Add latest changes from gitlab-org/gitlab@master

9 files changed, 182 insertions, 78 deletions

diff --git a/lib/api/environments.rb b/lib/api/environments.rb
index 11f1cab0c72..efc86bdc19a 100644
--- a/lib/api/environments.rb
+++ b/lib/api/environments.rb
@@ -22,16 +22,15 @@ module API
         use :pagination
         optional :name, type: String, desc: 'Returns the environment with this name'
         optional :search, type: String, desc: 'Returns list of environments matching the search criteria'
+        optional :states, type: String, values: Environment.valid_states.map(&:to_s), desc: 'List all environments that match a specific state'
         mutually_exclusive :name, :search, message: 'cannot be used together'
       end
       get ':id/environments' do
         authorize! :read_environment, user_project
 
-        environments = ::Environments::EnvironmentsFinder.new(user_project, current_user, params).execute
+        environments = ::Environments::EnvironmentsFinder.new(user_project, current_user, declared_params(include_missing: false)).execute
 
         present paginate(environments), with: Entities::Environment, current_user: current_user
-      rescue ::Environments::EnvironmentsFinder::InvalidStatesError => exception
-        bad_request!(exception.message)
       end
 
       desc 'Creates a new environment' do
diff --git a/lib/api/features.rb b/lib/api/features.rb
index bff2817a2ec..13a6aedc2df 100644
--- a/lib/api/features.rb
+++ b/lib/api/features.rb
@@ -68,10 +68,13 @@ module API
         requires :value, type: String, desc: '`true` or `false` to enable/disable, a float for percentage of time'
         optional :key, type: String, desc: '`percentage_of_actors` or the default `percentage_of_time`'
         optional :feature_group, type: String, desc: 'A Feature group name'
-        optional :user, type: String, desc: 'A GitLab username'
-        optional :group, type: String, desc: "A GitLab group's path, such as 'gitlab-org'"
-        optional :namespace, type: String, desc: "A GitLab group or user namespace path, such as 'gitlab-org'"
-        optional :project, type: String, desc: 'A projects path, like gitlab-org/gitlab-ce'
+        optional :user, type: String, desc: 'A GitLab username or comma-separated multiple usernames'
+        optional :group, type: String,
+          desc: "A GitLab group's path, such as 'gitlab-org', or comma-separated multiple group paths"
+        optional :namespace, type: String,
+          desc: "A GitLab group or user namespace path, such as 'john-doe', or comma-separated multiple namespace paths"
+        optional :project, type: String,
+          desc: "A projects path, such as `gitlab-org/gitlab-ce`, or comma-separated multiple project paths"
         optional :force, type: Boolean, desc: 'Skip feature flag validation checks, ie. YAML definition'
 
         mutually_exclusive :key, :feature_group
@@ -110,6 +113,8 @@ module API
 
         present Feature.get(params[:name]), # rubocop:disable Gitlab/AvoidFeatureGet
           with: Entities::Feature, current_user: current_user
+      rescue Feature::Target::UnknowTargetError => e
+        bad_request!(e.message)
       end
 
       desc 'Remove the gate value for the given feature'
diff --git a/lib/backup/manager.rb b/lib/backup/manager.rb
index 0991177d044..f249becb8f9 100644
--- a/lib/backup/manager.rb
+++ b/lib/backup/manager.rb
@@ -41,29 +41,8 @@ module Backup
     end
 
     def create
-      if incremental?
-        unpack(ENV.fetch('PREVIOUS_BACKUP', ENV['BACKUP']))
-        read_backup_information
-        verify_backup_version
-        update_backup_information
-      end
-
-      build_backup_information
-
-      definitions.keys.each do |task_name|
-        run_create_task(task_name)
-      end
-
-      write_backup_information
-
-      if skipped?('tar')
-        upload
-      else
-        pack
-        upload
-        cleanup
-        remove_old
-      end
+      unpack(ENV.fetch('PREVIOUS_BACKUP', ENV['BACKUP'])) if incremental?
+      run_all_create_tasks
 
       puts_time "Warning: Your gitlab.rb and gitlab-secrets.json files contain sensitive data \n" \
            "and are not included in this backup. You will need these files to restore a backup.\n" \
@@ -95,22 +74,8 @@ module Backup
     end
 
     def restore
-      cleanup_required = unpack(ENV['BACKUP'])
-      read_backup_information
-      verify_backup_version
-
-      definitions.keys.each do |task_name|
-        run_restore_task(task_name) if !skipped?(task_name) && enabled_task?(task_name)
-      end
-
-      Rake::Task['gitlab:shell:setup'].invoke
-      Rake::Task['cache:clear'].invoke
-
-      if cleanup_required
-        cleanup
-      end
-
-      remove_tmp
+      unpack(ENV['BACKUP'])
+      run_all_restore_tasks
 
       puts_time "Warning: Your gitlab.rb and gitlab-secrets.json files contain sensitive data \n" \
         "and are not included in this backup. You will need to restore these files manually.".color(:red)
@@ -232,6 +197,48 @@ module Backup
       Files.new(progress, app_files_dir, excludes: excludes)
     end
 
+    def run_all_create_tasks
+      if incremental?
+        read_backup_information
+        verify_backup_version
+        update_backup_information
+      end
+
+      build_backup_information
+
+      definitions.keys.each do |task_name|
+        run_create_task(task_name)
+      end
+
+      write_backup_information
+
+      unless skipped?('tar')
+        pack
+        upload
+        remove_old
+      end
+
+    ensure
+      cleanup unless skipped?('tar')
+      remove_tmp
+    end
+
+    def run_all_restore_tasks
+      read_backup_information
+      verify_backup_version
+
+      definitions.keys.each do |task_name|
+        run_restore_task(task_name) if !skipped?(task_name) && enabled_task?(task_name)
+      end
+
+      Rake::Task['gitlab:shell:setup'].invoke
+      Rake::Task['cache:clear'].invoke
+
+    ensure
+      cleanup unless skipped?('tar')
+      remove_tmp
+    end
+
     def incremental?
       @incremental
     end
@@ -299,7 +306,7 @@ module Backup
 
     def upload
       connection_settings = Gitlab.config.backup.upload.connection
-      if connection_settings.blank? || skipped?('remote')
+      if connection_settings.blank? || skipped?('remote') || skipped?('tar')
         puts_time "Uploading backup archive to remote storage #{remote_directory} ... ".color(:blue) + "[SKIPPED]".color(:cyan)
         return
       end
@@ -405,8 +412,7 @@ module Backup
     def unpack(source_backup_id)
       if source_backup_id.blank? && non_tarred_backup?
         puts_time "Non tarred backup found in #{backup_path}, using that"
-
-        return false
+        return
       end
 
       Dir.chdir(backup_path) do
diff --git a/lib/banzai/filter/references/commit_reference_filter.rb b/lib/banzai/filter/references/commit_reference_filter.rb
index 157dc696cc8..86ab8597cf5 100644
--- a/lib/banzai/filter/references/commit_reference_filter.rb
+++ b/lib/banzai/filter/references/commit_reference_filter.rb
@@ -19,7 +19,12 @@ module Banzai
         def find_object(project, id)
           return unless project.is_a?(Project) && project.valid_repo?
 
-          _, record = reference_cache.records_per_parent[project].detect { |k, _v| Gitlab::Git.shas_eql?(k, id) }
+          # Optimization: try exact commit hash match first
+          record = reference_cache.records_per_parent[project].fetch(id, nil)
+
+          unless record
+            _, record = reference_cache.records_per_parent[project].detect { |k, _v| Gitlab::Git.shas_eql?(k, id) }
+          end
 
           record
         end
diff --git a/lib/feature.rb b/lib/feature.rb
index b5a97ee8f9b..3bba4be7514 100644
--- a/lib/feature.rb
+++ b/lib/feature.rb
@@ -281,6 +281,8 @@ class Feature
   end
 
   class Target
+    UnknowTargetError = Class.new(StandardError)
+
     attr_reader :params
 
     def initialize(params)
@@ -292,7 +294,7 @@ class Feature
     end
 
     def targets
-      [feature_group, user, project, group, namespace].compact
+      [feature_group, users, projects, groups, namespaces].flatten.compact
     end
 
     private
@@ -305,29 +307,37 @@ class Feature
     end
     # rubocop: enable CodeReuse/ActiveRecord
 
-    def user
+    def users
       return unless params.key?(:user)
 
-      UserFinder.new(params[:user]).find_by_username!
+      params[:user].split(',').map do |arg|
+        UserFinder.new(arg).find_by_username || (raise UnknowTargetError, "#{arg} is not found!")
+      end
     end
 
-    def project
+    def projects
       return unless params.key?(:project)
 
-      Project.find_by_full_path(params[:project])
+      params[:project].split(',').map do |arg|
+        Project.find_by_full_path(arg) || (raise UnknowTargetError, "#{arg} is not found!")
+      end
     end
 
-    def group
+    def groups
       return unless params.key?(:group)
 
-      Group.find_by_full_path(params[:group])
+      params[:group].split(',').map do |arg|
+        Group.find_by_full_path(arg) || (raise UnknowTargetError, "#{arg} is not found!")
+      end
     end
 
-    def namespace
+    def namespaces
       return unless params.key?(:namespace)
 
-      # We are interested in Group or UserNamespace
-      Namespace.without_project_namespaces.find_by_full_path(params[:namespace])
+      params[:namespace].split(',').map do |arg|
+        # We are interested in Group or UserNamespace
+        Namespace.without_project_namespaces.find_by_full_path(arg) || (raise UnknowTargetError, "#{arg} is not found!")
+      end
     end
   end
 end
diff --git a/lib/gitlab/content_security_policy/config_loader.rb b/lib/gitlab/content_security_policy/config_loader.rb
index 521dec110a8..574a7dceaa4 100644
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -44,6 +44,7 @@ module Gitlab
         allow_sentry(directives) if Gitlab.config.sentry&.enabled && Gitlab.config.sentry&.clientside_dsn
         allow_framed_gitlab_paths(directives)
         allow_customersdot(directives) if ENV['CUSTOMER_PORTAL_URL'].present?
+        allow_review_apps(directives) if ENV['REVIEW_APPS_ENABLED']
 
         # The follow section contains workarounds to patch Safari's lack of support for CSP Level 3
         # See https://gitlab.com/gitlab-org/gitlab/-/issues/343579
@@ -154,6 +155,11 @@ module Gitlab
           append_to_directive(directives, 'frame_src', Gitlab::Utils.append_path(Gitlab.config.gitlab.url, path))
         end
       end
+
+      def self.allow_review_apps(directives)
+        # Allow-listed to allow POSTs to https://gitlab.com/api/v4/projects/278964/merge_requests/:merge_request_iid/visual_review_discussions
+        append_to_directive(directives, 'connect_src', 'https://gitlab.com/api/v4/projects/278964/merge_requests/')
+      end
     end
   end
 end
diff --git a/lib/gitlab/git.rb b/lib/gitlab/git.rb
index 2da30b88d55..505d0b8d728 100644
--- a/lib/gitlab/git.rb
+++ b/lib/gitlab/git.rb
@@ -87,7 +87,12 @@ module Gitlab
         length = [sha1.length, sha2.length].min
         return false if length < Gitlab::Git::Commit::MIN_SHA_LENGTH
 
-        sha1[0, length] == sha2[0, length]
+        # Optimization: prevent unnecessary substring creation
+        if sha1.length == sha2.length
+          sha1 == sha2
+        else
+          sha1[0, length] == sha2[0, length]
+        end
       end
     end
   end
diff --git a/lib/tasks/gitlab/db/lock_writes.rake b/lib/tasks/gitlab/db/lock_writes.rake
new file mode 100644
index 00000000000..1d1a67aa2a1
--- /dev/null
+++ b/lib/tasks/gitlab/db/lock_writes.rake
@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+namespace :gitlab do
+  namespace :db do
+    TRIGGER_FUNCTION_NAME = 'gitlab_schema_prevent_write'
+
+    desc "GitLab | DB | Install prevent write triggers on all databases"
+    task lock_writes: [:environment, 'gitlab:db:validate_config'] do
+      Gitlab::Database::EachDatabase.each_database_connection do |connection, database_name|
+        create_write_trigger_function(connection)
+
+        schemas_for_connection = Gitlab::Database.gitlab_schemas_for_connection(connection)
+        Gitlab::Database::GitlabSchema.tables_to_schema.each do |table_name, schema_name|
+          connection.transaction do
+            if schemas_for_connection.include?(schema_name.to_sym)
+              drop_write_trigger(database_name, connection, table_name)
+            else
+              create_write_trigger(database_name, connection, table_name)
+            end
+          end
+        end
+      end
+    end
+
+    desc "GitLab | DB | Remove all triggers that prevents writes from all databases"
+    task unlock_writes: :environment do
+      Gitlab::Database::EachDatabase.each_database_connection do |connection, database_name|
+        Gitlab::Database::GitlabSchema.tables_to_schema.each do |table_name, schema_name|
+          drop_write_trigger(database_name, connection, table_name)
+        end
+        drop_write_trigger_function(connection)
+      end
+    end
+
+    def create_write_trigger_function(connection)
+      sql = <<-SQL
+        CREATE OR REPLACE FUNCTION #{TRIGGER_FUNCTION_NAME}()
+          RETURNS TRIGGER AS
+          $$
+          BEGIN
+            RAISE EXCEPTION 'Table: "%" is write protected within this Gitlab database.', TG_TABLE_NAME
+              USING ERRCODE = 'modifying_sql_data_not_permitted',
+              HINT = 'Make sure you are using the right database connection';
+          END
+          $$ LANGUAGE PLPGSQL
+      SQL
+
+      connection.execute(sql)
+    end
+
+    def drop_write_trigger_function(connection)
+      sql = <<-SQL
+        DROP FUNCTION IF EXISTS #{TRIGGER_FUNCTION_NAME}()
+      SQL
+
+      connection.execute(sql)
+    end
+
+    def create_write_trigger(database_name, connection, table_name)
+      puts "#{database_name}: '#{table_name}'... Lock Writes".color(:red)
+      sql = <<-SQL
+          DROP TRIGGER IF EXISTS #{write_trigger_name(table_name)} ON #{table_name};
+          CREATE TRIGGER #{write_trigger_name(table_name)}
+            BEFORE INSERT OR UPDATE OR DELETE OR TRUNCATE
+            ON #{table_name}
+            FOR EACH STATEMENT EXECUTE FUNCTION #{TRIGGER_FUNCTION_NAME}();
+      SQL
+
+      connection.execute(sql)
+    end
+
+    def drop_write_trigger(database_name, connection, table_name)
+      puts "#{database_name}: '#{table_name}'... Allow Writes".color(:green)
+      sql = <<-SQL
+        DROP TRIGGER IF EXISTS #{write_trigger_name(table_name)} ON #{table_name}
+      SQL
+
+      connection.execute(sql)
+    end
+
+    def write_trigger_name(table_name)
+      "gitlab_schema_write_trigger_for_#{table_name}"
+    end
+  end
+end
diff --git a/lib/tasks/migrate/composite_primary_keys.rake b/lib/tasks/migrate/composite_primary_keys.rake
deleted file mode 100644
index 68f7c4d6c4a..00000000000
--- a/lib/tasks/migrate/composite_primary_keys.rake
+++ /dev/null
@@ -1,17 +0,0 @@
-# frozen_string_literal: true
-
-namespace :gitlab do
-  namespace :db do
-    desc 'GitLab | DB | Adds primary keys to tables that only have composite unique keys'
-    task composite_primary_keys_add: :environment do
-      require Rails.root.join('db/optional_migrations/composite_primary_keys')
-      CompositePrimaryKeysMigration.new.up
-    end
-
-    desc 'GitLab | DB | Removes previously added composite primary keys'
-    task composite_primary_keys_drop: :environment do
-      require Rails.root.join('db/optional_migrations/composite_primary_keys')
-      CompositePrimaryKeysMigration.new.down
-    end
-  end
-end