Merge branch 'master' into 4627-fix-epic-issue-reordering

GITLAB_SHELL_VERSION

-5.11.0
+6.0.2

GITLAB_WORKHORSE_VERSION

-3.5.0
+3.5.1

Gemfile

@@ -422,7 +422,7 @@ group :ed25519 do
 end
 
 # Gitaly GRPC client
-gem 'gitaly-proto', '~> 0.73.0', require: 'gitaly'
+gem 'gitaly-proto', '~> 0.74.0', require: 'gitaly'
 
 gem 'toml-rb', '~> 0.3.15', require: false
 

Gemfile.lock

@@ -309,7 +309,7 @@ GEM
       po_to_json (>= 1.0.0)
       rails (>= 3.2.0)
     gherkin-ruby (0.3.2)
-    gitaly-proto (0.73.0)
+    gitaly-proto (0.74.0)
       google-protobuf (~> 3.1)
       grpc (~> 1.0)
     github-linguist (4.7.6)
@@ -1091,7 +1091,7 @@ DEPENDENCIES
   gettext (~> 3.2.2)
   gettext_i18n_rails (~> 1.8.0)
   gettext_i18n_rails_js (~> 1.2.0)
-  gitaly-proto (~> 0.73.0)
+  gitaly-proto (~> 0.74.0)
   github-linguist (~> 4.7.0)
   gitlab-flowdock-git-hook (~> 1.0.1)
   gitlab-license (~> 1.0)

PROCESS.md

@@ -85,7 +85,8 @@ These types of merge requests for the upcoming release need special consideratio
   and a dedicated team with front-end, back-end, and UX.
 * **Small features**: any other feature request.
 
-**Large features** must be with a maintainer **by the 1st**. This means that:
+It is strongly recommended that **large features** be with a maintainer **by the
+1st**. This means that:
 
 * There is a merge request (even if it's WIP).
 * The person (or people, if it needs a frontend and backend maintainer) who will
@@ -100,14 +101,37 @@ The maintainer can also choose to assign a reviewer to perform an initial
 review, but this way the maintainer is unlikely to be surprised by receiving an
 MR later in the cycle.
 
-**Small features** must be with a reviewer (not necessarily maintainer) **by the
-3rd**.
+It is strongly recommended that **small features** be with a reviewer (not
+necessarily a maintainer) **by the 3rd**.
 
 Most merge requests from the community do not have a specific release
 target. However, if one does and falls into either of the above categories, it's
 the reviewer's responsibility to manage the above communication and assignment
 on behalf of the community member.
 
+#### What happens if these deadlines are missed?
+
+If a small or large feature is _not_ with a maintainer or reviewer by the
+recommended date, this does _not_ mean that maintainers or reviewers will refuse
+to review or merge it, or that the feature will definitely not make it in before
+the feature freeze.
+
+However, with every day that passes without review, it will become more likely
+that the feature will slip, because maintainers and reviewers may not have
+enough time to do a thorough review, and developers may not have enough time to
+adequately address any feedback that may come back.
+
+A maintainer or reviewer may also determine that it will not be possible to
+finish the current scope of the feature in time, but that it is possible to
+reduce the scope so that something can still ship this month, with the remaining
+scope moving to the next release. The sooner this decision is made, in
+conversation with the Product Manager and developer, the more time there is to
+extract that which is now out of scope, and to finish that which remains in scope.
+
+For these reasons, it is strongly recommended to follow the guidelines above,
+to maximize the chances of your feature making it in before the feature freeze,
+and to prevent any last minute surprises.
+
 ### On the 7th
 
 Merge requests should still be complete, following the

VERSION

-10.4.0-pre
+10.5.0-pre

app/assets/javascripts/dispatcher.js

 /* eslint-disable func-names, space-before-function-paren, no-var, prefer-arrow-callback, wrap-iife, no-shadow, consistent-return, one-var, one-var-declaration-per-line, camelcase, default-case, no-new, quotes, no-duplicate-case, no-case-declarations, no-fallthrough, max-len */
-import Milestone from './milestone';
 import notificationsDropdown from './notifications_dropdown';
 import LineHighlighter from './line_highlighter';
 import MergeRequest from './merge_request';
-import initCompareAutocomplete from './compare_autocomplete';
-import Sidebar from './right_sidebar';
 import Flash from './flash';
 import BlobViewer from './blob/viewer/index';
 import GfmAutoComplete from './gfm_auto_complete';
@@ -17,13 +14,13 @@ import { convertPermissionToBoolean } from './lib/utils/common_utils';
 import GlFieldErrors from './gl_field_errors';
 import Shortcuts from './shortcuts';
 import ShortcutsIssuable from './shortcuts_issuable';
-import U2FAuthenticate from './u2f/authenticate';
 import Diff from './diff';
 import SearchAutocomplete from './search_autocomplete';
 
 // EE-only
 import UsersSelect from './users_select';
 import UserCallout from './user_callout';
+import initCompareAutocomplete from './compare_autocomplete';
 import initGeoInfoModal from 'ee/init_geo_info_modal'; // eslint-disable-line import/first
 import initGroupAnalytics from 'ee/init_group_analytics'; // eslint-disable-line import/first
 import initPathLocks from 'ee/path_locks'; // eslint-disable-line import/first
@@ -92,6 +89,11 @@ import initLDAPGroupsSelect from 'ee/ldap_groups_select'; // eslint-disable-line
             .catch(fail);
           shortcut_handler = true;
           break;
+        case 'projects:environments:metrics':
+          import('./pages/projects/environments/metrics')
+            .then(callDefault)
+            .catch(fail);
+          break;
         case 'projects:merge_requests:index':
           import('./pages/projects/merge_requests/index')
             .then(callDefault)
@@ -116,10 +118,15 @@ import initLDAPGroupsSelect from 'ee/ldap_groups_select'; // eslint-disable-line
             .catch(fail);
           break;
         case 'projects:milestones:show':
+          import('./pages/projects/milestones/show')
+            .then(callDefault)
+            .catch(fail);
           new UserCallout();
+          break;
         case 'groups:milestones:show':
-          new Milestone();
-          new Sidebar();
+          import('./pages/groups/milestones/show')
+            .then(callDefault)
+            .catch(fail);
           break;
         case 'dashboard:milestones:show':
           import('./pages/dashboard/milestones/show')
@@ -590,6 +597,10 @@ import initLDAPGroupsSelect from 'ee/ldap_groups_select'; // eslint-disable-line
             .then(callDefault)
             .catch(fail);
           break;
+        case 'dashboard:groups:index':
+          import('./pages/dashboard/groups/index')
+            .then(callDefault)
+            .catch(fail);
         case 'admin:licenses:new':
           import(/* webpackChunkName: "admin_licenses" */ 'ee/pages/admin/licenses/new').then(m => m.default()).catch(fail);
           break;
@@ -602,18 +613,15 @@ import initLDAPGroupsSelect from 'ee/ldap_groups_select'; // eslint-disable-line
       }
       switch (path[0]) {
         case 'sessions':
+          import('./pages/sessions')
+            .then(callDefault)
+            .catch(fail);
+          break;
         case 'omniauth_callbacks':
-          if (!gon.u2f) break;
-          const u2fAuthenticate = new U2FAuthenticate(
-            $('#js-authenticate-u2f'),
-            '#js-login-u2f-form',
-            gon.u2f,
-            document.querySelector('#js-login-2fa-device'),
-            document.querySelector('.js-2fa-form'),
-          );
-          u2fAuthenticate.start();
-          // needed in rspec
-          gl.u2fAuthenticate = u2fAuthenticate;
+          import('./pages/omniauth_callbacks')
+            .then(callDefault)
+            .catch(fail);
+          break;
         case 'admin':
           import('./pages/admin')
             .then(callDefault)
@@ -672,10 +680,6 @@ import initLDAPGroupsSelect from 'ee/ldap_groups_select'; // eslint-disable-line
               break;
           }
           break;
-        case 'dashboard':
-        case 'root':
-          new UserCallout();
-          break;
         case 'profiles':
           import('./pages/profiles/index/')
             .then(callDefault)

app/assets/javascripts/fly_out_nav.js

@@ -118,14 +118,14 @@ export const showSubLevelItems = (el) => {
   moveSubItemsToPosition(el, subItems);
 };
 
-export const mouseEnterTopItems = (el) => {
+export const mouseEnterTopItems = (el, timeout = getHideSubItemsInterval()) => {
   clearTimeout(timeoutId);
 
   timeoutId = setTimeout(() => {
     if (currentOpenMenu) hideMenu(currentOpenMenu);
 
     showSubLevelItems(el);
-  }, getHideSubItemsInterval());
+  }, timeout);
 };
 
 export const mouseLeaveTopItem = (el) => {

app/assets/javascripts/groups/index.js

@@ -10,7 +10,7 @@ import groupItemComponent from './components/group_item.vue';
 
 Vue.use(Translate);
 
-document.addEventListener('DOMContentLoaded', () => {
+export default () => {
   const el = document.getElementById('js-groups-tree');
 
   // Don't do anything if element doesn't exist (No groups)
@@ -71,4 +71,4 @@ document.addEventListener('DOMContentLoaded', () => {
       });
     },
   });
-});
+};

app/assets/javascripts/groups/service/groups_service.js

 import Vue from 'vue';
-import VueResource from 'vue-resource';
-
-Vue.use(VueResource);
+import '../../vue_shared/vue_resource_interceptor';
 
 export default class GroupsService {
   constructor(endpoint) {

app/assets/javascripts/monitoring/monitoring_bundle.js

 import Vue from 'vue';
 import Dashboard from './components/dashboard.vue';
 
-document.addEventListener('DOMContentLoaded', () => new Vue({
+export default () => new Vue({
   el: '#prometheus-graphs',
   render: createElement => createElement(Dashboard),
-}));
+});

app/assets/javascripts/pages/dashboard/groups/index/index.js

+import initGroupsList from '../../../../groups';
+
+export default () => {
+  initGroupsList();
+};

app/assets/javascripts/pages/explore/groups/index.js

 import GroupsList from '~/groups_list';
 import Landing from '~/landing';
+import initGroupsList from '../../../groups';
 
 export default function () {
   new GroupsList(); // eslint-disable-line no-new
+  initGroupsList();
   const landingElement = document.querySelector('.js-explore-groups-landing');
   if (!landingElement) return;
   const exploreGroupsLanding = new Landing(

app/assets/javascripts/pages/groups/activity/index.js

 import Activities from '~/activities';
 
-export default new Activities();
+export default () => new Activities();

app/assets/javascripts/pages/groups/labels/edit/index.js

 import Labels from '~/labels';
 
-export default new Labels();
+export default () => new Labels();

app/assets/javascripts/pages/groups/labels/new/index.js

 import Labels from '~/labels';
 
-export default new Labels();
+export default () => new Labels();

app/assets/javascripts/pages/groups/milestones/show/index.js

+import initMilestonesShow from '~/pages/init_milestones_show';
+
+export default initMilestonesShow;

app/assets/javascripts/pages/groups/show/index.js

@@ -5,6 +5,7 @@ import notificationsDropdown from '~/notifications_dropdown';
 import NotificationsForm from '~/notifications_form';
 import ProjectsList from '~/projects_list';
 import ShortcutsNavigation from '~/shortcuts_navigation';
+import initGroupsList from '../../../groups';
 
 export default () => {
   const newGroupChildWrapper = document.querySelector('.js-new-project-subgroup');
@@ -16,4 +17,6 @@ export default () => {
   if (newGroupChildWrapper) {
     new NewGroupChild(newGroupChildWrapper);
   }
+
+  initGroupsList();
 };

app/assets/javascripts/pages/init_milestones_show.js

+/* eslint-disable no-new */
+
+import Milestone from '~/milestone';
+import Sidebar from '~/right_sidebar';
+
+export default () => {
+  new Milestone();
+  new Sidebar();
+};

app/assets/javascripts/pages/omniauth_callbacks/index.js

+import initU2F from '../../shared/sessions/u2f';
+
+export default () => {
+  initU2F();
+};

app/assets/javascripts/pages/projects/environments/metrics/index.js

+import monitoringBundle from '~/monitoring/monitoring_bundle';
+
+export default monitoringBundle;

app/assets/javascripts/pages/projects/milestones/show/index.js

+import initMilestonesShow from '~/pages/init_milestones_show';
+
+export default initMilestonesShow;

app/assets/javascripts/pages/projects/shared/permissions/components/settings_panel.vue

@@ -210,7 +210,7 @@
         </div>
         <span class="help-block">{{ visibilityLevelDescription }}</span>
         <label
-          v-if="visibilityLevel !== visibilityOptions.PUBLIC"
+          v-if="visibilityLevel !== visibilityOptions.PRIVATE"
           class="request-access"
         >
           <input

app/assets/javascripts/pages/sessions/index.js

+import initU2F from '../../shared/sessions/u2f';
+
+export default () => {
+  initU2F();
+};

app/assets/javascripts/shared/sessions/u2f.js

+import U2FAuthenticate from '../../u2f/authenticate';
+
+export default () => {
+  if (!gon.u2f) return;
+
+  const u2fAuthenticate = new U2FAuthenticate(
+    $('#js-authenticate-u2f'),
+    '#js-login-u2f-form',
+    gon.u2f,
+    document.querySelector('#js-login-2fa-device'),
+    document.querySelector('.js-2fa-form'),
+  );
+  u2fAuthenticate.start();
+  // needed in rspec
+  gl.u2fAuthenticate = u2fAuthenticate;
+};

app/assets/javascripts/templates/issuable_template_selector.js

@@ -32,8 +32,8 @@ export default class IssuableTemplateSelector extends TemplateSelector {
     this.startLoadingSpinner();
     Api.issueTemplate(this.namespacePath, this.projectPath, query.name, this.issuableType, (err, currentTemplate) => {
       this.currentTemplate = currentTemplate;
-      if (err) return; // Error handled by global AJAX error handler
       this.stopLoadingSpinner();
+      if (err) return; // Error handled by global AJAX error handler
       this.setInputValueToTemplateContent();
     });
     return;

app/controllers/concerns/group_tree.rb

@@ -2,7 +2,11 @@ module GroupTree
   # rubocop:disable Gitlab/ModuleWithInstanceVariables
   def render_group_tree(groups)
     @groups = if params[:filter].present?
-                Gitlab::GroupHierarchy.new(groups.search(params[:filter]))
+                # We find the ancestors by ID of the search results here.
+                # Otherwise the ancestors would also have filters applied,
+                # which would cause them not to be preloaded.
+                group_ids = groups.search(params[:filter]).select(:id)
+                Gitlab::GroupHierarchy.new(Group.where(id: group_ids))
                   .base_and_ancestors
               else
                 # Only show root groups if no parent-id is given

app/finders/group_descendants_finder.rb

@@ -27,12 +27,16 @@ class GroupDescendantsFinder
   end
 
   def execute
-    # The children array might be extended with the ancestors of projects when
-    # filtering. In that case, take the maximum so the array does not get limited
-    # Otherwise, allow paginating through all results
+    # The children array might be extended with the ancestors of projects and
+    # subgroups when filtering. In that case, take the maximum so the array does
+    # not get limited otherwise, allow paginating through all results.
     #
     all_required_elements = children
-    all_required_elements |= ancestors_for_projects if params[:filter]
+    if params[:filter]
+      all_required_elements |= ancestors_of_filtered_subgroups
+      all_required_elements |= ancestors_of_filtered_projects
+    end
+
     total_count = [all_required_elements.size, paginator.total_count].max
 
     Kaminari.paginate_array(all_required_elements, total_count: total_count)
@@ -49,8 +53,11 @@ class GroupDescendantsFinder
   end
 
   def paginator
-    @paginator ||= Gitlab::MultiCollectionPaginator.new(subgroups, projects,
-                                                        per_page: params[:per_page])
+    @paginator ||= Gitlab::MultiCollectionPaginator.new(
+      subgroups,
+      projects.with_route,
+      per_page: params[:per_page]
+    )
   end
 
   def direct_child_groups
@@ -94,15 +101,21 @@ class GroupDescendantsFinder
   #
   # So when searching 'project', on the 'subgroup' page we want to preload
   # 'nested-group' but not 'subgroup' or 'root'
-  def ancestors_for_groups(base_for_ancestors)
-    Gitlab::GroupHierarchy.new(base_for_ancestors)
+  def ancestors_of_groups(base_for_ancestors)
+    group_ids = base_for_ancestors.except(:select, :sort).select(:id)
+    Gitlab::GroupHierarchy.new(Group.where(id: group_ids))
       .base_and_ancestors(upto: parent_group.id)
   end
 
-  def ancestors_for_projects
+  def ancestors_of_filtered_projects
     projects_to_load_ancestors_of = projects.where.not(namespace: parent_group)
     groups_to_load_ancestors_of = Group.where(id: projects_to_load_ancestors_of.select(:namespace_id))
-    ancestors_for_groups(groups_to_load_ancestors_of)
+    ancestors_of_groups(groups_to_load_ancestors_of)
+      .with_selects_for_list(archived: params[:archived])
+  end
+
+  def ancestors_of_filtered_subgroups
+    ancestors_of_groups(subgroups)
       .with_selects_for_list(archived: params[:archived])
   end
 
@@ -112,7 +125,7 @@ class GroupDescendantsFinder
     # When filtering subgroups, we want to find all matches withing the tree of
     # descendants to show to the user
     groups = if params[:filter]
-               ancestors_for_groups(subgroups_matching_filter)
+               subgroups_matching_filter
              else
                direct_child_groups
              end
@@ -121,8 +134,10 @@ class GroupDescendantsFinder
   end
 
   def direct_child_projects
-    GroupProjectsFinder.new(group: parent_group, current_user: current_user, params: params)
-      .execute
+    GroupProjectsFinder.new(group: parent_group,
+                            current_user: current_user,
+                            options: { only_owned: true },
+                            params: params).execute
   end
 
   # Finds all projects nested under `parent_group` or any of its descendant

app/models/project.rb

@@ -1042,6 +1042,8 @@ class Project < ActiveRecord::Base
   end
 
   def fork_source
+    return nil unless forked?
+
     forked_from_project || fork_network&.root_project
   end
 

app/models/repository.rb

@@ -266,15 +266,7 @@ class Repository
     return if kept_around?(sha)
 
     # This will still fail if the file is corrupted (e.g. 0 bytes)
-    begin
-      raw_repository.write_ref(keep_around_ref_name(sha), sha, shell: false)
-    rescue Rugged::ReferenceError => ex
-      Rails.logger.error "Unable to create #{REF_KEEP_AROUND} reference for repository #{path}: #{ex}"
-    rescue Rugged::OSError => ex
-      raise unless ex.message =~ /Failed to create locked file/ && ex.message =~ /File exists/
-
-      Rails.logger.error "Unable to create #{REF_KEEP_AROUND} reference for repository #{path}: #{ex}"
-    end
+    raw_repository.write_ref(keep_around_ref_name(sha), sha, shell: false)
   end
 
   def kept_around?(sha)

app/models/user.rb

@@ -331,6 +331,8 @@ class User < ActiveRecord::Base
     #
     # Returns an ActiveRecord::Relation.
     def search(query)
+      return none if query.blank?
+
       query = query.downcase
 
       order = <<~SQL
@@ -354,6 +356,8 @@ class User < ActiveRecord::Base
     # This method uses ILIKE on PostgreSQL and LIKE on MySQL.
 
     def search_with_secondary_emails(query)
+      return none if query.blank?
+
       query = query.downcase
 
       email_table = Email.arel_table

app/services/merge_requests/merge_service.rb

@@ -56,6 +56,9 @@ module MergeRequests
       end
 
       true
+    rescue PushRule::MatchError => e
+      handle_merge_error(log_message: e.message, save_message_on_model: true)
+      false
     end
 
     private

app/views/dashboard/activity.html.haml

@@ -7,10 +7,8 @@
 - page_title    "Activity"
 - header_title  "Activity", activity_dashboard_path
 
-.hidden-xs
-  = render "projects/last_push"
-
 %div{ class: container_class }
+  = render "projects/last_push"
   = render 'dashboard/activity_head'
 
   %section.activities

app/views/dashboard/groups/_groups.html.haml

 .js-groups-list-holder
   #js-groups-tree{ data: { hide_projects: 'true', endpoint: dashboard_groups_path(format: :json), path: dashboard_groups_path, form_sel: 'form#group-filter-form', filter_sel: '.js-groups-list-filter', holder_sel: '.js-groups-list-holder', dropdown_sel: '.js-group-filter-dropdown-wrap' } }
+    .loading-container.text-center
+      = icon('spinner spin 2x', class: 'loading-animation prepend-top-20')

app/views/dashboard/groups/index.html.haml

@@ -3,9 +3,6 @@
 - header_title  "Groups", dashboard_groups_path
 = render 'dashboard/groups_head'
 
-= webpack_bundle_tag 'common_vue'
-= webpack_bundle_tag 'groups'
-
 - if params[:filter].blank? && @groups.empty?
   = render 'shared/groups/empty_state'
 - else

app/views/dashboard/projects/index.html.haml

@@ -7,9 +7,8 @@
 - page_title    "Projects"
 - header_title  "Projects", dashboard_projects_path
 
-= render "projects/last_push"
-
 %div{ class: container_class }
+  = render "projects/last_push"
   - if show_projects?(@projects, params)
     = render 'dashboard/projects_head'
     = render 'nav'

app/views/dashboard/projects/starred.html.haml

@@ -4,9 +4,8 @@
 - page_title "Starred Projects"
 - header_title "Projects", dashboard_projects_path
 
-= render "projects/last_push"
-
 %div{ class: container_class }
+  = render "projects/last_push"
   = render 'dashboard/projects_head'
 
   - if params[:filter_projects] || any_projects?(@projects)

app/views/explore/groups/_groups.html.haml

 .js-groups-list-holder
   #js-groups-tree{ data: { hide_projects: 'true', endpoint: explore_groups_path(format: :json), path: explore_groups_path, form_sel: 'form#group-filter-form', filter_sel: '.js-groups-list-filter', holder_sel: '.js-groups-list-holder', dropdown_sel: '.js-group-filter-dropdown-wrap' } }
+    .loading-container.text-center
+      = icon('spinner spin 2x', class: 'loading-animation prepend-top-20')

app/views/explore/groups/index.html.haml

@@ -2,9 +2,6 @@
 - page_title    "Groups"
 - header_title  "Groups", dashboard_groups_path
 
-= webpack_bundle_tag 'common_vue'
-= webpack_bundle_tag 'groups'
-
 - if current_user
   = render 'dashboard/groups_head'
 - else

app/views/groups/_children.html.haml

-= webpack_bundle_tag 'common_vue'
-= webpack_bundle_tag 'groups'
-
 .js-groups-list-holder
   #js-groups-tree{ data: { hide_projects: 'false', group_id: group.id, endpoint: group_children_path(group, format: :json), path: group_path(group), form_sel: 'form#group-filter-form', filter_sel: '.js-groups-list-filter', holder_sel: '.js-groups-list-holder', dropdown_sel: '.js-group-filter-dropdown-wrap' } }
+    .loading-container.text-center
+      = icon('spinner spin 2x', class: 'loading-animation prepend-top-20')

app/views/projects/_last_push.html.haml

 - event = last_push_event
 - if event && show_last_push_widget?(event)
-  %div{ class: container_class }
-    .row-content-block.top-block.hidden-xs.white
-      .event-last-push
-        .event-last-push-text
-          %span= s_("LastPushEvent|You pushed to")
-          %strong
-            = link_to event.ref_name, project_commits_path(event.project, event.ref_name), class: 'ref-name'
+  .row-content-block.top-block.hidden-xs.white
+    .event-last-push
+      .event-last-push-text
+        %span= s_("LastPushEvent|You pushed to")
+        %strong
+          = link_to event.ref_name, project_commits_path(event.project, event.ref_name), class: 'ref-name'
 
-          - if event.project != @project
-            %span= s_("LastPushEvent|at")
-            %strong= link_to_project event.project
+        - if event.project != @project
+          %span= s_("LastPushEvent|at")
+          %strong= link_to_project event.project
 
-          #{time_ago_with_tooltip(event.created_at)}
+        #{time_ago_with_tooltip(event.created_at)}
 
-        .pull-right
-          = link_to new_mr_path_from_push_event(event), title: _("New merge request"), class: "btn btn-info btn-sm" do
-            #{ _('Create merge request') }
+      .pull-right
+        = link_to new_mr_path_from_push_event(event), title: _("New merge request"), class: "btn btn-info btn-sm" do
+          #{ _('Create merge request') }

app/views/projects/activity.html.haml

@@ -2,6 +2,7 @@
 
 - page_title _("Activity")
 
-= render 'projects/last_push'
+%div{ class: container_class }
+  = render 'projects/last_push'
 
 = render 'projects/activity'

app/views/projects/blob/show.html.haml

@@ -6,9 +6,10 @@
 - content_for :page_specific_javascripts do
   = webpack_bundle_tag 'blob'
 
-= render 'projects/last_push'
 
 %div{ class: container_class }
+  = render 'projects/last_push'
+
   #tree-holder.tree-holder
     = render 'blob', blob: @blob
 

app/views/projects/commits/_commit.atom.builder

 xml.entry do
   xml.id      project_commit_url(@project, id: commit.id)
   xml.link    href: project_commit_url(@project, id: commit.id)
-  xml.title   truncate(commit.title, length: 80)
+  xml.title   truncate(commit.title, length: 80, escape: false)
   xml.updated commit.committed_date.xmlschema
   xml.media   :thumbnail, width: "40", height: "40", url: image_url(avatar_icon(commit.author_email))
 
@@ -10,5 +10,5 @@ xml.entry do
     xml.email commit.author_email
   end
 
-  xml.summary markdown(commit.description, pipeline: :single_line)
+  xml.summary markdown(commit.description, pipeline: :single_line), type: 'html'
 end

app/views/projects/environments/metrics.html.haml

@@ -3,7 +3,6 @@
 - content_for :page_specific_javascripts do
   = webpack_bundle_tag 'common_vue'
   = webpack_bundle_tag 'common_d3'
-  = webpack_bundle_tag 'monitoring'
 
 .prometheus-container{ class: container_class }
   .top-area

app/views/projects/jobs/_empty_state.html.haml

 - illustration = local_assigns.fetch(:illustration)
 - illustration_size = local_assigns.fetch(:illustration_size)
 - title = local_assigns.fetch(:title)
-- content = local_assigns.fetch(:content, nil)
+- content = local_assigns.fetch(:content)
 - action = local_assigns.fetch(:action, nil)
 
 .row.empty-state
@@ -11,8 +11,7 @@
   .col-xs-12
     .text-content
       %h4.text-center= title
-      - if content
-        %p= content
+      %p= content
       - if action
         .text-center
           = action

app/views/projects/jobs/show.html.haml

@@ -97,12 +97,18 @@
         title: _('This job requires a manual action'),
         content: _('This job depends on a user to trigger its process. Often they are used to deploy code to production environments'),
         action: ( link_to _('Trigger this manual action'), play_project_job_path(@project, @build), method: :post, class: 'btn btn-primary', title: _('Trigger this manual action') )
+    - elsif @build.created?
+      = render 'empty_state',
+        illustration: 'illustrations/job_not_triggered.svg',
+        illustration_size: 'svg-306',
+        title: _('This job has not been triggered yet'),
+        content: _('This job depends on upstream jobs that need to succeed in order for this job to be triggered')
     - else
       = render 'empty_state',
         illustration: 'illustrations/job_not_triggered.svg',
         illustration_size: 'svg-306',
-        title: _('This job has not been triggered yet')
-
+        title: _('This job has not started yet'),
+        content: _('This job is in pending state and is waiting to be picked by a runner')
   = render "sidebar"
 
 .js-build-options{ data: javascript_build_options }

app/views/projects/merge_requests/index.html.haml

@@ -10,7 +10,8 @@
   = webpack_bundle_tag 'common_vue'
   = webpack_bundle_tag 'filtered_search'
 
-= render 'projects/last_push'
+%div{ class: container_class }
+  = render 'projects/last_push'
 
 - if @project.merge_requests.exists?
   %div{ class: container_class }

app/views/projects/show.html.haml

@@ -7,7 +7,9 @@
 
 = render partial: 'flash_messages', locals: { project: @project }
 
-= render "projects/last_push"
+%div{ class: [container_class, ("limit-container-width" unless fluid_layout)] }
+  = render "projects/last_push"
+
 = render "home_panel"
 
 - if can?(current_user, :download_code, @project)

app/views/projects/tree/_tree_header.html.haml

@@ -24,6 +24,8 @@
           .add-to-tree-dropdown
             %ul.dropdown-menu
               - if can_edit_tree?
+                %li.dropdown-header
+                  #{ _('This directory') }
                 %li
                   = link_to project_new_blob_path(@project, @id) do
                     #{ _('New file') }
@@ -60,6 +62,8 @@
                     #{ _('New directory') }
 
               %li.divider
+              %li.dropdown-header
+                #{ _('This repository') }
               %li
                 = link_to new_project_branch_path(@project) do
                   #{ _('New branch') }

app/views/projects/tree/show.html.haml

@@ -6,7 +6,6 @@
 = content_for :meta_tags do
   = auto_discovery_link_tag(:atom, project_commits_url(@project, @ref, rss_url_options), title: "#{@project.name}:#{@ref} commits")
 
-= render 'projects/last_push'
-
 %div{ class: [(container_class), ("limit-container-width" unless fluid_layout)] }
+  = render 'projects/last_push'
   = render 'projects/files', commit: @last_commit, project: @project, ref: @ref, content_url: project_tree_path(@project, @id)

app/views/shared/_group_form.html.haml

-- content_for :page_specific_javascripts do
-  = page_specific_javascript_bundle_tag('group')
 - parent = @group.parent
 - group_path = root_url
 - group_path << parent.full_path + '/' if parent

bin/profile-url

+#!/usr/bin/env ruby
+require 'optparse'
+
+options = {}
+
+opt_parser = OptionParser.new do |opt|
+  opt.banner = <<DOCSTRING
+Profile a URL on this GitLab instance.
+
+Usage:
+  #{__FILE__} url --output=<profile-html> --sql=<sql-log> [--user=<user>] [--post=<post-data>]
+
+Example:
+  #{__FILE__} /dashboard/issues --output=dashboard-profile.html --sql=dashboard.log --user=root
+DOCSTRING
+  opt.separator ''
+  opt.separator 'Options:'
+
+  opt.on('-o', '--output=/tmp/profile.html', 'profile output filename') do |output|
+    options[:profile_output] = output
+  end
+
+  opt.on('-s', '--sql=/tmp/profile_sql.txt', 'SQL output filename') do |sql|
+    options[:sql_output] = sql
+  end
+
+  opt.on('-u', '--user=root', 'User to authenticate as') do |username|
+    options[:username] = username
+  end
+
+  opt.on('-p', "--post='user=john&pass=test'", 'Send HTTP POST data') do |post_data|
+    options[:post_data] = post_data
+  end
+end
+
+opt_parser.parse!
+options[:url] = ARGV[0]
+
+if options[:url].nil? ||
+   options[:profile_output].nil? ||
+   options[:sql_output].nil?
+  puts opt_parser
+  exit
+end
+
+require File.expand_path('../config/environment', File.dirname(__FILE__))
+
+result = Gitlab::Profiler.profile(options[:url],
+                                  logger: Logger.new(options[:sql_output]),
+                                  post_data: options[:post_data],
+                                  user: User.find_by_username(options[:username]),
+                                  private_token: ENV['PRIVATE_TOKEN'])
+
+printer = RubyProf::CallStackPrinter.new(result)
+file = File.open(options[:profile_output], 'w')
+printer.print(file)
+file.close

changelogs/unreleased-ee/4101-sync-gitattributes-geo.yml

+---
+title: 'Geo: sync .gitattributes to info/attributes in secondary nodes'
+merge_request: 4159
+author:
+type: changed

changelogs/unreleased-ee/4253-dr-compliant-secrets.yml

+---
+title: Update the Geo documentation to replicate all secrets to the secondary
+merge_request: 4188
+author:
+type: fixed

changelogs/unreleased-ee/4398-reuse-primary-host-key-on-secondaries.yml

+---
+title: Update Geo documentation to reuse the primary node SSH host key on secondary
+  node
+merge_request: 4198
+author:
+type: fixed

changelogs/unreleased-ee/da-fix-duplicated-message-geo-update-primary-node-url.yml

+---
+title: Geo - Remove duplicated message on on geo:update_primary_node_url rake task
+merge_request:
+author:
+type: fixed

changelogs/unreleased-ee/dm-push-rule-regexp-error.yml

+---
+title: Capture push rule regex errors and present them to user
+merge_request: 4102
+author:
+type: fixed

changelogs/unreleased-ee/fix_ldap_sync_ssh_keys_boolean.yml

+---
+title: Fix failed LDAP logins when sync_ssh_keys is included in config
+merge_request:
+author:
+type: fixed

changelogs/unreleased/40029-better-error-handling-on-issuable-templates.yml

+---
+title: Stop loading spinner on error of issuable templates
+merge_request: 16600
+author: Takuya Noguchi
+type: fixed

changelogs/unreleased/40612-cannot-change-project-visibility-from-private-even-when-owner.yml

+---
+title: Fix bug in which projects with forks could not change visibility settings from
+  Private to Public
+merge_request: 16595
+author:
+type: fixed

changelogs/unreleased/41208-commit-atom-feeds-double-escaped.yml

+---
+title: Allows html text in commits atom feed
+merge_request: 16603
+author: Jacopo Beschi @jacopo-beschi
+type: fixed

changelogs/unreleased/41673-blank-query-members-api.yml

+---
+title: Fix error on empty query for Members API
+merge_request: 16235
+author:
+type: fixed

changelogs/unreleased/42022-allow-users-to-request-access-not-visible-when-project-visibility-is-public.yml

+---
+title: Fix missing "allow users to request access" option in public project permissions
+merge_request: 16485
+author:
+type: fixed

changelogs/unreleased/42251-explicit-timezone-for-karma.yml

+---
+title: Set timezone for karma to UTC
+merge_request: 16602
+author: Takuya Noguchi
+type: other

changelogs/unreleased/bvl-parent-preloading.yml

+---
+title: Fix issues when rendering groups and their children
+merge_request: 16584
+author:
+type: fixed

changelogs/unreleased/feat-add-section-headers-to-plus-button-dropdown.yml

+---
+title: Add section headers to plus button dropdown
+merge_request: 16394
+author: George Tsiolis
+type: added

changelogs/unreleased/fix-adjust-layout-width-for-fixed-layout.yml

+---
+title: Adjust layout width for fixed layout
+merge_request: 16337
+author: George Tsiolis
+type: fixed

changelogs/unreleased/fix-postgresql-table-grant.yml

+---
+title: Use has_table_privilege for TRIGGER on PostgreSQL
+merge_request:
+author:
+type: fixed

changelogs/unreleased/gitaly-git-http-ssh.yml

+---
+title: Default to Gitaly for 'git push' HTTP/SSH, and make Gitaly mandatory for SSH
+  pull
+merge_request: 16586
+author:
+type: other

config/karma.config.js

@@ -18,6 +18,8 @@ webpackConfig.devtool = 'cheap-inline-source-map';
 
 // Karma configuration
 module.exports = function(config) {
+  process.env.TZ = 'Etc/UTC';
+
   var progressReporter = process.env.CI ? 'mocha' : 'progress';
 
   var karmaConfig = {

config/unicorn.rb.example.development

 worker_processes 2
 timeout 60
+
+before_fork do |server, worker|
+  if /darwin/ =~ RUBY_PLATFORM
+    require 'fiddle'
+
+    # Dynamically load Foundation.framework, ~implicitly~ initialising
+    # the Objective-C runtime before any forking happens in Unicorn
+    #
+    # From https://bugs.ruby-lang.org/issues/14009
+    Fiddle.dlopen '/System/Library/Frameworks/Foundation.framework/Foundation'
+  end
+end
+

config/webpack.config.js

@@ -49,9 +49,6 @@ var config = {
     graphs:               './graphs/graphs_bundle.js',
     graphs_charts:        './graphs/graphs_charts.js',
     graphs_show:          './graphs/graphs_show.js',
-    group:                './group.js',
-    groups:               './groups/index.js',
-    groups_list:          './groups_list.js',
     help:                 './help/help.js',
     issuable:             './issuable/issuable_bundle.js',
     issues:               './issues/issues_bundle.js',
@@ -133,9 +130,9 @@ var config = {
       {
         test: /\_worker\.js$/,
         use: [
-          { 
+          {
             loader: 'worker-loader',
-            options: { 
+            options: {
               inline: true
             }
           },

doc/ci/yaml/README.md

@@ -1293,7 +1293,7 @@ to the CI pipeline:
 ```yaml
 variables:
   GIT_STRATEGY: clone
-  GIT_CHECKOUT: false
+  GIT_CHECKOUT: "false"
 script:
   - git checkout master
   - git merge $CI_BUILD_REF_NAME

doc/development/fe_guide/axios.md

@@ -27,10 +27,23 @@ This exported module should be used instead of directly using `axios` to ensure
     });
 ```
 
-## Mock axios response on tests
+## Mock axios response in tests
 
-To help us mock the responses we need we use [axios-mock-adapter][axios-mock-adapter]
+To help us mock the responses we are using [axios-mock-adapter][axios-mock-adapter].
 
+Advantages over [`spyOn()`]:
+
+- no need to create response objects
+- does not allow call through (which we want to avoid)
+- simple API to test error cases 
+- provides `replyOnce()` to allow for different responses
+
+We have also decided against using [axios interceptors] because they are not suitable for mocking.
+
+[axios interceptors]: https://github.com/axios/axios#interceptors
+[`spyOn()`]: https://jasmine.github.io/api/edge/global.html#spyOn
+
+### Example
 
 ```javascript
   import axios from '~/lib/utils/axios_utils';
@@ -50,11 +63,11 @@ To help us mock the responses we need we use [axios-mock-adapter][axios-mock-ada
   });
 
   afterEach(() => {
-    mock.reset();
+    mock.restore();
   });
 ```
 
-### Mock poll requests on tests with axios
+### Mock poll requests in tests with axios
 
 Because polling function requires a header object, we need to always include an object as the third argument:
 

doc/development/performance.md

@@ -36,7 +36,8 @@ graphs/dashboards.
 
 GitLab provides built-in tools to aid the process of improving performance:
 
-* [Sherlock](profiling.md#sherlock)
+* [Profiling](profiling.md)
+  * [Sherlock](profiling.md#sherlock)
 * [GitLab Performance Monitoring](../administration/monitoring/performance/index.md)
 * [Request Profiling](../administration/monitoring/performance/request_profiling.md)
 * [QueryRecoder](query_recorder.md) for preventing `N+1` regressions

doc/development/profiling.md

@@ -4,6 +4,41 @@ To make it easier to track down performance problems GitLab comes with a set of
 profiling tools, some of these are available by default while others need to be
 explicitly enabled.
 
+## Profiling a URL
+
+There is a `Gitlab::Profiler.profile` method, and corresponding
+`bin/profile-url` script, that enable profiling a GET or POST request to a
+specific URL, either as an anonymous user (the default) or as a specific user.
+
+When using the script, command-line documentation is available by passing no
+arguments.
+
+When using the method in an interactive console session, any changes to the
+application code within that console session will be reflected in the profiler
+output.
+
+For example:
+
+```ruby
+Gitlab::Profiler.profile('/my-user')
+# Returns a RubyProf::Profile for the regular operation of this request
+class UsersController; def show; sleep 100; end; end
+Gitlab::Profiler.profile('/my-user')
+# Returns a RubyProf::Profile where 100 seconds is spent in UsersController#show
+```
+
+Passing a `logger:` keyword argument to `Gitlab::Profiler.profile` will send
+ActiveRecord and ActionController log output to that logger. Further options are
+documented with the method source.
+
+[GitLab-Profiler](https://gitlab.com/gitlab-com/gitlab-profiler) is a project
+that builds on this to add some additional niceties, such as allowing
+configuration with a single Yaml file for multiple URLs, and uploading of the
+profile and log output to S3.
+
+For GitLab.com, you can find the latest results here:
+<http://redash.gitlab.com/dashboard/gitlab-profiler-statistics>
+
 ## Sherlock
 
 Sherlock is a custom profiling tool built into GitLab. Sherlock is _only_
@@ -27,13 +62,3 @@ Bullet will log query problems to both the Rails log as well as the Chrome
 console.
 
 As a follow up to finding `N+1` queries with Bullet, consider writing a [QueryRecoder test](query_recorder.md) to prevent a regression.
-
-## GitLab Profiler
-
-
-[Gitlab-Profiler](https://gitlab.com/gitlab-com/gitlab-profiler) was built to
-help developers understand why specific URLs of their application may be slow
-and to provide hard data that can help reduce load times.
-
-For GitLab.com, you can find the latest results here:
-<http://redash.gitlab.com/dashboard/gitlab-profiler-statistics>

doc/development/testing_guide/best_practices.md

@@ -88,6 +88,8 @@ Finished in 34.51 seconds (files took 0.76702 seconds to load)
 1 example, 0 failures
 ```
 
+Note: `live_debug` only works on javascript enabled specs.
+
 ### `let` variables
 
 GitLab's RSpec suite has made extensive use of `let` variables to reduce

doc/gitlab-geo/configuration.md

@@ -25,32 +25,49 @@ in your testing/production environment.
 - **Do not** add anything in the secondaries Geo nodes admin area
   (**Admin Area ➔ Geo Nodes**). This is handled solely by the primary node.
 
-### Step 1. Copying the database encryption key
+### Step 1. Manually replicate secret GitLab values
 
-GitLab stores a unique encryption key on disk that is used to encrypt
-sensitive data stored in the database. All secondary nodes must have the
-**exact same value** for `db_key_base` as defined on the primary node.
+GitLab stores a number of secret values in the `/etc/gitlab/gitlab-secrets.json`
+file which *must* match between the primary and secondary nodes. Until there is
+a means of automatically replicating these between nodes (see
+[issue #3789](https://gitlab.com/gitlab-org/gitlab-ee/issues/3789)), they must
+be manually replicated to the secondary.
 
-1. SSH into the **primary** node, and execute the command below
-to display the current encryption key:
+1. SSH into the **primary** node, and execute the command below:
 
     ```bash
-    sudo gitlab-rake geo:db:show_encryption_key
+    sudo cat /etc/gitlab/gitlab-secrets.json
     ```
 
-Copy the encryption key to bring it to the secondary node in the following steps.
+    This will display the secrets that need to be replicated, in JSON format.
 
-1. SSH into the **secondary** node and login as root:
+1. SSH into the **secondary** node and login as the `root` user:
 
     ```
     sudo -i
     ```
 
-1. Add the following to `/etc/gitlab/gitlab.rb`, replacing `encryption-key` with the output
-   of the previous command:
+1. Make a backup of any existing secrets:
 
-    ```ruby
-    gitlab_rails['db_key_base'] = 'encryption-key'
+    ```bash
+    mv /etc/gitlab/gitlab-secrets.json /etc/gitlab/gitlab-secrets.json.`date +%F`
+    ```
+
+1. Copy `/etc/gitlab/gitlab-secrets.json` from the primary to the secondary, or
+   copy-and-paste the file contents between nodes:
+
+    ```bash
+    sudo editor /etc/gitlab/gitlab-secrets.json
+
+    # paste the output of the `cat` command you ran on the primary
+    # save and exit
+    ```
+
+1. Ensure the file permissions are correct:
+
+    ```bash
+    chown root:root /etc/gitlab/gitlab-secrets.json
+    chmod 0600 /etc/gitlab/gitlab-secrets.json
     ```
 
 1. Reconfigure the secondary node for the change to take effect:
@@ -68,7 +85,62 @@ Make sure the secondary instance is
 running and accessible. You can login to the secondary node
 with the same credentials as used in the primary.
 
-### Step 2. (Optional) Enabling hashed storage (from GitLab 10.0)
+### Step 2. Manually replicate primary SSH host keys
+
+GitLab integrates with the system-installed SSH daemon, designating a user
+(typically named git) through which all access requests are handled.
+
+In a [Disaster Recovery](disaster-recovery.md) situation, GitLab system
+administrators will promote a secondary Geo replica to a primary and they can
+update the DNS records for the primary domain to point to the secondary to prevent
+the need to update all references to the primary domain to the secondary domain,
+like changing Git remotes and API URLs.
+
+This will cause all SSH requests to the newly promoted primary node from
+failing due to SSH host key mismatch. To prevent this, the primary SSH host
+keys must be manually replicated to the secondary node.
+
+1. SSH into the **secondary** node and login as the `root` user:
+
+    ```
+    sudo -i
+    ```
+
+1. Make a backup of any existing SSH host keys:
+
+    ```bash
+    find /etc/ssh -iname ssh_host_* -exec mv {} {}.backup.`date +%F` \;
+    ```
+
+1. SSH into the **primary** node, and execute the command below:
+
+    ```bash
+    sudo find /etc/ssh -iname ssh_host_* -not -iname '*.pub'
+    ```
+
+1. For each file in that list copy the file from the primary node to
+   the **same** location on your **secondary** node.
+
+1. On your **secondary** node, ensure the file permissions are correct:
+
+    ```bash
+    chown root:root /etc/ssh/ssh_host_*
+    chmod 0600 /etc/ssh/ssh_host_*
+    ```
+
+1. Regenerate the public keys from the private keys:
+
+    ```bash
+    find /etc/ssh -iname ssh_host_* -not -iname '*.backup*' -exec sh -c 'ssh-keygen -y -f "{}" > "{}.pub"' \;
+    ```
+
+1. Restart sshd:
+
+    ```bash
+    service ssh restart
+    ```
+
+### Step 3. (Optional) Enabling hashed storage (from GitLab 10.0)
 
 >**Warning**
 Hashed storage is in **Alpha**. It is considered experimental and not
@@ -85,7 +157,7 @@ renames no longer require synchronization between nodes.
 
     ![](img/hashed-storage.png)
 
-### Step 3. (Optional) Configuring the secondary to trust the primary
+### Step 4. (Optional) Configuring the secondary to trust the primary
 
 You can safely skip this step if your primary uses a CA-issued HTTPS certificate.
 
@@ -95,14 +167,14 @@ certificate from the primary and follow
 [these instructions](https://docs.gitlab.com/omnibus/settings/ssl.html)
 on the secondary.
 
-### Step 4. Enable Git access over HTTP/HTTPS
+### Step 5. Enable Git access over HTTP/HTTPS
 
 GitLab Geo synchronizes repositories over HTTP/HTTPS, and therefore requires this clone
 method to be enabled. Navigate to **Admin Area ➔ Settings**
 (`/admin/application_settings`) on the primary node, and set
 `Enabled Git access protocols` to `Both SSH and HTTP(S)` or `Only HTTP(S)`.
 
-### Step 5. Verify proper functioning of the secondary node
+### Step 6. Verify proper functioning of the secondary node
 
 Congratulations! Your secondary geo node is now configured!
 

doc/gitlab-geo/configuration_source.md

@@ -26,43 +26,56 @@ in your testing/production environment.
 - **Do not** add anything in the secondaries Geo nodes admin area
   (**Admin Area ➔ Geo Nodes**). This is handled solely by the primary node.
 
-### Step 1. Copying the database encryption key
+### Step 1. Manually replicate secret GitLab values
 
-GitLab stores a unique encryption key on disk that is used to encrypt
-sensitive data stored in the database. All secondary nodes must have the
-**exact same value** for `db_key_base` as defined on the primary node.
+GitLab stores a number of secret values in the `/home/git/gitlab/config/secrets.yml`
+file which *must* match between the primary and secondary nodes. Until there is
+a means of automatically replicating these between nodes (see
+[issue #3789](https://gitlab.com/gitlab-org/gitlab-ee/issues/3789)), they must
+be manually replicated to the secondary.
 
-1. SSH into the **primary** node,  and execute the command below to display the
-current encryption key:
+1. SSH into the **primary** node, and execute the command below:
 
     ```bash
-    sudo -u git -H bundle exec rake geo:db:show_encryption_key RAILS_ENV=production
+    sudo cat /home/git/gitlab/config/secrets.yml
     ```
 
-Copy the encryption key to bring it to the secondary node in the following steps.
+    This will display the secrets that need to be replicated, in YAML format.
 
-1. SSH into the **secondary**, and execute the command below to open the
-`secrets.yml` file:
+1. SSH into the **secondary** node and login as the `git` user:
 
     ```bash
-    sudo -u git -H editor config/secrets.yml
+    sudo -i -u git
     ```
 
-1. Change the value of `db_key_base` to the output from the primary node.
-Then save and close the file.
+1. Make a backup of any existing secrets:
 
-1. Restart GitLab for the changes to take effect:
+    ```bash
+    mv /home/git/gitlab/config/secrets.yml /home/git/gitlab/config/secrets.yml.`date +%F`
+    ```
+
+1. Copy `/home/git/gitlab/config/secrets.yml` from the primary to the secondary, or
+   copy-and-paste the file contents between nodes:
 
     ```bash
-    service gitlab restart
+    sudo editor /home/git/gitlab/config/secrets.yml
+
+    # paste the output of the `cat` command you ran on the primary
+    # save and exit
+    ```
+
+1. Ensure the file permissions are correct:
+
+    ```bash
+    chown git:git /home/git/gitlab/config/secrets.yml
+    chmod 0600 /home/git/gitlab/config/secrets.yml
     ```
 
-The secondary will start automatically replicating missing data from the
-primary in a process known as backfill. Meanwhile, the primary node will start
-to notify changes to the secondary, which will act on those notifications
-immediately. Make sure the secondary instance is running and accessible.
+1. Restart GitLab for the changes to take effect:
 
-### Step 2. (Optional) Enabling hashed storage
+    ```bash
+    service gitlab restart
+    ```
 
 Once restarted, the secondary will automatically start replicating missing data
 from the primary in a process known as backfill. Meanwhile, the primary node
@@ -72,11 +85,15 @@ act on those notifications immediately.
 Make sure the secondary instance is running and accessible. You can login to
 the secondary node with the same credentials as used in the primary.
 
-### Step 2. (Optional) Enabling hashed storage (from GitLab 10.0)
+### Step 2. Manually replicate primary SSH host keys
+
+Read [Manually replicate primary SSH host keys](configuration.md#step-2-manually-replicate-primary-ssh-host-keys)
+
+### Step 3. (Optional) Enabling hashed storage (from GitLab 10.0)
 
-Read [Enabling Hashed Storage](configuration.md#step-2-optional-enabling-hashed-storage-from-gitlab-10-0)
+Read [Enabling Hashed Storage](configuration.md#step-3-optional-enabling-hashed-storage-from-gitlab-10-0)
 
-### Step 3. (Optional) Configuring the secondary to trust the primary
+### Step 4. (Optional) Configuring the secondary to trust the primary
 
 You can safely skip this step if your primary uses a CA-issued HTTPS certificate.
 
@@ -92,16 +109,16 @@ cp primary.geo.example.com.crt /usr/local/share/ca-certificates
 update-ca-certificates
 ```
 
-### Step 4. Enable Git access over HTTP/HTTPS
+### Step 5. Enable Git access over HTTP/HTTPS
 
 GitLab Geo synchronizes repositories over HTTP/HTTPS, and therefore requires this clone
 method to be enabled. Navigate to **Admin Area ➔ Settings**
 (`/admin/application_settings`) on the primary node, and set
 `Enabled Git access protocols` to `Both SSH and HTTP(S)` or `Only HTTP(S)`.
 
-### Step 5. Verify proper functioning of the secondary node
+### Step 6. Verify proper functioning of the secondary node
 
-Read [Verify proper functioning of the secondary node](configuration.md#step-5-verify-proper-functioning-of-the-secondary-node).
+Read [Verify proper functioning of the secondary node](configuration.md#step-6-verify-proper-functioning-of-the-secondary-node).
 
 
 ## Selective replication

doc/gitlab-geo/disaster-recovery.md

@@ -73,7 +73,7 @@ secondary domain, like changing Git remotes and API URLs.
 
 1. SSH in to your **secondary** and login as root:
 
-    ```
+    ```bash
     sudo -i
     ```
 
@@ -82,20 +82,20 @@ secondary domain, like changing Git remotes and API URLs.
     After updating the primary domain's DNS records to point to the secondary,
     edit `/etc/gitlab/gitlab.rb` on the the secondary to reflect the new URL:
 
-    ```
+    ```ruby
     # Change the existing external_url configuration
     external_url 'https://gitlab.example.com'
     ```
 
 1. Reconfigure the secondary node for the change to take effect:
 
-    ```
+    ```bash
     gitlab-ctl reconfigure
     ```
 
 1. Execute the command below to update the newly promoted primary node URL:
 
-    ```
+    ```bash
     gitlab-rake geo:update_primary_node_url
     ```
 

doc/gitlab-geo/faq.md

@@ -10,6 +10,19 @@ primary, but this is not officially supported yet.
 If you still want to proceed, see our step-by-step instructions on how to
 manually [promote a secondary node](disaster-recovery.md) into primary.
 
+## I followed the disaster recovery instructions and now two-factor auth is broken!
+
+The setup instructions for GitLab Geo prior to 10.5 failed to replicate the
+`otp_key_base` secret, which used to encrypt the two-factor authentication
+secrets stored in the database. If it differs between primary and secondary
+nodes, users with two-factor authentication enabled won't be able to log in
+after a DR failover.
+
+If you still have access to the old primary node, you can follow the
+instructions in the [Upgrading to GitLab 10.5](updating_the_geo_nodes.md#upgrading-to-gitlab-105)
+section to resolve the error. Otherwise, the secret is lost and you'll need to
+[reset two-factor authentication for all users](../security/two_factor_authentication.md#disabling-2fa-for-everyone).
+
 ## What data is replicated to a secondary node?
 
 We currently replicate project repositories, LFS objects, generated

doc/gitlab-geo/updating_the_geo_nodes.md

@@ -14,6 +14,33 @@ all you need to do is update GitLab itself:
    the tracking database is enabled.
 1. [Test](#check-status-after-updating) primary and secondary nodes, and check version in each.
 
+## Upgrading to GitLab 10.5
+
+For Geo Disaster Recovery to work with minimum downtime, your Geo secondary
+should use the same set of secrets as the primary. However, setup instructions
+prior to the 10.5 release only synchronized the `db_key_base` secret.
+
+To rectify this error on existing installations, you should **overwrite** the
+contents of `/etc/gitlab/gitlab-secrets.json` on the secondary node with the
+contents of `/etc/gitlab/gitlab-secrets.json` on the primary node, then run the
+following command on the secondary node:
+
+```bash
+sudo gitlab-ctl reconfigure
+```
+
+If you do not perform this step, you may find that two-factor authentication
+[is broken following DR](faq.md#i-followed-the-disaster-recovery-instructions-and-now-two-factor-auth-is-broken).
+
+To prevent SSH requests to the newly promoted primary node from failing
+due to SSH host key mismatch when updating the primary domain's DNS record
+you should perform the step to [Manually replicate primary SSH host keys](configuration.md#step-2-manually-replicate-primary-ssh-host-keys) in each
+secondary node.
+
+## Upgrading to GitLab 10.4
+
+There are no Geo-specific steps to take!
+
 ## Upgrading to GitLab 10.3
 
 ### Support for SSH repository synchronization removed
@@ -22,7 +49,7 @@ In GitLab 10.2, synchronizing secondaries over SSH was deprecated. In 10.3,
 support is removed entirely. All installations will switch to the HTTP/HTTPS
 cloning method instead. Before upgrading, ensure that all your Geo nodes are
 configured to use this method and that it works for your installation. In
-particular, ensure that [Git access over HTTP/HTTPS is enabled](configuration.md#step-4-enable-git-access-over-http-https).
+particular, ensure that [Git access over HTTP/HTTPS is enabled](configuration.md#step-5-enable-git-access-over-http-https).
 
 Synchronizing repositories over the public Internet using HTTP is insecure, so
 you should ensure that you have HTTPS configured before upgrading. Note that
@@ -30,7 +57,7 @@ file synchronization is **also** insecure in these cases!
 
 ## Upgrading to GitLab 10.2
 
-### Secure PostgreSQL replication 
+### Secure PostgreSQL replication
 
 Support for TLS-secured PostgreSQL replication has been added. If you are
 currently using PostgreSQL replication across the open internet without an

doc/raketasks/backup_restore.md

@@ -169,6 +169,30 @@ For Omnibus GitLab packages:
 
 1. [Reconfigure GitLab] for the changes to take effect
 
+#### Digital Ocean Spaces and other S3-compatible providers
+
+Not all S3 providers are fully-compatible with the Fog library. For example,
+if you see `411 Length Required` errors after attempting to upload, you may
+need to downgrade the `aws_signature_version` value from the default value to
+2 [due to this issue](https://github.com/fog/fog-aws/issues/428).
+
+1. For example, with [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces/),
+this example configuration can be used for a bucket in Amsterdam (AMS3):
+
+    ```ruby
+    gitlab_rails['backup_upload_connection'] = {
+      'provider' => 'AWS',
+      'region' => 'ams3',
+      'aws_access_key_id' => 'AKIAKIAKI',
+      'aws_secret_access_key' => 'secret123',
+      'aws_signature_version' => 2,
+      'endpoint'              => 'https://ams3.digitaloceanspaces.com'
+    }
+    gitlab_rails['backup_upload_remote_directory'] = 'my.s3.bucket'
+    ```
+
+1. [Reconfigure GitLab] for the changes to take effect
+
 ---
 
 For installations from source:

doc/security/rack_attack.md

-# Rack attack
+# Rack Attack
 
-To prevent abusive clients doing damage GitLab uses rack-attack gem.
+Rack Attack, also known as Rack::Attack, is [a rubygem](https://github.com/kickstarter/rack-attack)
+that is meant to protect GitLab with the ability to customize throttling and
+blocking user IPs.
+You can prevent brute-force passwords attacks, scrapers, or any other offenders
+by throttling requests from IP addresses making large volumes of requests.
+In case you find throttling is not enough to protect you against abusive clients,
+Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering and
+tracking.
 
-If you installed or upgraded GitLab by following the official guides this should be enabled by default.
+By default, user sign-in, user sign-up (if enabled), and user password reset is
+limited to 6 requests per minute. After trying for 6 times, the client will
+have to wait for the next minute to be able to try again.
 
-If you are missing `config/initializers/rack_attack.rb` the following steps need to be taken in order to enable protection for your GitLab instance:
+If you installed or upgraded GitLab by following the [official guides](../install/README.md)
+this should be enabled by default. If your instance is not exposed to any incoming
+connections, it is recommended to disable Rack Attack.
 
-1.  In config/application.rb find and uncomment the following line:
+For more information on how to use these options check out
+[rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
 
-        config.middleware.use Rack::Attack
+## Settings
 
-1.  Rename `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb`.
+**Omnibus GitLab**
 
-1.  Review the `paths_to_be_protected` and add any other path you need protecting.
+1. Open `/etc/gitlab/gitlab.rb` with you editor
+1. Add the following:
 
-1.  Restart GitLab instance.
+    ```ruby
+    gitlab_rails['rack_attack_git_basic_auth'] = {
+      'enabled' => true,
+      'ip_whitelist' => ["127.0.0.1"],
+      'maxretry' => 10,
+      'findtime' => 60,
+      'bantime' => 3600
+    }
+    ```
 
-By default, user sign-in, user sign-up(if enabled) and user password reset is limited to 6 requests per minute. After trying for 6 times, client will have to wait for the next minute to be able to try again. These settings can be found in `config/initializers/rack_attack.rb`
+3. Reconfigure GitLab:
 
-If you want more restrictive/relaxed throttle rule change the `limit` or `period` values. For example, more relaxed throttle rule will be if you set limit: 3 and period: 1.second(this will allow 3 requests per second). You can also add other paths to the protected list by adding to `paths_to_be_protected` variable. If you change any of these settings do not forget to restart your GitLab instance.
+    ```
+    sudo gitlab-ctl reconfigure
+    ```
 
-In case you find throttling is not enough to protect you against abusive clients, rack-attack gem offers IP whitelisting, blacklisting, Fail2ban style filter and tracking.
+The following settings can be configured:
 
-For more information on how to use these options check out [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
+- `enabled`: By default this is set to `true`. Set this to `false` to disable Rack Attack.
+- `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array.
+   For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`.
+- `maxretry`: The maximum amount of times a request can be made in the
+   specified time.
+- `findtime`: The maximum amount of time failed requests can count against an IP
+   before it's blacklisted.
+- `bantime`: The total amount of time that a blacklisted IP will be blocked in
+   seconds.
+
+**Installations from source**
+
+These settings can be found in `config/initializers/rack_attack.rb`. If you are
+missing `config/initializers/rack_attack.rb`, the following steps need to be
+taken in order to enable protection for your GitLab instance:
+
+1. In `config/application.rb` find and uncomment the following line:
+
+    ```ruby
+    config.middleware.use Rack::Attack
+    ```
+
+1. Copy `config/initializers/rack_attack.rb.example` to `config/initializers/rack_attack.rb`
+1. Open `config/initializers/rack_attack.rb`, review the
+   `paths_to_be_protected`, and add any other path you need protecting
+1. Restart GitLab:
+
+    ```sh
+    sudo service gitlab restart
+    ```
+
+If you want more restrictive/relaxed throttle rules, edit
+`config/initializers/rack_attack.rb` and change the `limit` or `period` values.
+For example, more relaxed throttle rules will be if you set
+`limit: 3` and `period: 1.seconds` (this will allow 3 requests per second).
+You can also add other paths to the protected list by adding to `paths_to_be_protected`
+variable. If you change any of these settings do not forget to restart your
+GitLab instance.
+
+## Remove blocked IPs from Rack Attack via Redis
+
+In case you want to remove a blocked IP, follow these steps:
+
+1. Find the IPs that have been blocked in the production log:
+
+    ```sh
+    grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log
+    ```
+
+2. Since the blacklist is stored in Redis, you need to open up `redis-cli`:
+
+    ```sh
+    /opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
+    ```
+
+3. You can remove the block using the following syntax, replacing `<ip>` with
+   the actual IP that is blacklisted:
+
+    ```
+    del cache:gitlab:rack::attack:allow2ban:ban:<ip>
+    ```
+
+4. Confirm that the key with the IP no longer shows up:
+
+    ```
+    keys *rack::attack*
+    ```
+
+5. Optionally, add the IP to the whitelist to prevent it from being blacklisted
+   again (see [settings](#settings)).
+
+## Troubleshooting
+
+### Rack attack is blacklisting the load balancer
+
+Rack Attack may block your load balancer if all traffic appears to come from
+the load balancer. In that case, you will need to:
+
+1. [Configure `nginx[real_ip_trusted_addresses]`](https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-gitlab-trusted_proxies-and-the-nginx-real_ip-module).
+   This will keep users' IPs from being listed as the load balancer IPs.
+2. Whitelist the load balancer's IP address(es) in the Rack Attack [settings](#settings).
+3. Reconfigure GitLab:
+
+    ```
+    sudo gitlab-ctl reconfigure
+    ```
+
+4. [Remove the block via Redis.](#remove-blocked-ips-from-rack-attack-via-redis)

doc/topics/autodevops/index.md

@@ -21,10 +21,10 @@ project in an easy and automatic way:
 1. [Auto Code Quality](#auto-code-quality)
 1. [Auto SAST (Static Application Security Testing)](#auto-sast)
 1. [Auto SAST for Docker images](#auto-sast-for-docker-images)
-1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast)
-1. [Auto Browser Performance Testing](#auto-browser-performance-testing)
 1. [Auto Review Apps](#auto-review-apps)
+1. [Auto DAST (Dynamic Application Security Testing)](#auto-dast)
 1. [Auto Deploy](#auto-deploy)
+1. [Auto Browser Performance Testing](#auto-browser-performance-testing)
 1. [Auto Monitoring](#auto-monitoring)
 
 As Auto DevOps relies on many different components, it's good to have a basic
@@ -229,6 +229,32 @@ check out.
 In GitLab Enterprise Edition Ultimate, any security warnings are also
 [shown in the merge request widget](../../user/project/merge_requests/sast_docker.md).
 
+### Auto Review Apps
+
+NOTE: **Note:**
+This is an optional step, since many projects do not have a Kubernetes cluster
+available. If the [prerequisites](#prerequisites) are not met, the job will
+silently be skipped.
+
+CAUTION: **Caution:**
+Your apps should *not* be manipulated outside of Helm (using Kubernetes directly.)
+This can cause confusion with Helm not detecting the change, and subsequent
+deploys with Auto DevOps can undo your changes. Also, if you change something
+and want to undo it by deploying again, Helm may not detect that anything changed
+in the first place, and thus not realize that it needs to re-apply the old config.
+
+[Review Apps][review-app] are temporary application environments based on the
+branch's code so developers, designers, QA, product managers, and other
+reviewers can actually see and interact with code changes as part of the review
+process. Auto Review Apps create a Review App for each branch.
+
+The Review App will have a unique URL based on the project name, the branch
+name, and a unique number, combined with the Auto DevOps base domain. For
+example, `user-project-branch-1234.example.com`. A link to the Review App shows
+up in the merge request widget for easy discovery. When the branch is deleted,
+for example after the merge request is merged, the Review App will automatically
+be deleted.
+
 ### Auto DAST
 
 > Introduced in [GitLab Enterprise Edition Ultimate][ee] 10.4.
@@ -257,32 +283,6 @@ Auto Browser Performance Testing utilizes the [Sitespeed.io container](https://h
 In GitLab Enterprise Edition Premium, performance differences between the source
 and target branches are [shown in the merge request widget](../../user/project/merge_requests/browser_performance_testing.md).
 
-### Auto Review Apps
-
-NOTE: **Note:**
-This is an optional step, since many projects do not have a Kubernetes cluster
-available. If the [prerequisites](#prerequisites) are not met, the job will
-silently be skipped.
-
-CAUTION: **Caution:**
-Your apps should *not* be manipulated outside of Helm (using Kubernetes directly.)
-This can cause confusion with Helm not detecting the change, and subsequent
-deploys with Auto DevOps can undo your changes. Also, if you change something
-and want to undo it by deploying again, Helm may not detect that anything changed
-in the first place, and thus not realize that it needs to re-apply the old config.
-
-[Review Apps][review-app] are temporary application environments based on the
-branch's code so developers, designers, QA, product managers, and other
-reviewers can actually see and interact with code changes as part of the review
-process. Auto Review Apps create a Review App for each branch.
-
-The Review App will have a unique URL based on the project name, the branch
-name, and a unique number, combined with the Auto DevOps base domain. For
-example, `user-project-branch-1234.example.com`. A link to the Review App shows
-up in the merge request widget for easy discovery. When the branch is deleted,
-for example after the merge request is merged, the Review App will automatically
-be deleted.
-
 ### Auto Deploy
 
 NOTE: **Note:**

ee/app/models/push_rule.rb

 class PushRule < ActiveRecord::Base
+  MatchError = Class.new(StandardError)
+
   belongs_to :project
 
   validates :project, presence: true, unless: "is_sample?"
@@ -98,6 +100,8 @@ class PushRule < ActiveRecord::Base
     else
       true
     end
+  rescue RegexpError => e
+    raise MatchError, "Regular expression '#{regex}' is invalid: #{e.message}"
   end
 
   def read_setting_with_global_default(setting)

ee/app/services/geo/repository_sync_service.rb

@@ -22,6 +22,8 @@ module Geo
         fetch_geo_mirror(project.repository)
       end
 
+      update_gitattributes
+
       update_registry!(finished_at: DateTime.now, attrs: { last_repository_sync_failure: nil })
       log_info('Finished repository sync',
                update_delay_s: update_delay_in_seconds,
@@ -52,6 +54,13 @@ module Geo
       project.repository
     end
 
+    # Update info/attributes file using the contents of .gitattributes file from the default branch
+    def update_gitattributes
+      return if project.default_branch.nil?
+
+      repository.copy_gitattributes(project.default_branch)
+    end
+
     def retry_count
       registry.public_send("#{type}_retry_count") || -1 # rubocop:disable GitlabSecurity/PublicSend
     end

ee/lib/ee/gitlab/checks/change_access.rb

+module EE
+  module Gitlab
+    module Checks
+      module ChangeAccess
+        extend ActiveSupport::Concern
+        extend ::Gitlab::Utils::Override
+        include PathLocksHelper
+        include ::Gitlab::Utils::StrongMemoize
+
+        ERROR_MESSAGES = {
+          push_rule_branch_name: "Branch name does not follow the pattern '%{branch_name_regex}'",
+          push_rule_committer_not_verified: "Comitter email '%{commiter_email}' is not verified.",
+          push_rule_committer_not_allowed: "You cannot push commits for '%{committer_email}'. You can only push commits that were committed with one of your own verified emails."
+        }.freeze
+
+        override :exec
+        def exec
+          return true if skip_authorization
+
+          super
+
+          push_rule_check
+
+          true
+        end
+
+        private
+
+        def push_rule_check
+          return unless newrev && oldrev && project.feature_available?(:push_rules)
+
+          push_rule = project.push_rule
+
+          if tag_name
+            push_rule_tag_check(push_rule)
+          else
+            push_rule_branch_check(push_rule)
+          end
+        end
+
+        def push_rule_tag_check(push_rule)
+          if tag_deletion_denied_by_push_rule?(push_rule)
+            raise ::Gitlab::GitAccess::UnauthorizedError, 'You cannot delete a tag'
+          end
+        end
+
+        def push_rule_branch_check(push_rule)
+          unless branch_name_allowed_by_push_rule?(push_rule)
+            message = ERROR_MESSAGES[:push_rule_branch_name] % { branch_name_regex: push_rule.branch_name_regex }
+            raise ::Gitlab::GitAccess::UnauthorizedError.new(message)
+          end
+
+          commit_validation = push_rule.try(:commit_validation?)
+          # if newrev is blank, the branch was deleted
+          return if deletion? || !(commit_validation || validate_path_locks?)
+
+          # n+1: https://gitlab.com/gitlab-org/gitlab-ee/issues/3593
+          ::Gitlab::GitalyClient.allow_n_plus_1_calls do
+            commits.each do |commit|
+              push_rule_commit_check(commit, push_rule)
+            end
+          end
+        rescue ::PushRule::MatchError => e
+          raise ::Gitlab::GitAccess::UnauthorizedError, e.message
+        end
+
+        def branch_name_allowed_by_push_rule?(push_rule)
+          return true if skip_branch_name_push_rule?(push_rule)
+
+          push_rule.branch_name_allowed?(branch_name)
+        end
+
+        def skip_branch_name_push_rule?(push_rule)
+          push_rule.nil? ||
+            deletion? ||
+            branch_name.blank? ||
+            branch_name == project.default_branch
+        end
+
+        def tag_deletion_denied_by_push_rule?(push_rule)
+          push_rule.try(:deny_delete_tag) &&
+            !updated_from_web? &&
+            deletion? &&
+            tag_exists?
+        end
+
+        def push_rule_commit_check(commit, push_rule)
+          if push_rule.try(:commit_validation?)
+            error = check_commit(commit, push_rule)
+            raise ::Gitlab::GitAccess::UnauthorizedError, error if error
+          end
+
+          if error = check_commit_diff(commit, push_rule)
+            raise ::Gitlab::GitAccess::UnauthorizedError, error
+          end
+        end
+
+        # If commit does not pass push rule validation the whole push should be rejected.
+        # This method should return nil if no error found or a string if error.
+        # In case of errors - all other checks will be canceled and push will be rejected.
+        def check_commit(commit, push_rule)
+          unless push_rule.commit_message_allowed?(commit.safe_message)
+            return "Commit message does not follow the pattern '#{push_rule.commit_message_regex}'"
+          end
+
+          unless push_rule.author_email_allowed?(commit.committer_email)
+            return "Committer's email '#{commit.committer_email}' does not follow the pattern '#{push_rule.author_email_regex}'"
+          end
+
+          unless push_rule.author_email_allowed?(commit.author_email)
+            return "Author's email '#{commit.author_email}' does not follow the pattern '#{push_rule.author_email_regex}'"
+          end
+
+          committer_error_message = committer_check(commit, push_rule)
+          return committer_error_message if committer_error_message
+
+          if !updated_from_web? && !push_rule.commit_signature_allowed?(commit)
+            return "Commit must be signed with a GPG key"
+          end
+
+          # Check whether author is a GitLab member
+          if push_rule.member_check
+            unless ::User.existing_member?(commit.author_email.downcase)
+              return "Author '#{commit.author_email}' is not a member of team"
+            end
+
+            if commit.author_email.casecmp(commit.committer_email) == -1
+              unless ::User.existing_member?(commit.committer_email.downcase)
+                return "Committer '#{commit.committer_email}' is not a member of team"
+              end
+            end
+          end
+
+          nil
+        end
+
+        def committer_check(commit, push_rule)
+          unless push_rule.committer_allowed?(commit.committer_email, user_access.user)
+            committer_is_current_user = commit.committer == user_access.user
+
+            if committer_is_current_user && !commit.committer.verified_email?(commit.committer_email)
+              ERROR_MESSAGES[:push_rule_committer_not_verified] % { committer_email: commit.committer_email }
+            else
+              ERROR_MESSAGES[:push_rule_committer_not_allowed] % { committer_email: commit.committer_email }
+            end
+          end
+        end
+
+        def check_commit_diff(commit, push_rule)
+          validations = validations_for_commit(commit, push_rule)
+
+          return if validations.empty?
+
+          commit.raw_deltas.each do |diff|
+            validations.each do |validation|
+              if error = validation.call(diff)
+                return error
+              end
+            end
+          end
+
+          nil
+        end
+
+        def validations_for_commit(commit, push_rule)
+          validations = base_validations
+
+          return validations unless push_rule
+
+          validations << file_name_validation(push_rule)
+
+          if push_rule.max_file_size > 0
+            validations << file_size_validation(commit, push_rule.max_file_size)
+          end
+
+          validations
+        end
+
+        def base_validations
+          validate_path_locks? ? [path_locks_validation] : []
+        end
+
+        def validate_path_locks?
+          strong_memoize(:validate_path_locks) do
+            project.feature_available?(:file_locks) &&
+              project.path_locks.any? && newrev && oldrev &&
+              project.default_branch == branch_name # locks protect default branch only
+          end
+        end
+
+        def path_locks_validation
+          lambda do |diff|
+            path = diff.new_path || diff.old_path
+
+            lock_info = project.find_path_lock(path)
+
+            if lock_info && lock_info.user != user_access.user
+              return "The path '#{lock_info.path}' is locked by #{lock_info.user.name}"
+            end
+          end
+        end
+
+        def file_name_validation(push_rule)
+          lambda do |diff|
+            if (diff.renamed_file || diff.new_file) && blacklisted_regex = push_rule.filename_blacklisted?(diff.new_path)
+              return nil unless blacklisted_regex.present?
+
+              "File name #{diff.new_path} was blacklisted by the pattern #{blacklisted_regex}."
+            end
+          end
+        end
+
+        def file_size_validation(commit, max_file_size)
+          lambda do |diff|
+            return if diff.deleted_file
+
+            blob = project.repository.blob_at(commit.id, diff.new_path)
+            if blob && blob.size && blob.size > max_file_size.megabytes
+              return "File #{diff.new_path.inspect} is larger than the allowed size of #{max_file_size} MB"
+            end
+          end
+        end
+
+        def commits
+          project.repository.new_commits(newrev)
+        end
+      end
+    end
+  end
+end

ee/lib/ee/gitlab/ldap/person.rb

@@ -46,7 +46,7 @@ module EE
           def ldap_attributes(config)
             attributes = super + [
               'memberof',
-              config.sync_ssh_keys
+              (config.sync_ssh_keys if config.sync_ssh_keys.is_a?(String))
             ]
             attributes.compact.uniq
           end

ee/lib/gitlab/geo/geo_tasks.rb

@@ -26,10 +26,8 @@ module Gitlab
         $stdout.puts "Updating primary Geo node with URL #{node.url} ..."
 
         if node.update(url: GeoNode.current_node_url)
-          puts "#{node.url} is now the primary Geo node URL".color(:green)
           $stdout.puts "#{node.url} is now the primary Geo node URL".color(:green)
         else
-          puts "Error saving Geo node:\n#{node.errors.full_messages.join("\n")}".color(:red)
           $stdout.puts "Error saving Geo node:\n#{node.errors.full_messages.join("\n")}".color(:red)
           exit 1
         end

ee/lib/tasks/geo.rake

@@ -55,11 +55,6 @@ namespace :geo do
       Gitlab::Geo::DatabaseTasks.load_seed
     end
 
-    desc 'Display database encryption key'
-    task show_encryption_key: :environment do
-      puts Rails.application.secrets.db_key_base
-    end
-
     desc 'Refresh Foreign Tables definition in Geo Secondary node'
     task refresh_foreign_tables: [:environment] do
       if Gitlab::Geo::GeoTasks.foreign_server_configured?

lib/api/helpers/internal_helpers.rb

 module API
   module Helpers
     module InternalHelpers
-      SSH_GITALY_FEATURES = {
-        'git-receive-pack' => [:ssh_receive_pack, Gitlab::GitalyClient::MigrationStatus::OPT_IN],
-        'git-upload-pack' => [:ssh_upload_pack, Gitlab::GitalyClient::MigrationStatus::OPT_OUT]
-      }.freeze
-
       attr_reader :redirected_path
 
       def wiki?
@@ -102,8 +97,14 @@ module API
 
       # Return the Gitaly Address if it is enabled
       def gitaly_payload(action)
-        feature, status = SSH_GITALY_FEATURES[action]
-        return unless feature && Gitlab::GitalyClient.feature_enabled?(feature, status: status)
+        return unless %w[git-receive-pack git-upload-pack].include?(action)
+
+        if action == 'git-receive-pack'
+          return unless Gitlab::GitalyClient.feature_enabled?(
+            :ssh_receive_pack,
+            status: Gitlab::GitalyClient::MigrationStatus::OPT_OUT
+          )
+        end
 
         {
           repository: repository.gitaly_repository,

lib/api/members.rb

@@ -22,7 +22,7 @@ module API
           source = find_source(source_type, params[:id])
 
           users = source.users
-          users = users.merge(User.search(params[:query])) if params[:query]
+          users = users.merge(User.search(params[:query])) if params[:query].present?
 
           present paginate(users), with: Entities::Member, source: source
         end

lib/api/v3/members.rb

@@ -23,7 +23,7 @@ module API
             source = find_source(source_type, params[:id])
 
             users = source.users
-            users = users.merge(User.search(params[:query])) if params[:query]
+            users = users.merge(User.search(params[:query])) if params[:query].present?
 
             present paginate(users), with: ::API::Entities::Member, source: source
           end

lib/gitlab/database/grant.rb

@@ -12,30 +12,40 @@ module Gitlab
       # Returns true if the current user can create and execute triggers on the
       # given table.
       def self.create_and_execute_trigger?(table)
-        priv =
-          if Database.postgresql?
-            where(privilege_type: 'TRIGGER', table_name: table)
-              .where('grantee = user')
-          else
-            queries = [
-              Grant.select(1)
-                .from('information_schema.user_privileges')
-                .where("PRIVILEGE_TYPE = 'SUPER'")
-                .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')"),
+        if Database.postgresql?
+          # We _must not_ use quote_table_name as this will produce double
+          # quotes on PostgreSQL and for "has_table_privilege" we need single
+          # quotes.
+          quoted_table = connection.quote(table)
 
-              Grant.select(1)
-                .from('information_schema.schema_privileges')
-                .where("PRIVILEGE_TYPE = 'TRIGGER'")
-                .where('TABLE_SCHEMA = ?', Gitlab::Database.database_name)
-                .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')")
-            ]
+          begin
+            from(nil)
+              .pluck("has_table_privilege(#{quoted_table}, 'TRIGGER')")
+              .first
+          rescue ActiveRecord::StatementInvalid
+            # This error is raised when using a non-existing table name. In this
+            # case we just want to return false as a user technically can't
+            # create triggers for such a table.
+            false
+          end
+        else
+          queries = [
+            Grant.select(1)
+              .from('information_schema.user_privileges')
+              .where("PRIVILEGE_TYPE = 'SUPER'")
+              .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')"),
 
-            union = SQL::Union.new(queries).to_sql
+            Grant.select(1)
+              .from('information_schema.schema_privileges')
+              .where("PRIVILEGE_TYPE = 'TRIGGER'")
+              .where('TABLE_SCHEMA = ?', Gitlab::Database.database_name)
+              .where("GRANTEE = CONCAT('\\'', REPLACE(CURRENT_USER(), '@', '\\'@\\''), '\\'')")
+          ]
 
-            Grant.from("(#{union}) privs")
-          end
+          union = SQL::Union.new(queries).to_sql
 
-        priv.any?
+          Grant.from("(#{union}) privs").any?
+        end
       end
     end
   end

lib/gitlab/git/blob.rb

@@ -132,6 +132,8 @@ module Gitlab
         end
 
         def find_by_gitaly(repository, sha, path, limit: MAX_DATA_DISPLAY_SIZE)
+          return unless path
+
           path = path.sub(/\A\/*/, '')
           path = '/' if path.empty?
           name = File.basename(path)
@@ -173,6 +175,8 @@ module Gitlab
         end
 
         def find_by_rugged(repository, sha, path, limit:)
+          return unless path
+
           rugged_commit = repository.lookup(sha)
           root_tree = rugged_commit.tree