Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-04-05 15:08:37 +00:00
parent 7e964f54ed
commit 4001deba73
42 changed files with 583 additions and 379 deletions


@ -26,6 +26,16 @@ export default {
required: false,
default: 'confirm',
},
secondaryText: {
type: String,
required: false,
default: '',
},
secondaryVariant: {
type: String,
required: false,
default: 'confirm',
},
modalHtmlMessage: {
type: String,
required: false,
@ -47,6 +57,18 @@ export default {
},
};
},
secondaryAction() {
if (!this.secondaryText) {
return null;
}
return {
text: this.secondaryText,
attributes: {
variant: this.secondaryVariant,
},
};
},
cancelAction() {
return this.hideCancel ? null : this.$options.cancelAction;
},
@ -69,6 +91,7 @@ export default {
:title="title"
:action-primary="primaryAction"
:action-cancel="cancelAction"
:action-secondary="secondaryAction"
:hide-header="!shouldShowHeader"
@primary="$emit('confirmed')"
@hidden="$emit('closed')"
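Review bot: The new `secondaryAction` computed is bound to `:action-secondary`, but the template hunk wires only `@primary` and `@hidden`, so a click on the secondary button is indistinguishable from cancel: the modal hides and only `closed` is emitted. If that is intended, say so on the prop, e.g. `// Optional second button; it only dismisses the modal and cannot be told apart from cancel.` above `secondaryText`; if callers should be able to act on it, add `@secondary="$emit('secondary')"` next to `@primary`. The `export default` object and the `<gl-modal>` element both extend outside the hunks shown here.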


@ -2,7 +2,15 @@ import Vue from 'vue';
export function confirmAction(
message,
{ primaryBtnVariant, primaryBtnText, modalHtmlMessage, title, hideCancel } = {},
{
primaryBtnVariant,
primaryBtnText,
secondaryBtnVariant,
secondaryBtnText,
modalHtmlMessage,
title,
hideCancel,
} = {},
) {
return new Promise((resolve) => {
let confirmed = false;
@ -16,6 +24,8 @@ export function confirmAction(
'confirm-modal',
{
props: {
secondaryText: secondaryBtnText,
secondaryVariant: secondaryBtnVariant,
primaryVariant: primaryBtnVariant,
primaryText: primaryBtnText,
title,
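Review bot: `confirmAction` now accepts seven options but has no documentation, so a caller cannot tell that leaving `secondaryBtnText` unset suppresses the secondary button entirely (the component returns a null action for an empty text), or what values the two `*BtnVariant` options accept. Add a JSDoc block above the function listing `message` and each option with type and default, stating that the variants are passed straight through to the modal button `variant` attribute, and that `modalHtmlMessage` by its name appears to be rendered as HTML and must therefore never carry untrusted content; confirm that last point against the component before stating it as fact. The function body continues past the end of this hunk.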


@ -52,11 +52,11 @@ class KeysFinder
end
def valid_fingerprint_param?
if fingerprint_type == "sha256"
Base64.decode64(fingerprint).length == 32
else
fingerprint =~ /^(\h{2}:){15}\h{2}/
end
return Base64.decode64(fingerprint).length == 32 if fingerprint_type == "sha256"
return false if Gitlab::FIPS.enabled?
fingerprint =~ /^(\h{2}:){15}\h{2}/
end
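Review bot: The MD5 branch kept on the new side, `fingerprint =~ /^(\h{2}:){15}\h{2}/`, anchors only at a line start and has no end anchor, so a request parameter with a leading newline, or with arbitrary trailing text after the sixteen hex pairs, still satisfies `valid_fingerprint_param?`. Because this is the validator for user input, anchor it to the whole string and return a real boolean: `fingerprint.match?(/\A(\h{2}:){15}\h{2}\z/)`. Whether the loose match is exploitable depends on how `fingerprint_query` consumes the value, which is outside this hunk, but a validator should not rely on that. The FIPS guard added above it is fine; it rejects MD5 fingerprints outright when `Gitlab::FIPS.enabled?`.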
def fingerprint_query


@ -8,7 +8,7 @@
%span
= "##{runner.id} (#{runner.short_sha})"
- if runner.locked?
%span.has-tooltip{ title: _('Locked to current projects') }
%span.has-tooltip{ title: s_('Runners|Runner is locked and available for currently assigned projects only. Only administrators can change the assigned projects.') }
= sprite_icon('lock')
.gl-ml-2
.btn-group.btn-group-sm


@ -1,8 +0,0 @@
---
name: import_project_from_remote_file
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/59033
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/330039
milestone: '13.12'
type: development
group: group::import
default_enabled: true


@ -1,11 +0,0 @@
---
redirect_to: 'check.md#verify-database-values-can-be-decrypted-using-the-current-secrets'
remove_date: '2022-03-04'
---
This document was moved to [another location](check.md#verify-database-values-can-be-decrypted-using-the-current-secrets).
<!-- This redirect file can be deleted after 2022-03-04. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->


@ -1,11 +0,0 @@
---
redirect_to: 'https://about.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/'
remove_date: '2022-03-01'
---
This document was moved to [another location](https://about.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/).
<!-- This redirect file can be deleted after 2022-03-01. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->


@ -1,11 +0,0 @@
---
redirect_to: '../index.md'
remove_date: '2022-03-08'
---
This document was removed. For information about installing GitLab, see [this page](../index.md).
<!-- This redirect file can be deleted after <2022-03-08>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->


@ -44,7 +44,7 @@ GitLab IaC scanning supports a variety of IaC configuration files. Our IaC secur
| Terraform <sup>2</sup> | [KICS](https://kics.io/) | 14.5 |
1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
### Making IaC analyzers available to all GitLab tiers
@ -55,13 +55,13 @@ All open source (OSS) analyzers are available with the GitLab Free tier. Future
Different features are available in different [GitLab tiers](https://about.gitlab.com/pricing/),
as shown in the following table:
| Capability | In Free | In Ultimate |
|:---------------------------------------------------------------------------------------|:--------------------|:-------------------|
| [Configure IaC Scanners](#configuration) | **{check-circle}** | **{check-circle}** |
| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| Presentation of JSON Report in merge request | **{dotted-circle}** | **{check-circle}** |
| [Address vulnerabilities](../../application_security/vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| Capability | In Free & Premium | In Ultimate |
|:----------------------------------------------------------------|:--------------------|:-------------------|
| [Configure IaC scanner](#configuration) | **{check-circle}** | **{check-circle}** |
| Download [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| See new findings in merge request widget | **{dotted-circle}** | **{check-circle}** |
| [Manage vulnerabilities](../vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access the Security Dashboard](../security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
## Contribute your scanner


@ -141,17 +141,17 @@ All open source (OSS) analyzers have been moved to the GitLab Free tier as of Gi
Different features are available in different [GitLab tiers](https://about.gitlab.com/pricing/),
as shown in the following table:
| Capability | In Free | In Ultimate |
|:---------------------------------------------------------------------------------------|:--------------------|:-------------------|
| [Configure SAST Scanners](#configuration) | **{check-circle}** | **{check-circle}** |
| [Customize SAST Settings](#available-cicd-variables) | **{check-circle}** | **{check-circle}** |
| View [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| Presentation of JSON Report in Merge Request | **{dotted-circle}** | **{check-circle}** |
| [Address vulnerabilities](../../application_security/vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](../../application_security/security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST Rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
| [False Positive Detection](#false-positive-detection) | **{dotted-circle}** | **{check-circle}** |
| Capability | In Free & Premium | In Ultimate |
|:----------------------------------------------------------------|:--------------------|:-------------------|
| [Configure SAST scanners](#configuration) | **{check-circle}** | **{check-circle}** |
| [Customize SAST settings](#available-cicd-variables) | **{check-circle}** | **{check-circle}** |
| Download [JSON Report](#reports-json-format) | **{check-circle}** | **{check-circle}** |
| See new findings in merge request widget | **{dotted-circle}** | **{check-circle}** |
| [Manage vulnerabilities](../vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access the Security Dashboard](../security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Configure SAST in the UI](#configure-sast-in-the-ui) | **{dotted-circle}** | **{check-circle}** |
| [Customize SAST rulesets](#customize-rulesets) | **{dotted-circle}** | **{check-circle}** |
| [Detect False Positives](#false-positive-detection) | **{dotted-circle}** | **{check-circle}** |
## Contribute your scanner
@ -524,7 +524,7 @@ Several passthrouh types generate a configuration for the target analyzer:
the configuration.
- If there is a filename collision between files in both repositories, files
from the `sast` repository overwrite files from the `myrules` repository,
as `sast-rules` has higher precedence.
as `sast-rules` has higher precedence.
- The `raw` entry creates a file named `insecure.yml` under `/sgrules`. The
full path is `/sgrules/insecure.yml`.
- The `url` entry fetches a configuration made available through a URL and
@ -991,7 +991,7 @@ Support for custom certificate authorities was introduced in the following versi
| `phpcs-security-audit` | [v2.8.2](https://gitlab.com/gitlab-org/security-products/analyzers/phpcs-security-audit/-/releases/v2.8.2) |
| `pmd-apex` | [v2.1.0](https://gitlab.com/gitlab-org/security-products/analyzers/pmd-apex/-/releases/v2.1.0) |
| `security-code-scan` | [v2.7.3](https://gitlab.com/gitlab-org/security-products/analyzers/security-code-scan/-/releases/v2.7.3) |
| `semgrep` | [v0.0.1](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/releases/v0.0.1) |
| `semgrep` | [v0.0.1](https://gitlab.com/gitlab-org/security-products/analyzers/semgrep/-/releases/v0.0.1) |
| `sobelow` | [v2.2.0](https://gitlab.com/gitlab-org/security-products/analyzers/sobelow/-/releases/v2.2.0) |
| `spotbugs` | [v2.7.1](https://gitlab.com/gitlab-org/security-products/analyzers/spotbugs/-/releases/v2.7.1) |


@ -60,13 +60,14 @@ as shown in the following table:
| Capability | In Free & Premium | In Ultimate |
|:----------------------------------------------------------------|:--------------------|:-------------------|
| [Configure Secret Detection Scanners](#configuration) | **{check-circle}** | **{check-circle}** |
| [Customize Secret Detection Settings](#customizing-settings) | **{check-circle}** | **{check-circle}** |
| View [JSON Report](../sast/index.md#reports-json-format) | **{check-circle}** | **{check-circle}** |
| Presentation of JSON Report in merge request | **{dotted-circle}** | **{check-circle}** |
| [Configure Secret Detection scanner](#configuration) | **{check-circle}** | **{check-circle}** |
| [Customize Secret Detection settings](#customizing-settings) | **{check-circle}** | **{check-circle}** |
| Download [JSON Report](../sast/index.md#reports-json-format) | **{check-circle}** | **{check-circle}** |
| See new findings in the merge request widget | **{dotted-circle}** | **{check-circle}** |
| View identified secrets in the pipelines' **Security** tab | **{dotted-circle}** | **{check-circle}** |
| [Interaction with Vulnerabilities](../vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access to Security Dashboard](../security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Manage vulnerabilities](../vulnerabilities/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Access the Security Dashboard](../security_dashboard/index.md) | **{dotted-circle}** | **{check-circle}** |
| [Customize Secret Detection rulesets](#custom-rulesets) | **{dotted-circle}** | **{check-circle}** |
## Configuration



@ -9,17 +9,19 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36524) in GitLab 12.8 as Compliance Dashboard.
> - [Renamed](https://gitlab.com/gitlab-org/gitlab/-/issues/299360) to compliance report in GitLab 14.2.
> - [Replaced](https://gitlab.com/groups/gitlab-org/-/epics/5237) by merge request violations in GitLab 14.6 [with a flag](../../../administration/feature_flags.md) named `compliance_violations_report`. Disabled by default.
> - GraphQL API [introduced](https://gitlab.com/groups/gitlab-org/-/epics/7222) in GitLab 14.9.
> - [Generally available](https://gitlab.com/groups/gitlab-org/-/epics/5237) in GitLab 14.10. [Feature flag `compliance_violations_report`](https://gitlab.com/gitlab-org/gitlab/-/issues/346266) removed.
Compliance report gives you the ability to see a group's merge request activity. It provides a
high-level view for all projects in the group. For example, code approved for merging into
production.
You can use the report to:
You can use the report to get:
- Get an overview of the latest merge request for each project.
- See if merge requests were approved and by whom.
- See merge request authors.
- See the latest [CI/CD pipeline](../../../ci/pipelines/index.md) result for each merge request.
- A list of compliance violations from all merged merge requests within the group.
- The reason and severity of each compliance violation.
- A link to the merge request that caused each compliance violation.
## View the compliance report for a group
@ -32,8 +34,36 @@ To view the compliance report:
1. On the top bar, select **Menu > Groups** and find your group.
1. On the left sidebar, select **Security & Compliance > Compliance report**.
NOTE:
The compliance report shows only the latest merge request on each project.
### Severity levels scale
The following is a list of available violation severity levels, ranked from most to least severe:
| Icon | Severity level |
|:----------------------------------------------|:---------------|
| **{severity-critical, 18, gl-fill-red-800}** | Critical |
| **{severity-high, 18, gl-fill-red-600}** | High |
| **{severity-medium, 18, gl-fill-orange-400}** | Medium |
| **{severity-low, 18, gl-fill-orange-300}** | Low |
| **{severity-info, 18, gl-fill-blue-400}** | Info |
### Violation types
The following is a list of violations that are either:
- Already available.
- Aren't available, but which we are tracking in issues.
| Violation | Severity level | Category | Description | Availability |
|:-------------------------------------|:----------------|:---------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------------------|
| Author approved merge request | High | [Separation of duties](#separation-of-duties) | The author of the merge request approved their own merge request. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
| Committers approved merge request | High | [Separation of duties](#separation-of-duties) | The committers of the merge request approved the merge request they contributed to. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
| Fewer than two approvals | High | [Separation of duties](#separation-of-duties) | The merge request was merged with fewer than two approvals. [Learn more](../../project/merge_requests/approvals/rules.md). | [Available in GitLab 14.10](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
| Pipeline failed | Medium | [Pipeline results](../../../ci/pipelines/index.md) | The merge requests pipeline failed and was merged. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Pipeline passed with warnings | Info | [Pipeline results](../../../ci/pipelines/index.md) | The merge request pipeline passed with warnings and was merged. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down more than 10% | High | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of more than 10%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down between 5% to 10% | Medium | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of between 5% to 10%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down between 1% to 5% | Low | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of between 1% to 5%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down less than 1% | Info | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of less than 1%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
## Merge request drawer
@ -51,30 +81,15 @@ request:
- A list of users that approved the merge request.
- The user that merged the merge request.
## Approval status and separation of duties
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217939) in GitLab 13.3.
## Separation of duties
We support a separation of duties policy between users who create and approve merge requests.
The approval status column can help you identify violations of this policy.
Our criteria for the separation of duties is as follows:
- [A merge request author is **not** allowed to approve their merge request](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author)
- [A merge request committer is **not** allowed to approve a merge request they have added commits to](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits)
- [The minimum number of approvals required to merge a merge request is **at least** two](../../project/merge_requests/approvals/rules.md)
The **Approval status** column shows you at a glance whether a merge request is complying with the above.
This column has four states:
| State | Description |
|:------|:------------|
| Empty | The merge request approval status is unknown |
| ![Failed](img/failed_icon_v13_3.png) | The merge request **does not** comply with any of the above criteria |
| ![Warning](img/warning_icon_v13_3.png) | The merge request complies with **some** of the above criteria |
| ![Success](img/success_icon_v13_3.png) | The merge request complies with **all** of the above criteria |
If you see a non-success state, review the criteria for the merge request's project to ensure it complies with the separation of duties.
## Chain of Custody report
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/213364) in GitLab 13.3.
@ -105,64 +120,3 @@ You can generate a commit-specific Chain of Custody report for a given commit SH
NOTE:
The Chain of Custody report download is a CSV file, with a maximum size of 15 MB.
The remaining records are truncated when this limit is reached.
## Merge request violations
> - Introduced in GitLab 14.6. [Deployed behind the `compliance_violations_report` flag](../../../administration/feature_flags.md). Disabled by default.
> - GraphQL API [introduced](https://gitlab.com/groups/gitlab-org/-/epics/7222) in GitLab 14.9.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available,
ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `compliance_violations_report`.
On GitLab.com, this feature is not available. This feature is not ready for production use.
Merge request violations provide a view of all the [separation of duties](#approval-status-and-separation-of-duties) compliance violations
that exist in projects in a specific group. For each separation of duties compliance violation, you can see:
- A list of compliance violations.
- The severity of each compliance violation.
- Reason for the compliance violation.
- A link to the merge request that caused the compliance violation.
Merge request violations can be accessed:
- In the GitLab UI.
- Using the [GraphQL API](../../../api/graphql/reference/index.md#complianceviolation) (GitLab 14.9 and later).
### View merge request violations
To view merge request violations:
1. On the top bar, select **Menu > Groups** and find your group.
1. On the left sidebar, select **Security & Compliance > Compliance report**.
### Severity levels scale
The following is a list of available violation severity levels, ranked from most to least severe:
| Icon | Severity level |
|:----------------------------------------------|:---------------|
| **{severity-critical, 18, gl-fill-red-800}** | Critical |
| **{severity-high, 18, gl-fill-red-600}** | High |
| **{severity-medium, 18, gl-fill-orange-400}** | Medium |
| **{severity-low, 18, gl-fill-orange-300}** | Low |
| **{severity-info, 18, gl-fill-blue-400}** | Info |
### Violation types
The following is a list of violations that are either:
- Already available.
- Aren't available, but which we are tracking in issues.
| Violation | Severity level | Category | Description | Availability |
|:-------------------------------------|:----------------|:----------------------------------------------------------------------------------------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:--------------------------------------------------------------------|
| Author approved merge request | High | [Separation of duties](#approval-status-and-separation-of-duties) | The author of the merge request approved their own merge request. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approval-by-author). | [Unavailable](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
| Committers approved merge request | High | [Separation of duties](#approval-status-and-separation-of-duties) | The committers of the merge request approved the merge request they contributed to. [Learn more](../../project/merge_requests/approvals/settings.md#prevent-approvals-by-users-who-add-commits). | [Unavailable](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
| Fewer than two approvals | High | [Separation of duties](#approval-status-and-separation-of-duties) | The merge request was merged with fewer than two approvals. [Learn more](../../project/merge_requests/approvals/rules.md). | [Unavailable](https://gitlab.com/groups/gitlab-org/-/epics/6870) |
| Pipeline failed | Medium | [Pipeline results](../../../ci/pipelines/index.md) | The merge requests pipeline failed and was merged. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Pipeline passed with warnings | Info | [Pipeline results](../../../ci/pipelines/index.md) | The merge request pipeline passed with warnings and was merged. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down more than 10% | High | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of more than 10%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down between 5% to 10% | Medium | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of between 5% to 10%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down between 1% to 5% | Low | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of between 1% to 5%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |
| Code coverage down less than 1% | Info | [Code coverage](../../../ci/pipelines/settings.md#merge-request-test-coverage-results) | The code coverage report for the merge request indicates a reduction in coverage of less than 1%. | [Unavailable](https://gitlab.com/gitlab-org/gitlab/-/issues/346011) |


@ -124,8 +124,8 @@ Only one CODEOWNERS pattern can match per file path.
### Organize Code Owners by putting them into sections
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12137) in GitLab 13.2 behind a feature flag, enabled by default.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/42389) in GitLab 13.4.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/12137) in GitLab 13.2 [with a flag](../../administration/feature_flags.md) named `sectional_codeowners`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/42389) in GitLab 13.4. Feature flag `sectional_codeowners` removed.
You can organize Code Owners by putting them into named sections.


@ -1,11 +0,0 @@
---
redirect_to: 'index.md'
remove_date: '2022-02-24'
---
This file was moved to [another location](index.md).
<!-- This redirect file can be deleted after <2022-02-24>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->


@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
# GitLab Pages integration with Let's Encrypt **(FREE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/28996) in GitLab 12.1. For versions earlier than GitLab 12.1, see the [manual Let's Encrypt instructions](../lets_encrypt_for_gitlab_pages.md).
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/28996) in GitLab 12.1.
The GitLab Pages integration with Let's Encrypt (LE) allows you
to use LE certificates for your Pages website with custom domains


@ -1,11 +0,0 @@
---
redirect_to: 'custom_domains_ssl_tls_certification/lets_encrypt_integration.md'
remove_date: '2022-03-14'
---
This file was moved to [another location](custom_domains_ssl_tls_certification/lets_encrypt_integration.md).
<!-- This redirect file can be deleted after <2022-03-14>. -->
<!-- Redirects that point to other docs in the same project expire in three months. -->
<!-- Redirects that point to docs in a different project or site (for example, link is not relative and starts with `https:`) expire in one year. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/redirects.html -->


@ -147,8 +147,8 @@ Deploy keys are not available in the **Allowed to merge** dropdown list.
## Allow force push on a protected branch
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/15611) in GitLab 13.10 behind a disabled feature flag.
> - [Feature flag removed](https://gitlab.com/gitlab-org/gitlab/-/issues/323431) in GitLab 14.0.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/15611) in GitLab 13.10 [with a flag](../../administration/feature_flags.md) named `allow_force_push_to_protected_branches`. Disabled by default.
> - [Enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/323431) in GitLab 14.0. Feature flag `allow_force_push_to_protected_branches` removed.
You can allow [force pushes](../../topics/git/git_rebase.md#force-push) to
protected branches.


@ -1,9 +0,0 @@
---
redirect_to: 'mirror/index.md'
remove_date: '2022-03-22'
---
This document was moved to [another location](mirror/index.md).
<!-- This redirect file can be deleted after <2022-03-22>. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page -->


@ -135,8 +135,6 @@ module API
success Entities::ProjectImportStatus
end
post 'remote-import' do
not_found! unless ::Feature.enabled?(:import_project_from_remote_file, default_enabled: :yaml)
check_rate_limit! :project_import, scope: [current_user, :project_import]
response = ::Import::GitlabProjects::CreateProjectService.new(


@ -14,6 +14,7 @@ module Gitlab
def initialize(json_data, report, vulnerability_finding_signatures_enabled = false, validate: false)
@json_data = json_data
@report = report
@project = report.project
@validate = validate
@vulnerability_finding_signatures_enabled = vulnerability_finding_signatures_enabled
end
@ -51,22 +52,27 @@ module Gitlab
#
# After 15.0 we will enforce schema validation by default
# See: https://gitlab.com/groups/gitlab-org/-/epics/6968
schema_validation_passed = schema_validator.valid?
schema_validator.deprecation_warnings.each { |deprecation_warning| report.add_warning('Schema', deprecation_warning) }
if validate
schema_validator.errors.each { |error| report.add_error('Schema', error) } unless schema_validation_passed
schema_validation_passed = schema_validator.valid?
# Validation warnings are errors
schema_validator.errors.each { |error| report.add_error('Schema', error) }
schema_validator.warnings.each { |warning| report.add_error('Schema', warning) }
schema_validation_passed
else
# We treat all schema validation errors as warnings
# Validation warnings are warnings
schema_validator.errors.each { |error| report.add_warning('Schema', error) }
schema_validator.warnings.each { |warning| report.add_warning('Schema', warning) }
true
end
end
def schema_validator
@schema_validator ||= ::Gitlab::Ci::Parsers::Security::Validators::SchemaValidator.new(report.type, report_data, report.version)
@schema_validator ||= ::Gitlab::Ci::Parsers::Security::Validators::SchemaValidator.new(report.type, report_data, report.version, project: @project)
end
def report_data
@ -136,7 +142,7 @@ module Gitlab
metadata_version: report_version,
details: data['details'] || {},
signatures: signatures,
project_id: report.project_id,
project_id: @project.id,
vulnerability_finding_signatures_enabled: @vulnerability_finding_signatures_enabled))
end
@ -279,7 +285,7 @@ module Gitlab
report_type: report.type,
primary_identifier_fingerprint: primary_identifier&.fingerprint,
location_fingerprint: location_fingerprint,
project_id: report.project_id
project_id: @project.id
}
if uuid_v5_name_components.values.any?(&:nil?)
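Review bot: In the `if validate` branch of the second hunk, validator warnings are now written to the report as errors ("Validation warnings are errors"), but the method still returns `schema_validation_passed`, which only reflects `valid?`; since the validator files schema failures under `warnings` rather than `errors` when the enforcement flag is off, a report can end up with entries in `report.errors` while parsing continues as though validation passed. If the promotion is meant to stop parsing, make the return value agree with what was written, e.g. `schema_validation_passed && schema_validator.warnings.empty?`, or have `valid?` account for warnings. `valid?` itself is outside this hunk, so confirm against its definition before changing either side. The remaining hunks only swap `report.project_id` for `@project.id`, which is behaviour-neutral as long as `report.project` is always present.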


@ -26,19 +26,19 @@ module Gitlab
8.0.0-rc1 8.0.1-rc1 8.1.0-rc1 9.0.0-rc1].freeze
# These come from https://app.periscopedata.com/app/gitlab/895813/Secure-Scan-metrics?widget=12248944&udv=1385516
KNOWN_VERSIONS_TO_DEPRECATE = %w[0.1 1.0 1.0.0 1.2 1.3 10.0.0 12.1.0 13.1.0 2.0 2.1 2.1.0 2.3 2.3.0 2.4 3.0 3.0.0 3.0.6 3.13.2 V2.7.0].freeze
KNOWN_VERSIONS_TO_REMOVE = %w[0.1 1.0 1.0.0 1.2 1.3 10.0.0 12.1.0 13.1.0 2.0 2.1 2.1.0 2.3 2.3.0 2.4 3.0 3.0.0 3.0.6 3.13.2 V2.7.0].freeze
VERSIONS_TO_DEPRECATE_IN_15_0 = (PREVIOUS_RELEASES + KNOWN_VERSIONS_TO_DEPRECATE).freeze
VERSIONS_TO_REMOVE_IN_15_0 = (PREVIOUS_RELEASES + KNOWN_VERSIONS_TO_REMOVE).freeze
DEPRECATED_VERSIONS = {
cluster_image_scanning: VERSIONS_TO_DEPRECATE_IN_15_0,
container_scanning: VERSIONS_TO_DEPRECATE_IN_15_0,
coverage_fuzzing: VERSIONS_TO_DEPRECATE_IN_15_0,
dast: VERSIONS_TO_DEPRECATE_IN_15_0,
api_fuzzing: VERSIONS_TO_DEPRECATE_IN_15_0,
dependency_scanning: VERSIONS_TO_DEPRECATE_IN_15_0,
sast: VERSIONS_TO_DEPRECATE_IN_15_0,
secret_detection: VERSIONS_TO_DEPRECATE_IN_15_0
cluster_image_scanning: VERSIONS_TO_REMOVE_IN_15_0,
container_scanning: VERSIONS_TO_REMOVE_IN_15_0,
coverage_fuzzing: VERSIONS_TO_REMOVE_IN_15_0,
dast: VERSIONS_TO_REMOVE_IN_15_0,
api_fuzzing: VERSIONS_TO_REMOVE_IN_15_0,
dependency_scanning: VERSIONS_TO_REMOVE_IN_15_0,
sast: VERSIONS_TO_REMOVE_IN_15_0,
secret_detection: VERSIONS_TO_REMOVE_IN_15_0
}.freeze
class Schema
@ -86,15 +86,18 @@ module Gitlab
end
end
def initialize(report_type, report_data, report_version = nil)
def initialize(report_type, report_data, report_version = nil, project: nil)
@report_type = report_type&.to_sym
@report_data = report_data
@report_version = report_version
@project = project
@errors = []
@warnings = []
@deprecation_warnings = []
populate_errors
populate_warnings
populate_deprecation_warnings
end
def valid?
@ -102,25 +105,46 @@ module Gitlab
end
def populate_errors
if Feature.enabled?(:enforce_security_report_validation)
@errors += schema.validate(report_data).map { |error| JSONSchemer::Errors.pretty(error) }
schema_validation_errors = schema.validate(report_data).map { |error| JSONSchemer::Errors.pretty(error) }
log_warnings(problem_type: 'schema_validation_fails') unless schema_validation_errors.empty?
if Feature.enabled?(:enforce_security_report_validation, @project)
@errors += schema_validation_errors
else
@warnings += schema.validate(report_data).map { |error| JSONSchemer::Errors.pretty(error) }
@warnings += schema_validation_errors
end
end
def populate_warnings
add_deprecated_report_version_message if report_uses_deprecated_schema_version?
add_unsupported_report_version_message if !report_uses_supported_schema_version? && !report_uses_deprecated_schema_version?
end
def populate_deprecation_warnings
add_deprecated_report_version_message if report_uses_deprecated_schema_version?
end
def add_deprecated_report_version_message
log_warnings(problem_type: 'using_deprecated_schema_version')
message = "Version #{report_version} for report type #{report_type} has been deprecated, supported versions for this report type are: #{supported_schema_versions}"
add_message_as(level: :warning, message: message)
add_message_as(level: :deprecation_warning, message: message)
end
def log_warnings(problem_type:)
Gitlab::AppLogger.info(
message: 'security report schema validation problem',
security_report_type: report_type,
security_report_version: report_version,
project_id: @project.id,
security_report_failure: problem_type
)
end
def add_unsupported_report_version_message
if Feature.enabled?(:enforce_security_report_validation)
log_warnings(problem_type: 'using_unsupported_schema_version')
if Feature.enabled?(:enforce_security_report_validation, @project)
handle_unsupported_report_version(treat_as: :error)
else
handle_unsupported_report_version(treat_as: :warning)
@ -152,6 +176,8 @@ module Gitlab
def add_message_as(level:, message:)
case level
when :deprecation_warning
@deprecation_warnings << message
when :error
@errors << message
when :warning
@ -159,7 +185,7 @@ module Gitlab
end
end
attr_reader :errors, :warnings
attr_reader :errors, :warnings, :deprecation_warnings
private
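Review bot: `log_warnings` dereferences `@project.id` unconditionally, yet `initialize` keeps `project: nil` as its default, so a validator built with the old three-argument form now raises NoMethodError from `populate_errors`, `add_deprecated_report_version_message` or `add_unsupported_report_version_message` instead of recording a warning. Either make the keyword required (`def initialize(report_type, report_data, report_version = nil, project:)`) or log `project_id: @project&.id` and document that the project is optional. A brief comment on `log_warnings` would also help, since the log key `security_report_failure` is what the specs match on: `# Emits one structured info log per validation problem; the spec asserts on these exact keys.`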


@ -9,6 +9,7 @@ module Gitlab
attr_accessor :scan, :scanned_resources, :errors, :analyzer, :version, :schema_validation_status, :warnings
delegate :project_id, to: :pipeline
delegate :project, to: :pipeline
def initialize(type, pipeline, created_at)
@type = type
@ -38,6 +39,10 @@ module Gitlab
errors.present?
end
def warnings?
warnings.present?
end
def add_scanner(scanner)
scanners[scanner.key] ||= scanner
end


@ -375,7 +375,7 @@ module Gitlab
end
def rendered
return unless use_renderable_diff? && ipynb?
return unless use_renderable_diff? && ipynb? && modified_file? && !too_large?
strong_memoize(:rendered) { Rendered::Notebook::DiffFile.new(self) }
end
@ -410,7 +410,7 @@ module Gitlab
end
def ipynb?
modified_file? && file_path.ends_with?('.ipynb')
file_path.ends_with?('.ipynb')
end
# We can't use Object#try because Blob doesn't inherit from Object, but
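Review bot: Removing `modified_file?` from `ipynb?` widens that predicate for every caller outside this hunk: added, deleted or renamed notebooks now satisfy it where they previously did not, and only `rendered` picks up the `modified_file?` and `too_large?` checks. If `rendered` is the only consumer, say so on the predicate: `# Extension check only; callers that need a diffable notebook must also check modified_file? and too_large?`. Otherwise keep the old semantics under the old name and compose the three checks in `rendered`. `too_large?` is presumably delegated to the underlying diff (the spec stubs it on `diff`); confirm it is in scope on this object.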


@ -194,3 +194,9 @@
redis_slot: project_management
aggregation: daily
feature_flag: track_epics_activity
- name: g_project_management_epic_related_removed
category: epics_usage
redis_slot: project_management
aggregation: daily
feature_flag: track_epics_activity


@ -22773,9 +22773,6 @@ msgstr ""
msgid "Locked the discussion."
msgstr ""
msgid "Locked to current projects"
msgstr ""
msgid "Locks give the ability to lock specific file or folder."
msgstr ""


@ -19,6 +19,12 @@ FactoryBot.define do
user
end
factory :personal_key_4096 do
user
key { SSHData::PrivateKey::RSA.generate(4096, unsafe_allow_small_key: true).public_key.openssh(comment: 'dummy@gitlab.com') }
end
factory :another_key do
factory :another_deploy_key, class: 'DeployKey'
end
@ -74,6 +80,8 @@ FactoryBot.define do
qpPN5jAskkAUzOh5L/M+dmq2jNn03U9xwORCYPZj+fFM9bL99/0knsV0ypZDZyWH dummy@gitlab.com
KEY
end
factory :rsa_deploy_key_5120, class: 'DeployKey'
end
factory :rsa_key_8192 do
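Review bot: `personal_key_4096` passes `unsafe_allow_small_key: true` to `SSHData::PrivateKey::RSA.generate(4096, ...)`, but 4096 bits is not a small key, so the option is a no-op here and reads as though a weak key were acceptable; drop it so it is not copied into a factory where it would actually permit one. Generating a fresh 4096-bit RSA key on every `create` is also slow and non-deterministic compared with the fixed literals the neighbouring factories use (the `KEY` heredoc in the second hunk), which matters now that the KeysFinder specs assert on hard-coded fingerprints. A precomputed public key string would keep those specs fast and reproducible.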


@ -5,23 +5,22 @@ require 'spec_helper'
RSpec.describe KeysFinder do
subject { described_class.new(params).execute }
let(:user) { create(:user) }
let(:params) { {} }
let!(:key_1) do
create(:personal_key,
let_it_be(:user) { create(:user) }
let_it_be(:key_1) do
create(:rsa_key_4096,
last_used_at: 7.days.ago,
user: user,
key: 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt1016k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=',
fingerprint: 'ba:81:59:68:d7:6c:cd:02:02:bf:6a:9b:55:4e:af:d1',
fingerprint_sha256: 'nUhzNyftwADy8AH3wFY31tAKs7HufskYTte2aXo/lCg')
fingerprint: 'df:73:db:29:3c:a5:32:cf:09:17:7e:8e:9d:de:d7:f7',
fingerprint_sha256: 'ByDU7hQ1JB95l6p53rHrffc4eXvEtqGUtQhS+Dhyy7g')
end
let!(:key_2) { create(:personal_key, last_used_at: nil, user: user) }
let!(:key_3) { create(:personal_key, last_used_at: 2.days.ago) }
let_it_be(:key_2) { create(:personal_key_4096, last_used_at: nil, user: user) }
let_it_be(:key_3) { create(:personal_key_4096, last_used_at: 2.days.ago) }
let(:params) { {} }
context 'key_type' do
let!(:deploy_key) { create(:deploy_key) }
let_it_be(:deploy_key) { create(:deploy_key) }
context 'when `key_type` is `ssh`' do
before do
@ -64,35 +63,41 @@ RSpec.describe KeysFinder do
end
context 'with valid fingerprints' do
let!(:deploy_key) do
create(:deploy_key,
user: user,
key: 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt1017k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=',
fingerprint: '8a:4a:12:92:0b:50:47:02:d4:5a:8e:a9:44:4e:08:b4',
fingerprint_sha256: '4DPHOVNh53i9dHb5PpY2vjfyf5qniTx1/pBFPoZLDdk')
end
let_it_be(:deploy_key) { create(:rsa_deploy_key_5120, user: user) }
context 'personal key with valid MD5 params' do
context 'with an existent fingerprint' do
before do
params[:fingerprint] = 'ba:81:59:68:d7:6c:cd:02:02:bf:6a:9b:55:4e:af:d1'
params[:fingerprint] = 'df:73:db:29:3c:a5:32:cf:09:17:7e:8e:9d:de:d7:f7'
end
it 'returns the key' do
expect(subject).to eq(key_1)
expect(subject.user).to eq(user)
end
context 'with FIPS mode', :fips_mode do
it 'raises InvalidFingerprint' do
expect { subject }.to raise_error(KeysFinder::InvalidFingerprint)
end
end
end
context 'deploy key with an existent fingerprint' do
before do
params[:fingerprint] = '8a:4a:12:92:0b:50:47:02:d4:5a:8e:a9:44:4e:08:b4'
params[:fingerprint] = 'fe:fa:3a:4d:7d:51:ec:bf:c7:64:0c:96:d0:17:8a:d0'
end
it 'returns the key' do
expect(subject).to eq(deploy_key)
expect(subject.user).to eq(user)
end
context 'with FIPS mode', :fips_mode do
it 'raises InvalidFingerprint' do
expect { subject }.to raise_error(KeysFinder::InvalidFingerprint)
end
end
end
context 'with a non-existent fingerprint' do
@ -103,13 +108,19 @@ RSpec.describe KeysFinder do
it 'returns nil' do
expect(subject).to be_nil
end
context 'with FIPS mode', :fips_mode do
it 'raises InvalidFingerprint' do
expect { subject }.to raise_error(KeysFinder::InvalidFingerprint)
end
end
end
end
context 'personal key with valid SHA256 params' do
context 'with an existent fingerprint' do
before do
params[:fingerprint] = 'SHA256:nUhzNyftwADy8AH3wFY31tAKs7HufskYTte2aXo/lCg'
params[:fingerprint] = 'SHA256:ByDU7hQ1JB95l6p53rHrffc4eXvEtqGUtQhS+Dhyy7g'
end
it 'returns key' do
@ -120,7 +131,7 @@ RSpec.describe KeysFinder do
context 'deploy key with an existent fingerprint' do
before do
params[:fingerprint] = 'SHA256:4DPHOVNh53i9dHb5PpY2vjfyf5qniTx1/pBFPoZLDdk'
params[:fingerprint] = 'SHA256:PCCupLbFHScm4AbEufbGDvhBU27IM0MVAor715qKQK8'
end
it 'returns key' do
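Review bot: The new `:fips_mode` contexts only cover MD5 lookups (the three `with FIPS mode` blocks in the second and third hunks); nothing asserts that a `SHA256:` fingerprint still resolves to `key_1` under FIPS, which is the path the finder must keep working. Add a `context 'with FIPS mode', :fips_mode` with `it 'returns the key'` under 'personal key with valid SHA256 params' so a FIPS branch that rejects every fingerprint would be caught. The hard-coded MD5 and SHA256 fingerprints also rely on `rsa_key_4096` and `rsa_deploy_key_5120` being fixed keys; a one-line comment on `key_1` stating that would save the next reader a trip to the factory file.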


@ -5,12 +5,23 @@ import ConfirmModal from '~/lib/utils/confirm_via_gl_modal/confirm_modal.vue';
describe('Confirm Modal', () => {
let wrapper;
let modal;
const SECONDARY_TEXT = 'secondaryText';
const SECONDARY_VARIANT = 'danger';
const createComponent = ({ primaryText, primaryVariant, title, hideCancel = false } = {}) => {
const createComponent = ({
primaryText,
primaryVariant,
secondaryText,
secondaryVariant,
title,
hideCancel = false,
} = {}) => {
wrapper = mount(ConfirmModal, {
propsData: {
primaryText,
primaryVariant,
secondaryText,
secondaryVariant,
hideCancel,
title,
},
@ -65,6 +76,19 @@ describe('Confirm Modal', () => {
expect(props.actionCancel).toBeNull();
});
it('should not show secondary Button when secondary Text is not set', () => {
createComponent();
const props = findGlModal().props();
expect(props.actionSecondary).toBeNull();
});
it('should show secondary Button when secondaryText is set', () => {
createComponent({ secondaryText: SECONDARY_TEXT, secondaryVariant: SECONDARY_VARIANT });
const actionSecondary = findGlModal().props('actionSecondary');
expect(actionSecondary.text).toEqual(SECONDARY_TEXT);
expect(actionSecondary.attributes.variant).toEqual(SECONDARY_VARIANT);
});
it('should set the modal title when the `title` prop is set', () => {
const title = 'Modal title';
createComponent({ title });


@ -37,7 +37,9 @@ RSpec.describe Mutations::Ci::Runner::Delete do
it 'raises an error' do
mutation_params[:id] = two_projects_runner.to_global_id
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
expect_graphql_error_to_be_created(Gitlab::Graphql::Errors::ResourceNotAvailable) do
subject
end
end
end
end
@ -115,7 +117,10 @@ RSpec.describe Mutations::Ci::Runner::Delete do
allow_next_instance_of(::Ci::Runners::UnregisterRunnerService) do |service|
expect(service).not_to receive(:execute)
end
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
expect_graphql_error_to_be_created(Gitlab::Graphql::Errors::ResourceNotAvailable) do
subject
end
end
end
end


@ -75,10 +75,9 @@ RSpec.describe Resolvers::BlobsResolver do
let(:ref) { 'ma:in' }
it 'raises an ArgumentError' do
expect { resolve_blobs }.to raise_error(
Gitlab::Graphql::Errors::ArgumentError,
'Ref is not valid'
)
expect_graphql_error_to_be_created(Gitlab::Graphql::Errors::ArgumentError, 'Ref is not valid') do
resolve_blobs
end
end
end
@ -86,10 +85,9 @@ RSpec.describe Resolvers::BlobsResolver do
let(:ref) { '' }
it 'raises an ArgumentError' do
expect { resolve_blobs }.to raise_error(
Gitlab::Graphql::Errors::ArgumentError,
'Ref is not valid'
)
expect_graphql_error_to_be_created(Gitlab::Graphql::Errors::ArgumentError, 'Ref is not valid') do
resolve_blobs
end
end
end
end


@ -35,7 +35,9 @@ RSpec.describe Resolvers::GroupMembers::NotificationEmailResolver do
let(:current_user) { create(:user) }
it 'raises ResourceNotAvailable error' do
expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
expect_graphql_error_to_be_created(Gitlab::Graphql::Errors::ResourceNotAvailable) do
subject
end
end
end
end


@ -74,7 +74,9 @@ RSpec.describe Resolvers::UsersResolver do
let_it_be(:current_user) { nil }
it 'prohibits search without usernames passed' do
expect { resolve_users }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
expect_graphql_error_to_be_created(Gitlab::Graphql::Errors::ResourceNotAvailable) do
resolve_users
end
end
it 'allows to search by username' do


@ -22,7 +22,9 @@ RSpec.describe Resolvers::WorkItemResolver do
let(:current_user) { create(:user) }
it 'raises a resource not available error' do
expect { resolved_work_item }.to raise_error(::Gitlab::Graphql::Errors::ResourceNotAvailable)
expect_graphql_error_to_be_created(Gitlab::Graphql::Errors::ResourceNotAvailable) do
resolved_work_item
end
end
end


@ -42,11 +42,13 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
let(:validate) { false }
let(:valid?) { false }
let(:errors) { ['foo'] }
let(:warnings) { ['bar'] }
before do
allow_next_instance_of(validator_class) do |instance|
allow(instance).to receive(:valid?).and_return(valid?)
allow(instance).to receive(:errors).and_return(errors)
allow(instance).to receive(:warnings).and_return(warnings)
end
allow(parser).to receive_messages(create_scanner: true, create_scan: true)
@ -55,12 +57,17 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
it 'instantiates the validator with correct params' do
parse_report
expect(validator_class).to have_received(:new).with(report.type, {}, report.version)
expect(validator_class).to have_received(:new).with(report.type, {}, report.version, project: pipeline.project)
end
context 'when the report data is not valid according to the schema' do
it 'adds warnings to the report' do
expect { parse_report }.to change { report.warnings }.from([]).to([{ message: 'foo', type: 'Schema' }])
expect { parse_report }.to change { report.warnings }.from([]).to(
[
{ message: 'foo', type: 'Schema' },
{ message: 'bar', type: 'Schema' }
]
)
end
it 'keeps the execution flow as normal' do
@ -74,9 +81,14 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
context 'when the report data is valid according to the schema' do
let(:valid?) { true }
let(:errors) { [] }
let(:warnings) { [] }
it 'does not add errors to the report' do
expect { parse_report }.not_to change { report.errors }
end
it 'does not add warnings to the report' do
expect { parse_report }.not_to change { report.errors }
expect { parse_report }.not_to change { report.warnings }
end
it 'keeps the execution flow as normal' do
@ -92,11 +104,13 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
let(:validate) { true }
let(:valid?) { false }
let(:errors) { ['foo'] }
let(:warnings) { ['bar'] }
before do
allow_next_instance_of(validator_class) do |instance|
allow(instance).to receive(:valid?).and_return(valid?)
allow(instance).to receive(:errors).and_return(errors)
allow(instance).to receive(:warnings).and_return(warnings)
end
allow(parser).to receive_messages(create_scanner: true, create_scan: true)
@ -105,12 +119,17 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
it 'instantiates the validator with correct params' do
parse_report
expect(validator_class).to have_received(:new).with(report.type, {}, report.version)
expect(validator_class).to have_received(:new).with(report.type, {}, report.version, project: pipeline.project)
end
context 'when the report data is not valid according to the schema' do
it 'adds errors to the report' do
expect { parse_report }.to change { report.errors }.from([]).to([{ message: 'foo', type: 'Schema' }])
expect { parse_report }.to change { report.errors }.from([]).to(
[
{ message: 'foo', type: 'Schema' },
{ message: 'bar', type: 'Schema' }
]
)
end
it 'does not try to create report entities' do
@ -124,11 +143,16 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common do
context 'when the report data is valid according to the schema' do
let(:valid?) { true }
let(:errors) { [] }
let(:warnings) { [] }
it 'does not add errors to the report' do
expect { parse_report }.not_to change { report.errors }.from([])
end
it 'does not add warnings to the report' do
expect { parse_report }.not_to change { report.warnings }.from([])
end
it 'keeps the execution flow as normal' do
parse_report


@ -3,7 +3,9 @@
require 'spec_helper'
RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
let(:validator) { described_class.new(report_type, report_data, report_version) }
let_it_be(:project) { create(:project) }
let(:validator) { described_class.new(report_type, report_data, report_version, project: project) }
describe 'SUPPORTED_VERSIONS' do
schema_path = Rails.root.join("lib", "gitlab", "ci", "parsers", "security", "validators", "schemas")
@ -75,6 +77,18 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
end
it { is_expected.to be_falsey }
it 'logs related information' do
expect(Gitlab::AppLogger).to receive(:info).with(
message: "security report schema validation problem",
security_report_type: report_type,
security_report_version: report_version,
project_id: project.id,
security_report_failure: 'schema_validation_fails'
)
subject
end
end
end
@ -91,6 +105,18 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
end
it { is_expected.to be_truthy }
it 'logs related information' do
expect(Gitlab::AppLogger).to receive(:info).with(
message: "security report schema validation problem",
security_report_type: report_type,
security_report_version: report_version,
project_id: project.id,
security_report_failure: 'using_deprecated_schema_version'
)
subject
end
end
context 'and the report does not pass schema validation' do
@ -142,6 +168,18 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
end
it { is_expected.to be_falsey }
it 'logs related information' do
expect(Gitlab::AppLogger).to receive(:info).with(
message: "security report schema validation problem",
security_report_type: report_type,
security_report_version: report_version,
project_id: project.id,
security_report_failure: 'using_unsupported_schema_version'
)
subject
end
end
context 'and the report is invalid' do
@ -211,13 +249,29 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
}
end
let(:expected_errors) do
[
'root is missing required keys: vulnerabilities'
]
context 'if enforce_security_report_validation is enabled' do
before do
stub_feature_flags(enforce_security_report_validation: project)
end
let(:expected_errors) do
[
'root is missing required keys: vulnerabilities'
]
end
it { is_expected.to match_array(expected_errors) }
end
it { is_expected.to match_array(expected_errors) }
context 'if enforce_security_report_validation is disabled' do
before do
stub_feature_flags(enforce_security_report_validation: false)
end
let(:expected_errors) { [] }
it { is_expected.to match_array(expected_errors) }
end
end
end
@ -355,6 +409,83 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
end
end
describe '#deprecation_warnings' do
subject { validator.deprecation_warnings }
context 'when given a supported schema version' do
let(:report_type) { :dast }
let(:report_version) { described_class::SUPPORTED_VERSIONS[report_type].last }
let(:expected_deprecation_warnings) { [] }
context 'and the report is valid' do
let(:report_data) do
{
'version' => report_version,
'vulnerabilities' => []
}
end
it { is_expected.to match_array(expected_deprecation_warnings) }
end
context 'and the report is invalid' do
let(:report_data) do
{
'version' => report_version
}
end
it { is_expected.to match_array(expected_deprecation_warnings) }
end
end
context 'when given a deprecated schema version' do
let(:report_type) { :dast }
let(:report_version) { described_class::DEPRECATED_VERSIONS[report_type].last }
let(:expected_deprecation_warnings) do
[
"Version V2.7.0 for report type dast has been deprecated, supported versions for this report type are: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 14.0.6, 14.1.0"
]
end
context 'and the report passes schema validation' do
let(:report_data) do
{
'version' => report_version,
'vulnerabilities' => []
}
end
it { is_expected.to match_array(expected_deprecation_warnings) }
end
context 'and the report does not pass schema validation' do
let(:report_data) do
{
'version' => 'V2.7.0'
}
end
it { is_expected.to match_array(expected_deprecation_warnings) }
end
end
context 'when given an unsupported schema version' do
let(:report_type) { :dast }
let(:report_version) { "21.37.0" }
let(:expected_deprecation_warnings) { [] }
let(:report_data) do
{
'version' => report_version,
'vulnerabilities' => []
}
end
it { is_expected.to match_array(expected_deprecation_warnings) }
end
end
describe '#warnings' do
subject { validator.warnings }
@ -382,9 +513,29 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
}
end
let(:expected_warnings) { [] }
context 'if enforce_security_report_validation is enabled' do
before do
stub_feature_flags(enforce_security_report_validation: project)
end
it { is_expected.to match_array(expected_warnings) }
let(:expected_warnings) { [] }
it { is_expected.to match_array(expected_warnings) }
end
context 'if enforce_security_report_validation is disabled' do
before do
stub_feature_flags(enforce_security_report_validation: false)
end
let(:expected_warnings) do
[
'root is missing required keys: vulnerabilities'
]
end
it { is_expected.to match_array(expected_warnings) }
end
end
end
@ -399,32 +550,24 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
}
end
let(:expected_warnings) do
[
"Version V2.7.0 for report type dast has been deprecated, supported versions for this report type are: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 14.0.6, 14.1.0"
]
end
let(:expected_warnings) { [] }
it { is_expected.to match_array(expected_warnings) }
end
context 'and the report does not pass schema validation' do
let(:report_data) do
{
'version' => 'V2.7.0'
}
end
context 'and enforce_security_report_validation is enabled' do
before do
stub_feature_flags(enforce_security_report_validation: true)
end
let(:report_data) do
{
'version' => 'V2.7.0'
}
end
let(:expected_warnings) do
[
"Version V2.7.0 for report type dast has been deprecated, supported versions for this report type are: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 14.0.6, 14.1.0"
]
end
let(:expected_warnings) { [] }
it { is_expected.to match_array(expected_warnings) }
end
@ -434,15 +577,8 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do
stub_feature_flags(enforce_security_report_validation: false)
end
let(:report_data) do
{
'version' => 'V2.7.0'
}
end
let(:expected_warnings) do
[
"Version V2.7.0 for report type dast has been deprecated, supported versions for this report type are: 14.0.0, 14.0.1, 14.0.2, 14.0.3, 14.0.4, 14.0.5, 14.0.6, 14.1.0",
"property '/version' does not match pattern: ^[0-9]+\\.[0-9]+\\.[0-9]+$",
"root is missing required keys: vulnerabilities"
]


@ -184,6 +184,22 @@ RSpec.describe Gitlab::Ci::Reports::Security::Report do
end
end
describe 'warnings?' do
subject { report.warnings? }
context 'when the report does not have any errors' do
it { is_expected.to be_falsey }
end
context 'when the report has warnings' do
before do
report.add_warning('foo', 'bar')
end
it { is_expected.to be_truthy }
end
end
describe '#primary_scanner_order_to' do
let(:scanner_1) { build(:ci_reports_security_scanner) }
let(:scanner_2) { build(:ci_reports_security_scanner) }
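Review bot: The first context inside `describe 'warnings?'` is titled 'when the report does not have any errors' but exercises the absence of warnings; rename it to `context 'when the report does not have any warnings' do` so a failure message describes what is tested. The describe string would also read better as `'#warnings?'`, matching `'#primary_scanner_order_to'` directly below it.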


@ -76,10 +76,34 @@ RSpec.describe Gitlab::Diff::File do
end
describe '#rendered' do
let(:commit) { project.commit("532c837") }
context 'when not ipynb' do
it 'is nil' do
expect(diff_file.rendered).to be_nil
end
end
it 'creates a NotebookDiffFile for rendering' do
expect(diff_file.rendered).to be_kind_of(Gitlab::Diff::Rendered::Notebook::DiffFile)
context 'when ipynb' do
let(:commit) { project.commit("532c837") }
it 'creates a NotebookDiffFile for rendering' do
expect(diff_file.rendered).to be_kind_of(Gitlab::Diff::Rendered::Notebook::DiffFile)
end
context 'when too large' do
it 'is nil' do
expect(diff).to receive(:too_large?).and_return(true)
expect(diff_file.rendered).to be_nil
end
end
context 'when not modified' do
it 'is nil' do
expect(diff_file).to receive(:modified_file?).and_return(false)
expect(diff_file.rendered).to be_nil
end
end
end
end


@ -3,10 +3,11 @@
require 'spec_helper'
RSpec.describe API::Keys do
let(:user) { create(:user) }
let(:admin) { create(:admin) }
let(:key) { create(:key, user: user, expires_at: 1.day.from_now) }
let(:email) { create(:email, user: user) }
let_it_be(:user) { create(:user) }
let_it_be(:admin) { create(:admin) }
let_it_be(:email) { create(:email, user: user) }
let_it_be(:key) { create(:rsa_key_4096, user: user, expires_at: 1.day.from_now) }
let_it_be(:fingerprint_md5) { 'df:73:db:29:3c:a5:32:cf:09:17:7e:8e:9d:de:d7:f7' }
describe 'GET /keys/:uid' do
context 'when unauthenticated' do
@ -24,7 +25,6 @@ RSpec.describe API::Keys do
end
it 'returns single ssh key with user information' do
user.keys << key
get api("/keys/#{key.id}", admin)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['title']).to eq(key.title)
@ -43,23 +43,50 @@ RSpec.describe API::Keys do
describe 'GET /keys?fingerprint=' do
it 'returns authentication error' do
get api("/keys?fingerprint=#{key.fingerprint}")
get api("/keys?fingerprint=#{fingerprint_md5}")
expect(response).to have_gitlab_http_status(:unauthorized)
end
it 'returns authentication error when authenticated as user' do
get api("/keys?fingerprint=#{key.fingerprint}", user)
get api("/keys?fingerprint=#{fingerprint_md5}", user)
expect(response).to have_gitlab_http_status(:forbidden)
end
context 'when authenticated as admin' do
it 'returns 404 for non-existing SSH md5 fingerprint' do
get api("/keys?fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", admin)
context 'MD5 fingerprint' do
it 'returns 404 for non-existing SSH md5 fingerprint' do
get api("/keys?fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", admin)
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 Key Not Found')
expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['message']).to eq('404 Key Not Found')
end
it 'returns user if SSH md5 fingerprint found' do
get api("/keys?fingerprint=#{fingerprint_md5}", admin)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['title']).to eq(key.title)
expect(json_response['user']['id']).to eq(user.id)
expect(json_response['user']['username']).to eq(user.username)
end
context 'with FIPS mode', :fips_mode do
it 'returns 404 for non-existing SSH md5 fingerprint' do
get api("/keys?fingerprint=11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11", admin)
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['message']).to eq('Failed to return the key')
end
it 'returns 404 for existing SSH md5 fingerprint' do
get api("/keys?fingerprint=#{fingerprint_md5}", admin)
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['message']).to eq('Failed to return the key')
end
end
end
it 'returns 404 for non-existing SSH sha256 fingerprint' do
@ -69,20 +96,7 @@ RSpec.describe API::Keys do
expect(json_response['message']).to eq('404 Key Not Found')
end
it 'returns user if SSH md5 fingerprint found' do
user.keys << key
get api("/keys?fingerprint=#{key.fingerprint}", admin)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['title']).to eq(key.title)
expect(json_response['user']['id']).to eq(user.id)
expect(json_response['user']['username']).to eq(user.username)
end
it 'returns user if SSH sha256 fingerprint found' do
user.keys << key
get api("/keys?fingerprint=#{URI.encode_www_form_component("SHA256:" + key.fingerprint_sha256)}", admin)
expect(response).to have_gitlab_http_status(:ok)
@ -92,8 +106,6 @@ RSpec.describe API::Keys do
end
it 'returns user if SSH sha256 fingerprint found' do
user.keys << key
get api("/keys?fingerprint=#{URI.encode_www_form_component("sha256:" + key.fingerprint_sha256)}", admin)
expect(response).to have_gitlab_http_status(:ok)
@ -103,7 +115,7 @@ RSpec.describe API::Keys do
end
it "does not include the user's `is_admin` flag" do
get api("/keys?fingerprint=#{key.fingerprint}", admin)
get api("/keys?fingerprint=#{URI.encode_www_form_component("sha256:" + key.fingerprint_sha256)}", admin)
expect(json_response['user']['is_admin']).to be_nil
end
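Review bot: Both examples inside the `with FIPS mode` context are titled 'returns 404 …' but assert `:bad_request` and 'Failed to return the key'; rename them to `it 'returns 400 for non-existing SSH md5 fingerprint' do` and `it 'returns 400 for existing SSH md5 fingerprint' do` so the description matches the expected status. A short comment above that context would also help: `# In FIPS mode MD5 fingerprint lookups are rejected outright (the finder raises InvalidFingerprint), so an existing key is 400 too, not 404.`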


@ -306,63 +306,49 @@ RSpec.describe API::ProjectImport, :aggregate_failures do
it_behaves_like 'requires authentication'
it 'returns NOT FOUND when the feature is disabled' do
stub_feature_flags(import_project_from_remote_file: false)
context 'when the response is successful' do
it 'schedules the import successfully' do
project = create(
:project,
namespace: user.namespace,
name: 'test-import',
path: 'test-import'
)
subject
service_response = ServiceResponse.success(payload: project)
expect_next(::Import::GitlabProjects::CreateProjectService)
.to receive(:execute)
.and_return(service_response)
expect(response).to have_gitlab_http_status(:not_found)
subject
expect(response).to have_gitlab_http_status(:created)
expect(json_response).to include({
'id' => project.id,
'name' => 'test-import',
'name_with_namespace' => "#{user.namespace.name} / test-import",
'path' => 'test-import',
'path_with_namespace' => "#{user.namespace.path}/test-import"
})
end
end
context 'when the feature flag is enabled' do
before do
stub_feature_flags(import_project_from_remote_file: true)
end
context 'when the service returns an error' do
it 'fails to schedule the import' do
service_response = ServiceResponse.error(
message: 'Failed to import',
http_status: :bad_request
)
expect_next(::Import::GitlabProjects::CreateProjectService)
.to receive(:execute)
.and_return(service_response)
context 'when the response is successful' do
it 'schedules the import successfully' do
project = create(
:project,
namespace: user.namespace,
name: 'test-import',
path: 'test-import'
)
subject
service_response = ServiceResponse.success(payload: project)
expect_next(::Import::GitlabProjects::CreateProjectService)
.to receive(:execute)
.and_return(service_response)
subject
expect(response).to have_gitlab_http_status(:created)
expect(json_response).to include({
'id' => project.id,
'name' => 'test-import',
'name_with_namespace' => "#{user.namespace.name} / test-import",
'path' => 'test-import',
'path_with_namespace' => "#{user.namespace.path}/test-import"
})
end
end
context 'when the service returns an error' do
it 'fails to schedule the import' do
service_response = ServiceResponse.error(
message: 'Failed to import',
http_status: :bad_request
)
expect_next(::Import::GitlabProjects::CreateProjectService)
.to receive(:execute)
.and_return(service_response)
subject
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response).to eq({
'message' => 'Failed to import'
})
end
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response).to eq({
'message' => 'Failed to import'
})
end
end
end