11 files changed, 78 insertions, 5 deletions

diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 6fc33e8971e..be23166cb7b 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -166,6 +166,23 @@ production: &base
     #     aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
     #     endpoint: 'https://s3.amazonaws.com' # default: nil - Useful for S3 compliant services such as DigitalOcean Spaces
 
+  ## Merge request external diff storage
+  external_diffs:
+    # If disabled (the default), the diffs are in-database. Otherwise, they can
+    # be stored on disk, or in object storage
+    enabled: false
+    # The location where external diffs are stored (default: shared/lfs-external-diffs).
+    # storage_path: shared/external-diffs
+    # object_store:
+    #   enabled: false
+    #   remote_directory: external-diffs
+    #   background_upload: false
+    #   proxy_download: false
+    #   connection:
+    #     provider: AWS
+    #     aws_access_key_id: AWS_ACCESS_KEY_ID
+    #     aws_secret_access_key: AWS_SECRET_ACCESS_KEY
+    #     region: us-east-1
 
   ## Git LFS
   lfs:
@@ -733,6 +750,18 @@ test:
   <<: *base
   gravatar:
     enabled: true
+  external_diffs:
+    enabled: false
+    # The location where external diffs are stored (default: shared/external-diffs).
+    # storage_path: shared/external-diffs
+    object_store:
+      enabled: false
+      remote_directory: external-diffs # The bucket name
+      connection:
+        provider: AWS # Only AWS supported at the moment
+        aws_access_key_id: AWS_ACCESS_KEY_ID
+        aws_secret_access_key: AWS_SECRET_ACCESS_KEY
+        region: us-east-1
   lfs:
     enabled: false
     # The location where LFS objects are stored (default: shared/lfs-objects).
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 1aed41e02ab..dfcf1e648b4 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -216,6 +216,14 @@ Settings.pages['admin'] ||= Settingslogic.new({})
 Settings.pages.admin['certificate'] ||= ''
 
 #
+# External merge request diffs
+#
+Settings['external_diffs'] ||= Settingslogic.new({})
+Settings.external_diffs['enabled']      = false if Settings.external_diffs['enabled'].nil?
+Settings.external_diffs['storage_path'] = Settings.absolute(Settings.external_diffs['storage_path'] || File.join(Settings.shared['path'], 'external-diffs'))
+Settings.external_diffs['object_store'] = ObjectStoreSettings.parse(Settings.external_diffs['object_store'])
+
+#
 # Git LFS
 #
 Settings['lfs'] ||= Settingslogic.new({})
diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
index e97c0fcbd6b..fd5a62c39c6 100644
--- a/config/initializers/doorkeeper_openid_connect.rb
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -31,8 +31,27 @@ Doorkeeper::OpenidConnect.configure do
 
       o.claim(:name)           { |user| user.name }
       o.claim(:nickname)       { |user| user.username }
-      o.claim(:email)          { |user| user.public_email }
-      o.claim(:email_verified) { |user| true if user.public_email? }
+
+      # Check whether the application has access to the email scope, and grant
+      # access to the user's primary email address if so, otherwise their
+      # public email address (if present)
+      # This allows existing solutions built for GitLab's old behavior to keep
+      # working without modification.
+      o.claim(:email) do |user, scopes|
+        scopes.exists?(:email) ? user.email : user.public_email
+      end
+      o.claim(:email_verified) do |user, scopes|
+        if scopes.exists?(:email)
+          user.primary_email_verified?
+        elsif user.public_email?
+          user.verified_email?(user.public_email)
+        else
+          # If there is no public email set, tell doorkicker-openid-connect to
+          # exclude the email_verified claim by returning nil.
+          nil
+        end
+      end
+
       o.claim(:website)        { |user| user.full_website_url if user.website_url? }
       o.claim(:profile)        { |user| Gitlab::Routing.url_helpers.user_url user }
       o.claim(:picture)        { |user| user.avatar_url(only_path: false) }
diff --git a/config/initializers/sprockets_base_file_digest_key.rb b/config/initializers/sprockets_base_file_digest_key.rb
new file mode 100644
index 00000000000..81ff3812091
--- /dev/null
+++ b/config/initializers/sprockets_base_file_digest_key.rb
@@ -0,0 +1,3 @@
+# frozen_string_literal: true
+
+Sprockets::Base.prepend(Gitlab::Patch::SprocketsBaseFileDigestKey)
diff --git a/config/initializers/zz_metrics.rb b/config/initializers/zz_metrics.rb
index 462e8c811a6..151cad3ef9a 100644
--- a/config/initializers/zz_metrics.rb
+++ b/config/initializers/zz_metrics.rb
@@ -173,7 +173,7 @@ if Gitlab::Metrics.enabled? && !Rails.env.test? && !(Rails.env.development? && d
     def connect(*args)
       val = super
 
-      if current_transaction = Gitlab::Metrics::Transaction.current
+      if current_transaction = ::Gitlab::Metrics::Transaction.current
         current_transaction.increment(:new_redis_connections, 1)
       end
 
diff --git a/config/locales/de.yml b/config/locales/de.yml
index 38c3711c6c7..554e9913faa 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -43,6 +43,7 @@ de:
       default: "%d.%m.%Y"
       long: "%e. %B %Y"
       short: "%e. %b"
+      admin: "%e %b, %Y"
     month_names:
     -
     - Januar
diff --git a/config/locales/doorkeeper.en.yml b/config/locales/doorkeeper.en.yml
index 9f451046462..a2dff92908e 100644
--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
@@ -64,6 +64,8 @@ en:
       read_registry: Grants permission to read container registry images
       openid: Authenticate using OpenID Connect
       sudo: Perform API actions as any user in the system
+      profile: Allows read-only access to the user's personal information using OpenID Connect
+      email: Allows read-only access to the user's primary email address using OpenID Connect
     scope_desc:
       api:
         Grants complete read/write access to the API, including all groups and projects.
@@ -77,6 +79,10 @@ en:
         Grants permission to authenticate with GitLab using OpenID Connect. Also gives read-only access to the user's profile and group memberships.
       sudo:
         Grants permission to perform API actions as any user in the system, when authenticated as an admin user.
+      profile:
+        Grants read-only access to the user's profile data using OpenID Connect.
+      email:
+        Grants read-only access to the user's primary email address using OpenID Connect.
     flash:
       applications:
         create:
diff --git a/config/locales/en.yml b/config/locales/en.yml
index 0a43a1d9a6b..e8dbc033a7c 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -55,6 +55,7 @@ en:
       default: "%Y-%m-%d"
       long: "%B %d, %Y"
       short: "%b %d"
+      admin: "%e %b, %Y"
     month_names:
     -
     - January
diff --git a/config/locales/es.yml b/config/locales/es.yml
index fdc52b4ae11..78c07583933 100644
--- a/config/locales/es.yml
+++ b/config/locales/es.yml
@@ -42,6 +42,7 @@ es:
       default: "%d/%m/%Y"
       long: "%d de %B de %Y"
       short: "%d de %b"
+      admin: "%e %b, %Y"
     month_names:
     -
     - enero
diff --git a/config/routes/import.rb b/config/routes/import.rb
index 69df82611f2..da5c31d0062 100644
--- a/config/routes/import.rb
+++ b/config/routes/import.rb
@@ -1,7 +1,7 @@
 # Alias import callbacks under the /users/auth endpoint so that
 # the OAuth2 callback URL can be restricted under http://example.com/users/auth
 # instead of http://example.com.
-Devise.omniauth_providers.each do |provider|
+Devise.omniauth_providers.map(&:downcase).each do |provider|
   next if provider == 'ldapmain'
 
   get "/users/auth/-/import/#{provider}/callback", to: "import/#{provider}#callback", as: "users_import_#{provider}_callback"
diff --git a/config/routes/project.rb b/config/routes/project.rb
index 21793e7756a..b4ebc7df4fe 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -224,6 +224,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         collection do
           get :metrics, action: :metrics_redirect
           get :folder, path: 'folders/*id', constraints: { format: /(html|json)/ }
+          get :search
         end
 
         resources :deployments, only: [:index] do
@@ -443,7 +444,11 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         end
       end
 
-      resources :error_tracking, only: [:index], controller: :error_tracking
+      resources :error_tracking, only: [:index], controller: :error_tracking do
+        collection do
+          post :list_projects
+        end
+      end
 
       # Since both wiki and repository routing contains wildcard characters
       # its preferable to keep it below all other project routes