Automatic merge of gitlab-org/gitlab master

app/controllers/graphql_controller.rb

@@ -82,6 +82,13 @@ def execute
     render_error(exception.message, status: :unprocessable_entity)
   end
 
+  rescue_from ActiveRecord::QueryAborted do |exception|
+    log_exception(exception)
+
+    error = "Request timed out. Please try a less complex query or a smaller set of records."
+    render_error(error, status: :service_unavailable)
+  end
+
   override :feature_category
   def feature_category
     ::Gitlab::FeatureCategories.default.from_request(request) || super

doc/development/i18n/proofreader.md

@@ -54,6 +54,7 @@ are very appreciative of the work done by translators and proofreaders!
   - Andrei Jiroh Halili - [GitLab](https://gitlab.com/ajhalili2006), [Crowdin](https://crowdin.com/profile/AndreiJirohHaliliDev2006)
 - French
   - Davy Defaud - [GitLab](https://gitlab.com/DevDef), [Crowdin](https://crowdin.com/profile/DevDef)
+  - Germain Gorisse - [GitLab](https://gitlab.com/ggorisse), [Crowdin](https://crowdin.com/profile/germaingorisse)
 - Galician
   - Antón Méixome - [Crowdin](https://crowdin.com/profile/meixome)
   - Pedro Garcia - [GitLab](https://gitlab.com/pedgarrod), [Crowdin](https://crowdin.com/profile/breaking_pitt)

doc/user/group/saml_sso/index.md

@@ -513,7 +513,7 @@ Alternatively, the SAML response may be missing the `InResponseTo` attribute in
 The identity provider administrator should ensure that the login is
 initiated by the service provider and not the identity provider.
 
-### Message: "Login to a GitLab account to link with your SAML identity"
+### Message: "Sign in to GitLab to connect your organization's account"
 
 A user can see this message when they are trying to [manually link SAML to their existing GitLab.com account](#linking-saml-to-your-existing-gitlabcom-account).
 

ee/app/controllers/groups/omniauth_callbacks_controller.rb

@@ -31,7 +31,7 @@ def link_identity(identity_linker)
 
   override :redirect_identity_linked
   def redirect_identity_linked
-    flash[:notice] = "SAML for #{@unauthenticated_group.name} was added to your connected accounts"
+    flash[:notice] = s_("SAML|Your organization's SSO has been connected to your GitLab account")
 
     redirect_to after_sign_in_path_for(current_user)
   end
@@ -116,7 +116,7 @@ def fail_login(user)
   end
 
   def redirect_to_login_or_register
-    notice = "Login to a GitLab account to link with your SAML identity"
+    notice = s_("SAML|Sign in to GitLab to connect your organization's account")
 
     after_gitlab_sign_in = sso_group_saml_providers_path(@unauthenticated_group)
 

ee/app/controllers/groups/sso_controller.rb

@@ -23,7 +23,6 @@ def saml
     @group_path = unauthenticated_group.path
     @group_name = unauthenticated_group.full_name
     @group_saml_identity = linked_identity
-    @idp_url = unauthenticated_group.saml_provider.sso_url
     @auto_redirect_to_provider = current_user&.group_sso?(unauthenticated_group)
 
     render layout: 'devise_empty' if @auto_redirect_to_provider

ee/app/views/groups/sso/saml.html.haml

@@ -11,18 +11,12 @@
     .login-body.gl-px-5.gl-pt-5
       - if @group_saml_identity || !user_signed_in?
         %h4.gl-mt-0= _('Sign in to "%{group_name}"') % { group_name: @group_name }
+        %p= s_('SAML|To access "%{group_name}" you must sign in with your Single Sign-On account, through an external sign-in page.') % { group_name: @group_name }
+        = saml_link _('Sign in'), @group_path, html_class: 'btn btn-confirm btn-md gl-button btn-block qa-saml-sso-signin-button', redirect: @redirect_path
       - else
-        %h4.gl-mt-0= _('Allow "%{group_name}" to sign you in') % { group_name: @group_name }
-
-      %p= _('The "%{group_path}" group allows you to sign in with your Single Sign-On Account') % { group_path: @group_path }
-
-      - if @group_saml_identity || !user_signed_in?
-        %p= _("This will redirect you to an external sign in page.")
-
-        = saml_link _('Sign in with Single Sign-On'), @group_path, html_class: 'btn btn-confirm btn-md gl-button btn-block qa-saml-sso-signin-button', redirect: @redirect_path
-      - else
+        %h4.gl-mt-0= s_('Allow "%{group_name}" to sign you in') % { group_name: @group_name }
+        %p= s_('SAML|The "%{group_path}" group allows you to sign in with your Single Sign-On Account.') % { group_path: @group_path }
         = render Pajamas::AlertComponent.new(variant: :warning, dismissible: false, alert_options: { class: 'gl-mb-5 gl-word-break-word' }) do |c|
           = c.body do
-            = _("Only proceed if you trust %{idp_url} to control your GitLab account sign in.") % { idp_url: @idp_url }
-
+            = s_('SAML|Selecting "Authorize" will transfer ownership of your GitLab account "%{username}" (%{email}) to your organization.') % { username: current_user.username, email: current_user.email }
         = saml_link _('Authorize'), @group_path, html_class: 'btn btn-confirm btn-md gl-button btn-block qa-saml-sso-signin-button'

ee/spec/controllers/groups/omniauth_callbacks_controller_spec.rb

@@ -145,7 +145,7 @@ def stub_last_request_id(id)
       it "displays a flash message verifying group sign in" do
         post provider, params: { group_id: group }
 
-        expect(flash[:notice]).to eq('Login to a GitLab account to link with your SAML identity')
+        expect(flash[:notice]).to eq(s_("SAML|Sign in to GitLab to connect your organization's account"))
       end
 
       it 'does not add linked identity' do
@@ -213,7 +213,7 @@ def stub_last_request_id(id)
         it "displays a flash indicating the account has been linked" do
           post provider, params: { group_id: group }
 
-          expect(flash[:notice]).to match(/SAML for .* was added/)
+          expect(flash[:notice]).to eq(s_("SAML|Your organization's SSO has been connected to your GitLab account"))
         end
 
         it 'logs group audit event for being added to the group' do
@@ -268,7 +268,7 @@ def stub_last_request_id(id)
             post provider, params: { group_id: group }
 
             expect(response).to redirect_to(new_user_session_path)
-            expect(flash[:notice]).to start_with("Login to a GitLab account to link with your SAML identity")
+            expect(flash[:notice]).to eq(s_("SAML|Sign in to GitLab to connect your organization's account"))
           end
         end
 

ee/spec/features/groups/saml_enforcement_spec.rb

@@ -109,7 +109,7 @@
     it 'shows loading screen and link used for auto-redirect' do
       visit group_path(group)
 
-      click_link 'Sign in with Single Sign-On'
+      click_link 'Sign in'
 
       days_after_timeout = Gitlab::Auth::GroupSaml::SsoEnforcer::DEFAULT_SESSION_TIMEOUT + 2.days
       travel_to(days_after_timeout.from_now) do
@@ -129,7 +129,7 @@
 
         expect(current_url).to include("redirect=#{CGI.escape(resource_path)}")
 
-        click_link 'Sign in with Single Sign-On'
+        click_link 'Sign in'
 
         # Capybara's have_current_path matcher checks the path and query string
         expect(page).to have_current_path(resource_path)

ee/spec/features/groups/saml_providers_spec.rb

@@ -227,7 +227,6 @@ def stub_saml_config
 
           expect(page).to have_content('SAML SSO')
           expect(page).to have_content("Sign in to \"#{group.full_name}\"")
-          expect(page).to have_content('Sign in with Single Sign-On')
         end
       end
 
@@ -240,7 +239,6 @@ def stub_saml_config
           visit sso_group_saml_providers_path(group)
 
           expect(page).to have_content(/Allow .* to sign you in/)
-          expect(page).to have_content(saml_provider.sso_url)
           expect(page).to have_content('Authorize')
         end
 
@@ -251,7 +249,7 @@ def stub_saml_config
 
           click_link 'Authorize'
 
-          expect(page).to have_content(/SAML for .* was added to your connected accounts/)
+          expect(page).to have_content("Your organization's SSO has been connected to your GitLab account")
           expect(user.identities.last.extern_uid).to eq external_uid
         end
 
@@ -282,7 +280,7 @@ def stub_saml_config
         it 'warns user that their account is locked' do
           visit sso_group_saml_providers_path(group)
 
-          click_link 'Sign in with Single Sign-On'
+          click_link 'Sign in'
 
           expect(page).to have_content('Your account is locked.')
         end
@@ -295,7 +293,7 @@ def stub_saml_config
           it 'warns user their account is locked' do
             visit sso_group_saml_providers_path(group)
 
-            click_link 'Sign in with Single Sign-On'
+            click_link 'Sign in'
 
             expect(page).to have_content('Your account is locked.')
             expect(page).to have_current_path sso_group_saml_providers_path(group), ignore_query: true

ee/spec/features/users/login_spec.rb

@@ -222,7 +222,7 @@
       it 'shows U2F prompt after SAML' do
         visit sso_group_saml_providers_path(group, token: group.saml_discovery_token)
 
-        click_link 'Sign in with Single Sign-On'
+        click_link 'Sign in'
 
         expect(page).to have_content('Trying to communicate with your device')
         expect(page).to have_link('Sign in via 2FA code')
@@ -243,7 +243,7 @@
       it 'shows WebAuthn prompt after SAML' do
         visit sso_group_saml_providers_path(group, token: group.saml_discovery_token)
 
-        click_link 'Sign in with Single Sign-On'
+        click_link 'Sign in'
 
         # Mock the webauthn procedure to neither reject or resolve, just do nothing
         # Using the built-in credentials.get functionality would result in an SecurityError

lib/gitlab/background_migration/batching_strategies/backfill_issue_work_item_type_batching_strategy.rb

@@ -8,7 +8,7 @@ module BatchingStrategies
       #
       # If no more batches exist in the table, returns nil.
       class BackfillIssueWorkItemTypeBatchingStrategy < PrimaryKeyBatchingStrategy
-        def apply_additional_filters(relation, job_arguments:)
+        def apply_additional_filters(relation, job_arguments:, job_class: nil)
           issue_type = job_arguments.first
 
           relation.where(issue_type: issue_type)

lib/gitlab/background_migration/batching_strategies/backfill_project_namespace_per_group_batching_strategy.rb

@@ -16,7 +16,7 @@ class BackfillProjectNamespacePerGroupBatchingStrategy < PrimaryKeyBatchingStrat
         # batch_min_value - The minimum value which the next batch will start at
         # batch_size - The size of the next batch
         # job_arguments - The migration job arguments
-        def next_batch(table_name, column_name, batch_min_value:, batch_size:, job_arguments:)
+        def next_batch(table_name, column_name, batch_min_value:, batch_size:, job_arguments:, job_class: nil)
           next_batch_bounds = nil
           model_class = ::Gitlab::BackgroundMigration::ProjectNamespaces::Models::Project
           quoted_column_name = model_class.connection.quote_column_name(column_name)

lib/gitlab/background_migration/batching_strategies/primary_key_batching_strategy.rb

@@ -18,12 +18,13 @@ class PrimaryKeyBatchingStrategy < BaseStrategy
         # batch_min_value - The minimum value which the next batch will start at
         # batch_size - The size of the next batch
         # job_arguments - The migration job arguments
-        def next_batch(table_name, column_name, batch_min_value:, batch_size:, job_arguments:)
+        # job_class - The migration job class
+        def next_batch(table_name, column_name, batch_min_value:, batch_size:, job_arguments:, job_class: nil)
           model_class = define_batchable_model(table_name, connection: connection)
 
           quoted_column_name = model_class.connection.quote_column_name(column_name)
           relation = model_class.where("#{quoted_column_name} >= ?", batch_min_value)
-          relation = apply_additional_filters(relation, job_arguments: job_arguments)
+          relation = apply_additional_filters(relation, job_arguments: job_arguments, job_class: job_class)
           next_batch_bounds = nil
 
           relation.each_batch(of: batch_size, column: column_name) do |batch| # rubocop:disable Lint/UnreachableLoop
@@ -35,19 +36,11 @@ def next_batch(table_name, column_name, batch_min_value:, batch_size:, job_argum
           next_batch_bounds
         end
 
-        # Strategies based on PrimaryKeyBatchingStrategy can use
-        # this method to easily apply additional filters.
-        #
-        # Example:
-        #
-        #   class MatchingType < PrimaryKeyBatchingStrategy
-        #     def apply_additional_filters(relation, job_arguments:)
-        #       type = job_arguments.first
-        #
-        #       relation.where(type: type)
-        #     end
-        #   end
-        def apply_additional_filters(relation, job_arguments: [])
+        def apply_additional_filters(relation, job_arguments: [], job_class: nil)
+          if job_class.respond_to?(:batching_scope)
+            return job_class.batching_scope(relation, job_arguments: job_arguments)
+          end
+
           relation
         end
       end

lib/gitlab/database/background_migration/batched_job.rb

@@ -128,7 +128,8 @@ def split_and_retry!
               batched_migration.column_name,
               batch_min_value: min_value,
               batch_size: new_batch_size,
-              job_arguments: batched_migration.job_arguments
+              job_arguments: batched_migration.job_arguments,
+              job_class: batched_migration.job_class
             )
             midpoint = next_batch_bounds.last
 

lib/gitlab/database/background_migration/batched_migration_runner.rb

@@ -101,7 +101,8 @@ def find_next_batch_range(active_migration)
             active_migration.column_name,
             batch_min_value: batch_min_value,
             batch_size: active_migration.batch_size,
-            job_arguments: active_migration.job_arguments)
+            job_arguments: active_migration.job_arguments,
+            job_class: active_migration.job_class)
 
           return if next_batch_bounds.nil?
 

locale/gitlab.pot

@@ -33481,6 +33481,21 @@ msgstr ""
 msgid "SAML for %{group_name}"
 msgstr ""
+msgid "SAML|Selecting \"Authorize\" will transfer ownership of your GitLab account \"%{username}\" (%{email}) to your organization."
+msgstr ""
+
+msgid "SAML|Sign in to GitLab to connect your organization's account"
+msgstr ""
+
+msgid "SAML|The \"%{group_path}\" group allows you to sign in with your Single Sign-On Account."
+msgstr ""
+
+msgid "SAML|To access \"%{group_name}\" you must sign in with your Single Sign-On account, through an external sign-in page."
+msgstr ""
+
+msgid "SAML|Your organization's SSO has been connected to your GitLab account"
+msgstr ""
+
 msgid "SAST Configuration"
 msgstr ""
@@ -38180,9 +38195,6 @@ msgstr ""
 msgid "That's it, well done!"
 msgstr ""
-msgid "The \"%{group_path}\" group allows you to sign in with your Single Sign-On Account"
-msgstr ""
-
 msgid "The %{link_start}true-up model%{link_end} allows having more users, and additional users will incur a retroactive charge on renewal."
 msgstr ""
@@ -39653,9 +39665,6 @@ msgstr ""
 msgid "This will invalidate your registered applications and U2F devices."
 msgstr ""
-msgid "This will redirect you to an external sign in page."
-msgstr ""
-
 msgid "This will remove the fork relationship between this project and %{fork_source}."
 msgstr ""

qa/qa/page/merge_request/show.rb

@@ -318,11 +318,15 @@ def rebase!
         end
 
         def merge_immediately!
-          if has_element?(:merge_moment_dropdown)
-            click_element(:merge_moment_dropdown, skip_finished_loading_check: true)
-            click_element(:merge_immediately_menu_item, skip_finished_loading_check: true)
-          else
-            click_element(:merge_button, skip_finished_loading_check: true)
+          retry_until(reload: true, sleep_interval: 1, max_attempts: 12) do
+            if has_element?(:merge_moment_dropdown)
+              click_element(:merge_moment_dropdown, skip_finished_loading_check: true)
+              click_element(:merge_immediately_menu_item, skip_finished_loading_check: true)
+            else
+              click_element(:merge_button, skip_finished_loading_check: true)
+            end
+
+            merged?
           end
         end
 

qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_new_account_spec.rb

@@ -72,7 +72,7 @@ module QA
 
           Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
 
-          expect(page).to have_text("Login to a GitLab account to link with your SAML identity")
+          expect(page).to have_text("Sign in to GitLab to connect your organization's account")
 
           Flow::Saml.logout_from_idp(saml_idp_service)
 

qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb

@@ -39,7 +39,7 @@ module QA
             EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
             Flow::Saml.login_to_idp_if_required('user3', 'user3pass')
 
-            expect(page).to have_content("SAML for #{@group.path} was added to your connected accounts")
+            expect(page).to have_content("Your organization's SSO has been connected to your GitLab account")
 
             member_details = @group.list_members.find { |item| item['username'] == user.username }
 
@@ -58,7 +58,7 @@ module QA
 
           Flow::Saml.login_to_idp_if_required('user1', 'user1pass')
 
-          expect(page).to have_content("SAML for #{@group.path} was added to your connected accounts")
+          expect(page).to have_content("Your organization's SSO has been connected to your GitLab account")
 
           page.visit managed_group_url
 

spec/controllers/graphql_controller_spec.rb

@@ -27,6 +27,18 @@
       )
     end
 
+    it 'handles a timeout nicely' do
+      allow(subject).to receive(:execute) do
+        raise ActiveRecord::QueryCanceled, '**taps wristwatch**'
+      end
+
+      post :execute
+
+      expect(json_response).to include(
+        'errors' => include(a_hash_including('message' => /Request timed out/))
+      )
+    end
+
     it 'handles StandardError' do
       allow(subject).to receive(:execute) do
         raise StandardError, message