Add latest changes from gitlab-org/gitlab@master

12 files changed, 206 insertions, 78 deletions

diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index e5ae88642b2..e17909dfc98 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-9ff756d21305e63a256ba74c6f75b5c867d9fc22
+88f78ed883808636f3ee02601ee37f944c82b07e
diff --git a/app/assets/javascripts/boards/components/board_card.vue b/app/assets/javascripts/boards/components/board_card.vue
index dc821cb9f58..3638fdd2ca5 100644
--- a/app/assets/javascripts/boards/components/board_card.vue
+++ b/app/assets/javascripts/boards/components/board_card.vue
@@ -48,6 +48,15 @@ export default {
     isDraggable() {
       return !this.disabled && this.item.id && !this.item.isLoading;
     },
+    cardStyle() {
+      return this.isColorful && this.item.color ? { borderColor: this.item.color } : '';
+    },
+    isColorful() {
+      return gon?.features?.epicColorHighlight;
+    },
+    colorClass() {
+      return this.isColorful ? 'gl-pl-4 gl-border-l-solid gl-border-4' : '';
+    },
   },
   methods: {
     ...mapActions(['toggleBoardItemMultiSelection', 'toggleBoardItem']),
@@ -70,17 +79,21 @@ export default {
 <template>
   <li
     data-qa-selector="board_card"
-    :class="{
-      'multi-select': multiSelectVisible,
-      'gl-cursor-grab': isDraggable,
-      'is-disabled': isDisabled,
-      'is-active': isActive,
-      'gl-cursor-not-allowed gl-bg-gray-10': item.isLoading,
-    }"
+    :class="[
+      {
+        'multi-select': multiSelectVisible,
+        'gl-cursor-grab': isDraggable,
+        'is-disabled': isDisabled,
+        'is-active': isActive,
+        'gl-cursor-not-allowed gl-bg-gray-10': item.isLoading,
+      },
+      colorClass,
+    ]"
     :index="index"
     :data-item-id="item.id"
     :data-item-iid="item.iid"
     :data-item-path="item.referencePath"
+    :style="cardStyle"
     data-testid="board_card"
     class="board-card gl-p-5 gl-rounded-base"
     @click="toggleIssue($event)"
diff --git a/doc/administration/gitaly/recovery.md b/doc/administration/gitaly/recovery.md
index 00233e0ce7d..551a7ab289a 100644
--- a/doc/administration/gitaly/recovery.md
+++ b/doc/administration/gitaly/recovery.md
@@ -425,3 +425,21 @@ This command fails if:
 
 - The repository is already being tracked by the Praefect database.
 - The repository does not exist on disk.
+
+### List virtual storage details
+
+> [Introduced](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/4609) in GitLab 15.1.
+
+The `list-storages` Praefect sub-command lists virtual storages and their associated storage nodes. If a virtual storage is:
+
+- Specified using `-virtual-storage`, it lists only storage nodes for the specified virtual storage.
+- Not specified, all virtual storages and their associated storage nodes are listed in tabular format.
+
+```shell
+sudo /opt/gitlab/embedded/bin/praefect -config /var/opt/gitlab/praefect/config.toml list-storages -virtual-storage <virtual_storage_name>
+```
+
+The command outputs:
+
+- Result to `STDOUT` and the command's logs.
+- Errors to `STDERR`.
diff --git a/doc/development/import_project.md b/doc/development/import_project.md
index aa767cd5b4c..c63ba229921 100644
--- a/doc/development/import_project.md
+++ b/doc/development/import_project.md
@@ -80,6 +80,14 @@ If you're running Omnibus, run the following Rake task:
 gitlab-rake "gitlab:import_export:import[root, group/subgroup, testingprojectimport, /path/to/file.tar.gz]"
 ```
 
+#### Enable verbose output
+
+To make the import Rake task more verbose, use the `IMPORT_DEBUG` environment variable:
+
+```shell
+IMPORT_DEBUG=true gitlab-rake "gitlab:import_export:import[root, group/subgroup, testingprojectimport, /path/to/file.tar.gz]"
+```
+
 #### Troubleshooting
 
 Check the common errors listed below, what they mean, and how to fix them.
@@ -168,6 +176,16 @@ Issue.where(project_id: Project.find(ID).root_namespace.all_projects).maximum(:r
 
 Repeat the import attempt after that and check if the issues are imported successfully.
 
+##### Gitaly calls error when importing
+
+If you're attempting to import a large project into a development environment, you may see Gitaly throw an error about too many calls or invocations, for example:
+
+```plaintext
+Error importing repository into qa-perf-testing/gitlabhq - GitalyClient#call called 31 times from single request. Potential n+1?
+```
+
+This is due to a [n+1 calls limit being set for development setups](gitaly.md#toomanyinvocationserror-errors). You can work around this by setting `GITALY_DISABLE_REQUEST_LIMITS=1` as an environment variable, restarting your development environment and importing again.
+
 ### Importing via the Rails console
 
 The last option is to import a project using a Rails console:
@@ -241,20 +259,6 @@ You can execute the script from the `gdk/gitlab` directory like this:
 bundle exec rails r  /path_to_script/script.rb project_name /path_to_extracted_project request_store_enabled
 ```
 
-## Troubleshooting
-
-This section details known issues we've seen when trying to import a project and how to manage them.
-
-### Gitaly calls error when importing
-
-If you're attempting to import a large project into a development environment, you may see Gitaly throw an error about too many calls or invocations, for example:
-
-```plaintext
-Error importing repository into qa-perf-testing/gitlabhq - GitalyClient#call called 31 times from single request. Potential n+1?
-```
-
-This is due to a [n+1 calls limit being set for development setups](gitaly.md#toomanyinvocationserror-errors). You can work around this by setting `GITALY_DISABLE_REQUEST_LIMITS=1` as an environment variable, restarting your development environment and importing again.
-
 ## Access token setup
 
 Many of the tests also require a GitLab Personal Access Token. This is due to numerous endpoints themselves requiring authentication.
diff --git a/doc/gitlab-basics/create-branch.md b/doc/gitlab-basics/create-branch.md
deleted file mode 100644
index d22ce12f9cd..00000000000
--- a/doc/gitlab-basics/create-branch.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-redirect_to: '../tutorials/make_your_first_git_commit.md'
-remove_date: '2022-06-26'
----
-
-This document was moved to [another location](../tutorials/make_your_first_git_commit.md).
-
-<!-- This redirect file can be deleted after <YYYY-MM-DD>. -->
-<!-- Redirects that point to other docs in the same project expire in three months. -->
-<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
-<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->
\ No newline at end of file
diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md
index 970587a7aef..6bf7d792114 100644
--- a/doc/user/group/saml_sso/scim_setup.md
+++ b/doc/user/group/saml_sso/scim_setup.md
@@ -71,8 +71,10 @@ Follow [Azure documentation to configure the attribute mapping](https://docs.mic
 
 The following table below provides an attribute mapping known to work with GitLab. If
 your SAML configuration differs from [the recommended SAML settings](index.md#azure-setup-notes),
-modify the corresponding `customappsso` settings accordingly. If a mapping is not listed in the
-table, use the Azure defaults. For a list of required attributes, refer to the [SCIM API documentation](../../../api/scim.md).
+modify the corresponding `customappsso` settings accordingly. In particular, the `externalId` must
+match the [SAML NameID](index.md#nameid).
+If a mapping is not listed in the table, use the Azure defaults.
+For a list of required attributes, refer to the [SCIM API documentation](../../../api/scim.md).
 
 | Azure Active Directory Attribute | `customappsso` Attribute       | Matching precedence |
 | -------------------------------- | ------------------------------ | ------------------- |
diff --git a/lib/gitlab/git/conflict/parser.rb b/lib/gitlab/git/conflict/parser.rb
index 20de8ebde4e..670305de95b 100644
--- a/lib/gitlab/git/conflict/parser.rb
+++ b/lib/gitlab/git/conflict/parser.rb
@@ -27,7 +27,7 @@ module Gitlab
             conflict_end = ">>>>>>> #{their_path}"
 
             text.each_line.map do |line|
-              full_line = line.delete("\n")
+              full_line = line.chomp
 
               if full_line == conflict_start
                 validate_delimiter!(type.nil?)
diff --git a/lib/gitlab/metrics/exporter/base_exporter.rb b/lib/gitlab/metrics/exporter/base_exporter.rb
index fc271a24cf2..858a0a120cc 100644
--- a/lib/gitlab/metrics/exporter/base_exporter.rb
+++ b/lib/gitlab/metrics/exporter/base_exporter.rb
@@ -7,6 +7,8 @@ module Gitlab
   module Metrics
     module Exporter
       class BaseExporter < Daemon
+        CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze
+
         attr_reader :server
 
         # @param settings [Hash] SettingsLogic hash containing the `*_exporter` config
@@ -45,19 +47,7 @@ module Gitlab
             AccessLog: access_log
           }
 
-          if settings['tls_enabled']
-            # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
-            require 'webrick/ssl'
-
-            server_config.merge!({
-              SSLEnable: true,
-              SSLCertificate: OpenSSL::X509::Certificate.new(File.binread(settings['tls_cert_path'])),
-              SSLPrivateKey: OpenSSL::PKey.read(File.binread(settings['tls_key_path'])),
-              # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
-              # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
-              SSLStartImmediately: true
-            })
-          end
+          server_config.merge!(ssl_config) if settings['tls_enabled']
 
           @server = ::WEBrick::HTTPServer.new(server_config)
           server.mount '/', Rack::Handler::WEBrick, rack_app
@@ -100,6 +90,33 @@ module Gitlab
             run -> (env) { [404, {}, ['']] }
           end
         end
+
+        def ssl_config
+          # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
+          require 'webrick/ssl'
+
+          certs = load_ca_certs_bundle(File.binread(settings['tls_cert_path']))
+
+          {
+            SSLEnable: true,
+            SSLCertificate: certs.shift,
+            SSLPrivateKey: OpenSSL::PKey.read(File.binread(settings['tls_key_path'])),
+            # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
+            # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
+            SSLStartImmediately: true,
+            SSLExtraChainCert: certs
+          }
+        end
+
+        # In Ruby OpenSSL v3.0.0, this can be replaced by OpenSSL::X509::Certificate.load
+        # https://github.com/ruby/openssl/issues/254
+        def load_ca_certs_bundle(ca_certs_string)
+          return [] unless ca_certs_string
+
+          ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string|
+            OpenSSL::X509::Certificate.new(ca_cert_string)
+          end
+        end
       end
     end
   end
diff --git a/spec/frontend/boards/components/board_card_spec.js b/spec/frontend/boards/components/board_card_spec.js
index aad89cf8261..17a5383a31e 100644
--- a/spec/frontend/boards/components/board_card_spec.js
+++ b/spec/frontend/boards/components/board_card_spec.js
@@ -6,7 +6,7 @@ import Vuex from 'vuex';
 import BoardCard from '~/boards/components/board_card.vue';
 import BoardCardInner from '~/boards/components/board_card_inner.vue';
 import { inactiveId } from '~/boards/constants';
-import { mockLabelList, mockIssue } from '../mock_data';
+import { mockLabelList, mockIssue, DEFAULT_COLOR } from '../mock_data';
 
 describe('Board card', () => {
   let wrapper;
@@ -180,4 +180,40 @@ describe('Board card', () => {
       expect(wrapper.classes()).toContain('gl-cursor-grab');
     });
   });
+
+  describe('when Epic colors are enabled', () => {
+    it('applies the correct color', () => {
+      window.gon.features = { epicColorHighlight: true };
+      createStore();
+      mountComponent({
+        item: {
+          ...mockIssue,
+          color: DEFAULT_COLOR,
+        },
+      });
+
+      expect(wrapper.classes()).toEqual(
+        expect.arrayContaining(['gl-pl-4', 'gl-border-l-solid', 'gl-border-4']),
+      );
+      expect(wrapper.attributes('style')).toContain(`border-color: ${DEFAULT_COLOR}`);
+    });
+  });
+
+  describe('when Epic colors are not enabled', () => {
+    it('applies the correct color', () => {
+      window.gon.features = { epicColorHighlight: false };
+      createStore();
+      mountComponent({
+        item: {
+          ...mockIssue,
+          color: DEFAULT_COLOR,
+        },
+      });
+
+      expect(wrapper.classes()).not.toEqual(
+        expect.arrayContaining(['gl-pl-4', 'gl-border-l-solid', 'gl-border-4']),
+      );
+      expect(wrapper.attributes('style')).toBeUndefined();
+    });
+  });
 });
diff --git a/spec/frontend/boards/mock_data.js b/spec/frontend/boards/mock_data.js
index 6ec39be5d29..1ee05d81f37 100644
--- a/spec/frontend/boards/mock_data.js
+++ b/spec/frontend/boards/mock_data.js
@@ -790,3 +790,5 @@ export const epicBoardListQueryResponse = (totalWeight = 5) => ({
     },
   },
 });
+
+export const DEFAULT_COLOR = '#1068bf';
diff --git a/spec/lib/gitlab/git/conflict/parser_spec.rb b/spec/lib/gitlab/git/conflict/parser_spec.rb
index 02b00f711b4..7d81af92412 100644
--- a/spec/lib/gitlab/git/conflict/parser_spec.rb
+++ b/spec/lib/gitlab/git/conflict/parser_spec.rb
@@ -86,43 +86,68 @@ RSpec.describe Gitlab::Git::Conflict::Parser do
         CONFLICT
       end
 
-      let(:lines) do
-        described_class.parse(text, our_path: 'files/ruby/regex.rb', their_path: 'files/ruby/regex.rb')
-      end
+      shared_examples_for 'successful parsing' do
+        let(:lines) do
+          described_class.parse(content, our_path: 'files/ruby/regex.rb', their_path: 'files/ruby/regex.rb')
+        end
 
-      let(:old_line_numbers) do
-        lines.select { |line| line[:type] != 'new' }.map { |line| line[:line_old] }
-      end
+        let(:old_line_numbers) do
+          lines.select { |line| line[:type] != 'new' }.map { |line| line[:line_old] }
+        end
 
-      let(:new_line_numbers) do
-        lines.select { |line| line[:type] != 'old' }.map { |line| line[:line_new] }
-      end
+        let(:new_line_numbers) do
+          lines.select { |line| line[:type] != 'old' }.map { |line| line[:line_new] }
+        end
+
+        let(:line_indexes) { lines.map { |line| line[:line_obj_index] } }
 
-      let(:line_indexes) { lines.map { |line| line[:line_obj_index] } }
+        it 'sets our lines as new lines' do
+          expect(lines[8..13]).to all(include(type: 'new'))
+          expect(lines[26..27]).to all(include(type: 'new'))
+          expect(lines[56..57]).to all(include(type: 'new'))
+        end
 
-      it 'sets our lines as new lines' do
-        expect(lines[8..13]).to all(include(type: 'new'))
-        expect(lines[26..27]).to all(include(type: 'new'))
-        expect(lines[56..57]).to all(include(type: 'new'))
+        it 'sets their lines as old lines' do
+          expect(lines[14..19]).to all(include(type: 'old'))
+          expect(lines[28..29]).to all(include(type: 'old'))
+          expect(lines[58..59]).to all(include(type: 'old'))
+        end
+
+        it 'sets non-conflicted lines as both' do
+          expect(lines[0..7]).to all(include(type: nil))
+          expect(lines[20..25]).to all(include(type: nil))
+          expect(lines[30..55]).to all(include(type: nil))
+          expect(lines[60..62]).to all(include(type: nil))
+        end
+
+        it 'sets consecutive line numbers for line_obj_index, line_old, and line_new' do
+          expect(line_indexes).to eq(0.upto(62).to_a)
+          expect(old_line_numbers).to eq(1.upto(53).to_a)
+          expect(new_line_numbers).to eq(1.upto(53).to_a)
+        end
       end
 
-      it 'sets their lines as old lines' do
-        expect(lines[14..19]).to all(include(type: 'old'))
-        expect(lines[28..29]).to all(include(type: 'old'))
-        expect(lines[58..59]).to all(include(type: 'old'))
+      context 'content has LF endings' do
+        let(:content) { text }
+
+        it_behaves_like 'successful parsing'
       end
 
-      it 'sets non-conflicted lines as both' do
-        expect(lines[0..7]).to all(include(type: nil))
-        expect(lines[20..25]).to all(include(type: nil))
-        expect(lines[30..55]).to all(include(type: nil))
-        expect(lines[60..62]).to all(include(type: nil))
+      context 'content has CRLF endings' do
+        let(:content) { text.gsub("\n", "\r\n") }
+
+        it_behaves_like 'successful parsing'
       end
 
-      it 'sets consecutive line numbers for line_obj_index, line_old, and line_new' do
-        expect(line_indexes).to eq(0.upto(62).to_a)
-        expect(old_line_numbers).to eq(1.upto(53).to_a)
-        expect(new_line_numbers).to eq(1.upto(53).to_a)
+      context 'content has mixed LF and CRLF endings' do
+        # Simulate mixed line endings by only changing some of the lines to CRLF
+        let(:content) do
+          text.each_line.map.with_index do |line, index|
+            index.odd? ? line.gsub("\n", "\r\n") : line
+          end.join
+        end
+
+        it_behaves_like 'successful parsing'
       end
     end
 
diff --git a/spec/lib/gitlab/metrics/exporter/base_exporter_spec.rb b/spec/lib/gitlab/metrics/exporter/base_exporter_spec.rb
index 8175d60c2c9..dc5c7eb2e55 100644
--- a/spec/lib/gitlab/metrics/exporter/base_exporter_spec.rb
+++ b/spec/lib/gitlab/metrics/exporter/base_exporter_spec.rb
@@ -106,11 +106,33 @@ RSpec.describe Gitlab::Metrics::Exporter::BaseExporter do
                   SSLEnable: true,
                   SSLCertificate: an_instance_of(OpenSSL::X509::Certificate),
                   SSLPrivateKey: an_instance_of(OpenSSL::PKey::RSA),
-                  SSLStartImmediately: true
+                  SSLStartImmediately: true,
+                  SSLExtraChainCert: []
                 ))
 
               exporter.start
             end
+
+            context 'with intermediate certificates' do
+              let(:test_cert) { Rails.root.join('spec/fixtures/clusters/chain_certificates.pem').to_s }
+              let(:test_key) { Rails.root.join('spec/fixtures/clusters/sample_key.key').to_s }
+
+              it 'injects them in the extra chain' do
+                expect(::WEBrick::HTTPServer).to receive(:new).with(
+                  a_hash_including(
+                    SSLEnable: true,
+                    SSLCertificate: an_instance_of(OpenSSL::X509::Certificate),
+                    SSLPrivateKey: an_instance_of(OpenSSL::PKey::RSA),
+                    SSLStartImmediately: true,
+                    SSLExtraChainCert: [
+                      an_instance_of(OpenSSL::X509::Certificate),
+                      an_instance_of(OpenSSL::X509::Certificate)
+                    ]
+                  ))
+
+                exporter.start
+              end
+            end
           end
         end