Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/graphql/ordered_arguments.yml

@@ -1,6 +0,0 @@
----
-GraphQL/OrderedArguments:
-  Exclude:
-  - app/graphql/resolvers/base_issues_resolver.rb
-  - app/graphql/resolvers/design_management/designs_resolver.rb
-  - app/graphql/resolvers/design_management/version/design_at_version_resolver.rb

.rubocop_todo/graphql/ordered_fields.yml

@@ -1,55 +1,12 @@
 ---
 GraphQL/OrderedFields:
   Exclude:
-  - app/graphql/types/ci/runner_platform_type.rb
   - app/graphql/types/ci/runner_type.rb
-  - app/graphql/types/ci/stage_type.rb
-  - app/graphql/types/ci/status_action_type.rb
-  - app/graphql/types/ci/template_type.rb
-  - app/graphql/types/commit_type.rb
-  - app/graphql/types/container_expiration_policy_type.rb
-  - app/graphql/types/container_repository_tag_type.rb
   - app/graphql/types/container_repository_type.rb
-  - app/graphql/types/dependency_proxy/blob_type.rb
-  - app/graphql/types/dependency_proxy/image_ttl_group_policy_type.rb
   - app/graphql/types/dependency_proxy/manifest_type.rb
-  - app/graphql/types/design_management/design_collection_type.rb
-  - app/graphql/types/diff_refs_type.rb
-  - app/graphql/types/diff_stats_summary_type.rb
-  - app/graphql/types/diff_stats_type.rb
-  - app/graphql/types/error_tracking/sentry_detailed_error_type.rb
-  - app/graphql/types/error_tracking/sentry_error_collection_type.rb
-  - app/graphql/types/error_tracking/sentry_error_frequency_type.rb
-  - app/graphql/types/error_tracking/sentry_error_stack_trace_context_type.rb
-  - app/graphql/types/error_tracking/sentry_error_stack_trace_entry_type.rb
   - app/graphql/types/merge_request_type.rb
-  - app/graphql/types/metadata/kas_type.rb
-  - app/graphql/types/metadata_type.rb
-  - app/graphql/types/namespace/package_settings_type.rb
-  - app/graphql/types/namespace_type.rb
-  - app/graphql/types/notes/diff_position_type.rb
-  - app/graphql/types/notes/discussion_type.rb
-  - app/graphql/types/notes/note_type.rb
-  - app/graphql/types/packages/nuget/metadatum_type.rb
-  - app/graphql/types/packages/package_dependency_link_type.rb
-  - app/graphql/types/packages/package_file_type.rb
-  - app/graphql/types/packages/package_tag_type.rb
-  - app/graphql/types/packages/package_type.rb
   - app/graphql/types/project_statistics_type.rb
-  - app/graphql/types/project_type.rb
-  - app/graphql/types/projects/services/jira_project_type.rb
-  - app/graphql/types/release_asset_link_type.rb
-  - app/graphql/types/release_links_type.rb
   - app/graphql/types/release_type.rb
-  - app/graphql/types/repository_type.rb
   - app/graphql/types/root_storage_statistics_type.rb
-  - app/graphql/types/task_completion_status.rb
-  - app/graphql/types/tree/blob_type.rb
-  - ee/app/graphql/types/epic_type.rb
-  - ee/app/graphql/types/geo/geo_node_type.rb
-  - ee/app/graphql/types/requirements_management/requirement_states_count_type.rb
-  - ee/app/graphql/types/scan_execution_policy_type.rb
   - ee/app/graphql/types/scan_type.rb
-  - ee/app/graphql/types/scanned_resource_type.rb
-  - ee/app/graphql/types/security_report_summary_section_type.rb
   - ee/app/graphql/types/timebox_report_type.rb

.rubocop_todo/graphql/resolver_method_length.yml

@@ -3,5 +3,4 @@ GraphQL/ResolverMethodLength:
   Exclude:
   - app/graphql/types/ci/detailed_status_type.rb
   - app/graphql/types/ci/runner_type.rb
-  - app/graphql/types/ci/stage_type.rb
-  - app/graphql/types/packages/package_type.rb
+  - app/graphql/types/ci/stage_type.rb

.rubocop_todo/performance/active_record_subtransaction_methods.yml

@@ -1,62 +1,50 @@
 ---
 Performance/ActiveRecordSubtransactionMethods:
   Exclude:
-  - app/controllers/clusters/clusters_controller.rb
-  - app/controllers/repositories/lfs_storage_controller.rb
-  - app/controllers/search_controller.rb
-  - app/models/application_record.rb
-  - app/models/ci/ref.rb
-  - app/models/container_repository.rb
-  - app/models/design_management/design_collection.rb
-  - app/models/error_tracking/error.rb
-  - app/models/external_pull_request.rb
-  - app/models/merge_request.rb
-  - app/models/plan.rb
-  - app/models/project.rb
-  - app/models/shard.rb
-  - app/models/x509_certificate.rb
-  - app/models/x509_commit_signature.rb
-  - app/models/x509_issuer.rb
-  - app/models/concerns/commit_signature.rb
-  - app/services/bulk_imports/relation_export_service.rb
-  - app/services/ci/update_build_state_service.rb
-  - app/services/event_create_service.rb
-  - app/services/groups/import_export/import_service.rb
-  - app/services/lfs/file_transformer.rb
-  - app/services/merge_requests/approval_service.rb
-  - app/services/namespaces/statistics_refresher_service.rb
-  - app/services/packages/rubygems/create_dependencies_service.rb
-  - app/services/packages/rubygems/metadata_extraction_service.rb
-  - app/services/projects/create_service.rb
-  - app/services/projects/lfs_pointers/lfs_download_service.rb
-  - app/services/service_desk_settings/update_service.rb
-  - app/services/service_ping/submit_service.rb
-  - app/services/terraform/remote_state_handler.rb
-  - app/workers/namespaces/schedule_aggregation_worker.rb
-  - app/workers/project_export_worker.rb
-  - db/migrate/20200212014653_rename_security_dashboard_feature_flag_to_instance_security_dashboard.rb
-  - db/post_migrate/20200214034836_remove_security_dashboard_feature_flag.rb
-  - db/post_migrate/20210824174615_prepare_ci_builds_metadata_and_ci_build_async_indexes.rb
-  - ee/app/models/ci/minutes/namespace_monthly_usage.rb
-  - ee/app/models/ci/minutes/project_monthly_usage.rb
-  - ee/app/models/concerns/deprecated_approvals_before_merge.rb
-  - ee/app/models/ee/iteration.rb
-  - ee/app/models/ee/plan.rb
-  - ee/app/models/elastic/index_setting.rb
-  - ee/app/models/gitlab_subscription.rb
-  - ee/app/models/software_license.rb
-  - ee/app/services/boards/user_preferences/update_service.rb
-  - ee/app/services/ci/minutes/update_project_and_namespace_usage_service.rb
-  - ee/app/services/ee/analytics/cycle_analytics/stages/base_service.rb
-  - ee/app/services/security/store_report_service.rb
-  - ee/app/services/security/store_scan_service.rb
-  - ee/app/workers/import_software_licenses_worker.rb
-  - ee/db/fixtures/production/027_plans.rb
-  - ee/lib/ee/gitlab/background_migration/migrate_approver_to_approval_rules.rb
-  - ee/lib/gitlab/elastic/indexer.rb
-  - lib/gitlab/ci/pipeline/seed/environment.rb
-  - lib/gitlab/ci/pipeline/seed/processable/resource_group.rb
-  - lib/gitlab/ci/trace/chunked_io.rb
-  - lib/gitlab/composer/cache.rb
-  - lib/gitlab/database/async_indexes/migration_helpers.rb
-  - lib/gitlab/issuables_count_for_state.rb
+    - 'app/controllers/repositories/lfs_storage_controller.rb'
+    - 'app/controllers/search_controller.rb'
+    - 'app/models/application_record.rb'
+    - 'app/models/ci/ref.rb'
+    - 'app/models/concerns/commit_signature.rb'
+    - 'app/models/container_repository.rb'
+    - 'app/models/design_management/design_collection.rb'
+    - 'app/models/error_tracking/error.rb'
+    - 'app/models/external_pull_request.rb'
+    - 'app/models/plan.rb'
+    - 'app/models/project.rb'
+    - 'app/models/shard.rb'
+    - 'app/models/x509_certificate.rb'
+    - 'app/models/x509_issuer.rb'
+    - 'app/services/bulk_imports/relation_export_service.rb'
+    - 'app/services/ci/update_build_state_service.rb'
+    - 'app/services/event_create_service.rb'
+    - 'app/services/groups/import_export/import_service.rb'
+    - 'app/services/lfs/file_transformer.rb'
+    - 'app/services/merge_requests/approval_service.rb'
+    - 'app/services/namespaces/statistics_refresher_service.rb'
+    - 'app/services/packages/rubygems/create_dependencies_service.rb'
+    - 'app/services/projects/create_service.rb'
+    - 'app/services/projects/lfs_pointers/lfs_download_service.rb'
+    - 'app/services/service_desk_settings/update_service.rb'
+    - 'app/services/terraform/remote_state_handler.rb'
+    - 'app/workers/namespaces/schedule_aggregation_worker.rb'
+    - 'app/workers/project_export_worker.rb'
+    - 'ee/app/models/ci/minutes/project_monthly_usage.rb'
+    - 'ee/app/models/concerns/deprecated_approvals_before_merge.rb'
+    - 'ee/app/models/ee/plan.rb'
+    - 'ee/app/models/elastic/index_setting.rb'
+    - 'ee/app/models/gitlab_subscription.rb'
+    - 'ee/app/models/software_license.rb'
+    - 'ee/app/services/boards/user_preferences/update_service.rb'
+    - 'ee/app/services/ci/minutes/update_project_and_namespace_usage_service.rb'
+    - 'ee/app/services/ee/analytics/cycle_analytics/stages/base_service.rb'
+    - 'ee/app/services/security/store_scan_service.rb'
+    - 'ee/app/workers/import_software_licenses_worker.rb'
+    - 'ee/db/fixtures/production/027_plans.rb'
+    - 'ee/lib/ee/gitlab/background_migration/migrate_approver_to_approval_rules.rb'
+    - 'ee/lib/gitlab/elastic/indexer.rb'
+    - 'lib/gitlab/ci/pipeline/seed/environment.rb'
+    - 'lib/gitlab/ci/pipeline/seed/processable/resource_group.rb'
+    - 'lib/gitlab/ci/trace/chunked_io.rb'
+    - 'lib/gitlab/composer/cache.rb'
+    - 'lib/gitlab/issuables_count_for_state.rb'

.rubocop_todo/performance/block_given_with_explicit_block.yml

@@ -12,7 +12,6 @@ Performance/BlockGivenWithExplicitBlock:
     - 'app/helpers/tab_helper.rb'
     - 'app/services/base_count_service.rb'
     - 'app/services/error_tracking/base_service.rb'
-    - 'app/services/projects/open_issues_count_service.rb'
     - 'app/services/users/update_service.rb'
     - 'ee/lib/elastic/latest/query_context.rb'
     - 'ee/lib/gitlab/geo.rb'
@@ -35,7 +34,6 @@ Performance/BlockGivenWithExplicitBlock:
     - 'lib/gitlab/usage_data_queries.rb'
     - 'lib/gitlab/utils/usage_data.rb'
     - 'qa/qa/page/view.rb'
-    - 'qa/qa/runtime/browser.rb'
     - 'spec/lib/api/helpers/authentication_spec.rb'
     - 'spec/lib/gitlab/slash_commands/deploy_spec.rb'
     - 'spec/support/helpers/graphql_helpers.rb'

.rubocop_todo/performance/constant_regexp.yml

@@ -28,5 +28,4 @@ Performance/ConstantRegexp:
     - 'scripts/perf/query_limiting_report.rb'
     - 'scripts/validate_migration_schema'
     - 'spec/models/concerns/token_authenticatable_spec.rb'
-    - 'spec/scripts/lib/glfm/update_specification_spec.rb'
     - 'spec/services/notes/copy_service_spec.rb'

.rubocop_todo/performance/rubyzip.yml

@@ -1,5 +1,5 @@
 ---
 Performance/Rubyzip:
   Exclude:
-  - app/services/packages/nuget/metadata_extraction_service.rb
-  - lib/gitlab/ci/artifact_file_reader.rb
+    - 'app/services/packages/nuget/metadata_extraction_service.rb'
+    - 'lib/gitlab/ci/artifact_file_reader.rb'

.rubocop_todo/performance/string_include.yml

@@ -10,6 +10,5 @@ Performance/StringInclude:
     - 'lib/gitlab/database/migration_helpers.rb'
     - 'lib/kramdown/parser/atlassian_document_format.rb'
     - 'lib/prometheus/pid_provider.rb'
-    - 'qa/qa/specs/runner.rb'
     - 'spec/features/projects/jobs_spec.rb'
     - 'spec/spec_helper.rb'

Gemfile

@@ -344,7 +344,7 @@ gem 'prometheus-client-mmap', '~> 0.15.0', require: 'prometheus/client'
 gem 'warning', '~> 1.2.0'
 
 group :development do
-  gem 'lefthook', '~> 0.7.0', require: false
+  gem 'lefthook', '~> 0.8.0', require: false
   gem 'rubocop'
   gem 'solargraph', '~> 0.44.3', require: false
 

Gemfile.lock

@@ -723,7 +723,7 @@ GEM
       rest-client (~> 2.0)
     launchy (2.5.0)
       addressable (~> 2.7)
-    lefthook (0.7.5)
+    lefthook (0.8.0)
     letter_opener (1.7.0)
       launchy (~> 2.2)
     letter_opener_web (2.0.0)
@@ -1584,7 +1584,7 @@ DEPENDENCIES
   knapsack (~> 1.21.1)
   kramdown (~> 2.3.1)
   kubeclient (~> 4.9.2)
-  lefthook (~> 0.7.0)
+  lefthook (~> 0.8.0)
   letter_opener_web (~> 2.0.0)
   licensee (~> 9.14.1)
   lockbox (~> 0.6.2)

app/assets/stylesheets/framework/awards.scss

@@ -6,6 +6,12 @@
     width: 20px;
     height: 20px;
   }
+
+  // Show active state.
+  .gl-button.selected {
+    background-color: $blue-50;
+    box-shadow: inset 0 0 0 2px $blue-500;
+  }
 }
 
 .emoji-menu {

app/controllers/concerns/spammable_actions/captcha_check/html_format_actions_support.rb

@@ -32,3 +32,5 @@ module SpammableActions::CaptchaCheck::HtmlFormatActionsSupport
     request.headers['X-GitLab-Spam-Log-Id'] = params[:spam_log_id] if params[:spam_log_id]
   end
 end
+
+SpammableActions::CaptchaCheck::HtmlFormatActionsSupport.prepend_mod

app/finders/issuable_finder.rb

@@ -316,10 +316,8 @@ class IssuableFinder
 
   # rubocop: disable CodeReuse/ActiveRecord
   def by_project(items)
-    if params.project?
+    if params.project? || params.projects
       items.of_projects(params.projects).references_project
-    elsif params.projects
-      items.merge(params.projects.reorder(nil)).join_project
     else
       items.none
     end

app/finders/issuable_finder/params.rb

@@ -175,7 +175,7 @@ class IssuableFinder
       return Project.none unless group
 
       if params[:include_subgroups]
-        Project.where(namespace_id: group.self_and_descendants) # rubocop: disable CodeReuse/ActiveRecord
+        Project.where(namespace_id: group.self_and_descendant_ids) # rubocop: disable CodeReuse/ActiveRecord
       else
         group.projects
       end

app/models/hooks/web_hook.rb

@@ -140,6 +140,16 @@ class WebHook < ApplicationRecord
     { related_class: type }
   end
 
+  def alert_status
+    if temporarily_disabled?
+      :temporarily_disabled
+    elsif permanently_disabled?
+      :disabled
+    else
+      :executable
+    end
+  end
+
   private
 
   def web_hooks_disable_failed?

app/models/issue.rb

@@ -149,7 +149,7 @@ class Issue < ApplicationRecord
 
   scope :without_hidden, -> {
     if Feature.enabled?(:ban_user_feature_flag)
-      where('NOT EXISTS (?)', Users::BannedUser.select(1).where('issues.author_id = banned_users.user_id'))
+      where.not(author_id: Users::BannedUser.all.select(:user_id))
     else
       all
     end

app/models/namespaces/traversal/recursive.rb

@@ -63,19 +63,17 @@ module Namespaces
 
       # Returns all the descendants of the current namespace.
       def descendants
-        object_hierarchy(self.class.where(parent_id: id))
-          .base_and_descendants
+        object_hierarchy(self.class.where(parent_id: id)).base_and_descendants
       end
       alias_method :recursive_descendants, :descendants
 
       def self_and_descendants
-        object_hierarchy(self.class.where(id: id))
-          .base_and_descendants
+        object_hierarchy(self.class.where(id: id)).base_and_descendants
       end
       alias_method :recursive_self_and_descendants, :self_and_descendants
 
       def self_and_descendant_ids
-        recursive_self_and_descendants.select(:id)
+        object_hierarchy(self.class.where(id: id)).base_and_descendant_ids
       end
       alias_method :recursive_self_and_descendant_ids, :self_and_descendant_ids
 

app/views/projects/usage_quotas/index.html.haml

@@ -1,10 +1,10 @@
 - page_title s_("UsageQuota|Usage")
 
-= render Pajamas::AlertComponent.new(title: _('Repository size recalculation started'),
+= render Pajamas::AlertComponent.new(title: _('Repository usage recalculation started'),
   variant: :info,
   alert_class: 'js-recalculation-started-alert gl-mt-4 gl-mb-5 gl-display-none') do |c|
   = c.body do
-    = _('Refresh the page in a few minutes to view usage.')
+    = _('To view usage, refresh this page in a few minutes.')
 
 %h1.page-title
   = s_('UsageQuota|Usage Quotas')

db/migrate/20220602130306_add_namespace_type_index.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddNamespaceTypeIndex < Gitlab::Database::Migration[2.0]
+  disable_ddl_transaction!
+
+  INDEX_NAME = 'index_groups_on_parent_id_id'
+
+  def up
+    add_concurrent_index :namespaces, [:parent_id, :id], where: "type = 'Group'", name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name(:namespaces, INDEX_NAME)
+  end
+end

db/schema_migrations/20220602130306

@@ -0,0 +1 @@
+493009101e8b1340507ff8cf5d6add16f848d8d99f0b6091bf7b07105f711304

db/structure.sql

@@ -28090,6 +28090,8 @@ CREATE UNIQUE INDEX index_group_wiki_repositories_on_disk_path ON group_wiki_rep
 
 CREATE INDEX index_group_wiki_repositories_on_shard_id ON group_wiki_repositories USING btree (shard_id);
 
+CREATE INDEX index_groups_on_parent_id_id ON namespaces USING btree (parent_id, id) WHERE ((type)::text = 'Group'::text);
+
 CREATE INDEX index_historical_data_on_recorded_at ON historical_data USING btree (recorded_at);
 
 CREATE UNIQUE INDEX index_http_integrations_on_active_and_project_and_endpoint ON alert_management_http_integrations USING btree (active, project_id, endpoint_identifier) WHERE active;

doc/administration/audit_events.md

@@ -115,7 +115,7 @@ From there, you can see the following actions:
 - Instance administrator started or stopped impersonation of a group member. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/300961) in GitLab 14.8.
 - Group deploy token was successfully created, revoked, or deleted. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452) in GitLab 14.9.
 - Failed attempt to create a group deploy token. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/353452) in GitLab 14.9.
-- [IP restrictions](../user/group/index.md#restrict-group-access-by-ip-address) changed. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/358986) in GitLab 15.0
+- [IP restrictions](../user/group/index.md#group-access-restriction-by-ip-address) changed. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/358986) in GitLab 15.0.
 - Changes to push rules. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/227629) in GitLab 15.0.
 
 Group events can also be accessed via the [Group Audit Events API](../api/audit_events.md#group-audit-events)

doc/administration/object_storage.md

@@ -541,6 +541,10 @@ supported by consolidated configuration form, refer to the following guides:
 | [Terraform state files](terraform_state.md#using-object-storage) | **{check-circle}** Yes |
 | [Pages content](pages/index.md#using-object-storage) | **{check-circle}** Yes |
 
+WARNING:
+The use of [encrypted S3 buckets](#encrypted-s3-buckets) with non-consolidated configuration is not supported. 
+You may start getting [ETag mismatch errors](#etag-mismatch) if you use it.
+
 ### Other alternatives to file system storage
 
 If you're working to [scale out](reference_architectures/index.md) your GitLab implementation,

doc/development/documentation/styleguide/word_list.md

@@ -407,6 +407,13 @@ of the fields at once. For example:
 
 Learn more about [documenting multiple fields at once](index.md#documenting-multiple-fields-at-once).
 
+## filter
+
+When you are viewing a list of items, like issues or merge requests, you filter the list by
+the available attributes. For example, you might filter by assignee or reviewer.
+
+Filtering is different from [searching](#search).
+
 ## foo
 
 Do not use **foo** in product documentation. You can use it in our API and contributor documentation, but try to use a clearer and more meaningful example instead.
@@ -863,6 +870,13 @@ Do not use **scalability** when talking about increasing GitLab performance for
 are sometimes acceptable, but references to increasing GitLab performance for additional users should direct readers
 to the GitLab [reference architectures](../../../administration/reference_architectures/index.md) page.
 
+## search
+
+When you search, you type a string in the search box on the top bar.
+The search results are displayed on a search page.
+
+Searching is different from [filtering](#filter).
+
 ## section
 
 Use **section** to describe an area on a page. For example, if a page has lines that separate the UI

doc/development/fips_compliance.md

@@ -301,7 +301,7 @@ all:
     gitlab_charts_custom_config_file: '/path/to/gitlab-environment-toolkit/ansible/environments/gitlab-10k/inventory/charts.yml'
 ```
 
-Now create `charts.yml` in the location specified above and specify tags with a `-ubi8` suffix. For example:
+Now create `charts.yml` in the location specified above and specify tags with a `-fips` suffix. For example:
 
 ```yaml
 global:
@@ -309,35 +309,38 @@ global:
     pullPolicy: Always
   certificates:
     image:
-      tag: master-ubi8
+      tag: master-fips
+  kubectl:
+    image:
+      tag: master-fips
 
 gitlab:
   gitaly:
     image:
-      tag: master-ubi8
+      tag: master-fips
   gitlab-exporter:
     image:
-      tag: master-ubi8
+      tag: master-fips
   gitlab-shell:
     image:
-      tag: main-ubi8 # The default branch is main, not master
+      tag: main-fips # The default branch is main, not master
   gitlab-mailroom:
     image:
-      tag: master-ubi8
+      tag: master-fips
   migrations:
     image:
-      tag: master-ubi8
+      tag: master-fips
   sidekiq:
     image:
-      tag: master-ubi8
+      tag: master-fips
   toolbox:
     image:
-      tag: master-ubi8
+      tag: master-fips
   webservice:
     image:
-      tag: master-ubi8
+      tag: master-fips
     workhorse:
-      tag: master-ubi8
+      tag: master-fips
 
 nginx-ingress:
   controller:
@@ -353,41 +356,44 @@ See [this issue](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3153#note_
 how to build NGINX and the Ingress Controller.
 
 You can also use release tags, but the versioning is tricky because each
-component may use its own versioning scheme. For example, for GitLab v14.10:
+component may use its own versioning scheme. For example, for GitLab v15.1:
 
 ```yaml
 global:
   certificates:
     image:
-      tag: 20191127-r2-ubi8
+      tag: 20211220-r0-fips
+  kubectl:
+    image:
+      tag: 1.18.20-fips
 
 gitlab:
   gitaly:
     image:
-      tag: v14.10.0-ubi8
+      tag: v15.1.0-fips
   gitlab-exporter:
     image:
-      tag: 11.14.0-ubi8
+      tag: 11.15.2-fips
   gitlab-shell:
     image:
-      tag: v13.25.1-ubi8
+      tag: v15.1.0-fips
   gitlab-mailroom:
     image:
-      tag: v14.10.0-ubi8
+      tag: v15.1.0-fips
   migrations:
     image:
-      tag: v14.10.0-ubi8
+      tag: v15.1.0-fips
   sidekiq:
     image:
-      tag: v14.10.0-ubi8
+      tag: v15.1.0-fips
   toolbox:
     image:
-      tag: v14.10.0-ubi8
+      tag: v15.1.0-fips
   webservice:
     image:
-      tag: v14.10.0-ubi8
+      tag: v15.1.0-fips
     workhorse:
-      tag: v14.10.0-ubi8
+      tag: v15.1.0-fips
 ```
 
 ## Verify FIPS

doc/install/requirements.md

@@ -13,15 +13,7 @@ the minimum requirements needed to install and use GitLab.
 
 ### Supported Linux distributions
 
-- Ubuntu (18.04/20.04)
-- Debian (9/10/11)
-- AlmaLinux (8)
-- CentOS (7)
-- openSUSE Leap (15.3)
-- SUSE Linux Enterprise Server (12 SP2/12 SP5)
-- Red Hat Enterprise Linux (use the AlmaLinux or CentOS instructions)
-- Scientific Linux (use the CentOS instructions)
-- Oracle Linux (use the CentOS instructions)
+See the [list of supported operating systems](../administration/package_information/supported_os.md#supported-operating-systems).
 
 For the installation options, see [the main installation page](index.md).
 

doc/raketasks/backup_restore.md

@@ -304,6 +304,9 @@ sudo -u git -H bundle exec rake gitlab:backup:create SKIP=db,uploads RAILS_ENV=p
 
 #### Skipping tar creation
 
+NOTE:
+It is not possible to skip the tar creation when using [object storage](#uploading-backups-to-a-remote-cloud-storage) for backups.
+
 The last part of creating a backup is generation of a `.tar` file containing
 all the parts. In some cases (for example, if the backup is picked up by other
 backup software) creating a `.tar` file might be wasted effort or even directly
@@ -451,6 +454,9 @@ For example, to back up all repositories for all projects in **Group A** (`group
 
 #### Uploading backups to a remote (cloud) storage
 
+NOTE:
+It is not possible to [skip the tar creation](#skipping-tar-creation) when using object storage for backups.
+
 You can let the backup script upload (using the [Fog library](https://fog.io/))
 the `.tar` file it creates. In the following example, we use Amazon S3 for
 storage, but Fog also lets you use [other storage providers](https://fog.io/storage/).

doc/user/admin_area/settings/usage_statistics.md

@@ -48,7 +48,7 @@ tier. Users can continue to access the features in a paid tier without sharing u
 ### Features available in 14.4 and later
 
 - [Repository size limit](../settings/account_and_limit_settings.md#repository-size-limit).
-- [Restrict group access by IP address](../../group/index.md#restrict-group-access-by-ip-address).
+- [Group access restriction by IP address](../../group/index.md#group-access-restriction-by-ip-address).
 
 NOTE:
 Registration is not yet required for participation, but may be added in a future milestone.

doc/user/group/index.md

@@ -599,7 +599,7 @@ You can export a list of members in a group or subgroup as a CSV.
 1. Select **Export as CSV**.
 1. After the CSV file has been generated, it is emailed as an attachment to the user that requested it.
 
-## Restrict group access by IP address **(PREMIUM)**
+## Group access restriction by IP address **(PREMIUM)**
 
 > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/1985) in GitLab 12.0.
 > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/215410) from GitLab Ultimate to GitLab Premium in 13.1.
@@ -611,25 +611,26 @@ applies to:
 - The GitLab UI, including subgroups, projects, and issues.
 - [In GitLab 12.3 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/12874), the API.
 
-You should consider these security implications before configuring IP address restrictions:
+### Security implications
 
-- **SSH requests, including `git` operations will fail from all IP addresses**: While you can restrict HTTP traffic on GitLab.com with IP address restrictions,
-  they cause SSH requests, including Git operations over SSH, to fail. For more information,
-  read [issue 271673](https://gitlab.com/gitlab-org/gitlab/-/issues/271673).
-- **Administrators and group owners can access group settings from any IP address**: Users with these permission levels can always
-  access the group settings, regardless of IP restriction, but they cannot access projects
-  belonging to the group when accessing from a disallowed IP address.
-  - **Some GitLab API endpoints will remain accessible from any IP**: Users coming from denied IP addresses can still see group and project
-    names and hierarchies. Only the [group](../../api/groups.md) (including all [group resources](../../api/api_resources.md#group-resources))
-    APIs and [project](../../api/api_resources.md#project-resources) (including all [project resources](../../api/api_resources.md#project-resources))
-    APIs are protected by IP address restrictions.
-- **Activities performed by GitLab Runners are not bound by IP restrictions**:
-  When you register a runner, it is not bound by the IP restrictions. When the runner
-  requests a new job or an update to a job's state, it is also not bound by
-  the IP restrictions. But when the running CI/CD job sends Git requests from a
+You should consider some security implications before configuring IP address restrictions.
+
+- Restricting HTTP traffic on GitLab.com with IP address restrictions causes SSH requests (including Git operations over
+  SSH) to fail. For more information, see [the relevant issue](https://gitlab.com/gitlab-org/gitlab/-/issues/271673).
+- Administrators and group owners can access group settings from any IP address, regardless of IP restriction. However:
+  - Groups owners cannot access projects belonging to the group when accessing from a disallowed IP address.
+  - Administrators can access projects belonging to the group when accessing from a disallowed IP address.
+    Access to projects includes cloning code from them.
+  - Users can still see group and project names and hierarchies. Only the following are restricted:
+    - [Groups](../../api/groups.md), including all [group resources](../../api/api_resources.md#group-resources).
+    - [Project](../../api/projects.md), including all [project resources](../../api/api_resources.md#project-resources).
+- When you register a runner, it is not bound by the IP restrictions. When the runner requests a new job or an update to
+  a job's state, it is also not bound by the IP restrictions. But when the running CI/CD job sends Git requests from a
   restricted IP address, the IP restriction prevents code from being cloned.
-- **User dashboard activity**: Users may still see some events from the IP restricted groups and projects
-  on their dashboard. Activity may include push, merge, issue, or comment events.
+- Users may still see some events from the IP restricted groups and projects on their dashboard. Activity may include
+  push, merge, issue, or comment events.
+
+### Restrict group access by IP address
 
 To restrict group access by IP address:
 
@@ -638,8 +639,6 @@ To restrict group access by IP address:
 1. In the **Allow access to the following IP addresses** field, enter IPv4 or IPv6 address ranges in CIDR notation.
 1. Select **Save changes**.
 
-   ![Domain restriction by IP address](img/restrict-by-ip.gif)
-
 In self-managed installations of GitLab 15.1 and later, you can also configure
 [globally-allowed IP address ranges](../admin_area/settings/visibility_and_access_controls.md#configure-globally-allowed-ip-address-ranges)
 at the group level.
@@ -659,8 +658,6 @@ To restrict group access by domain:
 1. In the **Restrict membership by email** field, enter the domain names.
 1. Select **Save changes**.
 
-![Domain restriction by email](img/restrict-by-email.gif)
-
 Any time you attempt to add a new user, the user's [primary email](../profile/index.md#change-your-primary-email) is compared against this list.
 Only users with a [primary email](../profile/index.md#change-your-primary-email) that matches any of the configured email domain restrictions
 can be added to the group.
@@ -861,7 +858,7 @@ If a user sees a 404 when they would normally expect access, and the problem is
 - `json.allowed`: `false`
 
 In viewing the log entries, compare the `remote.ip` with the list of
-[allowed IPs](#restrict-group-access-by-ip-address) for the group.
+[allowed IPs](#group-access-restriction-by-ip-address) for the group.
 
 ### Validation errors on namespaces and groups
 

lib/api/entities/hook.rb

@@ -5,6 +5,9 @@ module API
     class Hook < Grape::Entity
       expose :id, :url, :created_at, :push_events, :tag_push_events, :merge_requests_events, :repository_update_events
       expose :enable_ssl_verification
+
+      expose :alert_status
+      expose :disabled_until
     end
   end
 end

lib/gitlab/object_hierarchy.rb

@@ -92,6 +92,14 @@ module Gitlab
     end
     # rubocop: enable CodeReuse/ActiveRecord
 
+    # Returns a relation that includes ID of the descendants_base set of objects
+    # and all their descendants IDs (recursively).
+    # rubocop: disable CodeReuse/ActiveRecord
+    def base_and_descendant_ids
+      read_only(base_and_descendant_ids_cte.apply_to(unscoped_model.select(objects_table[:id])))
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+
     # Returns a relation that includes the base objects, their ancestors,
     # and the descendants of the base objects.
     #
@@ -214,6 +222,26 @@ module Gitlab
     end
     # rubocop: enable CodeReuse/ActiveRecord
 
+    # rubocop: disable CodeReuse/ActiveRecord
+    def base_and_descendant_ids_cte
+      cte = SQL::RecursiveCTE.new(:base_and_descendants)
+
+      base_query = descendants_base.except(:order).select(objects_table[:id])
+
+      cte << base_query
+
+      # Recursively get all the descendants of the base set.
+      descendants_query = unscoped_model
+        .select(objects_table[:id])
+        .from(from_tables(cte))
+        .where(descendant_conditions(cte))
+        .except(:order)
+
+      cte << descendants_query
+      cte
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+
     def objects_table
       model.arel_table
     end

locale/gitlab.pot

@@ -31262,9 +31262,6 @@ msgstr ""
 msgid "Refresh the page and try again."
 msgstr ""
 
-msgid "Refresh the page in a few minutes to view usage."
-msgstr ""
-
 msgid "Refreshing in a second to show the updated status..."
 msgid_plural "Refreshing in %d seconds to show the updated status..."
 msgstr[0] ""
@@ -32186,15 +32183,15 @@ msgstr ""
 msgid "Repository size limit (MB)"
 msgstr ""
 
-msgid "Repository size recalculation started"
-msgstr ""
-
 msgid "Repository storage"
 msgstr ""
 
 msgid "Repository update events"
 msgstr ""
 
+msgid "Repository usage recalculation started"
+msgstr ""
+
 msgid "Repository: %{counter_repositories} / Wikis: %{counter_wikis} / Build Artifacts: %{counter_build_artifacts} / Pipeline Artifacts: %{counter_pipeline_artifacts} / LFS: %{counter_lfs_objects} / Snippets: %{counter_snippets} / Packages: %{counter_packages} / Uploads: %{counter_uploads}"
 msgstr ""
 
@@ -39754,6 +39751,9 @@ msgstr ""
 msgid "To view all %{scannedResourcesCount} scanned URLs, %{linkStart}please download the CSV file%{linkEnd}"
 msgstr ""
 
+msgid "To view usage, refresh this page in a few minutes."
+msgstr ""
+
 msgid "To widen your search, change or remove filters above"
 msgstr ""
 

package.json

@@ -257,7 +257,7 @@
     "stylelint": "^14.3.0",
     "timezone-mock": "^1.0.8",
     "vue-jest": "4.0.1",
-    "webpack-dev-server": "4.9.1",
+    "webpack-dev-server": "4.9.2",
     "xhr-mock": "^2.5.1",
     "yarn-check-webpack-plugin": "^1.2.0",
     "yarn-deduplicate": "^5.0.0"

public/robots.txt

@@ -20,6 +20,7 @@ Disallow: /admin
 Disallow: /profile
 Disallow: /dashboard
 Disallow: /users
+Disallow: /api/v*
 Disallow: /help
 Disallow: /s/
 Disallow: /-/profile

spec/fixtures/api/schemas/public_api/v4/system_hook.json

@@ -8,7 +8,9 @@
     "tag_push_events",
     "merge_requests_events",
     "repository_update_events",
-    "enable_ssl_verification"
+    "enable_ssl_verification",
+    "alert_status",
+    "disabled_until"
   ],
   "properties": {
     "id": { "type": "integer" },
@@ -18,7 +20,9 @@
     "tag_push_events": { "type": "boolean" },
     "merge_requests_events": { "type": "boolean" },
     "repository_update_events": { "type": "boolean" },
-    "enable_ssl_verification": { "type": "boolean" }
+    "enable_ssl_verification": { "type": "boolean" },
+    "alert_status": { "type": "string", "enum": ["executable", "disabled", "temporarily_disabled"] },
+    "disabled_until": { "type": ["string", "null"] }
   },
   "additionalProperties": false
 }

spec/models/hooks/web_hook_spec.rb

@@ -497,4 +497,26 @@ RSpec.describe WebHook do
       end
     end
   end
+
+  describe '#alert_status' do
+    subject(:status) { hook.alert_status }
+
+    it { is_expected.to eq :executable }
+
+    context 'when hook has been disabled' do
+      before do
+        hook.disable!
+      end
+
+      it { is_expected.to eq :disabled }
+    end
+
+    context 'when hook has been backed off' do
+      before do
+        hook.disabled_until = 1.hour.from_now
+      end
+
+      it { is_expected.to eq :temporarily_disabled }
+    end
+  end
 end

spec/requests/api/project_hooks_spec.rb

@@ -44,6 +44,8 @@ RSpec.describe API::ProjectHooks, 'ProjectHooks' do
         expect(json_response.first['releases_events']).to eq(true)
         expect(json_response.first['enable_ssl_verification']).to eq(true)
         expect(json_response.first['push_events_branch_filter']).to eq('master')
+        expect(json_response.first['alert_status']).to eq('executable')
+        expect(json_response.first['disabled_until']).to be_nil
       end
     end
 
@@ -76,6 +78,8 @@ RSpec.describe API::ProjectHooks, 'ProjectHooks' do
         expect(json_response['releases_events']).to eq(hook.releases_events)
         expect(json_response['deployment_events']).to eq(true)
         expect(json_response['enable_ssl_verification']).to eq(hook.enable_ssl_verification)
+        expect(json_response['alert_status']).to eq(hook.alert_status.to_s)
+        expect(json_response['disabled_until']).to be_nil
       end
 
       it "returns a 404 error if hook id is not available" do

spec/requests/api/system_hooks_spec.rb

@@ -44,6 +44,8 @@ RSpec.describe API::SystemHooks do
         expect(json_response.first['merge_requests_events']).to be false
         expect(json_response.first['repository_update_events']).to be true
         expect(json_response.first['enable_ssl_verification']).to be true
+        expect(json_response.first['disabled_until']).to be nil
+        expect(json_response.first['alert_status']).to eq 'executable'
       end
     end
   end
@@ -79,10 +81,43 @@ RSpec.describe API::SystemHooks do
           'tag_push_events' => be(hook.tag_push_events),
           'merge_requests_events' => be(hook.merge_requests_events),
           'repository_update_events' => be(hook.repository_update_events),
-          'enable_ssl_verification' => be(hook.enable_ssl_verification)
+          'enable_ssl_verification' => be(hook.enable_ssl_verification),
+          'alert_status' => eq(hook.alert_status.to_s),
+          'disabled_until' => eq(hook.disabled_until&.iso8601(3))
         )
       end
 
+      context 'the hook is disabled' do
+        before do
+          hook.disable!
+        end
+
+        it "has the correct alert status", :aggregate_failures do
+          get api("/hooks/#{hook.id}", admin)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('public_api/v4/system_hook')
+          expect(json_response).to include('alert_status' => 'disabled')
+        end
+      end
+
+      context 'the hook is backed-off' do
+        before do
+          hook.backoff!
+        end
+
+        it "has the correct alert status", :aggregate_failures do
+          get api("/hooks/#{hook.id}", admin)
+
+          expect(response).to have_gitlab_http_status(:ok)
+          expect(response).to match_response_schema('public_api/v4/system_hook')
+          expect(json_response).to include(
+            'alert_status' => 'temporarily_disabled',
+            'disabled_until' => hook.disabled_until.iso8601(3)
+          )
+        end
+      end
+
       it 'returns 404 if the system hook does not exist' do
         get api("/hooks/#{non_existing_record_id}", admin)
 

spec/requests/robots_txt_spec.rb

@@ -37,6 +37,9 @@ RSpec.describe 'Robots.txt Requests', :aggregate_failures do
       '/dashboard',
       '/users',
       '/users/foo',
+      '/users/foo@email.com/captcha_check',
+      '/users/foo/captcha_check',
+      '/api/v1/users/foo/captcha_check',
       '/help',
       '/s/',
       '/-/profile',

spec/support/matchers/exceed_query_limit.rb

@@ -121,13 +121,27 @@ module ExceedQueryLimitHelpers
       end
     end
 
-    unless @show_common_queries
-      combined_counts = combined_counts.transform_values do |suffs|
-        suffs.reject { |_k, counts| counts.first == counts.second }
-      end
-    end
+    reject_groups_with_matching_counts(combined_counts)
+  end
 
-    combined_counts.reject { |_prefix, suffs| suffs.empty? }
+  def reject_groups_with_matching_counts(combined_counts)
+    return combined_counts if @show_common_queries
+
+    combined_counts
+      .transform_values { select_suffixes_with_diffs(_1) }
+      .reject { |_prefix, suffs| suffs.empty? }
+  end
+
+  def select_suffixes_with_diffs(suffs)
+    # reject when count in LHS is the same as count in RHS
+    suffs = suffs.reject { |_k, counts| counts.first == counts.second }
+
+    # Reject common case of N queries on LHS and N on right, but with different parameters
+    # accepts as equivalent if a == [0, 1] and b == [1, 0], for example
+    keys = suffs.keys
+    return {} if keys.size == 2 && suffs[keys.first] == suffs[keys.second].reverse
+
+    suffs
   end
 
   def diff_query_group_message(query, suffixes)
@@ -141,7 +155,7 @@ module ExceedQueryLimitHelpers
   def log_message
     if expected.is_a?(ActiveRecord::QueryRecorder)
       diff_counts = diff_query_counts(count_queries(expected), count_queries(@recorder))
-      sections = diff_counts.map { |q, suffixes| diff_query_group_message(q, suffixes) }
+      sections = diff_counts.filter_map { |q, suffixes| diff_query_group_message(q, suffixes) }
 
       <<~MSG
       Query Diff:

spec/support_specs/matchers/exceed_query_limit_helpers_spec.rb

@@ -56,6 +56,7 @@ RSpec.describe ExceedQueryLimitHelpers do
         TestQueries.where(version: 'x').update_all(version: 'y')
         TestQueries.where(version: 'foobar').count
         TestQueries.where(version: 'z').delete_all
+        Project.where(id: 1).pluck(:title)
       end
     end
 
@@ -71,10 +72,11 @@ RSpec.describe ExceedQueryLimitHelpers do
         TestQueries.count
         TestQueries.where(version: 'y').update_all(version: 'z')
         TestQueries.where(version: 'z').delete_all
+        Project.where(id: 2).pluck(:title)
       end
     end
 
-    it 'merges two query counts' do
+    it 'merges two query counts, showing only diffs' do
       test_matcher = TestMatcher.new
 
       diff = test_matcher.diff_query_counts(
@@ -131,6 +133,10 @@ RSpec.describe ExceedQueryLimitHelpers do
         },
         "RELEASE SAVEPOINT active_record_1" => {
           "" => [0, 1]
+        },
+        "SELECT \"projects\".\"name\" FROM \"projects\"" => {
+          "WHERE \"projects\".\"id\" = 1" => [1, 0],
+          "WHERE \"projects\".\"id\" = 2" => [0, 1]
         }
       })
     end

yarn.lock

@@ -2118,7 +2118,7 @@
   dependencies:
     "@types/express" "*"
 
-"@types/serve-static@*":
+"@types/serve-static@*", "@types/serve-static@^1.13.10":
   version "1.13.10"
   resolved "https://registry.yarnpkg.com/@types/serve-static/-/serve-static-1.13.10.tgz#f5e0ce8797d2d7cc5ebeda48a52c96c4fa47a8d9"
   integrity sha512-nCkHGI4w7ZgAdNkrEu0bv+4xNV/XDqW+DydknebMOQwkpDGx8G+HTlj7R7ABI8i8nKxVw0wtKPi1D+lPOkh4YQ==
@@ -12926,15 +12926,16 @@ webpack-dev-middleware@^5.3.1:
     range-parser "^1.2.1"
     schema-utils "^4.0.0"
 
-webpack-dev-server@4.9.1:
-  version "4.9.1"
-  resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-4.9.1.tgz#184607b0287c791aeaa45e58e8fe75fcb4d7e2a8"
-  integrity sha512-CTMfu2UMdR/4OOZVHRpdy84pNopOuigVIsRbGX3LVDMWNP8EUgC5mUBMErbwBlHTEX99ejZJpVqrir6EXAEajA==
+webpack-dev-server@4.9.2:
+  version "4.9.2"
+  resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-4.9.2.tgz#c188db28c7bff12f87deda2a5595679ebbc3c9bc"
+  integrity sha512-H95Ns95dP24ZsEzO6G9iT+PNw4Q7ltll1GfJHV4fKphuHWgKFzGHWi4alTlTnpk1SPPk41X+l2RB7rLfIhnB9Q==
   dependencies:
     "@types/bonjour" "^3.5.9"
     "@types/connect-history-api-fallback" "^1.3.5"
     "@types/express" "^4.17.13"
     "@types/serve-index" "^1.9.1"
+    "@types/serve-static" "^1.13.10"
     "@types/sockjs" "^0.3.33"
     "@types/ws" "^8.5.1"
     ansi-html-community "^0.0.8"