From 475d5a7a176dcb87bd1fb8d55883ad2b3b2a7955 Mon Sep 17 00:00:00 2001 
From: GitLab Bot Date: Thu, 3 Mar 2022 00:20:18 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- .../types/notes/diff_position_input_type.rb | 4 +- app/helpers/labels_helper.rb | 26 +- app/models/integration.rb | 36 +- app/models/label.rb | 13 +- .../namespaces/traversal/linear_scopes.rb | 28 +- app/presenters/label_presenter.rb | 4 + .../analytics/cycle_analytics/stage_entity.rb | 3 +- app/serializers/label_entity.rb | 4 +- app/services/labels/base_service.rb | 156 +---- .../security/merge_reports_service.rb | 5 +- app/validators/color_validator.rb | 10 +- .../profiles/two_factor_auths/show.html.haml | 2 +- ...ml => show_report_validation_warnings.yml} | 8 +- ...0_add_integrations_encrypted_properties.rb | 8 + ...04194347_encrypt_integration_properties.rb | 22 + db/schema_migrations/20220204193000 | 1 + db/schema_migrations/20220204194347 | 1 + db/structure.sql | 2 + doc/api/graphql/reference/index.md | 5 +- doc/development/secure_coding_guidelines.md | 3 +- doc/security/two_factor_authentication.md | 39 +- .../settings/account_and_limit_settings.md | 9 +- doc/user/permissions.md | 5 +- lib/api/entities/label_basic.rb | 6 +- lib/api/validations/validators/file_path.rb | 3 +- .../encrypt_integration_properties.rb | 84 +++ lib/gitlab/ci/parsers/security/common.rb | 19 +- lib/gitlab/ci/reports/security/report.rb | 7 +- lib/gitlab/color.rb | 222 +++++++ lib/gitlab/database/type/color.rb | 21 + lib/gitlab/json.rb | 20 +- lib/gitlab/performance_bar/stats.rb | 6 +- lib/gitlab/utils.rb | 7 + qa/qa/resource/group_base.rb | 18 +- qa/qa/resource/reusable_collection.rb | 4 + .../migration/gitlab_migration_group_spec.rb | 33 -- .../gitlab_migration_members_spec.rb | 68 +++ qa/spec/resource/reusable_collection_spec.rb | 22 +- .../projects/services_controller_spec.rb | 11 +- spec/helpers/labels_helper_spec.rb | 8 +- .../references/label_reference_filter_spec.rb | 2 +- .../common/pipelines/labels_pipeline_spec.rb | 2 +- 
.../encrypt_integration_properties_spec.rb | 63 ++ .../gitlab/ci/parsers/security/common_spec.rb | 556 ++++++++++-------- .../gitlab/ci/reports/security/report_spec.rb | 10 + spec/lib/gitlab/color_spec.rb | 132 +++++ spec/lib/gitlab/database/type/color_spec.rb | 41 ++ spec/lib/gitlab/utils_spec.rb | 61 +- ...347_encrypt_integration_properties_spec.rb | 40 ++ spec/models/integration_spec.rb | 78 +++ spec/models/label_spec.rb | 9 +- spec/requests/api/group_labels_spec.rb | 10 +- spec/requests/api/labels_spec.rb | 22 +- spec/serializers/label_serializer_spec.rb | 2 +- .../bulk_create_integration_service_spec.rb | 19 +- spec/services/labels/create_service_spec.rb | 3 +- spec/services/labels/promote_service_spec.rb | 2 +- spec/services/labels/update_service_spec.rb | 2 +- spec/services/projects/create_service_spec.rb | 10 +- .../security/merge_reports_service_spec.rb | 13 +- spec/support/helpers/migrations_helpers.rb | 2 + spec/support/matchers/be_color.rb | 20 + .../namespaces/traversal_scope_examples.rb | 10 + .../services/incident_shared_examples.rb | 2 +- spec/validators/color_validator_spec.rb | 23 + 65 files changed, 1441 insertions(+), 646 deletions(-) rename config/feature_flags/development/{enforce_security_report_validation.yml => show_report_validation_warnings.yml} (71%) create mode 100644 db/migrate/20220204193000_add_integrations_encrypted_properties.rb create mode 100644 db/post_migrate/20220204194347_encrypt_integration_properties.rb create mode 100644 db/schema_migrations/20220204193000 create mode 100644 db/schema_migrations/20220204194347 create mode 100644 lib/gitlab/background_migration/encrypt_integration_properties.rb create mode 100644 lib/gitlab/color.rb create mode 100644 lib/gitlab/database/type/color.rb create mode 100644 qa/qa/specs/features/api/1_manage/migration/gitlab_migration_members_spec.rb create mode 100644 spec/lib/gitlab/background_migration/encrypt_integration_properties_spec.rb create mode 100644 spec/lib/gitlab/color_spec.rb 
create mode 100644 spec/lib/gitlab/database/type/color_spec.rb create mode 100644 spec/migrations/20220204194347_encrypt_integration_properties_spec.rb create mode 100644 spec/support/matchers/be_color.rb diff --git a/app/graphql/types/notes/diff_position_input_type.rb b/app/graphql/types/notes/diff_position_input_type.rb index ad9fe028dfd..ccde4188f29 100644 --- a/app/graphql/types/notes/diff_position_input_type.rb +++ b/app/graphql/types/notes/diff_position_input_type.rb @@ -6,9 +6,9 @@ module Types graphql_name 'DiffPositionInput' argument :new_line, GraphQL::Types::Int, required: false, - description: copy_field_description(Types::Notes::DiffPositionType, :new_line) + description: "#{copy_field_description(Types::Notes::DiffPositionType, :new_line)} Please see the [REST API Documentation](https://docs.gitlab.com/ee/api/discussions.html#create-a-new-thread-in-the-merge-request-diff) for more information on how to use this field." argument :old_line, GraphQL::Types::Int, required: false, - description: copy_field_description(Types::Notes::DiffPositionType, :old_line) + description: "#{copy_field_description(Types::Notes::DiffPositionType, :old_line)} Please see the [REST API Documentation](https://docs.gitlab.com/ee/api/discussions.html#create-a-new-thread-in-the-merge-request-diff) for more information on how to use this field." end end end diff --git a/app/helpers/labels_helper.rb b/app/helpers/labels_helper.rb index 2150729cb2a..877785c9eaf 100644 --- a/app/helpers/labels_helper.rb +++ b/app/helpers/labels_helper.rb @@ -61,7 +61,7 @@ module LabelsHelper render_label_text( label.name, suffix: suffix, - css_class: "gl-label-text #{text_color_class_for_bg(label.color)}", + css_class: "gl-label-text #{label.text_color_class}", bg_color: label.color ) end 
@@ -114,30 +114,8 @@ module LabelsHelper end end - def text_color_class_for_bg(bg_color) - if light_color?(bg_color) - 'gl-label-text-dark' - else - 'gl-label-text-light' - end - end - def text_color_for_bg(bg_color) - if light_color?(bg_color) - '#333333' - else - '#FFFFFF' - end - end - - def light_color?(color) - if color.length == 4 - r, g, b = color[1, 4].scan(/./).map { |v| (v * 2).hex } - else - r, g, b = color[1, 7].scan(/.{2}/).map(&:hex) - end - - (r + g + b) > 500 + ::Gitlab::Color.of(bg_color).contrast end def labels_filter_path_with_defaults(only_group_labels: false, include_ancestor_groups: true, include_descendant_groups: false) diff --git a/app/models/integration.rb b/app/models/integration.rb index e64fff2d811..fd78649e372 100644 --- a/app/models/integration.rb +++ b/app/models/integration.rb @@ -49,6 +49,16 @@ class Integration < ApplicationRecord serialize :properties, JSON # rubocop:disable Cop/ActiveRecordSerialize + attr_encrypted :encrypted_properties_tmp, + attribute: :encrypted_properties, + mode: :per_attribute_iv, + key: Settings.attr_encrypted_db_key_base_32, + algorithm: 'aes-256-gcm', + marshal: true, + marshaler: ::Gitlab::Json, + encode: false, + encode_iv: false + alias_attribute :type, :type_new default_value_for :active, false @@ -67,6 +77,8 @@ class Integration < ApplicationRecord default_value_for :wiki_page_events, true after_initialize :initialize_properties + after_initialize :copy_properties_to_encrypted_properties + before_save :copy_properties_to_encrypted_properties after_commit :reset_updated_properties @@ -123,8 +135,10 @@ class Integration < ApplicationRecord def #{arg}=(value) self.properties ||= {} + self.encrypted_properties_tmp = properties updated_properties['#{arg}'] = #{arg} unless #{arg}_changed? self.properties['#{arg}'] = value + self.encrypted_properties_tmp['#{arg}'] = value end def #{arg}_changed? 
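Review bot: In the generated `#{arg}=` setter, `self.encrypted_properties_tmp = properties` hands attr_encrypted the very Hash object that `self.properties['#{arg}'] = value` then mutates, so the final `self.encrypted_properties_tmp['#{arg}'] = value` writes into a Hash that already holds the value; if the attr_encrypted writer encrypts at assignment time (not visible here), the ciphertext is stale until the `before_save :copy_properties_to_encrypted_properties` callback added in the previous hunk re-copies it, which makes the in-setter copy redundant either way. Doing the copy once after the plaintext write keeps the two attributes in step without relying on the callback: `self.properties['#{arg}'] = value` followed by `self.encrypted_properties_tmp = properties`, dropping the per-key write on the encrypted side. The enclosing setter definition starts before this hunk.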
@@ -354,6 +368,12 @@ class Integration < ApplicationRecord self.properties = {} if has_attribute?(:properties) && properties.nil? end + def copy_properties_to_encrypted_properties + self.encrypted_properties_tmp = properties + rescue ActiveModel::MissingAttributeError + # ignore - in a record built from using a restricted select list + end + def title # implement inside child end @@ -394,7 +414,21 @@ class Integration < ApplicationRecord # return a hash of columns => values suitable for passing to insert_all def to_integration_hash column = self.class.attribute_aliases.fetch('type', 'type') - as_json(except: %w[id instance project_id group_id]).merge(column => type) + copy_properties_to_encrypted_properties + + as_json(except: %w[id instance project_id group_id encrypted_properties_tmp]) + .merge(column => type) + .merge(reencrypt_properties) + end + + def reencrypt_properties + unless properties.nil? || properties.empty? + alg = self.class.encrypted_attributes[:encrypted_properties_tmp][:algorithm] + iv = generate_iv(alg) + ep = self.class.encrypt(:encrypted_properties_tmp, properties, { iv: iv }) + end + + { 'encrypted_properties' => ep, 'encrypted_properties_iv' => iv } end def to_data_fields_hash diff --git a/app/models/label.rb b/app/models/label.rb index 0ebbb5b9bd3..b08b5bd63d5 100644 --- a/app/models/label.rb +++ b/app/models/label.rb @@ -12,8 +12,9 @@ class Label < ApplicationRecord cache_markdown_field :description, pipeline: :single_line - DEFAULT_COLOR = '#6699cc' + DEFAULT_COLOR = ::Gitlab::Color.of('#6699cc') + attribute :color, ::Gitlab::Database::Type::Color.new default_value_for :color, DEFAULT_COLOR has_many :lists, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent 
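Review bot: `reencrypt_properties` relies on `ep` and `iv` falling out of the `unless` block as nil to return `{ 'encrypted_properties' => nil, 'encrypted_properties_iv' => nil }` for blank properties, which reads like an undefined-variable bug to anyone skimming it; an explicit guard states the intent: `return { 'encrypted_properties' => nil, 'encrypted_properties_iv' => nil } if properties.nil? || properties.empty?`. It is also worth a comment that `generate_iv(alg)` has to yield a fresh IV on every call because the attribute is declared with `aes-256-gcm` in an earlier hunk, where reusing an IV under the same key breaks both confidentiality and the authentication tag, and that the returned ciphertext/IV pair must always be written together, which `to_integration_hash` does by merging both keys in one step.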
@@ -22,9 +23,9 @@ class Label < ApplicationRecord has_many :issues, through: :label_links, source: :target, source_type: 'Issue' has_many :merge_requests, through: :label_links, source: :target, source_type: 'MergeRequest' - before_validation :strip_whitespace_from_title_and_color + before_validation :strip_whitespace_from_title - validates :color, color: true, allow_blank: false + validates :color, color: true, presence: true # Don't allow ',' for label titles validates :title, presence: true, format: { with: /\A[^,]+\z/ } @@ -212,7 +213,7 @@ class Label < ApplicationRecord end def text_color - LabelsHelper.text_color_for_bg(self.color) + color.contrast end def title=(value) @@ -285,8 +286,8 @@ class Label < ApplicationRecord CGI.unescapeHTML(Sanitize.clean(value.to_s)) end - def strip_whitespace_from_title_and_color - %w(color title).each { |attr| self[attr] = self[attr]&.strip } + def strip_whitespace_from_title + self[:title] = title&.strip end end diff --git a/app/models/namespaces/traversal/linear_scopes.rb b/app/models/namespaces/traversal/linear_scopes.rb index 09d69a5f77a..0cac4c9143a 100644 --- a/app/models/namespaces/traversal/linear_scopes.rb +++ b/app/models/namespaces/traversal/linear_scopes.rb 
@@ -126,36 +126,26 @@ module Namespaces end def self_and_descendants_with_comparison_operators(include_self: true) - base = all.select( - :traversal_ids, - 'LEAD (namespaces.traversal_ids, 1) OVER (ORDER BY namespaces.traversal_ids ASC) next_traversal_ids' - ) + base = all.select(:traversal_ids) base_cte = Gitlab::SQL::CTE.new(:descendants_base_cte, base) namespaces = Arel::Table.new(:namespaces) # Bound the search space to ourselves (optional) and descendants. # - # WHERE (base_cte.next_traversal_ids IS NULL OR base_cte.next_traversal_ids > namespaces.traversal_ids) - # AND next_traversal_ids_sibling(base_cte.traversal_ids) > namespaces.traversal_ids + # WHERE next_traversal_ids_sibling(base_cte.traversal_ids) > namespaces.traversal_ids records = unscoped + .distinct + .with(base_cte.to_arel) .from([base_cte.table, namespaces]) - .where(base_cte.table[:next_traversal_ids].eq(nil).or(base_cte.table[:next_traversal_ids].gt(namespaces[:traversal_ids]))) .where(next_sibling_func(base_cte.table[:traversal_ids]).gt(namespaces[:traversal_ids])) # AND base_cte.traversal_ids <= namespaces.traversal_ids - records = if include_self - records.where(base_cte.table[:traversal_ids].lteq(namespaces[:traversal_ids])) - else - records.where(base_cte.table[:traversal_ids].lt(namespaces[:traversal_ids])) - end - - records_cte = Gitlab::SQL::CTE.new(:descendants_cte, records) - - unscoped - .unscope(where: [:type]) - .with(base_cte.to_arel, records_cte.to_arel) - .from(records_cte.alias_to(namespaces)) + if include_self + records.where(base_cte.table[:traversal_ids].lteq(namespaces[:traversal_ids])) + else + records.where(base_cte.table[:traversal_ids].lt(namespaces[:traversal_ids])) + end end def next_sibling_func(*args) diff --git a/app/presenters/label_presenter.rb b/app/presenters/label_presenter.rb index 8d604f9a0f6..6929bf79fdf 100644 --- a/app/presenters/label_presenter.rb +++ b/app/presenters/label_presenter.rb 
@@ -14,6 +14,10 @@ class LabelPresenter < Gitlab::View::Presenter::Delegated end end + def text_color_class + "gl-label-text-#{label.color.contrast.luminosity}" + end + def destroy_path case label when GroupLabel then group_label_path(label.group, label) diff --git a/app/serializers/analytics/cycle_analytics/stage_entity.rb b/app/serializers/analytics/cycle_analytics/stage_entity.rb index cfbf6f60e38..ac19998e90e 100644 --- a/app/serializers/analytics/cycle_analytics/stage_entity.rb +++ b/app/serializers/analytics/cycle_analytics/stage_entity.rb @@ -57,7 +57,8 @@ module Analytics def html_description(event) options = {} if event.label_based? - options[:label_html] = render_label(event.label, link: '', small: true, tooltip: true) + label = event.label.present + options[:label_html] = render_label(label, link: '', small: true, tooltip: true) end content_tag(:p) { event.html_description(options).html_safe } diff --git a/app/serializers/label_entity.rb b/app/serializers/label_entity.rb index e586d7f8407..5785715390f 100644 --- a/app/serializers/label_entity.rb +++ b/app/serializers/label_entity.rb @@ -4,7 +4,9 @@ class LabelEntity < Grape::Entity expose :id expose :title - expose :color + expose :color do |label| + label.color.to_s + end expose :description expose :group_id expose :project_id diff --git a/app/services/labels/base_service.rb b/app/services/labels/base_service.rb index ead7f2ea607..f694e6d47a0 100644 --- a/app/services/labels/base_service.rb +++ b/app/services/labels/base_service.rb 
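Review bot: `text_color_class` builds a CSS class name from `label.color.contrast.luminosity`, so the presenter now depends on `Gitlab::Color#luminosity` returning exactly the `light`/`dark` tokens that the removed `text_color_class_for_bg` helper spelled out, and that contract lives in lib/gitlab/color.rb outside this chunk with nothing here documenting it. A one-line comment such as `# luminosity is expected to be :light or :dark, matching the gl-label-text-* CSS classes` would make the coupling visible to whoever next edits the colour code.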
@@ -2,162 +2,8 @@ module Labels class BaseService < ::BaseService - COLOR_NAME_TO_HEX = { - black: '#000000', - silver: '#C0C0C0', - gray: '#808080', - white: '#FFFFFF', - maroon: '#800000', - red: '#FF0000', - purple: '#800080', - fuchsia: '#FF00FF', - green: '#008000', - lime: '#00FF00', - olive: '#808000', - yellow: '#FFFF00', - navy: '#000080', - blue: '#0000FF', - teal: '#008080', - aqua: '#00FFFF', - orange: '#FFA500', - aliceblue: '#F0F8FF', - antiquewhite: '#FAEBD7', - aquamarine: '#7FFFD4', - azure: '#F0FFFF', - beige: '#F5F5DC', - bisque: '#FFE4C4', - blanchedalmond: '#FFEBCD', - blueviolet: '#8A2BE2', - brown: '#A52A2A', - burlywood: '#DEB887', - cadetblue: '#5F9EA0', - chartreuse: '#7FFF00', - chocolate: '#D2691E', - coral: '#FF7F50', - cornflowerblue: '#6495ED', - cornsilk: '#FFF8DC', - crimson: '#DC143C', - darkblue: '#00008B', - darkcyan: '#008B8B', - darkgoldenrod: '#B8860B', - darkgray: '#A9A9A9', - darkgreen: '#006400', - darkgrey: '#A9A9A9', - darkkhaki: '#BDB76B', - darkmagenta: '#8B008B', - darkolivegreen: '#556B2F', - darkorange: '#FF8C00', - darkorchid: '#9932CC', - darkred: '#8B0000', - darksalmon: '#E9967A', - darkseagreen: '#8FBC8F', - darkslateblue: '#483D8B', - darkslategray: '#2F4F4F', - darkslategrey: '#2F4F4F', - darkturquoise: '#00CED1', - darkviolet: '#9400D3', - deeppink: '#FF1493', - deepskyblue: '#00BFFF', - dimgray: '#696969', - dimgrey: '#696969', - dodgerblue: '#1E90FF', - firebrick: '#B22222', - floralwhite: '#FFFAF0', - forestgreen: '#228B22', - gainsboro: '#DCDCDC', - ghostwhite: '#F8F8FF', - gold: '#FFD700', - goldenrod: '#DAA520', - greenyellow: '#ADFF2F', - grey: '#808080', - honeydew: '#F0FFF0', - hotpink: '#FF69B4', - indianred: '#CD5C5C', - indigo: '#4B0082', - ivory: '#FFFFF0', - khaki: '#F0E68C', - lavender: '#E6E6FA', - lavenderblush: '#FFF0F5', - lawngreen: '#7CFC00', - lemonchiffon: '#FFFACD', - lightblue: '#ADD8E6', - lightcoral: '#F08080', - lightcyan: '#E0FFFF', - lightgoldenrodyellow: '#FAFAD2', - lightgray: 
'#D3D3D3', - lightgreen: '#90EE90', - lightgrey: '#D3D3D3', - lightpink: '#FFB6C1', - lightsalmon: '#FFA07A', - lightseagreen: '#20B2AA', - lightskyblue: '#87CEFA', - lightslategray: '#778899', - lightslategrey: '#778899', - lightsteelblue: '#B0C4DE', - lightyellow: '#FFFFE0', - limegreen: '#32CD32', - linen: '#FAF0E6', - mediumaquamarine: '#66CDAA', - mediumblue: '#0000CD', - mediumorchid: '#BA55D3', - mediumpurple: '#9370DB', - mediumseagreen: '#3CB371', - mediumslateblue: '#7B68EE', - mediumspringgreen: '#00FA9A', - mediumturquoise: '#48D1CC', - mediumvioletred: '#C71585', - midnightblue: '#191970', - mintcream: '#F5FFFA', - mistyrose: '#FFE4E1', - moccasin: '#FFE4B5', - navajowhite: '#FFDEAD', - oldlace: '#FDF5E6', - olivedrab: '#6B8E23', - orangered: '#FF4500', - orchid: '#DA70D6', - palegoldenrod: '#EEE8AA', - palegreen: '#98FB98', - paleturquoise: '#AFEEEE', - palevioletred: '#DB7093', - papayawhip: '#FFEFD5', - peachpuff: '#FFDAB9', - peru: '#CD853F', - pink: '#FFC0CB', - plum: '#DDA0DD', - powderblue: '#B0E0E6', - rosybrown: '#BC8F8F', - royalblue: '#4169E1', - saddlebrown: '#8B4513', - salmon: '#FA8072', - sandybrown: '#F4A460', - seagreen: '#2E8B57', - seashell: '#FFF5EE', - sienna: '#A0522D', - skyblue: '#87CEEB', - slateblue: '#6A5ACD', - slategray: '#708090', - slategrey: '#708090', - snow: '#FFFAFA', - springgreen: '#00FF7F', - steelblue: '#4682B4', - tan: '#D2B48C', - thistle: '#D8BFD8', - tomato: '#FF6347', - turquoise: '#40E0D0', - violet: '#EE82EE', - wheat: '#F5DEB3', - whitesmoke: '#F5F5F5', - yellowgreen: '#9ACD32', - rebeccapurple: '#663399' - }.freeze - def convert_color_name_to_hex - color = params[:color] - color_name = color.strip.downcase - - return color if color_name.start_with?('#') - - COLOR_NAME_TO_HEX[color_name.to_sym] || color + ::Gitlab::Color.of(params[:color]) end end end diff --git a/app/services/security/merge_reports_service.rb b/app/services/security/merge_reports_service.rb index 5f6f98a3c39..a982ec7efe2 100644 
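Review bot: `convert_color_name_to_hex` no longer returns a hex String but whatever `::Gitlab::Color.of(params[:color])` returns, so the method name now promises a conversion it does not perform and any caller comparing the result with a `'#...'` literal would need `to_s`. Renaming it (for example `color_from_params`) or adding `# @return [::Gitlab::Color] colour parsed from params[:color]; name-to-hex lookup now lives in Gitlab::Color` keeps the contract readable. The previous body called `strip` on `params[:color]`, so a nil parameter raised NoMethodError; whether nil is now tolerated depends on `Gitlab::Color.of`, which is outside this chunk.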
--- a/app/services/security/merge_reports_service.rb +++ b/app/services/security/merge_reports_service.rb @@ -21,7 +21,10 @@ module Security source_reports.first.type, source_reports.first.pipeline, source_reports.first.created_at - ).tap { |report| report.errors = source_reports.flat_map(&:errors) } + ).tap do |report| + report.errors = source_reports.flat_map(&:errors) + report.warnings = source_reports.flat_map(&:warnings) + end end def copy_resources_to_target_report diff --git a/app/validators/color_validator.rb b/app/validators/color_validator.rb index 974dfbbf394..d108e4c5426 100644 --- a/app/validators/color_validator.rb +++ b/app/validators/color_validator.rb @@ -12,11 +12,13 @@ # end # class ColorValidator < ActiveModel::EachValidator - PATTERN = /\A\#(?:[0-9A-Fa-f]{3}){1,2}\Z/.freeze - def validate_each(record, attribute, value) - unless value =~ PATTERN - record.errors.add(attribute, "must be a valid color code") + case value + when NilClass then return + when ::Gitlab::Color then return if value.valid? + when ::String then return if ::Gitlab::Color.new(value).valid? end + + record.errors.add(attribute, "must be a valid color code") end end diff --git a/app/views/profiles/two_factor_auths/show.html.haml b/app/views/profiles/two_factor_auths/show.html.haml index aae6212f964..67f24383b17 100644 --- a/app/views/profiles/two_factor_auths/show.html.haml +++ b/app/views/profiles/two_factor_auths/show.html.haml 
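Review bot: The new `when NilClass then return` branch makes ColorValidator accept nil, which the old `value =~ PATTERN` check rejected; Label compensates with `presence: true` in this commit, but any other `validates :attr, color: true` declaration silently loses its nil rejection, so either keep nil on the error path or state the new behaviour in the usage comment at the top of the file, e.g. `# Accepts nil; pair with presence: true when the colour is mandatory`. Validity is now delegated to `Gitlab::Color#valid?`, defined outside this chunk; since the dropped PATTERN was anchored with `\Z`, which tolerates a trailing newline, it is worth confirming that the replacement anchors the whole string with `\A...\z`.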
@@ -113,7 +113,7 @@ %span.gl-text-gray-500 = _("no name set") %td= registration[:created_at].to_date.to_s(:medium) - %td= link_to _('Delete'), registration[:delete_path], method: :delete, class: "gl-button btn btn-danger float-right", data: { confirm: _('Are you sure you want to delete this device? This action cannot be undone.') } + %td= link_to _('Delete'), registration[:delete_path], method: :delete, class: "gl-button btn btn-danger float-right", data: { confirm: _('Are you sure you want to delete this device? This action cannot be undone.'), confirm_btn_variant: "danger" }, aria: { label: _('Delete') } - else .settings-message.text-center diff --git a/config/feature_flags/development/enforce_security_report_validation.yml b/config/feature_flags/development/show_report_validation_warnings.yml similarity index 71% rename from config/feature_flags/development/enforce_security_report_validation.yml rename to config/feature_flags/development/show_report_validation_warnings.yml index ada5863b4d7..b184deecc0b 100644 --- a/config/feature_flags/development/enforce_security_report_validation.yml +++ b/config/feature_flags/development/show_report_validation_warnings.yml @@ -1,8 +1,8 @@ --- -name: enforce_security_report_validation -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/79798 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351000 -milestone: '14.8' +name: show_report_validation_warnings +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/80930 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353125 +milestone: '14.9' type: development group: group::threat insights default_enabled: false diff --git a/db/migrate/20220204193000_add_integrations_encrypted_properties.rb b/db/migrate/20220204193000_add_integrations_encrypted_properties.rb new file mode 100644 index 00000000000..7df88b68657 --- /dev/null +++ b/db/migrate/20220204193000_add_integrations_encrypted_properties.rb 
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class AddIntegrationsEncryptedProperties < Gitlab::Database::Migration[1.0]
+ def change
+ add_column :integrations, :encrypted_properties, :binary
+ add_column :integrations, :encrypted_properties_iv, :binary
+ end
+end
diff --git a/db/post_migrate/20220204194347_encrypt_integration_properties.rb b/db/post_migrate/20220204194347_encrypt_integration_properties.rb
new file mode 100644
index 00000000000..82dd3a05e1d
--- /dev/null
+++ b/db/post_migrate/20220204194347_encrypt_integration_properties.rb
@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+class EncryptIntegrationProperties < Gitlab::Database::Migration[1.0]
+ disable_ddl_transaction!
+ MIGRATION = 'EncryptIntegrationProperties'
+ BATCH_SIZE = 1_000
+ INTERVAL = 2.minutes.to_i
+
+ def up
+ queue_background_migration_jobs_by_range_at_intervals(
+ define_batchable_model('integrations').all,
+ MIGRATION,
+ INTERVAL,
+ track_jobs: true,
+ batch_size: BATCH_SIZE
+ )
+ end
+
+ def down
+ # this migration is not reversible
+ end
+end
diff --git a/db/schema_migrations/20220204193000 b/db/schema_migrations/20220204193000
new file mode 100644
index 00000000000..f0d16b9671c
--- /dev/null
+++ b/db/schema_migrations/20220204193000
@@ -0,0 +1 @@
+9d98618a1e9fd0474c45ac54420fc64a1d90ad77f36be594337e5b117fccdadb
\ No newline at end of file
diff --git a/db/schema_migrations/20220204194347 b/db/schema_migrations/20220204194347
new file mode 100644
index 00000000000..d506497e036
--- /dev/null
+++ b/db/schema_migrations/20220204194347
@@ -0,0 +1 @@
+1593e935601ae1f2ab788109687bb40bad026f3f425339a39c8d13d3e4c7e306
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 8437f9bb2b5..357e332ee39 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -16093,6 +16093,8 @@ CREATE TABLE integrations ( type_new text, vulnerability_events boolean DEFAULT false NOT NULL, archive_trace_events boolean DEFAULT false NOT NULL, + encrypted_properties bytea, + encrypted_properties_iv bytea, CONSTRAINT check_a948a0aa7e CHECK ((char_length(type_new) <= 255)) ); diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 33c45443f69..36c4465add5 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -15255,6 +15255,7 @@ Represents the security scan information. | ---- | ---- | ----------- | | `errors` | [`[String!]!`](#string) | List of errors. | | `name` | [`String!`](#string) | Name of the scan. | +| `warnings` | [`[String!]!`](#string) | List of warnings. | ### `ScanExecutionPolicy` @@ -19814,8 +19815,8 @@ Input type for DastSiteProfile authentication. | ---- | ---- | ----------- | | `baseSha` | [`String`](#string) | Merge base of the branch the comment was made on. | | `headSha` | [`String!`](#string) | SHA of the HEAD at the time the comment was made. | -| `newLine` | [`Int`](#int) | Line on HEAD SHA that was changed. | -| `oldLine` | [`Int`](#int) | Line on start SHA that was changed. | +| `newLine` | [`Int`](#int) | Line on HEAD SHA that was changed. Please see the [REST API Documentation](https://docs.gitlab.com/ee/api/discussions.html#create-a-new-thread-in-the-merge-request-diff) for more information on how to use this field. | +| `oldLine` | [`Int`](#int) | Line on start SHA that was changed. Please see the [REST API Documentation](https://docs.gitlab.com/ee/api/discussions.html#create-a-new-thread-in-the-merge-request-diff) for more information on how to use this field. | | `paths` | [`DiffPathsInput!`](#diffpathsinput) | The paths of the file that was changed. Both of the properties of this input are optional, but at least one of them is required. | | `startSha` | [`String!`](#string) | SHA of the branch being compared against. | 
diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index 8d77467d1b5..bc876667f8d 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md @@ -460,8 +460,7 @@ parameter when using `check_allowed_absolute_path!()`. To use a combination of both checks, follow the example below: ```ruby -path = Gitlab::Utils.check_path_traversal!(path) -Gitlab::Utils.check_allowed_absolute_path!(path, path_allowlist) +Gitlab::Utils.check_allowed_absolute_path_and_path_traversal!(path, path_allowlist) ``` In the REST API, we have the [`FilePath`](https://gitlab.com/gitlab-org/security/gitlab/-/blob/master/lib/api/validations/validators/file_path.rb) diff --git a/doc/security/two_factor_authentication.md b/doc/security/two_factor_authentication.md index d0842ddb103..cab9f6a957e 100644 --- a/doc/security/two_factor_authentication.md +++ b/doc/security/two_factor_authentication.md @@ -33,10 +33,10 @@ To enable 2FA for all users: If you want 2FA enforcement to take effect during the next sign-in attempt, change the grace period to `0`. -## Disable 2FA enforcement through rails console +## Disable 2FA enforcement through Rails console -Using the [rails console](../administration/operations/rails_console.md), enforcing 2FA for -all user can be disabled. Connect to the rails console and run: +Using the [Rails console](../administration/operations/rails_console.md), enforcing 2FA for +all user can be disabled. Connect to the Rails console and run: ```ruby Gitlab::CurrentSettings.update!('require_two_factor_authentication': false) 
@@ -108,13 +108,10 @@ reactivate 2FA from scratch if they want to use it again. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/270554) in GitLab 13.7. > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/299088) from GitLab Free to GitLab Premium in 13.9. -> - It's [deployed behind a feature flag](../user/feature_flags.md), disabled by default. -> - It's disabled on GitLab.com. -> - It's not recommended for production use. -> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-2fa-for-git-operations). +> - It's deployed behind a feature flag, disabled by default. -WARNING: -This feature might not be available to you. Check the **version history** note above for details. +FLAG: +On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the feature flag](../administration/feature_flags.md) named `two_factor_for_cli`. On GitLab.com, this feature is not available. The feature is not ready for production use. This feature flag also affects [session duration for Git Operations when 2FA is enabled](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled). Two-factor authentication can be enforced for Git over SSH operations. However, we recommend using [ED25519_SK](../ssh/index.md#ed25519_sk-ssh-keys) or [ECDSA_SK](../ssh/index.md#ecdsa_sk-ssh-keys) SSH keys instead. 
@@ -135,30 +132,6 @@ After the OTP is verified, Git over SSH operations can be used for a session dur Once an OTP is verified, anyone can run Git over SSH with that private SSH key for the configured [session duration](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled). -### Enable or disable 2FA for Git operations - -2FA for Git operations is under development and not -ready for production use. It is deployed behind a feature flag that is -**disabled by default**. [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md) -can enable it. - -To enable it: - -```ruby -Feature.enable(:two_factor_for_cli) -``` - -To disable it: - -```ruby -Feature.disable(:two_factor_for_cli) -``` - -The feature flag affects these features: - -- [Two-factor Authentication (2FA) for Git over SSH operations](#2fa-for-git-over-ssh-operations). -- [Customize session duration for Git Operations when 2FA is enabled](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled). -