authorGitLab Bot <gitlab-bot@gitlab.com>2021-07-09 00:09:21 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-07-09 00:09:21 +0300
commit4bf6e1412904e793931be84045d11df9ce55e1a3 (patch)
treee711b00da5ef1c939029cfdbd24e2da89a922b37
parent7e17b031fa8e57a698fc474ded12eaa2553c87f5 (diff)
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--Gemfile2
-rw-r--r--Gemfile.lock4
-rw-r--r--app/models/user.rb3
-rw-r--r--lib/gitlab/template/gitlab_ci_yml_template.rb2
-rw-r--r--spec/graphql/types/project_type_spec.rb18
-rw-r--r--spec/lib/gitlab/git_access_spec.rb4
-rw-r--r--spec/lib/gitlab/lfs_token_spec.rb2
-rw-r--r--spec/models/user_spec.rb66
-rw-r--r--spec/policies/global_policy_spec.rb6
-rw-r--r--spec/requests/git_http_spec.rb16
-rw-r--r--spec/requests/lfs_http_spec.rb6
-rw-r--r--spec/services/security/ci_configuration/sast_parser_service_spec.rb12
-rw-r--r--spec/support/helpers/ci/template_helpers.rb11
13 files changed, 113 insertions, 39 deletions
diff --git a/Gemfile b/Gemfile
index c3442ebb92b..5a52a7e13ad 100644
--- a/Gemfile
+++ b/Gemfile
@@ -481,7 +481,7 @@ gem 'grpc', '~> 1.30.2'
gem 'google-protobuf', '~> 3.17.1'
-gem 'toml-rb', '~> 1.0.0'
+gem 'toml-rb', '~> 2.0'
# Feature toggles
gem 'flipper', '~> 0.21.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index cbad24f5639..9237261d7c1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1290,7 +1290,7 @@ GEM
to_regexp (0.2.1)
toml (0.2.0)
parslet (~> 1.8.0)
- toml-rb (1.0.0)
+ toml-rb (2.0.1)
citrus (~> 3.0, > 3.0)
tomlrb (1.3.0)
tpm-key_attestation (0.9.0)
@@ -1660,7 +1660,7 @@ DEPENDENCIES
thin (~> 1.8.0)
thrift (>= 0.14.0)
timecop (~> 0.9.1)
- toml-rb (~> 1.0.0)
+ toml-rb (~> 2.0)
truncato (~> 0.7.11)
u2f (~> 0.2.1)
unf (~> 0.1.4)
diff --git a/app/models/user.rb b/app/models/user.rb
index 077f11d574f..eb93d717e9b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1887,7 +1887,8 @@ class User < ApplicationRecord
end
def password_expired_if_applicable?
- return false unless password_expired?
+ return false if bot?
+ return false unless password_expired? && password_automatically_set?
return false unless allow_password_authentication?
true
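Review bot: The added `&& password_automatically_set?` on the second guard means an account whose `password_expires_at` is already in the past but whose password was not generated for it is no longer treated as expired, which quietly widens git/API access for any existing accounts in that state; the intent appears to be that only generated (e.g. admin-assigned temporary) passwords are subject to forced rotation, but nothing in the hunk records that. I'd state it above the guard: `# Only a generated password is subject to expiry; a password the user chose is never force-rotated here.` and on the new first line: `# Bots cannot sign in interactively to rotate a password, so expiry never applies to them.` It is worth confirming that `password_automatically_set` is reset when the user later picks their own password, since after this change that flag, not the timestamp, is what gates enforcement. The method's closing `end` lies outside the hunk.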
diff --git a/lib/gitlab/template/gitlab_ci_yml_template.rb b/lib/gitlab/template/gitlab_ci_yml_template.rb
index e302865c897..da925f0f83a 100644
--- a/lib/gitlab/template/gitlab_ci_yml_template.rb
+++ b/lib/gitlab/template/gitlab_ci_yml_template.rb
@@ -92,4 +92,4 @@ module Gitlab
end
end
-Gitlab::Template::GitlabCiYmlTemplate.prepend_mod_with('Gitlab::Template::GitlabCiYmlTemplate')
+Gitlab::Template::GitlabCiYmlTemplate.prepend_mod
diff --git a/spec/graphql/types/project_type_spec.rb b/spec/graphql/types/project_type_spec.rb
index 22a1f065aa6..8a1a4b17cc6 100644
--- a/spec/graphql/types/project_type_spec.rb
+++ b/spec/graphql/types/project_type_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'
RSpec.describe GitlabSchema.types['Project'] do
include GraphqlHelpers
+ include Ci::TemplateHelpers
specify { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Project) }
@@ -103,15 +104,14 @@ RSpec.describe GitlabSchema.types['Project'] do
subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
it "returns the project's sast configuration for global variables" do
- secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
- expect(secure_analyzers_prefix['type']).to eq('string')
- expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
- expect(secure_analyzers_prefix['label']).to eq('Image prefix')
- expect(secure_analyzers_prefix['defaultValue'])
- .to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
- expect(secure_analyzers_prefix['value']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
- expect(secure_analyzers_prefix['size']).to eq('LARGE')
- expect(secure_analyzers_prefix['options']).to be_nil
+ secure_analyzers = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
+ expect(secure_analyzers['type']).to eq('string')
+ expect(secure_analyzers['field']).to eq('SECURE_ANALYZERS_PREFIX')
+ expect(secure_analyzers['label']).to eq('Image prefix')
+ expect(secure_analyzers['defaultValue']).to eq(secure_analyzers_prefix)
+ expect(secure_analyzers['value']).to eq(secure_analyzers_prefix)
+ expect(secure_analyzers['size']).to eq('LARGE')
+ expect(secure_analyzers['options']).to be_nil
end
it "returns the project's sast configuration for pipeline variables" do
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index 3a10ce1a30e..bf682e4e4c6 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -435,7 +435,7 @@ RSpec.describe Gitlab::GitAccess do
it 'disallows users with expired password to pull' do
project.add_maintainer(user)
- user.update!(password_expires_at: 2.minutes.ago)
+ user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
end
@@ -987,7 +987,7 @@ RSpec.describe Gitlab::GitAccess do
end
it 'disallows users with expired password to push' do
- user.update!(password_expires_at: 2.minutes.ago)
+ user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
end
diff --git a/spec/lib/gitlab/lfs_token_spec.rb b/spec/lib/gitlab/lfs_token_spec.rb
index 4b40e8960b2..a8472062f03 100644
--- a/spec/lib/gitlab/lfs_token_spec.rb
+++ b/spec/lib/gitlab/lfs_token_spec.rb
@@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
end
context 'when the user password is expired' do
- let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
+ let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
it 'returns false' do
expect(lfs_token.token_valid?(lfs_token.token)).to be false
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 62c482baa44..6cc7e78fbd0 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -5275,11 +5275,43 @@ RSpec.describe User do
end
describe '#password_expired_if_applicable?' do
- let(:user) { build(:user, password_expires_at: password_expires_at) }
+ let(:user) { build(:user, password_expires_at: password_expires_at, password_automatically_set: set_automatically?) }
subject { user.password_expired_if_applicable? }
context 'when user is not ldap user' do
+ context 'when user has password set automatically' do
+ let(:set_automatically?) { true }
+
+ context 'when password_expires_at is not set' do
+ let(:password_expires_at) {}
+
+ it 'returns false' do
+ is_expected.to be_falsey
+ end
+ end
+
+ context 'when password_expires_at is in the past' do
+ let(:password_expires_at) { 1.minute.ago }
+
+ it 'returns true' do
+ is_expected.to be_truthy
+ end
+ end
+
+ context 'when password_expires_at is in the future' do
+ let(:password_expires_at) { 1.minute.from_now }
+
+ it 'returns false' do
+ is_expected.to be_falsey
+ end
+ end
+ end
+ end
+
+ context 'when user has password not set automatically' do
+ let(:set_automatically?) { false }
+
context 'when password_expires_at is not set' do
let(:password_expires_at) {}
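Review bot: The two consecutive `end`s that close the new 'when user has password set automatically' block appear to also close 'when user is not ldap user', which would make the following 'when user has password not set automatically' context a sibling of the ldap context rather than nested inside it; indentation is not visible here, so please check the nesting. If that is the case, the description of the not-automatic cases no longer says they are for a non-LDAP user, and the pre-existing closing `end` outside the hunk now terminates the wrong context. Moving one `end` below the 'not set automatically' block would keep both branches under 'when user is not ldap user'.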
@@ -5291,8 +5323,8 @@ RSpec.describe User do
context 'when password_expires_at is in the past' do
let(:password_expires_at) { 1.minute.ago }
- it 'returns true' do
- is_expected.to be_truthy
+ it 'returns false' do
+ is_expected.to be_falsey
end
end
@@ -5336,6 +5368,34 @@ RSpec.describe User do
end
end
end
+
+ context 'when user is a project bot' do
+ let(:user) { build(:user, :project_bot, password_expires_at: password_expires_at) }
+
+ context 'when password_expires_at is not set' do
+ let(:password_expires_at) {}
+
+ it 'returns false' do
+ is_expected.to be_falsey
+ end
+ end
+
+ context 'when password_expires_at is in the past' do
+ let(:password_expires_at) { 1.minute.ago }
+
+ it 'returns false' do
+ is_expected.to be_falsey
+ end
+ end
+
+ context 'when password_expires_at is in the future' do
+ let(:password_expires_at) { 1.minute.from_now }
+
+ it 'returns false' do
+ is_expected.to be_falsey
+ end
+ end
+ end
end
describe '#read_only_attribute?' do
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 85026ced466..122612df355 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -249,7 +249,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do
before do
- current_user.update!(password_expires_at: 2.minutes.ago)
+ current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end
it { is_expected.not_to be_allowed(:access_api) }
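Review bot: The adjusted setup only keeps the existing negative case; the behaviour this commit actually introduces, an expired `password_expires_at` on a password that was not automatically set no longer blocking `:access_api`, has no policy-level example, so a future change that re-tightens or loosens the guard would go unnoticed here. I'd add a sibling context with `current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: false)` and `it { is_expected.to be_allowed(:access_api) }`. The same counterpart is missing for the `:access_git` and `:use_slash_commands` hunks below.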
@@ -445,7 +445,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do
before do
- current_user.update!(password_expires_at: 2.minutes.ago)
+ current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end
it { is_expected.not_to be_allowed(:access_git) }
@@ -537,7 +537,7 @@ RSpec.describe GlobalPolicy do
context 'user with expired password' do
before do
- current_user.update!(password_expires_at: 2.minutes.ago)
+ current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
end
it { is_expected.not_to be_allowed(:use_slash_commands) }
diff --git a/spec/requests/git_http_spec.rb b/spec/requests/git_http_spec.rb
index 40005596c3e..b80b3f4e159 100644
--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -61,7 +61,7 @@ RSpec.describe 'Git HTTP requests' do
shared_examples 'operations are not allowed with expired password' do
context "when password is expired" do
it "responds to downloads with status 401 Unauthorized" do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: user.username, password: user.password) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
@@ -69,7 +69,7 @@ RSpec.describe 'Git HTTP requests' do
end
it "responds to uploads with status 401 Unauthorized" do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
upload(path, user: user.username, password: user.password) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
@@ -614,7 +614,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to downloads with status 401 unauthorized" do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, **env) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
@@ -697,7 +697,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to uploads with status 401 unauthorized" do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
@@ -920,7 +920,7 @@ RSpec.describe 'Git HTTP requests' do
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: 'gitlab-ci-token', password: build.token) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
@@ -1215,7 +1215,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to downloads with status 401 unauthorized" do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, **env) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
@@ -1298,7 +1298,7 @@ RSpec.describe 'Git HTTP requests' do
context "when password is expired" do
it "responds to uploads with status 401 unauthorized" do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
@@ -1521,7 +1521,7 @@ RSpec.describe 'Git HTTP requests' do
context 'when users password is expired' do
it 'rejects pulls with 401 unauthorized' do
- user.update!(password_expires_at: 2.days.ago)
+ user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
download(path, user: 'gitlab-ci-token', password: build.token) do |response|
expect(response).to have_gitlab_http_status(:unauthorized)
diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb
index 975026c724e..833889431e9 100644
--- a/spec/requests/lfs_http_spec.rb
+++ b/spec/requests/lfs_http_spec.rb
@@ -126,7 +126,7 @@ RSpec.describe 'Git LFS API and storage' do
it_behaves_like 'LFS http 200 blob response'
context 'when user password is expired' do
- let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+ let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
it_behaves_like 'LFS http 401 response'
end
@@ -344,7 +344,7 @@ RSpec.describe 'Git LFS API and storage' do
end
context 'when user password is expired' do
- let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+ let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
let(:role) { :reporter}
@@ -958,7 +958,7 @@ RSpec.describe 'Git LFS API and storage' do
it_behaves_like 'LFS http 200 workhorse response'
context 'when user password is expired' do
- let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
+ let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
it_behaves_like 'LFS http 401 response'
end
diff --git a/spec/services/security/ci_configuration/sast_parser_service_spec.rb b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
index 4fe99f20879..4346d0a9e07 100644
--- a/spec/services/security/ci_configuration/sast_parser_service_spec.rb
+++ b/spec/services/security/ci_configuration/sast_parser_service_spec.rb
@@ -3,11 +3,13 @@
require 'spec_helper'
RSpec.describe Security::CiConfiguration::SastParserService do
+ include Ci::TemplateHelpers
+
describe '#configuration' do
include_context 'read ci configuration for sast enabled project'
let(:configuration) { described_class.new(project).configuration }
- let(:secure_analyzers_prefix) { configuration['global'][0] }
+ let(:secure_analyzers) { configuration['global'][0] }
let(:sast_excluded_paths) { configuration['global'][1] }
let(:sast_pipeline_stage) { configuration['pipeline'][0] }
let(:sast_search_max_depth) { configuration['pipeline'][1] }
@@ -16,7 +18,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
let(:sast_brakeman_level) { brakeman['variables'][0] }
it 'parses the configuration for SAST' do
- expect(secure_analyzers_prefix['default_value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
+ expect(secure_analyzers['default_value']).to eql(secure_analyzers_prefix)
expect(sast_excluded_paths['default_value']).to eql('spec, test, tests, tmp')
expect(sast_pipeline_stage['default_value']).to eql('test')
expect(sast_search_max_depth['default_value']).to eql('4')
@@ -28,7 +30,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
context 'when .gitlab-ci.yml is present' do
it 'populates the current values from the file' do
allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_content)
- expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers2')
+ expect(secure_analyzers['value']).to eql("registry.gitlab.com/gitlab-org/security-products/analyzers2")
expect(sast_excluded_paths['value']).to eql('spec, executables')
expect(sast_pipeline_stage['value']).to eql('our_custom_security_stage')
expect(sast_search_max_depth['value']).to eql('8')
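Review bot: The `analyzers2` expectation switched from single to double quotes although the string has no interpolation or escapes, while every neighbouring literal in this block keeps single quotes; it reads as an accidental inconsistency rather than a deliberate change. Keep it as `expect(secure_analyzers['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers2')` so the rename is the only diff on that line.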
@@ -50,7 +52,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
context 'when .gitlab-ci.yml is absent' do
it 'populates the current values with the default values' do
allow(project.repository).to receive(:blob_data_at).and_return(nil)
- expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
+ expect(secure_analyzers['value']).to eql(secure_analyzers_prefix)
expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp')
expect(sast_pipeline_stage['value']).to eql('test')
expect(sast_search_max_depth['value']).to eql('4')
@@ -67,7 +69,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
end
it 'populates the current values with the default values' do
- expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
+ expect(secure_analyzers['value']).to eql(secure_analyzers_prefix)
expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp')
expect(sast_pipeline_stage['value']).to eql('test')
expect(sast_search_max_depth['value']).to eql('4')
diff --git a/spec/support/helpers/ci/template_helpers.rb b/spec/support/helpers/ci/template_helpers.rb
new file mode 100644
index 00000000000..7bab58a574e
--- /dev/null
+++ b/spec/support/helpers/ci/template_helpers.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Ci
+ module TemplateHelpers
+ def secure_analyzers_prefix
+ 'registry.gitlab.com/gitlab-org/security-products/analyzers'
+ end
+ end
+end
+
+Ci::TemplateHelpers.prepend_mod
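Review bot: The new helper is a method rather than a constant and is closed with `prepend_mod`, which suggests an EE override is expected, but nothing in the file says so or ties the value to the SAST template it is meant to mirror, so the next person may "simplify" it into a constant or drift the literal. I'd add above the method: `# Default SECURE_ANALYZERS_PREFIX expected from the SAST CI template; kept as a method so an EE module can override it via prepend_mod.` Since several specs now compare against this single value instead of a literal, a mismatch with the template default will still surface as a test failure, which is the right place to catch a registry change.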