kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-02-18 03:17:36 +00:00
parent 51d1545877
commit 20b517258a
33 changed files with 331 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.rubocop_todo/rails/include_url_helper.yml
View File

@ -19,14 +19,7 @@ Rails/IncludeUrlHelper:
- app/models/integrations/redmine.rb
- app/models/integrations/webex_teams.rb
- app/models/integrations/youtrack.rb
- app/presenters/alert_management/alert_presenter.rb
- app/presenters/environment_presenter.rb
- app/presenters/gitlab/blame_presenter.rb
- app/presenters/merge_request_presenter.rb
- app/presenters/project_presenter.rb
- app/presenters/release_presenter.rb
- app/presenters/releases/evidence_presenter.rb
- ee/app/helpers/license_helper.rb
- ee/app/models/integrations/github.rb
- ee/spec/helpers/ee/projects/security/configuration_helper_spec.rb
- ee/spec/lib/banzai/filter/cross_project_issuable_information_filter_spec.rb

7
app/assets/javascripts/blob/template_selector.js
View File

@ -78,7 +78,12 @@ export default class TemplateSelector {
setEditorContent(file, { skipFocus } = {}) {
if (!file) return;
const newValue = file.content;
let newValue = file.content;
const urlParams = new URLSearchParams(window.location.search);
if (urlParams.has('issue[description]')) {
newValue += `\n${urlParams.get('issue[description]')}`;
}
this.editor.setValue(newValue, 1);

9
app/controllers/clusters/clusters_controller.rb
View File

@ -18,6 +18,15 @@ class Clusters::ClustersController < Clusters::BaseController
helper_method :token_in_session
STATUS_POLLING_INTERVAL = 10_000
AWS_CSP_DOMAINS = %w[https://ec2.ap-east-1.amazonaws.com https://ec2.ap-northeast-1.amazonaws.com https://ec2.ap-northeast-2.amazonaws.com https://ec2.ap-northeast-3.amazonaws.com https://ec2.ap-south-1.amazonaws.com https://ec2.ap-southeast-1.amazonaws.com https://ec2.ap-southeast-2.amazonaws.com https://ec2.ca-central-1.amazonaws.com https://ec2.eu-central-1.amazonaws.com https://ec2.eu-north-1.amazonaws.com https://ec2.eu-west-1.amazonaws.com https://ec2.eu-west-2.amazonaws.com https://ec2.eu-west-3.amazonaws.com https://ec2.me-south-1.amazonaws.com https://ec2.sa-east-1.amazonaws.com https://ec2.us-east-1.amazonaws.com https://ec2.us-east-2.amazonaws.com https://ec2.us-west-1.amazonaws.com https://ec2.us-west-2.amazonaws.com https://ec2.af-south-1.amazonaws.com https://iam.amazonaws.com].freeze
content_security_policy do |p|
next if p.directives.blank?
default_connect_src = p.directives['connect-src'] || p.directives['default-src']
connect_src_values = Array.wrap(default_connect_src) | AWS_CSP_DOMAINS
p.connect_src(*connect_src_values)
end
def index
@clusters = cluster_list

1
app/presenters/alert_management/alert_presenter.rb
View File

@ -3,7 +3,6 @@
module AlertManagement
class AlertPresenter < Gitlab::View::Presenter::Delegated
include IncidentManagement::Settings
include ActionView::Helpers::UrlHelper
presents ::AlertManagement::Alert
delegator_override_with Gitlab::Utils::StrongMemoize # This module inclusion is expected. See https://gitlab.com/gitlab-org/gitlab/-/issues/352884.

2
app/presenters/environment_presenter.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true
class EnvironmentPresenter < Gitlab::View::Presenter::Delegated
include ActionView::Helpers::UrlHelper
presents ::Environment, as: :environment
def path

6
app/presenters/merge_request_presenter.rb
View File

@ -1,7 +1,6 @@
# frozen_string_literal: true
class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
include ActionView::Helpers::UrlHelper
include GitlabRoutingHelper
include MarkupHelper
include TreeHelper
@ -290,6 +289,11 @@ class MergeRequestPresenter < Gitlab::View::Presenter::Delegated
def user_can_fork_project?
can?(current_user, :fork_project, project)
end
# Avoid including ActionView::Helpers::UrlHelper
def link_to(*args)
ApplicationController.helpers.link_to(*args)
end
end
MergeRequestPresenter.prepend_mod_with('MergeRequestPresenter')

6
app/presenters/project_presenter.rb
View File

@ -2,7 +2,6 @@
class ProjectPresenter < Gitlab::View::Presenter::Delegated
include ActionView::Helpers::NumberHelper
include ActionView::Helpers::UrlHelper
include GitlabRoutingHelper
include StorageHelper
include TreeHelper
@ -473,6 +472,11 @@ class ProjectPresenter < Gitlab::View::Presenter::Delegated
project.topics.map(&:name)
end
end
# Avoid including ActionView::Helpers::UrlHelper
def content_tag(*args)
ActionController::Base.helpers.content_tag(*args)
end
end
ProjectPresenter.prepend_mod_with('ProjectPresenter')

2
app/presenters/release_presenter.rb
View File

@ -1,8 +1,6 @@
# frozen_string_literal: true
class ReleasePresenter < Gitlab::View::Presenter::Delegated
include ActionView::Helpers::UrlHelper
presents ::Release, as: :release
# TODO: Remove `delegate` as it's redundant due to SimpleDelegator.

2
app/presenters/releases/evidence_presenter.rb
View File

@ -2,8 +2,6 @@
module Releases
class EvidencePresenter < Gitlab::View::Presenter::Delegated
include ActionView::Helpers::UrlHelper
presents ::Releases::Evidence, as: :evidence
def filepath

2
app/services/projects/destroy_service.rb
View File

@ -37,7 +37,7 @@ module Projects
system_hook_service.execute_hooks_for(project, :destroy)
log_info("Project \"#{project.full_path}\" was deleted")
publish_project_deleted_event_for(project) if Feature.enabled?(:publish_project_deleted_event, default_enabled: :yaml)
publish_project_deleted_event_for(project)
current_user.invalidate_personal_projects_count

3
app/views/shared/access_tokens/_form.html.haml
View File

@ -19,8 +19,9 @@
.row
= f.label :name, _('Token name'), class: 'label-bold col-md-12'
.col-md-6
- resource_type = resource.is_a?(Group) ? "group" : "project"
= f.text_field :name, class: 'form-control gl-form-input', required: true, data: { qa_selector: 'access_token_name_field' }, :'aria-describedby' => 'access_token_help_text'
%span.form-text.text-muted.col-md-12#access_token_help_text= _('For example, the application using the token or the purpose of the token.')
%span.form-text.text-muted.col-md-12#access_token_help_text= _("For example, the application using the token or the purpose of the token. Do not give sensitive information for the name of the token, as it will be visible to all %{resource_type} members.") % { resource_type: resource_type }
.row
.form-group.col-md-6

8
config/feature_flags/development/publish_project_deleted_event.yml
View File

@ -1,8 +0,0 @@
---
name: publish_project_deleted_event
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78862
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351073
milestone: '14.8'
type: development
group: group::pipeline insights
default_enabled: false

9
data/deprecations/data/deprecations/14-9-secure-and-protect-analyzer-bump.yml.yml → data/deprecations/14-8-secure-and-protect-analyzer-bump.yml
View File

@ -1,8 +1,8 @@
- name: "Secure and Protect analyzer major version update" # The name of the feature to be deprecated
announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated.
announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
removal_milestone: "15.00" # The milestone when this feature is planned to be removed
removal_date: # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
removal_milestone: "15.0" # The milestone when this feature is planned to be removed
removal_date: "2022-05-22" # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post.
breaking_change: true # If this deprecation is a breaking change, set this value to true
reporter: NicoleSchwartz # GitLab username of the person reporting the deprecation
body: | # Do not modify this line, instead modify the lines below.
@ -20,9 +20,10 @@
- Coverage-guided fuzz testing: version 2
- Dependency Scanning: version 2
- Dynamic Application Security Testing (DAST): version 2
- Infrastructure as Code (IaC) Scanning: version 1
- License Scanning: version 3
- Secret Detection: version 3
- Static Application Security Testing (SAST): version 2, except security-code-scan which is version 3
- Static Application Security Testing (SAST): version 2 of [all analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks), except `gosec` which is currently at version 3
- `bandit`: version 2
- `brakeman`: version 2
- `eslint`: version 2
@ -33,7 +34,7 @@
- `nodejs-scan`: version 2
- `phpcs-security-audit`: version 2
- `pmd-apex`: version 2
- `security-code-scan`: version 3
- `security-code-scan`: version 2
- `semgrep`: version 2
- `sobelow`: version 2
- `spotbugs`: version 2

7
doc/ci/cloud_services/index.md
View File

@ -18,6 +18,13 @@ GitLab CI/CD supports [OpenID Connect (OIDC)](https://openid.net/connect/faq/) t
The original implementation of `CI_JOB_JWT` supports [HashiCorp Vault integration](../examples/authenticating-with-hashicorp-vault/). The updated implementation of `CI_JOB_JWT_V2` supports additional cloud providers with OIDC including AWS, GCP, and Vault.
NOTE:
Configuring OIDC enables JWT token access to the target environments for all pipelines.
When you configure OIDC for a pipeline, you should complete a software supply chain security
review for the pipeline, focusing on the additional access. You can use the [software supply chain security awareness assessment](https://about.gitlab.com/quiz/software-supply-chain-security/)
as a starting point, and for more information about supply chain attacks, see
[How a DevOps Platform helps protect against supply chain attacks](https://about.gitlab.com/blog/2021/04/28/devops-platform-supply-chain-attacks/).
WARNING:
The `CI_JOB_JWT_V2` variable is under development [(alpha)](../../policy/alpha-beta-support.md#alpha-features) and is not yet suitable for production use.

BIN
doc/ci/environments/img/environments_list_v14_3.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 14 KiB

BIN
doc/ci/environments/img/environments_list_v14_8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 42 KiB

2
doc/ci/environments/index.md
View File

@ -35,7 +35,7 @@ To view a list of environments and deployments:
1. On the left sidebar, select **Deployments > Environments**.
The environments are displayed.
![Environments list](img/environments_list_v14_3.png)
![Environments list](img/environments_list_v14_8.png)
1. To view a list of deployments for an environment, select the environment name,
for example, `staging`.

9
doc/update/deprecations.md
View File

@ -1292,7 +1292,7 @@ See the [deprecation issue](https://gitlab.com/gitlab-org/gitlab/-/issues/352564
### Secure and Protect analyzer major version update
WARNING:
This feature will be changed or removed in 15.00
This feature will be changed or removed in 15.0
as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes).
Before updating GitLab, review the details carefully to determine if you need to make any
changes to your code, settings, or workflow.
@ -1311,9 +1311,10 @@ Specifically, the following are being deprecated and will no longer be updated a
- Coverage-guided fuzz testing: version 2
- Dependency Scanning: version 2
- Dynamic Application Security Testing (DAST): version 2
- Infrastructure as Code (IaC) Scanning: version 1
- License Scanning: version 3
- Secret Detection: version 3
- Static Application Security Testing (SAST): version 2, except security-code-scan which is version 3
- Static Application Security Testing (SAST): version 2 of [all analyzers](https://docs.gitlab.com/ee/user/application_security/sast/#supported-languages-and-frameworks), except `gosec` which is currently at version 3
- `bandit`: version 2
- `brakeman`: version 2
- `eslint`: version 2
@ -1324,12 +1325,12 @@ Specifically, the following are being deprecated and will no longer be updated a
- `nodejs-scan`: version 2
- `phpcs-security-audit`: version 2
- `pmd-apex`: version 2
- `security-code-scan`: version 3
- `security-code-scan`: version 2
- `semgrep`: version 2
- `sobelow`: version 2
- `spotbugs`: version 2
**Planned removal milestone: 15.00 ()**
**Planned removal milestone: 15.0 (2022-05-22)**
### Support for gRPC-aware proxy deployed between Gitaly and rest of GitLab

119
doc/user/infrastructure/clusters/connect/new_eks_cluster.md Normal file
View File

@ -0,0 +1,119 @@
---
stage: Configure
group: Configure
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Create a new EKS cluster through IaC
Learn how to create a new cluster on Amazon Elastic Kubernetes Service (EKS) through
[Infrastructure as Code (IaC)](../../index.md).
This process combines the AWS and Kubernetes Terraform providers to help you create EKS clusters
and connect them to GitLab using the [GitLab agent for Kubernetes](../../../clusters/agent/index.md).
This document describes how to set up a Kubernetes cluster on EKS by importing an example project to get you started.
You can then modify the project files according to your needs.
**Prerequisites:**
- An Amazon Web Services (AWS) account, with a set of configured
[security credentials](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-prereqs.html).
- [Configured GitLab Runners](https://docs.gitlab.com/runner/install/) to run the infrastructure pipeline from GitLab CI/CD.
**Steps:**
1. [Import the example project](#import-the-example-project).
1. [Register the Agent](#register-the-agent).
1. [Configure your project](#configure-your-project).
1. [Provision your cluster](#provision-your-cluster).
## Import the example project
To create a new cluster from GitLab using Infrastructure as Code, it is necessary
to create a project to manage the cluster from. In this tutorial, we import a pre-configured
sample project to help you get started.
Start by [importing the example project by URL](../../../project/import/repo_by_url.md). Use `https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks.git` as the URL.
This project provides you with the following resources:
- An Amazon [Virtual Private Cloud (VPC)](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/vpc.tf).
- An Amazon [Elastic Kubernetes Service (EKS)](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/eks.tf) cluster.
- The [GitLab agent for Kubernetes](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/agent.tf) installed into the cluster.
## Register the Agent
To create an Agent in GitLab:
1. From your project's sidebar, select **Infrastructure > Kubernetes clusters**.
1. Select **Actions**.
1. From the **Select an Agent** dropdown list, select `eks-agent` and select **Register an Agent**.
1. GitLab generates a registration token for this Agent. Securely store this secret token, as you will need it to [configure your project](#configure-your-project) below.
1. GitLab provides you with a KAS address, which will also be needed when configuring your project below.
## Configure your project
Use CI/CD environment variables to configure your project as detailed below.
**Required configuration:**
1. On the left sidebar, select **Settings > CI/CD**.
1. Expand **Variables**.
1. Set the variable `AWS_ACCESS_KEY_ID` to your AWS access key ID.
1. Set the variable `AWS_SECRET_ACCESS_KEY` to your AWS secret access key.
1. Set the variable `TF_VAR_agent_token` to the Agent token displayed in the previous step.
1. Set the variable `TF_VAR_kas_address` to the KAS address displayed in the previous step.
**Optional configuration:**
The file [`variables.tf`](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-eks/-/blob/main/variables.tf)
contains other variables that you can override according to your needs:
- `TF_VAR_region`: Set your cluster's region.
- `TF_VAR_cluster_name`: Set your cluster's name.
- `TF_VAR_cluster_version`: Set the version of Kubernetes.
- `TF_VAR_instance_type`: Set the instance type for the Kubernetes nodes.
- `TF_VAR_instance_count`: Set the number of Kubernetes nodes.
- `TF_VAR_agent_version`: Set the version of the GitLab Agent.
- `TF_VAR_agent_namespace`: Set the Kubernetes namespace for the GitLab Agent.
Refer to the [AWS Terraform provider](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) and the [Kubernetes Terraform provider](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs) documentation for further resource options.
## Provision your cluster
After configuring your project, manually trigger the provisioning of your cluster. In GitLab:
1. From your project's sidebar, go to **CI/CD > Pipelines**.
1. Select the dropdown icon (**{angle-down}**) next to the play icon (**{play}**).
1. Select **deploy** to manually trigger the deployment job.
When the pipeline finishes successfully, you can see your new cluster:
- In AWS: from the [EKS console](https://console.aws.amazon.com/eks/home) select **Amazon EKS > Clusters**.
- In GitLab: from your project's sidebar, select **Infrastructure > Kubernetes clusters**.
## Removing the cluster
A cleanup job is not included in your pipeline by default. To remove all created resources, you
need to modify your GitLab CI/CD template before running the cleanup job.
To remove all resources:
1. Add the following to your `.gitlab-ci.yml`:
```yaml
stages:
- init
- validate
- build
- deploy
- cleanup
destroy:
extends: .destroy
needs: []
```
1. From your project's sidebar, go to **CI/CD > Pipelines** and select the most recent pipeline.
1. Click the play icon (**{play}**) for the `destroy` job.

7
doc/user/infrastructure/iac/index.md
View File

@ -105,12 +105,13 @@ owned by GitLab, where everyone can contribute.
The [documentation of the provider](https://registry.terraform.io/providers/gitlabhq/gitlab/latest/docs)
is available as part of the official Terraform provider documentation.
## Create a new cluster through IaC (DEPRECATED)
## Create a new cluster through IaC
Learn how to [create a new cluster on Google Kubernetes Engine (GKE)](../clusters/connect/new_gke_cluster.md).
- Learn how to [create a new cluster on Amazon Elastic Kubernetes Service (EKS)](../clusters/connect/new_eks_cluster.md).
- Learn how to [create a new cluster on Google Kubernetes Engine (GKE)](../clusters/connect/new_gke_cluster.md) (DEPRECATED).
NOTE:
The linked tutorial connects the cluster to GitLab through cluster certificates,
The linked GKE tutorial connects the cluster to GitLab through cluster certificates,
and this method was [deprecated](https://gitlab.com/groups/gitlab-org/configure/-/epics/8)
in GitLab 14.5. You can still create a cluster through IaC and then connect it to GitLab
through the [agent](../../clusters/agent/index.md), the default and fully supported

4
doc/user/project/clusters/add_eks_clusters.md
View File

@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Deprecated](https://gitlab.com/groups/gitlab-org/configure/-/epics/8) in GitLab 14.5.
WARNING:
This feature was deprecated in GitLab 14.5. Use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated)
This feature was deprecated in GitLab 14.5. Use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac)
to create new clusters.
Through GitLab, you can create new clusters and add existing clusters hosted on Amazon Elastic
@ -23,7 +23,7 @@ use the [GitLab Agent](../../clusters/agent/index.md).
## Create a new EKS cluster
To create a new cluster from GitLab, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated).
To create a new cluster from GitLab, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac).
### How to create a new cluster on EKS through cluster certificates (DEPRECATED)

4
doc/user/project/clusters/add_remove_clusters.md
View File

@ -10,7 +10,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/327908) in GitLab 14.0.
To create a new cluster use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated).
To create a new cluster use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac).
NOTE:
Every new Google Cloud Platform (GCP) account receives
@ -29,7 +29,7 @@ in a few clicks.
> [Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/327908) in GitLab 14.0.
As of GitLab 14.0, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac-deprecated)
As of GitLab 14.0, use [Infrastructure as Code](../../infrastructure/iac/index.md#create-a-new-cluster-through-iac)
to **safely create new clusters from GitLab**.
Creating clusters from GitLab using cluster certificates is still available on the

6
doc/user/project/issues/managing_issues.md
View File

@ -160,6 +160,8 @@ To regenerate the email address:
### Using a URL with prefilled values
> Ability to use both `issuable_template` and `issue[description]` in the same URL [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/340529) in GitLab 14.8.
To link directly to the new issue page with prefilled fields, use query
string parameters in a URL. You can embed a URL in an external
HTML page to create issues with certain fields prefilled.
@ -168,8 +170,8 @@ HTML page to create issues with certain fields prefilled.
| -------------------- | --------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| Title | `issue[title]` | Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
| Issue type | `issue[issue_type]` | Either `incident` or `issue`. |
| Description template | `issuable_template` | Cannot be used at the same time as `issue[description]`. Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
| Description | `issue[description]` | Cannot be used at the same time as `issuable_template`. Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
| Description template | `issuable_template` | Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). |
| Description | `issue[description]` | Must be [URL-encoded](../../../api/index.md#namespaced-path-encoding). If used in combination with `issuable_template` or a [default issue template](../description_templates.md#set-a-default-template-for-merge-requests-and-issues), the `issue[description]` value is appended to the template. |
| Confidential | `issue[confidential]` | If `true`, the issue is marked as confidential. |
Adapt these examples to form your new issue URL with prefilled fields.

2
lefthook.yml
View File

@ -42,7 +42,7 @@ pre-push:
tags: documentation style
files: git diff --name-only --diff-filter=d $(git merge-base origin/master HEAD)..HEAD
glob: 'doc/*.md'
run: if command -v vale 2> /dev/null; then vale --config .vale.ini --minAlertLevel error {files}; else echo "Vale not found. Install Vale"; fi
run: 'if command -v vale > /dev/null 2>&1; then if ! vale --config .vale.ini --minAlertLevel error {files}; then echo "ERROR: Fix any linting errors and make sure you are using the latest version of Vale."; fi; else echo "ERROR: Vale not found. For more information, see https://docs.errata.ai/vale/install."; fi'
gettext:
skip: true # This is disabled by default. You can enable this check by adding skip: false in lefhook-local.yml https://github.com/evilmartians/lefthook/blob/master/docs/full_guide.md#skipping-commands
tags: backend frontend view haml

2
lib/gitlab/content_security_policy/config_loader.rb
View File

@ -15,7 +15,7 @@ module Gitlab
directives = {
'default_src' => "'self'",
'base_uri' => "'self'",
'connect_src' => "'self'",
'connect_src' => ContentSecurityPolicy::Directives.connect_src,
'font_src' => "'self'",
'form_action' => "'self' https: http:",
'frame_ancestors' => "'self'",

4
lib/gitlab/content_security_policy/directives.rb
View File

@ -7,6 +7,10 @@
module Gitlab
module ContentSecurityPolicy
module Directives
def self.connect_src
"'self'"
end
def self.frame_src
"https://www.google.com/recaptcha/ https://www.recaptcha.net/ https://content.googleapis.com https://content-compute.googleapis.com https://content-cloudbilling.googleapis.com https://content-cloudresourcemanager.googleapis.com https://www.googletagmanager.com/ns.html"
end

2
locale/gitlab.pot
View File

@ -15700,7 +15700,7 @@ msgstr ""
msgid "For each job, re-use the project workspace. If the workspace doesn't exist, use %{code_open}git clone%{code_close}."
msgstr ""
msgid "For example, the application using the token or the purpose of the token."
msgid "For example, the application using the token or the purpose of the token. Do not give sensitive information for the name of the token, as it will be visible to all %{resource_type} members."
msgstr ""
msgid "For files larger than this limit, only index the file name. The file content is neither indexed nor searchable."

37
qa/qa/service/praefect_manager.rb
View File

@ -327,6 +327,22 @@ module QA
end
end
def accept_dataloss_for_project(project_id, authoritative_storage)
repository_hash = "#{Digest::SHA256.hexdigest(project_id.to_s)}"
repository = "@hashed/#{repository_hash[0, 2]}/#{repository_hash[2, 2]}/#{repository_hash}.git"
cmd = %{
docker exec #{@praefect} \
praefect \
-config /var/opt/gitlab/praefect/config.toml \
accept-dataloss \
--virtual-storage=default \
--repository=#{repository} \
--authoritative-storage=#{authoritative_storage}
}
shell(cmd)
end
def wait_for_health_check_all_nodes
wait_for_gitaly_health_check(@primary_node)
wait_for_gitaly_health_check(@secondary_node)
@ -415,6 +431,27 @@ module QA
Support::Waiter.wait_until(sleep_interval: 1) { replication_queue_incomplete_count == 0 && replicated?(project_id) }
end
def wait_for_replication_to_node(project_id, node)
Support::Waiter.wait_until(sleep_interval: 1) do
result = []
shell sql_to_docker_exec_cmd(%{
select * from replication_queue
where state = 'ready'
and job ->> 'change' = 'update'
and job ->> 'target_node_storage' = '#{node}'
and job ->> 'relative_path' = '#{Digest::SHA256.hexdigest(project_id.to_s)}.git';
}) do |line|
result << line.strip
QA::Runtime::Logger.debug(line.strip)
end
# The result should look like this when all items are replicated
# id | state | created_at | updated_at | attempt | lock_id | job | meta
# ----+-------+------------+------------+---------+---------+-----+------
# (0 rows)
result[2] == '(0 rows)'
end
end
def replication_pending?
result = []
shell sql_to_docker_exec_cmd(

47
qa/qa/specs/features/api/3_create/gitaly/praefect_dataloss_spec.rb
View File

@ -52,6 +52,53 @@ module QA
expect(project_data_loss).to include('gitaly3, assigned host, unhealthy')
end
end
it 'allows admin resolve scenario where data cannot be recovered', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/352708' do
# Ensure everything is in sync before begining test
praefect_manager.wait_for_project_synced_across_all_storages(project.id)
Resource::Repository::Commit.fabricate_via_api! do |commit|
commit.project = project
commit.commit_message = 'accept-dataloss-1'
commit.add_files([
{ file_path: "new_file-#{SecureRandom.hex(8)}.txt", content: 'Add a commit to gitaly1,gitaly2,gitaly3' }
])
end
praefect_manager.wait_for_replication_to_node(project.id, praefect_manager.primary_node)
praefect_manager.stop_primary_node
Resource::Repository::Commit.fabricate_via_api! do |commit|
commit.project = project
commit.commit_message = 'accept-dataloss-2'
commit.add_files([
{ file_path: "new_file-#{SecureRandom.hex(8)}.txt", content: 'Add a commit to gitaly2,gitaly3' }
])
end
praefect_manager.wait_for_replication_to_node(project.id, praefect_manager.secondary_node)
praefect_manager.stop_secondary_node
Resource::Repository::Commit.fabricate_via_api! do |commit|
commit.project = project
commit.commit_message = 'accept-dataloss-3'
commit.add_files([
{ file_path: "new_file-#{SecureRandom.hex(8)}.txt", content: 'Add a commit to gitaly3' }
])
end
# Confirms that they want to accept dataloss, using gitaly2 as authoritative storage to use as a base
praefect_manager.accept_dataloss_for_project(project.id, praefect_manager.secondary_node)
# Restart nodes, and allow replication to apply dataloss changes
praefect_manager.start_all_nodes
praefect_manager.wait_for_project_synced_across_all_storages(project.id)
# Validate that gitaly2 was accepted as the authorative storage
aggregate_failures "validate correct set of commits available" do
expect(project.commits.map { |commit| commit[:message].chomp }).to include('accept-dataloss-1')
expect(project.commits.map { |commit| commit[:message].chomp }).to include('accept-dataloss-2')
expect(project.commits.map { |commit| commit[:message].chomp }).not_to include('accept-dataloss-3')
end
end
end
end
end

14
spec/features/clusters/cluster_detail_page_spec.rb
View File

@ -36,6 +36,20 @@ RSpec.describe 'Clusterable > Show page' do
expect(page).not_to have_selector('[data-testid="cluster-environments-tab"]')
end
context 'content-security policy' do
it 'has AWS domains in the CSP' do
visit cluster_path
expect(response_headers['Content-Security-Policy']).to include(::Clusters::ClustersController::AWS_CSP_DOMAINS.join(' '))
end
it 'keeps existing connect-src in the CSP' do
visit cluster_path
expect(response_headers['Content-Security-Policy']).to include("connect-src #{Gitlab::ContentSecurityPolicy::Directives.connect_src}")
end
end
end
shared_examples 'editing a GCP cluster' do

49
spec/features/issues/form_spec.rb
View File

@ -5,7 +5,7 @@ require 'spec_helper'
RSpec.describe 'New/edit issue', :js do
include ActionView::Helpers::JavaScriptHelper
let_it_be(:project) { create(:project) }
let_it_be(:project) { create(:project, :repository) }
let_it_be(:user) { create(:user) }
let_it_be(:user2) { create(:user) }
let_it_be(:milestone) { create(:milestone, project: project) }
@ -310,6 +310,53 @@ RSpec.describe 'New/edit issue', :js do
end
end
describe 'new issue with query parameters' do
before do
project.repository.create_file(
current_user,
'.gitlab/issue_templates/test_template.md',
'description from template',
message: 'Add test_template.md',
branch_name: project.default_branch_or_main
)
end
after do
project.repository.delete_file(
current_user,
'.gitlab/issue_templates/test_template.md',
message: 'Remove test_template.md',
branch_name: project.default_branch_or_main
)
end
it 'leaves the description blank if no query parameters are specified' do
visit new_project_issue_path(project)
expect(find('#issue_description').value).to be_empty
end
it 'fills the description from the issue[description] query parameter' do
visit new_project_issue_path(project, issue: { description: 'description from query parameter' })
expect(find('#issue_description').value).to match('description from query parameter')
end
it 'fills the description from the issuable_template query parameter' do
visit new_project_issue_path(project, issuable_template: 'test_template')
wait_for_requests
expect(find('#issue_description').value).to match('description from template')
end
it 'fills the description from the issuable_template and issue[description] query parameters' do
visit new_project_issue_path(project, issuable_template: 'test_template', issue: { description: 'description from query parameter' })
wait_for_requests
expect(find('#issue_description').value).to match('description from template\ndescription from query parameter')
end
end
describe 'edit issue' do
before do
visit edit_project_issue_path(project, issue)

12
spec/services/projects/destroy_service_spec.rb
View File

@ -36,18 +36,6 @@ RSpec.describe Projects::DestroyService, :aggregate_failures do
destroy_project(project, user, {})
end
context 'when feature flag publish_project_deleted_event is disabled' do
before do
stub_feature_flags(publish_project_deleted_event: false)
end
it 'does not publish an event' do
expect(Gitlab::EventStore).not_to receive(:publish).with(event_type(Projects::ProjectDeletedEvent))
destroy_project(project, user, {})
end
end
end
shared_examples 'deleting the project with pipeline and build' do

2
spec/support/shared_examples/models/atomic_internal_id_shared_examples.rb
View File

@ -155,7 +155,7 @@ RSpec.shared_examples 'AtomicInternalId' do |validate_presence: true|
end
def expect_iid_to_be_set_and_rollback
ActiveRecord::Base.transaction(requires_new: true) do
instance.transaction(requires_new: true) do
instance.save!
expect(read_internal_id).not_to be_nil