Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

GITLAB_KAS_VERSION

@@ -1 +1 @@
-02ff05833da52a69f4c16fa94e539c6f3ab306ea
+e8c0552b8152cf9363ccd1d9e9002225904d5202

app/assets/javascripts/admin/users/constants.js

@@ -76,6 +76,14 @@ export const TOKENS = [
     unique: true,
     options: [{ value: 'placeholder', title: s__('UserMapping|Placeholder') }],
   },
+  {
+    title: s__('AdminUsers|LDAP sync'),
+    type: 'ldap_sync',
+    token: GlFilteredSearchToken,
+    operators: OPERATORS_IS,
+    unique: true,
+    options: [{ value: 'ldap_sync', title: __('True') }],
+  },
 ];
 
 export const SOLO_OWNED_ORGANIZATIONS_REQUESTED_COUNT = 10;

app/assets/javascripts/gl_field_errors.js

@@ -21,6 +21,7 @@ export default class GlFieldErrors {
       'input[type=email]',
       'input[type=url]',
       'input[type=number]',
+      'input[type=tel]',
       'textarea',
       'select',
     ].join(',');

app/assets/javascripts/vue_shared/components/users_table/user_avatar.vue

@@ -71,15 +71,13 @@ export default {
         <div v-if="user.note" class="gl-p-1 gl-text-subtle">
           <gl-icon v-gl-tooltip="userNoteShort" name="document" />
         </div>
-        <div
-          v-for="(badge, idx) in user.badges"
-          :key="idx"
-          class="gl-p-1"
-          :class="{ 'gl-pb-0': glFeatures.simplifiedBadges }"
-        >
-          <gl-badge class="!gl-flex" :variant="badge.variant">{{ badge.text }}</gl-badge>
-        </div>
       </template>
+
+      <div class="gl-flex gl-flex-wrap gl-pt-2">
+        <div v-for="badge in user.badges" :key="badge.text" class="gl-pr-2">
+          <gl-badge :variant="badge.variant">{{ badge.text }}</gl-badge>
+        </div>
+      </div>
     </gl-avatar-labeled>
   </div>
 </template>

app/controllers/admin/users_controller.rb

@@ -327,7 +327,7 @@ def paginate_without_count?
   end
 
   def users_with_included_associations(users)
-    users.includes(:authorized_projects, :trusted_with_spam_attribute) # rubocop: disable CodeReuse/ActiveRecord
+    users.includes(:authorized_projects, :trusted_with_spam_attribute, :identities) # rubocop: disable CodeReuse/ActiveRecord
   end
 
   def admin_making_changes_for_another_user?

app/controllers/concerns/uploads_actions.rb

@@ -10,6 +10,13 @@ module UploadsActions
 
   UPLOAD_MOUNTS = %w[avatar attachment file logo pwa_icon header_logo favicon screenshot].freeze
 
+  # We need to avoid setting certain formats. For example, using the :js format
+  # would trigger Rails' cross-origin JavaScript protection. To avoid this, we use
+  # the :text format for JS files instead.
+  CUSTOM_REQUEST_FORMAT_MAPPING = {
+    js: :text
+  }.freeze
+
   included do
     prepend_before_action :set_request_format_from_path_extension
     rescue_from FileUploader::InvalidSecret, with: :render_404
@@ -85,7 +92,9 @@ def set_request_format_from_path_extension
 
     format = Mime[match.captures.first]
 
-    request.format = format.symbol if format
+    return if format.blank?
+
+    request.format = CUSTOM_REQUEST_FORMAT_MAPPING[format.symbol] || format.symbol
   end
 
   def content_disposition

app/graphql/resolvers/organizations/organization_users_resolver.rb

@@ -28,7 +28,7 @@ def organization_users
 
       def preloads
         {
-          user: [:user]
+          user: [{ user: [:identities] }]
         }
       end
     end

app/helpers/users_helper.rb

@@ -141,6 +141,7 @@ def user_badges_in_admin_section(user)
       badges << { text: s_("AdminUsers|It's you!"), variant: 'muted' } if current_user == user
       badges << { text: s_("AdminUsers|Locked"), variant: 'warning' } if user.access_locked?
       badges << { text: s_("UserMapping|Placeholder"), variant: 'muted' } if user.placeholder?
+      badges << { text: s_('AdminUsers|LDAP'), variant: 'info' } if user.ldap_user?
     end
   end
 

app/models/user.rb

@@ -682,6 +682,7 @@ def blocked?
   scope :dormant, -> { with_state(:active).human_or_service_user.where('last_activity_on <= ?', Gitlab::CurrentSettings.deactivate_dormant_users_period.day.ago.to_date) }
   scope :with_no_activity, -> { with_state(:active).human_or_service_user.where(last_activity_on: nil).where('created_at <= ?', MINIMUM_DAYS_CREATED.day.ago.to_date) }
   scope :by_provider_and_extern_uid, ->(provider, extern_uid) { joins(:identities).merge(Identity.with_extern_uid(provider, extern_uid)) }
+  scope :ldap, -> { joins(:identities).where('identities.provider LIKE ?', 'ldap%') }
   scope :by_ids, ->(ids) { where(id: ids) }
   scope :by_ids_or_usernames, ->(ids, usernames) { where(username: usernames).or(where(id: ids)) }
   scope :without_forbidden_states, -> { where.not(state: FORBIDDEN_SEARCH_STATES) }
@@ -886,12 +887,14 @@ def filter_items(filter_name)
         without_projects
       when 'external'
         external
-      when "trusted"
+      when 'trusted'
         trusted
-      when "placeholder"
+      when 'placeholder'
         placeholder
-      when "without_placeholders"
+      when 'without_placeholders'
         without_placeholders
+      when 'ldap_sync'
+        ldap
       else
         all_without_ghosts
       end

config/feature_flags/beta/duo_code_review_full_file.yml

@@ -0,0 +1,10 @@
+---
+name: duo_code_review_full_file
+description:
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/510266
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/189314
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/537556
+milestone: '18.0'
+group: group::code review
+type: beta
+default_enabled: false

config/feature_flags/development/invitation_flow_enforcement_setting.yml

@@ -4,5 +4,5 @@ introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92218
 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/367666
 milestone: '15.4'
 type: development
-group: group::organizations
+group: group::authorization
 default_enabled: false

db/docs/batched_background_migrations/backfill_resource_iteration_events_namespace_id.yml

@@ -0,0 +1,8 @@
+---
+migration_job_name: BackfillResourceIterationEventsNamespaceId
+description: Backfills sharding key for resource_iteration_events.namespace_id
+feature_category: team_planning
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/187487
+milestone: '17.11'
+queued_migration_version: 20250409172701
+finalized_by: # version of the migration that finalized this BBM

db/post_migrate/20250409172701_queue_backfill_resource_iteration_events_namespace_id.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+class QueueBackfillResourceIterationEventsNamespaceId < Gitlab::Database::Migration[2.2]
+  milestone '17.11'
+
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
+  MIGRATION = "BackfillResourceIterationEventsNamespaceId"
+  DELAY_INTERVAL = 2.minutes
+  BATCH_SIZE = 10000
+  SUB_BATCH_SIZE = 100
+
+  def up
+    queue_batched_background_migration(
+      MIGRATION,
+      :resource_iteration_events,
+      :id,
+      job_interval: DELAY_INTERVAL,
+      batch_size: BATCH_SIZE,
+      sub_batch_size: SUB_BATCH_SIZE
+    )
+  end
+
+  def down
+    delete_batched_background_migration(MIGRATION, :resource_iteration_events, :id, [])
+  end
+end

db/schema_migrations/20250409172701

@@ -0,0 +1 @@
+9b9e08f01422c89998b6dcd36552eda1219bd2aec90d6da4e6eb763aeae546f6

doc/development/database/ci_mirrored_tables.md

@@ -10,7 +10,7 @@ title: CI mirrored tables
 As part of the database [decomposition work](https://gitlab.com/groups/gitlab-org/-/epics/6168),
 which had the goal of splitting the single database GitLab is using, into two databases: `main` and
 `ci`, came the big challenge of
-[removing all joins between the `main` and the `ci` tables](multiple_databases.md#removing-joins-between-ci-and-non-ci-tables).
+[removing all joins between the `main` and the `ci` tables](multiple_databases.md#removing-joins-between-main-and-non-main-tables).
 That is because PostgreSQL doesn't support joins between tables that belong to different databases.
 However, some core application models in the main database are queried very often by the CI side.
 For example:

doc/development/database/multiple_databases.md

@@ -7,7 +7,7 @@ title: Multiple Databases
 
 To allow GitLab to scale further we
 [decomposed the GitLab application database into multiple databases](https://gitlab.com/groups/gitlab-org/-/epics/6168).
-The main databases are `main`, `ci`, and (optionally) `sec`. GitLab supports being run with one, two, or three databases.
+The main databases are `main`, `ci`, and `sec`. GitLab supports being run with one, two, or three databases.
 On GitLab.com we are using separate `main` `ci`, and `sec` databases.
 
 For the purpose of building the [Cells](https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/cells/) architecture, we are decomposing
@@ -68,7 +68,7 @@ The `gitlab_schema` primary purpose is to introduce a barrier between different
 
 This is used as a primary source of classification for:
 
-- [Discovering cross-joins across tables from different schemas](#removing-joins-between-ci-and-non-ci-tables)
+- [Discovering cross-joins across tables from different schemas](#removing-joins-between-main-and-non-main-tables)
 - [Discovering cross-database transactions across tables from different schemas](#removing-cross-database-transactions)
 
 ### The special purpose of `gitlab_shared`
@@ -102,7 +102,7 @@ might be missing some of those application-defined `gitlab_shared` tables (like
 
 Read [Migrations for Multiple Databases](migrations_for_multiple_databases.md).
 
-## CI/CD Database
+## CI and Sec Databases
 
 ### Configure single database
 
@@ -111,7 +111,7 @@ By default, GDK is configured to run with multiple databases.
 {{< alert type="warning" >}}
 
 Switching back-and-forth between single and multiple databases in
-the same development instance is discouraged. Any data in the `ci`
+the same development instance is discouraged. Any data in the `ci` or `sec`
 database will not be accessible in single database mode. For single database, you should use a separate development instance.
 
 {{< /alert >}}
@@ -122,6 +122,7 @@ To configure GDK to use a single database:
 
    ```shell
    gdk config set gitlab.rails.databases.ci.enabled false
+   gdk config set gitlab.rails.databases.sec.enabled false
    ```
 
 1. Reconfigure GDK:
@@ -130,21 +131,21 @@ To configure GDK to use a single database:
    gdk reconfigure
    ```
 
-To switch back to using multiple databases, set `gitlab.rails.databases.ci.enabled` to `true` and run `gdk reconfigure`.
+To switch back to using multiple databases, set `gitlab.rails.databases.<db_name>.enabled` to `true` and run `gdk reconfigure`.
 
 <!--
 The `validate_cross_joins!` method in `spec/support/database/prevent_cross_joins.rb` references
 the following heading in the code, so if you make a change to this heading, make sure to update
 the corresponding documentation URL used in `spec/support/database/prevent_cross_joins.rb`.
 -->
 
-### Removing joins between `ci` and non `ci` tables
+### Removing joins between `main` and non `main` tables
 
 Queries that join across databases raise an error. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68620)
 in GitLab 14.3, for new queries only. Pre-existing queries do not raise an error.
 
-Because GitLab can be run with multiple separate databases, referencing `ci`
-tables with non `ci` tables in a single query is not possible. Therefore,
+Because GitLab can be run with multiple separate databases, referencing `main`
+tables with non `main` tables in a single query is not possible. Therefore,
 using any kind of `JOIN` in SQL queries will not work.
 
 #### Suggestions for removing cross-database joins
@@ -296,28 +297,28 @@ met:
 1. The data does not update often (for example, the `project_id` column is almost
    never updated for most tables).
 
-One example we found was the `security_scans` table. This table has a foreign
-key `security_scans.build_id` which allows you to join to the build. Therefore
+One example we found was the `terraform_state_versions` table. This table has a foreign
+key `terraform_state_versions.ci_build_id` which allows you to join to the build. Therefore
 you could join to the project like so:
 
 ```sql
-select projects.* from security_scans
-inner join ci_builds on security_scans.build_id = ci_builds.id
+select projects.* from terraform_state_versions
+inner join ci_builds on terraform_state_versions.ci_build_id = ci_builds.id
 inner join projects on ci_builds.project_id = projects.id
 ```
 
 The problem with this query is that `ci_builds` is in a different database
 from the other two tables.
 
 The solution in this case is to add the `project_id` column to
-`security_scans`. This doesn't use much extra storage, and due to the way
+`terraform_state_versions`. This doesn't use much extra storage, and due to the way
 these features work, it's never updated (a build never moves projects).
 
 This simplified the query to:
 
 ```sql
-select projects.* from security_scans
-inner join projects on security_scans.project_id = projects.id
+select projects.* from terraform_state_versions
+inner join projects on terraform_state_versions.project_id = projects.id
 ```
 
 This also improves performance because you don't need to join through an extra
@@ -754,12 +755,13 @@ to limit the modes where tests can run, and skip them on any other modes.
 
 ## Locking writes on the tables that don't belong to the database schemas
 
-When the CI database is promoted and the two databases are fully split,
+When a separate database is promoted and the split from main,
 as an extra safeguard against creating a split brain situation,
 run the Rake task `gitlab:db:lock_writes`. This command locks writes on:
 
-- The `gitlab_main` tables on the CI Database.
-- The `gitlab_ci` tables on the Main Database.
+- Legacy tables on `gitlab_ci` belonging to the Main or Sec Databases.
+- Legacy tables on `gitlab_main` belonging to the CI or Sec Databases.
+- Legacy tables on `gitlab_sec` belonging to the CI or Main Databases.
 
 This Rake task adds triggers to all the tables, to prevent any
 `INSERT`, `UPDATE`, `DELETE`, or `TRUNCATE` statements from running
@@ -832,7 +834,7 @@ end
 
 ## Truncating tables
 
-When the databases `main` and `ci` are fully split, we can free up disk
+When separate databases from `main` are fully split, we can free up disk
 space by truncating tables. This results in a smaller data set: For example,
 the data in `users` table on CI database is no longer read and also no
 longer updated. So this data can be removed by truncating the tables.