Add latest changes from gitlab-org/gitlab@master
parent
488e1b59fe
commit
836ddfc35d
|
@ -263,6 +263,7 @@ Style/StringConcatenation:
|
|||
- 'spec/models/custom_emoji_spec.rb'
|
||||
- 'spec/models/grafana_integration_spec.rb'
|
||||
- 'spec/models/integrations/campfire_spec.rb'
|
||||
- 'spec/models/integrations/datadog_spec.rb'
|
||||
- 'spec/models/integrations/chat_message/pipeline_message_spec.rb'
|
||||
- 'spec/models/integrations/chat_message/push_message_spec.rb'
|
||||
- 'spec/models/integrations/jenkins_spec.rb'
|
||||
|
|
61
CHANGELOG.md
61
CHANGELOG.md
|
@ -2,6 +2,26 @@
|
|||
documentation](doc/development/changelog.md) for instructions on adding your own
|
||||
entry.
|
||||
|
||||
## 15.4.1 (2022-09-29)
|
||||
|
||||
### Security (15 changes)
|
||||
|
||||
- [Redact user's private email in group member event webhook](gitlab-org/security/gitlab@f556c625f37d1be801b54c5a1ff3dd37434d48e4) ([merge request](gitlab-org/security/gitlab!2809))
|
||||
- [Redact secrets from WebHookLogs](gitlab-org/security/gitlab@7101edbc7fc27e2d2d23b8f9f84611943b310b71) ([merge request](gitlab-org/security/gitlab!2805))
|
||||
- [Forbid creating a tag using default branch name](gitlab-org/security/gitlab@ba3e62fc30f475b9334440409f5bad481b3c5dd6) ([merge request](gitlab-org/security/gitlab!2798))
|
||||
- [Sanitize Url and check for valid numerical errorId in error tracking](gitlab-org/security/gitlab@fba573834091aec7bde7856bfddd080cc74fb3ae) ([merge request](gitlab-org/security/gitlab!2819))
|
||||
- [Add security protection for Github](gitlab-org/security/gitlab@6265bdb12496d34f30d9ae6889288c6857fd4fd0) ([merge request](gitlab-org/security/gitlab!2803))
|
||||
- [Fix leaking emails in WebHookLogs](gitlab-org/security/gitlab@7580a2d62cd421b5176a3ce7f23c7d192e69989e) ([merge request](gitlab-org/security/gitlab!2806))
|
||||
- [Restrict max duration to 1 year for trace display](gitlab-org/security/gitlab@e1162719cc9e62692c911c992175d6ef3b5f996f) ([merge request](gitlab-org/security/gitlab!2817))
|
||||
- [Use UntrustedRegexp for upload rewriter](gitlab-org/security/gitlab@fde2bb115242a9af3678e5c8547c7c9ccd2b0c1e) ([merge request](gitlab-org/security/gitlab!2790))
|
||||
- [Validate httpUrlToRepo to be http or https only](gitlab-org/security/gitlab@d56ebc1a207618ec846e6ee2c842d3a5019444b7) ([merge request](gitlab-org/security/gitlab!2811))
|
||||
- [Respect instance level rule for editing approval rules](gitlab-org/security/gitlab@dc5dd5be3f3f681ca499d3a59eb469bd12dad51b) ([merge request](gitlab-org/security/gitlab!2796))
|
||||
- [Prevent users creating issues in ay project via board/issues controller](gitlab-org/security/gitlab@e0b09653ff468b65a73155a2e28077a0e94dc7e8) ([merge request](gitlab-org/security/gitlab!2781))
|
||||
- [Prevent serialization of sensible attributes from JsonCache](gitlab-org/security/gitlab@d1842119756b8a69a5d1b14ebd902dc2f4b24dbf) ([merge request](gitlab-org/security/gitlab!2818))
|
||||
- [Update TodoPolicy to handle confidential notes](gitlab-org/security/gitlab@cddab943af028c4653dacdd832be5e3e8ac778d3) ([merge request](gitlab-org/security/gitlab!2833))
|
||||
- [Enforce group IP restriction on Dependency Proxy](gitlab-org/security/gitlab@fff740c7ab046c5e8ef6495ffa3b45228e11841a) ([merge request](gitlab-org/security/gitlab!2801))
|
||||
- [Fixes XSS in widget extensions](gitlab-org/security/gitlab@459becb7a1b0336ddf67f867eecbdf37d579f881) ([merge request](gitlab-org/security/gitlab!2832))
|
||||
|
||||
## 15.4.0 (2022-09-21)
|
||||
|
||||
### Added (162 changes)
|
||||
|
@ -634,6 +654,26 @@ entry.
|
|||
- [Improve specs with shared examples](gitlab-org/gitlab@dd3f2ecd882e89511eaa927102fc4101f684a38f) ([merge request](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95539)) **GitLab Enterprise Edition**
|
||||
- [Fix Style/Next offenses](gitlab-org/gitlab@bdf877063ba1d8d4df1216f7875905343d9e5e33) ([merge request](gitlab-org/gitlab!93329))
|
||||
|
||||
## 15.3.4 (2022-09-29)
|
||||
|
||||
### Security (15 changes)
|
||||
|
||||
- [Redact user's private email in group member event webhook](gitlab-org/security/gitlab@172b8a57bd4acca14d65a4b7a5fd021babacb146) ([merge request](gitlab-org/security/gitlab!2794))
|
||||
- [Redact secrets from WebHookLogs](gitlab-org/security/gitlab@7394ab9b32a7bd83b98f93e904312e469f34cd9c) ([merge request](gitlab-org/security/gitlab!2737))
|
||||
- [Forbid creating a tag using default branch name](gitlab-org/security/gitlab@1b556c33aa11c32994be562cfea0ff2e5e13a54e) ([merge request](gitlab-org/security/gitlab!2799))
|
||||
- [Sanitize Url and check for valid numerical errorId in error tracking](gitlab-org/security/gitlab@2a5a51b5b2839963fe7084261c8a7fcc6f09f19c) ([merge request](gitlab-org/security/gitlab!2785))
|
||||
- [Add security protection for Github](gitlab-org/security/gitlab@bc23f46dba26bcdf0c773c24081e4ae3597bf751) ([merge request](gitlab-org/security/gitlab!2802))
|
||||
- [Fix leaking emails in WebHookLogs](gitlab-org/security/gitlab@a31a652c331877e0f97269310ec5f1bc6266398f) ([merge request](gitlab-org/security/gitlab!2807))
|
||||
- [Restrict max duration to 1 year for trace display](gitlab-org/security/gitlab@b62fd774b6f311988c7e10f3544f2aeabeab85d1) ([merge request](gitlab-org/security/gitlab!2815))
|
||||
- [Use UntrustedRegexp for upload rewriter](gitlab-org/security/gitlab@2eea36acbc5687aa9806946861e73f2fb11a9654) ([merge request](gitlab-org/security/gitlab!2791))
|
||||
- [Validate httpUrlToRepo to be http or https only](gitlab-org/security/gitlab@0b340ef6d6e54804445916f5b1fa53185de4b1f7) ([merge request](gitlab-org/security/gitlab!2760))
|
||||
- [Respect instance level rule for editing approval rules](gitlab-org/security/gitlab@2d2a7b8652dbd1085fe1bfc0b69138aecdeaf9c8) ([merge request](gitlab-org/security/gitlab!2782))
|
||||
- [Prevent users creating issues in ay project via board/issues controller](gitlab-org/security/gitlab@559b23e6942a650cafa358ea96b7ee549f76fbd6) ([merge request](gitlab-org/security/gitlab!2780))
|
||||
- [Prevent serialization of sensible attributes from JsonCache](gitlab-org/security/gitlab@f712d58af3aeb3f0fe1c56a290188e19fce72ad6) ([merge request](gitlab-org/security/gitlab!2771))
|
||||
- [Update TodoPolicy to handle confidential notes](gitlab-org/security/gitlab@6bd37cd0595bbf4c744a5b212fc41181c9dc88ef) ([merge request](gitlab-org/security/gitlab!2748))
|
||||
- [Enforce group IP restriction on Dependency Proxy](gitlab-org/security/gitlab@cc42b5e91e04e77ade63f1fdb91e88b998c156f7) ([merge request](gitlab-org/security/gitlab!2764))
|
||||
- [Fixes XSS in widget extensions](gitlab-org/security/gitlab@1d10849c7eee6207435bfd223e1f8639b2816c1e) ([merge request](gitlab-org/security/gitlab!2759))
|
||||
|
||||
## 15.3.3 (2022-09-01)
|
||||
|
||||
### Fixed (5 changes)
|
||||
|
@ -1277,6 +1317,27 @@ entry.
|
|||
- [Remove FF import_release_authors_from_github](gitlab-org/gitlab@c4d6871e4438a1626d688856903778623138f671) ([merge request](gitlab-org/gitlab!92686))
|
||||
- [Remove unused feature](gitlab-org/gitlab@0ef95d341e4a15150d6ccb3d104ebbe064aa062a) ([merge request](gitlab-org/gitlab!92753))
|
||||
|
||||
## 15.2.5 (2022-09-29)
|
||||
|
||||
### Security (16 changes)
|
||||
|
||||
- [Geo: Do not delete object stored files when not GitLab managed](gitlab-org/security/gitlab@340554d933823b0424e16318673ccd6a82e87d35) ([merge request](gitlab-org/security/gitlab!2775))
|
||||
- [Redact user's private email in group member event webhook](gitlab-org/security/gitlab@dcc5fd6bcef40109c92e0faa34bf52b568465e80) ([merge request](gitlab-org/security/gitlab!2795))
|
||||
- [Redact secrets from WebHookLogs](gitlab-org/security/gitlab@e53429f776d06b9881f20a000d1a2b40e2f13a2c) ([merge request](gitlab-org/security/gitlab!2657))
|
||||
- [Forbid creating a tag using default branch name](gitlab-org/security/gitlab@ff172ca5d5550d3ff263efaef9ce18b6b78cbfbb) ([merge request](gitlab-org/security/gitlab!2800))
|
||||
- [Sanitize Url and check for valid numerical errorId in error tracking](gitlab-org/security/gitlab@2d983dc2b99f387c1e30312cb452cf21a4aa6f27) ([merge request](gitlab-org/security/gitlab!2786))
|
||||
- [Add security protection for Github](gitlab-org/security/gitlab@9f6d284039431f1376c4be03f5d364e12090fbc7) ([merge request](gitlab-org/security/gitlab!2804))
|
||||
- [Fix leaking emails in WebHookLogs](gitlab-org/security/gitlab@7e0e629f7559ad1ad7375a4ab94748febe5fd1ef) ([merge request](gitlab-org/security/gitlab!2808))
|
||||
- [Restrict max duration to 1 year for trace display](gitlab-org/security/gitlab@2df0b5b9978b09bbc95efbea5f227e3afaa220c7) ([merge request](gitlab-org/security/gitlab!2816))
|
||||
- [Use UntrustedRegexp for upload rewriter](gitlab-org/security/gitlab@c0bd5867a091ed7d04e19a6598c2e112daca4861) ([merge request](gitlab-org/security/gitlab!2792))
|
||||
- [Validate httpUrlToRepo to be http or https only](gitlab-org/security/gitlab@98ee48505898f3b5535587c0081292d82b94009e) ([merge request](gitlab-org/security/gitlab!2761))
|
||||
- [Respect instance level rule for editing approval rules](gitlab-org/security/gitlab@7157ddbaf6be664a708b24f59be541d7e16fbbd6) ([merge request](gitlab-org/security/gitlab!2783))
|
||||
- [Prevent users creating issues in ay project via board/issues controller](gitlab-org/security/gitlab@55b2ba96fa53b2aa3e8de889bc05671339f7aa76) ([merge request](gitlab-org/security/gitlab!2779))
|
||||
- [Prevent serialization of sensible attributes from JsonCache](gitlab-org/security/gitlab@809aff4805a2916425f7ec0cd995101140f663f8) ([merge request](gitlab-org/security/gitlab!2772))
|
||||
- [Update TodoPolicy to handle confidential notes](gitlab-org/security/gitlab@b95b1bc4ea7b5d69ff02283789c68f821ec54cee) ([merge request](gitlab-org/security/gitlab!2749))
|
||||
- [Enforce group IP restriction on Dependency Proxy](gitlab-org/security/gitlab@4342542081be434e013110f9dd456b5caf286464) ([merge request](gitlab-org/security/gitlab!2765))
|
||||
- [Fixes XSS in widget extensions](gitlab-org/security/gitlab@e3d4d46967e72f12645d08ef1879223a1ec2d398) ([merge request](gitlab-org/security/gitlab!2675))
|
||||
|
||||
## 15.2.4 (2022-08-30)
|
||||
|
||||
### Security (18 changes)
|
||||
|
|
|
@ -22,12 +22,16 @@ import AccessorUtils from '~/lib/utils/accessor';
|
|||
import { __ } from '~/locale';
|
||||
import Tracking from '~/tracking';
|
||||
import TimeAgo from '~/vue_shared/components/time_ago_tooltip.vue';
|
||||
import { sanitizeUrl } from '~/lib/utils/url_utility';
|
||||
import { trackErrorListViewsOptions, trackErrorStatusUpdateOptions } from '../utils';
|
||||
import { I18N_ERROR_TRACKING_LIST } from '../constants';
|
||||
import ErrorTrackingActions from './error_tracking_actions.vue';
|
||||
|
||||
export const tableDataClass = 'table-col d-flex d-md-table-cell align-items-center';
|
||||
|
||||
const isValidErrorId = (errorId) => {
|
||||
return /^[0-9]+$/.test(errorId);
|
||||
};
|
||||
export default {
|
||||
FIRST_PAGE: 1,
|
||||
PREV_PAGE: 1,
|
||||
|
@ -202,6 +206,9 @@ export default {
|
|||
this.searchByQuery(text);
|
||||
},
|
||||
getDetailsLink(errorId) {
|
||||
if (!isValidErrorId(errorId)) {
|
||||
return 'about:blank';
|
||||
}
|
||||
return `error_tracking/${errorId}/details`;
|
||||
},
|
||||
goToNextPage() {
|
||||
|
@ -222,7 +229,10 @@ export default {
|
|||
return filter === this.statusFilter;
|
||||
},
|
||||
getIssueUpdatePath(errorId) {
|
||||
return `/${this.projectPath}/-/error_tracking/${errorId}.json`;
|
||||
if (!isValidErrorId(errorId)) {
|
||||
return 'about:blank';
|
||||
}
|
||||
return sanitizeUrl(`/${this.projectPath}/-/error_tracking/${errorId}.json`);
|
||||
},
|
||||
filterErrors(status, label) {
|
||||
this.filterValue = label;
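Review bot: In `getIssueUpdatePath`, an invalid `errorId` now yields `'about:blank'`, which is a navigation target rather than an endpoint. The callers are outside the hunk, but if they hand this value to an HTTP update call, the request goes to a meaningless URL instead of being skipped. Returning `null` and letting the caller bail out with a visible error would make the rejection explicit. `isValidErrorId` also deserves a one-line comment, for example `// Accept digits only so an error ID can never add path segments or a scheme to the URLs built below.`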
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
<script>
|
||||
import { GlBadge, GlLink, GlSafeHtmlDirective, GlModalDirective } from '@gitlab/ui';
|
||||
import { isArray } from 'lodash';
|
||||
import Actions from '../action_buttons.vue';
|
||||
import StatusIcon from './status_icon.vue';
|
||||
import { generateText } from './utils';
|
||||
|
@ -35,6 +36,20 @@ export default {
|
|||
required: true,
|
||||
},
|
||||
},
|
||||
computed: {
|
||||
subtext() {
|
||||
const { subtext } = this.data;
|
||||
if (subtext) {
|
||||
if (isArray(subtext)) {
|
||||
return subtext.map((t) => generateText(t)).join('<br />');
|
||||
}
|
||||
|
||||
return generateText(subtext);
|
||||
}
|
||||
|
||||
return null;
|
||||
},
|
||||
},
|
||||
methods: {
|
||||
isArray(arr) {
|
||||
return Array.isArray(arr);
|
||||
|
@ -93,11 +108,7 @@ export default {
|
|||
@clickedAction="onClickedAction"
|
||||
/>
|
||||
</div>
|
||||
<p
|
||||
v-if="data.subtext"
|
||||
v-safe-html="generateText(data.subtext)"
|
||||
class="gl-m-0 gl-font-sm"
|
||||
></p>
|
||||
<p v-if="subtext" v-safe-html="subtext" class="gl-m-0 gl-font-sm"></p>
|
||||
</div>
|
||||
</div>
|
||||
<template v-if="data.children && level === 2">
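Review bot: The new `subtext` computed property imports `isArray` from lodash while the component's `methods` block already defines `isArray(arr)` as `Array.isArray(arr)`, so the file now spells the same check two ways. Using `Array.isArray(subtext)` in the computed property would avoid the extra import. The joined string is passed to `v-safe-html`, so it relies on `generateText` escaping every entry; a comment on `subtext()` such as `// generateText() escapes each entry; only the <br /> separators are trusted markup.` would record that assumption.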
|
||||
|
|
|
@ -35,6 +35,9 @@ const textStyleTags = {
|
|||
[getStartTag('small')]: '<span class="gl-font-sm gl-text-gray-700">',
|
||||
};
|
||||
|
||||
const escapeText = (text) =>
|
||||
document.createElement('div').appendChild(document.createTextNode(text)).parentNode.innerHTML;
|
||||
|
||||
const createText = (text) => {
|
||||
return text
|
||||
.replace(
|
||||
|
@ -61,7 +64,7 @@ const createText = (text) => {
|
|||
|
||||
export const generateText = (text) => {
|
||||
if (typeof text === 'string') {
|
||||
return createText(text);
|
||||
return createText(escapeText(text));
|
||||
} else if (
|
||||
typeof text === 'object' &&
|
||||
typeof text.text === 'string' &&
|
||||
|
@ -69,8 +72,8 @@ export const generateText = (text) => {
|
|||
) {
|
||||
return createText(
|
||||
`${
|
||||
text.prependText ? `${text.prependText} ` : ''
|
||||
}<a class="gl-text-decoration-underline" href="${text.href}">${text.text}</a>`,
|
||||
text.prependText ? `${escapeText(text.prependText)} ` : ''
|
||||
}<a class="gl-text-decoration-underline" href="${text.href}">${escapeText(text.text)}</a>`,
|
||||
);
|
||||
}
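Review bot: `text.href` is still interpolated unescaped into the `href="…"` attribute on the new anchor line, while `text.text` and `text.prependText` now go through `escapeText`. A value containing a double quote can close the attribute, and the scheme is not checked here, so the output depends entirely on whatever sanitiser renders it. `escapeText` serialises a text node and so does not encode quotes, which makes it unsuitable for attribute context. Something like `href="${escape(sanitizeUrl(text.href))}"`, with lodash `escape` and `sanitizeUrl` from `~/lib/utils/url_utility`, would cover both. The rest of the `else if` condition lies outside the hunk, so an existing `href` check there cannot be ruled out.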
|
||||
|
||||
|
|
|
@ -19,25 +19,23 @@ export default {
|
|||
if (errorSummary.errored >= 1 && errorSummary.resolved >= 1) {
|
||||
const improvements = sprintf(
|
||||
n__(
|
||||
'%{strongOpen}%{errors}%{strongClose} point',
|
||||
'%{strongOpen}%{errors}%{strongClose} points',
|
||||
'%{strong_start}%{errors}%{strong_end} point',
|
||||
'%{strong_start}%{errors}%{strong_end} points',
|
||||
resolvedErrors.length,
|
||||
),
|
||||
{
|
||||
errors: resolvedErrors.length,
|
||||
strongOpen: '<strong>',
|
||||
strongClose: '</strong>',
|
||||
},
|
||||
false,
|
||||
);
|
||||
|
||||
const degradations = sprintf(
|
||||
n__(
|
||||
'%{strongOpen}%{errors}%{strongClose} point',
|
||||
'%{strongOpen}%{errors}%{strongClose} points',
|
||||
'%{strong_start}%{errors}%{strong_end} point',
|
||||
'%{strong_start}%{errors}%{strong_end} points',
|
||||
newErrors.length,
|
||||
),
|
||||
{ errors: newErrors.length, strongOpen: '<strong>', strongClose: '</strong>' },
|
||||
{ errors: newErrors.length },
|
||||
false,
|
||||
);
|
||||
return sprintf(
|
||||
|
@ -96,14 +94,11 @@ export default {
|
|||
this.collapsedData.resolvedErrors.map((e) => {
|
||||
return fullData.push({
|
||||
text: `${capitalizeFirstCharacter(e.severity)} - ${e.description}`,
|
||||
subtext: sprintf(
|
||||
s__(`ciReport|in %{open_link}${e.file_path}:${e.line}%{close_link}`),
|
||||
{
|
||||
open_link: `<a class="gl-text-decoration-underline" href="${e.urlPath}">`,
|
||||
close_link: '</a>',
|
||||
},
|
||||
false,
|
||||
),
|
||||
subtext: {
|
||||
prependText: s__(`ciReport|in`),
|
||||
text: `${e.file_path}:${e.line}`,
|
||||
href: e.urlPath,
|
||||
},
|
||||
icon: {
|
||||
name: SEVERITY_ICONS_EXTENSION[e.severity],
|
||||
},
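Review bot: Both `sprintf` calls for `improvements` and `degradations` still pass `false` as the third argument, which switches parameter escaping off, although the only parameter left after this change is the numeric `errors` count. Dropping it, as in `sprintf(n__(…), { errors: newErrors.length })`, keeps the default escaping in place should a string parameter be added later. In the second hunk the `ciReport|in` key is written as a template literal with nothing to interpolate; a plain quoted string would read more clearly.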
|
||||
|
|
|
@ -63,13 +63,16 @@ export default {
|
|||
if (valid.length) {
|
||||
title = validText;
|
||||
if (invalid.length) {
|
||||
subtitle = sprintf(`<br>%{small_start}${invalidText}%{small_end}`);
|
||||
subtitle = invalidText;
|
||||
}
|
||||
} else {
|
||||
title = invalidText;
|
||||
}
|
||||
|
||||
return `${title}${subtitle}`;
|
||||
return {
|
||||
subject: title,
|
||||
meta: subtitle,
|
||||
};
|
||||
},
|
||||
fetchCollapsedData() {
|
||||
return axios
|
||||
|
@ -152,9 +155,8 @@ export default {
|
|||
}
|
||||
|
||||
return {
|
||||
text: `${title}
|
||||
<br>
|
||||
${subtitle}`,
|
||||
text: title,
|
||||
supportingText: subtitle,
|
||||
icon: { name: iconName },
|
||||
actions,
|
||||
};
|
||||
|
|
|
@ -60,7 +60,7 @@ export const reportSubTextBuilder = ({ suite_errors: suiteErrors, summary }) =>
|
|||
if (suiteErrors?.base) {
|
||||
errors.push(`${i18n.baseReportParsingError} ${suiteErrors.base}`);
|
||||
}
|
||||
return errors.join('<br />');
|
||||
return errors;
|
||||
}
|
||||
return recentFailuresTextBuilder(summary);
|
||||
};
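Review bot: `reportSubTextBuilder` now returns the `errors` array in the suite-error branch but still returns whatever `recentFailuresTextBuilder(summary)` produces in the other branch, so callers may receive two different shapes. The return type of that helper is not visible here. A JSDoc line such as `@returns {string|string[]} one entry per displayed line; the caller is responsible for escaping and joining` would record the contract. The start of the function is outside the hunk.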
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module BatchLoaders
|
||||
module AwardEmojiVotesBatchLoader
|
||||
private
|
||||
|
||||
def load_votes(object, vote_type)
|
||||
BatchLoader::GraphQL.for(object.id).batch(key: "#{object.issuing_parent_id}-#{vote_type}") do |ids, loader, args|
|
||||
counts = AwardEmoji.votes_for_collection(ids, object.class.name).named(vote_type).index_by(&:awardable_id)
|
||||
|
||||
ids.each do |id|
|
||||
loader.call(id, counts[id]&.count || 0)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def authorized_resource?(object)
|
||||
Ability.allowed?(current_user, "read_#{object.to_ability_name}".to_sym, object)
|
||||
end
|
||||
end
|
||||
end
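Review bot: The batch key in `load_votes` is built from `issuing_parent_id` and `vote_type` only, yet the block calls `AwardEmoji.votes_for_collection(ids, object.class.name)` with the class of a single captured `object`. If an issue and a merge request from the same project are resolved in one query, they would likely share a key, and ids of one type could be looked up under the other type's name, giving wrong counts. Including the type in the key, `key: "#{object.issuing_parent_id}-#{object.class.name}-#{vote_type}"`, keeps each batch homogeneous. The block parameter `args` is unused and could be written `_args`.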
|
|
@ -0,0 +1,15 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Resolvers
|
||||
class DownVotesCountResolver < BaseResolver
|
||||
include Gitlab::Graphql::Authorize::AuthorizeResource
|
||||
include BatchLoaders::AwardEmojiVotesBatchLoader
|
||||
|
||||
type GraphQL::Types::Int, null: true
|
||||
|
||||
def resolve
|
||||
authorize!(object)
|
||||
load_votes(object, AwardEmoji::DOWNVOTE_NAME)
|
||||
end
|
||||
end
|
||||
end
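Review bot: The resolver declares `type GraphQL::Types::Int, null: true`, while the `downvotes` fields that use it are declared `null: false` in the issue and merge request types later in this commit. The same applies to `UpVotesCountResolver`. Aligning the resolver with the fields, `type GraphQL::Types::Int, null: false`, avoids two conflicting statements of the contract. A short comment on `resolve` describing what the client receives when `authorize!(object)` rejects the request would also help, since a non-null field cannot fall back to `null`.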
|
|
@ -0,0 +1,15 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Resolvers
|
||||
class UpVotesCountResolver < BaseResolver
|
||||
include Gitlab::Graphql::Authorize::AuthorizeResource
|
||||
include BatchLoaders::AwardEmojiVotesBatchLoader
|
||||
|
||||
type GraphQL::Types::Int, null: true
|
||||
|
||||
def resolve
|
||||
authorize!(object)
|
||||
load_votes(object, AwardEmoji::UPVOTE_NAME)
|
||||
end
|
||||
end
|
||||
end
|
|
@ -58,15 +58,20 @@ module Types
|
|||
description: 'Indicates the issue is hidden because the author has been banned. ' \
|
||||
'Will always return `null` if `ban_user_feature_flag` feature flag is disabled.'
|
||||
|
||||
field :downvotes, GraphQL::Types::Int, null: false,
|
||||
description: 'Number of downvotes the issue has received.'
|
||||
field :downvotes, GraphQL::Types::Int,
|
||||
null: false,
|
||||
description: 'Number of downvotes the issue has received.',
|
||||
resolver: Resolvers::DownVotesCountResolver
|
||||
field :merge_requests_count, GraphQL::Types::Int, null: false,
|
||||
description: 'Number of merge requests that close the issue on merge.',
|
||||
resolver: Resolvers::MergeRequestsCountResolver
|
||||
field :relative_position, GraphQL::Types::Int, null: true,
|
||||
description: 'Relative position of the issue (used for positioning in epic tree and issue boards).'
|
||||
field :upvotes, GraphQL::Types::Int, null: false,
|
||||
description: 'Number of upvotes the issue has received.'
|
||||
field :upvotes, GraphQL::Types::Int,
|
||||
null: false,
|
||||
description: 'Number of upvotes the issue has received.',
|
||||
resolver: Resolvers::UpVotesCountResolver
|
||||
|
||||
field :user_discussions_count, GraphQL::Types::Int, null: false,
|
||||
description: 'Number of user discussions in the issue.',
|
||||
resolver: Resolvers::UserDiscussionsCountResolver
|
||||
|
|
|
@ -75,8 +75,12 @@ module Types
|
|||
null: false, calls_gitaly: true,
|
||||
method: :diverged_from_target_branch?,
|
||||
description: 'Indicates if the source branch is behind the target branch.'
|
||||
field :downvotes, GraphQL::Types::Int, null: false,
|
||||
description: 'Number of downvotes for the merge request.'
|
||||
|
||||
field :downvotes, GraphQL::Types::Int,
|
||||
null: false,
|
||||
description: 'Number of downvotes for the merge request.',
|
||||
resolver: Resolvers::DownVotesCountResolver
|
||||
|
||||
field :force_remove_source_branch, GraphQL::Types::Boolean, method: :force_remove_source_branch?, null: true,
|
||||
description: 'Indicates if the project settings will lead to source branch deletion after merge.'
|
||||
field :in_progress_merge_commit_sha, GraphQL::Types::String, null: true,
|
||||
|
@ -118,8 +122,12 @@ module Types
|
|||
null: false, calls_gitaly: true,
|
||||
method: :target_branch_exists?,
|
||||
description: 'Indicates if the target branch of the merge request exists.'
|
||||
field :upvotes, GraphQL::Types::Int, null: false,
|
||||
description: 'Number of upvotes for the merge request.'
|
||||
|
||||
field :upvotes, GraphQL::Types::Int,
|
||||
null: false,
|
||||
description: 'Number of upvotes for the merge request.',
|
||||
resolver: Resolvers::UpVotesCountResolver
|
||||
|
||||
field :user_discussions_count, GraphQL::Types::Int, null: true,
|
||||
description: 'Number of user discussions in the merge request.',
|
||||
resolver: Resolvers::UserDiscussionsCountResolver
|
||||
|
|
|
@ -441,7 +441,8 @@ module ApplicationSettingsHelper
|
|||
:group_runner_token_expiration_interval,
|
||||
:project_runner_token_expiration_interval,
|
||||
:pipeline_limit_per_project_user_sha,
|
||||
:invitation_flow_enforcement
|
||||
:invitation_flow_enforcement,
|
||||
:can_create_group
|
||||
].tap do |settings|
|
||||
next if Gitlab.com?
|
||||
|
||||
|
|
|
@ -406,7 +406,7 @@ class ApplicationSetting < ApplicationRecord
|
|||
validates :invisible_captcha_enabled,
|
||||
inclusion: { in: [true, false], message: _('must be a boolean value') }
|
||||
|
||||
validates :invitation_flow_enforcement,
|
||||
validates :invitation_flow_enforcement, :can_create_group,
|
||||
allow_nil: false,
|
||||
inclusion: { in: [true, false], message: _('must be a boolean value') }
|
||||
|
||||
|
@ -792,6 +792,10 @@ class ApplicationSetting < ApplicationRecord
|
|||
::AsciidoctorExtensions::Kroki::SUPPORTED_DIAGRAM_NAMES.include?(diagram_type)
|
||||
end
|
||||
|
||||
def personal_access_tokens_disabled?
|
||||
false
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def parsed_grafana_url
|
||||
|
|
|
@ -240,7 +240,8 @@ module ApplicationSettingImplementation
|
|||
search_rate_limit: 30,
|
||||
search_rate_limit_unauthenticated: 10,
|
||||
users_get_by_id_limit: 300,
|
||||
users_get_by_id_limit_allowlist: []
|
||||
users_get_by_id_limit_allowlist: [],
|
||||
can_create_group: true
|
||||
}
|
||||
end
|
||||
|
||||
|
|
|
@ -112,6 +112,8 @@ module Ci
|
|||
|
||||
has_one :pipeline_config, class_name: 'Ci::PipelineConfig', inverse_of: :pipeline
|
||||
|
||||
has_one :pipeline_metadata, class_name: 'Ci::PipelineMetadata', inverse_of: :pipeline
|
||||
|
||||
has_many :daily_build_group_report_results, class_name: 'Ci::DailyBuildGroupReportResult', foreign_key: :last_pipeline_id
|
||||
has_many :latest_builds_report_results, through: :latest_builds, source: :report_results
|
||||
has_many :pipeline_artifacts, class_name: 'Ci::PipelineArtifact', inverse_of: :pipeline, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
|
||||
|
@ -119,6 +121,7 @@ module Ci
|
|||
accepts_nested_attributes_for :variables, reject_if: :persisted?
|
||||
|
||||
delegate :full_path, to: :project, prefix: true
|
||||
delegate :title, to: :pipeline_metadata, allow_nil: true
|
||||
|
||||
validates :sha, presence: { unless: :importing? }
|
||||
validates :ref, presence: { unless: :importing? }
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Ci
|
||||
class PipelineMetadata < Ci::ApplicationRecord
|
||||
self.primary_key = :pipeline_id
|
||||
|
||||
belongs_to :pipeline, class_name: "Ci::Pipeline", inverse_of: :pipeline_metadata
|
||||
belongs_to :project, class_name: "Project", inverse_of: :pipeline_metadata
|
||||
|
||||
validates :pipeline, presence: true
|
||||
validates :project, presence: true
|
||||
validates :title, presence: true, length: { minimum: 1, maximum: 255 }
|
||||
end
|
||||
end
|
|
@ -14,6 +14,11 @@ module Integrations
|
|||
raise NotImplementedError
|
||||
end
|
||||
|
||||
# Return the url variables to be used for the webhook.
|
||||
def url_variables
|
||||
raise NotImplementedError
|
||||
end
|
||||
|
||||
# Return whether the webhook should use SSL verification.
|
||||
def hook_ssl_verification
|
||||
if respond_to?(:enable_ssl_verification)
|
||||
|
@ -26,7 +31,11 @@ module Integrations
|
|||
# Create or update the webhook, raising an exception if it cannot be saved.
|
||||
def update_web_hook!
|
||||
hook = service_hook || build_service_hook
|
||||
hook.url = hook_url if hook.url != hook_url # avoid reencryption
|
||||
|
||||
# Avoid reencryption
|
||||
hook.url = hook_url if hook.url != hook_url
|
||||
hook.url_variables = url_variables if hook.url_variables != url_variables
|
||||
|
||||
hook.enable_ssl_verification = hook_ssl_verification
|
||||
hook.save! if hook.changed?
|
||||
hook
|
||||
|
|
|
@ -3,13 +3,16 @@
|
|||
module SafeUrl
|
||||
extend ActiveSupport::Concern
|
||||
|
||||
# Return the URL with obfuscated userinfo
|
||||
# and keeping it intact
|
||||
def safe_url(allowed_usernames: [])
|
||||
return if url.nil?
|
||||
|
||||
uri = URI.parse(url)
|
||||
escaped = Addressable::URI.escape(url)
|
||||
uri = URI.parse(escaped)
|
||||
uri.password = '*****' if uri.password
|
||||
uri.user = '*****' if uri.user && allowed_usernames.exclude?(uri.user)
|
||||
uri.to_s
|
||||
rescue URI::Error
|
||||
Addressable::URI.unescape(uri.to_s)
|
||||
rescue URI::Error, TypeError
|
||||
end
|
||||
end
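Review bot: `Addressable::URI.escape(url)` is now called inside `safe_url`, but the `rescue` clause lists only `URI::Error` and `TypeError`. Addressable raises its own `Addressable::URI::InvalidURIError`, which is not a `URI::Error`, so a malformed URL could raise out of the method instead of returning `nil`. Consider `rescue URI::Error, TypeError, Addressable::URI::InvalidURIError`. The header comment is hard to read; `# Returns the URL with userinfo masked; returns nil when the URL cannot be parsed.` states the contract, including the `nil` that callers such as `self.url = safe_url` in the WebHookLog section then store.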
|
||||
|
|
|
@ -22,7 +22,7 @@ class WebHookLog < ApplicationRecord
|
|||
validates :web_hook, presence: true
|
||||
|
||||
before_save :obfuscate_basic_auth
|
||||
before_save :redact_author_email
|
||||
before_save :redact_user_emails
|
||||
|
||||
def self.recent
|
||||
where(created_at: 2.days.ago.beginning_of_day..Time.zone.now)
|
||||
|
@ -54,9 +54,9 @@ class WebHookLog < ApplicationRecord
|
|||
self.url = safe_url
|
||||
end
|
||||
|
||||
def redact_author_email
|
||||
return unless self.request_data.dig('commit', 'author', 'email').present?
|
||||
|
||||
self.request_data['commit']['author']['email'] = _('[REDACTED]')
|
||||
def redact_user_emails
|
||||
self.request_data.deep_transform_values! do |value|
|
||||
value =~ URI::MailTo::EMAIL_REGEXP ? _('[REDACTED]') : value
|
||||
end
|
||||
end
|
||||
end
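Review bot: `redact_user_emails` applies `=~` to every value in `request_data`, including numbers and booleans. `Object#=~` was removed in Ruby 3.2, so non-string values would raise there, and on older versions it returns nil with a deprecation warning. `value.is_a?(String) && value.match?(URI::MailTo::EMAIL_REGEXP) ? _('[REDACTED]') : value` avoids both. `URI::MailTo::EMAIL_REGEXP` is anchored to the whole string, so an address embedded in a longer value, for example a display name followed by the address, is left unredacted; a comment on the method should state that limit.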
|
||||
|
|
|
@ -50,7 +50,11 @@ module Integrations
|
|||
|
||||
override :hook_url
|
||||
def hook_url
|
||||
"#{buildkite_endpoint('webhook')}/deliver/#{webhook_token}"
|
||||
"#{buildkite_endpoint('webhook')}/deliver/{webhook_token}"
|
||||
end
|
||||
|
||||
def url_variables
|
||||
{ 'webhook_token' => webhook_token }
|
||||
end
|
||||
|
||||
def execute(data)
|
||||
|
|
|
@ -154,13 +154,17 @@ module Integrations
|
|||
url = api_url.presence || sprintf(URL_TEMPLATE, datadog_domain: datadog_domain)
|
||||
url = URI.parse(url)
|
||||
query = {
|
||||
"dd-api-key" => api_key,
|
||||
"dd-api-key" => 'THIS_VALUE_WILL_BE_REPLACED',
|
||||
service: datadog_service.presence,
|
||||
env: datadog_env.presence,
|
||||
tags: datadog_tags_query_param.presence
|
||||
}.compact
|
||||
url.query = query.to_query
|
||||
url.to_s
|
||||
url.to_s.gsub('THIS_VALUE_WILL_BE_REPLACED', '{api_key}')
|
||||
end
|
||||
|
||||
def url_variables
|
||||
{ 'api_key' => api_key }
|
||||
end
|
||||
|
||||
def execute(data)
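Review bot: The sentinel `'THIS_VALUE_WILL_BE_REPLACED'` is an unexplained literal that appears twice, and `gsub` replaces it anywhere in the final URL, including inside `api_url` or the `service`, `env` and `tags` values should one ever contain it. A named constant would help, along with a comment saying why `{api_key}` cannot be placed in the query hash directly (presumably `to_query` would percent-encode the braces). Restricting the substitution to the `dd-api-key=` pair rather than every occurrence would narrow it further. The start of `hook_url` is outside the hunk.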
|
||||
|
|
|
@ -106,7 +106,11 @@ module Integrations
|
|||
|
||||
override :hook_url
|
||||
def hook_url
|
||||
[drone_url, "/hook", "?owner=#{project.namespace.full_path}", "&name=#{project.path}", "&access_token=#{token}"].join
|
||||
[drone_url, "/hook", "?owner=#{project.namespace.full_path}", "&name=#{project.path}", "&access_token={token}"].join
|
||||
end
|
||||
|
||||
def url_variables
|
||||
{ 'token' => token }
|
||||
end
|
||||
|
||||
override :update_web_hook!
|
||||
|
|
|
@ -69,6 +69,10 @@ module Integrations
|
|||
url.to_s
|
||||
end
|
||||
|
||||
def url_variables
|
||||
{}
|
||||
end
|
||||
|
||||
def self.supported_events
|
||||
%w(push merge_request tag_push)
|
||||
end
|
||||
|
|
|
@ -66,7 +66,11 @@ module Integrations
|
|||
override :hook_url
|
||||
def hook_url
|
||||
base_url = server.presence || 'https://packagist.org'
|
||||
"#{base_url}/api/update-package?username=#{username}&apiToken=#{token}"
|
||||
"#{base_url}/api/update-package?username={username}&apiToken={token}"
|
||||
end
|
||||
|
||||
def url_variables
|
||||
{ 'username' => username, 'token' => token }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -112,6 +112,7 @@ class Issue < ApplicationRecord
|
|||
enum issue_type: WorkItems::Type.base_types
|
||||
|
||||
alias_method :issuing_parent, :project
|
||||
alias_attribute :issuing_parent_id, :project_id
|
||||
|
||||
alias_attribute :external_author, :service_desk_reply_to
|
||||
|
||||
|
|
|
@ -445,6 +445,7 @@ class MergeRequest < ApplicationRecord
|
|||
# we'd eventually rename the column for avoiding confusions, but in the mean time
|
||||
# please use `auto_merge_enabled` alias instead of `merge_when_pipeline_succeeds`.
|
||||
alias_attribute :auto_merge_enabled, :merge_when_pipeline_succeeds
|
||||
alias_attribute :issuing_parent_id, :target_project_id
|
||||
alias_method :issuing_parent, :target_project
|
||||
|
||||
delegate :builds_with_coverage, to: :head_pipeline, prefix: true, allow_nil: true
|
||||
|
|
|
@ -350,6 +350,7 @@ class Project < ApplicationRecord
|
|||
has_many :stages, class_name: 'Ci::Stage', inverse_of: :project
|
||||
has_many :ci_refs, class_name: 'Ci::Ref', inverse_of: :project
|
||||
|
||||
has_many :pipeline_metadata, class_name: 'Ci::PipelineMetadata', inverse_of: :project
|
||||
has_many :pending_builds, class_name: 'Ci::PendingBuild'
|
||||
has_many :builds, class_name: 'Ci::Build', inverse_of: :project
|
||||
has_many :processables, class_name: 'Ci::Processable', inverse_of: :project
|
||||
|
|
|
@ -60,7 +60,7 @@ class User < ApplicationRecord
|
|||
|
||||
default_value_for :admin, false
|
||||
default_value_for(:external) { Gitlab::CurrentSettings.user_default_external }
|
||||
default_value_for :can_create_group, gitlab_config.default_can_create_group
|
||||
default_value_for(:can_create_group) { Gitlab::CurrentSettings.can_create_group }
|
||||
default_value_for :can_create_team, false
|
||||
default_value_for :hide_no_ssh_key, false
|
||||
default_value_for :hide_no_password, false
|
||||
|
@ -2153,6 +2153,10 @@ class User < ApplicationRecord
|
|||
(Date.current - created_at.to_date).to_i
|
||||
end
|
||||
|
||||
def webhook_email
|
||||
public_email.presence || _('[REDACTED]')
|
||||
end
|
||||
|
||||
protected
|
||||
|
||||
# override, from Devise::Validatable
|
||||
|
@ -2288,7 +2292,7 @@ class User < ApplicationRecord
|
|||
self.projects_limit = 0
|
||||
else
|
||||
# Only revert these back to the default if they weren't specifically changed in this update.
|
||||
self.can_create_group = gitlab_config.default_can_create_group unless can_create_group_changed?
|
||||
self.can_create_group = Gitlab::CurrentSettings.can_create_group unless can_create_group_changed?
|
||||
self.projects_limit = Gitlab::CurrentSettings.default_projects_limit unless projects_limit_changed?
|
||||
end
|
||||
end
|
||||
|
|
|
@ -22,6 +22,12 @@ class IssuablePolicy < BasePolicy
|
|||
enable :reopen_issue
|
||||
end
|
||||
|
||||
# This rule replicates permissions in NotePolicy#can_read_confidential and it's used in
|
||||
# TodoPolicy for performance reasons
|
||||
rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
|
||||
enable :read_confidential_notes
|
||||
end
|
||||
|
||||
rule { can?(:read_merge_request) & assignee_or_author }.policy do
|
||||
enable :update_merge_request
|
||||
enable :reopen_merge_request
|
||||
|
|
|
@ -20,6 +20,7 @@ class NotePolicy < BasePolicy
|
|||
|
||||
condition(:confidential, scope: :subject) { @subject.confidential? }
|
||||
|
||||
# If this condition changes IssuablePolicy#read_confidential_notes should be updated too
|
||||
condition(:can_read_confidential) do
|
||||
access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
|
||||
end
|
||||
|
|
|
@ -5,10 +5,25 @@ class TodoPolicy < BasePolicy
|
|||
condition(:own_todo) do
|
||||
@user && @subject.user_id == @user.id
|
||||
end
|
||||
|
||||
desc "User can read the todo's target"
|
||||
condition(:can_read_target) do
|
||||
@user && @subject.target&.readable_by?(@user)
|
||||
end
|
||||
|
||||
desc "Todo has confidential note"
|
||||
condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
|
||||
|
||||
desc "User can read the todo's confidential note"
|
||||
condition(:can_read_todo_confidential_note) do
|
||||
@user && @user.can?(:read_confidential_notes, @subject.target)
|
||||
end
|
||||
|
||||
rule { own_todo & can_read_target }.enable :read_todo
|
||||
rule { own_todo & can_read_target }.enable :update_todo
|
||||
rule { can?(:read_todo) }.enable :update_todo
|
||||
|
||||
rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
|
||||
prevent :read_todo
|
||||
prevent :update_todo
|
||||
end
|
||||
end
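Review bot: The final rule denies by enumeration (`prevent :read_todo`, `prevent :update_todo`), so an ability enabled in this policy later would not be covered for todos on confidential notes unless it is added to that list as well. A comment above the rule, e.g. `# Every ability enabled in this policy must also be prevented here`, would make that dependency visible. `has_confidential_note` uses `@subject&.note`, while `own_todo` and `can_read_todo_confidential_note` dereference `@subject` directly; one form throughout would read more consistently. `can_read_todo_confidential_note` also passes `@subject.target` without the nil guard that `can_read_target` has; a nil target presumably evaluates as not permitted, which fails closed, but that is worth confirming in a spec.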
|
||||
|
|
|
@ -7,7 +7,9 @@ class BaseProjectService < ::BaseContainerService
|
|||
attr_accessor :project
|
||||
|
||||
def initialize(project:, current_user: nil, params: {})
|
||||
super(container: project, current_user: current_user, params: params)
|
||||
# we need to exclude project params since they may come from external requests. project should always
|
||||
# be passed as part of the service's initializer
|
||||
super(container: project, current_user: current_user, params: params.except(:project, :project_id))
|
||||
|
||||
@project = project
|
||||
end
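Review bot: `params.except(:project, :project_id)` removes only keys that compare equal to those symbols, so on a plain Hash the string keys `'project'` and `'project_id'` would still reach `super`. The filter is complete only if every caller passes an indifferent-access hash, which this hunk does not show. Since the comment says the values may come from external requests, either drop both spellings, `params.except(:project, :project_id, 'project', 'project_id')`, or state the expected params type in the comment. The call also now raises on `params: nil`, which the previous `params: params` passed through, so callers outside the hunk need checking; the class body continues outside the hunk.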
|
||||
|
|
|
@ -14,7 +14,12 @@ class FileUploader < GitlabUploader
|
|||
include ObjectStorage::Concern
|
||||
prepend ObjectStorage::Extension::RecordsUploads
|
||||
|
||||
MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze
|
||||
# This pattern is vulnerable to malicious inputs, so use Gitlab::UntrustedRegexp
|
||||
# to place bounds on execution time
|
||||
MARKDOWN_PATTERN = Gitlab::UntrustedRegexp.new(
|
||||
'!?\[.*?\]\(/uploads/(?P<secret>[0-9a-f]{32})/(?P<file>.*?)\)'
|
||||
)
|
||||
|
||||
DYNAMIC_PATH_PATTERN = %r{.*(?<secret>\b(\h{10}|\h{32}))\/(?<identifier>.*)}.freeze
|
||||
VALID_SECRET_PATTERN = %r{\A\h{10,32}\z}.freeze
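Review bot: `MARKDOWN_PATTERN` changes from a `Regexp` to a `Gitlab::UntrustedRegexp`, so any code that hands the constant to `String#scan`, `gsub` or `=~` has to move to the wrapper's own methods; those call sites are not in this hunk and should be checked in the same change. The new comment would help more if it named the risk, e.g. `# The lazy .*? groups can backtrack heavily on crafted Markdown; Gitlab::UntrustedRegexp bounds the matching time`. `DYNAMIC_PATH_PATTERN` directly below is still a backtracking `Regexp` that begins with `.*`; if it is ever matched against user-supplied text it deserves the same review.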
|
||||
|
||||
|
|
|
@ -67,6 +67,6 @@
|
|||
= f.gitlab_ui_checkbox_component :user_show_add_ssh_key_message, _("Inform users without uploaded SSH keys that they can't push over SSH until one is added")
|
||||
|
||||
= render 'admin/application_settings/invitation_flow_enforcement', form: f
|
||||
= render_if_exists 'admin/application_settings/updating_name_disabled_for_users', form: f
|
||||
= render 'admin/application_settings/user_restrictions', form: f
|
||||
= render_if_exists 'admin/application_settings/availability_on_namespace_setting', form: f
|
||||
= f.submit _('Save changes'), class: 'qa-save-changes-button', pajamas_button: true
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
- form = local_assigns.fetch(:form)
|
||||
|
||||
.form-group
|
||||
= label_tag _('User restrictions')
|
||||
= render_if_exists 'admin/application_settings/updating_name_disabled_for_users', form: form
|
||||
= form.gitlab_ui_checkbox_component :can_create_group, _("Allow users to create top-level groups")
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
name: audit_invalid_approver_rules
|
||||
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/98636
|
||||
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/375060
|
||||
milestone: '15.5'
|
||||
type: development
|
||||
group: group::code review
|
||||
default_enabled: false
|
|
@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/372464
|
|||
milestone: '15.4'
|
||||
type: development
|
||||
group: group::optimize
|
||||
default_enabled: false
|
||||
default_enabled: true
|
||||
|
|
|
@ -70,6 +70,10 @@ ci_pipeline_chat_data:
|
|||
- table: chat_names
|
||||
column: chat_name_id
|
||||
on_delete: async_delete
|
||||
ci_pipeline_metadata:
|
||||
- table: projects
|
||||
column: project_id
|
||||
on_delete: async_delete
|
||||
ci_pipeline_schedules:
|
||||
- table: users
|
||||
column: owner_id
|
||||
|
|
|
@ -183,6 +183,7 @@ Settings.gitlab['default_project_creation'] ||= ::Gitlab::Access::DEVELOPER_MAIN
|
|||
Settings.gitlab['default_project_deletion_protection'] ||= false
|
||||
Settings.gitlab['default_projects_limit'] ||= 100000
|
||||
Settings.gitlab['default_branch_protection'] ||= 2
|
||||
# `default_can_create_group` is deprecated since GitLab 15.5 in favour of the `can_create_group` column on `ApplicationSetting`.
|
||||
Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
|
||||
Settings.gitlab['default_theme'] = Gitlab::Themes::APPLICATION_DEFAULT if Settings.gitlab['default_theme'].nil?
|
||||
Settings.gitlab['host'] ||= ENV['GITLAB_HOST'] || 'localhost'
|
||||
|
@ -1045,6 +1046,7 @@ Settings.shutdown['blackout_seconds'] ||= 10
|
|||
#
|
||||
if Rails.env.test?
|
||||
Settings.gitlab['default_projects_limit'] = 42
|
||||
# `default_can_create_group` is deprecated since GitLab 15.5 in favour of the `can_create_group` column on `ApplicationSetting`.
|
||||
Settings.gitlab['default_can_create_group'] = true
|
||||
Settings.gitlab['default_can_create_team'] = false
|
||||
end
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
table_name: ci_pipelines_metadata
|
||||
classes:
|
||||
- Ci::PipelineMetadata
|
||||
feature_categories:
|
||||
- continuous_integration
|
||||
description: 'Stores additional information about CI pipelines'
|
||||
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/97139
|
||||
milestone: '15.5'
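Review bot: `table_name: ci_pipelines_metadata` does not match the table this commit creates: the migration uses `create_table :ci_pipeline_metadata` and the schema dump has `CREATE TABLE ci_pipeline_metadata`. The entry should read `table_name: ci_pipeline_metadata`. Any tooling that pairs dictionary entries with tables by name would presumably miss this one otherwise.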
|
|
@ -0,0 +1,7 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class AddCanCreateGroupToApplicationSettings < Gitlab::Database::Migration[2.0]
|
||||
def change
|
||||
add_column(:application_settings, :can_create_group, :boolean, default: true, null: false)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,26 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class UpdateCanCreateGroupApplicationSetting < Gitlab::Database::Migration[2.0]
|
||||
restrict_gitlab_migration gitlab_schema: :gitlab_main
|
||||
|
||||
def up
|
||||
value = gitlab_config.respond_to?(:default_can_create_group) ? gitlab_config.default_can_create_group : true
|
||||
value = Gitlab::Utils.to_boolean(value, default: true)
|
||||
|
||||
execute_update(value: value)
|
||||
end
|
||||
|
||||
def down
|
||||
execute_update(value: true)
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def execute_update(value:)
|
||||
execute "UPDATE application_settings SET can_create_group = #{value}"
|
||||
end
|
||||
|
||||
def gitlab_config
|
||||
Gitlab.config.gitlab
|
||||
end
|
||||
end
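Review bot: `execute_update` interpolates `value` straight into the SQL text, `"UPDATE application_settings SET can_create_group = #{value}"`, and is safe only because `up` has already coerced the configuration value with `Gitlab::Utils.to_boolean(value, default: true)`. Keeping that guarantee at the point of use makes the helper safe on its own, e.g. `execute "UPDATE application_settings SET can_create_group = #{connection.quote(value)}"`, or add a comment that `value` must be a Ruby boolean. `down` writes `true` unconditionally, so a rollback does not restore a previously migrated `false`; a short comment saying that is intended would help.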
|
|
@ -0,0 +1,27 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class AddCiPipelineMetadataTitle < Gitlab::Database::Migration[2.0]
|
||||
enable_lock_retries!
|
||||
|
||||
def up
|
||||
create_table :ci_pipeline_metadata, id: false do |t|
|
||||
t.bigint :project_id, null: false
|
||||
|
||||
t.references :pipeline,
|
||||
null: false,
|
||||
primary_key: true,
|
||||
default: nil,
|
||||
index: false,
|
||||
foreign_key: { to_table: :ci_pipelines, on_delete: :cascade }
|
||||
|
||||
t.text :title, null: false, limit: 255
|
||||
|
||||
t.index [:pipeline_id, :title], name: 'index_ci_pipeline_metadata_on_pipeline_id_title'
|
||||
t.index [:project_id], name: 'index_ci_pipeline_metadata_on_project_id'
|
||||
end
|
||||
end
|
||||
|
||||
def down
|
||||
drop_table :ci_pipeline_metadata
|
||||
end
|
||||
end
|
|
@ -0,0 +1 @@
|
|||
eab8630158a70df1246bf5c12c2d93d9fa855140c65bde4665d1d13f371b561c
|
|
@ -0,0 +1 @@
|
|||
0d134b0f3ba5adcc515072a2c1f995f3f3a89f298ee84f1f58c2f7afb0b85a0f
|
|
@ -0,0 +1 @@
|
|||
184e634f62549f3fa2f183003957a2f5a5c53b34394ec3430eb0293076ae177a
|
|
@ -11484,6 +11484,7 @@ CREATE TABLE application_settings (
|
|||
dashboard_notification_limit integer DEFAULT 0 NOT NULL,
|
||||
dashboard_enforcement_limit integer DEFAULT 0 NOT NULL,
|
||||
dashboard_limit_new_namespace_creation_enforcement_date date,
|
||||
can_create_group boolean DEFAULT true NOT NULL,
|
||||
CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
|
||||
CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)),
|
||||
CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
|
||||
|
@ -13023,6 +13024,13 @@ CREATE SEQUENCE ci_pipeline_messages_id_seq
|
|||
|
||||
ALTER SEQUENCE ci_pipeline_messages_id_seq OWNED BY ci_pipeline_messages.id;
|
||||
|
||||
CREATE TABLE ci_pipeline_metadata (
|
||||
project_id bigint NOT NULL,
|
||||
pipeline_id bigint NOT NULL,
|
||||
title text NOT NULL,
|
||||
CONSTRAINT check_e6a636a3f3 CHECK ((char_length(title) <= 255))
|
||||
);
|
||||
|
||||
CREATE TABLE ci_pipeline_schedule_variables (
|
||||
id integer NOT NULL,
|
||||
key character varying NOT NULL,
|
||||
|
@ -25083,6 +25091,9 @@ ALTER TABLE ONLY ci_pipeline_chat_data
|
|||
ALTER TABLE ONLY ci_pipeline_messages
|
||||
ADD CONSTRAINT ci_pipeline_messages_pkey PRIMARY KEY (id);
|
||||
|
||||
ALTER TABLE ONLY ci_pipeline_metadata
|
||||
ADD CONSTRAINT ci_pipeline_metadata_pkey PRIMARY KEY (pipeline_id);
|
||||
|
||||
ALTER TABLE ONLY ci_pipeline_schedule_variables
|
||||
ADD CONSTRAINT ci_pipeline_schedule_variables_pkey PRIMARY KEY (id);
|
||||
|
||||
|
@ -28155,6 +28166,10 @@ CREATE UNIQUE INDEX index_ci_pipeline_chat_data_on_pipeline_id ON ci_pipeline_ch
|
|||
|
||||
CREATE INDEX index_ci_pipeline_messages_on_pipeline_id ON ci_pipeline_messages USING btree (pipeline_id);
|
||||
|
||||
CREATE INDEX index_ci_pipeline_metadata_on_pipeline_id_title ON ci_pipeline_metadata USING btree (pipeline_id, title);
|
||||
|
||||
CREATE INDEX index_ci_pipeline_metadata_on_project_id ON ci_pipeline_metadata USING btree (project_id);
|
||||
|
||||
CREATE UNIQUE INDEX index_ci_pipeline_schedule_variables_on_schedule_id_and_key ON ci_pipeline_schedule_variables USING btree (pipeline_schedule_id, key);
|
||||
|
||||
CREATE INDEX index_ci_pipeline_schedules_on_next_run_at_and_active ON ci_pipeline_schedules USING btree (next_run_at, active);
|
||||
|
@ -33729,6 +33744,9 @@ ALTER TABLE ONLY resource_iteration_events
|
|||
ALTER TABLE ONLY status_page_settings
|
||||
ADD CONSTRAINT fk_rails_506e5ba391 FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
|
||||
|
||||
ALTER TABLE ONLY ci_pipeline_metadata
|
||||
ADD CONSTRAINT fk_rails_50c1e9ea10 FOREIGN KEY (pipeline_id) REFERENCES ci_pipelines(id) ON DELETE CASCADE;
|
||||
|
||||
ALTER TABLE ONLY project_repository_storage_moves
|
||||
ADD CONSTRAINT fk_rails_5106dbd44a FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE;
|
||||
|
||||
|
|
|
@ -831,3 +831,49 @@ X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>
|
|||
"event_type": "project_group_link_destroy"
|
||||
}
|
||||
```
|
||||
|
||||
## Audit event streaming on invalid merge request approver state
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/374566) in GitLab 15.5.
|
||||
|
||||
Stream audit events that relate to invalid merge request approver states within a project.
|
||||
|
||||
### Headers
|
||||
|
||||
Headers are formatted as follows:
|
||||
|
||||
```plaintext
|
||||
POST /logs HTTP/1.1
|
||||
Host: <DESTINATION_HOST>
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
X-Gitlab-Event-Streaming-Token: <DESTINATION_TOKEN>
|
||||
X-Gitlab-Audit-Event-Type: audit_operation
|
||||
```
|
||||
|
||||
### Example payload
|
||||
|
||||
```json
|
||||
{
|
||||
"id": 1,
|
||||
"author_id": 1,
|
||||
"entity_id": 6,
|
||||
"entity_type": "Project",
|
||||
"details": {
|
||||
"author_name": "example_username",
|
||||
"target_id": 20,
|
||||
"target_type": "MergeRequest",
|
||||
"target_details": { title: "Merge request title", iid: "Merge request iid", id: "Merge request id" },
|
||||
"custom_message": "Invalid merge request approver rules",
|
||||
"ip_address": "127.0.0.1",
|
||||
"entity_path": "example-group/example-project"
|
||||
},
|
||||
"ip_address": "127.0.0.1",
|
||||
"author_name": "example_username",
|
||||
"entity_path": "example-group/example-project",
|
||||
"target_details": "merge request title",
|
||||
"created_at": "2022-03-09T06:53:11.181Z",
|
||||
"target_type": "MergeRequest",
|
||||
"target_id": 20,
|
||||
"event_type": "audit_operation"
|
||||
}
|
||||
```
|
||||
|
|
|
@ -13,7 +13,7 @@ to support user authentication.
|
|||
This integration works with most LDAP-compliant directory servers, including:
|
||||
|
||||
- Microsoft Active Directory.
|
||||
[Microsoft Active Directory Trusts](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771568(v=ws.10))
|
||||
[Microsoft Active Directory Trusts](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771568(v=ws.10))
|
||||
are not supported.
|
||||
- Apple Open Directory.
|
||||
- Open LDAP.
|
||||
|
@ -312,7 +312,7 @@ To limit access to the nested members of an Active Directory group, use the foll
|
|||
```
|
||||
|
||||
For more information about `LDAP_MATCHING_RULE_IN_CHAIN` filters, see
|
||||
[Search Filter Syntax](https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax).
|
||||
[Search Filter Syntax](https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax).
|
||||
|
||||
Support for nested members in the user filter shouldn't be confused with
|
||||
[group sync nested groups](ldap_synchronization.md#supported-ldap-group-typesattributes) support.
|
||||
|
|
|
@ -158,14 +158,14 @@ gitlab_rails['omniauth_providers'] = [
|
|||
|
||||
### Microsoft Azure
|
||||
|
||||
The OpenID Connect (OIDC) protocol for Microsoft Azure uses the [Microsoft identity platform (v2) endpoints](https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison).
|
||||
The OpenID Connect (OIDC) protocol for Microsoft Azure uses the [Microsoft identity platform (v2) endpoints](https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/azure-ad-endpoint-comparison).
|
||||
To get started, sign in to the [Azure Portal](https://portal.azure.com). For your app, you need the
|
||||
following information:
|
||||
|
||||
- A tenant ID. You may already have one. For more information, review the
|
||||
[Microsoft Azure Tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
|
||||
[Microsoft Azure Tenant](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
|
||||
- A client ID and a client secret. Follow the instructions in the
|
||||
[Microsoft Quickstart Register an Application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) documentation
|
||||
[Microsoft Quickstart Register an Application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) documentation
|
||||
to obtain the tenant ID, client ID, and client secret for your app.
|
||||
|
||||
Example Omnibus configuration block:
|
||||
|
@ -193,26 +193,26 @@ gitlab_rails['omniauth_providers'] = [
|
|||
]
|
||||
```
|
||||
|
||||
Microsoft has documented how its platform works with [the OIDC protocol](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
|
||||
Microsoft has documented how its platform works with [the OIDC protocol](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc).
|
||||
|
||||
### Microsoft Azure Active Directory B2C
|
||||
|
||||
While GitLab works with [Azure Active Directory B2C](https://docs.microsoft.com/en-us/azure/active-directory-b2c/overview), it requires special
|
||||
While GitLab works with [Azure Active Directory B2C](https://learn.microsoft.com/en-us/azure/active-directory-b2c/overview), it requires special
|
||||
configuration to work. To get started, sign in to the [Azure Portal](https://portal.azure.com).
|
||||
For your app, you need the following information from Azure:
|
||||
|
||||
- A tenant ID. You may already have one. For more information, review the
|
||||
[Microsoft Azure Tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
|
||||
[Microsoft Azure Tenant](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) documentation.
|
||||
- A client ID and a client secret. Follow the instructions in the
|
||||
[Microsoft tutorial](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga) documentation to obtain the
|
||||
[Microsoft tutorial](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga) documentation to obtain the
|
||||
client ID and client secret for your app.
|
||||
- The user flow or policy name. Follow the instructions in the [Microsoft tutorial](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow).
|
||||
- The user flow or policy name. Follow the instructions in the [Microsoft tutorial](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-user-flow).
|
||||
|
||||
If your GitLab domain is `gitlab.example.com`, ensure the app has the following `Redirect URI`:
|
||||
|
||||
`https://gitlab.example.com/users/auth/openid_connect/callback`
|
||||
|
||||
In addition, ensure that [ID tokens are enabled](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
|
||||
In addition, ensure that [ID tokens are enabled](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-register-applications?tabs=app-reg-ga#enable-id-token-implicit-grant).
|
||||
|
||||
Add the following API permissions to the app:
|
||||
|
||||
|
@ -221,10 +221,10 @@ Add the following API permissions to the app:
|
|||
|
||||
#### Configure custom policies
|
||||
|
||||
Azure B2C [offers two ways of defining the business logic for logging in a user](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview):
|
||||
Azure B2C [offers two ways of defining the business logic for logging in a user](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview):
|
||||
|
||||
- [User flows](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#user-flows)
|
||||
- [Custom policies](https://docs.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#custom-policies)
|
||||
- [User flows](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#user-flows)
|
||||
- [Custom policies](https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-overview#custom-policies)
|
||||
|
||||
While cumbersome to configure, custom policies are required because
|
||||
standard Azure B2C user flows [do not send the OpenID `email` claim](https://github.com/MicrosoftDocs/azure-docs/issues/16566). In
|
||||
|
@ -232,10 +232,10 @@ other words, they do not work with the [`allow_single_sign_on` or `auto_link_use
|
|||
With a standard Azure B2C policy, GitLab cannot create a new account or
|
||||
link to an existing one with an email address.
|
||||
|
||||
Carefully follow the instructions for [creating a custom policy](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy).
|
||||
Carefully follow the instructions for [creating a custom policy](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy).
|
||||
|
||||
The Microsoft instructions use `SocialAndLocalAccounts` in the [custom policy starter pack](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#custom-policy-starter-pack),
|
||||
but `LocalAccounts` works for authenticating against local, Active Directory accounts. Before you follow the instructions to [upload the polices](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies), do the following:
|
||||
The Microsoft instructions use `SocialAndLocalAccounts` in the [custom policy starter pack](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#custom-policy-starter-pack),
|
||||
but `LocalAccounts` works for authenticating against local, Active Directory accounts. Before you follow the instructions to [upload the polices](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies), do the following:
|
||||
|
||||
1. To export the `email` claim, modify the `SignUpOrSignin.xml`. Replace the following line:
|
||||
|
||||
|
@ -251,7 +251,7 @@ but `LocalAccounts` works for authenticating against local, Active Directory acc
|
|||
|
||||
1. For OIDC discovery to work with B2C, the policy must be configured with an issuer compatible with the
|
||||
[OIDC specification](https://openid.net/specs/openid-connect-discovery-1_0.html#rfc.section.4.3).
|
||||
See the [token compatibility settings](https://docs.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-compatibility-settings).
|
||||
See the [token compatibility settings](https://learn.microsoft.com/en-us/azure/active-directory-b2c/configure-tokens?pivots=b2c-custom-policy#token-compatibility-settings).
|
||||
In `TrustFrameworkBase.xml` under `JwtIssuer`, set `IssuanceClaimPattern` to `AuthorityWithTfp`:
|
||||
|
||||
```xml
|
||||
|
@ -267,7 +267,7 @@ but `LocalAccounts` works for authenticating against local, Active Directory acc
|
|||
...
|
||||
```
|
||||
|
||||
1. Now [upload the policy](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies). Overwrite
|
||||
1. Now [upload the policy](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#upload-the-policies). Overwrite
|
||||
the existing files if you are updating an existing policy.
|
||||
|
||||
1. Determine the issuer URL using the sign-in policy. The issuer URL is in the form:
|
||||
|
@ -326,10 +326,10 @@ The trailing forward slash is required.
|
|||
|
||||
- Ensure all occurrences of `yourtenant.onmicrosoft.com`, `ProxyIdentityExperienceFrameworkAppId`, and `IdentityExperienceFrameworkAppId` match your B2C tenant hostname and
|
||||
the respective client IDs in the XML policy files.
|
||||
- Add `https://jwt.ms` as a redirect URI to the app, and use the [custom policy tester](https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#test-the-custom-policy).
|
||||
- Add `https://jwt.ms` as a redirect URI to the app, and use the [custom policy tester](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#test-the-custom-policy).
|
||||
Make sure the payload includes `email` that matches the user's email access.
|
||||
- After you enable the custom policy, users might see "Invalid username or password" after they try to sign in. This might be a configuration
|
||||
issue with the `IdentityExperienceFramework` app. See [this Microsoft comment](https://docs.microsoft.com/en-us/answers/questions/50355/unable-to-sign-on-using-custom-policy.html?childToView=122370#comment-122370)
|
||||
issue with the `IdentityExperienceFramework` app. See [this Microsoft comment](https://learn.microsoft.com/en-us/answers/questions/50355/unable-to-sign-on-using-custom-policy.html?childToView=122370#comment-122370)
|
||||
that suggests checking that the app manifest contains these settings:
|
||||
|
||||
- `"accessTokenAcceptedVersion": null`
|
||||
|
|
|
@ -340,7 +340,7 @@ with the **secondary** site:
|
|||
1. Promote the replica database associated with the **secondary** site. This
|
||||
sets the database to read-write. The instructions vary depending on where your database is hosted:
|
||||
- [Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Promote)
|
||||
- [Azure PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
|
||||
- [Azure PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
|
||||
- [Google Cloud SQL](https://cloud.google.com/sql/docs/mysql/replication/manage-replicas#promote-replica)
|
||||
- For other external PostgreSQL databases, save the following script in your
|
||||
secondary site, for example `/tmp/geo_promote.sh`, and modify the connection
|
||||
|
@ -411,7 +411,7 @@ required:
|
|||
1. Promote the replica database associated with the **secondary** site. This
|
||||
sets the database to read-write. The instructions vary depending on where your database is hosted:
|
||||
- [Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Promote)
|
||||
- [Azure PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
|
||||
- [Azure PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal#stop-replication)
|
||||
- [Google Cloud SQL](https://cloud.google.com/sql/docs/mysql/replication/manage-replicas#promote-replica)
|
||||
- For other external PostgreSQL databases, save the following script in your
|
||||
secondary site, for example `/tmp/geo_promote.sh`, and modify the connection
|
||||
|
|
|
@ -76,7 +76,7 @@ The following instructions detail how to create a read-only replica for common
|
|||
cloud providers:
|
||||
|
||||
- Amazon RDS - [Creating a Read Replica](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ReadRepl.html#USER_ReadRepl.Create)
|
||||
- Azure Database for PostgreSQL - [Create and manage read replicas in Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal)
|
||||
- Azure Database for PostgreSQL - [Create and manage read replicas in Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-read-replicas-portal)
|
||||
- Google Cloud SQL - [Creating read replicas](https://cloud.google.com/sql/docs/postgres/replication/create-replica)
|
||||
|
||||
Once your read-only replica is set up, you can skip to [configure your secondary site](#configure-secondary-site-to-use-the-external-read-replica)
|
||||
|
@ -195,7 +195,7 @@ to grant additional roles to your tracking database user (by default, this is
|
|||
`gitlab_geo`):
|
||||
|
||||
- Amazon RDS requires the [`rds_superuser`](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html#Appendix.PostgreSQL.CommonDBATasks.Roles) role.
|
||||
- Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role.
|
||||
- Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role.
|
||||
- Google Cloud SQL requires the [`cloudsqlsuperuser`](https://cloud.google.com/sql/docs/postgres/users#default-users) role.
|
||||
|
||||
This is for the installation of extensions during installation and upgrades. As an alternative,
|
||||
|
|
|
@ -775,7 +775,7 @@ mailboxes.
|
|||
To configure GitLab for Microsoft Graph, you will need to register an
|
||||
OAuth2 application in your Azure Active Directory that has the
|
||||
`Mail.ReadWrite` permission for all mailboxes. See the [MailRoom step-by-step guide](https://github.com/tpitale/mail_room/#microsoft-graph-configuration)
|
||||
and [Microsoft instructions](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
|
||||
and [Microsoft instructions](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
|
||||
for more details.
|
||||
|
||||
Record the following when you configure your OAuth2 application:
|
||||
|
@ -792,7 +792,7 @@ to read/write mail in *all* mailboxes.
|
|||
|
||||
To mitigate security concerns, we recommend configuring an application access
|
||||
policy which limits the mailbox access for all accounts, as described in
|
||||
[Microsoft documentation](https://docs.microsoft.com/en-us/graph/auth-limit-mailbox-access).
|
||||
[Microsoft documentation](https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access).
|
||||
|
||||
This example for Omnibus GitLab assumes you're using the following mailbox: `incoming@example.onmicrosoft.com`:
|
||||
|
||||
|
@ -822,7 +822,7 @@ gitlab_rails['incoming_email_inbox_options'] = {
|
|||
}
|
||||
```
|
||||
|
||||
For Microsoft Cloud for US Government or [other Azure deployments](https://docs.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
|
||||
For Microsoft Cloud for US Government or [other Azure deployments](https://learn.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
|
||||
|
||||
- Example for Microsoft Cloud for US Government:
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ documentation for some popular browsers.
|
|||
- [Network Monitor - Firefox Developer Tools](https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor)
|
||||
- [Inspect Network Activity In Chrome DevTools](https://developer.chrome.com/docs/devtools/network/)
|
||||
- [Safari Web Development Tools](https://developer.apple.com/safari/tools/)
|
||||
- [Microsoft Edge Network panel](https://docs.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/network/)
|
||||
- [Microsoft Edge Network panel](https://learn.microsoft.com/en-us/microsoft-edge/devtools-guide-chromium/network/)
|
||||
|
||||
To locate a relevant request and view its correlation ID:
|
||||
|
||||
|
|
|
@ -20,7 +20,7 @@ GitLab has been tested by vendors and customers on a number of object storage pr
|
|||
- [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
|
||||
- [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
|
||||
- [OpenStack Swift (S3 compatible mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
|
||||
- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- On-premises hardware and appliances from various storage vendors, whose list is not officially established.
|
||||
- MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
|
||||
|
||||
|
@ -342,7 +342,7 @@ containers. The [storage-specific form](#storage-specific-configuration)
|
|||
is not supported. For more details, see [how to transition to consolidated form](#transition-to-consolidated-form).
|
||||
|
||||
The following are the valid connection parameters for Azure. Read the
|
||||
[Azure Blob storage documentation](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
[Azure Blob storage documentation](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
to learn more.
|
||||
|
||||
| Setting | Description | Example |
|
||||
|
|
|
@ -21,7 +21,7 @@ If you use a cloud-managed service, or provide your own PostgreSQL instance:
|
|||
1. If you are using a cloud-managed service, you may need to grant additional
|
||||
roles to your `gitlab` user:
|
||||
- Amazon RDS requires the [`rds_superuser`](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.PostgreSQL.CommonDBATasks.html#Appendix.PostgreSQL.CommonDBATasks.Roles) role.
|
||||
- Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://docs.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role. Azure Database for PostgreSQL - Flexible Server requires [allow-listing extensions before they can be installed](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions).
|
||||
- Azure Database for PostgreSQL requires the [`azure_pg_admin`](https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-create-users#how-to-create-additional-admin-users-in-azure-database-for-postgresql) role. Azure Database for PostgreSQL - Flexible Server requires [allow-listing extensions before they can be installed](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions).
|
||||
- Google Cloud SQL requires the [`cloudsqlsuperuser`](https://cloud.google.com/sql/docs/postgres/users#default-users) role.
|
||||
|
||||
This is for the installation of extensions during installation and upgrades. As an alternative,
|
||||
|
|
|
@ -163,8 +163,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
|
|||
Be aware of the following specific call outs:
|
||||
|
||||
- [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
|
||||
- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
|
||||
### Praefect PostgreSQL
|
||||
|
||||
|
@ -2198,7 +2198,7 @@ GitLab has been tested on a number of object storage providers:
|
|||
- [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
|
||||
- [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
|
||||
- [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
|
||||
- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
|
||||
|
||||
There are two ways of specifying object storage configuration in GitLab:
|
||||
|
|
|
@ -87,8 +87,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
|
|||
Be aware of the following specific call outs:
|
||||
|
||||
- [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
|
||||
- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
|
||||
### Swap
|
||||
|
||||
|
|
|
@ -163,8 +163,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
|
|||
Be aware of the following specific call outs:
|
||||
|
||||
- [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
|
||||
- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
|
||||
### Praefect PostgreSQL
|
||||
|
||||
|
@ -2201,7 +2201,7 @@ GitLab has been tested on a number of object storage providers:
|
|||
- [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
|
||||
- [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
|
||||
- [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
|
||||
- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
|
||||
|
||||
There are two ways of specifying object storage configuration in GitLab:
|
||||
|
|
|
@ -99,8 +99,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
|
|||
Be aware of the following specific call outs:
|
||||
|
||||
- [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
|
||||
- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
|
||||
## Setup components
|
||||
|
||||
|
@ -908,7 +908,7 @@ GitLab has been tested on a number of object storage providers:
|
|||
- [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
|
||||
- [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
|
||||
- [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
|
||||
- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
|
||||
|
||||
There are two ways of specifying object storage configuration in GitLab:
|
||||
|
|
|
@ -169,8 +169,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
|
|||
Be aware of the following specific call outs:
|
||||
|
||||
- [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
|
||||
- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
|
||||
### Praefect PostgreSQL
|
||||
|
||||
|
@ -2139,7 +2139,7 @@ GitLab has been tested on a number of object storage providers:
|
|||
- [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
|
||||
- [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
|
||||
- [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
|
||||
- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
|
||||
|
||||
There are two ways of specifying object storage configuration in GitLab:
|
||||
|
|
|
@ -163,8 +163,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
|
|||
Be aware of the following specific call outs:
|
||||
|
||||
- [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
|
||||
- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
|
||||
### Praefect PostgreSQL
|
||||
|
||||
|
@ -2218,7 +2218,7 @@ GitLab has been tested on a number of object storage providers:
|
|||
- [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
|
||||
- [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
|
||||
- [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
|
||||
- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
|
||||
|
||||
There are two ways of specifying object storage configuration in GitLab:
|
||||
|
|
|
@ -166,8 +166,8 @@ As a general guidance, GitLab should run on most infrastructure such as reputabl
|
|||
Be aware of the following specific call outs:
|
||||
|
||||
- [Amazon Aurora](https://aws.amazon.com/rds/aurora/) is incompatible. See [14.4.0](../../update/index.md#1440) for more details.
|
||||
- [Azure Database for PostgreSQL](https://docs.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
- [Azure Database for PostgreSQL](https://learn.microsoft.com/en-us/azure/postgresql/#:~:text=Azure%20Database%20for%20PostgreSQL%20is,high%20availability%2C%20and%20dynamic%20scalability.) is [not recommended](https://gitlab.com/gitlab-org/quality/reference-architectures/-/issues/61) due to known performance issues or missing features.
|
||||
- [Azure Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/) is recommended to be configured with [Premium accounts](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-block-blob-premium) to ensure consistent performance.
|
||||
|
||||
### Praefect PostgreSQL
|
||||
|
||||
|
@ -2137,7 +2137,7 @@ GitLab has been tested on a number of object storage providers:
|
|||
- [Digital Ocean Spaces](https://www.digitalocean.com/products/spaces)
|
||||
- [Oracle Cloud Infrastructure](https://docs.cloud.oracle.com/en-us/iaas/Content/Object/Tasks/s3compatibleapi.htm)
|
||||
- [OpenStack Swift (S3 compatibility mode)](https://docs.openstack.org/swift/latest/s3_compat.html)
|
||||
- [Azure Blob storage](https://docs.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- [Azure Blob storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction)
|
||||
- MinIO. We have [a guide to deploying this](https://docs.gitlab.com/charts/advanced/external-object-storage/minio.html) within our Helm Chart documentation.
|
||||
|
||||
There are two ways of specifying object storage configuration in GitLab:
|
||||
|
|
|
@ -109,7 +109,7 @@ This section is for links to information elsewhere in the GitLab documentation.
|
|||
|
||||
- Deploying PostgreSQL on Azure Database for PostgreSQL - Flexible Server may result in an error stating `extension "btree_gist" is not allow-listed for "azure_pg_admin" users in Azure Database for PostgreSQL`
|
||||
|
||||
To resolve the above error, [allow-list the extension](https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions) prior to install.
|
||||
To resolve the above error, [allow-list the extension](https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-extensions#how-to-use-postgresql-extensions) prior to install.
|
||||
|
||||
## Support topics
|
||||
|
||||
|
|
|
@ -8,10 +8,17 @@ info: To determine the technical writer assigned to the Stage/Group associated w
|
|||
|
||||
GitLab administrators can modify user settings for the entire GitLab instance.
|
||||
|
||||
## Prevent new users from creating top-level groups
|
||||
## Use configuration files to prevent new users from creating top-level groups
|
||||
|
||||
By default, new users can create top-level groups. To disable new users'
|
||||
ability to create top-level groups (does not affect existing users' setting):
|
||||
ability to create top-level groups (does not affect existing users' setting), GitLab administrators can modify this setting:
|
||||
|
||||
- In GitLab 15.5 and later, using either:
|
||||
- The [GitLab UI](../user/admin_area/settings/account_and_limit_settings.md#prevent-users-from-creating-top-level-groups).
|
||||
- The [application setting API](../api/settings.md#change-application-settings).
|
||||
- In GitLab 15.4 and earlier, in a configuration file by following the steps in this section.
|
||||
|
||||
To disable new users' ability to create top-level groups using the configuation file:
|
||||
|
||||
**Omnibus GitLab installations**
|
||||
|
||||
|
|
|
@ -216,7 +216,8 @@ Example response:
|
|||
"admin_mode": false,
|
||||
"external_pipeline_validation_service_timeout": null,
|
||||
"external_pipeline_validation_service_token": null,
|
||||
"external_pipeline_validation_service_url": null
|
||||
"external_pipeline_validation_service_url": null,
|
||||
"can_create_group": false
|
||||
}
|
||||
```
|
||||
|
||||
|
@ -266,6 +267,7 @@ listed in the descriptions of the relevant settings.
|
|||
| `auto_devops_domain` | string | no | Specify a domain to use by default for every project's Auto Review Apps and Auto Deploy stages. |
|
||||
| `auto_devops_enabled` | boolean | no | Enable Auto DevOps for projects by default. It automatically builds, tests, and deploys applications based on a predefined CI/CD configuration. |
|
||||
| `automatic_purchased_storage_allocation` | boolean | no | Enabling this permits automatic allocation of purchased storage in a namespace. |
|
||||
| `can_create_group` | boolean | no | Indicates whether users can create top-level groups. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5. Defaults to `true`. |
|
||||
| `check_namespace_plan` **(PREMIUM)** | boolean | no | Enabling this makes only licensed EE features available to projects if the project namespace's plan includes the feature or if the project is public. |
|
||||
| `commit_email_hostname` | string | no | Custom hostname (for private commit emails). |
|
||||
| `container_expiration_policies_enable_historic_entries` | boolean | no | Enable [cleanup policies](../user/packages/container_registry/reduce_container_registry_storage.md#enable-the-cleanup-policy) for all projects. |
|
||||
|
|
|
@ -16,7 +16,7 @@ Prerequisites:
|
|||
|
||||
- Access to an existing Azure Subscription with `Owner` access level.
|
||||
- Access to the corresponding Azure Active Directory Tenant with at least the `Application Developer` access level.
|
||||
- A local installation of the [Azure CLI](https://docs.microsoft.com/cli/azure/install-azure-cli).
|
||||
- A local installation of the [Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli).
|
||||
Alternatively, you can follow all the steps below with the [Azure Cloud Shell](https://shell.azure.com/).
|
||||
- A GitLab project.
|
||||
|
||||
|
@ -27,11 +27,11 @@ To complete this tutorial:
|
|||
1. [Grant permissions for the service principal](#grant-permissions-for-the-service-principal).
|
||||
1. [Retrieve a temporary credential](#retrieve-a-temporary-credential).
|
||||
|
||||
For more information, review Azure's documentation on [Workload identity federation](https://docs.microsoft.com/azure/active-directory/develop/workload-identity-federation).
|
||||
For more information, review Azure's documentation on [Workload identity federation](https://learn.microsoft.com/azure/active-directory/develop/workload-identity-federation).
|
||||
|
||||
## Create Azure AD application and service principal
|
||||
|
||||
To create an [Azure AD application](https://docs.microsoft.com/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create)
|
||||
To create an [Azure AD application](https://learn.microsoft.com/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create)
|
||||
and service principal:
|
||||
|
||||
1. In the Azure CLI, create the AD application:
|
||||
|
@ -43,13 +43,13 @@ and service principal:
|
|||
Save the `appId` (Application client ID) output, as you need it later
|
||||
to configure your GitLab CI/CD pipeline.
|
||||
|
||||
1. Create a corresponding [Service Principal](https://docs.microsoft.com/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create):
|
||||
1. Create a corresponding [Service Principal](https://learn.microsoft.com/cli/azure/ad/sp?view=azure-cli-latest#az-ad-sp-create):
|
||||
|
||||
```shell
|
||||
az ad sp create --id $appId --query appId -otsv
|
||||
```
|
||||
|
||||
Instead of the Azure CLI, you can [use the Azure Portal to create these resources](https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).
|
||||
Instead of the Azure CLI, you can [use the Azure Portal to create these resources](https://learn.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal).
|
||||
|
||||
## Create Azure AD federated identity credentials
|
||||
|
||||
|
@ -88,7 +88,7 @@ identity credentials from the Azure Portal:
|
|||
|
||||
## Grant permissions for the service principal
|
||||
|
||||
After you create the credentials, use [`role assignment`](https://docs.microsoft.com/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create)
|
||||
After you create the credentials, use [`role assignment`](https://learn.microsoft.com/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-create)
|
||||
to grant permissions to the above service principal to access to Azure resources:
|
||||
|
||||
```shell
|
||||
|
@ -97,13 +97,13 @@ az role assignment create --assignee $appId --role Reader --scope /subscriptions
|
|||
|
||||
You can find your subscription ID in:
|
||||
|
||||
- The [Azure Portal](https://docs.microsoft.com/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription).
|
||||
- The [Azure CLI](https://docs.microsoft.com/cli/azure/manage-azure-subscriptions-azure-cli#get-the-active-subscription).
|
||||
- The [Azure Portal](https://learn.microsoft.com/azure/azure-portal/get-subscription-tenant-id#find-your-azure-subscription).
|
||||
- The [Azure CLI](https://learn.microsoft.com/cli/azure/manage-azure-subscriptions-azure-cli#get-the-active-subscription).
|
||||
|
||||
## Retrieve a temporary credential
|
||||
|
||||
After you configure the Azure AD application and federated identity credentials,
|
||||
the CI/CD job can retrieve a temporary credential by using the [Azure CLI](https://docs.microsoft.com/cli/azure/reference-index?view=azure-cli-latest#az-login):
|
||||
the CI/CD job can retrieve a temporary credential by using the [Azure CLI](https://learn.microsoft.com/cli/azure/reference-index?view=azure-cli-latest#az-login):
|
||||
|
||||
```yaml
|
||||
default:
|
||||
|
@ -123,7 +123,7 @@ The CI/CD variables are:
|
|||
|
||||
- `AZURE_CLIENT_ID`: The [application client ID you saved earlier](#create-azure-ad-application-and-service-principal).
|
||||
- `AZURE_TENANT_ID`: Your Azure Active Directory. You can
|
||||
[find it by using the Azure CLI or Azure Portal](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant).
|
||||
[find it by using the Azure CLI or Azure Portal](https://learn.microsoft.com/azure/active-directory/fundamentals/active-directory-how-to-find-tenant).
|
||||
- `CI_JOB_JWT_V2`: The JSON web token is a [predefined CI/CD variable](../../variables/predefined_variables.md).
|
||||
|
||||
## Troubleshooting
|
||||
|
|
|
@ -19,7 +19,7 @@ In addition to this page, the following resources can help you craft and contrib
|
|||
- [Doc style and consistency testing](../testing.md)
|
||||
- [Guidelines for UI error messages](https://design.gitlab.com/content/error-messages/)
|
||||
- [GitLab Handbook style guidelines](https://about.gitlab.com/handbook/communication/#writing-style-guidelines)
|
||||
- [Microsoft Style Guide](https://docs.microsoft.com/en-us/style-guide/welcome/)
|
||||
- [Microsoft Style Guide](https://learn.microsoft.com/en-us/style-guide/welcome/)
|
||||
- [Google Developer Documentation Style Guide](https://developers.google.com/style)
|
||||
- [Recent updates to this guide](https://gitlab.com/dashboard/merge_requests?scope=all&state=merged&label_name[]=tw-style¬[label_name][]=docs%3A%3Afix)
|
||||
|
||||
|
@ -333,7 +333,7 @@ When possible, try to avoid acronyms in headings.
|
|||
|
||||
### Numbers
|
||||
|
||||
When using numbers in text, spell out zero through nine, and use numbers for 10 and greater. For details, see the [Microsoft Style Guide](https://docs.microsoft.com/en-us/style-guide/numbers).
|
||||
When using numbers in text, spell out zero through nine, and use numbers for 10 and greater. For details, see the [Microsoft Style Guide](https://learn.microsoft.com/en-us/style-guide/numbers).
|
||||
|
||||
## Text
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ recommends these word choices. In addition:
|
|||
|
||||
For guidance not on this page, we defer to these style guides:
|
||||
|
||||
- [Microsoft Style Guide](https://docs.microsoft.com/en-us/style-guide/welcome/)
|
||||
- [Microsoft Style Guide](https://learn.microsoft.com/en-us/style-guide/welcome/)
|
||||
- [Google Developer Documentation Style Guide](https://developers.google.com/style)
|
||||
|
||||
<!-- vale off -->
|
||||
|
@ -125,7 +125,7 @@ Instead of:
|
|||
- This feature enables users to add files to their repository.
|
||||
|
||||
This phrasing is more active and is from the user perspective, rather than the person who implemented the feature.
|
||||
[View details in the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/allow-allows).
|
||||
[View details in the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/allow-allows).
|
||||
|
||||
## Alpha
|
||||
|
||||
|
@ -141,7 +141,7 @@ Instead of **and/or**, use **or** or rewrite the sentence to spell out both opti
|
|||
## and so on
|
||||
|
||||
Do not use **and so on**. Instead, be more specific. For details, see
|
||||
[the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/and-so-on).
|
||||
[the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/a/and-so-on).
|
||||
|
||||
## area
|
||||
|
||||
|
@ -316,7 +316,7 @@ Do not use **Developer permissions**. A user who is assigned the Developer role
|
|||
|
||||
## disable
|
||||
|
||||
See [the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/d/disable-disabled) for guidance on **disable**.
|
||||
See [the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/d/disable-disabled) for guidance on **disable**.
|
||||
Use **inactive** or **off** instead. ([Vale](../testing.md#vale) rule: [`InclusionAbleism.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab/InclusionAbleism.yml))
|
||||
|
||||
## disallow
|
||||
|
@ -365,7 +365,7 @@ Do not use **e-mail** with a hyphen. When plural, use **emails** or **email mess
|
|||
|
||||
## enable
|
||||
|
||||
See [the Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/e/enable-enables) for guidance on **enable**.
|
||||
See [the Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/e/enable-enables) for guidance on **enable**.
|
||||
Use **active** or **on** instead. ([Vale](../testing.md#vale) rule: [`InclusionAbleism.yml`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/doc/.vale/gitlab/InclusionAbleism.yml))
|
||||
|
||||
## enter
|
||||
|
@ -818,7 +818,7 @@ Use lowercase for **personal access token**.
|
|||
|
||||
## please
|
||||
|
||||
Do not use **please**. For details, see the [Microsoft style guide](https://docs.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/p/please).
|
||||
Do not use **please**. For details, see the [Microsoft style guide](https://learn.microsoft.com/en-us/style-guide/a-z-word-list-term-collections/p/please).
|
||||
|
||||
## press
|
||||
|
||||
|
|
|
@ -180,7 +180,7 @@ Here are some examples to get you started:
|
|||
|
||||
As documented in the [Docker Official Images](https://github.com/docker-library/official-images#tags-and-aliases) project,
|
||||
it is strongly encouraged that version number tags be given aliases which allows the user to easily refer to the "most recent" release of a particular series.
|
||||
See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://docs.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images).
|
||||
See also [Docker Tagging: Best practices for tagging and versioning Docker images](https://learn.microsoft.com/en-us/archive/blogs/stevelasker/docker-tagging-best-practices-for-tagging-and-versioning-docker-images).
|
||||
|
||||
## Command line
|
||||
|
||||
|
|
|
@ -76,7 +76,7 @@ Build a Google Cloud image with the above shared runners repository by doing the
|
|||
1. Copy and save the password as it is not shown again.
|
||||
1. Select **RDP** down arrow.
|
||||
1. Select **Download the RDP file**.
|
||||
1. Open the downloaded RDP file with the Windows remote desktop app (<https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients>).
|
||||
1. Open the downloaded RDP file with the Windows remote desktop app (<https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-clients>).
|
||||
1. Select **Continue** to accept the certificate.
|
||||
1. Enter the password and select **Next**.
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ prompt, command shell, and command line). Here are some options:
|
|||
- [iTerm2](https://iterm2.com/). You can integrate it with [Zsh](https://git-scm.com/book/id/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Zsh) and [Oh My Zsh](https://ohmyz.sh/) for color highlighting and other advanced features.
|
||||
- For Windows users:
|
||||
- Built-in command line. On the Windows taskbar, select the search icon and type `cmd`.
|
||||
- [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/installing-windows-powershell?view=powershell-7).
|
||||
- [PowerShell](https://learn.microsoft.com/en-us/powershell/scripting/windows-powershell/install/installing-windows-powershell?view=powershell-7).
|
||||
- Git Bash. It is built into [Git for Windows](https://gitforwindows.org/).
|
||||
- For Linux users:
|
||||
- Built-in [Linux Terminal](https://ubuntu.com/tutorials/command-line-for-beginners#3-opening-a-terminal).
|
||||
|
|
|
@ -61,7 +61,7 @@ The first items you need to configure are the basic settings of the underlying v
|
|||
1. Enter a name for the VM, for example `GitLab`.
|
||||
1. Select a region.
|
||||
1. In **Availability options**, select **Availability zone** and set it to `1`.
|
||||
Read more about the [availability zones](https://docs.microsoft.com/en-us/azure/virtual-machines/availability).
|
||||
Read more about the [availability zones](https://learn.microsoft.com/en-us/azure/virtual-machines/availability).
|
||||
1. Ensure the selected image is set to **GitLab - Gen1**.
|
||||
1. Select the VM size based on the [hardware requirements](../requirements.md#hardware-requirements).
|
||||
Because the minimum system requirements to run a GitLab environment for up to 500 users
|
||||
|
@ -83,7 +83,7 @@ For the disks:
|
|||
1. For the OS disk type, select **Premium SSD**.
|
||||
1. Select the default encryption.
|
||||
|
||||
[Read more about the types of disks](https://docs.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview) that Azure provides.
|
||||
[Read more about the types of disks](https://learn.microsoft.com/en-us/azure/virtual-machines/managed-disks-overview) that Azure provides.
|
||||
|
||||
Review your settings, and then proceed to the Networking tab.
|
||||
|
||||
|
@ -159,7 +159,7 @@ to assign a descriptive DNS name to the VM:
|
|||
|
||||
Eventually, most users want to use their own domain name. For you to do this, you need to add a DNS `A` record
|
||||
with your domain registrar that points to the public IP address of your Azure VM.
|
||||
You can use [Azure's DNS](https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns)
|
||||
You can use [Azure's DNS](https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns)
|
||||
or some [other registrar](https://docs.gitlab.com/omnibus/settings/dns.html).
|
||||
|
||||
### Change the GitLab external URL
|
||||
|
@ -185,7 +185,7 @@ To set up the GitLab external URL:
|
|||
|
||||
NOTE:
|
||||
If you need to reset your credentials, read
|
||||
[how to reset SSH credentials for a user on an Azure VM](https://docs.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection#reset-ssh-credentials-for-a-user).
|
||||
[how to reset SSH credentials for a user on an Azure VM](https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/troubleshoot-ssh-connection#reset-ssh-credentials-for-a-user).
|
||||
|
||||
1. Open `/etc/gitlab/gitlab.rb` with your editor.
|
||||
1. Find `external_url` and replace it with your own domain name. For the sake
|
||||
|
|
|
@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
|
|||
|
||||
You can enable the Microsoft Azure OAuth 2.0 OmniAuth provider and sign in to
|
||||
GitLab with your Microsoft Azure credentials. You can configure the provider that uses
|
||||
[the earlier Azure Active Directory v1.0 endpoint](https://docs.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code),
|
||||
[the earlier Azure Active Directory v1.0 endpoint](https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-protocols-oauth-code),
|
||||
or the provider that uses the v2.0 endpoint.
|
||||
|
||||
NOTE:
|
||||
|
@ -23,7 +23,7 @@ an Azure application and get a client ID and secret key.
|
|||
|
||||
1. Sign in to the [Azure portal](https://portal.azure.com).
|
||||
1. If you have multiple Azure Active Directory tenants, switch to the desired tenant. Note the tenant ID.
|
||||
1. [Register an application](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
|
||||
1. [Register an application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app)
|
||||
and provide the following information:
|
||||
- The redirect URI, which requires the URL of the Azure OAuth callback of your GitLab
|
||||
installation. For example:
|
||||
|
@ -33,7 +33,7 @@ an Azure application and get a client ID and secret key.
|
|||
1. Save the client ID and client secret. The client secret is only
|
||||
displayed once.
|
||||
|
||||
If required, you can [create a new application secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
|
||||
If required, you can [create a new application secret](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#option-2-create-a-new-application-secret).
|
||||
|
||||
`client ID` and `client secret` are terms associated with OAuth 2.0.
|
||||
In some Microsoft documentation, the terms are named `Application ID` and
|
||||
|
@ -41,7 +41,7 @@ In some Microsoft documentation, the terms are named `Application ID` and
|
|||
|
||||
## Add API permissions (scopes)
|
||||
|
||||
If you're using the v2.0 endpoint, after you create the application, [configure it to expose a web API](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis).
|
||||
If you're using the v2.0 endpoint, after you create the application, [configure it to expose a web API](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis).
|
||||
Add the following delegated permissions under the Microsoft Graph API:
|
||||
|
||||
- `email`
|
||||
|
@ -107,7 +107,7 @@ Alternatively, add the `User.Read.All` application permission.
|
|||
]
|
||||
```
|
||||
|
||||
For [alternative Azure clouds](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
|
||||
For [alternative Azure clouds](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
|
||||
configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):
|
||||
|
||||
```ruby
|
||||
|
@ -147,7 +147,7 @@ Alternatively, add the `User.Read.All` application permission.
|
|||
tenant_id: "<tenant_id>" } }
|
||||
```
|
||||
|
||||
For [alternative Azure clouds](https://docs.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
|
||||
For [alternative Azure clouds](https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-national-cloud),
|
||||
configure `base_azure_url` under the `args` section. For example, for Azure Government Community Cloud (GCC):
|
||||
|
||||
```yaml
|
||||
|
@ -159,7 +159,7 @@ Alternatively, add the `User.Read.All` application permission.
|
|||
base_azure_url: "https://login.microsoftonline.us" } }
|
||||
```
|
||||
|
||||
You can also optionally add the `scope` for [OAuth 2.0 scopes](https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) parameter to the `args` section. The default is `openid profile email`.
|
||||
You can also optionally add the `scope` for [OAuth 2.0 scopes](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) parameter to the `args` section. The default is `openid profile email`.
|
||||
|
||||
1. Save the configuration file.
|
||||
|
||||
|
|
|
@ -795,7 +795,7 @@ documentation on how to use SAML to sign in to GitLab.
|
|||
|
||||
Examples:
|
||||
|
||||
- [ADFS (Active Directory Federation Services)](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust)
|
||||
- [ADFS (Active Directory Federation Services)](https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust)
|
||||
- [Auth0](https://auth0.com/docs/authenticate/protocols/saml/saml-sso-integrations/configure-auth0-saml-identity-provider)
|
||||
|
||||
GitLab provides the following setup notes for guidance only.
|
||||
|
|
|
@ -288,6 +288,21 @@ When this ability is disabled, GitLab administrators can still use the
|
|||
[Admin Area](../index.md#administering-users) or the
|
||||
[API](../../../api/users.md#user-modification) to update usernames.
|
||||
|
||||
## Prevent users from creating top-level groups
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/367754) in GitLab 15.5.
|
||||
|
||||
By default, new users can create top-level groups. GitLab administrators can prevent users from creating top-level groups:
|
||||
|
||||
- In GitLab 15.5 and later, using either:
|
||||
- The GitLab UI using the steps in this section.
|
||||
- The [application setting API](../../../api/settings.md#change-application-settings).
|
||||
- In GitLab 15.4 and earlier, a [configuration file](../../../administration/user_settings.md#use-configuration-files-to-prevent-new-users-from-creating-top-level-groups).
|
||||
|
||||
1. On the top bar, select **Main menu > Admin**.
|
||||
1. On the left sidebar, select **Settings > General**, then expand **Account and limit**.
|
||||
1. Clear the **Allow users to create top-level groups** checkbox.
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### 413 Request Entity Too Large
|
||||
|
|
|
@ -41,4 +41,4 @@ the `Server` header.
|
|||
- [CWE](https://cwe.mitre.org/data/definitions/16.html)
|
||||
- [Apache ServerTokens](https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/)
|
||||
- [NGINX server_tokens](https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens)
|
||||
- [IIS 10 Remove Server Header](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes)
|
||||
- [IIS 10 Remove Server Header](https://learn.microsoft.com/en-us/iis/configuration/system.webserver/security/requestfiltering/#attributes)
|
||||
|
|
|
@ -42,4 +42,4 @@ indexing.
|
|||
- [CWE](https://cwe.mitre.org/data/definitions/548.html)
|
||||
- [Apache Options](https://httpd.apache.org/docs/2.4/mod/core.html#options)
|
||||
- [NGINX autoindex](https://nginx.org/en/docs/http/ngx_http_autoindex_module.html)
|
||||
- [IIS directoryBrowse element](https://docs.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)
|
||||
- [IIS directoryBrowse element](https://learn.microsoft.com/en-us/iis/configuration/system.webserver/directorybrowse)
|
||||
|
|
|
@ -237,7 +237,7 @@ table.supported-languages ul {
|
|||
<td>.NET</td>
|
||||
<td rowspan="2">All versions</td>
|
||||
<td rowspan="2"><a href="https://www.nuget.org/">NuGet</a></td>
|
||||
<td rowspan="2"><a href="https://docs.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file"><code>packages.lock.json</code></a></td>
|
||||
<td rowspan="2"><a href="https://learn.microsoft.com/en-us/nuget/consume-packages/package-references-in-project-files#enabling-lock-file"><code>packages.lock.json</code></a></td>
|
||||
<td rowspan="2">Y</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
|
|
@ -43,7 +43,7 @@ GitLab IaC scanning supports a variety of IaC configuration files. Our IaC secur
|
|||
| OpenAPI | [KICS](https://kics.io/) | 14.5 |
|
||||
| Terraform <sup>2</sup> | [KICS](https://kics.io/) | 14.5 |
|
||||
|
||||
1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://docs.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
|
||||
1. IaC scanning can analyze Azure Resource Manager templates in JSON format. If you write templates in the [Bicep](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/overview) language, you must use [the bicep CLI](https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-cli) to convert your Bicep files into JSON before GitLab IaC scanning can analyze them.
|
||||
1. Terraform modules in a custom registry are not scanned for vulnerabilities. You can follow [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/357004) for the proposed feature.
|
||||
|
||||
### Supported distributions
|
||||
|
|
|
@ -138,7 +138,7 @@ The following analyzers have multi-project support:
|
|||
#### Enable multi-project support for Security Code Scan
|
||||
|
||||
Multi-project support in the Security Code Scan requires a Solution (`.sln`) file in the root of
|
||||
the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://docs.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019).
|
||||
the repository. For details on the Solution format, see the Microsoft reference [Solution (`.sln`) file](https://learn.microsoft.com/en-us/visualstudio/extensibility/internals/solution-dot-sln-file?view=vs-2019).
|
||||
|
||||
### Supported distributions
|
||||
|
||||
|
|
|
@ -556,8 +556,8 @@ license_scanning:
|
|||
#### Using private NuGet registries
|
||||
|
||||
If you have a private NuGet registry you can add it as a source
|
||||
by adding it to the [`packageSources`](https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file#package-source-sections)
|
||||
section of a [`nuget.config`](https://docs.microsoft.com/en-us/nuget/reference/nuget-config-file) file.
|
||||
by adding it to the [`packageSources`](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file#package-source-sections)
|
||||
section of a [`nuget.config`](https://learn.microsoft.com/en-us/nuget/reference/nuget-config-file) file.
|
||||
|
||||
For example:
|
||||
|
||||
|
|
|
@ -166,7 +166,7 @@ If you have any questions on configuring the SAML app, please contact your provi
|
|||
|
||||
### Azure setup notes
|
||||
|
||||
Follow the Azure documentation on [configuring single sign-on to applications](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) with the notes below for consideration.
|
||||
Follow the Azure documentation on [configuring single sign-on to applications](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal) with the notes below for consideration.
|
||||
|
||||
<i class="fa fa-youtube-play youtube" aria-hidden="true"></i>
|
||||
For a demo of the Azure SAML setup including SCIM, see [SCIM Provisioning on Azure Using SAML SSO for Groups Demo](https://youtu.be/24-ZxmTeEBU).
|
||||
|
|
|
@ -50,7 +50,7 @@ Prerequisites:
|
|||
- [GitLab is configured](#configure-gitlab).
|
||||
|
||||
The SAML application created during [single sign-on](index.md) set up for
|
||||
[Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal)
|
||||
[Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/view-applications-portal)
|
||||
must be set up for SCIM. For an example, see [example configuration](example_saml_config.md#scim-mapping).
|
||||
|
||||
To configure Azure Active Directory for SCIM:
|
||||
|
|
|
@ -48,6 +48,9 @@ You cannot use group access tokens to create other group, project, or personal a
|
|||
Group access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
|
||||
configured for personal access tokens.
|
||||
|
||||
NOTE:
|
||||
Group access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../../development/fips_compliance.md) is enabled.
|
||||
|
||||
## Create a group access token using UI
|
||||
|
||||
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214045) in GitLab 14.7.
|
||||
|
|
|
@ -15,8 +15,8 @@ packages whenever you need to use them as a dependency.
|
|||
|
||||
The Package Registry works with:
|
||||
|
||||
- [NuGet CLI](https://docs.microsoft.com/en-us/nuget/reference/nuget-exe-cli-reference)
|
||||
- [.NET Core CLI](https://docs.microsoft.com/en-us/dotnet/core/tools/)
|
||||
- [NuGet CLI](https://learn.microsoft.com/en-us/nuget/reference/nuget-exe-cli-reference)
|
||||
- [.NET Core CLI](https://learn.microsoft.com/en-us/dotnet/core/tools/)
|
||||
- [Visual Studio](https://visualstudio.microsoft.com/vs/)
|
||||
|
||||
For documentation of the specific API endpoints that these
|
||||
|
@ -342,7 +342,7 @@ When publishing packages:
|
|||
|
||||
Prerequisites:
|
||||
|
||||
- [A NuGet package created with NuGet CLI](https://docs.microsoft.com/en-us/nuget/create-packages/creating-a-package).
|
||||
- [A NuGet package created with NuGet CLI](https://learn.microsoft.com/en-us/nuget/create-packages/creating-a-package).
|
||||
- Set a [project-level endpoint](#use-the-gitlab-endpoint-for-nuget-packages).
|
||||
|
||||
Publish a package by running this command:
|
||||
|
@ -358,7 +358,7 @@ nuget push <package_file> -Source <source_name>
|
|||
|
||||
Prerequisites:
|
||||
|
||||
- [A NuGet package created with .NET CLI](https://docs.microsoft.com/en-us/nuget/create-packages/creating-a-package-dotnet-cli).
|
||||
- [A NuGet package created with .NET CLI](https://learn.microsoft.com/en-us/nuget/create-packages/creating-a-package-dotnet-cli).
|
||||
- Set a [project-level endpoint](#use-the-gitlab-endpoint-for-nuget-packages).
|
||||
|
||||
Publish a package by running this command:
|
||||
|
|
|
@ -71,9 +71,9 @@ To access these project settings, you must be at least a maintainer on the relat
|
|||
|
||||
### Available rules
|
||||
|
||||
- `Number of duplicated assets to keep`. The number of duplicated assets to keep. Some package formats allow you
|
||||
- `Number of duplicated assets to keep`: The number of duplicated assets to keep. Some package formats allow you
|
||||
to upload more than one copy of an asset. You can limit the number of duplicated assets to keep and automatically
|
||||
delete the oldest assets once the limit is reached.
|
||||
delete the oldest assets once the limit is reached. Unique filenames, such as those produced by Maven snapshots, are not considered when evaluating the number of duplicated assets to keep.
|
||||
|
||||
### Set cleanup limits to conserve resources
|
||||
|
||||
|
|
|
@ -45,6 +45,9 @@ For examples of how you can use a personal access token to authenticate with the
|
|||
Alternately, GitLab administrators can use the API to create [impersonation tokens](../../api/index.md#impersonation-tokens).
|
||||
Use impersonation tokens to automate authentication as a specific user.
|
||||
|
||||
NOTE:
|
||||
Personal access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../development/fips_compliance.md) is enabled.
|
||||
|
||||
## Create a personal access token
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/348660) in GitLab 15.3, default expiration of 30 days is populated in the UI.
|
||||
|
|
|
@ -9,7 +9,7 @@ type: concepts
|
|||
|
||||
Team Foundation Server (TFS), renamed [Azure DevOps Server](https://azure.microsoft.com/en-us/services/devops/server/)
|
||||
in 2019, is a set of tools developed by Microsoft which also includes
|
||||
[Team Foundation Version Control](https://docs.microsoft.com/en-us/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops)
|
||||
[Team Foundation Version Control](https://learn.microsoft.com/en-us/azure/devops/repos/tfvc/what-is-tfvc?view=azure-devops)
|
||||
(TFVC), a centralized version control system similar to Git.
|
||||
|
||||
In this document, we focus on the TFVC to Git migration.
|
||||
|
@ -28,7 +28,7 @@ The main differences between TFVC and Git are:
|
|||
|
||||
For more information, see:
|
||||
|
||||
- Microsoft's [comparison of Git and TFVC](https://docs.microsoft.com/en-us/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops).
|
||||
- Microsoft's [comparison of Git and TFVC](https://learn.microsoft.com/en-us/azure/devops/repos/tfvc/comparison-git-tfvc?view=azure-devops).
|
||||
- The Wikipedia [comparison of version control software](https://en.wikipedia.org/wiki/Comparison_of_version_control_software).
|
||||
|
||||
## Why migrate
|
||||
|
|
|
@ -58,4 +58,4 @@ GitLab to send the notifications:
|
|||
|
||||
## Related topics
|
||||
|
||||
- [Setting up an incoming webhook on Microsoft Teams](https://docs.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using#setting-up-a-custom-incoming-webhook).
|
||||
- [Setting up an incoming webhook on Microsoft Teams](https://learn.microsoft.com/en-us/microsoftteams/platform/webhooks-and-connectors/how-to/connectors-using#setting-up-a-custom-incoming-webhook).
|
||||
|
|
|
@ -44,7 +44,7 @@ for the most popular hosting services:
|
|||
- [Hostgator](https://www.hostgator.com/help/article/changing-dns-records)
|
||||
- [Inmotion hosting](https://www.bluehost.com/help/article/dns-management-add-edit-or-delete-dns-entries)
|
||||
- [Media Temple](https://mediatemple.net/community/products/dv/204403794/how-can-i-change-the-dns-records-for-my-domain)
|
||||
- [Microsoft](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727018(v=technet.10))
|
||||
- [Microsoft](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb727018(v=technet.10))
|
||||
- [Namecheap](https://www.namecheap.com/support/knowledgebase/subcategory/2237/host-records-setup/)
|
||||
|
||||
<!-- vale gitlab.Spelling = YES -->
|
||||
|
|
|
@ -264,7 +264,7 @@ Graph API instead of IMAP. Follow the [documentation in the incoming email secti
|
|||
}
|
||||
```
|
||||
|
||||
For Microsoft Cloud for US Government or [other Azure deployments](https://docs.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
|
||||
For Microsoft Cloud for US Government or [other Azure deployments](https://learn.microsoft.com/en-us/graph/deployments), configure the `azure_ad_endpoint` and `graph_endpoint` settings.
|
||||
|
||||
- Example for Microsoft Cloud for US Government:
|
||||
|
||||
|
|
|
@ -48,6 +48,9 @@ You cannot use project access tokens to create other group, project, or personal
|
|||
Project access tokens inherit the [default prefix setting](../../admin_area/settings/account_and_limit_settings.md#personal-access-token-prefix)
|
||||
configured for personal access tokens.
|
||||
|
||||
NOTE:
|
||||
Project access tokens are not FIPS compliant and creation and use are disabled when [FIPS mode](../../../development/fips_compliance.md) is enabled.
|
||||
|
||||
## Create a project access token
|
||||
|
||||
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89114) in GitLab 15.1, Owners can select Owner role for project access tokens.
|
||||
|
|
|
@ -408,8 +408,8 @@ If you are using [EGit](https://www.eclipse.org/egit/), you can [add your SSH ke
|
|||
|
||||
## Use SSH on Microsoft Windows
|
||||
|
||||
If you're running Windows 10, you can either use the [Windows Subsystem for Linux (WSL)](https://docs.microsoft.com/en-us/windows/wsl/install)
|
||||
with [WSL 2](https://docs.microsoft.com/en-us/windows/wsl/install#update-to-wsl-2) which
|
||||
If you're running Windows 10, you can either use the [Windows Subsystem for Linux (WSL)](https://learn.microsoft.com/en-us/windows/wsl/install)
|
||||
with [WSL 2](https://learn.microsoft.com/en-us/windows/wsl/install#update-to-wsl-2) which
|
||||
has both `git` and `ssh` preinstalled, or install [Git for Windows](https://gitforwindows.org) to
|
||||
use SSH through PowerShell.
|
||||
|
||||
|
@ -421,7 +421,7 @@ as both have a different home directory:
|
|||
|
||||
You can either copy over the `.ssh/` directory to use the same key, or generate a key in each environment.
|
||||
|
||||
If you're running Windows 11 and using [OpenSSH for Windows](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview), ensure the `HOME`
|
||||
If you're running Windows 11 and using [OpenSSH for Windows](https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview), ensure the `HOME`
|
||||
environment variable is set correctly. Otherwise, your private SSH key might not be found.
|
||||
|
||||
Alternative tools include:
|
||||
|
|
|
@ -22,7 +22,7 @@ module BulkImports
|
|||
wiki = context.portable.wiki
|
||||
url = data[:url].sub("://", "://oauth2:#{context.configuration.access_token}@")
|
||||
|
||||
Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
|
||||
Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
|
||||
|
||||
wiki.ensure_repository
|
||||
wiki.repository.fetch_as_mirror(url)
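Review bot: The URL handed to `Gitlab::UrlBlocker.validate!` already carries `oauth2:<access_token>@` from the `sub` on the line above, so any rejection that is logged or re-raised together with the URL would expose the import token; the same holds for the project repository hunk below. Whether the blocker's errors echo the URL is not visible here, so I would confirm that and add `# url embeds the access token; never log or re-raise it verbatim` above the call. The literal `%w[http https]` is also repeated in this hunk, the project repository hunk and the snippet hunk; a shared `ALLOWED_SCHEMES = %w[http https].freeze` would keep the three call sites from drifting. The enclosing method starts and ends outside the hunk.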
|
||||
|
|
|
@ -21,7 +21,7 @@ module BulkImports
|
|||
url = url.sub("://", "://oauth2:#{context.configuration.access_token}@")
|
||||
project = context.portable
|
||||
|
||||
Gitlab::UrlBlocker.validate!(url, allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
|
||||
Gitlab::UrlBlocker.validate!(url, schemes: %w[http https], allow_local_network: allow_local_requests?, allow_localhost: allow_local_requests?)
|
||||
|
||||
project.ensure_repository
|
||||
project.repository.fetch_as_mirror(url)
|
||||
|
|
|
@ -55,7 +55,9 @@ module BulkImports
|
|||
Gitlab::UrlBlocker.validate!(
|
||||
url,
|
||||
allow_local_network: allow_local_requests?,
|
||||
allow_localhost: allow_local_requests?)
|
||||
allow_localhost: allow_local_requests?,
|
||||
schemes: %w[http https]
|
||||
)
|
||||
end
|
||||
|
||||
def cleanup_snippet_repository(snippet)
|
||||
|
|
|
@ -10,6 +10,7 @@ module ErrorTracking
|
|||
|
||||
Error = Class.new(StandardError)
|
||||
MissingKeysError = Class.new(StandardError)
|
||||
InvalidFieldValueError = Class.new(StandardError)
|
||||
ResponseInvalidSizeError = Class.new(StandardError)
|
||||
|
||||
RESPONSE_SIZE_LIMIT = 1.megabyte
|
||||
|
@ -110,5 +111,15 @@ module ErrorTracking
|
|||
def raise_error(message)
|
||||
raise SentryClient::Error, message
|
||||
end
|
||||
|
||||
def ensure_numeric!(field, value)
|
||||
return value if /\A\d+\z/.match?(value)
|
||||
|
||||
raise_invalid_field_value!(field, "#{value.inspect} is not numeric")
|
||||
end
|
||||
|
||||
def raise_invalid_field_value!(field, message)
|
||||
raise InvalidFieldValueError, %(Sentry API response contains invalid value for field "#{field}": #{message})
|
||||
end
|
||||
end
|
||||
end
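Review bot: `ensure_numeric!` passes `value` straight to `Regexp#match?`, which raises `TypeError` when given an Integer, so a response that carries the id as a JSON number would surface as `TypeError` rather than `InvalidFieldValueError`. Matching on the string form keeps every bad value on the one error path: `return value if /\A\d+\z/.match?(value.to_s)`. The `\A…\z` anchors are the right choice for a whole-string check. The callers of `ensure_numeric!` are outside this hunk, so which fields it guards should be confirmed there and stated in a one-line comment above the method.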
|
||||
|
|