kotovalexarian-likes-gitlab
/
gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-03-21 21:08:16 +00:00
parent 49f2ba9ed5
commit 39e49bee4a
18 changed files with 218 additions and 200 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/models/concerns/sensitive_serializable_hash.rb
View File

@ -19,7 +19,6 @@ module SensitiveSerializableHash
# In general, prefer NOT to use serializable_hash / to_json / as_json in favor
# of serializers / entities instead which has an allowlist of attributes
def serializable_hash(options = nil)
return super unless prevent_sensitive_fields_from_serializable_hash?
return super if options && options[:unsafe_serialization_hash]
options = options.try(:dup) || {}
@ -37,10 +36,4 @@ module SensitiveSerializableHash
super(options)
end
private
def prevent_sensitive_fields_from_serializable_hash?
Feature.enabled?(:prevent_sensitive_fields_from_serializable_hash, default_enabled: :yaml)
end
end

4
app/views/admin/application_settings/service_usage_data.html.haml
View File

@ -8,9 +8,9 @@
%h3= name
%button.gl-button.btn.btn-default.js-payload-preview-trigger{ type: 'button', data: { payload_selector: ".#{payload_class}" } }
.gl-spinner.js-spinner.gl-display-none.gl-mr-2
= gl_loading_icon(css_class: 'js-spinner gl-display-none gl-mr-2')
.js-text.gl-display-inline= _('Preview payload')
%button.gl-button.btn.btn-default.js-payload-download-trigger{ type: 'button', data: { endpoint: usage_data_admin_application_settings_path(format: :json) } }
.gl-spinner.js-spinner.gl-display-none.gl-mr-2
= gl_loading_icon(css_class: 'js-spinner gl-display-none gl-mr-2')
.js-text.d-inline= _('Download payload')
%pre.js-syntax-highlight.code.highlight.gl-mt-2.gl-display-none{ class: payload_class, data: { endpoint: usage_data_admin_application_settings_path(format: :html) } }

8
config/feature_flags/development/prevent_sensitive_fields_from_serializable_hash.yml
View File

@ -1,8 +0,0 @@
---
name: prevent_sensitive_fields_from_serializable_hash
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81773
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353878
milestone: '14.9'
type: development
group: group::sharding
default_enabled: false

8
config/feature_flags/development/show_report_validation_warnings.yml
View File

@ -1,8 +0,0 @@
---
name: show_report_validation_warnings
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80930
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353125
milestone: '14.9'
type: development
group: group::threat insights
default_enabled: true

5
config/webpack.config.js
View File

@ -702,7 +702,10 @@ module.exports = {
const incrementalCompilerMiddleware = incrementalCompiler.createMiddleware(devServer);
if (incrementalCompilerMiddleware) {
middlewares.unshift(incrementalCompilerMiddleware);
middlewares.unshift({
name: 'incremental-compiler',
middleware: incrementalCompilerMiddleware,
});
}
return middlewares;

23
db/post_migrate/20220315211043_add_index_to_vulnerability_reads.rb Normal file
View File

@ -0,0 +1,23 @@
# frozen_string_literal: true
class AddIndexToVulnerabilityReads < Gitlab::Database::Migration[1.0]
INDEX_NAME = 'index_vulnerability_reads_common_finder_query'
disable_ddl_transaction!
def up
add_concurrent_index(
:vulnerability_reads,
%i[project_id state report_type severity vulnerability_id],
name: INDEX_NAME,
order: { vulnerability_id: :desc }
)
end
def down
remove_concurrent_index_by_name(
:vulnerability_reads,
INDEX_NAME
)
end
end

1
db/schema_migrations/20220315211043 Normal file
View File

@ -0,0 +1 @@
ae734a1ae3555a237e427dbcc0ace6c461c50cf98bc1076ca59c90b603b88c29

2
db/structure.sql
View File

@ -29437,6 +29437,8 @@ CREATE UNIQUE INDEX index_vulnerability_occurrences_on_uuid ON vulnerability_occ
CREATE INDEX index_vulnerability_occurrences_on_vulnerability_id ON vulnerability_occurrences USING btree (vulnerability_id);
CREATE INDEX index_vulnerability_reads_common_finder_query ON vulnerability_reads USING btree (project_id, state, report_type, severity, vulnerability_id DESC);
CREATE INDEX index_vulnerability_reads_on_cluster_agent_id ON vulnerability_reads USING btree (cluster_agent_id) WHERE (report_type = 7);
CREATE INDEX index_vulnerability_reads_on_location_image ON vulnerability_reads USING btree (location_image) WHERE (report_type = ANY (ARRAY[2, 7]));

90
doc/api/merge_request_approvals.md
View File

@ -776,6 +776,82 @@ GET /projects/:id/merge_requests/:merge_request_iid/approval_rules
]
```
### Get a single merge request level rule
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/82767) in GitLab 14.10.
You can request information about a single merge request approval rule using the following endpoint:
```plaintext
GET /projects/:id/merge_requests/:merge_request_iid/approval_rules/:approval_rule_id
```
**Parameters:**
| Attribute | Type | Required | Description |
|---------------------|---------|----------|------------------------------------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of a project](index.md#namespaced-path-encoding). |
| `merge_request_iid` | integer | yes | The IID of a merge request. |
| `approval_rule_id` | integer | yes | The ID of an approval rule. |
```json
{
"id": 1,
"name": "security",
"rule_type": "regular",
"eligible_approvers": [
{
"id": 5,
"name": "John Doe",
"username": "jdoe",
"state": "active",
"avatar_url": "https://www.gravatar.com/avatar/0?s=80&d=identicon",
"web_url": "http://localhost/jdoe"
},
{
"id": 50,
"name": "Group Member 1",
"username": "group_member_1",
"state": "active",
"avatar_url": "https://www.gravatar.com/avatar/0?s=80&d=identicon",
"web_url": "http://localhost/group_member_1"
}
],
"approvals_required": 3,
"source_rule": null,
"users": [
{
"id": 5,
"name": "John Doe",
"username": "jdoe",
"state": "active",
"avatar_url": "https://www.gravatar.com/avatar/0?s=80&d=identicon",
"web_url": "http://localhost/jdoe"
}
],
"groups": [
{
"id": 5,
"name": "group1",
"path": "group1",
"description": "",
"visibility": "public",
"lfs_enabled": false,
"avatar_url": null,
"web_url": "http://localhost/groups/group1",
"request_access_enabled": false,
"full_name": "group1",
"full_path": "group1",
"parent_id": null,
"ldap_cn": null,
"ldap_access": null
}
],
"contains_hidden_groups": false,
"overridden": false
}
```
### Create merge request level rule
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/11877) in GitLab 12.3.
@ -881,13 +957,13 @@ These are system generated rules.
| Attribute | Type | Required | Description |
|----------------------|---------|----------|------------------------------------------------|
| `id` | integer or string | yes | The ID or [URL-encoded path of a project](index.md#namespaced-path-encoding) |
| `merge_request_iid` | integer | yes | The ID of MR |
| `approval_rule_id` | integer | yes | The ID of a approval rule |
| `name` | string | yes | The name of the approval rule |
| `approvals_required` | integer | yes | The number of required approvals for this rule |
| `user_ids` | Array | no | The ids of users as approvers |
| `group_ids` | Array | no | The ids of groups as approvers |
| `id` | integer or string | yes | The ID or [URL-encoded path of a project](index.md#namespaced-path-encoding). |
| `merge_request_iid` | integer | yes | The IID of a merge request. |
| `approval_rule_id` | integer | yes | The ID of an approval rule. |
| `name` | string | yes | The name of the approval rule. |
| `approvals_required` | integer | yes | The number of required approvals for this rule. |
| `user_ids` | Array | no | The IDs of users as approvers. |
| `group_ids` | Array | no | The IDs of groups as approvers. |
```json
{

2
doc/ci/variables/predefined_variables.md
View File

@ -105,7 +105,7 @@ There are also a number of [variables you can use to configure runner behavior](
| `CI_RUNNER_EXECUTABLE_ARCH` | all | 10.6 | The OS/architecture of the GitLab Runner executable. Might not be the same as the environment of the executor. |
| `CI_RUNNER_ID` | 8.10 | 0.5 | The unique ID of the runner being used. |
| `CI_RUNNER_REVISION` | all | 10.6 | The revision of the runner running the job. |
| `CI_RUNNER_SHORT_TOKEN` | all | 12.3 | First eight characters of the runner's token used to authenticate new job requests. Used as the runner's unique ID. |
| `CI_RUNNER_SHORT_TOKEN` | all | 12.3 | The runner's unique ID, used to authenticate new job requests. In [GitLab 14.9](https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2251) and later, the token contains a prefix, and the first 17 characters are used. Prior to 14.9, the first eight characters are used. |
| `CI_RUNNER_TAGS` | 8.10 | 0.5 | A comma-separated list of the runner tags. |
| `CI_RUNNER_VERSION` | all | 10.6 | The version of the GitLab Runner running the job. |
| `CI_SERVER_HOST` | 12.1 | all | The host of the GitLab instance URL, without protocol or port. For example `gitlab.example.com`. |

1
doc/development/chatops_on_gitlabcom.md
View File

@ -25,6 +25,7 @@ To request access to ChatOps on GitLab.com:
- The same username you use on GitLab.com. You may have to choose a different
username later.
- Clicking the **Sign in with Google** button to sign in with your GitLab.com email address.
- Clicking the **Sign in with Okta** button to sign in with Okta.
1. Confirm that your username in [Internal GitLab for Operations](https://ops.gitlab.net/)
is the same as your username in [GitLab.com](https://gitlab.com/). If the usernames

16
doc/user/clusters/agent/gitops.md
View File

@ -90,6 +90,22 @@ gitops:
| `prune_propagation_policy` | The deletion propagation policy that [should be used for pruning](https://github.com/kubernetes/apimachinery/blob/44113beed5d39f1b261a12ec398a356e02358307/pkg/apis/meta/v1/types.go#L456-L470). Can be: `orphan`, `background`, or `foreground`. Default is `foreground`. |
| `inventory_policy` | Determines whether an inventory object can take over objects that belong to another inventory object or don't belong to any inventory object. This is done by determining if the apply/prune operation can go through for a resource based on comparison of the `inventory-id` value in the package and the `owning-inventory` annotation (`config.k8s.io/owning-inventory`) [in the live object](https://github.com/kubernetes-sigs/cli-utils/blob/d6968048dcd80b1c7b55d9e4f31fc25f71c9b490/pkg/inventory/policy.go#L12-L66). Can be: `must_match`, `adopt_if_no_inventory`, or `adopt_all`. Default is `must_match`. |
## GitOps annotations
The GitLab agent for Kubernetes has annotations you can use to:
- **Sort resources**: Apply or delete resources in a specific order.
- **Use apply-time mutation**: Dynamically substitute fields from one resource configuration to another.
The agent has [default sorting](https://github.com/kubernetes-sigs/cli-utils/blob/d7d63f4b62897f584ca9e02b6faf4d2f327a9b09/pkg/ordering/sort.go#L74),
but with annotations, you can fine-tune the order and apply time-value injection.
To provide the GitOps functionality, the GitLab agent for Kubernetes uses the [`cli-utils` library](https://github.com/kubernetes-sigs/cli-utils/),
a Kubernetes SIG project. You can read more about the available annotations in the [`cli-utils` documentation](https://github.com/kubernetes-sigs/cli-utils/blob/master/README.md#apply-sort-ordering).
- [Learn more about apply sort ordering](https://github.com/kubernetes-sigs/cli-utils#apply-sort-ordering).
- [Learn more about apply-time mutation](https://github.com/kubernetes-sigs/cli-utils#apply-time-mutation).
## Additional resources
The following documentation and examples can help you get started with a GitOps workflow.

2
doc/user/project/issues/managing_issues.md
View File

@ -342,7 +342,7 @@ To do it:
issues.each do |issue|
if issue.state != "closed" && issue.moved_to.nil?
Issues::MoveService.new(project, admin_user).execute(issue, target_project)
Issues::MoveService.new(project: project, current_user: admin_user).execute(issue, target_project)
else
puts "issue with id: #{issue.id} and title: #{issue.title} was not moved"
end

31
lib/gitlab/ci/parsers/security/common.rb
View File

@ -43,26 +43,25 @@ module Gitlab
attr_reader :json_data, :report, :validate
def valid?
if Feature.enabled?(:show_report_validation_warnings, default_enabled: :yaml)
# We want validation to happen regardless of VALIDATE_SCHEMA CI variable
schema_validation_passed = schema_validator.valid?
# We want validation to happen regardless of VALIDATE_SCHEMA
# CI variable.
#
# Previously it controlled BOTH validation and enforcement of
# schema validation result.
#
# After 15.0 we will enforce schema validation by default
# See: https://gitlab.com/groups/gitlab-org/-/epics/6968
schema_validation_passed = schema_validator.valid?
if validate
schema_validator.errors.each { |error| report.add_error('Schema', error) } unless schema_validation_passed
if validate
schema_validator.errors.each { |error| report.add_error('Schema', error) } unless schema_validation_passed
schema_validation_passed
else
# We treat all schema validation errors as warnings
schema_validator.errors.each { |error| report.add_warning('Schema', error) }
true
end
schema_validation_passed
else
return true if !validate || schema_validator.valid?
# We treat all schema validation errors as warnings
schema_validator.errors.each { |error| report.add_warning('Schema', error) }
schema_validator.errors.each { |error| report.add_error('Schema', error) }
false
true
end
end

2
package.json
View File

@ -253,7 +253,7 @@
"webpack-dev-server": "4.7.4",
"xhr-mock": "^2.5.1",
"yarn-check-webpack-plugin": "^1.2.0",
"yarn-deduplicate": "^3.1.0"
"yarn-deduplicate": "^4.0.0"
},
"blockedDependencies": {
"bootstrap-vue": "https://docs.gitlab.com/ee/development/fe_guide/dependencies.html#bootstrapvue"

192
spec/lib/gitlab/ci/parsers/security/common_spec.rb
View File

@ -38,172 +38,102 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
allow(validator_class).to receive(:new).and_call_original
end
context 'when show_report_validation_warnings is enabled' do
context 'when the validate flag is set to `false`' do
let(:validate) { false }
let(:valid?) { false }
let(:errors) { ['foo'] }
before do
stub_feature_flags(show_report_validation_warnings: true)
allow_next_instance_of(validator_class) do |instance|
allow(instance).to receive(:valid?).and_return(valid?)
allow(instance).to receive(:errors).and_return(errors)
end
allow(parser).to receive_messages(create_scanner: true, create_scan: true)
end
context 'when the validate flag is set to `false`' do
let(:validate) { false }
let(:valid?) { false }
let(:errors) { ['foo'] }
it 'instantiates the validator with correct params' do
parse_report
before do
allow_next_instance_of(validator_class) do |instance|
allow(instance).to receive(:valid?).and_return(valid?)
allow(instance).to receive(:errors).and_return(errors)
end
expect(validator_class).to have_received(:new).with(report.type, {}, report.version)
end
allow(parser).to receive_messages(create_scanner: true, create_scan: true)
context 'when the report data is not valid according to the schema' do
it 'adds warnings to the report' do
expect { parse_report }.to change { report.warnings }.from([]).to([{ message: 'foo', type: 'Schema' }])
end
it 'instantiates the validator with correct params' do
it 'keeps the execution flow as normal' do
parse_report
expect(validator_class).to have_received(:new).with(report.type, {}, report.version)
end
context 'when the report data is not valid according to the schema' do
it 'adds warnings to the report' do
expect { parse_report }.to change { report.warnings }.from([]).to([{ message: 'foo', type: 'Schema' }])
end
it 'keeps the execution flow as normal' do
parse_report
expect(parser).to have_received(:create_scanner)
expect(parser).to have_received(:create_scan)
end
end
context 'when the report data is valid according to the schema' do
let(:valid?) { true }
let(:errors) { [] }
it 'does not add warnings to the report' do
expect { parse_report }.not_to change { report.errors }
end
it 'keeps the execution flow as normal' do
parse_report
expect(parser).to have_received(:create_scanner)
expect(parser).to have_received(:create_scan)
end
expect(parser).to have_received(:create_scanner)
expect(parser).to have_received(:create_scan)
end
end
context 'when the validate flag is set to `true`' do
let(:validate) { true }
let(:valid?) { false }
let(:errors) { ['foo'] }
context 'when the report data is valid according to the schema' do
let(:valid?) { true }
let(:errors) { [] }
before do
allow_next_instance_of(validator_class) do |instance|
allow(instance).to receive(:valid?).and_return(valid?)
allow(instance).to receive(:errors).and_return(errors)
end
allow(parser).to receive_messages(create_scanner: true, create_scan: true)
it 'does not add warnings to the report' do
expect { parse_report }.not_to change { report.errors }
end
it 'instantiates the validator with correct params' do
it 'keeps the execution flow as normal' do
parse_report
expect(validator_class).to have_received(:new).with(report.type, {}, report.version)
end
context 'when the report data is not valid according to the schema' do
it 'adds errors to the report' do
expect { parse_report }.to change { report.errors }.from([]).to([{ message: 'foo', type: 'Schema' }])
end
it 'does not try to create report entities' do
parse_report
expect(parser).not_to have_received(:create_scanner)
expect(parser).not_to have_received(:create_scan)
end
end
context 'when the report data is valid according to the schema' do
let(:valid?) { true }
let(:errors) { [] }
it 'does not add errors to the report' do
expect { parse_report }.not_to change { report.errors }.from([])
end
it 'keeps the execution flow as normal' do
parse_report
expect(parser).to have_received(:create_scanner)
expect(parser).to have_received(:create_scan)
end
expect(parser).to have_received(:create_scanner)
expect(parser).to have_received(:create_scan)
end
end
end
context 'when show_report_validation_warnings is disabled' do
context 'when the validate flag is set to `true`' do
let(:validate) { true }
let(:valid?) { false }
let(:errors) { ['foo'] }
before do
stub_feature_flags(show_report_validation_warnings: false)
allow_next_instance_of(validator_class) do |instance|
allow(instance).to receive(:valid?).and_return(valid?)
allow(instance).to receive(:errors).and_return(errors)
end
allow(parser).to receive_messages(create_scanner: true, create_scan: true)
end
context 'when the validate flag is set as `false`' do
let(:validate) { false }
it 'instantiates the validator with correct params' do
parse_report
it 'does not run the validation logic' do
expect(validator_class).to have_received(:new).with(report.type, {}, report.version)
end
context 'when the report data is not valid according to the schema' do
it 'adds errors to the report' do
expect { parse_report }.to change { report.errors }.from([]).to([{ message: 'foo', type: 'Schema' }])
end
it 'does not try to create report entities' do
parse_report
expect(validator_class).not_to have_received(:new)
expect(parser).not_to have_received(:create_scanner)
expect(parser).not_to have_received(:create_scan)
end
end
context 'when the validate flag is set as `true`' do
let(:validate) { true }
let(:valid?) { false }
context 'when the report data is valid according to the schema' do
let(:valid?) { true }
let(:errors) { [] }
before do
allow_next_instance_of(validator_class) do |instance|
allow(instance).to receive(:valid?).and_return(valid?)
allow(instance).to receive(:errors).and_return(['foo'])
end
allow(parser).to receive_messages(create_scanner: true, create_scan: true)
it 'does not add errors to the report' do
expect { parse_report }.not_to change { report.errors }.from([])
end
it 'instantiates the validator with correct params' do
it 'keeps the execution flow as normal' do
parse_report
expect(validator_class).to have_received(:new).with(report.type, {}, report.version)
end
context 'when the report data is not valid according to the schema' do
it 'adds errors to the report' do
expect { parse_report }.to change { report.errors }.from([]).to([{ message: 'foo', type: 'Schema' }])
end
it 'does not try to create report entities' do
parse_report
expect(parser).not_to have_received(:create_scanner)
expect(parser).not_to have_received(:create_scan)
end
end
context 'when the report data is valid according to the schema' do
let(:valid?) { true }
it 'does not add errors to the report' do
expect { parse_report }.not_to change { report.errors }.from([])
end
it 'keeps the execution flow as normal' do
parse_report
expect(parser).to have_received(:create_scanner)
expect(parser).to have_received(:create_scan)
end
expect(parser).to have_received(:create_scanner)
expect(parser).to have_received(:create_scan)
end
end
end

10
spec/models/concerns/sensitive_serializable_hash_spec.rb
View File

@ -30,16 +30,6 @@ RSpec.describe SensitiveSerializableHash do
expect(model.serializable_hash(unsafe_serialization_hash: true)).to include('super_secret')
end
end
context 'when prevent_sensitive_fields_from_serializable_hash feature flag is disabled' do
before do
stub_feature_flags(prevent_sensitive_fields_from_serializable_hash: false)
end
it 'includes the field in serializable_hash' do
expect(model.serializable_hash).to include('super_secret')
end
end
end
describe '#serializable_hash' do

14
yarn.lock
View File

@ -3626,12 +3626,12 @@ commander@7, commander@^7.0.0:
resolved "https://registry.yarnpkg.com/commander/-/commander-7.2.0.tgz#a36cb57d0b501ce108e4d20559a150a391d97ab7"
integrity sha512-QrWXB+ZQSVPmIWIhtEO9H+gwHaMGYiF5ChvoJ+K9ZGHG/sVsa6yiesAD1GC/x46sET00Xlwo1u49RVVVzvcSkw==
commander@^6.0.0, commander@^6.1.0, commander@^6.2.0:
commander@^6.0.0, commander@^6.2.0:
version "6.2.1"
resolved "https://registry.yarnpkg.com/commander/-/commander-6.2.1.tgz#0792eb682dfbc325999bb2b84fddddba110ac73c"
integrity sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==
commander@~9.0.0:
commander@^9.0.0, commander@~9.0.0:
version "9.0.0"
resolved "https://registry.yarnpkg.com/commander/-/commander-9.0.0.tgz#86d58f24ee98126568936bd1d3574e0308a99a40"
integrity sha512-JJfP2saEKbQqvW+FI93OYUB4ByV5cizMpFMiiJI8xDbBvQvSkIk0VvQdn1CZ8mqAO8Loq2h0gYTYtDFUZUeERw==
@ -12555,13 +12555,13 @@ yarn-check-webpack-plugin@^1.2.0:
dependencies:
chalk "^2.4.2"
yarn-deduplicate@^3.1.0:
version "3.1.0"
resolved "https://registry.yarnpkg.com/yarn-deduplicate/-/yarn-deduplicate-3.1.0.tgz#3018d93e95f855f236a215b591fe8bc4bcabba3e"
integrity sha512-q2VZ6ThNzQpGfNpkPrkmV7x5HT9MOhCUsTxVTzyyZB0eSXz1NTodHn+r29DlLb+peKk8iXxzdUVhQG9pI7moFw==
yarn-deduplicate@^4.0.0:
version "4.0.0"
resolved "https://registry.yarnpkg.com/yarn-deduplicate/-/yarn-deduplicate-4.0.0.tgz#0fcd11a83c2629ee41bc38a97d78fbd810c5825f"
integrity sha512-1sI617aM8WNplWA7O58peEq3gC14Ah/Ld55CF1aB2v4pTaxDpOgb+mTaWhIKzOCqJjwnaSqmYVrfgABUlc9bNA==
dependencies:
"@yarnpkg/lockfile" "^1.1.0"
commander "^6.1.0"
commander "^9.0.0"
semver "^7.3.2"
yn@3.1.1: