authorGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 01:45:44 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 01:45:44 +0000
commit85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch)
tree9160f299afd8c80c038f08e1545be119f5e3f1e1 /app/controllers/admin
parent15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff)
downloadgitlab-ce-85dc423f7090da0a52c73eb66faf22ddb20efff9.tar.gz
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'app/controllers/admin')
-rw-r--r--app/controllers/admin/application_settings_controller.rb3
-rw-r--r--app/controllers/admin/cohorts_controller.rb17
-rw-r--r--app/controllers/admin/concerns/authenticates_2fa_for_admin_mode.rb50
-rw-r--r--app/controllers/admin/dev_ops_report_controller.rb13
-rw-r--r--app/controllers/admin/groups_controller.rb6
-rw-r--r--app/controllers/admin/instance_statistics_controller.rb16
-rw-r--r--app/controllers/admin/integrations_controller.rb4
-rw-r--r--app/controllers/admin/plan_limits_controller.rb39
-rw-r--r--app/controllers/admin/runners_controller.rb1
-rw-r--r--app/controllers/admin/services_controller.rb2
-rw-r--r--app/controllers/admin/users_controller.rb17
11 files changed, 143 insertions, 25 deletions
diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index 3a5b8b2862e..73f71f7ad55 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -32,7 +32,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
end
def integrations
- @integrations = Service.find_or_initialize_instances.sort_by(&:title)
+ @integrations = Service.find_or_initialize_all(Service.for_instance).sort_by(&:title)
end
def update
@@ -170,6 +170,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
def set_application_setting
@application_setting = ApplicationSetting.current_without_cache
+ @plans = Plan.all
end
def whitelist_query_limiting
diff --git a/app/controllers/admin/cohorts_controller.rb b/app/controllers/admin/cohorts_controller.rb
new file mode 100644
index 00000000000..e3df98b7917
--- /dev/null
+++ b/app/controllers/admin/cohorts_controller.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class Admin::CohortsController < Admin::ApplicationController
+ include Analytics::UniqueVisitsHelper
+
+ track_unique_visits :index, target_id: 'i_analytics_cohorts'
+
+ def index
+ if Gitlab::CurrentSettings.usage_ping_enabled
+ cohorts_results = Rails.cache.fetch('cohorts', expires_in: 1.day) do
+ CohortsService.new.execute
+ end
+
+ @cohorts = CohortsSerializer.new.represent(cohorts_results)
+ end
+ end
+end
diff --git a/app/controllers/admin/concerns/authenticates_2fa_for_admin_mode.rb b/app/controllers/admin/concerns/authenticates_2fa_for_admin_mode.rb
index 6014ed0dd13..03783cd75a3 100644
--- a/app/controllers/admin/concerns/authenticates_2fa_for_admin_mode.rb
+++ b/app/controllers/admin/concerns/authenticates_2fa_for_admin_mode.rb
@@ -11,7 +11,13 @@ module Authenticates2FAForAdminMode
return handle_locked_user(user) unless user.can?(:log_in)
session[:otp_user_id] = user.id
- setup_u2f_authentication(user)
+ push_frontend_feature_flag(:webauthn)
+
+ if user.two_factor_webauthn_enabled?
+ setup_webauthn_authentication(user)
+ else
+ setup_u2f_authentication(user)
+ end
render 'admin/sessions/two_factor', layout: 'application'
end
@@ -24,7 +30,11 @@ module Authenticates2FAForAdminMode
if user_params[:otp_attempt].present? && session[:otp_user_id]
admin_mode_authenticate_with_two_factor_via_otp(user)
elsif user_params[:device_response].present? && session[:otp_user_id]
- admin_mode_authenticate_with_two_factor_via_u2f(user)
+ if user.two_factor_webauthn_enabled?
+ admin_mode_authenticate_with_two_factor_via_webauthn(user)
+ else
+ admin_mode_authenticate_with_two_factor_via_u2f(user)
+ end
elsif user && user.valid_password?(user_params[:password])
admin_mode_prompt_for_two_factor(user)
else
@@ -52,18 +62,17 @@ module Authenticates2FAForAdminMode
def admin_mode_authenticate_with_two_factor_via_u2f(user)
if U2fRegistration.authenticate(user, u2f_app_id, user_params[:device_response], session[:challenge])
- # Remove any lingering user data from login
- session.delete(:otp_user_id)
- session.delete(:challenge)
-
- # The admin user has successfully passed 2fa, enable admin mode ignoring password
- enable_admin_mode
+ admin_handle_two_factor_success
else
- user.increment_failed_attempts!
- Gitlab::AppLogger.info("Failed Admin Mode Login: user=#{user.username} ip=#{request.remote_ip} method=U2F")
- flash.now[:alert] = _('Authentication via U2F device failed.')
+ admin_handle_two_factor_failure(user, 'U2F')
+ end
+ end
- admin_mode_prompt_for_two_factor(user)
+ def admin_mode_authenticate_with_two_factor_via_webauthn(user)
+ if Webauthn::AuthenticateService.new(user, user_params[:device_response], session[:challenge]).execute
+ admin_handle_two_factor_success
+ else
+ admin_handle_two_factor_failure(user, 'WebAuthn')
end
end
@@ -81,4 +90,21 @@ module Authenticates2FAForAdminMode
flash.now[:alert] = _('Invalid login or password')
render :new
end
+
+ def admin_handle_two_factor_success
+ # Remove any lingering user data from login
+ session.delete(:otp_user_id)
+ session.delete(:challenge)
+
+ # The admin user has successfully passed 2fa, enable admin mode ignoring password
+ enable_admin_mode
+ end
+
+ def admin_handle_two_factor_failure(user, method)
+ user.increment_failed_attempts!
+ Gitlab::AppLogger.info("Failed Admin Mode Login: user=#{user.username} ip=#{request.remote_ip} method=#{method}")
+ flash.now[:alert] = _('Authentication via %{method} device failed.') % { method: method }
+
+ admin_mode_prompt_for_two_factor(user)
+ end
end
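Review bot: Neither of the two new helpers documents the session state it depends on, and that state is the security boundary here: `admin_handle_two_factor_success` takes no argument and silently assumes `session[:otp_user_id]` and `session[:challenge]` were set by `admin_mode_prompt_for_two_factor`, then grants admin mode on the strength of that. I would add above it `# Consumes the 2FA challenge issued by admin_mode_prompt_for_two_factor; the challenge is deleted so a captured device_response cannot be replayed, then admin mode is enabled without re-checking the password.` On the failure side, `admin_handle_two_factor_failure` increments the lockout counter and re-prompts but does not itself discard `session[:challenge]`; presumably the `setup_*_authentication` call inside the prompt issues a fresh one, but that is outside this hunk, so a one-line comment stating that assumption (`# prompt re-issues a fresh challenge; the failed one must not remain usable`) would make the contract explicit. The module continues past the end of the hunk.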
diff --git a/app/controllers/admin/dev_ops_report_controller.rb b/app/controllers/admin/dev_ops_report_controller.rb
new file mode 100644
index 00000000000..bed0d51c331
--- /dev/null
+++ b/app/controllers/admin/dev_ops_report_controller.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class Admin::DevOpsReportController < Admin::ApplicationController
+ include Analytics::UniqueVisitsHelper
+
+ track_unique_visits :show, target_id: 'i_analytics_dev_ops_score'
+
+ # rubocop: disable CodeReuse/ActiveRecord
+ def show
+ @metric = DevOpsReport::Metric.order(:created_at).last&.present
+ end
+ # rubocop: enable CodeReuse/ActiveRecord
+end
diff --git a/app/controllers/admin/groups_controller.rb b/app/controllers/admin/groups_controller.rb
index 0245c00aacb..6414792dd43 100644
--- a/app/controllers/admin/groups_controller.rb
+++ b/app/controllers/admin/groups_controller.rb
@@ -19,7 +19,7 @@ class Admin::GroupsController < Admin::ApplicationController
# the Group with statistics).
@group = Group.with_statistics.find(group&.id)
@members = present_members(
- @group.members.order("access_level DESC").page(params[:members_page]))
+ group_members.order("access_level DESC").page(params[:members_page]))
@requesters = present_members(
AccessRequestsFinder.new(@group).execute(current_user))
@projects = @group.projects.with_statistics.page(params[:projects_page])
@@ -82,6 +82,10 @@ class Admin::GroupsController < Admin::ApplicationController
@group ||= Group.find_by_full_path(params[:id])
end
+ def group_members
+ @group.members
+ end
+
def group_params
params.require(:group).permit(allowed_group_params)
end
diff --git a/app/controllers/admin/instance_statistics_controller.rb b/app/controllers/admin/instance_statistics_controller.rb
new file mode 100644
index 00000000000..3aee26b97a2
--- /dev/null
+++ b/app/controllers/admin/instance_statistics_controller.rb
@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class Admin::InstanceStatisticsController < Admin::ApplicationController
+ include Analytics::UniqueVisitsHelper
+
+ before_action :check_feature_flag
+
+ track_unique_visits :index, target_id: 'i_analytics_instance_statistics'
+
+ def index
+ end
+
+ def check_feature_flag
+ render_404 unless Feature.enabled?(:instance_statistics)
+ end
+end
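Review bot: `check_feature_flag` is defined as a public method on a controller, so Rails treats it as an action: it appears in `action_methods` and becomes reachable if any route ever maps to it, while it is only meant to run as a `before_action`. Place it under `private` so the only public action on this controller is `index`, i.e. insert `private` on its own line before `def check_feature_flag`. While there, a short comment such as `# 404 rather than 403 so the existence of the page is not revealed while the flag is off` would record why `render_404` was chosen over an unauthorized response.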
diff --git a/app/controllers/admin/integrations_controller.rb b/app/controllers/admin/integrations_controller.rb
index b2d5a2d130c..1e2a99f7078 100644
--- a/app/controllers/admin/integrations_controller.rb
+++ b/app/controllers/admin/integrations_controller.rb
@@ -6,9 +6,7 @@ class Admin::IntegrationsController < Admin::ApplicationController
private
def find_or_initialize_integration(name)
- if name.in?(Service.available_services_names)
- "#{name}_service".camelize.constantize.find_or_initialize_by(instance: true) # rubocop:disable CodeReuse/ActiveRecord
- end
+ Service.find_or_initialize_integration(name, instance: true)
end
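Review bot: The removed lines guarded `constantize` with `name.in?(Service.available_services_names)`, and `name` is a route parameter, so the allowlist was what stopped an arbitrary class name from being resolved from user input; the replacement `Service.find_or_initialize_integration(name, instance: true)` is opaque from this hunk, so whether that check moved into the helper cannot be confirmed here. If the helper still derives a constant from `name`, the allowlist must be enforced inside it before any `constantize`; worth verifying, and worth recording at the call site with `# name is checked against Service.available_services_names inside the helper before being resolved to a class`. The enclosing class continues outside the hunk.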
def integrations_enabled?
diff --git a/app/controllers/admin/plan_limits_controller.rb b/app/controllers/admin/plan_limits_controller.rb
new file mode 100644
index 00000000000..2620db8aec5
--- /dev/null
+++ b/app/controllers/admin/plan_limits_controller.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Admin::PlanLimitsController < Admin::ApplicationController
+ include InternalRedirect
+
+ before_action :set_plan_limits
+
+ def create
+ redirect_path = referer_path(request) || general_admin_application_settings_path
+
+ respond_to do |format|
+ if @plan_limits.update(plan_limits_params)
+ format.json { head :ok }
+ format.html { redirect_to redirect_path, notice: _('Application limits saved successfully') }
+ else
+ format.json { head :bad_request }
+ format.html { render_update_error }
+ end
+ end
+ end
+
+ private
+
+ def set_plan_limits
+ @plan_limits = Plan.find(plan_limits_params[:plan_id]).actual_limits
+ end
+
+ def plan_limits_params
+ params.require(:plan_limits).permit(%i[
+ plan_id
+ conan_max_file_size
+ maven_max_file_size
+ npm_max_file_size
+ nuget_max_file_size
+ pypi_max_file_size
+ generic_packages_max_file_size
+ ])
+ end
+end
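Review bot: `plan_limits_params` permits `plan_id`, and the same hash is handed to `@plan_limits.update`, so the foreign key that was only needed to look the record up in `set_plan_limits` is also written back as an attribute of the limits row. Today it equals the value it was loaded by, but if `actual_limits` can ever return a record that does not belong to that plan (a shared or default limits row, not visible from here), this would silently re-associate it; safer is `@plan_limits.update(plan_limits_params.except(:plan_id))`. Separately, the JSON failure branch answers `head :bad_request` with no body, so API callers get no validation message; `render json: @plan_limits.errors, status: :bad_request` would match the HTML branch's `render_update_error`.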
diff --git a/app/controllers/admin/runners_controller.rb b/app/controllers/admin/runners_controller.rb
index 2449fa3128c..7a377a33d41 100644
--- a/app/controllers/admin/runners_controller.rb
+++ b/app/controllers/admin/runners_controller.rb
@@ -17,7 +17,6 @@ class Admin::RunnersController < Admin::ApplicationController
def update
if Ci::UpdateRunnerService.new(@runner).update(runner_params)
respond_to do |format|
- format.js
format.html { redirect_to admin_runner_path(@runner) }
end
else
diff --git a/app/controllers/admin/services_controller.rb b/app/controllers/admin/services_controller.rb
index 1bc82e98ab8..1f4250639c4 100644
--- a/app/controllers/admin/services_controller.rb
+++ b/app/controllers/admin/services_controller.rb
@@ -8,7 +8,7 @@ class Admin::ServicesController < Admin::ApplicationController
def index
@services = Service.find_or_create_templates.sort_by(&:title)
- @existing_instance_types = Service.instances.pluck(:type) # rubocop: disable CodeReuse/ActiveRecord
+ @existing_instance_types = Service.for_instance.pluck(:type) # rubocop: disable CodeReuse/ActiveRecord
end
def edit
diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index fc0acd8f99a..050f83edacb 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -111,10 +111,14 @@ class Admin::UsersController < Admin::ApplicationController
end
def disable_two_factor
- update_user { |user| user.disable_two_factor! }
+ result = TwoFactor::DestroyService.new(current_user, user: user).execute
- redirect_to admin_user_path(user),
- notice: _('Two-factor Authentication has been disabled for this user')
+ if result[:status] == :success
+ redirect_to admin_user_path(user),
+ notice: _('Two-factor authentication has been disabled for this user')
+ else
+ redirect_to admin_user_path(user), alert: result[:message]
+ end
end
def create
@@ -145,7 +149,7 @@ class Admin::UsersController < Admin::ApplicationController
password_confirmation: params[:user][:password_confirmation]
}
- password_params[:password_expires_at] = Time.current unless changing_own_password?
+ password_params[:password_expires_at] = Time.current if admin_making_changes_for_another_user?
user_params_with_pass.merge!(password_params)
end
@@ -153,6 +157,7 @@ class Admin::UsersController < Admin::ApplicationController
respond_to do |format|
result = Users::UpdateService.new(current_user, user_params_with_pass.merge(user: user)).execute do |user|
user.skip_reconfirmation!
+ user.send_only_admin_changed_your_password_notification! if admin_making_changes_for_another_user?
end
if result[:status] == :success
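Review bot: `user.send_only_admin_changed_your_password_notification!` is called on every admin edit of another user, not only when a password is being set, since the condition at that line is just `admin_making_changes_for_another_user?`. Whether that is harmless depends on the model method gating on an actual password change, which cannot be seen from this hunk; if it does not, a name-only or email-only edit would alter which notification the user receives. Guarding at the call site removes the doubt: `user.send_only_admin_changed_your_password_notification! if admin_making_changes_for_another_user? && params[:user][:password].present?`. The `update` action starts and ends outside this hunk.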
@@ -193,8 +198,8 @@ class Admin::UsersController < Admin::ApplicationController
protected
- def changing_own_password?
- user == current_user
+ def admin_making_changes_for_another_user?
+ user != current_user
end
def user