Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

.rubocop_todo/rspec/be_eq.yml

@@ -761,7 +761,6 @@ RSpec/BeEq:
     - 'spec/lib/gitlab/auth/saml/auth_hash_spec.rb'
     - 'spec/lib/gitlab/auth/saml/config_spec.rb'
     - 'spec/lib/gitlab/auth/saml/origin_validator_spec.rb'
-    - 'spec/lib/gitlab/auth_spec.rb'
     - 'spec/lib/gitlab/avatar_cache_spec.rb'
     - 'spec/lib/gitlab/background_migration/backfill_vs_code_settings_version_spec.rb'
     - 'spec/lib/gitlab/background_migration/convert_credit_card_validation_data_to_hashes_spec.rb'

.rubocop_todo/rspec/is_expected_specify.yml

@@ -743,3 +743,5 @@ gem 'openbao_client', path: 'gems/openbao_client' # rubocop:todo Gemfile/Missing
 gem 'paper_trail', '~> 15.0' # rubocop:todo Gemfile/MissingFeatureCategory
 
 gem "i18n_data", "~> 0.13.1", feature_category: :system_access
+
+gem "gitlab-cloud-connector", "~> 0.2.1", require: 'cloud_connector', feature_category: :cloud_connector

Gemfile

@@ -220,6 +220,7 @@
 {"name":"gitaly","version":"17.5.0.pre.rc42","platform":"ruby","checksum":"15469230245c5d83f09c6e057ae1088ce87133ff156086bf02a2b8b2ec24e817"},
 {"name":"gitlab","version":"4.19.0","platform":"ruby","checksum":"3f645e3e195dbc24f0834fbf83e8ccfb2056d8e9712b01a640aad418a6949679"},
 {"name":"gitlab-chronic","version":"0.10.5","platform":"ruby","checksum":"f80f18dc699b708870a80685243331290bc10cfeedb6b99c92219722f729c875"},
+{"name":"gitlab-cloud-connector","version":"0.2.1","platform":"ruby","checksum":"552d760ee2a9d25f681c9b2cf677e9f1b3c65f7516b6348e21b3bdf970640db4"},
 {"name":"gitlab-dangerfiles","version":"4.8.0","platform":"ruby","checksum":"b327d079552ec974a63bf34d749a0308425af6ebf51d01064f1a6ff216a523db"},
 {"name":"gitlab-experiment","version":"0.9.1","platform":"ruby","checksum":"f230ee742154805a755d5f2539dc44d93cdff08c5bbbb7656018d61f93d01f48"},
 {"name":"gitlab-fog-azure-rm","version":"2.2.0","platform":"ruby","checksum":"31aa7c2170f57874053144e7f716ec9e15f32e71ffbd2c56753dce46e2e78ba9"},

Gemfile.checksum

@@ -729,6 +729,9 @@ GEM
       terminal-table (>= 1.5.1)
     gitlab-chronic (0.10.5)
       numerizer (~> 0.2)
+    gitlab-cloud-connector (0.2.1)
+      activesupport (~> 7.0)
+      jwt (~> 2.9.3)
     gitlab-dangerfiles (4.8.0)
       danger (>= 9.3.0)
       danger-gitlab (>= 8.0.0)
@@ -2067,6 +2070,7 @@ DEPENDENCIES
   gitaly (~> 17.5.0.pre.rc1)
   gitlab-backup-cli!
   gitlab-chronic (~> 0.10.5)
+  gitlab-cloud-connector (~> 0.2.1)
   gitlab-dangerfiles (~> 4.8.0)
   gitlab-duo-workflow-service-client (~> 0.1)!
   gitlab-experiment (~> 0.9.1)

Gemfile.lock

@@ -221,6 +221,7 @@
 {"name":"gitaly","version":"17.5.0.pre.rc42","platform":"ruby","checksum":"15469230245c5d83f09c6e057ae1088ce87133ff156086bf02a2b8b2ec24e817"},
 {"name":"gitlab","version":"4.19.0","platform":"ruby","checksum":"3f645e3e195dbc24f0834fbf83e8ccfb2056d8e9712b01a640aad418a6949679"},
 {"name":"gitlab-chronic","version":"0.10.5","platform":"ruby","checksum":"f80f18dc699b708870a80685243331290bc10cfeedb6b99c92219722f729c875"},
+{"name":"gitlab-cloud-connector","version":"0.2.1","platform":"ruby","checksum":"552d760ee2a9d25f681c9b2cf677e9f1b3c65f7516b6348e21b3bdf970640db4"},
 {"name":"gitlab-dangerfiles","version":"4.8.0","platform":"ruby","checksum":"b327d079552ec974a63bf34d749a0308425af6ebf51d01064f1a6ff216a523db"},
 {"name":"gitlab-experiment","version":"0.9.1","platform":"ruby","checksum":"f230ee742154805a755d5f2539dc44d93cdff08c5bbbb7656018d61f93d01f48"},
 {"name":"gitlab-fog-azure-rm","version":"2.2.0","platform":"ruby","checksum":"31aa7c2170f57874053144e7f716ec9e15f32e71ffbd2c56753dce46e2e78ba9"},

Gemfile.next.checksum

@@ -739,6 +739,9 @@ GEM
       terminal-table (>= 1.5.1)
     gitlab-chronic (0.10.5)
       numerizer (~> 0.2)
+    gitlab-cloud-connector (0.2.1)
+      activesupport (~> 7.0)
+      jwt (~> 2.9.3)
     gitlab-dangerfiles (4.8.0)
       danger (>= 9.3.0)
       danger-gitlab (>= 8.0.0)
@@ -2094,6 +2097,7 @@ DEPENDENCIES
   gitaly (~> 17.5.0.pre.rc1)
   gitlab-backup-cli!
   gitlab-chronic (~> 0.10.5)
+  gitlab-cloud-connector (~> 0.2.1)
   gitlab-dangerfiles (~> 4.8.0)
   gitlab-duo-workflow-service-client (~> 0.1)!
   gitlab-experiment (~> 0.9.1)

Gemfile.next.lock

@@ -70,7 +70,7 @@ export default {
     ready: s__('Deployment|Ready to be deployed.'),
     deploy: s__('Deployment|Deploy'),
     genericError: s__(
-      'Deloyment|Something went wrong starting the deployment. Please try again later.',
+      'Deployment|Something went wrong starting the deployment. Please try again later.',
     ),
   },
 };

app/assets/javascripts/deployments/components/deployment_deploy_block.vue

@@ -1,11 +1,14 @@
-import { joinPaths, escapeFileUrl } from '~/lib/utils/url_utility';
+import { joinPaths, escapeFileUrl, removeParams } from '~/lib/utils/url_utility';
 
 export function generateHistoryUrl(historyLink, path, refType) {
   const url = new URL(window.location.href);
 
-  url.pathname = joinPaths(historyLink, path ? escapeFileUrl(path) : '');
+  url.pathname = joinPaths(
+    removeParams(['ref_type'], historyLink),
+    path ? escapeFileUrl(path) : '',
+  );
 
-  if (refType) {
+  if (refType && !url.searchParams.get('ref_type')) {
     url.searchParams.set('ref_type', refType);
   }
 

app/assets/javascripts/repository/utils/url_utility.js

@@ -89,9 +89,6 @@ export default {
       }
       return '';
     },
-    showSettingsButton() {
-      return this.glFeatures.secretDetectionProjectLevelExclusions;
-    },
   },
   methods: {
     onError(message) {
@@ -211,7 +208,6 @@ export default {
           @change="togglePreReceiveSecretDetection"
         />
         <gl-button
-          v-if="showSettingsButton"
           v-gl-tooltip.left.viewport="$options.i18n.settingsButtonTooltip"
           icon="settings"
           category="secondary"

app/assets/javascripts/security_configuration/components/pre_receive_secret_detection_feature_card.vue

@@ -30,8 +30,9 @@ def execute
     attr_reader :token
 
     def find_job_by_token
-      job_token = ::Ci::JobToken::Jwt::Decode.new(token)
-      job_token.jwt? ? job_token.job : ::Ci::Build.find_by_token(token)
+      jwt = ::Ci::JobToken::Jwt.decode(token)
+      # TODO: Remove fallback finder when feature flag `ci_job_token_jwt` is removed
+      jwt&.subject || ::Ci::Build.find_by_token(token)
     end
 
     def validate_job!(job)

app/finders/ci/auth_job_finder.rb

@@ -38,6 +38,12 @@ class UserPreferencesType < BaseObject
       experiment: { milestone: '17.2' }
     # rubocop:enable GraphQL/ExtractType
 
+    field :timezone,
+      GraphQL::Types::String,
+      null: true,
+      description: 'Timezone of the user.',
+      experiment: { milestone: '17.7' }
+
     def issues_sort
       user_preference.issues_sort&.to_sym
     end

app/graphql/types/user_preferences_type.rb

@@ -757,9 +757,9 @@ def needs_touch?
     end
 
     def valid_token?(token)
-      job_token = ::Ci::JobToken::Jwt::Decode.new(token)
-      if job_token.jwt?
-        job_token.job == self
+      jwt = ::Ci::JobToken::Jwt.decode(token)
+      if jwt
+        jwt.subject == self
       else
         self.token && token.present? && ActiveSupport::SecurityUtils.secure_compare(token, self.token)
       end
@@ -1203,7 +1203,7 @@ def to_partial_path
     def token
       return super unless Feature.enabled?(:ci_job_token_jwt, user)
 
-      jwt
+      encoded_jwt
     end
 
     protected
@@ -1216,10 +1216,10 @@ def run_status_commit_hooks!
 
     private
 
-    def jwt
-      ::Ci::JobToken::Jwt::Encode.new(self).jwt
+    def encoded_jwt
+      ::Ci::JobToken::Jwt.encode(self)
     end
-    strong_memoize_attr :jwt
+    strong_memoize_attr :encoded_jwt
 
     def matrix_build?
       options.dig(:parallel, :matrix).present?

app/models/ci/build.rb

@@ -6,7 +6,7 @@ class AtomicProcessingService
       include Gitlab::Utils::StrongMemoize
       include ExclusiveLeaseGuard
 
-      attr_reader :pipeline
+      attr_reader :pipeline, :collection
 
       DEFAULT_LEASE_TIMEOUT = 1.minute
       BATCH_SIZE = 20
@@ -128,14 +128,18 @@ def update_job!(job)
 
       def status_of_previous_jobs(job)
         if job.scheduling_type_dag?
-          # job uses DAG, get status of all dependent needs
-          @collection.status_of_jobs(job.aggregated_needs_names.to_a)
+          status_of_previous_jobs_dag(job)
         else
           # job uses Stages, get status of prior stage
           @collection.status_of_jobs_prior_to_stage(job.stage_idx.to_i)
         end
       end
 
+      def status_of_previous_jobs_dag(job)
+        # job uses DAG, get status of all dependent needs
+        @collection.status_of_jobs(job.aggregated_needs_names.to_a)
+      end
+
       # Gets the jobs that changed from stopped to alive status since the initial status collection
       # was evaluated. We determine this by checking if their current status is no longer stopped.
       def new_alive_jobs
@@ -184,3 +188,5 @@ def log_running_reset_skipped_jobs_service(jobs)
     end
   end
 end
+
+Ci::PipelineProcessing::AtomicProcessingService.prepend_mod

app/services/ci/pipeline_processing/atomic_processing_service.rb

@@ -31,7 +31,7 @@ def delete_runners
         # rubocop:disable CodeReuse/ActiveRecord
         runners_to_be_deleted =
           Ci::Runner
-            .where(id: authorized_runners_ids)
+            .id_in(authorized_runners_ids)
             .preload([:taggings, :runner_namespaces, :runner_projects])
         # rubocop:enable CodeReuse/ActiveRecord
         deleted_ids = runners_to_be_deleted.destroy_all.map(&:id) # rubocop:disable Cop/DestroyAll

app/services/ci/runners/bulk_delete_runners_service.rb

@@ -35907,6 +35907,7 @@ fields relate to interactions between the two entities.
 | <a id="userpreferencesissuessort"></a>`issuesSort` | [`IssueSort`](#issuesort) | Sort order for issue lists. |
 | <a id="userpreferencesorganizationgroupsprojectsdisplay"></a>`organizationGroupsProjectsDisplay` **{warning-solid}** | [`OrganizationGroupProjectDisplay!`](#organizationgroupprojectdisplay) | **Introduced** in GitLab 17.2. **Status**: Experiment. Default list view for organization groups and projects. |
 | <a id="userpreferencesorganizationgroupsprojectssort"></a>`organizationGroupsProjectsSort` **{warning-solid}** | [`OrganizationGroupProjectSort`](#organizationgroupprojectsort) | **Introduced** in GitLab 17.2. **Status**: Experiment. Sort order for organization groups and projects. |
+| <a id="userpreferencestimezone"></a>`timezone` **{warning-solid}** | [`String`](#string) | **Introduced** in GitLab 17.7. **Status**: Experiment. Timezone of the user. |
 | <a id="userpreferencesuseworkitemsview"></a>`useWorkItemsView` | [`Boolean`](#boolean) | Use work item view instead of legacy issue view. |
 | <a id="userpreferencesvisibilitypipelineidtype"></a>`visibilityPipelineIdType` | [`VisibilityPipelineIdType`](#visibilitypipelineidtype) | Determines whether the pipeline list shows ID or IID. |
 

config/feature_flags/gitlab_com_derisk/bulk_push_concurrency_limit_resume_worker.yml

@@ -12,11 +12,7 @@ DETAILS:
 **Status:** Experiment
 
 > - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/14878) as an [experiment](../../../policy/experiment-beta-support.md) in GitLab 17.5 [with a flag](../../feature_flags.md) named `secret_detection_project_level_exclusions`. Enabled by default.
-
-FLAG:
-The availability of this feature is controlled by a feature flag.
-For more information, see the history.
-This feature is available for testing, but not ready for production use.
+> - `secret_detection_project_level_exclusions` feature flag [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/499059) in GitLab 17.7.
 
 Secret detection may detect something that's not actually a secret. For example, if you use
 a fake value as a placeholder in your code, it might be detected and possibly blocked.

doc/api/graphql/reference/index.md

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+# This class provides methods to encode and decode JWTs using RSA encryption.
+# It is designed to work within the GitLab authentication system, providing
+# secure token generation and verification for various subjects.
+#
+# Key features:
+# - RSA-based encoding and decoding of JWTs
+# - Validation of JWT format and structure
+# - Configurable subject types and global ID parsing
+# - Support for custom token prefixes
+#
+# Usage:
+# - Use `rsa_encode` to create new JWTs with any subjects
+# - Use `rsa_decode` to verify and extract information from existing JWTs
+#
+module Authn
+  module Tokens
+    class Jwt
+      include Gitlab::Utils::StrongMemoize
+
+      InvalidSubjectForTokenError = Class.new(StandardError)
+
+      ISSUER = Settings.gitlab.host
+      AUDIENCE = 'gitlab-authz-token'
+      VERSION = '0.1.0'
+
+      class << self
+        def rsa_encode(subject:, signing_key:, expire_time:, token_prefix:)
+          subject_global_id = GlobalID.create(subject).to_s if subject
+          raise InvalidSubjectForTokenError unless subject_global_id.present?
+
+          jwt = ::JSONWebToken::Token.new.tap do |token|
+            token.subject = subject_global_id
+            token.issuer = ISSUER
+            token.audience = AUDIENCE
+            token.expire_time = expire_time
+            token[:version] = VERSION
+          end
+
+          token = ::JSONWebToken::RSAToken.encode(
+            jwt.payload,
+            signing_key,
+            signing_key.public_key.to_jwk[:kid]
+          )
+
+          token_prefix + token
+        end
+
+        def rsa_decode(token:, signing_public_key:, subject_type:, token_prefix:)
+          return unless token.start_with?(token_prefix)
+
+          token = token.delete_prefix(token_prefix)
+
+          payload, _header = ::JSONWebToken::RSAToken.decode(token, signing_public_key)
+
+          new(payload: payload, subject_type: subject_type)
+        rescue JWT::DecodeError, Gitlab::Graphql::Errors::ArgumentError => error
+          Gitlab::ErrorTracking.track_exception(error)
+          nil
+        end
+      end
+
+      def initialize(payload:, subject_type:)
+        @payload = payload
+        @subject_type = subject_type
+      end
+
+      def subject
+        return unless payload
+
+        GitlabSchema.parse_gid(payload['sub'], expected_type: subject_type)&.find
+      end
+      strong_memoize_attr :subject
+
+      attr_reader :payload, :subject_type
+    end
+  end
+end