
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-12-06 12:07:14 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-12-06 12:07:14 +0300
commit5bc6fcec0edaa4032afacce1aa5e5289e9ae07ac (patch)
tree85291d07572ef0761dfd214d6d2458dd64150b71 /app
parentf713e4eb11cae4593cfe70554a4a23536ab91357 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r--app/controllers/concerns/page_limiter.rb9
-rw-r--r--app/controllers/concerns/product_analytics_tracking.rb18
-rw-r--r--app/controllers/concerns/record_user_last_activity.rb6
-rw-r--r--app/controllers/concerns/routable_actions.rb10
-rw-r--r--app/controllers/concerns/snippets/blobs_actions.rb8
-rw-r--r--app/controllers/concerns/uploads_actions.rb8
-rw-r--r--app/controllers/dashboard/todos_controller.rb16
-rw-r--r--app/controllers/jira_connect/events_controller.rb2
-rw-r--r--app/controllers/jira_connect/public_keys_controller.rb4
-rw-r--r--app/controllers/jira_connect/subscriptions_controller.rb3
-rw-r--r--app/models/ci/pipeline_schedule.rb2
-rw-r--r--app/models/ci/pipeline_schedule_variable.rb2
-rw-r--r--app/services/clusters/agents/filter_authorizations_service.rb50
-rw-r--r--app/views/layouts/jira_connect.html.haml2
-rw-r--r--app/views/projects/pipelines/_info.html.haml5
15 files changed, 100 insertions, 45 deletions
diff --git a/app/controllers/concerns/page_limiter.rb b/app/controllers/concerns/page_limiter.rb
index 362b02e5856..1d044a41899 100644
--- a/app/controllers/concerns/page_limiter.rb
+++ b/app/controllers/concerns/page_limiter.rb
@@ -44,10 +44,11 @@ module PageLimiter
raise PageLimitNotANumberError unless max_page_number.is_a?(Integer)
raise PageLimitNotSensibleError unless max_page_number > 0
- if params[:page].present? && params[:page].to_i > max_page_number
- record_page_limit_interception
- raise PageOutOfBoundsError, max_page_number
- end
+ return if params[:page].blank?
+ return if params[:page].to_i <= max_page_number
+
+ record_page_limit_interception
+ raise PageOutOfBoundsError, max_page_number
end
# By default just return a HTTP status code and an empty response
diff --git a/app/controllers/concerns/product_analytics_tracking.rb b/app/controllers/concerns/product_analytics_tracking.rb
index 5bfbc4b7529..42edc328fa1 100644
--- a/app/controllers/concerns/product_analytics_tracking.rb
+++ b/app/controllers/concerns/product_analytics_tracking.rb
@@ -30,15 +30,15 @@ module ProductAnalyticsTracking
def route_events_to(destinations, name, &block)
track_unique_redis_hll_event(name, &block) if destinations.include?(:redis_hll)
- if destinations.include?(:snowplow) && event_enabled?(name)
- Gitlab::Tracking.event(
- self.class.to_s,
- name,
- namespace: tracking_namespace_source,
- user: current_user,
- context: [Gitlab::Tracking::ServicePingContext.new(data_source: :redis_hll, event: name).to_context]
- )
- end
+ return unless destinations.include?(:snowplow) && event_enabled?(name)
+
+ Gitlab::Tracking.event(
+ self.class.to_s,
+ name,
+ namespace: tracking_namespace_source,
+ user: current_user,
+ context: [Gitlab::Tracking::ServicePingContext.new(data_source: :redis_hll, event: name).to_context]
+ )
end
def route_custom_events_to(destinations, name, action, label, &block)
diff --git a/app/controllers/concerns/record_user_last_activity.rb b/app/controllers/concerns/record_user_last_activity.rb
index 29164df4516..a189d4a5c79 100644
--- a/app/controllers/concerns/record_user_last_activity.rb
+++ b/app/controllers/concerns/record_user_last_activity.rb
@@ -19,8 +19,8 @@ module RecordUserLastActivity
return unless request.get?
return if Gitlab::Database.read_only?
- if current_user && current_user.last_activity_on != Date.today
- Users::ActivityService.new(current_user).execute
- end
+ return unless current_user && current_user.last_activity_on != Date.today
+
+ Users::ActivityService.new(current_user).execute
end
end
diff --git a/app/controllers/concerns/routable_actions.rb b/app/controllers/concerns/routable_actions.rb
index e34d6b09c24..28e1fa473b3 100644
--- a/app/controllers/concerns/routable_actions.rb
+++ b/app/controllers/concerns/routable_actions.rb
@@ -46,13 +46,13 @@ module RoutableActions
return unless request.get?
canonical_path = routable.full_path
- if canonical_path != routable_full_path
- if !request.xhr? && request.format.html? && canonical_path.casecmp(routable_full_path) != 0
- flash[:notice] = "#{routable.class.to_s.titleize} '#{routable_full_path}' was moved to '#{canonical_path}'. Please update any links and bookmarks that may still have the old path."
- end
+ return unless canonical_path != routable_full_path
- redirect_to build_canonical_path(routable), status: :moved_permanently
+ if !request.xhr? && request.format.html? && canonical_path.casecmp(routable_full_path) != 0
+ flash[:notice] = "#{routable.class.to_s.titleize} '#{routable_full_path}' was moved to '#{canonical_path}'. Please update any links and bookmarks that may still have the old path."
end
+
+ redirect_to build_canonical_path(routable), status: :moved_permanently
end
end
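Review bot: The new guard `return unless canonical_path != routable_full_path` is a double negative and reads more slowly than the nested `if` it replaced. Writing it as `return if canonical_path == routable_full_path` keeps the early return and states the condition directly. The enclosing method starts above this hunk, so only the tail of the method is visible here.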
diff --git a/app/controllers/concerns/snippets/blobs_actions.rb b/app/controllers/concerns/snippets/blobs_actions.rb
index c711d2ca85b..2a0491b4df8 100644
--- a/app/controllers/concerns/snippets/blobs_actions.rb
+++ b/app/controllers/concerns/snippets/blobs_actions.rb
@@ -39,11 +39,11 @@ module Snippets::BlobsActions
end
def ensure_repository
- unless snippet.repo_exists?
- Gitlab::AppLogger.error(message: "Snippet raw blob attempt with no repo", snippet: snippet.id)
+ return if snippet.repo_exists?
- respond_422
- end
+ Gitlab::AppLogger.error(message: "Snippet raw blob attempt with no repo", snippet: snippet.id)
+
+ respond_422
end
def snippet_id
diff --git a/app/controllers/concerns/uploads_actions.rb b/app/controllers/concerns/uploads_actions.rb
index 6ad1b63db59..0ba13896631 100644
--- a/app/controllers/concerns/uploads_actions.rb
+++ b/app/controllers/concerns/uploads_actions.rb
@@ -73,11 +73,11 @@ module UploadsActions
def set_request_format_from_path_extension
path = request.headers['action_dispatch.original_path'] || request.headers['PATH_INFO']
- if match = path&.match(/\.(\w+)\z/)
- format = Mime[match.captures.first]
+ return unless match = path&.match(/\.(\w+)\z/)
- request.format = format.symbol if format
- end
+ format = Mime[match.captures.first]
+
+ request.format = format.symbol if format
end
def content_disposition
diff --git a/app/controllers/dashboard/todos_controller.rb b/app/controllers/dashboard/todos_controller.rb
index d2434d4b0ba..c904f09d1bb 100644
--- a/app/controllers/dashboard/todos_controller.rb
+++ b/app/controllers/dashboard/todos_controller.rb
@@ -64,19 +64,19 @@ class Dashboard::TodosController < Dashboard::ApplicationController
def authorize_read_project!
project_id = params[:project_id]
- if project_id.present?
- project = Project.find(project_id)
- render_404 unless can?(current_user, :read_project, project)
- end
+ return unless project_id.present?
+
+ project = Project.find(project_id)
+ render_404 unless can?(current_user, :read_project, project)
end
def authorize_read_group!
group_id = params[:group_id]
- if group_id.present?
- group = Group.find(group_id)
- render_404 unless can?(current_user, :read_group, group)
- end
+ return unless group_id.present?
+
+ group = Group.find(group_id)
+ render_404 unless can?(current_user, :read_group, group)
end
def find_todos
diff --git a/app/controllers/jira_connect/events_controller.rb b/app/controllers/jira_connect/events_controller.rb
index 394fdc9b2f6..3569b233393 100644
--- a/app/controllers/jira_connect/events_controller.rb
+++ b/app/controllers/jira_connect/events_controller.rb
@@ -56,7 +56,7 @@ class JiraConnect::EventsController < JiraConnect::ApplicationController
def jwt_verification_claims
{
- aud: jira_connect_base_url(protocol: 'https'),
+ aud: Gitlab.config.jira_connect.enforce_jira_base_url_https ? jira_connect_base_url(protocol: 'https') : jira_connect_base_url,
iss: transformed_params[:client_key],
qsh: Atlassian::Jwt.create_query_string_hash(request.url, request.method, jira_connect_base_url)
}
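Review bot: When `enforce_jira_base_url_https` is off, the expected `aud` claim in `jwt_verification_claims` falls back to `jira_connect_base_url` with its default protocol, so the audience check no longer pins an HTTPS base URL. Nothing in the hunk says when that is acceptable. A comment above the `aud:` line such as `# aud must equal the base URL the app was installed with; HTTPS is pinned unless enforce_jira_base_url_https is disabled` would record the intent, and the default of the setting (not visible here) should be confirmed as enabled. The ternary also makes the line long; moving it into a small private helper that returns the expected audience would keep the claims hash readable. The method's closing `end` lies outside the hunk.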
diff --git a/app/controllers/jira_connect/public_keys_controller.rb b/app/controllers/jira_connect/public_keys_controller.rb
index b3144993edb..09003f8478f 100644
--- a/app/controllers/jira_connect/public_keys_controller.rb
+++ b/app/controllers/jira_connect/public_keys_controller.rb
@@ -10,7 +10,9 @@ module JiraConnect
skip_before_action :authenticate_user!
def show
- return render_404 if Feature.disabled?(:jira_connect_oauth_self_managed) || !Gitlab.com?
+ if Feature.disabled?(:jira_connect_oauth_self_managed) || !Gitlab.config.jira_connect.enable_public_keys_storage
+ return render_404
+ end
render plain: public_key.key
end
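Review bot: `show` runs with `skip_before_action :authenticate_user!`, so after this change the feature flag and `enable_public_keys_storage` are the only gate on the endpoint, and the instance-level restriction `Gitlab.com?` is gone. The setting name speaks of storage while this action only reads, so it is worth confirming that the code path which creates the keys is gated by the same setting; that path is not visible in this diff. A short comment on the guard, for example `# Unauthenticated endpoint: access is controlled only by the feature flag and enable_public_keys_storage`, would make the exposure explicit for the next reader.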
diff --git a/app/controllers/jira_connect/subscriptions_controller.rb b/app/controllers/jira_connect/subscriptions_controller.rb
index 33d77c5b536..ff7477a94d6 100644
--- a/app/controllers/jira_connect/subscriptions_controller.rb
+++ b/app/controllers/jira_connect/subscriptions_controller.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true
class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
+ ALLOWED_IFRAME_ANCESTORS = [:self, 'https://*.atlassian.net', 'https://*.jira.com'].freeze
layout 'jira_connect'
content_security_policy do |p|
@@ -13,7 +14,7 @@ class JiraConnect::SubscriptionsController < JiraConnect::ApplicationController
# *.jira.com is needed for some legacy Jira Cloud instances, new ones will use *.atlassian.net
# https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/
- p.frame_ancestors :self, 'https://*.atlassian.net', 'https://*.jira.com'
+ p.frame_ancestors(*(ALLOWED_IFRAME_ANCESTORS + Gitlab.config.jira_connect.additional_iframe_ancestors))
p.script_src(*script_src_values)
p.style_src(*style_src_values)
end
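Review bot: The `frame_ancestors` directive is now built from `ALLOWED_IFRAME_ANCESTORS + Gitlab.config.jira_connect.additional_iframe_ancestors`, and the configured part is used without any check. If the setting is unset, `Array#+` raises a `TypeError` on `nil` and the page fails to render; whether the settings layer defaults it to `[]` is not visible here, so `p.frame_ancestors(*(ALLOWED_IFRAME_ANCESTORS + Array(Gitlab.config.jira_connect.additional_iframe_ancestors)))` would be the defensive form. The existing comment above the line still describes only the two Atlassian hosts; it should also say that operator-supplied origins are appended, and that a broad entry such as a bare scheme or `*` removes the framing restriction this policy exists to provide.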
diff --git a/app/models/ci/pipeline_schedule.rb b/app/models/ci/pipeline_schedule.rb
index 96e5567e85e..499db3a8dd3 100644
--- a/app/models/ci/pipeline_schedule.rb
+++ b/app/models/ci/pipeline_schedule.rb
@@ -16,7 +16,7 @@ module Ci
belongs_to :owner, class_name: 'User'
has_one :last_pipeline, -> { order(id: :desc) }, class_name: 'Ci::Pipeline'
has_many :pipelines
- has_many :variables, class_name: 'Ci::PipelineScheduleVariable', validate: false
+ has_many :variables, class_name: 'Ci::PipelineScheduleVariable'
validates :cron, unless: :importing?, cron: true, presence: { unless: :importing? }
validates :cron_timezone, cron_timezone: true, presence: { unless: :importing? }
diff --git a/app/models/ci/pipeline_schedule_variable.rb b/app/models/ci/pipeline_schedule_variable.rb
index 718ed14edeb..00251ea06fd 100644
--- a/app/models/ci/pipeline_schedule_variable.rb
+++ b/app/models/ci/pipeline_schedule_variable.rb
@@ -9,6 +9,6 @@ module Ci
alias_attribute :secret_value, :value
- validates :key, uniqueness: { scope: :pipeline_schedule_id }
+ validates :key, presence: true, uniqueness: { scope: :pipeline_schedule_id }
end
end
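Review bot: The `uniqueness` check on `key` is an application-level query, so two variables with the same key that are built in one save, or written by concurrent requests, can both pass it. This matters more now that the parent association in pipeline_schedule.rb no longer sets `validate: false` and relies on these validations. Please confirm a unique database index on `(pipeline_schedule_id, key)` backs the rule; the schema is not part of this diff. It is also worth checking whether existing rows with a blank key exist, since the added `presence: true` would presumably make them fail validation when they are next validated.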
diff --git a/app/services/clusters/agents/filter_authorizations_service.rb b/app/services/clusters/agents/filter_authorizations_service.rb
new file mode 100644
index 00000000000..68517ceec04
--- /dev/null
+++ b/app/services/clusters/agents/filter_authorizations_service.rb
@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Clusters
+ module Agents
+ class FilterAuthorizationsService
+ def initialize(authorizations, filter_params)
+ @authorizations = authorizations
+ @filter_params = filter_params
+
+ @environments_matcher = {}
+ end
+
+ def execute
+ filter_by_environment(authorizations)
+ end
+
+ private
+
+ attr_reader :authorizations, :filter_params
+
+ def filter_by_environment(auths)
+ return auths unless filter_by_environment?
+
+ auths.select do |auth|
+ next true if auth.config['environments'].blank?
+
+ auth.config['environments'].any? { |environment_pattern| matches_environment?(environment_pattern) }
+ end
+ end
+
+ def filter_by_environment?
+ filter_params.has_key?(:environment)
+ end
+
+ def environment_filter
+ @environment_filter ||= filter_params[:environment]
+ end
+
+ def matches_environment?(environment_pattern)
+ return false if environment_filter.nil?
+
+ environments_matcher(environment_pattern).match?(environment_filter)
+ end
+
+ def environments_matcher(environment_pattern)
+ @environments_matcher[environment_pattern] ||= ::Gitlab::Ci::EnvironmentMatcher.new(environment_pattern)
+ end
+ end
+ end
+end
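Review bot: `filter_by_environment?` tests `filter_params.has_key?(:environment)` with a symbol key, so a caller that passes a string-keyed hash gets every authorization back unfiltered instead of an error, which is a fail-open result for a class that narrows authorizations. The class has no documentation, and its semantics are not obvious: a missing key means no filtering, an explicit `nil` keeps only authorizations without an `environments` list, and authorizations with a blank list always pass. A class-level comment stating these three cases and the expected key type of `filter_params` would help, and `key?` is the preferred spelling over `has_key?`. The instance variable `@environments_matcher` (a cache hash) shares its name with the method `environments_matcher`, which returns a single matcher; a name like `@environment_matchers` would avoid that confusion.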
diff --git a/app/views/layouts/jira_connect.html.haml b/app/views/layouts/jira_connect.html.haml
index 6acd7799875..80bbe578510 100644
--- a/app/views/layouts/jira_connect.html.haml
+++ b/app/views/layouts/jira_connect.html.haml
@@ -5,7 +5,7 @@
GitLab
= yield :page_specific_styles
- = javascript_include_tag 'https://connect-cdn.atl-paas.net/all.js'
+ = javascript_include_tag Gitlab.config.jira_connect.atlassian_js_url
= Gon::Base.render_data(nonce: content_security_policy_nonce)
= yield :head
%body
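Review bot: The script tag now loads whatever URL `Gitlab.config.jira_connect.atlassian_js_url` holds, where the previous line pinned a fixed HTTPS CDN address. The layout does not show that the value is constrained, so the setting should be validated as an HTTPS URL where it is defined and kept in step with the `script_src` values used by the Jira Connect controllers, which are not visible in this diff. A HAML comment above the tag, for example `-# atlassian_js_url is operator-configured; it must be HTTPS and allowed by the script-src policy`, would document that dependency.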
diff --git a/app/views/projects/pipelines/_info.html.haml b/app/views/projects/pipelines/_info.html.haml
index 30cc7f94311..a5f133807b6 100644
--- a/app/views/projects/pipelines/_info.html.haml
+++ b/app/views/projects/pipelines/_info.html.haml
@@ -1,6 +1,7 @@
- if Feature.enabled?(:pipeline_name, @pipeline.project) && @pipeline.name
- %h3
- = @pipeline.name
+ .gl-border-t.gl-p-5.gl-px-0
+ %h3.gl-m-0.gl-text-body
+ = @pipeline.name
- else
.commit-box
%h3.commit-title