diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-08-11 21:11:57 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-08-11 21:11:57 +0300 |
| commit | 603ee53dbdbd3adaced752e1a119eb40d64e9979 (patch) | |
| tree | 7c3e912fe4c02ea464063a4a224b02bbcdeea580 | |
| parent | c79523e3952dad31a9ab8ccbb9e38466fec3aec3 (diff) | |
Add latest changes from gitlab-org/gitlab@master
53 files changed, 531 insertions, 264 deletions
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 9a936a6ed12..f04d527d2fc 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -f20b8259797f3a1f3b59142c9789af97fcb0f69f +ac315ef254b265af5323387a1df1abb5d57daa95 diff --git a/app/assets/javascripts/related_issues/constants.js b/app/assets/javascripts/related_issues/constants.js index 72b8e70cdff..23ea93cd258 100644 --- a/app/assets/javascripts/related_issues/constants.js +++ b/app/assets/javascripts/related_issues/constants.js @@ -136,7 +136,7 @@ export const issuablesFormCategoryHeaderTextMap = { }; export const issuablesFormInputTextMap = { - [issuableTypesMap.ISSUE]: __('the following issue(s)'), - [issuableTypesMap.INCIDENT]: __('the following incident(s) or issue(s)'), - [issuableTypesMap.EPIC]: __('the following epic(s)'), + [issuableTypesMap.ISSUE]: __('the following issues'), + [issuableTypesMap.INCIDENT]: __('the following incidents or issues'), + [issuableTypesMap.EPIC]: __('the following epics'), }; diff --git a/app/controllers/projects_controller.rb b/app/controllers/projects_controller.rb index 3f844e9ed06..a9391159541 100644 --- a/app/controllers/projects_controller.rb +++ b/app/controllers/projects_controller.rb @@ -46,6 +46,10 @@ class ProjectsController < Projects::ApplicationController push_frontend_feature_flag(:work_items_hierarchy, @project) end + before_action only: :edit do + push_frontend_feature_flag(:split_operations_visibility_permissions, @project) + end + layout :determine_layout feature_category :projects, [ @@ -416,10 +420,19 @@ class ProjectsController < Projects::ApplicationController pages_access_level metrics_dashboard_access_level analytics_access_level - operations_access_level security_and_compliance_access_level container_registry_access_level - ] + ] + operations_feature_attributes + end + + def operations_feature_attributes + if Feature.enabled?(:split_operations_visibility_permissions, project) + %i[ + environments_access_level feature_flags_access_level + ] + else + %i[operations_access_level] + end end def project_setting_attributes diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb index 75622e7430c..b257d9896a2 100644 --- a/app/helpers/projects_helper.rb +++ b/app/helpers/projects_helper.rb @@ -640,7 +640,8 @@ module ProjectsHelper enforceAuthChecksOnUploads: project.enforce_auth_checks_on_uploads?, securityAndComplianceAccessLevel: project.security_and_compliance_access_level, containerRegistryAccessLevel: feature.container_registry_access_level, - environmentsAccessLevel: feature.environments_access_level + environmentsAccessLevel: feature.environments_access_level, + featureFlagsAccessLevel: feature.feature_flags_access_level } end diff --git a/app/models/concerns/project_features_compatibility.rb b/app/models/concerns/project_features_compatibility.rb index 65b1cf023ec..8f87e8b3f22 100644 --- a/app/models/concerns/project_features_compatibility.rb +++ b/app/models/concerns/project_features_compatibility.rb @@ -98,6 +98,10 @@ module ProjectFeaturesCompatibility write_feature_attribute_string(:environments_access_level, value) end + def feature_flags_access_level=(value) + write_feature_attribute_string(:feature_flags_access_level, value) + end + # TODO: Remove this method after we drop support for project create/edit APIs to set the # container_registry_enabled attribute. They can instead set the container_registry_access_level # attribute. diff --git a/app/models/project.rb b/app/models/project.rb index e7161053705..eb7cfe9a2fc 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -451,7 +451,7 @@ class Project < ApplicationRecord :repository_access_level, :package_registry_access_level, :pages_access_level, :metrics_dashboard_access_level, :analytics_access_level, :operations_access_level, :security_and_compliance_access_level, - :container_registry_access_level, :environments_access_level, + :container_registry_access_level, :environments_access_level, :feature_flags_access_level, to: :project_feature, allow_nil: true delegate :show_default_award_emojis, :show_default_award_emojis=, diff --git a/app/models/project_feature.rb b/app/models/project_feature.rb index 30d871a2756..82d98496b6b 100644 --- a/app/models/project_feature.rb +++ b/app/models/project_feature.rb @@ -22,6 +22,7 @@ class ProjectFeature < ApplicationRecord container_registry package_registry environments + feature_flags ].freeze EXPORTABLE_FEATURES = (FEATURES - [:security_and_compliance, :pages]).freeze diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index a36aa5721f2..c2bea7436eb 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -210,6 +210,7 @@ class ProjectPolicy < BasePolicy operations security_and_compliance environments + feature_flags ] features.each do |f| @@ -389,6 +390,12 @@ class ProjectPolicy < BasePolicy prevent(*create_read_update_admin_destroy(:deployment)) end + rule { split_operations_visibility_permissions & feature_flags_disabled }.policy do + prevent(*create_read_update_admin_destroy(:feature_flag)) + prevent(:admin_feature_flags_user_lists) + prevent(:admin_feature_flags_client) + end + rule { can?(:metrics_dashboard) }.policy do enable :read_prometheus enable :read_deployment diff --git a/app/views/shared/members/_requests.html.haml b/app/views/shared/members/_requests.html.haml index ec08dde37bf..98e2c6c43b1 100644 --- a/app/views/shared/members/_requests.html.haml +++ b/app/views/shared/members/_requests.html.haml @@ -5,15 +5,16 @@ - return if requesters.empty? -.card.gl-mt-3{ data: { testid: 'access-requests' } } - .card-header - = _("Users requesting access to") += render Pajamas::CardComponent.new(card_options: { class: 'gl-mt-3 gl-mb-5', data: { testid: 'access-requests' } }, body_options: { class: 'gl-p-0' }) do |c| + - c.header do + = _('Users requesting access to') %strong= membership_source.name = gl_badge_tag requesters.size = render 'shared/members/manage_access_button', path: membership_source.is_a?(Project) ? project_project_members_path(@project, tab: 'access_requests') : group_group_members_path(@group, tab: 'access_requests') - %ul.content-list.members-list - = render partial: 'shared/members/member', - collection: requesters, as: :member, - locals: { membership_source: membership_source, + - c.body do + %ul.content-list.members-list + = render partial: 'shared/members/member', + collection: requesters, as: :member, + locals: { membership_source: membership_source, group: group, current_user_is_group_owner: current_user_is_group_owner } diff --git a/config/initializers/00_deprecations.rb b/config/initializers/00_deprecations.rb index 9cba0a90541..bfbd57c99fe 100644 --- a/config/initializers/00_deprecations.rb +++ b/config/initializers/00_deprecations.rb @@ -25,7 +25,9 @@ rails7_deprecation_warnings = [ # https://gitlab.com/gitlab-org/gitlab/-/issues/342492 /Rendering actions with '\.' in the name is deprecated/, # https://gitlab.com/gitlab-org/gitlab/-/issues/333086 - /default_hash is deprecated/ + /default_hash is deprecated/, + # https://gitlab.com/gitlab-org/gitlab/-/issues/369970 + /Passing an Active Record object to `\w+` directly is deprecated/ ] ActiveSupport::Deprecation.disallowed_warnings.concat rails7_deprecation_warnings diff --git a/config/locales/devise.zh-cn.yml b/config/locales/devise.zh-cn.yml new file mode 100644 index 00000000000..2a74df865f0 --- /dev/null +++ b/config/locales/devise.zh-cn.yml @@ -0,0 +1,70 @@ +# Additional translations at https://github.com/plataformatec/devise/wiki/I18n + +zh-CN: + devise: + confirmations: + confirmed: "您的电子邮件地址已成功确认。" + send_instructions: "您将收到一封电子邮件,说明如何在几分钟内确认您的电子邮件地址。" + send_paranoid_instructions: "如果您的电子邮件地址存在于我们的数据库中,您将在几分钟内收到一封电子邮件,其中包含如何确认您的电子邮件地址的说明。" + failure: + already_authenticated: "您已经登录。" + inactive: "您的帐户尚未激活。" + invalid: "无效的登录信息或密码。" + locked: "您的帐户已锁定。" + last_attempt: "在您的帐户被锁定之前,您还有一次尝试机会。" + not_found_in_database: "无效的登录信息或密码。" + timeout: "您的会话已过期,请重新登录。" + unauthenticated: "您需要先登录或注册,然后才能继续。" + unconfirmed: "在继续之前,您必须确认您的电子邮件地址。请检查您的电子邮件,获取我们发送给您的链接,或单击“重新发送确认电子邮件”。" + blocked: "您的帐户已被封禁。如果您认为存在错误,请联系您的管理员。" + forbidden: "您的帐户没有登录所需的权限。如果您认为存在错误,请联系您的管理员。" + blocked_pending_approval: "您的帐户正在等待管理员的批准,因此被阻止。如果您认为存在错误,请联系您的管理员。" + mailer: + confirmation_instructions: + subject: "确认说明" + reset_password_instructions: + subject: "重置密码说明" + unlock_instructions: + subject: "解锁说明" + password_change: + subject: "密码已更改" + password_change_by_admin: + subject: "密码已由管理员更改" + user_admin_approval: + subject: "欢迎使用极狐GitLab!" + omniauth_callbacks: + failure: "无法通过 %{kind} 对您进行身份验证,原因:\"%{reason}\"。" + success: "已成功通过 %{kind} 帐户进行身份验证。" + passwords: + no_token: "如果没有密码重置电子邮件,您将无法访问此页面。如果您确实从密码重置电子邮件访问此页面,请确保您使用了提供的完整 URL。" + send_instructions: "您将收到一封电子邮件,其中包含有关如何在几分钟内重置密码的说明。" + send_paranoid_instructions: "如果您的电子邮件地址存在于我们的数据库中,您将在几分钟后在您的电子邮件地址中收到一个密码恢复链接。" + updated: "您已成功更改密码。您现在已登录。" + updated_not_active: "您已成功更改密码。" + registrations: + destroyed: "再见!您的帐户已成功注销。我们希望很快再见到您。" + signed_up: "欢迎!您已成功注册。" + signed_up_but_inactive: "您已成功注册。但是,由于您的帐户尚未激活,我们无法让您登录。" + signed_up_but_locked: "您已成功注册。但是,由于您的帐户被锁定,我们无法让您登录。" + signed_up_but_unconfirmed: "带有确认链接的消息已发送到您的电子邮件地址。请点击链接激活您的帐户。" + signed_up_but_blocked_pending_approval: "您已成功注册。但是,由于您的帐户正在等待管理员的批准,我们无法让您登录。" + update_needs_confirmation: "您已成功更新您的帐户,但我们需要验证您的新电子邮件地址。请检查您的电子邮件并点击确认链接,确认您的新电子邮件地址。" + updated: "您的帐户已成功更新。" + sessions: + signed_in: "登录成功。" + signed_out: "登出成功。" + already_signed_out: "登出成功。" + unlocks: + send_instructions: "您将收到一封电子邮件,说明如何在几分钟内解锁您的帐户。" + send_paranoid_instructions: "如果您的帐户存在,您将在几分钟内收到一封电子邮件,其中包含如何解锁它的说明。" + unlocked: "您的帐户已成功解锁。请登录以继续。" + errors: + messages: + already_confirmed: "已确认,请尝试登录" + confirmation_period_expired: "需要在 %{period} 内确认,请在下方重新请求新的确认电子邮件" + expired: "已过期,请重新请求新的确认电子邮件" + not_found: "未找到" + not_locked: "未被锁定" + not_saved: + one: "发生 1 个错误,禁止保存此 %{resource}:" + other: "发生 %{count} 个错误,禁止保存此 %{resource}:" diff --git a/doc/administration/auditor_users.md b/doc/administration/auditor_users.md index d82683e1778..561aa5d7b2e 100644 --- a/doc/administration/auditor_users.md +++ b/doc/administration/auditor_users.md @@ -55,3 +55,9 @@ If you are signed in with auditor access, you: you can push commits or comment on issues. - Can access the same resources using the GitLab UI or API. - Can't view the Admin Area, or perform any administration actions. + +## Maintain auditor users using API + +> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/366404) in GitLab 15.3. + +Administrators can use the GitLab API to [create](../api/users.md#user-creation) and [modify](../api/users.md#user-modification) auditor users. diff --git a/doc/administration/geo/disaster_recovery/index.md b/doc/administration/geo/disaster_recovery/index.md index 76e2d7ae97d..0cae94fcec1 100644 --- a/doc/administration/geo/disaster_recovery/index.md +++ b/doc/administration/geo/disaster_recovery/index.md @@ -581,7 +581,7 @@ and after that you also need two extra steps. gitlab_rails['auto_migrate'] = false ``` - (For more details about these settings you can read [Configure the primary server](../setup/database.md#step-1-configure-the-primary-server)) + (For more details about these settings you can read [Configure the primary server](../setup/database.md#step-1-configure-the-primary-site)) 1. Save the file and reconfigure GitLab for the database listen changes and the replication slot changes to be applied: diff --git a/doc/administration/geo/setup/database.md b/doc/administration/geo/setup/database.md index 6c9ebb29116..8a919a0a269 100644 --- a/doc/administration/geo/setup/database.md +++ b/doc/administration/geo/setup/database.md @@ -8,7 +8,7 @@ type: howto # Geo database replication **(PREMIUM SELF)** This document describes the minimal required steps to replicate your primary -GitLab database to a secondary node's database. You may have to change some +GitLab database to a secondary site's database. You may have to change some values, based on attributes including your database's setup and size. NOTE: @@ -41,31 +41,31 @@ instructions on setting up replication with a Patroni cluster. ### PostgreSQL replication -The GitLab **primary** node where the write operations happen connects to -the **primary** database server, and **secondary** nodes +The GitLab **primary** site where the write operations happen connects to +the **primary** database server, and **secondary** sites connect to their own database servers (which are read-only). We recommend using [PostgreSQL replication slots](https://medium.com/@tk512/replication-slots-in-postgresql-b4b03d277c75) -to ensure that the **primary** node retains all the data necessary for the **secondary** nodes to +to ensure that the **primary** site retains all the data necessary for the **secondary** sites to recover. See below for more details. The following guide assumes that: - You are using Omnibus and therefore you are using PostgreSQL 12 or later which includes the [`pg_basebackup` tool](https://www.postgresql.org/docs/12/app-pgbasebackup.html). -- You have a **primary** node already set up (the GitLab server you are +- You have a **primary** site already set up (the GitLab server you are replicating from), running Omnibus' PostgreSQL (or equivalent version), and - you have a new **secondary** server set up with the same + you have a new **secondary** site set up with the same [versions of PostgreSQL](../index.md#requirements-for-running-geo), - OS, and GitLab on all nodes. + OS, and GitLab on all sites. WARNING: Geo works with streaming replication. Logical replication is not supported at this time. There is an [issue where support is being discussed](https://gitlab.com/gitlab-org/gitlab/-/issues/7420). -#### Step 1. Configure the **primary** server +#### Step 1. Configure the **primary** site -1. SSH into your GitLab **primary** server and login as root: +1. SSH into your GitLab **primary** site and login as root: ```shell sudo -i @@ -81,13 +81,13 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o gitlab_rails['geo_node_name'] = '<site_name_here>' ``` -1. Reconfigure the **primary** node for the change to take effect: +1. Reconfigure the **primary** site for the change to take effect: ```shell gitlab-ctl reconfigure ``` -1. Execute the command below to define the node as **primary** node: +1. Execute the command below to define the site as **primary** site: ```shell gitlab-ctl set-geo-primary-node @@ -154,17 +154,17 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o 1. Configure PostgreSQL to listen on network interfaces: For security reasons, PostgreSQL does not listen on any network interfaces - by default. However, Geo requires the **secondary** node to be able to - connect to the **primary** node's database. For this reason, we need the address of - each node. + by default. However, Geo requires the **secondary** site to be able to + connect to the **primary** site's database. For this reason, we need the IP address of + each site. NOTE: For external PostgreSQL instances, see [additional instructions](external_database.md). If you are using a cloud provider, you can lookup the addresses for each - Geo node through your cloud provider's management console. + Geo site through your cloud provider's management console. - To lookup the address of a Geo node, SSH in to the Geo node and execute: + To lookup the address of a Geo site, SSH in to the Geo site and execute: ```shell ## @@ -183,11 +183,11 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o | Configuration | Address | |:----------------------------------------|:----------------------------------------------------------------------| - | `postgresql['listen_address']` | **Primary** node's public or VPC private address. | - | `postgresql['md5_auth_cidr_addresses']` | **Primary** and **Secondary** nodes' public or VPC private addresses. | + | `postgresql['listen_address']` | **Primary** site's public or VPC private address. | + | `postgresql['md5_auth_cidr_addresses']` | **Primary** and **Secondary** sites' public or VPC private addresses. | If you are using Google Cloud Platform, SoftLayer, or any other vendor that - provides a virtual private cloud (VPC) you can use the **primary** and **secondary** nodes + provides a virtual private cloud (VPC) you can use the **primary** and **secondary** sites private addresses (corresponds to "internal address" for Google Cloud Platform) for `postgresql['md5_auth_cidr_addresses']` and `postgresql['listen_address']`. @@ -201,10 +201,10 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o `127.0.0.1`. For more information, see [omnibus-5258](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5258). Depending on your network configuration, the suggested addresses may not - be correct. If your **primary** node and **secondary** nodes connect over a local + be correct. If your **primary** site and **secondary** sites connect over a local area network, or a virtual network connecting availability zones like [Amazon's VPC](https://aws.amazon.com/vpc/) or [Google's VPC](https://cloud.google.com/vpc/) - you should use the **secondary** node's private address for `postgresql['md5_auth_cidr_addresses']`. + you should use the **secondary** site's private address for `postgresql['md5_auth_cidr_addresses']`. Edit `/etc/gitlab/gitlab.rb` and add the following, replacing the IP addresses with addresses appropriate to your network configuration: @@ -225,13 +225,13 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o ## Primary address ## - replace '<primary_node_ip>' with the public or VPC address of your Geo primary node ## - postgresql['listen_address'] = '<primary_node_ip>' + postgresql['listen_address'] = '<primary_site_ip>' ## # Allow PostgreSQL client authentication from the primary and secondary IPs. These IPs may be # public or VPC addresses in CIDR format, for example ['198.51.100.1/32', '198.51.100.2/32'] ## - postgresql['md5_auth_cidr_addresses'] = ['<primary_node_ip>/32', '<secondary_node_ip>/32'] + postgresql['md5_auth_cidr_addresses'] = ['<primary_site_ip>/32', '<secondary_site_ip>/32'] ## ## Replication settings @@ -247,10 +247,10 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o gitlab_rails['auto_migrate'] = false ``` -1. Optional: If you want to add another **secondary** node, the relevant setting would look like: +1. Optional: If you want to add another **secondary** site, the relevant setting would look like: ```ruby - postgresql['md5_auth_cidr_addresses'] = ['<primary_node_ip>/32', '<secondary_node_ip>/32', '<another_secondary_node_ip>/32'] + postgresql['md5_auth_cidr_addresses'] = ['<primary_site_ip>/32', '<secondary_site_ip>/32', '<another_secondary_site_ip>/32'] ``` You may also want to edit the `wal_keep_segments` and `max_wal_senders` to match your @@ -287,20 +287,20 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o 1. Now that the PostgreSQL server is set up to accept remote connections, run `netstat -plnt | grep 5432` to make sure that PostgreSQL is listening on port - `5432` to the **primary** server's private address. + `5432` to the **primary** site's private address. 1. A certificate was automatically generated when GitLab was reconfigured. This is used automatically to protect your PostgreSQL traffic from eavesdroppers, but to protect against active ("man-in-the-middle") attackers, - the **secondary** node needs a copy of the certificate. Make a copy of the PostgreSQL - `server.crt` file on the **primary** node by running this command: + the **secondary** site needs a copy of the certificate. Make a copy of the PostgreSQL + `server.crt` file on the **primary** site by running this command: ```shell cat ~gitlab-psql/data/server.crt ``` Copy the output into a clipboard or into a local file. You - need it when setting up the **secondary** node! The certificate is not sensitive + need it when setting up the **secondary** site! The certificate is not sensitive data. However, this certificate is created with a generic `PostgreSQL` Common Name. For this, @@ -323,7 +323,7 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o #### Step 2. Configure the **secondary** server -1. SSH into your GitLab **secondary** server and login as root: +1. SSH into your GitLab **secondary** site and login as root: ```shell sudo -i @@ -337,28 +337,28 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o ``` NOTE: - This step is important so we don't try to execute anything before the node is fully configured. + This step is important so we don't try to execute anything before the site is fully configured. -1. [Check TCP connectivity](../../raketasks/maintenance.md) to the **primary** node's PostgreSQL server: +1. [Check TCP connectivity](../../raketasks/maintenance.md) to the **primary** site's PostgreSQL server: ```shell - gitlab-rake gitlab:tcp_check[<primary_node_ip>,5432] + gitlab-rake gitlab:tcp_check[<primary_site_ip>,5432] ``` NOTE: If this step fails, you may be using the wrong IP address, or a firewall may - be preventing access to the server. Check the IP address, paying close + be preventing access to the site. Check the IP address, paying close attention to the difference between public and private addresses and ensure - that, if a firewall is present, the **secondary** node is permitted to connect to the - **primary** node on port 5432. + that, if a firewall is present, the **secondary** site is permitted to connect to the + **primary** site on port 5432. -1. Create a file `server.crt` in the **secondary** server, with the content you got on the last step of the **primary** node's setup: +1. Create a file `server.crt` in the **secondary** site, with the content you got on the last step of the **primary** site's setup: ```shell editor server.crt ``` -1. Set up PostgreSQL TLS verification on the **secondary** node: +1. Set up PostgreSQL TLS verification on the **secondary** site: Install the `server.crt` file: @@ -373,9 +373,9 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o PostgreSQL now only recognizes that exact certificate when verifying TLS connections. The certificate can only be replicated by someone with access - to the private key, which is **only** present on the **primary** node. + to the private key, which is **only** present on the **primary** site. -1. Test that the `gitlab-psql` user can connect to the **primary** node's database +1. Test that the `gitlab-psql` user can connect to the **primary** site's database (the default Omnibus database name is `gitlabhq_production`): ```shell @@ -385,7 +385,7 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o -U gitlab_replicator \ -d "dbname=gitlabhq_production sslmode=verify-ca" \ -W \ - -h <primary_node_ip> + -h <primary_site_ip> ``` NOTE: @@ -396,11 +396,11 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o When prompted enter the _plaintext_ password you set in the first step for the `gitlab_replicator` user. If all worked correctly, you should see - the list of **primary** node's databases. + the list of **primary** site's databases. A failure to connect here indicates that the TLS configuration is incorrect. - Ensure that the contents of `~gitlab-psql/data/server.crt` on the **primary** node - match the contents of `~gitlab-psql/.postgresql/root.crt` on the **secondary** node. + Ensure that the contents of `~gitlab-psql/data/server.crt` on the **primary** site + match the contents of `~gitlab-psql/.postgresql/root.crt` on the **secondary** site. 1. Configure PostgreSQL: @@ -419,14 +419,14 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o ## ## Secondary address - ## - replace '<secondary_node_ip>' with the public or VPC address of your Geo secondary node + ## - replace '<secondary_site_ip>' with the public or VPC address of your Geo secondary site ## - postgresql['listen_address'] = '<secondary_node_ip>' - postgresql['md5_auth_cidr_addresses'] = ['<secondary_node_ip>/32'] + postgresql['listen_address'] = '<secondary_site_ip>' + postgresql['md5_auth_cidr_addresses'] = ['<secondary_site_ip>/32'] ## - ## Database credentials password (defined previously in primary node) - ## - replicate same values here as defined in primary node + ## Database credentials password (defined previously in primary site) + ## - replicate same values here as defined in primary site ## postgresql['sql_replication_password'] = '<md5_hash_of_your_password>' postgresql['sql_user_password'] = '<md5_hash_of_your_password>' @@ -434,7 +434,7 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o ``` For external PostgreSQL instances, see [additional instructions](external_database.md). - If you bring a former **primary** node back online to serve as a **secondary** node, then you also must remove `roles(['geo_primary_role'])` or `geo_primary_role['enable'] = true`. + If you bring a former **primary** site back online to serve as a **secondary** site, then you also must remove `roles(['geo_primary_role'])` or `geo_primary_role['enable'] = true`. 1. Reconfigure GitLab for the changes to take effect: @@ -450,24 +450,24 @@ There is an [issue where support is being discussed](https://gitlab.com/gitlab-o #### Step 3. Initiate the replication process -Below we provide a script that connects the database on the **secondary** node to -the database on the **primary** node, replicates the database, and creates the +Below we provide a script that connects the database on the **secondary** site to +the database on the **primary** site, replicates the database, and creates the needed files for streaming replication. The directories used are the defaults that are set up in Omnibus. If you have changed any defaults, configure it as you see fit replacing the directories and paths. WARNING: -Make sure to run this on the **secondary** server as it removes all PostgreSQL's +Make sure to run this on the **secondary** site as it removes all PostgreSQL's data before running `pg_basebackup`. -1. SSH into your GitLab **secondary** server and login as root: +1. SSH into your GitLab **secondary** site and login as root: ```shell sudo -i ``` -1. Choose a database-friendly name to use for your **secondary** node to +1. Choose a database-friendly name to use for your **secondary** site to use as the replication slot name. For example, if your domain is `secondary.geo.example.com`, you may use `secondary_example` as the slot name as shown in the commands below. @@ -475,13 +475,13 @@ data before running `pg_basebackup`. 1. Execute the command below to start a backup/restore and begin the replication WARNING: - Each Geo **secondary** node must have its own unique replication slot name. + Each Geo **secondary** site must have its own unique replication slot name. Using the same slot name between two secondaries breaks PostgreSQL replication. ```shell gitlab-ctl replicate-geo-database \ - --slot-name=<secondary_node_name> \ - --host=<primary_node_ip> \ + --slot-name=<secondary_site_name> \ + --host=<primary_site_ip> \ --sslmode=verify-ca ``` @@ -515,7 +515,7 @@ data before running `pg_basebackup`. - Change the `--slot-name` to the name of the replication slot to be used on the **primary** database. The script attempts to create the replication slot automatically if it does not exist. - - If you're repurposing an old server into a Geo **secondary** node, you must + - If you're repurposing an old site into a Geo **secondary** site, you must add `--force` to the command line. - When not in a production machine you can disable backup step if you really sure this is what you want by adding `--skip-backup` @@ -539,7 +539,7 @@ see [High Availability with Omnibus GitLab](../../postgresql/replication_and_fai To change the password for the [replication user](https://wiki.postgresql.org/wiki/Streaming_Replication) when using Omnibus-managed PostgreSQL instances: -On the GitLab Geo **primary** server: +On the GitLab Geo **primary** site: 1. The default value for the replication user is `gitlab_replicator`, but if you've set a custom replication user in your `/etc/gitlab/gitlab.rb` under the `postgresql['sql_replication_user']` setting, make sure to @@ -573,19 +573,18 @@ On the GitLab Geo **primary** server: sudo gitlab-ctl restart postgresql ``` -Until the password is updated on any **secondary** servers, the [PostgreSQL log](../../logs/index.md#postgresql-logs) on +Until the password is updated on any **secondary** sites, the [PostgreSQL log](../../logs/index.md#postgresql-logs) on the secondaries will report the following error message: ```console FATAL: could not connect to the primary server: FATAL: password authentication failed for user "gitlab_replicator" ``` -On all GitLab Geo **secondary** servers: +On all GitLab Geo **secondary** sites: 1. The first step isn't necessary from a configuration perspective, because the hashed `'sql_replication_password'` - is not used on the GitLab Geo **secondary**. However in the event that **secondary** needs to be promoted - to the GitLab Geo **primary**, make sure to match the `'sql_replication_password'` in the secondary - server configuration. + is not used on the GitLab Geo **secondary** sites. However in the event that **secondary** site needs to be promoted + to the GitLab Geo **primary**, make sure to match the `'sql_replication_password'` in the **secondary** site configuration. Edit `/etc/gitlab/gitlab.rb`: @@ -615,6 +614,28 @@ In GitLab 14.0, Patroni replaced `repmgr` as the supported NOTE: If you still haven't [migrated from repmgr to Patroni](#migrating-from-repmgr-to-patroni) you're highly advised to do so. +### Migrating from repmgr to Patroni + +1. Before migrating, we recommend that there is no replication lag between the **primary** and **secondary** sites and that replication is paused. In GitLab 13.2 and later, you can pause and resume replication with `gitlab-ctl geo-replication-pause` and `gitlab-ctl geo-replication-resume` on a Geo secondary database node. +1. Follow the [instructions to migrate repmgr to Patroni](../../postgresql/replication_and_failover.md#switching-from-repmgr-to-patroni). When configuring Patroni on each **primary** site database node, add `patroni['replication_slots'] = { '<slot_name>' => 'physical' }` +to `gitlab.rb` where `<slot_name>` is the name of the replication slot for your **secondary** site. This ensures that Patroni recognizes the replication slot as permanent and not drop it upon restarting. +1. If database replication to the **secondary** site was paused before migration, resume replication once Patroni is confirmed working on the **primary** site. + +### Migrating a single PostgreSQL node to Patroni + +Before the introduction of Patroni, Geo had no Omnibus support for HA setups on the **secondary** site. + +With Patroni it's now possible to support that. To migrate the existing PostgreSQL to Patroni: + +1. Make sure you have a Consul cluster setup on the secondary (similar to how you set it up on the **primary** site). +1. [Configure a permanent replication slot](#step-1-configure-patroni-permanent-replication-slot-on-the-primary-site). +1. [Configure the internal load balancer](#step-2-configure-the-internal-load-balancer-on-the-primary-site). +1. [Configure a PgBouncer node](#step-3-configure-pgbouncer-nodes-on-the-secondary-site) +1. [Configure a Standby Cluster](#step-4-configure-a-standby-cluster-on-the-secondary-site) + on that single node machine. + +You end up with a “Standby Cluster” with a single node. That allows you to later on add additional Patroni nodes by following the same instructions above. + ### Patroni support Patroni is the official replication management solution for Geo. It @@ -647,11 +668,11 @@ and other database best practices. ##### Step 1. Configure Patroni permanent replication slot on the primary site -To set up database replication with Patroni on a secondary node, we must -configure a _permanent replication slot_ on the primary node's Patroni cluster, +To set up database replication with Patroni on a secondary site, we must +configure a _permanent replication slot_ on the primary site's Patroni cluster, and ensure password authentication is used. -For each Patroni instance on the primary site **starting on the Patroni +On each node running a Patroni instance on the primary site **starting on the Patroni Leader instance**: 1. SSH into your Patroni instance and login as root: @@ -754,7 +775,7 @@ backend postgresql Refer to your preferred Load Balancer's documentation for further guidance. -##### Step 3. Configure a PgBouncer node on the secondary site +##### Step 3. Configure PgBouncer nodes on the secondary site A production-ready and highly available configuration requires at least three Consul nodes, a minimum of one PgBouncer node, but it's recommended to have @@ -763,7 +784,7 @@ more than one PgBouncer service nodes. The internal load balancer provides a sin endpoint for connecting to the PgBouncer cluster. For more information, see [High Availability with Omnibus GitLab](../../postgresql/replication_and_failover.md). -Follow the minimal configuration for the PgBouncer node: +On each node running a PgBouncer instance on the **secondary** site: 1. SSH into your PgBouncer node and login as root: @@ -819,11 +840,10 @@ Follow the minimal configuration for the PgBouncer node: ##### Step 4. Configure a Standby cluster on the secondary site NOTE: -If you are converting a secondary site to a Patroni Cluster, you must start -on the PostgreSQL instance. It becomes the Patroni Standby Leader instance, -and then you can switchover to another replica if you need. +If you are converting a secondary site with a single PostgreSQL instance to a Patroni Cluster, you must start on the PostgreSQL instance. It becomes the Patroni Standby Leader instance, +and then you can switch over to another replica if you need. -For each Patroni instance on the secondary site: +For each node running a Patroni instance on the secondary site: 1. SSH into your Patroni node and login as root: @@ -893,39 +913,29 @@ For each Patroni instance on the secondary site: gitlab-ctl start patroni ``` -### Migrating from repmgr to Patroni - -1. Before migrating, we recommend that there is no replication lag between the primary and secondary sites and that replication is paused. In GitLab 13.2 and later, you can pause and resume replication with `gitlab-ctl geo-replication-pause` and `gitlab-ctl geo-replication-resume` on a Geo secondary database node. -1. Follow the [instructions to migrate repmgr to Patroni](../../postgresql/replication_and_failover.md#switching-from-repmgr-to-patroni). When configuring Patroni on each primary site database node, add `patroni['replication_slots'] = { '<slot_name>' => 'physical' }` -to `gitlab.rb` where `<slot_name>` is the name of the replication slot for your Geo secondary. This ensures that Patroni recognizes the replication slot as permanent and not drop it upon restarting. -1. If database replication to the secondary was paused before migration, resume replication once Patroni is confirmed working on the primary. - -### Migrating a single PostgreSQL node to Patroni - -Before the introduction of Patroni, Geo had no Omnibus support for HA setups on the secondary node. +### Migrating a single tracking database node to Patroni -With Patroni it's now possible to support that. To migrate the existing PostgreSQL to Patroni: +Before the introduction of Patroni, Geo had no Omnibus support for HA setups on +the secondary site. -1. Make sure you have a Consul cluster setup on the secondary (similar to how you set it up on the primary). -1. [Configure a permanent replication slot](#step-1-configure-patroni-permanent-replication-slot-on-the-primary-site). -1. [Configure the internal load balancer](#step-2-configure-the-internal-load-balancer-on-the-primary-site). -1. [Configure a PgBouncer node](#step-3-configure-a-pgbouncer-node-on-the-secondary-site) -1. [Configure a Standby Cluster](#step-4-configure-a-standby-cluster-on-the-secondary-site) - on that single node machine. +With Patroni, it's now possible to support that. Due to some restrictions on the +Patroni implementation on Omnibus that do not allow us to manage two different +clusters on the same machine, we recommend setting up a new Patroni cluster for +the tracking database by following the same instructions above. -You end up with a "Standby Cluster" with a single node. That allows you to later on add additional Patroni nodes -by following the same instructions above. +The secondary nodes backfill the new tracking database, and no data +synchronization is required. ### Configuring Patroni cluster for the tracking PostgreSQL database -Secondary sites use a separate PostgreSQL installation as a tracking database to +**Secondary** sites use a separate PostgreSQL installation as a tracking database to keep track of replication status and automatically recover from potential replication issues. Omnibus automatically configures a tracking database when `roles(['geo_secondary_role'])` is set. If you want to run this database in a highly available configuration, don't use the `geo_secondary_role` above. Instead, follow the instructions below. -A production-ready and secure setup requires at least three Consul nodes, two +A production-ready and secure setup for the tracking PostgreSQL DB requires at least three Consul nodes, two Patroni nodes and one PgBouncer node on the secondary site. Because of [omnibus-6587](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/6587), Consul can't track multiple @@ -934,9 +944,9 @@ services, so these must be different than the nodes used for the Standby Cluster Be sure to use [password credentials](../../postgresql/replication_and_failover.md#database-authorization-for-patroni) and other database best practices. -#### Step 1. Configure a PgBouncer node on the secondary site +#### Step 1. Configure PgBouncer nodes on the secondary site -Follow the minimal configuration for the PgBouncer node for the tracking database: +On each node running the PgBouncer service for the PostgreSQL tracking database: 1. SSH into your PgBouncer node and login as root: @@ -998,7 +1008,7 @@ Follow the minimal configuration for the PgBouncer node for the tracking databas #### Step 2. Configure a Patroni cluster -For each Patroni instance on the secondary site for the tracking database: +On each node running a Patroni instance on the secondary site for the PostgreSQL tracking database: 1. SSH into your Patroni node and login as root: @@ -1062,7 +1072,7 @@ For each Patroni instance on the secondary site for the tracking database: gitlab-ctl reconfigure ``` -#### Step 3. Configure the tracking database on the secondary nodes +#### Step 3. Configure the tracking database on the secondary sites For each node running the `gitlab-rails`, `sidekiq`, and `geo-logcursor` services: @@ -1099,19 +1109,6 @@ For each node running the `gitlab-rails`, `sidekiq`, and `geo-logcursor` service gitlab-rake db:migrate:geo ``` -### Migrating a single tracking database node to Patroni - -Before the introduction of Patroni, Geo had no Omnibus support for HA setups on -the secondary node. - -With Patroni, it's now possible to support that. Due to some restrictions on the -Patroni implementation on Omnibus that do not allow us to manage two different -clusters on the same machine, we recommend setting up a new Patroni cluster for -the tracking database by following the same instructions above. - -The secondary nodes backfill the new tracking database, and no data -synchronization is required. - ## Troubleshooting Read the [troubleshooting document](../replication/troubleshooting.md). diff --git a/doc/api/users.md b/doc/api/users.md index 7f6851fe6df..c30bac3c542 100644 --- a/doc/api/users.md +++ b/doc/api/users.md @@ -427,7 +427,8 @@ GET /users/:id?with_custom_attributes=true ## User creation **(FREE SELF)** -> The `namespace_id` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82045) in GitLab 14.10. +> - The `namespace_id` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82045) in GitLab 14.10. +> - Ability to create an auditor user was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/366404) in GitLab 15.3. Creates a new user. Note only administrators can create new users. Either `password`, `reset_password`, or `force_random_password` @@ -452,7 +453,8 @@ Parameters: | Attribute | Required | Description | | :----------------------------------- | :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `admin` | No | User is an administrator - true or false (default) | +| `admin` | No | User is an administrator. Valid values are `true` or `false`. Defaults to false. +| `auditor` **(PREMIUM)** | No | User is an auditor. Valid values are `true` or `false`. Defaults to false. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/366404) in GitLab 15.3. | | `avatar` | No | Image file for user's avatar | | `bio` | No | User's biography | | `can_create_group` | No | User can create groups - true or false | @@ -484,7 +486,8 @@ Parameters: ## User modification **(FREE SELF)** -> The `namespace_id` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82045) in GitLab 14.10. +> - The `namespace_id` field in the response was [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82045) in GitLab 14.10. +> - Ability to modify an auditor user was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/366404) in GitLab 15.3. Modifies an existing user. Only administrators can change attributes of a user. @@ -496,7 +499,8 @@ Parameters: | Attribute | Required | Description | | :----------------------------------- | :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------ | -| `admin` | No | User is an administrator - true or false (default) | +| `admin` | No |User is an administrator. Valid values are `true` or `false`. Defaults to false. +| `auditor` **(PREMIUM)** | No | User is an auditor. Valid values are `true` or `false`. Defaults to false. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/366404) in GitLab 15.3.(default) | | `avatar` | No | Image file for user's avatar | | `bio` | No | User's biography | | `can_create_group` | No | User can create groups - true or false | diff --git a/doc/development/backend/ruby_style_guide.md b/doc/development/backend/ruby_style_guide.md index c86f21d4bac..a9fee02a15a 100644 --- a/doc/development/backend/ruby_style_guide.md +++ b/doc/development/backend/ruby_style_guide.md @@ -16,6 +16,8 @@ document the new rule. For every new guideline, add it in a new section and link [version history note](../documentation/versions.md#add-a-version-history-item) to provide context and serve as a reference. +See also [guidelines for reusing abstractions](../reusing_abstractions.md). + Everything listed here can be [reopened for discussion](https://about.gitlab.com/handbook/values/#disagree-commit-and-disagree). ## Instance variable access using `attr_reader` diff --git a/doc/development/new_fe_guide/modules/widget_extensions.md b/doc/development/new_fe_guide/modules/widget_extensions.md index 3b663fac47a..a2ff10cc57f 100644 --- a/doc/development/new_fe_guide/modules/widget_extensions.md +++ b/doc/development/new_fe_guide/modules/widget_extensions.md @@ -311,16 +311,16 @@ To generate these known events for a single widget: 1. Generate known events on the command line with the following command. Replace `test_reports` with your appropriate name slug: - ```shell - bundle exec rails generate gitlab:usage_metric_definition \ - counts.i_code_review_merge_request_widget_test_reports_count_view \ - counts.i_code_review_merge_request_widget_test_reports_count_full_report_clicked \ - counts.i_code_review_merge_request_widget_test_reports_count_expand \ - counts.i_code_review_merge_request_widget_test_reports_count_expand_success \ - counts.i_code_review_merge_request_widget_test_reports_count_expand_warning \ - counts.i_code_review_merge_request_widget_test_reports_count_expand_failed \ - --dir=all - ``` + ```shell + bundle exec rails generate gitlab:usage_metric_definition \ + counts.i_code_review_merge_request_widget_test_reports_count_view \ + counts.i_code_review_merge_request_widget_test_reports_count_full_report_clicked \ + counts.i_code_review_merge_request_widget_test_reports_count_expand \ + counts.i_code_review_merge_request_widget_test_reports_count_expand_success \ + counts.i_code_review_merge_request_widget_test_reports_count_expand_warning \ + counts.i_code_review_merge_request_widget_test_reports_count_expand_failed \ + --dir=all + ``` 1. Modify each newly generated file to match the existing files for the merge request widget extension telemetry. - Find existing examples by doing a glob search, like: `metrics/**/*_i_code_review_merge_request_widget_*` @@ -333,9 +333,10 @@ To generate these known events for a single widget: 1. `introduced_by_url` = `'[your MR]'` 1. `options.events` = (the event in the command from above that generated this file, like `i_code_review_merge_request_widget_test_reports_count_view`) - This value is how the telemetry events are linked to "metrics" so this is probably one of the more important values. - 1. `data_source` = `redis` - 1. `data_category` = `optional` -1. Repeat steps 5 and 6 for the HLL metrics. Replace `test_reports` with your appropriate name slug. + 1. `data_source` = `redis` + 1. `data_category` = `optional` +1. Generate known HLL events on the command line with the following command. + Replace `test_reports` with your appropriate name slug. ```shell bundle exec rails generate gitlab:usage_metric_definition:redis_hll code_review \ @@ -348,7 +349,7 @@ To generate these known events for a single widget: --class_name=RedisHLLMetric ``` - - In step 6 for HLL, change the `data_source` to `redis_hll`. +1. Repeat step 6, but change the `data_source` to `redis_hll`. 1. Add each of the HLL metrics to `lib/gitlab/usage_data_counters/known_events/code_review_events.yml`: 1. `name` = (the event) 1. `redis_slot` = `code_review` @@ -397,14 +398,14 @@ Every placeholder contains starting and ending tags. For example, `success` uses `Hello %{success_start}world%{success_end}`. The extension then adds the start and end tags with the correct styling classes. -| Placeholder | Style | -|---|---| -| success | `gl-font-weight-bold gl-text-green-500` | -| danger | `gl-font-weight-bold gl-text-red-500` | -| critical | `gl-font-weight-bold gl-text-red-800` | -| same | `gl-font-weight-bold gl-text-gray-700` | -| strong | `gl-font-weight-bold` | -| small | `gl-font-sm` | +| Placeholder | Style | +|-------------|-----------------------------------------| +| success | `gl-font-weight-bold gl-text-green-500` | +| danger | `gl-font-weight-bold gl-text-red-500` | +| critical | `gl-font-weight-bold gl-text-red-800` | +| same | `gl-font-weight-bold gl-text-gray-700` | +| strong | `gl-font-weight-bold` | +| small | `gl-font-sm` | ## Action buttons diff --git a/doc/development/reusing_abstractions.md b/doc/development/reusing_abstractions.md index fa2a9fc6e1b..ef4e8b0310f 100644 --- a/doc/development/reusing_abstractions.md +++ b/doc/development/reusing_abstractions.md @@ -147,6 +147,27 @@ Legacy classes inherited from `BaseService` for historical reasons. In Service classes the use of `execute` and `#execute` is preferred over `call` and `#call`. +Model properties should be passed to the constructor in a `params` hash, and will be assigned directly. + +To pass extra parameters (which need to be processed, and are not model properties), +include an `options` hash in the constructor and store it in an instance variable: + +```ruby +# container: Project, or Group +# current_user: Current user +# params: Model properties from the controller, already allowlisted with strong parameters +# options: Configuration for this service, can be any of the following: +# notify: Whether to send a notifcation to the current user +# cc: Email address to copy when sending a notification +def initialize(container:, current_user: nil, params: {}, options: {}) + super(container, current_user, params) + @options = options +end +``` + +View the [initial discussion](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/90008#note_988744060) +and [further discussion](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/90853#note_1053425083). + Classes that are not service objects should be [created elsewhere](directory_structure.md#use-namespaces-to-define-bounded-contexts), such as in `lib`. #### ServiceResponse diff --git a/doc/integration/advanced_search/elasticsearch.md b/doc/integration/advanced_search/elasticsearch.md index bfe3f7d9a10..ac126c4b2f5 100644 --- a/doc/integration/advanced_search/elasticsearch.md +++ b/doc/integration/advanced_search/elasticsearch.md @@ -163,6 +163,12 @@ If you see an error such as `Permission denied - /home/git/gitlab-elasticsearch- may need to set the `production -> elasticsearch -> indexer_path` setting in your `gitlab.yml` file to `/usr/local/bin/gitlab-elasticsearch-indexer`, which is where the binary is installed. +### View indexing errors + +Errors from the [GitLab Elasticsearch Indexer](https://gitlab.com/gitlab-org/gitlab-elasticsearch-indexer) are reported in +the [`sidekiq.log`](../../administration/logs/index.md#sidekiqlog) file with a `json.exception.class` of `Gitlab::Elastic::Indexer::Error`. +These errors may occur when indexing Git repository data. + ## Enable Advanced Search For GitLab instances with more than 50GB repository data you can follow the instructions for [how to index large instances efficiently](#how-to-index-large-instances-efficiently) below. @@ -576,8 +582,8 @@ due to large volumes of data being indexed. WARNING: Indexing a large instance generates a lot of Sidekiq jobs. -Make sure to prepare for this task by having a -[Scalable and Highly Available Setup](../../administration/reference_architectures/index.md) or creating +Make sure to prepare for this task by having a +[scalable setup](../../administration/reference_architectures/index.md) or creating [extra Sidekiq processes](../../administration/operations/extra_sidekiq_processes.md). 1. [Configure your Elasticsearch host and port](#enable-advanced-search). diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md index 0d095c89d89..7bb3cb4f64c 100644 --- a/doc/user/application_security/container_scanning/index.md +++ b/doc/user/application_security/container_scanning/index.md @@ -7,7 +7,12 @@ info: To determine the technical writer assigned to the Stage/Group associated w # Container Scanning **(FREE)** -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/3672) in GitLab 10.4. +> - Improved support for FIPS [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/263482) in GitLab 13.6 by upgrading `CS_MAJOR_VERSION` from `2` to `3`. +> - Integration with Trivy [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322656) in GitLab 13.9 by upgrading `CS_MAJOR_VERSION` from `3` to `4`. +> - Integration with Clair [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/321451) in GitLab 13.9. +> - Default container scanning with Trivy [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61850) in GitLab 14.0. +> - Integration with Grype as an alternative scanner [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326279) in GitLab 14.0. +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86092) the major analyzer version from `4` to `5` in GitLab 15.0. > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86783) from GitLab Ultimate to GitLab Free in 15.0. Your application's Docker image may itself be based on Docker images that contain known @@ -798,27 +803,5 @@ For information on this, see the [general Application Security troubleshooting s ## Changes -- GitLab 13.6 [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/263482) better support for - [FIPS](https://csrc.nist.gov/publications/detail/fips/140/2/final) by upgrading the - `CS_MAJOR_VERSION` from `2` to `3`. Version `3` of the `container_scanning` Docker image uses - [`centos:centos8`](https://hub.docker.com/_/centos) - as the new base. It also removes the use of the [start.sh](https://gitlab.com/gitlab-org/security-products/analyzers/klar/-/merge_requests/77) - script and instead executes the analyzer by default. Any customizations made to the - `container_scanning` job's [`before_script`](../../../ci/yaml/index.md#before_script) - and [`after_script`](../../../ci/yaml/index.md#after_script) - blocks may not work with the new version. To roll back to the previous [`alpine:3.11.3`](https://hub.docker.com/_/alpine)-based - Docker image, you can specify the major version through the [`CS_MAJOR_VERSION`](#available-cicd-variables) - variable. -- GitLab 13.9 [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/322656) integration with - [Trivy](https://github.com/aquasecurity/trivy) by upgrading `CS_MAJOR_VERSION` from `3` to `4`. -- GitLab 13.9 [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/321451) the integration with - [Clair](https://github.com/quay/clair/). -- GitLab 14.0 [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/61850) - an integration with [Trivy](https://github.com/aquasecurity/trivy) - as the default for container scanning, and also [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/326279) - an integration with [Grype](https://github.com/anchore/grype) - as an alternative scanner. -- GitLab 15.0 changed the major analyzer version from `4` to `5`. - -Other changes to the container scanning analyzer can be found in the project's +Changes to the container scanning analyzer can be found in the project's [changelog](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/blob/master/CHANGELOG.md). diff --git a/doc/user/infrastructure/clusters/manage/management_project_applications/certmanager.md b/doc/user/infrastructure/clusters/manage/management_project_applications/certmanager.md index c3f54d2a724..51fd626ce0f 100644 --- a/doc/user/infrastructure/clusters/manage/management_project_applications/certmanager.md +++ b/doc/user/infrastructure/clusters/manage/management_project_applications/certmanager.md @@ -18,6 +18,17 @@ uncomment this line from your `helmfile.yaml`: - path: applications/cert-manager/helmfile.yaml ``` +And update the `applications/cert-manager/helmfile.yaml` with a valid email address. + +```yaml + values: + - letsEncryptClusterIssuer: + # + # IMPORTANT: This value MUST be set to a valid email. + # + email: example@example.com +``` + NOTE: If your Kubernetes version is earlier than 1.20 and you are [migrating from GitLab Managed Apps to a cluster management project](../../../../clusters/migrating_from_gma_to_project_template.md), diff --git a/doc/user/project/merge_requests/approvals/settings.md b/doc/user/project/merge_requests/approvals/settings.md index f677b47598b..3ca8ddb508a 100644 --- a/doc/user/project/merge_requests/approvals/settings.md +++ b/doc/user/project/merge_requests/approvals/settings.md @@ -137,9 +137,15 @@ However, approvals are reset if the target branch is changed. If you only want to remove approvals by Code Owners whose files have been changed: +Prerequisite: + +- You must have at least the Maintainer role for a project. + +To do this: + 1. On the top bar, select **Menu > Projects** and find your project. 1. On the left sidebar, select **Settings > General**. -1. Expand **Merge request (MR) approvals**. +1. Expand **Merge request approvals**. 1. Select **Remove approvals by Code Owners if their files changed**. 1. Select **Save changes**. diff --git a/lib/bulk_imports/pipeline.rb b/lib/bulk_imports/pipeline.rb index dc2ebdddd14..68b86c68619 100644 --- a/lib/bulk_imports/pipeline.rb +++ b/lib/bulk_imports/pipeline.rb @@ -12,7 +12,7 @@ module BulkImports FailedError = Class.new(StandardError) CACHE_KEY_EXPIRATION = 2.hours - NDJSON_EXPORT_TIMEOUT = 30.minutes + NDJSON_EXPORT_TIMEOUT = 90.minutes def initialize(context) @context = context diff --git a/lib/gitlab/import_export/project/import_export.yml b/lib/gitlab/import_export/project/import_export.yml index b912eccf5fe..b6c3da8e564 100644 --- a/lib/gitlab/import_export/project/import_export.yml +++ b/lib/gitlab/import_export/project/import_export.yml @@ -286,6 +286,7 @@ included_attributes: - :container_registry_access_level - :package_registry_access_level - :environments_access_level + - :feature_flags_access_level prometheus_metrics: - :created_at - :updated_at @@ -691,6 +692,7 @@ included_attributes: - :container_registry_access_level - :package_registry_access_level - :environments_access_level + - :feature_flags_access_level - :allow_merge_on_skipped_pipeline - :auto_devops_deploy_strategy - :auto_devops_enabled diff --git a/lib/gitlab/object_hierarchy.rb b/lib/gitlab/object_hierarchy.rb index 9a850246221..0576aed811c 100644 --- a/lib/gitlab/object_hierarchy.rb +++ b/lib/gitlab/object_hierarchy.rb @@ -65,7 +65,8 @@ module Gitlab # Note: By default the order is breadth-first # rubocop: disable CodeReuse/ActiveRecord def base_and_ancestors(upto: nil, hierarchy_order: nil) - cte = base_and_ancestors_cte(upto, hierarchy_order) + upto_id = upto.try(:id) || upto + cte = base_and_ancestors_cte(upto_id, hierarchy_order) recursive_query = if hierarchy_order # othewise depth won't be available for outer query diff --git a/lib/tasks/gitlab/tw/codeowners.rake b/lib/tasks/gitlab/tw/codeowners.rake index 73d01fb5dfe..3bea8a62933 100644 --- a/lib/tasks/gitlab/tw/codeowners.rake +++ b/lib/tasks/gitlab/tw/codeowners.rake @@ -51,7 +51,7 @@ namespace :tw do CodeOwnerRule.new('Infrastructure', '@sselhorn'), CodeOwnerRule.new('Integrations', '@kpaizee'), CodeOwnerRule.new('Knowledge', '@aqualls'), - CodeOwnerRule.new('Memory', '@sselhorn'), + CodeOwnerRule.new('Application Performance', '@sselhorn'), CodeOwnerRule.new('Monitor', '@msedlakjakubowski'), CodeOwnerRule.new('Observability', 'msedlakjakubowski'), CodeOwnerRule.new('Optimize', '@fneill'), diff --git a/locale/gitlab.pot b/locale/gitlab.pot index cf163371623..87668a413b0 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -18667,7 +18667,7 @@ msgstr "" msgid "GroupSettings|Auto DevOps pipeline was updated for the group" msgstr "" -msgid "GroupSettings|Automatically ban users who download more than the specified number of projects within the specified interval." +msgid "GroupSettings|Automatically ban users who download more than a specified number of repositories in a given time." msgstr "" msgid "GroupSettings|Available only on the top-level group. Applies to all subgroups. Groups already shared with a group outside %{group} are still shared unless removed manually." @@ -18715,6 +18715,9 @@ msgstr "" msgid "GroupSettings|Export group" msgstr "" +msgid "GroupSettings|Git abuse rate limit" +msgstr "" + msgid "GroupSettings|Group members are not notified if the group is mentioned." msgstr "" @@ -18727,15 +18730,9 @@ msgstr "" msgid "GroupSettings|If the parent group's visibility is lower than the group's current visibility, visibility levels for subgroups and projects will be changed to match the new parent group's visibility." msgstr "" -msgid "GroupSettings|Interval (seconds)" -msgstr "" - msgid "GroupSettings|Members cannot invite groups outside of %{group} and its subgroups" msgstr "" -msgid "GroupSettings|Number of projects" -msgstr "" - msgid "GroupSettings|Organizations and contacts can be created and associated with issues." msgstr "" @@ -18754,9 +18751,6 @@ msgstr "" msgid "GroupSettings|Prevent forking setting was not saved" msgstr "" -msgid "GroupSettings|Project download rate limit" -msgstr "" - msgid "GroupSettings|Projects in %{group} cannot be shared with other groups" msgstr "" @@ -18781,15 +18775,9 @@ msgstr "" msgid "GroupSettings|Set the initial name and protections for the default branch of new repositories created in the group." msgstr "" -msgid "GroupSettings|Set to 0 to disable limiting." -msgstr "" - msgid "GroupSettings|The Auto DevOps pipeline runs if no alternative CI configuration file is found." msgstr "" -msgid "GroupSettings|The maximum number of unique projects a user can download within the specified interval before they're banned. Set to 0 to disable limiting." -msgstr "" - msgid "GroupSettings|The projects in this subgroup can be selected as templates for new projects created in the group. %{link_start}Learn more.%{link_end}" msgstr "" @@ -47326,13 +47314,13 @@ msgstr "" msgid "the correct format." msgstr "" -msgid "the following epic(s)" +msgid "the following epics" msgstr "" -msgid "the following incident(s) or issue(s)" +msgid "the following incidents or issues" msgstr "" -msgid "the following issue(s)" +msgid "the following issues" msgstr "" msgid "the wiki" diff --git a/package.json b/package.json index 32900036149..2eb3a52b0dd 100644 --- a/package.json +++ b/package.json @@ -51,7 +51,7 @@ "@babel/preset-env": "^7.18.2", "@gitlab/at.js": "1.5.7", "@gitlab/favicon-overlay": "2.0.0", - "@gitlab/svgs": "2.32.0", + "@gitlab/svgs": "2.33.0", "@gitlab/ui": "42.25.0", "@gitlab/visual-review-tools": "1.7.3", "@rails/actioncable": "6.1.4-7", diff --git a/rubocop/cop/gitlab/feature_available_usage.rb b/rubocop/cop/gitlab/feature_available_usage.rb index fafe6c35b5f..a153d3f7b2f 100644 --- a/rubocop/cop/gitlab/feature_available_usage.rb +++ b/rubocop/cop/gitlab/feature_available_usage.rb @@ -24,6 +24,7 @@ module RuboCop security_and_compliance container_registry environments + feature_flags ].freeze EE_FEATURES = %i[requirements].freeze ALL_FEATURES = (FEATURES + EE_FEATURES).freeze diff --git a/spec/controllers/projects_controller_spec.rb b/spec/controllers/projects_controller_spec.rb index 34477a7bb68..388d7c2266b 100644 --- a/spec/controllers/projects_controller_spec.rb +++ b/spec/controllers/projects_controller_spec.rb @@ -878,30 +878,81 @@ RSpec.describe ProjectsController do end context 'with project feature attributes' do - using RSpec::Parameterized::TableSyntax + let(:initial_value) { ProjectFeature::PRIVATE } + let(:update_to) { ProjectFeature::ENABLED } - where(:feature, :initial_value, :update_to) do - :metrics_dashboard_access_level | ProjectFeature::PRIVATE | ProjectFeature::ENABLED - :container_registry_access_level | ProjectFeature::ENABLED | ProjectFeature::PRIVATE + before do + project.project_feature.update!(feature_access_level => initial_value) end - with_them do - it "updates the project_feature new" do - params = { - namespace_id: project.namespace, - id: project.path, - project: { - project_feature_attributes: { - "#{feature}": update_to - } + def update_project_feature + put :update, params: { + namespace_id: project.namespace, + id: project.path, + project: { + project_feature_attributes: { + feature_access_level.to_s => update_to } } + } + end - expect { put :update, params: params }.to change { - project.reload.project_feature.public_send(feature) + shared_examples 'feature update success' do + it 'updates access level successfully' do + expect { update_project_feature }.to change { + project.reload.project_feature.public_send(feature_access_level) }.from(initial_value).to(update_to) end end + + shared_examples 'feature update failure' do + it 'cannot update access level' do + expect { update_project_feature }.not_to change { + project.reload.project_feature.public_send(feature_access_level) + } + end + end + + where(:feature_access_level) do + %i[ + metrics_dashboard_access_level + container_registry_access_level + environments_access_level + feature_flags_access_level + ] + end + + with_them do + it_behaves_like 'feature update success' + end + + context 'for feature_access_level operations_access_level' do + let(:feature_access_level) { :operations_access_level } + + include_examples 'feature update failure' + end + + context 'with feature flag split_operations_visibility_permissions disabled' do + before do + stub_feature_flags(split_operations_visibility_permissions: false) + end + + context 'for feature_access_level operations_access_level' do + let(:feature_access_level) { :operations_access_level } + + include_examples 'feature update success' + end + + where(:feature_access_level) do + %i[ + environments_access_level feature_flags_access_level + ] + end + + with_them do + it_behaves_like 'feature update failure' + end + end end end diff --git a/spec/factories/projects.rb b/spec/factories/projects.rb index 107fa28a639..98dfecb2888 100644 --- a/spec/factories/projects.rb +++ b/spec/factories/projects.rb @@ -38,6 +38,7 @@ FactoryBot.define do container_registry_access_level { ProjectFeature::ENABLED } security_and_compliance_access_level { ProjectFeature::PRIVATE } environments_access_level { ProjectFeature::ENABLED } + feature_flags_access_level { ProjectFeature::ENABLED } # we can't assign the delegated `#ci_cd_settings` attributes directly, as the # `#ci_cd_settings` relation needs to be created first diff --git a/spec/frontend/boards/components/board_new_item_spec.js b/spec/frontend/boards/components/board_new_item_spec.js index 86cebc8a719..dc6581e9360 100644 --- a/spec/frontend/boards/components/board_new_item_spec.js +++ b/spec/frontend/boards/components/board_new_item_spec.js @@ -93,7 +93,7 @@ describe('BoardNewItem', () => { titleInput().setValue('Foo'); await glForm().trigger('submit'); - expect(wrapper.emitted('form-submit')).toBeTruthy(); + expect(wrapper.emitted('form-submit')).toHaveLength(1); expect(wrapper.emitted('form-submit')[0]).toEqual([ { title: 'Foo', @@ -131,7 +131,7 @@ describe('BoardNewItem', () => { await glForm().trigger('reset'); expect(titleInput().element.value).toBe(''); - expect(wrapper.emitted('form-cancel')).toBeTruthy(); + expect(wrapper.emitted('form-cancel')).toHaveLength(1); }); }); }); diff --git a/spec/frontend/clusters/agents/components/activity_history_item_spec.js b/spec/frontend/clusters/agents/components/activity_history_item_spec.js index 100a280d0cc..68f6f11aa8f 100644 --- a/spec/frontend/clusters/agents/components/activity_history_item_spec.js +++ b/spec/frontend/clusters/agents/components/activity_history_item_spec.js @@ -23,7 +23,7 @@ describe('ActivityHistoryItem', () => { }; const findHistoryItem = () => wrapper.findComponent(HistoryItem); - const findTimeAgo = () => wrapper.find(TimeAgoTooltip); + const findTimeAgo = () => wrapper.findComponent(TimeAgoTooltip); afterEach(() => { wrapper.destroy(); diff --git a/spec/frontend/clusters/agents/components/create_token_modal_spec.js b/spec/frontend/clusters/agents/components/create_token_modal_spec.js index ad48afe10b6..0d10801e80e 100644 --- a/spec/frontend/clusters/agents/components/create_token_modal_spec.js +++ b/spec/frontend/clusters/agents/components/create_token_modal_spec.js @@ -55,7 +55,7 @@ describe('CreateTokenModal', () => { const findAgentInstructions = () => findModal().findComponent(AgentToken); const findButtonByVariant = (variant) => findModal() - .findAll(GlButton) + .findAllComponents(GlButton) .wrappers.find((button) => button.props('variant') === variant); const findActionButton = () => findButtonByVariant('confirm'); const findCancelButton = () => wrapper.findByTestId('agent-token-close-button'); diff --git a/spec/frontend/clusters/agents/components/token_table_spec.js b/spec/frontend/clusters/agents/components/token_table_spec.js index 6caeaf5c192..334615f1818 100644 --- a/spec/frontend/clusters/agents/components/token_table_spec.js +++ b/spec/frontend/clusters/agents/components/token_table_spec.js @@ -136,8 +136,8 @@ describe('ClusterAgentTokenTable', () => { const token = tokens.at(lineNumber); expect(token.text()).toContain(description); - expect(token.find(GlTruncate).exists()).toBe(truncatesText); - expect(token.find(GlTooltip).exists()).toBe(hasTooltip); + expect(token.findComponent(GlTruncate).exists()).toBe(truncatesText); + expect(token.findComponent(GlTooltip).exists()).toBe(hasTooltip); }, ); diff --git a/spec/frontend/clusters/components/new_cluster_spec.js b/spec/frontend/clusters/components/new_cluster_spec.js index f9df70b9f87..ef39c90aaef 100644 --- a/spec/frontend/clusters/components/new_cluster_spec.js +++ b/spec/frontend/clusters/components/new_cluster_spec.js @@ -12,9 +12,9 @@ describe('NewCluster', () => { await nextTick(); }; - const findDescription = () => wrapper.find(GlSprintf); + const findDescription = () => wrapper.findComponent(GlSprintf); - const findLink = () => wrapper.find(GlLink); + const findLink = () => wrapper.findComponent(GlLink); beforeEach(() => { return createWrapper(); diff --git a/spec/frontend/clusters/forms/components/integration_form_spec.js b/spec/frontend/clusters/forms/components/integration_form_spec.js index 67d442bfdc5..b17886a5826 100644 --- a/spec/frontend/clusters/forms/components/integration_form_spec.js +++ b/spec/frontend/clusters/forms/components/integration_form_spec.js @@ -32,8 +32,8 @@ describe('ClusterIntegrationForm', () => { wrapper = null; }; - const findSubmitButton = () => wrapper.find(GlButton); - const findGlToggle = () => wrapper.find(GlToggle); + const findSubmitButton = () => wrapper.findComponent(GlButton); + const findGlToggle = () => wrapper.findComponent(GlToggle); afterEach(() => { destroyWrapper(); diff --git a/spec/frontend/diffs/store/utils_spec.js b/spec/frontend/diffs/store/utils_spec.js index 8852c6c62c5..3f870a98396 100644 --- a/spec/frontend/diffs/store/utils_spec.js +++ b/spec/frontend/diffs/store/utils_spec.js @@ -424,8 +424,8 @@ describe('DiffsStoreUtils', () => { expect(firstChar).not.toBe('+'); expect(firstChar).not.toBe('-'); - expect(preparedDiff.diff_files[0].renderIt).toBeTruthy(); - expect(preparedDiff.diff_files[0].collapsed).toBeFalsy(); + expect(preparedDiff.diff_files[0].renderIt).toBe(true); + expect(preparedDiff.diff_files[0].collapsed).toBe(false); }); it('guarantees an empty array for both diff styles', () => { @@ -506,8 +506,8 @@ describe('DiffsStoreUtils', () => { }); it('sets the renderIt and collapsed attribute on files', () => { - expect(preparedDiffFiles[0].renderIt).toBeTruthy(); - expect(preparedDiffFiles[0].collapsed).toBeFalsy(); + expect(preparedDiffFiles[0].renderIt).toBe(true); + expect(preparedDiffFiles[0].collapsed).toBeUndefined(); }); it('guarantees an empty array of lines for both diff styles', () => { diff --git a/spec/frontend/dropzone_input_spec.js b/spec/frontend/dropzone_input_spec.js index a633de9ef56..0fe70bac6b7 100644 --- a/spec/frontend/dropzone_input_spec.js +++ b/spec/frontend/dropzone_input_spec.js @@ -29,7 +29,9 @@ describe('dropzone_input', () => { it('returns valid dropzone when successfully initialize', () => { const dropzone = dropzoneInput($(TEMPLATE)); - expect(dropzone.version).toBeTruthy(); + expect(dropzone).toMatchObject({ + version: expect.any(String), + }); }); describe('handlePaste', () => { diff --git a/spec/frontend/error_tracking_settings/components/project_dropdown_spec.js b/spec/frontend/error_tracking_settings/components/project_dropdown_spec.js index 1ba5a505f57..b44af547658 100644 --- a/spec/frontend/error_tracking_settings/components/project_dropdown_spec.js +++ b/spec/frontend/error_tracking_settings/components/project_dropdown_spec.js @@ -41,23 +41,23 @@ describe('error tracking settings project dropdown', () => { describe('empty project list', () => { it('renders the dropdown', () => { - expect(wrapper.find('#project-dropdown').exists()).toBeTruthy(); - expect(wrapper.find(GlDropdown).exists()).toBeTruthy(); + expect(wrapper.find('#project-dropdown').exists()).toBe(true); + expect(wrapper.find(GlDropdown).exists()).toBe(true); }); it('shows helper text', () => { - expect(wrapper.find('.js-project-dropdown-label').exists()).toBeTruthy(); + expect(wrapper.find('.js-project-dropdown-label').exists()).toBe(true); expect(wrapper.find('.js-project-dropdown-label').text()).toContain( 'To enable project selection', ); }); it('does not show an error', () => { - expect(wrapper.find('.js-project-dropdown-error').exists()).toBeFalsy(); + expect(wrapper.find('.js-project-dropdown-error').exists()).toBe(false); }); it('does not contain any dropdown items', () => { - expect(wrapper.find(GlDropdownItem).exists()).toBeFalsy(); + expect(wrapper.find(GlDropdownItem).exists()).toBe(false); expect(wrapper.find(GlDropdown).props('text')).toBe('No projects available'); }); }); @@ -70,12 +70,12 @@ describe('error tracking settings project dropdown', () => { }); it('renders the dropdown', () => { - expect(wrapper.find('#project-dropdown').exists()).toBeTruthy(); - expect(wrapper.find(GlDropdown).exists()).toBeTruthy(); + expect(wrapper.find('#project-dropdown').exists()).toBe(true); + expect(wrapper.find(GlDropdown).exists()).toBe(true); }); it('contains a number of dropdown items', () => { - expect(wrapper.find(GlDropdownItem).exists()).toBeTruthy(); + expect(wrapper.find(GlDropdownItem).exists()).toBe(true); expect(wrapper.findAll(GlDropdownItem).length).toBe(2); }); }); @@ -89,8 +89,8 @@ describe('error tracking settings project dropdown', () => { }); it('does not show helper text', () => { - expect(wrapper.find('.js-project-dropdown-label').exists()).toBeFalsy(); - expect(wrapper.find('.js-project-dropdown-error').exists()).toBeFalsy(); + expect(wrapper.find('.js-project-dropdown-label').exists()).toBe(false); + expect(wrapper.find('.js-project-dropdown-error').exists()).toBe(false); }); }); @@ -105,8 +105,8 @@ describe('error tracking settings project dropdown', () => { }); it('displays a error', () => { - expect(wrapper.find('.js-project-dropdown-label').exists()).toBeFalsy(); - expect(wrapper.find('.js-project-dropdown-error').exists()).toBeTruthy(); + expect(wrapper.find('.js-project-dropdown-label').exists()).toBe(false); + expect(wrapper.find('.js-project-dropdown-error').exists()).toBe(true); }); }); }); diff --git a/spec/frontend/ide/stores/actions/tree_spec.js b/spec/frontend/ide/stores/actions/tree_spec.js index d43393875eb..6e8a03b47ad 100644 --- a/spec/frontend/ide/stores/actions/tree_spec.js +++ b/spec/frontend/ide/stores/actions/tree_spec.js @@ -134,7 +134,7 @@ describe('Multi-file store tree actions', () => { it('toggles the tree open', async () => { await store.dispatch('toggleTreeOpen', tree.path); - expect(tree.opened).toBeTruthy(); + expect(tree.opened).toBe(true); }); }); diff --git a/spec/frontend/ide/stores/mutations/merge_request_spec.js b/spec/frontend/ide/stores/mutations/merge_request_spec.js index afbe6770c0d..2af06835181 100644 --- a/spec/frontend/ide/stores/mutations/merge_request_spec.js +++ b/spec/frontend/ide/stores/mutations/merge_request_spec.js @@ -30,7 +30,7 @@ describe('IDE store merge request mutations', () => { const newMr = localState.projects.abcproject.mergeRequests[1]; expect(newMr.title).toBe('mr'); - expect(newMr.active).toBeTruthy(); + expect(newMr.active).toBe(true); }); it('keeps original data', () => { diff --git a/spec/frontend/issuable/related_issues/components/add_issuable_form_spec.js b/spec/frontend/issuable/related_issues/components/add_issuable_form_spec.js index ce98a16dbb7..16d4459f597 100644 --- a/spec/frontend/issuable/related_issues/components/add_issuable_form_spec.js +++ b/spec/frontend/issuable/related_issues/components/add_issuable_form_spec.js @@ -157,8 +157,8 @@ describe('AddIssuableForm', () => { describe('categorized issuables', () => { it.each` issuableType | pathIdSeparator | contextHeader | contextFooter - ${issuableTypesMap.ISSUE} | ${PathIdSeparator.Issue} | ${'The current issue'} | ${'the following issue(s)'} - ${issuableTypesMap.EPIC} | ${PathIdSeparator.Epic} | ${'The current epic'} | ${'the following epic(s)'} + ${issuableTypesMap.ISSUE} | ${PathIdSeparator.Issue} | ${'The current issue'} | ${'the following issues'} + ${issuableTypesMap.EPIC} | ${PathIdSeparator.Epic} | ${'The current epic'} | ${'the following epics'} `( 'show header text as "$contextHeader" and footer text as "$contextFooter" issuableType is set to $issuableType', ({ issuableType, contextHeader, contextFooter }) => { diff --git a/spec/frontend/sidebar/assignees_spec.js b/spec/frontend/sidebar/assignees_spec.js index a4474ead956..c2aff456abb 100644 --- a/spec/frontend/sidebar/assignees_spec.js +++ b/spec/frontend/sidebar/assignees_spec.js @@ -70,7 +70,7 @@ describe('Assignee component', () => { wrapper.find('[data-testid="assign-yourself"]').trigger('click'); await nextTick(); - expect(wrapper.emitted('assign-self')).toBeTruthy(); + expect(wrapper.emitted('assign-self')).toHaveLength(1); }); }); diff --git a/spec/frontend/vue_shared/components/markdown/header_spec.js b/spec/frontend/vue_shared/components/markdown/header_spec.js index ffc0f873377..9831908f806 100644 --- a/spec/frontend/vue_shared/components/markdown/header_spec.js +++ b/spec/frontend/vue_shared/components/markdown/header_spec.js @@ -125,8 +125,8 @@ describe('Markdown field header component', () => { ), ]); - expect(wrapper.emitted('preview-markdown')).toBeFalsy(); - expect(wrapper.emitted('write-markdown')).toBeFalsy(); + expect(wrapper.emitted('preview-markdown')).toBeUndefined(); + expect(wrapper.emitted('write-markdown')).toBeUndefined(); }); it('blurs preview link after click', () => { diff --git a/spec/frontend/vue_shared/components/metric_images/metric_images_tab_spec.js b/spec/frontend/vue_shared/components/metric_images/metric_images_tab_spec.js index 2cefa77b72d..1789610dba9 100644 --- a/spec/frontend/vue_shared/components/metric_images/metric_images_tab_spec.js +++ b/spec/frontend/vue_shared/components/metric_images/metric_images_tab_spec.js @@ -114,7 +114,7 @@ describe('Metric images tab', () => { await waitForPromises(); - expect(findModal().attributes('visible')).toBeFalsy(); + expect(findModal().attributes('visible')).toBeUndefined(); }); it('should add files and url when selected', async () => { diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb index 200e93f8dff..214086a3823 100644 --- a/spec/helpers/projects_helper_spec.rb +++ b/spec/helpers/projects_helper_spec.rb @@ -967,7 +967,8 @@ RSpec.describe ProjectsHelper do showDefaultAwardEmojis: project.show_default_award_emojis?, securityAndComplianceAccessLevel: project.security_and_compliance_access_level, containerRegistryAccessLevel: project.project_feature.container_registry_access_level, - environmentsAccessLevel: project.project_feature.environments_access_level + environmentsAccessLevel: project.project_feature.environments_access_level, + featureFlagsAccessLevel: project.project_feature.feature_flags_access_level ) end diff --git a/spec/lib/gitlab/import_export/safe_model_attributes.yml b/spec/lib/gitlab/import_export/safe_model_attributes.yml index 1078d4587f7..72e13943bf5 100644 --- a/spec/lib/gitlab/import_export/safe_model_attributes.yml +++ b/spec/lib/gitlab/import_export/safe_model_attributes.yml @@ -584,6 +584,7 @@ ProjectFeature: - container_registry_access_level - package_registry_access_level - environments_access_level +- feature_flags_access_level - created_at - updated_at ProtectedBranch::MergeAccessLevel: diff --git a/spec/models/concerns/project_features_compatibility_spec.rb b/spec/models/concerns/project_features_compatibility_spec.rb index 6730b7a02f3..48c391451ed 100644 --- a/spec/models/concerns/project_features_compatibility_spec.rb +++ b/spec/models/concerns/project_features_compatibility_spec.rb @@ -5,7 +5,9 @@ require 'spec_helper' RSpec.describe ProjectFeaturesCompatibility do let(:project) { create(:project) } let(:features_enabled) { %w(issues wiki builds merge_requests snippets security_and_compliance) } - let(:features) { features_enabled + %w(repository pages operations container_registry package_registry environments) } + let(:features) do + features_enabled + %w(repository pages operations container_registry package_registry environments feature_flags) + end # We had issues_enabled, snippets_enabled, builds_enabled, merge_requests_enabled and issues_enabled fields on projects table # All those fields got moved to a new table called project_feature and are now integers instead of booleans diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index 2920278679f..05651f7d85a 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb @@ -833,6 +833,7 @@ RSpec.describe Project, factory_default: :keep do it { is_expected.to delegate_method(:container_registry_enabled?).to(:project_feature) } it { is_expected.to delegate_method(:container_registry_access_level).to(:project_feature) } it { is_expected.to delegate_method(:environments_access_level).to(:project_feature) } + it { is_expected.to delegate_method(:feature_flags_access_level).to(:project_feature) } describe 'read project settings' do %i( diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb index 01a0a96be30..c3817f67158 100644 --- a/spec/policies/project_policy_spec.rb +++ b/spec/policies/project_policy_spec.rb @@ -2100,6 +2100,77 @@ RSpec.describe ProjectPolicy do end end + describe 'feature flags feature' do + using RSpec::Parameterized::TableSyntax + + let(:guest_permissions) { [] } + + let(:developer_permissions) do + guest_permissions + [ + :read_feature_flag, :create_feature_flag, :update_feature_flag, :destroy_feature_flag, :admin_feature_flag, + :admin_feature_flags_user_lists + ] + end + + let(:maintainer_permissions) do + developer_permissions + [:admin_feature_flags_client] + end + + where(:project_visibility, :access_level, :role, :allowed) do + :public | ProjectFeature::ENABLED | :maintainer | true + :public | ProjectFeature::ENABLED | :developer | true + :public | ProjectFeature::ENABLED | :guest | true + :public | ProjectFeature::ENABLED | :anonymous | true + :public | ProjectFeature::PRIVATE | :maintainer | true + :public | ProjectFeature::PRIVATE | :developer | true + :public | ProjectFeature::PRIVATE | :guest | true + :public | ProjectFeature::PRIVATE | :anonymous | false + :public | ProjectFeature::DISABLED | :maintainer | false + :public | ProjectFeature::DISABLED | :developer | false + :public | ProjectFeature::DISABLED | :guest | false + :public | ProjectFeature::DISABLED | :anonymous | false + :internal | ProjectFeature::ENABLED | :maintainer | true + :internal | ProjectFeature::ENABLED | :developer | true + :internal | ProjectFeature::ENABLED | :guest | true + :internal | ProjectFeature::ENABLED | :anonymous | false + :internal | ProjectFeature::PRIVATE | :maintainer | true + :internal | ProjectFeature::PRIVATE | :developer | true + :internal | ProjectFeature::PRIVATE | :guest | true + :internal | ProjectFeature::PRIVATE | :anonymous | false + :internal | ProjectFeature::DISABLED | :maintainer | false + :internal | ProjectFeature::DISABLED | :developer | false + :internal | ProjectFeature::DISABLED | :guest | false + :internal | ProjectFeature::DISABLED | :anonymous | false + :private | ProjectFeature::ENABLED | :maintainer | true + :private | ProjectFeature::ENABLED | :developer | true + :private | ProjectFeature::ENABLED | :guest | false + :private | ProjectFeature::ENABLED | :anonymous | false + :private | ProjectFeature::PRIVATE | :maintainer | true + :private | ProjectFeature::PRIVATE | :developer | true + :private | ProjectFeature::PRIVATE | :guest | false + :private | ProjectFeature::PRIVATE | :anonymous | false + :private | ProjectFeature::DISABLED | :maintainer | false + :private | ProjectFeature::DISABLED | :developer | false + :private | ProjectFeature::DISABLED | :guest | false + :private | ProjectFeature::DISABLED | :anonymous | false + end + + with_them do + let(:current_user) { user_subject(role) } + let(:project) { project_subject(project_visibility) } + + it 'allows/disallows the abilities based on the feature flags access level' do + project.project_feature.update!(feature_flags_access_level: access_level) + + if allowed + expect_allowed(*permissions_abilities(role)) + else + expect_disallowed(*permissions_abilities(role)) + end + end + end + end + describe 'access_security_and_compliance' do context 'when the "Security & Compliance" is enabled' do before do @@ -2566,4 +2637,15 @@ RSpec.describe ProjectPolicy do anonymous end end + + def permissions_abilities(role) + case role + when :maintainer + maintainer_permissions + when :developer + developer_permissions + else + guest_permissions + end + end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 1b3ff4bf2b9..8acf3bcf9c0 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -53,10 +53,8 @@ end require 'rainbow/ext/string' Rainbow.enabled = false -# Require JH first because we need override some EE methods with JH methods, -# if we load EE first, we can't find JH modules in prepend_mod method -require_relative('../jh/spec/spec_helper') if Gitlab.jh? require_relative('../ee/spec/spec_helper') if Gitlab.ee? +require_relative('../jh/spec/spec_helper') if Gitlab.jh? # Requires supporting ruby files with custom matchers and macros, etc, # in spec/support/ and its subdirectories. diff --git a/yarn.lock b/yarn.lock index f657a0fbb41..3b72a9338a5 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1051,10 +1051,10 @@ stylelint-declaration-strict-value "1.8.0" stylelint-scss "4.2.0" -"@gitlab/svgs@2.32.0": - version "2.32.0" - resolved "https://registry.yarnpkg.com/@gitlab/svgs/-/svgs-2.32.0.tgz#eb66dc76cc6242d97d16e05acb0dbad4f56555a0" - integrity sha512-ElblTUE26pddJS6EzHHtMHPkZ7JPB7vt3C2RoY9W3JPPSrcsOudeeLN5oW7Pz3MoXR3G0U/Wg+Bhe4M1STD+tA== +"@gitlab/svgs@2.33.0": + version "2.33.0" + resolved "https://registry.yarnpkg.com/@gitlab/svgs/-/svgs-2.33.0.tgz#e970ae10ee558e1e2b01116b2fe6ea25161a4609" + integrity sha512-8B5pGmZ6QnywxmWCmqMTkJfPlETbx4R7AK7si8Jf2DyWZ7Agfg9NOdgBq++IuiVjbxBO7VTQcZbVSavxrce6QA== "@gitlab/ui@42.25.0": version "42.25.0" |