Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/gitlab/namespaced_class.yml

@@ -428,7 +428,6 @@ Gitlab/NamespacedClass:
     - 'app/presenters/group_clusterable_presenter.rb'
     - 'app/presenters/group_member_presenter.rb'
     - 'app/presenters/instance_clusterable_presenter.rb'
-    - 'app/presenters/invitation_presenter.rb'
     - 'app/presenters/issue_presenter.rb'
     - 'app/presenters/label_presenter.rb'
     - 'app/presenters/member_presenter.rb'

Gemfile

@@ -537,7 +537,7 @@ gem 'valid_email', '~> 0.1'
 # JSON
 gem 'json', '~> 2.5.1'
 gem 'json_schemer', '~> 0.2.18'
-gem 'oj', '~> 3.10.6'
+gem 'oj', '~> 3.13.16'
 gem 'multi_json', '~> 1.14.1'
 gem 'yajl-ruby', '~> 1.4.1', require: 'yajl'
 

Gemfile.lock

@@ -861,7 +861,7 @@ GEM
       plist (~> 3.1)
       train-core
       wmi-lite (~> 1.0)
-    oj (3.10.6)
+    oj (3.13.16)
     omniauth (1.9.1)
       hashie (>= 3.4.6)
       rack (>= 1.6.2, < 3)
@@ -1633,7 +1633,7 @@ DEPENDENCIES
   oauth2 (~> 2.0)
   octokit (~> 4.15)
   ohai (~> 16.10)
-  oj (~> 3.10.6)
+  oj (~> 3.13.16)
   omniauth (~> 1.8)
   omniauth-alicloud (~> 1.0.1)
   omniauth-atlassian-oauth2 (~> 0.2.0)

app/assets/javascripts/admin/users/components/user_actions.vue

@@ -94,13 +94,13 @@ export default {
     :data-testid="`user-actions-${user.id}`"
   >
     <div v-if="hasEditAction" class="gl-p-2">
-      <gl-button v-if="showButtonLabels" v-bind="editButtonAttrs">{{
+      <gl-button v-if="showButtonLabels" v-bind="editButtonAttrs" icon="pencil-square">{{
         $options.i18n.edit
       }}</gl-button>
       <gl-button
         v-else
         v-gl-tooltip="$options.i18n.edit"
-        icon="pencil"
+        icon="pencil-square"
         v-bind="editButtonAttrs"
         :aria-label="$options.i18n.edit"
       />
@@ -108,18 +108,12 @@ export default {
 
     <div v-if="hasDropdownActions" class="gl-p-2">
       <gl-dropdown
-        v-gl-tooltip="$options.i18n.userAdministration"
+        :text="$options.i18n.userAdministration"
         data-testid="dropdown-toggle"
-        icon="ellipsis_v"
         data-qa-selector="user_actions_dropdown_toggle"
         :data-qa-username="user.username"
-        no-caret
-        right
+        left
       >
-        <gl-dropdown-section-header>{{
-          $options.i18n.userAdministration
-        }}</gl-dropdown-section-header>
-
         <template v-for="action in dropdownSafeActions">
           <component
             :is="getActionComponent(action)"

app/presenters/invitation_presenter.rb

@@ -1,5 +0,0 @@
-# frozen_string_literal: true
-
-class InvitationPresenter < Gitlab::View::Presenter::Delegated
-  presents nil, as: :invitation
-end

app/views/admin/identities/index.html.haml

@@ -3,7 +3,6 @@
 - page_title _("Identities"), @user.name, _("Users")
 = render 'admin/users/head'
 
-= link_to _('New identity'), new_admin_user_identity_path, class: 'float-right gl-button btn-confirm'
 - if @identities.present?
   .table-holder
     %table.table

app/views/admin/users/_head.html.haml

@@ -27,15 +27,18 @@
       = render_if_exists 'admin/users/gma_user_badge'
 
   .gl-my-3.gl-display-flex.gl-flex-wrap.gl-my-n2.gl-mx-n2
-    - if @user != current_user
-      .gl-p-2
-        - if impersonation_enabled? && @user.can?(:log_in)
-          = link_to _('Impersonate'), impersonate_admin_user_path(@user), method: :post, class: "btn btn-default gl-button", data: { qa_selector: 'impersonate_user_link' }
-        - if can_force_email_confirmation?(@user)
-          = render Pajamas::ButtonComponent.new(variant: :confirm, button_options: { class: 'js-confirm-modal-button', data: confirm_user_data(@user) }) do
-            = _('Confirm user')
     .gl-p-2
       #js-admin-user-actions{ data: admin_user_actions_data_attributes(@user) }
+    - if @user != current_user
+      - if impersonation_enabled? && @user.can?(:log_in)
+        .gl-p-2
+          = link_to _('Impersonate'), impersonate_admin_user_path(@user), method: :post, class: "btn btn-default gl-button", data: { qa_selector: 'impersonate_user_link' }
+      - if can_force_email_confirmation?(@user)
+        .gl-p-2
+          = render Pajamas::ButtonComponent.new(variant: :default, button_options: { class: 'js-confirm-modal-button', data: confirm_user_data(@user) }) do
+            = _('Confirm user')
+    .gl-p-2
+      = link_to _('New identity'), new_admin_user_identity_path(@user), class: "btn btn-primary gl-button"
 = gl_tabs_nav do
   = gl_tab_link_to _("Account"), admin_user_path(@user)
   = gl_tab_link_to _("Groups and projects"), projects_admin_user_path(@user)

db/post_migrate/20220706115138_create_async_index_on_security_findings.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class CreateAsyncIndexOnSecurityFindings < Gitlab::Database::Migration[2.0]
+  INDEX_NAME = 'index_on_security_findings_uuid_and_id_order_desc'
+
+  def up
+    prepare_async_index(
+      :security_findings,
+      %i[uuid id],
+      order: { id: :desc },
+      name: INDEX_NAME
+    )
+  end
+
+  def down
+    unprepare_async_index(
+      :security_findings,
+      %i[uuid id],
+      name: INDEX_NAME
+    )
+  end
+end

db/schema_migrations/20220706115138

@@ -0,0 +1 @@
+c0c4a18cb711e0288bf1d385e06151e0e329dc40d4e9cd51e6437fe73d6bfc21

doc/administration/gitaly/index.md

@@ -523,6 +523,48 @@ For more information on configuring Gitaly Cluster, see [Configure Gitaly Cluste
 To upgrade a Gitaly Cluster, follow the documentation for
 [zero downtime upgrades](../../update/zero_downtime.md#gitaly-or-gitaly-cluster).
 
+### Downgrade Gitaly Cluster to a previous version
+
+If you need to roll back a Gitaly Cluster to an earlier version, some Praefect database migrations may need to be reverted. In a cluster with:
+
+- A single Praefect node, this happens when GitLab itself is downgraded.
+- Multiple Praefect nodes, additional steps are required.
+
+To downgrade a Gitaly Cluster with multiple Praefect nodes:
+
+1. Stop the Praefect service on all Praefect nodes:
+
+   ```shell
+   gitlab-ctl stop praefect
+   ```
+
+1. Downgrade the GitLab package to the older version on one of the Praefect nodes.
+1. On the downgraded node, check the state of Praefect migrations:
+
+   ```shell
+   /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml sql-migrate-status
+   ```
+
+1. Count the number of migrations with `unknown migration` in the `APPLIED` column.
+1. On a Praefect node that has **not** been downgraded, perform a dry run of the rollback to validate which migrations to revert. `<CT_UNKNOWN>`
+   is the number of unknown migrations reported by the downgraded node.
+
+   ```shell
+   /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml sql-migrate <CT_UNKNOWN>
+   ```
+
+1. If the results look correct, run the same command with the `-f` option to revert the migrations:
+
+   ```shell
+   /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml sql-migrate -f <CT_UNKNOWN>
+   ```
+
+1. Downgrade the GitLab package on the remaining Praefect nodes and start the Praefect service again:
+
+   ```shell
+   gitlab-ctl start praefect
+   ```
+
 ## Migrate to Gitaly Cluster
 
 WARNING:

doc/development/documentation/site_architecture/folder_structure.md

@@ -85,6 +85,15 @@ place for it.
 Do not include the same information in multiple places.
 [Link to a single source of truth instead.](../styleguide/index.md#link-instead-of-repeating-text)
 
+For example, if you have code in a repository other than the [primary repositories](index.md#architecture),
+and documentation in the same repository, you can keep the documentation in that repository.
+
+Then you can either:
+
+- Publish it to <https://docs.gitlab.com>. 
+- Link to it from <https://docs.gitlab.com> by adding an entry in the global navigation.
+  View [an example](https://gitlab.com/gitlab-org/gitlab-docs/-/blob/fedb6378a3c92274ba3b6031df0d34455594e4cc/content/_data/navigation.yaml#L2944).
+
 ## References across documents
 
 - Give each folder an `index.md` page that introduces the topic, and both introduces

doc/development/fips_compliance.md

@@ -112,6 +112,14 @@ def default_min_key_size(name)
 end
 ```
 
+#### Unsupported features in FIPS mode
+
+Some GitLab features may not work when FIPS mode is enabled. The following features are known to not work in FIPS mode; however, there may be additional features not listed here that also do not work properly in FIPS mode:
+
+- [License compliance](../user/compliance/license_compliance/index.md)
+- [Dependency scanning](../user/application_security/dependency_scanning/index.md) support for Gradle
+- [Solutions for vulnerabilities](../user/application_security/vulnerabilities/index.md#resolve-a-vulnerability) for yarn projects
+
 ## Nightly Omnibus FIPS builds
 
 The Distribution team has created [nightly FIPS Omnibus builds](https://packages.gitlab.com/gitlab/nightly-fips-builds). These

doc/gitlab-basics/add-file.md

@@ -29,7 +29,7 @@ to the desired destination:
 cd <destination folder>
 ```
 
-[Create a new branch](create-branch.md) to add your file into. Submitting changes directly
+[Create a new branch](../tutorials/make_your_first_git_commit.md#create-a-branch-and-make-changes) to add your file into. Submitting changes directly
 to the default branch should be avoided unless your project is very small and you're the
 only person working on it.
 

doc/user/application_security/dependency_scanning/index.md

@@ -311,7 +311,7 @@ table.supported-languages ul {
     <p>
       Although Gradle with Java 8 is supported, there are other issues such that Android project builds are not supported at this time.
       Please see the backlog issue <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/336866">Android support for Dependency
-      Scanning (gemnasium-maven)</a> for more details.
+      Scanning (gemnasium-maven)</a> for more details. Also, Gradle is not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled.
     </p>
   </li>
   <li>
@@ -693,7 +693,7 @@ To manually switch to FIPS-enabled images, set the variable `DS_IMAGE_SUFFIX` to
 To ensure compliance with FIPS, the FIPS-enabled image of `gemnasium-maven` uses the OpenJDK packages for RedHat UBI.
 As a result, it only supports Java 8, 11, and 17.
 
-Auto-remediation for Yarn projects isn't supported in FIPS mode.
+Dependency scanning for Gradle projects and auto-remediation for Yarn projects are not supported in FIPS mode.
 
 ## Interacting with the vulnerabilities
 

doc/user/application_security/vulnerabilities/index.md

@@ -153,7 +153,7 @@ The following scanners are supported by this feature:
 
 - [Dependency Scanning](../dependency_scanning/index.md).
   Automatic Patch creation is only available for Node.js projects managed with
-  `yarn`.
+  `yarn` when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is disabled.
 - [Container Scanning](../container_scanning/index.md).
 
 To resolve a vulnerability, you can either:

doc/user/compliance/license_compliance/index.md

@@ -71,11 +71,13 @@ Gradle 1.x projects are not supported. The minimum supported version of Maven is
 |------------|----------------------------------------------------------------------------------------------|-------|
 | JavaScript | [Bower](https://bower.io/), [npm](https://www.npmjs.com/) (7 and earlier)                    |       |
 | Go         | [Godep](https://github.com/tools/godep) ([deprecated](../../../update/deprecations.md#godep-support-in-license-compliance)), [go mod](https://github.com/golang/go/wiki/Modules) |       |
-| Java       | [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/)                            |       |
+| Java       | [Gradle](https://gradle.org/) <sup>1</sup>, [Maven](https://maven.apache.org/)                            |       |
 | .NET       | [NuGet](https://www.nuget.org/)                                                              | The .NET Framework is supported via the [mono project](https://www.mono-project.com/). There are, however, some limitations. The scanner doesn't support Windows-specific dependencies and doesn't report dependencies of your project's listed dependencies. Also, the scanner always marks detected licenses for all dependencies as `unknown`. |
 | Python     | [pip](https://pip.pypa.io/en/stable/)                                                        | Python is supported through [requirements.txt](https://pip.pypa.io/en/stable/user_guide/#requirements-files) and [Pipfile.lock](https://github.com/pypa/pipfile#pipfilelock). |
 | Ruby       | [gem](https://rubygems.org/) |  |
 
+1. Gradle 7 and later is not supported as dependencies are not discovered when included with the `implementation` directive. Please see [GitLab#341222](https://gitlab.com/gitlab-org/gitlab/-/issues/341222) for more details.
+
 ### Experimental support
 
 The following languages and package managers are [supported experimentally](https://github.com/pivotal/LicenseFinder#experimental-project-types).
@@ -100,6 +102,8 @@ To enable License Compliance in your project's pipeline, either:
   (provided by [Auto DevOps](../../../topics/autodevops/index.md)).
 - Include the [`License-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml) in your `.gitlab-ci.yml` file.
 
+Please note that License Compliance is not supported when GitLab is run with FIPS mode enabled.
+
 ### Include the License Scanning template
 
 Prerequisites:
@@ -109,6 +113,7 @@ Prerequisites:
   shared runners on GitLab.com, this is enabled by default.
 - License Scanning runs in the `test` stage, which is available by default. If you redefine the stages in the
   `.gitlab-ci.yml` file, the `test` stage is required.
+- [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) must be disabled.
 
 To [include](../../../ci/yaml/index.md#includetemplate) the
 [`License-Scanning.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/License-Scanning.gitlab-ci.yml), add it to your `.gitlab-ci.yml` file:

lib/gitlab/background_migration/fix_vulnerability_occurrences_with_hashes_as_raw_metadata.rb

@@ -68,7 +68,7 @@ module Gitlab
       def valid_json?(metadata)
         Oj.load(metadata)
         true
-      rescue Oj::ParseError, Encoding::UndefinedConversionError
+      rescue Oj::ParseError, EncodingError, Json::ParseError, Encoding::UndefinedConversionError
         false
       end
 

lib/gitlab/json.rb

@@ -95,7 +95,7 @@ module Gitlab
         opts = standardize_opts(opts)
 
         Oj.load(string, opts)
-      rescue Oj::ParseError, Encoding::UndefinedConversionError => ex
+      rescue Oj::ParseError, EncodingError, JSON::ParseError, Encoding::UndefinedConversionError => ex
         raise parser_error, ex
       end
 

package.json

@@ -200,7 +200,7 @@
     "yaml": "^2.0.0-10"
   },
   "devDependencies": {
-    "@gitlab/eslint-plugin": "12.3.0",
+    "@gitlab/eslint-plugin": "13.0.0",
     "@gitlab/stylelint-config": "4.1.0",
     "@graphql-eslint/eslint-plugin": "3.10.4",
     "@testing-library/dom": "^7.16.2",

spec/frontend/admin/users/components/user_actions_spec.js

@@ -77,12 +77,6 @@ describe('AdminUserActions component', () => {
         expect(findActionsDropdown().exists()).toBe(true);
       });
 
-      it('renders the tooltip', () => {
-        const tooltip = getBinding(findActionsDropdown().element, 'gl-tooltip');
-
-        expect(tooltip.value).toBe(I18N_USER_ACTIONS.userAdministration);
-      });
-
       describe('when there are actions that require confirmation', () => {
         beforeEach(() => {
           initComponent({ actions: CONFIRMATION_ACTIONS });

yarn.lock

@@ -1016,10 +1016,10 @@
   resolved "https://registry.yarnpkg.com/@gitlab/at.js/-/at.js-1.5.7.tgz#1ee6f838cc4410a1d797770934df91d90df8179e"
   integrity sha512-c6ySRK/Ma7lxwpIVbSAF3P+xiTLrNTGTLRx4/pHK111AdFxwgUwrYF6aVZFXvmG65jHOJHoa0eQQ21RW6rm0Rg==
 
-"@gitlab/eslint-plugin@12.3.0":
-  version "12.3.0"
-  resolved "https://registry.yarnpkg.com/@gitlab/eslint-plugin/-/eslint-plugin-12.3.0.tgz#951453556fb3b4f43e3028fead65e083a8b90b0e"
-  integrity sha512-DV84zLLv/wDUjzoVJfpvvAAiaemKUqT1IZf16fEtlw/A4/x48vWJTMHQF7ciQtjz+gVKAnlht67IstSY8W19ZQ==
+"@gitlab/eslint-plugin@13.0.0":
+  version "13.0.0"
+  resolved "https://registry.yarnpkg.com/@gitlab/eslint-plugin/-/eslint-plugin-13.0.0.tgz#fa8d0ad96cfaeaa42f2d978ff059fc17358a00f8"
+  integrity sha512-w7vhBiSMslam1IPeprc2cArrLW6GqIFW9cW/CEwbim8dmzT8wZFzLvTSnIHQdokPN4fM5aToCLr9HkCROy4cRg==
   dependencies:
     "@babel/core" "^7.17.0"
     "@babel/eslint-parser" "^7.17.0"