Merge branch 'master' into fix-restricted-visibility

Conflicts:
	db/schema.rb

15 files changed, 108 insertions, 24 deletions

diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index f46dc8b456e..a6e77002a01 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -83,7 +83,10 @@ module API
     end
 
     def authenticate_by_gitlab_shell_token!
-      unauthorized! unless secret_token == params['secret_token'].try(:chomp)
+      input = params['secret_token'].try(:chomp)
+      unless Devise.secure_compare(secret_token, input)
+        unauthorized!
+      end
     end
 
     def authenticated_as_admin!
diff --git a/lib/gitlab/bitbucket_import/client.rb b/lib/gitlab/bitbucket_import/client.rb
index c907bebaef6..1e4906c9e31 100644
--- a/lib/gitlab/bitbucket_import/client.rb
+++ b/lib/gitlab/bitbucket_import/client.rb
@@ -92,7 +92,7 @@ module Gitlab
       end
 
       def bitbucket_options
-        OmniAuth::Strategies::Bitbucket.default_options[:client_options]
+        OmniAuth::Strategies::Bitbucket.default_options[:client_options].dup
       end
     end
   end
diff --git a/lib/gitlab/git.rb b/lib/gitlab/git.rb
index 4a712c6345f..0c350d7c675 100644
--- a/lib/gitlab/git.rb
+++ b/lib/gitlab/git.rb
@@ -1,9 +1,25 @@
 module Gitlab
   module Git
     BLANK_SHA = '0' * 40
+    TAG_REF_PREFIX = "refs/tags/"
+    BRANCH_REF_PREFIX = "refs/heads/"
 
-    def self.extract_ref_name(ref)
-      ref.gsub(/\Arefs\/(tags|heads)\//, '')
+    class << self
+      def ref_name(ref)
+        ref.gsub(/\Arefs\/(tags|heads)\//, '')
+      end
+
+      def tag_ref?(ref)
+        ref.start_with?(TAG_REF_PREFIX)
+      end
+
+      def branch_ref?(ref)
+        ref.start_with?(BRANCH_REF_PREFIX)
+      end
+
+      def blank_ref?(ref)
+        ref == BLANK_SHA
+      end
     end
   end
 end
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 9b31190a882..cb69e4b13d3 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -115,7 +115,7 @@ module Gitlab
       # we dont allow force push to protected branch
       if forced_push?(project, oldrev, newrev)
         :force_push_code_to_protected_branches
-      elsif newrev == Gitlab::Git::BLANK_SHA
+      elsif Gitlab::Git.blank_ref?(newrev)
         # and we dont allow remove of protected branch
         :remove_protected_branches
       elsif project.developers_can_push_to_protected_branch?(branch_name)
@@ -135,8 +135,8 @@ module Gitlab
 
     def branch_name(ref)
       ref = ref.to_s
-      if ref.start_with?('refs/heads')
-        ref.sub(%r{\Arefs/heads/}, '')
+      if Gitlab::Git.branch_ref?(ref)
+        Gitlab::Git.ref_name(ref)
       else
         nil
       end
@@ -144,8 +144,8 @@ module Gitlab
 
     def tag_name(ref)
       ref = ref.to_s
-      if ref.start_with?('refs/tags')
-        ref.sub(%r{\Arefs/tags/}, '')
+      if Gitlab::Git.tag_ref?(ref)
+        Gitlab::Git.ref_name(ref)
       else
         nil
       end
diff --git a/lib/gitlab/github_import/client.rb b/lib/gitlab/github_import/client.rb
index 676d226bddd..7fe076b333b 100644
--- a/lib/gitlab/github_import/client.rb
+++ b/lib/gitlab/github_import/client.rb
@@ -46,7 +46,7 @@ module Gitlab
       end
 
       def github_options
-        OmniAuth::Strategies::GitHub.default_options[:client_options]
+        OmniAuth::Strategies::GitHub.default_options[:client_options].dup
       end
     end
   end
diff --git a/lib/gitlab/gitlab_import/client.rb b/lib/gitlab/gitlab_import/client.rb
index ecf4ff94e39..2236439c6ce 100644
--- a/lib/gitlab/gitlab_import/client.rb
+++ b/lib/gitlab/gitlab_import/client.rb
@@ -71,7 +71,7 @@ module Gitlab
       end
 
       def gitlab_options
-        OmniAuth::Strategies::GitLab.default_options[:client_options]
+        OmniAuth::Strategies::GitLab.default_options[:client_options].dup
       end
     end
   end
diff --git a/lib/gitlab/ldap/access.rb b/lib/gitlab/ldap/access.rb
index 0c85acf7e69..960fb3849b4 100644
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -34,7 +34,15 @@ module Gitlab
       def allowed?
         if Gitlab::LDAP::Person.find_by_dn(user.ldap_identity.extern_uid, adapter)
           return true unless ldap_config.active_directory
-          !Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+
+          # Block user in GitLab if he/she was blocked in AD
+          if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
+            user.block unless user.blocked?
+            false
+          else
+            user.activate if user.blocked?
+            true
+          end
         else
           false
         end
diff --git a/lib/gitlab/ldap/authentication.rb b/lib/gitlab/ldap/authentication.rb
index 8af2c74e959..649cf3194b8 100644
--- a/lib/gitlab/ldap/authentication.rb
+++ b/lib/gitlab/ldap/authentication.rb
@@ -50,7 +50,7 @@ module Gitlab
       end
 
       def user_filter(login)
-        filter = Net::LDAP::Filter.eq(config.uid, login)
+        filter = Net::LDAP::Filter.equals(config.uid, login)
 
         # Apply LDAP user filter if present
         if config.user_filter.present?
diff --git a/lib/gitlab/ldap/person.rb b/lib/gitlab/ldap/person.rb
index 3e0b3e6cbf8..3c426179375 100644
--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -9,10 +9,12 @@ module Gitlab
       attr_accessor :entry, :provider
 
       def self.find_by_uid(uid, adapter)
+        uid = Net::LDAP::Filter.escape(uid)
         adapter.user(adapter.config.uid, uid)
       end
 
       def self.find_by_dn(dn, adapter)
+        dn = Net::LDAP::Filter.escape(dn)
         adapter.user('dn', dn)
       end
 
diff --git a/lib/gitlab/markdown.rb b/lib/gitlab/markdown.rb
index d85c2ee4f2d..2dfa18da482 100644
--- a/lib/gitlab/markdown.rb
+++ b/lib/gitlab/markdown.rb
@@ -14,6 +14,7 @@ module Gitlab
   #   * !123 for merge requests
   #   * $123 for snippets
   #   * 123456 for commits
+  #   * 123456...7890123 for commit ranges (comparisons)
   #
   # It also parses Emoji codes to insert images. See
   # http://www.emoji-cheat-sheet.com/ for a list of the supported icons.
@@ -133,13 +134,14 @@ module Gitlab
         |#{PROJ_STR}?\#(?<issue>([a-zA-Z\-]+-)?\d+) # Issue ID
         |#{PROJ_STR}?!(?<merge_request>\d+)  # MR ID
         |\$(?<snippet>\d+)                   # Snippet ID
+        |(#{PROJ_STR}@)?(?<commit_range>[\h]{6,40}\.{2,3}[\h]{6,40}) # Commit range
         |(#{PROJ_STR}@)?(?<commit>[\h]{6,40}) # Commit ID
         |(?<skip>gfm-extraction-[\h]{6,40})  # Skip gfm extractions. Otherwise will be parsed as commit
       )
       (?<suffix>\W)?                         # Suffix
     }x.freeze
 
-    TYPES = [:user, :issue, :label, :merge_request, :snippet, :commit].freeze
+    TYPES = [:user, :issue, :label, :merge_request, :snippet, :commit, :commit_range].freeze
 
     def parse_references(text, project = @project)
       # parse reference links
@@ -290,6 +292,30 @@ module Gitlab
       end
     end
 
+    def reference_commit_range(identifier, project = @project, prefix_text = nil)
+      from_id, to_id = identifier.split(/\.{2,3}/, 2)
+
+      inclusive = identifier !~ /\.{3}/
+      from_id << "^" if inclusive
+
+      if project.valid_repo? && 
+          from = project.repository.commit(from_id) && 
+          to = project.repository.commit(to_id)
+
+        options = html_options.merge(
+          title: "Commits #{from_id} through #{to_id}",
+          class: "gfm gfm-commit_range #{html_options[:class]}"
+        )
+        prefix_text = "#{prefix_text}@" if prefix_text
+
+        link_to(
+          "#{prefix_text}#{identifier}",
+          namespace_project_compare_url(project.namespace, project, from: from_id, to: to_id),
+          options
+        )
+      end
+    end
+
     def reference_external_issue(identifier, project = @project,
                                  prefix_text = nil)
       url = url_for_issue(identifier, project)
diff --git a/lib/gitlab/push_data_builder.rb b/lib/gitlab/push_data_builder.rb
index 5cefa67d3ab..ea9012b8844 100644
--- a/lib/gitlab/push_data_builder.rb
+++ b/lib/gitlab/push_data_builder.rb
@@ -28,9 +28,10 @@ module Gitlab
         # Get latest 20 commits ASC
         commits_limited = commits.last(20)
 
+        type = Gitlab::Git.tag_ref?(ref) ? "tag_push" : "push"
         # Hash to be passed as post_receive_data
         data = {
-          object_kind: "push",
+          object_kind: type,
           before: oldrev,
           after: newrev,
           ref: ref,
@@ -58,6 +59,7 @@ module Gitlab
           data[:commits] << commit.hook_attrs(project)
         end
 
+        data[:commits] = "" if data[:commits].count == 0
         data
       end
 
@@ -65,12 +67,13 @@ module Gitlab
       # existing project and commits to test web hooks
       def build_sample(project, user)
         commits = project.repository.commits(project.default_branch, nil, 3)
-        build(project, user, commits.last.id, commits.first.id, "refs/heads/#{project.default_branch}", commits)
+        ref = "#{Gitlab::Git::BRANCH_REF_PREFIX}#{project.default_branch}"
+        build(project, user, commits.last.id, commits.first.id, ref, commits)
       end
 
       def checkout_sha(repository, newrev, ref)
-        if newrev != Gitlab::Git::BLANK_SHA && ref.start_with?('refs/tags/')
-          tag_name = Gitlab::Git.extract_ref_name(ref)
+        if newrev != Gitlab::Git::BLANK_SHA && Gitlab::Git.tag_ref?(ref)
+          tag_name = Gitlab::Git.ref_name(ref)
           tag = repository.find_tag(tag_name)
 
           if tag
diff --git a/lib/gitlab/reference_extractor.rb b/lib/gitlab/reference_extractor.rb
index 7e5c991a222..5b9772de168 100644
--- a/lib/gitlab/reference_extractor.rb
+++ b/lib/gitlab/reference_extractor.rb
@@ -1,13 +1,13 @@
 module Gitlab
   # Extract possible GFM references from an arbitrary String for further processing.
   class ReferenceExtractor
-    attr_accessor :users, :labels, :issues, :merge_requests, :snippets, :commits
+    attr_accessor :users, :labels, :issues, :merge_requests, :snippets, :commits, :commit_ranges
 
     include Markdown
 
     def initialize
-      @users, @labels, @issues, @merge_requests, @snippets, @commits =
-        [], [], [], [], [], []
+      @users, @labels, @issues, @merge_requests, @snippets, @commits, @commit_ranges =
+        [], [], [], [], [], [], []
     end
 
     def analyze(string, project)
@@ -60,6 +60,16 @@ module Gitlab
       end.reject(&:nil?)
     end
 
+    def commit_ranges_for(project = nil)
+      commit_ranges.map do |entry|
+        repo = entry[:project].repository if entry[:project]
+        if repo && should_lookup?(project, entry[:project])
+          from_id, to_id = entry[:id].split(/\.{2,3}/, 2)
+          [repo.commit(from_id), repo.commit(to_id)]
+        end
+      end.reject(&:nil?)
+    end
+
     private
 
     def reference_link(type, identifier, project, _)
diff --git a/lib/gitlab/theme.rb b/lib/gitlab/theme.rb
index a7c83a880f6..9799e54de5d 100644
--- a/lib/gitlab/theme.rb
+++ b/lib/gitlab/theme.rb
@@ -5,6 +5,7 @@ module Gitlab
     MODERN = 3 unless const_defined?(:MODERN)
     GRAY   = 4 unless const_defined?(:GRAY)
     COLOR  = 5 unless const_defined?(:COLOR)
+    BLUE   = 6 unless const_defined?(:BLUE)
 
     def self.css_class_by_id(id)
       themes = {
@@ -12,7 +13,8 @@ module Gitlab
         MARS   => "ui_mars",
         MODERN => "ui_modern",
         GRAY   => "ui_gray",
-        COLOR  => "ui_color"
+        COLOR  => "ui_color",
+        BLUE   => "ui_blue"
       }
 
       id ||= Gitlab.config.gitlab.default_theme
diff --git a/lib/redcarpet/render/gitlab_html.rb b/lib/redcarpet/render/gitlab_html.rb
index 714261f815c..1cd3933e4b7 100644
--- a/lib/redcarpet/render/gitlab_html.rb
+++ b/lib/redcarpet/render/gitlab_html.rb
@@ -3,13 +3,20 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   attr_reader :template
   alias_method :h, :template
 
-  def initialize(template, options = {})
+  def initialize(template, color_scheme, options = {})
     @template = template
+    @color_scheme = color_scheme
     @project = @template.instance_variable_get("@project")
     @options = options.dup
     super options
   end
 
+  def preprocess(full_document)
+    # Redcarpet doesn't allow SMB links when `safe_links_only` is enabled.
+    # FTP links are allowed, so we trick Redcarpet.
+    full_document.gsub("smb://", "ftp://smb:")
+  end
+
   # If project has issue number 39, apostrophe will be linked in
   # regular text to the issue as Redcarpet will convert apostrophe to
   # #39;
@@ -34,7 +41,7 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
     end
 
     formatter = Rugments::Formatters::HTML.new(
-      cssclass: "code highlight white #{lexer.tag}"
+      cssclass: "code highlight #{@color_scheme} #{lexer.tag}"
     )
     formatter.format(lexer.lex(code))
   end
@@ -54,6 +61,8 @@ class Redcarpet::Render::GitlabHTML < Redcarpet::Render::HTML
   end
 
   def postprocess(full_document)
+    full_document.gsub!("ftp://smb:", "smb://")
+
     full_document.gsub!("&rsquo;", "'")
     unless @template.instance_variable_get("@project_wiki") || @project.nil?
       full_document = h.create_relative_links(full_document)
diff --git a/lib/tasks/gitlab/check.rake b/lib/tasks/gitlab/check.rake
index 43115915de1..976c4b5f22f 100644
--- a/lib/tasks/gitlab/check.rake
+++ b/lib/tasks/gitlab/check.rake
@@ -29,6 +29,7 @@ namespace :gitlab do
       check_redis_version
       check_ruby_version
       check_git_version
+      check_active_users
 
       finished_checking "GitLab"
     end
@@ -781,6 +782,10 @@ namespace :gitlab do
     end
   end
 
+  def check_active_users
+    puts "Active users: #{User.active.count}"
+  end
+
   def omnibus_gitlab?
     Dir.pwd == '/opt/gitlab/embedded/service/gitlab-rails'
   end