author: GitLab Bot <gitlab-bot@gitlab.com> 2021-02-18 10:34:06 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-02-18 10:34:06 +0000
commit: 859a6fb938bb9ee2a317c46dfa4fcc1af49608f0 (patch)
tree: d7f2700abe6b4ffcb2dcfc80631b2d87d0609239 /doc/security
parent: 446d496a6d000c73a304be52587cd9bbc7493136 (diff)
download: gitlab-ce-859a6fb938bb9ee2a317c46dfa4fcc1af49608f0.tar.gz

Add latest changes from gitlab-org/gitlab@13-9-stable-ee (tag: v13.9.0-rc42)
Diffstat (limited to 'doc/security')
-rw-r--r-- doc/security/README.md | 2
-rw-r--r-- doc/security/asset_proxy.md | 3
-rw-r--r-- doc/security/cicd_environment_variables.md | 13
-rw-r--r-- doc/security/cicd_variables.md | 13
-rw-r--r-- doc/security/crime_vulnerability.md | 2
-rw-r--r-- doc/security/password_storage.md | 2
-rw-r--r-- doc/security/rate_limits.md | 13
-rw-r--r-- doc/security/reset_user_password.md | 93
-rw-r--r-- doc/security/two_factor_authentication.md | 8
-rw-r--r-- doc/security/unlock_user.md | 2
10 files changed, 95 insertions, 56 deletions
diff --git a/doc/security/README.md b/doc/security/README.md
index 3b64d0229ed..b009fe5c8da 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -23,7 +23,7 @@ type: index
- [Send email confirmation on sign-up](user_email_confirmation.md)
- [Security of running jobs](https://docs.gitlab.com/runner/security/)
- [Proxying images](asset_proxy.md)
-- [CI/CD environment variables](cicd_environment_variables.md)
+- [CI/CD variables](cicd_variables.md)
## Securing your GitLab installation
diff --git a/doc/security/asset_proxy.md b/doc/security/asset_proxy.md
index 613743143d3..7774f5e0635 100644
--- a/doc/security/asset_proxy.md
+++ b/doc/security/asset_proxy.md
@@ -51,7 +51,8 @@ To install a Camo server as an asset proxy:
| `asset_proxy_enabled` | Enable proxying of assets. If enabled, requires: `asset_proxy_url`). |
| `asset_proxy_secret_key` | Shared secret with the asset proxy server. |
| `asset_proxy_url` | URL of the asset proxy server. |
- | `asset_proxy_whitelist` | Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically whitelisted. |
+ | `asset_proxy_whitelist` | (Deprecated: Use `asset_proxy_allowlist` instead) Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
+ | `asset_proxy_allowlist` | Assets that match these domain(s) are NOT proxied. Wildcards allowed. Your GitLab installation URL is automatically allowed. |
1. Restart the server for the changes to take effect. Each time you change any values for the asset
proxy, you need to restart the server.
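Review bot: the new `asset_proxy_allowlist` row does not say which setting wins when an operator has both `asset_proxy_whitelist` and `asset_proxy_allowlist` configured (during a migration both will commonly be present), and the deprecation note gives no removal version; add one sentence on precedence (for example, "if both are set, `asset_proxy_allowlist` is used and `asset_proxy_whitelist` is ignored", if that is the behaviour) and a version or issue link for the removal. Drive-by: the unchanged `asset_proxy_enabled` row above has an unbalanced closing parenthesis in "requires: `asset_proxy_url`)."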
diff --git a/doc/security/cicd_environment_variables.md b/doc/security/cicd_environment_variables.md
index 4d60df8e531..7de2e17c0f9 100644
--- a/doc/security/cicd_environment_variables.md
+++ b/doc/security/cicd_environment_variables.md
@@ -1,13 +1,8 @@
---
-stage: Release
-group: Release
-info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+redirect_to: 'cicd_variables.md'
---
-# CI/CD Environment Variables
+This document was moved to [another location](cicd_variables.md).
-Environment variables are applied to environments via the runner and can be set from the project's **Settings > CI/CD** page.
-
-The values are encrypted using [aes-256-cbc](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) and stored in the database.
-
-This data can only be decrypted with a valid [secrets file](../raketasks/backup_restore.md#when-the-secrets-file-is-lost).
+<!-- This redirect file can be deleted after 2021-05-15. -->
+<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page -->
diff --git a/doc/security/cicd_variables.md b/doc/security/cicd_variables.md
new file mode 100644
index 00000000000..4ef8129da2a
--- /dev/null
+++ b/doc/security/cicd_variables.md
@@ -0,0 +1,13 @@
+---
+stage: Secure
+group: None
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
+---
+
+# CI/CD Variables
+
+CI/CD variables are applied to environments via the runner and can be set from the project's **Settings > CI/CD** page.
+
+The values are encrypted using [`aes-256-cbc`](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) and stored in the database.
+
+This data can only be decrypted with a valid [secrets file](../raketasks/backup_restore.md#when-the-secrets-file-is-lost).
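Review bot: the new page names the cipher mode (`aes-256-cbc`) but says nothing about integrity protection or which key from the secrets file is used; CBC on its own is malleable, so either state that the stored values are also authenticated (MAC or an authenticated encryption layer) or drop the mode name and say only that values are encrypted at rest with a key held in the secrets file, which is the fact that matters for backup and restore. "Applied to environments via the runner" is also vague about where the plaintext ends up: say that the values are exposed to jobs at run time, since that is the exposure a reader of a security page wants to know about. Minor: `group: None` in the front matter defeats the `info:` line that tells readers to look up the writer by Stage/Group; pick the owning group.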
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md
index c5f8afe36ad..9a43f5dfca8 100644
--- a/doc/security/crime_vulnerability.md
+++ b/doc/security/crime_vulnerability.md
@@ -58,7 +58,7 @@ vulnerability.
## References
-- NGINX ["Module ngx_http_spdy_module"](http://nginx.org/en/docs/http/ngx_http_spdy_module.html)
+- NGINX ["Module `ngx_http_spdy_module`"](http://nginx.org/en/docs/http/ngx_http_spdy_module.html)
- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"](https://www.tenable.com/plugins/index.php?view=single&id=62565)
- Wikipedia contributors, ["CRIME"](https://en.wikipedia.org/wiki/CRIME) Wikipedia, The Free Encyclopedia
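Review bot: the edited reference keeps a plain `http://` link to nginx.org on a page whose subject is attacks against TLS; use `https://nginx.org/en/docs/http/ngx_http_spdy_module.html`. Also consider whether a SPDY module page is still the right pointer for the remediation: nginx serves HTTP/2 through `ngx_http_v2_module`, so a reader applying the advice today will be looking for the HTTP/2 equivalent of the compression setting.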
diff --git a/doc/security/password_storage.md b/doc/security/password_storage.md
index ca39defe6b9..af4b57e342a 100644
--- a/doc/security/password_storage.md
+++ b/doc/security/password_storage.md
@@ -11,6 +11,6 @@ GitLab stores user passwords in a hashed format, to prevent passwords from being
GitLab uses the [Devise](https://github.com/heartcombo/devise) authentication library, which handles the hashing of user passwords. Password hashes are created with the following attributes:
-- **Hashing**: the [bcrypt](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function.
+- **Hashing**: the [`bcrypt`](https://en.wikipedia.org/wiki/Bcrypt) hashing function is used to generate the hash of the provided password. This is a strong, industry-standard cryptographic hashing function.
- **Stretching**: Password hashes are [stretched](https://en.wikipedia.org/wiki/Key_stretching) to harden against brute-force attacks. GitLab uses a stretching factor of 10 by default.
- **Salting**: A [cryptographic salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) is added to each password to harden against pre-computed hash and dictionary attacks. Each salt is randomly generated for each password, so that no two passwords share a salt, to further increase security.
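Review bot: since this hunk is already touching the hashing bullet, make the unchanged stretching bullet precise: "a stretching factor of 10" is the bcrypt cost (work factor), meaning 2^10 key-derivation rounds, and readers comparing against password-storage guidance or checking their own Devise `stretches` setting need that wording rather than the generic "stretching factor".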
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index 500ec057102..1609607ea5c 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -25,11 +25,14 @@ similarly mitigated by a rate limit.
## Admin Area settings
-- [Issues rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md).
-- [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md).
-- [Raw endpoints rate limits](../user/admin_area/settings/rate_limits_on_raw_endpoints.md).
-- [Protected paths](../user/admin_area/settings/protected_paths.md).
-- [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md).
+These are rate limits you can set in the Admin Area of your instance:
+
+- [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md)
+- [Issues rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md)
+- [Notes rate limits](../user/admin_area/settings/rate_limit_on_notes_creation.md)
+- [Protected paths](../user/admin_area/settings/protected_paths.md)
+- [Raw endpoints rate limits](../user/admin_area/settings/rate_limits_on_raw_endpoints.md)
+- [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md)
## Non-configurable limits
diff --git a/doc/security/reset_user_password.md b/doc/security/reset_user_password.md
index fc808452736..ed7b9f89616 100644
--- a/doc/security/reset_user_password.md
+++ b/doc/security/reset_user_password.md
@@ -7,70 +7,91 @@ type: howto
# How to reset user password
-To reset the password of a user, first log into your server with root privileges.
+There are a few ways to reset the password of a user.
-Start a Ruby on Rails console with this command:
+## Rake Task
+
+GitLab provides a Rake Task to reset passwords of users using their usernames,
+which can be invoked by the following command:
```shell
-gitlab-rails console -e production
+sudo gitlab-rake "gitlab:password:reset"
```
-Wait until the console has loaded.
-
-## Find the user
+You will be asked for username, password, and password confirmation. Upon giving
+proper values for them, the password of the specified user will be updated.
-There are multiple ways to find your user. You can search by email or user ID number.
+The Rake task also takes the username as an argument, as shown in the example
+below:
```shell
-user = User.where(id: 7).first
+sudo gitlab-rake "gitlab:password:reset[johndoe]"
```
-or
+NOTE:
+To reset the default admin password, run this Rake task with the username
+`root`, which is the default username of that admin account.
-```shell
-user = User.find_by(email: 'user@example.com')
-```
+## Rails console
-## Reset the password
+The Rake task is capable of finding users via their usernames. However, if only
+user ID or email ID of the user is known, Rails console can be used to find user
+using user ID and then change password of the user manually.
-Now you can change your password:
+1. Start a Rails console
-```shell
-user.password = 'secret_pass'
-user.password_confirmation = 'secret_pass'
-```
+ ```shell
+ sudo gitlab-rails console -e production
+ ```
-It's important that you change both password and password_confirmation to make it work.
+1. Find the user either by user ID or email ID:
-When using this method instead of the [Users API](../api/users.md#user-modification), GitLab sends an email to the user stating that the user changed their password.
+ ```ruby
+ user = User.find(123)
-If the password was changed by an administrator, execute the following command to notify the user by email:
+ #or
-```shell
-user.send_only_admin_changed_your_password_notification!
-```
+ user = User.find_by(email: 'user@example.com')
+ ```
-Don't forget to save the changes.
+1. Reset the password
-```shell
-user.save!
-```
+ ```ruby
+ user.password = 'secret_pass'
+ user.password_confirmation = 'secret_pass'
+ ```
+
+1. When using this method instead of the [Users API](../api/users.md#user-modification),
+ GitLab sends an email to the user stating that the user changed their
+ password. If the password was changed by an administrator, execute the
+ following command to notify the user by email:
+
+ ```ruby
+ user.send_only_admin_changed_your_password_notification!
+ ```
-Exit the console, and then try to sign in with your new password.
+1. Save the changes:
+
+ ```ruby
+ user.save!
+ ```
+
+1. Exit the console, and then try to sign in with your new password.
NOTE:
You can also reset passwords by using the [Users API](../api/users.md#user-modification).
-### Reset your root password
+## Reset your root password
-The previously described steps can also be used to reset the root password. First,
-identify the root user, with an `id` of `1`. To do so, run the following command:
+The previously described steps can also be used to reset the root password.
-```shell
-user = User.where(id: 1).first
-```
+In normal installations where the username of root account hasn't been changed
+manually, the Rake task can be used with username `root` to reset the root
+password.
-After finding the user, follow the steps mentioned in the [Reset the password](#reset-the-password) section to reset the password of the root user.
+If the username was changed to something else and has been forgotten, one
+possible way is to reset the password using Rails console with user ID `1` (in
+almost all the cases, the first user will be the default admin account).
<!-- ## Troubleshooting
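Review bot: the Rails console steps never say that the new password must satisfy the instance's password validations (minimum length and any other rules on `User`), so `user.save!` at step 5 raises a validation error and the reset fails for a reader who picks a value shorter than the configured minimum; add that caveat beside `user.password = 'secret_pass'` and say explicitly that the `send_only_admin_changed_your_password_notification!` step must stay before `save!`, since the text implies it replaces the default "you changed your password" mail that is sent on save. The console example also has the administrator type the plaintext password into an interactive session whose history can be persisted to disk, which is the reason to prefer the Rake task that prompts for the password; state that reason rather than leaving the two methods as equals. Minor: `#or` should be `# or`, and "email ID" should read "email address".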
diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md
index 4911cf63489..7a9ed9d435d 100644
--- a/doc/security/two_factor_authentication.md
+++ b/doc/security/two_factor_authentication.md
@@ -110,9 +110,10 @@ Each scenario can be a third-level heading, e.g. `### Getting error message X`.
If you have none to add when creating a doc, leave this section in place
but commented out to help encourage others to add to it in the future. -->
-## Two-factor Authentication (2FA) for Git over SSH operations
+## Two-factor Authentication (2FA) for Git over SSH operations **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/270554) in GitLab 13.7.
+> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/299088) from GitLab Free to GitLab Premium in 13.9.
> - It's [deployed behind a feature flag](../user/feature_flags.md), disabled by default.
> - It's disabled on GitLab.com.
> - It's not recommended for production use.
@@ -149,3 +150,8 @@ To disable it:
```ruby
Feature.disable(:two_factor_for_cli)
```
+
+The feature flag affects these features:
+
+- [Two-factor Authentication (2FA) for Git over SSH operations](#two-factor-authentication-2fa-for-git-over-ssh-operations).
+- [Customize session duration for Git Operations when 2FA is enabled](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled).
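Review bot: the new paragraph ties the Admin Area session-duration setting to the `two_factor_for_cli` flag but does not say what happens to that setting when the flag is disabled (hidden in the UI, or shown but ignored); an administrator who configures a session duration and then finds it has no effect will not know to look here, so add one sentence on the behaviour, and mention that the flag, and therefore both features, are disabled by default as stated at the top of the section.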
diff --git a/doc/security/unlock_user.md b/doc/security/unlock_user.md
index 2a26b71071b..45da283f33e 100644
--- a/doc/security/unlock_user.md
+++ b/doc/security/unlock_user.md
@@ -40,7 +40,7 @@ To unlock a locked user:
user.unlock_access!
```
-1. Exit the console with <kbd>Ctrl</kbd>+<kbd>d</kbd>
+1. Exit the console with <kbd>Control</kbd>+<kbd>d</kbd>
The user should now be able to log in.