From fce23e13968a87a1e2de96a6e945166c372736f4 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 30 Oct 2023 13:00:37 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@16-5-stable-ee

---
 app/helpers/version_check_helper.rb | 4 +-
 .../authenticating-with-hashicorp-vault/index.md | 52 +++++++++++-----------
 doc/ci/secrets/id_token_authentication.md | 52 +++++++++++-----------
 lib/gitlab/ci/jwt.rb | 3 +-
 spec/helpers/version_check_helper_spec.rb | 52 ++++++++++++----------
 spec/lib/gitlab/ci/jwt_spec.rb | 19 +++++++-
 6 files changed, 106 insertions(+), 76 deletions(-)

diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb
index 45a4b292eb5..895155e00d1 100644
--- a/app/helpers/version_check_helper.rb
+++ b/app/helpers/version_check_helper.rb
@@ -10,12 +10,14 @@ module VersionCheckHelper
 end
 def gitlab_version_check
+ return unless show_version_check?
+
 VersionCheck.new.response
 end
 strong_memoize_attr :gitlab_version_check
 def show_security_patch_upgrade_alert?
- return false unless show_version_check? && gitlab_version_check
+ return false unless gitlab_version_check
 Gitlab::Utils.to_boolean(gitlab_version_check['critical_vulnerability'])
 end
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index 5f969472aad..f494ff6dffb 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
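Review bot: The added `return unless show_version_check?` in `gitlab_version_check` is now the only thing standing between an unauthorized caller and the upstream `VersionCheck` response, yet nothing in the hunk records that, and `strong_memoize_attr :gitlab_version_check` caches whatever the first call yields (presumably `nil` included) for the helper instance. Because `show_security_patch_upgrade_alert?` dropped its own `show_version_check?` check in the same hunk, a future change that moves the guard back to a call site silently reopens the exposure this patch closes; I'd pin the intent with a comment above the guard: `# Authorization gate: the upstream version-check response is only fetched (and memoized) for callers passing show_version_check?; keep the check here, not at call sites.` `show_version_check?` is defined outside the hunk, so what it actually verifies is not visible here. Separately, `show_security_patch_upgrade_alert?` still yields `nil` rather than `false` when `critical_vulnerability` is absent (the spec table pins `[{}, nil]`), which is a loose contract for a `?` predicate.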
@@ -33,31 +33,32 @@ ID tokens are JSON Web Tokens (JWTs) used for OIDC authentication with third-par The following fields are included in the JWT: -| Field | When | Description | -|-------------------------|------------------------------|-------------| -| `jti` | Always | Unique identifier for this token | -| `iss` | Always | Issuer, the domain of your GitLab instance | -| `iat` | Always | Issued at | -| `nbf` | Always | Not valid before | -| `exp` | Always | Expires at | -| `sub` | Always | Subject (job ID) | -| `namespace_id` | Always | Use this to scope to group or user level namespace by ID | -| `namespace_path` | Always | Use this to scope to group or user level namespace by path | -| `project_id` | Always | Use this to scope to project by ID | -| `project_path` | Always | Use this to scope to project by path | -| `user_id` | Always | ID of the user executing the job | -| `user_login` | Always | Username of the user executing the job | -| `user_email` | Always | Email of the user executing the job | -| `pipeline_id` | Always | ID of this pipeline | -| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) | -| `job_id` | Always | ID of this job | -| `ref` | Always | Git ref for this job | -| `ref_type` | Always | Git ref type, either `branch` or `tag` | -| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. 
| -| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise | -| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | -| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | +| Field | When | Description | +|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `jti` | Always | Unique identifier for this token | +| `iss` | Always | Issuer, the domain of your GitLab instance | +| `iat` | Always | Issued at | +| `nbf` | Always | Not valid before | +| `exp` | Always | Expires at | +| `sub` | Always | Subject (job ID) | +| `namespace_id` | Always | Use this to scope to group or user level namespace by ID | +| `namespace_path` | Always | Use this to scope to group or user level namespace by path | +| `project_id` | Always | Use this to scope to project by ID | +| `project_path` | Always | Use this to scope to project by path | +| `user_id` | Always | ID of the user executing the job | +| `user_login` | Always | Username of the user executing the job | +| `user_email` | Always | Email of the user executing the job | +| `pipeline_id` | Always | ID of this pipeline | +| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) | +| `job_id` | Always | ID of this job | +| `ref` | Always | Git ref for this job | +| `ref_type` | Always | Git ref type, either `branch` or `tag` | +| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. 
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | +| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise | +| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | +| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) | | `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) | +| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) | Example JWT payload: @@ -84,7 +85,8 @@ Example JWT payload: "ref_path": "refs/heads/auto-deploy-2020-04-01", "ref_protected": "true", "environment": "production", - "environment_protected": "true" + "environment_protected": "true", + "environment_action": "start" } ``` diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md index 62429a160d4..325972e06c2 100644 --- a/doc/ci/secrets/id_token_authentication.md +++ b/doc/ci/secrets/id_token_authentication.md 
@@ -51,32 +51,33 @@ The following standard claims are included in each ID token: The token also includes custom claims provided by GitLab: -| Field | When | Description | -|-------------------------|------------------------------|-------------| -| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. | -| `namespace_path` | Always | Use this to scope to group or user level namespace by path. | -| `project_id` | Always | Use this to scope to project by ID. | -| `project_path` | Always | Use this to scope to project by path. | -| `user_id` | Always | ID of the user executing the job. | -| `user_login` | Always | Username of the user executing the job. | -| `user_email` | Always | Email of the user executing the job. | -| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). | -| `pipeline_id` | Always | ID of the pipeline. | -| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). | -| `job_id` | Always | ID of the job. | -| `ref` | Always | Git ref for the job. | -| `ref_type` | Always | Git ref type, either `branch` or `tag`. | -| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | -| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. | -| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | -| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). 
| -| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. | -| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | -| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | -| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| Field | When | Description | +|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. | +| `namespace_path` | Always | Use this to scope to group or user level namespace by path. | +| `project_id` | Always | Use this to scope to project by ID. | +| `project_path` | Always | Use this to scope to project by path. | +| `user_id` | Always | ID of the user executing the job. | +| `user_login` | Always | Username of the user executing the job. | +| `user_email` | Always | Email of the user executing the job. | +| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). | +| `pipeline_id` | Always | ID of the pipeline. | +| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). 
| +| `job_id` | Always | ID of the job. | +| `ref` | Always | Git ref for the job. | +| `ref_type` | Always | Git ref type, either `branch` or `tag`. | +| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | +| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. | +| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | +| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | +| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. | +| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) | +| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | +| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. | | `ci_config_ref_uri` | Always | The ref path to the top-level pipeline definition, for example, `gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main`. 
[Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
-| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
-| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
+| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
+| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
 ```json
 {
@@ -101,6 +101,7 @@ The token also includes custom claims provided by GitLab:
 "environment": "test-environment2",
 "environment_protected": "false",
 "deployment_tier": "testing",
+ "environment_action": "start",
 "runner_id": 1,
 "runner_environment": "self-hosted",
 "sha": "714a629c0b401fdce83e847fc9589983fc6f46bc",
diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 4ba7b4cc6e1..3d63ec6dfb7 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -71,7 +71,8 @@ module Gitlab
 fields.merge!(
 environment: environment.name,
 environment_protected: environment_protected?.to_s,
- deployment_tier: build.environment_tier
+ deployment_tier: build.environment_tier,
+ environment_action: build.environment_action
 )
 end
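Review bot: `environment_action: build.environment_action` is merged into the signed token verbatim, whereas the neighbouring `environment_protected` is normalized with `.to_s`, and per the accompanying spec the value originates in `build.options[:environment][:action]`, i.e. it is set by whoever authors the job definition. Relying parties doing exact-match bound-claim checks on it therefore get a job-author-controlled value rather than a server-side attribute like `ref_protected`; I'd say so on the new line: `# environment_action is read from the job definition (build options), so like the environment claim it is job-author controlled; OIDC policies must still bind project/ref claims`. Please also confirm what `build.environment_action` returns when a job gives only `environment: <name>` (the fixture shape this spec used before): if it is `nil`, the claim silently disappears for those jobs, which the "Job specifies an environment" wording in the two doc tables does not convey, and those doc rows link `[Introduced](https://gitlab.com/gitlab-org/gitlab/-/)` with no issue or MR id. The `fields.merge!` call sits inside a block whose opening line is outside the hunk.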
diff --git a/spec/helpers/version_check_helper_spec.rb b/spec/helpers/version_check_helper_spec.rb
index ce5aade2b1c..9c697dbe21e 100644
--- a/spec/helpers/version_check_helper_spec.rb
+++ b/spec/helpers/version_check_helper_spec.rb
@@ -38,43 +38,49 @@ RSpec.describe VersionCheckHelper do
 end
 describe '#gitlab_version_check' do
+ let(:show_version_check) { false }
+
 before do
- allow_next_instance_of(VersionCheck) do |instance|
- allow(instance).to receive(:response).and_return({ "severity" => "success" })
- end
+ allow(helper).to receive(:show_version_check?).and_return(show_version_check)
 end
- it 'returns an instance of the VersionCheck class' do
- expect(helper.gitlab_version_check).to eq({ "severity" => "success" })
+ it 'when show_version_check? is false it returns nil' do
+ expect(helper.gitlab_version_check).to be nil
+ end
+
+ context 'when show_version_check? is true' do
+ let(:show_version_check) { true }
+
+ before do
+ allow_next_instance_of(VersionCheck) do |instance|
+ allow(instance).to receive(:response).and_return({ "severity" => "success" })
+ end
+ end
+
+ it 'returns an instance of the VersionCheck class if the user has access' do
+ expect(helper.gitlab_version_check).to eq({ "severity" => "success" })
+ end
 end
 end
 describe '#show_security_patch_upgrade_alert?' do
 describe 'return conditions' do
- where(:show_version_check, :gitlab_version_check, :result) do
+ where(:gitlab_version_check, :result) do
 [
- [false, nil, false],
- [false, { "severity" => "success" }, false],
- [false, { "severity" => "danger" }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => 'some text' }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => 'false' }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => false }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => 'true' }, false],
- [false, { "severity" => "danger", "critical_vulnerability" => true }, false],
- [true, nil, false],
- [true, { "severity" => "success" }, nil],
- [true, { "severity" => "danger" }, nil],
- [true, { "severity" => "danger", "critical_vulnerability" => 'some text' }, nil],
- [true, { "severity" => "danger", "critical_vulnerability" => 'false' }, false],
- [true, { "severity" => "danger", "critical_vulnerability" => false }, false],
- [true, { "severity" => "danger", "critical_vulnerability" => 'true' }, true],
- [true, { "severity" => "danger", "critical_vulnerability" => true }, true]
+ [nil, false],
+ [{}, nil],
+ [{ "severity" => "success" }, nil],
+ [{ "severity" => "danger" }, nil],
+ [{ "severity" => "danger", "critical_vulnerability" => 'some text' }, nil],
+ [{ "severity" => "danger", "critical_vulnerability" => 'false' }, false],
+ [{ "severity" => "danger", "critical_vulnerability" => false }, false],
+ [{ "severity" => "danger", "critical_vulnerability" => 'true' }, true],
+ [{ "severity" => "danger", "critical_vulnerability" => true }, true]
 ]
 end
 with_them do
 before do
- allow(helper).to receive(:show_version_check?).and_return(show_version_check)
 allow(helper).to receive(:gitlab_version_check).and_return(gitlab_version_check)
 end
diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb
index a6de5b9879c..f0b203961b4 100644
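Review bot: The `when show_version_check? is false` example under `#gitlab_version_check` only asserts that the return value is `nil`; it does not prove the upstream `VersionCheck` call is skipped, which is the behaviour this security change introduces, so a regression that still calls out and merely discards the response would pass. Add a negative expectation ahead of the existing assertion: `expect(VersionCheck).not_to receive(:new)` followed by `expect(helper.gitlab_version_check).to be nil`. The example title also reads like a context; `context 'when show_version_check? is false'` with `it 'returns nil'` would mirror the `true` branch directly below it.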
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -49,6 +49,7 @@ RSpec.describe Gitlab::Ci::Jwt do
 expect(payload[:environment]).to be_nil
 expect(payload[:environment_protected]).to be_nil
 expect(payload[:deployment_tier]).to be_nil
+ expect(payload[:environment_action]).to be_nil
 end
 end
@@ -109,7 +110,10 @@ RSpec.describe Gitlab::Ci::Jwt do
 project: project,
 user: user,
 pipeline: pipeline,
- environment: environment.name
+ environment: {
+ name: environment.name,
+ action: 'start'
+ }
 )
 end
@@ -121,6 +125,7 @@ RSpec.describe Gitlab::Ci::Jwt do
 expect(payload[:environment]).to eq('production')
 expect(payload[:environment_protected]).to eq('false')
 expect(payload[:deployment_tier]).to eq('production')
+ expect(payload[:environment_action]).to eq('start')
 end
 describe 'deployment_tier' do
@@ -134,6 +139,18 @@ RSpec.describe Gitlab::Ci::Jwt do
 end
 end
 end
+
+ describe 'environment_action' do
+ context 'when build options specifies a different environment_action' do
+ before do
+ build.options[:environment] = { name: environment.name, action: 'prepare' }
+ end
+
+ it 'uses environment_action from build options' do
+ expect(payload[:environment_action]).to eq('prepare')
+ end
+ end
+ end
 end
 end
-- 
cgit v1.2.3
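Review bot: The new `environment_action` coverage only exercises an explicitly set `action: 'start'` (the shared fixture was changed to supply it) and an explicit `'prepare'`; the fixture shape the suite had before, `environment: environment.name` with no `action`, is no longer tested, so the claim's value for jobs that omit `action` is unpinned even though that is presumably the common case. Add a sibling context under `describe 'environment_action'`: `context 'when build options do not specify an action'` with `build.options[:environment] = { name: environment.name }` in its `before`, asserting whatever `Ci::Build#environment_action` returns there (likely `'start'` if the model defaults it — confirm), or `be_nil` if it does not. The `describe 'environment_action'` block closes inside the hunk, but the `describe`/`context` it is nested in open outside it.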