Add latest changes from gitlab-org/gitlab@16-0-stable-eev16.0.0-rc42

4 files changed, 40 insertions, 20 deletions

diff --git a/app/controllers/oauth/applications_controller.rb b/app/controllers/oauth/applications_controller.rb
index 3b78b997da1..2d5421f9f74 100644
--- a/app/controllers/oauth/applications_controller.rb
+++ b/app/controllers/oauth/applications_controller.rb
@@ -23,9 +23,7 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
     set_index_vars
   end
 
-  def show
-    @created = get_created_session if Feature.disabled?('hash_oauth_secrets')
-  end
+  def show; end
 
   def create
     @application = Applications::CreateService.new(current_user, application_params).execute(request)
@@ -33,20 +31,26 @@ class Oauth::ApplicationsController < Doorkeeper::ApplicationsController
     if @application.persisted?
       flash[:notice] = I18n.t(:notice, scope: [:doorkeeper, :flash, :applications, :create])
 
-      if Feature.enabled?('hash_oauth_secrets')
-        @created = true
-        render :show
-      else
-        set_created_session
-
-        redirect_to oauth_application_url(@application)
-      end
+      @created = true
+      render :show
     else
       set_index_vars
       render :index
     end
   end
 
+  def renew
+    set_application
+
+    @application.renew_secret
+
+    if @application.save
+      render json: { secret: @application.plaintext_secret }
+    else
+      render json: { errors: @application.errors }, status: :unprocessable_entity
+    end
+  end
+
   private
 
   def verify_user_oauth_applications_enabled
diff --git a/app/controllers/oauth/authorizations_controller.rb b/app/controllers/oauth/authorizations_controller.rb
index 43bf895ea76..96a3fab7e1a 100644
--- a/app/controllers/oauth/authorizations_controller.rb
+++ b/app/controllers/oauth/authorizations_controller.rb
@@ -108,8 +108,10 @@ class Oauth::AuthorizationsController < Doorkeeper::AuthorizationsController
   end
 
   def dangerous_scopes?
-    doorkeeper_application&.includes_scope?(*::Gitlab::Auth::API_SCOPE, *::Gitlab::Auth::READ_API_SCOPE,
-                                             *::Gitlab::Auth::ADMIN_SCOPES, *::Gitlab::Auth::REPOSITORY_SCOPES,
-                                             *::Gitlab::Auth::REGISTRY_SCOPES) && !doorkeeper_application&.trusted?
+    doorkeeper_application&.includes_scope?(
+      *::Gitlab::Auth::API_SCOPE, *::Gitlab::Auth::READ_API_SCOPE,
+      *::Gitlab::Auth::ADMIN_SCOPES, *::Gitlab::Auth::REPOSITORY_SCOPES,
+      *::Gitlab::Auth::REGISTRY_SCOPES
+    ) && !doorkeeper_application&.trusted?
   end
 end
diff --git a/app/controllers/oauth/authorized_applications_controller.rb b/app/controllers/oauth/authorized_applications_controller.rb
index 3f476c0d717..6fc2eb6bc45 100644
--- a/app/controllers/oauth/authorized_applications_controller.rb
+++ b/app/controllers/oauth/authorized_applications_controller.rb
@@ -20,7 +20,7 @@ class Oauth::AuthorizedApplicationsController < Doorkeeper::AuthorizedApplicatio
     end
 
     redirect_to applications_profile_url,
-                status: :found,
-                notice: I18n.t(:notice, scope: [:doorkeeper, :flash, :authorized_applications, :destroy])
+      status: :found,
+      notice: I18n.t(:notice, scope: [:doorkeeper, :flash, :authorized_applications, :destroy])
   end
 end
diff --git a/app/controllers/oauth/jira_dvcs/authorizations_controller.rb b/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
index 03921761f45..ba587944a36 100644
--- a/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
+++ b/app/controllers/oauth/jira_dvcs/authorizations_controller.rb
@@ -8,6 +8,7 @@ class Oauth::JiraDvcs::AuthorizationsController < ApplicationController
   skip_before_action :authenticate_user!
   skip_before_action :verify_authenticity_token
 
+  before_action :reversible_end_of_life!
   before_action :validate_redirect_uri, only: :new
 
   feature_category :integrations
@@ -16,10 +17,12 @@ class Oauth::JiraDvcs::AuthorizationsController < ApplicationController
   def new
     session[:redirect_uri] = params['redirect_uri']
 
-    redirect_to oauth_authorization_path(client_id: params['client_id'],
-                                         response_type: 'code',
-                                         scope: normalize_scope(params['scope']),
-                                         redirect_uri: oauth_jira_dvcs_callback_url)
+    redirect_to oauth_authorization_path(
+      client_id: params['client_id'],
+      response_type: 'code',
+      scope: normalize_scope(params['scope']),
+      redirect_uri: oauth_jira_dvcs_callback_url
+    )
   end
 
   # 2. Handle the callback call as we were a Github Enterprise instance client.
@@ -53,6 +56,17 @@ class Oauth::JiraDvcs::AuthorizationsController < ApplicationController
 
   private
 
+  # The endpoints in this controller have been deprecated since 15.1.
+  #
+  # Due to uncertainty about the impact of a full removal in 16.0, all endpoints return `404`
+  # by default but we allow customers to toggle a flag to reverse this breaking change.
+  # See https://gitlab.com/gitlab-org/gitlab/-/issues/362168#note_1347692683.
+  #
+  # TODO Make the breaking change irreversible https://gitlab.com/gitlab-org/gitlab/-/issues/408148.
+  def reversible_end_of_life!
+    render_404 unless Feature.enabled?(:jira_dvcs_end_of_life_amnesty)
+  end
+
   # When using the GitHub Enterprise connector in Jira we receive the "repo" scope,
   # this doesn't exist in GitLab but we can map it to our "api" scope.
   def normalize_scope(scope)