authorGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 16:00:37 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-10-30 16:00:40 +0300
commitfce23e13968a87a1e2de96a6e945166c372736f4 (patch)
treee30bcd8dc2df7c37af6bf3b2d6f8b8a68bacb4c7
parente11efedcfcd80b2d55a1bdd17b317cef82ce0a0e (diff)
Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee
-rw-r--r--app/helpers/version_check_helper.rb4
-rw-r--r--doc/ci/examples/authenticating-with-hashicorp-vault/index.md52
-rw-r--r--doc/ci/secrets/id_token_authentication.md52
-rw-r--r--lib/gitlab/ci/jwt.rb3
-rw-r--r--spec/helpers/version_check_helper_spec.rb52
-rw-r--r--spec/lib/gitlab/ci/jwt_spec.rb19
6 files changed, 106 insertions, 76 deletions
diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 45a4b292eb5..895155e00d1 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -10,12 +10,14 @@ module VersionCheckHelper
end
def gitlab_version_check
+ return unless show_version_check?
+
VersionCheck.new.response
end
strong_memoize_attr :gitlab_version_check
def show_security_patch_upgrade_alert?
- return false unless show_version_check? && gitlab_version_check
+ return false unless gitlab_version_check
Gitlab::Utils.to_boolean(gitlab_version_check['critical_vulnerability'])
end
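Review bot: Moving the `show_version_check?` guard into `gitlab_version_check` means every caller of that memoized helper now receives `nil` instead of a `VersionCheck` response when the check is not permitted, but only `show_security_patch_upgrade_alert?` is adjusted in this hunk; any other caller of `gitlab_version_check` outside it needs the same nil handling. Because the method is `strong_memoize_attr`'d, the `nil` is presumably memoized too, so a later call on the same helper instance will not re-evaluate `show_version_check?` — acceptable for a per-request helper, but the new contract should be stated. I would add above the method: `# Returns the VersionCheck response, or nil when the current user may not see version-check data (show_version_check?).` The enclosing module continues outside the hunk.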
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index 5f969472aad..f494ff6dffb 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -33,31 +33,32 @@ ID tokens are JSON Web Tokens (JWTs) used for OIDC authentication with third-par
The following fields are included in the JWT:
-| Field | When | Description |
-|-------------------------|------------------------------|-------------|
-| `jti` | Always | Unique identifier for this token |
-| `iss` | Always | Issuer, the domain of your GitLab instance |
-| `iat` | Always | Issued at |
-| `nbf` | Always | Not valid before |
-| `exp` | Always | Expires at |
-| `sub` | Always | Subject (job ID) |
-| `namespace_id` | Always | Use this to scope to group or user level namespace by ID |
-| `namespace_path` | Always | Use this to scope to group or user level namespace by path |
-| `project_id` | Always | Use this to scope to project by ID |
-| `project_path` | Always | Use this to scope to project by path |
-| `user_id` | Always | ID of the user executing the job |
-| `user_login` | Always | Username of the user executing the job |
-| `user_email` | Always | Email of the user executing the job |
-| `pipeline_id` | Always | ID of this pipeline |
-| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) |
-| `job_id` | Always | ID of this job |
-| `ref` | Always | Git ref for this job |
-| `ref_type` | Always | Git ref type, either `branch` or `tag` |
-| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
-| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
-| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
-| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| Field | When | Description |
+|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `jti` | Always | Unique identifier for this token |
+| `iss` | Always | Issuer, the domain of your GitLab instance |
+| `iat` | Always | Issued at |
+| `nbf` | Always | Not valid before |
+| `exp` | Always | Expires at |
+| `sub` | Always | Subject (job ID) |
+| `namespace_id` | Always | Use this to scope to group or user level namespace by ID |
+| `namespace_path` | Always | Use this to scope to group or user level namespace by path |
+| `project_id` | Always | Use this to scope to project by ID |
+| `project_path` | Always | Use this to scope to project by path |
+| `user_id` | Always | ID of the user executing the job |
+| `user_login` | Always | Username of the user executing the job |
+| `user_email` | Always | Email of the user executing the job |
+| `pipeline_id` | Always | ID of this pipeline |
+| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) |
+| `job_id` | Always | ID of this job |
+| `ref` | Always | Git ref for this job |
+| `ref_type` | Always | Git ref type, either `branch` or `tag` |
+| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
+| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
+| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
+| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) |
+| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
Example JWT payload:
@@ -84,7 +85,8 @@ Example JWT payload:
"ref_path": "refs/heads/auto-deploy-2020-04-01",
"ref_protected": "true",
"environment": "production",
- "environment_protected": "true"
+ "environment_protected": "true",
+ "environment_action": "start"
}
```
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 62429a160d4..325972e06c2 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -51,32 +51,33 @@ The following standard claims are included in each ID token:
The token also includes custom claims provided by GitLab:
-| Field | When | Description |
-|-------------------------|------------------------------|-------------|
-| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. |
-| `namespace_path` | Always | Use this to scope to group or user level namespace by path. |
-| `project_id` | Always | Use this to scope to project by ID. |
-| `project_path` | Always | Use this to scope to project by path. |
-| `user_id` | Always | ID of the user executing the job. |
-| `user_login` | Always | Username of the user executing the job. |
-| `user_email` | Always | Email of the user executing the job. |
-| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). |
-| `pipeline_id` | Always | ID of the pipeline. |
-| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). |
-| `job_id` | Always | ID of the job. |
-| `ref` | Always | Git ref for the job. |
-| `ref_type` | Always | Git ref type, either `branch` or `tag`. |
-| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
-| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
-| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
-| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
-| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. |
-| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
-| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
-| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
+| Field | When | Description |
+|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. |
+| `namespace_path` | Always | Use this to scope to group or user level namespace by path. |
+| `project_id` | Always | Use this to scope to project by ID. |
+| `project_path` | Always | Use this to scope to project by path. |
+| `user_id` | Always | ID of the user executing the job. |
+| `user_login` | Always | Username of the user executing the job. |
+| `user_email` | Always | Email of the user executing the job. |
+| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). |
+| `pipeline_id` | Always | ID of the pipeline. |
+| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). |
+| `job_id` | Always | ID of the job. |
+| `ref` | Always | Git ref for the job. |
+| `ref_type` | Always | Git ref type, either `branch` or `tag`. |
+| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
+| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
+| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
+| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
+| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. |
+| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
+| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
+| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
+| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
| `ci_config_ref_uri` | Always | The ref path to the top-level pipeline definition, for example, `gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
-| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
-| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
+| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
+| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
```json
{
@@ -101,6 +102,7 @@ The token also includes custom claims provided by GitLab:
"environment": "test-environment2",
"environment_protected": "false",
"deployment_tier": "testing",
+ "environment_action": "start",
"runner_id": 1,
"runner_environment": "self-hosted",
"sha": "714a629c0b401fdce83e847fc9589983fc6f46bc",
diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 4ba7b4cc6e1..3d63ec6dfb7 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -71,7 +71,8 @@ module Gitlab
fields.merge!(
environment: environment.name,
environment_protected: environment_protected?.to_s,
- deployment_tier: build.environment_tier
+ deployment_tier: build.environment_tier,
+ environment_action: build.environment_action
)
end
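Review bot: The new `environment_action` claim is emitted as whatever `build.environment_action` returns, whereas the neighbouring `environment_protected` value is explicitly stringified; if `build.environment_action` can be nil or a symbol for a job whose `environment:` has no explicit `action`, the claim's shape would differ from the string the docs in this commit describe, so its return type should be confirmed (or normalised with `.to_s` only if nil is impossible there). The spec changes in this commit show the value follows `build.options[:environment][:action]`, i.e. it appears to be taken from the job's own pipeline configuration, so token verifiers should treat it like `environment` rather than as a server-asserted property of the environment record. A one-line comment would make that origin explicit for the next reader: `# environment_action mirrors the job's environment:action keyword (job-supplied, like environment)`. The `merge!` sits inside a method whose definition starts outside the hunk.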
diff --git a/spec/helpers/version_check_helper_spec.rb b/spec/helpers/version_check_helper_spec.rb
index ce5aade2b1c..9c697dbe21e 100644
--- a/spec/helpers/version_check_helper_spec.rb
+++ b/spec/helpers/version_check_helper_spec.rb
@@ -38,43 +38,49 @@ RSpec.describe VersionCheckHelper do
end
describe '#gitlab_version_check' do
+ let(:show_version_check) { false }
+
before do
- allow_next_instance_of(VersionCheck) do |instance|
- allow(instance).to receive(:response).and_return({ "severity" => "success" })
- end
+ allow(helper).to receive(:show_version_check?).and_return(show_version_check)
end
- it 'returns an instance of the VersionCheck class' do
- expect(helper.gitlab_version_check).to eq({ "severity" => "success" })
+ it 'when show_version_check? is false it returns nil' do
+ expect(helper.gitlab_version_check).to be nil
+ end
+
+ context 'when show_version_check? is true' do
+ let(:show_version_check) { true }
+
+ before do
+ allow_next_instance_of(VersionCheck) do |instance|
+ allow(instance).to receive(:response).and_return({ "severity" => "success" })
+ end
+ end
+
+ it 'returns an instance of the VersionCheck class if the user has access' do
+ expect(helper.gitlab_version_check).to eq({ "severity" => "success" })
+ end
end
end
describe '#show_security_patch_upgrade_alert?' do
describe 'return conditions' do
- where(:show_version_check, :gitlab_version_check, :result) do
+ where(:gitlab_version_check, :result) do
[
- [false, nil, false],
- [false, { "severity" => "success" }, false],
- [false, { "severity" => "danger" }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => 'some text' }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => 'false' }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => false }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => 'true' }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => true }, false],
- [true, nil, false],
- [true, { "severity" => "success" }, nil],
- [true, { "severity" => "danger" }, nil],
- [true, { "severity" => "danger", "critical_vulnerability" => 'some text' }, nil],
- [true, { "severity" => "danger", "critical_vulnerability" => 'false' }, false],
- [true, { "severity" => "danger", "critical_vulnerability" => false }, false],
- [true, { "severity" => "danger", "critical_vulnerability" => 'true' }, true],
- [true, { "severity" => "danger", "critical_vulnerability" => true }, true]
+ [nil, false],
+ [{}, nil],
+ [{ "severity" => "success" }, nil],
+ [{ "severity" => "danger" }, nil],
+ [{ "severity" => "danger", "critical_vulnerability" => 'some text' }, nil],
+ [{ "severity" => "danger", "critical_vulnerability" => 'false' }, false],
+ [{ "severity" => "danger", "critical_vulnerability" => false }, false],
+ [{ "severity" => "danger", "critical_vulnerability" => 'true' }, true],
+ [{ "severity" => "danger", "critical_vulnerability" => true }, true]
]
end
with_them do
before do
- allow(helper).to receive(:show_version_check?).and_return(show_version_check)
allow(helper).to receive(:gitlab_version_check).and_return(gitlab_version_check)
end
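Review bot: The new 'when show_version_check? is false' example only asserts that `gitlab_version_check` returns nil; it does not verify the property the helper change is meant to enforce, namely that `VersionCheck` is never instantiated (and no version-check response fetched) for a caller who may not see it. Adding `expect(VersionCheck).not_to receive(:new)` to that example pins that behaviour instead of leaving it implied by the stubbed `show_version_check?`. As a point of style, the example name reads like a context; `it 'returns nil'` nested under `context 'when show_version_check? is false'` would mirror the sibling `context 'when show_version_check? is true'` added just below it. The describe blocks continue outside the hunk.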
diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb
index a6de5b9879c..f0b203961b4 100644
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -49,6 +49,7 @@ RSpec.describe Gitlab::Ci::Jwt do
expect(payload[:environment]).to be_nil
expect(payload[:environment_protected]).to be_nil
expect(payload[:deployment_tier]).to be_nil
+ expect(payload[:environment_action]).to be_nil
end
end
@@ -109,7 +110,10 @@ RSpec.describe Gitlab::Ci::Jwt do
project: project,
user: user,
pipeline: pipeline,
- environment: environment.name
+ environment: {
+ name: environment.name,
+ action: 'start'
+ }
)
end
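Review bot: Replacing `environment: environment.name` with a hash that always sets `action: 'start'` means the fixture no longer exercises a job whose `environment:` has no explicit action, which is the common configuration; the `describe 'environment_action'` block added later in this file only covers an explicit `'prepare'`. Since the claim is now documented as present whenever the job specifies an environment, I would add a context with `environment: { name: environment.name }` (no `action` key) asserting the value `payload[:environment_action]` takes in that case, so the default is pinned rather than assumed. The `let`/factory call this hash belongs to starts outside the hunk.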
@@ -121,6 +125,7 @@ RSpec.describe Gitlab::Ci::Jwt do
expect(payload[:environment]).to eq('production')
expect(payload[:environment_protected]).to eq('false')
expect(payload[:deployment_tier]).to eq('production')
+ expect(payload[:environment_action]).to eq('start')
end
describe 'deployment_tier' do
@@ -134,6 +139,18 @@ RSpec.describe Gitlab::Ci::Jwt do
end
end
end
+
+ describe 'environment_action' do
+ context 'when build options specifies a different environment_action' do
+ before do
+ build.options[:environment] = { name: environment.name, action: 'prepare' }
+ end
+
+ it 'uses environment_action from build options' do
+ expect(payload[:environment_action]).to eq('prepare')
+ end
+ end
+ end
end
end