Merge remote-tracking branch 'upstream/master' into feature/1376-allow-write-access-deploy-keys

* upstream/master: (3852 commits)
  Grapify token API
  Fix cache for commit status in commits list to respect branches
  Grapify milestones API
  Grapify runners API
  Improve EeCompatCheck, cache EE repo and keep artifacts for the ee_compat_check task
  Use 'Forking in progress' title when appropriate
  Fix CHANGELOG after 8.14.0-rc1 tag
  Update CHANGELOG.md for 8.14.0-rc1
  Fix YAML syntax on CHANGELOG entry
  Remove redundant rescue from repository keep_around
  Remove redundant space from repository model code
  Remove order-dependent expectation
  Minor CHANGELOG.md cleanups
  Add a link to Git cheatsheet PDF in docs readme
  Grapify the session API
  Add 8.13.5, 8.12.9, and 8.11.11 CHANGELOG
  Merge branch 'unauthenticated-container-registry-access' into 'security'
  Merge branch '23403-fix-events-for-private-project-features' into 'security'
  Merge branch 'fix-unathorized-cloning' into 'security'
  Merge branch 'markdown-xss-fix-option-2.1' into 'security'
  ...

43 files changed, 1215 insertions, 877 deletions

diff --git a/config/application.rb b/config/application.rb
index 4a9ed41cbf8..946b632b0e8 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -24,7 +24,8 @@ module Gitlab
                                      #{config.root}/app/models/ci
                                      #{config.root}/app/models/hooks
                                      #{config.root}/app/models/members
-                                     #{config.root}/app/models/project_services))
+                                     #{config.root}/app/models/project_services
+                                     #{config.root}/app/workers/concerns))
 
     config.generators.templates.push("#{config.root}/generator_templates")
 
@@ -50,6 +51,7 @@ module Gitlab
     # - Build variables (:variables)
     # - GitLab Pages SSL cert/key info (:certificate, :encrypted_key)
     # - Webhook URLs (:hook)
+    # - GitLab-shell secret token (:secret_token)
     # - Sentry DSN (:sentry_dsn)
     # - Deploy keys (:key)
     config.filter_parameters += %i(
@@ -62,6 +64,7 @@ module Gitlab
       password
       password_confirmation
       private_token
+      secret_token
       sentry_dsn
       variables
     )
@@ -85,6 +88,14 @@ module Gitlab
     config.assets.precompile << "users/users_bundle.js"
     config.assets.precompile << "network/network_bundle.js"
     config.assets.precompile << "profile/profile_bundle.js"
+    config.assets.precompile << "protected_branches/protected_branches_bundle.js"
+    config.assets.precompile << "diff_notes/diff_notes_bundle.js"
+    config.assets.precompile << "boards/boards_bundle.js"
+    config.assets.precompile << "cycle_analytics/cycle_analytics_bundle.js"
+    config.assets.precompile << "merge_conflicts/merge_conflicts_bundle.js"
+    config.assets.precompile << "boards/test_utils/simulate_drag.js"
+    config.assets.precompile << "blob_edit/blob_edit_bundle.js"
+    config.assets.precompile << "snippet/snippet_bundle.js"
     config.assets.precompile << "lib/utils/*.js"
     config.assets.precompile << "lib/*.js"
     config.assets.precompile << "u2f.js"
@@ -94,13 +105,24 @@ module Gitlab
 
     config.action_view.sanitized_allowed_protocols = %w(smb)
 
-    config.middleware.use Rack::Attack
+    config.middleware.insert_before Warden::Manager, Rack::Attack
 
     # Allow access to GitLab API from other domains
-    config.middleware.use Rack::Cors do
+    config.middleware.insert_before Warden::Manager, Rack::Cors do
+      allow do
+        origins Gitlab.config.gitlab.url
+        resource '/api/*',
+          credentials: true,
+          headers: :any,
+          methods: :any,
+          expose: ['Link']
+      end
+
+      # Cross-origin requests must not have the session cookie available
       allow do
         origins '*'
         resource '/api/*',
+          credentials: false,
           headers: :any,
           methods: :any,
           expose: ['Link']
@@ -111,6 +133,10 @@ module Gitlab
     redis_config_hash = Gitlab::Redis.params
     redis_config_hash[:namespace] = Gitlab::Redis::CACHE_NAMESPACE
     redis_config_hash[:expires_in] = 2.weeks # Cache should not grow forever
+    if Sidekiq.server? # threaded context
+      redis_config_hash[:pool_size] = Sidekiq.options[:concurrency] + 5
+      redis_config_hash[:pool_timeout] = 1
+    end
     config.cache_store = :redis_store, redis_config_hash
 
     config.active_record.raise_in_transactional_callbacks = true
diff --git a/config/dependency_decisions.yml b/config/dependency_decisions.yml
index 74325872b09..c11296975b7 100644
--- a/config/dependency_decisions.yml
+++ b/config/dependency_decisions.yml
@@ -101,6 +101,13 @@
     :why: GPL-licensed libraries cannot be linked to from non-GPL projects.
     :versions: []
     :when: 2016-05-02 05:29:43.904715000 Z
+- - :blacklist
+  - OSL-3.0
+  - :who: Sean McGivern
+    :why: The OSL license is a copyleft license
+    :versions: []
+    :when: 2016-10-28 11:02:15.540105000 Z
+
 
 # GEM LICENSES
 - - :license
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 1470a6e2550..699ab6075b6 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -70,6 +70,7 @@ production: &base
     email_from: example@example.com
     email_display_name: GitLab
     email_reply_to: noreply@example.com
+    email_subject_suffix: ''
 
     # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
 
@@ -111,7 +112,7 @@ production: &base
 
   ## Reply by email
   # Allow users to comment on issues and merge requests by replying to notification emails.
-  # For documentation on how to set this up, see http://doc.gitlab.com/ce/incoming_email/README.html
+  # For documentation on how to set this up, see http://doc.gitlab.com/ce/administration/reply_by_email.html
   incoming_email:
     enabled: false
 
@@ -431,7 +432,9 @@ production: &base
   ## Repositories settings
   repositories:
     # Paths where repositories can be stored. Give the canonicalized absolute pathname.
-    # NOTE: REPOS PATHS MUST NOT CONTAIN ANY SYMLINK!!!
+    # IMPORTANT: None of the path components may be symlink, because
+    # gitlab-shell invokes Dir.pwd inside the repository path and that results
+    # real path not the symlink.
     storages: # You must have at least a `default` storage path.
       default: /home/git/repositories/
 
@@ -546,6 +549,10 @@ test:
       project_url: "http://redmine/projects/:issues_tracker_id"
       issues_url: "http://redmine/:project_id/:issues_tracker_id/:id"
       new_issue_url: "http://redmine/projects/:issues_tracker_id/issues/new"
+    jira:
+      title: "JIRA"
+      url: https://sample_company.atlasian.net
+      project_key: PROJECT
   ldap:
     enabled: false
     servers:
diff --git a/config/initializers/0_post_deployment_migrations.rb b/config/initializers/0_post_deployment_migrations.rb
new file mode 100644
index 00000000000..0068a03d214
--- /dev/null
+++ b/config/initializers/0_post_deployment_migrations.rb
@@ -0,0 +1,12 @@
+# Post deployment migrations are included by default. This file must be loaded
+# before other initializers as Rails may otherwise memoize a list of migrations
+# excluding the post deployment migrations.
+unless ENV['SKIP_POST_DEPLOYMENT_MIGRATIONS']
+  path = Rails.root.join('db', 'post_migrate').to_s
+
+  Rails.application.config.paths['db/migrate'] << path
+
+  # Rails memoizes migrations at certain points where it won't read the above
+  # path just yet. As such we must also update the following list of paths.
+  ActiveRecord::Migrator.migrations_paths << path
+end
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index deac3b0f0f9..9fec2ad6bf7 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -186,6 +186,7 @@ Settings.gitlab['email_enabled'] ||= true if Settings.gitlab['email_enabled'].ni
 Settings.gitlab['email_from'] ||= ENV['GITLAB_EMAIL_FROM'] || "gitlab@#{Settings.gitlab.host}"
 Settings.gitlab['email_display_name'] ||= ENV['GITLAB_EMAIL_DISPLAY_NAME'] || 'GitLab'
 Settings.gitlab['email_reply_to'] ||= ENV['GITLAB_EMAIL_REPLY_TO'] || "noreply@#{Settings.gitlab.host}"
+Settings.gitlab['email_subject_suffix'] ||= ENV['GITLAB_EMAIL_SUBJECT_SUFFIX'] || ""
 Settings.gitlab['base_url']   ||= Settings.send(:build_base_gitlab_url)
 Settings.gitlab['url']        ||= Settings.send(:build_gitlab_url)
 Settings.gitlab['user']       ||= 'git'
@@ -212,7 +213,7 @@ Settings.gitlab.default_projects_features['builds']             = true if Settin
 Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil?
 Settings.gitlab.default_projects_features['visibility_level']   = Settings.send(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
 Settings.gitlab['domain_whitelist'] ||= []
-Settings.gitlab['import_sources'] ||= %w[github bitbucket gitlab gitorious google_code fogbugz git gitlab_project]
+Settings.gitlab['import_sources'] ||= %w[github bitbucket gitlab google_code fogbugz git gitlab_project]
 Settings.gitlab['trusted_proxies'] ||= []
 
 #
@@ -293,6 +294,22 @@ Settings.cron_jobs['import_export_project_cleanup_worker']['job_class'] = 'Impor
 Settings.cron_jobs['requests_profiles_worker'] ||= Settingslogic.new({})
 Settings.cron_jobs['requests_profiles_worker']['cron'] ||= '0 0 * * *'
 Settings.cron_jobs['requests_profiles_worker']['job_class'] = 'RequestsProfilesWorker'
+Settings.cron_jobs['remove_expired_members_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['remove_expired_members_worker']['cron'] ||= '10 0 * * *'
+Settings.cron_jobs['remove_expired_members_worker']['job_class'] = 'RemoveExpiredMembersWorker'
+Settings.cron_jobs['remove_expired_group_links_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['remove_expired_group_links_worker']['cron'] ||= '10 0 * * *'
+Settings.cron_jobs['remove_expired_group_links_worker']['job_class'] = 'RemoveExpiredGroupLinksWorker'
+Settings.cron_jobs['prune_old_events_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['prune_old_events_worker']['cron'] ||= '* */6 * * *'
+Settings.cron_jobs['prune_old_events_worker']['job_class'] = 'PruneOldEventsWorker'
+
+Settings.cron_jobs['trending_projects_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['trending_projects_worker']['cron'] = '0 1 * * *'
+Settings.cron_jobs['trending_projects_worker']['job_class'] = 'TrendingProjectsWorker'
+Settings.cron_jobs['remove_unreferenced_lfs_objects_worker'] ||= Settingslogic.new({})
+Settings.cron_jobs['remove_unreferenced_lfs_objects_worker']['cron'] ||= '20 0 * * *'
+Settings.cron_jobs['remove_unreferenced_lfs_objects_worker']['job_class'] = 'RemoveUnreferencedLfsObjectsWorker'
 
 #
 # GitLab Shell
diff --git a/config/initializers/7_redis.rb b/config/initializers/7_redis.rb
new file mode 100644
index 00000000000..ae2ca258df1
--- /dev/null
+++ b/config/initializers/7_redis.rb
@@ -0,0 +1,3 @@
+# Make sure we initialize a Redis connection pool before Sidekiq starts
+# multi-threaded execution.
+Gitlab::Redis.with { nil }
diff --git a/config/initializers/ar5_batching.rb b/config/initializers/ar5_batching.rb
new file mode 100644
index 00000000000..35e8b3808e2
--- /dev/null
+++ b/config/initializers/ar5_batching.rb
@@ -0,0 +1,41 @@
+# Port ActiveRecord::Relation#in_batches from ActiveRecord 5.
+# https://github.com/rails/rails/blob/ac027338e4a165273607dccee49a3d38bc836794/activerecord/lib/active_record/relation/batches.rb#L184
+# TODO: this can be removed once we're using AR5.
+raise "Vendored ActiveRecord 5 code! Delete #{__FILE__}!" if ActiveRecord::VERSION::MAJOR >= 5
+
+module ActiveRecord
+  module Batches
+    # Differences from upstream: enumerator support was removed, and custom
+    # order/limit clauses are ignored without a warning.
+    def in_batches(of: 1000, start: nil, finish: nil, load: false)
+      raise "Must provide a block" unless block_given?
+
+      relation = self.reorder(batch_order).limit(of)
+      relation = relation.where(arel_table[primary_key].gteq(start)) if start
+      relation = relation.where(arel_table[primary_key].lteq(finish)) if finish
+      batch_relation = relation
+
+      loop do
+        if load
+          records = batch_relation.records
+          ids = records.map(&:id)
+          yielded_relation = self.where(primary_key => ids)
+          yielded_relation.load_records(records)
+        else
+          ids = batch_relation.pluck(primary_key)
+          yielded_relation = self.where(primary_key => ids)
+        end
+
+        break if ids.empty?
+
+        primary_key_offset = ids.last
+        raise ArgumentError.new("Primary key not included in the custom select clause") unless primary_key_offset
+
+        yield yielded_relation
+
+        break if ids.length < of
+        batch_relation = relation.where(arel_table[primary_key].gt(primary_key_offset))
+      end
+    end
+  end
+end
diff --git a/config/initializers/ar_monkey_patch.rb b/config/initializers/ar_monkey_patch.rb
new file mode 100644
index 00000000000..0da584626ee
--- /dev/null
+++ b/config/initializers/ar_monkey_patch.rb
@@ -0,0 +1,57 @@
+# rubocop:disable Lint/RescueException
+
+# This patch fixes https://github.com/rails/rails/issues/26024
+# TODO: Remove it when it's no longer necessary
+
+module ActiveRecord
+  module Locking
+    module Optimistic
+      # We overwrite this method because we don't want to have default value
+      # for newly created records
+      def _create_record(attribute_names = self.attribute_names, *) # :nodoc:
+        super
+      end
+
+      def _update_record(attribute_names = self.attribute_names) #:nodoc:
+        return super unless locking_enabled?
+        return 0 if attribute_names.empty?
+
+        lock_col = self.class.locking_column
+
+        previous_lock_value = send(lock_col).to_i
+
+        # This line is added as a patch
+        previous_lock_value = nil if previous_lock_value == '0' || previous_lock_value == 0
+
+        increment_lock
+
+        attribute_names += [lock_col]
+        attribute_names.uniq!
+
+        begin
+          relation = self.class.unscoped
+
+          affected_rows = relation.where(
+            self.class.primary_key => id,
+            lock_col => previous_lock_value,
+          ).update_all(
+            attributes_for_update(attribute_names).map do |name|
+              [name, _read_attribute(name)]
+            end.to_h
+          )
+
+          unless affected_rows == 1
+            raise ActiveRecord::StaleObjectError.new(self, "update")
+          end
+
+          affected_rows
+
+        # If something went wrong, revert the version.
+        rescue Exception
+          send(lock_col + '=', previous_lock_value)
+          raise
+        end
+      end
+    end
+  end
+end
diff --git a/config/initializers/ar_speed_up_migration_checking.rb b/config/initializers/ar_speed_up_migration_checking.rb
new file mode 100644
index 00000000000..1fe5defc01d
--- /dev/null
+++ b/config/initializers/ar_speed_up_migration_checking.rb
@@ -0,0 +1,18 @@
+if Rails.env.test?
+  require 'active_record/migration'
+
+  module ActiveRecord
+    class Migrator
+      class << self
+        alias_method :migrations_unmemoized, :migrations
+
+        # This method is called a large number of times per rspec example, and
+        # it reads + parses `db/migrate/*` each time. Memoizing it can save 0.5
+        # seconds per spec.
+        def migrations(paths)
+          @migrations ||= migrations_unmemoized(paths)
+        end
+      end
+    end
+  end
+end
diff --git a/config/initializers/attr_encrypted_no_db_connection.rb b/config/initializers/attr_encrypted_no_db_connection.rb
index c668864089b..e007666b852 100644
--- a/config/initializers/attr_encrypted_no_db_connection.rb
+++ b/config/initializers/attr_encrypted_no_db_connection.rb
@@ -1,20 +1,21 @@
 module AttrEncrypted
   module Adapters
     module ActiveRecord
-      def attribute_instance_methods_as_symbols_with_no_db_connection
-        # Use with_connection so the connection doesn't stay pinned to the thread.
-        connected = ::ActiveRecord::Base.connection_pool.with_connection(&:active?) rescue false
-        
-        if connected
-          # Call version from AttrEncrypted::Adapters::ActiveRecord
-          attribute_instance_methods_as_symbols_without_no_db_connection
-        else
-          # Call version from AttrEncrypted, i.e., `super` with regards to AttrEncrypted::Adapters::ActiveRecord
-          AttrEncrypted.instance_method(:attribute_instance_methods_as_symbols).bind(self).call
+      module DBConnectionQuerier
+        def attribute_instance_methods_as_symbols
+          # Use with_connection so the connection doesn't stay pinned to the thread.
+          connected = ::ActiveRecord::Base.connection_pool.with_connection(&:active?) rescue false
+
+          if connected
+            # Call version from AttrEncrypted::Adapters::ActiveRecord
+            super
+          else
+            # Call version from AttrEncrypted, i.e., `super` with regards to AttrEncrypted::Adapters::ActiveRecord
+            AttrEncrypted.instance_method(:attribute_instance_methods_as_symbols).bind(self).call
+          end
         end
       end
-
-      alias_method_chain :attribute_instance_methods_as_symbols, :no_db_connection
+      prepend DBConnectionQuerier
     end
   end
 end
diff --git a/config/initializers/connection_fix.rb b/config/initializers/connection_fix.rb
index d831a1838ed..d0b1444f607 100644
--- a/config/initializers/connection_fix.rb
+++ b/config/initializers/connection_fix.rb
@@ -20,7 +20,7 @@ if defined?(ActiveRecord::ConnectionAdapters::Mysql2Adapter)
         execute_without_retry(*args)
       rescue ActiveRecord::StatementInvalid => e
         if e.message =~ /server has gone away/i
-          warn "Server timed out, retrying"
+          warn "Lost connection to MySQL server during query"
           reconnect!
           retry
         else
diff --git a/config/initializers/doorkeeper.rb b/config/initializers/doorkeeper.rb
index 618dba74151..fc4b0a72add 100644
--- a/config/initializers/doorkeeper.rb
+++ b/config/initializers/doorkeeper.rb
@@ -12,7 +12,8 @@ Doorkeeper.configure do
   end
 
   resource_owner_from_credentials do |routes|
-    Gitlab::Auth.find_with_user_password(params[:username], params[:password])
+    user = Gitlab::Auth.find_with_user_password(params[:username], params[:password])
+    user unless user.try(:two_factor_enabled?)
   end
 
   # If you want to restrict access to the web interface for adding oauth authorized applications, you need to declare the block below.
diff --git a/config/initializers/gitlab_shell_secret_token.rb b/config/initializers/gitlab_shell_secret_token.rb
index 7454c33c9dd..529dcdd4644 100644
--- a/config/initializers/gitlab_shell_secret_token.rb
+++ b/config/initializers/gitlab_shell_secret_token.rb
@@ -1 +1 @@
-Gitlab::Shell.new.generate_and_link_secret_token
+Gitlab::Shell.ensure_secret_token!
diff --git a/config/initializers/gitlab_workhorse_secret.rb b/config/initializers/gitlab_workhorse_secret.rb
new file mode 100644
index 00000000000..ed54dc11098
--- /dev/null
+++ b/config/initializers/gitlab_workhorse_secret.rb
@@ -0,0 +1,8 @@
+begin
+  Gitlab::Workhorse.secret
+rescue
+  Gitlab::Workhorse.write_secret
+end
+
+# Try a second time. If it does not work this will raise.
+Gitlab::Workhorse.secret
diff --git a/config/initializers/metrics.rb b/config/initializers/metrics.rb
index 52522e099e7..3b8771543e4 100644
--- a/config/initializers/metrics.rb
+++ b/config/initializers/metrics.rb
@@ -67,8 +67,10 @@ if Gitlab::Metrics.enabled?
       ['app', 'finders']                    => ['app', 'finders'],
       ['app', 'mailers', 'emails']          => ['app', 'mailers'],
       ['app', 'services', '**']             => ['app', 'services'],
+      ['lib', 'gitlab', 'conflicts']        => ['lib'],
       ['lib', 'gitlab', 'diff']             => ['lib'],
-      ['lib', 'gitlab', 'email', 'message'] => ['lib']
+      ['lib', 'gitlab', 'email', 'message'] => ['lib'],
+      ['lib', 'gitlab', 'checks']           => ['lib']
     }
 
     paths_to_instrument.each do |(path, prefix)|
diff --git a/config/initializers/mime_types.rb b/config/initializers/mime_types.rb
index f498732feca..5e3e4c966cb 100644
--- a/config/initializers/mime_types.rb
+++ b/config/initializers/mime_types.rb
@@ -13,9 +13,5 @@ Mime::Type.register "video/mp4",  :mp4, [], [:m4v, :mov]
 Mime::Type.register "video/webm", :webm
 Mime::Type.register "video/ogg",  :ogv
 
-middlewares = Gitlab::Application.config.middleware
-middlewares.swap(ActionDispatch::ParamsParser, ActionDispatch::ParamsParser, {
-  Mime::Type.lookup('application/vnd.git-lfs+json') => lambda do |body|
-    ActiveSupport::JSON.decode(body)
-  end
-})
+Mime::Type.unregister :json
+Mime::Type.register 'application/json', :json, %w(application/vnd.git-lfs+json application/json)
diff --git a/config/initializers/postgresql_limit_fix.rb b/config/initializers/postgresql_limit_fix.rb
index 0cb3aaf4d24..4224d857e8a 100644
--- a/config/initializers/postgresql_limit_fix.rb
+++ b/config/initializers/postgresql_limit_fix.rb
@@ -1,5 +1,19 @@
 if defined?(ActiveRecord::ConnectionAdapters::PostgreSQLAdapter)
   class ActiveRecord::ConnectionAdapters::PostgreSQLAdapter
+    module LimitFilter
+      def add_column(table_name, column_name, type, options = {})
+        options.delete(:limit) if type == :text
+        super(table_name, column_name, type, options)
+      end
+
+      def change_column(table_name, column_name, type, options = {})
+        options.delete(:limit) if type == :text
+        super(table_name, column_name, type, options)
+      end
+    end
+
+    prepend ActiveRecord::ConnectionAdapters::PostgreSQLAdapter::LimitFilter
+
     class TableDefinition
       def text(*args)
         options = args.extract_options!
@@ -9,18 +23,5 @@ if defined?(ActiveRecord::ConnectionAdapters::PostgreSQLAdapter)
         column_names.each { |name| column(name, type, options) }
       end
     end
-
-    def add_column_with_limit_filter(table_name, column_name, type, options = {})
-      options.delete(:limit) if type == :text
-      add_column_without_limit_filter(table_name, column_name, type, options)
-    end
-
-    def change_column_with_limit_filter(table_name, column_name, type, options = {})
-      options.delete(:limit) if type == :text
-      change_column_without_limit_filter(table_name, column_name, type, options)
-    end
-
-    alias_method_chain :add_column, :limit_filter
-    alias_method_chain :change_column, :limit_filter
   end
 end
diff --git a/config/initializers/routing_draw.rb b/config/initializers/routing_draw.rb
new file mode 100644
index 00000000000..25003cf0239
--- /dev/null
+++ b/config/initializers/routing_draw.rb
@@ -0,0 +1,7 @@
+# Adds draw method into Rails routing
+# It allows us to keep routing splitted into files
+class ActionDispatch::Routing::Mapper
+  def draw(routes_name)
+    instance_eval(File.read(Rails.root.join("config/routes/#{routes_name}.rb")))
+  end
+end
diff --git a/config/initializers/sentry.rb b/config/initializers/sentry.rb
index 74fef7cadfe..4f30d1265c8 100644
--- a/config/initializers/sentry.rb
+++ b/config/initializers/sentry.rb
@@ -18,6 +18,9 @@ if Rails.env.production?
       
       # Sanitize fields based on those sanitized from Rails.
       config.sanitize_fields = Rails.application.config.filter_parameters.map(&:to_s)
+      # Sanitize authentication headers
+      config.sanitize_http_headers = %w[Authorization Private-Token]
+      config.tags = { program: Gitlab::Sentry.program_context }
     end
   end
 end
diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb
index f7e714cd6bc..023af2af23c 100644
--- a/config/initializers/sidekiq.rb
+++ b/config/initializers/sidekiq.rb
@@ -2,6 +2,9 @@
 redis_config_hash = Gitlab::Redis.params
 redis_config_hash[:namespace] = Gitlab::Redis::SIDEKIQ_NAMESPACE
 
+# Default is to retry 25 times with exponential backoff. That's too much.
+Sidekiq.default_worker_options = { retry: 3 }
+
 Sidekiq.configure_server do |config|
   config.redis = redis_config_hash
 
@@ -42,3 +45,19 @@ end
 Sidekiq.configure_client do |config|
   config.redis = redis_config_hash
 end
+
+# The Sidekiq client API always adds the queue to the Sidekiq queue
+# list, but mail_room and gitlab-shell do not. This is only necessary
+# for monitoring.
+config = YAML.load_file(Rails.root.join('config', 'sidekiq_queues.yml').to_s)
+
+begin
+  Sidekiq.redis do |conn|
+    conn.pipelined do
+      config[:queues].each do |queue|
+        conn.sadd('queues', queue[0])
+      end
+    end
+  end
+rescue Redis::BaseError, SocketError
+end
diff --git a/config/locales/en.yml b/config/locales/en.yml
index cedb5e207bd..12a59be79f0 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -5,6 +5,7 @@ en:
   hello: "Hello world"
   errors:
     messages:
+      label_already_exists_at_group_level: "already exists at group level for %{group}. Please choose another one."
       wrong_size: "is the wrong size (should be %{file_size})"
       size_too_small: "is too small (should be at least %{file_size})"
       size_too_big: "is too big (should be at most %{file_size})"
diff --git a/config/mail_room.yml b/config/mail_room.yml
index c639f8260aa..b026d510f1b 100644
--- a/config/mail_room.yml
+++ b/config/mail_room.yml
@@ -25,12 +25,27 @@
       :delivery_options:
         :redis_url: <%= config[:redis_url].to_json %>
         :namespace: <%= Gitlab::Redis::SIDEKIQ_NAMESPACE %>
-        :queue: incoming_email
+        :queue: email_receiver
         :worker: EmailReceiverWorker
+        <% if config[:sentinels] %>
+        :sentinels:
+          <% config[:sentinels].each do |sentinel| %>
+          -
+            :host: <%= sentinel[:host] %>
+            :port: <%= sentinel[:port] %>
+          <% end %>
+        <% end %>
 
       :arbitration_method: redis
       :arbitration_options:
         :redis_url: <%= config[:redis_url].to_json %>
         :namespace: <%= Gitlab::Redis::MAILROOM_NAMESPACE %>
-
+        <% if config[:sentinels] %>
+        :sentinels:
+          <% config[:sentinels].each do |sentinel| %>
+          -
+            :host: <%= sentinel[:host] %>
+            :port: <%= sentinel[:port] %>
+          <% end %>
+        <% end %>
   <% end %>
diff --git a/config/routes.rb b/config/routes.rb
index 63a8827a6a2..7bf6c03e69b 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -3,54 +3,19 @@ require 'sidekiq/cron/web'
 require 'api/api'
 
 Rails.application.routes.draw do
-  if Gitlab::Sherlock.enabled?
-    namespace :sherlock do
-      resources :transactions, only: [:index, :show] do
-        resources :queries, only: [:show]
-        resources :file_samples, only: [:show]
-
-        collection do
-          delete :destroy_all
-        end
-      end
-    end
-  end
-
-  if Rails.env.development?
-    # Make the built-in Rails routes available in development, otherwise they'd
-    # get swallowed by the `namespace/project` route matcher below.
-    #
-    # See https://git.io/va79N
-    get '/rails/mailers'         => 'rails/mailers#index'
-    get '/rails/mailers/:path'   => 'rails/mailers#preview'
-    get '/rails/info/properties' => 'rails/info#properties'
-    get '/rails/info/routes'     => 'rails/info#routes'
-    get '/rails/info'            => 'rails/info#index'
-
-    mount LetterOpenerWeb::Engine, at: '/rails/letter_opener'
-  end
-
   concern :access_requestable do
     post :request_access, on: :collection
     post :approve_access_request, on: :member
   end
 
-  namespace :ci do
-    # CI API
-    Ci::API::API.logger Rails.logger
-    mount Ci::API::API => '/api'
-
-    resource :lint, only: [:show, :create]
-
-    resources :projects, only: [:index, :show] do
-      member do
-        get :status, to: 'projects#badge'
-      end
-    end
-
-    root to: 'projects#index'
+  concern :awardable do
+    post :toggle_award_emoji, on: :member
   end
 
+  draw :sherlock
+  draw :development
+  draw :ci
+
   use_doorkeeper do
     controllers applications: 'oauth/applications',
                 authorized_applications: 'oauth/authorized_applications',
@@ -72,40 +37,18 @@ Rails.application.routes.draw do
   # JSON Web Token
   get 'jwt/auth' => 'jwt#auth'
 
-  # API
-  API::API.logger Rails.logger
-  mount API::API => '/api'
-
-  constraint = lambda { |request| request.env['warden'].authenticate? and request.env['warden'].user.admin? }
-  constraints constraint do
-    mount Sidekiq::Web, at: '/admin/sidekiq', as: :sidekiq
-  end
-
   # Health check
   get 'health_check(/:checks)' => 'health_check#index', as: :health_check
 
-  # Help
-  get 'help'           => 'help#index'
-  get 'help/shortcuts' => 'help#shortcuts'
-  get 'help/ui'        => 'help#ui'
-  get 'help/*path'     => 'help#show', as: :help_page
+  # Koding route
+  get 'koding' => 'koding#index'
 
-  #
-  # Global snippets
-  #
-  resources :snippets do
-    member do
-      get 'raw'
-    end
-  end
-
-  get '/s/:username', to: redirect('/u/%{username}/snippets'),
-                      constraints: { username: /[a-zA-Z.0-9_\-]+(?<!\.atom)/ }
+  draw :api
+  draw :sidekiq
+  draw :help
+  draw :snippets
 
-  #
   # Invites
-  #
-
   resources :invites, only: [:show], constraints: { id: /[A-Za-z0-9_-]+/ } do
     member do
       post :accept
@@ -119,779 +62,26 @@ Rails.application.routes.draw do
     end
   end
 
-  #
   # Spam reports
-  #
   resources :abuse_reports, only: [:new, :create]
 
-  #
   # Notification settings
-  #
   resources :notification_settings, only: [:create, :update]
 
-  #
-  # Import
-  #
-  namespace :import do
-    resource :github, only: [:create, :new], controller: :github do
-      post :personal_access_token
-      get :status
-      get :callback
-      get :jobs
-    end
-
-    resource :gitlab, only: [:create], controller: :gitlab do
-      get :status
-      get :callback
-      get :jobs
-    end
-
-    resource :bitbucket, only: [:create], controller: :bitbucket do
-      get :status
-      get :callback
-      get :jobs
-    end
-
-    resource :gitorious, only: [:create, :new], controller: :gitorious do
-      get :status
-      get :callback
-      get :jobs
-    end
-
-    resource :google_code, only: [:create, :new], controller: :google_code do
-      get :status
-      post :callback
-      get :jobs
-
-      get   :new_user_map,    path: :user_map
-      post  :create_user_map, path: :user_map
-    end
-
-    resource :fogbugz, only: [:create, :new], controller: :fogbugz do
-      get :status
-      post :callback
-      get :jobs
-
-      get   :new_user_map,    path: :user_map
-      post  :create_user_map, path: :user_map
-    end
-
-    resource :gitlab_project, only: [:create, :new] do
-      post :create
-    end
-  end
-
-  #
-  # Uploads
-  #
-
-  scope path: :uploads do
-    # Note attachments and User/Group/Project avatars
-    get ":model/:mounted_as/:id/:filename",
-        to:           "uploads#show",
-        constraints:  { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /[^\/]+/ }
-
-    # Appearance
-    get ":model/:mounted_as/:id/:filename",
-        to:           "uploads#show",
-        constraints:  { model: /appearance/, mounted_as: /logo|header_logo/, filename: /.+/ }
-
-    # Project markdown uploads
-    get ":namespace_id/:project_id/:secret/:filename",
-      to:           "projects/uploads#show",
-      constraints:  { namespace_id: /[a-zA-Z.0-9_\-]+/, project_id: /[a-zA-Z.0-9_\-]+/, filename: /[^\/]+/ }
-  end
-
-  # Redirect old note attachments path to new uploads path.
-  get "files/note/:id/:filename",
-    to:           redirect("uploads/note/attachment/%{id}/%{filename}"),
-    constraints:  { filename: /[^\/]+/ }
-
-  #
-  # Explore area
-  #
-  namespace :explore do
-    resources :projects, only: [:index] do
-      collection do
-        get :trending
-        get :starred
-      end
-    end
-
-    resources :groups, only: [:index]
-    resources :snippets, only: [:index]
-    root to: 'projects#trending'
-  end
-
-  # Compatibility with old routing
-  get 'public' => 'explore/projects#index'
-  get 'public/projects' => 'explore/projects#index'
-
-  #
-  # Admin Area
-  #
-  namespace :admin do
-    resources :users, constraints: { id: /[a-zA-Z.\/0-9_\-]+/ } do
-      resources :keys, only: [:show, :destroy]
-      resources :identities, except: [:show]
-
-      member do
-        get :projects
-        get :keys
-        get :groups
-        put :block
-        put :unblock
-        put :unlock
-        put :confirm
-        post :impersonate
-        patch :disable_two_factor
-        delete 'remove/:email_id', action: 'remove_email', as: 'remove_email'
-      end
-    end
-
-    resource :impersonation, only: :destroy
-
-    resources :abuse_reports, only: [:index, :destroy]
-    resources :spam_logs, only: [:index, :destroy] do
-      member do
-        post :mark_as_ham
-      end
-    end
-
-    resources :applications
-
-    resources :groups, constraints: { id: /[^\/]+/ } do
-      member do
-        put :members_update
-      end
-    end
-
-    resources :deploy_keys, only: [:index, :new, :create, :destroy]
-
-    resources :hooks, only: [:index, :create, :destroy] do
-      get :test
-    end
-
-    resources :broadcast_messages, only: [:index, :edit, :create, :update, :destroy] do
-      post :preview, on: :collection
-    end
-
-    resource :logs, only: [:show]
-    resource :health_check, controller: 'health_check', only: [:show]
-    resource :background_jobs, controller: 'background_jobs', only: [:show]
-    resource :system_info, controller: 'system_info', only: [:show]
-    resources :requests_profiles, only: [:index, :show], param: :name, constraints: { name: /.+\.html/ }
-
-    resources :namespaces, path: '/projects', constraints: { id: /[a-zA-Z.0-9_\-]+/ }, only: [] do
-      root to: 'projects#index', as: :projects
-
-      resources(:projects,
-                path: '/',
-                constraints: { id: /[a-zA-Z.0-9_\-]+/ },
-                only: [:index, :show]) do
-        root to: 'projects#show'
-
-        member do
-          put :transfer
-          post :repository_check
-        end
-
-        resources :runner_projects, only: [:create, :destroy]
-      end
-    end
-
-    resource :appearances, only: [:show, :create, :update], path: 'appearance' do
-      member do
-        get :preview
-        delete :logo
-        delete :header_logos
-      end
-    end
-
-    resource :application_settings, only: [:show, :update] do
-      resources :services, only: [:index, :edit, :update]
-      put :reset_runners_token
-      put :reset_health_check_token
-      put :clear_repository_check_states
-    end
-
-    resources :labels
-
-    resources :runners, only: [:index, :show, :update, :destroy] do
-      member do
-        get :resume
-        get :pause
-      end
-    end
-
-    resources :builds, only: :index do
-      collection do
-        post :cancel_all
-      end
-    end
-
-    root to: 'dashboard#index'
-  end
-
-  #
-  # Profile Area
-  #
-  resource :profile, only: [:show, :update] do
-    member do
-      get :audit_log
-      get :applications, to: 'oauth/applications#index'
-
-      put :reset_private_token
-      put :update_username
-    end
-
-    scope module: :profiles do
-      resource :account, only: [:show] do
-        member do
-          delete :unlink
-        end
-      end
-      resource :notifications, only: [:show, :update]
-      resource :password, only: [:new, :create, :edit, :update] do
-        member do
-          put :reset
-        end
-      end
-      resource :preferences, only: [:show, :update]
-      resources :keys, only: [:index, :show, :new, :create, :destroy]
-      resources :emails, only: [:index, :create, :destroy]
-      resource :avatar, only: [:destroy]
-
-      resources :personal_access_tokens, only: [:index, :create] do
-        member do
-          put :revoke
-        end
-      end
-
-      resource :two_factor_auth, only: [:show, :create, :destroy] do
-        member do
-          post :create_u2f
-          post :codes
-          patch :skip
-        end
-      end
-    end
-  end
-
-  scope(path: 'u/:username',
-        as: :user,
-        constraints: { username: /[a-zA-Z.0-9_\-]+(?<!\.atom)/ },
-        controller: :users) do
-    get :calendar
-    get :calendar_activities
-    get :groups
-    get :projects
-    get :contributed, as: :contributed_projects
-    get :snippets
-    get '/', action: :show
-  end
-
-  #
-  # Dashboard Area
-  #
-  resource :dashboard, controller: 'dashboard', only: [] do
-    get :issues
-    get :merge_requests
-    get :activity
-
-    scope module: :dashboard do
-      resources :milestones, only: [:index, :show]
-      resources :labels, only: [:index]
-
-      resources :groups, only: [:index]
-      resources :snippets, only: [:index]
-
-      resources :todos, only: [:index, :destroy] do
-        collection do
-          delete :destroy_all
-        end
-      end
-
-      resources :projects, only: [:index] do
-        collection do
-          get :starred
-        end
-      end
-    end
-
-    root to: "dashboard/projects#index"
-  end
-
-  #
-  # Groups Area
-  #
-  resources :groups, constraints: { id: /[a-zA-Z.0-9_\-]+(?<!\.atom)/ }  do
-    member do
-      get :issues
-      get :merge_requests
-      get :projects
-      get :activity
-    end
-
-    scope module: :groups do
-      resources :group_members, only: [:index, :create, :update, :destroy], concerns: :access_requestable do
-        post :resend_invite, on: :member
-        delete :leave, on: :collection
-      end
-
-      resource :avatar, only: [:destroy]
-      resources :milestones, constraints: { id: /[^\/]+/ }, only: [:index, :show, :update, :new, :create]
-    end
-  end
-
-  resources :projects, constraints: { id: /[^\/]+/ }, only: [:index, :new, :create]
-
-  devise_for :users, controllers: { omniauth_callbacks: :omniauth_callbacks,
-                                    registrations: :registrations,
-                                    passwords: :passwords,
-                                    sessions: :sessions,
-                                    confirmations: :confirmations }
-
-  devise_scope :user do
-    get '/users/auth/:provider/omniauth_error' => 'omniauth_callbacks#omniauth_error', as: :omniauth_error
-    get '/users/almost_there' => 'confirmations#almost_there'
-  end
-
-  root to: "root#index"
-
-  #
-  # Project Area
-  #
-  resources :namespaces, path: '/', constraints: { id: /[a-zA-Z.0-9_\-]+/ }, only: [] do
-    resources(:projects, constraints: { id: /[a-zA-Z.0-9_\-]+(?<!\.atom)/ }, except:
-              [:new, :create, :index], path: "/") do
-      member do
-        put :transfer
-        delete :remove_fork
-        post :archive
-        post :unarchive
-        post :housekeeping
-        post :toggle_star
-        post :preview_markdown
-        post :export
-        post :remove_export
-        post :generate_new_export
-        get :download_export
-        get :autocomplete_sources
-        get :activity
-        get :refs
-      end
-
-      scope module: :projects do
-        scope constraints: { id: /.+\.git/, format: nil } do
-          # Git HTTP clients ('git clone' etc.)
-          get '/info/refs', to: 'git_http#info_refs'
-          post '/git-upload-pack', to: 'git_http#git_upload_pack'
-          post '/git-receive-pack', to: 'git_http#git_receive_pack'
-
-          # Git LFS API (metadata)
-          post '/info/lfs/objects/batch', to: 'lfs_api#batch'
-          post '/info/lfs/objects', to: 'lfs_api#deprecated'
-          get '/info/lfs/objects/*oid', to: 'lfs_api#deprecated'
-
-          # GitLab LFS object storage
-          scope constraints: { oid: /[a-f0-9]{64}/ } do
-            get '/gitlab-lfs/objects/*oid', to: 'lfs_storage#download'
-
-            scope constraints: { size: /[0-9]+/ } do
-              put '/gitlab-lfs/objects/*oid/*size/authorize', to: 'lfs_storage#upload_authorize'
-              put '/gitlab-lfs/objects/*oid/*size', to: 'lfs_storage#upload_finalize'
-            end
-          end
-        end
-
-        # Allow /info/refs, /info/refs?service=git-upload-pack, and
-        # /info/refs?service=git-receive-pack, but nothing else.
-        #
-        git_http_handshake = lambda do |request|
-          request.query_string.blank? ||
-            request.query_string.match(/\Aservice=git-(upload|receive)-pack\z/)
-        end
-
-        ref_redirect = redirect do |params, request|
-          path = "#{params[:namespace_id]}/#{params[:project_id]}.git/info/refs"
-          path << "?#{request.query_string}" unless request.query_string.blank?
-          path
-        end
-
-        get '/info/refs', constraints: git_http_handshake, to: ref_redirect
-
-        # Blob routes:
-        get '/new/*id', to: 'blob#new', constraints: { id: /.+/ }, as: 'new_blob'
-        post '/create/*id', to: 'blob#create', constraints: { id: /.+/ }, as: 'create_blob'
-        get '/edit/*id', to: 'blob#edit', constraints: { id: /.+/ }, as: 'edit_blob'
-        put '/update/*id', to: 'blob#update', constraints: { id: /.+/ }, as: 'update_blob'
-        post '/preview/*id', to: 'blob#preview', constraints: { id: /.+/ }, as: 'preview_blob'
-
-        #
-        # Templates
-        #
-        get '/templates/:template_type/:key' => 'templates#show', as: :template
-
-        scope do
-          get(
-            '/blob/*id/diff',
-            to: 'blob#diff',
-            constraints: { id: /.+/, format: false },
-            as: :blob_diff
-          )
-          get(
-            '/blob/*id',
-            to: 'blob#show',
-            constraints: { id: /.+/, format: false },
-            as: :blob
-          )
-          delete(
-            '/blob/*id',
-            to: 'blob#destroy',
-            constraints: { id: /.+/, format: false }
-          )
-          put(
-            '/blob/*id',
-            to: 'blob#update',
-            constraints: { id: /.+/, format: false }
-          )
-          post(
-            '/blob/*id',
-            to: 'blob#create',
-            constraints: { id: /.+/, format: false }
-          )
-        end
-
-        scope do
-          get(
-            '/raw/*id',
-            to: 'raw#show',
-            constraints: { id: /.+/, format: /(html|js)/ },
-            as: :raw
-          )
-        end
-
-        scope do
-          get(
-            '/tree/*id',
-            to: 'tree#show',
-            constraints: { id: /.+/, format: /(html|js)/ },
-            as: :tree
-          )
-        end
-
-        scope do
-          get(
-            '/find_file/*id',
-            to: 'find_file#show',
-            constraints: { id: /.+/, format: /html/ },
-            as: :find_file
-          )
-        end
-
-        scope do
-          get(
-            '/files/*id',
-            to: 'find_file#list',
-            constraints: { id: /(?:[^.]|\.(?!json$))+/, format: /json/ },
-            as: :files
-          )
-        end
-
-        scope do
-          post(
-            '/create_dir/*id',
-              to: 'tree#create_dir',
-              constraints: { id: /.+/ },
-              as: 'create_dir'
-          )
-        end
-
-        scope do
-          get(
-            '/blame/*id',
-            to: 'blame#show',
-            constraints: { id: /.+/, format: /(html|js)/ },
-            as: :blame
-          )
-        end
-
-        scope do
-          get(
-            '/commits/*id',
-            to: 'commits#show',
-            constraints: { id: /(?:[^.]|\.(?!atom$))+/, format: /atom/ },
-            as: :commits
-          )
-        end
-
-        resource  :avatar, only: [:show, :destroy]
-        resources :commit, only: [:show], constraints: { id: /\h{7,40}/ } do
-          member do
-            get :branches
-            get :builds
-            post :cancel_builds
-            post :retry_builds
-            post :revert
-            post :cherry_pick
-            get :diff_for_path
-          end
-        end
-
-        resources :compare, only: [:index, :create] do
-          collection do
-            get :diff_for_path
-          end
-        end
-
-        get '/compare/:from...:to', to: 'compare#show', as: 'compare', constraints: { from: /.+/, to: /.+/ }
-
-        # Don't use format parameter as file extension (old 3.0.x behavior)
-        # See http://guides.rubyonrails.org/routing.html#route-globbing-and-wildcard-segments
-        scope format: false do
-          resources :network, only: [:show], constraints: { id: Gitlab::Regex.git_reference_regex }
-
-          resources :graphs, only: [:show], constraints: { id: Gitlab::Regex.git_reference_regex } do
-            member do
-              get :commits
-              get :ci
-              get :languages
-            end
-          end
-        end
-
-        resources :snippets, constraints: { id: /\d+/ } do
-          member do
-            get 'raw'
-          end
-        end
-
-        WIKI_SLUG_ID = { id: /\S+/ } unless defined? WIKI_SLUG_ID
-
-        scope do
-          # Order matters to give priority to these matches
-          get '/wikis/git_access', to: 'wikis#git_access'
-          get '/wikis/pages', to: 'wikis#pages', as: 'wiki_pages'
-          post '/wikis', to: 'wikis#create'
-
-          get '/wikis/*id/history', to: 'wikis#history', as: 'wiki_history', constraints: WIKI_SLUG_ID
-          get '/wikis/*id/edit', to: 'wikis#edit', as: 'wiki_edit', constraints: WIKI_SLUG_ID
-
-          get '/wikis/*id', to: 'wikis#show', as: 'wiki', constraints: WIKI_SLUG_ID
-          delete '/wikis/*id', to: 'wikis#destroy', constraints: WIKI_SLUG_ID
-          put '/wikis/*id', to: 'wikis#update', constraints: WIKI_SLUG_ID
-          post '/wikis/*id/preview_markdown', to: 'wikis#preview_markdown', constraints: WIKI_SLUG_ID, as: 'wiki_preview_markdown'
-        end
-
-        resource :repository, only: [:create] do
-          member do
-            get 'archive', constraints: { format: Gitlab::Regex.archive_formats_regex }
-          end
-        end
-
-        resources :services, constraints: { id: /[^\/]+/ }, only: [:index, :edit, :update] do
-          member do
-            get :test
-          end
-        end
-
-        resources :deploy_keys, constraints: { id: /\d+/ }, only: [:index, :new, :create] do
-          member do
-            put :enable
-            put :disable
-          end
-        end
-
-        resources :forks, only: [:index, :new, :create]
-        resource :import, only: [:new, :create, :show]
-
-        resources :refs, only: [] do
-          collection do
-            get 'switch'
-          end
-
-          member do
-            # tree viewer logs
-            get 'logs_tree', constraints: { id: Gitlab::Regex.git_reference_regex }
-            # Directories with leading dots erroneously get rejected if git
-            # ref regex used in constraints. Regex verification now done in controller.
-            get 'logs_tree/*path' => 'refs#logs_tree', as: :logs_file, constraints: {
-              id: /.*/,
-              path: /.*/
-            }
-          end
-        end
-
-        resources :merge_requests, constraints: { id: /\d+/ } do
-          member do
-            get :commits
-            get :diffs
-            get :builds
-            get :merge_check
-            post :merge
-            post :cancel_merge_when_build_succeeds
-            get :ci_status
-            post :toggle_subscription
-            post :toggle_award_emoji
-            post :remove_wip
-            get :diff_for_path
-          end
-
-          collection do
-            get :branch_from
-            get :branch_to
-            get :update_branches
-            get :diff_for_path
-          end
-        end
-
-        resources :branches, only: [:index, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
-        resources :tags, only: [:index, :show, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex } do
-          resource :release, only: [:edit, :update]
-        end
-
-        resources :protected_branches, only: [:index, :show, :create, :update, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
-        resources :variables, only: [:index, :show, :update, :create, :destroy]
-        resources :triggers, only: [:index, :create, :destroy]
-
-        resources :pipelines, only: [:index, :new, :create, :show] do
-          collection do
-            resource :pipelines_settings, path: 'settings', only: [:show, :update]
-          end
-
-          member do
-            post :cancel
-            post :retry
-          end
-        end
-
-        resources :environments
-
-        resources :builds, only: [:index, :show], constraints: { id: /\d+/ } do
-          collection do
-            post :cancel_all
-          end
-
-          member do
-            get :status
-            post :cancel
-            post :retry
-            post :play
-            post :erase
-            get :trace
-            get :raw
-          end
-
-          resource :artifacts, only: [] do
-            get :download
-            get :browse, path: 'browse(/*path)', format: false
-            get :file, path: 'file/*path', format: false
-            post :keep
-          end
-        end
-
-        resources :hooks, only: [:index, :create, :destroy], constraints: { id: /\d+/ } do
-          member do
-            get :test
-          end
-        end
-
-        resources :container_registry, only: [:index, :destroy], constraints: { id: Gitlab::Regex.container_registry_reference_regex }
-
-        resources :milestones, constraints: { id: /\d+/ } do
-          member do
-            put :sort_issues
-            put :sort_merge_requests
-          end
-        end
-
-        resources :labels, except: [:show], constraints: { id: /\d+/ } do
-          collection do
-            post :generate
-            post :set_priorities
-          end
-
-          member do
-            post :toggle_subscription
-            delete :remove_priority
-          end
-        end
-
-        resources :issues, constraints: { id: /\d+/ } do
-          member do
-            post :toggle_subscription
-            post :toggle_award_emoji
-            post :mark_as_spam
-            get :referenced_merge_requests
-            get :related_branches
-            get :can_create_branch
-          end
-          collection do
-            post  :bulk_update
-          end
-        end
-
-        resources :project_members, except: [:show, :new, :edit], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ }, concerns: :access_requestable do
-          collection do
-            delete :leave
-
-            # Used for import team
-            # from another project
-            get :import
-            post :apply_import
-          end
-
-          member do
-            post :resend_invite
-          end
-        end
-
-        resources :group_links, only: [:index, :create, :destroy], constraints: { id: /\d+/ }
-
-        resources :notes, only: [:index, :create, :destroy, :update], constraints: { id: /\d+/ } do
-          member do
-            post :toggle_award_emoji
-            delete :delete_attachment
-          end
-        end
-
-        resources :todos, only: [:create]
-
-        resources :uploads, only: [:create] do
-          collection do
-            get ":secret/:filename", action: :show, as: :show, constraints: { filename: /[^\/]+/ }
-          end
-        end
-
-        resources :runners, only: [:index, :edit, :update, :destroy, :show] do
-          member do
-            get :resume
-            get :pause
-          end
-
-          collection do
-            post :toggle_shared_runners
-          end
-        end
-
-        resources :runner_projects, only: [:create, :destroy]
-        resources :badges, only: [:index] do
-          collection do
-            scope '*ref', constraints: { ref: Gitlab::Regex.git_reference_regex } do
-              constraints format: /svg/ do
-                get :build
-                get :coverage
-              end
-            end
-          end
-        end
-      end
-    end
-  end
+  draw :import
+  draw :uploads
+  draw :explore
+  draw :admin
+  draw :profile
+  draw :dashboard
+  draw :group
+  draw :user
+  draw :project
 
   # Get all keys of user
   get ':username.keys' => 'profiles/keys#get_keys', constraints: { username: /.*/ }
 
-  get ':id' => 'namespaces#show', constraints: { id: /(?:[^.]|\.(?!atom$))+/, format: /atom/ }
+  root to: "root#index"
+
+  get '*unmatched_route', to: 'application#not_found'
 end
diff --git a/config/routes/admin.rb b/config/routes/admin.rb
new file mode 100644
index 00000000000..5ae985da561
--- /dev/null
+++ b/config/routes/admin.rb
@@ -0,0 +1,102 @@
+namespace :admin do
+  resources :users, constraints: { id: /[a-zA-Z.\/0-9_\-]+/ } do
+    resources :keys, only: [:show, :destroy]
+    resources :identities, except: [:show]
+
+    member do
+      get :projects
+      get :keys
+      get :groups
+      put :block
+      put :unblock
+      put :unlock
+      put :confirm
+      post :impersonate
+      patch :disable_two_factor
+      delete 'remove/:email_id', action: 'remove_email', as: 'remove_email'
+    end
+  end
+
+  resource :impersonation, only: :destroy
+
+  resources :abuse_reports, only: [:index, :destroy]
+  resources :spam_logs, only: [:index, :destroy] do
+    member do
+      post :mark_as_ham
+    end
+  end
+
+  resources :applications
+
+  resources :groups, constraints: { id: /[^\/]+/ } do
+    member do
+      put :members_update
+    end
+  end
+
+  resources :deploy_keys, only: [:index, :new, :create, :destroy]
+
+  resources :hooks, only: [:index, :create, :destroy] do
+    get :test
+  end
+
+  resources :broadcast_messages, only: [:index, :edit, :create, :update, :destroy] do
+    post :preview, on: :collection
+  end
+
+  resource :logs, only: [:show]
+  resource :health_check, controller: 'health_check', only: [:show]
+  resource :background_jobs, controller: 'background_jobs', only: [:show]
+  resource :system_info, controller: 'system_info', only: [:show]
+  resources :requests_profiles, only: [:index, :show], param: :name, constraints: { name: /.+\.html/ }
+
+  resources :namespaces, path: '/projects', constraints: { id: /[a-zA-Z.0-9_\-]+/ }, only: [] do
+    root to: 'projects#index', as: :projects
+
+    resources(:projects,
+              path: '/',
+              constraints: { id: /[a-zA-Z.0-9_\-]+/ },
+              only: [:index, :show]) do
+      root to: 'projects#show'
+
+      member do
+        put :transfer
+        post :repository_check
+      end
+
+      resources :runner_projects, only: [:create, :destroy]
+    end
+  end
+
+  resource :appearances, only: [:show, :create, :update], path: 'appearance' do
+    member do
+      get :preview
+      delete :logo
+      delete :header_logos
+    end
+  end
+
+  resource :application_settings, only: [:show, :update] do
+    resources :services, only: [:index, :edit, :update]
+    put :reset_runners_token
+    put :reset_health_check_token
+    put :clear_repository_check_states
+  end
+
+  resources :labels
+
+  resources :runners, only: [:index, :show, :update, :destroy] do
+    member do
+      get :resume
+      get :pause
+    end
+  end
+
+  resources :builds, only: :index do
+    collection do
+      post :cancel_all
+    end
+  end
+
+  root to: 'dashboard#index'
+end
diff --git a/config/routes/api.rb b/config/routes/api.rb
new file mode 100644
index 00000000000..69c8efc151c
--- /dev/null
+++ b/config/routes/api.rb
@@ -0,0 +1,2 @@
+API::API.logger Rails.logger
+mount API::API => '/api'
diff --git a/config/routes/ci.rb b/config/routes/ci.rb
new file mode 100644
index 00000000000..47a049d5b20
--- /dev/null
+++ b/config/routes/ci.rb
@@ -0,0 +1,15 @@
+namespace :ci do
+  # CI API
+  Ci::API::API.logger Rails.logger
+  mount Ci::API::API => '/api'
+
+  resource :lint, only: [:show, :create]
+
+  resources :projects, only: [:index, :show] do
+    member do
+      get :status, to: 'projects#badge'
+    end
+  end
+
+  root to: 'projects#index'
+end
diff --git a/config/routes/dashboard.rb b/config/routes/dashboard.rb
new file mode 100644
index 00000000000..fb20c63bc63
--- /dev/null
+++ b/config/routes/dashboard.rb
@@ -0,0 +1,27 @@
+resource :dashboard, controller: 'dashboard', only: [] do
+  get :issues
+  get :merge_requests
+  get :activity
+
+  scope module: :dashboard do
+    resources :milestones, only: [:index, :show]
+    resources :labels, only: [:index]
+
+    resources :groups, only: [:index]
+    resources :snippets, only: [:index]
+
+    resources :todos, only: [:index, :destroy] do
+      collection do
+        delete :destroy_all
+      end
+    end
+
+    resources :projects, only: [:index] do
+      collection do
+        get :starred
+      end
+    end
+  end
+
+  root to: "dashboard/projects#index"
+end
diff --git a/config/routes/development.rb b/config/routes/development.rb
new file mode 100644
index 00000000000..9b2b47c6a21
--- /dev/null
+++ b/config/routes/development.rb
@@ -0,0 +1,13 @@
+if Rails.env.development?
+  # Make the built-in Rails routes available in development, otherwise they'd
+  # get swallowed by the `namespace/project` route matcher below.
+  #
+  # See https://git.io/va79N
+  get '/rails/mailers'         => 'rails/mailers#index'
+  get '/rails/mailers/:path'   => 'rails/mailers#preview'
+  get '/rails/info/properties' => 'rails/info#properties'
+  get '/rails/info/routes'     => 'rails/info#routes'
+  get '/rails/info'            => 'rails/info#index'
+
+  mount LetterOpenerWeb::Engine, at: '/rails/letter_opener'
+end
diff --git a/config/routes/explore.rb b/config/routes/explore.rb
new file mode 100644
index 00000000000..42ec5e8abec
--- /dev/null
+++ b/config/routes/explore.rb
@@ -0,0 +1,16 @@
+namespace :explore do
+  resources :projects, only: [:index] do
+    collection do
+      get :trending
+      get :starred
+    end
+  end
+
+  resources :groups, only: [:index]
+  resources :snippets, only: [:index]
+  root to: 'projects#trending'
+end
+
+# Compatibility with old routing
+get 'public' => 'explore/projects#index'
+get 'public/projects' => 'explore/projects#index'
diff --git a/config/routes/git_http.rb b/config/routes/git_http.rb
new file mode 100644
index 00000000000..03adc4815f3
--- /dev/null
+++ b/config/routes/git_http.rb
@@ -0,0 +1,37 @@
+scope constraints: { id: /.+\.git/, format: nil } do
+  # Git HTTP clients ('git clone' etc.)
+  get '/info/refs', to: 'git_http#info_refs'
+  post '/git-upload-pack', to: 'git_http#git_upload_pack'
+  post '/git-receive-pack', to: 'git_http#git_receive_pack'
+
+  # Git LFS API (metadata)
+  post '/info/lfs/objects/batch', to: 'lfs_api#batch'
+  post '/info/lfs/objects', to: 'lfs_api#deprecated'
+  get '/info/lfs/objects/*oid', to: 'lfs_api#deprecated'
+
+  # GitLab LFS object storage
+  scope constraints: { oid: /[a-f0-9]{64}/ } do
+    get '/gitlab-lfs/objects/*oid', to: 'lfs_storage#download'
+
+    scope constraints: { size: /[0-9]+/ } do
+      put '/gitlab-lfs/objects/*oid/*size/authorize', to: 'lfs_storage#upload_authorize'
+      put '/gitlab-lfs/objects/*oid/*size', to: 'lfs_storage#upload_finalize'
+    end
+  end
+end
+
+# Allow /info/refs, /info/refs?service=git-upload-pack, and
+# /info/refs?service=git-receive-pack, but nothing else.
+#
+git_http_handshake = lambda do |request|
+  request.query_string.blank? ||
+    request.query_string.match(/\Aservice=git-(upload|receive)-pack\z/)
+end
+
+ref_redirect = redirect do |params, request|
+  path = "#{params[:namespace_id]}/#{params[:project_id]}.git/info/refs"
+  path << "?#{request.query_string}" unless request.query_string.blank?
+  path
+end
+
+get '/info/refs', constraints: git_http_handshake, to: ref_redirect
diff --git a/config/routes/group.rb b/config/routes/group.rb
new file mode 100644
index 00000000000..3c392f77ef6
--- /dev/null
+++ b/config/routes/group.rb
@@ -0,0 +1,37 @@
+require 'constraints/group_url_constrainer'
+
+constraints(GroupUrlConstrainer.new) do
+  scope(path: ':id',
+        as: :group,
+        constraints: { id: Gitlab::Regex.namespace_route_regex },
+        controller: :groups) do
+    get '/', action: :show
+    patch '/', action: :update
+    put '/', action: :update
+    delete '/', action: :destroy
+  end
+end
+
+resources :groups, only: [:index, :new, :create]
+
+scope(path: 'groups/:id', controller: :groups) do
+  get :edit, as: :edit_group
+  get :issues, as: :issues_group
+  get :merge_requests, as: :merge_requests_group
+  get :projects, as: :projects_group
+  get :activity, as: :activity_group
+end
+
+scope(path: 'groups/:group_id', module: :groups, as: :group) do
+  resources :group_members, only: [:index, :create, :update, :destroy], concerns: :access_requestable do
+    post :resend_invite, on: :member
+    delete :leave, on: :collection
+  end
+
+  resource :avatar, only: [:destroy]
+  resources :milestones, constraints: { id: /[^\/]+/ }, only: [:index, :show, :update, :new, :create]
+  resources :labels, except: [:show], constraints: { id: /\d+/ }
+end
+
+# Must be last route in this file
+get 'groups/:id' => 'groups#show', as: :group_canonical
diff --git a/config/routes/help.rb b/config/routes/help.rb
new file mode 100644
index 00000000000..d53822da9ec
--- /dev/null
+++ b/config/routes/help.rb
@@ -0,0 +1,4 @@
+get 'help'           => 'help#index'
+get 'help/shortcuts' => 'help#shortcuts'
+get 'help/ui'        => 'help#ui'
+get 'help/*path'     => 'help#show', as: :help_page
diff --git a/config/routes/import.rb b/config/routes/import.rb
new file mode 100644
index 00000000000..89f3b3f6378
--- /dev/null
+++ b/config/routes/import.rb
@@ -0,0 +1,42 @@
+namespace :import do
+  resource :github, only: [:create, :new], controller: :github do
+    post :personal_access_token
+    get :status
+    get :callback
+    get :jobs
+  end
+
+  resource :gitlab, only: [:create], controller: :gitlab do
+    get :status
+    get :callback
+    get :jobs
+  end
+
+  resource :bitbucket, only: [:create], controller: :bitbucket do
+    get :status
+    get :callback
+    get :jobs
+  end
+
+  resource :google_code, only: [:create, :new], controller: :google_code do
+    get :status
+    post :callback
+    get :jobs
+
+    get   :new_user_map,    path: :user_map
+    post  :create_user_map, path: :user_map
+  end
+
+  resource :fogbugz, only: [:create, :new], controller: :fogbugz do
+    get :status
+    post :callback
+    get :jobs
+
+    get   :new_user_map,    path: :user_map
+    post  :create_user_map, path: :user_map
+  end
+
+  resource :gitlab_project, only: [:create, :new] do
+    post :create
+  end
+end
diff --git a/config/routes/profile.rb b/config/routes/profile.rb
new file mode 100644
index 00000000000..52b9a565db8
--- /dev/null
+++ b/config/routes/profile.rb
@@ -0,0 +1,44 @@
+resource :profile, only: [:show, :update] do
+  member do
+    get :audit_log
+    get :applications, to: 'oauth/applications#index'
+
+    put :reset_private_token
+    put :reset_incoming_email_token
+    put :update_username
+  end
+
+  scope module: :profiles do
+    resource :account, only: [:show] do
+      member do
+        delete :unlink
+      end
+    end
+    resource :notifications, only: [:show, :update]
+    resource :password, only: [:new, :create, :edit, :update] do
+      member do
+        put :reset
+      end
+    end
+    resource :preferences, only: [:show, :update]
+    resources :keys, only: [:index, :show, :new, :create, :destroy]
+    resources :emails, only: [:index, :create, :destroy]
+    resource :avatar, only: [:destroy]
+
+    resources :personal_access_tokens, only: [:index, :create] do
+      member do
+        put :revoke
+      end
+    end
+
+    resource :two_factor_auth, only: [:show, :create, :destroy] do
+      member do
+        post :create_u2f
+        post :codes
+        patch :skip
+      end
+    end
+
+    resources :u2f_registrations, only: [:destroy]
+  end
+end
diff --git a/config/routes/project.rb b/config/routes/project.rb
new file mode 100644
index 00000000000..82defb0ba71
--- /dev/null
+++ b/config/routes/project.rb
@@ -0,0 +1,302 @@
+resources :projects, constraints: { id: /[^\/]+/ }, only: [:index, :new, :create]
+
+resources :namespaces, path: '/', constraints: { id: /[a-zA-Z.0-9_\-]+/ }, only: [] do
+  resources(:projects, constraints: { id: /[a-zA-Z.0-9_\-]+(?<!\.atom)/ }, except:
+            [:new, :create, :index], path: "/") do
+    member do
+      put :transfer
+      delete :remove_fork
+      post :archive
+      post :unarchive
+      post :housekeeping
+      post :toggle_star
+      post :preview_markdown
+      post :export
+      post :remove_export
+      post :generate_new_export
+      get :download_export
+      get :autocomplete_sources
+      get :activity
+      get :refs
+      put :new_issue_address
+    end
+
+    scope module: :projects do
+      draw :git_http
+
+      #
+      # Templates
+      #
+      get '/templates/:template_type/:key' => 'templates#show', as: :template
+
+      resource  :avatar, only: [:show, :destroy]
+      resources :commit, only: [:show], constraints: { id: /\h{7,40}/ } do
+        member do
+          get :branches
+          get :builds
+          get :pipelines
+          post :cancel_builds
+          post :retry_builds
+          post :revert
+          post :cherry_pick
+          get :diff_for_path
+        end
+      end
+
+      resources :compare, only: [:index, :create] do
+        collection do
+          get :diff_for_path
+        end
+      end
+
+      get '/compare/:from...:to', to: 'compare#show', as: 'compare', constraints: { from: /.+/, to: /.+/ }
+
+      # Don't use format parameter as file extension (old 3.0.x behavior)
+      # See http://guides.rubyonrails.org/routing.html#route-globbing-and-wildcard-segments
+      scope format: false do
+        resources :network, only: [:show], constraints: { id: Gitlab::Regex.git_reference_regex }
+
+        resources :graphs, only: [:show], constraints: { id: Gitlab::Regex.git_reference_regex } do
+          member do
+            get :commits
+            get :ci
+            get :languages
+          end
+        end
+      end
+
+      resources :snippets, concerns: :awardable, constraints: { id: /\d+/ } do
+        member do
+          get 'raw'
+        end
+      end
+
+      resources :services, constraints: { id: /[^\/]+/ }, only: [:index, :edit, :update] do
+        member do
+          get :test
+        end
+      end
+
+      resources :deploy_keys, constraints: { id: /\d+/ }, only: [:index, :new, :create] do
+        member do
+          put :enable
+          put :disable
+        end
+      end
+
+      resources :forks, only: [:index, :new, :create]
+      resource :import, only: [:new, :create, :show]
+
+      resources :merge_requests, concerns: :awardable, constraints: { id: /\d+/ } do
+        member do
+          get :commits
+          get :diffs
+          get :conflicts
+          get :conflict_for_path
+          get :builds
+          get :pipelines
+          get :merge_check
+          post :merge
+          post :cancel_merge_when_build_succeeds
+          get :ci_status
+          get :ci_environments_status
+          post :toggle_subscription
+          post :remove_wip
+          get :diff_for_path
+          post :resolve_conflicts
+          post :assign_related_issues
+        end
+
+        collection do
+          get :branch_from
+          get :branch_to
+          get :update_branches
+          get :diff_for_path
+          post :bulk_update
+          get :new_diffs, path: 'new/diffs'
+        end
+
+        resources :discussions, only: [], constraints: { id: /\h{40}/ } do
+          member do
+            post :resolve
+            delete :resolve, action: :unresolve
+          end
+        end
+      end
+
+      resources :branches, only: [:index, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
+      resources :tags, only: [:index, :show, :new, :create, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex } do
+        resource :release, only: [:edit, :update]
+      end
+
+      resources :protected_branches, only: [:index, :show, :create, :update, :destroy], constraints: { id: Gitlab::Regex.git_reference_regex }
+      resources :variables, only: [:index, :show, :update, :create, :destroy]
+      resources :triggers, only: [:index, :create, :destroy]
+
+      resources :pipelines, only: [:index, :new, :create, :show] do
+        collection do
+          resource :pipelines_settings, path: 'settings', only: [:show, :update]
+        end
+
+        member do
+          post :cancel
+          post :retry
+        end
+      end
+
+      resources :environments, except: [:destroy] do
+        member do
+          post :stop
+        end
+      end
+
+      resource :cycle_analytics, only: [:show]
+
+      resources :builds, only: [:index, :show], constraints: { id: /\d+/ } do
+        collection do
+          post :cancel_all
+
+          resources :artifacts, only: [] do
+            collection do
+              get :latest_succeeded,
+                path: '*ref_name_and_path',
+                format: false
+            end
+          end
+        end
+
+        member do
+          get :status
+          post :cancel
+          post :retry
+          post :play
+          post :erase
+          get :trace
+          get :raw
+        end
+
+        resource :artifacts, only: [] do
+          get :download
+          get :browse, path: 'browse(/*path)', format: false
+          get :file, path: 'file/*path', format: false
+          post :keep
+        end
+      end
+
+      resources :hooks, only: [:index, :create, :destroy], constraints: { id: /\d+/ } do
+        member do
+          get :test
+        end
+      end
+
+      resources :container_registry, only: [:index, :destroy], constraints: { id: Gitlab::Regex.container_registry_reference_regex }
+
+      resources :milestones, constraints: { id: /\d+/ } do
+        member do
+          put :sort_issues
+          put :sort_merge_requests
+        end
+      end
+
+      resources :labels, except: [:show], constraints: { id: /\d+/ } do
+        collection do
+          post :generate
+          post :set_priorities
+        end
+
+        member do
+          post :toggle_subscription
+          delete :remove_priority
+        end
+      end
+
+      resources :issues, concerns: :awardable, constraints: { id: /\d+/ } do
+        member do
+          post :toggle_subscription
+          post :mark_as_spam
+          get :referenced_merge_requests
+          get :related_branches
+          get :can_create_branch
+        end
+        collection do
+          post  :bulk_update
+        end
+      end
+
+      resources :project_members, except: [:show, :new, :edit], constraints: { id: /[a-zA-Z.\/0-9_\-#%+]+/ }, concerns: :access_requestable do
+        collection do
+          delete :leave
+
+          # Used for import team
+          # from another project
+          get :import
+          post :apply_import
+        end
+
+        member do
+          post :resend_invite
+        end
+      end
+
+      resources :group_links, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
+
+      resources :notes, only: [:index, :create, :destroy, :update], concerns: :awardable, constraints: { id: /\d+/ } do
+        member do
+          delete :delete_attachment
+          post :resolve
+          delete :resolve, action: :unresolve
+        end
+      end
+
+      resources :boards, only: [:index, :show] do
+        scope module: :boards do
+          resources :issues, only: [:update]
+
+          resources :lists, only: [:index, :create, :update, :destroy] do
+            collection do
+              post :generate
+            end
+
+            resources :issues, only: [:index, :create]
+          end
+        end
+      end
+
+      resources :todos, only: [:create]
+
+      resources :uploads, only: [:create] do
+        collection do
+          get ":secret/:filename", action: :show, as: :show, constraints: { filename: /[^\/]+/ }
+        end
+      end
+
+      resources :runners, only: [:index, :edit, :update, :destroy, :show] do
+        member do
+          get :resume
+          get :pause
+        end
+
+        collection do
+          post :toggle_shared_runners
+        end
+      end
+
+      resources :runner_projects, only: [:create, :destroy]
+      resources :badges, only: [:index] do
+        collection do
+          scope '*ref', constraints: { ref: Gitlab::Regex.git_reference_regex } do
+            constraints format: /svg/ do
+              get :build
+              get :coverage
+            end
+          end
+        end
+      end
+
+      # Since both wiki and repository routing contains wildcard characters
+      # its preferable to keep it below all other project routes
+      draw :wiki
+      draw :repository
+    end
+  end
+end
diff --git a/config/routes/repository.rb b/config/routes/repository.rb
new file mode 100644
index 00000000000..76dcf113aea
--- /dev/null
+++ b/config/routes/repository.rb
@@ -0,0 +1,110 @@
+# All routing related to repositoty browsing
+
+resource :repository, only: [:create] do
+  member do
+    get 'archive', constraints: { format: Gitlab::Regex.archive_formats_regex }
+  end
+end
+
+resources :refs, only: [] do
+  collection do
+    get 'switch'
+  end
+
+  member do
+    # tree viewer logs
+    get 'logs_tree', constraints: { id: Gitlab::Regex.git_reference_regex }
+    # Directories with leading dots erroneously get rejected if git
+    # ref regex used in constraints. Regex verification now done in controller.
+    get 'logs_tree/*path' => 'refs#logs_tree', as: :logs_file, constraints: {
+      id: /.*/,
+      path: /.*/
+    }
+  end
+end
+
+get '/new/*id', to: 'blob#new', constraints: { id: /.+/ }, as: 'new_blob'
+post '/create/*id', to: 'blob#create', constraints: { id: /.+/ }, as: 'create_blob'
+get '/edit/*id', to: 'blob#edit', constraints: { id: /.+/ }, as: 'edit_blob'
+put '/update/*id', to: 'blob#update', constraints: { id: /.+/ }, as: 'update_blob'
+post '/preview/*id', to: 'blob#preview', constraints: { id: /.+/ }, as: 'preview_blob'
+
+scope do
+  get(
+    '/blob/*id/diff',
+    to: 'blob#diff',
+    constraints: { id: /.+/, format: false },
+    as: :blob_diff
+  )
+  get(
+    '/blob/*id',
+    to: 'blob#show',
+    constraints: { id: /.+/, format: false },
+    as: :blob
+  )
+  delete(
+    '/blob/*id',
+    to: 'blob#destroy',
+    constraints: { id: /.+/, format: false }
+  )
+  put(
+    '/blob/*id',
+    to: 'blob#update',
+    constraints: { id: /.+/, format: false }
+  )
+  post(
+    '/blob/*id',
+    to: 'blob#create',
+    constraints: { id: /.+/, format: false }
+  )
+
+  get(
+    '/raw/*id',
+    to: 'raw#show',
+    constraints: { id: /.+/, format: /(html|js)/ },
+    as: :raw
+  )
+
+  get(
+    '/tree/*id',
+    to: 'tree#show',
+    constraints: { id: /.+/, format: /(html|js)/ },
+    as: :tree
+  )
+
+  get(
+    '/find_file/*id',
+    to: 'find_file#show',
+    constraints: { id: /.+/, format: /html/ },
+    as: :find_file
+  )
+
+  get(
+    '/files/*id',
+    to: 'find_file#list',
+    constraints: { id: /(?:[^.]|\.(?!json$))+/, format: /json/ },
+    as: :files
+  )
+
+  post(
+    '/create_dir/*id',
+      to: 'tree#create_dir',
+      constraints: { id: /.+/ },
+      as: 'create_dir'
+  )
+
+  get(
+    '/blame/*id',
+    to: 'blame#show',
+    constraints: { id: /.+/, format: /(html|js)/ },
+    as: :blame
+  )
+
+  # File/dir history
+  get(
+    '/commits/*id',
+    to: 'commits#show',
+    constraints: { id: /.+/, format: false },
+    as: :commits
+  )
+end
diff --git a/config/routes/sherlock.rb b/config/routes/sherlock.rb
new file mode 100644
index 00000000000..c9969f91c36
--- /dev/null
+++ b/config/routes/sherlock.rb
@@ -0,0 +1,12 @@
+if Gitlab::Sherlock.enabled?
+  namespace :sherlock do
+    resources :transactions, only: [:index, :show] do
+      resources :queries, only: [:show]
+      resources :file_samples, only: [:show]
+
+      collection do
+        delete :destroy_all
+      end
+    end
+  end
+end
diff --git a/config/routes/sidekiq.rb b/config/routes/sidekiq.rb
new file mode 100644
index 00000000000..d3e6bc4c292
--- /dev/null
+++ b/config/routes/sidekiq.rb
@@ -0,0 +1,4 @@
+constraint = lambda { |request| request.env['warden'].authenticate? and request.env['warden'].user.admin? }
+constraints constraint do
+  mount Sidekiq::Web, at: '/admin/sidekiq', as: :sidekiq
+end
diff --git a/config/routes/snippets.rb b/config/routes/snippets.rb
new file mode 100644
index 00000000000..3ca096f31ba
--- /dev/null
+++ b/config/routes/snippets.rb
@@ -0,0 +1,9 @@
+resources :snippets, concerns: :awardable do
+  member do
+    get 'raw'
+    get 'download'
+  end
+end
+
+get '/s/:username', to: redirect('/u/%{username}/snippets'),
+                    constraints: { username: /[a-zA-Z.0-9_\-]+(?<!\.atom)/ }
diff --git a/config/routes/uploads.rb b/config/routes/uploads.rb
new file mode 100644
index 00000000000..2b22148a134
--- /dev/null
+++ b/config/routes/uploads.rb
@@ -0,0 +1,21 @@
+scope path: :uploads do
+  # Note attachments and User/Group/Project avatars
+  get ":model/:mounted_as/:id/:filename",
+      to:           "uploads#show",
+      constraints:  { model: /note|user|group|project/, mounted_as: /avatar|attachment/, filename: /[^\/]+/ }
+
+  # Appearance
+  get ":model/:mounted_as/:id/:filename",
+      to:           "uploads#show",
+      constraints:  { model: /appearance/, mounted_as: /logo|header_logo/, filename: /.+/ }
+
+  # Project markdown uploads
+  get ":namespace_id/:project_id/:secret/:filename",
+    to:           "projects/uploads#show",
+    constraints:  { namespace_id: /[a-zA-Z.0-9_\-]+/, project_id: /[a-zA-Z.0-9_\-]+/, filename: /[^\/]+/ }
+end
+
+# Redirect old note attachments path to new uploads path.
+get "files/note/:id/:filename",
+  to:           redirect("uploads/note/attachment/%{id}/%{filename}"),
+  constraints:  { filename: /[^\/]+/ }
diff --git a/config/routes/user.rb b/config/routes/user.rb
new file mode 100644
index 00000000000..dc1068af6f6
--- /dev/null
+++ b/config/routes/user.rb
@@ -0,0 +1,45 @@
+require 'constraints/user_url_constrainer'
+
+devise_for :users, controllers: { omniauth_callbacks: :omniauth_callbacks,
+                                  registrations: :registrations,
+                                  passwords: :passwords,
+                                  sessions: :sessions,
+                                  confirmations: :confirmations }
+
+devise_scope :user do
+  get '/users/auth/:provider/omniauth_error' => 'omniauth_callbacks#omniauth_error', as: :omniauth_error
+  get '/users/almost_there' => 'confirmations#almost_there'
+end
+
+constraints(UserUrlConstrainer.new) do
+  scope(path: ':username',
+        as: :user,
+        constraints: { username: Gitlab::Regex.namespace_route_regex },
+        controller: :users) do
+    get '/', action: :show
+  end
+end
+
+scope(constraints: { username: Gitlab::Regex.namespace_route_regex }) do
+  scope(path: 'users/:username',
+        as: :user,
+        controller: :users) do
+    get :calendar
+    get :calendar_activities
+    get :groups
+    get :projects
+    get :contributed, as: :contributed_projects
+    get :snippets
+    get :exists
+    get '/', to: redirect('/%{username}')
+  end
+
+  # Compatibility with old routing
+  # TODO (dzaporozhets): remove in 10.0
+  get '/u/:username', to: redirect('/%{username}')
+  # TODO (dzaporozhets): remove in 9.0
+  get '/u/:username/groups', to: redirect('/users/%{username}/groups')
+  get '/u/:username/projects', to: redirect('/users/%{username}/projects')
+  get '/u/:username/snippets', to: redirect('/users/%{username}/snippets')
+  get '/u/:username/contributed', to: redirect('/users/%{username}/contributed')
+end
diff --git a/config/routes/wiki.rb b/config/routes/wiki.rb
new file mode 100644
index 00000000000..ecd4d395d66
--- /dev/null
+++ b/config/routes/wiki.rb
@@ -0,0 +1,16 @@
+WIKI_SLUG_ID = { id: /\S+/ } unless defined? WIKI_SLUG_ID
+
+scope do
+  # Order matters to give priority to these matches
+  get '/wikis/git_access', to: 'wikis#git_access'
+  get '/wikis/pages', to: 'wikis#pages', as: 'wiki_pages'
+  post '/wikis', to: 'wikis#create'
+
+  get '/wikis/*id/history', to: 'wikis#history', as: 'wiki_history', constraints: WIKI_SLUG_ID
+  get '/wikis/*id/edit', to: 'wikis#edit', as: 'wiki_edit', constraints: WIKI_SLUG_ID
+
+  get '/wikis/*id', to: 'wikis#show', as: 'wiki', constraints: WIKI_SLUG_ID
+  delete '/wikis/*id', to: 'wikis#destroy', constraints: WIKI_SLUG_ID
+  put '/wikis/*id', to: 'wikis#update', constraints: WIKI_SLUG_ID
+  post '/wikis/*id/preview_markdown', to: 'wikis#preview_markdown', constraints: WIKI_SLUG_ID, as: 'wiki_preview_markdown'
+end
diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml
new file mode 100644
index 00000000000..0aec8aedf72
--- /dev/null
+++ b/config/sidekiq_queues.yml
@@ -0,0 +1,48 @@
+# This configuration file should be exclusively used to set queue settings for
+# Sidekiq. Any other setting should be specified using the Sidekiq CLI or the
+# Sidekiq Ruby API (see config/initializers/sidekiq.rb).
+---
+# All the queues to process and their weights. Every queue _must_ have a weight
+# defined.
+#
+# The available weights are as follows
+#
+# 1: low priority
+# 2: medium priority
+# 3: high priority
+# 5: _super_ high priority, this should only be used for _very_ important queues
+#
+# As per http://stackoverflow.com/a/21241357/290102 the formula for calculating
+# the likelihood of a job being popped off a queue (given all queues have work
+# to perform) is:
+#
+#     chance = (queue weight / total weight of all queues) * 100
+:queues:
+  - [post_receive, 5]
+  - [merge, 5]
+  - [update_merge_requests, 3]
+  - [process_commit, 2]
+  - [new_note, 2]
+  - [build, 2]
+  - [pipeline, 2]
+  - [gitlab_shell, 2]
+  - [email_receiver, 2]
+  - [emails_on_push, 2]
+  - [mailers, 2]
+  - [repository_fork, 1]
+  - [repository_import, 1]
+  - [project_service, 1]
+  - [clear_database_cache, 1]
+  - [delete_user, 1]
+  - [expire_build_instance_artifacts, 1]
+  - [group_destroy, 1]
+  - [irker, 1]
+  - [project_cache, 1]
+  - [project_destroy, 1]
+  - [project_export, 1]
+  - [project_web_hook, 1]
+  - [repository_check, 1]
+  - [system_hook, 1]
+  - [git_garbage_collect, 1]
+  - [cronjob, 1]
+  - [default, 1]