Add latest changes from gitlab-org/gitlab@master

app/serializers/note_user_entity.rb

 # frozen_string_literal: true
 
 class NoteUserEntity < UserEntity
+  expose :gitlab_employee?, as: :is_gitlab_employee, if: ->(user, options) { ::Feature.enabled?(:gitlab_employee_badge) && user.gitlab_employee? }
+
   unexpose :web_url
 end

app/views/admin/application_settings/_protected_paths.html.haml

@@ -6,7 +6,7 @@
       .bs-callout.bs-callout-danger
         - relative_url_link = 'https://docs.gitlab.com/ee/user/admin_area/settings/protected_paths.html#migrate-settings-from-gitlab-123-and-earlier'
         - relative_url_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: relative_url_link }
-        = _("Omnibus Protected Paths throttle is active. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}.").html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
+        = _("Omnibus Protected Paths throttle is active, and takes priority over these settings. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}.").html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
 
     .form-group
       .form-check

app/views/admin/application_settings/network.html.haml

@@ -42,7 +42,7 @@
     %button.btn.btn-default.js-settings-toggle{ type: 'button' }
       = expanded_by_default? ? _('Collapse') : _('Expand')
     %p
-      = _('Configure paths to be protected by Rack Attack. A web server restart is required after changing these settings.')
+      = _('Configure paths to be protected by Rack Attack.')
   .settings-content
     = render 'protected_paths'
 

bin/secpick

@@ -120,7 +120,7 @@ module Secpick
             options[:branch] = branch
           end
 
-          opts.on('-s', '--sha abcd', 'SHA or SHA range to cherry pick') do |sha|
+          opts.on('-s', '--sha abcd', 'SHA or SHA range to cherry pick (optional, defaults to current)') do |sha|
             options[:sha] = sha
           end
 
@@ -155,6 +155,7 @@ module Secpick
 
         parser.parse!
 
+        options[:sha] ||= `git rev-parse HEAD`
         options[:branch] ||= `git rev-parse --abbrev-ref HEAD`
         options[:remote] ||= DEFAULT_REMOTE
 

doc/api/users.md

@@ -387,7 +387,7 @@ Parameters:
 | `group_id_for_saml`                  | No       | ID of group where SAML has been configured                                                                                                              |
 | `linkedin`                           | No       | LinkedIn                                                                                                                                                |
 | `location`                           | No       | User's location                                                                                                                                         |
-| `name`                               | No       | Name                                                                                                                                                    |
+| `name`                               | Yes      | Name                                                                                                                                                    |
 | `organization`                       | No       | Organization name                                                                                                                                       |
 | `password`                           | No       | Password                                                                                                                                                |
 | `private_profile`                    | No       | User's profile is private - true, false (default), or null (will be converted to false)                                                                 |

doc/security/rate_limits.md

@@ -24,6 +24,7 @@ similarly mitigated by a rate limit.
 
 - [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md).
 - [Rate limits on raw endpoints](../user/admin_area/settings/rate_limits_on_raw_endpoints.md)
+- [Protected paths](../user/admin_area/settings/protected_paths.md).
 
 ## Rack Attack initializer
 

doc/user/admin_area/settings/protected_paths.md

@@ -4,7 +4,11 @@ type: reference
 
 # Protected paths **(CORE ONLY)**
 
-GitLab protects the following paths with Rack Attack by default:
+Rate limiting is a common technique used to improve the security and durability
+of a web application. For more details, see
+[Rate limits](../../../security/rate_limits.md).
+
+GitLab rate limits the following paths with Rack Attack by default:
 
 ```plaintext
 '/users/password',

doc/user/group/saml_sso/index.md

@@ -8,7 +8,7 @@ type: reference, howto
 
 SAML on GitLab.com allows users to be added to a group. Those users can then sign in to GitLab.com. If such users don't already have an account on the GitLab instance, they can create one when signing in for the first time.
 
-If you follow our guidance to automate user provisioning using [SCIM](scim_setup.md) or [group managed accounts](#group-managed-accounts), you do not need to create such accounts manually.
+If you follow our guidance to automate user provisioning using [SCIM](scim_setup.md) or [group-managed accounts](#group-managed-accounts), you do not need to create such accounts manually.
 
 User synchronization for GitLab.com is partially supported using [SCIM](scim_setup.md).
 
@@ -86,6 +86,15 @@ Since use of the group-managed account requires the use of SSO, users of group-m
 - The user will be unable to access the group (their credentials will no longer work on the identity provider when prompted to SSO).
 - Contributions in the group (e.g. issues, merge requests) will remain intact.
 
+##### Feature flag
+
+Currently the group-managed accounts feature is behind a feature flag: `group_managed_accounts`. The flag is disabled by default.
+To activate the feature, ask a GitLab administrator with Rails console access to run:
+
+```ruby
+Feature.enable(:group_managed_accounts)
+```
+
 ##### Credentials inventory for Group-managed accounts **(ULTIMATE)**
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/38133) in GitLab 12.8.

lib/api/entities/discussion.rb

@@ -5,7 +5,7 @@ module API
     class Discussion < Grape::Entity
       expose :id
       expose :individual_note?, as: :individual_note
-      expose :notes, using: Entities::NoteWithGitlabEmployeeBadge
+      expose :notes, using: Entities::Note
     end
   end
 end

lib/api/entities/note_with_gitlab_employee_badge.rb

-# frozen_string_literal: true
-
-module API
-  module Entities
-    class NoteWithGitlabEmployeeBadge < Note
-      expose :author, using: Entities::UserWithGitlabEmployeeBadge
-      expose :resolved_by, using: Entities::UserWithGitlabEmployeeBadge, if: ->(note, options) { note.resolvable? }
-    end
-  end
-end

lib/api/entities/user_with_gitlab_employee_badge.rb

-# frozen_string_literal: true
-
-module API
-  module Entities
-    class UserWithGitlabEmployeeBadge < UserBasic
-      expose :gitlab_employee?, as: :is_gitlab_employee, if: ->(user, options) { ::Feature.enabled?(:gitlab_employee_badge) && user.gitlab_employee? }
-    end
-  end
-end

locale/gitlab.pot

@@ -5172,7 +5172,7 @@ msgstr ""
 msgid "Configure limits on the number of inbound alerts able to be sent to a project."
 msgstr ""
 
-msgid "Configure paths to be protected by Rack Attack. A web server restart is required after changing these settings."
+msgid "Configure paths to be protected by Rack Attack."
 msgstr ""
 
 msgid "Configure repository mirroring."
@@ -13652,7 +13652,7 @@ msgstr ""
 msgid "OmniAuth"
 msgstr ""
 
-msgid "Omnibus Protected Paths throttle is active. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}."
+msgid "Omnibus Protected Paths throttle is active, and takes priority over these settings. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}."
 msgstr ""
 
 msgid "On track"

spec/controllers/projects/issues_controller_spec.rb

@@ -1390,6 +1390,61 @@ describe Projects::IssuesController do
         expect(note_json['author']['status_tooltip_html']).to be_present
       end
 
+      context 'is_gitlab_employee attribute' do
+        subject { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } }
+
+        before do
+          allow(Gitlab).to receive(:com?).and_return(true)
+          note_user = discussion.author
+          note_user.update(email: email)
+          note_user.confirm
+        end
+
+        shared_examples 'non inclusion of gitlab employee badge' do
+          it 'does not render the is_gitlab_employee attribute' do
+            subject
+
+            note_json = json_response.first['notes'].first
+
+            expect(note_json['author']['is_gitlab_employee']).to be nil
+          end
+        end
+
+        context 'when user is a gitlab employee' do
+          let(:email) { 'test@gitlab.com' }
+
+          it 'renders the is_gitlab_employee attribute' do
+            subject
+
+            note_json = json_response.first['notes'].first
+
+            expect(note_json['author']['is_gitlab_employee']).to be true
+          end
+
+          context 'when feature flag is disabled' do
+            before do
+              stub_feature_flags(gitlab_employee_badge: false)
+            end
+
+            it_behaves_like 'non inclusion of gitlab employee badge'
+          end
+        end
+
+        context 'when user is not a gitlab employee' do
+          let(:email) { 'test@example.com' }
+
+          it_behaves_like 'non inclusion of gitlab employee badge'
+
+          context 'when feature flag is disabled' do
+            before do
+              stub_feature_flags(gitlab_employee_badge: false)
+            end
+
+            it_behaves_like 'non inclusion of gitlab employee badge'
+          end
+        end
+      end
+
       it 'does not cause an extra query for the status' do
         control = ActiveRecord::QueryRecorder.new do
           get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }

spec/fixtures/api/schemas/entities/user.json

@@ -17,8 +17,7 @@
     "path": { "type": "string" },
     "name": { "type": "string" },
     "username": { "type": "string" },
-    "status_tooltip_html": { "$ref": "../types/nullable_string.json" },
-    "is_gitlab_employee": { "type": "boolean" }
+    "status_tooltip_html": { "$ref": "../types/nullable_string.json" }
   },
   "additionalProperties": false
 }

spec/support/shared_examples/requests/api/discussions_shared_examples.rb

@@ -55,58 +55,6 @@ RSpec.shared_examples 'with cross-reference system notes' do
 end
 
 RSpec.shared_examples 'discussions API' do |parent_type, noteable_type, id_name, can_reply_to_individual_notes: false|
-  shared_examples 'is_gitlab_employee attribute presence' do
-    subject { get api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/discussions", user) }
-
-    before do
-      allow(Gitlab).to receive(:com?).and_return(true)
-      user.update(email: email)
-      user.confirm
-    end
-
-    context 'when author is a gitlab employee' do
-      let(:email) { 'test@gitlab.com' }
-
-      it 'returns is_gitlab_employee as true' do
-        subject
-
-        expect(json_response.first["notes"].first["author"]['is_gitlab_employee']).to be true
-      end
-    end
-
-    shared_examples 'non inclusion of gitlab employee badge' do
-      it 'does not include is_gitlab_employee attribute' do
-        subject
-
-        expect(json_response.first["notes"].first["author"]).not_to have_key('is_gitlab_employee')
-      end
-    end
-
-    context 'when author is not a gitlab employee' do
-      let(:email) { 'test@example.com' }
-
-      it_behaves_like 'non inclusion of gitlab employee badge'
-    end
-
-    describe 'when feature flag is disabled' do
-      before do
-        stub_feature_flags(gitlab_employee_badge: false)
-      end
-
-      context 'when author is a gitlab employee' do
-        let(:email) { 'test@gitlab.com' }
-
-        it_behaves_like 'non inclusion of gitlab employee badge'
-      end
-
-      context 'when author is not a gitlab employee' do
-        let(:email) { 'test@example.com' }
-
-        it_behaves_like 'non inclusion of gitlab employee badge'
-      end
-    end
-  end
-
   describe "GET /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions" do
     it "returns an array of discussions" do
       get api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/discussions", user)
@@ -130,8 +78,6 @@ RSpec.shared_examples 'discussions API' do |parent_type, noteable_type, id_name,
 
       expect(response).to have_gitlab_http_status(:not_found)
     end
-
-    it_behaves_like 'is_gitlab_employee attribute presence'
   end
 
   describe "GET /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions/:discussion_id" do
@@ -250,8 +196,6 @@ RSpec.shared_examples 'discussions API' do |parent_type, noteable_type, id_name,
         end
       end
     end
-
-    it_behaves_like 'is_gitlab_employee attribute presence'
   end
 
   describe "POST /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions/:discussion_id/notes" do