Add latest changes from gitlab-org/gitlab@master

app/assets/javascripts/clusters/components/ingress_modsecurity_settings.vue

@@ -93,7 +93,10 @@ export default {
       return [UPDATING].includes(this.ingress.status);
     },
     saveButtonDisabled() {
-      return [UNINSTALLING, UPDATING, INSTALLING].includes(this.ingress.status);
+      return (
+        [UNINSTALLING, UPDATING, INSTALLING].includes(this.ingress.status) ||
+        this.ingress.updateAvailable
+      );
     },
     saveButtonLabel() {
       return this.saving ? __('Saving') : __('Save changes');
@@ -105,13 +108,14 @@ export default {
      *     neither getting installed nor updated.
      */
     showButtons() {
-      return (
-        this.saving || (this.hasValueChanged && [INSTALLED, UPDATED].includes(this.ingress.status))
-      );
+      return this.saving || this.valuesChangedByUser;
     },
     modSecurityModeName() {
       return this.modes[this.ingress.modsecurity_mode].name;
     },
+    valuesChangedByUser() {
+      return this.hasValueChanged && [INSTALLED, UPDATED].includes(this.ingress.status);
+    },
   },
   methods: {
     updateApplication() {

app/assets/javascripts/clusters/stores/clusters_store.js

@@ -59,6 +59,7 @@ export default class ClusterStore {
           isEditingModSecurityEnabled: false,
           isEditingModSecurityMode: false,
           updateFailed: false,
+          updateAvailable: false,
         },
         cert_manager: {
           ...applicationInitialState,
@@ -213,6 +214,7 @@ export default class ClusterStore {
       if (appId === INGRESS) {
         this.state.applications.ingress.externalIp = serverAppEntry.external_ip;
         this.state.applications.ingress.externalHostname = serverAppEntry.external_hostname;
+        this.state.applications.ingress.updateAvailable = updateAvailable;
         if (!this.state.applications.ingress.isEditingModSecurityEnabled) {
           this.state.applications.ingress.modsecurity_enabled = serverAppEntry.modsecurity_enabled;
         }

app/controllers/projects/merge_requests/diffs_controller.rb

@@ -98,7 +98,7 @@ class Projects::MergeRequests::DiffsController < Projects::MergeRequests::Applic
         @merge_request.merge_request_diff
       end
 
-    return unless @merge_request_diff
+    return unless @merge_request_diff&.id
 
     @comparable_diffs = @merge_request_diffs.select { |diff| diff.id < @merge_request_diff.id }
 

app/controllers/projects/prometheus/alerts_controller.rb

+# frozen_string_literal: true
+
+module Projects
+  module Prometheus
+    class AlertsController < Projects::ApplicationController
+      include MetricsDashboard
+
+      respond_to :json
+
+      protect_from_forgery except: [:notify]
+
+      skip_before_action :project, only: [:notify]
+
+      prepend_before_action :repository, :project_without_auth, only: [:notify]
+
+      before_action :authorize_read_prometheus_alerts!, except: [:notify]
+      before_action :alert, only: [:update, :show, :destroy, :metrics_dashboard]
+
+      def index
+        render json: serialize_as_json(alerts)
+      end
+
+      def show
+        render json: serialize_as_json(alert)
+      end
+
+      def notify
+        token = extract_alert_manager_token(request)
+
+        if notify_service.execute(token)
+          head :ok
+        else
+          head :unprocessable_entity
+        end
+      end
+
+      def create
+        @alert = create_service.execute
+
+        if @alert.persisted?
+          schedule_prometheus_update!
+
+          render json: serialize_as_json(@alert)
+        else
+          head :no_content
+        end
+      end
+
+      def update
+        if update_service.execute(alert)
+          schedule_prometheus_update!
+
+          render json: serialize_as_json(alert)
+        else
+          head :no_content
+        end
+      end
+
+      def destroy
+        if destroy_service.execute(alert)
+          schedule_prometheus_update!
+
+          head :ok
+        else
+          head :no_content
+        end
+      end
+
+      private
+
+      def alerts_params
+        params.permit(:operator, :threshold, :environment_id, :prometheus_metric_id)
+      end
+
+      def notify_service
+        Projects::Prometheus::Alerts::NotifyService
+          .new(project, current_user, params.permit!)
+      end
+
+      def create_service
+        Projects::Prometheus::Alerts::CreateService
+          .new(project, current_user, alerts_params)
+      end
+
+      def update_service
+        Projects::Prometheus::Alerts::UpdateService
+          .new(project, current_user, alerts_params)
+      end
+
+      def destroy_service
+        Projects::Prometheus::Alerts::DestroyService
+          .new(project, current_user, nil)
+      end
+
+      def schedule_prometheus_update!
+        ::Clusters::Applications::ScheduleUpdateService.new(application, project).execute
+      end
+
+      def serialize_as_json(alert_obj)
+        serializer.represent(alert_obj)
+      end
+
+      def serializer
+        PrometheusAlertSerializer
+          .new(project: project, current_user: current_user)
+      end
+
+      def alerts
+        alerts_finder.execute
+      end
+
+      def alert
+        @alert ||= alerts_finder(metric: params[:id]).execute.first || render_404
+      end
+
+      def alerts_finder(opts = {})
+        Projects::Prometheus::AlertsFinder.new({
+          project: project,
+          environment: params[:environment_id]
+        }.reverse_merge(opts))
+      end
+
+      def application
+        @application ||= alert.environment.cluster_prometheus_adapter
+      end
+
+      def extract_alert_manager_token(request)
+        Doorkeeper::OAuth::Token.from_bearer_authorization(request)
+      end
+
+      def project_without_auth
+        @project ||= Project
+          .find_by_full_path("#{params[:namespace_id]}/#{params[:project_id]}")
+      end
+
+      def prometheus_alerts
+        project.prometheus_alerts.for_environment(params[:environment_id])
+      end
+
+      def metrics_dashboard_params
+        {
+          embedded: true,
+          prometheus_alert_id: alert.id
+        }
+      end
+    end
+  end
+end

changelogs/unreleased/212398-harden-optimie-jira-usage-data.yml

+---
+title: Harden jira usage data
+merge_request: 27973
+author:
+type: performance

changelogs/unreleased/add_restriction_for_ingress_update.yml

+---
+title: WAF settings will be read-only if there is a new version of ingress available
+merge_request: 27845
+author:
+type: changed

db/migrate/20200213100530_add_verification_columns_to_packages.rb

+# frozen_string_literal: true
+
+class AddVerificationColumnsToPackages < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  def change
+    add_column :packages_package_files, :verification_retry_at, :datetime_with_timezone
+    add_column :packages_package_files, :verified_at, :datetime_with_timezone
+    add_column :packages_package_files, :verification_checksum, :string, limit: 255
+    add_column :packages_package_files, :verification_failure, :string, limit: 255
+    add_column :packages_package_files, :verification_retry_count, :integer
+  end
+end

db/structure.sql

@@ -4364,6 +4364,11 @@ CREATE TABLE public.packages_package_files (
     file_sha1 bytea,
     file_name character varying NOT NULL,
     file text NOT NULL,
+    verification_retry_at timestamp with time zone,
+    verified_at timestamp with time zone,
+    verification_checksum character varying(255),
+    verification_failure character varying(255),
+    verification_retry_count integer,
     file_sha256 bytea
 );
 
@@ -12720,6 +12725,7 @@ COPY "schema_migrations" (version) FROM STDIN;
 20200212133945
 20200212134201
 20200213093702
+20200213100530
 20200213155311
 20200213204737
 20200213220159

doc/development/geo/framework.md

@@ -174,7 +174,7 @@ For example, to add support for files referenced by a `Widget` model with a
 
      def change
        add_column :widgets, :verification_retry_at,  :datetime_with_timezone
-       add_column :widgets, :last_verification_ran_at,  :datetime_with_timezone
+       add_column :widgets, :verified_at,  :datetime_with_timezone
        add_column :widgets, :verification_checksum, :string
        add_column :widgets, :verification_failure, :string
        add_column :widgets, :verification_retry_count, :integer

lib/gitlab/usage_data.rb

@@ -202,7 +202,7 @@ module Gitlab
         results = {
           projects_jira_server_active: 0,
           projects_jira_cloud_active: 0,
-          projects_jira_active: -1
+          projects_jira_active: 0
         }
 
         Service.active
@@ -217,14 +217,12 @@ module Gitlab
 
           results[:projects_jira_server_active] += counts[:server].count if counts[:server]
           results[:projects_jira_cloud_active] += counts[:cloud].count if counts[:cloud]
-          if results[:projects_jira_active] == -1
-            results[:projects_jira_active] = services.size
-          else
-            results[:projects_jira_active] += services.size
-          end
+          results[:projects_jira_active] += services.size
         end
 
         results
+      rescue ActiveRecord::StatementInvalid
+        { projects_jira_server_active: -1, projects_jira_cloud_active: -1, projects_jira_active: -1 }
       end
       # rubocop: enable CodeReuse/ActiveRecord
 

spec/controllers/projects/merge_requests/diffs_controller_spec.rb

@@ -16,6 +16,18 @@ describe Projects::MergeRequests::DiffsController do
         expect(response).to have_gitlab_http_status(:not_found)
       end
     end
+
+    context 'when the merge_request_diff.id is blank' do
+      it 'returns 404' do
+        allow_next_instance_of(MergeRequest) do |instance|
+          allow(instance).to receive(:merge_request_diff).and_return(MergeRequestDiff.new(merge_request_id: instance.id))
+
+          go
+
+          expect(response).to have_gitlab_http_status(:not_found)
+        end
+      end
+    end
   end
 
   shared_examples 'forked project with submodules' do

spec/frontend/clusters/components/ingress_modsecurity_settings_spec.js

@@ -14,6 +14,7 @@ describe('IngressModsecuritySettings', () => {
     status: 'installable',
     installed: false,
     modsecurity_mode: 'logging',
+    updateAvailable: false,
   };
 
   const createComponent = (props = defaultProps) => {
@@ -61,6 +62,11 @@ describe('IngressModsecuritySettings', () => {
         expect(findCancelButton().exists()).toBe(true);
       });
 
+      it('enables related toggle and buttons', () => {
+        expect(findSaveButton().attributes().disabled).toBeUndefined();
+        expect(findCancelButton().attributes().disabled).toBeUndefined();
+      });
+
       describe('with dropdown changed by the user', () => {
         beforeEach(() => {
           findModSecurityDropdown().vm.$children[1].$emit('click');
@@ -105,6 +111,25 @@ describe('IngressModsecuritySettings', () => {
           expect(findCancelButton().exists()).toBe(false);
         });
       });
+
+      describe('with a new version available', () => {
+        beforeEach(() => {
+          wrapper.setProps({
+            ingress: {
+              ...defaultProps,
+              installed: true,
+              status: 'installed',
+              modsecurity_enabled: true,
+              updateAvailable: true,
+            },
+          });
+        });
+
+        it('disables related toggle and buttons', () => {
+          expect(findSaveButton().attributes().disabled).toBe('true');
+          expect(findCancelButton().attributes().disabled).toBe('true');
+        });
+      });
     });
 
     it('triggers set event to be propagated with the current modsecurity value', () => {

spec/lib/gitlab/usage_data_spec.rb

@@ -85,6 +85,13 @@ describe Gitlab::UsageData, :aggregate_failures do
 
         expect { subject }.not_to raise_error
       end
+
+      it 'jira usage works when queries time out' do
+        allow_any_instance_of(ActiveRecord::Relation)
+          .to receive(:find_in_batches).and_raise(ActiveRecord::StatementInvalid.new(''))
+
+        expect { described_class.jira_usage }.not_to raise_error
+      end
     end
 
     describe '#usage_data_counters' do

spec/support/shared_examples/models/concerns/blob_replicator_strategy_shared_examples.rb

@@ -27,6 +27,45 @@ RSpec.shared_examples 'a blob replicator' do
       expect(::Geo::Event.last.attributes).to include(
         "replicable_name" => replicator.replicable_name, "event_name" => "created", "payload" => { "model_record_id" => replicator.model_record.id })
     end
+
+    it 'schedules the checksum calculation if needed' do
+      expect(Geo::BlobVerificationPrimaryWorker).to receive(:perform_async)
+      expect(replicator).to receive(:needs_checksum?).and_return(true)
+
+      replicator.handle_after_create_commit
+    end
+
+    it 'does not schedule the checksum calculation if feature flag is disabled' do
+      stub_feature_flags(geo_self_service_framework: false)
+
+      expect(Geo::BlobVerificationPrimaryWorker).not_to receive(:perform_async)
+      allow(replicator).to receive(:needs_checksum?).and_return(true)
+
+      replicator.handle_after_create_commit
+    end
+  end
+
+  describe '#calculate_checksum!' do
+    it 'calculates the checksum' do
+      model_record.save!
+
+      replicator.calculate_checksum!
+
+      expect(model_record.reload.verification_checksum).not_to be_nil
+    end
+
+    it 'saves the error message and increments retry counter' do
+      model_record.save!
+
+      allow(model_record).to receive(:calculate_checksum!) do
+        raise StandardError.new('Failure to calculate checksum')
+      end
+
+      replicator.calculate_checksum!
+
+      expect(model_record.reload.verification_failure).to eq 'Failure to calculate checksum'
+      expect(model_record.verification_retry_count).to be 1
+    end
   end
 
   describe '#consume_created_event' do