diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-04 00:08:05 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-04 00:08:05 +0300 |
| commit | 2eff77c2efe8ad71796561cae3bcd993b9065721 (patch) | |
| tree | 964b2537abbfa9b8c5290ca82327003be52417e3 | |
| parent | 8f9307985ea047abb5b8a7c6c56bb644e0b7c363 (diff) | |
Add latest changes from gitlab-org/gitlab@master
76 files changed, 1065 insertions, 269 deletions
diff --git a/.rubocop_todo/performance/redundant_equality_comparison_block.yml b/.rubocop_todo/performance/redundant_equality_comparison_block.yml deleted file mode 100644 index 44da9710249..00000000000 --- a/.rubocop_todo/performance/redundant_equality_comparison_block.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# Cop supports --autocorrect. -Performance/RedundantEqualityComparisonBlock: - Details: grace period - Exclude: - - 'app/graphql/types/work_item_id_type.rb' - - 'app/models/concerns/group_descendant.rb' - - 'app/models/concerns/id_in_ordered.rb' - - 'app/models/todo.rb' - - 'app/validators/feature_flag_strategies_validator.rb' - - 'ee/app/helpers/ee/dashboard_helper.rb' - - 'ee/lib/compliance_management/merge_request_approval_settings/resolver.rb' - - 'ee/lib/elastic/latest/user_instance_proxy.rb' - - 'ee/lib/gitlab/geo/geo_node_status_check.rb' - - 'ee/spec/lib/ee/sidebars/projects/panel_spec.rb' - - 'lib/gitlab/ci/config/yaml/tags/reference.rb' - - 'lib/gitlab/config/entry/validators.rb' - - 'lib/gitlab/i18n/translation_entry.rb' - - 'lib/gitlab/push_options.rb' - - 'lib/gitlab/utils/delegator_override.rb' - - 'lib/gitlab/view/presenter/base.rb' - - 'spec/lib/object_storage/direct_upload_spec.rb' - - 'spec/support/import_export/project_tree_expectations.rb' diff --git a/.rubocop_todo/style/arguments_forwarding.yml b/.rubocop_todo/style/arguments_forwarding.yml index d3096575481..7ed20dbae66 100644 --- a/.rubocop_todo/style/arguments_forwarding.yml +++ b/.rubocop_todo/style/arguments_forwarding.yml @@ -13,22 +13,6 @@ Style/ArgumentsForwarding: - 'ee/lib/ee/gitlab/background_migration/migrate_approver_to_approval_rules.rb' - 'ee/spec/features/projects/mirror_spec.rb' - 'ee/spec/lib/gitlab/status_page/storage/s3_multipart_upload_spec.rb' - - 'lib/atlassian/jira_issue_key_extractor.rb' - - 'lib/bulk_imports/clients/graphql.rb' - - 'lib/gitlab/allowable.rb' - - 'lib/gitlab/auth/ldap/adapter.rb' - - 'lib/gitlab/ci/config/external/mapper/base.rb' - - 'lib/gitlab/database/migrations/background_migration_helpers.rb' - - 'lib/gitlab/dependency_linker/base_linker.rb' - - 'lib/gitlab/git/repository.rb' - - 'lib/gitlab/github_import/markdown_text.rb' - - 'lib/gitlab/graphql/authorize/authorize_resource.rb' - - 'lib/gitlab/import_export/base/object_builder.rb' - - 'lib/gitlab/metrics/dashboard/url.rb' - - 'lib/gitlab/nav/top_nav_view_model_builder.rb' - - 'lib/gitlab/omniauth_initializer.rb' - - 'lib/gitlab/push_options.rb' - - 'lib/tasks/import.rake' - 'qa/qa/runtime/application_settings.rb' - 'spec/features/dashboard/issues_filter_spec.rb' - 'spec/features/merge_request/batch_comments_spec.rb' diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 65023816ad5..03971a269b4 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -57e11eb9431c93a6349ffc0222cf447705c0fada +4c0a6bccd88d334bc12c5d90f234f1d1c14ac13f diff --git a/app/graphql/mutations/ci/job_token_scope/add_project.rb b/app/graphql/mutations/ci/job_token_scope/add_project.rb index e16c08cb116..6f0f87b47a1 100644 --- a/app/graphql/mutations/ci/job_token_scope/add_project.rb +++ b/app/graphql/mutations/ci/job_token_scope/add_project.rb @@ -18,18 +18,23 @@ module Mutations required: true, description: 'Project to be added to the CI job token scope.' + argument :direction, + ::Types::Ci::JobTokenScope::DirectionEnum, + required: false, + description: 'Direction of access, which defaults to outbound.' + field :ci_job_token_scope, - Types::Ci::JobTokenScopeType, - null: true, - description: "CI job token's scope of access." + Types::Ci::JobTokenScopeType, + null: true, + description: "CI job token's access scope." - def resolve(project_path:, target_project_path:) + def resolve(project_path:, target_project_path:, direction: :outbound) project = authorized_find!(project_path) target_project = Project.find_by_full_path(target_project_path) result = ::Ci::JobTokenScope::AddProjectService .new(project, current_user) - .execute(target_project) + .execute(target_project, direction: direction) if result.success? { diff --git a/app/graphql/types/ci/job_token_scope/direction_enum.rb b/app/graphql/types/ci/job_token_scope/direction_enum.rb new file mode 100644 index 00000000000..f52cf891af8 --- /dev/null +++ b/app/graphql/types/ci/job_token_scope/direction_enum.rb @@ -0,0 +1,21 @@ +# frozen_string_literal: true + +module Types + module Ci + module JobTokenScope + class DirectionEnum < BaseEnum + graphql_name 'CiJobTokenScopeDirection' + description 'Direction of access.' + + value 'OUTBOUND', + value: :outbound, + description: 'Job token scope project can access target project in the outbound allowlist.' + + value 'INBOUND', + value: :inbound, + description: 'Target projects in the inbound allowlist can access the scope project ' \ + 'through their job tokens.' + end + end + end +end diff --git a/app/graphql/types/ci/job_token_scope_type.rb b/app/graphql/types/ci/job_token_scope_type.rb index 9c9c7ccb8d1..639bbaa22af 100644 --- a/app/graphql/types/ci/job_token_scope_type.rb +++ b/app/graphql/types/ci/job_token_scope_type.rb @@ -11,7 +11,23 @@ module Types Types::ProjectType.connection_type, null: false, description: 'Allow list of projects that can be accessed by CI Job tokens created by this project.', + method: :outbound_projects, + deprecated: { + reason: 'The `projects` attribute is being deprecated. Use `outbound_allowlist`', + milestone: '15.9' + } + + field :outbound_allowlist, + Types::ProjectType.connection_type, + null: false, + description: "Allow list of projects that are accessible using the current project's CI Job tokens.", method: :outbound_projects + + field :inbound_allowlist, + Types::ProjectType.connection_type, + null: false, + description: "Allow list of projects that can access the current project through its CI Job tokens.", + method: :inbound_projects end end # rubocop: enable Graphql/AuthorizeTypes diff --git a/app/graphql/types/work_item_id_type.rb b/app/graphql/types/work_item_id_type.rb index bb01f865414..777edfad529 100644 --- a/app/graphql/types/work_item_id_type.rb +++ b/app/graphql/types/work_item_id_type.rb @@ -37,7 +37,11 @@ module Types def suitable?(gid) return false if gid&.model_name&.safe_constantize.blank? + # Using === operation doesn't work for model classes. + # See https://github.com/rails/rails/blob/v6.1.6.1/activerecord/lib/active_record/core.rb#L452 + # rubocop:disable Performance/RedundantEqualityComparisonBlock [::WorkItem, ::Issue].any? { |model_class| gid.model_class == model_class } + # rubocop:enable Performance/RedundantEqualityComparisonBlock end private diff --git a/app/helpers/emails_helper.rb b/app/helpers/emails_helper.rb index f6de405cecb..212d72c479a 100644 --- a/app/helpers/emails_helper.rb +++ b/app/helpers/emails_helper.rb @@ -290,15 +290,27 @@ module EmailsHelper added_reviewers = new_reviewers - previous_reviewers removed_reviewers = previous_reviewers - new_reviewers - added_reviewers_template_text = added_reviewers.size > 1 ? "were added as reviewers.<br>" : "was added as a reviewer.<br>" - removed_reviewers_template_text = removed_reviewers.size > 1 ? "were removed from reviewers." : "was removed from reviewers." - - added = format_reviewers_string(added_reviewers, html_tag) - removed = format_reviewers_string(removed_reviewers, html_tag) - - added_reviewers_text = added ? "#{added} #{added_reviewers_template_text}".html_safe : '' - removed_reviewers_text = removed ? "#{removed} #{removed_reviewers_template_text}".html_safe : '' - s_('ChangeReviewer|%{added_reviewers_text}%{removed_reviewers_text}').html_safe % { added_reviewers_text: added_reviewers_text, removed_reviewers_text: removed_reviewers_text } + added_reviewers_text = if added_reviewers.any? + n_( + '%{reviewer_names} was added as a reviewer.', + '%{reviewer_names} were added as reviewers.', + added_reviewers.size) % { + reviewer_names: format_reviewers_string(added_reviewers, html_tag) + } + end + + removed_reviewers_text = if removed_reviewers.any? + n_( + '%{reviewer_names} was removed from reviewers.', + '%{reviewer_names} were removed from reviewers.', + removed_reviewers.size) % { + reviewer_names: format_reviewers_string(removed_reviewers, html_tag) + } + end + + line_delimiter = html_tag.present? ? '<br>' : "\n" + + [added_reviewers_text, removed_reviewers_text].compact.join(line_delimiter).html_safe end end diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index d58136717b9..e1eda95f19c 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -13,6 +13,7 @@ class ApplicationSetting < ApplicationRecord ignore_column :user_email_lookup_limit, remove_with: '15.0', remove_after: '2022-04-18' ignore_column :send_user_confirmation_email, remove_with: '15.8', remove_after: '2022-12-18' ignore_column :web_ide_clientside_preview_enabled, remove_with: '15.11', remove_after: '2023-04-22' + ignore_column :clickhouse_connection_string, remove_with: '15.11', remove_after: '2023-04-22' INSTANCE_REVIEW_MIN_USERS = 50 GRAFANA_URL_ERROR_MESSAGE = 'Please check your Grafana URL setting in ' \ diff --git a/app/models/ci/job_token/allowlist.rb b/app/models/ci/job_token/allowlist.rb index 9e9a0a68ebd..618dc2da05c 100644 --- a/app/models/ci/job_token/allowlist.rb +++ b/app/models/ci/job_token/allowlist.rb @@ -17,6 +17,15 @@ module Ci Project.from_union(target_projects, remove_duplicates: false) end + def add!(target_project, user:) + Ci::JobToken::ProjectScopeLink.create!( + source_project: @source_project, + direction: @direction, + target_project: target_project, + added_by: user + ) + end + private def source_links diff --git a/app/models/ci/job_token/scope.rb b/app/models/ci/job_token/scope.rb index 93bfa35f5c6..96faf3792d1 100644 --- a/app/models/ci/job_token/scope.rb +++ b/app/models/ci/job_token/scope.rb @@ -39,6 +39,15 @@ module Ci inbound_allowlist.projects end + def add!(added_project, user:, direction:) + case direction + when :inbound + inbound_allowlist.add!(added_project, user: user) + when :outbound + outbound_allowlist.add!(added_project, user: user) + end + end + private def outbound_accessible?(accessed_project) diff --git a/app/models/concerns/group_descendant.rb b/app/models/concerns/group_descendant.rb index b376537a418..224ac8930b5 100644 --- a/app/models/concerns/group_descendant.rb +++ b/app/models/concerns/group_descendant.rb @@ -21,7 +21,7 @@ module GroupDescendant descendants = Array.wrap(descendants).uniq return [] if descendants.empty? - unless descendants.all? { |hierarchy| hierarchy.is_a?(GroupDescendant) } + unless descendants.all?(GroupDescendant) raise ArgumentError, _('element is not a hierarchy') end diff --git a/app/models/concerns/id_in_ordered.rb b/app/models/concerns/id_in_ordered.rb index b89409e6841..39067574520 100644 --- a/app/models/concerns/id_in_ordered.rb +++ b/app/models/concerns/id_in_ordered.rb @@ -5,7 +5,7 @@ module IdInOrdered included do scope :id_in_ordered, -> (ids) do - raise ArgumentError, "ids must be an array of integers" unless ids.is_a?(Enumerable) && ids.all? { |id| id.is_a?(Integer) } + raise ArgumentError, "ids must be an array of integers" unless ids.is_a?(Enumerable) && ids.all?(Integer) # No need to sort if no more than 1 and the sorting code doesn't work # with an empty array diff --git a/app/models/todo.rb b/app/models/todo.rb index 37f66916b85..8708d856dc2 100644 --- a/app/models/todo.rb +++ b/app/models/todo.rb @@ -251,7 +251,7 @@ class Todo < ApplicationRecord end def for_issue_or_work_item? - [Issue.name, WorkItem.name].any? { |klass_name| target_type == klass_name } + [Issue.name, WorkItem.name].any?(target_type) end # override to return commits, which are not active record diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index fa7b117f3cd..d028738ccc9 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb @@ -22,6 +22,10 @@ class GlobalPolicy < BasePolicy condition(:project_bot, scope: :user) { @user&.project_bot? } condition(:migration_bot, scope: :user) { @user&.migration_bot? } + condition(:create_runner_workflow_enabled) do + Feature.enabled?(:create_runner_workflow) + end + rule { anonymous }.policy do prevent :log_in prevent :receive_notifications @@ -115,6 +119,11 @@ class GlobalPolicy < BasePolicy enable :approve_user enable :reject_user enable :read_usage_trends_measurement + enable :create_instance_runners + end + + rule { ~create_runner_workflow_enabled }.policy do + prevent :create_instance_runners end # We can't use `read_statistics` because the user may have different permissions for different projects diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 1dae2682772..abb3616c58f 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -84,6 +84,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy with_scope :subject condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? } + condition(:create_runner_workflow_enabled) do + Feature.enabled?(:create_runner_workflow) + end + condition(:group_runner_registration_allowed, scope: :subject) do Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled? end @@ -200,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group_runners enable :admin_group_runners enable :register_group_runners + enable :create_group_runners enable :set_note_created_at enable :set_emails_disabled @@ -308,6 +313,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { ~admin & ~group_runner_registration_allowed }.policy do prevent :register_group_runners + prevent :create_group_runners end rule { migration_bot }.policy do @@ -319,6 +325,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_observability end + rule { ~create_runner_workflow_enabled }.policy do + prevent :create_group_runners + end + def access_level(for_any_session: false) return GroupMember::NO_ACCESS if @user.nil? return GroupMember::NO_ACCESS unless user_is_user? diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 4b9e999231e..d198b3bed72 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -234,6 +234,10 @@ class ProjectPolicy < BasePolicy Gitlab.config.packages.enabled end + condition(:create_runner_workflow_enabled) do + Feature.enabled?(:create_runner_workflow) + end + # `:read_project` may be prevented in EE, but `:read_project_for_iids` should # not. rule { guest | admin }.enable :read_project_for_iids @@ -272,6 +276,7 @@ class ProjectPolicy < BasePolicy enable :set_warn_about_potentially_unwanted_characters enable :register_project_runners + enable :create_project_runners enable :manage_owners end @@ -522,6 +527,7 @@ class ProjectPolicy < BasePolicy enable :destroy_freeze_period enable :admin_feature_flags_client enable :register_project_runners + enable :create_project_runners enable :update_runners_registration_token enable :admin_project_google_cloud enable :admin_secure_files @@ -826,6 +832,7 @@ class ProjectPolicy < BasePolicy rule { ~admin & ~project_runner_registration_allowed }.policy do prevent :register_project_runners + prevent :create_project_runners end rule { can?(:admin_project_member) }.policy do @@ -850,6 +857,10 @@ class ProjectPolicy < BasePolicy enable :read_code end + rule { ~create_runner_workflow_enabled }.policy do + prevent :create_project_runners + end + private def user_is_user? diff --git a/app/services/ci/job_token_scope/add_project_service.rb b/app/services/ci/job_token_scope/add_project_service.rb index d03ae434b69..15553ad6e92 100644 --- a/app/services/ci/job_token_scope/add_project_service.rb +++ b/app/services/ci/job_token_scope/add_project_service.rb @@ -5,10 +5,14 @@ module Ci class AddProjectService < ::BaseService include EditScopeValidations - def execute(target_project) + def execute(target_project, direction: :outbound) + direction = :outbound if Feature.disabled?(:ci_inbound_job_token_scope) + validate_edit!(project, target_project, current_user) - link = add_project!(target_project) + link = allowlist(direction) + .add!(target_project, user: current_user) + ServiceResponse.success(payload: { project_link: link }) rescue ActiveRecord::RecordNotUnique @@ -19,12 +23,10 @@ module Ci ServiceResponse.error(message: e.message) end - def add_project!(target_project) - ::Ci::JobToken::ProjectScopeLink.create!( - source_project: project, - target_project: target_project, - added_by: current_user - ) + private + + def allowlist(direction) + Ci::JobToken::Allowlist.new(project, direction: direction) end end end diff --git a/app/validators/feature_flag_strategies_validator.rb b/app/validators/feature_flag_strategies_validator.rb index a933a307626..6008074414b 100644 --- a/app/validators/feature_flag_strategies_validator.rb +++ b/app/validators/feature_flag_strategies_validator.rb @@ -15,7 +15,7 @@ class FeatureFlagStrategiesValidator < ActiveModel::EachValidator def validate_each(record, attribute, value) return unless value - if value.is_a?(Array) && value.all? { |s| s.is_a?(Hash) } + if value.is_a?(Array) && value.all?(Hash) value.each do |strategy| strategy_validations(record, attribute, strategy) end diff --git a/app/views/groups/settings/packages_and_registries/show.html.haml b/app/views/groups/settings/packages_and_registries/show.html.haml index 2861e696e31..faed486b20f 100644 --- a/app/views/groups/settings/packages_and_registries/show.html.haml +++ b/app/views/groups/settings/packages_and_registries/show.html.haml @@ -1,5 +1,5 @@ -- breadcrumb_title _('Package and registry settings') -- page_title _('Package and registry settings') +- breadcrumb_title _('Packages and registries settings') +- page_title _('Packages and registries settings') - @content_class = 'limit-container-width' unless fluid_layout %section#js-packages-and-registries-settings{ data: { group_path: @group.full_path, diff --git a/app/views/projects/settings/packages_and_registries/cleanup_tags.html.haml b/app/views/projects/settings/packages_and_registries/cleanup_tags.html.haml index 5244587c16d..d27d268d65e 100644 --- a/app/views/projects/settings/packages_and_registries/cleanup_tags.html.haml +++ b/app/views/projects/settings/packages_and_registries/cleanup_tags.html.haml @@ -1,6 +1,6 @@ -- add_to_breadcrumbs _('Package and registry settings'), project_settings_packages_and_registries_path(@project) +- add_to_breadcrumbs _('Packages and registries settings'), project_settings_packages_and_registries_path(@project) - breadcrumb_title s_('ContainerRegistry|Clean up image tags') -- page_title s_('ContainerRegistry|Clean up image tags'), _('Package and registry settings') +- page_title s_('ContainerRegistry|Clean up image tags'), _('Packages and registries settings') - @content_class = 'limit-container-width' unless fluid_layout #js-registry-settings-cleanup-image-tags{ data: cleanup_settings_data } diff --git a/app/views/projects/settings/packages_and_registries/show.html.haml b/app/views/projects/settings/packages_and_registries/show.html.haml index e0ac07f5f31..c81b38f44dd 100644 --- a/app/views/projects/settings/packages_and_registries/show.html.haml +++ b/app/views/projects/settings/packages_and_registries/show.html.haml @@ -1,5 +1,5 @@ -- breadcrumb_title _('Package and registry settings') -- page_title _('Package and registry settings') +- breadcrumb_title _('Packages and registries settings') +- page_title _('Packages and registries settings') - @content_class = 'limit-container-width' unless fluid_layout #js-registry-settings{ data: settings_data } diff --git a/config/feature_categories.yml b/config/feature_categories.yml index 2d279c7506c..31a71913f4f 100644 --- a/config/feature_categories.yml +++ b/config/feature_categories.yml @@ -87,6 +87,7 @@ - mlops - mobile_signing_deployment - navigation +- no_code_automation - omnibus_package - on_call_schedule_management - onboarding diff --git a/db/init_structure.sql b/db/init_structure.sql index 00f06078426..0883ef40d82 100644 --- a/db/init_structure.sql +++ b/db/init_structure.sql @@ -10,6 +10,8 @@ CREATE EXTENSION IF NOT EXISTS btree_gist; CREATE EXTENSION IF NOT EXISTS pg_trgm; +CREATE EXTENSION IF NOT EXISTS plpgsql; + CREATE FUNCTION set_has_external_issue_tracker() RETURNS trigger LANGUAGE plpgsql AS $$ diff --git a/db/structure.sql b/db/structure.sql index aa0a4f486ca..7cac710290a 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -10,6 +10,8 @@ CREATE EXTENSION IF NOT EXISTS btree_gist; CREATE EXTENSION IF NOT EXISTS pg_trgm; +CREATE EXTENSION IF NOT EXISTS plpgsql; + CREATE FUNCTION delete_associated_project_namespace() RETURNS trigger LANGUAGE plpgsql AS $$ diff --git a/doc/administration/dedicated/index.md b/doc/administration/dedicated/index.md new file mode 100644 index 00000000000..22b8cc13637 --- /dev/null +++ b/doc/administration/dedicated/index.md @@ -0,0 +1,140 @@ +--- +stage: SaaS Platforms +group: GitLab Dedicated +info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments" +description: 'Learn how to configure your GitLab Dedicated instance.' +--- + +# Configure GitLab Dedicated **(ULTIMATE)** + +GitLab Dedicated is a single-tenant SaaS solution, fully managed and hosted by GitLab. For more information about this offering, see the [subscription page](../../subscriptions/gitlab_dedicated/index.md). + +The instructions on this page guide you through: + +1. Onboarding and initial setup of your GitLab Dedicated instance. +1. Configuring your GitLab Dedicated instance including enabling and updating the settings for [available functionality](../../subscriptions/gitlab_dedicated/index.md#available-features). + +Any functionality in the GitLab application that is not controlled by the SaaS environment can be configured by using the [Admin Panel](../../user/admin_area/index.md). + +## Onboarding + +To request the creation of a new GitLab Dedicated environment for your organization, you must provide the following information to your account team: + +- Expected number of users. +- Desired primary region: Primary AWS region in which your data is stored (do note the [list of unsupported regions](../../subscriptions/gitlab_dedicated/index.md#aws-regions-not-supported)). +- Desired secondary region: Secondary AWS region in which your data is stored. This region is used to recover your GitLab Dedicated instance in case of a disaster. +- Desired backup region: An AWS region where the primary backups of your data are replicated. This can be the same as the primary or secondary region or different. +- Desired instance subdomain: The main domain for GitLab Dedicated instances is `gitlab-dedicated.com`. You get to choose the subdomain name where your instance is accessible from (for example, `customer_name.gitlab-dedicated.com`). +- Initial storage: Initial storage size for your repositories in GB. +- Availability Zone IDs for PrivateLink: If you plan to later add a PrivateLink connection (either [inbound](#inbound-private-link) or [outbound](#outbound-private-link)) to your environment, and you require the connections to be available in specific Availability Zones, you must provide up to two [Availability Zone IDs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids) during onboarding. If not specified, GitLab will select two random Availability Zone IDs in which the connections will be available. + +### Maintenance window + +When onboarding, you must also specify your preference for the weekly four-hour timeslot that GitLab uses to perform maintenance and upgrade operations on the tenant instance. + +- APAC (outside working hours): Wednesday 1pm-5pm UTC +- EU (outside working hours): Tuesday 1am-5am UTC +- AMER (outside working hours): Tuesday 7am-11am UTC + +NOTE: +Some downtime may be incurred during this window. This downtime is not counting towards [the system SLA](https://about.gitlab.com/handbook/engineering/infrastructure/team/gitlab-dedicated/slas/). + +## Configuration changes + +To change or update the configuration for your GitLab Dedicated instance, open a [support ticket](https://support.gitlab.com/hc/en-us/requests/new?ticket_form_id=4414917877650) with your request. You can request configuration changes for the options originally specified during onboarding, or for any of the optional features below. + +The turnaround time for processing configuration change requests is [documented in the GitLab handbook](https://about.gitlab.com/handbook/engineering/infrastructure/team/gitlab-dedicated/#handling-configuration-changes-for-tenant-environments). + +### Inbound Private Link + +[AWS Private Link](https://docs.aws.amazon.com/vpc/latest/privatelink/what-is-privatelink.html) allows users and applications in your VPC on AWS to securely connect to the GitLab Dedicated endpoint without network traffic going over the public internet. + +To enable the Inbound Private Link: + +1. In the body of your [support ticket](#configuration-changes), include the IAM Principal for the AWS user or role in your own AWS Organization that will be establishing the VPC endpoint within your AWS account. GitLab Dedicated uses this IAM Principal for access-control. This IAM principal will be the only one able to set up an endpoint to the service. +1. After your IAM Principal has been allowlisted, GitLab [creates the Endpoint Service](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) and communicates the `Service Endpoint Name` on the support ticket. The service name is generated by AWS upon creation of the service endpoint. + - GitLab handles the domain verification for the Private DNS name, so that DNS resolution of the tenant instance domain name in your VPC resolves to the PrivateLink endpoint. + - GitLab makes the Endpoint Service available in the Availability Zones you specified during the initial onboarding. If you did not specify any Availability Zones, GitLab randomly selects the Availability Zones IDs. +1. In your own AWS account, create an [Endpoint Interface](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html) in your VPC, with the following settings: + - Service Endpoint Name: use the name provided by GitLab on the support ticket. + - Private DNS names enabled: yes. + - Subnets: choose all matching subnets. + +1. After you create the endpoint, use the instance URL provided to you during onboarding to securely connect to your GitLab Dedicated instance from your VPC, without the traffic going over the public internet. + +### Outbound Private Link + +Outbound Private Links allow the GitLab Dedicated instance to securely communicate with services running in your VPC on AWS. This type of connection can execute [webhooks](../../user/project/integrations/webhooks.md) where the targeted services are running in your VPC, import or mirror projects and repositories, or use any other GitLab functionality to access private services. + +To enable an Outbound Private Link: + +1. In your [support ticket](#configuration-changes), GitLab provides you with an IAM role ARN that connects to your endpoint service. You can then add this ARN to the allowlist on your side to restrict connections to your endpoint service. +1. [Create the Endpoint service](https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html) through which your internal service will be made available to GitLab Dedicated. Provide the associated `Service Endpoint Name` on the [support ticket](#configuration-changes). +1. When creating the Endpoint service, you must provide GitLab with a [verified Private DNS Name](https://docs.aws.amazon.com/vpc/latest/privatelink/manage-dns-names.html#verify-domain-ownership) for your service. Optionally, if you would like GitLab Dedicated to reach your service via other aliases, you have the ability to specify a list of Private Hosted Zone (PHZ) entries. With this option, GitLab sets up a Private Hosted Zone with DNS names aliased to the verified Private DNS name. To enable this functionality, you must provide GitLab a list of PHZ entries on your support ticket. After the PHZ has been created in the tenant environment, DNS resolution of any of the provided records will correctly resolve to the PrivateLink endpoint. +1. GitLab then configures the tenant instance to create the necessary Endpoint Interfaces based on the service names you provided. Any outbound calls made from the tenant GitLab instance are directed through the PrivateLink into your VPC. + +#### Custom certificates + +In some cases, the GitLab Dedicated instance can't reach an internal service you own because it exposes a certificate that can't be validated using a public Certification Authority (CA). In these cases, custom certificates are required. + +To request that GitLab add custom certificates when communicating with your services over PrivateLink, attach the custom public certificate files to your [support ticket](#configuration-changes). + +#### Maximum number of reverse PrivateLink connections + +GitLab Dedicated limits the number of reverse PrivateLink connections to 10. + +### IP allowlist + +GitLab Dedicated allows you to control which IP addresses can access your instance through an IP allowlist. + +Specify a comma separated list of IP addresses that can access your GitLab Dedicated instance in your [support ticket](#configuration-changes). After the configuration has been applied, when an IP not on the allowlist tries to access your instance, the connection is refused. + +### SAML + +Prerequisites: + +- You must configure the identity provider before sending the required data to GitLab. + +To activate SAML for your GitLab Dedicated instance: + +1. Read the [GitLab documentation about SAML](../../integration/saml.md#https://docs.gitlab.com/ee/integration/saml.html#configure-saml-on-your-idp) to gather all data your identity provider requires for configuration. You can also find some providers and their requirements in the [group SAML documentation](../../user/group/saml_sso/index.md#providers). +1. To make the necessary changes, include in your [support ticket](#configuration-changes) the desired [SAML configuration block](../../integration/saml.md#configure-saml-support-in-gitlab) that will be set on the GitLab application. At a minimum, GitLab needs the following information to enable SAML for your instance: + - Assertion consumer service URL + - Certificate fingerprint or certificate + - NameID format + - SSO login button description + +1. After GitLab deploys the SAML configuration to your instance, you will be notified on your support ticket. +1. To verify the SAML configuration is successful: + - Check that the SSO login button description is displayed on your instance's login page. + - Go to the metadata URL of your instance (`https://INSTANCE-URL/users/auth/saml/metadata`). This page can be used to simplify much of the configuration of the identity provider, as well as manually validate the settings. + +#### Request signing + +If [SAML request signing](../../integration/saml.md#sign-saml-authentication-requests-optional) is desired, a certificate must be obtained. This certificate can be self-signed which has the advantage of not having to prove ownership of an arbitrary Common Name (CN) to a public Certificate Authority (CA)). + +To enable SAML request signing, indicate on your SAML [support ticket](#configuration-changes) that you would like request signing enabled. GitLab will then work with you on sending the Certificate Signing Request (CSR) for you to sign. Alternatively, the CSR can be signed with a public CA. After the certificate is signed, GitLab will add the certificate and its associated private key to the `security` section of the SAML configuration. Authentication requests from GitLab to your identity provider will then be signed. + +#### SAML groups + +With SAML groups you can configure GitLab users based on SAML group membership. + +To enable SAML groups, add the [required elements](../../integration/saml.md#configure-users-based-on-saml-group-membership) to the SAML configuration block you provide in your [support ticket](#configuration-changes). + +#### Group sync + +With [group sync](../../user/group/saml_sso/group_sync.md), you can sync users across identity provider groups to mapped groups in GitLab. + +To enable group sync: + +1. Add the [required elements](../../user/group/saml_sso/group_sync.md#configure-saml-group-sync) to the SAML configuration block you provide in your [support ticket](#configuration-changes). +1. Configure the [Group Links](../../user/group/saml_sso/group_sync.md#configure-saml-group-links). + +### Access to application logs + +GitLab [application logs](../../administration/logs/index.md) are delivered to an S3 bucket in the GitLab tenant account, which can be shared with you. + +To gain read only access to this bucket: + +1. Open a [support ticket](#configuration-changes) with the title "Customer Log Access". In the body of the ticket, include a list of IAM Principal ARNs (users or roles) that will be fetching the logs from S3. +1. GitLab will then inform you of the name of the S3 bucket. Your nominated users/roles will then be able to list and get all objects in the S3 bucket. diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 3ab763526f5..18fe7435f1d 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -1183,6 +1183,7 @@ Input type: `CiJobTokenScopeAddProjectInput` | Name | Type | Description | | ---- | ---- | ----------- | | <a id="mutationcijobtokenscopeaddprojectclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | +| <a id="mutationcijobtokenscopeaddprojectdirection"></a>`direction` | [`CiJobTokenScopeDirection`](#cijobtokenscopedirection) | Direction of access, which defaults to outbound. | | <a id="mutationcijobtokenscopeaddprojectprojectpath"></a>`projectPath` | [`ID!`](#id) | Project that the CI job token scope belongs to. | | <a id="mutationcijobtokenscopeaddprojecttargetprojectpath"></a>`targetProjectPath` | [`ID!`](#id) | Project to be added to the CI job token scope. | @@ -1190,7 +1191,7 @@ Input type: `CiJobTokenScopeAddProjectInput` | Name | Type | Description | | ---- | ---- | ----------- | -| <a id="mutationcijobtokenscopeaddprojectcijobtokenscope"></a>`ciJobTokenScope` | [`CiJobTokenScopeType`](#cijobtokenscopetype) | CI job token's scope of access. | +| <a id="mutationcijobtokenscopeaddprojectcijobtokenscope"></a>`ciJobTokenScope` | [`CiJobTokenScopeType`](#cijobtokenscopetype) | CI job token's access scope. | | <a id="mutationcijobtokenscopeaddprojectclientmutationid"></a>`clientMutationId` | [`String`](#string) | A unique identifier for the client performing the mutation. | | <a id="mutationcijobtokenscopeaddprojecterrors"></a>`errors` | [`[String!]!`](#string) | Errors encountered during execution of the mutation. | @@ -11348,7 +11349,9 @@ CI/CD variables for a GitLab instance. | Name | Type | Description | | ---- | ---- | ----------- | -| <a id="cijobtokenscopetypeprojects"></a>`projects` | [`ProjectConnection!`](#projectconnection) | Allow list of projects that can be accessed by CI Job tokens created by this project. (see [Connections](#connections)) | +| <a id="cijobtokenscopetypeinboundallowlist"></a>`inboundAllowlist` | [`ProjectConnection!`](#projectconnection) | Allow list of projects that can access the current project through its CI Job tokens. (see [Connections](#connections)) | +| <a id="cijobtokenscopetypeoutboundallowlist"></a>`outboundAllowlist` | [`ProjectConnection!`](#projectconnection) | Allow list of projects that are accessible using the current project's CI Job tokens. (see [Connections](#connections)) | +| <a id="cijobtokenscopetypeprojects"></a>`projects` **{warning-solid}** | [`ProjectConnection!`](#projectconnection) | **Deprecated** in 15.9. The `projects` attribute is being deprecated. Use `outbound_allowlist`. | ### `CiJobsDurationStatistics` @@ -21800,6 +21803,15 @@ Deploy freeze period status. | <a id="cijobstatussuccess"></a>`SUCCESS` | A job that is success. | | <a id="cijobstatuswaiting_for_resource"></a>`WAITING_FOR_RESOURCE` | A job that is waiting for resource. | +### `CiJobTokenScopeDirection` + +Direction of access. + +| Value | Description | +| ----- | ----------- | +| <a id="cijobtokenscopedirectioninbound"></a>`INBOUND` | Target projects in the inbound allowlist can access the scope project through their job tokens. | +| <a id="cijobtokenscopedirectionoutbound"></a>`OUTBOUND` | Job token scope project can access target project in the outbound allowlist. | + ### `CiRunnerAccessLevel` | Value | Description | diff --git a/doc/development/code_review.md b/doc/development/code_review.md index ee85c34b54d..a3906990402 100644 --- a/doc/development/code_review.md +++ b/doc/development/code_review.md @@ -718,7 +718,7 @@ Enterprise Edition instance. This has some implications: cached value returns (say, from a string or nil to an array), change the cache key at the same time. 1. **Settings** should be added as a - [last resort](https://about.gitlab.com/handbook/product/#convention-over-configuration). + [last resort](https://about.gitlab.com/handbook/product/product-principles/#convention-over-configuration). If you're adding a new setting in `gitlab.yml`: 1. Try to avoid that, and add to `ApplicationSetting` instead. 1. Ensure that it is also diff --git a/doc/integration/advanced_search/elasticsearch.md b/doc/integration/advanced_search/elasticsearch.md index b693140ae18..9a42a6112e7 100644 --- a/doc/integration/advanced_search/elasticsearch.md +++ b/doc/integration/advanced_search/elasticsearch.md @@ -237,7 +237,7 @@ in your Sidekiq logs. For more information, see #### Elasticsearch with role privileges -To access Elasticsearch, you must have at least the following privileges in GitLab: +To access and perform operations in Elasticsearch, GitLab requires a role with the following privileges: ```json { diff --git a/doc/user/application_security/policies/scan-result-policies.md b/doc/user/application_security/policies/scan-result-policies.md index b87c6328d99..179cd6d6fa2 100644 --- a/doc/user/application_security/policies/scan-result-policies.md +++ b/doc/user/application_security/policies/scan-result-policies.md @@ -79,7 +79,7 @@ This rule enforces the defined actions based on security scan findings. | `scanners` | `array` of `string` | `sast`, `secret_detection`, `dependency_scanning`, `container_scanning`, `dast`, `coverage_fuzzing`, `api_fuzzing` | The security scanners for this rule to consider. | | `vulnerabilities_allowed` | `integer` | Greater than or equal to zero | Number of vulnerabilities allowed before this rule is considered. | | `severity_levels` | `array` of `string` | `info`, `unknown`, `low`, `medium`, `high`, `critical`| The severity levels for this rule to consider. | -| `vulnerability_states` | `array` of `string` | `newly_detected`, `detected`, `confirmed`, `resolved`, `dismissed` | All vulnerabilities fall into two categories:<br><br>**Newly Detected Vulnerabilities** - the `newly_detected` policy option covers vulnerabilities that are both `Detected` or `Dismissed` within the merge request itself where the vulnerabilities do not currently exist on the default branch. This policy option requires a pipeline to complete before the rule is evaluated so that it knows whether vulnerabilities are newly detected or not. Merge requests are blocked until the pipeline, and necessary security scans are complete.<br><br> • Detected<br> • Dismissed<br><br>**Pre-Existing Vulnerabilities** - these policy options are evaluated immediately and do not require a pipeline complete as they consider only vulnerabilities previously detected in the default branch.<br><br> • `Detected` - the policy looks for vulnerabilities in the detected state.<br> • `Confirmed` - the policy looks for vulnerabilities in the confirmed state.<br> • `Dismissed` - the policy looks for vulnerabilities in the dismissed state.<br> • `Resolved` - the policy looks for vulnerabilities in the resolved state. | +| `vulnerability_states` | `array` of `string` | `newly_detected`, `detected`, `confirmed`, `resolved`, `dismissed` | All vulnerabilities fall into two categories:<br><br>**Newly Detected Vulnerabilities** - the `newly_detected` policy option covers vulnerabilities identified in the merge request branch itself but that do not currently exist on the default branch. This policy option requires a pipeline to complete before the rule is evaluated so that it knows whether vulnerabilities are newly detected or not. Merge requests are blocked until the pipeline and necessary security scans are complete. The `newly_detected` option considers both of the following statuses:<br><br> • Detected<br> • Dismissed<br><br>**Pre-Existing Vulnerabilities** - these policy options are evaluated immediately and do not require a pipeline complete as they consider only vulnerabilities previously detected in the default branch.<br><br> • `Detected` - the policy looks for vulnerabilities in the detected state.<br> • `Confirmed` - the policy looks for vulnerabilities in the confirmed state.<br> • `Dismissed` - the policy looks for vulnerabilities in the dismissed state.<br> • `Resolved` - the policy looks for vulnerabilities in the resolved state. | ## `license_finding` rule type diff --git a/lib/api/draft_notes.rb b/lib/api/draft_notes.rb index ece4e1a6584..0cf0f43a839 100644 --- a/lib/api/draft_notes.rb +++ b/lib/api/draft_notes.rb @@ -16,6 +16,10 @@ module API def load_draft_notes(params:) merge_request(params: params).draft_notes.authored_by(current_user) end + + def get_draft_note(params:) + load_draft_notes(params: params).find(params[:draft_note_id]) + end end resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do @@ -34,6 +38,28 @@ module API get ":id/merge_requests/:merge_request_iid/draft_notes", feature_category: :code_review_workflow do present load_draft_notes(params: params), with: Entities::DraftNote end + + desc "Get a single draft note" do + success Entities::DraftNote + failure [ + { code: 401, message: 'Unauthorized' }, + { code: 404, message: 'Not found' } + ] + end + params do + requires :id, type: String, desc: "The ID of a project" + requires :merge_request_iid, type: Integer, desc: "The ID of a merge request" + requires :draft_note_id, type: Integer, desc: "The ID of a draft note" + end + get ":id/merge_requests/:merge_request_iid/draft_notes/:draft_note_id", feature_category: :code_review_workflow do + draft_note = get_draft_note(params: params) + + if draft_note + present draft_note, with: Entities::DraftNote + else + not_found!("Draft Note") + end + end end end end diff --git a/lib/atlassian/jira_issue_key_extractor.rb b/lib/atlassian/jira_issue_key_extractor.rb index f1b432787ac..968e8b0f82e 100644 --- a/lib/atlassian/jira_issue_key_extractor.rb +++ b/lib/atlassian/jira_issue_key_extractor.rb @@ -2,8 +2,8 @@ module Atlassian class JiraIssueKeyExtractor - def self.has_keys?(*text) - new(*text).issue_keys.any? + def self.has_keys?(...) + new(...).issue_keys.any? end def initialize(*text) diff --git a/lib/bulk_imports/clients/graphql.rb b/lib/bulk_imports/clients/graphql.rb index a9f908a4247..b8c80886a60 100644 --- a/lib/bulk_imports/clients/graphql.rb +++ b/lib/bulk_imports/clients/graphql.rb @@ -34,10 +34,10 @@ module BulkImports @compatible_instance_version = false end - def execute(*args) + def execute(...) validate_instance_version! - client.execute(*args) + client.execute(...) end def options(extra = {}) diff --git a/lib/gitlab/allowable.rb b/lib/gitlab/allowable.rb index 4518c8a862c..879247d0174 100644 --- a/lib/gitlab/allowable.rb +++ b/lib/gitlab/allowable.rb @@ -2,8 +2,8 @@ module Gitlab module Allowable - def can?(*args) - Ability.allowed?(*args) + def can?(...) + Ability.allowed?(...) end end end diff --git a/lib/gitlab/auth/ldap/adapter.rb b/lib/gitlab/auth/ldap/adapter.rb index 9aedc131e92..0201f1f8725 100644 --- a/lib/gitlab/auth/ldap/adapter.rb +++ b/lib/gitlab/auth/ldap/adapter.rb @@ -33,8 +33,8 @@ module Gitlab users_search(options) end - def user(*args) - users(*args).first + def user(...) + users(...).first end def dn_matches_filter?(dn, filter) diff --git a/lib/gitlab/ci/config/external/mapper/base.rb b/lib/gitlab/ci/config/external/mapper/base.rb index d2f56d0b8f6..d898ddb356c 100644 --- a/lib/gitlab/ci/config/external/mapper/base.rb +++ b/lib/gitlab/ci/config/external/mapper/base.rb @@ -11,9 +11,9 @@ module Gitlab @context = context end - def process(*args) + def process(...) context.logger.instrument(mapper_instrumentation_key) do - process_without_instrumentation(*args) + process_without_instrumentation(...) end end diff --git a/lib/gitlab/ci/config/yaml/tags/reference.rb b/lib/gitlab/ci/config/yaml/tags/reference.rb index 45787077c91..5ecab033109 100644 --- a/lib/gitlab/ci/config/yaml/tags/reference.rb +++ b/lib/gitlab/ci/config/yaml/tags/reference.rb @@ -16,7 +16,7 @@ module Gitlab def valid? data[:seq].is_a?(Array) && !data[:seq].empty? && - data[:seq].all? { |identifier| identifier.is_a?(String) } + data[:seq].all?(String) end private diff --git a/lib/gitlab/config/entry/validators.rb b/lib/gitlab/config/entry/validators.rb index 9e6a3d86e92..fad2260d818 100644 --- a/lib/gitlab/config/entry/validators.rb +++ b/lib/gitlab/config/entry/validators.rb @@ -98,7 +98,7 @@ module Gitlab private def validate_array_of_hashes(value) - value.is_a?(Array) && value.all? { |obj| obj.is_a?(Hash) } + value.is_a?(Array) && value.all?(Hash) end end diff --git a/lib/gitlab/database/migrations/background_migration_helpers.rb b/lib/gitlab/database/migrations/background_migration_helpers.rb index 25e75a10bb3..60df3370046 100644 --- a/lib/gitlab/database/migrations/background_migration_helpers.rb +++ b/lib/gitlab/database/migrations/background_migration_helpers.rb @@ -200,11 +200,14 @@ module Gitlab end end + # rubocop: disable Style/ArgumentsForwarding + # Reason: the default argument will not apply if we just forward via `...` def migrate_in(*args, coordinator: coordinator_for_tracking_database) with_migration_context do coordinator.perform_in(*args) end end + # rubocop: enable Style/ArgumentsForwarding def delete_queued_jobs(class_name) coordinator_for_tracking_database.steal(class_name) do |job| diff --git a/lib/gitlab/dependency_linker/base_linker.rb b/lib/gitlab/dependency_linker/base_linker.rb index 6d114de8ae8..203cee1fd5e 100644 --- a/lib/gitlab/dependency_linker/base_linker.rb +++ b/lib/gitlab/dependency_linker/base_linker.rb @@ -13,8 +13,8 @@ module Gitlab Gitlab::FileDetector.type_of(blob_name) == file_type end - def self.link(*args) - new(*args).link + def self.link(...) + new(...).link end attr_accessor :plain_text, :highlighted_text diff --git a/lib/gitlab/git/repository.rb b/lib/gitlab/git/repository.rb index ad49e9e7221..678e298c378 100644 --- a/lib/gitlab/git/repository.rb +++ b/lib/gitlab/git/repository.rb @@ -465,9 +465,9 @@ module Gitlab end # Returns the SHA of the most recent common ancestor of +from+ and +to+ - def merge_base(*commits) + def merge_base(...) wrapped_gitaly_errors do - gitaly_repository_client.find_merge_base(*commits) + gitaly_repository_client.find_merge_base(...) end end @@ -720,9 +720,9 @@ module Gitlab raise DeleteBranchError, e end - def delete_refs(*ref_names) + def delete_refs(...) wrapped_gitaly_errors do - gitaly_delete_refs(*ref_names) + gitaly_delete_refs(...) end end diff --git a/lib/gitlab/gitaly_client/server_service.rb b/lib/gitlab/gitaly_client/server_service.rb index 48fd0e66354..36bda67c26e 100644 --- a/lib/gitlab/gitaly_client/server_service.rb +++ b/lib/gitlab/gitaly_client/server_service.rb @@ -26,19 +26,6 @@ module Gitlab storage_specific(disk_statistics) end - def readiness_check - request = Gitaly::ReadinessCheckRequest.new(timeout: GitalyClient.medium_timeout) - response = GitalyClient.call(@storage, :server_service, :readiness_check, request, timeout: GitalyClient.default_timeout) - - return { success: true } if response.ok_response - - failed_checks = response.failure_response.failed_checks.map do |failed_check| - ["#{failed_check.name}: #{failed_check.error_message}"] - end - - { success: false, message: failed_checks.join("\n") } - end - private def storage_specific(response) diff --git a/lib/gitlab/github_import/markdown_text.rb b/lib/gitlab/github_import/markdown_text.rb index 2424b3e8c1f..8e9d6d8dd50 100644 --- a/lib/gitlab/github_import/markdown_text.rb +++ b/lib/gitlab/github_import/markdown_text.rb @@ -16,8 +16,8 @@ module Gitlab PULL_REF_MATCHER = '%{github_url}/%{import_source}/pull' class << self - def format(*args) - new(*args).to_s + def format(...) + new(...).to_s end # Links like `https://domain.github.com/<namespace>/<project>/pull/<iid>` needs to be converted diff --git a/lib/gitlab/graphql/authorize/authorize_resource.rb b/lib/gitlab/graphql/authorize/authorize_resource.rb index 884fc85c4ec..983bdb9c0a2 100644 --- a/lib/gitlab/graphql/authorize/authorize_resource.rb +++ b/lib/gitlab/graphql/authorize/authorize_resource.rb @@ -67,8 +67,8 @@ module Gitlab self.class.authorization.ok?(object, current_user) end - def raise_resource_not_available_error!(*args) - self.class.raise_resource_not_available_error!(*args) + def raise_resource_not_available_error!(...) + self.class.raise_resource_not_available_error!(...) end end end diff --git a/lib/gitlab/health_checks/gitaly_check.rb b/lib/gitlab/health_checks/gitaly_check.rb index 2bd8ea711b5..f5f142c251f 100644 --- a/lib/gitlab/health_checks/gitaly_check.rb +++ b/lib/gitlab/health_checks/gitaly_check.rb @@ -27,35 +27,17 @@ module Gitlab end def check(storage_name) - storage_healthy = healthy(storage_name) - unless storage_healthy[:success] - return HealthChecks::Result.new( - name, - storage_healthy[:success], - storage_healthy[:message], - shard: storage_name - ) - end + serv = Gitlab::GitalyClient::HealthCheckService.new(storage_name) + result = serv.check - storage_ready = ready(storage_name) HealthChecks::Result.new( name, - storage_ready[:success], - storage_ready[:message], + result[:success], + result[:message], shard: storage_name ) end - def healthy(storage_name) - serv = Gitlab::GitalyClient::HealthCheckService.new(storage_name) - serv.check - end - - def ready(storage_name) - serv = Gitlab::GitalyClient::ServerService.new(storage_name) - serv.readiness_check - end - private def metric_prefix diff --git a/lib/gitlab/i18n/translation_entry.rb b/lib/gitlab/i18n/translation_entry.rb index f3cca97950d..6623d42f526 100644 --- a/lib/gitlab/i18n/translation_entry.rb +++ b/lib/gitlab/i18n/translation_entry.rb @@ -65,7 +65,7 @@ module Gitlab end def translations_have_multiple_lines? - translation_entries.any? { |translation| translation.is_a?(Array) } + translation_entries.any?(Array) end def msgid_contains_unescaped_chars? diff --git a/lib/gitlab/import_export/base/object_builder.rb b/lib/gitlab/import_export/base/object_builder.rb index 7dee0f783cc..0f24492ed3c 100644 --- a/lib/gitlab/import_export/base/object_builder.rb +++ b/lib/gitlab/import_export/base/object_builder.rb @@ -15,8 +15,8 @@ module Gitlab LRU_CACHE_SIZE = 1000 class ObjectBuilder - def self.build(*args) - new(*args).find + def self.build(...) + new(...).find end def initialize(klass, attributes) diff --git a/lib/gitlab/metrics/dashboard/url.rb b/lib/gitlab/metrics/dashboard/url.rb index d4f779ad79d..bdd28744137 100644 --- a/lib/gitlab/metrics/dashboard/url.rb +++ b/lib/gitlab/metrics/dashboard/url.rb @@ -100,8 +100,8 @@ module Gitlab end # Builds a metrics dashboard url based on the passed in arguments - def build_dashboard_url(*args) - Gitlab::Routing.url_helpers.metrics_dashboard_namespace_project_environment_url(*args) + def build_dashboard_url(...) + Gitlab::Routing.url_helpers.metrics_dashboard_namespace_project_environment_url(...) end private diff --git a/lib/gitlab/nav/top_nav_view_model_builder.rb b/lib/gitlab/nav/top_nav_view_model_builder.rb index 8cb2729ff61..10b841f777e 100644 --- a/lib/gitlab/nav/top_nav_view_model_builder.rb +++ b/lib/gitlab/nav/top_nav_view_model_builder.rb @@ -11,12 +11,12 @@ module Gitlab # Using delegate hides the stacktrace for some errors, so we choose to be explicit. # https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62047#note_579031091 - def add_primary_menu_item(**args) - @menu_builder.add_primary_menu_item(**args) + def add_primary_menu_item(...) + @menu_builder.add_primary_menu_item(...) end - def add_secondary_menu_item(**args) - @menu_builder.add_secondary_menu_item(**args) + def add_secondary_menu_item(...) + @menu_builder.add_secondary_menu_item(...) end def add_shortcut(**args) diff --git a/lib/gitlab/omniauth_initializer.rb b/lib/gitlab/omniauth_initializer.rb index b78cd2a6b95..fb7ffa03d0e 100644 --- a/lib/gitlab/omniauth_initializer.rb +++ b/lib/gitlab/omniauth_initializer.rb @@ -69,8 +69,8 @@ module Gitlab private - def add_provider_to_devise(*args) - @devise_config.omniauth(*args) + def add_provider_to_devise(...) + @devise_config.omniauth(...) end def arguments_for(provider) diff --git a/lib/gitlab/push_options.rb b/lib/gitlab/push_options.rb index 8a1dcc083e8..28d195238ea 100644 --- a/lib/gitlab/push_options.rb +++ b/lib/gitlab/push_options.rb @@ -46,8 +46,8 @@ module Gitlab @options = parse_options(options) end - def get(*args) - options.dig(*args) + def get(...) + options.dig(...) end # Allow #to_json serialization @@ -83,7 +83,7 @@ module Gitlab end def option_multi_value?(namespace, key) - MULTI_VALUE_OPTIONS.any? { |arr| arr == [namespace, key] } + MULTI_VALUE_OPTIONS.any?([namespace, key]) end def parse_option(option) diff --git a/lib/gitlab/utils/delegator_override.rb b/lib/gitlab/utils/delegator_override.rb index 3478931b170..446419378f8 100644 --- a/lib/gitlab/utils/delegator_override.rb +++ b/lib/gitlab/utils/delegator_override.rb @@ -17,7 +17,7 @@ module Gitlab def delegator_override(*names) return unless Gitlab::Environment.static_verification? - raise TypeError unless names.all? { |n| n.is_a?(Symbol) } + raise TypeError unless names.all?(Symbol) DelegatorOverride.validator(self).add_allowlist(names) end diff --git a/lib/gitlab/view/presenter/base.rb b/lib/gitlab/view/presenter/base.rb index 2a57ca9ae02..cb7f0a18a88 100644 --- a/lib/gitlab/view/presenter/base.rb +++ b/lib/gitlab/view/presenter/base.rb @@ -59,9 +59,7 @@ module Gitlab end def presents(*target_classes, as: nil) - if target_classes.any? { |k| k.is_a?(Symbol) } - raise ArgumentError, "Unsupported target class type: #{target_classes}." - end + raise ArgumentError, "Unsupported target class type: #{target_classes}." if target_classes.any?(Symbol) if self < ::Gitlab::View::Presenter::Delegated target_classes.each { |k| delegator_target(k) } diff --git a/lib/tasks/import.rake b/lib/tasks/import.rake index c93be95e2e0..1e17a6a1073 100644 --- a/lib/tasks/import.rake +++ b/lib/tasks/import.rake @@ -4,8 +4,8 @@ require 'benchmark' require 'rainbow/ext/string' class GithubImport - def self.run!(*args) - new(*args).run! + def self.run!(...) + new(...).run! end def initialize(token, gitlab_username, project_path, extras) diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 50d0286cd54..79fb72bbbb0 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -990,6 +990,16 @@ msgstr[1] "" msgid "%{retryButtonStart}Try again%{retryButtonEnd} or %{newFileButtonStart}attach a new file%{newFileButtonEnd}." msgstr "" +msgid "%{reviewer_names} was added as a reviewer." +msgid_plural "%{reviewer_names} were added as reviewers." +msgstr[0] "" +msgstr[1] "" + +msgid "%{reviewer_names} was removed from reviewers." +msgid_plural "%{reviewer_names} were removed from reviewers." +msgstr[0] "" +msgstr[1] "" + msgid "%{rotation} has been recalculated with the remaining participants. Please review the new setup for %{rotation_link}. It is recommended that you reach out to the current on-call responder to ensure continuity of on-call coverage." msgstr "" @@ -8131,9 +8141,6 @@ msgstr "" msgid "Change your password or recover your current one" msgstr "" -msgid "ChangeReviewer|%{added_reviewers_text}%{removed_reviewers_text}" -msgstr "" - msgid "ChangeReviewer|All reviewers were removed." msgstr "" @@ -15653,6 +15660,18 @@ msgstr "" msgid "Enterprise" msgstr "" +msgid "EnterpriseUsers|The user detail cannot be updated" +msgstr "" + +msgid "EnterpriseUsers|The user does not match the \"Enterprise User\" definition for the group" +msgstr "" + +msgid "EnterpriseUsers|The user is already an enterprise user" +msgstr "" + +msgid "EnterpriseUsers|The user is not a member of the group" +msgstr "" + msgid "Environment" msgstr "" @@ -29655,9 +29674,6 @@ msgstr "" msgid "Package already exists" msgstr "" -msgid "Package and registry settings" -msgstr "" - msgid "Package deleted successfully" msgstr "" @@ -30146,6 +30162,9 @@ msgstr "" msgid "Packages and registries" msgstr "" +msgid "Packages and registries settings" +msgstr "" + msgid "Page not found" msgstr "" diff --git a/spec/features/groups/settings/packages_and_registries_spec.rb b/spec/features/groups/settings/packages_and_registries_spec.rb index 60aad8452ce..80e2dcd5174 100644 --- a/spec/features/groups/settings/packages_and_registries_spec.rb +++ b/spec/features/groups/settings/packages_and_registries_spec.rb @@ -46,7 +46,7 @@ RSpec.describe 'Group Package and registry settings', feature_category: :package it 'has a page title set' do visit_settings_page - expect(page).to have_title _('Package and registry settings') + expect(page).to have_title _('Packages and registries settings') end it 'sidebar menu is open' do diff --git a/spec/frontend/issues/show/issue_spec.js b/spec/frontend/issues/show/issue_spec.js index 892c5d79181..2980a6c33ee 100644 --- a/spec/frontend/issues/show/issue_spec.js +++ b/spec/frontend/issues/show/issue_spec.js @@ -19,7 +19,9 @@ const setupHTML = (initialData) => { describe('Issue show index', () => { describe('initIssueApp', () => { - it('should initialize app with no potential XSS attack', async () => { + // https://gitlab.com/gitlab-org/gitlab/-/issues/390368 + // eslint-disable-next-line jest/no-disabled-tests + it.skip('should initialize app with no potential XSS attack', async () => { const alertSpy = jest.spyOn(window, 'alert').mockImplementation(() => {}); const parseDataSpy = jest.spyOn(parseData, 'parseIssuableData'); diff --git a/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb b/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb index 07c2755a3f7..44147987ebb 100644 --- a/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb +++ b/spec/graphql/mutations/ci/job_token_scope/add_project_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true require 'spec_helper' -RSpec.describe Mutations::Ci::JobTokenScope::AddProject do +RSpec.describe Mutations::Ci::JobTokenScope::AddProject, feature_category: :continuous_integration do let(:mutation) do described_class.new(object: nil, context: { current_user: current_user }, field: nil) end @@ -14,9 +14,10 @@ RSpec.describe Mutations::Ci::JobTokenScope::AddProject do let_it_be(:target_project) { create(:project) } let(:target_project_path) { target_project.full_path } + let(:mutation_args) { { project_path: project.full_path, target_project_path: target_project_path } } subject do - mutation.resolve(project_path: project.full_path, target_project_path: target_project_path) + mutation.resolve(**mutation_args) end context 'when user is not logged in' do @@ -42,18 +43,45 @@ RSpec.describe Mutations::Ci::JobTokenScope::AddProject do target_project.add_guest(current_user) end - it 'adds target project to the job token scope' do + it 'adds target project to the outbound job token scope by default' do expect do expect(subject).to include(ci_job_token_scope: be_present, errors: be_empty) end.to change { Ci::JobToken::ProjectScopeLink.outbound.count }.by(1) end + context 'when mutation uses the direction argument' do + let(:mutation_args) { super().merge!(direction: direction) } + + context 'when targeting the outbound allowlist' do + let(:direction) { :outbound } + + it 'adds the target project' do + expect do + expect(subject).to include(ci_job_token_scope: be_present, errors: be_empty) + end.to change { Ci::JobToken::ProjectScopeLink.outbound.count }.by(1) + end + end + + context 'when targeting the inbound allowlist' do + let(:direction) { :inbound } + + it 'adds the target project' do + expect do + expect(subject).to include(ci_job_token_scope: be_present, errors: be_empty) + end.to change { Ci::JobToken::ProjectScopeLink.inbound.count }.by(1) + end + end + end + context 'when the service returns an error' do let(:service) { double(:service) } it 'returns an error response' do - expect(::Ci::JobTokenScope::AddProjectService).to receive(:new).with(project, current_user).and_return(service) - expect(service).to receive(:execute).with(target_project).and_return(ServiceResponse.error(message: 'The error message')) + expect(::Ci::JobTokenScope::AddProjectService).to receive(:new).with( + project, + current_user + ).and_return(service) + expect(service).to receive(:execute).with(target_project, direction: :outbound).and_return(ServiceResponse.error(message: 'The error message')) expect(subject.fetch(:ci_job_token_scope)).to be_nil expect(subject.fetch(:errors)).to include("The error message") diff --git a/spec/graphql/types/ci/job_token_scope_type_spec.rb b/spec/graphql/types/ci/job_token_scope_type_spec.rb index 569b59d6c70..01044364881 100644 --- a/spec/graphql/types/ci/job_token_scope_type_spec.rb +++ b/spec/graphql/types/ci/job_token_scope_type_spec.rb @@ -2,17 +2,24 @@ require 'spec_helper' -RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do +RSpec.describe GitlabSchema.types['CiJobTokenScopeType'], feature_category: :continuous_integration do specify { expect(described_class.graphql_name).to eq('CiJobTokenScopeType') } it 'has the correct fields' do - expected_fields = [:projects] + expected_fields = [:projects, :inboundAllowlist, :outboundAllowlist] expect(described_class).to have_graphql_fields(*expected_fields) end describe 'query' do - let(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } + let(:project) do + create( + :project, + ci_outbound_job_token_scope_enabled: true, + ci_inbound_job_token_scope_enabled: true + ).tap(&:save!) + end + let_it_be(:current_user) { create(:user) } let(:query) do @@ -25,6 +32,16 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do path } } + inboundAllowlist { + nodes { + path + } + } + outboundAllowlist { + nodes { + path + } + } } } } @@ -33,30 +50,73 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do subject { GitlabSchema.execute(query, context: { current_user: current_user }).as_json } - let(:projects_field) { subject.dig('data', 'project', 'ciJobTokenScope', 'projects', 'nodes') } - let(:returned_project_paths) { projects_field.map { |project| project['path'] } } + let(:scope_field) { subject.dig('data', 'project', 'ciJobTokenScope') } + let(:errors_field) { subject['errors'] } + let(:projects_field) { scope_field&.dig('projects', 'nodes') } + let(:outbound_allowlist_field) { scope_field&.dig('outboundAllowlist', 'nodes') } + let(:inbound_allowlist_field) { scope_field&.dig('inboundAllowlist', 'nodes') } + let(:returned_project_paths) { projects_field.map { |p| p['path'] } } + let(:returned_outbound_paths) { outbound_allowlist_field.map { |p| p['path'] } } + let(:returned_inbound_paths) { inbound_allowlist_field.map { |p| p['path'] } } + + context 'without access to scope' do + before do + project.add_member(current_user, :developer) + end + + it 'returns no projects' do + expect(projects_field).to be_nil + expect(outbound_allowlist_field).to be_nil + expect(inbound_allowlist_field).to be_nil + expect(errors_field.first['message']).to include "don't have permission" + end + end context 'with access to scope' do before do project.add_member(current_user, :maintainer) end - context 'when multiple projects in the allow list' do - let!(:link) { create(:ci_job_token_project_scope_link, source_project: project) } + context 'when multiple projects in the allow lists' do + include Ci::JobTokenScopeHelpers + let!(:outbound_allowlist_project) { create_project_in_allowlist(project, direction: :outbound) } + let!(:inbound_allowlist_project) { create_project_in_allowlist(project, direction: :inbound) } + let!(:both_allowlists_project) { create_project_in_both_allowlists(project) } context 'when linked projects are readable' do before do - link.target_project.add_member(current_user, :developer) + outbound_allowlist_project.add_member(current_user, :developer) + inbound_allowlist_project.add_member(current_user, :developer) + both_allowlists_project.add_member(current_user, :developer) end - it 'returns readable projects in scope' do - expect(returned_project_paths).to contain_exactly(project.path, link.target_project.path) + shared_examples 'returns projects' do + it 'returns readable projects in scope' do + outbound_paths = [project.path, outbound_allowlist_project.path, both_allowlists_project.path] + inbound_paths = [project.path, inbound_allowlist_project.path, both_allowlists_project.path] + + expect(returned_project_paths).to contain_exactly(*outbound_paths) + expect(returned_outbound_paths).to contain_exactly(*outbound_paths) + expect(returned_inbound_paths).to contain_exactly(*inbound_paths) + end + end + + it_behaves_like 'returns projects' + + context 'when job token scope is disabled' do + before do + project.ci_cd_settings.update!(job_token_scope_enabled: false) + end + + it_behaves_like 'returns projects' end end - context 'when linked project is not readable' do + context 'when linked projects are not readable' do it 'returns readable projects in scope' do expect(returned_project_paths).to contain_exactly(project.path) + expect(returned_outbound_paths).to contain_exactly(project.path) + expect(returned_inbound_paths).to contain_exactly(project.path) end end @@ -71,6 +131,8 @@ RSpec.describe GitlabSchema.types['CiJobTokenScopeType'] do it 'returns readable projects in scope' do expect(returned_project_paths).to contain_exactly(project.path) + expect(returned_outbound_paths).to contain_exactly(project.path) + expect(returned_inbound_paths).to contain_exactly(project.path) end end end diff --git a/spec/helpers/emails_helper_spec.rb b/spec/helpers/emails_helper_spec.rb index 1f7400983da..dbc6bd2eb28 100644 --- a/spec/helpers/emails_helper_spec.rb +++ b/spec/helpers/emails_helper_spec.rb @@ -385,7 +385,7 @@ RSpec.describe EmailsHelper do context 'with no html tag' do let(:expected_output) do - 'John was added as a reviewer.<br>' + 'John was added as a reviewer.' end it 'returns the expected output' do @@ -395,7 +395,7 @@ RSpec.describe EmailsHelper do context 'with <strong> tag' do let(:expected_output) do - '<strong>John</strong> was added as a reviewer.<br>' + '<strong>John</strong> was added as a reviewer.' end it 'returns the expected output' do @@ -410,7 +410,7 @@ RSpec.describe EmailsHelper do context 'with no html tag' do let(:expected_output) do - 'Ted was added as a reviewer.<br>John and Mary were removed from reviewers.' + "Ted was added as a reviewer.\nJohn and Mary were removed from reviewers." end it 'returns the expected output' do @@ -460,7 +460,7 @@ RSpec.describe EmailsHelper do let(:fishy_user) { build(:user, name: "<script>alert('hi')</script>") } let(:expected_output) do - '<strong><script>alert('hi')</script></strong> was added as a reviewer.<br>' + '<strong><script>alert('hi')</script></strong> was added as a reviewer.' end it 'escapes the html tag' do @@ -476,7 +476,7 @@ RSpec.describe EmailsHelper do let(:fishy_user) { build(:user, name: "example.com") } let(:expected_output) do - 'example_com was added as a reviewer.<br>' + 'example_com was added as a reviewer.' end it "sanitizes user's name" do diff --git a/spec/lib/gitlab/gitaly_client/server_service_spec.rb b/spec/lib/gitlab/gitaly_client/server_service_spec.rb deleted file mode 100644 index 615f2ce0c21..00000000000 --- a/spec/lib/gitlab/gitaly_client/server_service_spec.rb +++ /dev/null @@ -1,42 +0,0 @@ -# frozen_string_literal: true - -require 'spec_helper' - -RSpec.describe Gitlab::GitalyClient::ServerService do - let(:storage) { 'default' } - - describe '#readiness_check' do - before do - ::Gitlab::GitalyClient.clear_stubs! - end - - let(:request) do - Gitaly::ReadinessCheckRequest.new(timeout: 30) - end - - subject(:readiness_check) { described_class.new(storage).readiness_check } - - it 'returns a positive success if no failures happened' do - expect_next_instance_of(Gitaly::ServerService::Stub) do |service| - response = Gitaly::ReadinessCheckResponse.new(ok_response: Gitaly::ReadinessCheckResponse::Ok.new) - expect(service).to receive(:readiness_check).with(request, kind_of(Hash)).and_return(response) - end - - expect(readiness_check[:success]).to eq(true) - end - - it 'returns a negative success and a compiled message if at least one failure happened' do - failure1 = Gitaly::ReadinessCheckResponse::Failure::Response.new(name: '1', error_message: 'msg 1') - failure2 = Gitaly::ReadinessCheckResponse::Failure::Response.new(name: '2', error_message: 'msg 2') - failures = Gitaly::ReadinessCheckResponse::Failure.new(failed_checks: [failure1, failure2]) - response = Gitaly::ReadinessCheckResponse.new(failure_response: failures) - - expect_next_instance_of(Gitaly::ServerService::Stub) do |service| - expect(service).to receive(:readiness_check).with(request, kind_of(Hash)).and_return(response) - end - - expect(readiness_check[:success]).to eq(false) - expect(readiness_check[:message]).to eq("1: msg 1\n2: msg 2") - end - end -end diff --git a/spec/lib/gitlab/health_checks/gitaly_check_spec.rb b/spec/lib/gitlab/health_checks/gitaly_check_spec.rb index 948452c0b58..64c4e92f80b 100644 --- a/spec/lib/gitlab/health_checks/gitaly_check_spec.rb +++ b/spec/lib/gitlab/health_checks/gitaly_check_spec.rb @@ -14,36 +14,20 @@ RSpec.describe Gitlab::HealthChecks::GitalyCheck do subject { described_class.readiness } before do - expect(Gitlab::GitalyClient::HealthCheckService).to receive(:new).and_return(healthy_check) + expect(Gitlab::GitalyClient::HealthCheckService).to receive(:new).and_return(gitaly_check) end context 'Gitaly server is up' do - before do - expect(Gitlab::GitalyClient::ServerService).to receive(:new).and_return(ready_check) - end - - let(:healthy_check) { double(check: { success: true }) } - let(:ready_check) { double(readiness_check: { success: true }) } + let(:gitaly_check) { double(check: { success: true }) } it { is_expected.to eq([result_class.new('gitaly_check', true, nil, shard: 'default')]) } end context 'Gitaly server is down' do - let(:healthy_check) { double(check: { success: false, message: 'Connection refused' }) } + let(:gitaly_check) { double(check: { success: false, message: 'Connection refused' }) } it { is_expected.to eq([result_class.new('gitaly_check', false, 'Connection refused', shard: 'default')]) } end - - context 'Gitaly server is not ready' do - before do - expect(Gitlab::GitalyClient::ServerService).to receive(:new).and_return(ready_check) - end - - let(:healthy_check) { double(check: { success: true }) } - let(:ready_check) { double(readiness_check: { success: false, message: 'A readiness check has failed' }) } - - it { is_expected.to match_array([result_class.new('gitaly_check', false, 'A readiness check has failed', shard: 'default')]) } - end end describe '#metrics' do diff --git a/spec/lib/gitlab/health_checks/probes/collection_spec.rb b/spec/lib/gitlab/health_checks/probes/collection_spec.rb index f1791375cea..09e1a828aeb 100644 --- a/spec/lib/gitlab/health_checks/probes/collection_spec.rb +++ b/spec/lib/gitlab/health_checks/probes/collection_spec.rb @@ -18,10 +18,6 @@ RSpec.describe Gitlab::HealthChecks::Probes::Collection do end it 'responds with readiness checks data' do - expect_next_instance_of(Gitlab::GitalyClient::ServerService) do |service| - expect(service).to receive(:readiness_check).and_return({ success: true }) - end - expect(subject.http_status).to eq(200) expect(subject.json[:status]).to eq('ok') diff --git a/spec/lib/object_storage/direct_upload_spec.rb b/spec/lib/object_storage/direct_upload_spec.rb index 569e6a3a7c6..82eede96deb 100644 --- a/spec/lib/object_storage/direct_upload_spec.rb +++ b/spec/lib/object_storage/direct_upload_spec.rb @@ -272,7 +272,7 @@ RSpec.describe ObjectStorage::DirectUpload do it 'uses only strings in query parameters' do expect(direct_upload.send(:connection)).to receive(:signed_url).at_least(:once) do |params| if params[:query] - expect(params[:query].keys.all? { |key| key.is_a?(String) }).to be_truthy + expect(params[:query].keys.all?(String)).to be_truthy end end diff --git a/spec/models/ci/job_token/allowlist_spec.rb b/spec/models/ci/job_token/allowlist_spec.rb index c69dcba765a..3a2673c7c26 100644 --- a/spec/models/ci/job_token/allowlist_spec.rb +++ b/spec/models/ci/job_token/allowlist_spec.rb @@ -40,6 +40,26 @@ RSpec.describe Ci::JobToken::Allowlist, feature_category: :continuous_integratio end end + describe 'add!' do + let_it_be(:added_project) { create(:project) } + let_it_be(:user) { create(:user) } + + subject { allowlist.add!(added_project, user: user) } + + [:inbound, :outbound].each do |d| + let(:direction) { d } + + it 'adds the project' do + subject + + expect(allowlist.projects).to contain_exactly(source_project, added_project) + expect(subject.added_by_id).to eq(user.id) + expect(subject.source_project_id).to eq(source_project.id) + expect(subject.target_project_id).to eq(added_project.id) + end + end + end + describe '#includes?' do subject { allowlist.includes?(includes_project) } diff --git a/spec/models/ci/job_token/scope_spec.rb b/spec/models/ci/job_token/scope_spec.rb index da632622f1b..5fa0775e1f5 100644 --- a/spec/models/ci/job_token/scope_spec.rb +++ b/spec/models/ci/job_token/scope_spec.rb @@ -57,6 +57,35 @@ RSpec.describe Ci::JobToken::Scope, feature_category: :continuous_integration, f end end + describe 'add!' do + let_it_be(:new_project) { create(:project) } + + subject { scope.add!(new_project, direction: direction, user: user) } + + [:inbound, :outbound].each do |d| + let(:direction) { d } + + it 'adds the project' do + subject + + expect(scope.send("#{direction}_projects")).to contain_exactly(current_project, new_project) + end + end + + # Context and before block can go away leaving just the example in 16.0 + context 'with inbound only enabled' do + before do + project.ci_cd_settings.update!(job_token_scope_enabled: false) + end + + it 'provides access' do + expect do + scope.add!(new_project, direction: :inbound, user: user) + end.to change { described_class.new(new_project).accessible?(current_project) }.from(false).to(true) + end + end + end + RSpec.shared_examples 'enforces outbound scope only' do include_context 'with accessible and inaccessible projects' diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb index 1538f8a70c8..7120975a420 100644 --- a/spec/policies/global_policy_spec.rb +++ b/spec/policies/global_policy_spec.rb @@ -591,4 +591,102 @@ RSpec.describe GlobalPolicy, feature_category: :security_policies do it { is_expected.to be_disallowed(:log_in) } end end + + describe 'create_instance_runners' do + context 'create_runner_workflow flag enabled' do + before do + stub_feature_flags(create_runner_workflow: true) + end + + context 'admin' do + let(:current_user) { admin_user } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:create_instance_runners) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_instance_runners) } + end + end + + context 'with project_bot' do + let(:current_user) { project_bot } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with migration_bot' do + let(:current_user) { migration_bot } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with security_bot' do + let(:current_user) { security_bot } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with regular user' do + let(:current_user) { user } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + end + + context 'create_runner_workflow flag disabled' do + before do + stub_feature_flags(create_runner_workflow: false) + end + + context 'admin' do + let(:current_user) { admin_user } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_instance_runners) } + end + end + + context 'with project_bot' do + let(:current_user) { project_bot } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with migration_bot' do + let(:current_user) { migration_bot } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with security_bot' do + let(:current_user) { security_bot } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with regular user' do + let(:current_user) { user } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_instance_runners) } + end + end + end end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 2d4c86845c9..451db9eaf9c 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe GroupPolicy do +RSpec.describe GroupPolicy, feature_category: :authentication_and_authorization do include AdminModeHelper include_context 'GroupPolicy context' @@ -1274,6 +1274,178 @@ RSpec.describe GroupPolicy do end end + describe 'create_group_runners' do + shared_examples 'disallowed when group runner registration disabled' do + context 'with group runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['project']) + group.runner_registration_enabled = runner_registration_enabled + end + + context 'with specific group runner registration enabled' do + let(:runner_registration_enabled) { true } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with specific group runner registration disabled' do + let(:runner_registration_enabled) { false } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + end + end + + context 'create_runner_workflow flag enabled' do + before do + stub_feature_flags(create_runner_workflow: true) + end + + context 'admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:create_group_runners) } + + context 'with specific group runner registration disabled' do + before do + group.runner_registration_enabled = false + end + + it { is_expected.to be_allowed(:create_group_runners) } + end + + context 'with group runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['project']) + group.runner_registration_enabled = runner_registration_enabled + end + + context 'with specific group runner registration enabled' do + let(:runner_registration_enabled) { true } + + it { is_expected.to be_allowed(:create_group_runners) } + end + + context 'with specific group runner registration disabled' do + let(:runner_registration_enabled) { false } + + it { is_expected.to be_allowed(:create_group_runners) } + end + end + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_group_runners) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:create_group_runners) } + + it_behaves_like 'disallowed when group runner registration disabled' + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + end + + context 'with create_runner_workflow flag disabled' do + before do + stub_feature_flags(create_runner_workflow: false) + end + + context 'admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_disallowed(:create_group_runners) } + + context 'with specific group runner registration disabled' do + before do + group.runner_registration_enabled = false + end + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + it_behaves_like 'disallowed when group runner registration disabled' + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_group_runners) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_disallowed(:create_group_runners) } + + it_behaves_like 'disallowed when group runner registration disabled' + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_group_runners) } + end + end + end + describe 'read_group_all_available_runners' do context 'admin' do let(:current_user) { admin } diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 434f7a43665..2fe204a403b 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -2735,6 +2735,148 @@ RSpec.describe ProjectPolicy, feature_category: :authentication_and_authorizatio end end + describe 'create_project_runners' do + context 'create_runner_workflow flag enabled' do + before do + stub_feature_flags(create_runner_workflow: true) + end + + context 'admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_allowed(:create_project_runners) } + + context 'with project runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['group']) + end + + it { is_expected.to be_allowed(:create_project_runners) } + end + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_project_runners) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:create_project_runners) } + + context 'with project runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['group']) + end + + it { is_expected.to be_disallowed(:create_project_runners) } + end + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:create_project_runners) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + + context 'with developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + end + + context 'create_runner_workflow flag disabled' do + before do + stub_feature_flags(create_runner_workflow: false) + end + + context 'admin' do + let(:current_user) { admin } + + context 'when admin mode is enabled', :enable_admin_mode do + it { is_expected.to be_disallowed(:create_project_runners) } + + context 'with project runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['group']) + end + + it { is_expected.to be_disallowed(:create_project_runners) } + end + end + + context 'when admin mode is disabled' do + it { is_expected.to be_disallowed(:create_project_runners) } + end + end + + context 'with owner' do + let(:current_user) { owner } + + it { is_expected.to be_disallowed(:create_project_runners) } + + context 'with project runner registration disabled' do + before do + stub_application_setting(valid_runner_registrars: ['group']) + end + + it { is_expected.to be_disallowed(:create_project_runners) } + end + end + + context 'with maintainer' do + let(:current_user) { maintainer } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + + context 'with reporter' do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + + context 'with guest' do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + + context 'with developer' do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + + context 'with anonymous' do + let(:current_user) { nil } + + it { is_expected.to be_disallowed(:create_project_runners) } + end + end + end + describe 'update_sentry_issue' do using RSpec::Parameterized::TableSyntax diff --git a/spec/requests/api/draft_notes_spec.rb b/spec/requests/api/draft_notes_spec.rb index fad93fff839..cff8c34e4a1 100644 --- a/spec/requests/api/draft_notes_spec.rb +++ b/spec/requests/api/draft_notes_spec.rb @@ -4,6 +4,7 @@ require 'spec_helper' RSpec.describe API::DraftNotes, feature_category: :code_review_workflow do let_it_be(:user) { create(:user) } + let_it_be(:user_2) { create(:user) } let_it_be(:project) { create(:project, :public) } let_it_be(:merge_request) { create(:merge_request, source_project: project, target_project: project, author: user) } @@ -32,4 +33,45 @@ RSpec.describe API::DraftNotes, feature_category: :code_review_workflow do expect(draft_note_ids).not_to include(merge_request_note.id) end end + + describe "Get a single draft note" do + context "when requesting an existing draft note by the user" do + before do + get api( + "/projects/#{project.id}/merge_requests/#{merge_request.iid}/draft_notes/#{draft_note_by_current_user.id}", + user + ) + end + + it "returns 200 OK status" do + expect(response).to have_gitlab_http_status(:ok) + end + + it "returns the requested draft note" do + expect(json_response["id"]).to eq(draft_note_by_current_user.id) + end + + context "when requesting a non-existent draft note" do + it "returns a 404 Not Found response" do + get api( + "/projects/#{project.id}/merge_requests/#{merge_request.iid}/draft_notes/#{DraftNote.last.id + 1}", + user + ) + + expect(response).to have_gitlab_http_status(:not_found) + end + end + + context "when requesting an existing draft note by another user" do + it "returns a 404 Not Found response" do + get api( + "/projects/#{project.id}/merge_requests/#{merge_request.iid}/draft_notes/#{draft_note_by_random_user.id}", + user + ) + + expect(response).to have_gitlab_http_status(:not_found) + end + end + end + end end diff --git a/spec/requests/api/graphql/ci/jobs_spec.rb b/spec/requests/api/graphql/ci/jobs_spec.rb index 131cdb77107..674407c0a0e 100644 --- a/spec/requests/api/graphql/ci/jobs_spec.rb +++ b/spec/requests/api/graphql/ci/jobs_spec.rb @@ -96,7 +96,7 @@ RSpec.describe 'Query.project.pipeline', feature_category: :continuous_integrati create(:ci_build_need, build: test_job, name: 'my test job') end - it 'reports the build needs and execution requirements', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/347290' do + it 'reports the build needs and execution requirements' do post_graphql(query, current_user: user) expect(jobs_graphql_data).to contain_exactly( diff --git a/spec/requests/health_controller_spec.rb b/spec/requests/health_controller_spec.rb index 83ec1565095..639f6194af9 100644 --- a/spec/requests/health_controller_spec.rb +++ b/spec/requests/health_controller_spec.rb @@ -127,10 +127,6 @@ RSpec.describe HealthController, feature_category: :database do end it 'responds with readiness checks data' do - expect_next_instance_of(Gitlab::GitalyClient::ServerService) do |service| - expect(service).to receive(:readiness_check).and_return({ success: true }) - end - subject expect(json_response['db_check']).to contain_exactly({ 'status' => 'ok' }) diff --git a/spec/services/ci/job_token_scope/add_project_service_spec.rb b/spec/services/ci/job_token_scope/add_project_service_spec.rb index bf7df3a5595..e6674ee384f 100644 --- a/spec/services/ci/job_token_scope/add_project_service_spec.rb +++ b/spec/services/ci/job_token_scope/add_project_service_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true require 'spec_helper' -RSpec.describe Ci::JobTokenScope::AddProjectService do +RSpec.describe Ci::JobTokenScope::AddProjectService, feature_category: :continuous_integration do let(:service) { described_class.new(project, current_user) } let_it_be(:project) { create(:project, ci_outbound_job_token_scope_enabled: true).tap(&:save!) } @@ -21,6 +21,8 @@ RSpec.describe Ci::JobTokenScope::AddProjectService do it_behaves_like 'editable job token scope' do context 'when user has permissions on source and target projects' do + let(:resulting_direction) { result.payload.fetch(:project_link)&.direction } + before do project.add_maintainer(current_user) target_project.add_developer(current_user) @@ -34,6 +36,26 @@ RSpec.describe Ci::JobTokenScope::AddProjectService do end it_behaves_like 'adds project' + + it 'creates an outbound link by default' do + expect(resulting_direction).to eq('outbound') + end + + context 'when direction is specified' do + subject(:result) { service.execute(target_project, direction: direction) } + + context 'when the direction is outbound' do + let(:direction) { :outbound } + + specify { expect(resulting_direction).to eq('outbound') } + end + + context 'when the direction is inbound' do + let(:direction) { :inbound } + + specify { expect(resulting_direction).to eq('inbound') } + end + end end end diff --git a/spec/support/helpers/ci/job_token_scope_helpers.rb b/spec/support/helpers/ci/job_token_scope_helpers.rb index 09084bc8715..2de3e29f82c 100644 --- a/spec/support/helpers/ci/job_token_scope_helpers.rb +++ b/spec/support/helpers/ci/job_token_scope_helpers.rb @@ -2,14 +2,21 @@ module Ci module JobTokenScopeHelpers - def create_project_in_allowlist(root_project, direction:) - create(:project).tap do |scoped_project| - create( - :ci_job_token_project_scope_link, - source_project: root_project, - target_project: scoped_project, - direction: direction - ) + def create_project_in_allowlist(root_project, direction:, target_project: nil) + included_project = target_project || create(:project) + create( + :ci_job_token_project_scope_link, + source_project: root_project, + target_project: included_project, + direction: direction + ) + + included_project + end + + def create_project_in_both_allowlists(root_project) + create_project_in_allowlist(root_project, direction: :outbound).tap do |new_project| + create_project_in_allowlist(root_project, target_project: new_project, direction: :inbound) end end diff --git a/spec/support/import_export/project_tree_expectations.rb b/spec/support/import_export/project_tree_expectations.rb index 2423a58a3e6..0049d0fbd06 100644 --- a/spec/support/import_export/project_tree_expectations.rb +++ b/spec/support/import_export/project_tree_expectations.rb @@ -59,7 +59,7 @@ module ImportExport end def match_arrays(left_node, right_node, stats, location_stack, failures) - has_simple_elements = left_node.none? { |el| Enumerable === el } + has_simple_elements = left_node.none?(Enumerable) # for simple types, we can do a direct order-less set comparison if has_simple_elements && left_node.to_set != right_node.to_set stats[:arrays][:direct] += 1 diff --git a/spec/workers/repository_check/dispatch_worker_spec.rb b/spec/workers/repository_check/dispatch_worker_spec.rb index 146228c0852..829abc7d895 100644 --- a/spec/workers/repository_check/dispatch_worker_spec.rb +++ b/spec/workers/repository_check/dispatch_worker_spec.rb @@ -22,10 +22,6 @@ RSpec.describe RepositoryCheck::DispatchWorker do end it 'dispatches work to RepositoryCheck::BatchWorker' do - expect_next_instance_of(Gitlab::GitalyClient::ServerService) do |service| - expect(service).to receive(:readiness_check).and_return({ success: true }) - end - expect(RepositoryCheck::BatchWorker).to receive(:perform_async).at_least(:once) subject.perform |