Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2022-06-15 00:09:28 +00:00
parent 9a3208fad1
commit 0624d0c79f
35 changed files with 197 additions and 210 deletions


@ -167,7 +167,7 @@ gem 'asciidoctor', '~> 2.0.10'
gem 'asciidoctor-include-ext', '~> 0.4.0', require: false
gem 'asciidoctor-plantuml', '~> 0.0.12'
gem 'asciidoctor-kroki', '~> 0.5.0', require: false
gem 'rouge', '~> 3.27.0'
gem 'rouge', '~> 3.29.0'
gem 'truncato', '~> 0.7.11'
gem 'bootstrap_form', '~> 4.2.0'
gem 'nokogiri', '~> 1.13.6'


@ -1090,7 +1090,7 @@ GEM
rexml (3.2.5)
rinku (2.0.0)
rotp (6.2.0)
rouge (3.27.0)
rouge (3.29.0)
rqrcode (0.7.0)
chunky_png
rqrcode-rails3 (0.1.7)
@ -1663,7 +1663,7 @@ DEPENDENCIES
responders (~> 3.0)
retriable (~> 3.1.2)
rexml (~> 3.2.5)
rouge (~> 3.27.0)
rouge (~> 3.29.0)
rqrcode-rails3 (~> 0.1.7)
rspec-benchmark (~> 0.6.0)
rspec-parameterized


@ -499,10 +499,7 @@ class Integration < ApplicationRecord
end
def api_field_names
fields
.reject { _1[:type] == 'password' }
.pluck(:name)
.grep_v(/password|token|key/)
fields.reject { _1[:type] == 'password' }.pluck(:name)
end
def global_fields
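Review bot: With `.grep_v(/password|token|key/)` gone, `api_field_names` filters secrets only by `type == 'password'`, so any field with a credential-like name that is declared with another type would now be returned. The field definitions of the individual integrations are not visible here, so this needs confirming across all of them; a spec that loads every integration class and fails when a field name matches `/password|token|key/` without `type: 'password'` would keep the invariant enforced. I would also state the contract on the method, e.g. `# Secret fields are excluded only when declared with type: 'password'`. The class body continues outside the hunk.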


@ -1,5 +1,6 @@
- breadcrumb_title _("Projects")
- page_title _("Projects")
- @content_class = "limit-container-width" unless fluid_layout
.card.gl-mt-3
.card-header


@ -50,7 +50,9 @@
= render 'shared/zen', attr: :release_description, classes: 'note-textarea', placeholder: s_('TagsPage|Write your release notes or drag files here…'), current_text: @release_description, qa_selector: 'release_notes_field'
= render 'shared/notes/hints'
.form-actions.gl-display-flex
= button_tag s_('TagsPage|Create tag'), class: 'gl-button btn btn-confirm gl-mr-3', data: { qa_selector: "create_tag_button" }
= link_to s_('TagsPage|Cancel'), project_tags_path(@project), class: 'gl-button btn btn-default btn-cancel'
= render Pajamas::ButtonComponent.new(variant: :confirm, button_options: { class: 'gl-mr-3', data: { qa_selector: "create_tag_button" }, type: 'submit' }) do
= s_('TagsPage|Create tag')
= render Pajamas::ButtonComponent.new(href: project_tags_path(@project)) do
= s_('TagsPage|Cancel')
-# haml-lint:disable InlineJavaScript
%script#availableRefs{ type: "application/json" }= @project.repository.ref_names.to_json.html_safe


@ -19,8 +19,7 @@
button_options: { class: 'remove-priority has-tooltip', 'title': _('Remove priority'), 'aria_label': _('Deprioritize label'), data: { placement: 'bottom' } })
- if can?(current_user, :admin_label, label)
%li.gl-display-inline-block
= link_to label.edit_path, class: 'btn gl-button btn-default-tertiary btn-sm edit has-tooltip', title: _('Edit'), data: { placement: 'bottom' }, aria_label: _('Edit') do
= sprite_icon('pencil')
= render Pajamas::ButtonComponent.new(href: label.edit_path, category: :tertiary, icon: 'pencil', button_options: { class: 'edit has-tooltip', 'title': _('Edit'), 'aria_label': _('Edit'), data: { placement: 'bottom' } })
- if can?(current_user, :admin_label, label)
%li.gl-display-inline-block
.dropdown
@ -48,10 +47,9 @@
%button.js-unsubscribe-button.gl-button.btn.btn-default.gl-w-full{ class: ('hidden' if status.unsubscribed?), data: { url: toggle_subscription_path, toggle: 'tooltip' }, title: tooltip_title }
%span.gl-button-text= _('Unsubscribe')
.dropdown.dropdown-group-label{ class: ('hidden' unless status.unsubscribed?) }
%button.gl-button.btn.btn-default.gl-w-full{ data: { toggle: 'dropdown' } }
%span.gl-button-text
= _('Subscribe')
= sprite_icon('chevron-down')
= render Pajamas::ButtonComponent.new(button_options: { class: 'gl-w-full', data: { toggle: 'dropdown' } }) do
= _('Subscribe')
= sprite_icon('chevron-down')
.dropdown-menu.dropdown-open-left
%ul
%li


@ -69,7 +69,7 @@ Example response:
]
```
## List project deploy keys
## List deploy keys for project
Get a list of a project's deploy keys.
@ -106,6 +106,62 @@ Example response:
]
```
## List project deploy keys for user
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88917) in GitLab 15.1.
Get a list of a specified user (requestee) and the authenticated user's (requester) common [project deploy keys](../user/project/deploy_keys/index.md#scope). It lists only the **enabled project keys from the common projects of requester and requestee**.
```plaintext
GET /users/:id_or_username/project_deploy_keys
```
Parameters:
| Attribute | Type | Required | Description |
|------------------- |--------|----------|------------------------------------------------------------------- |
| `id_or_username` | string | yes | The ID or username of the user to get the project deploy keys for. |
```json
[
{
"id": 1,
"title": "Key A",
"created_at": "2022-05-30T12:28:27.855Z",
"expires_at": null,
"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTEVaAtU5wiVducsOa01InRFf7QSTxoAm6Xy0PGv/k48M6xCALa9nY+BzlOv47jUT57 Key",
"fingerprint": "60:8e:10:f0:6a:82:c8:29:5f:bf:c0:38:72:00:6f:8f"
},
{
"id": 2,
"title": "Key B",
"created_at": "2022-05-30T13:34:56.219Z",
"expires_at": null,
"key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=",
"fingerprint": "75:33:44:7e:55:84:dd:70:29:a3:8e:a3:c0:b9:8b:65"
}
]
```
```shell
curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/users/20/project_deploy_keys"
```
Example response:
```json
[
{
"id": 1,
"title": "Key A",
"created_at": "2022-05-30T12:28:27.855Z",
"expires_at": "2022-10-30T12:28:27.855Z",
"key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTEVaAtU5wiVducsOa01InRFf7QSTxoAm6Xy0PGv/k48M6xCALa9nY+BzlOv47jUT57 Key",
"fingerprint": "60:8e:10:f0:6a:82:c8:29:5f:bf:c0:38:72:00:6f:8f"
}
]
```
## Get a single deploy key
Get a single key.


@ -12,7 +12,7 @@ No configuration is required. Your jobs can run on:
- [Linux runners](saas/linux_saas_runner.md).
- [Windows runners](saas/windows_saas_runner.md) ([Beta](../../policy/alpha-beta-support.md#beta-features)).
- [macOS runners](saas/macos_saas_runner.md) ([Beta](../../policy/alpha-beta-support.md#beta-features)).
- [macOS runners](saas/macos_saas_runner.md) ([Limited Availability](../../policy/alpha-beta-support.md#limited-availability-la)).
The number of minutes you can use on these runners depends on the
[maximum number of CI/CD minutes](../pipelines/cicd_minutes.md)


@ -6,7 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# SaaS runners on macOS (Limited Availability) **(PREMIUM SAAS)**
SaaS runners on macOS are in [Beta](../../../policy/alpha-beta-support.md#limited-availability-la) for approved open source programs and customers in Premium and Ultimate plans.
SaaS runners on macOS are in [Limited Availability](../../../policy/alpha-beta-support.md#limited-availability-la) for approved open source programs and customers in Premium and Ultimate plans.
SaaS runners on macOS provide an on-demand macOS build environment integrated with
GitLab SaaS [CI/CD](../../../ci/index.md).


@ -23,7 +23,8 @@ Each table of GitLab needs to have a `gitlab_schema` assigned:
- `gitlab_main`: describes all tables that are being stored in the `main:` database (for example, like `projects`, `users`).
- `gitlab_ci`: describes all CI tables that are being stored in the `ci:` database (for example, `ci_pipelines`, `ci_builds`).
- `gitlab_shared`: describe all application tables that contain data across all decomposed databases (for example, `loose_foreign_keys_deleted_records`).
- `gitlab_shared`: describe all application tables that contain data across all decomposed databases (for example, `loose_foreign_keys_deleted_records`) for models that inherit from `Gitlab::Database::SharedModel`.
- `gitlab_internal`: describe all internal tables of Rails and PostgreSQL (for example, `ar_internal_metadata`, `schema_migrations`, `pg_*`).
- `...`: more schemas to be introduced with additional decomposed databases
The usage of schema enforces the base class to be used:
@ -44,10 +45,8 @@ This is used as a primary source of classification for:
### The special purpose of `gitlab_shared`
`gitlab_shared` is a special case describing tables or views that by design contain data across
all decomposed databases. This does describe application-defined tables (like `loose_foreign_keys_deleted_records`),
Rails-defined tables (like `schema_migrations` or `ar_internal_metadata` as well as internal PostgreSQL tables
(for example, `pg_attribute`).
`gitlab_shared` is a special case that describes tables or views that, by design, contain data across
all decomposed databases. This classification describes application-defined tables (like `loose_foreign_keys_deleted_records`).
**Be careful** to use `gitlab_shared` as it requires special handling while accessing data.
Since `gitlab_shared` shares not only structure but also data, the application needs to be written in a way
@ -62,6 +61,11 @@ end
As such, migrations modifying data of `gitlab_shared` tables are expected to run across
all decomposed databases.
### The special purpose of `gitlab_internal`
`gitlab_internal` describes Rails-defined tables (like `schema_migrations` or `ar_internal_metadata`), as well as internal PostgreSQL tables (for example, `pg_attribute`). Its primary purpose is to [support other databases](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/85842#note_943453682), like Geo, that
might be missing some of those application-defined `gitlab_shared` tables (like `loose_foreign_keys_deleted_records`), but are valid Rails databases.
## Migrations
Read [Migrations for Multiple Databases](migrations_for_multiple_databases.md).


@ -194,8 +194,16 @@ table.supported-languages ul {
</tr>
<tr>
<td rowspan="2">Java</td>
<td rowspan="2">8, 11, 13, 14, 15, 16, or 17</td>
<td><a href="https://gradle.org/">Gradle</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup></td>
<td rowspan="2">
8,
11,
13<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
14<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
15<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
16<sup><b><a href="#notes-regarding-supported-languages-and-package-managers-1">1</a></b></sup>,
or 17
</td>
<td><a href="https://gradle.org/">Gradle</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-2">2</a></b></sup></td>
<td>
<ul>
<li><code>build.gradle</code></li>
@ -267,14 +275,14 @@ table.supported-languages ul {
<td>
<ul>
<li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile</code></a></li>
<li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile.lock</code></a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-2">2</a></b></sup></li>
<li><a href="https://pipenv.pypa.io/en/latest/basics/#example-pipfile-pipfile-lock"><code>Pipfile.lock</code></a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-3">3</a></b></sup></li>
</ul>
</td>
<td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
<td>N</td>
</tr>
<tr>
<td><a href="https://python-poetry.org/">Poetry</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-4">4</a></b></sup></td>
<td><a href="https://python-poetry.org/">Poetry</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-5">5</a></b></sup></td>
<td><code>poetry.lock</code></td>
<td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
<td>N</td>
@ -282,7 +290,7 @@ table.supported-languages ul {
<tr>
<td>Scala</td>
<td>Not applicable</td>
<td><a href="https://www.scala-sbt.org/">sbt</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-3">3</a></b></sup></td>
<td><a href="https://www.scala-sbt.org/">sbt</a><sup><b><a href="#notes-regarding-supported-languages-and-package-managers-4">4</a></b></sup></td>
<td><code>build.sbt</code></td>
<td><a href="https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium">Gemnasium</a></td>
<td>N</td>
@ -293,6 +301,12 @@ table.supported-languages ul {
<ol>
<li>
<a id="notes-regarding-supported-languages-and-package-managers-1"></a>
<p>
This version of Java is not supported by the FIPS-enabled image of <code>gemnasium-maven</code>.
</p>
</li>
<li>
<a id="notes-regarding-supported-languages-and-package-managers-2"></a>
<p>
Although Gradle with Java 8 is supported, there are other issues such that Android project builds are not supported at this time.
Please see the backlog issue <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/336866">Android support for Dependency
@ -300,7 +314,7 @@ table.supported-languages ul {
</p>
</li>
<li>
<a id="notes-regarding-supported-languages-and-package-managers-2"></a>
<a id="notes-regarding-supported-languages-and-package-managers-3"></a>
<p>
The presence of a <code>Pipfile.lock</code> file alone will <i>not</i> trigger the analyzer; the presence of a <code>Pipfile</code> is
still required in order for the analyzer to be executed. However, if a <code>Pipfile.lock</code> file is found, it will be used by
@ -313,13 +327,13 @@ table.supported-languages ul {
</p>
</li>
<li>
<a id="notes-regarding-supported-languages-and-package-managers-3"></a>
<a id="notes-regarding-supported-languages-and-package-managers-4"></a>
<p>
Support for <a href="https://www.scala-sbt.org/">sbt</a> 1.3 and above was added in GitLab 13.9.
</p>
</li>
<li>
<a id="notes-regarding-supported-languages-and-package-managers-4"></a>
<a id="notes-regarding-supported-languages-and-package-managers-5"></a>
<p>
Support for <a href="https://python-poetry.org/">Poetry</a> projects with a <code>poetry.lock</code> file was <a href="https://gitlab.com/gitlab-org/gitlab/-/issues/7006">added in GitLab 15.0</a>.
Support for projects without a <code>poetry.lock</code> file is tracked in issue:
@ -599,7 +613,7 @@ The following variables are used for configuring specific analyzers (used for a
| `GEMNASIUM_DB_REF_NAME` | `gemnasium` | `master` | Branch name for remote repository database. `GEMNASIUM_DB_REMOTE_URL` is required. |
| `DS_REMEDIATE` | `gemnasium` | `"true"` | Enable automatic remediation of vulnerable dependencies. |
| `GEMNASIUM_LIBRARY_SCAN_ENABLED` | `gemnasium` | `"true"` | Enable detecting vulnerabilities in vendored JavaScript libraries. For now, `gemnasium` leverages [`Retire.js`](https://github.com/RetireJS/retire.js) to do this job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/350512) in GitLab 14.8. |
| `DS_JAVA_VERSION` | `gemnasium-maven` | `17` | Version of Java. Available versions: `8`, `11`, `13`, `14`, `15`, `16`, `17`. |
| `DS_JAVA_VERSION` | `gemnasium-maven` | `17` | Version of Java. Available versions: `8`, `11`, `13`, `14`, `15`, `16`, `17`. Available versions in FIPS-enabled image: `8`, `11`, `17`. |
| `MAVEN_CLI_OPTS` | `gemnasium-maven` | `"-DskipTests --batch-mode"` | List of command line arguments that are passed to `maven` by the analyzer. See an example for [using private repositories](../index.md#using-private-maven-repositories). |
| `GRADLE_CLI_OPTS` | `gemnasium-maven` | | List of command line arguments that are passed to `gradle` by the analyzer. |
| `SBT_CLI_OPTS` | `gemnasium-maven` | | List of command-line arguments that the analyzer passes to `sbt`. |
@ -671,6 +685,9 @@ Gemnasium scanning jobs automatically use FIPS-enabled image when FIPS mode is e
To manually switch to FIPS-enabled images, set the variable `DS_IMAGE_SUFFIX` to `"-fips"`.
To ensure compliance with FIPS, the FIPS-enabled image of `gemnasium-maven` uses the OpenJDK packages for RedHat UBI.
As a result, it only supports Java 8, 11, and 17.
## Interacting with the vulnerabilities
Once a vulnerability is found, you can interact with it. Read more on how to


@ -770,8 +770,6 @@ By default, projects in a group can be forked.
Optionally, on [GitLab Premium](https://about.gitlab.com/pricing/) or higher tiers,
you can prevent the projects in a group from being forked outside of the current top-level group.
Previously, this setting was available only for groups enforcing a
[Group Managed Account](saml_sso/group_managed_accounts.md) in SAML.
This setting will be removed from the SAML setting page, and migrated to the
group settings page. In the interim period, both of these settings are taken into consideration.
If even one is set to `true`, then the group does not allow outside forks.


@ -3,121 +3,12 @@ type: reference, howto
stage: Manage
group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
remove_date: '2022-06-13'
redirect_to: 'index.md'
---
# Group Managed Accounts **(PREMIUM)**
WARNING:
This [Closed Beta](https://about.gitlab.com/handbook/product/gitlab-the-product/#sts=Closed%20Beta) feature is being re-evaluated in favor of a different
[approach](https://gitlab.com/groups/gitlab-org/-/epics/4786) that aligns more closely with our [Subscription Agreement](https://about.gitlab.com/handbook/legal/subscription-agreement/).
We recommend that group owners who haven't yet implemented this feature wait for the new solution.
> - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/709) in GitLab 12.1.
> - It's deployed behind a feature flag, disabled by default.
When [SSO for Groups](index.md) is enforced, groups can enable an additional level of protection by enforcing the creation of dedicated user accounts to access the group.
With group-managed accounts enabled, users are required to create a new, dedicated user linked to the group.
The notification email address associated with the user is locked to the email address received from the configured identity provider.
Without group-managed accounts, users can link their SAML identity with any existing user on the instance.
When this option is enabled:
- All users in the group are required to log in via the SSO URL associated with the group.
- After the group-managed account has been created, group activity requires the use of this user account.
- Users can't share a project in the group outside the top-level group (also applies to forked projects).
Upon successful authentication, GitLab prompts the user with options, based on the email address received from the configured identity provider:
- To create a unique account with the newly received email address.
- If the received email address matches one of the user's verified GitLab email addresses, the option to convert the existing account to a group-managed account. ([Introduced in GitLab 12.9](https://gitlab.com/gitlab-org/gitlab/-/issues/13481).)
Since use of the group-managed account requires the use of SSO, users of group-managed accounts lose access to these accounts when they are no longer able to authenticate with the connected identity provider. In the case of an offboarded employee who has been removed from your identity provider:
- The user is unable to access the group (their credentials no longer work on the identity provider when prompted to use SSO).
- Contributions in the group (for example, issues and merge requests) remains intact.
Please refer to our [SAML SSO for Groups page](../index.md) for information on how to configure SAML.
## Feature flag **(PREMIUM SELF)**
The group-managed accounts feature is behind these feature flags: `group_managed_accounts`, `sign_up_on_sso` and `convert_user_to_group_managed_accounts`. The flags are disabled by default.
To activate the feature, ask a GitLab administrator with Rails console access to run:
```ruby
Feature.enable(:group_managed_accounts)
Feature.enable(:sign_up_on_sso)
Feature.enable(:convert_user_to_group_managed_accounts)
```
## Project restrictions for Group-managed accounts
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12420) in GitLab 12.9.
Projects within groups with enabled group-managed accounts are not to be shared with:
- Groups outside of the parent group.
- Members who are not users managed by this group.
This restriction also applies to projects forked from or to those groups.
## Outer forks restriction for Group-managed accounts
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/34648) in GitLab 12.9.
Groups with group-managed accounts can prevent forking of projects to destinations outside the group.
To do so, enable the "Prohibit outer forks" option in **Settings > SAML SSO**.
When enabled **at the parent group level**, projects within the group can be forked
only to other destinations within the group (including its subgroups).
## Credentials inventory for Group-managed accounts **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/38133) in GitLab 12.8.
Owners who manage user accounts in a group can view the following details of personal access tokens and SSH keys:
- Owners
- Scopes
- Usage patterns
To access the Credentials inventory of a group, navigate to **{shield}** **Security & Compliance > Credentials** in your group's sidebar.
This feature is similar to the [Credentials inventory for self-managed instances](../../admin_area/credentials_inventory.md).
### Revoke a group-managed account's personal access token
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214811) in GitLab 13.5.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/267184) in GitLab 13.10.
Group owners can revoke the personal access tokens of accounts in their group. To do so, select
the Personal Access Tokens tab, and select Revoke.
When a personal access token is revoked, the group-managed account user is notified by email.
## Limiting lifetime of personal access tokens of users in Group-managed accounts **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/118893) in GitLab 12.10.
Users in a group managed account can optionally specify an expiration date for
[personal access tokens](../../profile/personal_access_tokens.md).
This expiration date is not a requirement, and can be set to any arbitrary date.
Since personal access tokens are the only token needed for programmatic access to GitLab, organizations with security requirements may want to enforce more protection to require regular rotation of these tokens.
### Set a limit
Only a GitLab administrator or an owner of a group-managed account can set a limit. When this field
is left empty, the [instance-level restriction](../../admin_area/settings/account_and_limit_settings.md#limit-the-lifetime-of-access-tokens)
on the lifetime of personal access tokens apply.
To set a limit on how long personal access tokens are valid for users in a group managed account:
1. Navigate to the **Settings > General** page in your group's sidebar.
1. Expand the **Permissions and group features** section.
1. Fill in the **Maximum allowable lifetime for access tokens (days)** field.
1. Select **Save changes**.
Once a lifetime for personal access tokens is set:
- GitLab applies the lifetime for new personal access tokens and requires users managed by the group to set an expiration date that's no later than the allowed lifetime.
- After three hours, revoke old tokens with no expiration date or with a lifetime longer than the allowed lifetime. Three hours is given to allow administrators/group owner to change the allowed lifetime, or remove it, before revocation takes place.
This [closed beta](https://about.gitlab.com/handbook/product/gitlab-the-product/#sts=Closed%20Beta) feature was never enabled globally. See
[this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/296544) for progress on removing the feature.
Use [SAML SSO](index.md) instead.


@ -68,7 +68,8 @@ module Gitlab
@schemas_to_base_models ||= {
gitlab_main: [self.database_base_models.fetch(:main)],
gitlab_ci: [self.database_base_models[:ci] || self.database_base_models.fetch(:main)], # use CI or fallback to main
gitlab_shared: self.database_base_models.values # all models
gitlab_shared: self.database_base_models.values, # all models
gitlab_internal: self.database_base_models.values # all models
}.with_indifferent_access.freeze
end


@ -75,8 +75,8 @@ module Gitlab
return gitlab_schema
end
# All tables from `information_schema.` are `:gitlab_shared`
return :gitlab_shared if schema_name == 'information_schema'
# All tables from `information_schema.` are marked as `internal`
return :gitlab_internal if schema_name == 'information_schema'
return :gitlab_main if table_name.start_with?('_test_gitlab_main_')
@ -85,8 +85,8 @@ module Gitlab
# All tables that start with `_test_` without a following schema are shared and ignored
return :gitlab_shared if table_name.start_with?('_test_')
# All `pg_` tables are marked as `shared`
return :gitlab_shared if table_name.start_with?('pg_')
# All `pg_` tables are marked as `internal`
return :gitlab_internal if table_name.start_with?('pg_')
# When undefined it's best to return a unique name so that we don't incorrectly assume that 2 undefined schemas belong on the same database
:"undefined_#{table_name}"


@ -35,7 +35,7 @@ approval_project_rules_users: :gitlab_main
approvals: :gitlab_main
approver_groups: :gitlab_main
approvers: :gitlab_main
ar_internal_metadata: :gitlab_shared
ar_internal_metadata: :gitlab_internal
atlassian_identities: :gitlab_main
audit_events_external_audit_event_destinations: :gitlab_main
audit_events: :gitlab_main
@ -467,7 +467,7 @@ routes: :gitlab_main
saml_group_links: :gitlab_main
saml_providers: :gitlab_main
saved_replies: :gitlab_main
schema_migrations: :gitlab_shared
schema_migrations: :gitlab_internal
scim_identities: :gitlab_main
scim_oauth_access_tokens: :gitlab_main
security_findings: :gitlab_main


@ -9,7 +9,7 @@ module Gitlab
DMLNotAllowedError = Class.new(UnsupportedSchemaError)
DMLAccessDeniedError = Class.new(UnsupportedSchemaError)
IGNORED_SCHEMAS = %i[gitlab_shared].freeze
IGNORED_SCHEMAS = %i[gitlab_shared gitlab_internal].freeze
class << self
def enabled?
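Review bot: `IGNORED_SCHEMAS` now exempts `gitlab_internal` without saying why, and the effect of the constant is not visible in this hunk. Given the `DMLNotAllowedError`/`DMLAccessDeniedError` classes above it, this presumably removes DML restrictions for tables such as `schema_migrations`, `ar_internal_metadata` and `pg_*`; a comment would make that exemption deliberate, e.g. `# gitlab_internal tables (Rails and PostgreSQL bookkeeping) exist on every database, so they are skipped like gitlab_shared`. The module continues outside the hunk.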


@ -20,6 +20,15 @@ module Gitlab
"to '#{Gitlab::Database.db_config_name(connection)}'"
end
# connection might not be yet adopted (returning nil, and no gitlab_schemas)
# in such cases it is fine to ignore such connections
gitlab_schemas = Gitlab::Database.gitlab_schemas_for_connection(connection)
unless gitlab_schemas.nil? || gitlab_schemas.include?(:gitlab_shared)
raise "Cannot set `SharedModel` to connection from `#{Gitlab::Database.db_config_name(connection)}` " \
"since this connection does not include `:gitlab_shared` schema."
end
self.overriding_connection = connection
yield
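Review bot: The new guard is skipped whenever `gitlab_schemas_for_connection` returns nil, so an unadopted connection is accepted without any schema check; the comment says this is intended, but the spec added in this commit only covers the raising path. I would add an example that stubs `gitlab_schemas_for_connection` to return nil and asserts the block still runs, so the fail-open case is pinned deliberately rather than by omission. The bare `raise "..."` also produces a `RuntimeError`; a named error class would let callers rescue it specifically instead of matching on the message. `using_connection` starts and ends outside the hunk.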


@ -348,7 +348,13 @@ namespace :gitlab do
Rake::Task['db:drop'].invoke
Rake::Task['db:create'].invoke
ActiveRecord::Base.configurations.configs_for(env_name: ActiveRecord::Tasks::DatabaseTasks.env).each do |db_config|
ActiveRecord::Base.establish_connection(db_config.configuration_hash.merge(username: username)) # rubocop: disable Database/EstablishConnection
config = ActiveRecord::DatabaseConfigurations::HashConfig.new(
db_config.env_name,
db_config.name,
db_config.configuration_hash.merge(username: username)
)
ActiveRecord::Base.establish_connection(config) # rubocop: disable Database/EstablishConnection
Gitlab::Database.check_for_non_superuser
Rake::Task['db:migrate'].invoke
end
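Review bot: The reason for wrapping the merged hash in `ActiveRecord::DatabaseConfigurations::HashConfig` is not documented at the `establish_connection` call. Presumably it keeps `env_name` and `name` attached so the connection can still be mapped to its database config after the username override; a comment such as `# Preserve env_name/name so the connection keeps its db config identity` would record that. As far as this hunk shows, `ActiveRecord::Base` also stays connected as `username` to the last config once the loop ends, so it is worth confirming that nothing later in the task expects the original credentials. The task body starts outside the hunk.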


@ -17,10 +17,7 @@ RSpec.describe 'DeclarativePolicy authorization in GraphQL ' do
let(:permission_object_two) { authorizing_object }
let(:query_string) { '{ item { name } }' }
let(:result) do
schema = empty_schema
execute_query(query_type, schema: schema)
end
let(:result) { execute_query(query_type) }
subject { result.dig('data', 'item') }


@ -390,7 +390,7 @@ module Gitlab
<div>class.cpp</div>
<div>
<div class="gl-relative markdown-code-block js-markdown-code">
<pre class="code highlight js-syntax-highlight language-cpp" lang="cpp" v-pre="true"><code><span id="LC1" class="line" lang="cpp"><span class="cp">#include &lt;stdio.h&gt;</span></span>
<pre class="code highlight js-syntax-highlight language-cpp" lang="cpp" v-pre="true"><code><span id="LC1" class="line" lang="cpp"><span class="cp">#include</span> <span class="cpf">&lt;stdio.h&gt;</span></span>
<span id="LC2" class="line" lang="cpp"></span>
<span id="LC3" class="line" lang="cpp"><span class="k">for</span> <span class="p">(</span><span class="kt">int</span> <span class="n">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span> <span class="o">&lt;</span> <span class="mi">5</span><span class="p">;</span> <span class="n">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span></span>
<span id="LC4" class="line" lang="cpp"> <span class="n">std</span><span class="o">::</span><span class="n">cout</span><span class="o">&lt;&lt;</span><span class="s">"*"</span><span class="o">&lt;&lt;</span><span class="n">std</span><span class="o">::</span><span class="n">endl</span><span class="p">;</span></span>


@ -61,7 +61,11 @@ RSpec.describe Gitlab::Database::EachDatabase do
context 'when shared connections are not included' do
it 'only yields the unshared connections' do
expect(Gitlab::Database).to receive(:db_config_share_with).twice.and_return(nil, 'main')
if Gitlab::Database.has_config?(:ci)
expect(Gitlab::Database).to receive(:db_config_share_with).exactly(3).times.and_return(nil, 'main', 'main')
else
expect(Gitlab::Database).to receive(:db_config_share_with).twice.and_return(nil, 'main')
end
expect { |b| described_class.each_database_connection(include_shared: false, &b) }
.to yield_successive_args([ActiveRecord::Base.connection, 'main'])


@ -7,7 +7,7 @@ RSpec.describe Gitlab::Database::GitlabSchema do
it 'all tables have assigned a known gitlab_schema' do
is_expected.to all(
match([be_a(String), be_in([:gitlab_shared, :gitlab_main, :gitlab_ci])])
match([be_a(String), be_in([:gitlab_internal, :gitlab_shared, :gitlab_main, :gitlab_ci])])
)
end
@ -42,12 +42,12 @@ RSpec.describe Gitlab::Database::GitlabSchema do
where(:name, :classification) do
'ci_builds' | :gitlab_ci
'my_schema.ci_builds' | :gitlab_ci
'information_schema.columns' | :gitlab_shared
'information_schema.columns' | :gitlab_internal
'audit_events_part_5fc467ac26' | :gitlab_main
'_test_gitlab_main_table' | :gitlab_main
'_test_gitlab_ci_table' | :gitlab_ci
'_test_my_table' | :gitlab_shared
'pg_attribute' | :gitlab_shared
'pg_attribute' | :gitlab_internal
'my_other_table' | :undefined_my_other_table
end


@ -27,6 +27,19 @@ RSpec.describe Gitlab::Database::SharedModel do
end
end
it 'raises an error if the connection does not include `:gitlab_shared` schema' do
allow(Gitlab::Database)
.to receive(:gitlab_schemas_for_connection)
.with(new_connection)
.and_return([:gitlab_main])
expect_original_connection_around do
expect do
described_class.using_connection(new_connection) {}
end.to raise_error(/Cannot set `SharedModel` to connection/)
end
end
context 'when multiple connection overrides are nested', :aggregate_failures do
let(:second_connection) { double('connection') }


@ -27,8 +27,7 @@ RSpec.describe Gitlab::Graphql::MarkdownField do
context 'resolving markdown' do
let_it_be(:note) { build(:note, note: '# Markdown!') }
let_it_be(:expected_markdown) { '<h1 data-sourcepos="1:1-1:11" dir="auto">Markdown!</h1>' }
let_it_be(:schema) { empty_schema }
let_it_be(:query) { GraphQL::Query.new(schema, document: nil, context: {}, variables: {}) }
let_it_be(:query) { GraphQL::Query.new(empty_schema, document: nil, context: {}, variables: {}) }
let_it_be(:context) { GraphQL::Query::Context.new(query: query, values: {}, object: nil) }
let(:type_class) { class_with_markdown_field(:note_html, null: false) }


@ -9,8 +9,7 @@ RSpec.describe Gitlab::Graphql::Pagination::Keyset::Connection do
# The spec will be merged with connection_spec.rb in the future.
let(:nodes) { Project.all.order(id: :asc) }
let(:arguments) { {} }
let(:schema) { empty_schema }
let(:context) { GraphQL::Query::Context.new(query: query_double(schema: schema), values: nil, object: nil) }
let(:context) { GraphQL::Query::Context.new(query: query_double, values: nil, object: nil) }
let_it_be(:column_order_id) { Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(attribute_name: 'id', order_expression: Project.arel_table[:id].asc) }
let_it_be(:column_order_id_desc) { Gitlab::Pagination::Keyset::ColumnOrderDefinition.new(attribute_name: 'id', order_expression: Project.arel_table[:id].desc) }


@ -7,8 +7,7 @@ RSpec.describe Gitlab::Graphql::Pagination::Keyset::Connection do
let(:nodes) { Project.all.order(id: :asc) }
let(:arguments) { {} }
let(:schema) { empty_schema }
let(:context) { GraphQL::Query::Context.new(query: query_double(schema: schema), values: nil, object: nil) }
let(:context) { GraphQL::Query::Context.new(query: query_double, values: nil, object: nil) }
subject(:connection) do
described_class.new(nodes, **{ context: context, max_page_size: 3 }.merge(arguments))


@ -24,7 +24,7 @@ RSpec.describe Gitlab::Seeder do
describe '.quiet' do
let(:database_base_models) do
{
main: ApplicationRecord,
main: ActiveRecord::Base,
ci: Ci::ApplicationRecord
}
end


@ -812,14 +812,14 @@ RSpec.describe Integration do
Class.new(Integration) do
def fields
[
{ name: 'token' },
{ name: 'api_token' },
{ name: 'token_api' },
{ name: 'safe_token' },
{ name: 'key' },
{ name: 'api_key' },
{ name: 'password' },
{ name: 'password_field' },
{ name: 'token', type: 'password' },
{ name: 'api_token', type: 'password' },
{ name: 'token_api', type: 'password' },
{ name: 'safe_token', type: 'password' },
{ name: 'key', type: 'password' },
{ name: 'api_key', type: 'password' },
{ name: 'password', type: 'password' },
{ name: 'password_field', type: 'password' },
{ name: 'some_safe_field' },
{ name: 'safe_field' },
{ name: 'url' },
@ -837,15 +837,14 @@ RSpec.describe Integration do
context 'when the class uses the field DSL' do
let(:fake_integration) do
Class.new(described_class) do
field :token
field :token
field :api_token
field :token_api
field :safe_token
field :key
field :api_key
field :password
field :password_field
field :token, type: 'password'
field :api_token, type: 'password'
field :token_api, type: 'password'
field :safe_token, type: 'password'
field :key, type: 'password'
field :api_key, type: 'password'
field :password, type: 'password'
field :password_field, type: 'password'
field :some_safe_field
field :safe_field
field :url
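Review bot: Both fixtures (the `fields` array in the first hunk and the `field` DSL block in the second) now give every secret-looking name (`token`, `api_key`, `password_field`, …) `type: 'password'`, so no case is left that pins what happens to a field named like a secret but declared without that type. If `api_field_names` now filters on `type` alone, as the fixtures suggest, such a field would be listed among the API field names, and a forgotten `type: 'password'` on a real integration would pass this spec unnoticed. I would keep one untyped case in each fixture, for example `{ name: 'untyped_token' }` (a constructed name) with an explicit expectation for it, or add a spec that fails when any integration declares a field matching `/password|token|key/` without `type: 'password'`. The `Class.new` bodies and the expectations they feed continue outside these hunks.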


@ -40,15 +40,17 @@ RSpec.describe Admin::BackgroundMigrationsController, :enable_admin_mode do
describe 'GET #index' do
let(:default_model) { ActiveRecord::Base }
let(:db_config) { instance_double(ActiveRecord::DatabaseConfigurations::HashConfig, name: 'fake_db') }
before do
allow(Gitlab::Database).to receive(:db_config_for_connection).and_return(db_config)
allow(Gitlab::Database).to receive(:database_base_models).and_return(base_models)
end
let!(:main_database_migration) { create(:batched_background_migration, :active) }
context 'when no database is provided' do
let(:base_models) { { 'fake_db' => default_model } }
let(:base_models) { { 'fake_db' => default_model }.with_indifferent_access }
before do
stub_const('Gitlab::Database::MAIN_DATABASE_NAME', 'fake_db')
@ -68,7 +70,7 @@ RSpec.describe Admin::BackgroundMigrationsController, :enable_admin_mode do
end
context 'when multiple database is enabled', :add_ci_connection do
let(:base_models) { { 'fake_db' => default_model, 'ci' => ci_model } }
let(:base_models) { { 'fake_db' => default_model, 'ci' => ci_model }.with_indifferent_access }
let(:ci_model) { Ci::ApplicationRecord }
context 'when CI database is provided' do


@ -42,7 +42,7 @@ RSpec.describe Admin::BatchedJobsController, :enable_admin_mode do
end
context 'when multiple database is enabled', :add_ci_connection do
let(:base_models) { { 'fake_db' => default_model, 'ci' => ci_model } }
let(:base_models) { { 'main' => default_model, 'ci' => ci_model }.with_indifferent_access }
let(:ci_model) { Ci::ApplicationRecord }
before do


@ -425,7 +425,7 @@ module GraphqlHelpers
end
end
def query_double(schema:)
def query_double(schema: empty_schema)
double('query', schema: schema, warden: GraphQL::Schema::Warden::PassThruWarden)
end


@ -112,7 +112,7 @@ RSpec.describe 'gitlab:background_migrations namespace rake tasks' do
let(:main_database_name) { Gitlab::Database::MAIN_DATABASE_NAME }
let(:model) { Gitlab::Database.database_base_models[main_database_name] }
let(:connection) { double(:connection) }
let(:base_models) { { 'main' => model } }
let(:base_models) { { 'main' => model }.with_indifferent_access }
around do |example|
Gitlab::Database::SharedModel.using_connection(model.connection) do


@ -822,18 +822,20 @@ RSpec.describe 'gitlab:db namespace rake task', :silence_stdout do
let(:connection_pool) { instance_double(ActiveRecord::ConnectionAdapters::ConnectionPool ) }
let(:connection) { instance_double(ActiveRecord::ConnectionAdapters::PostgreSQLAdapter) }
let(:configurations) { double(ActiveRecord::DatabaseConfigurations) }
let(:configuration) { instance_double(ActiveRecord::DatabaseConfigurations::HashConfig) }
let(:configuration) { instance_double(ActiveRecord::DatabaseConfigurations::HashConfig, env_name: 'test', name: 'main') }
let(:config_hash) { { username: 'foo' } }
it 'migrate as nonsuperuser check with default username' do
before do
allow(Rake::Task['db:drop']).to receive(:invoke)
allow(Rake::Task['db:create']).to receive(:invoke)
allow(ActiveRecord::Base).to receive(:configurations).and_return(configurations)
allow(configurations).to receive(:configs_for).and_return([configuration])
allow(configuration).to receive(:configuration_hash).and_return(config_hash)
allow(ActiveRecord::Base).to receive(:establish_connection).and_return(connection_pool)
end
expect(config_hash).to receive(:merge).with({ username: 'gitlab' })
it 'migrate as nonsuperuser check with default username' do
expect(config_hash).to receive(:merge).with({ username: 'gitlab' }).and_call_original
expect(Gitlab::Database).to receive(:check_for_non_superuser)
expect(Rake::Task['db:migrate']).to receive(:invoke)
@ -841,14 +843,7 @@ RSpec.describe 'gitlab:db namespace rake task', :silence_stdout do
end
it 'migrate as nonsuperuser check with specified username' do
allow(Rake::Task['db:drop']).to receive(:invoke)
allow(Rake::Task['db:create']).to receive(:invoke)
allow(ActiveRecord::Base).to receive(:configurations).and_return(configurations)
allow(configurations).to receive(:configs_for).and_return([configuration])
allow(configuration).to receive(:configuration_hash).and_return(config_hash)
allow(ActiveRecord::Base).to receive(:establish_connection).and_return(connection_pool)
expect(config_hash).to receive(:merge).with({ username: 'foo' })
expect(config_hash).to receive(:merge).with({ username: 'foo' }).and_call_original
expect(Gitlab::Database).to receive(:check_for_non_superuser)
expect(Rake::Task['db:migrate']).to receive(:invoke)


@ -157,10 +157,10 @@ RSpec.describe LooseForeignKeys::CleanupWorker do
describe 'multi-database support' do
where(:current_minute, :configured_base_models, :expected_connection_model) do
2 | { main: 'ApplicationRecord', ci: 'Ci::ApplicationRecord' } | 'ApplicationRecord'
3 | { main: 'ApplicationRecord', ci: 'Ci::ApplicationRecord' } | 'Ci::ApplicationRecord'
2 | { main: 'ApplicationRecord' } | 'ApplicationRecord'
3 | { main: 'ApplicationRecord' } | 'ApplicationRecord'
2 | { main: 'ActiveRecord::Base', ci: 'Ci::ApplicationRecord' } | 'ActiveRecord::Base'
3 | { main: 'ActiveRecord::Base', ci: 'Ci::ApplicationRecord' } | 'Ci::ApplicationRecord'
2 | { main: 'ActiveRecord::Base' } | 'ActiveRecord::Base'
3 | { main: 'ActiveRecord::Base' } | 'ActiveRecord::Base'
end
with_them do