diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-04-27 03:16:05 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-04-27 03:16:05 +0300 |
| commit | 417ef56d244c6c22016fda7c78e69071d14887c3 (patch) | |
| tree | f88c8de13f17687915402d61261b31d8b5b18c97 | |
| parent | 90e793301a277d8d88be2003c455bcbf9d007f7e (diff) | |
Add latest changes from gitlab-org/gitlab@master
39 files changed, 251 insertions, 118 deletions
diff --git a/.rubocop_todo/layout/argument_alignment.yml b/.rubocop_todo/layout/argument_alignment.yml index ec7edb2d33a..3f376505b09 100644 --- a/.rubocop_todo/layout/argument_alignment.yml +++ b/.rubocop_todo/layout/argument_alignment.yml @@ -2522,17 +2522,6 @@ Layout/ArgumentAlignment: - 'spec/support/shared_examples/observability/csp_shared_examples.rb' - 'spec/support/shared_examples/projects/container_repository/cleanup_tags_service_shared_examples.rb' - 'spec/support/shared_examples/quick_actions/issuable/max_issuable_examples.rb' - - 'spec/support/shared_examples/requests/api/discussions_shared_examples.rb' - - 'spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb' - - 'spec/support/shared_examples/requests/api/graphql/mutations/subscription_shared_examples.rb' - - 'spec/support/shared_examples/requests/api/graphql/projects/branch_protections/access_level_request_examples.rb' - - 'spec/support/shared_examples/requests/api/hooks_shared_examples.rb' - - 'spec/support/shared_examples/requests/api/notes_shared_examples.rb' - - 'spec/support/shared_examples/requests/api/packages_shared_examples.rb' - - 'spec/support/shared_examples/requests/api/resolvable_discussions_shared_examples.rb' - - 'spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb' - - 'spec/support/shared_examples/requests/graphql_shared_examples.rb' - - 'spec/support/shared_examples/requests/rack_attack_shared_examples.rb' - 'spec/support/shared_examples/views/pipeline_status_changes_email.rb' - 'spec/tasks/cache/clear/redis_spec.rb' - 'spec/tasks/gitlab/cleanup_rake_spec.rb' diff --git a/.rubocop_todo/search/namespaced_class.yml b/.rubocop_todo/search/namespaced_class.yml index 62d7945a2fd..f057e2b9552 100644 --- a/.rubocop_todo/search/namespaced_class.yml +++ b/.rubocop_todo/search/namespaced_class.yml @@ -118,6 +118,7 @@ Search/NamespacedClass: - 'ee/lib/elastic/latest/user_class_proxy.rb' - 'ee/lib/elastic/latest/user_config.rb' - 'ee/lib/elastic/latest/user_instance_proxy.rb' + - 'ee/lib/elastic/latest/wiki_config.rb' - 'ee/lib/elastic/metrics_update_service.rb' - 'ee/lib/elastic/migration.rb' - 'ee/lib/elastic/multi_version_class_proxy.rb' diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 4e14aa56be1..b23603b3330 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -715,6 +715,18 @@ class ApplicationSetting < MainClusterwide::ApplicationRecord attr_encrypted :product_analytics_clickhouse_connection_string, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) attr_encrypted :product_analytics_configurator_connection_string, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) attr_encrypted :openai_api_key, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + # TOFA API integration settngs + attr_encrypted :tofa_client_library_args, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_client_library_class, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_client_library_create_credentials_method, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_client_library_fetch_access_token_method, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_credentials, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_host, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_request_json_keys, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_request_payload, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_response_json_keys, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_url, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) + attr_encrypted :tofa_access_token_expires_in, encryption_options_base_32_aes_256_gcm.merge(encode: false, encode_iv: false) validates :disable_feed_token, inclusion: { in: [true, false], message: N_('must be a boolean value') } diff --git a/app/models/namespace.rb b/app/models/namespace.rb index b99c07056ed..f3da8856efb 100644 --- a/app/models/namespace.rb +++ b/app/models/namespace.rb @@ -36,12 +36,6 @@ class Namespace < ApplicationRecord SHARED_RUNNERS_SETTINGS = [SR_DISABLED_AND_UNOVERRIDABLE, SR_DISABLED_WITH_OVERRIDE, SR_DISABLED_AND_OVERRIDABLE, SR_ENABLED].freeze URL_MAX_LENGTH = 255 - # This date is just a placeholder until namespace storage enforcement timeline is confirmed at which point - # this should be replaced, see https://about.gitlab.com/pricing/faq-efficient-free-tier/#user-limits-on-gitlab-saas-free-tier - MIN_STORAGE_ENFORCEMENT_DATE = 3.months.from_now.to_date - # https://gitlab.com/gitlab-org/gitlab/-/issues/367531 - MIN_STORAGE_ENFORCEMENT_USAGE = 5.gigabytes - cache_markdown_field :description, pipeline: :description has_many :projects, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent @@ -587,12 +581,6 @@ class Namespace < ApplicationRecord Feature.enabled?(:block_issue_repositioning, self, type: :ops) end - def storage_enforcement_date - return Date.current if Feature.enabled?(:namespace_storage_limit_bypass_date_check, self) - - MIN_STORAGE_ENFORCEMENT_DATE - end - def certificate_based_clusters_enabled? cluster_enabled_granted? || certificate_based_clusters_enabled_ff? end diff --git a/app/models/users/callout.rb b/app/models/users/callout.rb index 70c31f0a8ec..1fb8519a865 100644 --- a/app/models/users/callout.rb +++ b/app/models/users/callout.rb @@ -43,10 +43,9 @@ module Users verification_reminder: 40, # EE-only ci_deprecation_warning_for_types_keyword: 41, security_training_feature_promotion: 42, # EE-only - storage_enforcement_banner_first_enforcement_threshold: 43, # EE-only - storage_enforcement_banner_second_enforcement_threshold: 44, # EE-only - storage_enforcement_banner_third_enforcement_threshold: 45, # EE-only - storage_enforcement_banner_fourth_enforcement_threshold: 46, # EE-only + namespace_storage_pre_enforcement_banner: 43, # EE-only + # 44, 45, 46 were unused and removed with https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118330, + # they can be replaced. # 47 and 48 were removed with https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95446 # 49 was removed with https://gitlab.com/gitlab-org/gitlab/-/merge_requests/91533 # because the banner was no longer relevant. diff --git a/app/models/users/group_callout.rb b/app/models/users/group_callout.rb index fe04800539c..601622b8c4c 100644 --- a/app/models/users/group_callout.rb +++ b/app/models/users/group_callout.rb @@ -11,10 +11,9 @@ module Users enum feature_name: { invite_members_banner: 1, approaching_seat_count_threshold: 2, # EE-only - storage_enforcement_banner_first_enforcement_threshold: 3, # EE-only - storage_enforcement_banner_second_enforcement_threshold: 4, # EE-only - storage_enforcement_banner_third_enforcement_threshold: 5, # EE-only - storage_enforcement_banner_fourth_enforcement_threshold: 6, # EE-only + namespace_storage_pre_enforcement_banner: 3, # EE-only + # 4,5,6 were unused and removed with https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118330, + # they can be replaced. preview_user_over_limit_free_plan_alert: 7, # EE-only user_reached_limit_free_plan_alert: 8, # EE-only free_group_limited_alert: 9, # EE-only diff --git a/app/models/users/project_callout.rb b/app/models/users/project_callout.rb index e7229abd147..6199c3697f7 100644 --- a/app/models/users/project_callout.rb +++ b/app/models/users/project_callout.rb @@ -12,10 +12,9 @@ module Users awaiting_members_banner: 1, # EE-only web_hook_disabled: 2, ultimate_feature_removal_banner: 3, - storage_enforcement_banner_first_enforcement_threshold: 4, # EE-only - storage_enforcement_banner_second_enforcement_threshold: 5, # EE-only - storage_enforcement_banner_third_enforcement_threshold: 6, # EE-only - storage_enforcement_banner_fourth_enforcement_threshold: 7, # EE-only + namespace_storage_pre_enforcement_banner: 4, # EE-only + # 5,6,7 were unused and removed with https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118330, + # they can be replaced. license_check_deprecation_alert: 8 # EE-only } diff --git a/app/workers/all_queues.yml b/app/workers/all_queues.yml index 387f817ac5e..446cba267ad 100644 --- a/app/workers/all_queues.yml +++ b/app/workers/all_queues.yml @@ -1245,6 +1245,15 @@ :weight: 1 :idempotent: false :tags: [] +- :name: github_importer:github_import_import_release_attachments + :worker_name: Gitlab::GithubImport::ImportReleaseAttachmentsWorker + :feature_category: :importers + :has_external_dependencies: true + :urgency: :low + :resource_boundary: :unknown + :weight: 1 + :idempotent: false + :tags: [] - :name: github_importer:github_import_pull_requests_import_review_request :worker_name: Gitlab::GithubImport::PullRequests::ImportReviewRequestWorker :feature_category: :importers diff --git a/app/workers/gitlab/github_import/import_release_attachments_worker.rb b/app/workers/gitlab/github_import/import_release_attachments_worker.rb new file mode 100644 index 00000000000..bf901f2f7b8 --- /dev/null +++ b/app/workers/gitlab/github_import/import_release_attachments_worker.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true + +# TODO: remove in 16.X milestone +# https://gitlab.com/gitlab-org/gitlab/-/issues/377059 +module Gitlab + module GithubImport + class ImportReleaseAttachmentsWorker # rubocop:disable Scalability/IdempotentWorker + include ObjectImporter + + def representation_class + Representation::NoteText + end + + def importer_class + Importer::NoteAttachmentsImporter + end + + def object_type + :release_attachment + end + end + end +end diff --git a/config/feature_flags/development/tofa_experimentation.yml b/config/feature_flags/development/tofa_experimentation.yml new file mode 100644 index 00000000000..b00f1679793 --- /dev/null +++ b/config/feature_flags/development/tofa_experimentation.yml @@ -0,0 +1,8 @@ +--- +name: tofa_experimentation +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/118754 +rollout_issue_url: +milestone: '16.0' +type: development +group: group::threat insights +default_enabled: false diff --git a/config/feature_flags/ops/search_index_curation_wikis.yml b/config/feature_flags/ops/search_index_curation_wikis.yml new file mode 100644 index 00000000000..67bbef665a5 --- /dev/null +++ b/config/feature_flags/ops/search_index_curation_wikis.yml @@ -0,0 +1,8 @@ +--- +name: search_index_curation_wikis +introduced_by_url: "https://gitlab.com/gitlab-org/gitlab/-/merge_requests/104423" +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/383093 +milestone: '16.0' +type: ops +group: group::global search +default_enabled: false diff --git a/data/whats_new/202304220001_15_11.yml b/data/whats_new/202304220001_15_11.yml index 190af784830..cda793f672c 100644 --- a/data/whats_new/202304220001_15_11.yml +++ b/data/whats_new/202304220001_15_11.yml @@ -8,7 +8,7 @@ gitlab-com: true available_in: [Premium, Ultimate] documentation_link: 'https://docs.gitlab.com/ee/user/project/repository/code_suggestions.html#code-suggestions-beta' - image_url: 'https://about.gitlab.com/images/15_11/DemoFastApi-lg.gif' + image_url: 'https://about.gitlab.com/images/15_11/code-suggestions-loop.gif' published_at: 2023-04-22 release: 15.11 - name: Manage project compliance frameworks report at group level @@ -36,7 +36,7 @@ gitlab-com: true available_in: [Free, Premium, Ultimate] documentation_link: 'https://docs.gitlab.com/ee/ci/pipelines/downstream_pipelines.html#recreate-a-downstream-pipeline' - image_url: 'https://www.youtube-nocookie.com/embed/xCqGWWRx-1E' + image_url: 'https://img.youtube.com/vi/xCqGWWRx-1E/hqdefault.jpg' published_at: 2023-04-22 release: 15.11 - name: Vulnerability dismissal reasons @@ -53,6 +53,6 @@ gitlab-com: true available_in: [Ultimate] documentation_link: https://docs.gitlab.com/ee/user/application_security/vulnerabilities/#vulnerability-dismissal-reasons' - image_url: 'https://about.gitlab.com//images/15_11/vulnerability_dismissal_types__reasons.png' + image_url: 'https://about.gitlab.com/images/15_11/vulnerability_dismissal_types__reasons.png' published_at: 2023-04-22 release: 15.11 diff --git a/db/migrate/20230419130952_remove_github_import_job_instances.rb b/db/migrate/20230419130952_remove_github_import_job_instances.rb index 3e1ccd3c74d..e7028032eb4 100644 --- a/db/migrate/20230419130952_remove_github_import_job_instances.rb +++ b/db/migrate/20230419130952_remove_github_import_job_instances.rb @@ -1,18 +1,11 @@ # frozen_string_literal: true -# See https://docs.gitlab.com/ee/development/migration_style_guide.html -# for more information on how to write migrations for GitLab. - class RemoveGithubImportJobInstances < Gitlab::Database::Migration[2.1] - DEPRECATED_JOB_CLASSES = %w[ - Gitlab::GithubImport::ImportReleaseAttachmentsWorker - ] - def up - sidekiq_remove_jobs(job_klasses: DEPRECATED_JOB_CLASSES) + # no-op to mitigate https://gitlab.com/gitlab-com/gl-infra/production/-/issues/9300 end def down - # This migration removes any instances of deprecated workers and cannot be undone. + # no-op to mitigate https://gitlab.com/gitlab-com/gl-infra/production/-/issues/9300 end end diff --git a/db/migrate/20230424194721_add_tofa_application_settings.rb b/db/migrate/20230424194721_add_tofa_application_settings.rb new file mode 100644 index 00000000000..c39e85a1a87 --- /dev/null +++ b/db/migrate/20230424194721_add_tofa_application_settings.rb @@ -0,0 +1,30 @@ +# frozen_string_literal: true + +class AddTofaApplicationSettings < Gitlab::Database::Migration[2.1] + def change + change_table(:application_settings, bulk: true) do |t| + t.column :encrypted_tofa_credentials, :binary + t.column :encrypted_tofa_credentials_iv, :binary + t.column :encrypted_tofa_host, :binary + t.column :encrypted_tofa_host_iv, :binary + t.column :encrypted_tofa_url, :binary + t.column :encrypted_tofa_url_iv, :binary + t.column :encrypted_tofa_response_json_keys, :binary + t.column :encrypted_tofa_response_json_keys_iv, :binary + t.column :encrypted_tofa_request_json_keys, :binary + t.column :encrypted_tofa_request_json_keys_iv, :binary + t.column :encrypted_tofa_request_payload, :binary + t.column :encrypted_tofa_request_payload_iv, :binary + t.column :encrypted_tofa_client_library_class, :binary + t.column :encrypted_tofa_client_library_class_iv, :binary + t.column :encrypted_tofa_client_library_args, :binary + t.column :encrypted_tofa_client_library_args_iv, :binary + t.column :encrypted_tofa_client_library_create_credentials_method, :binary + t.column :encrypted_tofa_client_library_create_credentials_method_iv, :binary + t.column :encrypted_tofa_client_library_fetch_access_token_method, :binary + t.column :encrypted_tofa_client_library_fetch_access_token_method_iv, :binary + t.column :encrypted_tofa_access_token_expires_in, :binary + t.column :encrypted_tofa_access_token_expires_in_iv, :binary + end + end +end diff --git a/db/schema_migrations/20230424194721 b/db/schema_migrations/20230424194721 new file mode 100644 index 00000000000..da92827dfd6 --- /dev/null +++ b/db/schema_migrations/20230424194721 @@ -0,0 +1 @@ +c400976f894b3d451bbf1a58e57f376cd86916680bb10623217b851a593cd4ea
\ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 2b6c2cb4196..d75c7822a92 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -11805,6 +11805,28 @@ CREATE TABLE application_settings ( silent_mode_enabled boolean DEFAULT false NOT NULL, package_metadata_purl_types smallint[] DEFAULT '{}'::smallint[], ci_max_includes integer DEFAULT 150 NOT NULL, + encrypted_tofa_credentials bytea, + encrypted_tofa_credentials_iv bytea, + encrypted_tofa_host bytea, + encrypted_tofa_host_iv bytea, + encrypted_tofa_url bytea, + encrypted_tofa_url_iv bytea, + encrypted_tofa_response_json_keys bytea, + encrypted_tofa_response_json_keys_iv bytea, + encrypted_tofa_request_json_keys bytea, + encrypted_tofa_request_json_keys_iv bytea, + encrypted_tofa_request_payload bytea, + encrypted_tofa_request_payload_iv bytea, + encrypted_tofa_client_library_class bytea, + encrypted_tofa_client_library_class_iv bytea, + encrypted_tofa_client_library_args bytea, + encrypted_tofa_client_library_args_iv bytea, + encrypted_tofa_client_library_create_credentials_method bytea, + encrypted_tofa_client_library_create_credentials_method_iv bytea, + encrypted_tofa_client_library_fetch_access_token_method bytea, + encrypted_tofa_client_library_fetch_access_token_method_iv bytea, + encrypted_tofa_access_token_expires_in bytea, + encrypted_tofa_access_token_expires_in_iv bytea, CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), diff --git a/doc/.vale/gitlab/ElementDescriptors.yml b/doc/.vale/gitlab/ElementDescriptors.yml index f806f5878e1..fd3acace744 100644 --- a/doc/.vale/gitlab/ElementDescriptors.yml +++ b/doc/.vale/gitlab/ElementDescriptors.yml @@ -11,4 +11,4 @@ level: warning ignorecase: true scope: raw raw: - - \*\*.+?\*\* button + - \*\*[^*]+\*\*\s+button diff --git a/doc/administration/gitaly/troubleshooting.md b/doc/administration/gitaly/troubleshooting.md index 2bb87b20058..dbbd348556c 100644 --- a/doc/administration/gitaly/troubleshooting.md +++ b/doc/administration/gitaly/troubleshooting.md @@ -380,6 +380,12 @@ push, which causes a significant delay. If Git pushes are too slow when Dynatrace is enabled, disable Dynatrace. +### `gitaly check` fails with `401` status code + +`gitaly check` can fail with `401` status code if Gitaly can't access the internal GitLab API. + +One way to resolve this is to make sure the entry is correct for the GitLab internal API URL configured in `gitlab.rb` with `gitlab_rails['internal_api_url']`. + ## Gitaly fails to fork processes stored on `noexec` file systems Because of changes [introduced](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/5999) in GitLab 14.10, applying the `noexec` option to a mount diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 791c6c2677a..14c446d464f 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -24989,6 +24989,7 @@ Name of the feature that the callout is for. | <a id="usercalloutfeaturenameenumnamespace_storage_limit_banner_error_threshold"></a>`NAMESPACE_STORAGE_LIMIT_BANNER_ERROR_THRESHOLD` | Callout feature name for namespace_storage_limit_banner_error_threshold. | | <a id="usercalloutfeaturenameenumnamespace_storage_limit_banner_info_threshold"></a>`NAMESPACE_STORAGE_LIMIT_BANNER_INFO_THRESHOLD` | Callout feature name for namespace_storage_limit_banner_info_threshold. | | <a id="usercalloutfeaturenameenumnamespace_storage_limit_banner_warning_threshold"></a>`NAMESPACE_STORAGE_LIMIT_BANNER_WARNING_THRESHOLD` | Callout feature name for namespace_storage_limit_banner_warning_threshold. | +| <a id="usercalloutfeaturenameenumnamespace_storage_pre_enforcement_banner"></a>`NAMESPACE_STORAGE_PRE_ENFORCEMENT_BANNER` | Callout feature name for namespace_storage_pre_enforcement_banner. | | <a id="usercalloutfeaturenameenumnew_top_level_group_alert"></a>`NEW_TOP_LEVEL_GROUP_ALERT` | Callout feature name for new_top_level_group_alert. | | <a id="usercalloutfeaturenameenumnew_user_signups_cap_reached"></a>`NEW_USER_SIGNUPS_CAP_REACHED` | Callout feature name for new_user_signups_cap_reached. | | <a id="usercalloutfeaturenameenumpersonal_access_token_expiry"></a>`PERSONAL_ACCESS_TOKEN_EXPIRY` | Callout feature name for personal_access_token_expiry. | @@ -25003,10 +25004,6 @@ Name of the feature that the callout is for. | <a id="usercalloutfeaturenameenumsecurity_configuration_upgrade_banner"></a>`SECURITY_CONFIGURATION_UPGRADE_BANNER` | Callout feature name for security_configuration_upgrade_banner. | | <a id="usercalloutfeaturenameenumsecurity_newsletter_callout"></a>`SECURITY_NEWSLETTER_CALLOUT` | Callout feature name for security_newsletter_callout. | | <a id="usercalloutfeaturenameenumsecurity_training_feature_promotion"></a>`SECURITY_TRAINING_FEATURE_PROMOTION` | Callout feature name for security_training_feature_promotion. | -| <a id="usercalloutfeaturenameenumstorage_enforcement_banner_first_enforcement_threshold"></a>`STORAGE_ENFORCEMENT_BANNER_FIRST_ENFORCEMENT_THRESHOLD` | Callout feature name for storage_enforcement_banner_first_enforcement_threshold. | -| <a id="usercalloutfeaturenameenumstorage_enforcement_banner_fourth_enforcement_threshold"></a>`STORAGE_ENFORCEMENT_BANNER_FOURTH_ENFORCEMENT_THRESHOLD` | Callout feature name for storage_enforcement_banner_fourth_enforcement_threshold. | -| <a id="usercalloutfeaturenameenumstorage_enforcement_banner_second_enforcement_threshold"></a>`STORAGE_ENFORCEMENT_BANNER_SECOND_ENFORCEMENT_THRESHOLD` | Callout feature name for storage_enforcement_banner_second_enforcement_threshold. | -| <a id="usercalloutfeaturenameenumstorage_enforcement_banner_third_enforcement_threshold"></a>`STORAGE_ENFORCEMENT_BANNER_THIRD_ENFORCEMENT_THRESHOLD` | Callout feature name for storage_enforcement_banner_third_enforcement_threshold. | | <a id="usercalloutfeaturenameenumsubmit_license_usage_data_banner"></a>`SUBMIT_LICENSE_USAGE_DATA_BANNER` | Callout feature name for submit_license_usage_data_banner. | | <a id="usercalloutfeaturenameenumsuggest_pipeline"></a>`SUGGEST_PIPELINE` | Callout feature name for suggest_pipeline. | | <a id="usercalloutfeaturenameenumsuggest_popover_dismissed"></a>`SUGGEST_POPOVER_DISMISSED` | Callout feature name for suggest_popover_dismissed. | diff --git a/doc/development/github_importer.md b/doc/development/github_importer.md index bca1fc276d5..86142efa679 100644 --- a/doc/development/github_importer.md +++ b/doc/development/github_importer.md @@ -146,10 +146,10 @@ comments. This worker imports note attachments that are linked inside Markdown. For each entity with Markdown text in the project, we schedule a job of: -- `Gitlab::GithubImport::Attachments::ImportReleaseWorker` for every release. -- `Gitlab::GithubImport::Attachments::ImportNoteWorker` for every note. -- `Gitlab::GithubImport::Attachments::ImportIssueWorker` for every issue. -- `Gitlab::GithubImport::Attachments::ImportMergeRequestWorker` for every merge request. +- `Gitlab::GithubImport::ImportReleaseAttachmentsWorker` for every release. +- `Gitlab::GithubImport::ImportNoteAttachmentsWorker` for every note. +- `Gitlab::GithubImport::ImportIssueAttachmentsWorker` for every issue. +- `Gitlab::GithubImport::ImportMergeRequestAttachmentsWorker` for every merge request. Each job: diff --git a/doc/user/application_security/policies/index.md b/doc/user/application_security/policies/index.md index 05996a70d3d..723b55a884d 100644 --- a/doc/user/application_security/policies/index.md +++ b/doc/user/application_security/policies/index.md @@ -138,3 +138,17 @@ When you create a new security policy or change an existing policy, a new branch If you have group or instance [push rules that do not allow branch name patterns](../../project/repository/push_rules.md#validate-branch-names) that contain the text `update-policy-<timestamp>`, you will get an error that states `Branch name 'update-policy-<timestamp>' does not follow the pattern '<branch_name_regex>'`. The workaround is to amend your group or instance push rules to allow branches following the pattern `update-policy-` followed by an integer timestamp. + +### Troubleshooting common issues configuring security policies + +- Confirm that projects contain a `.gitlab-ci.yml` file. This file is required for scan execution policies. +- Confirm that scanners are properly configured and producing results for the latest branch. Security Policies are designed to require approval when there are no results (no security report), as this ensures that no vulnerabilities are introduced. We cannot know if there are any vulnerabilities unless the scans enforced by the policy complete successfully and are evaluated. +- When running scan execution policies based on a SAST action, ensure target repositories contain proper code files. SAST runs different analyzers [based on the types of files in the repo](../sast/index.md#supported-languages-and-frameworks), and if no supported files are found it will not run any jobs. See the [SAST CI template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Jobs/SAST.gitlab-ci.yml) for more details. +- Check for any branch configuration conflicts. If your policy is configured to enforce rules on `main` but some projects within the scope are using `master` as their default branch, the policy is not applied for the latter. Support for specifying the `default` branch in your policies is proposed in [epic 9468](https://gitlab.com/groups/gitlab-org/-/epics/9468). +- Scan result policies created at the group or sub-group level can take some time to apply to all the merge requests in the group. +- Scheduled scan execution policies run with a minimum 15 minute cadence. Learn more [about the schedule rule type](../policies/scan-execution-policies.md#schedule-rule-type). +- When scheduling pipelines, keep in mind that CRON scheduling is based on UTC on GitLab SaaS and is based on your server time for self managed instances. When testing new policies, it may appear pipelines are not running properly when in fact they are scheduled in your server's timezone. +- When enforcing scan execution policies, the target project's pipeline is triggered by the user who last updated the security policy project's `policy.yml` file. The user must have permission to trigger the pipeline in the project for the policy to be enforced, and the pipeline to run. Work to address this is being tracked in [issue 394958]. +- You should not link a security policy project to a development project and to the group or sub-group the development project belongs to at the same time. Linking this way will result in approval rules from the Scan Result Policy not being applied to merge requests in the development project. + +If you are still experiencing issues, you can [view recent reported bugs](https://gitlab.com/gitlab-org/gitlab/-/issues/?sort=popularity&state=opened&label_name%5B%5D=group%3A%3Asecurity%20policies&label_name%5B%5D=type%3A%3Abug&first_page_size=20) and raise new unreported issues. diff --git a/doc/user/group/import/index.md b/doc/user/group/import/index.md index c5a12d3fc8e..f69506efe33 100644 --- a/doc/user/group/import/index.md +++ b/doc/user/group/import/index.md @@ -119,7 +119,7 @@ To ensure GitLab maps users and their contributions correctly: - Set up or use your existing [SAML SSO provider](../saml_sso/index.md) and leverage user synchronization of SAML SSO groups supported through [SCIM](../../group/saml_sso/scim_setup.md). You can [bypass the GitLab user account verification with verified email domains](../saml_sso/index.md#bypass-user-email-confirmation-with-verified-domains). -1. Ensure that users have a public email on the source GitLab instance that matches any confirmed email address on the destination GitLab instance. Most +1. Ensure that users have a [public email](../../profile/index.md#set-your-public-email) on the source GitLab instance that matches any confirmed email address on the destination GitLab instance. Most users receive an email asking them to confirm their email address. 1. If users already exist on the destination instance and you use [SAML SSO for GitLab.com groups](../../group/saml_sso/index.md), all users must [link their SAML identity to their GitLab.com account](../../group/saml_sso/index.md#link-saml-to-your-existing-gitlabcom-account). diff --git a/doc/user/project/merge_requests/allow_collaboration.md b/doc/user/project/merge_requests/allow_collaboration.md index 4a22cc71349..d5851050fd4 100644 --- a/doc/user/project/merge_requests/allow_collaboration.md +++ b/doc/user/project/merge_requests/allow_collaboration.md @@ -68,7 +68,7 @@ To change or add a commit to the contributor's merge request: ```shell git fetch "git@gitlab.com:contributor/forked-project.git" 'fork-branch' - git checkout -b contributor/fork-branch' FETCH_HEAD + git checkout -b 'contributor/fork-branch' FETCH_HEAD ``` Those commands fetch the branch from the forked project, and create a local branch diff --git a/spec/frontend/merge_request_tabs_spec.js b/spec/frontend/merge_request_tabs_spec.js index 76d1fa3a332..399c1446f37 100644 --- a/spec/frontend/merge_request_tabs_spec.js +++ b/spec/frontend/merge_request_tabs_spec.js @@ -1,6 +1,7 @@ import MockAdapter from 'axios-mock-adapter'; import $ from 'jquery'; -import { loadHTMLFixture, resetHTMLFixture } from 'helpers/fixtures'; +import htmlMergeRequestsWithTaskList from 'test_fixtures/merge_requests/merge_request_with_task_list.html'; +import { setHTMLFixture, resetHTMLFixture } from 'helpers/fixtures'; import initMrPage from 'helpers/init_vue_mr_page_helper'; import { stubPerformanceWebAPI } from 'helpers/performance'; import axios from '~/lib/utils/axios_utils'; @@ -84,7 +85,7 @@ describe('MergeRequestTabs', () => { let tabUrl; beforeEach(() => { - loadHTMLFixture('merge_requests/merge_request_with_task_list.html'); + setHTMLFixture(htmlMergeRequestsWithTaskList); tabUrl = $('.commits-tab a').attr('href'); diff --git a/spec/models/ci/resource_group_spec.rb b/spec/models/ci/resource_group_spec.rb index 87537f36311..6d518d5c874 100644 --- a/spec/models/ci/resource_group_spec.rb +++ b/spec/models/ci/resource_group_spec.rb @@ -118,7 +118,7 @@ RSpec.describe Ci::ResourceGroup do let!(:resource_group) { create(:ci_resource_group, process_mode: process_mode, project: project) } - Ci::HasStatus::STATUSES_ENUM.keys.each do |status| + Ci::HasStatus::STATUSES_ENUM.keys.each do |status| # rubocop:diable RSpec/UselessDynamicDefinition let!("build_1_#{status}") { create(:ci_build, pipeline: pipeline_1, status: status, resource_group: resource_group) } let!("build_2_#{status}") { create(:ci_build, pipeline: pipeline_2, status: status, resource_group: resource_group) } end diff --git a/spec/models/namespace_spec.rb b/spec/models/namespace_spec.rb index 408f0849ca0..dd522018e52 100644 --- a/spec/models/namespace_spec.rb +++ b/spec/models/namespace_spec.rb @@ -2617,28 +2617,6 @@ RSpec.describe Namespace, feature_category: :subgroups do end end - describe 'storage_enforcement_date', :freeze_time do - let_it_be(:namespace) { create(:group) } - - before do - stub_feature_flags(namespace_storage_limit_bypass_date_check: false) - end - - it 'returns correct date' do - expect(namespace.storage_enforcement_date).to eql(3.months.from_now.to_date) - end - - context 'when :storage_banner_bypass_date_check is enabled' do - before do - stub_feature_flags(namespace_storage_limit_bypass_date_check: true) - end - - it 'returns the current date' do - expect(namespace.storage_enforcement_date).to eq(Date.current) - end - end - end - describe 'serialization' do let(:object) { build(:namespace) } diff --git a/spec/support/shared_examples/requests/api/discussions_shared_examples.rb b/spec/support/shared_examples/requests/api/discussions_shared_examples.rb index a90fa06d458..2996c794e52 100644 --- a/spec/support/shared_examples/requests/api/discussions_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/discussions_shared_examples.rb @@ -231,8 +231,7 @@ RSpec.shared_examples 'discussions API' do |parent_type, noteable_type, id_name, it 'returns a 404 error when note id not found' do put api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/"\ - "discussions/#{note.discussion_id}/notes/#{non_existing_record_id}", user), - params: { body: 'Hello!' } + "discussions/#{note.discussion_id}/notes/#{non_existing_record_id}", user), params: { body: 'Hello!' } expect(response).to have_gitlab_http_status(:not_found) end diff --git a/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb b/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb index b459e479c91..53329c5caec 100644 --- a/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/graphql/mutations/snippets_shared_examples.rb @@ -6,7 +6,7 @@ RSpec.shared_examples 'when the snippet is not found' do end it_behaves_like 'a mutation that returns top-level errors', - errors: [Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR] + errors: [Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR] end RSpec.shared_examples 'snippet edit usage data counters' do diff --git a/spec/support/shared_examples/requests/api/graphql/mutations/subscription_shared_examples.rb b/spec/support/shared_examples/requests/api/graphql/mutations/subscription_shared_examples.rb index 40b88ef370f..4dc0264172f 100644 --- a/spec/support/shared_examples/requests/api/graphql/mutations/subscription_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/graphql/mutations/subscription_shared_examples.rb @@ -36,9 +36,9 @@ RSpec.shared_examples 'a subscribable resource api' do context 'when the user is not authorized' do it_behaves_like 'a mutation that returns top-level errors', - errors: ["The resource that you are attempting to access "\ - "does not exist or you don't have permission to "\ - "perform this action"] + errors: ["The resource that you are attempting to access "\ + "does not exist or you don't have permission to "\ + "perform this action"] end context 'when user is authorized' do diff --git a/spec/support/shared_examples/requests/api/graphql/projects/branch_protections/access_level_request_examples.rb b/spec/support/shared_examples/requests/api/graphql/projects/branch_protections/access_level_request_examples.rb index 6b4d8cae2ce..6648c18fb70 100644 --- a/spec/support/shared_examples/requests/api/graphql/projects/branch_protections/access_level_request_examples.rb +++ b/spec/support/shared_examples/requests/api/graphql/projects/branch_protections/access_level_request_examples.rb @@ -13,13 +13,15 @@ RSpec.shared_examples 'a GraphQL query for access levels' do |access_level_kind| let(:maintainer_access_level) { access_levels.for_role.first } let(:maintainer_access_level_data) { access_levels_data.first } let(:access_levels_data) do - graphql_data_at('project', - 'branchRules', - 'nodes', - 0, - 'branchProtection', - "#{access_level_kind.to_s.camelize(:lower)}AccessLevels", - 'nodes') + graphql_data_at( + 'project', + 'branchRules', + 'nodes', + 0, + 'branchProtection', + "#{access_level_kind.to_s.camelize(:lower)}AccessLevels", + 'nodes' + ) end let(:query) do diff --git a/spec/support/shared_examples/requests/api/hooks_shared_examples.rb b/spec/support/shared_examples/requests/api/hooks_shared_examples.rb index 44bd943950a..a2c34aa6a54 100644 --- a/spec/support/shared_examples/requests/api/hooks_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/hooks_shared_examples.rb @@ -176,8 +176,7 @@ RSpec.shared_examples 'web-hook API endpoints' do |prefix| it "adds hook", :aggregate_failures do expect do - post api(collection_uri, user, admin_mode: user.admin?), - params: hook_creation_params + post api(collection_uri, user, admin_mode: user.admin?), params: hook_creation_params end.to change { hooks_count }.by(1) expect(response).to have_gitlab_http_status(:created) @@ -201,8 +200,7 @@ RSpec.shared_examples 'web-hook API endpoints' do |prefix| token = "secret token" expect do - post api(collection_uri, user, admin_mode: user.admin?), - params: { url: "http://example.com", token: token } + post api(collection_uri, user, admin_mode: user.admin?), params: { url: "http://example.com", token: token } end.to change { hooks_count }.by(1) expect(response).to have_gitlab_http_status(:created) @@ -352,7 +350,7 @@ RSpec.shared_examples 'web-hook API endpoints' do |prefix| it 'sets the variable' do expect do put api("#{hook_uri}/url_variables/abc", user, admin_mode: user.admin?), - params: { value: 'some secret value' } + params: { value: 'some secret value' } end.to change { hook.reload.url_variables }.to(eq('abc' => 'some secret value')) expect(response).to have_gitlab_http_status(:no_content) @@ -362,7 +360,7 @@ RSpec.shared_examples 'web-hook API endpoints' do |prefix| hook.update!(url_variables: { 'abc' => 'xyz', 'def' => 'other value' }) put api("#{hook_uri}/url_variables/abc", user, admin_mode: user.admin?), - params: { value: 'some secret value' } + params: { value: 'some secret value' } expect(response).to have_gitlab_http_status(:no_content) expect(hook.reload.url_variables).to eq('abc' => 'some secret value', 'def' => 'other value') @@ -370,21 +368,21 @@ RSpec.shared_examples 'web-hook API endpoints' do |prefix| it "returns a 404 error when editing non existent hook" do put api("#{hook_uri(non_existing_record_id)}/url_variables/abc", user, admin_mode: user.admin?), - params: { value: 'xyz' } + params: { value: 'xyz' } expect(response).to have_gitlab_http_status(:not_found) end it "returns a 422 error when the key is illegal" do put api("#{hook_uri}/url_variables/abc%20def", user, admin_mode: user.admin?), - params: { value: 'xyz' } + params: { value: 'xyz' } expect(response).to have_gitlab_http_status(:unprocessable_entity) end it "returns a 422 error when the value is illegal" do put api("#{hook_uri}/url_variables/abc", user, admin_mode: user.admin?), - params: { value: '' } + params: { value: '' } expect(response).to have_gitlab_http_status(:unprocessable_entity) end diff --git a/spec/support/shared_examples/requests/api/notes_shared_examples.rb b/spec/support/shared_examples/requests/api/notes_shared_examples.rb index 1299899ecd2..0518749452e 100644 --- a/spec/support/shared_examples/requests/api/notes_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/notes_shared_examples.rb @@ -330,7 +330,7 @@ RSpec.shared_examples 'noteable API' do |parent_type, noteable_type, id_name| it 'returns a 404 error when note id not found' do put api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/notes/#{non_existing_record_id}", user, admin_mode: user.admin?), - params: { body: 'Hello!' } + params: { body: 'Hello!' } expect(response).to have_gitlab_http_status(:not_found) end diff --git a/spec/support/shared_examples/requests/api/packages_shared_examples.rb b/spec/support/shared_examples/requests/api/packages_shared_examples.rb index 678c73637ee..3168f25e4fa 100644 --- a/spec/support/shared_examples/requests/api/packages_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/packages_shared_examples.rb @@ -144,17 +144,25 @@ end RSpec.shared_examples 'a package tracking event' do |category, action, service_ping_context = true| let(:context) do - [Gitlab::Tracking::ServicePingContext.new(data_source: :redis_hll, - event: snowplow_gitlab_standard_context[:property]).to_h] + [ + Gitlab::Tracking::ServicePingContext.new( + data_source: :redis_hll, + event: snowplow_gitlab_standard_context[:property] + ).to_h + ] end it "creates a gitlab tracking event #{action}", :snowplow, :aggregate_failures do subject if service_ping_context - expect_snowplow_event(category: category, action: action, - label: "redis_hll_counters.user_packages.user_packages_total_unique_counts_monthly", - context: context, **snowplow_gitlab_standard_context) + expect_snowplow_event( + category: category, + action: action, + label: "redis_hll_counters.user_packages.user_packages_total_unique_counts_monthly", + context: context, + **snowplow_gitlab_standard_context + ) else expect_snowplow_event(category: category, action: action, **snowplow_gitlab_standard_context) end diff --git a/spec/support/shared_examples/requests/api/resolvable_discussions_shared_examples.rb b/spec/support/shared_examples/requests/api/resolvable_discussions_shared_examples.rb index b5139bd8c99..2770e293683 100644 --- a/spec/support/shared_examples/requests/api/resolvable_discussions_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/resolvable_discussions_shared_examples.rb @@ -71,8 +71,7 @@ RSpec.shared_examples 'resolvable discussions API' do |parent_type, noteable_typ it 'returns a 404 error when note id not found' do put api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/"\ - "discussions/#{note.discussion_id}/notes/#{non_existing_record_id}", user), - params: { body: 'Hello!' } + "discussions/#{note.discussion_id}/notes/#{non_existing_record_id}", user), params: { body: 'Hello!' } expect(response).to have_gitlab_http_status(:not_found) end diff --git a/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb b/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb index 86a1fd76d09..398421c7a79 100644 --- a/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb +++ b/spec/support/shared_examples/requests/api/time_tracking_shared_examples.rb @@ -173,8 +173,7 @@ RSpec.shared_examples 'time tracking endpoints' do |issuable_name| describe "GET /projects/:id/#{issuable_collection_name}/:#{issuable_name}_id/time_stats" do it "returns the time stats for #{issuable_name}" do - issuable.update!(spend_time: { duration: 1800, user_id: user.id }, - time_estimate: 3600) + issuable.update!(spend_time: { duration: 1800, user_id: user.id }, time_estimate: 3600) get api("/projects/#{project.id}/#{issuable_collection_name}/#{issuable.iid}/time_stats", user) diff --git a/spec/support/shared_examples/requests/graphql_shared_examples.rb b/spec/support/shared_examples/requests/graphql_shared_examples.rb index d133c5ea641..2c08f946468 100644 --- a/spec/support/shared_examples/requests/graphql_shared_examples.rb +++ b/spec/support/shared_examples/requests/graphql_shared_examples.rb @@ -58,5 +58,5 @@ end RSpec.shared_examples 'a mutation on an unauthorized resource' do it_behaves_like 'a mutation that returns top-level errors', - errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR] + errors: [::Gitlab::Graphql::Authorize::AuthorizeResource::RESOURCE_ACCESS_ERROR] end diff --git a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb index 3f457890f35..dafa324b3c6 100644 --- a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb +++ b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb @@ -567,8 +567,8 @@ RSpec.shared_examples 'rate-limited unauthenticated requests' do it 'does not throttle the requests' do (1 + requests_per_period).times do post registry_endpoint, - params: { events: events }.to_json, - headers: registry_headers.merge('Authorization' => secret_token) + params: { events: events }.to_json, + headers: registry_headers.merge('Authorization' => secret_token) expect(response).to have_gitlab_http_status(:ok) end diff --git a/spec/workers/every_sidekiq_worker_spec.rb b/spec/workers/every_sidekiq_worker_spec.rb index 5778bc47b35..0a4dd38de13 100644 --- a/spec/workers/every_sidekiq_worker_spec.rb +++ b/spec/workers/every_sidekiq_worker_spec.rb @@ -262,6 +262,7 @@ RSpec.describe 'Every Sidekiq worker', feature_category: :shared do 'GeoRepositoryDestroyWorker' => 3, 'GitGarbageCollectWorker' => false, 'Gitlab::GithubImport::AdvanceStageWorker' => 3, + 'Gitlab::GithubImport::ImportReleaseAttachmentsWorker' => 5, 'Gitlab::GithubImport::Attachments::ImportReleaseWorker' => 5, 'Gitlab::GithubImport::Attachments::ImportNoteWorker' => 5, 'Gitlab::GithubImport::Attachments::ImportIssueWorker' => 5, diff --git a/spec/workers/gitlab/github_import/import_release_attachments_worker_spec.rb b/spec/workers/gitlab/github_import/import_release_attachments_worker_spec.rb new file mode 100644 index 00000000000..62a9e3446f8 --- /dev/null +++ b/spec/workers/gitlab/github_import/import_release_attachments_worker_spec.rb @@ -0,0 +1,50 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Gitlab::GithubImport::ImportReleaseAttachmentsWorker, feature_category: :importers do + subject(:worker) { described_class.new } + + describe '#import' do + let(:import_state) { create(:import_state, :started) } + + let(:project) do + instance_double('Project', full_path: 'foo/bar', id: 1, import_state: import_state) + end + + let(:client) { instance_double('Gitlab::GithubImport::Client') } + let(:importer) { instance_double('Gitlab::GithubImport::Importer::NoteAttachmentsImporter') } + + let(:release_hash) do + { + 'record_db_id' => rand(100), + 'record_type' => 'Release', + 'tag' => 'v1.0', + 'text' => <<-TEXT + Some text... + +  + TEXT + } + end + + it 'imports an issue event' do + expect(Gitlab::GithubImport::Importer::NoteAttachmentsImporter) + .to receive(:new) + .with( + an_instance_of(Gitlab::GithubImport::Representation::NoteText), + project, + client + ) + .and_return(importer) + + expect(importer).to receive(:execute) + + expect(Gitlab::GithubImport::ObjectCounter) + .to receive(:increment) + .and_call_original + + worker.import(project, client, release_hash) + end + end +end |