Add latest changes from gitlab-org/gitlab@master

Author: GitLab Bot

app/assets/javascripts/notes/components/mr_discussion_filter.vue

@@ -11,7 +11,7 @@ import {
 import { mapActions, mapState } from 'vuex';
 import { InternalEvents } from '~/tracking';
 import LocalStorageSync from '~/vue_shared/components/local_storage_sync.vue';
-import { __ } from '~/locale';
+import { sprintf, __ } from '~/locale';
 import { SORT_DIRECTION_UI } from '~/search/sort/constants';
 import {
   MR_FILTER_OPTIONS,
@@ -63,7 +63,10 @@ export default {
         return __('All activity');
       }
       if (length > 1) {
-        return `%{strongStart}${firstSelected.text}%{strongEnd} +${length - 1} more`;
+        return sprintf(__('%{strongStart}%{firstSelected}%{strongEnd} +%{length} more'), {
+          firstSelected: firstSelected.text,
+          length: length - 1,
+        });
       }
 
       return firstSelected.text;

app/assets/javascripts/work_items/components/work_item_description.vue

@@ -46,11 +46,9 @@ export default {
   },
   mixins: [Tracking.mixin(), glFeatureFlagMixin()],
   provide: {
-    editorAiActions() {
-      return window.gon?.licensed_features?.generateDescription
-        ? [generateDescriptionAction()]
-        : [];
-    },
+    editorAiActions: window.gon?.licensed_features?.generateDescription
+      ? [generateDescriptionAction()]
+      : [],
   },
   inject: ['isGroup'],
   props: {

app/helpers/application_settings_helper.rb

@@ -400,6 +400,7 @@ def visible_attributes
       :restricted_visibility_levels,
       :rsa_key_restriction,
       :session_expire_delay,
+      :session_expire_from_init,
       :shared_runners_enabled,
       :shared_runners_text,
       :sign_in_restrictions,

app/helpers/releases_helper.rb

@@ -93,7 +93,6 @@ def deployments_for_release
     commit = project.repository.commit(@release.tag)
 
     deployments.map do |deployment|
-      user = deployment.deployable&.user
       environment = deployment.environment
 
       {
@@ -114,19 +113,24 @@ def deployments_for_release
           title: commit.title
         },
 
-        triggerer: if user
-                     {
-                       name: user.name,
-                       web_url: user_url(user),
-                       avatar_url: user.avatar_url
-                     }
-                   end,
+        triggerer: triggerer_data(deployment),
 
         created_at: deployment.created_at,
         finished_at: deployment.finished_at
       }
     end
   end
+
+  def triggerer_data(deployment)
+    user = deployment.deployable&.user
+    return unless user
+
+    {
+      name: user.name,
+      web_url: user_url(user),
+      avatar_url: user.avatar_url
+    }
+  end
 end
 
 ReleasesHelper.prepend_mod_with('ReleasesHelper')

app/helpers/sessions_helper.rb

@@ -13,7 +13,11 @@ def obfuscated_email(email)
   end
 
   def remember_me_enabled?
-    Gitlab::CurrentSettings.remember_me_enabled?
+    Gitlab::CurrentSettings.remember_me_enabled? &&
+      (
+        Feature.enabled?(:session_expire_from_init, :instance) &&
+          !Gitlab::CurrentSettings.session_expire_from_init
+      )
   end
 
   def unconfirmed_verification_email?(user)

app/models/active_session.rb

@@ -76,7 +76,8 @@ def self.set(user, request)
       session_private_id = request.session.id.private_id
       client = Gitlab::SafeDeviceDetector.new(request.user_agent)
       timestamp = Time.current
-      expiry = Settings.gitlab['session_expire_delay'] * 60
+      key = key_name(user.id, session_private_id)
+      expiry = expiry_time(key)
 
       active_user_session = new(
         ip_address: request.remote_ip,
@@ -94,7 +95,7 @@ def self.set(user, request)
       Gitlab::Instrumentation::RedisClusterValidator.allow_cross_slot_commands do
         redis.pipelined do |pipeline|
           pipeline.setex(
-            key_name(user.id, session_private_id),
+            key,
             expiry,
             active_user_session.dump
           )
@@ -169,6 +170,26 @@ def self.destroy_all_but_current(user, current_rack_session)
     "#{Gitlab::Redis::Sessions::SESSION_NAMESPACE}:#{session_id}"
   end
 
+  def self.expiry_time(key)
+    # initialize to defaults
+    ttl = Settings.gitlab['session_expire_delay'] * 60
+
+    return ttl unless Feature.enabled?(:session_expire_from_init, :instance) &&
+      Gitlab::CurrentSettings.session_expire_from_init
+
+    # If we're initializing a session, there won't already be a session
+    # Only use current session TTL if we have expire session from init enabled
+    Gitlab::Redis::Sessions.with do |redis|
+      # redis returns -2 if the key doesn't exist, -1 if no TTL
+      ttl_expire = redis.ttl(key)
+
+      # for new sessions, return default ttl, otherwise, keep same ttl
+      ttl = ttl_expire if ttl_expire > -1
+    end
+
+    ttl
+  end
+
   def self.key_name(user_id, session_id = '*')
     "#{Gitlab::Redis::Sessions::USER_SESSIONS_NAMESPACE}::v2:#{user_id}:#{session_id}"
   end

app/models/application_setting.rb

@@ -700,7 +700,8 @@ def self.kroki_formats_attributes
 
   jsonb_accessor :sign_in_restrictions,
     disable_password_authentication_for_users_with_sso_identities: [:boolean, { default: false }],
-    root_moved_permanently_redirection: [:boolean, { default: false }]
+    root_moved_permanently_redirection: [:boolean, { default: false }],
+    session_expire_from_init: [:boolean, { default: false }]
 
   validates :sign_in_restrictions, json_schema: { filename: 'application_setting_sign_in_restrictions' }
 

app/models/application_setting_implementation.rb

@@ -180,6 +180,7 @@ def defaults # rubocop:disable Metrics/AbcSize
         restricted_visibility_levels: Settings.gitlab['restricted_visibility_levels'],
         rsa_key_restriction: default_min_key_size(:rsa),
         session_expire_delay: Settings.gitlab['session_expire_delay'],
+        session_expire_from_init: false,
         shared_runners_enabled: Settings.gitlab_ci['shared_runners_enabled'],
         shared_runners_text: nil,
         sidekiq_job_limiter_mode: Gitlab::SidekiqMiddleware::SizeLimiter::Validator::COMPRESS_MODE,

app/models/vulnerability.rb

@@ -6,8 +6,6 @@ class Vulnerability < Gitlab::Database::SecApplicationRecord
   include AfterCommitQueue
   include IgnorableColumns
 
-  ignore_column :confidence, :confidence_overridden, remove_after: '2025-01-19', remove_with: '17.9'
-
   alias_attribute :vulnerability_id, :id
 
   scope :with_projects, -> { preload(:project) }

app/validators/json_schemas/application_setting_sign_in_restrictions.json

@@ -11,6 +11,10 @@
     "root_moved_permanently_redirection": {
       "type": "boolean",
       "description": "When enabled, it will send 301 Moved Permanently instead of 302 if you want web crawlers to index a different site such as the Home Page URL."
+    },
+    "session_expire_from_init": {
+      "type": "boolean",
+      "description": "When enabled, sessions will expire a specific time after creation even if the session is active. Sessions cannot be extended."
     }
   }
 }

app/views/admin/application_settings/_account_and_limit.html.haml

@@ -19,9 +19,14 @@
       = f.label :receive_max_input_size, _('Maximum push size (MiB)'), class: 'label-light'
       = f.number_field :receive_max_input_size, class: 'form-control gl-form-input', title: _('Maximum size limit for a single commit.'), data: { toggle: 'tooltip', container: 'body', testid: 'receive-max-input-size-field' }
     .form-group
-      = f.label :session_expire_delay, _('Session duration (minutes)'), class: 'label-light'
-      = f.number_field :session_expire_delay, class: 'form-control gl-form-input', title: _('Maximum duration of a session.'), data: { toggle: 'tooltip', container: 'body' }
-      %span.form-text.gl-text-subtle#session_expire_delay_help_block= _('Restart GitLab to apply changes.')
+      = f.label :session_expire_delay, s_('Settings|Session timeout duration'), class: 'label-light'
+      = f.number_field :session_expire_delay, class: 'form-control gl-form-input', title: _('Maximum duration of a session. Restart GitLab to apply changes.'), data: { toggle: 'tooltip', container: 'body' }
+      .form-text.gl-text-subtle= s_('Settings|Session duration, in minutes. Restart GitLab to apply changes.')
+    - if Feature.enabled?(:session_expire_from_init, :instance)
+      .form-group
+        = f.label :session_expire_from_init, s_('Settings|Session settings')
+        = f.gitlab_ui_radio_component :session_expire_from_init, false, s_('Settings|Expire from time of last session activity')
+        = f.gitlab_ui_radio_component :session_expire_from_init, true, s_('Settings|Expire from time of session creation')
     .form-group
       = f.label :remember_me_enabled, _('Remember me'), class: 'label-light'
       - remember_me_help_link = help_page_path('user/profile/_index.md', anchor: 'stay-signed-in-for-two-weeks')

config/feature_flags/beta/session_expire_from_init.yml

@@ -0,0 +1,9 @@
+---
+name: session_expire_from_init
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/395038
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183472
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/471679
+milestone: '17.11'
+group: group::authentication
+type: beta
+default_enabled: false

config/initializers/1_settings.rb

@@ -231,6 +231,7 @@
 Settings.gitlab['graphql_timeout'] ||= 30
 Settings.gitlab['max_attachment_size'] ||= 100
 Settings.gitlab['session_expire_delay'] ||= 10080
+Settings.gitlab['session_expire_from_init'] ||= false
 Settings.gitlab['unauthenticated_session_expire_delay'] ||= 2.hours.to_i
 Settings.gitlab.default_projects_features['issues']             = true if Settings.gitlab.default_projects_features['issues'].nil?
 Settings.gitlab.default_projects_features['merge_requests']     = true if Settings.gitlab.default_projects_features['merge_requests'].nil?

db/migrate/20250319141850_add_organization_id_to_merge_request_diff_commit_users.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class AddOrganizationIdToMergeRequestDiffCommitUsers < Gitlab::Database::Migration[2.2]
+  milestone '17.11'
+
+  def change
+    add_column :merge_request_diff_commit_users, :organization_id, :bigint
+  end
+end

db/post_migrate/20250319152240_add_unique_index_on_org_id_name_email_to_merge_request_diff_commit_users.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AddUniqueIndexOnOrgIdNameEmailToMergeRequestDiffCommitUsers < Gitlab::Database::Migration[2.2]
+  milestone '17.11'
+  disable_ddl_transaction!
+
+  TABLE_NAME = :merge_request_diff_commit_users
+  INDEX_NAME = 'index_merge_request_diff_commit_users_on_org_id_name_email'
+
+  def up
+    add_concurrent_index TABLE_NAME, %w[organization_id name email], unique: true, name: INDEX_NAME
+  end
+
+  def down
+    remove_concurrent_index_by_name TABLE_NAME, INDEX_NAME
+  end
+end

db/post_migrate/20250319152360_add_foreign_key_to_merge_request_diff_commit_users_organization_id.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AddForeignKeyToMergeRequestDiffCommitUsersOrganizationId < Gitlab::Database::Migration[2.2]
+  milestone '17.11'
+  disable_ddl_transaction!
+
+  def up
+    add_concurrent_foreign_key :merge_request_diff_commit_users, :organizations, column: :organization_id,
+      on_delete: :cascade
+  end
+
+  def down
+    with_lock_retries do
+      remove_foreign_key :merge_request_diff_commit_users, column: :organization_id
+    end
+  end
+end

db/schema_migrations/20250319141850

@@ -0,0 +1 @@
+59d9aa96e89873696dae1f3efb2eaac19874b6b136d35814a55c4317a8a23548

db/schema_migrations/20250319152240

@@ -0,0 +1 @@
+06d4bd31858f437880fe1165d5070fa66c9b954e6298e2c4d28117025057ccd6

db/schema_migrations/20250319152360

@@ -0,0 +1 @@
+dbc8263402fcc24ca1538bb1c74f7e24daae6c8e59f445110ed39b18b262ec2f

db/structure.sql

@@ -16907,6 +16907,7 @@ CREATE TABLE merge_request_diff_commit_users (
     id bigint NOT NULL,
     name text,
     email text,
+    organization_id bigint,
     CONSTRAINT check_147358fc42 CHECK ((char_length(name) <= 512)),
     CONSTRAINT check_f5fa206cf7 CHECK ((char_length(email) <= 512)),
     CONSTRAINT merge_request_diff_commit_users_name_or_email_existence CHECK (((COALESCE(name, ''::text) <> ''::text) OR (COALESCE(email, ''::text) <> ''::text)))
@@ -35425,6 +35426,8 @@ CREATE INDEX index_merge_request_context_commits_on_project_id ON merge_request_
 
 CREATE UNIQUE INDEX index_merge_request_diff_commit_users_on_name_and_email ON merge_request_diff_commit_users USING btree (name, email);
 
+CREATE UNIQUE INDEX index_merge_request_diff_commit_users_on_org_id_name_email ON merge_request_diff_commit_users USING btree (organization_id, name, email);
+
 CREATE INDEX index_merge_request_diff_commits_on_sha ON merge_request_diff_commits USING btree (sha);
 
 CREATE INDEX index_merge_request_diff_details_failed_verification ON merge_request_diff_details USING btree (verification_retry_at NULLS FIRST) WHERE (verification_state = 3);
@@ -42423,6 +42426,9 @@ ALTER TABLE ONLY observability_logs_issues_connections
 ALTER TABLE ONLY packages_package_files
     ADD CONSTRAINT fk_86f0f182f8 FOREIGN KEY (package_id) REFERENCES packages_packages(id) ON DELETE CASCADE;
 
+ALTER TABLE ONLY merge_request_diff_commit_users
+    ADD CONSTRAINT fk_87f203759e FOREIGN KEY (organization_id) REFERENCES organizations(id) ON DELETE CASCADE;
+
 ALTER TABLE ONLY packages_pypi_metadata
     ADD CONSTRAINT fk_884056a10f FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
 

doc/administration/settings/account_and_limit_settings.md

@@ -238,6 +238,35 @@ If [Remember me](#turn-remember-me-on-or-off) is enabled, users' sessions can re
 
 For details, see [cookies used for sign-in](../../user/profile/_index.md#cookies-used-for-sign-in).
 
+### Set sessions to expire from creation date
+
+{{< history >}}
+
+- [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/395038) in GitLab 17.11 with a [flag](../feature_flags.md) named `session_expire_from_init`. Disabled by default.
+
+{{< /history >}}
+
+{{< alert type="flag" >}}
+
+The availability of session expiry from creation dates is controlled by a feature flag.
+For more information, see the history.
+
+{{< /alert >}}
+
+By default, sessions expire a set amount of time after the session becomes inactive. Instead, you can configure sessions to expire a set amount of time after the session is created.
+
+When the session duration is met, the session ends and the user is signed out even if:
+
+- The user is still actively using the session.
+- The user selected [remember me](#turn-remember-me-on-or-off) during sign in.
+
+1. On the left sidebar, at the bottom, select **Admin Area**.
+1. Select **Settings > General**.
+1. Expand **Account and limit**.
+1. Select the **Expire session from creation date** checkbox.
+
+After a session ends, a window prompts the user to sign in again.
+
 ### Turn **Remember me** on or off
 
 {{< history >}}

doc/api/settings.md

@@ -679,6 +679,7 @@ to configure other related settings. These requirements are
 | `restricted_visibility_levels`           | array of strings | no                                   | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction.[Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot select levels that are set as `default_project_visibility` and `default_group_visibility`. |
 | `rsa_key_restriction`                    | integer          | no                                   | The minimum allowed bit length of an uploaded RSA key. Default is `0` (no restriction). `-1` disables RSA keys. |
 | `session_expire_delay`                   | integer          | no                                   | Session duration in minutes. GitLab restart is required to apply changes. |
+| `session_expire_from_init`               | boolean          | no                                   | If `true`, sessions expire a number of minutes after the session was created rather than after the last activity. This lifetime of a session is defined by `session_expire_delay`. |
 | `security_policy_global_group_approvers_enabled` | boolean  | no                                   | Whether to look up merge request approval policy approval groups globally or within project hierarchies. |
 | `security_approval_policies_limit`       | integer          | no                                   | Maximum number of active merge request approval policies per security policy project. Default: 5. Maximum: 20 |
 | `security_txt_content`                    | string          | no                                   | [Public security contact information](../administration/settings/security_contact_information.md). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/433210) in GitLab 16.7. |

doc/development/cells/application_settings_analysis.md

@@ -14,12 +14,12 @@ title: Application Settings analysis
 
 ## Statistics
 
-- Number of attributes: 492
+- Number of attributes: 493
 - Number of encrypted attributes: 41 (8.0%)
-- Number of attributes documented: 298 (61.0%)
+- Number of attributes documented: 298 (60.0%)
 - Number of attributes on GitLab.com different from the defaults: 222 (45.0%)
-- Number of attributes with `clusterwide` set: 492 (100.0%)
-- Number of attributes with `clusterwide: true` set: 123 (25.0%)
+- Number of attributes with `clusterwide` set: 493 (100.0%)
+- Number of attributes with `clusterwide: true` set: 124 (25.0%)
 
 ## Individual columns
 

doc/development/sec/analyzer_development_guide.md

@@ -429,7 +429,7 @@ Verify whether the underlying tool has:
 #### Dockerfile
 
 The `Dockerfile` should use an unprivileged user with the name `GitLab`.
-This is necessary is to provide compatibility with Red Hat OpenShift instances,
+This is necessary to provide compatibility with Red Hat OpenShift instances,
 which don't allow containers to run as an admin (root) user.
 There are certain limitations to keep in mind when running a container as an unprivileged user,
 such as the fact that any files that need to be written on the Docker filesystem will require the appropriate permissions for the `GitLab` user.

doc/user/workspace/_index.md

@@ -139,7 +139,7 @@ components:
     attributes:
       gl/inject-editor: true
     container:
-      image: "registry.gitlab.com/gitlab-org/gitlab-build-images/workspaces/ubuntu-24.04:20250303043223-golang-1.23-docker-27.5.1@sha256:98f36ddf5d7ac53d95a270f5791ab7f50132a4cc87676e22f4f632678d8e15e1"
+      image: "registry.gitlab.com/gitlab-org/gitlab-build-images/workspaces/ubuntu-24.04:20250321073701-golang-1.23-node-23.9-yarn-1.22-ruby-3.4.2-rust-1.85-docker-27.5.1@sha256:a059826e65f0bc0ee2f3fdfd62f16a108c5b99b24b4656734cd6b8f4631389ad"
 ```
 
 A GitLab default devfile might not be suitable for all development environments configurations.

lib/api/settings.rb

@@ -166,6 +166,7 @@ def filter_attributes_using_license(attrs)
       end
       optional :restricted_visibility_levels, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Selected levels cannot be used by non-admin users for groups, projects or snippets. If the public level is restricted, user profiles are only visible to logged in users.'
       optional :session_expire_delay, type: Integer, desc: 'Session duration in minutes. GitLab restart is required to apply changes.'
+      optional :session_expire_from_init, type: Boolean, desc: 'Expires sessions based off the creation date rather than last activity'
       optional :shared_runners_enabled, type: Boolean, desc: 'Enable shared runners for new projects'
       given shared_runners_enabled: ->(val) { val } do
         requires :shared_runners_text, type: String, desc: 'Shared runners text '