
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-01-23 18:10:34 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-01-23 18:10:34 +0300
commita8b96c3072b3bd4d45e6364931042b350bf7fa2e (patch)
tree70d8a5faa2171c82a0007364f89c11d2e45aeac5
parent8137303e47baaff97a36396cfb05efc0d99879a2 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--Gemfile5
-rw-r--r--Gemfile.checksum2
-rw-r--r--Gemfile.lock10
-rw-r--r--app/helpers/issuables_helper.rb13
-rw-r--r--app/models/repository.rb34
-rw-r--r--app/views/import/github/new.html.haml13
-rw-r--r--config/routes/issues.rb6
-rw-r--r--config/routes/project.rb2
-rw-r--r--db/fixtures/development/33_triage_ops.rb2
-rw-r--r--doc/administration/auth/cognito.md2
-rw-r--r--doc/administration/gitaly/reference.md6
-rw-r--r--doc/administration/monitoring/prometheus/web_exporter.md4
-rw-r--r--doc/api/groups.md3
-rw-r--r--doc/api/members.md3
-rw-r--r--doc/architecture/blueprints/ci_data_decay/pipeline_partitioning.md18
-rw-r--r--doc/ci/git_submodules.md2
-rw-r--r--doc/ci/migration/jenkins.md2
-rw-r--r--doc/ci/troubleshooting.md7
-rw-r--r--doc/user/enterprise_user/index.md71
-rw-r--r--doc/user/group/manage.md2
-rw-r--r--doc/user/group/saml_sso/index.md4
-rw-r--r--doc/user/group/saml_sso/scim_setup.md2
-rw-r--r--doc/user/group/saml_sso/troubleshooting.md20
-rw-r--r--lib/gitlab/database.rb12
-rw-r--r--lib/tasks/migrate/schema_check.rake6
-rw-r--r--qa/qa/service/cluster_provider/gcloud.rb2
-rw-r--r--spec/features/abuse_report_spec.rb2
-rw-r--r--spec/features/incidents/incident_details_spec.rb4
-rw-r--r--spec/features/incidents/incident_timeline_events_spec.rb2
-rw-r--r--spec/features/incidents/user_views_incident_spec.rb4
-rw-r--r--spec/features/issues/incident_issue_spec.rb2
-rw-r--r--spec/features/issues/issue_detail_spec.rb2
-rw-r--r--spec/helpers/issuables_helper_spec.rb28
-rw-r--r--spec/lib/gitlab/database_spec.rb29
-rw-r--r--spec/models/repository_spec.rb42
-rw-r--r--spec/tasks/migrate/schema_check_rake_spec.rb5
36 files changed, 297 insertions, 76 deletions
diff --git a/Gemfile b/Gemfile
index d50bb24a9dd..395d78a8fe2 100644
--- a/Gemfile
+++ b/Gemfile
@@ -73,7 +73,10 @@ gem 'omniauth-shibboleth', '~> 1.3.0'
gem 'omniauth-twitter', '~> 1.4'
gem 'omniauth_crowd', '~> 2.4.0', path: 'vendor/gems/omniauth_crowd' # See vendor/gems/omniauth_crowd/README.md
gem 'omniauth-authentiq', '~> 0.3.3'
-gem 'gitlab-omniauth-openid-connect', '~> 0.10.0', require: 'omniauth_openid_connect'
+gem 'omniauth_openid_connect', '~> 0.6.0'
+# Locked until Ruby 3.0 upgrade since upgrading will pull in an updated net-smtp gem.
+# See https://docs.gitlab.com/ee/development/emails.html#rationale.
+gem 'openid_connect', '= 1.3.0'
gem 'omniauth-salesforce', '~> 1.0.5', path: 'vendor/gems/omniauth-salesforce' # See gem README.md
gem 'omniauth-atlassian-oauth2', '~> 0.2.0'
gem 'rack-oauth2', '~> 1.21.3'
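Review bot: The exact pin `gem 'openid_connect', '= 1.3.0'` also blocks patch releases of the library that sits on the OIDC sign-in path, and the comment above it names no tracked condition for lifting the pin. Extend the comment so the pin is not forgotten, for example `# TODO: relax to '~> 1.3' once the Ruby 3.0 upgrade lands (tracking issue: <ISSUE-URL>).` Separately, this hunk swaps the `gitlab-omniauth-openid-connect` fork for upstream `omniauth_openid_connect`. Whether any fork-only behaviour was relied on is not visible here, so it is worth confirming that existing provider configurations are still covered by specs.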
diff --git a/Gemfile.checksum b/Gemfile.checksum
index 0b949733701..87e6502f8fa 100644
--- a/Gemfile.checksum
+++ b/Gemfile.checksum
@@ -210,7 +210,6 @@
{"name":"gitlab-mail_room","version":"0.0.9","platform":"ruby","checksum":"6700374b5c0aa9d9ad4e711aeb677f0b7d415a6d01d3baa699efab25349d851c"},
{"name":"gitlab-markup","version":"1.8.1","platform":"ruby","checksum":"ab1f9fd016977497c2af25b76341dea670533014f406861834a0bd99f646707b"},
{"name":"gitlab-net-dns","version":"0.9.1","platform":"ruby","checksum":"bcd1a08dcb31b731e8ff602d828de619d2d9f53f5812f6abacf11c720873d4cb"},
-{"name":"gitlab-omniauth-openid-connect","version":"0.10.0","platform":"ruby","checksum":"ea44a23ea93457057bba6a9912e883f5aefab36a941c6c58512c8a7095fb1153"},
{"name":"gitlab-sidekiq-fetcher","version":"0.9.0","platform":"ruby","checksum":"54041aec059f20c8e6dfce394e1b60e0c0a9c7cef32da912a58abbd333e13897"},
{"name":"gitlab-styles","version":"9.2.0","platform":"ruby","checksum":"7106e7fb2de01f0c4a8d074ccff5c1f37502eab98cc51c8b5dd72a081785cea4"},
{"name":"gitlab_chronic_duration","version":"0.10.6.2","platform":"ruby","checksum":"6dda4cfe7dca9b958f163ac8835c3d9cc70cf8df8cbb89bb2fbf9ba4375105fb"},
@@ -401,6 +400,7 @@
{"name":"omniauth-saml","version":"2.0.0","platform":"ruby","checksum":"02594fd6630de26a9e65a2e64223e9ad32324fa97a6c7f1f22a1553ea3dd44c7"},
{"name":"omniauth-shibboleth","version":"1.3.0","platform":"ruby","checksum":"b0bb725ced5cb76fbfc187ddbb8ad6864d0cd5df714cab36a528df8ee4b1d113"},
{"name":"omniauth-twitter","version":"1.4.0","platform":"ruby","checksum":"c5cc6c77cd767745ffa9ebbd5fbd694a3fa99d1d2d82a4d7def0bf3b6131b264"},
+{"name":"omniauth_openid_connect","version":"0.6.0","platform":"ruby","checksum":"b8e48ca67fdea2dff56cc161855b88707a290ae01125149dbe0f8c94e818cfd3"},
{"name":"open4","version":"1.3.4","platform":"ruby","checksum":"a1df037310624ecc1ea1d81264b11c83e96d0c3c1c6043108d37d396dcd0f4b1"},
{"name":"openid_connect","version":"1.3.0","platform":"ruby","checksum":"a796855096850cc01140e37ea6ae9fd14f2be818b9b5bc698418063dfe228770"},
{"name":"openssl","version":"2.2.2","platform":"ruby","checksum":"53f72382bac046c36c37049c7ec9d5597d42628d140b5cfbcd61e0226c0ca077"},
diff --git a/Gemfile.lock b/Gemfile.lock
index 832102ce337..787bec68aeb 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -599,10 +599,6 @@ GEM
gitlab-mail_room (0.0.9)
gitlab-markup (1.8.1)
gitlab-net-dns (0.9.1)
- gitlab-omniauth-openid-connect (0.10.0)
- addressable (~> 2.7)
- omniauth (>= 1.9, < 3)
- openid_connect (~> 1.2)
gitlab-sidekiq-fetcher (0.9.0)
json (>= 2.5)
sidekiq (~> 6.1)
@@ -1025,6 +1021,9 @@ GEM
omniauth-twitter (1.4.0)
omniauth-oauth (~> 1.1)
rack
+ omniauth_openid_connect (0.6.0)
+ omniauth (>= 1.9, < 3)
+ openid_connect (~> 1.1)
open4 (1.3.4)
openid_connect (1.3.0)
activemodel
@@ -1679,7 +1678,6 @@ DEPENDENCIES
gitlab-mail_room (~> 0.0.9)
gitlab-markup (~> 1.8.0)
gitlab-net-dns (~> 0.9.1)
- gitlab-omniauth-openid-connect (~> 0.10.0)
gitlab-sidekiq-fetcher (= 0.9.0)
gitlab-styles (~> 9.2.0)
gitlab_chronic_duration (~> 0.10.6.2)
@@ -1770,6 +1768,8 @@ DEPENDENCIES
omniauth-shibboleth (~> 1.3.0)
omniauth-twitter (~> 1.4)
omniauth_crowd (~> 2.4.0)!
+ omniauth_openid_connect (~> 0.6.0)
+ openid_connect (= 1.3.0)
openssl (= 2.2.2)
org-ruby (~> 0.9.12)
pact (~> 1.63)
diff --git a/app/helpers/issuables_helper.rb b/app/helpers/issuables_helper.rb
index fb407aa7eed..7ae7d126414 100644
--- a/app/helpers/issuables_helper.rb
+++ b/app/helpers/issuables_helper.rb
@@ -242,7 +242,6 @@ module IssuablesHelper
updateEndpoint: "#{issuable_path(issuable)}.json",
canUpdate: can?(current_user, :"update_#{issuable.to_ability_name}", issuable),
canDestroy: can?(current_user, :"destroy_#{issuable.to_ability_name}", issuable),
- canUpdateTimelineEvent: can?(current_user, :admin_incident_management_timeline_event, issuable),
issuableRef: issuable.to_reference,
markdownPreviewPath: preview_markdown_path(parent, target_type: issuable.model_name, target_id: issuable.iid),
markdownDocsPath: help_page_path('user/markdown'),
@@ -272,7 +271,17 @@ module IssuablesHelper
sentryIssueIdentifier: SentryIssue.find_by(issue: issuable)&.sentry_issue_identifier, # rubocop:disable CodeReuse/ActiveRecord
iid: issuable.iid.to_s,
isHidden: issue_hidden?(issuable),
- canCreateIncident: create_issue_type_allowed?(issuable.project, :incident)
+ canCreateIncident: create_issue_type_allowed?(issuable.project, :incident),
+ **incident_only_initial_data(issuable)
+ }
+ end
+
+ def incident_only_initial_data(issue)
+ return {} unless issue.incident?
+
+ {
+ hasLinkedAlerts: issue.alert_management_alerts.any?,
+ canUpdateTimelineEvent: can?(current_user, :admin_incident_management_timeline_event, issue)
}
end
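Review bot: `hasLinkedAlerts` in `incident_only_initial_data` is computed from `issue.alert_management_alerts.any?` with no ability check, while the neighbouring `canUpdateTimelineEvent` goes through `can?`. If alert visibility is narrower than incident visibility (not determinable from this hunk), the flag tells every viewer of the incident that linked alerts exist. Consider gating it, e.g. `hasLinkedAlerts: can?(current_user, :read_alert_management_alert, issue.project) && issue.alert_management_alerts.any?`, assuming that is the ability guarding alert reads. The new helper would also benefit from a one-line comment stating that it returns `{}` for non-incident issues. The hash at the top of the hunk belongs to a method that starts outside it.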
diff --git a/app/models/repository.rb b/app/models/repository.rb
index cedfed16b20..228ebf1d665 100644
--- a/app/models/repository.rb
+++ b/app/models/repository.rb
@@ -603,10 +603,16 @@ class Repository
cache_method_asymmetrically :has_visible_content?
def avatar
- # n+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/38327
- Gitlab::GitalyClient.allow_n_plus_1_calls do
- if tree = file_on_head(:avatar)
- tree.path
+ if Feature.enabled?(:readme_from_gitaly)
+ Gitlab::GitalyClient.allow_n_plus_1_calls do
+ avatar_path_gitaly
+ end
+ else
+ # n+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/38327
+ Gitlab::GitalyClient.allow_n_plus_1_calls do
+ if tree = file_on_head(:avatar)
+ tree.path
+ end
end
end
end
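Review bot: The new branch of `avatar` is gated on `Feature.enabled?(:readme_from_gitaly)`, a flag named for README lookup, so toggling the README rollout also changes how avatars are resolved. Either introduce a dedicated flag or document the coupling on the conditional, e.g. `# Avatar lookup intentionally shares the readme_from_gitaly rollout flag`. The Gitaly branch also calls `allow_n_plus_1_calls` without the issue reference the old branch keeps. If the same N+1 still applies, `# n+1: https://gitlab.com/gitlab-org/gitlab-foss/issues/38327` should sit above both branches.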
@@ -1247,19 +1253,31 @@ class Repository
end
def readme_path_gitaly
- return if empty? || root_ref.nil?
-
# (?i) to enable case-insensitive mode
#
# Note: `Gitlab::FileDetector::PATTERNS[:readme]#to_s` won't work because of
# incompatibility of regex engines between Rails and Gitaly.
- regex = "(?i)#{Gitlab::FileDetector::PATTERNS[:readme].source}"
+ pattern = "(?i)#{Gitlab::FileDetector::PATTERNS[:readme].source}"
- readmes = search_files_by_regexp(regex, root_ref)
+ readmes = fetch_file_paths_from_gitaly(pattern)
choose_readme_to_display(readmes)
end
+ def avatar_path_gitaly
+ # Note: `Gitlab::FileDetector::PATTERNS[:avatar]#to_s` won't work because of
+ # incompatibility of regex engines between Rails and Gitaly.
+ pattern = Gitlab::FileDetector::PATTERNS[:avatar].source
+
+ fetch_file_paths_from_gitaly(pattern, limit: 1).first
+ end
+
+ def fetch_file_paths_from_gitaly(pattern, limit: 0)
+ return [] if empty? || root_ref.nil?
+
+ search_files_by_regexp(pattern, root_ref, limit: limit)
+ end
+
# Extracted from Tree#readme_path
def choose_readme_to_display(readmes)
previewable_readme = readmes.find { |name| Gitlab::MarkupHelper.previewable?(name) }
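Review bot: `fetch_file_paths_from_gitaly(pattern, limit: 0)` defaults `limit` to `0` without saying what that value means. The call sites suggest "no limit", but that is defined by `search_files_by_regexp`, which is outside this hunk; a comment such as `# limit: 0 asks Gitaly for all matches` (once confirmed) would remove the guesswork. In `avatar_path_gitaly`, `PATTERNS[:avatar].source` drops any Regexp options, whereas `readme_path_gitaly` re-adds case-insensitivity by hand with `(?i)`. If the avatar pattern carries flags, the Gitaly search will not match what the Ruby-side detector matches, so a spec comparing both paths is worth adding. `choose_readme_to_display` continues past the end of the hunk.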
diff --git a/app/views/import/github/new.html.haml b/app/views/import/github/new.html.haml
index 7d0a46f3630..5293013b813 100644
--- a/app/views/import/github/new.html.haml
+++ b/app/views/import/github/new.html.haml
@@ -10,8 +10,9 @@
= import_github_authorize_message
- if github_import_configured? && !has_ci_cd_only_params?
- = link_to status_import_github_path(namespace_id: params[:namespace_id]), class: 'gl-button btn btn-confirm' do
- = sprite_icon('github', css_class: 'gl-mr-2')
+ = render Pajamas::ButtonComponent.new(variant: :confirm,
+ href: status_import_github_path(namespace_id: params[:namespace_id]),
+ icon: 'github') do
= title
%hr
@@ -31,5 +32,9 @@
= render_if_exists 'import/github/ci_cd_only'
.form-actions.gl-display-flex.gl-justify-content-end
- = link_to _('Cancel'), new_project_path, class: 'gl-button btn btn-default'
- = submit_tag _('Authenticate'), class: 'gl-button btn btn-confirm gl-ml-3', data: { qa_selector: 'authenticate_button' }
+ = render Pajamas::ButtonComponent.new(href: new_project_path) do
+ = _('Cancel')
+ = render Pajamas::ButtonComponent.new(variant: :confirm,
+ type: :submit,
+ button_options: { class: 'gl-ml-3', data: { qa_selector: 'authenticate_button' } }) do
+ = _('Authenticate')
diff --git a/config/routes/issues.rb b/config/routes/issues.rb
index cc4399693ed..25e59022272 100644
--- a/config/routes/issues.rb
+++ b/config/routes/issues.rb
@@ -21,6 +21,12 @@ resources :issues, concerns: :awardable, constraints: { id: /\d+/ } do
post :bulk_update
post :import_csv
post :export_csv
+
+ scope :incident do
+ get '/:id',
+ to: 'incidents#show',
+ as: :incident
+ end
end
resources :issue_links, only: [:index, :create, :destroy], as: 'links', path: 'links'
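Review bot: The added `get '/:id', to: 'incidents#show', as: :incident` declares no constraint of its own and appears to rely on inheriting `id: /\d+/` from the enclosing `resources :issues`. The route it replaces in `config/routes/project.rb` had no such constraint either, so the accepted `:id` values may have changed in one direction or the other. Make the intent explicit with `get '/:id', to: 'incidents#show', as: :incident, constraints: { id: /\d+/ }`, or add a routing spec asserting that a non-numeric id is not routed to `incidents#show`. The enclosing block opens outside the hunk.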
diff --git a/config/routes/project.rb b/config/routes/project.rb
index 798829484da..eb7950694aa 100644
--- a/config/routes/project.rb
+++ b/config/routes/project.rb
@@ -375,8 +375,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
end
end
- get 'issues/incident/:id' => 'incidents#show', as: :issues_incident
-
namespace :error_tracking do
resources :projects, only: :index
end
diff --git a/db/fixtures/development/33_triage_ops.rb b/db/fixtures/development/33_triage_ops.rb
index f2266e49efc..080e985fc5f 100644
--- a/db/fixtures/development/33_triage_ops.rb
+++ b/db/fixtures/development/33_triage_ops.rb
@@ -73,6 +73,8 @@ class Gitlab::Seeder::TriageOps
pipeline:run-single-db
pipeline:skip-undercoverage
pipeline:update-cache
+ documentation
+ Community contribution
LABELS
def seed!
diff --git a/doc/administration/auth/cognito.md b/doc/administration/auth/cognito.md
index bb06d5d1a58..d12797b5359 100644
--- a/doc/administration/auth/cognito.md
+++ b/doc/administration/auth/cognito.md
@@ -33,7 +33,7 @@ To enable AWS Cognito as an authentication provider, complete the following step
- **Enabled Identity Providers** - select all
- **Callback URL** - `https://<your_gitlab_instance_url>/users/auth/cognito/callback`
- **Allowed OAuth Flows** - Authorization code grant
- - **Allowed OAuth2 Scopes** - `email`, `openid`, and `profile`
+ - **Allowed OAuth 2.0 Scopes** - `email`, `openid`, and `profile`
1. Save changes for the app client settings.
1. Under **Domain name**, include the AWS domain name for your AWS Cognito application.
diff --git a/doc/administration/gitaly/reference.md b/doc/administration/gitaly/reference.md
index cec18960dfd..1516b82a906 100644
--- a/doc/administration/gitaly/reference.md
+++ b/doc/administration/gitaly/reference.md
@@ -26,7 +26,7 @@ At the top level, `config.toml` defines the items described on the table below.
| `socket_path` | string | yes (if `listen_addr` is not set) | A path which Gitaly should open a Unix socket. |
| `listen_addr` | string | yes (if `socket_path` is not set) | TCP address for Gitaly to listen on. |
| `tls_listen_addr` | string | no | TCP over TLS address for Gitaly to listen on. |
-| `bin_dir` | string | yes | Directory containing Gitaly's executables. |
+| `bin_dir` | string | yes | Directory containing Gitaly executables. |
| `prometheus_listen_addr` | string | no | TCP listen address for Prometheus metrics. If not set, no Prometheus listener is started. |
For example:
@@ -100,7 +100,7 @@ by GitLab with names, such as `default`.
These names and paths are also defined in the `gitlab.yml` configuration file of
GitLab. When you run Gitaly on the same machine as GitLab (the default
-and recommended configuration) storage paths defined in Gitaly's `config.toml`
+and recommended configuration) storage paths defined in the Gitaly `config.toml`
must match those in `gitlab.yml`.
| Name | Type | Required | Description |
@@ -146,7 +146,7 @@ The default limit is 100 `cat-file`s, which constitute a pair of
you are seeing errors complaining about "too many open files", or an
inability to create new processes, you may want to lower this limit.
-Ideally, the number should be large enough to handle normal
+Ideally, the number should be large enough to handle standard
traffic. If you raise the limit, you should measure the cache hit ratio
before and after. If the hit ratio does not improve, the higher limit is
probably not making a meaningful difference. Here is an example
diff --git a/doc/administration/monitoring/prometheus/web_exporter.md b/doc/administration/monitoring/prometheus/web_exporter.md
index 5539526c501..0212091f14c 100644
--- a/doc/administration/monitoring/prometheus/web_exporter.md
+++ b/doc/administration/monitoring/prometheus/web_exporter.md
@@ -22,7 +22,7 @@ We provide two mechanisms by which web application metrics can be exported:
makes metric data available via its own `/-/metrics` endpoint. This is the default,
and is described in [GitLab Metrics](index.md#gitlab-metrics). We recommend this
default for small GitLab installations where the amount of metrics collected is small.
-- Through a dedicated metrics server. Enabling this server will cause Puma to launch an
+- Through a dedicated metrics server. Enabling this server causes Puma to launch an
additional process whose sole responsibility is to serve metrics. This approach leads
to better fault isolation and performance for very large GitLab installations, but
comes with additional memory use. We recommend this approach for medium to large
@@ -69,5 +69,5 @@ To serve metrics via HTTPS instead of HTTP, enable TLS in the exporter settings:
1. Save the file and [reconfigure GitLab](../../restart_gitlab.md#omnibus-gitlab-reconfigure)
for the changes to take effect.
-When TLS is enabled, the same `port` and `address` will be used as described above.
+When TLS is enabled, the same `port` and `address` is used as described above.
The metrics server cannot serve both HTTP and HTTPS at the same time.
diff --git a/doc/api/groups.md b/doc/api/groups.md
index dd3f8baf338..c39b8584e93 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -1201,7 +1201,8 @@ GET /groups?search=foobar
> Introduced in GitLab 14.8.
-Get a list of users provisioned by a given group. Does not include users provisioned by subgroups.
+Get a list of users provisioned by a given group. Does not include subgroups.
+Users in this list are considered [enterprise users](../user/enterprise_user/index.md).
Requires at least the Maintainer role on the group.
diff --git a/doc/api/members.md b/doc/api/members.md
index 2da84866b92..4032ab1d651 100644
--- a/doc/api/members.md
+++ b/doc/api/members.md
@@ -29,8 +29,7 @@ In GitLab 14.8 and earlier, projects in personal namespaces have an `access_leve
The `group_saml_identity` attribute is only visible to a group owner for [SSO enabled groups](../user/group/saml_sso/index.md).
-The `email` attribute is only visible to group owners when the user was provisioned by the group.
-Users are provisioned by the group when the account was created via [SCIM](../user/group/saml_sso/scim_setup.md) or by first sign-in with [SAML SSO for GitLab.com groups](../user/group/saml_sso/index.md).
+The `email` attribute is only visible to group Owners for any [enterprise user](../user/enterprise_user/index.md).
## List all members of a group or project
diff --git a/doc/architecture/blueprints/ci_data_decay/pipeline_partitioning.md b/doc/architecture/blueprints/ci_data_decay/pipeline_partitioning.md
index 261390d1d14..e7e031fb82a 100644
--- a/doc/architecture/blueprints/ci_data_decay/pipeline_partitioning.md
+++ b/doc/architecture/blueprints/ci_data_decay/pipeline_partitioning.md
@@ -796,18 +796,16 @@ strategy here to share knowledge and solicit feedback from other team members.
## Who
-Authors:
+DRIs:
<!-- vale gitlab.Spelling = NO -->
-| Role | Who |
-|--------|----------------|
-| Author | Grzegorz Bizon |
-
-Recommenders:
-
-| Role | Who |
-|-------------------------------|-----------------|
-| Senior Distingiushed Engineer | Kamil Trzciński |
+| Role | Who |
+|---------------------|------------------------------------------------|
+| Author | Grzegorz Bizon, Principal Engineer |
+| Recommender | Kamil Trzciński, Senior Distingiushed Engineer |
+| Product Manager | James Heimbuck, Senior Product Manager |
+| Engineering Manager | Scott Hampton, Engineering Manager |
+| Lead Engineer | Marius Bobin, Senior Backend Engineer |
<!-- vale gitlab.Spelling = YES -->
diff --git a/doc/ci/git_submodules.md b/doc/ci/git_submodules.md
index 0f206b3fceb..07ba3d8f916 100644
--- a/doc/ci/git_submodules.md
+++ b/doc/ci/git_submodules.md
@@ -67,7 +67,7 @@ To make submodules work correctly in CI/CD jobs:
GIT_SUBMODULE_DEPTH: 1
```
-1. You can filter or exclude specific submodules to control which submodules will be synced using
+1. You can filter or exclude specific submodules to control which submodules are synchronized using
[`GIT_SUBMODULE_PATHS`](runners/configure_runners.md#sync-or-exclude-specific-submodules-from-ci-jobs).
```yaml
diff --git a/doc/ci/migration/jenkins.md b/doc/ci/migration/jenkins.md
index 63e9993be90..71deaadf9ec 100644
--- a/doc/ci/migration/jenkins.md
+++ b/doc/ci/migration/jenkins.md
@@ -99,7 +99,7 @@ Some high level differences between the products worth mentioning are:
feature.
- The [`parallel`](../yaml/index.md#parallel) keyword can automatically parallelize tasks,
like tests that support parallelization.
-- Normally all jobs in a single stage run in parallel, and all stages run in sequence.
+- Usually all jobs in a single stage run in parallel, and all stages run in sequence.
Different [pipeline architectures](../pipelines/pipeline_architectures.md) allow you to change this behavior.
- The new [`rules` syntax](../yaml/index.md#rules) is the recommended method of
controlling when different jobs run. It is more powerful than the `only/except` syntax.
diff --git a/doc/ci/troubleshooting.md b/doc/ci/troubleshooting.md
index 6783ab1bfed..17ce184ee28 100644
--- a/doc/ci/troubleshooting.md
+++ b/doc/ci/troubleshooting.md
@@ -324,6 +324,13 @@ On a self-managed instance, you can [increase the size limits](../administration
A [loop of included configuration files](pipeline_editor/index.md#configuration-validation-currently-not-available-message)
can cause a `500` error when editing the `.gitlab-ci.yml` file with the [web editor](../user/project/repository/web_editor.md).
+### A CI/CD job does not use newer configuration when run again
+
+The configuration for a pipeline is only fetched when the pipeline is created.
+When you rerun a job, uses the same configuration each time. If you update configuration files,
+including separate files added with [`include`](yaml/index.md#include), you must
+start a new pipeline to use the new configuration.
+
## Pipeline warnings
Pipeline configuration warnings are shown when you:
diff --git a/doc/user/enterprise_user/index.md b/doc/user/enterprise_user/index.md
new file mode 100644
index 00000000000..d8305f0288b
--- /dev/null
+++ b/doc/user/enterprise_user/index.md
@@ -0,0 +1,71 @@
+---
+stage: Manage
+group: Authentication and Authorization
+info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
+type: reference
+---
+
+# Enterprise users **(PREMIUM SAAS)**
+
+Enterprise users have user accounts that are administered by an organization that
+has purchased a [GitLab subscription](../../subscriptions/index.md).
+
+Enterprise users are identified by the [**Enterprise** badge](../project/badges.md)
+next to their names on the [Members list](../group/manage.md#filter-and-sort-members-in-a-group).
+
+## Provision an enterprise user
+
+A user account is considered an enterprise account when:
+
+- A user without an existing GitLab user account uses the group's
+ [SAML SSO](../group/saml_sso/index.md) to sign in for the first time.
+- [SCIM](../group/saml_sso/scim_setup.md) creates the user account on behalf of
+ the group.
+
+A user can also [manually connect an identity provider (IdP) to a GitLab account whose email address matches the subscribing organization's domain](../group/saml_sso/index.md#linking-saml-to-your-existing-gitlabcom-account).
+By selecting **Authorize** when connecting these two accounts, the user account
+with the matching email address is classified as an enterprise user. However, this
+user account does not have an **Enterprise** badge in GitLab.
+
+Although a user can be a member of more than one group, each user account can be
+provisioned by only one group. As a result, a user is considered an enterprise
+user under one top-level group only.
+
+## Manage enterprise users in a namespace
+
+A top-level Owner of a namespace on a paid plan can retrieve information about and
+manage enterprise user accounts in that namespace.
+
+These enterprise user-specific actions are in addition to the standard
+[group member permissions](../permissions.md#group-members-permissions).
+
+### Disable two-factor authentication
+
+> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/9484) in GitLab 15.8.
+
+Top-level group Owners can disable two-factor authentication (2FA) for enterprise users.
+
+To disable 2FA:
+
+1. On the top bar, select **Main menu > Groups** and find your group.
+1. On the left sidebar, select **Group information > Members**.
+1. Find a user with the **Enterprise** and **2FA** badges.
+1. Select **More actions** (**{ellipsis_v}**) and select **Disable two-factor authentication**.
+
+### Prevent users from creating groups and projects outside the corporate group
+
+A SAML IdP administrator or a top-level group Owner can use a SAML response to set:
+
+- Whether users can create groups.
+- The maximum number of personal projects users can create.
+
+For more information, see the [supported user attributes for SAML responses](../group/saml_sso/index.md#supported-user-attributes).
+
+### Bypass email confirmation for provisioned users
+
+A top-level group Owner can [set up verified domains to bypass confirmation emails](../group/saml_sso/index.md#bypass-user-email-confirmation-with-verified-domains).
+
+### Get users' email addresses through the API
+
+A top-level group Owner can use the [group and project members API](../../api/members.md)
+to access users' information, including email addresses.
diff --git a/doc/user/group/manage.md b/doc/user/group/manage.md
index a755447c47c..aec2932a9e4 100644
--- a/doc/user/group/manage.md
+++ b/doc/user/group/manage.md
@@ -131,7 +131,7 @@ Filter a group to find members. By default, all members in the group and subgrou
In lists of group members, entries can display the following badges:
- **SAML**, to indicate the member has a [SAML account](saml_sso/index.md) connected to them.
-- **Enterprise**, to indicate that [SCIM created the account](saml_sso/scim_setup.md).
+- **Enterprise**, to indicate that the member is an [enterprise user](../enterprise_user/index.md).
1. On the top bar, select **Main menu > Groups** and find your group.
1. Above the list of members, in the **Filter members** box, enter filter criteria.
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index fcb02e76095..35695c14f1a 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -333,7 +333,7 @@ To migrate users to a new email domain, users must:
## User access and management
> - SAML user provisioning [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/268142) in GitLab 13.7.
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an **Enterprise** badge in the **Members** view.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an ][**Enterprise**](../../enterprise_user/index.md) badge in the **Members** view.
After group SSO is configured and enabled, users can access the GitLab.com group through the identity provider's dashboard.
If [SCIM](scim_setup.md) is configured, see [user access](scim_setup.md#user-access) on the SCIM page.
@@ -431,7 +431,7 @@ convert the information to XML. An example SAML response is shown here.
By default, users provisioned with SAML or SCIM are sent a verification email to verify their identity. Instead, you can
[configure GitLab with a custom domain](../../project/pages/custom_domains_ssl_tls_certification/index.md) and GitLab
-automatically confirms user accounts. Users still receive an enterprise user welcome email. Confirmation is bypassed for
+automatically confirms user accounts. Users still receive an [enterprise user](../../enterprise_user/index.md) welcome email. Confirmation is bypassed for
users:
- That are provisioned with SAML or SCIM.
diff --git a/doc/user/group/saml_sso/scim_setup.md b/doc/user/group/saml_sso/scim_setup.md
index 8c30c246566..79fc1ab310a 100644
--- a/doc/user/group/saml_sso/scim_setup.md
+++ b/doc/user/group/saml_sso/scim_setup.md
@@ -170,7 +170,7 @@ encounter issues.
## User access
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an **Enterprise** badge in the **Members** view.
+> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/325712) in GitLab 14.0, GitLab users created by [SAML SSO](index.md#user-access-and-management) or SCIM provisioning are displayed with an [**Enterprise**](../../enterprise_user/index.md) badge in the **Members** view.
During the synchronization process, all new users:
diff --git a/doc/user/group/saml_sso/troubleshooting.md b/doc/user/group/saml_sso/troubleshooting.md
index f24fa4c5bac..0151ae52bb6 100644
--- a/doc/user/group/saml_sso/troubleshooting.md
+++ b/doc/user/group/saml_sso/troubleshooting.md
@@ -58,6 +58,16 @@ You can use one of the following to troubleshoot SAML:
For convenience, we've included some [example resources](../../../user/group/saml_sso/example_saml_config.md) used by our Support Team. While they may help you verify the SAML app configuration, they are not guaranteed to reflect the current state of third-party products.
+### Calculate the fingerprint
+
+If you use a `idp_cert_fingerprint`, it must be a SHA1 fingerprint. To calculate a SHA1 fingerprint, download the certificate file and run:
+
+```shell
+openssl x509 -in <filename.crt> -noout -fingerprint -sha1
+```
+
+Replace `filename.crt` with the name of the certificate file.
+
## Searching Rails log for a SAML response **(FREE SELF)**
You can find the base64-encoded SAML Response in the [`production_json.log`](../../../administration/logs/index.md#production_jsonlog).
@@ -122,13 +132,17 @@ must be validated using either a fingerprint, a certificate, or a validator.
For this requirement, be sure to take the following into account:
-- If a fingerprint is used, it must be the SHA1 fingerprint
+- If you use a fingerprint, it must be the correct SHA1 fingerprint. To confirm that you are using
+ the correct SHA1 fingerprint:
+ 1. Re-download the certificate file.
+ 1. [Calculate the fingerprint](#calculate-the-fingerprint).
+ 1. Compare the fingerprint to the value provided in `idp_cert_fingerprint`. The values should be the same.
- If no certificate is provided in the settings, a fingerprint or fingerprint
validator needs to be provided and the response from the server must contain
- a certificate (`<ds:KeyInfo><ds:X509Data><ds:X509Certificate>`)
+ a certificate (`<ds:KeyInfo><ds:X509Data><ds:X509Certificate>`).
- If a certificate is provided in the settings, it is no longer necessary for
the request to contain one. In this case the fingerprint or fingerprint
- validators are optional
+ validators are optional.
If none of the above described scenarios is valid, the request
fails with one of the mentioned errors.
diff --git a/lib/gitlab/database.rb b/lib/gitlab/database.rb
index e750edc393f..b9173c96928 100644
--- a/lib/gitlab/database.rb
+++ b/lib/gitlab/database.rb
@@ -34,10 +34,8 @@ module Gitlab
# https://gitlab.com/gitlab-org/gitlab-foss/issues/61974
MAX_TEXT_SIZE_LIMIT = 1_000_000
- # Minimum schema version from which migrations are supported
# Migrations before this version may have been removed
- MIN_SCHEMA_VERSION = 20190506135400
- MIN_SCHEMA_GITLAB_VERSION = '11.11.0'
+ MIN_SCHEMA_GITLAB_VERSION = '15.0'
# Schema we store dynamically managed partitions in (e.g. for time partitioning)
DYNAMIC_PARTITIONS_SCHEMA = :gitlab_partitions_dynamic
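Review bot: The comment left above `MIN_SCHEMA_GITLAB_VERSION = '15.0'` now reads only `# Migrations before this version may have been removed`, and with `MIN_SCHEMA_VERSION` gone "this version" has no referent. Reword it to describe the constant that remains, e.g. `# GitLab release to upgrade to first when the schema predates the earliest file in db/migrate; older migrations may have been removed.`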
@@ -304,6 +302,14 @@ module Gitlab
!read_only?
end
+ # Determines minimum viable migration version, determined by the timestamp
+ # of the earliest migration file.
+ def self.read_minimum_migration_version
+ Dir.open(
+ Rails.root.join('db/migrate')
+ ).filter_map { |f| /\A\d{14}/.match(f)&.to_s }.map(&:to_i).min
+ end
+
# Monkeypatch rails with upgraded database observability
def self.install_transaction_metrics_patches!
ActiveRecord::Base.prepend(ActiveRecordBaseTransactionMetrics)
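Review bot: `read_minimum_migration_version` calls `Dir.open(...)` without a block and never closes the handle, so the directory descriptor stays open until the object is garbage-collected. `Dir.children` avoids the handle entirely: `Dir.children(Rails.root.join('db/migrate')).filter_map { |f| f[/\A\d{14}/]&.to_i }.min`. The doc comment should also say that the method returns `nil` when no timestamped file is found, since the rake task depends on that.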
diff --git a/lib/tasks/migrate/schema_check.rake b/lib/tasks/migrate/schema_check.rake
index 76f1f23c7bd..e15304afcff 100644
--- a/lib/tasks/migrate/schema_check.rake
+++ b/lib/tasks/migrate/schema_check.rake
@@ -6,10 +6,14 @@ task schema_version_check: :environment do
schema_version = ActiveRecord::Migrator.current_version
+ minimum_migration_version = Gitlab::Database.read_minimum_migration_version
+
+ raise 'Unable to find any migration files in db/migrate.' if minimum_migration_version.nil?
+
# Ensure migrations are being run from a supported schema version
# A schema verison of 0 is a fresh db, and should be safe to run migrations
# But a database with existing migrations less than our min version is not
- if schema_version > 0 && schema_version < Gitlab::Database::MIN_SCHEMA_VERSION
+ if schema_version > 0 && schema_version < minimum_migration_version
raise "Your current database version is too old to be migrated. " \
"You should upgrade to GitLab #{Gitlab::Database::MIN_SCHEMA_GITLAB_VERSION} before moving to this version. " \
"Please see https://docs.gitlab.com/ee/policy/maintenance.html#upgrade-recommendations"
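Review bot: The "too old" error raised when `schema_version < minimum_migration_version` reports neither number, so an operator cannot tell from the message how far behind the database is or which floor was computed from db/migrate. Adding one line to the message covers it, e.g. `"Current schema version: #{schema_version}, earliest available migration: #{minimum_migration_version}. " \`. The context comment above the condition also carries a typo (`verison`). The task body continues past this hunk.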
diff --git a/qa/qa/service/cluster_provider/gcloud.rb b/qa/qa/service/cluster_provider/gcloud.rb
index 14c13eecb8d..f00d802007e 100644
--- a/qa/qa/service/cluster_provider/gcloud.rb
+++ b/qa/qa/service/cluster_provider/gcloud.rb
@@ -55,7 +55,7 @@ module QA
shell <<~CMD.tr("\n", ' ')
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 &&
chmod 700 get_helm.sh &&
- ./get_helm.sh
+ DESIRED_VERSION=3.7.0 ./get_helm.sh
CMD
end
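Review bot: `DESIRED_VERSION=3.7.0` pins the Helm release, but the installer script is still fetched from the mutable `main` branch and executed, so the code that runs on the QA host can change without any change in this file. Fetching it from a fixed ref (`.../helm/helm/<pinned-tag-or-commit>/scripts/get-helm-3`) and comparing its digest against a recorded value before the `chmod` and execute steps would close that gap. Separately, Helm release tags are `v`-prefixed and the script appears to add the prefix only for its `--version` flag, so it is worth confirming that the bare `3.7.0` value resolves to a download. The enclosing method starts outside this hunk.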
diff --git a/spec/features/abuse_report_spec.rb b/spec/features/abuse_report_spec.rb
index 31b86244dd1..1267025a7bf 100644
--- a/spec/features/abuse_report_spec.rb
+++ b/spec/features/abuse_report_spec.rb
@@ -56,7 +56,7 @@ RSpec.describe 'Abuse reports', :js, feature_category: :insider_threat do
let_it_be(:incident) { create(:incident, project: project, author: abusive_user) }
before do
- visit project_issues_incident_path(project, incident)
+ visit incident_project_issues_path(project, incident)
click_button 'Incident actions'
end
diff --git a/spec/features/incidents/incident_details_spec.rb b/spec/features/incidents/incident_details_spec.rb
index e1167285464..34f8dadcf11 100644
--- a/spec/features/incidents/incident_details_spec.rb
+++ b/spec/features/incidents/incident_details_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe 'Incident details', :js, feature_category: :incident_management d
context 'when a developer+ displays the incident' do
before do
- visit project_issues_incident_path(project, incident)
+ visit incident_project_issues_path(project, incident)
wait_for_requests
end
@@ -108,7 +108,7 @@ RSpec.describe 'Incident details', :js, feature_category: :incident_management d
end
it 'routes the user to the issue details page when the `issue_type` is set to issue' do
- visit project_issues_incident_path(project, incident)
+ visit incident_project_issues_path(project, incident)
wait_for_requests
project_path = "/#{project.full_path}"
diff --git a/spec/features/incidents/incident_timeline_events_spec.rb b/spec/features/incidents/incident_timeline_events_spec.rb
index 80b46078389..45518671c57 100644
--- a/spec/features/incidents/incident_timeline_events_spec.rb
+++ b/spec/features/incidents/incident_timeline_events_spec.rb
@@ -14,7 +14,7 @@ RSpec.describe 'Incident timeline events', :js, feature_category: :incident_mana
before do
sign_in(developer)
- visit project_issues_incident_path(project, incident)
+ visit incident_project_issues_path(project, incident)
wait_for_requests
click_link s_('Incident|Timeline')
end
diff --git a/spec/features/incidents/user_views_incident_spec.rb b/spec/features/incidents/user_views_incident_spec.rb
index 49041d187dd..0265960fce7 100644
--- a/spec/features/incidents/user_views_incident_spec.rb
+++ b/spec/features/incidents/user_views_incident_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe "User views incident", feature_category: :incident_management do
before do
sign_in(user)
- visit(project_issues_incident_path(project, incident))
+ visit(incident_project_issues_path(project, incident))
end
specify do
@@ -75,7 +75,7 @@ RSpec.describe "User views incident", feature_category: :incident_management do
describe 'user status' do
context 'when showing status of the author of the incident' do
- subject { visit(project_issues_incident_path(project, incident)) }
+ subject { visit(incident_project_issues_path(project, incident)) }
it_behaves_like 'showing user status' do
let(:user_with_status) { user }
diff --git a/spec/features/issues/incident_issue_spec.rb b/spec/features/issues/incident_issue_spec.rb
index 2fba1ca9141..41bbd79202f 100644
--- a/spec/features/issues/incident_issue_spec.rb
+++ b/spec/features/issues/incident_issue_spec.rb
@@ -29,7 +29,7 @@ RSpec.describe 'Incident Detail', :js, feature_category: :team_planning do
project.add_developer(user)
sign_in(user)
- visit project_issues_incident_path(project, incident)
+ visit incident_project_issues_path(project, incident)
wait_for_requests
end
diff --git a/spec/features/issues/issue_detail_spec.rb b/spec/features/issues/issue_detail_spec.rb
index 44e9bbad1ba..5af761ad7a4 100644
--- a/spec/features/issues/issue_detail_spec.rb
+++ b/spec/features/issues/issue_detail_spec.rb
@@ -130,7 +130,7 @@ RSpec.describe 'Issue Detail', :js, feature_category: :team_planning do
page.within('[data-testid="issuable-form"]') do
update_type_select('Issue', 'Incident')
- expect(page).to have_current_path(project_issues_incident_path(project, issue))
+ expect(page).to have_current_path(incident_project_issues_path(project, issue))
end
end
end
diff --git a/spec/helpers/issuables_helper_spec.rb b/spec/helpers/issuables_helper_spec.rb
index f2e3e401766..467c8d96cfb 100644
--- a/spec/helpers/issuables_helper_spec.rb
+++ b/spec/helpers/issuables_helper_spec.rb
@@ -2,7 +2,7 @@
require 'spec_helper'
-RSpec.describe IssuablesHelper do
+RSpec.describe IssuablesHelper, feature_category: :team_planning do
let(:label) { build_stubbed(:label) }
let(:label2) { build_stubbed(:label) }
@@ -387,6 +387,32 @@ RSpec.describe IssuablesHelper do
expect(helper.issuable_initial_data(issue)).to match(hash_including(expected_data))
end
+ context 'for incident tab' do
+ let(:incident) { create(:incident) }
+ let(:params) do
+ ActionController::Parameters.new({
+ controller: "projects/incidents",
+ action: "show",
+ namespace_id: "foo",
+ project_id: "bar",
+ id: incident.iid
+ }).permit!
+ end
+
+ it 'includes incident attributes' do
+ @project = incident.project
+ allow(helper).to receive(:safe_params).and_return(params)
+
+ expected_data = {
+ issueType: 'incident',
+ hasLinkedAlerts: false,
+ canUpdateTimelineEvent: true
+ }
+
+ expect(helper.issuable_initial_data(incident)).to match(hash_including(expected_data))
+ end
+ end
+
describe '#sentryIssueIdentifier' do
let(:issue) { create(:issue, author: user) }
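Review bot: The new 'includes incident attributes' example asserts `canUpdateTimelineEvent: true` only, so a helper that always emitted `true` would pass. The user and permission setup sit outside this hunk, so the negative case may already be covered elsewhere. If it is not, a second example with a user lacking the permission and expecting `canUpdateTimelineEvent: false` would pin the authorization-dependent value. The `namespace_id: "foo"` and `project_id: "bar"` params do not correspond to `incident.project`; a short comment such as `# route params are placeholders; only controller/action are assumed to matter here` would say so if that is intended.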
diff --git a/spec/lib/gitlab/database_spec.rb b/spec/lib/gitlab/database_spec.rb
index 86bc8e71fd7..6423c93d1dc 100644
--- a/spec/lib/gitlab/database_spec.rb
+++ b/spec/lib/gitlab/database_spec.rb
@@ -516,4 +516,33 @@ RSpec.describe Gitlab::Database do
end
end
end
+
+ describe '.read_minimum_migration_version' do
+ before do
+ allow(Dir).to receive(:open).with(Rails.root.join('db/migrate')).and_return(migration_files)
+ end
+
+ context 'valid migration files exist' do
+ let(:migration_files) do
+ [
+ '20211004170422_init_schema.rb',
+ '20211005182304_add_users.rb'
+ ]
+ end
+
+ let(:valid_schema) { 20211004170422 }
+
+ it 'finds the correct ID' do
+ expect(described_class.read_minimum_migration_version).to eq valid_schema
+ end
+ end
+
+ context 'no valid migration files exist' do
+ let(:migration_files) { ['readme.txt', 'INSTALL'] }
+
+ it 'returns nil' do
+ expect(described_class.read_minimum_migration_version).to be_nil
+ end
+ end
+ end
end
diff --git a/spec/models/repository_spec.rb b/spec/models/repository_spec.rb
index a3d2f9a09fb..b7dcf9919c7 100644
--- a/spec/models/repository_spec.rb
+++ b/spec/models/repository_spec.rb
@@ -2572,28 +2572,52 @@ RSpec.describe Repository, feature_category: :source_code_management do
describe '#avatar' do
let(:project) { create(:project, :repository) }
- it 'returns nil if repo does not exist' do
- allow(repository).to receive(:root_ref).and_raise(Gitlab::Git::Repository::NoRepository)
+ it 'returns nil if repo is empty' do
+ allow(repository).to receive(:empty).and_return(true)
expect(repository.avatar).to be_nil
end
it 'returns the first avatar file found in the repository' do
- expect(repository).to receive(:file_on_head)
- .with(:avatar)
- .and_return(double(:tree, path: 'logo.png'))
+ expect(repository).to receive(:search_files_by_regexp).and_return(['logo.png'])
expect(repository.avatar).to eq('logo.png')
end
it 'caches the output' do
- expect(repository).to receive(:file_on_head)
- .with(:avatar)
- .once
- .and_return(double(:tree, path: 'logo.png'))
+ expect(repository).to receive(:search_files_by_regexp).once.and_return(['logo.png'])
2.times { expect(repository.avatar).to eq('logo.png') }
end
+
+ context 'when feature flag readme_from_gitaly is disabled' do
+ before do
+ stub_feature_flags(readme_from_gitaly: false)
+ end
+
+ it 'returns nil if repo does not exist' do
+ allow(repository).to receive(:root_ref).and_raise(Gitlab::Git::Repository::NoRepository)
+
+ expect(repository.avatar).to be_nil
+ end
+
+ it 'returns the first avatar file found in the repository' do
+ expect(repository).to receive(:file_on_head)
+ .with(:avatar)
+ .and_return(double(:tree, path: 'logo.png'))
+
+ expect(repository.avatar).to eq('logo.png')
+ end
+
+ it 'caches the output' do
+ expect(repository).to receive(:file_on_head)
+ .with(:avatar)
+ .once
+ .and_return(double(:tree, path: 'logo.png'))
+
+ 2.times { expect(repository.avatar).to eq('logo.png') }
+ end
+ end
end
describe '#expire_exists_cache' do
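Review bot: In 'returns nil if repo is empty' the stub is `allow(repository).to receive(:empty).and_return(true)`, without the trailing `?`. If `Repository#avatar` checks `empty?` (the model change is not in this chunk), the stub is never exercised and the example passes only because the fixture repository happens to yield no avatar. I would expect `allow(repository).to receive(:empty?).and_return(true)`. The two other new examples stub `search_files_by_regexp` without `.with(...)`, so they do not pin the pattern or ref the avatar lookup passes.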
diff --git a/spec/tasks/migrate/schema_check_rake_spec.rb b/spec/tasks/migrate/schema_check_rake_spec.rb
index 1b60b63ad84..ede55f23ba8 100644
--- a/spec/tasks/migrate/schema_check_rake_spec.rb
+++ b/spec/tasks/migrate/schema_check_rake_spec.rb
@@ -5,6 +5,7 @@ require 'rake'
RSpec.describe 'schema_version_check rake task', :silence_stdout do
include StubENV
+ let(:valid_schema_version) { 20211004170422 }
before :all do
Rake.application.rake_require 'active_record/railties/databases'
@@ -15,8 +16,8 @@ RSpec.describe 'schema_version_check rake task', :silence_stdout do
end
before do
- allow(ActiveRecord::Migrator).to receive(:current_version).and_return(Gitlab::Database::MIN_SCHEMA_VERSION)
-
+ allow(ActiveRecord::Migrator).to receive(:current_version).and_return(valid_schema_version)
+ allow(Gitlab::Database).to receive(:read_minimum_migration_version).and_return(valid_schema_version)
# Ensure our check can re-run each time
Rake::Task[:schema_version_check].reenable
end