Add latest changes from gitlab-org/gitlab@15-4-stable-eev15.4.0-rc42

17 files changed, 483 insertions, 93 deletions

diff --git a/config/initializers/01_secret_token.rb b/config/initializers/01_secret_token.rb
index c1f03dfdb07..bb13869c963 100644
--- a/config/initializers/01_secret_token.rb
+++ b/config/initializers/01_secret_token.rb
@@ -65,11 +65,10 @@ end
 
 def set_missing_keys(defaults)
   defaults.stringify_keys.each_with_object({}) do |(key, default), missing|
-    if Rails.application.secrets[key].blank?
-      warn_missing_secret(key)
+    next if Rails.application.secrets[key].present?
 
-      missing[key] = Rails.application.secrets[key] = default
-    end
+    warn_missing_secret(key)
+    missing[key] = Rails.application.secrets[key] = default
   end
 end
 
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index b271cefadd9..3fc4b56f458 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -117,6 +117,27 @@ Settings.omniauth.cas3['session_duration'] ||= 8.hours
 Settings.omniauth['session_tickets'] ||= Settingslogic.new({})
 Settings.omniauth.session_tickets['cas3'] = 'ticket'
 
+# Handle backward compatibility with the renamed kerberos_spnego provider
+# https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96335#note_1094265436
+Gitlab.ee do
+  kerberos_spnego = Settings.omniauth.providers.find { |p| p.name == 'kerberos_spnego' }
+  if kerberos_spnego
+    Settings.omniauth.providers.delete_if { |p| p.name == 'kerberos' }
+    kerberos_spnego['name'] = 'kerberos'
+
+    omniauth_keys = %w(allow_single_sign_on auto_link_user external_providers sync_profile_from_provider allow_bypass_two_factor)
+    omniauth_keys.each do |key|
+      next unless Settings.omniauth[key].is_a?(Array)
+
+      Settings.omniauth[key].map! { |p| p == 'kerberos_spnego' ? 'kerberos' : p }
+    end
+
+    if Settings.omniauth['auto_sign_in_with_provider'] == 'kerberos_spnego'
+      Settings.omniauth['auto_sign_in_with_provider'] = 'kerberos'
+    end
+  end
+end
+
 # Fill out omniauth-gitlab settings. It is needed for easy set up GHE or GH by just specifying url.
 
 github_default_url = "https://github.com"
@@ -214,11 +235,11 @@ Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
 Settings.gitlab['trusted_proxies'] ||= []
 Settings.gitlab['content_security_policy'] ||= {}
 Settings.gitlab['allowed_hosts'] ||= []
-Settings.gitlab['no_todos_messages'] ||= YAML.load_file(Rails.root.join('config', 'no_todos_messages.yml'))
 Settings.gitlab['impersonation_enabled'] ||= true if Settings.gitlab['impersonation_enabled'].nil?
 Settings.gitlab['usage_ping_enabled'] = true if Settings.gitlab['usage_ping_enabled'].nil?
 Settings.gitlab['max_request_duration_seconds'] ||= 57
 Settings.gitlab['display_initial_root_password'] = false if Settings.gitlab['display_initial_root_password'].nil?
+Settings.gitlab['weak_passwords_digest_set'] ||= YAML.safe_load(File.open(Rails.root.join('config', 'weak_password_digests.yml')), permitted_classes: [String]).to_set.freeze
 
 Gitlab.ee do
   Settings.gitlab['mirror_max_delay'] ||= 300
@@ -547,7 +568,7 @@ Settings.cron_jobs['container_registry_migration_observer_worker'] ||= Settingsl
 Settings.cron_jobs['container_registry_migration_observer_worker']['cron'] ||= '*/30 * * * *'
 Settings.cron_jobs['container_registry_migration_observer_worker']['job_class'] = 'ContainerRegistry::Migration::ObserverWorker'
 Settings.cron_jobs['container_registry_migration_enqueuer_worker'] ||= Settingslogic.new({})
-Settings.cron_jobs['container_registry_migration_enqueuer_worker']['cron'] ||= '45 */1 * * *'
+Settings.cron_jobs['container_registry_migration_enqueuer_worker']['cron'] ||= '15,45 */1 * * *'
 Settings.cron_jobs['container_registry_migration_enqueuer_worker']['job_class'] = 'ContainerRegistry::Migration::EnqueuerWorker'
 Settings.cron_jobs['image_ttl_group_policy_worker'] ||= Settingslogic.new({})
 Settings.cron_jobs['image_ttl_group_policy_worker']['cron'] ||= '40 0 * * *'
@@ -633,6 +654,9 @@ Settings.cron_jobs['loose_foreign_keys_cleanup_worker']['job_class'] = 'LooseFor
 Settings.cron_jobs['ci_runner_versions_reconciliation_worker'] ||= Settingslogic.new({})
 Settings.cron_jobs['ci_runner_versions_reconciliation_worker']['cron'] ||= '@daily'
 Settings.cron_jobs['ci_runner_versions_reconciliation_worker']['job_class'] = 'Ci::Runners::ReconcileExistingRunnerVersionsCronWorker'
+Settings.cron_jobs['users_migrate_records_to_ghost_user_in_batches_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['users_migrate_records_to_ghost_user_in_batches_worker']['cron'] ||= '*/1 * * * *'
+Settings.cron_jobs['users_migrate_records_to_ghost_user_in_batches_worker']['job_class'] = 'Users::MigrateRecordsToGhostUserInBatchesWorker'
 
 Gitlab.ee do
   Settings.cron_jobs['analytics_devops_adoption_create_all_snapshots_worker'] ||= Settingslogic.new({})
@@ -713,9 +737,6 @@ Gitlab.ee do
   Settings.cron_jobs['ldap_sync_worker'] ||= Settingslogic.new({})
   Settings.cron_jobs['ldap_sync_worker']['cron'] ||= '30 1 * * *'
   Settings.cron_jobs['ldap_sync_worker']['job_class'] = 'LdapSyncWorker'
-  Settings.cron_jobs['free_user_cap_data_remediation'] ||= Settingslogic.new({})
-  Settings.cron_jobs['free_user_cap_data_remediation']['cron'] ||= '17 6,10,14,18 * * *'
-  Settings.cron_jobs['free_user_cap_data_remediation']['job_class'] = 'Namespaces::FreeUserCap::RemediationWorker'
   Settings.cron_jobs['update_max_seats_used_for_gitlab_com_subscriptions_worker'] ||= Settingslogic.new({})
   Settings.cron_jobs['update_max_seats_used_for_gitlab_com_subscriptions_worker']['cron'] ||= '0 12 * * *'
   Settings.cron_jobs['update_max_seats_used_for_gitlab_com_subscriptions_worker']['job_class'] = 'UpdateMaxSeatsUsedForGitlabComSubscriptionsWorker'
@@ -791,7 +812,7 @@ end
 #
 Settings['sidekiq'] ||= Settingslogic.new({})
 Settings['sidekiq']['log_format'] ||= 'default'
-Settings['sidekiq']['routing_rules'] ||= []
+Settings['sidekiq']['routing_rules'] = Settings.__send__(:build_sidekiq_routing_rules, Settings['sidekiq']['routing_rules'])
 
 #
 # GitLab Shell
@@ -885,6 +906,18 @@ Settings['satellites'] ||= Settingslogic.new({})
 Settings.satellites['path'] = Settings.absolute(Settings.satellites['path'] || "tmp/repo_satellites/")
 
 #
+# Microsoft Graph Mailer
+#
+Settings['microsoft_graph_mailer'] ||= Settingslogic.new({})
+Settings.microsoft_graph_mailer['enabled'] = false if Settings.microsoft_graph_mailer['enabled'].nil?
+Settings.microsoft_graph_mailer['user_id'] ||= nil
+Settings.microsoft_graph_mailer['tenant'] ||= nil
+Settings.microsoft_graph_mailer['client_id'] ||= nil
+Settings.microsoft_graph_mailer['client_secret'] ||= nil
+Settings.microsoft_graph_mailer['azure_ad_endpoint'] ||= 'https://login.microsoftonline.com'
+Settings.microsoft_graph_mailer['graph_endpoint'] ||= 'https://graph.microsoft.com'
+
+#
 # Kerberos
 #
 Gitlab.ee do
@@ -897,8 +930,8 @@ Gitlab.ee do
   Settings.kerberos['https'] = Settings.gitlab.https if Settings.kerberos['https'].nil?
   Settings.kerberos['port'] ||= Settings.kerberos.https ? 8443 : 8088
 
-  if Settings.kerberos['enabled'] && !Settings.omniauth.providers.map(&:name).include?('kerberos_spnego')
-    Settings.omniauth.providers << Settingslogic.new({ 'name' => 'kerberos_spnego' })
+  if Settings.kerberos['enabled'] && !Settings.omniauth.providers.map(&:name).include?('kerberos')
+    Settings.omniauth.providers << Settingslogic.new({ 'name' => 'kerberos' })
   end
 end
 
diff --git a/config/initializers/7_redis.rb b/config/initializers/7_redis.rb
index 415574e1ce1..1e2786db413 100644
--- a/config/initializers/7_redis.rb
+++ b/config/initializers/7_redis.rb
@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
+require 'gitlab/redis'
+
+Redis.raise_deprecations = true unless Rails.env.production?
+
 # We set the instance variable directly to suppress warnings.
 # We cannot switch to the new behavior until we change all existing `redis.exists` calls to `redis.exists?`.
 # Some gems also need to be updated
@@ -13,11 +17,6 @@ Redis::Client.prepend(Gitlab::Instrumentation::RedisInterceptor)
 # 1. Sidekiq
 # 2. Rails.cache
 # 3. HTTP clients
-Gitlab::Redis::Cache.with { nil }
-Gitlab::Redis::Queues.with { nil }
-Gitlab::Redis::SharedState.with { nil }
-Gitlab::Redis::TraceChunks.with { nil }
-Gitlab::Redis::RateLimiting.with { nil }
-Gitlab::Redis::Sessions.with { nil }
-Gitlab::Redis::DuplicateJobs.with { nil }
-Gitlab::Redis::SidekiqStatus.with { nil }
+Gitlab::Redis::ALL_CLASSES.each do |redis_instance|
+  redis_instance.with { nil }
+end
diff --git a/config/initializers/active_record_keyset_pagination.rb b/config/initializers/active_record_keyset_pagination.rb
index f5692c95276..7f830cafd31 100644
--- a/config/initializers/active_record_keyset_pagination.rb
+++ b/config/initializers/active_record_keyset_pagination.rb
@@ -1,10 +1,36 @@
 # frozen_string_literal: true
 
 module PaginatorExtension
+  KEYSET_ORDER_PLACEHOLDER = Object.new
+
   # This method loads the records for the requested page and returns a keyset paginator object.
   def keyset_paginate(cursor: nil, per_page: 20, keyset_order_options: {})
     Gitlab::Pagination::Keyset::Paginator.new(scope: self.dup, cursor: cursor, per_page: per_page, keyset_order_options: keyset_order_options)
   end
+
+  # This modifies `reverse_sql_order` so that it is aware of Gitlab::Pagination::Keyset::Order which
+  # can reverse order clauses with NULLS LAST because we provide it a `reversed_order_expression`.
+  # This allows us to use `#last` on these relations.
+  #
+  # Overrides https://github.com/rails/rails/blob/v6.1.6.1/activerecord/lib/active_record/relation/query_methods.rb#L1331-L1358
+  def reverse_sql_order(order_query)
+    return super if order_query.empty?
+
+    keyset_order_values = []
+
+    order_query_without_keyset = order_query.flat_map do |o|
+      next o unless o.is_a?(Gitlab::Pagination::Keyset::Order)
+
+      keyset_order_values << o
+      KEYSET_ORDER_PLACEHOLDER
+    end
+
+    super(order_query_without_keyset).map do |o|
+      next o unless o == KEYSET_ORDER_PLACEHOLDER
+
+      keyset_order_values.shift.reversed_order
+    end
+  end
 end
 
 ActiveSupport.on_load(:active_record) do
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 867f3fd47cc..918b2767c4d 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -90,7 +90,9 @@ Doorkeeper.configure do
   # Check out the wiki for more information on customization
   access_token_methods :from_access_token_param, :from_bearer_authorization, :from_bearer_param
 
-  hash_token_secrets using: '::Gitlab::DoorkeeperSecretStoring::Pbkdf2Sha512', fallback: :plain
+  hash_token_secrets using: '::Gitlab::DoorkeeperSecretStoring::Token::Pbkdf2Sha512', fallback: :plain
+
+  hash_application_secrets using: '::Gitlab::DoorkeeperSecretStoring::Secret::Pbkdf2Sha512', fallback: :plain
 
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
diff --git a/config/initializers/excon.rb b/config/initializers/excon.rb
new file mode 100644
index 00000000000..132cb2ff15b
--- /dev/null
+++ b/config/initializers/excon.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+# Excon ships its own bundled certs by default. Avoid confusion
+# by using the same set that GitLab uses.
+Excon.defaults[:ssl_ca_file] = OpenSSL::X509::DEFAULT_CERT_FILE
+Excon.defaults[:ssl_verify_peer] = true
diff --git a/config/initializers/gitlab_experiment.rb b/config/initializers/gitlab_experiment.rb
index a201a075f62..6d2795caf51 100644
--- a/config/initializers/gitlab_experiment.rb
+++ b/config/initializers/gitlab_experiment.rb
@@ -65,7 +65,7 @@ Gitlab::Experiment.configure do |config|
   # permitted, and will be sent along using Gitlab::Tracking::StandardContext.
   #
   config.tracking_behavior = lambda do |action, event_args|
-    Gitlab::Tracking.event(name, action.to_s, **event_args.merge(
+    Gitlab::Tracking.event(name, action, **event_args.merge(
       context: (event_args[:context] || []) << SnowplowTracker::SelfDescribingJson.new(
         'iglu:com.gitlab/gitlab_experiment/jsonschema/1-0-0', signature
       )
diff --git a/config/initializers/load_balancing.rb b/config/initializers/load_balancing.rb
index 290481f7296..bcc62a6be5d 100644
--- a/config/initializers/load_balancing.rb
+++ b/config/initializers/load_balancing.rb
@@ -2,15 +2,6 @@
 
 Gitlab::Application.configure do |config|
   config.middleware.use(Gitlab::Database::LoadBalancing::RackMiddleware)
-
-  # We need re-rerun the setup when code reloads in development
-  config.reloader.to_prepare do
-    if Rails.env.development? || Rails.env.test?
-      Gitlab::Database::LoadBalancing.base_models.each do |model|
-        Gitlab::Database::LoadBalancing::Setup.new(model).setup
-      end
-    end
-  end
 end
 
 Gitlab::Database::LoadBalancing.base_models.each do |model|
@@ -23,8 +14,9 @@ Gitlab::Database::LoadBalancing.base_models.each do |model|
   # information.
   Gitlab::Database::LoadBalancing::Setup.new(model).setup
 
+  # We need re-rerun the setup when code reloads in development
   Rails.application.reloader.to_prepare do
-    if Rails.env.development?
+    if Rails.env.development? || Rails.env.test?
       Gitlab::Database::LoadBalancing::Setup.new(model).setup
     end
   end
diff --git a/config/initializers/lookbook.rb b/config/initializers/lookbook.rb
deleted file mode 100644
index 4cb1b827286..00000000000
--- a/config/initializers/lookbook.rb
+++ /dev/null
@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-
-if Rails.env.development?
-  # :nocov: Lookbook is only available in development
-  Lookbook::ApplicationController.class_eval do
-    content_security_policy false
-  end
-
-  Rails.application.configure do
-    config.lookbook.experimental_features = [:pages]
-    config.lookbook.page_paths = ["#{config.root}/spec/components/docs"]
-  end
-  # :nocov:
-end
diff --git a/config/initializers/microsoft_graph_mailer.rb b/config/initializers/microsoft_graph_mailer.rb
new file mode 100644
index 00000000000..45fdef1c57d
--- /dev/null
+++ b/config/initializers/microsoft_graph_mailer.rb
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+if Gitlab.config.microsoft_graph_mailer.enabled
+  ActionMailer::Base.delivery_method = :microsoft_graph
+
+  ActionMailer::Base.microsoft_graph_settings = {
+    user_id: Gitlab.config.microsoft_graph_mailer.user_id,
+    tenant: Gitlab.config.microsoft_graph_mailer.tenant,
+    client_id: Gitlab.config.microsoft_graph_mailer.client_id,
+    client_secret: Gitlab.config.microsoft_graph_mailer.client_secret,
+    azure_ad_endpoint: Gitlab.config.microsoft_graph_mailer.azure_ad_endpoint,
+    graph_endpoint: Gitlab.config.microsoft_graph_mailer.graph_endpoint
+  }
+end
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 38bd1034b36..2454b5ea818 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -11,6 +11,17 @@ if Gitlab::Auth::Ldap::Config.enabled?
   end
 end
 
+module OmniAuth
+  module Strategies
+    class AzureActivedirectoryV2
+      # override until https://github.com/RIPAGlobal/omniauth-azure-activedirectory-v2/pull/6 is merged
+      def callback_url
+        full_host + callback_path
+      end
+    end
+  end
+end
+
 OmniAuth.config.full_host = Gitlab::OmniauthInitializer.full_host
 
 OmniAuth.config.allowed_request_methods = [:post]
diff --git a/config/initializers/postgres_partitioning.rb b/config/initializers/postgres_partitioning.rb
index 4de6e706f16..e7f29ee1a84 100644
--- a/config/initializers/postgres_partitioning.rb
+++ b/config/initializers/postgres_partitioning.rb
@@ -1,43 +1,48 @@
 # frozen_string_literal: true
 
-Gitlab::Database::Partitioning.register_models([
-  AuditEvent,
-  WebHookLog,
-  LooseForeignKeys::DeletedRecord,
-  Gitlab::Database::BackgroundMigration::BatchedJobTransitionLog
-])
+Gitlab::Database::Partitioning.register_models(
+  [
+    AuditEvent,
+    WebHookLog,
+    LooseForeignKeys::DeletedRecord,
+    Gitlab::Database::BackgroundMigration::BatchedJobTransitionLog
+  ])
 
 if Gitlab.ee?
-  Gitlab::Database::Partitioning.register_models([
-    IncidentManagement::PendingEscalations::Alert,
-    IncidentManagement::PendingEscalations::Issue
-  ])
+  Gitlab::Database::Partitioning.register_models(
+    [
+      IncidentManagement::PendingEscalations::Alert,
+      IncidentManagement::PendingEscalations::Issue,
+      Security::Finding
+    ])
 else
-  Gitlab::Database::Partitioning.register_tables([
-    {
-      limit_connection_names: %i[main],
-      table_name: 'incident_management_pending_alert_escalations',
-      partitioned_column: :process_at, strategy: :monthly
-    },
-    {
-      limit_connection_names: %i[main],
-      table_name: 'incident_management_pending_issue_escalations',
-      partitioned_column: :process_at, strategy: :monthly
-    }
-  ])
+  Gitlab::Database::Partitioning.register_tables(
+    [
+      {
+        limit_connection_names: %i[main],
+        table_name: 'incident_management_pending_alert_escalations',
+        partitioned_column: :process_at, strategy: :monthly
+      },
+      {
+        limit_connection_names: %i[main],
+        table_name: 'incident_management_pending_issue_escalations',
+        partitioned_column: :process_at, strategy: :monthly
+      }
+    ])
 end
 
 # The following tables are already defined as models
 unless Gitlab.jh?
-  Gitlab::Database::Partitioning.register_tables([
-    # This should be synchronized with the following model:
-    # https://jihulab.com/gitlab-cn/gitlab/-/blob/main-jh/jh/app/models/phone/verification_code.rb
-    {
-      limit_connection_names: %i[main],
-      table_name: 'verification_codes',
-      partitioned_column: :created_at, strategy: :monthly
-    }
-  ])
+  Gitlab::Database::Partitioning.register_tables(
+    [
+      # This should be synchronized with the following model:
+      # https://jihulab.com/gitlab-cn/gitlab/-/blob/main-jh/jh/app/models/phone/verification_code.rb
+      {
+        limit_connection_names: %i[main],
+        table_name: 'verification_codes',
+        partitioned_column: :created_at, strategy: :monthly
+      }
+    ])
 end
 
 Gitlab::Database::Partitioning.sync_partitions_ignore_db_error
diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index 29df6da6ef1..262ef1dea21 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -127,3 +127,4 @@ end
 
 Sidekiq::Scheduled::Poller.prepend Gitlab::Patch::SidekiqPoller
 Sidekiq::Cron::Poller.prepend Gitlab::Patch::SidekiqPoller
+Sidekiq::Cron::Poller.prepend Gitlab::Patch::SidekiqCronPoller
diff --git a/config/initializers/sidekiq_cluster.rb b/config/initializers/sidekiq_cluster.rb
index 2f9c1de47eb..6fd598b3e25 100644
--- a/config/initializers/sidekiq_cluster.rb
+++ b/config/initializers/sidekiq_cluster.rb
@@ -9,22 +9,23 @@ if ENV['ENABLE_SIDEKIQ_CLUSTER']
     loop do
       sleep(5)
 
+      next if Process.ppid == parent
+
       # In cluster mode it's possible that the master process is SIGKILL'd. In
       # this case the parent PID changes and we need to terminate ourselves.
-      if Process.ppid != parent
-        Process.kill(:TERM, Process.pid)
-
-        # Allow sidekiq to cleanly terminate and push any running jobs back
-        # into the queue.  We use the configured timeout and add a small
-        # grace period
-        sleep(Sidekiq.options[:timeout] + 5)
-
-        # Signaling the Sidekiq Pgroup as KILL is not forwarded to
-        # a possible child process. In Sidekiq Cluster, all child Sidekiq
-        # processes are PGROUP leaders (each process has its own pgroup).
-        Process.kill(:KILL, 0)
-        break
-      end
+
+      Process.kill(:TERM, Process.pid)
+
+      # Allow sidekiq to cleanly terminate and push any running jobs back
+      # into the queue.  We use the configured timeout and add a small
+      # grace period
+      sleep(Sidekiq.options[:timeout] + 5)
+
+      # Signaling the Sidekiq Pgroup as KILL is not forwarded to
+      # a possible child process. In Sidekiq Cluster, all child Sidekiq
+      # processes are PGROUP leaders (each process has its own pgroup).
+      Process.kill(:KILL, 0)
+      break
     end
   end
 end
diff --git a/config/initializers/wikicloth_redos_patch.rb b/config/initializers/wikicloth_redos_patch.rb
index 4ff545dd6f7..95901378891 100644
--- a/config/initializers/wikicloth_redos_patch.rb
+++ b/config/initializers/wikicloth_redos_patch.rb
@@ -1,3 +1,27 @@
+# This file contains code based on the wikicloth project:
+# https://github.com/nricciar/wikicloth
+#
+# Copyright (c) 2009 The wikicloth authors.
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
 # frozen_string_literal: true
 
 require 'wikicloth'
@@ -20,7 +44,10 @@ require 'digest/sha2'
 # - https://gitlab.com/gitlab-org/gitlab/-/issues/361266
 
 # Guard to ensure we remember to delete this patch if they ever release a new version of wikicloth
-raise 'New version of WikiCloth detected, please remove this patch' unless Gem::Version.new(WikiCloth::VERSION) == Gem::Version.new('0.8.1')
+unless Gem::Version.new(WikiCloth::VERSION) == Gem::Version.new('0.8.1')
+  raise 'New version of WikiCloth detected, please either update the version for this check, ' \
+    'or remove this patch if no longer needed'
+end
 
 # rubocop:disable Style/ClassAndModuleChildren
 # rubocop:disable Layout/SpaceAroundEqualsInParameterDefault
@@ -43,6 +70,12 @@ raise 'New version of WikiCloth detected, please remove this patch' unless Gem::
 # rubocop:disable Style/RegexpLiteralMixedPreserve
 # rubocop:disable Style/RedundantRegexpCharacterClass
 # rubocop:disable Performance/StringInclude
+# rubocop:disable Layout/LineLength
+# rubocop:disable Style/RedundantSelf
+# rubocop:disable Style/SymbolProc
+# rubocop:disable Layout/SpaceInsideParens
+# rubocop:disable Style/GuardClause
+# rubocop:disable Style/RedundantRegexpEscape
 module WikiCloth
   class WikiCloth
     def render(opt={})
@@ -218,3 +251,9 @@ end
 # rubocop:enable Style/RegexpLiteralMixedPreserve
 # rubocop:enable Style/RedundantRegexpCharacterClass
 # rubocop:enable Performance/StringInclude
+# rubocop:enable Layout/LineLength
+# rubocop:enable Style/RedundantSelf
+# rubocop:enable Style/SymbolProc
+# rubocop:enable Layout/SpaceInsideParens
+# rubocop:enable Style/GuardClause
+# rubocop:enable Style/RedundantRegexpEscape
diff --git a/config/initializers/wikicloth_ruby_3_patch.rb b/config/initializers/wikicloth_ruby_3_patch.rb
new file mode 100644
index 00000000000..d80383a125d
--- /dev/null
+++ b/config/initializers/wikicloth_ruby_3_patch.rb
@@ -0,0 +1,272 @@
+# This file contains code based on the wikicloth project:
+# https://github.com/nricciar/wikicloth
+#
+# Copyright (c) 2009 The wikicloth authors.
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# frozen_string_literal: true
+
+require 'wikicloth'
+require 'wikicloth/wiki_buffer/var'
+
+# Adds patch for changes in this PRs:
+#
+# https://github.com/nricciar/wikicloth/pull/110
+#
+# The maintainers are not releasing new versions, so we
+# need to patch it here.
+#
+# If they ever do release a version, then we can remove this file.
+#
+# See:
+# - https://gitlab.com/gitlab-org/gitlab/-/issues/372400
+
+# Guard to ensure we remember to delete this patch if they ever release a new version of wikicloth
+unless Gem::Version.new(WikiCloth::VERSION) == Gem::Version.new('0.8.1')
+  raise 'New version of WikiCloth detected, please either update the version for this check, ' \
+    'or remove this patch if no longer needed'
+end
+
+# rubocop:disable Style/ClassAndModuleChildren
+# rubocop:disable Style/HashSyntax
+# rubocop:disable Layout/SpaceAfterComma
+# rubocop:disable Style/RescueStandardError
+# rubocop:disable Metrics/AbcSize
+# rubocop:disable Metrics/CyclomaticComplexity
+# rubocop:disable Metrics/PerceivedComplexity
+# rubocop:disable Cop/LineBreakAroundConditionalBlock
+# rubocop:disable Layout/EmptyLineAfterGuardClause
+# rubocop:disable Performance/ReverseEach
+# rubocop:disable Style/PerlBackrefs
+# rubocop:disable Style/RedundantRegexpCharacterClass
+# rubocop:disable Performance/StringInclude
+# rubocop:disable Style/IfUnlessModifier
+# rubocop:disable Layout/LineLength
+# rubocop:disable Lint/DeprecatedClassMethods
+# rubocop:disable Lint/UselessAssignment
+# rubocop:disable Lint/RedundantStringCoercion
+# rubocop:disable Style/StringLiteralsInInterpolation
+# rubocop:disable Lint/UriEscapeUnescape
+# rubocop:disable Style/For
+# rubocop:disable Style/SlicingWithRange
+# rubocop:disable Style/GuardClause
+# rubocop:disable Style/ZeroLengthPredicate
+# rubocop:disable Cop/LineBreakAfterGuardClauses
+# rubocop:disable Layout/MultilineHashBraceLayout
+module WikiCloth
+  class WikiCloth
+    class MathExtension < Extension
+      # <math>latex markup</math>
+      #
+      element 'math', :skip_html => true, :run_globals => false do |buffer|
+        blahtex_path = @options[:blahtex_path] || '/usr/bin/blahtex'
+        blahtex_png_path = @options[:blahtex_png_path] || '/tmp'
+        blahtex_options = @options[:blahtex_options] || '--texvc-compatible-commands --mathml-version-1-fonts --disallow-plane-1 --spacing strict'
+
+        if File.exists?(blahtex_path) && @options[:math_formatter] != :google
+          begin
+            # pass tex markup to blahtex
+            response = IO.popen("#{blahtex_path} #{blahtex_options} --png --mathml --png-directory #{blahtex_png_path}","w+") do |pipe|
+              pipe.write(buffer.element_content)
+              pipe.close_write
+              pipe.gets
+            end
+
+            xml_response = REXML::Document.new(response).root
+
+            if @options[:blahtex_html_prefix]
+              # render as embedded image
+              file_md5 = xml_response.elements["png/md5"].text
+              "<img src=\"#{File.join(@options[:blahtex_html_prefix],"#{file_md5}.png")}\" />"
+            else
+              # render as mathml
+              html = xml_response.elements["mathml/markup"].text
+              "<math xmlns=\"http://www.w3.org/1998/Math/MathML\">#{xml_response.elements["mathml/markup"].children.to_s}</math>"
+            end
+          rescue => err
+            # blahtex error
+            "<span class=\"error\">#{I18n.t("unable to parse mathml", :error => err)}</span>"
+          end
+        else
+          # if blahtex does not exist fallback to google charts api
+          # This is the patched line from:
+          # https://github.com/nricciar/wikicloth/pull/110/files#diff-f0cb4c400957bbdcc4c97d69d2aa7f48d8ba56c5943e484863f620605d7d17d4R37
+          encoded_string = URI.encode_www_form_component(buffer.element_content)
+          "<img src=\"https://chart.googleapis.com/chart?cht=tx&chl=#{encoded_string}\" />"
+        end
+      end
+    end
+
+    class WikiBuffer::Var < WikiBuffer
+      def default_functions(name,params)
+        case name
+        when "#if"
+          params.first.blank? ? params[2] : params[1]
+        when "#switch"
+          match = params.first
+          default = nil
+          for p in params[1..-1]
+            temp = p.split("=")
+            if p !~ /=/ && temp.length == 1 && p == params.last
+              return p
+            elsif temp.instance_of?(Array) && temp.length > 0
+              test = temp.first.strip
+              default = temp[1..-1].join("=").strip if test == "#default"
+              return temp[1..-1].join("=").strip if test == match || (test == "none" && match.blank?)
+            end
+          end
+          default.nil? ? "" : default
+        when "#expr"
+          begin
+            ExpressionParser::Parser.new.parse(params.first)
+          rescue RuntimeError
+            I18n.t('expression error', :error => $!)
+          end
+        when "#ifexpr"
+          val = false
+          begin
+            val = ExpressionParser::Parser.new.parse(params.first)
+          rescue RuntimeError
+          end
+          if val
+            params[1]
+          else
+            params[2]
+          end
+        when "#ifeq"
+          if params[0] =~ /^[0-9A-Fa-f]+$/ && params[1] =~ /^[0-9A-Fa-f]+$/
+            params[0].to_i == params[1].to_i ? params[2] : params[3]
+          else
+            params[0] == params[1] ? params[2] : params[3]
+          end
+        when "#len"
+          params.first.length
+        when "#sub"
+          params.first[params[1].to_i,params[2].to_i]
+        when "#pad"
+          case params[3]
+          when "right"
+            params[0].ljust(params[1].to_i,params[2])
+          when "center"
+            params[0].center(params[1].to_i,params[2])
+          else
+            params[0].rjust(params[1].to_i,params[2])
+          end
+        when "#iferror"
+          params.first =~ /error/ ? params[1] : params[2]
+        when "#capture"
+          @options[:params][params.first] = params[1]
+          ""
+        when "urlencode"
+          # This is the patched line from:
+          # https://github.com/nricciar/wikicloth/pull/110/files#diff-f262faf4fadb222cca87185be0fb65b3f49659abc840794cc83a736d41310fb1R170
+          URI.encode_www_form_component(params.first)
+        when "lc"
+          params.first.downcase
+        when "uc"
+          params.first.upcase
+        when "ucfirst"
+          params.first.capitalize
+        when "lcfirst"
+          params.first[0,1].downcase + params.first[1..-1]
+        when "anchorencode"
+          params.first.gsub(/\s+/,'_')
+        when "plural"
+          begin
+            expr_value = ExpressionParser::Parser.new.parse(params.first)
+            expr_value.to_i == 1 ? params[1] : params[2]
+          rescue RuntimeError
+            I18n.t('expression error', :error => $!)
+          end
+        when "ns"
+          values = {
+            "" => "", "0" => "",
+            "1" => localise_ns("Talk"), "talk" => localise_ns("Talk"),
+            "6" => localise_ns("File"), "file" => localise_ns("File"), "image" => localise_ns("File"),
+            "10" => localise_ns("Template"), "template" => localise_ns("Template"),
+            "14" => localise_ns("Category"), "category" => localise_ns("Category"),
+            "-1" => localise_ns("Special"), "special" => localise_ns("Special"),
+            "12" => localise_ns("Help"), "help" => localise_ns("Help"),
+            "-2" => localise_ns("Media"), "media" => localise_ns("Media") }
+
+          values[localise_ns(params.first,:en).gsub(/\s+/,'_').downcase]
+        when "#language"
+          WikiNamespaces.language_name(params.first)
+        when "#tag"
+          return "" if params.empty?
+          elem = Builder::XmlMarkup.new
+          return elem.tag!(params.first) if params.length == 1
+          return elem.tag!(params.first) { |e| e << params.last } if params.length == 2
+          tag_attrs = {}
+          params[1..-2].each do |attr|
+            tag_attrs[$1] = $2 if attr =~ /^\s*([\w]+)\s*=\s*"(.*)"\s*$/
+          end
+          elem.tag!(params.first,tag_attrs) { |e| e << params.last }
+        when "debug"
+          ret = nil
+          case params.first
+          when "param"
+            @options[:buffer].buffers.reverse.each do |b|
+              if b.instance_of?(WikiBuffer::HTMLElement) && b.element_name == "template"
+                ret = b.get_param(params[1])
+              end
+            end
+            ret
+          when "buffer"
+            ret = "<pre>"
+            buffer = @options[:buffer].buffers
+            buffer.each do |b|
+              ret += " --- #{b.class}"
+              ret += b.instance_of?(WikiBuffer::HTMLElement) ? " -- #{b.element_name}\n" : " -- #{b.data}\n"
+            end
+            "#{ret}</pre>"
+          end
+        end
+      end
+    end
+  end
+end
+# rubocop:enable Style/ClassAndModuleChildren
+# rubocop:enable Style/HashSyntax
+# rubocop:enable Layout/SpaceAfterComma
+# rubocop:enable Style/RescueStandardError
+# rubocop:enable Metrics/AbcSize
+# rubocop:enable Metrics/CyclomaticComplexity
+# rubocop:enable Metrics/PerceivedComplexity
+# rubocop:enable Cop/LineBreakAroundConditionalBlock
+# rubocop:enable Layout/EmptyLineAfterGuardClause
+# rubocop:enable Performance/ReverseEach
+# rubocop:enable Style/PerlBackrefs
+# rubocop:enable Style/RedundantRegexpCharacterClass
+# rubocop:enable Performance/StringInclude
+# rubocop:enable Style/IfUnlessModifier
+# rubocop:enable Layout/LineLength
+# rubocop:enable Lint/DeprecatedClassMethods
+# rubocop:enable Lint/UselessAssignment
+# rubocop:enable Lint/RedundantStringCoercion
+# rubocop:enable Style/StringLiteralsInInterpolation
+# rubocop:enable Lint/UriEscapeUnescape
+# rubocop:enable Style/For
+# rubocop:enable Style/SlicingWithRange
+# rubocop:enable Style/GuardClause
+# rubocop:enable Style/ZeroLengthPredicate
+# rubocop:enable Cop/LineBreakAfterGuardClauses
+# rubocop:enable Layout/MultilineHashBraceLayout
diff --git a/config/initializers/zz_metrics.rb b/config/initializers/zz_metrics.rb
index 5e6c1abdda6..940d8eed61f 100644
--- a/config/initializers/zz_metrics.rb
+++ b/config/initializers/zz_metrics.rb
@@ -17,7 +17,6 @@
 if Gitlab::Metrics.enabled? && !Rails.env.test? && !(Rails.env.development? && defined?(Rails::Generators))
   require 'pathname'
   require 'connection_pool'
-  require 'method_source'
 
   # These are manually require'd so the classes are registered properly with
   # ActiveSupport.
@@ -40,6 +39,9 @@ if Gitlab::Metrics.enabled? && !Rails.env.test? && !(Rails.env.development? && d
 
   if Gitlab::Runtime.puma?
     Gitlab::Metrics::RequestsRackMiddleware.initialize_metrics
+    Gitlab::Metrics::GlobalSearchSlis.initialize_slis!
+  elsif Gitlab.ee? && Gitlab::Runtime.sidekiq?
+    Gitlab::Metrics::GlobalSearchIndexingSlis.initialize_slis!
   end
 
   GC::Profiler.enable