diff --git a/app/assets/stylesheets/pages/search.scss b/app/assets/stylesheets/pages/search.scss index cb38fb104dc..c84a83c1fab 100644 --- a/app/assets/stylesheets/pages/search.scss +++ b/app/assets/stylesheets/pages/search.scss @@ -252,7 +252,8 @@ input[type='checkbox']:hover { .btn-search, .btn-success, - .dropdown-menu-toggle { + .dropdown-menu-toggle, + .gl-new-dropdown { width: 100%; margin-top: 5px; @@ -270,7 +271,8 @@ input[type='checkbox']:hover { } } - .dropdown-menu-toggle { + .dropdown-menu-toggle, + .gl-new-dropdown { @include media-breakpoint-up(sm) { width: 180px; margin-top: 0; diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb index c1fa104ffda..f19333d5d57 100644 --- a/app/controllers/admin/users_controller.rb +++ b/app/controllers/admin/users_controller.rb @@ -2,6 +2,7 @@ class Admin::UsersController < Admin::ApplicationController include RoutableActions + include SortingHelper before_action :user, except: [:index, :new, :create] before_action :check_impersonation_availability, only: :impersonate @@ -18,7 +19,8 @@ class Admin::UsersController < Admin::ApplicationController @users = User.filter_items(params[:filter]).order_name_asc @users = @users.search(params[:search_query], with_private_emails: true) if params[:search_query].present? @users = users_with_included_associations(@users) - @users = @users.sort_by_attribute(@sort = params[:sort]) + @sort = params[:sort].presence || sort_value_name + @users = @users.sort_by_attribute(@sort) @users = @users.page(params[:page]) @users = @users.without_count if paginate_without_count? end diff --git a/app/helpers/sorting_helper.rb b/app/helpers/sorting_helper.rb index fb30e8ca059..4db14d5cc4d 100644 --- a/app/helpers/sorting_helper.rb +++ b/app/helpers/sorting_helper.rb @@ -328,6 +328,16 @@ module SortingHelper sort_direction_button(url, reverse_sort, sort_value) end + + def admin_users_sort_options(path_params) + users_sort_options_hash.map do |value, text| + { + value: value, + text: text, + href: admin_users_path(sort: value, **path_params) + } + end + end end SortingHelper.prepend_mod_with('SortingHelper') diff --git a/app/views/admin/users/_users.html.haml b/app/views/admin/users/_users.html.haml index 6fdf383d571..43bf29ca0e1 100644 --- a/app/views/admin/users/_users.html.haml +++ b/app/views/admin/users/_users.html.haml @@ -60,17 +60,9 @@ = hidden_field_tag :sort, @sort = sprite_icon('search', css_class: 'search-icon') = button_tag s_('AdminUsers|Search users') if Rails.env.test? - .dropdown.gl-ml-3 - = label_tag 'Sort by', nil, class: 'label-bold' - - toggle_text = @sort.present? ? users_sort_options_hash[@sort] : sort_title_name - = dropdown_toggle(toggle_text, { toggle: 'dropdown' }) - %ul.dropdown-menu.dropdown-menu-right - %li.dropdown-header - = s_('AdminUsers|Sort by') - %li - - users_sort_options_hash.each do |value, title| - = link_to admin_users_path(sort: value, filter: params[:filter], search_query: params[:search_query]) do - = title + .dropdown.gl-sm-ml-3 + = label_tag s_('AdminUsers|Sort by') + = gl_redirect_listbox_tag admin_users_sort_options(filter: params[:filter], search_query: params[:search_query]), @sort, data: { right: true } #js-admin-users-app{ data: admin_users_data_attributes(@users) } .gl-spinner-container.gl-my-7 diff --git a/app/views/groups/runners/_runner.html.haml b/app/views/groups/runners/_runner.html.haml index 78ce5b3e110..3297d3c473f 100644 --- a/app/views/groups/runners/_runner.html.haml +++ b/app/views/groups/runners/_runner.html.haml @@ -33,7 +33,7 @@ .table-mobile-header{ role: 'rowheader' }= _('Projects') .table-mobile-content - if runner.group_type? - = _('n/a') + \- - else = runner.runner_projects.count(:all) diff --git a/data/deprecations/JTW_v2_update.yml b/data/deprecations/15-0-JTW_v2_update.yml similarity index 92% rename from data/deprecations/JTW_v2_update.yml rename to data/deprecations/15-0-JTW_v2_update.yml index 53aa9ca2c19..39880d7fbe0 100644 --- a/data/deprecations/JTW_v2_update.yml +++ b/data/deprecations/15-0-JTW_v2_update.yml @@ -14,7 +14,7 @@ announcement_milestone: "14.8" # The milestone when this feature was first announced as deprecated. announcement_date: "2022-02-22" # The date of the milestone release when this feature was first announced as deprecated. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post. removal_milestone: "15.0" # The milestone when this feature is planned to be removed - removal_date: # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post. + removal_date: "2022-05-22" # The date of the milestone release when this feature is planned to be removed. This should almost always be the 22nd of a month (YYYY-MM-22), unless you did an out of band blog post. breaking_change: true # If this deprecation is a breaking change, set this value to true reporter: dhershkovitch # GitLab username of the person reporting the deprecation body: | # Do not modify this line, instead modify the lines below. diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index e96784c8d3e..eac968f2f34 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -48,7 +48,7 @@ changes to your code, settings, or workflow. The `CI_JOB_JWT` will be updated to support a wider variety of cloud providers. It will be changed to match [`CI_JOB_JWT_V2`](https://docs.gitlab.com/ee/ci/variables/predefined_variables.html), but this change may not be backwards compatible for all users, including Hashicorp Vault users. To maintain the current behavior, users can switch to using `CI_JOB_JWT_V1`, or update their configuration in GitLab 15.0 to use the improved `CI_JOB_JWT`. -**Planned removal milestone: 15.0 ()** +**Planned removal milestone: 15.0 (2022-05-22)** ### Configurable Gitaly `per_repository` election strategy diff --git a/doc/user/infrastructure/clusters/deploy/inventory_object.md b/doc/user/infrastructure/clusters/deploy/inventory_object.md index 64955b2d2b6..d76ef0b9359 100644 --- a/doc/user/infrastructure/clusters/deploy/inventory_object.md +++ b/doc/user/infrastructure/clusters/deploy/inventory_object.md @@ -4,66 +4,74 @@ group: Configure info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments --- -# Inventory object **(PREMIUM)** +# Tracking cluster resources managed by GitLab **(PREMIUM)** > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/332227) in GitLab 14.0. -An inventory object is a `ConfigMap` object for keeping track of the set of objects applied to a cluster. -When you remove objects from a manifest repository, the agent uses a corresponding inventory object to -prune (delete) objects from the cluster. +GitLab uses an inventory object to track the resources you deploy to your cluster. +The inventory object is a `ConfigMap` that contains a list of controlled objects. +The managed resources use the `cli-utils.sigs.k8s.io/inventory-id` annotation. -The agent creates an inventory object for each manifest project specified in the -`gitops.manifest_projects` configuration section. The inventory object has to be stored somewhere in the cluster. -The default behavior is: +## Default location of the inventory object -- The `namespace` used comes from `gitops.manifest_projects[].default_namespace`. If you don't specify this parameter - explicitly, the inventory object is stored in the `default` namespace. -- The `name` is generated from the numeric project ID of the manifest project and the numeric agent ID. - - This way, the agent constructs the name and location where the inventory object is - stored in the cluster. - -The agent cannot locate the existing inventory object if you: - -- Change `gitops.manifest_projects[].default_namespace` parameter. -- Move manifests into another project. - -## Inventory object template - -The inventory object template is a `ConfigMap` object that allows you to configure the namespace and the name of the inventory -object. Store this template with manifest files as a single logical group. - -Example inventory object template: +In the agent configuration file, you specify a list of projects. For example: ```yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: unique-name-for-the-inventory - namespace: my-project-namespace - labels: - cli-utils.sigs.k8s.io/inventory-id: unique-name-for-the-inventory +gitops: + manifest_projects: + - id: gitlab-org/cluster-integration/gitlab-agent + default_namespace: my-ns ``` -- The `namespace` and `name` fields configure where the real inventory object is created. -- The `cli-utils.sigs.k8s.io/inventory-id` label with its corresponding value is set on the inventory object, created - from this template. Make sure that the value is unique (for example, a string of random characters) and doesn't clash - with any existing or future inventory object templates. -- Objects tracked by this inventory object have the `config.k8s.io/owning-inventory` annotation set to the value of - the `cli-utils.sigs.k8s.io/inventory-id` label. -- The label's value doesn't have to match the `name` but it's convenient to have them set to the same value. -- Make sure that the `name` is unique so that it doesn't conflict with another inventory object in the same - namespace in the future. +The agent creates an inventory object for every item in the `manifest_projects` list. +The inventory object is stored in the namespace you specify for `default_namespace`. -## Using GitOps with pre-existing Kubernetes objects +The name and location of the inventory object is based on: -The agent treats manifest files in the manifest repository as the source of truth. When it applies -objects from the files to the cluster, it tracks them in an inventory object. If an object already exists, -The agent behaves differently based on the `gitops.manifest_projects[].inventory_policy` configuration. -Check the table below with the available options and when to use them. +- The `default_namespace`. If you don't specify this parameter, + the inventory object is stored in the `default` namespace. +- The `name`, which is the ID of the project with the manifest and the ID of the agent. + +WARNING: +The agent cannot locate the existing inventory object if you change +the `default_namespace` parameter or move manifests to another project. + +## Change the location of the inventory object + +You can configure the namespace and the name of the inventory object. +This action changes the location of the object in the cluster. + +1. Create an inventory object template, which is a `ConfigMap` object. + For example: + + ```yaml + apiVersion: v1 + kind: ConfigMap + metadata: + name: unique-name-for-the-inventory + namespace: my-project-namespace + labels: + cli-utils.sigs.k8s.io/inventory-id: unique-name-for-the-inventory + ``` + +1. Specify a `namespace` and `name`. Ensure that the `name` is unique so it doesn't conflict with other + inventory objects in the same namespace in the future. +1. Ensure the value for `cli-utils.sigs.k8s.io/inventory-id` is unique. This value is used for objects + tracked by this inventory object. Their `config.k8s.io/owning-inventory` annotation is set to this value. + + The value doesn't have to match the `name` but it's convenient to set them to the same value. + +1. Save the file with the manifest files as a single logical group. + +## `inventory_policy` options + +Sometimes your manifest changes affect resources that aren't tracked by the GitLab inventory object. + +To change how the agent behaves when it overwrites existing and previously untracked resources, +change the `inventory_policy` value. `inventory_policy` value | Description | ------------------------ | ------------------------------------------------------------------------------------------- | -`must_match` | This is the default policy. A live object must have the `config.k8s.io/owning-inventory` annotation set to the same value as the `cli-utils.sigs.k8s.io/inventory-id` label on the corresponding inventory object to be updated. Object is not updated and an error is reported if the values don't match or the object doesn't have the annotation. | -`adopt_if_no_inventory` | This mode allows to "adopt" an object if it doesn't have the `config.k8s.io/owning-inventory` annotation. Use this mode if you want to start managing existing objects using the GitOps feature. Once all objects have been "adopted", we recommend you to put the setting back into the default `must_match` mode to avoid any unexpected adoptions. | -`adopt_all` | This mode allows to "adopt" an object even if it has the `config.k8s.io/owning-inventory` annotation set to a different value. This mode can be useful if you want to migrate a set of objects from one agent to another one or from some other tool to the agent. Once all objects have been "adopted", we recommend you to put the setting back into the default `must_match` mode to avoid any unexpected adoptions. | +`must_match` | The default policy. To be updated, a live object must have the `config.k8s.io/owning-inventory` annotation set to the same value as the `cli-utils.sigs.k8s.io/inventory-id` label on the corresponding inventory object. If the values don't match or the object doesn't have the annotation, the object is not updated and an error is reported. | +`adopt_if_no_inventory` | Adopt an object if it doesn't have the `config.k8s.io/owning-inventory` annotation. Use this mode if you want to start managing existing objects by using the GitOps feature. To avoid unexpected adoptions, after all objects have been adopted, put the setting back to the default `must_match` mode. | +`adopt_all` | Adopt an object even if it has the `config.k8s.io/owning-inventory` annotation set to a different value. Use this mode if you want to migrate a set of objects from one agent to another, or from some other tool to the agent. To avoid unexpected adoptions, after all objects have been adopted, put the setting back to the default `must_match` mode. | diff --git a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb index a337fcc43c4..816ede4136a 100644 --- a/lib/gitlab/utils.rb +++ b/lib/gitlab/utils.rb @@ -5,6 +5,10 @@ module Gitlab extend self PathTraversalAttackError ||= Class.new(StandardError) + private_class_method def logger + @logger ||= Gitlab::AppLogger + end + # Ensure that the relative path will not traverse outside the base directory # We url decode the path to avoid passing invalid paths forward in url encoded format. # Also see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/24223#note_284122580 @@ -16,6 +20,7 @@ module Gitlab path_regex = %r{(\A(\.{1,2})\z|\A\.\.[/\\]|[/\\]\.\.\z|[/\\]\.\.[/\\]|\n)} if path.match?(path_regex) + logger.warn(message: "Potential path traversal attempt detected", path: "#{path}") raise PathTraversalAttackError, 'Invalid path' end diff --git a/qa/qa/specs/features/api/1_manage/migration/gitlab_migration_members_spec.rb b/qa/qa/specs/features/api/1_manage/migration/gitlab_migration_members_spec.rb index 6bc7fd65db1..704325d9235 100644 --- a/qa/qa/specs/features/api/1_manage/migration/gitlab_migration_members_spec.rb +++ b/qa/qa/specs/features/api/1_manage/migration/gitlab_migration_members_spec.rb @@ -35,7 +35,10 @@ module QA source_group.add_member(member, Resource::Members::AccessLevel::DEVELOPER) end - it 'member retains indirect membership in imported project' do + it( + 'member retains indirect membership in imported project', + testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/354416' + ) do expect_import_finished aggregate_failures do @@ -52,7 +55,10 @@ module QA source_project.add_member(member, Resource::Members::AccessLevel::DEVELOPER) end - it 'member retains direct membership in imported project' do + it( + 'member retains direct membership in imported project', + testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/354417' + ) do expect_import_finished aggregate_failures do diff --git a/spec/features/admin/users/users_spec.rb b/spec/features/admin/users/users_spec.rb index 3191a91a69f..4d9a7f31911 100644 --- a/spec/features/admin/users/users_spec.rb +++ b/spec/features/admin/users/users_spec.rb @@ -132,7 +132,7 @@ RSpec.describe 'Admin::Users' do end it 'searches with respect of sorting' do - visit admin_users_path(sort: 'Name') + visit admin_users_path(sort: 'name_asc') fill_in :search_query, with: 'Foo' click_button('Search users') @@ -604,8 +604,8 @@ RSpec.describe 'Admin::Users' do def sort_by(option) page.within('.filtered-search-block') do - find('.dropdown-menu-toggle').click - click_link option + find('.gl-new-dropdown').click + find('.gl-new-dropdown-item', text: option).click end end end diff --git a/spec/helpers/sorting_helper_spec.rb b/spec/helpers/sorting_helper_spec.rb index b49b4ad6e7e..e20fb77ad75 100644 --- a/spec/helpers/sorting_helper_spec.rb +++ b/spec/helpers/sorting_helper_spec.rb @@ -10,6 +10,18 @@ RSpec.describe SortingHelper do allow(self).to receive(:request).and_return(double(path: 'http://test.com', query_parameters: { label_name: option })) end + describe '#admin_users_sort_options' do + it 'returns correct link attributes in array' do + options = admin_users_sort_options(filter: 'filter', search_query: 'search') + + expect(options[0][:href]).to include('filter') + expect(options[0][:href]).to include('search') + options.each do |option| + expect(option[:href]).to include(option[:value]) + end + end + end + describe '#issuable_sort_option_title' do it 'returns correct title for issuable_sort_option_overrides key' do expect(issuable_sort_option_title('created_asc')).to eq('Created date') diff --git a/spec/lib/gitlab/utils_spec.rb b/spec/lib/gitlab/utils_spec.rb index 1c490f94e5f..6b12fb4a84a 100644 --- a/spec/lib/gitlab/utils_spec.rb +++ b/spec/lib/gitlab/utils_spec.rb @@ -53,6 +53,16 @@ RSpec.describe Gitlab::Utils do expect(check_path_traversal!('dir/.foo.rb')).to eq('dir/.foo.rb') end + it 'logs potential path traversal attempts' do + expect(Gitlab::AppLogger).to receive(:warn).with(message: "Potential path traversal attempt detected", path: "..") + expect { check_path_traversal!('..') }.to raise_error(/Invalid path/) + end + + it 'logs does nothing for a safe string' do + expect(Gitlab::AppLogger).not_to receive(:warn).with(message: "Potential path traversal attempt detected", path: "dir/.foo.rb") + expect(check_path_traversal!('dir/.foo.rb')).to eq('dir/.foo.rb') + end + it 'does nothing for a non-string' do expect(check_path_traversal!(nil)).to be_nil end