Add latest changes from gitlab-org/gitlab@13-12-stable-ee

app/controllers/concerns/integrations_actions.rb

@@ -48,9 +48,12 @@ module IntegrationsActions
 
   private
 
+  # rubocop: disable Gitlab/ModuleWithInstanceVariables
   def integration
     @integration ||= find_or_initialize_non_project_specific_integration(params[:id])
+    @service ||= @integration # TODO: remove references to @service https://gitlab.com/gitlab-org/gitlab/-/issues/329759
   end
+  # rubocop: enable Gitlab/ModuleWithInstanceVariables
 
   def success_message
     if integration.active?

doc/api/groups.md

@@ -722,18 +722,21 @@ Example response:
 }
 ```
 
-### Disabling the results limit
+### Disable the results limit **(FREE SELF)**
 
-The 100 results limit can be disabled if it breaks integrations developed using GitLab
-12.4 and earlier.
+The 100 results limit can break integrations developed using GitLab 12.4 and earlier.
 
-To disable the limit while migrating to using the [list a group's projects](#list-a-groups-projects) endpoint, ask a GitLab administrator
-with Rails console access to run the following command:
+For GitLab 12.5 to GitLab 13.12, the limit can be disabled while migrating to using the
+[list a group's projects](#list-a-groups-projects) endpoint.
+
+Ask a GitLab administrator with Rails console access to run the following command:
 
 ```ruby
 Feature.disable(:limit_projects_in_groups_api)
 ```
 
+For GitLab 14.0 and later, the [limit cannot be disabled](https://gitlab.com/gitlab-org/gitlab/-/issues/257829).
+
 ## New group
 
 Creates a new project group. Available only for users who can create groups.
@@ -918,19 +921,21 @@ Example response:
 }
 ```
 
-### Disabling the results limit
+### Disable the results limit **(FREE SELF)**
 
-The 100 results limit can be disabled if it breaks integrations developed using GitLab
-12.4 and earlier.
+The 100 results limit can break integrations developed using GitLab 12.4 and earlier.
 
-To disable the limit while migrating to using the
-[list a group's projects](#list-a-groups-projects) endpoint, ask a GitLab administrator
-with Rails console access to run the following command:
+For GitLab 12.5 to GitLab 13.12, the limit can be disabled while migrating to using the
+[list a group's projects](#list-a-groups-projects) endpoint.
+
+Ask a GitLab administrator with Rails console access to run the following command:
 
 ```ruby
 Feature.disable(:limit_projects_in_groups_api)
 ```
 
+For GitLab 14.0 and later, the [limit cannot be disabled](https://gitlab.com/gitlab-org/gitlab/-/issues/257829).
+
 ### Options for `shared_runners_setting`
 
 The `shared_runners_setting` attribute determines whether shared runners are enabled for a group's subgroups and projects.

doc/api/oauth2.md

@@ -194,8 +194,10 @@ NOTE:
 For a detailed flow diagram, see the [RFC specification](https://tools.ietf.org/html/rfc6749#section-4.2).
 
 WARNING:
-The Implicit grant flow is inherently insecure. The IETF plans to remove it in
-[OAuth 2.1](https://oauth.net/2.1/).
+Implicit grant flow is inherently insecure and the IETF has removed it in [OAuth 2.1](https://oauth.net/2.1/).
+For this reason, [support for it is deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/288516).
+In GitLab 14.0, new applications can't be created using it. In GitLab 14.4, support for it is
+scheduled to be removed for existing applications.
 
 We recommend that you use [Authorization code with PKCE](#authorization-code-with-proof-key-for-code-exchange-pkce) instead. If you choose to use Implicit flow, be sure to verify the
 `application id` (or `client_id`) associated with the access token before granting

doc/user/admin_area/settings/floc.md

+---
+stage: none
+group: unassigned
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# Federated Learning of Cohorts (FLoC) **(FREE SELF)**
+
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/60933) in GitLab Free 13.12.
+
+Federated Learning of Conhorts (FLoC) is a feature that the Chrome browser has
+rolled out, where users are categorized into different cohorts, so that
+advertisers can use this data to uniquely target and track users. For more
+information, visit the [FLoC repository](https://github.com/WICG/floc).
+
+To avoid users being tracked and categorized in any GitLab instance, FLoC is
+disabled by default by sending the following header:
+
+```plaintext
+Permissions-Policy: interest-cohort=()
+```
+
+To enable it:
+
+1. Go to the Admin Area (**{admin}**) and select **Settings > General**.
+1. Expand **Federated Learning of Cohorts**.
+1. Check the box.
+1. Click **Save changes**.
+
+<!-- ## Troubleshooting
+
+Include any troubleshooting steps that you can foresee. If you know beforehand what issues
+one might have when setting this up, or when something is changed, or on upgrading, it's
+important to describe those, too. Think of things that may go wrong and include them here.
+This is important to minimize requests for support, and to avoid doc comments with
+questions that you know someone might ask.
+
+Each scenario can be a third-level heading, e.g. `### Getting error message X`.
+If you have none to add when creating a doc, leave this section in place
+but commented out to help encourage others to add to it in the future. -->

doc/user/admin_area/settings/index.md

@@ -28,6 +28,7 @@ Access the default page for admin area settings by navigating to **Admin Area >
 | [External Authentication](external_authorization.md#configuration) | External Classification Policy Authorization |
 | [Web terminal](../../../administration/integration/terminal.md#limiting-websocket-connection-time) | Set max session time for web terminal. |
 | [Web IDE](../../project/web_ide/index.md#enabling-live-preview) | Manage Web IDE Features. |
+| [FLoC](floc.md) | Enable or disable [Federated Learning of Cohorts (FLoC)](https://en.wikipedia.org/wiki/Federated_Learning_of_Cohorts) tracking. |
 
 ## Integrations
 

doc/user/application_security/vulnerability_report/index.md

@@ -45,11 +45,11 @@ From the Vulnerability Report you can:
 
 You can filter the vulnerabilities table by:
 
-| Filter  | Available options |
+| Filter   | Available options |
 |:---------|:------------------|
 | Status   | Detected, Confirmed, Dismissed, Resolved. |
 | Severity | Critical, High, Medium, Low, Info, Unknown. |
-| Scanner  | [Available scanners](../index.md#security-scanning-tools). |
+| Scanner  | For more details, see [Scanner filter](#scanner-filter). |
 | Project  | For more details, see [Project filter](#project-filter). |
 | Activity | For more details, see [Activity filter](#activity-filter). |
 
@@ -61,12 +61,27 @@ To filter the list of vulnerabilities:
 1. Select values from the dropdown.
 1. Repeat the above steps for each desired filter.
 
-The vulnerability table is applied immediately. The vulnerability severity totals are also updated.
+After each filter is selected:
+
+- The list of matching vulnerabilities is updated.
+- The vulnerability severity totals are updated.
 
 The filters' criteria are combined to show only vulnerabilities matching all criteria.
 An exception to this behavior is the Activity filter. For more details about how it works, see
 [Activity filter](#activity-filter).
 
+## Scanner filter
+
+The scanner filter allows you to focus on vulnerabilities detected by selected scanners.
+
+When using the scanner filter, you can choose:
+
+- **All scanners** (default).
+- Individual GitLab-provided scanners.
+- Any integrated 3rd-party scanner. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229661) in GitLab 13.12.
+
+For details of each of the available scanners, see [Security scanning tools](../index.md#security-scanning-tools).
+
 ### Project filter
 
 The content of the Project filter depends on the current level:
@@ -89,8 +104,8 @@ Selection behavior when using the Activity filter:
 
 | Activity selection                  | Results displayed |
 |:------------------------------------|:------------------|
-|  All                                | Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this will deselect any other Activity filter options. |
-|  No activity                        | Only vulnerabilities without either an associated Issue or that are no longer detected. Selecting this will deselect any other Activity filter options. |
+|  All                                | Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this deselects any other Activity filter options. |
+|  No activity                        | Only vulnerabilities without either an associated Issue or that are no longer detected. Selecting this deselects any other Activity filter options. |
 |  With issues                        | Only vulnerabilities with one or more associated issues. Does not include vulnerabilities that also are no longer detected. |
 |  No longer detected                 | Only vulnerabilities that are no longer detected in the latest pipeline scan of the `default` branch. Does not include vulnerabilities with one or more associated issues. |
 |  With issues and No longer detected | Only vulnerabilities that have one or more associated issues and also are no longer detected in the latest pipeline scan of the `default` branch. |

lib/gitlab/email/attachment_uploader.rb

@@ -40,7 +40,7 @@ module Gitlab
       def filter_signature_attachments(message)
         attachments = message.attachments
         content_type = normalize_mime(message.content_type)
-        protocol = normalize_mime(message.content_type_parameters[:protocol])
+        protocol = normalize_mime(message.content_type_parameters&.fetch(:protocol, nil))
 
         if content_type == 'multipart/signed' && protocol
           attachments.delete_if { |attachment| protocol == normalize_mime(attachment.content_type) }

lib/google_api/cloud_platform/client.rb

@@ -13,6 +13,10 @@ module GoogleApi
       LEAST_TOKEN_LIFE_TIME = 10.minutes
       CLUSTER_MASTER_AUTH_USERNAME = 'admin'
       CLUSTER_IPV4_CIDR_BLOCK = '/16'
+      # Don't upgrade to > 1.18 before we move away from Basic Auth
+      # See issue: https://gitlab.com/gitlab-org/gitlab/-/issues/331582
+      # Possible solution: https://gitlab.com/groups/gitlab-org/-/epics/6049
+      GKE_VERSION = '1.18'
       CLUSTER_OAUTH_SCOPES = [
         "https://www.googleapis.com/auth/devstorage.read_only",
         "https://www.googleapis.com/auth/logging.write",
@@ -90,6 +94,7 @@ module GoogleApi
           cluster: {
             name: cluster_name,
             initial_node_count: cluster_size,
+            initial_cluster_version: GKE_VERSION,
             node_config: {
               machine_type: machine_type,
               oauth_scopes: CLUSTER_OAUTH_SCOPES

spec/features/merge_request/user_creates_image_diff_notes_spec.rb

@@ -278,8 +278,9 @@ RSpec.describe 'Merge request > User creates image diff notes', :js do
   end
 
   def create_image_diff_note
-    expand_text = 'Click to expand it.'
-    page.all('a', text: expand_text, wait: false).each do |element|
+    wait_for_all_requests
+
+    page.all('a', text: 'Click to expand it.', wait: false).each do |element|
       element.click
     end
 

spec/fixtures/emails/no_content_type.eml

+Return-path: <frank@example.org>
+Envelope-to: gitlab+gitlab-instance-administrators-9a72b788-code-hello-world-php-2-issue-@qyber.black
+Delivery-date: Sun, 23 May 2021 10:28:57 +0100
+Received: from example.plus.com ([212.159.19.195] helo=nut.example.org)
+        by se.example.org with esmtpsa  (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        (Exim 4.93)
+        (envelope-from <frank@example.org>)
+        id 1lkkPp-009OFG-9z
+        for gitlab+gitlab-instance-administrators-9a72b788-code-hello-world-php-2-issue-@qyber.black; Sun, 23 May 2021 10:28:57 +0100
+Received: ***REMOVED***
+To: <gitlab+gitlab-instance-administrators-9a72b788-code-hello-world-php-2-issue-@qyber.black>
+X-Mailer: mail (GNU Mailutils 3.10)
+Message-Id: <E1lkkPn-00DuvG-Rf@set>
+From: Frank C Example <frank@example.org>
+Date: Sun, 23 May 2021 10:28:55 +0100
+Subject: Testing Service Desk E-Mail
+
+Test.

spec/lib/gitlab/email/attachment_uploader_spec.rb

@@ -46,5 +46,15 @@ RSpec.describe Gitlab::Email::AttachmentUploader do
         expect(image_link[:url]).to include('gitlab_logo.png')
       end
     end
+
+    context 'with a message with no content type' do
+      let(:message_raw) { fixture_file("emails/no_content_type.eml") }
+
+      it 'uploads all attachments except the signature' do
+        links = described_class.new(message).execute(upload_parent: project, uploader_class: FileUploader)
+
+        expect(links).to eq([])
+      end
+    end
   end
 end

spec/lib/google_api/cloud_platform/client_spec.rb

@@ -91,6 +91,7 @@ RSpec.describe GoogleApi::CloudPlatform::Client do
         cluster: {
           name: cluster_name,
           initial_node_count: cluster_size,
+          initial_cluster_version: '1.18',
           node_config: {
             machine_type: machine_type,
             oauth_scopes: [