Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2021-12-06 12:10:19 +00:00
parent 1b9b475faa
commit 7c31b0312b
13 changed files with 174 additions and 107 deletions


@ -1,5 +1,5 @@
<script>
import TreeContent from '../components/tree_content.vue';
import TreeContent from 'jh_else_ce/repository/components/tree_content.vue';
import preloadMixin from '../mixins/preload';
import { updateElementsVisibility } from '../utils/dom';


@ -25,7 +25,7 @@ module AuthenticatesWithTwoFactor
session[:user_password_hash] = Digest::SHA256.hexdigest(user.encrypted_password)
push_frontend_feature_flag(:webauthn)
if user.two_factor_webauthn_enabled?
if Feature.enabled?(:webauthn)
setup_webauthn_authentication(user)
else
setup_u2f_authentication(user)
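Review bot: The branch on the `if` line now keys off `Feature.enabled?(:webauthn)` rather than the user's own registrations, so a user who holds only U2F registrations is sent into `setup_webauthn_authentication` as soon as the flag is on; that is only safe if every U2F registration has a WebAuthn counterpart, which this hunk does not show (a spec comment elsewhere in this commit mentions an after_create callback that creates one). Worth a comment above the `if`, such as `# Flag-gated, not device-gated: U2F-only users are expected to have mirrored WebauthnRegistration rows`, so the invariant the routing depends on is explicit. The enclosing method starts and ends outside the hunk.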


@ -150,7 +150,7 @@ class SearchController < ApplicationController
end
def block_anonymous_global_searches
return if params[:project_id].present? || params[:group_id].present?
return unless search_service.global_search?
return if current_user
return unless ::Feature.enabled?(:block_anonymous_global_searches, type: :ops)
@ -160,7 +160,7 @@ class SearchController < ApplicationController
end
def check_scope_global_search_enabled
return if params[:project_id].present? || params[:group_id].present?
return unless search_service.global_search?
search_allowed = case params[:scope]
when 'blobs'
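Review bot: The new guard `return unless search_service.global_search?` in both `block_anonymous_global_searches` and `check_scope_global_search_enabled` (second hunk) decides on resolved records instead of raw `params`, which is what closes the gap where a non-existent `project_id` satisfied the old `present?` check and skipped the restriction; that reason is not recorded in the code. Suggest a one-line comment above each guard: `# Decide on the resolved project/group, not raw params: an unknown id must not turn a global search into a scoped one`. Both methods end outside their hunks.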


@ -917,6 +917,8 @@ class User < ApplicationRecord
end
def two_factor_u2f_enabled?
return false if Feature.enabled?(:webauthn)
if u2f_registrations.loaded?
u2f_registrations.any?
else
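Review bot: The added `return false if Feature.enabled?(:webauthn)` makes `two_factor_u2f_enabled?` ignore existing `u2f_registrations` entirely, so any caller that folds this into the user's overall second-factor status will treat a user with only U2F registrations (and no WebAuthn counterpart) as lacking that factor once the flag is on; whether that leaves them on OTP only or with no second factor depends on code outside this hunk. A comment on the new line, e.g. `# Under :webauthn, U2F registrations no longer count as a factor; they are expected to be mirrored as WebauthnRegistration rows`, plus a check that such a mirror exists for all existing rows before the flag is enabled instance-wide, would make the risk explicit. The method continues past the hunk.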


@ -45,6 +45,10 @@ class SearchService
# overridden in EE
end
def global_search?
project.blank? && group.blank?
end
def show_snippets?
return @show_snippets if defined?(@show_snippets)
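Review bot: `global_search?` is now what the controller uses to gate anonymous global search, so its behaviour when an id is supplied but no record resolves should be documented: as written it returns true whenever `project` and `group` are both blank, which presumably includes a `project_id` that does not exist or is not visible (the controller spec in this commit treats that case as a global search). A YARD comment such as `# @return [Boolean] true when neither a project nor a group resolved; an unknown or inaccessible id counts as global so it cannot be used to escape global-search restrictions` records that intent next to the code.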


@ -259,9 +259,10 @@ To use an external Prometheus server:
- 1.1.1.1:9229
- job_name: gitlab-rails
metrics_path: "/-/metrics"
scheme: https
static_configs:
- targets:
- 1.1.1.1:8080
- 1.1.1.1
- job_name: gitlab-sidekiq
static_configs:
- targets:
@ -287,6 +288,11 @@ To use an external Prometheus server:
- 1.1.1.1:9236
```
WARNING:
The `gitlab-rails` job in the snippet assumes that GitLab is reachable through HTTPS. If your
deployment doesn't use HTTPS, the job configuration is adapted to use the `http` scheme and port
80.
1. Reload the Prometheus server.
## Viewing performance metrics


@ -2,13 +2,12 @@
stage: Enablement
group: Distribution
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
type: reference
---
# Finding relevant log entries with a correlation ID **(FREE SELF)**
In GitLab 11.6 and later, a unique request tracking ID, known as the "correlation ID" has been
logged by the GitLab instance for most requests. Each individual request to GitLab gets
GitLab instances log a unique request tracking ID (known as the
"correlation ID") for most requests. Each individual request to GitLab gets
its own correlation ID, which then gets logged in each GitLab component's logs for that
request. This makes it easier to trace behavior in a
distributed system. Without this ID it can be difficult or


@ -77,7 +77,10 @@ module QA
end
def click_job(job_name)
click_element(:job_link, Project::Job::Show, text: job_name)
# Retry due to transient bug https://gitlab.com/gitlab-org/gitlab/-/issues/347126
QA::Support::Retrier.retry_on_exception do
click_element(:job_link, Project::Job::Show, text: job_name)
end
end
def child_pipelines
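Review bot: The retry wrapper in `click_job` is called without any visible bound or interval, so the attempt count and wait come from the helper's defaults, which a reader of this page object cannot see. If `QA::Support::Retrier.retry_on_exception` accepts an explicit attempt limit, passing it makes the workaround self-describing; otherwise extend the existing comment with the policy in force, e.g. `# Retry (helper default attempts/interval) due to transient bug ...`. The method is fully inside the hunk.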


@ -172,6 +172,12 @@ RSpec.describe SearchController do
expect(response).to redirect_to new_user_session_path
end
it 'redirects to login page when trying to circumvent the restriction' do
get :show, params: { scope: 'projects', project_id: non_existing_record_id, search: '*' }
expect(response).to redirect_to new_user_session_path
end
end
context 'for authenticated user' do
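Review bot: The new example covers circumvention only through `project_id`, while the guard it replaces in `SearchController` also accepted `group_id`, so the group path of the same bypass is left untested. Add a sibling example with `get :show, params: { scope: 'projects', group_id: non_existing_record_id, search: '*' }` asserting the same redirect. The enclosing `context` starts before the hunk.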


@ -113,124 +113,94 @@ RSpec.describe 'Using WebAuthn Devices for Authentication', :js do
describe 'authentication' do
let(:otp_required_for_login) { true }
let(:user) { create(:user, webauthn_xid: WebAuthn.generate_user_id, otp_required_for_login: otp_required_for_login) }
let!(:webauthn_device) do
add_webauthn_device(app_id, user)
end
describe 'when there is only an U2F device' do
let!(:u2f_device) do
fake_device = U2F::FakeU2F.new(app_id) # "Client"
u2f = U2F::U2F.new(app_id) # "Server"
challenges = u2f.registration_requests.map(&:challenge)
device_response = fake_device.register_response(challenges[0])
device_registration_params = { device_response: device_response,
name: 'My device' }
U2fRegistration.register(user, app_id, device_registration_params, challenges)
FakeU2fDevice.new(page, 'My device', fake_device)
end
it 'falls back to U2F' do
# WebAuthn registration is automatically created with the U2fRegistration because of the after_create callback
# so we need to delete it
WebauthnRegistration.delete_all
describe 'when 2FA via OTP is disabled' do
let(:otp_required_for_login) { false }
it 'allows logging in with the WebAuthn device' do
gitlab_sign_in(user)
u2f_device.respond_to_u2f_authentication
webauthn_device.respond_to_webauthn_authentication
expect(page).to have_css('.sign-out-link', visible: false)
end
end
describe 'when there is a WebAuthn device' do
let!(:webauthn_device) do
add_webauthn_device(app_id, user)
describe 'when 2FA via OTP is enabled' do
it 'allows logging in with the WebAuthn device' do
gitlab_sign_in(user)
webauthn_device.respond_to_webauthn_authentication
expect(page).to have_css('.sign-out-link', visible: false)
end
end
describe 'when 2FA via OTP is disabled' do
let(:otp_required_for_login) { false }
describe 'when a given WebAuthn device has already been registered by another user' do
describe 'but not the current user' do
let(:other_user) { create(:user, webauthn_xid: WebAuthn.generate_user_id, otp_required_for_login: otp_required_for_login) }
it 'allows logging in with the WebAuthn device' do
gitlab_sign_in(user)
webauthn_device.respond_to_webauthn_authentication
expect(page).to have_css('.sign-out-link', visible: false)
end
end
describe 'when 2FA via OTP is enabled' do
it 'allows logging in with the WebAuthn device' do
gitlab_sign_in(user)
webauthn_device.respond_to_webauthn_authentication
expect(page).to have_css('.sign-out-link', visible: false)
end
end
describe 'when a given WebAuthn device has already been registered by another user' do
describe 'but not the current user' do
let(:other_user) { create(:user, webauthn_xid: WebAuthn.generate_user_id, otp_required_for_login: otp_required_for_login) }
it 'does not allow logging in with that particular device' do
# Register other user with a different WebAuthn device
other_device = add_webauthn_device(app_id, other_user)
# Try authenticating user with the old WebAuthn device
gitlab_sign_in(user)
other_device.respond_to_webauthn_authentication
expect(page).to have_content('Authentication via WebAuthn device failed')
end
end
describe "and also the current user" do
# TODO Uncomment once WebAuthn::FakeClient supports passing credential options
# (especially allow_credentials, as this is needed to specify which credential the
# fake client should use. Currently, the first credential is always used).
# There is an issue open for this: https://github.com/cedarcode/webauthn-ruby/issues/259
it "allows logging in with that particular device" do
pending("support for passing credential options in FakeClient")
# Register current user with the same WebAuthn device
current_user = gitlab_sign_in(:user)
visit profile_account_path
manage_two_factor_authentication
register_webauthn_device(webauthn_device)
gitlab_sign_out
# Try authenticating user with the same WebAuthn device
gitlab_sign_in(current_user)
webauthn_device.respond_to_webauthn_authentication
expect(page).to have_css('.sign-out-link', visible: false)
end
end
end
describe 'when a given WebAuthn device has not been registered' do
it 'does not allow logging in with that particular device' do
unregistered_device = FakeWebauthnDevice.new(page, 'My device')
gitlab_sign_in(user)
unregistered_device.respond_to_webauthn_authentication
# Register other user with a different WebAuthn device
other_device = add_webauthn_device(app_id, other_user)
# Try authenticating user with the old WebAuthn device
gitlab_sign_in(user)
other_device.respond_to_webauthn_authentication
expect(page).to have_content('Authentication via WebAuthn device failed')
end
end
describe 'when more than one device has been registered by the same user' do
it 'allows logging in with either device' do
first_device = add_webauthn_device(app_id, user)
second_device = add_webauthn_device(app_id, user)
describe "and also the current user" do
# TODO Uncomment once WebAuthn::FakeClient supports passing credential options
# (especially allow_credentials, as this is needed to specify which credential the
# fake client should use. Currently, the first credential is always used).
# There is an issue open for this: https://github.com/cedarcode/webauthn-ruby/issues/259
it "allows logging in with that particular device" do
pending("support for passing credential options in FakeClient")
# Register current user with the same WebAuthn device
current_user = gitlab_sign_in(:user)
visit profile_account_path
manage_two_factor_authentication
register_webauthn_device(webauthn_device)
gitlab_sign_out
# Authenticate as both devices
[first_device, second_device].each do |device|
gitlab_sign_in(user)
# register_webauthn_device(device)
device.respond_to_webauthn_authentication
# Try authenticating user with the same WebAuthn device
gitlab_sign_in(current_user)
webauthn_device.respond_to_webauthn_authentication
expect(page).to have_css('.sign-out-link', visible: false)
expect(page).to have_css('.sign-out-link', visible: false)
end
end
end
gitlab_sign_out
end
describe 'when a given WebAuthn device has not been registered' do
it 'does not allow logging in with that particular device' do
unregistered_device = FakeWebauthnDevice.new(page, 'My device')
gitlab_sign_in(user)
unregistered_device.respond_to_webauthn_authentication
expect(page).to have_content('Authentication via WebAuthn device failed')
end
end
describe 'when more than one device has been registered by the same user' do
it 'allows logging in with either device' do
first_device = add_webauthn_device(app_id, user)
second_device = add_webauthn_device(app_id, user)
# Authenticate as both devices
[first_device, second_device].each do |device|
gitlab_sign_in(user)
# register_webauthn_device(device)
device.respond_to_webauthn_authentication
expect(page).to have_css('.sign-out-link', visible: false)
gitlab_sign_out
end
end
end
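Review bot: Dropping the `'when there is only an U2F device'` block removes the only browser-level check that a user whose second factor was registered as U2F can still sign in, and no flag-on equivalent is added in this section. Since the controller now routes such users to WebAuthn, a replacement example that registers a `U2fRegistration` and then authenticates through the mirrored WebAuthn registration (the removed comment says one is created by an after_create callback) would guard the migration path. The `let!(:webauthn_device)` also appears to have moved to the outer `describe`, so it now runs for every example, including the `'more than one device'` case that registers two more; a short comment noting that three devices exist there would avoid surprises.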


@ -2,7 +2,7 @@ import { shallowMount } from '@vue/test-utils';
import paginatedTreeQuery from 'shared_queries/repository/paginated_tree.query.graphql';
import FilePreview from '~/repository/components/preview/index.vue';
import FileTable from '~/repository/components/table/index.vue';
import TreeContent from '~/repository/components/tree_content.vue';
import TreeContent from 'jh_else_ce/repository/components/tree_content.vue';
import { loadCommits, isRequested, resetRequestedCommits } from '~/repository/commits_service';
jest.mock('~/repository/commits_service', () => ({


@ -0,0 +1,31 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe NumbersHelper do
describe '#limited_counter_with_delimiter' do
using RSpec::Parameterized::TableSyntax
subject { limited_counter_with_delimiter(resource, **options) }
where(:count, :options, :expected_result) do
# Using explicit limit
9 | { limit: 10 } | '9'
10 | { limit: 10 } | '10'
11 | { limit: 10 } | '10+'
12 | { limit: 10 } | '10+'
# Using default limit
999 | {} | '999'
1000 | {} | '1,000'
1001 | {} | '1,000+'
1002 | {} | '1,000+'
end
with_them do
let(:page) { double('page', total_count_with_limit: [count, options.fetch(:limit, 1000) + 1].min) }
let(:resource) { class_double(Ci::Runner, page: page) }
it { is_expected.to eq(expected_result) }
end
end
end
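Review bot: The `page` double re-implements the limit logic (`[count, options.fetch(:limit, 1000) + 1].min`), including a hard-coded default of 1000 that must match whatever default `limited_counter_with_delimiter` uses; if the helper's default changes, the double does not, and the `{}` rows keep passing without exercising the helper's real default. Prefer referencing the helper's own default in the double (a constant, if it exposes one), or at least a comment: `# 1000 must match the helper's default limit; keep in sync`.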


@ -1726,6 +1726,52 @@ RSpec.describe User do
end
end
context 'two_factor_u2f_enabled?' do
let_it_be(:user) { create(:user, :two_factor) }
context 'when webauthn feature flag is enabled' do
context 'user has no U2F registration' do
it { expect(user.two_factor_u2f_enabled?).to eq(false) }
end
context 'user has existing U2F registration' do
it 'returns false' do
device = U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5))
create(:u2f_registration, name: 'my u2f device',
user: user,
certificate: Base64.strict_encode64(device.cert_raw),
key_handle: U2F.urlsafe_encode64(device.key_handle_raw),
public_key: Base64.strict_encode64(device.origin_public_key_raw))
expect(user.two_factor_u2f_enabled?).to eq(false)
end
end
end
context 'when webauthn feature flag is disabled' do
before do
stub_feature_flags(webauthn: false)
end
context 'user has no U2F registration' do
it { expect(user.two_factor_u2f_enabled?).to eq(false) }
end
context 'user has existing U2F registration' do
it 'returns true' do
device = U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5))
create(:u2f_registration, name: 'my u2f device',
user: user,
certificate: Base64.strict_encode64(device.cert_raw),
key_handle: U2F.urlsafe_encode64(device.key_handle_raw),
public_key: Base64.strict_encode64(device.origin_public_key_raw))
expect(user.two_factor_u2f_enabled?).to eq(true)
end
end
end
end
describe 'projects' do
before do
@user = create(:user)
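Review bot: The two `'user has existing U2F registration'` examples build the same `U2F::FakeU2F` device and `create(:u2f_registration, ...)` call verbatim, differing only in the expected value; extract that into a shared `before` or helper (e.g. `let(:u2f_device) { U2F::FakeU2F.new(FFaker::BaconIpsum.characters(5)) }` plus one `create_u2f_registration` call) so the flag-on/flag-off contrast is the only thing each example states. Keep the flag-on `'returns false'` example as is, since it pins that existing registrations are ignored rather than merely absent. The `describe 'projects'` block at the end continues outside the hunk.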