Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
82013498a3
commit
8ed964b660
|
@ -39,8 +39,8 @@ export default {
|
|||
</template>
|
||||
</gl-sprintf>
|
||||
</div>
|
||||
<div class="discussion-filter-actions mt-2">
|
||||
<gl-button variant="default" @click="selectFilter(0)">
|
||||
<div class="discussion-filter-actions gl-mt-3 gl-display-flex">
|
||||
<gl-button variant="default" class="gl-mr-3" @click="selectFilter(0)">
|
||||
{{ __('Show all activity') }}
|
||||
</gl-button>
|
||||
<gl-button variant="default" @click="selectFilter(1)">
|
||||
|
|
|
@ -3,6 +3,7 @@
|
|||
module Terraform
|
||||
class State < ApplicationRecord
|
||||
include UsageStatistics
|
||||
include AfterCommitQueue
|
||||
|
||||
HEX_REGEXP = %r{\A\h+\z}.freeze
|
||||
UUID_LENGTH = 32
|
||||
|
|
|
@ -12,9 +12,11 @@ module Terraform
|
|||
return unauthorized_response unless can_destroy_state?
|
||||
return state_locked_response if state.locked?
|
||||
|
||||
state.update!(deleted_at: Time.current)
|
||||
state.run_after_commit do
|
||||
Terraform::States::DestroyWorker.perform_async(id)
|
||||
end
|
||||
|
||||
Terraform::States::DestroyWorker.perform_async(state.id)
|
||||
state.update!(deleted_at: Time.current)
|
||||
|
||||
ServiceResponse.success
|
||||
end
|
||||
|
|
|
@ -642,6 +642,18 @@ To delete a stopped environment in the GitLab UI:
|
|||
1. Next to the environment you want to delete, select **Delete environment**.
|
||||
1. On the confirmation dialog box, select **Delete environment**.
|
||||
|
||||
#### Delete an active environment without running a stop job
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225794) in GitLab 15.1.
|
||||
|
||||
You can delete an active environment without running a stop job.
|
||||
This is useful when you have an active environment, but the corresponding `action: stop` job can't run or succeed for some reason.
|
||||
|
||||
To delete an active environment:
|
||||
|
||||
1. Execute the [Stop an environment API](../../api/environments.md#stop-an-environment) while specifying `force=true`.
|
||||
1. Execute the [Delete an environment API](../../api/environments.md#delete-an-environment).
|
||||
|
||||
### Access an environment for preparation or verification purposes
|
||||
|
||||
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/208655) in GitLab 13.2.
|
||||
|
|
|
@ -74,41 +74,42 @@ GitLab SAST supports a variety of languages, package managers, and frameworks. O
|
|||
|
||||
You can also [view our language roadmap](https://about.gitlab.com/direction/secure/static-analysis/sast/#language-support) and [request other language support by opening an issue](https://gitlab.com/groups/gitlab-org/-/epics/297).
|
||||
|
||||
| Language (package managers) / framework | Scan tool | Introduced in GitLab Version |
|
||||
|---------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
|
||||
| .NET Core | [Security Code Scan](https://security-code-scan.github.io) | 11.0 |
|
||||
| .NET Framework | [Security Code Scan](https://security-code-scan.github.io) | 13.0 |
|
||||
| Apex (Salesforce) | [PMD](https://pmd.github.io/pmd/index.html) | 12.1 |
|
||||
| C | [Semgrep](https://semgrep.dev) | 14.2 |
|
||||
| C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 |
|
||||
| Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 |
|
||||
| Go | [Gosec](https://github.com/securego/gosec) | 10.7 |
|
||||
| Go | [Semgrep](https://semgrep.dev) | 14.4 |
|
||||
| Groovy ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
|
||||
| Helm Charts | [Kubesec](https://github.com/controlplaneio/kubesec) | 13.1 |
|
||||
| Java (any build system) | [Semgrep](https://semgrep.dev) | 14.10 |
|
||||
| Java ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
|
||||
| Java (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| JavaScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 |
|
||||
| JavaScript | [Semgrep](https://semgrep.dev) | 13.10 |
|
||||
| Kotlin (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| Kotlin (General) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 13.11 |
|
||||
| Kubernetes manifests | [Kubesec](https://github.com/controlplaneio/kubesec) | 12.6 |
|
||||
| Node.js | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) | 11.1 |
|
||||
| Objective-C (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| PHP | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8 |
|
||||
| Python ([pip](https://pip.pypa.io/en/stable/)) | [bandit](https://github.com/PyCQA/bandit) | 10.3 |
|
||||
| Python | [Semgrep](https://semgrep.dev) | 13.9 |
|
||||
| React | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 |
|
||||
| React | [Semgrep](https://semgrep.dev) | 13.10 |
|
||||
| Ruby | [brakeman](https://brakemanscanner.org) | 13.9 |
|
||||
| Ruby on Rails | [brakeman](https://brakemanscanner.org) | 10.3 |
|
||||
| Scala ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
|
||||
| Swift (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
|
||||
| TypeScript | [Semgrep](https://semgrep.dev) | 13.10 |
|
||||
| Language (package managers) / framework | Scan tool | Introduced in GitLab Version |
|
||||
|------------------------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
|
||||
| .NET Core | [Security Code Scan](https://security-code-scan.github.io) | 11.0 |
|
||||
| .NET Framework<sup>1</sup> | [Security Code Scan](https://security-code-scan.github.io) | 13.0 |
|
||||
| Apex (Salesforce) | [PMD](https://pmd.github.io/pmd/index.html) | 12.1 |
|
||||
| C | [Semgrep](https://semgrep.dev) | 14.2 |
|
||||
| C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 |
|
||||
| Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 |
|
||||
| Go | [Gosec](https://github.com/securego/gosec) | 10.7 |
|
||||
| Go | [Semgrep](https://semgrep.dev) | 14.4 |
|
||||
| Groovy<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
|
||||
| Helm Charts | [Kubesec](https://github.com/controlplaneio/kubesec) | 13.1 |
|
||||
| Java (any build system) | [Semgrep](https://semgrep.dev) | 14.10 |
|
||||
| Java<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
|
||||
| Java (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| JavaScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 |
|
||||
| JavaScript | [Semgrep](https://semgrep.dev) | 13.10 |
|
||||
| Kotlin (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| Kotlin (General)<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 13.11 |
|
||||
| Kubernetes manifests | [Kubesec](https://github.com/controlplaneio/kubesec) | 12.6 |
|
||||
| Node.js | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) | 11.1 |
|
||||
| Objective-C (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| PHP | [phpcs-security-audit](https://github.com/FloeDesignTechnologies/phpcs-security-audit) | 10.8 |
|
||||
| Python ([pip](https://pip.pypa.io/en/stable/)) | [bandit](https://github.com/PyCQA/bandit) | 10.3 |
|
||||
| Python | [Semgrep](https://semgrep.dev) | 13.9 |
|
||||
| React | [ESLint react plugin](https://github.com/yannickcr/eslint-plugin-react) | 12.5 |
|
||||
| React | [Semgrep](https://semgrep.dev) | 13.10 |
|
||||
| Ruby | [brakeman](https://brakemanscanner.org) | 13.9 |
|
||||
| Ruby on Rails | [brakeman](https://brakemanscanner.org) | 10.3 |
|
||||
| Scala<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
|
||||
| Swift (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
|
||||
| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
|
||||
| TypeScript | [Semgrep](https://semgrep.dev) | 13.10 |
|
||||
|
||||
Note that the Java analyzers can also be used for variants like the
|
||||
1. .NET 4 support is limited. The analyzer runs in a Linux container and does not have access to Windows-specific libraries or features. We currently plan to [migrate C# coverage to Semgrep-based scanning](https://gitlab.com/gitlab-org/gitlab/-/issues/347258) to make it easier to scan C# projects.
|
||||
1. The SpotBugs-based analyzer supports [Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/). It can also be used with variants like the
|
||||
[Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html),
|
||||
[Grails](https://grails.org/),
|
||||
and the [Maven wrapper](https://github.com/takari/maven-wrapper).
|
||||
|
|
|
@ -81,7 +81,7 @@ module API
|
|||
delete do
|
||||
authorize! :admin_terraform_state, user_project
|
||||
|
||||
remote_state_handler.handle_with_lock do |state|
|
||||
remote_state_handler.find_with_lock do |state|
|
||||
::Terraform::States::TriggerDestroyService.new(state, current_user: current_user).execute
|
||||
end
|
||||
|
||||
|
|
|
@ -217,7 +217,7 @@ module Gitlab
|
|||
return unless valid_scoped_token?(token, all_available_scopes)
|
||||
|
||||
if project && token.user.project_bot?
|
||||
return unless token_bot_in_resource?(token.user, project)
|
||||
return unless can_read_project?(token.user, project)
|
||||
end
|
||||
|
||||
if token.user.can_log_in_with_non_expired_password? || token.user.project_bot?
|
||||
|
@ -225,22 +225,8 @@ module Gitlab
|
|||
end
|
||||
end
|
||||
|
||||
def token_bot_in_project?(user, project)
|
||||
project.bots.include?(user)
|
||||
end
|
||||
|
||||
# rubocop: disable CodeReuse/ActiveRecord
|
||||
|
||||
# A workaround for adding group-level automation is to add the bot user of a project access token as a group member.
|
||||
# In order to make project access tokens work this way during git authentication, we need to add an additional check for group membership.
|
||||
# This is a temporary workaround until service accounts are implemented.
|
||||
def token_bot_in_group?(user, project)
|
||||
project.group && project.group.members_with_parents.where(user_id: user.id).exists?
|
||||
end
|
||||
# rubocop: enable CodeReuse/ActiveRecord
|
||||
|
||||
def token_bot_in_resource?(user, project)
|
||||
token_bot_in_project?(user, project) || token_bot_in_group?(user, project)
|
||||
def can_read_project?(user, project)
|
||||
user.can?(:read_project, project)
|
||||
end
|
||||
|
||||
def valid_oauth_token?(token)
|
||||
|
@ -323,7 +309,7 @@ module Gitlab
|
|||
return unless build.project.builds_enabled?
|
||||
|
||||
if build.user
|
||||
return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && token_bot_in_resource?(build.user, build.project))
|
||||
return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && can_read_project?(build.user, build.project))
|
||||
|
||||
# If user is assigned to build, use restricted credentials of user
|
||||
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
|
||||
|
|
|
@ -1,10 +1,13 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module QA
|
||||
RSpec.describe 'Manage', :requires_admin, :skip_live_env do
|
||||
RSpec.describe 'Manage', :requires_admin, :skip_live_env, :reliable do
|
||||
describe '2FA' do
|
||||
let(:owner_user) do
|
||||
Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_2fa_owner_username_1, Runtime::Env.gitlab_qa_2fa_owner_password_1)
|
||||
Resource::User.fabricate_or_use(
|
||||
Runtime::Env.gitlab_qa_2fa_owner_username_1,
|
||||
Runtime::Env.gitlab_qa_2fa_owner_password_1
|
||||
)
|
||||
end
|
||||
|
||||
let(:developer_user) do
|
||||
|
@ -32,7 +35,10 @@ module QA
|
|||
group.add_member(developer_user, Resource::Members::AccessLevel::DEVELOPER)
|
||||
end
|
||||
|
||||
it 'allows using 2FA recovery code once only', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347937' do
|
||||
it(
|
||||
'allows using 2FA recovery code once only',
|
||||
testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347937'
|
||||
) do
|
||||
recovery_code = enable_2fa_for_user_and_fetch_recovery_code(developer_user)
|
||||
|
||||
Flow::Login.sign_in(as: developer_user, skip_page_validation: true)
|
||||
|
@ -56,13 +62,6 @@ module QA
|
|||
expect(page).to have_text('Invalid two-factor code')
|
||||
end
|
||||
|
||||
after do
|
||||
group.set_require_two_factor_authentication(value: 'false')
|
||||
group.remove_via_api!
|
||||
sandbox_group.remove_via_api!
|
||||
developer_user.remove_via_api!
|
||||
end
|
||||
|
||||
def admin_api_client
|
||||
@admin_api_client ||= Runtime::API::Client.as_admin
|
||||
end
|
||||
|
@ -74,9 +73,9 @@ module QA
|
|||
def enable_2fa_for_user_and_fetch_recovery_code(user)
|
||||
Flow::Login.while_signed_in(as: user) do
|
||||
Page::Profile::TwoFactorAuth.perform do |two_fa_auth|
|
||||
@otp = QA::Support::OTP.new(two_fa_auth.otp_secret_content)
|
||||
otp = QA::Support::OTP.new(two_fa_auth.otp_secret_content)
|
||||
|
||||
two_fa_auth.set_pin_code(@otp.fresh_otp)
|
||||
two_fa_auth.set_pin_code(otp.fresh_otp)
|
||||
two_fa_auth.set_current_password(user.password)
|
||||
two_fa_auth.click_register_2fa_app_button
|
||||
|
||||
|
|
|
@ -481,6 +481,17 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
|
|||
end
|
||||
|
||||
it_behaves_like 'with an invalid access token'
|
||||
|
||||
context 'when the token belongs to a group via project share' do
|
||||
let_it_be(:invited_group) { create(:group) }
|
||||
|
||||
before do
|
||||
invited_group.add_maintainer(project_bot_user)
|
||||
create(:project_group_link, group: invited_group, project: project)
|
||||
end
|
||||
|
||||
it_behaves_like 'with a valid access token'
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -9,7 +9,9 @@ RSpec.describe Terraform::States::TriggerDestroyService do
|
|||
describe '#execute', :aggregate_failures do
|
||||
let_it_be(:state) { create(:terraform_state, project: project) }
|
||||
|
||||
subject { described_class.new(state, current_user: user).execute }
|
||||
let(:service) { described_class.new(state, current_user: user) }
|
||||
|
||||
subject { service.execute }
|
||||
|
||||
it 'marks the state as deleted and schedules a cleanup worker' do
|
||||
expect(Terraform::States::DestroyWorker).to receive(:perform_async).with(state.id).once
|
||||
|
@ -18,6 +20,15 @@ RSpec.describe Terraform::States::TriggerDestroyService do
|
|||
expect(state.deleted_at).to be_like_time(Time.current)
|
||||
end
|
||||
|
||||
context 'within a database transaction' do
|
||||
subject { state.with_lock { service.execute } }
|
||||
|
||||
it 'does not raise an EnqueueFromTransactionError' do
|
||||
expect { subject }.not_to raise_error
|
||||
expect(state.deleted_at).to be_like_time(Time.current)
|
||||
end
|
||||
end
|
||||
|
||||
shared_examples 'unable to delete state' do
|
||||
it 'does not modify the state' do
|
||||
expect(Terraform::States::DestroyWorker).not_to receive(:perform_async)
|
||||
|
|
Loading…
Reference in New Issue