6 files changed, 46 insertions, 0 deletions

diff --git a/app/models/ci/secure_file.rb b/app/models/ci/secure_file.rb
index 0644c9f3235..3cc57e8f907 100644
--- a/app/models/ci/secure_file.rb
+++ b/app/models/ci/secure_file.rb
@@ -7,6 +7,7 @@ module Ci
 
     FILE_SIZE_LIMIT = 5.megabytes.freeze
     CHECKSUM_ALGORITHM = 'sha256'
+    PARSABLE_EXTENSIONS = ['cer'].freeze
 
     self.limit_scope = :project
     self.limit_name = 'project_ci_secure_files'
@@ -34,6 +35,37 @@ module Ci
       CHECKSUM_ALGORITHM
     end
 
+    def file_extension
+      File.extname(name).delete_prefix('.')
+    end
+
+    def metadata_parsable?
+      PARSABLE_EXTENSIONS.include?(file_extension)
+    end
+
+    def metadata_parser
+      return unless metadata_parsable?
+
+      case file_extension
+      when 'cer'
+        Gitlab::Ci::SecureFiles::Cer.new(file.read)
+      end
+    end
+
+    def update_metadata!
+      return unless metadata_parser
+
+      begin
+        parser = metadata_parser
+        self.metadata = parser.metadata
+        self.expires_at = parser.expires_at if parser.respond_to?(:expires_at)
+        save!
+      rescue StandardError => err
+        Gitlab::AppLogger.error("Secure File Parser Failure (#{id}): #{err.message} - #{parser.error}.")
+        nil
+      end
+    end
+
     private
 
     def assign_checksum
diff --git a/app/models/group_label.rb b/app/models/group_label.rb
index ff14529c6e6..0d2eb524929 100644
--- a/app/models/group_label.rb
+++ b/app/models/group_label.rb
@@ -2,6 +2,7 @@
 
 class GroupLabel < Label
   belongs_to :group
+  belongs_to :parent_container, foreign_key: :group_id, class_name: 'Group'
 
   validates :group, presence: true
 
diff --git a/app/models/label.rb b/app/models/label.rb
index 6608a0573cb..35daca92089 100644
--- a/app/models/label.rb
+++ b/app/models/label.rb
@@ -42,6 +42,7 @@ class Label < ApplicationRecord
   scope :order_name_asc, -> { reorder(title: :asc) }
   scope :order_name_desc, -> { reorder(title: :desc) }
   scope :subscribed_by, ->(user_id) { joins(:subscriptions).where(subscriptions: { user_id: user_id, subscribed: true }) }
+  scope :with_preloaded_container, -> { preload(parent_container: :route) }
 
   scope :top_labels_by_target, -> (target_relation) {
     label_id_column = arel_table[:id]
@@ -59,6 +60,14 @@ class Label < ApplicationRecord
       .distinct
   }
 
+  scope :for_targets, ->(target_ids, targets_type) do
+    joins(:label_links)
+      .where(label_links: { target_id: target_ids })
+      .where(label_links: { target_type: targets_type })
+      .select("labels.*, target_id")
+      .with_preloaded_container
+  end
+
   def self.prioritized(project)
     joins(:priorities)
       .where(label_priorities: { project_id: project })
diff --git a/app/models/preloaders/labels_preloader.rb b/app/models/preloaders/labels_preloader.rb
index 722d588d8bc..b6e73c1cd02 100644
--- a/app/models/preloaders/labels_preloader.rb
+++ b/app/models/preloaders/labels_preloader.rb
@@ -21,8 +21,10 @@ module Preloaders
     def preload_all
       preloader = ActiveRecord::Associations::Preloader.new
 
+      preloader.preload(labels, parent_container: :route)
       preloader.preload(labels.select { |l| l.is_a? ProjectLabel }, { project: [:project_feature, namespace: :route] })
       preloader.preload(labels.select { |l| l.is_a? GroupLabel }, { group: :route })
+
       labels.each do |label|
         label.lazy_subscription(user)
         label.lazy_subscription(user, project) if project.present?
diff --git a/app/models/project_label.rb b/app/models/project_label.rb
index d0b16cc98b4..dc647901b46 100644
--- a/app/models/project_label.rb
+++ b/app/models/project_label.rb
@@ -4,6 +4,7 @@ class ProjectLabel < Label
   MAX_NUMBER_OF_PRIORITIES = 1
 
   belongs_to :project
+  belongs_to :parent_container, foreign_key: :project_id, class_name: 'Project'
 
   validates :project, presence: true
 
diff --git a/app/models/user.rb b/app/models/user.rb
index d64a52ff7b9..be3bec0d142 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -935,6 +935,7 @@ class User < ApplicationRecord
   # that the password is the user's password
   def valid_password?(password)
     return false unless password_allowed?(password)
+    return false if password_automatically_set?
     return super if Feature.enabled?(:pbkdf2_password_encryption)
 
     Devise::Encryptor.compare(self.class, encrypted_password, password)