From 48d9e7ff8ddfe152686d450fa5ac511f12d42d5b Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 12 May 2022 03:08:58 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- .rubocop_todo/database/multiple_databases.yml | 1 - .../components/service_desk_setting.vue | 22 +++-- app/graphql/types/ci/runner_status_enum.rb | 7 +- app/models/ci/runner.rb | 4 +- .../concerns/bulk_member_access_load.rb | 5 ++ app/models/project_team.rb | 4 + .../members/projects/creator_service.rb | 15 ++-- app/services/projects/create_service.rb | 7 ++ .../initializers/active_record_lifecycle.rb | 8 +- ..._api_new_stale_status_breaking_change.yml} | 7 +- doc/administration/gitaly/praefect.md | 31 +++++-- doc/api/graphql/reference/index.md | 4 +- doc/update/deprecations.md | 17 ---- doc/update/removals.md | 15 ++++ .../vulnerabilities/index.md | 2 +- .../vulnerability_report/index.md | 87 +++++++++++-------- lib/gitlab/safe_request_purger.rb | 37 ++++++++ .../components/service_desk_setting_spec.js | 6 +- spec/lib/gitlab/safe_request_purger_spec.rb | 73 ++++++++++++++++ spec/models/ci/runner_spec.rb | 9 +- spec/models/project_team_spec.rb | 16 ++++ spec/requests/api/graphql/ci/runner_spec.rb | 4 +- spec/services/projects/create_service_spec.rb | 2 +- 23 files changed, 280 insertions(+), 103 deletions(-) rename data/{deprecations/14-6-runner_api_new_stale_status_breaking_change.yml => removals/15_0/15-0-runner_api_new_stale_status_breaking_change.yml} (68%) create mode 100644 lib/gitlab/safe_request_purger.rb create mode 100644 spec/lib/gitlab/safe_request_purger_spec.rb diff --git a/.rubocop_todo/database/multiple_databases.yml b/.rubocop_todo/database/multiple_databases.yml index 7cc54a5b373..08ce72f7f51 100644 --- a/.rubocop_todo/database/multiple_databases.yml +++ b/.rubocop_todo/database/multiple_databases.yml @@ -2,7 +2,6 @@ Database/MultipleDatabases: Exclude: - 'config/initializers/active_record_data_types.rb' - - 'config/initializers/active_record_lifecycle.rb' - 'config/initializers/sidekiq.rb' - 'db/post_migrate/20210317104032_set_iteration_cadence_automatic_to_false.rb' - 'db/post_migrate/20210811122206_update_external_project_bots.rb' diff --git a/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue b/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue index 05c1f2d4a1e..8a9a0b541f3 100644 --- a/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue +++ b/app/assets/javascripts/projects/settings_service_desk/components/service_desk_setting.vue @@ -270,18 +270,16 @@ export default { -
- - {{ __('Save changes') }} - -
+ + {{ __('Save changes') }} + diff --git a/app/graphql/types/ci/runner_status_enum.rb b/app/graphql/types/ci/runner_status_enum.rb index 9ba680975f4..e8bd3d15a54 100644 --- a/app/graphql/types/ci/runner_status_enum.rb +++ b/app/graphql/types/ci/runner_status_enum.rb @@ -28,12 +28,13 @@ module Types value: :online value 'OFFLINE', - description: "Runner that has not contacted this instance within the last #{::Ci::Runner::ONLINE_CONTACT_TIMEOUT.inspect}.", - deprecated: { reason: 'This field will have a slightly different scope starting in 15.0, with STALE being returned after a certain period offline', milestone: '14.6' }, + description: "Runner that has not contacted this instance within the " \ + "last #{::Ci::Runner::ONLINE_CONTACT_TIMEOUT.inspect}. Will be considered `STALE` if offline for " \ + "more than #{::Ci::Runner::STALE_TIMEOUT.inspect}.", value: :offline value 'STALE', - description: "Runner that has not contacted this instance within the last #{::Ci::Runner::STALE_TIMEOUT.inspect}. Only available if legacyMode is null. Will be a possible return value starting in 15.0.", + description: "Runner that has not contacted this instance within the last #{::Ci::Runner::STALE_TIMEOUT.inspect}.", value: :stale value 'NEVER_CONTACTED', diff --git a/app/models/ci/runner.rb b/app/models/ci/runner.rb index 53cf7c080ad..7a1d52f5aea 100644 --- a/app/models/ci/runner.rb +++ b/app/models/ci/runner.rb @@ -60,7 +60,7 @@ module Ci AVAILABLE_TYPES_LEGACY = %w[specific shared].freeze AVAILABLE_TYPES = runner_types.keys.freeze - AVAILABLE_STATUSES = %w[active paused online offline never_contacted stale].freeze # TODO: Remove in %16.0: active, paused. Relevant issues: https://gitlab.com/gitlab-org/gitlab/-/issues/347303, https://gitlab.com/gitlab-org/gitlab/-/issues/344648 + AVAILABLE_STATUSES = %w[active paused online offline never_contacted stale].freeze # TODO: Remove in %16.0: active, paused. Relevant issue: https://gitlab.com/gitlab-org/gitlab/-/issues/344648 AVAILABLE_SCOPES = (AVAILABLE_TYPES_LEGACY + AVAILABLE_TYPES + AVAILABLE_STATUSES).freeze FORM_EDITABLE = %i[description tag_list active run_untagged locked access_level maximum_timeout_human_readable].freeze @@ -336,6 +336,8 @@ module Ci # DEPRECATED # TODO Remove in %16.0 in favor of `status` for REST calls, see https://gitlab.com/gitlab-org/gitlab/-/issues/344648 def deprecated_rest_status + return :stale if stale? + if contacted_at.nil? :never_contacted elsif active? diff --git a/app/models/concerns/bulk_member_access_load.rb b/app/models/concerns/bulk_member_access_load.rb index efc65e55e40..c3aa3019abb 100644 --- a/app/models/concerns/bulk_member_access_load.rb +++ b/app/models/concerns/bulk_member_access_load.rb @@ -12,6 +12,11 @@ module BulkMemberAccessLoad end end + def purge_resource_id_from_request_store(resource_klass, resource_id) + Gitlab::SafeRequestPurger.execute(resource_key: max_member_access_for_resource_key(resource_klass), + resource_ids: [resource_id]) + end + def max_member_access_for_resource_key(klass) "max_member_access_for_#{klass.name.underscore.pluralize}:#{self.class}:#{self.id}" end diff --git a/app/models/project_team.rb b/app/models/project_team.rb index 4b89d95c1a3..bb5363598df 100644 --- a/app/models/project_team.rb +++ b/app/models/project_team.rb @@ -193,6 +193,10 @@ class ProjectTeam project.merge_value_to_request_store(User, user_id, project_access_level) end + def purge_member_access_cache_for_user_id(user_id) + project.purge_resource_id_from_request_store(User, user_id) + end + def max_member_access(user_id) max_member_access_for_user_ids([user_id])[user_id] end diff --git a/app/services/members/projects/creator_service.rb b/app/services/members/projects/creator_service.rb index d92fe60c54a..9e9389d3c18 100644 --- a/app/services/members/projects/creator_service.rb +++ b/app/services/members/projects/creator_service.rb @@ -6,16 +6,11 @@ module Members private def can_create_new_member? - # order is important here! - # The `admin_project_member` check has side-effects that causes projects not be created if this area is hit - # during project creation. - # Call that triggers is current_user.can?(:admin_project_member, member.project) - # I tracked back to base_policy.rb admin check and specifically in - # Gitlab::Auth::CurrentUserMode.new(@user).admin_mode? call. - # This calls user.admin? and that specific call causes issues with project creation in - # spec/requests/api/projects_spec.rb specs and others, mostly around project creation. - # https://gitlab.com/gitlab-org/gitlab/-/issues/358931 for investigation - adding_the_creator_as_owner_in_a_personal_project? || current_user.can?(:admin_project_member, member.project) + # This access check(`admin_project_member`) will write to safe request store cache for the user being added. + # This means any operations inside the same request will need to purge that safe request + # store cache if operations are needed to be done inside the same request that checks max member access again on + # that user. + current_user.can?(:admin_project_member, member.project) || adding_the_creator_as_owner_in_a_personal_project? end def can_update_existing_member? diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb index b051efcde94..c7f284bec9b 100644 --- a/app/services/projects/create_service.rb +++ b/app/services/projects/create_service.rb @@ -161,6 +161,13 @@ module Projects ) else @project.add_owner(@project.namespace.owner, current_user: current_user) + # During the process of adding a project owner, a check on permissions is made on the user which caches + # the max member access for that user on this project. + # Since that is `0` before the member is created - and we are still inside the request + # cycle when we need to do other operations that might check those permissions (e.g. write a commit) + # we need to purge that cache so that the updated permissions is fetched instead of using the outdated cached value of 0 + # from before member creation + @project.team.purge_member_access_cache_for_user_id(@project.namespace.owner.id) end end diff --git a/config/initializers/active_record_lifecycle.rb b/config/initializers/active_record_lifecycle.rb index 92cc1d81617..73df2b41a04 100644 --- a/config/initializers/active_record_lifecycle.rb +++ b/config/initializers/active_record_lifecycle.rb @@ -5,7 +5,9 @@ if defined?(ActiveRecord::Base) && !Gitlab::Runtime.sidekiq? Gitlab::Cluster::LifecycleEvents.on_worker_start do ActiveSupport.on_load(:active_record) do - ActiveRecord::Base.establish_connection # rubocop: disable Database/EstablishConnection + # rubocop:disable Database/MultipleDatabases + ActiveRecord::Base.establish_connection # rubocop:disable Database/EstablishConnection + # rubocop:enable Database/MultipleDatabases Gitlab::AppLogger.debug("ActiveRecord connection established") end @@ -18,8 +20,8 @@ if defined?(ActiveRecord::Base) # the following is highly recommended for Rails + "preload_app true" # as there's no need for the master process to hold a connection - ActiveRecord::Base.connection.disconnect! + ActiveRecord::Base.clear_all_connections! # rubocop:disable Database/MultipleDatabases - Gitlab::AppLogger.debug("ActiveRecord connection disconnected") + Gitlab::AppLogger.debug("ActiveRecord connections disconnected") end end diff --git a/data/deprecations/14-6-runner_api_new_stale_status_breaking_change.yml b/data/removals/15_0/15-0-runner_api_new_stale_status_breaking_change.yml similarity index 68% rename from data/deprecations/14-6-runner_api_new_stale_status_breaking_change.yml rename to data/removals/15_0/15-0-runner_api_new_stale_status_breaking_change.yml index 0f21318d329..905bc3befce 100644 --- a/data/deprecations/14-6-runner_api_new_stale_status_breaking_change.yml +++ b/data/removals/15_0/15-0-runner_api_new_stale_status_breaking_change.yml @@ -5,9 +5,12 @@ removal_date: "2022-05-22" breaking_change: true body: | # Do not modify this line, instead modify the lines below. - A breaking change will occur for the Runner [API](https://docs.gitlab.com/ee/api/runners.html#runners-api) endpoints in 15.0. + A breaking change was made to the Runner [API](https://docs.gitlab.com/ee/api/runners.html#runners-api) endpoints + in 15.0. - Instead of the GitLab Runner API endpoints returning `offline` and `not_connected` for runners that have not contacted the GitLab instance in the past three months, the API endpoints will return the `stale` value, which was introduced in 14.6. + Instead of the GitLab Runner API endpoints returning `offline` and `not_connected` for runners that have not + contacted the GitLab instance in the past three months, the API endpoints now return the `stale` value, + which was introduced in 14.6. stage: Verify tiers: [Core, Premium, Ultimate] issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/347303 diff --git a/doc/administration/gitaly/praefect.md b/doc/administration/gitaly/praefect.md index 6083b9e1dd8..bd986b75142 100644 --- a/doc/administration/gitaly/praefect.md +++ b/doc/administration/gitaly/praefect.md @@ -1245,12 +1245,14 @@ workers from verifying the same replica concurrently. The worker releases the le Praefect contains a background goroutine that releases stale leases every 10 seconds when workers are terminated for some reason without releasing the lease. -The worker logs each of the metadata removals prior to executing them. For example: +The worker logs each of the metadata removals prior to executing them. The `perform_deletions` key +indicates whether the invalid metadata records are actually deleted or not. For example: ```json { "level": "info", "msg": "removing metadata records of non-existent replicas", + "perform_deletions": false, "replicas": { "default": { "@hashed/6b/86/6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b.git": [ @@ -1261,15 +1263,15 @@ The worker logs each of the metadata removals prior to executing them. For examp } ``` -### Enable verification worker +### Configure the verification worker -The worker is disabled by default. It can be enabled by configuring the verification interval. The interval -accepts any valid [Go duration string](https://pkg.go.dev/time#ParseDuration). +The worker is enabled by default and verifies the metadata records every seven days. The verification +interval is configurable with any valid [Go duration string](https://pkg.go.dev/time#ParseDuration). -To enable the worker and verify replicas every 7 days: +To verify the metadata every three days: ```ruby -praefect['background_verification_verification_interval'] = '168h' +praefect['background_verification_verification_interval'] = '72h' ``` Values of 0 and below disable the background verifier. @@ -1278,6 +1280,23 @@ Values of 0 and below disable the background verifier. praefect['background_verification_verification_interval'] = '0' ``` +#### Enable deletions + +WARNING: +Deletions are disabled by default due to a race condition with repository renames that can cause incorrect +deletions. This is especially prominent in Geo instances as Geo performs more renames than instances without Geo. +See [Handle repository creations, deletions and renames atomically](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/4101) +for progress on a fix. We do not recommend enabling the deletions until this is fixed. + +By default, the worker does not delete invalid metadata records but simply logs them and outputs Prometheus +metrics for them. + +You can enable deleting invalid metadata records with: + +```ruby +praefect['background_verification_delete_invalid_records'] = true +``` + ### Prioritize verification manually You can prioritize verification of some replicas ahead of their next scheduled verification time. diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 477936d8ed0..2c12f99ad06 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -17994,10 +17994,10 @@ Values for sorting runners. | ----- | ----------- | | `ACTIVE` **{warning-solid}** | **Deprecated** in 14.6. This was renamed. Use: [`CiRunner.paused`](#cirunnerpaused). | | `NEVER_CONTACTED` | Runner that has never contacted this instance. | -| `OFFLINE` **{warning-solid}** | **Deprecated** in 14.6. This field will have a slightly different scope starting in 15.0, with STALE being returned after a certain period offline. | +| `OFFLINE` | Runner that has not contacted this instance within the last 2 hours. Will be considered `STALE` if offline for more than 3 months. | | `ONLINE` | Runner that contacted this instance within the last 2 hours. | | `PAUSED` **{warning-solid}** | **Deprecated** in 14.6. This was renamed. Use: [`CiRunner.paused`](#cirunnerpaused). | -| `STALE` | Runner that has not contacted this instance within the last 3 months. Only available if legacyMode is null. Will be a possible return value starting in 15.0. | +| `STALE` | Runner that has not contacted this instance within the last 3 months. | ### `CiRunnerType` diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 2e104ea79d9..c626ca094fb 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -1433,23 +1433,6 @@ The `merged_by` field in the [merge request API](https://docs.gitlab.com/ee/api/
-### API: `stale` status returned instead of `offline` or `not_connected` - -WARNING: -This feature will be changed or removed in 15.0 -as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). -Before updating GitLab, review the details carefully to determine if you need to make any -changes to your code, settings, or workflow. - -A breaking change will occur for the Runner [API](https://docs.gitlab.com/ee/api/runners.html#runners-api) endpoints in 15.0. - -Instead of the GitLab Runner API endpoints returning `offline` and `not_connected` for runners that have not contacted the GitLab instance in the past three months, the API endpoints will return the `stale` value, which was introduced in 14.6. - -**Planned removal milestone: 15.0 (2022-05-22)** -
- -
- ### CI/CD job name length limit WARNING: diff --git a/doc/update/removals.md b/doc/update/removals.md index b796d70cea9..e1d87ef4616 100644 --- a/doc/update/removals.md +++ b/doc/update/removals.md @@ -30,6 +30,21 @@ For removal reviewers (Technical Writers only): ## 15.0 +### API: `stale` status returned instead of `offline` or `not_connected` + +WARNING: +This feature was changed or removed in 15.0 +as a [breaking change](https://docs.gitlab.com/ee/development/contributing/#breaking-changes). +Before updating GitLab, review the details carefully to determine if you need to make any +changes to your code, settings, or workflow. + +A breaking change was made to the Runner [API](https://docs.gitlab.com/ee/api/runners.html#runners-api) endpoints +in 15.0. + +Instead of the GitLab Runner API endpoints returning `offline` and `not_connected` for runners that have not +contacted the GitLab instance in the past three months, the API endpoints now return the `stale` value, +which was introduced in 14.6. + ### Background upload for object storage WARNING: diff --git a/doc/user/application_security/vulnerabilities/index.md b/doc/user/application_security/vulnerabilities/index.md index 18b99e06299..87344e4ff65 100644 --- a/doc/user/application_security/vulnerabilities/index.md +++ b/doc/user/application_security/vulnerabilities/index.md @@ -42,7 +42,7 @@ A vulnerability's status can be one of the following: | Dismissed | A user has seen this vulnerability and dismissed it because it is not accurate or otherwise not to be resolved. | | Resolved | The vulnerability has been fixed or is no longer present. | -Dismissed vulnerabilities are ignored if detected in subsequent scans. Resolved vulnerabilities that are reintroduced and detected by subsequent scans have a _new_ vulnerability record created. When an existing vulnerability is no longer detected in a project's `default` branch, you should change its status to Resolved. This ensures that if it is accidentally reintroduced in a future merge, it will be visible again as a new record. You can use the [Activity filter](../vulnerability_report/#activity-filter) to select all vulnerabilities that are no longer detected, and [change their status](../vulnerability_report#change-status-of-multiple-vulnerabilities). +Dismissed vulnerabilities are ignored if detected in subsequent scans. Resolved vulnerabilities that are reintroduced and detected by subsequent scans have a _new_ vulnerability record created. When an existing vulnerability is no longer detected in a project's `default` branch, you should change its status to Resolved. This ensures that if it is accidentally reintroduced in a future merge, it will be visible again as a new record. You can use the [Activity filter](../vulnerability_report/#activity-filter) to select all vulnerabilities that are no longer detected, and [change their status](../vulnerability_report#change-status-of-vulnerabilities). ## Change vulnerability status diff --git a/doc/user/application_security/vulnerability_report/index.md b/doc/user/application_security/vulnerability_report/index.md index cda9c4eccf0..e499ddbbd6b 100644 --- a/doc/user/application_security/vulnerability_report/index.md +++ b/doc/user/application_security/vulnerability_report/index.md @@ -34,13 +34,18 @@ in that row: > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/6165) in GitLab 11.1. -The project-level Vulnerability Report also contains: +At the project level, the Vulnerability Report also contains: - A time stamp showing when it was updated, including a link to the latest pipeline. - The number of failures that occurred in the most recent pipeline. Select the failure notification to view the **Failed jobs** tab of the pipeline's page. -To access the report, navigate to **Security & Compliance > Vulnerability Report**. +### View the project-level vulnerability report + +To view the project-level vulnerability report: + +1. On the top bar, select **Menu > Projects** and find your project. +1. On the left sidebar, select **Security & Compliance > Vulnerability report**. ## Vulnerability Report actions @@ -56,17 +61,22 @@ From the Vulnerability Report you can: ## Vulnerability Report filters -You can filter the vulnerabilities table by: +You can filter the Vulnerability Report to narrow focus on only vulnerabilities matching specific +criteria. + +The available filters are: -| Filter | Available options | -|:---------|:------------------| -| Status | Detected, Confirmed, Dismissed, Resolved. | -| Severity | Critical, High, Medium, Low, Info, Unknown. | -| Tool | For more details, see [Tool filter](#tool-filter). | -| Project | For more details, see [Project filter](#project-filter). | -| Activity | For more details, see [Activity filter](#activity-filter). | +- **Status**: Detected, Confirmed, Dismissed, Resolved. +- **Severity**: Critical, High, Medium, Low, Info, Unknown. +- **Tool**: For more details, see [Tool filter](#tool-filter). +- **Project**: For more details, see [Project filter](#project-filter). +- **Activity**: For more details, see [Activity filter](#activity-filter). + +The filters' criteria are combined to show only vulnerabilities matching all criteria. +An exception to this behavior is the Activity filter. For more details about how it works, see +[Activity filter](#activity-filter). @@ -75,7 +85,7 @@ You can filter the vulnerabilities table by: To filter the list of vulnerabilities: 1. Select a filter. -1. Select values from the dropdown. +1. Select values from the dropdown list. 1. Repeat the above steps for each desired filter. After each filter is selected: @@ -83,11 +93,9 @@ After each filter is selected: - The list of matching vulnerabilities is updated. - The vulnerability severity totals are updated. -The filters' criteria are combined to show only vulnerabilities matching all criteria. -An exception to this behavior is the Activity filter. For more details about how it works, see -[Activity filter](#activity-filter). +### Tool filter -## Tool filter +> The third-party tool filter was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229661) in GitLab 13.12. The tool filter allows you to focus on vulnerabilities detected by selected tools. @@ -95,7 +103,7 @@ When using the tool filter, you can choose: - **All tools** (default). - Individual GitLab-provided tools. -- Any integrated 3rd-party tool. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/229661) in GitLab 13.12. +- Any integrated third-party tool. For details of each of the available tools, see [Security scanning tools](../index.md#security-scanning-tools). @@ -103,11 +111,9 @@ For details of each of the available tools, see [Security scanning tools](../ind The content of the Project filter depends on the current level: -| Level | Content of the Project filter | -|:---------------|:------------------------------| -| Security Center | Only projects you've [added to your personal Security Center](../security_dashboard/index.md#add-projects-to-the-security-center). | -| Group level | All projects in the group. | -| Project level | Not applicable. | +- **Security Center**: Only projects you've [added to your personal Security Center](../security_dashboard/index.md#add-projects-to-the-security-center). +- **Group level**: All projects in the group. +- **Project level**: Not applicable. ### Activity filter @@ -119,13 +125,11 @@ all options can be selected in combination. Selection behavior when using the Activity filter: -| Activity selection | Results displayed | -|:------------------------------------|:------------------| -| All | Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this deselects any other Activity filter options. | -| No activity | Only vulnerabilities without either an associated Issue or that are no longer detected. Selecting this deselects any other Activity filter options. | -| With issues | Only vulnerabilities with one or more associated issues. Does not include vulnerabilities that also are no longer detected. | -| No longer detected | Only vulnerabilities that are no longer detected in the latest pipeline scan of the `default` branch. Does not include vulnerabilities with one or more associated issues. | -| With issues and No longer detected | Only vulnerabilities that have one or more associated issues and also are no longer detected in the latest pipeline scan of the `default` branch. | +- **All**: Vulnerabilities with any Activity status (same as ignoring this filter). Selecting this deselects any other Activity filter options. +- **No activity**: Only vulnerabilities without either an associated issue or that are no longer detected. Selecting this deselects any other Activity filter options. +- **With issues**: Only vulnerabilities with one or more associated issues. Does not include vulnerabilities that also are no longer detected. +- **No longer detected**: Only vulnerabilities that are no longer detected in the latest pipeline scan of the `default` branch. Does not include vulnerabilities with one or more associated issues. +- **With issues** and **No longer detected**: Only vulnerabilities that have one or more associated issues and also are no longer detected in the latest pipeline scan of the `default` branch. ## View details of a vulnerability @@ -155,23 +159,32 @@ If Jira issue support is enabled, the issue link found in the Activity entry lin > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292636) in GitLab 13.10, all statuses became selectable. +From the Vulnerability Report you can change the status of one or more vulnerabilities. + To change the status of vulnerabilities in the table: -1. Select the checkbox for each vulnerability you want to update the status of. -1. In the dropdown that appears select the desired status, then select **Change status**. +1. Select the checkbox beside each vulnerability you want to update the status of. To select all, + select the checkbox in the table header. +1. In the **Set status** dropdown list, select the desired status. +1. Select **Change status**. ![Project Vulnerability Report](img/project_security_dashboard_status_change_v14_2.png) -### Change status of multiple vulnerabilities +## Dismissing a vulnerability -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/35816) in GitLab 12.9. +When you evaluate a vulnerability and decide it requires no more action, you can mark it +as **Dismissed**. Dismissed vulnerabilities don't appear in the merge request security widget +when detected in future scans. -You can change the status of multiple vulnerabilities at once: +When a vulnerability is dismissed, a record is made of: -1. In the list of vulnerabilities, select the checkbox for each vulnerability you want to update. - To select all, select the checkbox in the table header. -1. Above the table, select a new status. -1. Click **Change status** to save. +- Who dismissed it. +- Date and time when it was dismissed. +- Optionally, a reason why it was dismissed. + +Vulnerability records cannot be deleted, so a permanent record always remains. + +If a vulnerability is dismissed in error, reverse the dismissal by changing its status. ## Export vulnerability details diff --git a/lib/gitlab/safe_request_purger.rb b/lib/gitlab/safe_request_purger.rb new file mode 100644 index 00000000000..b8795f1cc88 --- /dev/null +++ b/lib/gitlab/safe_request_purger.rb @@ -0,0 +1,37 @@ +# frozen_string_literal: true + +module Gitlab + class SafeRequestPurger + def self.execute(args) + new(**args).execute + end + + def initialize(resource_key:, resource_ids:) + @resource_key = resource_key + @resource_ids = resource_ids.uniq + @resource_data = {} + end + + def execute + load_resource_data + purge_resource_ids + write_resource_data_to_store + end + + private + + attr_reader :resource_key, :resource_ids, :resource_data + + def load_resource_data + @resource_data = Gitlab::SafeRequestStore.fetch(resource_key) { resource_data } + end + + def purge_resource_ids + @resource_data.delete_if { |id| resource_ids.include?(id) } + end + + def write_resource_data_to_store + Gitlab::SafeRequestStore.write(resource_key, resource_data) + end + end +end diff --git a/spec/frontend/projects/settings_service_desk/components/service_desk_setting_spec.js b/spec/frontend/projects/settings_service_desk/components/service_desk_setting_spec.js index 57e515723e5..aac1a418142 100644 --- a/spec/frontend/projects/settings_service_desk/components/service_desk_setting_spec.js +++ b/spec/frontend/projects/settings_service_desk/components/service_desk_setting_spec.js @@ -165,8 +165,12 @@ describe('ServiceDeskSetting', () => { describe('save button', () => { it('renders a save button to save a template', () => { wrapper = createComponent(); + const saveButton = findButton(); - expect(findButton().text()).toContain('Save changes'); + expect(saveButton.text()).toContain('Save changes'); + expect(saveButton.props()).toMatchObject({ + variant: 'confirm', + }); }); it('emits a save event with the chosen template when the save button is clicked', async () => { diff --git a/spec/lib/gitlab/safe_request_purger_spec.rb b/spec/lib/gitlab/safe_request_purger_spec.rb new file mode 100644 index 00000000000..02f3f11d469 --- /dev/null +++ b/spec/lib/gitlab/safe_request_purger_spec.rb @@ -0,0 +1,73 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Gitlab::SafeRequestPurger do + let(:resource_key) { '_key_' } + let(:resource_ids) { ['foo'] } + let(:args) { { resource_key: resource_key, resource_ids: resource_ids } } + let(:resource_data) { { 'foo' => 'bar' } } + + before do + Gitlab::SafeRequestStore[resource_key] = resource_data + end + + describe '.execute', :request_store do + subject(:execute_instance) { described_class.execute(**args) } + + it 'purges an entry from the store' do + execute_instance + + expect(Gitlab::SafeRequestStore.fetch(resource_key)).to be_empty + end + end + + describe '#execute' do + subject(:execute_instance) { described_class.new(**args).execute } + + context 'when request store is active', :request_store do + it 'purges an entry from the store' do + execute_instance + + expect(Gitlab::SafeRequestStore.fetch(resource_key)).to be_empty + end + + context 'when there are multiple resource_ids to purge' do + let(:resource_data) do + { + 'foo' => 'bar', + 'two' => '_two_', + 'three' => '_three_', + 'four' => '_four_' + } + end + + let(:resource_ids) { %w[two three] } + + it 'purges an entry from the store' do + execute_instance + + expect(Gitlab::SafeRequestStore.fetch(resource_key)).to eq resource_data.slice('foo', 'four') + end + end + + context 'when there is no matching resource_ids' do + let(:resource_ids) { ['_bogus_resource_id_'] } + + it 'purges an entry from the store' do + execute_instance + + expect(Gitlab::SafeRequestStore.fetch(resource_key)).to eq resource_data + end + end + end + + context 'when request store is not active' do + let(:resource_ids) { ['_bogus_resource_id_'] } + + it 'does offer the ability to interact with data store' do + expect(execute_instance).to eq({}) + end + end + end +end diff --git a/spec/models/ci/runner_spec.rb b/spec/models/ci/runner_spec.rb index 2983034868c..8a1dcbfbdeb 100644 --- a/spec/models/ci/runner_spec.rb +++ b/spec/models/ci/runner_spec.rb @@ -838,7 +838,7 @@ RSpec.describe Ci::Runner do context 'with legacy_mode enabled' do let(:legacy_mode) { '14.5' } - it { is_expected.to eq(:never_contacted) } + it { is_expected.to eq(:stale) } end context 'with legacy_mode disabled' do @@ -895,7 +895,7 @@ RSpec.describe Ci::Runner do context 'with legacy_mode enabled' do let(:legacy_mode) { '14.5' } - it { is_expected.to eq(:offline) } + it { is_expected.to eq(:stale) } end context 'with legacy_mode disabled' do @@ -905,7 +905,7 @@ RSpec.describe Ci::Runner do end describe '#deprecated_rest_status' do - let(:runner) { build(:ci_runner, :instance, contacted_at: 1.second.ago) } + let(:runner) { create(:ci_runner, :instance, contacted_at: 1.second.ago) } subject { runner.deprecated_rest_status } @@ -927,10 +927,11 @@ RSpec.describe Ci::Runner do context 'contacted long time ago' do before do + runner.created_at = 1.year.ago runner.contacted_at = 1.year.ago end - it { is_expected.to eq(:offline) } + it { is_expected.to eq(:stale) } end context 'inactive' do diff --git a/spec/models/project_team_spec.rb b/spec/models/project_team_spec.rb index 5b11f9d828a..2ddbab7779e 100644 --- a/spec/models/project_team_spec.rb +++ b/spec/models/project_team_spec.rb @@ -410,6 +410,22 @@ RSpec.describe ProjectTeam do end end + describe '#purge_member_access_cache_for_user_id', :request_store do + let(:project) { create(:project) } + let(:user_id) { 1 } + let(:resource_data) { { user_id => 50, 42 => 50 } } + + before do + Gitlab::SafeRequestStore[project.max_member_access_for_resource_key(User)] = resource_data + end + + it 'removes cached max access for user from store' do + project.team.purge_member_access_cache_for_user_id(user_id) + + expect(Gitlab::SafeRequestStore[project.max_member_access_for_resource_key(User)]).to eq({ 42 => 50 }) + end + end + describe '#member?' do let(:group) { create(:group) } let(:developer) { create(:user) } diff --git a/spec/requests/api/graphql/ci/runner_spec.rb b/spec/requests/api/graphql/ci/runner_spec.rb index 16352c4dfec..46361e49d5e 100644 --- a/spec/requests/api/graphql/ci/runner_spec.rb +++ b/spec/requests/api/graphql/ci/runner_spec.rb @@ -237,8 +237,8 @@ RSpec.describe 'Query.runner(id)' do stale_runner_data = graphql_data_at(:stale_runner) expect(stale_runner_data).to match a_hash_including( - 'status' => 'NEVER_CONTACTED', - 'legacyStatusWithExplicitVersion' => 'NEVER_CONTACTED', + 'status' => 'STALE', + 'legacyStatusWithExplicitVersion' => 'STALE', 'newStatus' => 'STALE' ) diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb index 556461e6e6d..cd1e629e1d2 100644 --- a/spec/services/projects/create_service_spec.rb +++ b/spec/services/projects/create_service_spec.rb @@ -824,7 +824,7 @@ RSpec.describe Projects::CreateService, '#execute' do it 'saves the project when the user has access to the label' do expect(::Gitlab::ExternalAuthorization) - .to receive(:access_allowed?).with(user, 'new-label', any_args) { true } + .to receive(:access_allowed?).with(user, 'new-label', any_args) { true }.at_least(1).time project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' }))