Add latest changes from gitlab-org/gitlab@master

app/assets/javascripts/diffs/components/diff_file.vue

@@ -205,6 +205,8 @@ export default {
 
     if (this.hasDiff) {
       this.postRender();
+    } else if (this.viewDiffsFileByFile && !this.isCollapsed) {
+      this.requestDiff();
     }
 
     this.manageViewedEffects();

app/models/instance_configuration.rb

@@ -13,7 +13,8 @@ class InstanceConfiguration
       { ssh_algorithms_hashes: ssh_algorithms_hashes,
         host: host,
         gitlab_pages: gitlab_pages,
-        gitlab_ci: gitlab_ci }.deep_symbolize_keys
+        gitlab_ci: gitlab_ci,
+        rate_limits: rate_limits }.deep_symbolize_keys
     end
   end
 
@@ -43,6 +44,50 @@ class InstanceConfiguration
                                          default: 100.megabytes })
   end
 
+  def rate_limits
+    {
+      unauthenticated: {
+        enabled: application_settings[:throttle_unauthenticated_enabled],
+        requests_per_period: application_settings[:throttle_unauthenticated_requests_per_period],
+        period_in_seconds: application_settings[:throttle_unauthenticated_period_in_seconds]
+      },
+      authenticated_api: {
+        enabled: application_settings[:throttle_authenticated_api_enabled],
+        requests_per_period: application_settings[:throttle_authenticated_api_requests_per_period],
+        period_in_seconds: application_settings[:throttle_authenticated_api_period_in_seconds]
+      },
+      authenticated_web: {
+        enabled: application_settings[:throttle_authenticated_web_enabled],
+        requests_per_period: application_settings[:throttle_authenticated_web_requests_per_period],
+        period_in_seconds: application_settings[:throttle_authenticated_web_period_in_seconds]
+      },
+      protected_paths: {
+        enabled: application_settings[:throttle_protected_paths_enabled],
+        requests_per_period: application_settings[:throttle_protected_paths_requests_per_period],
+        period_in_seconds: application_settings[:throttle_protected_paths_period_in_seconds]
+      },
+      unauthenticated_packages_api: {
+        enabled: application_settings[:throttle_unauthenticated_packages_api_enabled],
+        requests_per_period: application_settings[:throttle_unauthenticated_packages_api_requests_per_period],
+        period_in_seconds: application_settings[:throttle_unauthenticated_packages_api_period_in_seconds]
+      },
+      authenticated_packages_api: {
+        enabled: application_settings[:throttle_authenticated_packages_api_enabled],
+        requests_per_period: application_settings[:throttle_authenticated_packages_api_requests_per_period],
+        period_in_seconds: application_settings[:throttle_authenticated_packages_api_period_in_seconds]
+      },
+      issue_creation: application_setting_limit_per_minute(:issues_create_limit),
+      note_creation: application_setting_limit_per_minute(:notes_create_limit),
+      project_export: application_setting_limit_per_minute(:project_export_limit),
+      project_export_download: application_setting_limit_per_minute(:project_download_export_limit),
+      project_import: application_setting_limit_per_minute(:project_import_limit),
+      group_export: application_setting_limit_per_minute(:group_export_limit),
+      group_export_download: application_setting_limit_per_minute(:group_download_export_limit),
+      group_import: application_setting_limit_per_minute(:group_import_limit),
+      raw_blob: application_setting_limit_per_minute(:raw_blob_request_limit)
+    }
+  end
+
   def ssh_algorithm_file(algorithm)
     File.join(SSH_ALGORITHMS_PATH, "ssh_host_#{algorithm.downcase}_key.pub")
   end
@@ -70,4 +115,16 @@ class InstanceConfiguration
   def ssh_algorithm_sha256(ssh_file_content)
     Gitlab::SSHPublicKey.new(ssh_file_content).fingerprint('SHA256')
   end
+
+  def application_settings
+    Gitlab::CurrentSettings.current_application_settings
+  end
+
+  def application_setting_limit_per_minute(setting)
+    {
+      enabled: application_settings[setting] > 0,
+      requests_per_period: application_settings[setting],
+      period_in_seconds: 1.minute
+    }
+  end
 end

app/views/help/instance_configuration.html.haml

@@ -8,6 +8,7 @@
   = render 'help/instance_configuration/ssh_info'
   = render 'help/instance_configuration/gitlab_pages'
   = render 'help/instance_configuration/gitlab_ci'
+  = render 'help/instance_configuration/rate_limits'
   %p
     %strong= _("Table of contents")
 

app/views/help/instance_configuration/_rate_limit_row.html.haml

@@ -0,0 +1,7 @@
+- public_visible = local_assigns.fetch(:public_visible, false)
+
+- if rate_limit && (public_visible || user_signed_in?)
+  %tr
+    %td= title
+    %td= instance_configuration_cell_html(rate_limit[:enabled] ? rate_limit[:requests_per_period] : nil)
+    %td= instance_configuration_cell_html(rate_limit[:enabled] ? rate_limit[:period_in_seconds] : nil)

app/views/help/instance_configuration/_rate_limits.html.haml

@@ -0,0 +1,36 @@
+- rate_limits = @instance_configuration.settings[:rate_limits]
+- content_for :table_content do
+  - if rate_limits
+    %li= link_to _('Rate Limits'), '#rate-limits'
+
+- content_for :settings_content do
+  - if rate_limits
+    %h2#rate-limits
+      = _('Rate Limits')
+
+    %p
+      = _('There are several rate limits in place to protect the system.')
+    .table-responsive
+      %table
+        %thead
+          %tr
+            %th= _('Rate limit')
+            %th= _('Requests per period')
+            %th= _('Period in seconds')
+        %tbody
+          = render 'help/instance_configuration/rate_limit_row', title: _('Unauthenticated requests'), rate_limit: rate_limits[:unauthenticated], public_visible: true
+          = render 'help/instance_configuration/rate_limit_row', title: _('Authenticated API requests'), rate_limit: rate_limits[:authenticated_api]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Authenticated web requests'), rate_limit: rate_limits[:authenticated_web]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Protected Paths: requests'), rate_limit: rate_limits[:protected_paths]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Package Registry: unauthenticated API requests'), rate_limit: rate_limits[:unauthenticated_packages_api], public_visible: true
+          = render 'help/instance_configuration/rate_limit_row', title: _('Package Registry: authenticated API requests'), rate_limit: rate_limits[:authenticated_packages_api]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Issue creation requests'), rate_limit: rate_limits[:issue_creation]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Note creation requests'), rate_limit: rate_limits[:note_creation]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Project export requests'), rate_limit: rate_limits[:project_export]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Project export download requests'), rate_limit: rate_limits[:project_export_download]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Project import requests'), rate_limit: rate_limits[:project_import]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Group export requests'), rate_limit: rate_limits[:group_export]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Group export download requests'), rate_limit: rate_limits[:group_export_download]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Group import requests'), rate_limit: rate_limits[:group_import]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Raw blob requests'), rate_limit: rate_limits[:raw_blob]
+    %br

app/workers/all_queues.yml

@@ -288,7 +288,7 @@
   :feature_category: :service_ping
   :has_external_dependencies:
   :urgency: :low
-  :resource_boundary: :unknown
+  :resource_boundary: :cpu
   :weight: 1
   :idempotent:
   :tags: []
@@ -2383,7 +2383,7 @@
   :feature_category: :product_analytics
   :has_external_dependencies:
   :urgency: :low
-  :resource_boundary: :unknown
+  :resource_boundary: :cpu
   :weight: 1
   :idempotent: true
   :tags:

app/workers/gitlab_service_ping_worker.rb

@@ -11,6 +11,7 @@ class GitlabServicePingWorker # rubocop:disable Scalability/IdempotentWorker
   include Gitlab::ExclusiveLeaseHelpers
 
   feature_category :service_ping
+  worker_resource_boundary :cpu
   sidekiq_options retry: 3, dead: false
   sidekiq_retry_in { |count| (count + 1) * 8.hours.to_i }
 

app/workers/namespaces/onboarding_progress_worker.rb

@@ -9,6 +9,7 @@ module Namespaces
     sidekiq_options retry: 3
 
     feature_category :product_analytics
+    worker_resource_boundary :cpu
     tags :exclude_from_kubernetes
     urgency :low
 

doc/user/admin_area/settings/help_page.md

@@ -8,7 +8,7 @@ type: howto
 # Customize the Help and sign-in page messages
 
 In large organizations, it is useful to have information about who to contact or where
-to go for help. You can customize and display this information on the GitLab  `/help` page and on
+to go for help. You can customize and display this information on the GitLab `/help` page and on
 the GitLab sign-in page.
 
 ## Add a help message to the Help page
@@ -58,6 +58,45 @@ You can specify a custom URL to which users are directed when they:
 1. Enter the URL in the **Support page URL** field.
 1. Select **Save changes**.
 
+## Redirect GitLab documentation links
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/43157) in GitLab 13.5.
+> - [Deployed behind a feature flag](../../feature_flags.md), disabled by default.
+> - Enabled on GitLab.com.
+> - Ready for production use.
+> - To use in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-gitlab-documentation-link-redirects). **(FREE SELF)**
+
+This in-development feature might not be available for your use. There can be
+[risks when enabling features still in development](../../feature_flags.md#risks-when-enabling-features-still-in-development).
+Refer to this feature's version history for more details.
+
+Documentation links go to the `/help` section on the instance by default, but you can
+redirect these links to an external documentation site like `https://docs.gitlab.com`:
+
+1. On the top bar, select **Menu >** **{admin}** **Admin**.
+1. In the left sidebar, select **Settings > Preferences**, then expand **Help page**.
+1. Enter the URL in the **Documentation pages URL** field.
+1. Select **Save changes**.
+
+### Enable or disable GitLab documentation link redirects **(FREE SELF)**
+
+The GitLab documentation link redirects feature is under development and not ready
+for production use. It is deployed behind a feature flag that is **disabled by default**.
+[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md)
+can enable it.
+
+To enable it:
+
+```ruby
+Feature.enable(:help_page_documentation_redirect)
+```
+
+To disable it:
+
+```ruby
+Feature.disable(:help_page_documentation_redirect)
+```
+
 <!-- ## Troubleshooting
 
 Include any troubleshooting steps that you can foresee. If you know beforehand what issues

lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml

@@ -26,3 +26,8 @@ deploy:
   extends: .deploy
   dependencies:
     - build
+
+cleanup:
+  extends: .destroy
+  dependencies:
+    - deploy

locale/gitlab.pot

@@ -4689,12 +4689,18 @@ msgstr ""
 msgid "Authenticated API request rate limit"
 msgstr ""
 
+msgid "Authenticated API requests"
+msgstr ""
+
 msgid "Authenticated web rate limit period in seconds"
 msgstr ""
 
 msgid "Authenticated web request rate limit"
 msgstr ""
 
+msgid "Authenticated web requests"
+msgstr ""
+
 msgid "Authenticating"
 msgstr ""
 
@@ -15500,12 +15506,18 @@ msgstr ""
 msgid "Group export could not be started."
 msgstr ""
 
+msgid "Group export download requests"
+msgstr ""
+
 msgid "Group export error"
 msgstr ""
 
 msgid "Group export link has expired. Please generate a new export from your group settings."
 msgstr ""
 
+msgid "Group export requests"
+msgstr ""
+
 msgid "Group export started. A download link will be sent by email and made available on this page."
 msgstr ""
 
@@ -15518,6 +15530,9 @@ msgstr ""
 msgid "Group import could not be scheduled"
 msgstr ""
 
+msgid "Group import requests"
+msgstr ""
+
 msgid "Group info:"
 msgstr ""
 
@@ -18209,6 +18224,9 @@ msgstr ""
 msgid "Issue created from vulnerability %{vulnerability_link}"
 msgstr ""
 
+msgid "Issue creation requests"
+msgstr ""
+
 msgid "Issue details"
 msgstr ""
 
@@ -22511,6 +22529,9 @@ msgstr ""
 msgid "Note"
 msgstr ""
 
+msgid "Note creation requests"
+msgstr ""
+
 msgid "Note parameters are invalid: %{errors}"
 msgstr ""
 
@@ -23307,6 +23328,12 @@ msgstr ""
 msgid "Package Registry Rate Limits"
 msgstr ""
 
+msgid "Package Registry: authenticated API requests"
+msgstr ""
+
+msgid "Package Registry: unauthenticated API requests"
+msgstr ""
+
 msgid "Package already exists"
 msgstr ""
 
@@ -23940,6 +23967,9 @@ msgstr ""
 msgid "PerformanceBar|Trace"
 msgstr ""
 
+msgid "Period in seconds"
+msgstr ""
+
 msgid "Permanently delete project"
 msgstr ""
 
@@ -25518,6 +25548,9 @@ msgstr ""
 msgid "Project export could not be deleted."
 msgstr ""
 
+msgid "Project export download requests"
+msgstr ""
+
 msgid "Project export enabled"
 msgstr ""
 
@@ -25527,12 +25560,18 @@ msgstr ""
 msgid "Project export link has expired. Please generate a new export from your project settings."
 msgstr ""
 
+msgid "Project export requests"
+msgstr ""
+
 msgid "Project export started. A download link will be sent by email and made available on this page."
 msgstr ""
 
 msgid "Project has too many %{label_for_message} to search"
 msgstr ""
 
+msgid "Project import requests"
+msgstr ""
+
 msgid "Project info:"
 msgstr ""
 
@@ -26625,6 +26664,9 @@ msgstr ""
 msgid "Protected Paths"
 msgstr ""
 
+msgid "Protected Paths: requests"
+msgstr ""
+
 msgid "Protected Tag"
 msgstr ""
 
@@ -27003,9 +27045,18 @@ msgstr ""
 msgid "Random"
 msgstr ""
 
+msgid "Rate Limits"
+msgstr ""
+
+msgid "Rate limit"
+msgstr ""
+
 msgid "Raw blob request rate limit per minute"
 msgstr ""
 
+msgid "Raw blob requests"
+msgstr ""
+
 msgid "Re-authentication period expired or never requested. Please try again"
 msgstr ""
 
@@ -27921,6 +27972,9 @@ msgstr ""
 msgid "Requests Profiles"
 msgstr ""
 
+msgid "Requests per period"
+msgstr ""
+
 msgid "Requests to these domain(s)/address(es) on the local network will be allowed when local requests from hooks and services are not allowed. IP ranges such as 1:0:0:0:0:0:0:0/124 or 127.0.0.0/28 are supported. Domain wildcards are not supported currently. Use comma, semicolon, or newline to separate multiple entries. The allowlist can hold a maximum of 1000 entries. Domains should use IDNA encoding. Ex: example.com, 192.168.1.1, 127.0.0.0/28, xn--itlab-j1a.com."
 msgstr ""
 
@@ -33199,6 +33253,9 @@ msgstr ""
 msgid "There are running deployments on the environment. Please retry later."
 msgstr ""
 
+msgid "There are several rate limits in place to protect the system."
+msgstr ""
+
 msgid "There is a halted Elasticsearch migration"
 msgstr ""
 
@@ -35155,6 +35212,9 @@ msgstr ""
 msgid "Unauthenticated request rate limit"
 msgstr ""
 
+msgid "Unauthenticated requests"
+msgstr ""
+
 msgid "Undo"
 msgstr ""
 

qa/qa/specs/features/browser_ui/4_verify/pipeline/mr_event_rule_pipeline_spec.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'faker'
+
+module QA
+  RSpec.describe 'Verify', :runner do
+    context 'When job is configured to only run on merge_request_events' do
+      let(:mr_only_job_name) { 'mr_only_job' }
+      let(:non_mr_only_job_name) { 'non_mr_only_job' }
+      let(:executor) { "qa-runner-#{Faker::Alphanumeric.alphanumeric(8)}" }
+
+      let(:project) do
+        Resource::Project.fabricate_via_api! do |project|
+          project.name = 'merge-request-only-job'
+        end
+      end
+
+      let!(:runner) do
+        Resource::Runner.fabricate! do |runner|
+          runner.project = project
+          runner.name = executor
+          runner.tags = [executor]
+        end
+      end
+
+      let!(:ci_file) do
+        Resource::Repository::Commit.fabricate_via_api! do |commit|
+          commit.project = project
+          commit.commit_message = 'Add .gitlab-ci.yml'
+          commit.add_files(
+            [
+              {
+                file_path: '.gitlab-ci.yml',
+                content: <<~YAML
+                  #{mr_only_job_name}:
+                    script: echo 'OK'
+                    rules:
+                      - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
+                  #{non_mr_only_job_name}:
+                    script: echo 'OK'
+                    rules:
+                      - if: '$CI_PIPELINE_SOURCE != "merge_request_event"'
+                YAML
+              }
+            ]
+          )
+        end
+      end
+
+      let(:merge_request) do
+        Resource::MergeRequest.fabricate_via_api! do |merge_request|
+          merge_request.project = project
+          merge_request.description = Faker::Lorem.sentence
+          merge_request.target_new_branch = false
+          merge_request.file_name = 'new.txt'
+          merge_request.file_content = Faker::Lorem.sentence
+        end
+      end
+
+      before do
+        Flow::Login.sign_in
+        merge_request.visit!
+        Page::MergeRequest::Show.perform(&:click_pipeline_link)
+      end
+
+      after do
+        runner.remove_via_api!
+        project.remove_via_api!
+      end
+
+      it 'only runs the job configured to run on merge requests', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/170' do
+        Page::Project::Pipeline::Show.perform do |pipeline|
+          aggregate_failures do
+            expect(pipeline).to have_job(mr_only_job_name)
+            expect(pipeline).to have_no_job(non_mr_only_job_name)
+          end
+        end
+      end
+    end
+  end
+end

spec/frontend/diffs/components/diff_file_spec.js

@@ -521,4 +521,24 @@ describe('DiffFile', () => {
       expect(button.attributes('href')).toBe('/file/view/path');
     });
   });
+
+  it('loads collapsed file on mounted when single file mode is enabled', async () => {
+    wrapper.destroy();
+
+    const file = {
+      ...getReadableFile(),
+      load_collapsed_diff_url: '/diff_for_path',
+      highlighted_diff_lines: [],
+      parallel_diff_lines: [],
+      viewer: { name: 'collapsed', automaticallyCollapsed: true },
+    };
+
+    axiosMock.onGet(file.load_collapsed_diff_url).reply(httpStatus.OK, getReadableFile());
+
+    ({ wrapper, store } = createComponent({ file, props: { viewDiffsFileByFile: true } }));
+
+    await wrapper.vm.$nextTick();
+
+    expect(findLoader(wrapper).exists()).toBe(true);
+  });
 });

spec/models/instance_configuration_spec.rb

@@ -96,6 +96,60 @@ RSpec.describe InstanceConfiguration do
           expect(gitlab_ci[:artifacts_max_size][:value]).to eq(200.megabytes)
         end
       end
+
+      describe '#rate_limits' do
+        before do
+          Gitlab::CurrentSettings.current_application_settings.update!(
+            throttle_unauthenticated_enabled: false,
+            throttle_unauthenticated_requests_per_period: 1001,
+            throttle_unauthenticated_period_in_seconds: 1002,
+            throttle_authenticated_api_enabled: true,
+            throttle_authenticated_api_requests_per_period: 1003,
+            throttle_authenticated_api_period_in_seconds: 1004,
+            throttle_authenticated_web_enabled: true,
+            throttle_authenticated_web_requests_per_period: 1005,
+            throttle_authenticated_web_period_in_seconds: 1006,
+            throttle_protected_paths_enabled: true,
+            throttle_protected_paths_requests_per_period: 1007,
+            throttle_protected_paths_period_in_seconds: 1008,
+            throttle_unauthenticated_packages_api_enabled: false,
+            throttle_unauthenticated_packages_api_requests_per_period: 1009,
+            throttle_unauthenticated_packages_api_period_in_seconds: 1010,
+            throttle_authenticated_packages_api_enabled: true,
+            throttle_authenticated_packages_api_requests_per_period: 1011,
+            throttle_authenticated_packages_api_period_in_seconds: 1012,
+            issues_create_limit: 1013,
+            notes_create_limit: 1014,
+            project_export_limit: 1015,
+            project_download_export_limit: 1016,
+            project_import_limit: 1017,
+            group_export_limit: 1018,
+            group_download_export_limit: 1019,
+            group_import_limit: 1020,
+            raw_blob_request_limit: 1021
+          )
+        end
+
+        it 'returns rate limits from application settings' do
+          rate_limits = subject.settings[:rate_limits]
+
+          expect(rate_limits[:unauthenticated]).to eq({ enabled: false, requests_per_period: 1001, period_in_seconds: 1002 })
+          expect(rate_limits[:authenticated_api]).to eq({ enabled: true, requests_per_period: 1003, period_in_seconds: 1004 })
+          expect(rate_limits[:authenticated_web]).to eq({ enabled: true, requests_per_period: 1005, period_in_seconds: 1006 })
+          expect(rate_limits[:protected_paths]).to eq({ enabled: true, requests_per_period: 1007, period_in_seconds: 1008 })
+          expect(rate_limits[:unauthenticated_packages_api]).to eq({ enabled: false, requests_per_period: 1009, period_in_seconds: 1010 })
+          expect(rate_limits[:authenticated_packages_api]).to eq({ enabled: true, requests_per_period: 1011, period_in_seconds: 1012 })
+          expect(rate_limits[:issue_creation]).to eq({ enabled: true, requests_per_period: 1013, period_in_seconds: 60 })
+          expect(rate_limits[:note_creation]).to eq({ enabled: true, requests_per_period: 1014, period_in_seconds: 60 })
+          expect(rate_limits[:project_export]).to eq({ enabled: true, requests_per_period: 1015, period_in_seconds: 60 })
+          expect(rate_limits[:project_export_download]).to eq({ enabled: true, requests_per_period: 1016, period_in_seconds: 60 })
+          expect(rate_limits[:project_import]).to eq({ enabled: true, requests_per_period: 1017, period_in_seconds: 60 })
+          expect(rate_limits[:group_export]).to eq({ enabled: true, requests_per_period: 1018, period_in_seconds: 60 })
+          expect(rate_limits[:group_export_download]).to eq({ enabled: true, requests_per_period: 1019, period_in_seconds: 60 })
+          expect(rate_limits[:group_import]).to eq({ enabled: true, requests_per_period: 1020, period_in_seconds: 60 })
+          expect(rate_limits[:raw_blob]).to eq({ enabled: true, requests_per_period: 1021, period_in_seconds: 60 })
+        end
+      end
     end
   end