diff --git a/.gitlab/ci/package-and-test/main.gitlab-ci.yml b/.gitlab/ci/package-and-test/main.gitlab-ci.yml
index 20f6ea2fcc1..50b0b3531c7 100644
--- a/.gitlab/ci/package-and-test/main.gitlab-ci.yml
+++ b/.gitlab/ci/package-and-test/main.gitlab-ci.yml
@@ -7,7 +7,7 @@ include:
 - local: .gitlab/ci/package-and-test/rules.gitlab-ci.yml
 - local: .gitlab/ci/package-and-test/variables.gitlab-ci.yml
 - project: gitlab-org/quality/pipeline-common
- ref: 1.3.0
+ ref: 1.5.0
 file:
 - /ci/base.gitlab-ci.yml
 - /ci/allure-report.yml
diff --git a/.gitlab/ci/review-apps/qa.gitlab-ci.yml b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
index 0214f5ef3f2..f567f896734 100644
--- a/.gitlab/ci/review-apps/qa.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/qa.gitlab-ci.yml
@@ -1,6 +1,6 @@
 include:
 - project: gitlab-org/quality/pipeline-common
- ref: 1.3.0
+ ref: 1.5.0
 file:
 - /ci/base.gitlab-ci.yml
 - /ci/allure-report.yml
@@ -140,7 +140,7 @@ e2e-test-report:
 variables:
 ALLURE_JOB_NAME: e2e-review-qa
 ALLURE_PROJECT_PATH: $CI_PROJECT_PATH
- ALLURE_RESULTS_GLOB: qa/tmp/allure-results/*
+ ALLURE_RESULTS_GLOB: qa/tmp/allure-results
 ALLURE_MERGE_REQUEST_IID: $CI_MERGE_REQUEST_IID
 GITLAB_AUTH_TOKEN: $GITLAB_QA_MR_ALLURE_REPORT_TOKEN
 GIT_STRATEGY: none
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION
index 0fdd05e194c..32cf5ea70fb 100644
--- a/GITALY_SERVER_VERSION
+++ b/GITALY_SERVER_VERSION
@@ -1 +1 @@
-f94d4abfae5a3ee09caacd1b2dd28dca875eafa0
+aaf6f16ca40fdb671858e38662a72d96d51987df
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7a0fb10928a..341f22120eb 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -22,7 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
 condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
 condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
- condition(:migration_bot, scope: :user) { @user.migration_bot? }
+ condition(:migration_bot, scope: :user) { @user&.migration_bot? }
 condition(:can_read_group_member) { can_read_group_member? }
 desc "User is a project bot"
diff --git a/db/post_migrate/20221021160735_add_index_for_common_finder_query_desc_with_namespace_id.rb b/db/post_migrate/20221021160735_add_index_for_common_finder_query_desc_with_namespace_id.rb
new file mode 100644
index 00000000000..d7c50010b72
--- /dev/null
+++ b/db/post_migrate/20221021160735_add_index_for_common_finder_query_desc_with_namespace_id.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class AddIndexForCommonFinderQueryDescWithNamespaceId < Gitlab::Database::Migration[2.0]
+ INDEX_NAME = 'index_group_vulnerability_reads_common_finder_query_desc'
+
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_index :vulnerability_reads,
+ [:namespace_id, :state, :report_type, :severity, :vulnerability_id],
+ name: INDEX_NAME,
+ order: { severity: :desc, vulnerability_id: :desc }
+ end
+
+ def down
+ remove_concurrent_index_by_name :vulnerability_reads, INDEX_NAME
+ end
+end
diff --git a/db/schema_migrations/20221021160735 b/db/schema_migrations/20221021160735
new file mode 100644
index 00000000000..73c10f7e23d
--- /dev/null
+++ b/db/schema_migrations/20221021160735
@@ -0,0 +1 @@
+0b7727e942f6e3fa2e1b0ed9e22c504a64aceac19adf25f126baba587db4b764
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 947f0d01b61..e56f9bbc4dc 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -29113,6 +29113,8 @@ CREATE INDEX index_group_stages_on_stage_event_hash_id ON analytics_cycle_analyt CREATE UNIQUE INDEX index_group_user_callouts_feature ON user_group_callouts USING btree (user_id, feature_name, group_id); +CREATE INDEX index_group_vulnerability_reads_common_finder_query_desc ON vulnerability_reads USING btree (namespace_id, state, report_type, severity DESC, vulnerability_id DESC); + CREATE UNIQUE INDEX index_group_wiki_repositories_on_disk_path ON group_wiki_repositories USING btree (disk_path); CREATE INDEX index_group_wiki_repositories_on_shard_id ON group_wiki_repositories USING btree (shard_id); diff --git a/doc/.vale/gitlab/InternalLinkCase.yml b/doc/.vale/gitlab/InternalLinkCase.yml index 3e40f9f4a61..45a0c88e47e 100644 --- a/doc/.vale/gitlab/InternalLinkCase.yml +++ b/doc/.vale/gitlab/InternalLinkCase.yml @@ -6,7 +6,7 @@ # For a list of all options, see https://vale.sh/docs/topics/styles/ extends: existence message: 'Links to subheadings in GitLab docs must be in lower-case: "%s"' -link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository level: error scope: raw raw: diff --git a/doc/.vale/gitlab/InternalLinkExtension.yml b/doc/.vale/gitlab/InternalLinkExtension.yml index 45794708a3f..5d5687966ee 100644 --- a/doc/.vale/gitlab/InternalLinkExtension.yml +++ b/doc/.vale/gitlab/InternalLinkExtension.yml @@ -6,7 +6,7 @@ # For a list of all options, see https://vale.sh/docs/topics/styles/ extends: existence message: 'Link "%s" must link directly to a file and use the .md file extension.' -link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation +link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository level: error scope: raw raw: 
diff --git a/doc/.vale/gitlab/InternalLinkFormat.yml b/doc/.vale/gitlab/InternalLinkFormat.yml
index d5572d8d485..08b48f9e3e5 100644
--- a/doc/.vale/gitlab/InternalLinkFormat.yml
+++ b/doc/.vale/gitlab/InternalLinkFormat.yml
@@ -6,8 +6,8 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: 'Link "%s" must not start with "./".'
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
 level: error
 scope: raw
 raw:
- - '\[.+\]\(\.\/.*?\)'
+ - '\[[^\]]+\]\(\.\/.*?\)'
diff --git a/doc/.vale/gitlab/RelativeLinksDoubleSlashes.yml b/doc/.vale/gitlab/RelativeLinksDoubleSlashes.yml
index 0e0d1fdbb52..6f54ecbabc2 100644
--- a/doc/.vale/gitlab/RelativeLinksDoubleSlashes.yml
+++ b/doc/.vale/gitlab/RelativeLinksDoubleSlashes.yml
@@ -6,7 +6,7 @@
 # For a list of all options, see https://vale.sh/docs/topics/styles/
 extends: existence
 message: 'Relative links must not include a double slash.'
-link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-to-internal-documentation
+link: https://docs.gitlab.com/ee/development/documentation/styleguide/index.html#links-within-the-same-repository
 level: error
 scope: raw
 raw:
diff --git a/doc/user/group/manage.md b/doc/user/group/manage.md
index 19620890253..bb76101556e 100644
--- a/doc/user/group/manage.md
+++ b/doc/user/group/manage.md
@@ -66,6 +66,7 @@ This action removes the group. It also adds a background job to delete all proje Specifically: - In [GitLab 12.8 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/33257), on [GitLab Premium](https://about.gitlab.com/pricing/premium/) or higher tiers, this action adds a background job to mark a group for deletion. By default, the job schedules the deletion 7 days in the future. You can modify this waiting period through the [instance settings](../admin_area/settings/visibility_and_access_controls.md#deletion-protection). + - In [GitLab 13.6 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/39504), if the user who sets up the deletion is removed from the group before the deletion happens, the job is cancelled, and the group is no longer scheduled for deletion. @@ -262,6 +263,12 @@ If you are changing the path so it can be claimed by another group or user, you must rename the group too. Both names and paths must be unique. +After you change the group path, the new group path is a new namespace and you must update the existing project URL in the following resources: + +- [Include statements](../../ci/yaml/includes.md#include-a-single-configuration-file). +- Docker image references in CI files. +- Variables that specify a project or namespace. + To retain ownership of the original namespace and protect the URL redirects, create a new group and transfer projects to it instead. diff --git a/doc/user/project/integrations/webhooks.md b/doc/user/project/integrations/webhooks.md index 9fc9d6e2eda..4605642399a 100644 --- a/doc/user/project/integrations/webhooks.md +++ b/doc/user/project/integrations/webhooks.md 
@@ -177,9 +177,13 @@ that the request is legitimate. ## Filter push events by branch -Push events can be filtered by branch using a branch name or wildcard pattern -to limit which push events are sent to your webhook endpoint. By default, -all push events are sent to your webhook endpoint. You can configure branch filtering +You can filter push events by branch. Use one of the following options to filter which push events are sent to your webhook endpoint: + +- **All branches**: push events from all branches. +- **Wildcard pattern**: push events from a branch that matches a wildcard pattern (for example, `*-stable` or `production/*`). +- **Regular expression**: push events from a branch that matches a regular expression (for example, `(feature|hotfix)/*`). + +You can configure branch filtering in the [webhook settings](#configure-a-webhook-in-gitlab) in your project. ## How image URLs are displayed in the webhook body diff --git a/qa/qa/specs/features/api/12_systems/gitaly/distributed_reads_spec.rb b/qa/qa/specs/features/api/12_systems/gitaly/distributed_reads_spec.rb index 692297e40ce..a07342e6ba1 100644 --- a/qa/qa/specs/features/api/12_systems/gitaly/distributed_reads_spec.rb +++ b/qa/qa/specs/features/api/12_systems/gitaly/distributed_reads_spec.rb @@ -45,7 +45,11 @@ module QA end it 'does not read from the unhealthy node', - testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347834' do + testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347834', + quarantine: { + issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/378174', + type: :flaky + } do pre_read_data = praefect_manager.query_read_distribution read_from_project(project, number_of_reads_per_loop * 10) diff --git a/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb index 21052f03cb8..cf27d185103 100644 --- a/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb 
+++ b/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb
@@ -3,8 +3,20 @@
 require 'spec_helper'
 RSpec.describe 'Jobs/Build.gitlab-ci.yml' do
+ include Ci::TemplateHelpers
+
 subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Build') }
+ describe 'AUTO_BUILD_IMAGE_VERSION' do
+ it 'corresponds to a published image in the registry' do
+ registry = "https://#{template_registry_host}"
+ repository = "gitlab-org/cluster-integration/auto-build-image"
+ reference = YAML.safe_load(template.content).dig('variables', 'AUTO_BUILD_IMAGE_VERSION')
+
+ expect(public_image_exist?(registry, repository, reference)).to be true
+ end
+ end
+
 describe 'the created pipeline' do
 let_it_be(:project) { create(:project, :repository) }
 let_it_be(:user) { project.first_owner }
diff --git a/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
index b657f73fa77..5b9e1a0d18d 100644
--- a/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'
 RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
+ include Ci::TemplateHelpers
+
 subject(:template) do
 <<~YAML
 stages:
@@ -26,6 +28,17 @@ RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
 YAML
 end
+ describe 'AUTO_DEPLOY_IMAGE_VERSION' do
+ it 'corresponds to a published image in the registry' do
+ template = Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Deploy')
+ registry = "https://#{template_registry_host}"
+ repository = "gitlab-org/cluster-integration/auto-deploy-image"
+ reference = YAML.safe_load(template.content, aliases: true).dig('variables', 'AUTO_DEPLOY_IMAGE_VERSION')
+
+ expect(public_image_exist?(registry, repository, reference)).to be true
+ end
+ end
+
 describe 'the created pipeline' do
 let_it_be(:project, refind: true) { create(:project, :repository) }
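Review bot: The new `AUTO_BUILD_IMAGE_VERSION` example passes `reference` to `public_image_exist?` without checking that `dig` found the variable, so a renamed or removed variable leads to a manifest request with an empty reference and a failure that reads as "image not published". Adding `expect(reference).to be_present` before the registry call would separate the two cases; the same applies to the `AUTO_DEPLOY_IMAGE_VERSION` example in deploy_gitlab_ci_yaml_spec.rb. The two examples also load the template differently (`YAML.safe_load(template.content)` here, `aliases: true` there), which deserves a comment if it is intentional. Both examples contact the live registry, so their result depends on that service being reachable from the CI runner.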
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index c65933c5208..60acacac814 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -258,6 +258,19 @@ RSpec.describe GroupPolicy do
 it_behaves_like 'deploy token does not get confused with user' do
 let(:user_id) { migration_bot.id }
 end
+
+ context 'with no user' do
+ let(:current_user) { nil }
+
+ it :aggregate_failures do
+ expect_disallowed(:read_resource_access_tokens, :destroy_resource_access_tokens)
+ expect_disallowed(*guest_permissions)
+ expect_disallowed(*reporter_permissions)
+ expect_disallowed(*developer_permissions)
+ expect_disallowed(*maintainer_permissions)
+ expect_disallowed(*owner_permissions)
+ end
+ end
 end
 describe 'private nested group use the highest access level from the group and inherited permissions' do
diff --git a/spec/support/helpers/ci/template_helpers.rb b/spec/support/helpers/ci/template_helpers.rb
index 2e9b6f748cd..2cdd242ac22 100644
--- a/spec/support/helpers/ci/template_helpers.rb
+++ b/spec/support/helpers/ci/template_helpers.rb
@@ -5,6 +5,51 @@ module Ci
 def template_registry_host
 'registry.gitlab.com'
 end
+
+ def public_image_exist?(registry, repository, image)
+ public_image_manifest(registry, repository, image).present?
+ end
+
+ def public_image_manifest(registry, repository, reference)
+ token = public_image_repository_token(registry, repository)
+
+ response = with_net_connect_allowed do
+ Gitlab::HTTP.get(image_manifest_url(registry, repository, reference),
+ headers: { 'Authorization' => "Bearer #{token}" })
+ end
+
+ return unless response.success?
+
+ Gitlab::Json.parse(response.body)
+ end
+
+ def public_image_repository_token(registry, repository)
+ @public_image_repository_tokens ||= {}
+ @public_image_repository_tokens[[registry, repository]] ||=
+ begin
+ response = with_net_connect_allowed do
+ Gitlab::HTTP.get(image_manifest_url(registry, repository, 'latest'))
+ end
+
+ return unless response.unauthorized?
+
+ www_authenticate = response.headers['www-authenticate']
+ return unless www_authenticate
+
+ realm, service, scope = www_authenticate.split(',').map { |s| s[/\w+="(.*)"/, 1] }
+ token_response = with_net_connect_allowed do
+ Gitlab::HTTP.get(realm, query: { service: service, scope: scope })
+ end
+
+ return unless token_response.success?
+
+ token_response['token']
+ end
+ end
+
+ def image_manifest_url(registry, repository, reference)
+ "#{registry}/v2/#{repository}/manifests/#{reference}"
+ end
 end
 end
diff --git a/spec/support/webmock.rb b/spec/support/webmock.rb
index f952f7f0985..b9bd3f82f65 100644
--- a/spec/support/webmock.rb
+++ b/spec/support/webmock.rb
@@ -15,6 +15,13 @@ def webmock_allowed_hosts
 end.compact.uniq
 end
+def with_net_connect_allowed
+ WebMock.allow_net_connect!
+ yield
+ensure
+ webmock_enable!
+end
+
 # This prevents Selenium/WebMock from spawning thousands of connections
 # while waiting for an element to appear via Capybara's find:
 # https://github.com/teamcapybara/capybara/issues/2322#issuecomment-619321520
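Review bot: `public_image_repository_token` requests its token from whatever URL the registry's `www-authenticate` header gives as `realm`, and does so inside `with_net_connect_allowed`, so a response-supplied value decides which host the spec suite contacts. The header is also read by position with `split(',')` and a greedy `"(.*)"`, which assumes the order realm, service, scope and no comma inside a value. Reading the parameters by name and checking the realm's scheme and host before the request removes both assumptions; the host list in the sketch below is a placeholder the helper would have to define. Note also that each `return` inside the `begin` exits the method without memoizing, and that a nil token still reaches `public_image_manifest`, which then sends an empty `Bearer` credential.

```ruby
# … unchanged: memoization and the unauthenticated probe of the manifest URL …
www_authenticate = response.headers['www-authenticate']
return unless www_authenticate

# Read the challenge parameters by name rather than by position.
challenge = www_authenticate.scan(/(\w+)="([^"]*)"/).to_h
realm_uri = URI.parse(challenge['realm'].to_s)
# TRUSTED_TOKEN_HOSTS stands for the token hosts this registry is expected to name; it is not defined on this page.
return unless realm_uri.scheme == 'https' && TRUSTED_TOKEN_HOSTS.include?(realm_uri.host)

token_response = with_net_connect_allowed do
  Gitlab::HTTP.get(realm_uri.to_s, query: challenge.slice('service', 'scope'))
end
# … unchanged: success check and token extraction …
```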
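Review bot: `with_net_connect_allowed` calls `WebMock.allow_net_connect!`, which opens every host for the duration of the block, although the callers added in this commit only need the registry and its token service. Passing the hosts in and using `WebMock.disable_net_connect!(allow: webmock_allowed_hosts + hosts)` would keep the rest of the suite's network isolation in place while the block runs. The `ensure` relies on `webmock_enable!`, which is defined outside this hunk, so it cannot be confirmed from here that it restores the allow-list that was active before the call. A one-line comment above the method saying that it is meant only for specs that deliberately contact a public service would help future readers.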