Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2021-10-26 18:09:19 +00:00
parent 5169b4a63b
commit 67049ac7aa
69 changed files with 455 additions and 501 deletions


@ -130,6 +130,7 @@ Naming/FileName:
- 'qa/spec/**/*'
- 'qa/qa/specs/**/*'
- 'qa/tasks/**/*.rake'
- '**/*.ru'
IgnoreExecutableScripts: true
AllowedAcronyms:
@ -151,6 +152,23 @@ Naming/FileName:
- CI
- CD
- OAuth
- CSP
- CSV
- SCA
- SAN
- CIDR
- SPDX
- MR
- SSE
- JWT
- HLL
- VSCode
- GPG
- OTP
- GID
- AR
- RSpec
- Javascript
# default ones:
- CLI
- DSL


@ -8,6 +8,8 @@ import {
GlTooltipDirective,
GlIntersectionObserver,
} from '@gitlab/ui';
import { once } from 'lodash';
import api from '~/api';
import { sprintf, s__, __ } from '~/locale';
import SmartVirtualList from '~/vue_shared/components/smart_virtual_list.vue';
import { EXTENSION_ICON_CLASS } from '../../constants';
@ -102,8 +104,15 @@ export default {
});
},
methods: {
triggerRedisTracking: once(function triggerRedisTracking() {
if (this.$options.expandEvent) {
api.trackRedisHllUserEvent(this.$options.expandEvent);
}
}),
toggleCollapsed() {
this.isCollapsed = !this.isCollapsed;
this.triggerRedisTracking();
},
loadAllData() {
if (this.fullData) return;
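Review bot: `triggerRedisTracking: once(function ...)` on the `methods` object wraps one closure that is created when this module is evaluated, so lodash's "already called" flag is shared by every instance built from this base rather than kept per instance. If more than one extension widget is mounted on a merge request page (which appears to be what `registerExtension` is for, though the mounting code is outside this hunk), only the first expansion across all of them calls `trackRedisHllUserEvent`, and the other widgets' `expandEvent` values are never recorded. A per-instance guard keeps the intent: add `redisTracked: false` to `data()` and replace the wrapper with `triggerRedisTracking() { if (this.redisTracked || !this.$options.expandEvent) return; this.redisTracked = true; api.trackRedisHllUserEvent(this.$options.expandEvent); }`, after which the `once` import is unused. The `data()` block this touches is outside the hunk.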


@ -12,6 +12,7 @@ export const registerExtension = (extension) => {
name: extension.name,
props: extension.props,
i18n: extension.i18n,
expandEvent: extension.expandEvent,
computed: {
...Object.keys(extension.computed).reduce(
(acc, computedKey) => ({


@ -11,6 +11,7 @@ export default {
label: 'Issues',
loading: 'Loading issues...',
},
expandEvent: 'i_testing_load_performance_widget_total',
// Add an array of props
// These then get mapped to values stored in the MR Widget store
props: ['targetProjectFullPath', 'conflictsDocsPath'],


@ -46,6 +46,7 @@ class SearchController < ApplicationController
@search_results = @search_service.search_results
@search_objects = @search_service.search_objects
@search_highlight = @search_service.search_highlight
@aggregations = @search_service.search_aggregations
increment_search_counters
end
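Review bot: `@aggregations = @search_service.search_aggregations` now runs on every search request regardless of scope or backend, and nothing in this hunk shows whether `aggregations(scope)` is cheap or a no-op for the basic database search; if it issues a query only the Elasticsearch path needs, every search page pays for it. Please confirm the behaviour for the non-Elasticsearch case and record it next to the assignment, e.g. `# Aggregations are only populated by the advanced search backend; empty otherwise` (adjusted to whatever the check shows). The enclosing action starts and ends outside the hunk.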


@ -39,14 +39,14 @@ module AppearancesHelper
if current_appearance&.header_logo?
image_tag current_appearance.header_logo_path, class: 'brand-header-logo'
else
render 'shared/logo.svg'
render partial: 'shared/logo', formats: :svg
end
end
# Skip the 'GitLab' type logo when custom brand logo is set
def brand_header_logo_type
unless current_appearance&.header_logo?
render 'shared/logo_type.svg'
render partial: 'shared/logo_type', formats: :svg
end
end
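Review bot: `brand_header_logo` has no comment while its sibling `brand_header_logo_type` does, and the switch to `render partial: 'shared/logo', formats: :svg` is left unexplained for the next reader. I would add `# Custom header logo uploaded by the admin, otherwise the default inline GitLab logo SVG partial.` above the method's `def` line (which sits outside the hunk), and extend the existing comment on `brand_header_logo_type` to say that the `unless` branch returns nil when a custom logo is set, which the view renders as nothing. The `AppearancesHelper` module continues outside the hunk.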


@ -75,6 +75,10 @@ class SearchService
search_results.highlight_map(scope)
end
def search_aggregations
search_results.aggregations(scope)
end
private
def page


@ -2,30 +2,26 @@
= form_errors(@application_setting)
%fieldset
- if omnibus_protected_paths_throttle?
.bs-callout.bs-callout-danger
- relative_url_link = 'https://docs.gitlab.com/ee/user/admin_area/settings/protected_paths.html#migrate-settings-from-gitlab-123-and-earlier'
- relative_url_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: relative_url_link }
= _("Omnibus Protected Paths throttle is active, and takes priority over these settings. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}.").html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
.form-group
.form-check
= f.check_box :throttle_protected_paths_enabled, class: 'form-check-input'
= f.label :throttle_protected_paths_enabled, class: 'form-check-label' do
= _('Enable protected paths rate limit')
= _('Enable rate limiting for POST requests to the specified paths')
%span.form-text.text-muted
= _('Helps reduce request volume for protected paths')
= _('Helps reduce request volume for protected paths.')
.form-group
= f.label :throttle_protected_paths_requests_per_period, 'Max requests per period per user', class: 'label-bold'
= f.label :throttle_protected_paths_requests_per_period, 'Maximum requests per period per user', class: 'label-bold'
= f.number_field :throttle_protected_paths_requests_per_period, class: 'form-control gl-form-input'
.form-group
= f.label :throttle_protected_paths_period_in_seconds, 'Rate limit period in seconds', class: 'label-bold'
= f.label :throttle_protected_paths_period_in_seconds, 'Rate limit period (in seconds)', class: 'label-bold'
= f.number_field :throttle_protected_paths_period_in_seconds, class: 'form-control gl-form-input'
.form-group
= f.label :protected_paths, class: 'label-bold' do
= _('Paths to protect with rate limiting')
= f.text_area :protected_paths_raw, placeholder: '/users/sign_in,/users/password', class: 'form-control gl-form-input', rows: 10
%span.form-text.text-muted
- relative_url_link = 'https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-a-relative-url-for-gitlab'
- relative_url_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: relative_url_link }
= _('All paths are relative to the GitLab URL. Do not include %{relative_url_link_start}relative URL%{relative_url_link_end}.').html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
= f.text_area :protected_paths_raw, placeholder: '/users/sign_in,/users/password', class: 'form-control gl-form-input', rows: 10
= _('All paths are relative to the GitLab URL. Do not include %{relative_url_link_start}relative URLs%{relative_url_link_end}.').html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
= f.submit _('Save changes'), class: 'gl-button btn btn-confirm'
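Review bot: The two relabelled `f.label` strings, `'Maximum requests per period per user'` and `'Rate limit period (in seconds)'`, are plain literals while every other user-facing string in this partial goes through `_()`, so they are never translated; they should read `= f.label :throttle_protected_paths_requests_per_period, _('Maximum requests per period per user'), class: 'label-bold'` and `= f.label :throttle_protected_paths_period_in_seconds, _('Rate limit period (in seconds)'), class: 'label-bold'`. Moving the `relative_url_link` locals down to the `%span` that uses them reads well; a short `-#` comment noting that the link markup is deliberately built as an `html_safe` fragment would help whoever edits that span next.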


@ -87,14 +87,12 @@
%section.settings.as-protected-paths.no-animate#js-protected-paths-settings{ class: ('expanded' if expanded_by_default?) }
.settings-header
%h4
= _('Protected Paths')
= _('Protected paths')
%button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
= expanded_by_default? ? _('Collapse') : _('Expand')
%p
= _('Configure paths to be protected by Rack Attack.')
.help-block
= _('These paths are protected for POST requests.')
= link_to _('More information'), help_page_path('security/rack_attack', anchor: 'protected-paths-throttle'), target: '_blank'
= _('Rate limit access to specified paths.')
= link_to _('Learn more.'), help_page_path('user/admin_area/settings/protected_paths.md'), target: '_blank', rel: 'noopener noreferrer'
.settings-content
= render 'protected_paths'


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
cal = Icalendar::Calendar.new
@ -17,3 +18,5 @@ end
# rubocop: enable CodeReuse/ActiveRecord
cal.to_ical
# rubocop:enable Naming/FileName


@ -87,13 +87,14 @@ class EmailsOnPushWorker # rubocop:disable Scalability/IdempotentWorker
private
def send_email(recipient, project_id, options)
# Generating the body of this email can be expensive, so only do it once
@skip_premailer ||= email.present?
@email ||= Notify.repository_push_email(project_id, options)
@email ||= Notify.repository_push_email(project_id, options).tap do |mail|
Premailer::Rails::Hook.perform(mail)
end
email.to = recipient
email.add_message_id
email.header[:skip_premailer] = true if skip_premailer
email.deliver_now
current_email = email.dup
current_email.to = recipient
current_email.add_message_id
current_email.header[:skip_premailer] = true
current_email.deliver_now
end
end
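Review bot: `current_email = email.dup` is relied on to give each recipient an independent message, but as far as I recall the mail gem's `Mail::Message` does not define `initialize_copy`, so the copy may share its header object with the memoized `@email`, and `current_email.to = recipient` / `add_message_id` would then write through to it; delivery happens immediately afterwards so recipients should not cross, but a spec asserting that `@email.to` is still unset after two calls would settle it, and a deeper copy is needed if the header is shared. The leading comment also no longer describes the code: Premailer now runs once inside the `tap` and every copy sets `header[:skip_premailer] = true`, so I would extend it to `# Generating the body (and inlining its CSS with Premailer) is expensive, so do it once; each per-recipient copy sets skip_premailer so the delivery hook does not run it again`. With `@skip_premailer` gone, any `attr_reader :skip_premailer` above the hunk is now dead.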


@ -5,7 +5,7 @@ require 'rails'
require 'png_quantizator'
require 'parallel'
require 'rainbow/ext/string'
require_relative '../tooling/lib/tooling/images'
require_relative '../tooling/lib/tooling/image'
return if Rails.env.production?


@ -1,8 +0,0 @@
---
name: product_analytics_tracking
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46482
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/285519
milestone: '13.7'
type: ops
group: group::product intelligence
default_enabled: false


@ -150,6 +150,7 @@ denormalized
denormalizes
denormalizing
denylist
denylisted
denylisting
denylists
deployer


@ -15,9 +15,7 @@ performance, data, or could even exhaust the allocated resources for the applica
Rate limits can be used to improve the security and durability of GitLab.
For example, one script can make thousands of web requests per second. Whether malicious, apathetic, or just a bug, your application and infrastructure may not be able to cope with the load. Rate limits can help to mitigate these types of attacks.
Read more about [configuring rate limits](../security/rate_limits.md) in the Security documentation.
Read more about [configuring rate limits](../security/rate_limits.md).
### Issue creation
@ -128,16 +126,6 @@ This setting limits the import/export actions for groups and projects.
Read more about [import/export rate limits](../user/admin_area/settings/import_export_rate_limits.md).
### Rack attack
This method of rate limiting is cumbersome, but has some advantages. It allows
throttling of specific paths, and is also integrated into Git and container
registry requests.
Read more about the [Rack Attack initializer](../security/rack_attack.md) method of setting rate limits.
- **Default rate limit**: Disabled.
### Member Invitations
Limit the maximum daily member invitations allowed per group hierarchy.


@ -752,7 +752,6 @@ Depending on your installation method, this file is located at:
This log records:
- Information whenever [Rack Attack](../security/rack_attack.md) registers an abusive request.
- Requests over the [Rate Limit](../user/admin_area/settings/rate_limits_on_raw_endpoints.md) on raw endpoints.
- [Protected paths](../user/admin_area/settings/protected_paths.md) abusive requests.
- In GitLab versions [12.3](https://gitlab.com/gitlab-org/gitlab/-/issues/29239) and later,


@ -411,11 +411,11 @@ listed in the descriptions of the relevant settings.
| `terminal_max_session_time` | integer | no | Maximum time for web terminal websocket connection (in seconds). Set to `0` for unlimited time. |
| `terms` | text | required by: `enforce_terms` | (**Required by:** `enforce_terms`) Markdown content for the ToS. |
| `throttle_authenticated_api_enabled` | boolean | no | (**If enabled, requires:** `throttle_authenticated_api_period_in_seconds` and `throttle_authenticated_api_requests_per_period`) Enable authenticated API request rate limit. Helps reduce request volume (for example, from crawlers or abusive bots). |
| `throttle_authenticated_api_period_in_seconds` | integer | required by:<br>`throttle_authenticated_api_enabled` | Rate limit period in seconds. |
| `throttle_authenticated_api_requests_per_period` | integer | required by:<br>`throttle_authenticated_api_enabled` | Max requests per period per user. |
| `throttle_authenticated_api_period_in_seconds` | integer | required by:<br>`throttle_authenticated_api_enabled` | Rate limit period (in seconds). |
| `throttle_authenticated_api_requests_per_period` | integer | required by:<br>`throttle_authenticated_api_enabled` | Maximum requests per period per user. |
| `throttle_authenticated_web_enabled` | boolean | no | (**If enabled, requires:** `throttle_authenticated_web_period_in_seconds` and `throttle_authenticated_web_requests_per_period`) Enable authenticated web request rate limit. Helps reduce request volume (for example, from crawlers or abusive bots). |
| `throttle_authenticated_web_period_in_seconds` | integer | required by:<br>`throttle_authenticated_web_enabled` | Rate limit period in seconds. |
| `throttle_authenticated_web_requests_per_period` | integer | required by:<br>`throttle_authenticated_web_enabled` | Max requests per period per user. |
| `throttle_authenticated_web_period_in_seconds` | integer | required by:<br>`throttle_authenticated_web_enabled` | Rate limit period (in seconds). |
| `throttle_authenticated_web_requests_per_period` | integer | required by:<br>`throttle_authenticated_web_enabled` | Maximum requests per period per user. |
| `throttle_unauthenticated_enabled` | boolean | no | ([Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/335300) in GitLab 14.3. Use `throttle_unauthenticated_web_enabled` or `throttle_unauthenticated_api_enabled` instead.) (**If enabled, requires:** `throttle_unauthenticated_period_in_seconds` and `throttle_unauthenticated_requests_per_period`) Enable unauthenticated web request rate limit. Helps reduce request volume (for example, from crawlers or abusive bots). |
| `throttle_unauthenticated_period_in_seconds` | integer | required by:<br>`throttle_unauthenticated_enabled` | ([Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/335300) in GitLab 14.3. Use `throttle_unauthenticated_web_period_in_seconds` or `throttle_unauthenticated_api_period_in_seconds` instead.) Rate limit period in seconds. |
| `throttle_unauthenticated_requests_per_period` | integer | required by:<br>`throttle_unauthenticated_enabled` | ([Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/335300) in GitLab 14.3. Use `throttle_unauthenticated_web_requests_per_period` or `throttle_unauthenticated_api_requests_per_period` instead.) Max requests per period per IP. |


@ -1026,18 +1026,13 @@ document to ensure it links to the most recent version of the file.
When documenting how to navigate through the GitLab UI:
- Always use location, then action.
- `From the **Visibility** list,` (location) `select **Public**.` (action)
- From the **Visibility** dropdown list (location), select **Public** (action).
- Be brief and specific. For example:
- Avoid: `Select **Save** for the changes to take effect.`
- Use instead: `Select **Save**.`
- When selecting from high-level UI elements, use the word **on**.
- Avoid: `From the left sidebar...` or `In the left sidebar...`
- Use instead: `On the left sidebar...`
- If a step must include a reason, start the step with it.
- Avoid: `Select the link in the merge request to view the changes.`
- Use instead: `To view the changes, select the link in the merge request.`
- If a step is optional, start the step with the word `Optional` followed by a period.
- `1. Optional. Enter a name for the dog.`
- Do: Select **Save**.
- Do not: Select **Save** for the changes to take effect.
- If a step must include a reason, start the step with it. This helps the user scan more quickly.
- Do: To view the changes, in the merge request, select the link.
- Do not: Select the link in the merge request to view the changes.
### Names for menus
@ -1082,6 +1077,42 @@ To select your avatar:
1. On the top bar, in the top right corner, select your avatar.
```
### Optional steps
If a step is optional, start the step with the word `Optional` followed by a period.
For example:
```markdown
1. Optional. Enter a description for the job.
```
### Documenting multiple fields at once
If the UI text sufficiently explains the fields in a section, do not include a task step for every field.
Instead, summarize multiple fields in a single task step.
Use the phrase **Complete the fields**.
For example:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > Repository**.
1. Expand **Push rules**.
1. Complete the fields.
If you are documenting multiple fields and only one field needs explanation, do it in the same step:
1. Expand **Push rules**.
1. Complete the fields. **Branch name** must be a regular expression.
To describe multiple fields, use bullets:
1. Expand **General pipelines**.
1. Complete the fields.
- **Branch name** must be a regular expression.
- **User** must be a user with at least the **Maintainer** role.
## Images
Images, including screenshots, can help a reader better understand a concept.


@ -259,6 +259,16 @@ Use **box** instead of **field** or **text box**.
- Do: In the **Variable name** box, enter `my text`.
- Do not: In the **Variable name** field, enter `my text`.
However, you can make an exception when you are writing a task and you need to refer to all
of the fields at once. For example:
1. On the top bar, select **Menu > Projects** and find your project.
1. On the left sidebar, select **Settings > CI/CD**.
1. Expand **General pipelines**.
1. Complete the fields.
Learn more about [documenting multiple fields at once](index.md#documenting-multiple-fields-at-once).
## foo
Do not use **foo** in product documentation. You can use it in our API and contributor documentation, but try to use a clearer and more meaningful example instead.
@ -454,6 +464,13 @@ Do not use **note that** because it's wordy.
- Do: You can change the settings.
- Do not: Note that you can change the settings.
## on
When documenting how to select high-level UI elements, use the word **on**.
- Do: `On the left sidebar...`
- Do not: `From the left sidebar...` or `In the left sidebar...`
## once
The word **once** means **one time**. Don't use it to mean **after** or **when**.


@ -1,9 +1,45 @@
---
redirect_to: 'https://docs.gitlab.com/charts/installation/operator.html'
remove_date: '2022-09-22'
stage: Enablement
group: Distribution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
This file was moved to [another location](https://docs.gitlab.com/charts/installation/operator.html).
# OpenShift support
<!-- This redirect file can be deleted after <2022-09-22>. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page -->
OpenShift - GitLab compatibility can be addressed in three different aspects. This page helps navigating between these aspects and provides introductory information for getting started with OpenShift and GitLab.
## What is OpenShift
OpenShift helps you to develop, deploy, and manage container-based applications. It provides you with a self-service platform to create, modify, and deploy applications on demand, thus enabling faster development and release life cycles.
## Use OpenShift to run GitLab Self-Managed
Running GitLab within an OpenShift cluster is officially supported using the GitLab Operator. You can learn more on
[setting up GitLab on OpenShift on the GitLab Operator's documentation](https://docs.gitlab.com/charts/installation/operator.html).
Some components (documented on the GitLab Operator doc) are not supported yet.
## Deploy to and integrate with OpenShift from GitLab
Deploying custom or COTS applications on top of OpenShift from GitLab is supported using [the GitLab Kubernetes Agent](../../user/clusters/agent/index.md).
## Use OpenShift to run a GitLab Runner Fleet
The GitLab Operator does not include the GitLab Runner. To install and manage a GitLab Runner fleet in an OpenShift cluster, use the
[GitLab Runner Operator](https://gitlab.com/gitlab-org/gl-openshift/gitlab-runner-operator).
## Unsupported GitLab features
### Docker-in-Docker
When using OpenShift to run a GitLab Runner Fleet, we do not support some GitLab features given OpenShift's security model.
Features requiring Docker-in-Docker might not work.
For Auto DevOps, the following features are not supported yet:
- Auto Code Quality
- Auto License Compliance
- Auto Browser Performance Testing
- Auto Build
For Auto Build, there's a [possible workaround using `kaniko`](../../ci/docker/using_kaniko.md).
You can check the progress of the implementation in this [issue](https://gitlab.com/gitlab-org/gitlab/-/issues/332560).


@ -63,7 +63,7 @@ The process for configuring Jira depends on whether you host Jira on your own se
how to [set up a user in Jira Server](jira_server_configuration.md).
- **Jira on Atlassian cloud** supports authentication through an API token. When connecting to Jira on
Atlassian cloud, an email and API token are required. For more information, read
[set up a user in Jira on Atlassian cloud](jira_cloud_configuration.md).
[create an API token for Jira in Atlassian cloud](jira_cloud_configuration.md).
## Privacy considerations


@ -4,18 +4,19 @@ group: Integrations
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---
# Create an API token in Jira on Atlassian cloud **(FREE)**
# Create an API token for Jira in Atlassian cloud **(FREE)**
You need an API token to [integrate with Jira](index.md)
on Atlassian cloud. To create the API token:
1. Sign in to [`id.atlassian.com`](https://id.atlassian.com/manage-profile/security/api-tokens)
with your email address. Use an account with *write* access to Jira projects.
1. Go to **Settings > Atlassian account settings > Security > Create and manage API tokens**.
1. Select **Create API token** to display a modal window with an API token.
1. Sign in to [Atlassian](https://id.atlassian.com/manage-profile/security/api-tokens)
using an account with *write* access to Jira projects.
The link opens the API tokens page. Alternatively, to go to this page from your Atlassian
profile, select **Account Settings > Security > Create and manage API tokens**.
1. Select **Create API token**.
1. In the dialog, enter a label for your token and select **Create**.
1. To copy the API token, select **Copy**, then paste the token somewhere safe. You need this value when you
[configure GitLab](configure.md).
1. To copy the API token, select **Copy**, then paste the token somewhere safe.
You need the newly created token, and the email
address you used when you created it, when you


@ -1,195 +1,9 @@
---
stage: Manage
group: Access
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference, howto
redirect_to: '../user/admin_area/settings/protected_paths.md'
remove_date: '2022-01-14'
---
# Rack Attack initializer **(FREE SELF)**
This document was moved to [another location](../user/admin_area/settings/protected_paths.md).
[Rack Attack](https://github.com/kickstarter/rack-attack), also known as Rack::Attack, is a Ruby gem
that is meant to protect GitLab with the ability to customize throttling and
to block user IP addresses.
You can prevent brute-force passwords attacks, scrapers, or any other offenders
by throttling requests from IP addresses that are making large volumes of requests.
If you find throttling is not enough to protect you against abusive clients,
Rack Attack offers IP whitelisting, blacklisting, Fail2ban style filtering, and
tracking.
For more information on how to use these options see the [Rack Attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
NOTE:
See
[User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md)
for simpler limits that are configured in the UI.
NOTE:
Starting with GitLab 11.2, Rack Attack is disabled by default. If your
instance is not exposed to the public internet, it is recommended that you leave
Rack Attack disabled.
## Behavior
If set up as described in the [Settings](#settings) section below, two behaviors
are enabled:
- Protected paths are throttled.
- Failed authentications for Git and container registry requests trigger a temporary IP ban.
### Protected paths throttle
GitLab responds with HTTP status code `429` to POST requests at protected paths
that exceed 10 requests per minute per IP address.
By default, protected paths are:
- `/users/password`
- `/users/sign_in`
- `/api/#{API::API.version}/session.json`
- `/api/#{API::API.version}/session`
- `/users`
- `/users/confirmation`
- `/unsubscribes/`
- `/import/github/personal_access_token`
- `/admin/session`
See [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md#response-headers) for the headers responded to blocked requests.
For example, the following are limited to a maximum 10 requests per minute:
- User sign-in
- User sign-up (if enabled)
- User password reset
After 10 requests, the client must wait a minute before it can
try again.
### Git and container registry failed authentication ban
GitLab responds with HTTP status code `403` for 1 hour, if 30 failed
authentication requests were received in a 3-minute period from a single IP address.
This applies only to Git requests and container registry (`/jwt/auth`) requests
(combined).
This limit:
- Is reset by requests that authenticate successfully. For example, 29
failed authentication requests followed by 1 successful request, followed by 29
more failed authentication requests would not trigger a ban.
- Does not apply to JWT requests authenticated by `gitlab-ci-token`.
No response headers are provided.
## Settings
**Omnibus GitLab**
1. Open `/etc/gitlab/gitlab.rb` with your editor
1. Add the following:
```ruby
gitlab_rails['rack_attack_git_basic_auth'] = {
'enabled' => true,
'ip_whitelist' => ["127.0.0.1"],
'maxretry' => 10, # Limit the number of Git HTTP authentication attempts per IP
'findtime' => 60, # Reset the auth attempt counter per IP after 60 seconds
'bantime' => 3600 # Ban an IP for one hour (3600s) after too many auth attempts
}
```
1. Reconfigure GitLab:
```shell
sudo gitlab-ctl reconfigure
```
The following settings can be configured:
- `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack.
- `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a Ruby array.
CIDR notation is supported in GitLab 12.1 and later.
For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3", "192.168.0.1/24"]`.
- `maxretry`: The maximum amount of times a request can be made in the
specified time.
- `findtime`: The maximum amount of time that failed requests can count against an IP
before it's blacklisted (in seconds).
- `bantime`: The total amount of time that a blacklisted IP is blocked (in
seconds).
**Installations from source**
These settings can be found in `config/initializers/rack_attack.rb`. If you are
missing `config/initializers/rack_attack.rb`, the following steps need to be
taken in order to enable protection for your GitLab instance:
1. In `config/application.rb` find and uncomment the following line:
```ruby
config.middleware.use Rack::Attack
```
1. Restart GitLab:
```shell
sudo service gitlab restart
```
If you want more restrictive/relaxed throttle rules, edit
`config/initializers/rack_attack.rb` and change the `limit` or `period` values.
For example, you can set more relaxed throttle rules with
`limit: 3` and `period: 1.seconds`, allowing 3 requests per second.
You can also add other paths to the protected list by adding to `paths_to_be_protected`
variable. If you change any of these settings you must restart your
GitLab instance.
## Remove blocked IPs from Rack Attack via Redis
In case you want to remove a blocked IP, follow these steps:
1. Find the IPs that have been blocked in the production log:
```shell
grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
```
1. Since the blacklist is stored in Redis, you need to open up `redis-cli`:
```shell
/opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
```
1. You can remove the block using the following syntax, replacing `<ip>` with
the actual IP that is blacklisted:
```plaintext
del cache:gitlab:rack::attack:allow2ban:ban:<ip>
```
1. Confirm that the key with the IP no longer shows up:
```plaintext
keys *rack::attack*
```
1. Optionally, add the IP to the whitelist to prevent it from being blacklisted
again (see [settings](#settings)).
## Troubleshooting
### Rack attack is blacklisting the load balancer
Rack Attack may block your load balancer if all traffic appears to come from
the load balancer. In that case, you must:
1. [Configure `nginx[real_ip_trusted_addresses]`](https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-gitlab-trusted_proxies-and-the-nginx-real_ip-module).
This keeps users' IPs from being listed as the load balancer IPs.
1. Whitelist the load balancer's IP address(es) in the Rack Attack [settings](#settings).
1. Reconfigure GitLab:
```shell
sudo gitlab-ctl reconfigure
```
1. [Remove the block via Redis.](#remove-blocked-ips-from-rack-attack-via-redis)
<!-- This redirect file can be deleted after <2022-01-14>. -->
<!-- Before deletion, see: https://docs.gitlab.com/ee/development/documentation/#move-or-rename-a-page -->


@ -14,9 +14,13 @@ For GitLab.com, please see
Rate limiting is a common technique used to improve the security and durability
of a web application.
For example, a simple script can make thousands of web requests per second.
Whether malicious, apathetic, or just a bug, your application and infrastructure
may not be able to cope with the load. For more details, see
For example, a simple script can make thousands of web requests per second. The requests could be:
- Malicious.
- Apathetic.
- Just a bug.
Your application and infrastructure may not be able to cope with the load. For more details, see
[Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).
Most cases can be mitigated by limiting the rate of requests from a single IP address.
@ -25,7 +29,7 @@ similarly mitigated by a rate limit.
## Admin Area settings
These are rate limits you can set in the Admin Area of your instance:
You can set these rate limits in the Admin Area of your instance:
- [Import/Export rate limits](../user/admin_area/settings/import_export_rate_limits.md)
- [Issues rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md)
@ -38,14 +42,36 @@ These are rate limits you can set in the Admin Area of your instance:
- [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md)
- [Deprecated API rate limits](../user/admin_area/settings/deprecated_api_rate_limits.md)
## Failed authentication ban for Git and container registry
GitLab returns HTTP status code `403` for 1 hour, if 30 failed authentication requests were received
in a 3-minute period from a single IP address. This applies only to combined:
- Git requests.
- Container registry (`/jwt/auth`) requests.
This limit:
- Is reset by requests that authenticate successfully. For example, 29 failed authentication
requests followed by 1 successful request, followed by 29 more failed authentication requests
would not trigger a ban.
- Does not apply to JWT requests authenticated by `gitlab-ci-token`.
- Is disabled by default.
No response headers are provided.
For configuration information, see
[Omnibus GitLab configuration options](https://docs.gitlab.com/omnibus/settings/configuration.html#configure-a-failed-authentication-ban).
## Non-configurable limits
### Repository archives
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/25750) in GitLab 12.9.
There is a rate limit for [downloading repository archives](../api/repositories.md#get-file-archive),
which applies to the project and to the user initiating the download either through the UI or the API.
A rate limit for [downloading repository archives](../api/repositories.md#get-file-archive) is
available. The limit applies to the project and to the user initiating the download either through
the UI or the API.
The **rate limit** is 5 requests per minute per user.
@ -57,8 +83,50 @@ There is a rate limit for [testing webhooks](../user/project/integrations/webhoo
The **rate limit** is 5 requests per minute per user.
## Rack Attack initializer
## Troubleshooting
This method of rate limiting is cumbersome, but has some advantages. It allows
throttling of specific paths, and is also integrated into Git and container
registry requests. See [Rack Attack initializer](rack_attack.md).
### Rack Attack is denylisting the load balancer
Rack Attack may block your load balancer if all traffic appears to come from
the load balancer. In that case, you must:
1. [Configure `nginx[real_ip_trusted_addresses]`](https://docs.gitlab.com/omnibus/settings/nginx.html#configuring-gitlab-trusted_proxies-and-the-nginx-real_ip-module).
This keeps users' IPs from being listed as the load balancer IPs.
1. Allowlist the load balancer's IP addresses.
1. Reconfigure GitLab:
```shell
sudo gitlab-ctl reconfigure
```
### Remove blocked IPs from Rack Attack with Redis
To remove a blocked IP:
1. Find the IPs that have been blocked in the production log:
```shell
grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log
```
1. Since the denylist is stored in Redis, you must open up `redis-cli`:
```shell
/opt/gitlab/embedded/bin/redis-cli -s /var/opt/gitlab/redis/redis.socket
```
1. You can remove the block using the following syntax, replacing `<ip>` with
the actual IP that is denylisted:
```plaintext
del cache:gitlab:rack::attack:allow2ban:ban:<ip>
```
1. Confirm that the key with the IP no longer shows up:
```plaintext
keys *rack::attack*
```
1. Optionally, add [the IP to the allowlist](https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-rack-attack)
to prevent it being denylisted again.


@ -7,28 +7,11 @@ type: reference
# Protected paths **(FREE SELF)**
Rate limiting is a common technique used to improve the security and durability
of a web application. For more details, see
[Rate limits](../../../security/rate_limits.md).
Rate limiting is a technique that improves the security and durability of a web
application. For more details, see [Rate limits](../../../security/rate_limits.md).
GitLab rate limits the following paths with Rack Attack by default:
```plaintext
'/users/password',
'/users/sign_in',
'/api/#{API::API.version}/session.json',
'/api/#{API::API.version}/session',
'/users',
'/users/confirmation',
'/unsubscribes/',
'/import/github/personal_access_token',
'/admin/session'
```
GitLab responds with HTTP status code `429` to POST requests at protected paths
that exceed 10 requests per minute per IP address.
See [User and IP rate limits](../../admin_area/settings/user_and_ip_rate_limits.md#response-headers) for the headers responded to blocked requests.
You can rate limit (protect) specified paths. For these paths, GitLab responds with HTTP status
code `429` to POST requests at protected paths that exceed 10 requests per minute per IP address.
For example, the following are limited to a maximum 10 requests per minute:
@ -36,10 +19,15 @@ For example, the following are limited to a maximum 10 requests per minute:
- User sign-up (if enabled)
- User password reset
After 10 requests, the client must wait 60 seconds before it can
try again.
After 10 requests, the client must wait 60 seconds before it can try again.
## Configure using GitLab UI
See also:
- List of paths [protected by default](../../../administration/instance_limits.md#by-protected-path).
- [User and IP rate limits](../../admin_area/settings/user_and_ip_rate_limits.md#response-headers)
for the headers returned to blocked requests.
## Configure protected paths
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/31246) in GitLab 12.4.


@ -261,10 +261,6 @@ under your project's settings:
</settings>
```
## DAST On-Demand Scans
If you don't want scans running in your normal DevOps process you can use on-demand scans instead. For more details, see [on-demand scans](dast/index.md#on-demand-scans). This feature is only available for DAST. If you run an on-demand scan against the default branch, it is reported as a "successful pipeline" and these results are included in the security dashboard and vulnerability report.
## Security report validation
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/321918) in GitLab 13.11.


@ -20,6 +20,9 @@ vulnerability include:
- Linked issues
- Actions log
In GitLab 14.3 and later, if the scanner determined the vulnerability to be a false positive, an
alert message is included at the top of the vulnerability's page.
On the vulnerability's page, you can:
- [Change the vulnerability's status](#change-vulnerability-status).



@ -16,7 +16,16 @@ At all levels, the Vulnerability Report contains:
- Filters for common vulnerability attributes.
- Details of each vulnerability, presented in tabular layout.
![Vulnerability Report](img/group_vulnerability_report_v14_2.png)
The **Activity** column contains icons to indicate the activity, if any, taken on the vulnerability
in that row:
- Issues **{issues}**: Links to issues created for the vulnerability. For more details, read
[Create an issue for a vulnerability](../vulnerabilities/index.md#create-an-issue-for-a-vulnerability).
- Wrench **{admin}**: The vulnerability has been remediated.
- False positive **{false-positive}**: The scanner determined this vulnerability to be a false
positive.
![Example project-level Vulnerability Report](img/project_level_vulnerability_report_v14_5.png)
## Project-level Vulnerability Report


@ -8,9 +8,11 @@ info: To determine the technical writer assigned to the Stage/Group associated w
WARNING:
In GitLab 14.5, the certificate-based method to connect Kubernetes clusters
to GitLab was deprecated, as well as the related [features](#deprecated-features).
to GitLab was [deprecated](https://gitlab.com/groups/gitlab-org/configure/-/epics/8),
as well as its related [features](#deprecated-features).
This feature is now deprecated. It had the following issues:
Connecting Kubernetes clusters to GitLab through cluster certificates is deprecated.
This method had the following issues:
- There were security issues as it required direct access to the Kube API by GitLab.
- The configuration options weren't flexible.
@ -54,10 +56,16 @@ the Kubernetes Agent model on the [Agent's blueprint documentation](../../../arc
- [Clusters health](manage/clusters_health.md)
- [Crossplane integration](../../clusters/crossplane.md)
- [Auto Deploy](../../../topics/autodevops/stages.md#auto-deploy)
- [Web terminals](../../../administration/integration/terminal.md)
### Cluster levels
The concept of project-level, group-level, and instance-level clusters becomes
The concept of [project-level](../../project/clusters/index.md),
[group-level](../../group/clusters/index.md), and
[instance-level](../../instance/clusters/index.md) clusters becomes
extinct in the new model, although the functionality remains to some extent.
The Agent is always configured in a GitLab project, but you can grant your
cluster's access to a GitLab group through the Agent.
The Agent is always configured in a GitLab project, but you can:
- [Grant your cluster's access to GitLab groups through the Agent](../../clusters/agent/repository.md#authorize-groups-to-use-an-agent).
- [Share access to the Agent with other projects and groups through the CI/CD Tunnel](../../clusters/agent/ci_cd_tunnel.md#share-the-cicd-tunnel-provided-by-an-agent-with-other-projects-and-group).


@ -84,6 +84,10 @@ so that their members also become eligible Code Owners.
If you do not invite **Subgroup Y** to **Project A**, but make them Code Owners, their approval
of the merge request becomes optional.
Inviting **Subgroup Y** to a parent group of **Project A**
[is not supported](https://gitlab.com/gitlab-org/gitlab/-/issues/288851). To set **Subgroup Y** as
Code Owners, add this group directly to the project itself.
### Add a group as a Code Owner
To set a group as a Code Owner:


@ -52,20 +52,18 @@ namespace that started the import process.
## Import your Bitbucket repositories
1. Sign in to GitLab and go to your dashboard.
1. Click on **New project**.
1. Click on the "Bitbucket Cloud" button.
![Bitbucket](img/import_projects_from_new_project_page.png)
1. Grant GitLab access to your Bitbucket account
1. Sign in to GitLab.
1. On the top bar, select **New** (**{plus}**).
1. Select **New project/repository**.
1. Select **Import project**.
1. Select **Bitbucket Cloud**.
1. Log in to Bitbucket and grant GitLab access to your Bitbucket account.
![Grant access](img/bitbucket_import_grant_access.png)
1. Click on the projects that you'd like to import or **Import all projects**.
You can also filter projects by name and select the namespace under which
each project will be imported.
1. Select the projects that you'd like to import or import all projects.
You can filter projects by name and select the namespace
each project will be imported for.
![Import projects](img/bitbucket_import_select_project_v12_3.png)


@ -101,22 +101,22 @@ Feature.disable(:bitbucket_server_user_mapping_by_username)
## Import your Bitbucket repositories
1. Sign in to GitLab and go to your dashboard.
1. Click on **New project**.
1. Click on the "Bitbucket Server" button. If the button is not present, enable the importer in
**Admin > Application Settings > Visibility and access controls > Import sources**.
Prerequisite:
![Bitbucket](img/import_projects_from_new_project_page.png)
- An administrator must have enabled the importer in
**Admin > Application Settings > Visibility and access controls > Import sources**.
1. Enter your Bitbucket Server credentials.
To import your Bitbucket repositories:
![Grant access](img/bitbucket_server_import_credentials.png)
1. Click on the projects that you'd like to import or **Import all projects**.
You can also filter projects by name and select the namespace under which each project is
imported.
![Import projects](img/bitbucket_server_import_select_project_v12_3.png)
1. Sign in to GitLab.
1. On the top bar, select **New** (**{plus}**).
1. Select **New project/repository**.
1. Select **Import project**.
1. Select **Bitbucket Server**.
1. Log in to Bitbucket and grant GitLab access to your Bitbucket account.
1. Select the projects that you'd like to import or import all projects.
You can filter projects by name and select the namespace
each project will be imported for.
## Troubleshooting


@ -38,8 +38,6 @@ that started the import process.
The importer page is visible when you create a new project.
![New project page on GitLab](img/import_projects_from_new_project_page.png)
Select the **Gitea** link to start the import authorization process.
![New Gitea project import](img/import_projects_from_gitea_new_import.png)



@ -39,7 +39,10 @@ For a commit to be verified by GitLab:
- The committer's public key must have been uploaded to their GitLab
account.
- One of the emails in the GPG key must match a **verified** email address
used by the committer in GitLab.
used by the committer in GitLab. This address will be part of the public key.
If you want to keep this address private, use the automatically generated
[private commit email address](../../../profile/index.md#use-an-automatically-generated-private-commit-email)
GitLab provides in your profile.
- The committer's email address must match the verified email address from the
GPG key.


@ -96,7 +96,10 @@ module API
# Collector should never return any information back.
# Because DSN and public key are designed for public use,
# it is safe only for submission of new events.
no_content!
#
# Some clients sdk require status 200 OK to work correctly.
# See https://gitlab.com/gitlab-org/gitlab/-/issues/343531.
status 200
end
desc 'Submit error tracking event to the project' do
@ -129,7 +132,10 @@ module API
# Collector should never return any information back.
# Because DSN and public key are designed for public use,
# it is safe only for submission of new events.
no_content!
#
# Some clients sdk require status 200 OK to work correctly.
# See https://gitlab.com/gitlab-org/gitlab/-/issues/343531.
status 200
end
end
end
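Review bot: The endpoint now ends with `status 200`, whose return value (the integer 200) is the block's last expression in both hunks (`@ -96` and `@ -129`), and if Grape uses a block's last value as the response body, the collector now returns a payload, which contradicts the comment directly above it that the collector "should never return any information back". The accompanying change in `collector_spec.rb` only asserts the status, so such a body would go unnoticed; add `expect(response.body).to be_empty` to the `successful request` and `transaction request type` examples. If that assertion fails, follow `status 200` with an explicit empty body such as `body ''` so the status stays 200 without a payload. Both `post` blocks start outside the hunks.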


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -144,3 +145,5 @@ module Gitlab
end
end
end
# rubocop:enable Naming/FileName


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -14,3 +15,5 @@ module Gitlab
end
end
end
# rubocop:enable Naming/FileName


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -5,3 +6,5 @@ module Gitlab
Metric = Struct.new(:name, :value, :labels)
end
end
# rubocop:enable Naming/FileName


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -12,3 +13,5 @@ module Gitlab
end
end
end
# rubocop:enable Naming/FileName


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -13,3 +14,5 @@ module Gitlab
end
end
end
# rubocop:enable Naming/FileName


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -14,3 +15,5 @@ module Gitlab
end
end
end
# rubocop:enable Naming/FileName


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -51,3 +52,5 @@ module Gitlab
end
end
end
# rubocop:enable Naming/FileName


@ -115,6 +115,11 @@ module Gitlab
{}
end
# aggregations are only performed by Elasticsearch backed results
def aggregations(scope)
[]
end
private
def collection_for(scope)
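Review bot: The `scope` argument of the new `aggregations` method is never read, so a linter would report it as unused. If the name is kept deliberately so callers can pass the same argument to an Elasticsearch-backed results class, say so in the comment, e.g. `# aggregations are only performed by Elasticsearch backed results; scope is accepted for interface parity and ignored here`; otherwise renaming it `_scope` states the intent in the signature. The enclosing class starts outside the hunk.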


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -5,3 +6,5 @@ module Gitlab
Result = Struct.new(:type, :message)
end
end
# rubocop:enable Naming/FileName


@ -1,3 +1,4 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
module Gitlab
@ -155,3 +156,5 @@ module Gitlab
end
end
end
# rubocop:enable Naming/FileName


@ -13,7 +13,6 @@ module Gitlab
contexts = [Tracking::StandardContext.new(project: project, user: user, namespace: namespace, **extra).to_context, *context]
snowplow.event(category, action, label: label, property: property, value: value, context: contexts)
product_analytics.event(category, action, label: label, property: property, value: value, context: contexts)
rescue StandardError => error
Gitlab::ErrorTracking.track_and_raise_for_dev_exception(error, snowplow_category: category, snowplow_action: action)
end
@ -35,10 +34,6 @@ module Gitlab
def snowplow
@snowplow ||= Gitlab::Tracking::Destinations::Snowplow.new
end
def product_analytics
@product_analytics ||= Gitlab::Tracking::Destinations::ProductAnalytics.new
end
end
end
end


@ -1,41 +0,0 @@
# frozen_string_literal: true
module Gitlab
module Tracking
module Destinations
class ProductAnalytics < Base
extend ::Gitlab::Utils::Override
include ::Gitlab::Utils::StrongMemoize
override :event
def event(category, action, label: nil, property: nil, value: nil, context: nil)
return unless event_allowed?(category, action)
return unless enabled?
tracker.track_struct_event(category, action, label, property, value, context, (Time.now.to_f * 1000).to_i)
end
private
def event_allowed?(category, action)
category == 'epics' && action == 'promote'
end
def enabled?
Feature.enabled?(:product_analytics_tracking, type: :ops) &&
Gitlab::CurrentSettings.usage_ping_enabled? &&
Gitlab::CurrentSettings.self_monitoring_project_id.present?
end
def tracker
@tracker ||= SnowplowTracker::Tracker.new(
SnowplowTracker::AsyncEmitter.new(::ProductAnalytics::Tracker::COLLECTOR_URL, protocol: Gitlab.config.gitlab.protocol),
SnowplowTracker::Subject.new,
Gitlab::Tracking::SNOWPLOW_NAMESPACE,
Gitlab::CurrentSettings.self_monitoring_project_id.to_s
)
end
end
end
end
end


@ -3334,7 +3334,7 @@ msgstr ""
msgid "All merge request dependencies have been merged"
msgstr ""
msgid "All paths are relative to the GitLab URL. Do not include %{relative_url_link_start}relative URL%{relative_url_link_end}."
msgid "All paths are relative to the GitLab URL. Do not include %{relative_url_link_start}relative URLs%{relative_url_link_end}."
msgstr ""
msgid "All projects"
@ -8653,9 +8653,6 @@ msgstr ""
msgid "Configure existing installation"
msgstr ""
msgid "Configure paths to be protected by Rack Attack."
msgstr ""
msgid "Configure repository mirroring."
msgstr ""
@ -12709,7 +12706,7 @@ msgstr ""
msgid "Enable or disable version check and Service Ping."
msgstr ""
msgid "Enable protected paths rate limit"
msgid "Enable rate limiting for POST requests to the specified paths"
msgstr ""
msgid "Enable reCAPTCHA"
@ -16847,7 +16844,7 @@ msgstr ""
msgid "Helps reduce request volume (for example, from crawlers or abusive bots)"
msgstr ""
msgid "Helps reduce request volume for protected paths"
msgid "Helps reduce request volume for protected paths."
msgstr ""
msgid "Here you will find recent merge request activity"
@ -23640,9 +23637,6 @@ msgstr ""
msgid "OmniAuth"
msgstr ""
msgid "Omnibus Protected Paths throttle is active, and takes priority over these settings. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}."
msgstr ""
msgid "On"
msgstr ""
@ -24775,6 +24769,9 @@ msgstr ""
msgid "Paths can contain wildcards, like */welcome"
msgstr ""
msgid "Paths to protect with rate limiting"
msgstr ""
msgid "Pause"
msgstr ""
@ -27658,9 +27655,6 @@ msgstr ""
msgid "Protected Environment"
msgstr ""
msgid "Protected Paths"
msgstr ""
msgid "Protected Paths: requests"
msgstr ""
@ -27676,6 +27670,9 @@ msgstr ""
msgid "Protected environments"
msgstr ""
msgid "Protected paths"
msgstr ""
msgid "ProtectedBranch|%{wildcards_link_start}Wildcards%{wildcards_link_end} such as %{code_tag_start}*-stable%{code_tag_end} or %{code_tag_start}production/*%{code_tag_end} are supported."
msgstr ""
@ -28051,6 +28048,9 @@ msgstr ""
msgid "Rate limit"
msgstr ""
msgid "Rate limit access to specified paths."
msgstr ""
msgid "Rate limits can help reduce request volume (like from crawlers or abusive bots)."
msgstr ""
@ -34693,9 +34693,6 @@ msgstr ""
msgid "These existing issues have a similar title. It might be better to comment there instead of creating another similar issue."
msgstr ""
msgid "These paths are protected for POST requests."
msgstr ""
msgid "These runners are shared across projects in this group."
msgstr ""


@ -1,4 +1,7 @@
# rubocop:disable Naming/FileName
# frozen_string_literal: true
# Auto-require all cops under `rubocop/cop/**/*.rb`
Dir[File.join(__dir__, 'cop', '**', '*.rb')].sort.each(&method(:require))
# rubocop:enable Naming/FileName


@ -5,7 +5,7 @@
require 'png_quantizator'
require 'open3'
require 'parallel'
require_relative '../tooling/lib/tooling/images'
require_relative '../tooling/lib/tooling/image'
generator = ARGV[0]
milestone = ARGV[1]


@ -6,6 +6,7 @@ import VueApollo from 'vue-apollo';
import createMockApollo from 'helpers/mock_apollo_helper';
import waitForPromises from 'helpers/wait_for_promises';
import { securityReportMergeRequestDownloadPathsQueryResponse } from 'jest/vue_shared/security_reports/mock_data';
import api from '~/api';
import axios from '~/lib/utils/axios_utils';
import { setFaviconOverlay } from '~/lib/utils/favicon';
import notify from '~/lib/utils/notify';
@ -23,6 +24,8 @@ import { faviconDataUrl, overlayDataUrl } from '../lib/utils/mock_data';
import mockData from './mock_data';
import testExtension from './test_extension';
jest.mock('~/api.js');
jest.mock('~/smart_interval');
jest.mock('~/lib/utils/favicon');
@ -904,6 +907,18 @@ describe('MrWidgetOptions', () => {
expect(wrapper.text()).toContain('Test extension summary count: 1');
});
it('triggers trackRedisHllUserEvent API call', async () => {
await waitForPromises();
wrapper
.find('[data-testid="widget-extension"] [data-testid="toggle-button"]')
.trigger('click');
await Vue.nextTick();
expect(api.trackRedisHllUserEvent).toHaveBeenCalledWith('test_expand_event');
});
it('renders full data', async () => {
await waitForPromises();


@ -3,6 +3,7 @@ import { EXTENSION_ICONS } from '~/vue_merge_request_widget/constants';
export default {
name: 'WidgetTestExtension',
props: ['targetProjectFullPath'],
expandEvent: 'test_expand_event',
computed: {
summary({ count, targetProjectFullPath }) {
return `Test extension summary count: ${count} & ${targetProjectFullPath}`;


@ -96,6 +96,18 @@ RSpec.describe Gitlab::SearchResults do
end
end
describe '#aggregations' do
where(:scope) do
%w(projects issues merge_requests blobs commits wiki_blobs epics milestones users unknown)
end
with_them do
it 'returns an empty array' do
expect(results.aggregations(scope)).to match_array([])
end
end
end
context "when count_limit is lower than total amount" do
before do
allow(results).to receive(:count_limit).and_return(1)


@ -1,84 +0,0 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Tracking::Destinations::ProductAnalytics do
let(:emitter) { SnowplowTracker::Emitter.new('localhost', buffer_size: 1) }
let(:tracker) { SnowplowTracker::Tracker.new(emitter, SnowplowTracker::Subject.new, 'namespace', 'app_id') }
describe '#event' do
shared_examples 'does not send an event' do
it 'does not send an event' do
expect_any_instance_of(SnowplowTracker::Tracker).not_to receive(:track_struct_event)
subject.event(allowed_category, allowed_action)
end
end
let(:allowed_category) { 'epics' }
let(:allowed_action) { 'promote' }
let(:self_monitoring_project) { create(:project) }
before do
stub_feature_flags(product_analytics_tracking: true)
stub_application_setting(self_monitoring_project_id: self_monitoring_project.id)
stub_application_setting(usage_ping_enabled: true)
end
context 'with allowed event' do
it 'sends an event to Product Analytics snowplow collector' do
expect(SnowplowTracker::AsyncEmitter)
.to receive(:new)
.with(ProductAnalytics::Tracker::COLLECTOR_URL, protocol: Gitlab.config.gitlab.protocol)
.and_return(emitter)
expect(SnowplowTracker::Tracker)
.to receive(:new)
.with(emitter, an_instance_of(SnowplowTracker::Subject), Gitlab::Tracking::SNOWPLOW_NAMESPACE, self_monitoring_project.id.to_s)
.and_return(tracker)
freeze_time do
expect(tracker)
.to receive(:track_struct_event)
.with(allowed_category, allowed_action, 'label', 'property', 1.5, nil, (Time.now.to_f * 1000).to_i)
subject.event(allowed_category, allowed_action, label: 'label', property: 'property', value: 1.5)
end
end
end
context 'with non-allowed event' do
it 'does not send an event' do
expect_any_instance_of(SnowplowTracker::Tracker).not_to receive(:track_struct_event)
subject.event('category', 'action')
subject.event(allowed_category, 'action')
subject.event('category', allowed_action)
end
end
context 'when self-monitoring project does not exist' do
before do
stub_application_setting(self_monitoring_project_id: nil)
end
include_examples 'does not send an event'
end
context 'when product_analytics_tracking FF is disabled' do
before do
stub_feature_flags(product_analytics_tracking: false)
end
include_examples 'does not send an event'
end
context 'when usage ping is disabled' do
before do
stub_application_setting(usage_ping_enabled: false)
end
include_examples 'does not send an event'
end
end
end


@ -41,7 +41,6 @@ RSpec.describe Gitlab::Tracking do
shared_examples 'delegates to destination' do |klass|
before do
allow_any_instance_of(Gitlab::Tracking::Destinations::Snowplow).to receive(:event)
allow_any_instance_of(Gitlab::Tracking::Destinations::ProductAnalytics).to receive(:event)
end
it "delegates to #{klass} destination" do
@ -73,7 +72,6 @@ RSpec.describe Gitlab::Tracking do
end
it_behaves_like 'delegates to destination', Gitlab::Tracking::Destinations::Snowplow
it_behaves_like 'delegates to destination', Gitlab::Tracking::Destinations::ProductAnalytics
it 'tracks errors' do
expect(Gitlab::ErrorTracking).to receive(:track_and_raise_for_dev_exception).with(


@ -24,10 +24,10 @@ RSpec.describe API::ErrorTracking::Collector do
end
RSpec.shared_examples 'successful request' do
it 'writes to the database and returns no content' do
it 'writes to the database and returns OK' do
expect { subject }.to change { ErrorTracking::ErrorEvent.count }.by(1)
expect(response).to have_gitlab_http_status(:no_content)
expect(response).to have_gitlab_http_status(:ok)
end
end
@ -89,10 +89,10 @@ RSpec.describe API::ErrorTracking::Collector do
context 'transaction request type' do
let(:params) { fixture_file('error_tracking/transaction.txt') }
it 'does nothing and returns no content' do
it 'does nothing and returns ok' do
expect { subject }.not_to change { ErrorTracking::ErrorEvent.count }
expect(response).to have_gitlab_http_status(:no_content)
expect(response).to have_gitlab_http_status(:ok)
end
end


@ -1,7 +1,7 @@
# frozen_string_literal: true
require 'fast_spec_helper'
require_relative '../../../../rubocop/cop/gitlab/change_timzone'
require_relative '../../../../rubocop/cop/gitlab/change_timezone'
RSpec.describe RuboCop::Cop::Gitlab::ChangeTimezone do
subject(:cop) { described_class.new }


@ -216,8 +216,7 @@ RSpec.describe Members::CreateService, :aggregate_failures, :clean_gitlab_redis_
expect(source.issues).to all have_attributes(
project: source,
author: user,
assignees: array_including(member)
author: user
)
end


@ -2,7 +2,7 @@
module MigrationsHelpers
def active_record_base
ActiveRecord::Base
Gitlab::Database.database_base_models.fetch(self.class.metadata[:database] || :main)
end
def table(name)
@ -34,7 +34,7 @@ module MigrationsHelpers
end
def migrations_paths
ActiveRecord::Migrator.migrations_paths
active_record_base.connection.migrations_paths
end
def migration_context
@ -52,7 +52,7 @@ module MigrationsHelpers
end
def foreign_key_exists?(source, target = nil, column: nil)
ActiveRecord::Base.connection.foreign_keys(source).any? do |key|
active_record_base.connection.foreign_keys(source).any? do |key|
if column
key.options[:column].to_s == column.to_s
else
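Review bot: `active_record_base` now resolves the model with `fetch` keyed by the example group's `:database` metadata, so a misspelled or unsupported `database:` tag fails with a bare `KeyError` instead of silently falling back to the main model (assuming `database_base_models` is a Hash); that is the safer behaviour, but nothing in the helper says so. Add a comment above the method, e.g. `# Base model for the database selected via :database RSpec metadata (defaults to :main); unknown names raise KeyError.`. Since `migrations_paths` and `foreign_key_exists?` in the later hunks now derive their connection from the same method, that one comment documents all three changes.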


@ -8,8 +8,6 @@ module StubSnowplow
host = 'localhost'
# rubocop:disable RSpec/AnyInstanceOf
allow_any_instance_of(Gitlab::Tracking::Destinations::ProductAnalytics).to receive(:event)
allow_any_instance_of(Gitlab::Tracking::Destinations::Snowplow)
.to receive(:emitter)
.and_return(SnowplowTracker::Emitter.new(host, buffer_size: buffer_size))


@ -139,6 +139,43 @@ RSpec.describe EmailsOnPushWorker, :mailer do
perform
end
context 'when SMIME signing is enabled' do
include SmimeHelper
before :context do
@root_ca = generate_root
@cert = generate_cert(signer_ca: @root_ca)
end
let(:root_certificate) do
Gitlab::X509::Certificate.new(@root_ca[:key], @root_ca[:cert])
end
let(:certificate) do
Gitlab::X509::Certificate.new(@cert[:key], @cert[:cert])
end
before do
allow(Gitlab::X509::Certificate).to receive_messages(from_files: certificate)
Mail.register_interceptor(Gitlab::Email::Hook::SmimeSignatureInterceptor)
end
after do
Mail.unregister_interceptor(Gitlab::Email::Hook::SmimeSignatureInterceptor)
end
it 'does not sign the email multiple times' do
perform
ActionMailer::Base.deliveries.each do |mail|
expect(mail.header['Content-Type'].value).to match('multipart/signed').and match('protocol="application/x-pkcs7-signature"')
expect(mail.to_s.scan(/Content-Disposition: attachment;\r\n filename=smime.p7s/).size).to eq(1)
end
end
end
end
context "when recipients are invalid" do