            presence: true,
+            numericality: { only_integer: true, greater_than_or_equal_to: 0 }
+
  validates_each :restricted_visibility_levels do |record, attr, value|
    unless value.nil?
      value.each do |level|
@@ -204,7 +208,8 @@ class ApplicationSetting < ActiveRecord::Base
      signin_enabled: Settings.gitlab['signin_enabled'],
      signup_enabled: Settings.gitlab['signup_enabled'],
      two_factor_grace_period: 48,
-      user_default_external: false
+      user_default_external: false,
+      terminal_max_session_time: 0
    }
  end


--- a/app/models/project_services/kubernetes_service.rb
+++ b/app/models/project_services/kubernetes_service.rb
 class KubernetesService < DeploymentService
+  include Gitlab::CurrentSettings
  include Gitlab::Kubernetes
  include ReactiveCaching

@@ -110,7 +111,7 @@ class KubernetesService < DeploymentService
      pods = data.fetch(:pods, nil)
      filter_pods(pods, app: environment.slug).
        flat_map { |pod| terminals_for_pod(api_url, namespace, pod) }.
-        map { |terminal| add_terminal_auth(terminal, token, ca_pem) }
+        each { |terminal| add_terminal_auth(terminal, terminal_auth) }
    end
  end

@@ -170,4 +171,12 @@ class KubernetesService < DeploymentService

    url.to_s
  end
+
+  def terminal_auth
+    {
+      token: token,
+      ca_pem: ca_pem,
+      max_session_time: current_application_settings.terminal_max_session_time
+    }
+  end
 end
--- a/app/views/admin/application_settings/_form.html.haml
+++ b/app/views/admin/application_settings/_form.html.haml
@@ -509,5 +509,15 @@
        .help-block
          Number of Git pushes after which 'git gc' is run.

+  %fieldset
+    %legend Web terminal
+    .form-group
+      = f.label :terminal_max_session_time, 'Max session time', class: 'control-label col-sm-2'
+      .col-sm-10
+        = f.number_field :terminal_max_session_time, class: 'form-control'
+        .help-block
+          Maximum time for web terminal websocket connection (in seconds).
+          Set to 0 for unlimited time.
+
  .form-actions
    = f.submit 'Save', class: 'btn btn-save'
--- a/changelogs/unreleased/22007-unify-projects-search.yml
+++ b/changelogs/unreleased/22007-unify-projects-search.yml
+---
+title: Unify projects search by removing /projects/:search endpoint
+merge_request: 8877
+author:
--- a/changelogs/unreleased/27602-fix-avatar-border-flicker-mention-dropdown.yml
+++ b/changelogs/unreleased/27602-fix-avatar-border-flicker-mention-dropdown.yml
+---
+title: Fixes flickering of avatar border in mention dropdown
+merge_request: 8950
+author:
--- a/changelogs/unreleased/api-fix-files.yml
+++ b/changelogs/unreleased/api-fix-files.yml
+---
+title: 'API: Fix file downloading'
+merge_request: Robert Schilling
+author: 8267
--- a/changelogs/unreleased/babel-all-the-things.yml
+++ b/changelogs/unreleased/babel-all-the-things.yml
+---
+title: use babel to transpile all non-vendor javascript assets regardless of file
+  extension
+merge_request: 8988
+author:
--- a/changelogs/unreleased/terminal-max-session-time.yml
+++ b/changelogs/unreleased/terminal-max-session-time.yml
+---
+title: Introduce maximum session time for terminal websocket connection
+merge_request: 8413
+author:
--- a/config/webpack.config.js
+++ b/config/webpack.config.js
@@ -49,8 +49,8 @@ var config = {
  module: {
    loaders: [
      {
-        test: /\.es6$/,
-        exclude: /node_modules/,
+        test: /\.(js|es6)$/,
+        exclude: /(node_modules|vendor\/assets)/,
        loader: 'babel-loader',
        query: {
          // 'use strict' was broken in sprockets-es6 due to sprockets concatination method.

--- a/db/migrate/20170126174819_add_terminal_max_session_time_to_application_settings.rb
+++ b/db/migrate/20170126174819_add_terminal_max_session_time_to_application_settings.rb
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddTerminalMaxSessionTimeToApplicationSettings < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  # When a migration requires downtime you **must** uncomment the following
+  # constant and define a short and easy to understand explanation as to why the
+  # migration requires downtime.
+  # DOWNTIME_REASON = ''
+
+  # When using the methods "add_concurrent_index" or "add_column_with_default"
+  # you must disable the use of transactions as these methods can not run in an
+  # existing transaction. When using "add_concurrent_index" make sure that this
+  # method is the _only_ method called in the migration, any other changes
+  # should go in a separate migration. This ensures that upon failure _only_ the
+  # index creation fails and can be retried or reverted easily.
+  #
+  # To disable transactions uncomment the following line and remove these
+  # comments:
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :application_settings, :terminal_max_session_time, :integer, default: 0, allow_null: false
+  end
+
+  def down
+    remove_column :application_settings, :terminal_max_session_time
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -109,6 +109,7 @@ ActiveRecord::Schema.define(version: 20170204181513) do
    t.boolean "html_emails_enabled", default: true
    t.string "plantuml_url"
    t.boolean "plantuml_enabled"
+    t.integer "terminal_max_session_time", default: 0, null: false
  end

  create_table "audit_events", force: :cascade do |t|

--- a/doc/administration/integration/terminal.md
+++ b/doc/administration/integration/terminal.md
@@ -71,5 +71,15 @@ When these headers are not passed through, Workhorse will return a
 `400 Bad Request` response to users attempting to use a web terminal. In turn,
 they will receive a `Connection failed` message.

+## Limiting WebSocket connection time
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/8413)
+in GitLab 8.17.
+
+Terminal sessions use long-lived connections; by default, these may last
+forever. You can configure a maximum session time in the Admin area of your
+GitLab instance if you find this undesirable from a scalability or security
+point of view.
+
 [ce-7690]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7690
 [kubservice]: ../../user/project/integrations/kubernetes.md)
--- a/doc/api/README.md
+++ b/doc/api/README.md
@@ -49,6 +49,7 @@ following locations:
 - [Todos](todos.md)
 - [Users](users.md)
 - [Validate CI configuration](ci/lint.md)
+- [V3 to V4](v3_to_v4.md)
 - [Version](version.md)

 ### Internal CI API

--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -46,7 +46,8 @@ Example response:
   "koding_enabled": false,
   "koding_url": null,
   "plantuml_enabled": false,
-   "plantuml_url": null
+   "plantuml_url": null,
+   "terminal_max_session_time": 0
 }
 ```

@@ -84,6 +85,7 @@ PUT /application/settings
 | `disabled_oauth_sign_in_sources` | Array of strings | no | Disabled OAuth sign-in sources |
 | `plantuml_enabled` | boolean | no | Enable PlantUML integration. Default is `false`. |
 | `plantuml_url` | string | yes (if `plantuml_enabled` is `true`) |  The PlantUML instance URL for integration. |
+| `terminal_max_session_time` | integer | no | Maximum time for web terminal websocket connection (in seconds). Set to 0 for unlimited time. |

 ```bash
 curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v3/application/settings?signup_enabled=false&default_project_visibility=1
@@ -118,6 +120,7 @@ Example response:
  "koding_enabled": false,
  "koding_url": null,
  "plantuml_enabled": false,
-  "plantuml_url": null
+  "plantuml_url": null,
+  "terminal_max_session_time": 0
 }
 ```
--- a/doc/api/v3_to_v4.md
+++ b/doc/api/v3_to_v4.md
+# V3 to V4 version
+
+Our V4 API version is currently available as *Beta*! It means that V3
+will still be supported and remain unchanged for now, but be aware that the following
+changes are in V4:
+
+### Changes
+
+- Removed `/projects/:search` (use: `/projects?search=x`)
+
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
 module API
  class API < Grape::API
    include APIGuard
-    version 'v3', using: :path
+
+    version %w(v3 v4), using: :path
+
+    version 'v3', using: :path do
+      mount ::API::V3::Projects
+    end

    before { allow_access_with_scope :api }


--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -575,6 +575,7 @@ module API
      expose :koding_url
      expose :plantuml_enabled
      expose :plantuml_url
+      expose :terminal_max_session_time
    end

    class Release < Grape::Entity

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -304,7 +304,7 @@ module API
        header['X-Sendfile'] = path
        body
      else
-        path
+        file path
      end
    end


--- a/lib/api/projects.rb
+++ b/lib/api/projects.rb
@@ -151,22 +151,6 @@ module API
        present_projects Project.all, with: Entities::ProjectWithAccess, statistics: params[:statistics]
      end

-      desc 'Search for projects the current user has access to' do
-        success Entities::Project
-      end
-      params do
-        requires :query, type: String, desc: 'The project name to be searched'
-        use :sort_params
-        use :pagination
-      end
-      get "/search/:query", requirements: { query: /[^\/]+/ } do
-        search_service = Search::GlobalService.new(current_user, search: params[:query]).execute
-        projects = search_service.objects('projects', params[:page])
-        projects = projects.reorder(params[:order_by] => params[:sort])
-
-        present paginate(projects), with: Entities::Project
-      end
-
      desc 'Create new project' do
        success Entities::Project
      end

--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
@@ -107,6 +107,7 @@ module API
        requires :housekeeping_full_repack_period, type: Integer, desc: "Number of Git pushes after which a full 'git repack' is run."
        requires :housekeeping_gc_period, type: Integer, desc: "Number of Git pushes after which 'git gc' is run."
      end
+      optional :terminal_max_session_time, type: Integer, desc: 'Maximum time for web terminal websocket connection (in seconds). Set to 0 for unlimited time.'
      at_least_one_of :default_branch_protection, :default_project_visibility, :default_snippet_visibility,
                      :default_group_visibility, :restricted_visibility_levels, :import_sources,
                      :enabled_git_access_protocol, :gravatar_enabled, :default_projects_limit,
@@ -120,7 +121,7 @@ module API
                      :akismet_enabled, :admin_notification_email, :sentry_enabled,
                      :repository_storage, :repository_checks_enabled, :koding_enabled, :plantuml_enabled,
                      :version_check_enabled, :email_author_in_body, :html_emails_enabled,
-                      :housekeeping_enabled
+                      :housekeeping_enabled, :terminal_max_session_time
    end
    put "application/settings" do
      if current_settings.update_attributes(declared_params(include_missing: false))

--- a/lib/api/v3/projects.rb
+++ b/lib/api/v3/projects.rb
--- a/lib/gitlab/kubernetes.rb
+++ b/lib/gitlab/kubernetes.rb
@@ -43,10 +43,10 @@ module Gitlab
      end
    end

-    def add_terminal_auth(terminal, token, ca_pem = nil)
+    def add_terminal_auth(terminal, token:, max_session_time:, ca_pem: nil)
      terminal[:headers]['Authorization'] << "Bearer #{token}"
+      terminal[:max_session_time] = max_session_time
      terminal[:ca_pem] = ca_pem if ca_pem.present?
-      terminal
    end

    def container_exec_url(api_url, namespace, pod_name, container_name)

--- a/lib/gitlab/workhorse.rb
+++ b/lib/gitlab/workhorse.rb
@@ -107,7 +107,8 @@ module Gitlab
          'Terminal' => {
            'Subprotocols' => terminal[:subprotocols],
            'Url' => terminal[:url],
-            'Header' => terminal[:headers]
+            'Header' => terminal[:headers],
+            'MaxSessionTime' => terminal[:max_session_time],
          }
        }
        details['Terminal']['CAPem'] = terminal[:ca_pem] if terminal.has_key?(:ca_pem)

--- a/package.json
+++ b/package.json
 {
  "private": true,
  "scripts": {
-    "dev-server": "node_modules/.bin/webpack-dev-server --config config/webpack.config.js",
+    "dev-server": "webpack-dev-server --config config/webpack.config.js",
    "eslint": "eslint --max-warnings 0 --ext .js,.js.es6 .",
    "eslint-fix": "npm run eslint -- --fix",
    "eslint-report": "npm run eslint -- --format html --output-file ./eslint-report.html",
    "karma": "karma start config/karma.config.js --single-run",
-    "karma-start": "karma start config/karma.config.js"
+    "karma-start": "karma start config/karma.config.js",
+    "webpack": "webpack --config config/webpack.config.js",
+    "webpack-prod": "NODE_ENV=production npm run webpack"
  },
  "dependencies": {
    "babel": "^5.8.38",

--- a/spec/lib/gitlab/workhorse_spec.rb
+++ b/spec/lib/gitlab/workhorse_spec.rb
@@ -42,7 +42,8 @@ describe Gitlab::Workhorse, lib: true do
      out = {
        subprotocols: ['foo'],
        url: 'wss://example.com/terminal.ws',
-        headers: { 'Authorization' => ['Token x'] }
+        headers: { 'Authorization' => ['Token x'] },
+        max_session_time: 600
      }
      out[:ca_pem] = ca_pem if ca_pem
      out
@@ -53,7 +54,8 @@ describe Gitlab::Workhorse, lib: true do
        'Terminal' => {
          'Subprotocols' => ['foo'],
          'Url' => 'wss://example.com/terminal.ws',
-          'Header' => { 'Authorization' => ['Token x'] }
+          'Header' => { 'Authorization' => ['Token x'] },
+          'MaxSessionTime' => 600
        }
      }
      out['Terminal']['CAPem'] = ca_pem if ca_pem

--- a/spec/models/project_services/kubernetes_service_spec.rb
+++ b/spec/models/project_services/kubernetes_service_spec.rb
@@ -181,11 +181,23 @@ describe KubernetesService, models: true, caching: true do
      let(:pod) { kube_pod(app: environment.slug) }
      let(:terminals) { kube_terminals(service, pod) }

-      it 'returns terminals' do
-        stub_reactive_cache(service, pods: [ pod, pod, kube_pod(app: "should-be-filtered-out") ])
+      before do
+        stub_reactive_cache(
+          service,
+          pods: [ pod, pod, kube_pod(app: "should-be-filtered-out") ]
+        )
+      end

+      it 'returns terminals' do
        is_expected.to eq(terminals + terminals)
      end
+
+      it 'uses max session time from settings' do
+        stub_application_setting(terminal_max_session_time: 600)
+
+        times = subject.map { |terminal| terminal[:max_session_time] }
+        expect(times).to eq [600, 600, 600, 600]
+      end
    end
  end


--- a/spec/requests/api/builds_spec.rb
+++ b/spec/requests/api/builds_spec.rb
@@ -188,6 +188,7 @@ describe API::Builds, api: true do
        it 'returns specific job artifacts' do
          expect(response).to have_http_status(200)
          expect(response.headers).to include(download_headers)
+          expect(response.body).to match_file(build.artifacts_file.file.file)
        end
      end


--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1085,52 +1085,6 @@ describe API::Projects, api: true  do
    end
  end

-  describe 'GET /projects/search/:query' do
-    let!(:query)            { 'query'}
-    let!(:search)           { create(:empty_project, name: query, creator_id: user.id, namespace: user.namespace) }
-    let!(:pre)              { create(:empty_project, name: "pre_#{query}", creator_id: user.id, namespace: user.namespace) }
-    let!(:post)             { create(:empty_project, name: "#{query}_post", creator_id: user.id, namespace: user.namespace) }
-    let!(:pre_post)         { create(:empty_project, name: "pre_#{query}_post", creator_id: user.id, namespace: user.namespace) }
-    let!(:unfound)          { create(:empty_project, name: 'unfound', creator_id: user.id, namespace: user.namespace) }
-    let!(:internal)         { create(:empty_project, :internal, name: "internal #{query}") }
-    let!(:unfound_internal) { create(:empty_project, :internal, name: 'unfound internal') }
-    let!(:public)           { create(:empty_project, :public, name: "public #{query}") }
-    let!(:unfound_public)   { create(:empty_project, :public, name: 'unfound public') }
-    let!(:one_dot_two)      { create(:empty_project, :public, name: "one.dot.two") }
-
-    shared_examples_for 'project search response' do |args = {}|
-      it 'returns project search responses' do
-        get api("/projects/search/#{args[:query]}", current_user)
-
-        expect(response).to have_http_status(200)
-        expect(json_response).to be_an Array
-        expect(json_response.size).to eq(args[:results])
-        json_response.each { |project| expect(project['name']).to match(args[:match_regex] || /.*#{args[:query]}.*/) }
-      end
-    end
-
-    context 'when unauthenticated' do
-      it_behaves_like 'project search response', query: 'query', results: 1 do
-        let(:current_user) { nil }
-      end
-    end
-
-    context 'when authenticated' do
-      it_behaves_like 'project search response', query: 'query', results: 6 do
-        let(:current_user) { user }
-      end
-      it_behaves_like 'project search response', query: 'one.dot.two', results: 1 do
-        let(:current_user) { user }
-      end
-    end
-
-    context 'when authenticated as a different user' do
-      it_behaves_like 'project search response', query: 'query', results: 2, match_regex: /(internal|public) query/ do
-        let(:current_user) { user2 }
-      end
-    end
-  end
-
  describe 'PUT /projects/:id' do
    before { project }
    before { user }

--- a/spec/requests/api/v3/projects_spec.rb
+++ b/spec/requests/api/v3/projects_spec.rb
--- a/spec/support/api_helpers.rb
+++ b/spec/support/api_helpers.rb
@@ -17,8 +17,8 @@ module ApiHelpers
  #   => "/api/v2/issues?foo=bar&private_token=..."
  #
  # Returns the relative path to the requested API resource
-  def api(path, user = nil)
-    "/api/#{API::API.version}#{path}" +
+  def api(path, user = nil, version: API::API.version)
+    "/api/#{version}#{path}" +

      # Normalize query string
      (path.index('?') ? '' : '?') +
@@ -31,6 +31,11 @@ module ApiHelpers
      end
  end

+  # Temporary helper method for simplifying V3 exclusive API specs
+  def v3_api(path, user = nil)
+    api(path, user, version: 'v3')
+  end
+
  def ci_api(path, user = nil)
    "/ci/api/v1/#{path}" +


--- a/spec/support/kubernetes_helpers.rb
+++ b/spec/support/kubernetes_helpers.rb
@@ -43,7 +43,8 @@ module KubernetesHelpers
        url:  container_exec_url(service.api_url, service.namespace, pod_name, container['name']),
        subprotocols: ['channel.k8s.io'],
        headers: { 'Authorization' => ["Bearer #{service.token}"] },
-        created_at: DateTime.parse(pod['metadata']['creationTimestamp'])
+        created_at: DateTime.parse(pod['metadata']['creationTimestamp']),
+        max_session_time: 0
      }
      terminal[:ca_pem] = service.ca_pem if service.ca_pem.present?
      terminal

--- a/spec/support/matchers/match_file.rb
+++ b/spec/support/matchers/match_file.rb
+RSpec::Matchers.define :match_file do |expected|
+  match do |actual|
+    expect(Digest::MD5.hexdigest(actual)).to eq(Digest::MD5.hexdigest(File.read(expected)))
+  end
+end