Merge branch 'master' into feature/multi-level-container-registry-images

* master: (1327 commits)
  Merge branch 'render-json-leak' into 'security'
  Merge branch 'ssrf' into 'security'
  Merge branch 'ssrf' into 'security'
  Merge branch 'fix-links-target-blank' into 'security'
  Merge branch '28058-hide-emails-in-atom-feeds' into 'security'
  Fix karma test
  Reset filters after click
  Handle Route#name being nil after an update
  Only add frontend code coverage instrumentation when generating coverage report
  fix recompile assets step in 9.0 upgrade guide to use yarn
  Undo explicit conversion to Integer
  Make level_value accept string integers
  Make feature spec more robust
  Removed d3.js from the main application.js bundle
  Extend compound status for manual actions specs
  Update css to be nice and tidy.
  Fix pipeline status for transition between stages
  add an index to the ghost column
  Return 404 in project issues API endpoint when project cannot be found
  Improve rename projects migration
  ...

Conflicts:
	doc/ci/docker/using_docker_build.md
	spec/lib/gitlab/import_export/all_models.yml

21 files changed, 215 insertions, 72 deletions

diff --git a/config/initializers/inflections.rb b/config/initializers/0_inflections.rb
index d4197da3fa9..d4197da3fa9 100644
--- a/config/initializers/inflections.rb
+++ b/config/initializers/0_inflections.rb
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 3f716dd8833..62020fa9a75 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -14,12 +14,15 @@ class Settings < Settingslogic
     end
 
     def build_gitlab_ci_url
-      if on_standard_port?(gitlab)
-        custom_port = nil
-      else
-        custom_port = ":#{gitlab.port}"
-      end
-      [ gitlab.protocol,
+      custom_port =
+        if on_standard_port?(gitlab)
+          nil
+        else
+          ":#{gitlab.port}"
+        end
+
+      [
+        gitlab.protocol,
         "://",
         gitlab.host,
         custom_port,
@@ -80,7 +83,9 @@ class Settings < Settingslogic
 
     def base_url(config)
       custom_port = on_standard_port?(config) ? nil : ":#{config.port}"
-      [ config.protocol,
+
+      [
+        config.protocol,
         "://",
         config.host,
         custom_port
@@ -160,15 +165,16 @@ if github_settings
 
   github_settings["args"] ||= Settingslogic.new({})
 
-  if github_settings["url"].include?(github_default_url)
-    github_settings["args"]["client_options"] = OmniAuth::Strategies::GitHub.default_options[:client_options]
-  else
-    github_settings["args"]["client_options"] = {
-      "site"          => File.join(github_settings["url"], "api/v3"),
-      "authorize_url" => File.join(github_settings["url"], "login/oauth/authorize"),
-      "token_url"     => File.join(github_settings["url"], "login/oauth/access_token")
-    }
-  end
+  github_settings["args"]["client_options"] =
+    if github_settings["url"].include?(github_default_url)
+      OmniAuth::Strategies::GitHub.default_options[:client_options]
+    else
+      {
+        "site"          => File.join(github_settings["url"], "api/v3"),
+        "authorize_url" => File.join(github_settings["url"], "login/oauth/authorize"),
+        "token_url"     => File.join(github_settings["url"], "login/oauth/access_token")
+      }
+    end
 end
 
 Settings['shared'] ||= Settingslogic.new({})
@@ -180,7 +186,7 @@ Settings['issues_tracker'] ||= {}
 # GitLab
 #
 Settings['gitlab'] ||= Settingslogic.new({})
-Settings.gitlab['default_projects_limit'] ||= 10
+Settings.gitlab['default_projects_limit'] ||= 100000
 Settings.gitlab['default_branch_protection'] ||= 2
 Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
 Settings.gitlab['host']       ||= ENV['GITLAB_HOST'] || 'localhost'
@@ -215,7 +221,7 @@ Settings.gitlab['session_expire_delay'] ||= 10080
 Settings.gitlab.default_projects_features['issues']             = true if Settings.gitlab.default_projects_features['issues'].nil?
 Settings.gitlab.default_projects_features['merge_requests']     = true if Settings.gitlab.default_projects_features['merge_requests'].nil?
 Settings.gitlab.default_projects_features['wiki']               = true if Settings.gitlab.default_projects_features['wiki'].nil?
-Settings.gitlab.default_projects_features['snippets']           = false if Settings.gitlab.default_projects_features['snippets'].nil?
+Settings.gitlab.default_projects_features['snippets']           = true if Settings.gitlab.default_projects_features['snippets'].nil?
 Settings.gitlab.default_projects_features['builds']             = true if Settings.gitlab.default_projects_features['builds'].nil?
 Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil?
 Settings.gitlab.default_projects_features['visibility_level']   = Settings.send(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
@@ -272,8 +278,8 @@ Settings.pages['host']            ||= "example.com"
 Settings.pages['port']            ||= Settings.pages.https ? 443 : 80
 Settings.pages['protocol']        ||= Settings.pages.https ? "https" : "http"
 Settings.pages['url']             ||= Settings.send(:build_pages_url)
-Settings.pages['external_http']   ||= false if Settings.pages['external_http'].nil?
-Settings.pages['external_https']  ||= false if Settings.pages['external_https'].nil?
+Settings.pages['external_http']   ||= false unless Settings.pages['external_http'].present?
+Settings.pages['external_https']  ||= false unless Settings.pages['external_https'].present?
 
 #
 # Git LFS
@@ -302,9 +308,9 @@ Settings.gravatar['host']         = Settings.host_without_www(Settings.gravatar[
 # Cron Jobs
 #
 Settings['cron_jobs'] ||= Settingslogic.new({})
-Settings.cron_jobs['stuck_ci_builds_worker'] ||= Settingslogic.new({})
-Settings.cron_jobs['stuck_ci_builds_worker']['cron'] ||= '0 0 * * *'
-Settings.cron_jobs['stuck_ci_builds_worker']['job_class'] = 'StuckCiBuildsWorker'
+Settings.cron_jobs['stuck_ci_jobs_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['stuck_ci_jobs_worker']['cron'] ||= '0 * * * *'
+Settings.cron_jobs['stuck_ci_jobs_worker']['job_class'] = 'StuckCiJobsWorker'
 Settings.cron_jobs['expire_build_artifacts_worker'] ||= Settingslogic.new({})
 Settings.cron_jobs['expire_build_artifacts_worker']['cron'] ||= '50 * * * *'
 Settings.cron_jobs['expire_build_artifacts_worker']['job_class'] = 'ExpireBuildArtifactsWorker'
@@ -360,8 +366,13 @@ Settings.gitlab_shell['ssh_path_prefix'] ||= Settings.send(:build_gitlab_shell_s
 #
 Settings['repositories'] ||= Settingslogic.new({})
 Settings.repositories['storages'] ||= {}
-# Setting gitlab_shell.repos_path is DEPRECATED and WILL BE REMOVED in version 9.0
-Settings.repositories.storages['default'] ||= Settings.gitlab_shell['repos_path'] || Settings.gitlab['user_home'] + '/repositories/'
+unless Settings.repositories.storages['default']
+  Settings.repositories.storages['default'] ||= {}
+  # We set the path only if the default storage doesn't exist, in case it exists
+  # but follows the pre-9.0 configuration structure. `6_validations.rb` initializer
+  # will validate all storages and throw a relevant error to the user if necessary.
+  Settings.repositories.storages['default']['path'] ||= Settings.gitlab['user_home'] + '/repositories/'
+end
 
 #
 # The repository_downloads_path is used to remove outdated repository
@@ -370,11 +381,11 @@ Settings.repositories.storages['default'] ||= Settings.gitlab_shell['repos_path'
 # data-integrity issue. In this case, we sets it to the default
 # repository_downloads_path value.
 #
-repositories_storages_path     = Settings.repositories.storages.values
+repositories_storages          = Settings.repositories.storages.values
 repository_downloads_path      = Settings.gitlab['repository_downloads_path'].to_s.gsub(/\/$/, '')
 repository_downloads_full_path = File.expand_path(repository_downloads_path, Settings.gitlab['user_home'])
 
-if repository_downloads_path.blank? || repositories_storages_path.any? { |path| [repository_downloads_path, repository_downloads_full_path].include?(path.gsub(/\/$/, '')) }
+if repository_downloads_path.blank? || repositories_storages.any? { |rs| [repository_downloads_path, repository_downloads_full_path].include?(rs['path'].gsub(/\/$/, '')) }
   Settings.gitlab['repository_downloads_path'] = File.join(Settings.shared['path'], 'cache/archive')
 end
 
@@ -393,6 +404,7 @@ if Settings.backup['upload']['connection']
 end
 Settings.backup['upload']['multipart_chunk_size'] ||= 104857600
 Settings.backup['upload']['encryption'] ||= nil
+Settings.backup['upload']['storage_class'] ||= nil
 
 #
 # Git
diff --git a/config/initializers/6_validations.rb b/config/initializers/6_validations.rb
index d92f64e1647..9e24f42d284 100644
--- a/config/initializers/6_validations.rb
+++ b/config/initializers/6_validations.rb
@@ -4,8 +4,8 @@ end
 
 def find_parent_path(name, path)
   parent = Pathname.new(path).realpath.parent
-  Gitlab.config.repositories.storages.detect do |n, p|
-    name != n && Pathname.new(p).realpath == parent
+  Gitlab.config.repositories.storages.detect do |n, rs|
+    name != n && Pathname.new(rs['path']).realpath == parent
   end
 end
 
@@ -13,17 +13,33 @@ def storage_validation_error(message)
   raise "#{message}. Please fix this in your gitlab.yml before starting GitLab."
 end
 
-def validate_storages
+def validate_storages_config
   storage_validation_error('No repository storage path defined') if Gitlab.config.repositories.storages.empty?
 
-  Gitlab.config.repositories.storages.each do |name, path|
+  Gitlab.config.repositories.storages.each do |name, repository_storage|
     storage_validation_error("\"#{name}\" is not a valid storage name") unless storage_name_valid?(name)
 
-    parent_name, _parent_path = find_parent_path(name, path)
+    if repository_storage.is_a?(String)
+      raise "#{name} is not a valid storage, because it has no `path` key. " \
+        "It may be configured as:\n\n#{name}:\n  path: #{repository_storage}\n\n" \
+        "For source installations, update your config/gitlab.yml Refer to gitlab.yml.example for an updated example.\n\n" \
+        "If you're using the Gitlab Development Kit, you can update your configuration running `gdk reconfigure`.\n"
+    end
+
+    if !repository_storage.is_a?(Hash) || repository_storage['path'].nil?
+      storage_validation_error("#{name} is not a valid storage, because it has no `path` key. Refer to gitlab.yml.example for an updated example")
+    end
+  end
+end
+
+def validate_storages_paths
+  Gitlab.config.repositories.storages.each do |name, repository_storage|
+    parent_name, _parent_path = find_parent_path(name, repository_storage['path'])
     if parent_name
       storage_validation_error("#{name} is a nested path of #{parent_name}. Nested paths are not supported for repository storages")
     end
   end
 end
 
-validate_storages unless Rails.env.test? || ENV['SKIP_STORAGE_VALIDATION'] == 'true'
+validate_storages_config
+validate_storages_paths unless Rails.env.test? || ENV['SKIP_STORAGE_VALIDATION'] == 'true'
diff --git a/config/initializers/8_gitaly.rb b/config/initializers/8_gitaly.rb
new file mode 100644
index 00000000000..07dd30f0a24
--- /dev/null
+++ b/config/initializers/8_gitaly.rb
@@ -0,0 +1,2 @@
+# Make sure we initialize a Gitaly channel before Sidekiq starts multi-threaded execution.
+Gitlab::GitalyClient.channel unless Rails.env.test?
diff --git a/config/initializers/metrics.rb b/config/initializers/8_metrics.rb
index e0702e06cc9..5e0eefdb154 100644
--- a/config/initializers/metrics.rb
+++ b/config/initializers/8_metrics.rb
@@ -20,13 +20,17 @@ def instrument_classes(instrumentation)
 
   # Path to search => prefix to strip from constant
   paths_to_instrument = {
-    ['app', 'finders']                    => ['app', 'finders'],
-    ['app', 'mailers', 'emails']          => ['app', 'mailers'],
-    ['app', 'services', '**']             => ['app', 'services'],
-    ['lib', 'gitlab', 'conflicts']        => ['lib'],
-    ['lib', 'gitlab', 'diff']             => ['lib'],
-    ['lib', 'gitlab', 'email', 'message'] => ['lib'],
-    ['lib', 'gitlab', 'checks']           => ['lib']
+    %w(app finders)                => %w(app finders),
+    %w(app mailers emails)         => %w(app mailers),
+    # Don't instrument `app/services/concerns`
+    # It contains modules that are included in the services.
+    # The services themselves are instrumented so the methods from the modules
+    # are included.
+    %w(app services [^concerns]**) => %w(app services),
+    %w(lib gitlab conflicts)       => ['lib'],
+    %w(lib gitlab diff)            => ['lib'],
+    %w(lib gitlab email message)   => ['lib'],
+    %w(lib gitlab checks)          => ['lib']
   }
 
   paths_to_instrument.each do |(path, prefix)|
@@ -120,9 +124,9 @@ if Gitlab::Metrics.enabled?
 
   # These are manually require'd so the classes are registered properly with
   # ActiveSupport.
-  require 'gitlab/metrics/subscribers/action_view'
-  require 'gitlab/metrics/subscribers/active_record'
-  require 'gitlab/metrics/subscribers/rails_cache'
+  require_dependency 'gitlab/metrics/subscribers/action_view'
+  require_dependency 'gitlab/metrics/subscribers/active_record'
+  require_dependency 'gitlab/metrics/subscribers/rails_cache'
 
   Gitlab::Application.configure do |config|
     config.middleware.use(Gitlab::Metrics::RackMiddleware)
diff --git a/config/initializers/acts_as_taggable.rb b/config/initializers/acts_as_taggable.rb
new file mode 100644
index 00000000000..c564c0cab11
--- /dev/null
+++ b/config/initializers/acts_as_taggable.rb
@@ -0,0 +1,5 @@
+ActsAsTaggableOn.strict_case_match = true
+
+# tags_counter enables caching count of tags which results in an update whenever a tag is added or removed
+# since the count is not used anywhere its better performance wise to disable this cache
+ActsAsTaggableOn.tags_counter = false
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 738dbeefc11..3b1317030bc 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -24,7 +24,7 @@ Devise.setup do |config|
   # session. If you need permissions, you should implement that in a before filter.
   # You can also supply a hash where the value is a boolean determining whether
   # or not authentication should be aborted when the value is not present.
-  config.authentication_keys = [ :login ]
+  config.authentication_keys = [:login]
 
   # Configure parameters from the request object used for authentication. Each entry
   # given should be a request method and it will automatically be passed to the
@@ -36,12 +36,12 @@ Devise.setup do |config|
   # Configure which authentication keys should be case-insensitive.
   # These keys will be downcased upon creating or modifying a user and when used
   # to authenticate or find a user. Default is :email.
-  config.case_insensitive_keys = [ :email ]
+  config.case_insensitive_keys = [:email]
 
   # Configure which authentication keys should have whitespace stripped.
   # These keys will have whitespace before and after removed upon creating or
   # modifying a user and when used to authenticate or find a user. Default is :email.
-  config.strip_whitespace_keys = [ :email ]
+  config.strip_whitespace_keys = [:email]
 
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
@@ -124,7 +124,7 @@ Devise.setup do |config|
   config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  config.unlock_keys = [ :email ]
+  config.unlock_keys = [:email]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 88cd0f5f652..a5636765774 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -6,9 +6,14 @@ Doorkeeper.configure do
   # This block will be called to check whether the resource owner is authenticated or not.
   resource_owner_authenticator do
     # Put your resource owner authentication logic here.
-    # Ensure user is redirected to redirect_uri after login
-    session[:user_return_to] = request.fullpath
-    current_user || redirect_to(new_user_session_url)
+    if current_user
+      current_user
+    else
+      # Ensure user is redirected to redirect_uri after login
+      session[:user_return_to] = request.fullpath
+      redirect_to(new_user_session_url)
+      nil
+    end
   end
 
   resource_owner_from_credentials do |routes|
diff --git a/config/initializers/doorkeeper_openid_connect.rb b/config/initializers/doorkeeper_openid_connect.rb
new file mode 100644
index 00000000000..700ca25b884
--- /dev/null
+++ b/config/initializers/doorkeeper_openid_connect.rb
@@ -0,0 +1,36 @@
+Doorkeeper::OpenidConnect.configure do
+  issuer Gitlab.config.gitlab.url
+
+  jws_private_key Rails.application.secrets.jws_private_key
+
+  resource_owner_from_access_token do |access_token|
+    User.active.find_by(id: access_token.resource_owner_id)
+  end
+
+  auth_time_from_resource_owner do |user|
+    user.current_sign_in_at
+  end
+
+  reauthenticate_resource_owner do |user, return_to|
+    store_location_for user, return_to
+    sign_out user
+    redirect_to new_user_session_url
+  end
+
+  subject do |user|
+    # hash the user's ID with the Rails secret_key_base to avoid revealing it
+    Digest::SHA256.hexdigest "#{user.id}-#{Rails.application.secrets.secret_key_base}"
+  end
+
+  claims do
+    with_options scope: :openid do |o|
+      o.claim(:name)           { |user| user.name }
+      o.claim(:nickname)       { |user| user.username }
+      o.claim(:email)          { |user| user.public_email  }
+      o.claim(:email_verified) { |user| true if user.public_email? }
+      o.claim(:website)        { |user| user.full_website_url if user.website_url? }
+      o.claim(:profile)        { |user| Rails.application.routes.url_helpers.user_url user }
+      o.claim(:picture)        { |user| user.avatar_url }
+    end
+  end
+end
diff --git a/config/initializers/etag_caching.rb b/config/initializers/etag_caching.rb
new file mode 100644
index 00000000000..eba88801141
--- /dev/null
+++ b/config/initializers/etag_caching.rb
@@ -0,0 +1,4 @@
+# This middleware has to come after Gitlab::Metrics::RackMiddleware
+# in the middleware stack, because it tracks events with
+# GitLab Performance Monitoring
+Rails.application.config.middleware.use(Gitlab::EtagCaching::Middleware)
diff --git a/config/initializers/fix_local_cache_middleware.rb b/config/initializers/fix_local_cache_middleware.rb
new file mode 100644
index 00000000000..cb37f9ed22c
--- /dev/null
+++ b/config/initializers/fix_local_cache_middleware.rb
@@ -0,0 +1,24 @@
+module LocalCacheRegistryCleanupWithEnsure
+  LocalCacheRegistry =
+    ActiveSupport::Cache::Strategy::LocalCache::LocalCacheRegistry
+  LocalStore =
+    ActiveSupport::Cache::Strategy::LocalCache::LocalStore
+
+  def call(env)
+    LocalCacheRegistry.set_cache_for(local_cache_key, LocalStore.new)
+    response = @app.call(env)
+    response[2] = ::Rack::BodyProxy.new(response[2]) do
+      LocalCacheRegistry.set_cache_for(local_cache_key, nil)
+    end
+    cleanup_after_response = true # ADDED THIS LINE
+    response
+  rescue Rack::Utils::InvalidParameterError
+    [400, {}, []]
+  ensure # ADDED ensure CLAUSE to cleanup when something is thrown
+    LocalCacheRegistry.set_cache_for(local_cache_key, nil) unless
+      cleanup_after_response
+  end
+end
+
+ActiveSupport::Cache::Strategy::LocalCache::Middleware
+  .prepend(LocalCacheRegistryCleanupWithEnsure)
diff --git a/config/initializers/gollum.rb b/config/initializers/gollum.rb
index 703f24f93b2..1ebe3c7a742 100644
--- a/config/initializers/gollum.rb
+++ b/config/initializers/gollum.rb
@@ -1,5 +1,5 @@
 module Gollum
-  GIT_ADAPTER = "rugged"
+  GIT_ADAPTER = "rugged".freeze
 end
 require "gollum-lib"
 
diff --git a/config/initializers/health_check.rb b/config/initializers/health_check.rb
index 4c91a61fb4a..959daa93f78 100644
--- a/config/initializers/health_check.rb
+++ b/config/initializers/health_check.rb
@@ -1,4 +1,4 @@
 HealthCheck.setup do |config|
-  config.standard_checks = ['database', 'migrations', 'cache']
-  config.full_checks = ['database', 'migrations', 'cache']
+  config.standard_checks = %w(database migrations cache)
+  config.full_checks = %w(database migrations cache)
 end
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index ab5a0561b8c..f7fa6d1c2de 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -20,15 +20,12 @@ OmniAuth.config.before_request_phase do |env|
 end
 
 if Gitlab.config.omniauth.enabled
-  Gitlab.config.omniauth.providers.each do |provider|
-    if provider['name'] == 'kerberos'
-      require 'omniauth-kerberos'
-    end
-  end
+  provider_names = Gitlab.config.omniauth.providers.map(&:name)
+  require 'omniauth-kerberos' if provider_names.include?('kerberos')
 end
 
 module OmniAuth
   module Strategies
-    autoload :Bitbucket, Rails.root.join('lib', 'omniauth', 'strategies', 'bitbucket')
+    autoload :Bitbucket, Rails.root.join('lib', 'omni_auth', 'strategies', 'bitbucket')
   end
 end
diff --git a/config/initializers/request_context.rb b/config/initializers/request_context.rb
new file mode 100644
index 00000000000..0b485fc1adc
--- /dev/null
+++ b/config/initializers/request_context.rb
@@ -0,0 +1,3 @@
+Rails.application.configure do |config|
+  config.middleware.insert_after RequestStore::Middleware, Gitlab::RequestContext
+end
diff --git a/config/initializers/rspec_profiling.rb b/config/initializers/rspec_profiling.rb
index 0ef9f51e5cf..70177995356 100644
--- a/config/initializers/rspec_profiling.rb
+++ b/config/initializers/rspec_profiling.rb
@@ -1,22 +1,41 @@
-module RspecProfilingConnection
-  def establish_connection
-    ::RspecProfiling::Collectors::PSQL::Result.establish_connection(ENV['RSPEC_PROFILING_POSTGRES_URL'])
+module RspecProfilingExt
+  module PSQL
+    def establish_connection
+      ::RspecProfiling::Collectors::PSQL::Result.establish_connection(ENV['RSPEC_PROFILING_POSTGRES_URL'])
+    end
   end
-end
 
-module RspecProfilingGitBranchCi
-  def branch
-    ENV['CI_BUILD_REF_NAME'] || super
+  module Git
+    def branch
+      ENV['CI_COMMIT_REF_NAME'] || super
+    end
+  end
+
+  module Run
+    def example_finished(*args)
+      super
+    rescue => err
+      return if @already_logged_example_finished_error
+
+      $stderr.puts "rspec_profiling couldn't collect an example: #{err}. Further warnings suppressed."
+      @already_logged_example_finished_error = true
+    end
+
+    alias_method :example_passed, :example_finished
+    alias_method :example_failed, :example_finished
   end
 end
 
 if Rails.env.test?
   RspecProfiling.configure do |config|
     if ENV['RSPEC_PROFILING_POSTGRES_URL']
-      RspecProfiling::Collectors::PSQL.prepend(RspecProfilingConnection)
+      RspecProfiling::Collectors::PSQL.prepend(RspecProfilingExt::PSQL)
       config.collector = RspecProfiling::Collectors::PSQL
     end
   end
 
-  RspecProfiling::VCS::Git.prepend(RspecProfilingGitBranchCi) if ENV.has_key?('CI')
+  if ENV.has_key?('CI')
+    RspecProfiling::VCS::Git.prepend(RspecProfilingExt::Git)
+    RspecProfiling::Run.prepend(RspecProfilingExt::Run)
+  end
 end
diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 291fa6c0abc..f9c1d2165d3 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -24,7 +24,8 @@ def create_tokens
   defaults = {
     secret_key_base: file_secret_key || generate_new_secure_token,
     otp_key_base: env_secret_key || file_secret_key || generate_new_secure_token,
-    db_key_base: generate_new_secure_token
+    db_key_base: generate_new_secure_token,
+    jws_private_key: generate_new_rsa_private_key
   }
 
   missing_secrets = set_missing_keys(defaults)
@@ -41,6 +42,10 @@ def generate_new_secure_token
   SecureRandom.hex(64)
 end
 
+def generate_new_rsa_private_key
+  OpenSSL::PKey::RSA.new(2048).to_pem
+end
+
 def warn_missing_secret(secret)
   warn "Missing Rails.application.secrets.#{secret} for #{Rails.env} environment. The secret will be generated and stored in config/secrets.yml."
 end
diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index 0c4516b70f0..ecd73956488 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -19,6 +19,12 @@ Sidekiq.configure_server do |config|
     chain.add Gitlab::SidekiqStatus::ClientMiddleware
   end
 
+  config.on :startup do
+    # Clear any connections that might have been obtained before starting
+    # Sidekiq (e.g. in an initializer).
+    ActiveRecord::Base.clear_all_connections!
+  end
+
   # Sidekiq-cron: load recurring jobs from gitlab.yml
   # UGLY Hack to get nested hash from settingslogic
   cron_jobs = JSON.parse(Gitlab.config.cron_jobs.to_json)
@@ -36,7 +42,7 @@ Sidekiq.configure_server do |config|
 
   Gitlab::SidekiqThrottler.execute!
 
-  config = ActiveRecord::Base.configurations[Rails.env] ||
+  config = Gitlab::Database.config ||
     Rails.application.config.database_configuration[Rails.env]
   config['pool'] = Sidekiq.options[:concurrency]
   ActiveRecord::Base.establish_connection(config)
diff --git a/config/initializers/trusted_proxies.rb b/config/initializers/trusted_proxies.rb
index cd869657c53..fc4f02453d7 100644
--- a/config/initializers/trusted_proxies.rb
+++ b/config/initializers/trusted_proxies.rb
@@ -21,4 +21,4 @@ gitlab_trusted_proxies = Array(Gitlab.config.gitlab.trusted_proxies).map do |pro
 end.compact
 
 Rails.application.config.action_dispatch.trusted_proxies = (
-  [ '127.0.0.1', '::1' ] + gitlab_trusted_proxies)
+  ['127.0.0.1', '::1'] + gitlab_trusted_proxies)
diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb
new file mode 100644
index 00000000000..3d83fb92d56
--- /dev/null
+++ b/config/initializers/warden.rb
@@ -0,0 +1,5 @@
+Rails.application.configure do |config|
+  Warden::Manager.after_set_user do |user, auth, opts|
+    Gitlab::Auth::UniqueIpsLimiter.limit_user!(user)
+  end
+end
diff --git a/config/initializers/workhorse_multipart.rb b/config/initializers/workhorse_multipart.rb
index 84d809741c4..064e5964f09 100644
--- a/config/initializers/workhorse_multipart.rb
+++ b/config/initializers/workhorse_multipart.rb
@@ -10,7 +10,7 @@ end
 #
 module Gitlab
   module StrongParameterScalars
-    GITLAB_PERMITTED_SCALAR_TYPES = [::UploadedFile]
+    GITLAB_PERMITTED_SCALAR_TYPES = [::UploadedFile].freeze
 
     def permitted_scalar?(value)
       super || GITLAB_PERMITTED_SCALAR_TYPES.any? { |type| value.is_a?(type) }