GitLab

This reverts commit a5378665.

This update has two important fixes:

1. It reverts the monkey patch introduced in
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/23385 since
https://github.com/rack/rack/pull/1201 is now part of the release.

2. Preserve forwarded IP address for trusted proxy chains
(https://github.com/rack/rack/pull/1343).

This fixes a number of issues as described in
https://weblog.rubyonrails.org/releases/.

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/58963

Add `GetArchiveRequest` to git-archive params.

Modifies `Git::Repository#archive_metadata` to append `path`
to `ArchivePrefix` so it'll not hit the cache of repository archive
when it already exists.

The new version requires `python3` to be available. In omnibus
installation this is already a reality as we are currently pathing
previous `gitlab-markup` version to use `python3` instead of `python2`.

We are now requiring `python3` with the gem without having to patch it.

As a consequence to also make it easy to use it in development, we've
introduced a `Pipfile` and `Pipfile.lock`, working similarly to
`Gemfile` and `Gemfile.lock`, and added documentation on how to use
them.

- Also remove boostrap 4 migration adapter

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

This version bump makes things consistent between Gitaly and
fixes a significant number of bugs:
https://github.com/libgit2/libgit2/releases

This also decreases disk space of Omnibus builds by ~30 MB.

There is also a workaround for
https://github.com/libgit2/rugged/issues/785. If Gitaly or another
process changes .gitconfig while Rugged has the file loaded,
Rugged::Repository#each_key will report stale values unless a lookup is
done first.

This bug only manifests in a spec because we are using both Gitaly and
Rugged at the same time there, and we normally don't use Rugged in the
CE/EE code in this way.

Signed-off-by: Rémy Coutable <remy@rymai.me>

Remove references to the vendored copies of At.js and jquery.carat
as well as the legacy rails wrapper gem.

This reverts merge request !17871

When `force` is set to `true` and `start_branch` is set, the
branch will be ovewritten with the new commit based on the
`HEAD` of the `start_branch`.

This commit includes changes to update the `gitaly-proto` gem.

We've previously exposed ca_file and ssl_version but there are many
possible options that can be used inside tls_options. Instead of
exposing individual ones, simply expose the entire hash so it can
be passed in and we won't have to add things in the future.

1.4.1 contains a number of bug fixes and performance improvements:
https://github.com/Shopify/bootsnap/blob/master/CHANGELOG.md

Fixes issue with AWS V4 signatures not working with Ceph S3:
https://github.com/fog/fog-aws/issues/462

Adds the ground work for writing into
the merge ref refs/merge-requests/:iid/merge the
merge result between source and target branches of
a MR, without further side-effects such as
mailing, MR updates and target branch changes.

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Webmock 3.5.0 brings Ruby 2.6 support.

Unicorn 5.3.1 fixes a GC issue that causes a crash, and Unicorn 5.4.1
quiets some warnings for Ruby 2.6. More details:

https://github.com/defunkt/unicorn/releases

This release fixes a bug in handling certain ed25519 keys. For more
details, see this GitHub issue:

https://github.com/bensie/sshkey/issues/34

Upgrade gitaly-proto to 1.10.0 to have this field.

This engine was replaced with CommonMarker in 11.4, it was deprecated
since then.

In commit 6fa5fd85 the `require: false`
was removed to ensure the Gem was loaded at run time. Unfortunately, the
`require` necessary for the rubyzip Gem is "zip" and not "rubyzip". As a
result, Bundler would not require the Gem. This meant that we would
still run into constant errors when referring to `Zip::File`.

pages:deploy step was failing with the following error:

```
unitialized constant SafeZip::Extract::Zip
```

Since license_finder already pulls in rubyzip, we can make it
a required gem. We also use the scope operator to make the reference to
Zip::File explicit.

RubyZip allows us to perform strong validation of
expanded paths where we do extract file.

We introduce the following additional checks
to extract routines:

1. None of path components can be symlinked,
2. We drop privileges support for directories,
3. Symlink source needs to point within the target directory,
   like `public/`,
4. The symlink source needs to exist ahead of time.

v2.1.0 was published wrongly by the package author.

In commit 6fa5fd85 the `require: false`
was removed to ensure the Gem was loaded at run time. Unfortunately, the
`require` necessary for the rubyzip Gem is "zip" and not "rubyzip". As a
result, Bundler would not require the Gem. This meant that we would
still run into constant errors when referring to `Zip::File`.

pages:deploy step was failing with the following error:

```
unitialized constant SafeZip::Extract::Zip
```

Since license_finder already pulls in rubyzip, we can make it
a required gem. We also use the scope operator to make the reference to
Zip::File explicit.

http_max_redirects was introduced in 4.2.2, so upgrade kubeclient.

The monkey-patch was global so we will have to check that all instances
of Kubeclient::Client are handled.

Spec all methods of KubeClient

This should provide better confidence that we are indeed disallowing
redirection in all cases

RubyZip allows us to perform strong validation of
expanded paths where we do extract file.

We introduce the following additional checks
to extract routines:

1. None of path components can be symlinked,
2. We drop privileges support for directories,
3. Symlink source needs to point within the target directory,
   like `public/`,
4. The symlink source needs to exist ahead of time.

This change will instantiate an OpenTracing tracer and configure it
as the global tracer when the GITLAB_TRACING environment variable is
configured. GITLAB_TRACING takes a "connection string"-like value,
encapsulating the driver (eg jaeger, etc) and options for the driver.

Since each service, whether it's written in Ruby or Golang, uses the
same connection-string, it should be very easy to configure all
services in a cluster, or even a single development machine to be
setup to use tracing.

Note that this change does not include instrumentation or propagation
changes as this is a way of breaking a previous larger change into
components. The instrumentation and propagation changes will follow
in separate changes.