author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-18 06:13:25 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-11-18 06:13:25 +0300 |
commit | ee34c4523b1d028a206d4a27d45c02bbce572c2e (patch) | |
tree | 3c9edcea87d1d6a6d7ed79a37b9dc2852a8cf96b | |
parent | da4f753e76a4fd162d35c0c79d1241583e88b685 (diff) |
Add latest changes from gitlab-org/gitlab@master
-rw-r--r-- | app/models/ci/pipeline.rb | 12 | ||||
-rw-r--r-- | config/feature_flags/development/ci_current_partition_value_101.yml | 8 | ||||
-rw-r--r-- | doc/user/application_security/policies/scan-result-policies.md | 2 | ||||
-rw-r--r-- | lib/gitlab/ci/pipeline/chain/assign_partition.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb | 11 | ||||
-rw-r--r-- | locale/gitlab.pot | 36 | ||||
-rw-r--r-- | spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb | 33 | ||||
-rw-r--r-- | spec/models/ci/pipeline_spec.rb | 16 |
8 files changed, 93 insertions, 27 deletions
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb index b9823bd4a07..0a910d6b125 100644 --- a/app/models/ci/pipeline.rb +++ b/app/models/ci/pipeline.rb @@ -42,7 +42,7 @@ module Ci sha_attribute :source_sha sha_attribute :target_sha - partitionable scope: ->(_) { Ci::Pipeline.current_partition_value } + partitionable scope: ->(pipeline) { Ci::Pipeline.current_partition_value(pipeline.project) } # Ci::CreatePipelineService returns Ci::Pipeline so this is the only place # where we can pass additional information from the service. This accessor # is used for storing the processed metadata for linting purposes. @@ -588,8 +588,14 @@ module Ci @auto_devops_pipelines_completed_total ||= Gitlab::Metrics.counter(:auto_devops_pipelines_completed_total, 'Number of completed auto devops pipelines') end - def self.current_partition_value - INITIAL_PARTITION_VALUE + def self.current_partition_value(project = nil) + Gitlab::SafeRequestStore.fetch(:ci_current_partition_value) do + if Feature.enabled?(:ci_current_partition_value_101, project) + NEXT_PARTITION_VALUE + else + INITIAL_PARTITION_VALUE + end + end end def self.object_hierarchy(relation, options = {}) diff --git a/config/feature_flags/development/ci_current_partition_value_101.yml b/config/feature_flags/development/ci_current_partition_value_101.yml new file mode 100644 index 00000000000..23a4914d759 --- /dev/null +++ b/config/feature_flags/development/ci_current_partition_value_101.yml @@ -0,0 +1,8 @@ +--- +name: ci_current_partition_value_101 +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/136425 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/431461 +milestone: '16.7' +type: development +group: group::pipeline execution +default_enabled: false diff --git a/doc/user/application_security/policies/scan-result-policies.md b/doc/user/application_security/policies/scan-result-policies.md index 0e9a6ea1d72..d73cb73f0ac 100644 
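Review bot: The `Gitlab::SafeRequestStore.fetch(:ci_current_partition_value)` key in the new `self.current_partition_value(project = nil)` does not include the project, so the first call in a request appears to fix the result for every later call, whichever project is passed. Because `ci_current_partition_value_101` is evaluated per project, a request that touches pipelines from two projects with different flag states would get the first project's partition value for both. The `partitionable scope` lambda in the `-42,7` hunk goes through the same cache. If request-wide pinning is intended, say so above the method, for example `# Memoized per request: the first caller's project decides the partition value for the whole request.`; otherwise the cache key needs to vary with the project.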
--- a/doc/user/application_security/policies/scan-result-policies.md +++ b/doc/user/application_security/policies/scan-result-policies.md @@ -199,7 +199,7 @@ The settings set in the policy overwrite settings in the project. | `prevent_approval_by_commit_author` | `boolean` | false | `true`, `false` | `Any merge request` | When enabled, users who have contributed code to the MR are ineligible for approval. This ensures code committers cannot introduce vulnerabilities and approve code to merge. | | `remove_approvals_with_new_commit` | `boolean` | false | `true`, `false` | `Any merge request` | When enabled, if an MR receives all necessary approvals to merge, but then a new commit is added, new approvals are required. This ensures new commits that may include vulnerabilities cannot be introduced. | | `require_password_to_approve` | `boolean` | false | `true`, `false` | `Any merge request` | When enabled, there will be password confirmation on approvals. Password confirmation adds an extra layer of security. | -| `prevent_pushing_and_force_pushing` | `boolean` | false | `true`, `false` | All | When enabled, prevents users from pushing and force pushing to a protected branch. This ensures users do not bypass the merge request process to add vulnerable code to a branch. | +| `prevent_pushing_and_force_pushing` | `boolean` | false | `true`, `false` | All | When enabled, prevents users from pushing and force pushing to a protected branch if that branch is included in the security policy. This ensures users do not bypass the merge request process to add vulnerable code to a branch. | ## Example security scan result policies project diff --git a/lib/gitlab/ci/pipeline/chain/assign_partition.rb b/lib/gitlab/ci/pipeline/chain/assign_partition.rb index 4b8efe13d44..0740226ac9b 100644 --- a/lib/gitlab/ci/pipeline/chain/assign_partition.rb +++ b/lib/gitlab/ci/pipeline/chain/assign_partition.rb 
@@ -21,7 +21,7 @@ module Gitlab if @command.creates_child_pipeline? @command.parent_pipeline_partition_id else - ::Ci::Pipeline.current_partition_value + ::Ci::Pipeline.current_partition_value(project) end end end diff --git a/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb b/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb index 69a69091b5c..de6319582cb 100644 --- a/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb +++ b/lib/gitlab/database/partitioning/ci_sliding_list_strategy.rb @@ -12,6 +12,13 @@ module Gitlab partition_for(active_partition.value + 1) end + def missing_partitions + partitions = [] + partitions << initial_partition if no_partitions_exist? + partitions << next_partition if next_partition_if.call(active_partition) + partitions + end + def validate_and_fix; end def after_adding_partitions; end @@ -20,6 +27,10 @@ module Gitlab [] end + def active_partition + super || initial_partition + end + private def ensure_partitioning_column_ignored_or_readonly!; end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 3b8701619a7..751c7977f92 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -42263,9 +42263,6 @@ msgstr "" msgid "ScanResultPolicy|Fix available is only applicable to container and dependency scanning" msgstr "" -msgid "ScanResultPolicy|If an MR receives all necessary approvals to merge, but then a new commit is added, new approvals are required. This ensures new commits that may include vulnerabilities cannot be introduced." -msgstr "" - msgid "ScanResultPolicy|If selected, the following choices will overwrite %{linkStart}project settings%{linkEnd} but only affect the branches selected in the policy." msgstr "" 
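Review bot: `missing_partitions` calls `next_partition_if.call(active_partition)` with no guard for a nil predicate. The spec in this commit changes its `next_partition_if` and `detach_partition_if` defaults from `nil` to lambdas, which suggests a nil value now raises `NoMethodError`. If nil is still a legal argument to the strategy (the constructor is outside the hunk), a guard such as `partitions << next_partition if next_partition_if&.call(active_partition)` keeps the old tolerance. The new public `active_partition` also returns `initial_partition` when `super` is nil, so the predicate can receive a partition that does not exist in the database yet. A one-line comment on `active_partition` stating that fallback would help callers who assume it reflects an existing partition.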
@@ -42317,15 +42314,9 @@ msgstr "" msgid "ScanResultPolicy|Override project approval settings" msgstr "" -msgid "ScanResultPolicy|Password confirmation on approvals provides an additional level of security. Enabling this enforces the setting on all projects targeted by this policy." -msgstr "" - msgid "ScanResultPolicy|Pre-existing" msgstr "" -msgid "ScanResultPolicy|Prevent a user from removing a branch from the protected branches list or from deleting a protected branch." -msgstr "" - msgid "ScanResultPolicy|Prevent approval by commit author" msgstr "" @@ -42338,9 +42329,6 @@ msgstr "" msgid "ScanResultPolicy|Prevent pushing and force pushing" msgstr "" -msgid "ScanResultPolicy|Prevent pushing and force pushing to a protected branch." -msgstr "" - msgid "ScanResultPolicy|Protected branch settings" msgstr "" @@ -42371,15 +42359,9 @@ msgstr "" msgid "ScanResultPolicy|Status is:" msgstr "" -msgid "ScanResultPolicy|The merge request author cannot approve their own merge request." -msgstr "" - msgid "ScanResultPolicy|Unknown" msgstr "" -msgid "ScanResultPolicy|Users who have contributed code to the MR are ineligible for approval, ensuring code committers cannot introduce vulnerabilities and approve code to merge." -msgstr "" - msgid "ScanResultPolicy|When %{scanType} %{scanners} runs against the %{branches} %{branchExceptions} and find(s) %{vulnerabilitiesNumber} %{boldDescription} of the following criteria:" msgstr "" 
@@ -42392,6 +42374,24 @@ msgstr "" msgid "ScanResultPolicy|When %{scanners} find scanner specified conditions in an open merge request targeting the %{branches} %{branchExceptions} and match %{boldDescription} of the following criteria" msgstr "" +msgid "ScanResultPolicy|When enabled, if an MR receives all necessary approvals to merge, but then a new commit is added, new approvals are required." +msgstr "" + +msgid "ScanResultPolicy|When enabled, merge request authors cannot approve their own MRs." +msgstr "" + +msgid "ScanResultPolicy|When enabled, prevents a user from removing a branch from the protected branches list, deleting a protected branch, or changing the default branch if that branch is included in the security policy." +msgstr "" + +msgid "ScanResultPolicy|When enabled, prevents pushing and force pushing to a protected branch if that branch is included in the security policy." +msgstr "" + +msgid "ScanResultPolicy|When enabled, there will be password confirmation on approvals." +msgstr "" + +msgid "ScanResultPolicy|When enabled, users who have contributed code to the MR are ineligible for approval." +msgstr "" + msgid "ScanResultPolicy|You have selected any protected branch option as a condition. To better protect your project, it is recommended to enable the protect branch settings. %{linkStart}Learn more.%{linkEnd}" msgstr "" diff --git a/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb b/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb index 79c2c9e32d2..337749446ed 100644 --- a/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb +++ b/spec/lib/gitlab/database/partitioning/ci_sliding_list_strategy_spec.rb 
@@ -6,8 +6,8 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca let(:connection) { ActiveRecord::Base.connection } let(:table_name) { :_test_gitlab_ci_partitioned_test } let(:model) { class_double(ApplicationRecord, table_name: table_name, connection: connection) } - let(:next_partition_if) { nil } - let(:detach_partition_if) { nil } + let(:next_partition_if) { ->(_) { false } } + let(:detach_partition_if) { ->(_) { false } } subject(:strategy) do described_class.new(model, :partition, @@ -62,6 +62,16 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca it 'is the partition with the largest value' do expect(strategy.active_partition.value).to eq(101) end + + context 'when there are no partitions' do + before do + drop_partitions + end + + it 'is the initial partition' do + expect(strategy.active_partition.value).to eq(100) + end + end end describe '#missing_partitions' do @@ -74,6 +84,17 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca expect(extra.length).to eq(1) expect(extra.first.value).to eq(102) end + + context 'when there are no partitions for the table' do + it 'returns partitions for value 100 and 101' do + drop_partitions + + missing_partitions = strategy.missing_partitions + + expect(missing_partitions.size).to eq(2) + expect(missing_partitions.map(&:value)).to match_array([100, 101]) + end + end end context 'when next_partition_if returns false' do @@ -85,8 +106,8 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca end context 'when there are no partitions for the table' do - it 'returns a partition for value 1' do - connection.execute("drop table #{table_name}_100; drop table #{table_name}_101;") + it 'returns a partition for value 100' do + drop_partitions missing_partitions = strategy.missing_partitions 
@@ -201,4 +222,8 @@ RSpec.describe Gitlab::Database::Partitioning::CiSlidingListStrategy, feature_ca }) end end + + def drop_partitions + connection.execute("drop table #{table_name}_100; drop table #{table_name}_101;") + end end diff --git a/spec/models/ci/pipeline_spec.rb b/spec/models/ci/pipeline_spec.rb index 9abb97a3d09..53c4a7e24a7 100644 --- a/spec/models/ci/pipeline_spec.rb +++ b/spec/models/ci/pipeline_spec.rb @@ -5649,6 +5649,22 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep, feature_category: end end + describe '.current_partition_value' do + subject { described_class.current_partition_value } + + it { is_expected.to eq(101) } + + it 'accepts an optional argument' do + expect(described_class.current_partition_value(build_stubbed(:project))).to eq(101) + end + + it 'returns 100 when the flag is disabled' do + stub_feature_flags(ci_current_partition_value_101: false) + + is_expected.to eq(100) + end + end + describe '#notes=' do context 'when notes already exist' do it 'does not create duplicate notes', :aggregate_failures do |
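Review bot: None of the examples in the new `describe '.current_partition_value'` block exercises the per-request memoization that the method under test adds in `app/models/ci/pipeline.rb`. The cases cover the flag enabled, an optional project argument, and the flag disabled globally, but not two calls in one request with different projects, nor the flag enabled for a single project. Consider an example tagged `:request_store` that enables the flag for one project via `stub_feature_flags(ci_current_partition_value_101: project)` and asserts what a second call with another project returns, so the intended behaviour is pinned down.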