bmo sync - 2020-08-23 (#49)

* Bug 1646559 - Phabricator to BMO OAuth2 authentication fails to work properly due to CSP protections

* Bumped version to 20200624.1

* no bug - fix broken build script when no new commits to master since last prod deploy

* no bug - remove warning "Odd number of elements"

The callback jwt_claims is called in list context.
Without an explicit return, when the if (!...) does not match it will
return a single false item. This causes the "Odd number of elements..."
perl warning.

Adding a `return` will prevent the warning and is also probably the
intent of the code.

* Bug 1645768 - Please add 'See Also' support for GitLab

* no bug - Updated tasks.json to include some admin tasks

* no bug - Fix build data script to help find the Mozilla CA cert

* Bug 1651591 - remove preloading of fonts and ga; r=dkl

Font preloading has been broken for more than a year, and doesn't appear
to work correctly even when provided URLs which exist; removed.

google-analytics likely does little to improve page load time
performance against all the other assets, is loaded async, and exists
outside of the GoogleAnalytics making it easy to miss when updating that
extension (eg. the preloading doesn't honour DNT); also removed.

* Bug 1535000 - Allow anyone with edit-comments to edit any bug's comment 0

* Bug 1652863 - setting the needinfo flag when filing a new bug in Core or Toolkit does not cause the textbox for user information to pop up

* Bumped version 20200722.1

* Bug 1647642 - when commenting on patch or reviewing one, bugzilla clears other (review, ui-review) flags

* Bumped version to 20200723.1

* Bug 1643526 - Attachment comments don't render markdown, but their preview does

* Bug 1654456 - needinfo? request email enhancements (#1594)

* Start WIP PR

* Modify default need info text

* Fix breaking bugwords.t

* You have to fix all the instances of the word.

* Adding conditional for needinfo to reporter

* fix failing bugwords.t again

* Don't divert people with questions to bmo team

* don't repeat bug url

* fix terms.bug

* Remove 'to see question,' question is in email

* Keep the link to the bug

* move text into a conditional branch

* link to needinfo docs

* Bug 1654370 - Remove remaining code that references Firefox OS from BMO code base

* Bug 1655808: send users in guided bug flow to GitHub for Android and iOS bug reports (#1600)

* Move all the products to the product template

* Link mobile products to GitHub

* Better boilerplate text

* Fix failing terms test

* no bug - Use standard docker mysql for docker-compose instead of bmo-mysql

* no bug - Updated docker-compose.test.yml for mysql settings in CircleCI environment.

* Bumped version to 20200805.1

* Bug 1657542 - During recent bmo deployment, emails were delivered to a file instead of SES which caused interruption of email service

* Bug 1658622 - "product responsibilities" on editusers should include Triage Owner

* Bug 1588661 - Design for Webhooks

* Bug 1659177 - Replace mozillians.org with people.mozilla.org in Reps Mentorship Form

* Bug 1649841 - Include data-review? requests in notification count

* Bug 1658317 - Make scopes more descriptive and user friendly when authenticating to BMO using OAuth2

* Bug 1656609: Make <html> the scrolling element

* Bug 1657778 - Offer link to Bugzilla for filing security issues in Fenix and iOS

* no bug - Show Bounty Attachments to the Bug Reporter

This will allow most bug bounty recipients to view the amount of their bounty. It will not show it to reporters if we filed the bug for them, however those are less liekly to be repeat filers.

* Bug 1658846 - Allow users to enable and disable their webhooks

Co-authored-by: dklawren <dklawren@users.noreply.github.com>
Co-authored-by: byron jones <byron@glob.com.au>
Co-authored-by: Emma Humphries <emceeaich@users.noreply.github.com>
Co-authored-by: David Lawrence <dkl@mozilla.com>
Co-authored-by: Lisset Cuevas <lisset.cuevasj@gmail.com>
Co-authored-by: Michael Kohler <me@michaelkohler.info>
Co-authored-by: Tom Ritter <tom@ritter.vg>

Author: 7 people

.vscode/tasks.json

@@ -19,6 +19,20 @@
         "isDefault": true
       },
       "problemMatcher": []
-    }
+    },
+    {
+      "label": "Docker: Generate new cpanfile and cpanfile.snapshot",
+      "type": "shell",
+      "command": "docker build -t bmo-cpanfile -f Dockerfile.cpanfile . ; docker run -it -v $(pwd):/app/result bmo-cpanfile cp cpanfile cpanfile.snapshot /app/result",
+      "group": "none",
+      "problemMatcher": []
+    },
+    {
+      "label": "Docker: Generate mozillabteam/bmo-perl-slim image",
+      "type": "shell",
+      "command": "docker build -t mozillabteam/bmo-perl-slim:$(date +%Y%m%d.1) -f Dockerfile.bmo-slim .",
+      "group": "none",
+      "problemMatcher": []
+    },
   ]
 }

Bugzilla.pm

@@ -13,7 +13,7 @@ use warnings;
 
 use Bugzilla::Logging;
 
-our $VERSION = '20200603.1';
+our $VERSION = '20200805.1';
 
 use Bugzilla::Auth;
 use Bugzilla::Auth::Persist::Cookie;

Bugzilla/App/Plugin/OAuth2.pm

@@ -40,6 +40,7 @@ sub register {
     if (!$args->{user_id}) {
       return (user_id => Bugzilla->user->id);
     }
+    return;
   };
 
   $app->helper(
@@ -81,6 +82,7 @@ sub _resource_owner_confirm_scopes {
   my (%args) = @_;
   my ($c, $client_id, $scopes_ref)
     = @args{qw/ mojo_controller client_id scopes /};
+  my $dbh = Bugzilla->dbh;
 
   $c->bugzilla->login(LOGIN_REQUIRED) || return undef;
 
@@ -90,12 +92,18 @@ sub _resource_owner_confirm_scopes {
   # access last time, we check [again] with the user for access
   if (!defined $is_allowed) {
     my $client
-      = Bugzilla->dbh->selectrow_hashref(
-      'SELECT * FROM oauth2_client WHERE client_id = ?',
+      = $dbh->selectrow_hashref('SELECT * FROM oauth2_client WHERE client_id = ?',
       undef, $client_id);
+    my $scopes = $dbh->selectall_arrayref(
+      'SELECT * FROM oauth2_scope WHERE name IN ('
+        . join(',', map { $dbh->quote($_) } @{$scopes_ref}) . ')',
+      {Slice => {}}
+    );
+
+
     my $vars = {
       client => $client,
-      scopes => $scopes_ref,
+      scopes => $scopes,
       token  => scalar issue_session_token('oauth_confirm_scopes')
     };
     $c->stash(%{$vars});

Bugzilla/Attachment.pm

@@ -542,13 +542,20 @@ sub get_attachments_by_bug {
   my $dbh  = Bugzilla->dbh;
 
   # By default, private attachments are not accessible, unless the user
-  # is in the insider group or submitted the attachment.
+  # is in the insider group, submitted the attachment, or it's a bounty
+  # attachment and they reported the bug.
   my $and_restriction = '';
   my @values          = ($bug->id);
 
   unless ($user->is_insider) {
-    $and_restriction = 'AND (isprivate = 0 OR submitter_id = ?)';
+    $and_restriction = 'AND (isprivate = 0 OR submitter_id = ?';
     push(@values, $user->id);
+    if ($user->id == $bug->reporter->id) {
+      # Keep these conditions in sync with _attachment_is_bounty_attachment
+      # in extensions/BMO/Extension.pm
+      $and_restriction .= " OR (filename = 'bugbounty.data' AND mimetype = 'text/plain')";
+    }
+    $and_restriction .= ')';
   }
 
   # BMO - allow loading of just non-obsolete attachments

Bugzilla/BugUrl/GitLab.pm

@@ -20,9 +20,9 @@ use base qw(Bugzilla::BugUrl);
 sub should_handle {
   my ($class, $uri) = @_;
 
-# GitLab issue URLs can have the form:
-# https://gitlab.com/projectA/subprojectB/subprojectC/../issues/53
-  return ($uri->path =~ m!^/.*/issues/\d+$!) ? 1 : 0;
+  # GitLab issue and merge request URLs can have the form:
+  # https://gitlab.com/projectA/subprojectB/subprojectC/../(issues|merge_requests)/53
+  return ($uri->path =~ m!^/.*/(issues|merge_requests)/\d+$!) ? 1 : 0;
 }
 
 sub _check_value {

Bugzilla/CGI.pm

@@ -410,26 +410,6 @@ sub header {
 
   $self->{_header_done} = 1;
 
-  if (Bugzilla->usage_mode == USAGE_MODE_BROWSER) {
-    my @fonts = (
-      "skins/standard/fonts/FiraMono-Regular.woff2?v=3.202",
-      "skins/standard/fonts/FiraSans-Bold.woff2?v=4.203",
-      "skins/standard/fonts/FiraSans-Italic.woff2?v=4.203",
-      "skins/standard/fonts/FiraSans-Regular.woff2?v=4.203",
-      "skins/standard/fonts/FiraSans-SemiBold.woff2?v=4.203",
-      "skins/standard/fonts/MaterialIcons-Regular.woff2",
-    );
-    $headers{'-link'} = join(
-      ", ",
-      map {
-        sprintf('</static/v%s/%s>; rel="preload"; as="font"', Bugzilla->VERSION, $_)
-      } @fonts
-    );
-    if (Bugzilla->params->{google_analytics_tracking_id}) {
-      $headers{'-link'}
-        .= ', <https://www.google-analytics.com>; rel="preconnect"; crossorigin';
-    }
-  }
   my $headers = $self->SUPER::header(%headers) || '';
   if ($self->server_software eq 'Bugzilla::App::CGI') {
     my $c = $Bugzilla::App::CGI::C;

Bugzilla/Constants.pm

@@ -789,6 +789,11 @@ sub DEFAULT_CSP {
       'https://github.com/login';
   }
 
+  # This is for Mozilla Phabricator and authentication
+  if (Bugzilla->params->{phabricator_enabled}) {
+    push @{$policy{form_action}}, Bugzilla->params->{phabricator_base_uri};
+  }
+
   return %policy;
 }
 

Bugzilla/DB/Schema.pm

@@ -1851,7 +1851,12 @@ use constant ABSTRACT_SCHEMA => {
   oauth2_scope => {
     FIELDS => [
       id          => {TYPE => 'INTSERIAL',    NOTNULL => 1, PRIMARYKEY => 1},
-      description => {TYPE => 'varchar(255)', NOTNULL => 1},
+      name        => {TYPE => 'varchar(255)', NOTNULL => 1},
+      description => {TYPE => 'TINYTEXT',     NOTNULL => 1},
+    ],
+    INDEXES => [
+      oauth2_scope_idx =>
+        {FIELDS => ['name'], TYPE => 'UNIQUE'},
     ],
   },
 

Bugzilla/Install/DB.pm

@@ -4262,8 +4262,19 @@ sub _populate_oauth2_scopes {
 
   # if there are no scopes, then we're creating a database from scratch
   my ($scope_count) = $dbh->selectrow_array('SELECT COUNT(*) FROM oauth2_scope');
-  return if $scope_count;
-  $dbh->do("INSERT INTO oauth2_scope (id, description) VALUES (1, 'user:read')");
+    if (!$scope_count) {
+    $dbh->do(
+      "INSERT INTO oauth2_scope (id, name, description) VALUES " .
+      "(1, 'user:read', 'View basic account information such as email address.')"
+    );
+  }
+
+  # Bug 1658317 - dkl@mozilla - Update column names if this is an existing DB
+  if (!$dbh->bz_column_info('oauth2_scope', 'name')) {
+    $dbh->bz_rename_column("oauth2_scope", "description", "name");
+    $dbh->bz_add_column('oauth2_scope', 'description',
+      {TYPE => 'TINYTEXT', NOTNULL => 1, DEFAULT => "'Needs Description'"});
+  }
 }
 
 sub _add_oauth2_jwt_support {

Bugzilla/Test/Util.pm

@@ -59,7 +59,7 @@ sub create_oauth_client {
 
   foreach my $scope (@{$scopes}) {
     my $scope_id
-      = $dbh->selectrow_array('SELECT id FROM oauth2_scope WHERE description = ?',
+      = $dbh->selectrow_array('SELECT id FROM oauth2_scope WHERE name = ?',
       undef, $scope);
     if (!$scope_id) {
       die "Scope $scope not found";