author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-31 13:48:17 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-12-31 13:48:17 +0300 |
commit | c11b8def68caa0d2a079f393d07d9469a6775238 (patch) | |
tree | 4a8bf80b055c94f2a909f883d9d99e3c46ff74bb | |
parent | 52d0c8331f2b76d61f8a2747d68aee16f88a2ce6 (diff) |
Add latest changes from gitlab-org/security/gitlab@12-4-stable-ee
32 files changed, 405 insertions, 201 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 630c82bcc5c..ed2862edfa1 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -33,7 +33,6 @@ include: - local: .gitlab/ci/frontend.gitlab-ci.yml - local: .gitlab/ci/global.gitlab-ci.yml - local: .gitlab/ci/memory.gitlab-ci.yml - - local: .gitlab/ci/notifications.gitlab-ci.yml - local: .gitlab/ci/pages.gitlab-ci.yml - local: .gitlab/ci/qa.gitlab-ci.yml - local: .gitlab/ci/reports.gitlab-ci.yml diff --git a/.gitlab/ci/cng.gitlab-ci.yml b/.gitlab/ci/cng.gitlab-ci.yml index 35859a1ab33..bd11042eb11 100644 --- a/.gitlab/ci/cng.gitlab-ci.yml +++ b/.gitlab/ci/cng.gitlab-ci.yml @@ -1,4 +1,5 @@ cloud-native-image: + extends: .only:variables-canonical-dot-com image: ruby:2.6-alpine dependencies: [] stage: post-test @@ -12,5 +13,3 @@ cloud-native-image: only: refs: - tags - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" diff --git a/.gitlab/ci/docs.gitlab-ci.yml b/.gitlab/ci/docs.gitlab-ci.yml index 14eeebb9db9..e1808281b3a 100644 --- a/.gitlab/ci/docs.gitlab-ci.yml +++ b/.gitlab/ci/docs.gitlab-ci.yml @@ -2,12 +2,11 @@ extends: - .default-tags - .default-retry - - .only-docs-changes + - .only:variables-canonical-dot-com + - .only:changes-docs only: refs: - merge_requests - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" image: ruby:2.6-alpine stage: review dependencies: [] @@ -50,7 +49,7 @@ docs lint: - .default-tags - .default-retry - .default-only - - .only-docs-changes + - .only:changes-docs image: "registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-docs-lint" stage: test dependencies: [] @@ -76,7 +75,7 @@ graphql-docs-verify: - .default-cache - .default-only - .default-before_script - - .only-graphql-changes + - .only:changes-graphql variables: SETUP_DB: "false" stage: test diff --git a/.gitlab/ci/frontend.gitlab-ci.yml b/.gitlab/ci/frontend.gitlab-ci.yml index 2f457bc0ee2..0b72461a9fd 100644 --- a/.gitlab/ci/frontend.gitlab-ci.yml 
+++ b/.gitlab/ci/frontend.gitlab-ci.yml @@ -12,7 +12,7 @@ - .default-only - .default-before_script - .assets-compile-cache - - .only-code-qa-changes + - .only:changes-code-backstage-qa image: registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-git-2.22-chrome-73.0-node-12.x-yarn-1.16-graphicsmagick-1.3.33-docker-18.06.1 stage: test dependencies: ["setup-test-env"] @@ -73,7 +73,7 @@ gitlab:assets:compile pull-cache: - .default-only - .default-before_script - .assets-compile-cache - - .only-code-qa-changes + - .only:changes-code-backstage-qa - .use-pg9 stage: prepare script: @@ -128,7 +128,7 @@ compile-assets pull-cache foss: - .default-cache - .default-only - .default-before_script - - .only-code-changes + - .only:changes-code-backstage - .use-pg9 stage: test needs: ["setup-test-env", "compile-assets pull-cache"] @@ -205,7 +205,7 @@ jest-foss: - .default-retry - .default-cache - .default-only - - .only-code-changes + - .only:changes-code-backstage stage: test dependencies: [] cache: @@ -238,7 +238,7 @@ webpack-dev-server: - .default-retry - .default-cache - .default-only - - .only-code-changes + - .only:changes-code-backstage stage: test needs: ["setup-test-env", "compile-assets pull-cache"] dependencies: ["setup-test-env", "compile-assets pull-cache"] diff --git a/.gitlab/ci/global.gitlab-ci.yml b/.gitlab/ci/global.gitlab-ci.yml index fc9b00b5d3c..b04a67ed9bb 100644 --- a/.gitlab/ci/global.gitlab-ci.yml +++ b/.gitlab/ci/global.gitlab-ci.yml 
@@ -40,14 +40,104 @@ - merge_requests - tags -.only-code-changes: +.only:variables-canonical-dot-com: + only: + variables: + - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/)/ # Matches the gitlab-org group or its subgroups + +.only:variables_refs-canonical-dot-com-schedules: + extends: .only:variables-canonical-dot-com + only: + refs: + - schedules + +.except:refs-deploy: + except: + refs: + - /^\d+-\d+-auto-deploy-\d+$/ + +.except:refs-master-tags-stable-deploy: + except: + refs: + - master + - tags + - /^[\d-]+-stable(-ee)?$/ + - /^\d+-\d+-auto-deploy-\d+$/ + +.only:kubernetes: + only: + kubernetes: active + +.only-review: + extends: + - .only:variables-canonical-dot-com + - .only:kubernetes + - .except:refs-master-tags-stable-deploy + +.only-review-schedules: + extends: + - .only:variables_refs-canonical-dot-com-schedules + - .only:kubernetes + - .except:refs-deploy + +.code-patterns: &code-patterns + - ".gitlab/ci/**/*" + - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}" + - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml" + - ".csscomb.json" + - "Dockerfile.assets" + - "*_VERSION" + - "Gemfile{,.lock}" + - "Rakefile" + - "{babel.config,jest.config}.js" + - "config.ru" + - "{package.json,yarn.lock}" + - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*" + +.backstage-patterns: &backstage-patterns + - "Dangerfile" + - "danger/**/*" + - "{,ee/}fixtures/**/*" + - "{,ee/}rubocop/**/*" + - "{,ee/}spec/**/*" + - "doc/README.md" # Some RSpec test rely on this file + +.qa-patterns: &qa-patterns + - ".dockerignore" + - "qa/**/*" + +.docs-patterns: &docs-patterns + - ".gitlab/route-map.yml" + - "doc/**/*" + - ".markdownlint.json" + +.graphql-patterns: &graphql-patterns + - "{,ee/}app/graphql/**/*" + - "{,ee/}lib/gitlab/graphql/**/*" + +.only:changes-code: + only: + changes: *code-patterns + +.only:changes-qa: + only: + changes: *qa-patterns 
+ +.only:changes-docs: + only: + changes: *docs-patterns + +.only:changes-graphql: + only: + changes: *graphql-patterns + +.only:changes-code-backstage: only: changes: - ".gitlab/ci/**/*" - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}" - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml" - ".csscomb.json" - - "Dangerfile" - "Dockerfile.assets" - "*_VERSION" - "Gemfile{,.lock}" 
@@ -55,36 +145,41 @@ - "{babel.config,jest.config}.js" - "config.ru" - "{package.json,yarn.lock}" - - "{app,bin,config,danger,db,ee,fixtures,haml_lint,lib,locale,public,rubocop,scripts,spec,symbol,vendor}/**/*" + - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*" + # Backstage changes + - "Dangerfile" + - "danger/**/*" + - "{,ee/}fixtures/**/*" + - "{,ee/}rubocop/**/*" + - "{,ee/}spec/**/*" - "doc/README.md" # Some RSpec test rely on this file -.only-qa-changes: +.only:changes-code-qa: only: changes: + - ".gitlab/ci/**/*" + - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}" + - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml" + - ".csscomb.json" + - "Dockerfile.assets" + - "*_VERSION" + - "Gemfile{,.lock}" + - "Rakefile" + - "{babel.config,jest.config}.js" + - "config.ru" + - "{package.json,yarn.lock}" + - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*" + # QA changes - ".dockerignore" - "qa/**/*" -.only-docs-changes: - only: - changes: - - ".gitlab/route-map.yml" - - "doc/**/*" - - ".markdownlint.json" - -.only-graphql-changes: - only: - changes: - - "{,ee/}app/graphql/**/*" - - "{,ee/}lib/gitlab/graphql/**/*" - -.only-code-qa-changes: +.only:changes-code-backstage-qa: only: changes: - ".gitlab/ci/**/*" - ".{eslintignore,gitattributes,nvmrc,prettierrc,stylelintrc,yamllint}" - ".{codeclimate,eslintrc,gitlab-ci,haml-lint,haml-lint_todo,rubocop,rubocop_todo,scss-lint}.yml" - ".csscomb.json" - - "Dangerfile" - "Dockerfile.assets" - "*_VERSION" - "Gemfile{,.lock}" 
@@ -92,36 +187,18 @@ - "{babel.config,jest.config}.js" - "config.ru" - "{package.json,yarn.lock}" - - "{app,bin,config,danger,db,ee,fixtures,haml_lint,lib,locale,public,rubocop,scripts,spec,symbol,vendor}/**/*" + - "{,ee/}{app,bin,config,db,haml_lint,lib,locale,public,scripts,symbol,vendor}/**/*" + # Backstage changes + - "Dangerfile" + - "danger/**/*" + - "{,ee/}fixtures/**/*" + - "{,ee/}rubocop/**/*" + - "{,ee/}spec/**/*" - "doc/README.md" # Some RSpec test rely on this file + # QA changes - ".dockerignore" - "qa/**/*" -.only-review: - only: - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" - kubernetes: active - except: - refs: - - master - - /^\d+-\d+-auto-deploy-\d+$/ - - /^[\d-]+-stable(-ee)?$/ - -.only-review-schedules: - only: - refs: - - schedules - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" - kubernetes: active - -.only-canonical-schedules: - only: - refs: - - schedules@gitlab-org/gitlab - - schedules@gitlab-org/gitlab-foss - .use-pg9: services: - name: postgres:9.6 diff --git a/.gitlab/ci/memory.gitlab-ci.yml b/.gitlab/ci/memory.gitlab-ci.yml index 93bf87b24b2..ba14024df34 100644 --- a/.gitlab/ci/memory.gitlab-ci.yml +++ b/.gitlab/ci/memory.gitlab-ci.yml @@ -5,7 +5,7 @@ - .default-cache - .default-only - .default-before_script - - .only-code-changes + - .only:changes-code memory-static: extends: .only-code-memory-job-base diff --git a/.gitlab/ci/pages.gitlab-ci.yml b/.gitlab/ci/pages.gitlab-ci.yml index a30772d5664..6a2d3702bdd 100644 --- a/.gitlab/ci/pages.gitlab-ci.yml +++ b/.gitlab/ci/pages.gitlab-ci.yml 
@@ -4,12 +4,11 @@ pages: - .default-retry - .default-cache - .default-only - - .only-code-qa-changes + - .only:variables-canonical-dot-com + - .only:changes-code-backstage-qa only: refs: - master - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" stage: pages dependencies: ["coverage", "karma", "gitlab:assets:compile pull-cache"] script: diff --git a/.gitlab/ci/qa.gitlab-ci.yml b/.gitlab/ci/qa.gitlab-ci.yml index 1194948a76f..3cb5a40a8b5 100644 --- a/.gitlab/ci/qa.gitlab-ci.yml +++ b/.gitlab/ci/qa.gitlab-ci.yml @@ -3,7 +3,7 @@ - .default-tags - .default-retry - .default-only - - .only-code-qa-changes + - .only:changes-code-qa stage: test dependencies: [] cache: @@ -31,7 +31,6 @@ qa:selectors-foss: - .only-ee-as-if-foss .package-and-qa-base: - extends: .default-only image: ruby:2.6-alpine stage: qa dependencies: [] 
@@ -40,35 +39,31 @@ qa:selectors-foss: - source scripts/utils.sh - install_gitlab_gem - ./scripts/trigger-build omnibus - only: - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE =~ /^gitlab-org($|\/)/ # Matches the gitlab-org group or its subgroups package-and-qa-manual: extends: - .package-and-qa-base - - .only-code-changes - except: - refs: - - master - - /^\d+-\d+-auto-deploy-\d+$/ + - .default-only + - .only:variables-canonical-dot-com + - .except:refs-deploy + - .only:changes-code when: manual needs: ["build-qa-image", "gitlab:assets:compile pull-cache"] package-and-qa: extends: - .package-and-qa-base - - .only-qa-changes - except: - refs: - - master - - /^\d+-\d+-auto-deploy-\d+$/ + - .default-only + - .only:variables-canonical-dot-com + - .except:refs-master-tags-stable-deploy + - .only:changes-qa needs: ["build-qa-image", "gitlab:assets:compile pull-cache"] allow_failure: true schedule:package-and-qa: extends: - .package-and-qa-base - - .only-code-qa-changes - - .only-canonical-schedules + - .default-only + - .only:variables_refs-canonical-dot-com-schedules needs: ["build-qa-image", "gitlab:assets:compile pull-cache"] + allow_failure: true diff --git a/.gitlab/ci/rails.gitlab-ci.yml b/.gitlab/ci/rails.gitlab-ci.yml index bf478b68765..5b1930faabb 100644 --- a/.gitlab/ci/rails.gitlab-ci.yml +++ b/.gitlab/ci/rails.gitlab-ci.yml @@ -22,7 +22,7 @@ - .default-cache - .default-only - .default-before_script - - .only-code-changes + - .only:changes-code-backstage .only-code-qa-rails-job-base: extends: @@ -31,7 +31,7 @@ - .default-cache - .default-only - .default-before_script - - .only-code-qa-changes + - .only:changes-code-backstage-qa setup-test-env: extends: 
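Review bot: `schedule:package-and-qa` drops `.only-canonical-schedules`, which pinned it to `schedules@gitlab-org/gitlab` and `schedules@gitlab-org/gitlab-foss`, and now relies on `.only:variables_refs-canonical-dot-com-schedules`, i.e. a scheduled pipeline in any project under the `gitlab-org` group or its subgroups. Because `.package-and-qa-base` runs `./scripts/trigger-build omnibus` (visible at the top of this hunk), scheduled pipelines in other gitlab-org projects — security mirrors or forks kept under subgroups — would now fire omnibus trigger builds with whatever trigger token they inherit, presumably a group-level variable, which I cannot confirm from here. The regex comment ("Matches the gitlab-org group or its subgroups") suggests the widening is deliberate; if so a one-line comment on the job saying so would save the next reviewer the same question, otherwise keep a project pin alongside the template, e.g. `only: refs: [schedules@gitlab-org/gitlab, schedules@gitlab-org/gitlab-foss]`. `.package-and-qa-base` starts in the previous hunk.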
@@ -251,13 +251,8 @@ static-analysis: downtime_check: extends: - .rake-exec - - .only-code-changes - except: - refs: - - master - - tags - variables: - - $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ + - .only:changes-code-backstage + - .except:refs-master-tags-stable-deploy stage: test needs: ["setup-test-env"] dependencies: ["setup-test-env"] diff --git a/.gitlab/ci/reports.gitlab-ci.yml b/.gitlab/ci/reports.gitlab-ci.yml index 16c3f0e4f8c..fbb7826b6f2 100644 --- a/.gitlab/ci/reports.gitlab-ci.yml +++ b/.gitlab/ci/reports.gitlab-ci.yml @@ -11,7 +11,7 @@ code_quality: extends: - .default-retry - .default-only - - .only-code-changes + - .only:changes-code-backstage stage: test image: docker:stable allow_failure: true @@ -50,7 +50,7 @@ sast: extends: - .default-retry - .default-only - - .only-code-changes + - .only:changes-code-backstage-qa stage: test image: docker:stable variables: @@ -132,7 +132,7 @@ dependency_scanning: extends: - .default-retry - .default-only - - .only-code-changes + - .only:changes-code-backstage-qa stage: test image: docker:stable variables: @@ -195,7 +195,7 @@ dast: extends: - .default-retry - .default-only - - .only-code-qa-changes + - .only:changes-code-qa - .only-review stage: qa needs: ["review-deploy"] diff --git a/.gitlab/ci/review.gitlab-ci.yml b/.gitlab/ci/review.gitlab-ci.yml index c78c6a82815..4ed9ac03d0c 100644 --- a/.gitlab/ci/review.gitlab-ci.yml +++ b/.gitlab/ci/review.gitlab-ci.yml @@ -1,14 +1,8 @@ -.except-deploys: - except: - refs: - - /^\d+-\d+-auto-deploy-\d+$/ - .review-docker: extends: - .default-tags - .default-retry - .default-only - - .except-deploys image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-qa-alpine services: - docker:19.03.0-dind 
@@ -23,10 +17,9 @@ build-qa-image: extends: - .review-docker - - .only-code-qa-changes - only: - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" + - .only:variables-canonical-dot-com + - .except:refs-deploy + - .only:changes-code-qa stage: prepare script: - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"' @@ -35,14 +28,11 @@ build-qa-image: - echo "${CI_JOB_TOKEN}" | docker login --username gitlab-ci-token --password-stdin ${CI_REGISTRY} - time docker push ${QA_IMAGE} -schedule:review-cleanup: +.base-review-cleanup: extends: - .default-tags - .default-retry - .default-only - - .only-code-qa-changes - - .only-review-schedules - - .except-deploys stage: prepare image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base allow_failure: true @@ -55,11 +45,22 @@ schedule:review-cleanup: script: - ruby -rrubygems scripts/review_apps/automated_cleanup.rb +schedule:review-cleanup: + extends: + - .base-review-cleanup + - .only-review-schedules + +manual:review-cleanup: + extends: + - .base-review-cleanup + - .only:changes-code-qa + when: manual + .review-build-cng-base: extends: + - .default-tags + - .default-retry - .default-only - - .only-code-qa-changes - - .except-deploys image: ruby:2.6-alpine stage: review-prepare before_script: @@ -74,6 +75,7 @@ review-build-cng: extends: - .review-build-cng-base - .only-review + - .only:changes-code-qa needs: ["gitlab:assets:compile pull-cache"] schedule:review-build-cng: 
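Review bot: `manual:review-cleanup` is guarded only by `.only:changes-code-qa`, whereas its scheduled sibling inherits `.only:variables-canonical-dot-com`, `.only:kubernetes` and `.except:refs-deploy` through `.only-review-schedules`. As written the manual job is offered in every pipeline that `.default-only` admits, in any project or fork carrying this file, including ones without a review cluster, where running it can only fail (the `allow_failure: true` in `.base-review-cleanup` hides that). Since the script (`scripts/review_apps/automated_cleanup.rb`, visible as context at the top of this hunk) deletes review-app releases, I would scope it like the other review jobs — `extends: [.base-review-cleanup, .only-review, .only:changes-code-qa]` — or, if it must also be available on `master`, add at least `.only:variables-canonical-dot-com` and `.only:kubernetes`. `.base-review-cleanup` begins in the previous hunk.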
@@ -82,26 +84,30 @@ schedule:review-build-cng: - .only-review-schedules needs: ["gitlab:assets:compile pull-cache"] -.review-deploy-base: +.review-workflow-base: extends: - .default-tags - .default-retry - .default-only - - .only-code-qa-changes - - .except-deploys - stage: review image: registry.gitlab.com/gitlab-org/gitlab-build-images:gitlab-charts-build-base dependencies: [] - allow_failure: true variables: HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}" DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}" - GITLAB_HELM_CHART_REF: "v2.3.7" + # v2.4.4 + two improvements: + # - Allow to pass an EE license when installing the chart: https://gitlab.com/gitlab-org/charts/gitlab/merge_requests/1008 + # - Allow to customize the livenessProbe for `gitlab-shell`: https://gitlab.com/gitlab-org/charts/gitlab/merge_requests/1021 + GITLAB_HELM_CHART_REF: "6c655ed77e60f1f7f533afb97bef8c9cb7dc61eb" GITLAB_EDITION: "ce" environment: name: review/${CI_COMMIT_REF_NAME} url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN} on_stop: review-stop + +.review-deploy-base: + extends: .review-workflow-base + stage: review + allow_failure: true before_script: - '[[ ! -d "ee/" ]] || export GITLAB_EDITION="ee"' - export GITLAB_SHELL_VERSION=$(<GITLAB_SHELL_VERSION) @@ -112,21 +118,13 @@ schedule:review-build-cng: - install_api_client_dependencies_with_apk - source scripts/review_apps/review-apps.sh script: - - date - check_kube_domain - - date - ensure_namespace - - date - install_tiller - - date - install_external_dns - - date - download_chart - date - deploy || (display_deployment_debug && exit 1) - - date - - add_license - - date artifacts: paths: [review_app_url.txt] expire_in: 2 days @@ -136,6 +134,7 @@ review-deploy: extends: - .review-deploy-base - .only-review + - .only:changes-code-qa needs: ["review-build-cng"] schedule:review-deploy: 
@@ -144,11 +143,11 @@ schedule:review-deploy: - .only-review-schedules needs: ["schedule:review-build-cng"] -review-stop: +.base-review-stop: extends: - - .review-deploy-base + - .review-workflow-base - .only-review - when: manual + - .only:changes-code-qa environment: action: stop variables: @@ -161,24 +160,26 @@ review-stop: - wget $CI_PROJECT_URL/raw/$CI_COMMIT_SHA/scripts/utils.sh - source utils.sh - source review-apps.sh - script: - - delete_release - artifacts: - paths: [] -review-cleanup-failed-deployment: - extends: review-stop +review-stop-failed-deployment: + extends: .base-review-stop stage: prepare - when: on_success - allow_failure: false script: - delete_failed_release +review-stop: + extends: .base-review-stop + stage: review + when: manual + allow_failure: true + script: + - delete_release + .review-qa-base: extends: - .review-docker - .only-review - - .only-code-qa-changes + - .only:changes-code-qa stage: qa allow_failure: true variables: @@ -223,9 +224,7 @@ review-qa-all: - gitlab-qa Test::Instance::Any "${QA_IMAGE}" "${CI_ENVIRONMENT_URL}" -- --format RspecJunitFormatter --out tmp/rspec-${CI_JOB_ID}.xml --format html --out tmp/rspec.htm --color --format documentation .review-performance-base: - extends: - - .review-docker - - .only-code-qa-changes + extends: .review-docker stage: qa allow_failure: true before_script: @@ -248,6 +247,7 @@ review-performance: extends: - .review-performance-base - .only-review + - .only:changes-code-qa needs: ["review-deploy"] dependencies: ["review-deploy"] before_script: @@ -277,9 +277,8 @@ parallel-spec-reports: extends: - .default-tags - .default-only - - .only-code-qa-changes - .only-review - - .except-deploys + - .only:changes-code-qa image: ruby:2.6-alpine stage: post-test dependencies: ["review-qa-all"] 
@@ -310,18 +309,13 @@ danger-review: - .default-retry - .default-cache - .default-only + - .except:refs-master-tags-stable-deploy image: registry.gitlab.com/gitlab-org/gitlab-build-images:danger stage: test dependencies: [] only: variables: - $DANGER_GITLAB_API_TOKEN - except: - refs: - - master - variables: - - $CI_COMMIT_REF_NAME =~ /^\d+-\d+-auto-deploy-\d+$/ - - $CI_COMMIT_REF_NAME =~ /^[\d-]+-stable(-ee)?$/ script: - git version - node --version diff --git a/.gitlab/ci/setup.gitlab-ci.yml b/.gitlab/ci/setup.gitlab-ci.yml index 861f3f1af5b..24267584393 100644 --- a/.gitlab/ci/setup.gitlab-ci.yml +++ b/.gitlab/ci/setup.gitlab-ci.yml @@ -6,7 +6,8 @@ cache gems: - .default-retry - .default-cache - .default-before_script - - .only-code-qa-changes + - .only:variables-canonical-dot-com + - .only:changes-code-backstage-qa stage: test dependencies: ["setup-test-env"] needs: ["setup-test-env"] @@ -21,15 +22,13 @@ cache gems: refs: - master - tags - variables: - - $CI_SERVER_HOST == "gitlab.com" && $CI_PROJECT_NAMESPACE == "gitlab-org" .minimal-job: extends: - .default-tags - .default-retry - .default-only - - .only-code-changes + - .only:changes-code-backstage dependencies: [] gitlab_git_test: diff --git a/.gitlab/ci/test-metadata.gitlab-ci.yml b/.gitlab/ci/test-metadata.gitlab-ci.yml index 6a7f3157d59..21af0d373bc 100644 --- a/.gitlab/ci/test-metadata.gitlab-ci.yml +++ b/.gitlab/ci/test-metadata.gitlab-ci.yml @@ -1,7 +1,7 @@ .tests-metadata-state: extends: - .default-only - - .only-code-changes + - .only:changes-code-backstage variables: TESTS_METADATA_S3_BUCKET: "gitlab-ce-cache" before_script: @@ -48,7 +48,7 @@ flaky-examples-check: - .default-tags - .default-retry - .default-only - - .only-code-changes + - .only:changes-code-backstage image: ruby:2.6-alpine stage: post-test variables: diff --git a/app/controllers/profiles/notifications_controller.rb b/app/controllers/profiles/notifications_controller.rb index 5f44e55f3ef..d295b64082c 100644 
--- a/app/controllers/profiles/notifications_controller.rb
+++ b/app/controllers/profiles/notifications_controller.rb
@@ -11,6 +11,7 @@ class Profiles::NotificationsController < Profiles::ApplicationController
 exclude_group_ids: @group_notifications.select(:source_id)
 ).execute.map { |group| current_user.notification_settings_for(group, inherit: true) }
 @project_notifications = current_user.notification_settings.for_projects.order(:id)
+ .select { |notification| current_user.can?(:read_project, notification.source) }
 @global_notification_setting = current_user.global_notification_setting
 end
 # rubocop: enable CodeReuse/ActiveRecord
diff --git a/app/helpers/notifications_helper.rb b/app/helpers/notifications_helper.rb
index 8855e0cdd70..9a64fe98f86 100644
--- a/app/helpers/notifications_helper.rb
+++ b/app/helpers/notifications_helper.rb
@@ -116,4 +116,8 @@ module NotificationsHelper
 def show_unsubscribe_title?(noteable)
 can?(current_user, "read_#{noteable.to_ability_name}".to_sym, noteable)
 end
+
+ def can_read_project?(project)
+ can?(current_user, :read_project, project)
+ end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index eec8ad6edbb..2fe74617102 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1308,7 +1308,7 @@ class User < ApplicationRecord
 .select('ci_runners.*')
 group_runners = Ci::RunnerNamespace
- .where(namespace_id: owned_or_maintainers_groups.select(:id))
+ .where(namespace_id: owned_groups.select(:id))
 .joins(:runner)
 .select('ci_runners.*')
diff --git a/app/views/sent_notifications/unsubscribe.html.haml b/app/views/sent_notifications/unsubscribe.html.haml
index 22fcfcda297..1eecbe3bc0e 100644
--- a/app/views/sent_notifications/unsubscribe.html.haml
+++ b/app/views/sent_notifications/unsubscribe.html.haml
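Review bot: The new `.select { |notification| current_user.can?(:read_project, notification.source) }` loads the relation into an Array and runs one `read_project` policy check per setting, each of which may issue its own queries, so the existing `exceed_query_limit` example in the spec hunk is now the only guard against an N+1 for users watching many projects. It also passes `notification.source` as the policy subject, which is `nil` for a setting whose project was deleted without removing the setting; I cannot tell from here whether such rows exist or how `can?` treats a nil subject, so `notification.source && current_user.can?(:read_project, notification.source)` would be a cheap safety net. A SQL-level filter — `where(source_id: <ids of projects visible to current_user>)`, mirroring the finder-based approach used for groups two lines above — would keep the relation lazy and do the access filtering in one query. The `show` action starts outside this hunk.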
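Review bot: `can_read_project?` carries no comment saying why it exists beside `show_unsubscribe_title?`, so a reader of the helper cannot tell it is an authorization gate for revealing a project's identity rather than a convenience alias. I would add above it `# Whether the project's name/path may be shown to the current user (e.g. on the unsubscribe page); a user without read_project must not learn that the project exists.` Since it wraps a single `can?` call, the team may instead prefer callers to use `can?(current_user, :read_project, project)` directly, as `show_unsubscribe_title?` does for noteables — either way the intent should be written down.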
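Review bot: The switch from `owned_or_maintainers_groups` to `owned_groups` narrows which group runners are returned, but nothing in the code records why maintainers are now excluded, so a later refactor could easily "fix" it back. I would add a why-comment above the `group_runners` assignment, e.g. `# Only group owners may manage group runners; maintainers must not see or control them through this path (security fix).` The enclosing method starts above this hunk and its project-runner branch is only partially visible, so check that the owner-only rule is applied consistently there if that is the intended policy. A spec asserting that a group maintainer does not get the group's runners back would pin the fix; none is visible on this page, which shows fewer files than the 32 in the diffstat.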
@@ -1,13 +1,16 @@ - noteable = @sent_notification.noteable - noteable_type = @sent_notification.noteable_type.titleize.downcase - noteable_text = show_unsubscribe_title?(noteable) ? %(#{noteable.title} (#{noteable.to_reference})) : %(#{noteable.to_reference}) -- page_title _("Unsubscribe"), noteable_text, noteable_type.pluralize, @sent_notification.project.full_name +- show_project_path = can_read_project?(@sent_notification.project) +- project_path = show_project_path ? @sent_notification.project.full_name : _("GitLab / Unsubscribe") +- noteable_url = show_project_path ? url_for([@sent_notification.project.namespace.becomes(Namespace), @sent_notification.project, noteable]) : breadcrumb_title_link +- page_title _('Unsubscribe'), noteable_text, noteable_type.pluralize, project_path %h3.page-title = _("Unsubscribe from %{type}") % { type: noteable_type } %p - - link_to_noteable_text = link_to(noteable_text, url_for([@sent_notification.project.namespace.becomes(Namespace), @sent_notification.project, noteable])) + - link_to_noteable_text = link_to(noteable_text, noteable_url) = _("Are you sure you want to unsubscribe from the %{type}: %{link_to_noteable_text}?").html_safe % { type: noteable_type, link_to_noteable_text: link_to_noteable_text } %p diff --git a/changelogs/unreleased/security-11-graphql-timeout-12-4.yml b/changelogs/unreleased/security-11-graphql-timeout-12-4.yml new file mode 100644 index 00000000000..1d06aaced9d --- /dev/null +++ b/changelogs/unreleased/security-11-graphql-timeout-12-4.yml @@ -0,0 +1,5 @@ +--- +title: 'GraphQL: Add timeout to all queries' +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-12-4-mc-api-runner-owner-permissions.yml b/changelogs/unreleased/security-12-4-mc-api-runner-owner-permissions.yml new file mode 100644 index 00000000000..2f23dbf7b9f --- /dev/null +++ b/changelogs/unreleased/security-12-4-mc-api-runner-owner-permissions.yml 
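Review bot: The view now makes an authorization decision inline (`show_project_path = can_read_project?(...)`) and evaluates `@sent_notification.project` four times, with no comment stating that the fallback exists so the project name and path are not disclosed to users who cannot read the project. I would add `-# Users without read_project must not learn the project's name or path from this page; fall back to a neutral title and link.` above the `show_project_path` line and hoist `- project = @sent_notification.project` to the top. Also worth confirming that `noteable.to_reference`, still rendered in `noteable_text` when the project is hidden, yields the short `#iid`/`!iid` form here rather than a project-qualified reference, and that `breadcrumb_title_link` resolves to a page that itself reveals nothing about the project.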
@@ -0,0 +1,5 @@ +--- +title: Return only runners from groups where user is owner for user CI owned runners. +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-29983-private-project-name-exposed.yml b/changelogs/unreleased/security-29983-private-project-name-exposed.yml new file mode 100644 index 00000000000..2cae417ec1d --- /dev/null +++ b/changelogs/unreleased/security-29983-private-project-name-exposed.yml @@ -0,0 +1,5 @@ +--- +title: Filter out notification settings for projects that a user does not have at least read access +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-34072-project-name-disclosed.yml b/changelogs/unreleased/security-34072-project-name-disclosed.yml new file mode 100644 index 00000000000..f14c7728273 --- /dev/null +++ b/changelogs/unreleased/security-34072-project-name-disclosed.yml @@ -0,0 +1,5 @@ +--- +title: Hide project name and path when unsusbcribing from an issue or merge request +merge_request: +author: +type: security diff --git a/changelogs/unreleased/security-fix-invalid-byte-sequence-upload-links-master.yml b/changelogs/unreleased/security-fix-invalid-byte-sequence-upload-links-master.yml new file mode 100644 index 00000000000..afe48b448b0 --- /dev/null +++ b/changelogs/unreleased/security-fix-invalid-byte-sequence-upload-links-master.yml @@ -0,0 +1,5 @@ +--- +title: Fix 500 error caused by invalid byte sequences in uploads links +merge_request: +author: +type: security diff --git a/config/initializers/graphql.rb b/config/initializers/graphql.rb index f1bc289f1f0..2b21c9d9729 100644 --- a/config/initializers/graphql.rb +++ b/config/initializers/graphql.rb 
@@ -5,3 +5,7 @@ GraphQL::Field.accepts_definitions(authorize: GraphQL::Define.assign_metadata_ke
 GraphQL::Schema::Object.accepts_definition(:authorize)
 GraphQL::Schema::Field.accepts_definition(:authorize)
+
+GitlabSchema.middleware << GraphQL::Schema::TimeoutMiddleware.new(max_seconds: ENV.fetch('GITLAB_RAILS_GRAPHQL_TIMEOUT', 30).to_i) do |timeout_error, query|
+ Gitlab::GraphqlLogger.error(message: timeout_error.to_s, query: query.query_string, query_variables: query.provided_variables)
+end
diff --git a/doc/development/pipelines.md b/doc/development/pipelines.md
index 5954de03db4..b3e157eaef9 100644
--- a/doc/development/pipelines.md
+++ b/doc/development/pipelines.md
@@ -38,7 +38,8 @@ The current stages are: ## Default image The default image is currently -`gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.11-git-2.22-chrome-73.0-node-12.x-yarn-1.16-postgresql-9.6-graphicsmagick-1.3.33`. +`registry.gitlab.com/gitlab-org/gitlab-build-images:ruby-2.6.3-golang-1.11-git-2.22-chrome-73.0-node-12.x-yarn-1.16-postgresql-9.6-graphicsmagick-1.3.33`. + It includes Ruby 2.6.3, Go 1.11, Git 2.22, Chrome 73, Node 12, Yarn 1.16, PostgreSQL 9.6, and Graphics Magick 1.3.33.
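Review bot: The timeout handler logs `query.provided_variables` verbatim, so any mutation that carries a secret in its variables (tokens, passwords, keys) lands unredacted in the GraphQL log whenever it times out; run the variables through the same parameter filter Rails applies to request logs (the `filter_parameters` list) before logging, or log only the variable names. Separately, `ENV.fetch('GITLAB_RAILS_GRAPHQL_TIMEOUT', 30).to_i` silently yields `0` for a non-numeric value such as `""`, and as far as I recall `TimeoutMiddleware` with `max_seconds: 0` aborts essentially every query, so a typo in the environment becomes a GraphQL outage; `Integer(ENV.fetch('GITLAB_RAILS_GRAPHQL_TIMEOUT', 30), exception: false) || 30` keeps the default on bad input (Ruby 2.6, which this repo's CI images use, supports `exception: false`). A short comment naming the variable and its unit — `# Per-query wall-clock budget in seconds; override with GITLAB_RAILS_GRAPHQL_TIMEOUT` — would also help operators. If the gem's middleware only checks the clock between field resolutions, so that a single slow resolver is not interrupted, that limitation belongs in the same comment.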
@@ -48,24 +49,13 @@ project, which is push-mirrored to <https://dev.gitlab.org/gitlab/gitlab-build-i for redundancy. The current version of the build images can be found in the -["Used by GitLab CE/EE section"](https://gitlab.com/gitlab-org/gitlab-build-images/blob/master/.gitlab-ci.yml). +["Used by GitLab section"](https://gitlab.com/gitlab-org/gitlab-build-images/blob/master/.gitlab-ci.yml). ## Default variables In addition to the [predefined variables](../ci/variables/predefined_variables.md), -each pipeline includes the following [variables](../ci/variables/README.md): - -- `RAILS_ENV: "test"` -- `NODE_ENV: "test"` -- `SIMPLECOV: "true"` -- `GIT_DEPTH: "50"` -- `GIT_SUBMODULE_STRATEGY: "none"` -- `GET_SOURCES_ATTEMPTS: "3"` -- `KNAPSACK_RSPEC_SUITE_REPORT_PATH: knapsack/${CI_PROJECT_NAME}/rspec_report-master.json` -- `FLAKY_RSPEC_SUITE_REPORT_PATH: rspec_flaky/report-suite.json` -- `BUILD_ASSETS_IMAGE: "false"` -- `ES_JAVA_OPTS: "-Xms256m -Xmx256m"` -- `ELASTIC_URL: "http://elastic:changeme@docker.elastic.co-elasticsearch-elasticsearch:9200"` +each pipeline includes default variables defined in +<https://gitlab.com/gitlab-org/gitlab/blob/master/.gitlab-ci.yml>. ## Common job definitions 
@@ -85,22 +75,35 @@ These common definitions are: Ruby/Rails and frontend tasks. - `.default-only`: Restricts the cases where a job is created. This currently includes `master`, `/^[\d-]+-stable(-ee)?$/` (stable branches), - `/^\d+-\d+-auto-deploy-\d+$/` (security branches), `merge_requests`, `tags`. + `/^\d+-\d+-auto-deploy-\d+$/` (auto-deploy branches), `/^security\//` (security branches), `merge_requests`, `tags`. Note that jobs won't be created for branches with this default configuration. -- `.only-review`: Only creates a job for the `gitlab-org` namespace and if - Kubernetes integration is available. Also, prevents a job from being created - for `master` and auto-deploy branches. -- `.only-review-schedules`: Same as `.only-review` but also restrict a job to - only run for [schedules](../user/project/pipelines/schedules.md). -- `.only-canonical-schedules`: Only creates a job for scheduled pipelines in - the `gitlab-org/gitlab` and `gitlab-org/gitlab-foss` projects +- `.only:variables-canonical-dot-com`: Only creates a job if the project is + located under <https://gitlab.com/gitlab-org>. +- `.only:variables_refs-canonical-dot-com-schedules`: Same as + `.only:variables-canonical-dot-com` but add the condition that pipeline is scheduled. +- `.except:refs-deploy`: Don't create a job if the `ref` is an auto-deploy branch. +- `.except:refs-master-tags-stable-deploy`: Don't create a job if the `ref` is one of: + - `master` + - a tag + - a stable branch + - an auto-deploy branch +- `.only:kubernetes`: Only creates a job if a Kubernetes integration is enabled + on the project. +- `.only-review`: This extends from: + - `.only:variables-canonical-dot-com` + - `.only:kubernetes` + - `.except:refs-master-tags-stable-deploy` +- `.only-review-schedules`: This extends from: + - `.only:variables_refs-canonical-dot-com-schedules` + - `.only:kubernetes` + - `.except:refs-deploy` - `.use-pg9`: Allows a job to use the `postgres:9.6` and `redis:alpine` services. 
- `.use-pg10`: Allows a job to use the `postgres:10.9` and `redis:alpine` services. - `.use-pg9-ee`: Same as `.use-pg9` but also use the `docker.elastic.co/elasticsearch/elasticsearch:5.6.12` services. - `.use-pg10-ee`: Same as `.use-pg10` but also use the `docker.elastic.co/elasticsearch/elasticsearch:5.6.12` services. -- `.only-ee`: Only creates a job for the `gitlab` project. +- `.only-ee`: Only creates a job for the `gitlab` or `gitlab-ee` project. - `.only-ee-as-if-foss`: Same as `.only-ee` but simulate the FOSS project by setting the `FOSS_ONLY='1'` environment variable. 
@@ -111,11 +114,13 @@ the cases where it should be created [based on the changes](../ci/yaml/README.md#onlychangesexceptchanges) from a commit or MR by extending from the following CI definitions: -- `.only-code-changes`: Allows a job to only be created upon code-related changes. -- `.only-qa-changes`: Allows a job to only be created upon QA-related changes. -- `.only-docs-changes`: Allows a job to only be created upon docs-related changes. -- `.only-code-qa-changes`: Allows a job to only be created upon code-related or QA-related changes. -- `.only-graphql-changes`: Allows a job to only be created upon graphql-related changes. +- `.only:changes-code`: Allows a job to only be created upon code-related changes. +- `.only:changes-qa`: Allows a job to only be created upon QA-related changes. +- `.only:changes-docs`: Allows a job to only be created upon docs-related changes. +- `.only:changes-graphql`: Allows a job to only be created upon GraphQL-related changes. +- `.only:changes-code-backstage`: Allows a job to only be created upon code-related or backstage-related (e.g. Danger, RuboCop, specs) changes. +- `.only:changes-code-qa`: Allows a job to only be created upon code-related or QA-related changes. +- `.only:changes-code-backstage-qa`: Allows a job to only be created upon code-related, backstage-related (e.g. Danger, RuboCop, specs) or QA-related changes. **See <https://gitlab.com/gitlab-org/gitlab/blob/master/.gitlab/ci/global.gitlab-ci.yml> for the list of exact patterns.** diff --git a/lib/banzai/filter/relative_link_filter.rb b/lib/banzai/filter/relative_link_filter.rb index 583b0081319..4f257189f8e 100644 --- a/lib/banzai/filter/relative_link_filter.rb +++ b/lib/banzai/filter/relative_link_filter.rb 
@@ -116,7 +116,7 @@ module Banzai
 end
 
 def process_link_to_upload_attr(html_attr)
- path_parts = [Addressable::URI.unescape(html_attr.value)]
+ path_parts = [unescape_and_scrub_uri(html_attr.value)]
 
 if project
 path_parts.unshift(relative_url_root, project.full_path)
@@ -172,7 +172,7 @@ module Banzai
 end
 
 def cleaned_file_path(uri)
- Addressable::URI.unescape(uri.path).scrub.delete("\0").chomp("/")
+ unescape_and_scrub_uri(uri.path).delete("\0").chomp("/")
 end
 
 def relative_file_path(uri)
@@ -184,7 +184,7 @@ module Banzai
 def request_path
 return unless context[:requested_path]
 
- Addressable::URI.unescape(context[:requested_path]).chomp("/")
+ unescape_and_scrub_uri(context[:requested_path]).chomp("/")
 end
 
 # Convert a relative path into its correct location based on the currently
@@ -266,6 +266,12 @@ module Banzai
 def repository
 @repository ||= project&.repository
 end
+
+ private
+
+ def unescape_and_scrub_uri(uri)
+ Addressable::URI.unescape(uri).scrub
+ end
 end
 end
 end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 1f39a7f5477..a4a91273025 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -7886,6 +7886,9 @@ msgstr ""
 msgid "GitHub import"
 msgstr ""
 
+msgid "GitLab / Unsubscribe"
+msgstr ""
+
 msgid "GitLab CI Linter has been moved"
 msgstr ""
 
diff --git a/spec/controllers/profiles/notifications_controller_spec.rb b/spec/controllers/profiles/notifications_controller_spec.rb
index dbc408bcdd9..ede68744ac6 100644
--- a/spec/controllers/profiles/notifications_controller_spec.rb
+++ b/spec/controllers/profiles/notifications_controller_spec.rb
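Review bot: The new `unescape_and_scrub_uri` helper in hunk @@ -266,6 +266,12 has no comment, so the reason for the `scrub` call is only discoverable from the accompanying spec change; add `# Percent-decode +uri+ and replace invalid byte sequences (e.g. a decoded "%FF") with the encoding's replacement character so later String operations cannot raise ArgumentError.` above the `def`. The hunks at @@ -116,7 +116,7 and @@ -184,7 +184,7 are the actual fix, since `html_attr.value` and `context[:requested_path]` were previously unescaped without scrubbing, whereas `cleaned_file_path` already scrubbed and only changes call shape. Only `cleaned_file_path` still strips NUL bytes with `delete("\0")`; whether the upload and requested-path callers also need that is not visible here and is worth checking. The added `private` keyword sits after `repository`; if the class already has a `private` section above line 266, the new method could be moved into it instead of opening a second one.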
@@ -52,6 +52,35 @@ describe Profiles::NotificationsController do
 end.to exceed_query_limit(control)
 end
 end
+
+ context 'with project notifications' do
+ let!(:notification_setting) { create(:notification_setting, source: project, user: user, level: :watch) }
+
+ before do
+ sign_in(user)
+ get :show
+ end
+
+ context 'when project is public' do
+ let(:project) { create(:project, :public) }
+
+ it 'shows notification setting for project' do
+ expect(assigns(:project_notifications).map(&:source_id)).to include(project.id)
+ end
+ end
+
+ context 'when project is public' do
+ let(:project) { create(:project, :private) }
+
+ it 'shows notification setting for project' do
+ # notification settings for given project were created before project was set to private
+ expect(user.notification_settings.for_projects.map(&:source_id)).to include(project.id)
+
+ # check that notification settings for project where user does not have access are filtered
+ expect(assigns(:project_notifications)).to be_empty
+ end
+ end
+ end
 end
 
 describe 'POST update' do
diff --git a/spec/controllers/sent_notifications_controller_spec.rb b/spec/controllers/sent_notifications_controller_spec.rb
index 0e634d8ba99..4dd4f49dcf1 100644
--- a/spec/controllers/sent_notifications_controller_spec.rb
+++ b/spec/controllers/sent_notifications_controller_spec.rb
@@ -56,7 +56,7 @@ describe SentNotificationsController do
 get(:unsubscribe, params: { id: sent_notification.reply_key })
 end
 
- shared_examples 'unsubscribing as anonymous' do
+ shared_examples 'unsubscribing as anonymous' do |project_visibility|
 it 'does not unsubscribe the user' do
 expect(noteable.subscribed?(user, target_project)).to be_truthy
 end
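Review bot: The second `context` in hunk @@ -52,6 +52,35 is titled `'when project is public'` but builds `create(:project, :private)`, and its example is named `'shows notification setting for project'` while it asserts that `assigns(:project_notifications)` is empty; rename them to `context 'when project is private' do` and `it 'does not show notification setting for project' do` so a failure reads correctly. The inline comment claims the setting was created before the project was set to private, but the project is created private from the start and the `let!` merely runs before the controller action; `# the setting exists, but the user has no access to the private project, so it must be filtered out` states the actual precondition. The enclosing `describe` starts outside the hunk.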
@@ -69,6 +69,18 @@ describe SentNotificationsController do
 expect(response.status).to eq(200)
 expect(response).to render_template :unsubscribe
 end
+
+ if project_visibility == :private
+ it 'does not show project name or path' do
+ expect(response.body).not_to include(noteable.project.name)
+ expect(response.body).not_to include(noteable.project.full_name)
+ end
+ else
+ it 'shows project name or path' do
+ expect(response.body).to include(noteable.project.name)
+ expect(response.body).to include(noteable.project.full_name)
+ end
+ end
 end
 
 context 'when project is public' do
@@ -79,7 +91,7 @@ describe SentNotificationsController do
 expect(response.body).to include(issue.title)
 end
 
- it_behaves_like 'unsubscribing as anonymous'
+ it_behaves_like 'unsubscribing as anonymous', :public
 end
 
 context 'when unsubscribing from confidential issue' do
@@ -90,7 +102,7 @@ describe SentNotificationsController do
 expect(response.body).to include(confidential_issue.to_reference)
 end
 
- it_behaves_like 'unsubscribing as anonymous'
+ it_behaves_like 'unsubscribing as anonymous', :public
 end
 
 context 'when unsubscribing from merge request' do
@@ -100,7 +112,12 @@ describe SentNotificationsController do
 expect(response.body).to include(merge_request.title)
 end
 
- it_behaves_like 'unsubscribing as anonymous'
+ it 'shows project name or path' do
+ expect(response.body).to include(issue.project.name)
+ expect(response.body).to include(issue.project.full_name)
+ end
+
+ it_behaves_like 'unsubscribing as anonymous', :public
 end
 end
 
@@ -110,11 +127,11 @@ describe SentNotificationsController do
 context 'when unsubscribing from issue' do
 let(:noteable) { issue }
 
- it 'shows issue title' do
+ it 'does not show issue title' do
 expect(response.body).not_to include(issue.title)
 end
 
- it_behaves_like 'unsubscribing as anonymous'
+ it_behaves_like 'unsubscribing as anonymous', :private
 end
 
 context 'when unsubscribing from confidential issue' do
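Review bot: The merge-request context in hunk @@ -100,7 +112,12 adds an `it 'shows project name or path'` example that reads `issue.project` although `noteable` is `merge_request`, and the `it_behaves_like 'unsubscribing as anonymous', :public` right below it already makes the same assertion through the `else` branch added in hunk @@ -69,6 +69,18; drop the extra example, or at least use `noteable.project`, so the merge-request context matches the issue contexts. In that shared example, `if project_visibility == :private ... else` treats any other value, including an omitted argument, as public, which is the permissive case the change is meant to guard against; a guard such as `raise ArgumentError, "unexpected visibility #{project_visibility.inspect}" unless %i[public private].include?(project_visibility)` at the top of the block makes a forgotten argument fail loudly. The `shared_examples` block begins in hunk @@ -56,7 +56,7.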
@@ -125,17 +142,17 @@ describe SentNotificationsController do
 expect(response.body).to include(confidential_issue.to_reference)
 end
 
- it_behaves_like 'unsubscribing as anonymous'
+ it_behaves_like 'unsubscribing as anonymous', :private
 end
 
 context 'when unsubscribing from merge request' do
 let(:noteable) { merge_request }
 
- it 'shows merge request title' do
+ it 'dos not show merge request title' do
 expect(response.body).not_to include(merge_request.title)
 end
 
- it_behaves_like 'unsubscribing as anonymous'
+ it_behaves_like 'unsubscribing as anonymous', :private
 end
 end
 end
diff --git a/spec/lib/banzai/filter/relative_link_filter_spec.rb b/spec/lib/banzai/filter/relative_link_filter_spec.rb
index 371c7a2347c..fdd6b0c8ae4 100644
--- a/spec/lib/banzai/filter/relative_link_filter_spec.rb
+++ b/spec/lib/banzai/filter/relative_link_filter_spec.rb
@@ -124,6 +124,15 @@ describe Banzai::Filter::RelativeLinkFilter do
 expect { filter(act) }.not_to raise_error
 end
 
+ it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in uploads' do
+ act = link("/uploads/%FF")
+ expect { filter(act) }.not_to raise_error
+ end
+
+ it 'does not raise an exception on URIs containing invalid utf-8 byte sequences in context requested path' do
+ expect { filter(link("files/test.md"), requested_path: '%FF') }.not_to raise_error
+ end
+
 it 'does not raise an exception with a garbled path' do
 act = link("open(/var/tmp/):%20/location%0Afrom:%20/test")
 expect { filter(act) }.not_to raise_error
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 8eb2f9b5bc0..7325fadbdda 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -2533,8 +2533,8 @@ describe User do
 add_user(:maintainer)
 end
 
- it 'loads' do
- expect(user.ci_owned_runners).to contain_exactly(runner)
+ it 'does not load' do
+ expect(user.ci_owned_runners).to be_empty
 end
 end
 
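Review bot: `it 'dos not show merge request title' do` in hunk @@ -125,17 +142,17 has a typo in the example description; `it 'does not show merge request title' do` matches the sibling issue example renamed in the previous hunk. The rest of the hunk only threads `:private` through the shared example.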
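Review bot: The two new examples in hunk @@ -124,6 +124,15 rely on the reader knowing why `%FF` is special; a comment on the first of them such as `# "%FF" percent-decodes to a lone 0xFF byte, which is never valid UTF-8` makes the intent self-explanatory. Both examples assert only `not_to raise_error`, so they would also pass if the filter silently dropped or emptied the link; if the filter's output is readily available in this spec, an additional assertion on the rendered href would pin the fix more tightly.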
@@ -2549,6 +2549,20 @@ describe User do
 end
 end
 
+ shared_examples :group_member do
+ context 'when the user is owner' do
+ before do
+ add_user(:owner)
+ end
+
+ it 'loads' do
+ expect(user.ci_owned_runners).to contain_exactly(runner)
+ end
+ end
+
+ it_behaves_like :member
+ end
+
 context 'with groups projects runners' do
 let(:group) { create(:group) }
 let!(:project) { create(:project, group: group) }
@@ -2557,7 +2571,7 @@ describe User do
 group.add_user(user, access)
 end
 
- it_behaves_like :member
+ it_behaves_like :group_member
 end
 
 context 'with groups runners' do
@@ -2568,14 +2582,14 @@ describe User do
 group.add_user(user, access)
 end
 
- it_behaves_like :member
+ it_behaves_like :group_member
 end
 
 context 'with other projects runners' do
 let!(:project) { create(:project) }
 
 def add_user(access)
- project.add_role(user, access)
+ project.add_user(user, access)
 end
 
 it_behaves_like :member
@@ -2593,7 +2607,7 @@ describe User do
 subgroup.add_user(another_user, :owner)
 end
 
- it_behaves_like :member
+ it_behaves_like :group_member
 end
 end
 
diff --git a/spec/requests/api/graphql/gitlab_schema_spec.rb b/spec/requests/api/graphql/gitlab_schema_spec.rb
index 1e799a0a42a..f4e0c8aede3 100644
--- a/spec/requests/api/graphql/gitlab_schema_spec.rb
+++ b/spec/requests/api/graphql/gitlab_schema_spec.rb
@@ -6,6 +6,18 @@ describe 'GitlabSchema configurations' do
 set(:project) { create(:project) }
 
 shared_examples 'imposing query limits' do
+ describe 'timeouts' do
+ context 'when timeout is reached' do
+ it 'shows an error' do
+ Timecop.scale(50000000) do # ludicrously large number because the timeout has to happen before the query even begins
+ subject
+
+ expect_graphql_errors_to_include /Timeout/
+ end
+ end
+ end
+ end
+
 describe '#max_complexity' do
 context 'when complexity is too high' do
 it 'shows an error' do
diff --git a/spec/requests/api/runners_spec.rb b/spec/requests/api/runners_spec.rb
index d26fbee6957..4e15945ff4a 100644
--- a/spec/requests/api/runners_spec.rb
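Review bot: `shared_examples :group_member` in hunk @@ -2549,6 +2549,20 layers an owner case on top of `:member` without saying why the split exists, although the swaps to `it_behaves_like :group_member` in hunks @@ -2557,7 +2571,7, @@ -2568,14 +2582,14 and @@ -2593,7 +2607,7 depend on that distinction; a comment above it such as `# Group runners are owned by group owners only; lower roles are exercised by :member and are expected not to see them.` documents the intent. The shared example calls `add_user`, which every including context has to define; the two definitions visible here do, but nothing states that contract for future callers. The `:member` shared example itself is outside these hunks.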
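Review bot: `expect_graphql_errors_to_include /Timeout/` in hunk @@ -6,6 +6,18 passes a regexp literal without parentheses, which Ruby reports as an ambiguous first argument under warnings; write it as `expect_graphql_errors_to_include(/Timeout/)`. The `Timecop.scale(50000000)` line carries its explanation as a trailing comment that pushes the line well past the usual width; putting the comment on its own line and naming the factor, e.g. `scale = 50_000_000 # so large that the timeout elapses before the query starts executing` followed by `Timecop.scale(scale) do`, reads better. The example presumes the schema's timeout is measured against scaled wall-clock time, which is not visible here.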
+++ b/spec/requests/api/runners_spec.rb
@@ -4,6 +4,7 @@ describe API::Runners do
 let(:admin) { create(:user, :admin) }
 let(:user) { create(:user) }
 let(:user2) { create(:user) }
+ let(:group_maintainer) { create(:user) }
 let(:project) { create(:project, creator_id: user.id) }
 let(:project2) { create(:project, creator_id: user.id) }
 
@@ -18,6 +19,7 @@ describe API::Runners do
 
 before do
 # Set project access for users
+ create(:group_member, :maintainer, user: group_maintainer, group: group)
 create(:project_member, :maintainer, user: user, project: project)
 create(:project_member, :maintainer, user: user, project: project2)
 create(:project_member, :reporter, user: user2, project: project)
@@ -523,6 +525,20 @@ describe API::Runners do
 end.to change { Ci::Runner.project_type.count }.by(-1)
 end
 
+ it 'does not delete group runner with maintainer access' do
+ delete api("/runners/#{group_runner.id}", group_maintainer)
+
+ expect(response).to have_http_status(403)
+ end
+
+ it 'deletes group runner with owner access' do
+ expect do
+ delete api("/runners/#{group_runner.id}", user)
+
+ expect(response).to have_http_status(204)
+ end.to change { Ci::Runner.group_type.count }.by(-1)
+ end
+
 it_behaves_like '412 response' do
 let(:request) { api("/runners/#{project_runner.id}", user) }
 end
|
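Review bot: `it 'does not delete group runner with maintainer access'` in hunk @@ -523,6 +525,20 asserts only the 403 status, so it would still pass if the runner had been removed before the authorization check; wrap the `delete` and the status expectation in `expect do ... end.not_to change { Ci::Runner.group_type.count }`, mirroring the owner example directly below it. The owner example authenticates as `user`, whose ownership of `group` is not visible in these hunks (only `group_maintainer`'s membership is set up in hunk @@ -18,6 +19,7), so it is worth confirming that `user` is a group owner rather than relying on project-level maintainer rights. `group_runner` and `group` are defined outside the hunks.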