Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
7e17b031fa
commit
4bf6e14129
2
Gemfile
2
Gemfile
|
@ -481,7 +481,7 @@ gem 'grpc', '~> 1.30.2'
|
|||
|
||||
gem 'google-protobuf', '~> 3.17.1'
|
||||
|
||||
gem 'toml-rb', '~> 1.0.0'
|
||||
gem 'toml-rb', '~> 2.0'
|
||||
|
||||
# Feature toggles
|
||||
gem 'flipper', '~> 0.21.0'
|
||||
|
|
|
@ -1290,7 +1290,7 @@ GEM
|
|||
to_regexp (0.2.1)
|
||||
toml (0.2.0)
|
||||
parslet (~> 1.8.0)
|
||||
toml-rb (1.0.0)
|
||||
toml-rb (2.0.1)
|
||||
citrus (~> 3.0, > 3.0)
|
||||
tomlrb (1.3.0)
|
||||
tpm-key_attestation (0.9.0)
|
||||
|
@ -1660,7 +1660,7 @@ DEPENDENCIES
|
|||
thin (~> 1.8.0)
|
||||
thrift (>= 0.14.0)
|
||||
timecop (~> 0.9.1)
|
||||
toml-rb (~> 1.0.0)
|
||||
toml-rb (~> 2.0)
|
||||
truncato (~> 0.7.11)
|
||||
u2f (~> 0.2.1)
|
||||
unf (~> 0.1.4)
|
||||
|
|
|
@ -1887,7 +1887,8 @@ class User < ApplicationRecord
|
|||
end
|
||||
|
||||
def password_expired_if_applicable?
|
||||
return false unless password_expired?
|
||||
return false if bot?
|
||||
return false unless password_expired? && password_automatically_set?
|
||||
return false unless allow_password_authentication?
|
||||
|
||||
true
|
||||
|
|
|
@ -92,4 +92,4 @@ module Gitlab
|
|||
end
|
||||
end
|
||||
|
||||
Gitlab::Template::GitlabCiYmlTemplate.prepend_mod_with('Gitlab::Template::GitlabCiYmlTemplate')
|
||||
Gitlab::Template::GitlabCiYmlTemplate.prepend_mod
|
||||
|
|
|
@ -4,6 +4,7 @@ require 'spec_helper'
|
|||
|
||||
RSpec.describe GitlabSchema.types['Project'] do
|
||||
include GraphqlHelpers
|
||||
include Ci::TemplateHelpers
|
||||
|
||||
specify { expect(described_class).to expose_permissions_using(Types::PermissionTypes::Project) }
|
||||
|
||||
|
@ -103,15 +104,14 @@ RSpec.describe GitlabSchema.types['Project'] do
|
|||
subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
|
||||
|
||||
it "returns the project's sast configuration for global variables" do
|
||||
secure_analyzers_prefix = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
|
||||
expect(secure_analyzers_prefix['type']).to eq('string')
|
||||
expect(secure_analyzers_prefix['field']).to eq('SECURE_ANALYZERS_PREFIX')
|
||||
expect(secure_analyzers_prefix['label']).to eq('Image prefix')
|
||||
expect(secure_analyzers_prefix['defaultValue'])
|
||||
.to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
|
||||
expect(secure_analyzers_prefix['value']).to eq('registry.gitlab.com/gitlab-org/security-products/analyzers')
|
||||
expect(secure_analyzers_prefix['size']).to eq('LARGE')
|
||||
expect(secure_analyzers_prefix['options']).to be_nil
|
||||
secure_analyzers = subject.dig('data', 'project', 'sastCiConfiguration', 'global', 'nodes').first
|
||||
expect(secure_analyzers['type']).to eq('string')
|
||||
expect(secure_analyzers['field']).to eq('SECURE_ANALYZERS_PREFIX')
|
||||
expect(secure_analyzers['label']).to eq('Image prefix')
|
||||
expect(secure_analyzers['defaultValue']).to eq(secure_analyzers_prefix)
|
||||
expect(secure_analyzers['value']).to eq(secure_analyzers_prefix)
|
||||
expect(secure_analyzers['size']).to eq('LARGE')
|
||||
expect(secure_analyzers['options']).to be_nil
|
||||
end
|
||||
|
||||
it "returns the project's sast configuration for pipeline variables" do
|
||||
|
|
|
@ -435,7 +435,7 @@ RSpec.describe Gitlab::GitAccess do
|
|||
|
||||
it 'disallows users with expired password to pull' do
|
||||
project.add_maintainer(user)
|
||||
user.update!(password_expires_at: 2.minutes.ago)
|
||||
user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
|
||||
|
||||
expect { pull_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
|
||||
end
|
||||
|
@ -987,7 +987,7 @@ RSpec.describe Gitlab::GitAccess do
|
|||
end
|
||||
|
||||
it 'disallows users with expired password to push' do
|
||||
user.update!(password_expires_at: 2.minutes.ago)
|
||||
user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
|
||||
|
||||
expect { push_access_check }.to raise_forbidden("Your password expired. Please access GitLab from a web browser to update your password.")
|
||||
end
|
||||
|
|
|
@ -126,7 +126,7 @@ RSpec.describe Gitlab::LfsToken, :clean_gitlab_redis_shared_state do
|
|||
end
|
||||
|
||||
context 'when the user password is expired' do
|
||||
let(:actor) { create(:user, password_expires_at: 1.minute.ago) }
|
||||
let(:actor) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
|
||||
|
||||
it 'returns false' do
|
||||
expect(lfs_token.token_valid?(lfs_token.token)).to be false
|
||||
|
|
|
@ -5275,11 +5275,43 @@ RSpec.describe User do
|
|||
end
|
||||
|
||||
describe '#password_expired_if_applicable?' do
|
||||
let(:user) { build(:user, password_expires_at: password_expires_at) }
|
||||
let(:user) { build(:user, password_expires_at: password_expires_at, password_automatically_set: set_automatically?) }
|
||||
|
||||
subject { user.password_expired_if_applicable? }
|
||||
|
||||
context 'when user is not ldap user' do
|
||||
context 'when user has password set automatically' do
|
||||
let(:set_automatically?) { true }
|
||||
|
||||
context 'when password_expires_at is not set' do
|
||||
let(:password_expires_at) {}
|
||||
|
||||
it 'returns false' do
|
||||
is_expected.to be_falsey
|
||||
end
|
||||
end
|
||||
|
||||
context 'when password_expires_at is in the past' do
|
||||
let(:password_expires_at) { 1.minute.ago }
|
||||
|
||||
it 'returns true' do
|
||||
is_expected.to be_truthy
|
||||
end
|
||||
end
|
||||
|
||||
context 'when password_expires_at is in the future' do
|
||||
let(:password_expires_at) { 1.minute.from_now }
|
||||
|
||||
it 'returns false' do
|
||||
is_expected.to be_falsey
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user has password not set automatically' do
|
||||
let(:set_automatically?) { false }
|
||||
|
||||
context 'when password_expires_at is not set' do
|
||||
let(:password_expires_at) {}
|
||||
|
||||
|
@ -5291,8 +5323,8 @@ RSpec.describe User do
|
|||
context 'when password_expires_at is in the past' do
|
||||
let(:password_expires_at) { 1.minute.ago }
|
||||
|
||||
it 'returns true' do
|
||||
is_expected.to be_truthy
|
||||
it 'returns false' do
|
||||
is_expected.to be_falsey
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -5336,6 +5368,34 @@ RSpec.describe User do
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user is a project bot' do
|
||||
let(:user) { build(:user, :project_bot, password_expires_at: password_expires_at) }
|
||||
|
||||
context 'when password_expires_at is not set' do
|
||||
let(:password_expires_at) {}
|
||||
|
||||
it 'returns false' do
|
||||
is_expected.to be_falsey
|
||||
end
|
||||
end
|
||||
|
||||
context 'when password_expires_at is in the past' do
|
||||
let(:password_expires_at) { 1.minute.ago }
|
||||
|
||||
it 'returns false' do
|
||||
is_expected.to be_falsey
|
||||
end
|
||||
end
|
||||
|
||||
context 'when password_expires_at is in the future' do
|
||||
let(:password_expires_at) { 1.minute.from_now }
|
||||
|
||||
it 'returns false' do
|
||||
is_expected.to be_falsey
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe '#read_only_attribute?' do
|
||||
|
|
|
@ -249,7 +249,7 @@ RSpec.describe GlobalPolicy do
|
|||
|
||||
context 'user with expired password' do
|
||||
before do
|
||||
current_user.update!(password_expires_at: 2.minutes.ago)
|
||||
current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
|
||||
end
|
||||
|
||||
it { is_expected.not_to be_allowed(:access_api) }
|
||||
|
@ -445,7 +445,7 @@ RSpec.describe GlobalPolicy do
|
|||
|
||||
context 'user with expired password' do
|
||||
before do
|
||||
current_user.update!(password_expires_at: 2.minutes.ago)
|
||||
current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
|
||||
end
|
||||
|
||||
it { is_expected.not_to be_allowed(:access_git) }
|
||||
|
@ -537,7 +537,7 @@ RSpec.describe GlobalPolicy do
|
|||
|
||||
context 'user with expired password' do
|
||||
before do
|
||||
current_user.update!(password_expires_at: 2.minutes.ago)
|
||||
current_user.update!(password_expires_at: 2.minutes.ago, password_automatically_set: true)
|
||||
end
|
||||
|
||||
it { is_expected.not_to be_allowed(:use_slash_commands) }
|
||||
|
|
|
@ -61,7 +61,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
shared_examples 'operations are not allowed with expired password' do
|
||||
context "when password is expired" do
|
||||
it "responds to downloads with status 401 Unauthorized" do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
download(path, user: user.username, password: user.password) do |response|
|
||||
expect(response).to have_gitlab_http_status(:unauthorized)
|
||||
|
@ -69,7 +69,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
end
|
||||
|
||||
it "responds to uploads with status 401 Unauthorized" do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
upload(path, user: user.username, password: user.password) do |response|
|
||||
expect(response).to have_gitlab_http_status(:unauthorized)
|
||||
|
@ -614,7 +614,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
|
||||
context "when password is expired" do
|
||||
it "responds to downloads with status 401 unauthorized" do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
download(path, **env) do |response|
|
||||
expect(response).to have_gitlab_http_status(:unauthorized)
|
||||
|
@ -697,7 +697,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
|
||||
context "when password is expired" do
|
||||
it "responds to uploads with status 401 unauthorized" do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
|
||||
|
||||
|
@ -920,7 +920,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
|
||||
context 'when users password is expired' do
|
||||
it 'rejects pulls with 401 unauthorized' do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
download(path, user: 'gitlab-ci-token', password: build.token) do |response|
|
||||
expect(response).to have_gitlab_http_status(:unauthorized)
|
||||
|
@ -1215,7 +1215,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
|
||||
context "when password is expired" do
|
||||
it "responds to downloads with status 401 unauthorized" do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
download(path, **env) do |response|
|
||||
expect(response).to have_gitlab_http_status(:unauthorized)
|
||||
|
@ -1298,7 +1298,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
|
||||
context "when password is expired" do
|
||||
it "responds to uploads with status 401 unauthorized" do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
write_access_token = create(:personal_access_token, user: user, scopes: [:write_repository])
|
||||
|
||||
|
@ -1521,7 +1521,7 @@ RSpec.describe 'Git HTTP requests' do
|
|||
|
||||
context 'when users password is expired' do
|
||||
it 'rejects pulls with 401 unauthorized' do
|
||||
user.update!(password_expires_at: 2.days.ago)
|
||||
user.update!(password_expires_at: 2.days.ago, password_automatically_set: true)
|
||||
|
||||
download(path, user: 'gitlab-ci-token', password: build.token) do |response|
|
||||
expect(response).to have_gitlab_http_status(:unauthorized)
|
||||
|
|
|
@ -126,7 +126,7 @@ RSpec.describe 'Git LFS API and storage' do
|
|||
it_behaves_like 'LFS http 200 blob response'
|
||||
|
||||
context 'when user password is expired' do
|
||||
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
|
||||
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
|
||||
|
||||
it_behaves_like 'LFS http 401 response'
|
||||
end
|
||||
|
@ -344,7 +344,7 @@ RSpec.describe 'Git LFS API and storage' do
|
|||
end
|
||||
|
||||
context 'when user password is expired' do
|
||||
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
|
||||
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true)}
|
||||
|
||||
let(:role) { :reporter}
|
||||
|
||||
|
@ -958,7 +958,7 @@ RSpec.describe 'Git LFS API and storage' do
|
|||
it_behaves_like 'LFS http 200 workhorse response'
|
||||
|
||||
context 'when user password is expired' do
|
||||
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago)}
|
||||
let_it_be(:user) { create(:user, password_expires_at: 1.minute.ago, password_automatically_set: true) }
|
||||
|
||||
it_behaves_like 'LFS http 401 response'
|
||||
end
|
||||
|
|
|
@ -3,11 +3,13 @@
|
|||
require 'spec_helper'
|
||||
|
||||
RSpec.describe Security::CiConfiguration::SastParserService do
|
||||
include Ci::TemplateHelpers
|
||||
|
||||
describe '#configuration' do
|
||||
include_context 'read ci configuration for sast enabled project'
|
||||
|
||||
let(:configuration) { described_class.new(project).configuration }
|
||||
let(:secure_analyzers_prefix) { configuration['global'][0] }
|
||||
let(:secure_analyzers) { configuration['global'][0] }
|
||||
let(:sast_excluded_paths) { configuration['global'][1] }
|
||||
let(:sast_pipeline_stage) { configuration['pipeline'][0] }
|
||||
let(:sast_search_max_depth) { configuration['pipeline'][1] }
|
||||
|
@ -16,7 +18,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
|
|||
let(:sast_brakeman_level) { brakeman['variables'][0] }
|
||||
|
||||
it 'parses the configuration for SAST' do
|
||||
expect(secure_analyzers_prefix['default_value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
|
||||
expect(secure_analyzers['default_value']).to eql(secure_analyzers_prefix)
|
||||
expect(sast_excluded_paths['default_value']).to eql('spec, test, tests, tmp')
|
||||
expect(sast_pipeline_stage['default_value']).to eql('test')
|
||||
expect(sast_search_max_depth['default_value']).to eql('4')
|
||||
|
@ -28,7 +30,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
|
|||
context 'when .gitlab-ci.yml is present' do
|
||||
it 'populates the current values from the file' do
|
||||
allow(project.repository).to receive(:blob_data_at).and_return(gitlab_ci_yml_content)
|
||||
expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers2')
|
||||
expect(secure_analyzers['value']).to eql("registry.gitlab.com/gitlab-org/security-products/analyzers2")
|
||||
expect(sast_excluded_paths['value']).to eql('spec, executables')
|
||||
expect(sast_pipeline_stage['value']).to eql('our_custom_security_stage')
|
||||
expect(sast_search_max_depth['value']).to eql('8')
|
||||
|
@ -50,7 +52,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
|
|||
context 'when .gitlab-ci.yml is absent' do
|
||||
it 'populates the current values with the default values' do
|
||||
allow(project.repository).to receive(:blob_data_at).and_return(nil)
|
||||
expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
|
||||
expect(secure_analyzers['value']).to eql(secure_analyzers_prefix)
|
||||
expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp')
|
||||
expect(sast_pipeline_stage['value']).to eql('test')
|
||||
expect(sast_search_max_depth['value']).to eql('4')
|
||||
|
@ -67,7 +69,7 @@ RSpec.describe Security::CiConfiguration::SastParserService do
|
|||
end
|
||||
|
||||
it 'populates the current values with the default values' do
|
||||
expect(secure_analyzers_prefix['value']).to eql('registry.gitlab.com/gitlab-org/security-products/analyzers')
|
||||
expect(secure_analyzers['value']).to eql(secure_analyzers_prefix)
|
||||
expect(sast_excluded_paths['value']).to eql('spec, test, tests, tmp')
|
||||
expect(sast_pipeline_stage['value']).to eql('test')
|
||||
expect(sast_search_max_depth['value']).to eql('4')
|
||||
|
|
|
@ -0,0 +1,11 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Ci
|
||||
module TemplateHelpers
|
||||
def secure_analyzers_prefix
|
||||
'registry.gitlab.com/gitlab-org/security-products/analyzers'
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Ci::TemplateHelpers.prepend_mod
|
Loading…
Reference in New Issue