kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Add latest changes from gitlab-org/gitlab@master

Browse source
This commit is contained in:
GitLab Bot 2021-09-14 06:11:25 +00:00
parent 23980cf690
commit 5628b1ec15
19 changed files with 121 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
app/finders/issuable_finder.rb
View file

@ -332,6 +332,7 @@ class IssuableFinder
def by_search(items)
return items unless search
return items if items.is_a?(ActiveRecord::NullRelation)
return items if Feature.enabled?(:disable_anonymous_search, type: :ops) && current_user.nil?
if use_cte_for_search?
cte = Gitlab::SQL::CTE.new(klass.table_name, items)

4
app/views/groups/_group_admin_settings.html.haml
View file

@ -30,8 +30,8 @@
= f.check_box :require_two_factor_authentication, class: 'form-check-input'
= f.label :require_two_factor_authentication, class: 'form-check-label' do
%strong
= _("Require all users in this group to setup Two-factor authentication")
= link_to sprite_icon('question-o'), help_page_path('security/two_factor_authentication', anchor: 'enforcing-2fa-for-all-users-in-a-group')
= _("Require all users in this group to set up two-factor authentication")
= link_to sprite_icon('question-o'), help_page_path('security/two_factor_authentication', anchor: 'enforce-2fa-for-all-users-in-a-group')
.form-group.row
.offset-sm-2.col-sm-10
.form-check

2
app/views/groups/settings/_two_factor_auth.html.haml
View file

@ -1,5 +1,5 @@
- return unless group.parent_allows_two_factor_authentication?
- docs_link_url = help_page_path('security/two_factor_authentication', anchor: 'enforcing-2fa-for-all-users-in-a-group')
- docs_link_url = help_page_path('security/two_factor_authentication', anchor: 'enforce-2fa-for-all-users-in-a-group')
- docs_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: docs_link_url }
%h5= _('Two-factor authentication')

8
config/feature_flags/ops/disable_anonymous_search.yml Normal file
View file

@ -0,0 +1,8 @@
---
name: disable_anonymous_search
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/70223
rollout_issue_url:
milestone: '14.3'
type: ops
group: group::project management
default_enabled: false

1
doc/.vale/gitlab/Acronyms.yml
View file

@ -107,6 +107,7 @@ exceptions:
- NTP
- ONLY
- OSS
- OTP
- OWASP
- PAT
- PCI-DSS

5
doc/administration/audit_events.md
View file

@ -127,8 +127,9 @@ From there, you can see the following actions:
- Permission to modify merge requests approval rules in merge requests was updated ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/336211) in GitLab 14.2)
- New approvals requirement when new commits are added to an MR was updated ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/336211) in GitLab 14.2)
- When [strategies for feature flags](../operations/feature_flags.md#feature-flag-strategies) are changed ([introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68408) in GitLab 14.3)
- Changed allow push force and code owner approval requirement ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338873) in GitLab 14.3)
- Added or removed users and groups from protected branch allow to merge and allow to push ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338873) in GitLab 14.3)
- Allowing force push to protected branch changed ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338873) in GitLab 14.3)
- Code owner approval requirement on merge requests targeting protected branch changed ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338873) in GitLab 14.3)
- Users and groups allowed to merge and push to protected branch added or removed ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/338873) in GitLab 14.3)
Project events can also be accessed via the [Project Audit Events API](../api/audit_events.md#project-audit-events).

2
doc/raketasks/backup_restore.md
View file

@ -1299,7 +1299,7 @@ Be sure to create a full database backup before attempting any changes.
#### Disable user two-factor authentication (2FA)
Users with 2FA enabled can't sign in to GitLab. In that case, you must
[disable 2FA for everyone](../security/two_factor_authentication.md#disabling-2fa-for-everyone),
[disable 2FA for everyone](../security/two_factor_authentication.md#disable-2fa-for-everyone),
after which users must reactivate 2FA.
#### Reset CI/CD variables

48
doc/security/two_factor_authentication.md
View file

@ -5,17 +5,15 @@ group: Access
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Enforce Two-factor Authentication (2FA)
# Enforce two-factor authentication **(FREE SELF)**
Two-factor Authentication (2FA) provides an additional level of security to your
users' GitLab account. After being enabled, in addition to supplying their
username and password to sign in, they are prompted for a code generated by an
application on their phone.
Two-factor authentication (2FA) provides an additional level of security to your
users' GitLab account. When enabled, users are prompted for a code generated by an application in
addition to supplying their username and password to sign in.
You can read more about it here:
[Two-factor Authentication (2FA)](../user/profile/account/two_factor_authentication.md)
Read more about [two-factor authentication (2FA)](../user/profile/account/two_factor_authentication.md)
## Enforcing 2FA for all users
## Enforce 2FA for all users
Users on GitLab can enable it without any administrator's intervention. If you
want to enforce everyone to set up 2FA, you can choose from two different ways:
@ -35,7 +33,7 @@ To enable 2FA for all users:
If you want 2FA enforcement to take effect during the next sign-in attempt,
change the grace period to `0`.
## Disabling 2FA enforcement through rails console
## Disable 2FA enforcement through rails console
Using the [rails console](../administration/operations/rails_console.md), enforcing 2FA for
all user can be disabled. Connect to the rails console and run:
@ -44,11 +42,11 @@ all user can be disabled. Connect to the rails console and run:
Gitlab::CurrentSettings.update!('require_two_factor_authentication': false)
```
## Enforcing 2FA for all users in a group
## Enforce 2FA for all users in a group **(FREE)**
> [Introduced in](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/24965) GitLab 12.0, 2FA settings for a group are also applied to subgroups.
If you want to enforce 2FA only for certain groups:
To enforce 2FA only for certain groups:
1. Go to the group's **Settings > General** page.
1. Expand the **Permissions, LFS, 2FA** section.
@ -56,11 +54,11 @@ If you want to enforce 2FA only for certain groups:
You can also specify a grace period in the **Time before enforced** option.
To change this setting, you need to be administrator or owner of the group.
To change this setting, you must be an administrator or owner of the group.
If you want to enforce 2FA only for certain groups, you can enable it in the
group settings and specify a grace period as above. To change this setting you
need to be administrator or owner of the group.
must be administrator or owner of the group.
The following are important notes about 2FA:
@ -83,13 +81,13 @@ The following are important notes about 2FA:
This action causes all subgroups with 2FA requirements to stop requiring that from their members.
## Disabling 2FA for everyone
## Disable 2FA for everyone
WARNING:
Disabling 2FA for everyone does not disable the [enforce 2FA for all users](#enforcing-2fa-for-all-users)
or [enforce 2FA for all users in a group](#enforcing-2fa-for-all-users-in-a-group)
settings. In addition to the steps in this section, you must disable any enforced 2FA
settings so users aren't asked to set up 2FA again, the next time the user signs in to GitLab.
Disabling 2FA for everyone does not disable the [enforce 2FA for all users](#enforce-2fa-for-all-users)
or [enforce 2FA for all users in a group](#enforce-2fa-for-all-users-in-a-group)
settings. You must also disable any enforced 2FA settings so users aren't asked to set up 2FA again
when they next sign in to GitLab.
There may be some special situations where you want to disable 2FA for everyone
even when forced 2FA is disabled. There is a Rake task for that:
@ -106,26 +104,26 @@ WARNING:
This is a permanent and irreversible action. Users have to
reactivate 2FA from scratch if they want to use it again.
## Two-factor Authentication (2FA) for Git over SSH operations **(PREMIUM)**
## 2FA for Git over SSH operations **(PREMIUM)**
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/270554) in GitLab 13.7.
> - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/299088) from GitLab Free to GitLab Premium in 13.9.
> - It's [deployed behind a feature flag](../user/feature_flags.md), disabled by default.
> - It's disabled on GitLab.com.
> - It's not recommended for production use.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-two-factor-authentication-2fa-for-git-operations).
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-2fa-for-git-operations).
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
Two-factor authentication can be enforced for Git over SSH operations. The OTP
Two-factor authentication can be enforced for Git over SSH operations. The one-time password (OTP)
verification can be done via a GitLab Shell command:
```shell
ssh git@<hostname> 2fa_verify
```
Once the OTP is verified, Git over SSH operations can be used for a session duration of
After the OTP is verified, Git over SSH operations can be used for a session duration of
15 minutes (default) with the associated SSH key.
### Security limitation
@ -135,9 +133,9 @@ Once the OTP is verified, Git over SSH operations can be used for a session dura
Once an OTP is verified, anyone can run Git over SSH with that private SSH key for
the configured [session duration](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled).
### Enable or disable Two-factor Authentication (2FA) for Git operations
### Enable or disable 2FA for Git operations
Two-factor Authentication (2FA) for Git operations is under development and not
2FA for Git operations is under development and not
ready for production use. It is deployed behind a feature flag that is
**disabled by default**. [GitLab administrators with access to the GitLab Rails console](../administration/feature_flags.md)
can enable it.
@ -156,7 +154,7 @@ Feature.disable(:two_factor_for_cli)
The feature flag affects these features:
- [Two-factor Authentication (2FA) for Git over SSH operations](#two-factor-authentication-2fa-for-git-over-ssh-operations).
- [Two-factor Authentication (2FA) for Git over SSH operations](#2fa-for-git-over-ssh-operations).
- [Customize session duration for Git Operations when 2FA is enabled](../user/admin_area/settings/account_and_limit_settings.md#customize-session-duration-for-git-operations-when-2fa-is-enabled).
<!-- ## Troubleshooting

2
doc/ssh/index.md
View file

@ -318,7 +318,7 @@ on the files make them readable to you but not accessible to others.
## Configure two-factor authentication (2FA)
You can set up two-factor authentication (2FA) for
[Git over SSH](../security/two_factor_authentication.md#two-factor-authentication-2fa-for-git-over-ssh-operations).
[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations).
## Use EGit on Eclipse

4
doc/topics/authentication/index.md
View file

@ -11,7 +11,7 @@ This page gathers all the resources for the topic **Authentication** within GitL
## GitLab users
- [SSH](../../ssh/index.md)
- [Two-Factor Authentication (2FA)](../../user/profile/account/two_factor_authentication.md#two-factor-authentication)
- [Two-factor authentication (2FA)](../../user/profile/account/two_factor_authentication.md#two-factor-authentication)
- [Why do I keep getting signed out?](../../user/profile/index.md#why-do-i-keep-getting-signed-out)
- **Articles:**
- [Support for Universal 2nd Factor Authentication - YubiKeys](https://about.gitlab.com/blog/2016/06/22/gitlab-adds-support-for-u2f/)
@ -23,7 +23,7 @@ This page gathers all the resources for the topic **Authentication** within GitL
## GitLab administrators
- [LDAP](../../administration/auth/ldap/index.md)
- [Enforce Two-factor Authentication (2FA)](../../security/two_factor_authentication.md#enforce-two-factor-authentication-2fa)
- [Enforce two-factor authentication (2FA)](../../security/two_factor_authentication.md)
- **Articles:**
- [Feature Highlight: LDAP Integration](https://about.gitlab.com/blog/2014/07/10/feature-highlight-ldap-sync/)
- [Debugging LDAP](https://about.gitlab.com/handbook/support/workflows/debugging_ldap.html)

9
doc/user/admin_area/moderate_users.md
View file

@ -137,6 +137,10 @@ A deactivated user:
Personal projects, and group and user history of the deactivated user are left intact.
NOTE:
Users are notified about account deactivation if
[user deactivation emails](settings/email.md#user-deactivation-emails) are enabled.
A user can be deactivated from the Admin Area. To do this:
1. On the top bar, select **Menu > Admin**.
@ -145,7 +149,7 @@ A user can be deactivated from the Admin Area. To do this:
1. Select the **{settings}** **User administration** dropdown.
1. Select **Deactivate**.
For the deactivation option to be visible to an admin, the user:
For the deactivation option to be visible to an administrator, the user:
- Must be currently active.
- Must not have signed in, or have any activity, in the last 90 days.
@ -153,9 +157,6 @@ For the deactivation option to be visible to an admin, the user:
NOTE:
Users can also be deactivated using the [GitLab API](../../api/users.md#deactivate-user).
NOTE:
Users can be notified about account deactivation if [user deactivation emails](settings/email.md#enable-user-deactivation-emails) are enabled.
### Automatically deactivate dormant users
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/320875) in GitLab 14.0.

4
doc/user/admin_area/settings/account_and_limit_settings.md
View file

@ -154,12 +154,12 @@ nginx['client_max_body_size'] = "200m"
> - It's deployed behind a feature flag, disabled by default.
> - It's disabled on GitLab.com.
> - It's not recommended for production use.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](../../../security/two_factor_authentication.md#enable-or-disable-two-factor-authentication-2fa-for-git-operations).
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](../../../security/two_factor_authentication.md#enable-or-disable-2fa-for-git-operations).
NOTE:
This feature is under development and not ready for production use. It is deployed
behind a feature flag that is **disabled by default**. To use it in GitLab
self-managed instances, ask a GitLab administrator to [enable it](../../../security/two_factor_authentication.md#enable-or-disable-two-factor-authentication-2fa-for-git-operations).
self-managed instances, ask a GitLab administrator to [enable it](../../../security/two_factor_authentication.md#enable-or-disable-2fa-for-git-operations).
GitLab administrators can choose to customize the session duration (in minutes) for Git operations when 2FA is enabled. The default is 15 and this can be set to a value between 1 and 10080.

8
doc/user/admin_area/settings/email.md
View file

@ -72,16 +72,16 @@ To add additional text to emails:
1. Enter your text in the **Additional text** field.
1. Select **Save changes**.
## Enable user deactivation emails **(FREE SELF)**
## User deactivation emails **(FREE SELF)**
GitLab can send email notifications to users when their account has been deactivated.
GitLab sends email notifications to users when their account has been deactivated.
To enable these notifications:
To disable these notifications:
1. On the top bar, select **Menu > Admin**.
1. On the left sidebar, select **Settings > Preferences** (`/admin/application_settings/preferences`).
1. Expand **Email**.
1. Select **Enable user deactivation emails**.
1. Clear the **Enable user deactivation emails** checkbox.
1. Select **Save changes**.
<!-- ## Troubleshooting

3
doc/user/application_security/sast/index.md
View file

@ -361,6 +361,9 @@ To create a custom ruleset:
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/292686) in GitLab 14.2.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available, ask an administrator to [enable the `vulnerability_flags` flag](../../../administration/feature_flags.md). On GitLab.com, this feature is available.
Vulnerabilities that have been detected and are false positives will be flagged as false positives in the security dashboard.
### Using CI/CD variables to pass credentials for private repositories

2
doc/user/group/index.md
View file

@ -754,7 +754,7 @@ The group's new subgroups have push rules set for them based on either:
- [Transfer a project into a group](../project/settings/index.md#transferring-an-existing-project-into-another-namespace).
- [Share a project with a group](../project/members/share_project_with_groups.md): Give all group members access to the project at once.
- [Lock the sharing with group feature](#prevent-a-project-from-being-shared-with-groups).
- [Enforce two-factor authentication (2FA)](../../security/two_factor_authentication.md#enforcing-2fa-for-all-users-in-a-group): Enforce 2FA
- [Enforce two-factor authentication (2FA)](../../security/two_factor_authentication.md#enforce-2fa-for-all-users-in-a-group): Enforce 2FA
for all group members.
- Namespaces [API](../../api/namespaces.md) and [Rake tasks](../../raketasks/features.md)..

2
locale/gitlab.pot
View file

@ -28543,7 +28543,7 @@ msgstr ""
msgid "Require additional authentication for administrative tasks."
msgstr ""
msgid "Require all users in this group to setup Two-factor authentication"
msgid "Require all users in this group to set up two-factor authentication"
msgstr ""
msgid "Require all users in this group to setup two-factor authentication"

29
spec/finders/issues_finder_spec.rb
View file

@ -567,6 +567,35 @@ RSpec.describe IssuesFinder do
it 'returns issues with title and description match for search term' do
expect(issues).to contain_exactly(issue1, issue2)
end
context 'with anonymous user' do
let_it_be(:public_project) { create(:project, :public, group: subgroup) }
let_it_be(:issue6) { create(:issue, project: public_project, title: 'tanuki') }
let_it_be(:issue7) { create(:issue, project: public_project, title: 'ikunat') }
let(:search_user) { nil }
let(:params) { { search: 'tanuki' } }
context 'with disable_anonymous_search feature flag enabled' do
before do
stub_feature_flags(disable_anonymous_search: true)
end
it 'does not perform search' do
expect(issues).to contain_exactly(issue6, issue7)
end
end
context 'with disable_anonymous_search feature flag disabled' do
before do
stub_feature_flags(disable_anonymous_search: false)
end
it 'finds one public issue' do
expect(issues).to contain_exactly(issue6)
end
end
end
end
context 'filtering by issue term in title' do

30
spec/finders/merge_requests_finder_spec.rb
View file

@ -729,6 +729,36 @@ RSpec.describe MergeRequestsFinder do
merge_requests = described_class.new(user, params).execute
expect { merge_requests.load }.not_to raise_error
end
context 'filtering by search text' do
let!(:merge_request6) { create(:merge_request, source_project: project1, target_project: project1, source_branch: 'tanuki-branch', title: 'tanuki') }
let(:params) { { project_id: project1.id, search: 'tanuki' } }
context 'with anonymous user' do
let(:merge_requests) { described_class.new(nil, params).execute }
context 'with disable_anonymous_search feature flag enabled' do
before do
stub_feature_flags(disable_anonymous_search: true)
end
it 'does not perform search' do
expect(merge_requests).to contain_exactly(merge_request1, merge_request2, merge_request6)
end
end
context 'with disable_anonymous_search feature flag disabled' do
before do
stub_feature_flags(disable_anonymous_search: false)
end
it 'returns matching merge requests' do
expect(merge_requests).to contain_exactly(merge_request6)
end
end
end
end
end
describe '#row_count', :request_store do

3
spec/spec_helper.rb
View file

@ -305,6 +305,9 @@ RSpec.configure do |config|
# For more information check https://gitlab.com/gitlab-com/gl-infra/production/-/issues/4321
stub_feature_flags(block_issue_repositioning: false)
# This is an ops feature flag that's disabled by default
stub_feature_flags(disable_anonymous_search: false)
# Disable the refactored top nav search until there is functionality
# Can be removed once all existing functionality has been replicated
# For more information check https://gitlab.com/gitlab-org/gitlab/-/issues/339348