authorGitLab Bot <gitlab-bot@gitlab.com>2023-07-19 17:16:28 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-07-19 17:16:28 +0300
commite4384360a16dd9a19d4d2d25d0ef1f2b862ed2a6 (patch)
tree2fcdfa7dcdb9db8f5208b2562f4b4e803d671243 /app/controllers/concerns
parentffda4e7bcac36987f936b4ba515995a6698698f0 (diff)
Add latest changes from gitlab-org/gitlab@16-2-stable-eev16.2.0-rc42
Diffstat (limited to 'app/controllers/concerns')
-rw-r--r--app/controllers/concerns/integrations/params.rb2
-rw-r--r--app/controllers/concerns/internal_redirect.rb2
-rw-r--r--app/controllers/concerns/issuable_actions.rb5
-rw-r--r--app/controllers/concerns/membership_actions.rb2
-rw-r--r--app/controllers/concerns/metrics_dashboard.rb126
-rw-r--r--app/controllers/concerns/observability/content_security_policy.rb21
-rw-r--r--app/controllers/concerns/onboarding/status.rb41
-rw-r--r--app/controllers/concerns/preview_markdown.rb4
-rw-r--r--app/controllers/concerns/redirects_for_missing_path_on_tree.rb4
-rw-r--r--app/controllers/concerns/requires_allowlisted_monitoring_client.rb (renamed from app/controllers/concerns/requires_whitelisted_monitoring_client.rb)16
-rw-r--r--app/controllers/concerns/uploads_actions.rb17
-rw-r--r--app/controllers/concerns/verifies_with_email.rb8
12 files changed, 76 insertions, 172 deletions
diff --git a/app/controllers/concerns/integrations/params.rb b/app/controllers/concerns/integrations/params.rb
index 19e458307a1..53dd06ce638 100644
--- a/app/controllers/concerns/integrations/params.rb
+++ b/app/controllers/concerns/integrations/params.rb
@@ -43,6 +43,8 @@ module Integrations
:external_wiki_url,
:google_iap_service_account_json,
:google_iap_audience_client_id,
+ :group_confidential_mention_events,
+ :group_mention_events,
:incident_events,
:inherit_from_id,
# We're using `issues_events` and `merge_requests_events`
diff --git a/app/controllers/concerns/internal_redirect.rb b/app/controllers/concerns/internal_redirect.rb
index b803be67d2e..c3aa487c805 100644
--- a/app/controllers/concerns/internal_redirect.rb
+++ b/app/controllers/concerns/internal_redirect.rb
@@ -6,7 +6,7 @@ module InternalRedirect
def safe_redirect_path(path)
return unless path
# Verify that the string starts with a `/` and a known route character.
- return unless path =~ %r{\A/[-\w].*\z}
+ return unless %r{\A/[-\w].*\z}.match?(path)
uri = URI(path)
# Ignore anything path of the redirect except for the path, querystring and,
diff --git a/app/controllers/concerns/issuable_actions.rb b/app/controllers/concerns/issuable_actions.rb
index 0ad8a08960a..a326fa308ad 100644
--- a/app/controllers/concerns/issuable_actions.rb
+++ b/app/controllers/concerns/issuable_actions.rb
@@ -12,6 +12,7 @@ module IssuableActions
before_action :authorize_destroy_issuable!, only: :destroy
before_action :check_destroy_confirmation!, only: :destroy
before_action :authorize_admin_issuable!, only: :bulk_update
+ before_action :set_application_context!, only: :show
end
def show
@@ -226,6 +227,10 @@ module IssuableActions
render_404 unless can?(current_user, :"update_#{resource_name}", issuable)
end
+ def set_application_context!
+ # no-op. The logic is defined in EE module.
+ end
+
def bulk_update_params
clean_bulk_update_params(
params.require(:update).permit(bulk_update_permitted_keys)
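Review bot: The new `set_application_context!` hook carries no documentation of the contract the EE override is expected to fulfil, and its visibility is not visible in this hunk; if it sits in the public section of the module, Rails treats public instance methods of a controller (including those mixed in from a concern) as action methods, so it is worth confirming it lands below `private` alongside `authorize_update_issuable!`. A short comment above the definition would also help, e.g. `# Hook run before `show`; CE has nothing to set, EE prepends an implementation.` The `!` suffix has no non-bang counterpart here, which the style guide reserves for dangerous variants, though it matches the neighbouring `before_action` names. The first hunk of this file registers the callback; the enclosing module continues outside both hunks.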
diff --git a/app/controllers/concerns/membership_actions.rb b/app/controllers/concerns/membership_actions.rb
index 31675a58163..0c15c4d0d3f 100644
--- a/app/controllers/concerns/membership_actions.rb
+++ b/app/controllers/concerns/membership_actions.rb
@@ -16,7 +16,7 @@ module MembershipActions
member_data = if member.expires?
{
expires_soon: member.expires_soon?,
- expires_at_formatted: member.expires_at.to_time.in_time_zone.to_s(:medium)
+ expires_at_formatted: member.expires_at.to_time.in_time_zone.to_fs(:medium)
}
else
{}
diff --git a/app/controllers/concerns/metrics_dashboard.rb b/app/controllers/concerns/metrics_dashboard.rb
deleted file mode 100644
index 7a84c597424..00000000000
--- a/app/controllers/concerns/metrics_dashboard.rb
+++ /dev/null
@@ -1,126 +0,0 @@
-# frozen_string_literal: true
-
-# Provides an action which fetches a metrics dashboard according
-# to the parameters specified by the controller.
-module MetricsDashboard
- include RenderServiceResults
- include ChecksCollaboration
- include EnvironmentsHelper
-
- extend ActiveSupport::Concern
-
- def metrics_dashboard
- return not_found if Feature.enabled?(:remove_monitor_metrics)
-
- result = dashboard_finder.find(
- project_for_dashboard,
- current_user,
- decoded_params
- )
-
- if result
- result[:all_dashboards] = all_dashboards if include_all_dashboards?
- result[:metrics_data] = metrics_data(project_for_dashboard, environment_for_dashboard)
- end
-
- respond_to do |format|
- if result.nil?
- format.json { continue_polling_response }
- elsif result[:status] == :success
- format.json { render dashboard_success_response(result) }
- else
- format.json { render dashboard_error_response(result) }
- end
- end
- end
-
- private
-
- def all_dashboards
- dashboard_finder
- .find_all_paths(project_for_dashboard)
- .map { |dashboard| amend_dashboard(dashboard) }
- end
-
- def amend_dashboard(dashboard)
- project_dashboard = project_for_dashboard && !dashboard[:out_of_the_box_dashboard]
-
- dashboard[:can_edit] = project_dashboard ? can_edit?(dashboard) : false
- dashboard[:project_blob_path] = project_dashboard ? dashboard_project_blob_path(dashboard) : nil
- dashboard[:starred] = starred_dashboards.include?(dashboard[:path])
- dashboard[:user_starred_path] = project_for_dashboard ? user_starred_path(project_for_dashboard, dashboard[:path]) : nil
-
- dashboard
- end
-
- def user_starred_path(project, path)
- expose_path(api_v4_projects_metrics_user_starred_dashboards_path(id: project.id, params: { dashboard_path: path }))
- end
-
- def dashboard_project_blob_path(dashboard)
- project_blob_path(project_for_dashboard, File.join(project_for_dashboard.default_branch, dashboard.fetch(:path, "")))
- end
-
- def can_edit?(dashboard)
- can_collaborate_with_project?(project_for_dashboard, ref: project_for_dashboard.default_branch)
- end
-
- # Override in class to provide arguments to the finder.
- def metrics_dashboard_params
- {}
- end
-
- # Override in class if response requires complete list of
- # dashboards in addition to requested dashboard body.
- def include_all_dashboards?
- false
- end
-
- def dashboard_finder
- ::Gitlab::Metrics::Dashboard::Finder
- end
-
- def starred_dashboards
- @starred_dashboards ||=
- if project_for_dashboard.present?
- ::Metrics::UsersStarredDashboardsFinder
- .new(user: current_user, project: project_for_dashboard)
- .execute
- .map(&:dashboard_path)
- .to_set
- else
- Set.new
- end
- end
-
- # Project is not defined for group and admin level clusters.
- def project_for_dashboard
- defined?(project) ? project : nil
- end
-
- def environment_for_dashboard
- defined?(environment) ? environment : nil
- end
-
- def dashboard_success_response(result)
- {
- status: :ok,
- json: result.slice(:all_dashboards, :dashboard, :status, :metrics_data)
- }
- end
-
- def dashboard_error_response(result)
- {
- status: result[:http_status] || :bad_request,
- json: result.slice(:all_dashboards, :message, :status)
- }
- end
-
- def decoded_params
- params = metrics_dashboard_params
-
- params[:dashboard_path] = CGI.unescape(params[:dashboard_path]) if params[:dashboard_path]
-
- params
- end
-end
diff --git a/app/controllers/concerns/observability/content_security_policy.rb b/app/controllers/concerns/observability/content_security_policy.rb
index 1e25dc492a0..e51d986d36c 100644
--- a/app/controllers/concerns/observability/content_security_policy.rb
+++ b/app/controllers/concerns/observability/content_security_policy.rb
@@ -5,26 +5,23 @@ module Observability
extend ActiveSupport::Concern
included do
- content_security_policy_with_context do |p|
- current_group = if defined?(group)
- group
- else
- defined?(project) ? project&.group : nil
- end
-
- next if p.directives.blank? || !Feature.enabled?(:observability_group_tab, current_group)
+ content_security_policy do |p|
+ next if p.directives.blank?
default_frame_src = p.directives['frame-src'] || p.directives['default-src']
-
- # When ObservabilityUI is not authenticated, it needs to be able
- # to redirect to the GL sign-in page, hence '/users/sign_in' and '/oauth/authorize'
+ # When Gitlab Observability Backend is not authenticated, it needs to be able
+ # to redirect to the GitLab sign-in page, hence '/users/sign_in' and '/oauth/authorize'
frame_src_values = Array.wrap(default_frame_src) | [
Gitlab::Observability.observability_url,
Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/users/sign_in'),
Gitlab::Utils.append_path(Gitlab.config.gitlab.url, '/oauth/authorize')
]
-
p.frame_src(*frame_src_values)
+
+ default_connect_src = p.directives['connect-src'] || p.directives['default-src']
+ connect_src_values =
+ Array.wrap(default_connect_src) | [Gitlab::Observability.observability_url]
+ p.connect_src(*connect_src_values)
end
end
end
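Review bot: With the `observability_group_tab` gate removed on the new `content_security_policy` block, the `frame-src` and `connect-src` extensions to the observability origin now apply to every response from any controller that includes this concern, and the hunk leaves no comment recording that this widening is intended; `# Applies unconditionally: the observability origin is allowed for frames and XHR on all pages using this concern` above the block would make that explicit. Separately, when neither `connect-src` nor `default-src` is present, `Array.wrap(nil)` is empty and `p.connect_src` would set the directive to the observability URL alone, which narrows rather than extends what the page may connect to; whether the base policy always sets `default-src` isn't visible here, so consider `p.connect_src(*connect_src_values) if default_connect_src.present?` (the pre-existing `frame-src` branch has the same shape). If `Gitlab::Observability.observability_url` can be nil the `|` also inserts a nil value into both directives.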
diff --git a/app/controllers/concerns/onboarding/status.rb b/app/controllers/concerns/onboarding/status.rb
new file mode 100644
index 00000000000..986f3f17847
--- /dev/null
+++ b/app/controllers/concerns/onboarding/status.rb
@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module Onboarding
+ class Status
+ def initialize(user)
+ @user = user
+ end
+
+ def continue_full_onboarding?
+ false
+ end
+
+ def single_invite?
+ # If there are more than one member it will mean we have been invited to multiple projects/groups and
+ # are not able to distinguish which one we should putting the user in after registration
+ members.count == 1
+ end
+
+ def last_invited_member
+ members.last
+ end
+
+ def last_invited_member_source
+ last_invited_member&.source
+ end
+
+ def invite_with_tasks_to_be_done?
+ return false if members.empty?
+
+ MemberTask.for_members(members).exists?
+ end
+
+ private
+
+ attr_reader :user
+
+ def members
+ @members ||= user.members
+ end
+ end
+end
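Review bot: The new `Onboarding::Status` class has no class-level documentation, and `continue_full_onboarding?` returning a bare `false` reads as a CE baseline meant to be overridden elsewhere, which a reader cannot tell from the file; a comment such as `# Answers onboarding questions for a freshly registered user; CE provides the baseline answers, overrides may refine them` above `class Status` would record that. `single_invite?` and `last_invited_member` both lean on `members`, which is memoized as `user.members`; if that is a relation (suggested by `MemberTask.for_members(members).exists?`), `count`, `empty?` and `last` each issue their own query and `last` depends on whatever ordering the relation carries, so a `# Memoizes the relation, not the rows; each predicate queries separately` note on `members` would warn future callers.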
diff --git a/app/controllers/concerns/preview_markdown.rb b/app/controllers/concerns/preview_markdown.rb
index a7655efe7a9..7f1b961e92a 100644
--- a/app/controllers/concerns/preview_markdown.rb
+++ b/app/controllers/concerns/preview_markdown.rb
@@ -48,9 +48,7 @@ module PreviewMarkdown
end.merge(
requested_path: params[:path],
ref: params[:ref],
- # Disable comments in markdown for IE browsers because comments in IE
- # could allow script execution.
- allow_comments: !browser.ie?
+ allow_comments: false
)
end
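Review bot: Dropping the IE-specific condition also dropped the only comment explaining why comments are disabled in previews, so the hard-coded `allow_comments: false` now reads as arbitrary. A one-line replacement keeps the rationale: `# Comments are disabled in previews for every browser, not just IE as before.` The enclosing method starts outside this hunk.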
diff --git a/app/controllers/concerns/redirects_for_missing_path_on_tree.rb b/app/controllers/concerns/redirects_for_missing_path_on_tree.rb
index 92574dfade9..97c23a2cf3c 100644
--- a/app/controllers/concerns/redirects_for_missing_path_on_tree.rb
+++ b/app/controllers/concerns/redirects_for_missing_path_on_tree.rb
@@ -1,8 +1,8 @@
# frozen_string_literal: true
module RedirectsForMissingPathOnTree
- def redirect_to_tree_root_for_missing_path(project, ref, path)
- redirect_to project_tree_path(project, ref), notice: missing_path_on_ref(path, ref)
+ def redirect_to_tree_root_for_missing_path(project, ref, path, ref_type: nil)
+ redirect_to project_tree_path(project, ref, ref_type: ref_type), notice: missing_path_on_ref(path, ref)
end
private
diff --git a/app/controllers/concerns/requires_whitelisted_monitoring_client.rb b/app/controllers/concerns/requires_allowlisted_monitoring_client.rb
index ef3d281589a..ad6d4dc548c 100644
--- a/app/controllers/concerns/requires_whitelisted_monitoring_client.rb
+++ b/app/controllers/concerns/requires_allowlisted_monitoring_client.rb
@@ -1,28 +1,28 @@
# frozen_string_literal: true
-module RequiresWhitelistedMonitoringClient
+module RequiresAllowlistedMonitoringClient
extend ActiveSupport::Concern
included do
- before_action :validate_ip_whitelisted_or_valid_token!
+ before_action :validate_ip_allowlisted_or_valid_token!
end
private
- def validate_ip_whitelisted_or_valid_token!
- render_404 unless client_ip_whitelisted? || valid_token?
+ def validate_ip_allowlisted_or_valid_token!
+ render_404 unless client_ip_allowlisted? || valid_token?
end
- def client_ip_whitelisted?
+ def client_ip_allowlisted?
# Always allow developers to access http://localhost:3000/-/metrics for
# debugging purposes
return true if Rails.env.development? && request.local?
- ip_whitelist.any? { |e| e.include?(Gitlab::RequestContext.instance.client_ip) }
+ ip_allowlist.any? { |e| e.include?(Gitlab::RequestContext.instance.client_ip) }
end
- def ip_whitelist
- @ip_whitelist ||= Settings.monitoring.ip_whitelist.map { |ip| IPAddr.new(ip) }
+ def ip_allowlist
+ @ip_allowlist ||= Settings.monitoring.ip_whitelist.map { |ip| IPAddr.new(ip) }
end
def valid_token?
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index 222fcc17222..29b61264322 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -110,7 +110,7 @@ module UploadsActions
if uploader_mounted?
model.public_send(upload_mount) # rubocop:disable GitlabSecurity/PublicSend
else
- build_uploader_from_upload || build_uploader_from_params
+ build_uploader_from_upload
end
end
strong_memoize_attr :uploader
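Review bot: The `else` branch now evaluates to whatever `build_uploader_from_upload` returns, so `uploader` can be nil wherever the removed `build_uploader_from_params` fallback (second hunk of this file) used to supply an uploader built from `params[:secret]` and `params[:filename]`; whether every caller of `uploader` already tolerates nil isn't visible here. A comment on the branch would record the new contract, e.g. `# nil when no Upload record matches; callers must handle a missing uploader`. The memoized method enclosing this hunk starts outside it.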
@@ -125,21 +125,6 @@ module UploadsActions
end
# rubocop: enable CodeReuse/ActiveRecord
- def build_uploader_from_params
- return unless uploader = build_uploader
-
- uploader.retrieve_from_store!(params[:filename])
-
- Gitlab::AppJsonLogger.info(
- message: 'Deprecated usage of build_uploader_from_params',
- uploader_class: uploader.class.name,
- path: params[:filename],
- exists: uploader.exists?
- )
-
- uploader
- end
-
def build_uploader
return unless params[:secret] && params[:filename]
diff --git a/app/controllers/concerns/verifies_with_email.rb b/app/controllers/concerns/verifies_with_email.rb
index 45869c05f41..13378800ea9 100644
--- a/app/controllers/concerns/verifies_with_email.rb
+++ b/app/controllers/concerns/verifies_with_email.rb
@@ -25,6 +25,7 @@ module VerifiesWithEmail
if user.valid_password?(user_params[:password])
# The user has logged in successfully.
+
if user.unlock_token
# Prompt for the token if it already has been set
prompt_for_email_verification(user)
@@ -32,7 +33,8 @@ module VerifiesWithEmail
# require email verification if:
# - their account has been locked because of too many failed login attempts, or
# - they have logged in before, but never from the current ip address
- send_verification_instructions(user)
+ reason = 'sign in from untrusted IP address' unless user.access_locked?
+ send_verification_instructions(user, reason: reason)
prompt_for_email_verification(user)
end
end
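Review bot: `reason` stays nil when `user.access_locked?` is true, so the lock-out case listed in the comment just above ("too many failed login attempts") records no reason while the untrusted-IP case does; if the `reason:` passed to `lock_access!` is surfaced in the email or logs, an explicit value for both branches keeps them symmetric, e.g. `reason = user.access_locked? ? 'too many failed login attempts' : 'sign in from untrusted IP address'`. The literal would also be better as a frozen module constant than an inline string. The same `reason:` plumbing continues in the third hunk of this file, where what `lock_access!` does with the extra key is not visible; the method enclosing this hunk starts outside it.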
@@ -75,13 +77,13 @@ module VerifiesWithEmail
super
end
- def send_verification_instructions(user)
+ def send_verification_instructions(user, reason: nil)
return if send_rate_limited?(user)
service = Users::EmailVerification::GenerateTokenService.new(attr: :unlock_token, user: user)
raw_token, encrypted_token = service.execute
user.unlock_token = encrypted_token
- user.lock_access!({ send_instructions: false })
+ user.lock_access!({ send_instructions: false, reason: reason })
send_verification_instructions_email(user, raw_token)
end