Add latest changes from gitlab-org/gitlab@master

2022-05-06 09:07:38 +00:00 · 2022-05-06 09:07:38 +00:00 · 3c21cbd6a8
commit 3c21cbd6a8
parent a5185ab986
21 changed files with 308 additions and 36 deletions
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@ -116,8 +116,6 @@ Dangerfile @gl-quality/eng-prod
 /ee/spec/services/network_policies/** @gitlab-org/protect/container-security-backend
 /app/models/clusters/applications/cilium.rb @gitlab-org/protect/container-security-backend
 /spec/models/clusters/applications/cilium_spec.rb @gitlab-org/protect/container-security-backend
-/ee/app/controllers/projects/security/network_policies_controller.rb @gitlab-org/protect/container-security-backend
-/ee/spec/controllers/projects/security/network_policies_controller_spec.rb  @gitlab-org/protect/container-security-backend
 /ee/app/services/network_policies/** @gitlab-org/protect/container-security-backend
 /ee/spec/services/network_policies/** @gitlab-org/protect/container-security-backend
 /ee/app/services/security/orchestration/** @gitlab-org/protect/container-security-backend
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@ -241,13 +241,6 @@ Style/KeywordParametersOrder:
 Style/Lambda:
  Enabled: false

-# Offense count: 35
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, MinBodyLength.
-# SupportedStyles: skip_modifier_ifs, always
-Style/Next:
-  Enabled: false
-
 # Offense count: 101
 # Cop supports --auto-correct.
 # Configuration parameters: EnforcedOctalStyle.
--- a/.rubocop_todo/layout/hash_alignment.yml
+++ b/.rubocop_todo/layout/hash_alignment.yml
@ -386,7 +386,6 @@ Layout/HashAlignment:
    - 'ee/spec/controllers/ee/projects/variables_controller_spec.rb'
    - 'ee/spec/controllers/groups/epic_boards_controller_spec.rb'
    - 'ee/spec/controllers/groups/issues_controller_spec.rb'
-    - 'ee/spec/controllers/projects/security/network_policies_controller_spec.rb'
    - 'ee/spec/controllers/projects/settings/operations_controller_spec.rb'
    - 'ee/spec/controllers/trials_controller_spec.rb'
    - 'ee/spec/factories/dependencies.rb'
--- a/.rubocop_todo/layout/line_length.yml
+++ b/.rubocop_todo/layout/line_length.yml
@ -1179,7 +1179,6 @@ Layout/LineLength:
    - 'ee/app/controllers/projects/licenses_controller.rb'
    - 'ee/app/controllers/projects/protected_environments_controller.rb'
    - 'ee/app/controllers/projects/requirements_management/requirements_controller.rb'
-    - 'ee/app/controllers/projects/security/network_policies_controller.rb'
    - 'ee/app/controllers/projects/security/policies_controller.rb'
    - 'ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb'
    - 'ee/app/controllers/projects/threat_monitoring_controller.rb'
@ -1904,7 +1903,6 @@ Layout/LineLength:
    - 'ee/spec/controllers/projects/push_rules_controller_spec.rb'
    - 'ee/spec/controllers/projects/runners_controller_spec.rb'
    - 'ee/spec/controllers/projects/security/configuration_controller_spec.rb'
-    - 'ee/spec/controllers/projects/security/network_policies_controller_spec.rb'
    - 'ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb'
    - 'ee/spec/controllers/projects/subscriptions_controller_spec.rb'
    - 'ee/spec/controllers/projects/threat_monitoring_controller_spec.rb'
--- a/.rubocop_todo/rspec/verified_doubles.yml
+++ b/.rubocop_todo/rspec/verified_doubles.yml
@ -7,7 +7,6 @@ RSpec/VerifiedDoubles:
    - ee/spec/controllers/groups/sso_controller_spec.rb
    - ee/spec/controllers/oauth/geo_auth_controller_spec.rb
    - ee/spec/controllers/projects/clusters_controller_spec.rb
-    - ee/spec/controllers/projects/security/network_policies_controller_spec.rb
    - ee/spec/db/production/license_spec.rb
    - ee/spec/elastic/migrate/20210510113500_delete_merge_requests_from_original_index_spec.rb
    - ee/spec/elastic/migrate/20210510143200_delete_notes_from_original_index_spec.rb
--- a/.rubocop_todo/style/next.yml
+++ b/.rubocop_todo/style/next.yml
@ -0,0 +1,46 @@
+---
+# Cop supports --auto-correct.
+Style/Next:
+  # Offense count: 41
+  # Temporarily disabled due to too many offenses
+  Enabled: false
+  Exclude:
+    - 'app/finders/projects/serverless/functions_finder.rb'
+    - 'app/models/preloaders/environments/deployment_preloader.rb'
+    - 'app/models/route.rb'
+    - 'app/services/authorized_project_update/find_records_due_for_refresh_service.rb'
+    - 'app/validators/nested_attributes_duplicates_validator.rb'
+    - 'config/initializers/01_secret_token.rb'
+    - 'config/initializers/sidekiq_cluster.rb'
+    - 'ee/app/controllers/groups/analytics/cycle_analytics/value_streams_controller.rb'
+    - 'ee/app/services/app_sec/dast/profiles/create_associations_service.rb'
+    - 'ee/app/services/elastic/cluster_reindexing_service.rb'
+    - 'ee/app/services/gitlab_subscriptions/fetch_purchase_eligible_namespaces_service.rb'
+    - 'ee/app/services/security/auto_fix_service.rb'
+    - 'ee/db/fixtures/development/20_vulnerabilities.rb'
+    - 'ee/lib/ee/audit/protected_branches_changes_auditor.rb'
+    - 'ee/lib/gitlab/elastic/search_results.rb'
+    - 'ee/lib/system_check/geo/authorized_keys_check.rb'
+    - 'lib/backup/manager.rb'
+    - 'lib/banzai/filter/external_link_filter.rb'
+    - 'lib/banzai/filter/footnote_filter.rb'
+    - 'lib/banzai/filter/kroki_filter.rb'
+    - 'lib/banzai/filter/math_filter.rb'
+    - 'lib/banzai/filter/plantuml_filter.rb'
+    - 'lib/banzai/filter/table_of_contents_filter.rb'
+    - 'lib/gitlab/background_migration/encrypt_static_object_token.rb'
+    - 'lib/gitlab/database.rb'
+    - 'lib/gitlab/fogbugz_import/importer.rb'
+    - 'lib/gitlab/gitaly_client/repository_service.rb'
+    - 'lib/gitlab/import_export/attributes_permitter.rb'
+    - 'lib/gitlab/import_export/base/relation_object_saver.rb'
+    - 'lib/gitlab/metrics/samplers/base_sampler.rb'
+    - 'lib/gitlab/pagination/keyset/in_operator_optimization/strategies/record_loader_strategy.rb'
+    - 'lib/gitlab/reference_extractor.rb'
+    - 'lib/gitlab/tree_summary.rb'
+    - 'lib/tasks/gitlab/assets.rake'
+    - 'lib/tasks/gitlab/db/validate_config.rake'
+    - 'rubocop/cop/static_translation_definition.rb'
+    - 'scripts/perf/query_limiting_report.rb'
+    - 'spec/lib/gitlab/import_export/import_test_coverage_spec.rb'
+    - 'spec/presenters/packages/npm/package_presenter_spec.rb'
--- a/app/assets/javascripts/vue_shared/security_reports/store/utils.js
+++ b/app/assets/javascripts/vue_shared/security_reports/store/utils.js
@ -90,7 +90,7 @@ const createStatusMessage = ({ reportType, status, total }) => {
  if (status) {
    message = __('%{reportType} %{status}');
  } else if (!total) {
-    message = __('%{reportType} detected %{totalStart}no%{totalEnd} vulnerabilities.');
+    message = __('%{reportType} detected %{totalStart}no%{totalEnd} new vulnerabilities.');
  } else {
    message = __(
      '%{reportType} detected %{totalStart}%{total}%{totalEnd} potential %{vulnMessage}',
--- a/app/assets/stylesheets/pages/projects.scss
+++ b/app/assets/stylesheets/pages/projects.scss
@ -548,15 +548,6 @@ pre.light-well {
  }
 }

-.git-clone-holder,
-.mobile-git-clone {
-  .btn {
-    .icon {
-      fill: $white;
-    }
-  }
-}
-
 .new-protected-branch,
 .new-protected-tag {
  label {
--- a/app/assets/stylesheets/pages/tree.scss
+++ b/app/assets/stylesheets/pages/tree.scss
@ -6,10 +6,6 @@
  .nav-block {
    margin: 16px 0;

-    .btn svg {
-      color: $gl-text-color-secondary;
-    }
-
    .tree-ref-holder {
      margin-right: 15px;
    }
--- a/app/services/database/consistency_fix_service.rb
+++ b/app/services/database/consistency_fix_service.rb
@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Database
+  class ConsistencyFixService
+    def initialize(source_model:, target_model:, sync_event_class:, source_sort_key:, target_sort_key:)
+      @source_model = source_model
+      @target_model = target_model
+      @sync_event_class = sync_event_class
+      @source_sort_key = source_sort_key
+      @target_sort_key = target_sort_key
+    end
+
+    attr_accessor :source_model, :target_model, :sync_event_class, :source_sort_key, :target_sort_key
+
+    def execute(ids:)
+      ids.each do |id|
+        if source_object(id) && target_object(id)
+          create_sync_event_for(id)
+        elsif target_object(id)
+          target_object(id).destroy!
+        end
+      end
+      sync_event_class.enqueue_worker
+    end
+
+    private
+
+    # rubocop: disable CodeReuse/ActiveRecord
+    def source_object(id)
+      source_model.find_by(source_sort_key => id)
+    end
+
+    def target_object(id)
+      target_model.find_by(target_sort_key => id)
+    end
+    # rubocop: enable CodeReuse/ActiveRecord
+
+    def create_sync_event_for(id)
+      if source_model == Namespace
+        sync_event_class.create!(namespace_id: id)
+      elsif source_model == Project
+        sync_event_class.create!(project_id: id)
+      else
+        raise("Unknown Source Model #{source_model.name}")
+      end
+    end
+  end
+end
--- a/app/workers/database/ci_namespace_mirrors_consistency_check_worker.rb
+++ b/app/workers/database/ci_namespace_mirrors_consistency_check_worker.rb
@ -13,7 +13,7 @@ module Database
    version 1

    def perform
-      return if Feature.disabled?(:ci_namespace_mirrors_consistency_check, default_enabled: :yaml)
+      return if Feature.disabled?(:ci_namespace_mirrors_consistency_check)

      results = ConsistencyCheckService.new(
        source_model: Namespace,
@ -22,6 +22,16 @@ module Database
        target_columns: %w[namespace_id traversal_ids]
      ).execute

+      if results[:mismatches_details].any?
+        ConsistencyFixService.new(
+          source_model: Namespace,
+          target_model: Ci::NamespaceMirror,
+          sync_event_class: Namespaces::SyncEvent,
+          source_sort_key: :id,
+          target_sort_key: :namespace_id
+        ).execute(ids: results[:mismatches_details].map { |h| h[:id] })
+      end
+
      log_extra_metadata_on_done(:results, results)
    end
  end
--- a/app/workers/database/ci_project_mirrors_consistency_check_worker.rb
+++ b/app/workers/database/ci_project_mirrors_consistency_check_worker.rb
@ -13,7 +13,7 @@ module Database
    version 1

    def perform
-      return if Feature.disabled?(:ci_project_mirrors_consistency_check, default_enabled: :yaml)
+      return if Feature.disabled?(:ci_project_mirrors_consistency_check)

      results = ConsistencyCheckService.new(
        source_model: Project,
@ -22,6 +22,16 @@ module Database
        target_columns: %w[project_id namespace_id]
      ).execute

+      if results[:mismatches_details].any?
+        ConsistencyFixService.new(
+          source_model: Project,
+          target_model: Ci::ProjectMirror,
+          sync_event_class: Projects::SyncEvent,
+          source_sort_key: :id,
+          target_sort_key: :project_id
+        ).execute(ids: results[:mismatches_details].map { |h| h[:id] })
+      end
+
      log_extra_metadata_on_done(:results, results)
    end
  end
--- a/config/feature_categories.yml
+++ b/config/feature_categories.yml
@ -52,6 +52,7 @@
 - experimentation_conversion
 - experimentation_expansion
 - feature_flags
+- free_user_caps_conversion
 - five_minute_production_app
 - fulfillment_platform
 - fuzz_testing
--- a/config/feature_flags/development/ci_namespace_mirrors_consistency_check.yml
+++ b/config/feature_flags/development/ci_namespace_mirrors_consistency_check.yml
@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356577
 milestone: '14.10'
 type: development
 group: group::sharding
-default_enabled: false
+default_enabled: true
--- a/config/feature_flags/development/ci_project_mirrors_consistency_check.yml
+++ b/config/feature_flags/development/ci_project_mirrors_consistency_check.yml
@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/356583
 milestone: '14.10'
 type: development
 group: group::sharding
-default_enabled: false
+default_enabled: true
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@ -709,6 +709,9 @@ Gitlab.ee do
  Settings.cron_jobs['ldap_sync_worker'] ||= Settingslogic.new({})
  Settings.cron_jobs['ldap_sync_worker']['cron'] ||= '30 1 * * *'
  Settings.cron_jobs['ldap_sync_worker']['job_class'] = 'LdapSyncWorker'
+  Settings.cron_jobs['free_user_cap_data_remediation'] ||= Settingslogic.new({})
+  Settings.cron_jobs['free_user_cap_data_remediation']['cron'] ||= '17 6,10,14,18 * * *'
+  Settings.cron_jobs['free_user_cap_data_remediation']['job_class'] = 'Namespaces::FreeUserCapWorker'
  Settings.cron_jobs['update_max_seats_used_for_gitlab_com_subscriptions_worker'] ||= Settingslogic.new({})
  Settings.cron_jobs['update_max_seats_used_for_gitlab_com_subscriptions_worker']['cron'] ||= '0 12 * * *'
  Settings.cron_jobs['update_max_seats_used_for_gitlab_com_subscriptions_worker']['job_class'] = 'UpdateMaxSeatsUsedForGitlabComSubscriptionsWorker'
--- a/doc/user/project/protected_branches.md
+++ b/doc/user/project/protected_branches.md
@ -10,7 +10,7 @@ In GitLab, [permissions](../permissions.md) are fundamentally defined around the
 idea of having read or write permission to the repository and branches. To impose
 further restrictions on certain branches, they can be protected.

-The default branch for your repository is protected by default.
+The [default branch](repository/branches/default.md) for your repository is protected by default.

 ## Who can modify a protected branch

@ -50,6 +50,10 @@ The protected branch displays in the list of protected branches.

 ## Configure multiple protected branches by using a wildcard

+If both a specific rule and a wildcard rule apply to the same branch, the most
+permissive rule controls how the branch behaves. For merge controls to work properly,
+set **Allowed to push** to a broader set of users than **Allowed to merge**.
+
 Prerequisite:

 - You must have at least the Maintainer role.
@ -96,14 +100,19 @@ To create a new branch through the user interface:

 ## Require everyone to submit merge requests for a protected branch

-You can force everyone to submit a merge request, rather than allowing them to check in directly
-to a protected branch. This is compatible with workflows like the [GitLab workflow](../../topics/gitlab_flow.md).
+You can force everyone to submit a merge request, rather than allowing them to
+check in directly to a protected branch. This setting is compatible with workflows
+like the [GitLab workflow](../../topics/gitlab_flow.md).

 1. Go to your project and select **Settings > Repository**.
 1. Expand **Protected branches**.
 1. From the **Branch** dropdown list, select the branch you want to protect.
 1. From the **Allowed to merge** list, select **Developers + Maintainers**.
 1. From the **Allowed to push** list, select **No one**.
+
+   NOTE:
+   Setting a role, group or user as **Allowed to push** also allows those users to merge.
+
 1. Select **Protect**.

 ## Allow everyone to push directly to a protected branch
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@ -911,7 +911,7 @@ msgstr ""
 msgid "%{reportType} detected %{totalStart}%{total}%{totalEnd} potential %{vulnMessage}"
 msgstr ""

-msgid "%{reportType} detected %{totalStart}no%{totalEnd} vulnerabilities."
+msgid "%{reportType} detected %{totalStart}no%{totalEnd} new vulnerabilities."
 msgstr ""

 msgid "%{retryButtonStart}Try again%{retryButtonEnd} or %{newFileButtonStart}attach a new file%{newFileButtonEnd}."
--- a/spec/services/database/consistency_fix_service_spec.rb
+++ b/spec/services/database/consistency_fix_service_spec.rb
@ -0,0 +1,153 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Database::ConsistencyFixService do
+  describe '#execute' do
+    context 'fixing namespaces inconsistencies' do
+      subject(:consistency_fix_service) do
+        described_class.new(
+          source_model: Namespace,
+          target_model: Ci::NamespaceMirror,
+          sync_event_class: Namespaces::SyncEvent,
+          source_sort_key: :id,
+          target_sort_key: :namespace_id
+        )
+      end
+
+      let(:table) { 'public.namespaces' }
+      let!(:namespace) { create(:namespace) }
+      let!(:namespace_mirror) { Ci::NamespaceMirror.find_by(namespace_id: namespace.id) }
+
+      context 'when both objects exist' do
+        it 'creates a Namespaces::SyncEvent to modify the target object' do
+          expect do
+            consistency_fix_service.execute(ids: [namespace.id])
+          end.to change {
+            Namespaces::SyncEvent.where(namespace_id: namespace.id).count
+          }.by(1)
+        end
+
+        it 'enqueues the worker to process the Namespaces::SyncEvents' do
+          expect(::Namespaces::ProcessSyncEventsWorker).to receive(:perform_async)
+          consistency_fix_service.execute(ids: [namespace.id])
+        end
+      end
+
+      context 'when the source object has been deleted, but not the target' do
+        before do
+          namespace.delete
+        end
+
+        it 'deletes the target object' do
+          expect do
+            consistency_fix_service.execute(ids: [namespace.id])
+          end.to change { Ci::NamespaceMirror.where(namespace_id: namespace.id).count }.by(-1)
+        end
+      end
+    end
+
+    context 'fixing projects inconsistencies' do
+      subject(:consistency_fix_service) do
+        described_class.new(
+          source_model: Project,
+          target_model: Ci::ProjectMirror,
+          sync_event_class: Projects::SyncEvent,
+          source_sort_key: :id,
+          target_sort_key: :project_id
+        )
+      end
+
+      let(:table) { 'public.projects' }
+      let!(:project) { create(:project) }
+      let!(:project_mirror) { Ci::ProjectMirror.find_by(project_id: project.id) }
+
+      context 'when both objects exist' do
+        it 'creates a Projects::SyncEvent to modify the target object' do
+          expect do
+            consistency_fix_service.execute(ids: [project.id])
+          end.to change {
+            Projects::SyncEvent.where(project_id: project.id).count
+          }.by(1)
+        end
+
+        it 'enqueues the worker to process the Projects::SyncEvents' do
+          expect(::Projects::ProcessSyncEventsWorker).to receive(:perform_async)
+          consistency_fix_service.execute(ids: [project.id])
+        end
+      end
+
+      context 'when the source object has been deleted, but not the target' do
+        before do
+          project.delete
+        end
+
+        it 'deletes the target object' do
+          expect do
+            consistency_fix_service.execute(ids: [project.id])
+          end.to change { Ci::ProjectMirror.where(project_id: project.id).count }.by(-1)
+        end
+      end
+    end
+  end
+
+  describe '#create_sync_event_for' do
+    context 'when the source model is Namespace' do
+      let(:namespace) { create(:namespace) }
+
+      let(:service) do
+        described_class.new(
+          source_model: Namespace,
+          target_model: Ci::NamespaceMirror,
+          sync_event_class: Namespaces::SyncEvent,
+          source_sort_key: :id,
+          target_sort_key: :namespace_id
+        )
+      end
+
+      it 'creates a Namespaces::SyncEvent object' do
+        expect do
+          service.send(:create_sync_event_for, namespace.id)
+        end.to change { Namespaces::SyncEvent.where(namespace_id: namespace.id).count }.by(1)
+      end
+    end
+
+    context 'when the source model is Project' do
+      let(:project) { create(:project) }
+
+      let(:service) do
+        described_class.new(
+          source_model: Project,
+          target_model: Ci::ProjectMirror,
+          sync_event_class: Projects::SyncEvent,
+          source_sort_key: :id,
+          target_sort_key: :project_id
+        )
+      end
+
+      it 'creates a Projects::SyncEvent object' do
+        expect do
+          service.send(:create_sync_event_for, project.id)
+        end.to change { Projects::SyncEvent.where(project_id: project.id).count }.by(1)
+      end
+    end
+  end
+
+  context 'when the source model is User' do
+    let(:service) do
+      described_class.new(
+        source_model: User,
+        target_model: Ci::ProjectMirror,
+        sync_event_class: Projects::SyncEvent,
+        source_sort_key: :id,
+        target_sort_key: :project_id
+      )
+    end
+
+    it 'raises an error' do
+      expect do
+        service.send(:create_sync_event_for, 1)
+      end.to raise_error("Unknown Source Model User")
+    end
+  end
+end
--- a/spec/workers/database/ci_namespace_mirrors_consistency_check_worker_spec.rb
+++ b/spec/workers/database/ci_namespace_mirrors_consistency_check_worker_spec.rb
@ -62,6 +62,15 @@ RSpec.describe Database::CiNamespaceMirrorsConsistencyCheckWorker do
        expect(worker).to receive(:log_extra_metadata_on_done).with(:results, expected_result)
        worker.perform
      end
+
+      it 'calls the consistency_fix_service to fix the inconsistencies' do
+        allow_next_instance_of(Database::ConsistencyFixService) do |instance|
+          expect(instance).to receive(:execute).with(
+            ids: [missing_namespace.id]
+          ).and_call_original
+        end
+        worker.perform
+      end
    end
  end
 end
--- a/spec/workers/database/ci_project_mirrors_consistency_check_worker_spec.rb
+++ b/spec/workers/database/ci_project_mirrors_consistency_check_worker_spec.rb
@ -38,7 +38,7 @@ RSpec.describe Database::CiProjectMirrorsConsistencyCheckWorker do
      before do
        redis_shared_state_cleanup!
        stub_feature_flags(ci_project_mirrors_consistency_check: true)
-        create_list(:project, 10) # This will also create Ci::NameSpaceMirror objects
+        create_list(:project, 10) # This will also create Ci::ProjectMirror objects
        missing_project.delete

        allow_next_instance_of(Database::ConsistencyCheckService) do |instance|
@ -62,6 +62,15 @@ RSpec.describe Database::CiProjectMirrorsConsistencyCheckWorker do
        expect(worker).to receive(:log_extra_metadata_on_done).with(:results, expected_result)
        worker.perform
      end
+
+      it 'calls the consistency_fix_service to fix the inconsistencies' do
+        expect_next_instance_of(Database::ConsistencyFixService) do |instance|
+          expect(instance).to receive(:execute).with(
+            ids: [missing_project.id]
+          ).and_call_original
+        end
+        worker.perform
+      end
    end
  end
 end