Add latest changes from gitlab-org/gitlab@master

7 files changed, 103 insertions, 18 deletions

diff --git a/app/assets/stylesheets/pages/issuable.scss b/app/assets/stylesheets/pages/issuable.scss
index 5617ab0af41..09b335f9ba2 100644
--- a/app/assets/stylesheets/pages/issuable.scss
+++ b/app/assets/stylesheets/pages/issuable.scss
@@ -883,7 +883,7 @@
 
   .time-tracking-help-state {
     background: $white-light;
-    margin: 16px -20px 0;
+    margin: 16px -20px -20px;
     padding: 16px 20px;
     border-top: 1px solid $border-gray-light;
     border-bottom: 1px solid $border-gray-light;
diff --git a/app/helpers/emails_helper.rb b/app/helpers/emails_helper.rb
index c244eba9e08..ba2330dfc9a 100644
--- a/app/helpers/emails_helper.rb
+++ b/app/helpers/emails_helper.rb
@@ -112,20 +112,20 @@ module EmailsHelper
     end
   end
 
-  # "You are receiving this email because #{reason}"
+  # "You are receiving this email because #{reason} on #{gitlab_host}."
   def notification_reason_text(reason)
-    string = case reason
-             when NotificationReason::OWN_ACTIVITY
-               'of your activity'
-             when NotificationReason::ASSIGNED
-               'you have been assigned an item'
-             when NotificationReason::MENTIONED
-               'you have been mentioned'
-             else
-               'of your account'
-             end
-
-    "#{string} on #{Gitlab.config.gitlab.host}"
+    gitlab_host = Gitlab.config.gitlab.host
+
+    case reason
+    when NotificationReason::OWN_ACTIVITY
+      _("You're receiving this email because of your activity on %{host}.") % { host: gitlab_host }
+    when NotificationReason::ASSIGNED
+      _("You're receiving this email because you have been assigned an item on %{host}.") % { host: gitlab_host }
+    when NotificationReason::MENTIONED
+      _("You're receiving this email because you have been mentioned on %{host}.") % { host: gitlab_host }
+    else
+      _("You're receiving this email because of your account on %{host}.") % { host: gitlab_host }
+    end
   end
 
   def create_list_id_string(project, list_id_max_length = 255)
diff --git a/app/models/active_session.rb b/app/models/active_session.rb
index a6d5fc1137d..3ecc3137157 100644
--- a/app/models/active_session.rb
+++ b/app/models/active_session.rb
@@ -146,8 +146,9 @@ class ActiveSession
     # remove sessions if there are more than ALLOWED_NUMBER_OF_ACTIVE_SESSIONS.
     sessions = active_session_entries(session_ids, user.id, redis)
     sessions.sort_by! {|session| session.updated_at }.reverse!
-    sessions = sessions[ALLOWED_NUMBER_OF_ACTIVE_SESSIONS..-1].map { |session| session.session_id }
-    destroy_sessions(redis, user, sessions)
+    sessions = sessions.drop(ALLOWED_NUMBER_OF_ACTIVE_SESSIONS)
+    sessions = sessions.map { |session| session.session_id }
+    destroy_sessions(redis, user, sessions) if sessions.any?
   end
 
   def self.cleaned_up_lookup_entries(redis, user)
diff --git a/app/models/clusters/cluster.rb b/app/models/clusters/cluster.rb
index 62b2217a9af..315cdcffb42 100644
--- a/app/models/clusters/cluster.rb
+++ b/app/models/clusters/cluster.rb
@@ -271,6 +271,21 @@ module Clusters
       kubernetes_namespaces.delete_all(:delete_all)
     end
 
+    def clusterable
+      return unless cluster_type
+
+      case cluster_type
+      when 'project_type'
+        project
+      when 'group_type'
+        group
+      when 'instance_type'
+        instance
+      else
+        raise NotImplementedError
+      end
+    end
+
     private
 
     def unique_management_project_environment_scope
diff --git a/app/services/clusters/applications/ingress_modsecurity_usage_service.rb b/app/services/clusters/applications/ingress_modsecurity_usage_service.rb
new file mode 100644
index 00000000000..4aac8bb3cbd
--- /dev/null
+++ b/app/services/clusters/applications/ingress_modsecurity_usage_service.rb
@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+# rubocop: disable CodeReuse/ActiveRecord
+module Clusters
+  module Applications
+    ##
+    # This service measures usage of the Modsecurity Web Application Firewall across the entire
+    # instance's deployed environments.
+    #
+    # The default configuration is`AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE=DetectionOnly` so we
+    # measure non-default values via definition of either ci_variables or ci_pipeline_variables.
+    # Since both these values are encrypted, we must decrypt and count them in memory.
+    #
+    # NOTE: this service is an approximation as it does not yet take into account `environment_scope` or `ci_group_variables`.
+    ##
+    class IngressModsecurityUsageService
+      ADO_MODSEC_KEY = "AUTO_DEVOPS_MODSECURITY_SEC_RULE_ENGINE"
+
+      def initialize(blocking_count: 0, disabled_count: 0)
+        @blocking_count = blocking_count
+        @disabled_count = disabled_count
+      end
+
+      def execute
+        conditions = -> { merge(::Environment.available).merge(::Deployment.success).where(key: ADO_MODSEC_KEY) }
+
+        ci_pipeline_var_enabled =
+          ::Ci::PipelineVariable
+            .joins(pipeline: { environments: :last_visible_deployment })
+            .merge(conditions)
+            .order('deployments.environment_id, deployments.id DESC')
+
+        ci_var_enabled =
+          ::Ci::Variable
+            .joins(project: { environments: :last_visible_deployment })
+            .merge(conditions)
+            .merge(
+              # Give priority to pipeline variables by excluding from dataset
+              ::Ci::Variable.joins(project: :environments).where.not(
+                environments: { id: ci_pipeline_var_enabled.select('DISTINCT ON (deployments.environment_id) deployments.environment_id') }
+              )
+            ).select('DISTINCT ON (deployments.environment_id) ci_variables.*')
+
+        sum_modsec_config_counts(
+          ci_pipeline_var_enabled.select('DISTINCT ON (deployments.environment_id) ci_pipeline_variables.*')
+        )
+        sum_modsec_config_counts(ci_var_enabled)
+
+        {
+          ingress_modsecurity_blocking: @blocking_count,
+          ingress_modsecurity_disabled: @disabled_count
+        }
+      end
+
+      private
+
+      # These are encrypted so we must decrypt and count in memory
+      def sum_modsec_config_counts(dataset)
+        dataset.each do |var|
+          case var.value
+          when "On" then @blocking_count += 1
+          when "Off" then @disabled_count += 1
+            # `else` could be default or any unsupported user input
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/app/views/layouts/notify.html.haml b/app/views/layouts/notify.html.haml
index de487a94d40..e922b505be8 100644
--- a/app/views/layouts/notify.html.haml
+++ b/app/views/layouts/notify.html.haml
@@ -20,7 +20,7 @@
             #{link_to _("View it on GitLab"), @target_url}.
           %br
           -# Don't link the host in the line below, one link in the email is easier to quickly click than two.
-          = _("You're receiving this email because %{reason}.") % { reason: notification_reason_text(@reason) }
+          = notification_reason_text(@reason)
           If you'd like to receive fewer emails, you can
           - if @labels_url
             adjust your #{link_to 'label subscriptions', @labels_url}.
diff --git a/app/views/layouts/notify.text.erb b/app/views/layouts/notify.text.erb
index 0ee30c2a6cf..49ad0b5abc5 100644
--- a/app/views/layouts/notify.text.erb
+++ b/app/views/layouts/notify.text.erb
@@ -11,7 +11,7 @@
 <%    end -%>
 <%  end -%>
 
-<%= "You're receiving this email because #{notification_reason_text(@reason)}." %>
+<%= notification_reason_text(@reason) %>
 <%= render_if_exists 'layouts/mailer/additional_text' %>
 
 <%= text_footer_message -%>