author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-26 00:09:19 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-11-26 00:09:19 +0300 |
commit | 53b40a871dc13d9c1d743b1f57fcf50eceb0a64f (patch) | |
tree | 89dcf6d8dd885bfd5d0f3f15e6a5b99e0073b671 | |
parent | d612723c35d7fdaeb8b09e91232053e04850c2ae (diff) |
Add latest changes from gitlab-org/gitlab@master
-rw-r--r-- | .gitlab/merge_request_templates/Security Release.md | 4 | ||||
-rw-r--r-- | app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js | 19 | ||||
-rw-r--r-- | app/controllers/concerns/lfs_request.rb | 3 | ||||
-rw-r--r-- | app/services/clusters/agents/refresh_authorization_service.rb | 6 | ||||
-rw-r--r-- | doc/user/clusters/agent/ci_cd_workflow.md | 3 | ||||
-rw-r--r-- | lib/api/api.rb | 2 | ||||
-rw-r--r-- | lib/api/clusters/agent_tokens.rb | 3 | ||||
-rw-r--r-- | lib/api/entities/event.rb | 16 | ||||
-rw-r--r-- | lib/api/entities/push_event_payload.rb | 10 | ||||
-rw-r--r-- | lib/api/events.rb | 14 | ||||
-rw-r--r-- | spec/requests/api/clusters/agent_tokens_spec.rb | 15 | ||||
-rw-r--r-- | spec/requests/api/groups_spec.rb | 2 | ||||
-rw-r--r-- | spec/requests/lfs_http_spec.rb | 15 | ||||
-rw-r--r-- | spec/services/clusters/agents/refresh_authorization_service_spec.rb | 10 |
14 files changed, 86 insertions, 36 deletions
diff --git a/.gitlab/merge_request_templates/Security Release.md b/.gitlab/merge_request_templates/Security Release.md index 93912f5cefb..334bcb16023 100644 --- a/.gitlab/merge_request_templates/Security Release.md +++ b/.gitlab/merge_request_templates/Security Release.md @@ -25,7 +25,7 @@ See [the general developer security release guidelines](https://gitlab.com/gitla - [ ] For a backport MR targeting a versioned stable branch (`X-Y-stable-ee`). - [ ] Milestone is set to the version this backport applies to. A closed milestone can be assigned via [quick actions]. - [ ] Ensure it's approved by a maintainer. -- [ ] Ensure this issue and all related MRs have a `~severity::x` label +- [ ] Ensure this merge request and the related security issue have a `~severity::x` label **Note:** Reviewer/maintainer should not be a Release Manager. @@ -33,7 +33,7 @@ See [the general developer security release guidelines](https://gitlab.com/gitla - [ ] Correct milestone is applied and the title is matching across all backports. - [ ] Assigned (_not_ as reviewer) to `@gitlab-release-tools-bot` with passing CI pipelines. -- [ ] Correct `~severity::x` label is applied to this issue and all related MRs +- [ ] Correct `~severity::x` label is applied to this merge request and the related security issue. /label ~security diff --git a/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js b/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js index 2e295f7565b..f9f4e981863 100644 --- a/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js +++ b/app/assets/javascripts/vue_shared/components/filtered_search_bar/constants.js 
@@ -27,23 +27,16 @@ export const OPERATORS_IS_NOT_OR = [...OPERATORS_IS, ...OPERATORS_NOT, ...OPERAT export const OPTION_NONE = { value: FILTER_NONE, text: __('None'), title: __('None') }; export const OPTION_ANY = { value: FILTER_ANY, text: __('Any'), title: __('Any') }; export const OPTION_CURRENT = { value: FILTER_CURRENT, text: __('Current') }; - -export const OPTIONS_NONE_ANY = [OPTION_NONE, OPTION_ANY]; - -export const DEFAULT_MILESTONE_UPCOMING = { +export const OPTION_STARTED = { value: FILTER_STARTED, text: __('Started'), title: __('Started') }; +export const OPTION_UPCOMING = { value: FILTER_UPCOMING, text: __('Upcoming'), title: __('Upcoming'), }; -export const DEFAULT_MILESTONE_STARTED = { - value: FILTER_STARTED, - text: __('Started'), - title: __('Started'), -}; -export const DEFAULT_MILESTONES = OPTIONS_NONE_ANY.concat([ - DEFAULT_MILESTONE_UPCOMING, - DEFAULT_MILESTONE_STARTED, -]); + +export const OPTIONS_NONE_ANY = [OPTION_NONE, OPTION_ANY]; + +export const DEFAULT_MILESTONES = OPTIONS_NONE_ANY.concat([OPTION_UPCOMING, OPTION_STARTED]); export const SORT_DIRECTION = { descending: 'descending', diff --git a/app/controllers/concerns/lfs_request.rb b/app/controllers/concerns/lfs_request.rb index 97df3c7caea..8acbba0621b 100644 --- a/app/controllers/concerns/lfs_request.rb +++ b/app/controllers/concerns/lfs_request.rb @@ -85,8 +85,7 @@ module LfsRequest def deploy_token_can_download_code? deploy_token.present? && - deploy_token.project == project && - deploy_token.active? && + deploy_token.has_access_to?(project) && deploy_token.read_repository? end diff --git a/app/services/clusters/agents/refresh_authorization_service.rb b/app/services/clusters/agents/refresh_authorization_service.rb index 54b90a7304c..53b14ab54da 100644 --- a/app/services/clusters/agents/refresh_authorization_service.rb +++ b/app/services/clusters/agents/refresh_authorization_service.rb 
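Review bot: `deploy_token_can_download_code?` in the lfs_request.rb hunk no longer calls `deploy_token.active?`; the replaced conjunction `deploy_token.project == project && deploy_token.active?` becomes `deploy_token.has_access_to?(project)`, so expiry and revocation of the token are enforced only if `has_access_to?` does it, and that method is not in this diff. Because this predicate gates LFS downloads for deploy tokens, confirm that `DeployToken#has_access_to?` checks `active?`; if it does not, keep the check explicitly, `deploy_token.has_access_to?(project) && deploy_token.active? &&`. The lfs_http_spec hunk adds unrelated-group and parent-group cases but no expired or revoked deploy token case through this path, which is the case the removed line used to cover. Once confirmed, a comment such as `# has_access_to? also requires the token to be active (not expired or revoked)` above the call would record the contract this method now depends on.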
@@ -83,11 +83,7 @@ module Clusters end def allowed_projects - if group_root_ancestor? - root_ancestor.all_projects - else - ::Project.id_in(project.id) - end + root_ancestor.all_projects end def allowed_groups diff --git a/doc/user/clusters/agent/ci_cd_workflow.md b/doc/user/clusters/agent/ci_cd_workflow.md index 454be3c53c7..7645398e84e 100644 --- a/doc/user/clusters/agent/ci_cd_workflow.md +++ b/doc/user/clusters/agent/ci_cd_workflow.md @@ -60,6 +60,7 @@ Authorization configuration can take one or two minutes to propagate. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/327850) in GitLab 14.4. > - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/346566) to remove hierarchy restrictions in GitLab 15.6. +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/issues/356831) to allow authorizing projects in a user namespace in GitLab 15.7. To authorize the agent to access the GitLab project where you keep Kubernetes manifests: @@ -73,7 +74,7 @@ To authorize the agent to access the GitLab project where you keep Kubernetes ma - id: path/to/project ``` - - Authorized projects must have the same root group as the agent's configuration project. + - Authorized projects must have the same root group or user namespace as the agent's configuration project. - You can install additional agents into the same cluster to accommodate additional hierarchies. - You can authorize up to 100 projects. diff --git a/lib/api/api.rb b/lib/api/api.rb index 2a671c240cb..8bc01cef625 100644 --- a/lib/api/api.rb +++ b/lib/api/api.rb @@ -202,6 +202,7 @@ module API mount ::API::Environments mount ::API::ErrorTracking::ClientKeys mount ::API::ErrorTracking::ProjectSettings + mount ::API::Events mount ::API::FeatureFlags mount ::API::FeatureFlagsUserLists mount ::API::Features 
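Review bot: `allowed_projects` now returns `root_ancestor.all_projects` regardless of whether the root ancestor is a group or a user namespace, so a configuration project in a user namespace can authorize every project under that user; the doc hunk describes this as intended, but nothing in the method says so. A comment such as `# Any project under the agent's root namespace (group or user namespace) may be authorized` would make the widening visible to the next reader. The removed branch was the only visible caller of `group_root_ancestor?`; if `allowed_groups`, whose body lies outside the hunk, does not use it either, the predicate may now be dead code. The enclosing class continues outside the hunk.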
@@ -294,7 +295,6 @@ module API mount ::API::DebianProjectPackages mount ::API::Discussions mount ::API::ErrorTracking::Collector - mount ::API::Events mount ::API::GenericPackages mount ::API::GroupBoards mount ::API::GroupDebianDistributions diff --git a/lib/api/clusters/agent_tokens.rb b/lib/api/clusters/agent_tokens.rb index 04e9d421228..68eef21903d 100644 --- a/lib/api/clusters/agent_tokens.rb +++ b/lib/api/clusters/agent_tokens.rb @@ -84,8 +84,7 @@ module API authorize! :admin_cluster, user_project agent = ::Clusters::AgentsFinder.new(user_project, current_user).find(params[:agent_id]) - - token = agent.agent_tokens.find(params[:token_id]) + token = ::Clusters::AgentTokensFinder.new(agent, current_user).find(params[:token_id]) # Skipping explicit error handling and relying on exceptions token.revoked! diff --git a/lib/api/entities/event.rb b/lib/api/entities/event.rb index f750d728e03..e81e89a8393 100644 --- a/lib/api/entities/event.rb +++ b/lib/api/entities/event.rb 
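Review bot: In the agent_tokens.rb hunk, `token.revoked!` two lines below still relies on the lookup raising for an unknown id, as `agent.agent_tokens.find` did; if `::Clusters::AgentTokensFinder#find` returns nil for an unknown or inaccessible token instead, the call becomes a NoMethodError rather than the 404 that the existing "returns a 404 error when revoking non existent agent token" spec expects. The finder is outside this diff, so confirm it raises `ActiveRecord::RecordNotFound`, or guard explicitly with `not_found!('AgentToken') unless token`. The retained comment `# Skipping explicit error handling and relying on exceptions` should name the exception it relies on, e.g. `# Relies on AgentTokensFinder#find raising ActiveRecord::RecordNotFound for unknown or inaccessible tokens`. The enclosing endpoint block continues outside the hunk.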
@@ -3,11 +3,15 @@ module API module Entities class Event < Grape::Entity - expose :id - expose :project_id, :action_name - expose :target_id, :target_iid, :target_type, :author_id - expose :target_title - expose :created_at + expose :id, documentation: { type: 'integer', example: 1 } + expose :project_id, documentation: { type: 'integer', example: 2 } + expose :action_name, documentation: { type: 'string', example: 'closed' } + expose :target_id, documentation: { type: 'integer', example: 160 } + expose :target_iid, documentation: { type: 'integer', example: 157 } + expose :target_type, documentation: { type: 'string', example: 'Issue' } + expose :author_id, documentation: { type: 'integer', example: 25 } + expose :target_title, documentation: { type: 'string', example: 'Public project search field' } + expose :created_at, documentation: { type: 'string', example: '2017-02-09T10:43:19.667Z' } expose :note, using: Entities::Note, if: ->(event, options) { event.note? } expose :author, using: Entities::UserBasic, if: ->(event, options) { event.author } expose :wiki_page, using: Entities::WikiPageBasic, if: ->(event, _options) { event.wiki_page? } @@ -17,7 +21,7 @@ module API using: Entities::PushEventPayload, if: -> (event, _) { event.push_action? } - expose :author_username do |event, options| + expose :author_username, documentation: { type: 'string', example: 'root' } do |event, options| event.author&.username end end diff --git a/lib/api/entities/push_event_payload.rb b/lib/api/entities/push_event_payload.rb index 6aad5f10177..2d8f0d9344c 100644 --- a/lib/api/entities/push_event_payload.rb +++ b/lib/api/entities/push_event_payload.rb 
@@ -3,8 +3,14 @@ module API module Entities class PushEventPayload < Grape::Entity - expose :commit_count, :action, :ref_type, :commit_from, :commit_to, :ref, - :commit_title, :ref_count + expose :commit_count, documentation: { type: 'integer', example: 1 } + expose :action, documentation: { type: 'string', example: 'pushed' } + expose :ref_type, documentation: { type: 'string', example: 'branch' } + expose :commit_from, documentation: { type: 'string', example: '50d4420237a9de7be1304607147aec22e4a14af7' } + expose :commit_to, documentation: { type: 'string', example: 'c5feabde2d8cd023215af4d2ceeb7a64839fc428' } + expose :ref, documentation: { type: 'string', example: 'master' } + expose :commit_title, documentation: { type: 'string', example: 'Add simple search to projects in public area' } + expose :ref_count, documentation: { type: 'integer', example: 1 } end end end diff --git a/lib/api/events.rb b/lib/api/events.rb index 0a0141484ef..d3e8892f3bc 100644 --- a/lib/api/events.rb +++ b/lib/api/events.rb @@ -15,8 +15,15 @@ module API desc "List currently authenticated user's events" do detail 'This feature was introduced in GitLab 9.3.' success Entities::Event + is_array true + failure [ + { code: 401, message: 'Unauthorized' } + ] end params do + optional :scope, type: String, + desc: 'Include all events across a user’s projects', + documentation: { example: 'all' } use :pagination use :event_filter_params use :sort_params @@ -32,12 +39,17 @@ module API end params do - requires :id, type: String, desc: 'The ID or Username of the user' + requires :id, type: String, desc: 'The ID or username of the user' end resource :users do desc 'Get the contribution events of a specified user' do detail 'This feature was introduced in GitLab 8.13.' success Entities::Event + tags %w[events] + is_array true + failure [ + { code: 404, message: 'Not found' } + ] end params do use :pagination 
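Review bot: The new `optional :scope, type: String` parameter in the events.rb hunk accepts any string; if `all` is the only meaningful value, as the `documentation: { example: 'all' }` suggests, declaring `optional :scope, type: String, values: %w[all], desc: ...` would reject other inputs at the API boundary instead of passing them through. The two `desc` blocks are also inconsistent after this change: the users endpoint gains `tags %w[events]` while the authenticated-user endpoint does not, so the generated OpenAPI output will group the two differently. `is_array true` and `failure` are added to both, so `tags` is the only omission. Both resource blocks continue outside the hunk.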
diff --git a/spec/requests/api/clusters/agent_tokens_spec.rb b/spec/requests/api/clusters/agent_tokens_spec.rb index 7b9aed80e9d..ecf94ef7c50 100644 --- a/spec/requests/api/clusters/agent_tokens_spec.rb +++ b/spec/requests/api/clusters/agent_tokens_spec.rb @@ -181,6 +181,21 @@ RSpec.describe API::Clusters::AgentTokens do expect(agent_token_one.reload).to be_revoked end + it 'returns a success response when revoking an already revoked agent token', :aggregate_failures do + delete api("/projects/#{project.id}/cluster_agents/#{agent.id}/tokens/#{revoked_agent_token.id}", user) + + expect(response).to have_gitlab_http_status(:no_content) + expect(revoked_agent_token.reload).to be_revoked + end + + it 'returns a 404 error when given agent_id does not exist' do + path = "/projects/#{project.id}/cluster_agents/#{non_existing_record_id}/tokens/#{non_existing_record_id}" + + delete api(path, user) + + expect(response).to have_gitlab_http_status(:not_found) + end + it 'returns a 404 error when revoking non existent agent token' do delete api("/projects/#{project.id}/cluster_agents/#{agent.id}/tokens/#{non_existing_record_id}", user) diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index ce6140d8da8..c94bc1e1bac 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -1236,7 +1236,7 @@ RSpec.describe API::Groups do expect(json_response.length).to eq(6) end - it 'avoids N+1 queries', :use_sql_query_cache do + it 'avoids N+1 queries', :use_sql_query_cache, quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/383788' do control = ActiveRecord::QueryRecorder.new(skip_cached: false) do get api("/groups/#{group1.id}/projects", user1), params: { include_subgroups: true } end diff --git a/spec/requests/lfs_http_spec.rb b/spec/requests/lfs_http_spec.rb index 310ee24c2a8..c072e6d48db 100644 --- a/spec/requests/lfs_http_spec.rb +++ b/spec/requests/lfs_http_spec.rb 
@@ -378,6 +378,21 @@ RSpec.describe 'Git LFS API and storage' do it_behaves_like 'LFS http 401 response' end + context 'when deploy token is from an unrelated group to the project' do + let(:group) { create(:group) } + let(:deploy_token) { create(:deploy_token, :group, groups: [group]) } + + it_behaves_like 'LFS http 401 response' + end + + context 'when deploy token is from a parent group of the project and valid' do + let(:group) { create(:group) } + let(:project) { create(:project, group: group) } + let(:deploy_token) { create(:deploy_token, :group, groups: [group]) } + + it_behaves_like 'an authorized request', renew_authorization: false + end + # TODO: We should fix this test case that causes flakyness by alternating the result of the above test cases. context 'when Deploy Token is valid' do let(:deploy_token) { create(:deploy_token, projects: [project]) } diff --git a/spec/services/clusters/agents/refresh_authorization_service_spec.rb b/spec/services/clusters/agents/refresh_authorization_service_spec.rb index 09bec7ae0e8..fa38bc202e7 100644 --- a/spec/services/clusters/agents/refresh_authorization_service_spec.rb +++ b/spec/services/clusters/agents/refresh_authorization_service_spec.rb @@ -113,6 +113,16 @@ RSpec.describe Clusters::Agents::RefreshAuthorizationService do expect(modified_authorization.config).to eq({ 'default_namespace' => 'new-namespace' }) end + context 'project does not belong to a group, and is in the same namespace as the agent' do + let(:root_ancestor) { create(:namespace) } + let(:added_project) { create(:project, namespace: root_ancestor) } + + it 'creates an authorization record for the project' do + expect(subject).to be_truthy + expect(agent.authorized_projects).to contain_exactly(added_project) + end + end + context 'project does not belong to a group, and is authorizing itself' do let(:root_ancestor) { create(:namespace) } let(:added_project) { project } |