Add latest changes from gitlab-org/gitlab@13-4-stable-ee

Gemfile

@@ -120,7 +120,7 @@ gem 'fog-local', '~> 0.6'
 gem 'fog-openstack', '~> 1.0'
 gem 'fog-rackspace', '~> 0.1.1'
 gem 'fog-aliyun', '~> 0.3'
-gem 'gitlab-fog-azure-rm', '~> 0.9', require: false
+gem 'gitlab-fog-azure-rm', '~> 1.0', require: false
 
 # for Google storage
 gem 'google-api-client', '~> 0.33'

Gemfile.lock

@@ -421,7 +421,7 @@ GEM
     github-markup (1.7.0)
     gitlab-chronic (0.10.5)
       numerizer (~> 0.2)
-    gitlab-fog-azure-rm (0.9.0)
+    gitlab-fog-azure-rm (1.0.0)
       azure-storage-blob (~> 2.0)
       azure-storage-common (~> 2.0)
       fog-core (= 2.1.0)
@@ -1325,7 +1325,7 @@ DEPENDENCIES
   gitaly (~> 13.3.0.pre.rc1)
   github-markup (~> 1.7.0)
   gitlab-chronic (~> 0.10.5)
-  gitlab-fog-azure-rm (~> 0.9)
+  gitlab-fog-azure-rm (~> 1.0)
   gitlab-labkit (= 0.12.1)
   gitlab-license (~> 1.0)
   gitlab-mail_room (~> 0.0.6)

app/controllers/concerns/enforces_two_factor_authentication.rb

@@ -11,7 +11,7 @@ module EnforcesTwoFactorAuthentication
   extend ActiveSupport::Concern
 
   included do
-    before_action :check_two_factor_requirement
+    before_action :check_two_factor_requirement, except: [:route_not_found]
 
     # to include this in controllers inheriting from `ActionController::Metal`
     # we need to add this block

app/controllers/uploads_controller.rb

@@ -19,6 +19,7 @@ class UploadsController < ApplicationController
   rescue_from UnknownUploadModelError, with: :render_404
 
   skip_before_action :authenticate_user!
+  skip_before_action :check_two_factor_requirement, only: [:show]
   before_action :upload_mount_satisfied?
   before_action :authorize_access!, only: [:show]
   before_action :authorize_create_access!, only: [:create, :authorize]

app/services/issuable/clone/attributes_rewriter.rb

@@ -56,7 +56,7 @@ module Issuable
       end
 
       def copy_resource_weight_events
-        return unless original_entity.respond_to?(:resource_weight_events)
+        return unless both_respond_to?(:resource_weight_events)
 
         copy_events(ResourceWeightEvent.table_name, original_entity.resource_weight_events) do |event|
           event.attributes

app/services/projects/container_repository/cleanup_tags_service.rb

@@ -25,7 +25,10 @@ module Projects
         tag_names = tags.map(&:name)
 
         Projects::ContainerRepository::DeleteTagsService
-          .new(container_repository.project, current_user, tags: tag_names)
+          .new(container_repository.project,
+               current_user,
+               tags: tag_names,
+               container_expiration_policy: params['container_expiration_policy'])
           .execute(container_repository)
       end
 

app/services/projects/container_repository/delete_tags_service.rb

@@ -7,7 +7,10 @@ module Projects
 
       def execute(container_repository)
         @container_repository = container_repository
-        return error('access denied') unless can?(current_user, :destroy_container_image, project)
+
+        unless params[:container_expiration_policy]
+          return error('access denied') unless can?(current_user, :destroy_container_image, project)
+        end
 
         @tag_names = params[:tags]
         return error('not tags specified') if @tag_names.blank?

app/services/projects/update_service.rb

@@ -135,8 +135,8 @@ module Projects
     end
 
     def ensure_wiki_exists
-      ProjectWiki.new(project, project.owner).wiki
-    rescue Wiki::CouldNotCreateWikiError
+      return if project.create_wiki
+
       log_error("Could not create wiki for #{project.full_name}")
       Gitlab::Metrics.counter(:wiki_can_not_be_created_total, 'Counts the times we failed to create a wiki').increment
     end

changelogs/unreleased/42910-use-create-wiki-method-on-ensure-wiki-exists-in-update-service.yml

+---
+title: use create_wiki method on ensure_wiki_exists in update_service
+merge_request: 42910
+author:
+type: fixed

changelogs/unreleased/cat-2fa-404-redirect.yml

+---
+title: Exclude 2FA from upload#show routes and 404s
+merge_request: 42784
+author:
+type: fixed

changelogs/unreleased/sh-update-fog-azure-rm-gem.yml

+---
+title: Fix large backups not working with Azure Blob storage
+merge_request: 44233
+author:
+type: fixed

doc/user/clusters/agent/index.md

@@ -69,7 +69,8 @@ If you don't already have GitLab installed via Helm please refer to our [install
 When installing/upgrading the GitLab Helm chart please consider the following Helm 2 example (if using Helm 3 please modify):
 
 ```shell
-helm upgrade --force --install gitlab . \
+helm repo update
+helm upgrade --force --install gitlab gitlab/gitlab \
   --timeout 600 \
   --set global.hosts.domain=<YOUR_DOMAIN> \
   --set global.hosts.externalIP=<YOUR_IP> \
@@ -299,6 +300,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: nginx-deployment
+  namespace: gitlab-agent  # Can be any namespace managed by you that the agent has access to.
 spec:
   selector:
     matchLabels:

spec/services/projects/container_repository/cleanup_tags_service_spec.rb

@@ -245,7 +245,7 @@ RSpec.describe Projects::ContainerRepository::CleanupTagsService do
         end
 
         it 'succeeds without a user' do
-          expect_delete(%w(Bb Ba C))
+          expect_delete(%w(Bb Ba C), container_expiration_policy: true)
 
           is_expected.to include(status: :success, deleted: %w(Bb Ba C))
         end
@@ -287,10 +287,10 @@ RSpec.describe Projects::ContainerRepository::CleanupTagsService do
     end
   end
 
-  def expect_delete(tags)
+  def expect_delete(tags, container_expiration_policy: nil)
     expect(Projects::ContainerRepository::DeleteTagsService)
       .to receive(:new)
-      .with(repository.project, user, tags: tags)
+      .with(repository.project, user, tags: tags, container_expiration_policy: container_expiration_policy)
       .and_call_original
 
     expect_any_instance_of(Projects::ContainerRepository::DeleteTagsService)

spec/services/projects/container_repository/delete_tags_service_spec.rb

@@ -85,81 +85,85 @@ RSpec.describe Projects::ContainerRepository::DeleteTagsService do
     end
   end
 
-  describe '#execute' do
-    let(:tags) { %w[A Ba] }
-
-    subject { service.execute(repository) }
-
-    before do
-      stub_feature_flags(container_registry_expiration_policies_throttling: false)
-    end
+  RSpec.shared_examples 'supporting fast delete' do
+    context 'when the registry supports fast delete' do
+      context 'and the feature is enabled' do
+        before do
+          allow(repository.client).to receive(:supports_tag_delete?).and_return(true)
+        end
 
-    context 'without permissions' do
-      it { is_expected.to include(status: :error) }
-    end
+        it_behaves_like 'calling the correct delete tags service', ::Projects::ContainerRepository::Gitlab::DeleteTagsService
 
-    context 'with permissions' do
-      before do
-        project.add_developer(user)
-      end
+        it_behaves_like 'handling invalid params'
 
-      context 'when the registry supports fast delete' do
-        context 'and the feature is enabled' do
+        context 'with the real service' do
           before do
-            allow(repository.client).to receive(:supports_tag_delete?).and_return(true)
+            stub_delete_reference_requests(tags)
+            expect_delete_tag_by_names(tags)
           end
 
-          it_behaves_like 'calling the correct delete tags service', ::Projects::ContainerRepository::Gitlab::DeleteTagsService
+          it { is_expected.to include(status: :success) }
 
-          it_behaves_like 'handling invalid params'
+          it_behaves_like 'logging a success response'
+        end
 
-          context 'with the real service' do
-            before do
-              stub_delete_reference_requests(tags)
-              expect_delete_tag_by_names(tags)
+        context 'with a timeout error' do
+          before do
+            expect_next_instance_of(::Projects::ContainerRepository::Gitlab::DeleteTagsService) do |delete_service|
+              expect(delete_service).to receive(:delete_tags).and_raise(::Projects::ContainerRepository::Gitlab::DeleteTagsService::TimeoutError)
             end
-
-            it { is_expected.to include(status: :success) }
-
-            it_behaves_like 'logging a success response'
           end
 
-          context 'with a timeout error' do
-            before do
-              expect_next_instance_of(::Projects::ContainerRepository::Gitlab::DeleteTagsService) do |delete_service|
-                expect(delete_service).to receive(:delete_tags).and_raise(::Projects::ContainerRepository::Gitlab::DeleteTagsService::TimeoutError)
-              end
-            end
+          it { is_expected.to include(status: :error, message: 'timeout while deleting tags') }
 
-            it { is_expected.to include(status: :error, message: 'timeout while deleting tags') }
+          it_behaves_like 'logging an error response', message: 'timeout while deleting tags'
+        end
+      end
 
-            it_behaves_like 'logging an error response', message: 'timeout while deleting tags'
-          end
+      context 'and the feature is disabled' do
+        before do
+          stub_feature_flags(container_registry_fast_tag_delete: false)
         end
 
-        context 'and the feature is disabled' do
+        it_behaves_like 'calling the correct delete tags service', ::Projects::ContainerRepository::ThirdParty::DeleteTagsService
+
+        it_behaves_like 'handling invalid params'
+
+        context 'with the real service' do
           before do
-            stub_feature_flags(container_registry_fast_tag_delete: false)
+            stub_upload('sha256:4435000728ee66e6a80e55637fc22725c256b61de344a2ecdeaac6bdb36e8bc3')
+            tags.each { |tag| stub_put_manifest_request(tag) }
+            expect_delete_tag_by_digest('sha256:dummy')
           end
 
-          it_behaves_like 'calling the correct delete tags service', ::Projects::ContainerRepository::ThirdParty::DeleteTagsService
+          it { is_expected.to include(status: :success) }
 
-          it_behaves_like 'handling invalid params'
+          it_behaves_like 'logging a success response'
+        end
+      end
+    end
+  end
 
-          context 'with the real service' do
-            before do
-              stub_upload('sha256:4435000728ee66e6a80e55637fc22725c256b61de344a2ecdeaac6bdb36e8bc3')
-              tags.each { |tag| stub_put_manifest_request(tag) }
-              expect_delete_tag_by_digest('sha256:dummy')
-            end
+  describe '#execute' do
+    let(:tags) { %w[A Ba] }
 
-            it { is_expected.to include(status: :success) }
+    subject { service.execute(repository) }
 
-            it_behaves_like 'logging a success response'
-          end
-        end
+    before do
+      stub_feature_flags(container_registry_expiration_policies_throttling: false)
+    end
+
+    context 'without permissions' do
+      it { is_expected.to include(status: :error) }
+    end
+
+    context 'with permissions' do
+      before do
+        project.add_developer(user)
       end
 
+      it_behaves_like 'supporting fast delete'
+
       context 'when the registry does not support fast delete' do
         before do
           allow(repository.client).to receive(:supports_tag_delete?).and_return(false)
@@ -170,5 +174,19 @@ RSpec.describe Projects::ContainerRepository::DeleteTagsService do
         it_behaves_like 'handling invalid params'
       end
     end
+
+    context 'without user' do
+      let_it_be(:user) { nil }
+
+      context 'when not run by a cleanup policy' do
+        it { is_expected.to include(status: :error) }
+      end
+
+      context 'when run by a cleanup policy' do
+        let(:params) { { tags: tags, container_expiration_policy: true } }
+
+        it_behaves_like 'supporting fast delete'
+      end
+    end
   end
 end