Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
d588fa9e6e
commit
154cc38c02
|
@ -114,7 +114,7 @@ export const PathIdSeparator = {
|
|||
};
|
||||
|
||||
export const issuablesBlockHeaderTextMap = {
|
||||
[issuableTypesMap.ISSUE]: __('Linked issues'),
|
||||
[issuableTypesMap.ISSUE]: __('Linked items'),
|
||||
[issuableTypesMap.INCIDENT]: __('Related incidents or issues'),
|
||||
[issuableTypesMap.EPIC]: __('Linked epics'),
|
||||
};
|
||||
|
|
|
@ -25,6 +25,9 @@ Rails.application.configure do
|
|||
# Print deprecation notices to the Rails logger
|
||||
config.active_support.deprecation = :log
|
||||
|
||||
# Raise exceptions for disallowed deprecations.
|
||||
config.active_support.disallowed_deprecation = :raise
|
||||
|
||||
# Raise an error on page load if there are pending migrations
|
||||
config.active_record.migration_error = :page_load
|
||||
|
||||
|
|
|
@ -68,6 +68,9 @@ Rails.application.configure do
|
|||
# Send deprecation notices to registered listeners
|
||||
config.active_support.deprecation = :notify
|
||||
|
||||
# Silence disallowed deprecations.
|
||||
config.active_support.disallowed_deprecation = :silence
|
||||
|
||||
config.action_mailer.delivery_method = :sendmail
|
||||
# Defaults to:
|
||||
# # config.action_mailer.sendmail_settings = {
|
||||
|
|
|
@ -49,6 +49,9 @@ Rails.application.configure do
|
|||
# Print deprecation notices to the stderr
|
||||
config.active_support.deprecation = :stderr
|
||||
|
||||
# Raise exceptions for disallowed deprecations.
|
||||
config.active_support.disallowed_deprecation = :raise
|
||||
|
||||
config.eager_load = Gitlab::Utils.to_boolean(ENV['GITLAB_TEST_EAGER_LOAD'], default: ENV['CI'].present?)
|
||||
|
||||
config.cache_store = :null_store
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
# Disallowed deprecation warnings are silenced in production. For performance
|
||||
# reasons we even skip the definition of disallowed warnings in production.
|
||||
#
|
||||
# See
|
||||
# * https://gitlab.com/gitlab-org/gitlab/-/issues/368379 for a follow-up
|
||||
# * https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92557#note_1032212676
|
||||
# for benchmarks
|
||||
#
|
||||
# In Rails 7 we will use `config.active_support.report_deprecations = false`
|
||||
# instead of this early return.
|
||||
return if Rails.env.production?
|
||||
|
||||
# Ban the following deprecation warnings and turn them into runtime errors
|
||||
# in `development` and `test` environments.
|
||||
#
|
||||
# This way we prevent already fixed warnings from sneaking back into the codebase silently.
|
||||
rails7_deprecation_warnings = [
|
||||
# https://gitlab.com/gitlab-org/gitlab/-/issues/339739
|
||||
/ActiveModel::Errors#keys is deprecated/,
|
||||
# https://gitlab.com/gitlab-org/gitlab/-/issues/342492
|
||||
/Rendering actions with '\.' in the name is deprecated/,
|
||||
# https://gitlab.com/gitlab-org/gitlab/-/issues/333086
|
||||
/default_hash is deprecated/
|
||||
]
|
||||
|
||||
ActiveSupport::Deprecation.disallowed_warnings.concat rails7_deprecation_warnings
|
|
@ -0,0 +1,16 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class AddTemporaryIndexForVulnerabilityReadsClusterAgentIdMigration < Gitlab::Database::Migration[2.0]
|
||||
INDEX_VULNERABILITY_READS_NAME = 'tmp_index_cis_vulnerability_reads_on_id'
|
||||
|
||||
disable_ddl_transaction!
|
||||
|
||||
def up
|
||||
# this index is used in 20220525221133_schedule_backfill_vulnerability_reads_cluster_agent
|
||||
add_concurrent_index :vulnerability_reads, :id, name: INDEX_VULNERABILITY_READS_NAME, where: 'report_type = 7'
|
||||
end
|
||||
|
||||
def down
|
||||
remove_concurrent_index_by_name :vulnerability_reads, INDEX_VULNERABILITY_READS_NAME
|
||||
end
|
||||
end
|
|
@ -0,0 +1,29 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class ScheduleBackfillVulnerabilityReadsClusterAgent < Gitlab::Database::Migration[2.0]
|
||||
restrict_gitlab_migration gitlab_schema: :gitlab_main
|
||||
|
||||
BATCH_SIZE = 10_000
|
||||
SUB_BATCH_SIZE = 1_000
|
||||
DELAY_INTERVAL = 2.minutes
|
||||
MIGRATION_NAME = 'BackfillVulnerabilityReadsClusterAgent'
|
||||
BATCH_CLASS_NAME = 'BackfillVulnerabilityReadsClusterAgentBatchingStrategy'
|
||||
|
||||
disable_ddl_transaction!
|
||||
|
||||
def up
|
||||
queue_batched_background_migration(
|
||||
MIGRATION_NAME,
|
||||
:vulnerability_reads,
|
||||
:id,
|
||||
job_interval: DELAY_INTERVAL,
|
||||
batch_size: BATCH_SIZE,
|
||||
batch_class_name: BATCH_CLASS_NAME,
|
||||
sub_batch_size: SUB_BATCH_SIZE
|
||||
)
|
||||
end
|
||||
|
||||
def down
|
||||
delete_batched_background_migration(MIGRATION_NAME, :vulnerability_reads, :id, [])
|
||||
end
|
||||
end
|
|
@ -0,0 +1 @@
|
|||
c2b2fc7674b99791f6d239e42add7db3c72f2b27e653e2348887d0178f77686a
|
|
@ -0,0 +1 @@
|
|||
b22a0dd285d383f556a5402441f3e82a6db6dd47008444b94303351b295b414e
|
|
@ -30305,6 +30305,8 @@ CREATE INDEX tmp_index_ci_job_artifacts_on_expire_at_where_locked_unknown ON ci_
|
|||
|
||||
CREATE INDEX tmp_index_ci_job_artifacts_on_id_where_trace_and_expire_at ON ci_job_artifacts USING btree (id) WHERE ((file_type = 3) AND (expire_at = ANY (ARRAY['2021-04-22 00:00:00+00'::timestamp with time zone, '2021-05-22 00:00:00+00'::timestamp with time zone, '2021-06-22 00:00:00+00'::timestamp with time zone, '2022-01-22 00:00:00+00'::timestamp with time zone, '2022-02-22 00:00:00+00'::timestamp with time zone, '2022-03-22 00:00:00+00'::timestamp with time zone, '2022-04-22 00:00:00+00'::timestamp with time zone])));
|
||||
|
||||
CREATE INDEX tmp_index_cis_vulnerability_reads_on_id ON vulnerability_reads USING btree (id) WHERE (report_type = 7);
|
||||
|
||||
CREATE INDEX tmp_index_container_repositories_on_id_migration_state ON container_repositories USING btree (id, migration_state);
|
||||
|
||||
CREATE INDEX tmp_index_for_namespace_id_migration_on_group_members ON members USING btree (id) WHERE ((member_namespace_id IS NULL) AND ((type)::text = 'GroupMember'::text));
|
||||
|
|
|
@ -319,7 +319,7 @@ Supported attributes:
|
|||
| `date` | datetime | no | The date and time of the release, defaults to the current time. |
|
||||
| `branch` | string | no | The branch to commit the changelog changes to, defaults to the project's default branch. |
|
||||
| `trailer` | string | no | The Git trailer to use for including commits, defaults to `Changelog`. |
|
||||
| `config_file` | string | no | The path of changelog configuration file in the project's Git repository, defaults to `.gitlab/changelog_config.yml`. |
|
||||
| `config_file` | string | no | Path to the changelog configuration file in the project's Git repository. Defaults to `.gitlab/changelog_config.yml`. |
|
||||
| `file` | string | no | The file to commit the changes to, defaults to `CHANGELOG.md`. |
|
||||
| `message` | string | no | The commit message to produce when committing the changes, defaults to `Add changelog for version X` where X is the value of the `version` argument. |
|
||||
|
||||
|
|
|
@ -12,12 +12,9 @@ to ensure a certain security floor is met by vendors selling products to U.S.
|
|||
Federal institutions.
|
||||
|
||||
WARNING:
|
||||
GitLab is not FIPS compliant, even when built and run on a FIPS-enforcing
|
||||
system. Large parts of the build are broken, and many features use forbidden
|
||||
cryptographic primitives. Running GitLab on a FIPS-enforcing system is not
|
||||
supported and may result in data loss. This document is intended to help
|
||||
engineers looking to develop FIPS-related fixes. It is not intended to be used
|
||||
to run a production GitLab instance.
|
||||
You can build a FIPS-compliant instance of GitLab, but [not all features are included](#unsupported-features-in-fips-mode).
|
||||
A FIPS-compliant instance must be configured following the [FIPS install instructions](#install-gitlab-with-fips-compliance)
|
||||
exactly.
|
||||
|
||||
There are two current FIPS standards: [140-2](https://en.wikipedia.org/wiki/FIPS_140-2)
|
||||
and [140-3](https://en.wikipedia.org/wiki/FIPS_140-3). At GitLab we usually
|
||||
|
@ -25,10 +22,7 @@ mean FIPS 140-2.
|
|||
|
||||
## Current status
|
||||
|
||||
Read [Epic &5104](https://gitlab.com/groups/gitlab-org/-/epics/5104) for more
|
||||
information on the status of the investigation.
|
||||
|
||||
GitLab is actively working towards FIPS compliance.
|
||||
GitLab is actively working towards FIPS compliance. Progress on this initiative can be tracked with this [FIPS compliance Epic](https://gitlab.com/groups/gitlab-org/-/epics/6452).
|
||||
|
||||
## FIPS compliance at GitLab
|
||||
|
||||
|
@ -56,6 +50,29 @@ The supported hybrid environments are:
|
|||
- Omnibus: Ubuntu 20.04 FIPS
|
||||
- EKS: Amazon Linux 2
|
||||
|
||||
### Unsupported features in FIPS mode
|
||||
|
||||
Some GitLab features may not work when FIPS mode is enabled. The following features
|
||||
are known to not work in FIPS mode. However, there may be additional features not
|
||||
listed here that also do not work properly in FIPS mode:
|
||||
|
||||
- [Container Scanning](../user/application_security/container_scanning/index.md) support for scanning images in repositories that require authentication.
|
||||
- [Code Quality](../ci/testing/code_quality.md) does not support operating in FIPS-compliant mode.
|
||||
- [Dependency scanning](../user/application_security/dependency_scanning/index.md) support for Gradle.
|
||||
- [Dynamic Application Security Testing (DAST)](../user/application_security/dast/index.md)
|
||||
does not support operating in FIPS-compliant mode.
|
||||
- [License compliance](../user/compliance/license_compliance/index.md).
|
||||
- [Solutions for vulnerabilities](../user/application_security/vulnerabilities/index.md#resolve-a-vulnerability)
|
||||
for yarn projects.
|
||||
- [Static Application Security Testing (SAST)](../user/application_security/sast/index.md)
|
||||
supports a reduced set of [analyzers](../user/application_security/sast/#fips-enabled-images)
|
||||
when operating in FIPS-compliant mode.
|
||||
|
||||
Additionally, these package repositories are disabled in FIPS mode:
|
||||
|
||||
- [Conan package repository](../user/packages/conan_repository/index.md).
|
||||
- [Debian package repository](../user/packages/debian_repository/index.md).
|
||||
|
||||
## FIPS validation at GitLab
|
||||
|
||||
Unlike FIPS compliance, FIPS validation is a formal declaration of compliance by
|
||||
|
@ -417,29 +434,6 @@ def default_min_key_size(name)
|
|||
end
|
||||
```
|
||||
|
||||
#### Unsupported features in FIPS mode
|
||||
|
||||
Some GitLab features may not work when FIPS mode is enabled. The following features
|
||||
are known to not work in FIPS mode. However, there may be additional features not
|
||||
listed here that also do not work properly in FIPS mode:
|
||||
|
||||
- [Container Scanning](../user/application_security/container_scanning/index.md) support for scanning images in repositories that require authentication.
|
||||
- [Code Quality](../ci/testing/code_quality.md) does not support operating in FIPS-compliant mode.
|
||||
- [Dependency scanning](../user/application_security/dependency_scanning/index.md) support for Gradle.
|
||||
- [Dynamic Application Security Testing (DAST)](../user/application_security/dast/index.md)
|
||||
does not support operating in FIPS-compliant mode.
|
||||
- [License compliance](../user/compliance/license_compliance/index.md).
|
||||
- [Solutions for vulnerabilities](../user/application_security/vulnerabilities/index.md#resolve-a-vulnerability)
|
||||
for yarn projects.
|
||||
- [Static Application Security Testing (SAST)](../user/application_security/sast/index.md)
|
||||
supports a reduced set of [analyzers](../user/application_security/sast/#fips-enabled-images)
|
||||
when operating in FIPS-compliant mode.
|
||||
|
||||
Additionally, these package repositories are disabled in FIPS mode:
|
||||
|
||||
- [Conan package repository](../user/packages/conan_repository/index.md).
|
||||
- [Debian package repository](../user/packages/debian_repository/index.md).
|
||||
|
||||
## Nightly Omnibus FIPS builds
|
||||
|
||||
The Distribution team has created [nightly FIPS Omnibus builds](https://packages.gitlab.com/gitlab/nightly-fips-builds). These
|
||||
|
|
|
@ -130,3 +130,24 @@ The IaC tool emits a JSON report file in the existing SAST report format. For mo
|
|||
|
||||
The JSON report file can be downloaded from the CI pipelines page, or the
|
||||
pipelines tab on merge requests by [setting `artifacts: paths`](../../../ci/yaml/index.md#artifactspaths) to `gl-sast-report.json`. For more information see [Downloading artifacts](../../../ci/pipelines/job_artifacts.md).
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### IaC debug logging
|
||||
|
||||
To help troubleshoot IaC jobs, you can increase the [Secure scanner log verbosity](../sast/index.md#logging-level)
|
||||
by using a global CI/CD variable set to `debug`:
|
||||
|
||||
```yaml
|
||||
variables:
|
||||
SECURE_LOG_LEVEL: "debug"
|
||||
```
|
||||
|
||||
### IaC Scanning findings show as `No longer detected` unexpectedly
|
||||
|
||||
If a previously detected finding unexpectedly shows as `No longer detected`, it might
|
||||
be due to an update to the scanner. An update can disable rules that are found to
|
||||
be ineffective or false positives, and the findings are marked as `No longer detected`:
|
||||
|
||||
- In GitLab 15.3, [secret detection in the KICS SAST IaC scanner was disabled](https://gitlab.com/gitlab-org/gitlab/-/issues/346181),
|
||||
so IaC findings in the "Passwords and Secrets" family show as `No longer detected`.
|
||||
|
|
|
@ -4,10 +4,11 @@ group: Configure
|
|||
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
|
||||
---
|
||||
|
||||
# Using GitOps with a Kubernetes cluster **(PREMIUM)**
|
||||
# Using GitOps with a Kubernetes cluster **(FREE)**
|
||||
|
||||
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in GitLab 13.7.
|
||||
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/332227) in GitLab 14.0, the `resource_inclusions` and `resource_exclusions` attributes were removed and `reconcile_timeout`, `dry_run_strategy`, `prune`, `prune_timeout`, `prune_propagation_policy`, and `inventory_policy` attributes were added.
|
||||
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/346567) from GitLab Premium to GitLab Free in 15.3.
|
||||
|
||||
With GitOps, you can manage containerized clusters and applications from a Git repository that:
|
||||
|
||||
|
|
|
@ -4,9 +4,10 @@ group: Configure
|
|||
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
|
||||
---
|
||||
|
||||
# Tracking cluster resources managed by GitLab **(PREMIUM)**
|
||||
# Tracking cluster resources managed by GitLab **(FREE)**
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/332227) in GitLab 14.0.
|
||||
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/332227) in GitLab 14.0.
|
||||
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/346567) from GitLab Premium to GitLab Free in 15.3.
|
||||
|
||||
GitLab uses an inventory object to track the resources you deploy to your cluster.
|
||||
The inventory object is a `ConfigMap` that contains a list of controlled objects.
|
||||
|
|
|
@ -1398,6 +1398,42 @@ For example:
|
|||
|
||||
1. Another item
|
||||
|
||||
---
|
||||
|
||||
Ordered lists that are the first sub-item of an unordered list item must have a preceding blank line if they don't start with `1.`.
|
||||
|
||||
**Good**
|
||||
|
||||
```markdown
|
||||
- Unordered list item
|
||||
|
||||
5. First ordered list item
|
||||
```
|
||||
|
||||
**Bad**
|
||||
|
||||
```markdown
|
||||
- Unordered list item
|
||||
5. First ordered list item
|
||||
```
|
||||
|
||||
---
|
||||
|
||||
CommonMark ignores blank lines between ordered and unordered list items, and considers them part of a single list. These are rendered as a
|
||||
_[loose](https://spec.commonmark.org/0.30/#loose)_ list. Each list item is enclosed in a paragraph tag and, therefore, has paragraph spacing and margins.
|
||||
This makes the list look like there is extra spacing between each item.
|
||||
|
||||
For example:
|
||||
|
||||
```markdown
|
||||
- First list item
|
||||
- Second list item
|
||||
|
||||
- A different list
|
||||
```
|
||||
|
||||
CommonMark ignores the blank line and renders this as one list with paragraph spacing.
|
||||
|
||||
### Superscripts / Subscripts
|
||||
|
||||
CommonMark and GitLab Flavored Markdown don't support the Redcarpet superscript syntax ( `x^2` ).
|
||||
|
|
|
@ -54,6 +54,10 @@ module API
|
|||
|
||||
::Clusters::AgentTokens::TrackUsageService.new(agent_token).execute
|
||||
end
|
||||
|
||||
def agent_has_access_to_project?(project)
|
||||
Guest.can?(:download_code, project) || agent.has_access_to?(project)
|
||||
end
|
||||
end
|
||||
|
||||
namespace 'internal' do
|
||||
|
@ -79,6 +83,24 @@ module API
|
|||
default_branch: project.default_branch_or_main
|
||||
}
|
||||
end
|
||||
|
||||
desc 'Gets project info' do
|
||||
detail 'Retrieves project info (if authorized)'
|
||||
end
|
||||
route_setting :authentication, cluster_agent_token_allowed: true
|
||||
get '/project_info', urgency: :low do
|
||||
project = find_project(params[:id])
|
||||
|
||||
not_found! unless agent_has_access_to_project?(project)
|
||||
|
||||
status 200
|
||||
{
|
||||
project_id: project.id,
|
||||
gitaly_info: gitaly_info(project),
|
||||
gitaly_repository: gitaly_repository(project),
|
||||
default_branch: project.default_branch_or_main
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
namespace 'kubernetes/agent_configuration', urgency: :low do
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Gitlab
|
||||
module BackgroundMigration
|
||||
# Backfills the `vulnerability_reads.casted_cluster_agent_id` column
|
||||
class BackfillVulnerabilityReadsClusterAgent < Gitlab::BackgroundMigration::BatchedMigrationJob
|
||||
CLUSTER_AGENTS_JOIN = <<~SQL
|
||||
INNER JOIN cluster_agents
|
||||
ON CAST(vulnerability_reads.cluster_agent_id AS bigint) = cluster_agents.id AND
|
||||
vulnerability_reads.project_id = cluster_agents.project_id
|
||||
SQL
|
||||
|
||||
RELATION = ->(relation) do
|
||||
relation
|
||||
.where(report_type: 7)
|
||||
end
|
||||
|
||||
def perform
|
||||
each_sub_batch(
|
||||
operation_name: :update_all,
|
||||
batching_scope: RELATION
|
||||
) do |sub_batch|
|
||||
sub_batch
|
||||
.joins(CLUSTER_AGENTS_JOIN)
|
||||
.update_all('casted_cluster_agent_id = CAST(vulnerability_reads.cluster_agent_id AS bigint)')
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,19 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Gitlab
|
||||
module BackgroundMigration
|
||||
module BatchingStrategies
|
||||
# Batching class to use for back-filling vulnerability_read's casted_cluster_agent_id from cluster_agent_id.
|
||||
# Batches will be scoped to records where the report_type belongs to cluster_image_scanning.
|
||||
#
|
||||
# If no more batches exist in the table, returns nil.
|
||||
class BackfillVulnerabilityReadsClusterAgentBatchingStrategy < PrimaryKeyBatchingStrategy
|
||||
CLUSTER_IMAGE_SCANNING_REPORT_TYPE = 7
|
||||
|
||||
def apply_additional_filters(relation, job_arguments: [], job_class: nil)
|
||||
relation.where(report_type: CLUSTER_IMAGE_SCANNING_REPORT_TYPE)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -23477,7 +23477,7 @@ msgstr ""
|
|||
msgid "Linked epics"
|
||||
msgstr ""
|
||||
|
||||
msgid "Linked issues"
|
||||
msgid "Linked items"
|
||||
msgstr ""
|
||||
|
||||
msgid "LinkedIn"
|
||||
|
|
|
@ -37,9 +37,9 @@ describe('RelatedIssuesBlock', () => {
|
|||
});
|
||||
|
||||
it.each`
|
||||
issuableType | pathIdSeparator | titleText | helpLinkText | addButtonText
|
||||
${'issue'} | ${PathIdSeparator.Issue} | ${'Linked issues'} | ${'Read more about related issues'} | ${'Add a related issue'}
|
||||
${'epic'} | ${PathIdSeparator.Epic} | ${'Linked epics'} | ${'Read more about related epics'} | ${'Add a related epic'}
|
||||
issuableType | pathIdSeparator | titleText | helpLinkText | addButtonText
|
||||
${'issue'} | ${PathIdSeparator.Issue} | ${'Linked items'} | ${'Read more about related issues'} | ${'Add a related issue'}
|
||||
${'epic'} | ${PathIdSeparator.Epic} | ${'Linked epics'} | ${'Read more about related epics'} | ${'Add a related epic'}
|
||||
`(
|
||||
'displays "$titleText" in the header, "$helpLinkText" aria-label for help link, and "$addButtonText" aria-label for add button when issuableType is set to "$issuableType"',
|
||||
({ issuableType, pathIdSeparator, titleText, helpLinkText, addButtonText }) => {
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe '00_deprecations' do
|
||||
where(:warning) do
|
||||
[
|
||||
"ActiveModel::Errors#keys is deprecated and will be removed in Rails 6.2",
|
||||
"Rendering actions with '.' in the name is deprecated:",
|
||||
"default_hash is deprecated and will be removed from Rails 6.2"
|
||||
]
|
||||
end
|
||||
|
||||
with_them do
|
||||
specify do
|
||||
expect { ActiveSupport::Deprecation.warn(warning) }
|
||||
.to raise_error(ActiveSupport::DeprecationException)
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,93 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe Gitlab::BackgroundMigration::BackfillVulnerabilityReadsClusterAgent, :migration, schema: 20220525221133 do # rubocop:disable Layout/LineLength
|
||||
let(:migration) do
|
||||
described_class.new(start_id: 1, end_id: 10,
|
||||
batch_table: table_name, batch_column: batch_column,
|
||||
sub_batch_size: sub_batch_size, pause_ms: pause_ms,
|
||||
connection: ApplicationRecord.connection)
|
||||
end
|
||||
|
||||
let(:users_table) { table(:users) }
|
||||
let(:vulnerability_reads_table) { table(:vulnerability_reads) }
|
||||
let(:vulnerability_scanners_table) { table(:vulnerability_scanners) }
|
||||
let(:vulnerabilities_table) { table(:vulnerabilities) }
|
||||
let(:namespaces_table) { table(:namespaces) }
|
||||
let(:projects_table) { table(:projects) }
|
||||
let(:cluster_agents_table) { table(:cluster_agents) }
|
||||
|
||||
let(:table_name) { 'vulnerability_reads' }
|
||||
let(:batch_column) { :id }
|
||||
let(:sub_batch_size) { 1_000 }
|
||||
let(:pause_ms) { 0 }
|
||||
|
||||
subject(:perform_migration) { migration.perform }
|
||||
|
||||
before do
|
||||
users_table.create!(id: 1, name: 'John Doe', email: 'test@example.com', projects_limit: 5)
|
||||
|
||||
namespaces_table.create!(id: 1, name: 'Namespace 1', path: 'namespace-1')
|
||||
namespaces_table.create!(id: 2, name: 'Namespace 2', path: 'namespace-2')
|
||||
|
||||
projects_table.create!(id: 1, namespace_id: 1, name: 'Project 1', path: 'project-1', project_namespace_id: 1)
|
||||
projects_table.create!(id: 2, namespace_id: 2, name: 'Project 2', path: 'project-2', project_namespace_id: 2)
|
||||
|
||||
cluster_agents_table.create!(id: 1, name: 'Agent 1', project_id: 1)
|
||||
cluster_agents_table.create!(id: 2, name: 'Agent 2', project_id: 2)
|
||||
|
||||
vulnerability_scanners_table.create!(id: 1, project_id: 1, external_id: 'starboard', name: 'Starboard')
|
||||
vulnerability_scanners_table.create!(id: 2, project_id: 2, external_id: 'starboard', name: 'Starboard')
|
||||
|
||||
add_vulnerability_read!(1, project_id: 1, cluster_agent_id: 1, report_type: 7)
|
||||
add_vulnerability_read!(3, project_id: 1, cluster_agent_id: 2, report_type: 7)
|
||||
add_vulnerability_read!(5, project_id: 2, cluster_agent_id: 2, report_type: 5)
|
||||
add_vulnerability_read!(7, project_id: 2, cluster_agent_id: 3, report_type: 7)
|
||||
add_vulnerability_read!(9, project_id: 2, cluster_agent_id: 2, report_type: 7)
|
||||
add_vulnerability_read!(10, project_id: 1, cluster_agent_id: 1, report_type: 7)
|
||||
add_vulnerability_read!(11, project_id: 1, cluster_agent_id: 1, report_type: 7)
|
||||
end
|
||||
|
||||
it 'backfills `casted_cluster_agent_id` for the selected records', :aggregate_failures do
|
||||
queries = ActiveRecord::QueryRecorder.new do
|
||||
perform_migration
|
||||
end
|
||||
|
||||
expect(queries.count).to eq(3)
|
||||
expect(vulnerability_reads_table.where.not(casted_cluster_agent_id: nil).count).to eq 3
|
||||
expect(vulnerability_reads_table.where.not(casted_cluster_agent_id: nil).pluck(:id)).to match_array([1, 9, 10])
|
||||
end
|
||||
|
||||
it 'tracks timings of queries' do
|
||||
expect(migration.batch_metrics.timings).to be_empty
|
||||
|
||||
expect { perform_migration }.to change { migration.batch_metrics.timings }
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def add_vulnerability_read!(id, project_id:, cluster_agent_id:, report_type:)
|
||||
vulnerabilities_table.create!(
|
||||
id: id,
|
||||
project_id: project_id,
|
||||
author_id: 1,
|
||||
title: "Vulnerability #{id}",
|
||||
severity: 5,
|
||||
confidence: 5,
|
||||
report_type: report_type
|
||||
)
|
||||
|
||||
vulnerability_reads_table.create!(
|
||||
id: id,
|
||||
uuid: SecureRandom.uuid,
|
||||
severity: 5,
|
||||
state: 1,
|
||||
vulnerability_id: id,
|
||||
scanner_id: project_id,
|
||||
cluster_agent_id: cluster_agent_id.to_s,
|
||||
project_id: project_id,
|
||||
report_type: report_type
|
||||
)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,24 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
require_migration!
|
||||
|
||||
RSpec.describe ScheduleBackfillVulnerabilityReadsClusterAgent do
|
||||
let_it_be(:batched_migration) { described_class::MIGRATION_NAME }
|
||||
|
||||
it 'schedules background jobs for each batch of vulnerability reads' do
|
||||
reversible_migration do |migration|
|
||||
migration.before -> {
|
||||
expect(batched_migration).not_to have_scheduled_batched_migration
|
||||
}
|
||||
|
||||
migration.after -> {
|
||||
expect(batched_migration).to have_scheduled_batched_migration(
|
||||
table_name: :vulnerability_reads,
|
||||
column_name: :id,
|
||||
interval: described_class::DELAY_INTERVAL
|
||||
)
|
||||
}
|
||||
end
|
||||
end
|
||||
end
|
|
@ -180,4 +180,95 @@ RSpec.describe API::Internal::Kubernetes do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'GET /internal/kubernetes/project_info' do
|
||||
def send_request(headers: {}, params: {})
|
||||
get api('/internal/kubernetes/project_info'), params: params, headers: headers.reverse_merge(jwt_auth_headers)
|
||||
end
|
||||
|
||||
include_examples 'authorization'
|
||||
include_examples 'agent authentication'
|
||||
|
||||
context 'an agent is found' do
|
||||
let_it_be(:agent_token) { create(:cluster_agent_token) }
|
||||
|
||||
shared_examples 'agent token tracking'
|
||||
|
||||
context 'project is public' do
|
||||
let(:project) { create(:project, :public) }
|
||||
|
||||
it 'returns expected data', :aggregate_failures do
|
||||
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
|
||||
|
||||
expect(response).to have_gitlab_http_status(:success)
|
||||
|
||||
expect(json_response).to match(
|
||||
a_hash_including(
|
||||
'project_id' => project.id,
|
||||
'gitaly_info' => a_hash_including(
|
||||
'address' => match(/\.socket$/),
|
||||
'token' => 'secret',
|
||||
'features' => {}
|
||||
),
|
||||
'gitaly_repository' => a_hash_including(
|
||||
'storage_name' => project.repository_storage,
|
||||
'relative_path' => project.disk_path + '.git',
|
||||
'gl_repository' => "project-#{project.id}",
|
||||
'gl_project_path' => project.full_path
|
||||
),
|
||||
'default_branch' => project.default_branch_or_main
|
||||
)
|
||||
)
|
||||
end
|
||||
|
||||
context 'repository is for project members only' do
|
||||
let(:project) { create(:project, :public, :repository_private) }
|
||||
|
||||
it 'returns 404' do
|
||||
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
|
||||
|
||||
expect(response).to have_gitlab_http_status(:not_found)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'project is private' do
|
||||
let(:project) { create(:project, :private) }
|
||||
|
||||
it 'returns 404' do
|
||||
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
|
||||
|
||||
expect(response).to have_gitlab_http_status(:not_found)
|
||||
end
|
||||
|
||||
context 'and agent belongs to project' do
|
||||
let(:agent_token) { create(:cluster_agent_token, agent: create(:cluster_agent, project: project)) }
|
||||
|
||||
it 'returns 200' do
|
||||
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
|
||||
|
||||
expect(response).to have_gitlab_http_status(:success)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'project is internal' do
|
||||
let(:project) { create(:project, :internal) }
|
||||
|
||||
it 'returns 404' do
|
||||
send_request(params: { id: project.id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
|
||||
|
||||
expect(response).to have_gitlab_http_status(:not_found)
|
||||
end
|
||||
end
|
||||
|
||||
context 'project does not exist' do
|
||||
it 'returns 404' do
|
||||
send_request(params: { id: non_existing_record_id }, headers: { 'Authorization' => "Bearer #{agent_token.token}" })
|
||||
|
||||
expect(response).to have_gitlab_http_status(:not_found)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue