kotovalexarian-likes-gitlab/gitlab-org--gitlab-foss
1
0
Fork 0
Code Releases Activity

Add latest changes from gitlab-org/gitlab@master

Browse source
This commit is contained in:
GitLab Bot 2022-06-20 06:09:26 +00:00
parent 82013498a3
commit 8ed964b660
10 changed files with 93 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
app/assets/javascripts/notes/components/discussion_filter_note.vue
View file

@ -39,8 +39,8 @@ export default {
</template> </template>
</gl-sprintf> </gl-sprintf>
</div> </div>
<div class="discussion-filter-actions mt-2"> <div class="discussion-filter-actions gl-mt-3 gl-display-flex">
<gl-button variant="default" @click="selectFilter(0)"> <gl-button variant="default" class="gl-mr-3" @click="selectFilter(0)">
{{ __('Show all activity') }} {{ __('Show all activity') }}
</gl-button> </gl-button>
<gl-button variant="default" @click="selectFilter(1)"> <gl-button variant="default" @click="selectFilter(1)">

1
app/models/terraform/state.rb
View file

@ -3,6 +3,7 @@
module Terraform module Terraform
class State < ApplicationRecord class State < ApplicationRecord
include UsageStatistics include UsageStatistics
include AfterCommitQueue
HEX_REGEXP = %r{\A\h+\z}.freeze HEX_REGEXP = %r{\A\h+\z}.freeze
UUID_LENGTH = 32 UUID_LENGTH = 32

6
app/services/terraform/states/trigger_destroy_service.rb
View file

@ -12,9 +12,11 @@ module Terraform
return unauthorized_response unless can_destroy_state? return unauthorized_response unless can_destroy_state?
return state_locked_response if state.locked? return state_locked_response if state.locked?
state.update!(deleted_at: Time.current) state.run_after_commit do
Terraform::States::DestroyWorker.perform_async(id)
end
Terraform::States::DestroyWorker.perform_async(state.id) state.update!(deleted_at: Time.current)
ServiceResponse.success ServiceResponse.success
end end

12
doc/ci/environments/index.md
View file

@ -642,6 +642,18 @@ To delete a stopped environment in the GitLab UI:
1. Next to the environment you want to delete, select **Delete environment**. 1. Next to the environment you want to delete, select **Delete environment**.
1. On the confirmation dialog box, select **Delete environment**. 1. On the confirmation dialog box, select **Delete environment**.
#### Delete an active environment without running a stop job
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225794) in GitLab 15.1.
You can delete an active environment without running a stop job.
This is useful when you have an active environment, but the corresponding `action: stop` job can't run or succeed for some reason.
To delete an active environment:
1. Execute the [Stop an environment API](../../api/environments.md#stop-an-environment) while specifying `force=true`.
1. Execute the [Delete an environment API](../../api/environments.md#delete-an-environment).
### Access an environment for preparation or verification purposes ### Access an environment for preparation or verification purposes
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/208655) in GitLab 13.2. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/208655) in GitLab 13.2.

15
doc/user/application_security/sast/index.md
View file

@ -75,24 +75,24 @@ GitLab SAST supports a variety of languages, package managers, and frameworks. O
You can also [view our language roadmap](https://about.gitlab.com/direction/secure/static-analysis/sast/#language-support) and [request other language support by opening an issue](https://gitlab.com/groups/gitlab-org/-/epics/297). You can also [view our language roadmap](https://about.gitlab.com/direction/secure/static-analysis/sast/#language-support) and [request other language support by opening an issue](https://gitlab.com/groups/gitlab-org/-/epics/297).
| Language (package managers) / framework | Scan tool | Introduced in GitLab Version | | Language (package managers) / framework | Scan tool | Introduced in GitLab Version |
|---------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------| |------------------------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
| .NET Core | [Security Code Scan](https://security-code-scan.github.io) | 11.0 | | .NET Core | [Security Code Scan](https://security-code-scan.github.io) | 11.0 |
| .NET Framework | [Security Code Scan](https://security-code-scan.github.io) | 13.0 | | .NET Framework<sup>1</sup> | [Security Code Scan](https://security-code-scan.github.io) | 13.0 |
| Apex (Salesforce) | [PMD](https://pmd.github.io/pmd/index.html) | 12.1 | | Apex (Salesforce) | [PMD](https://pmd.github.io/pmd/index.html) | 12.1 |
| C | [Semgrep](https://semgrep.dev) | 14.2 | | C | [Semgrep](https://semgrep.dev) | 14.2 |
| C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 | | C/C++ | [Flawfinder](https://github.com/david-a-wheeler/flawfinder) | 10.7 |
| Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 | | Elixir (Phoenix) | [Sobelow](https://github.com/nccgroup/sobelow) | 11.1 |
| Go | [Gosec](https://github.com/securego/gosec) | 10.7 | | Go | [Gosec](https://github.com/securego/gosec) | 10.7 |
| Go | [Semgrep](https://semgrep.dev) | 14.4 | | Go | [Semgrep](https://semgrep.dev) | 14.4 |
| Groovy ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) | | Groovy<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.3 (Gradle) & 11.9 (Ant, Maven, SBT) |
| Helm Charts | [Kubesec](https://github.com/controlplaneio/kubesec) | 13.1 | | Helm Charts | [Kubesec](https://github.com/controlplaneio/kubesec) | 13.1 |
| Java (any build system) | [Semgrep](https://semgrep.dev) | 14.10 | | Java (any build system) | [Semgrep](https://semgrep.dev) | 14.10 |
| Java ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) | | Java<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 10.6 (Maven), 10.8 (Gradle) & 11.9 (Ant, SBT) |
| Java (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | Java (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
| JavaScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 | | JavaScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.8 |
| JavaScript | [Semgrep](https://semgrep.dev) | 13.10 | | JavaScript | [Semgrep](https://semgrep.dev) | 13.10 |
| Kotlin (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | Kotlin (Android) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
| Kotlin (General) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 13.11 | | Kotlin (General)<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 13.11 |
| Kubernetes manifests | [Kubesec](https://github.com/controlplaneio/kubesec) | 12.6 | | Kubernetes manifests | [Kubesec](https://github.com/controlplaneio/kubesec) | 12.6 |
| Node.js | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) | 11.1 | | Node.js | [NodeJsScan](https://github.com/ajinabraham/NodeJsScan) | 11.1 |
| Objective-C (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | Objective-C (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
@ -103,12 +103,13 @@ You can also [view our language roadmap](https://about.gitlab.com/direction/secu
| React | [Semgrep](https://semgrep.dev) | 13.10 | | React | [Semgrep](https://semgrep.dev) | 13.10 |
| Ruby | [brakeman](https://brakemanscanner.org) | 13.9 | | Ruby | [brakeman](https://brakemanscanner.org) | 13.9 |
| Ruby on Rails | [brakeman](https://brakemanscanner.org) | 10.3 | | Ruby on Rails | [brakeman](https://brakemanscanner.org) | 10.3 |
| Scala ([Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/)) | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) | | Scala<sup>2</sup> | [SpotBugs](https://spotbugs.github.io/) with the [find-sec-bugs](https://find-sec-bugs.github.io/) plugin | 11.0 (SBT) & 11.9 (Ant, Gradle, Maven) |
| Swift (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 | | Swift (iOS) | [MobSF (beta)](https://github.com/MobSF/Mobile-Security-Framework-MobSF) | 13.5 |
| TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 | | TypeScript | [ESLint security plugin](https://github.com/nodesecurity/eslint-plugin-security) | 11.9, [merged](https://gitlab.com/gitlab-org/gitlab/-/issues/36059) with ESLint in 13.2 |
| TypeScript | [Semgrep](https://semgrep.dev) | 13.10 | | TypeScript | [Semgrep](https://semgrep.dev) | 13.10 |
Note that the Java analyzers can also be used for variants like the 1. .NET 4 support is limited. The analyzer runs in a Linux container and does not have access to Windows-specific libraries or features. We currently plan to [migrate C# coverage to Semgrep-based scanning](https://gitlab.com/gitlab-org/gitlab/-/issues/347258) to make it easier to scan C# projects.
1. The SpotBugs-based analyzer supports [Ant](https://ant.apache.org/), [Gradle](https://gradle.org/), [Maven](https://maven.apache.org/), and [SBT](https://www.scala-sbt.org/). It can also be used with variants like the
[Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html), [Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html),
[Grails](https://grails.org/), [Grails](https://grails.org/),
and the [Maven wrapper](https://github.com/takari/maven-wrapper). and the [Maven wrapper](https://github.com/takari/maven-wrapper).

2
lib/api/terraform/state.rb
View file

@ -81,7 +81,7 @@ module API
delete do delete do
authorize! :admin_terraform_state, user_project authorize! :admin_terraform_state, user_project
remote_state_handler.handle_with_lock do |state| remote_state_handler.find_with_lock do |state|
::Terraform::States::TriggerDestroyService.new(state, current_user: current_user).execute ::Terraform::States::TriggerDestroyService.new(state, current_user: current_user).execute
end end

22
lib/gitlab/auth.rb
View file

@ -217,7 +217,7 @@ module Gitlab
return unless valid_scoped_token?(token, all_available_scopes) return unless valid_scoped_token?(token, all_available_scopes)
if project && token.user.project_bot? if project && token.user.project_bot?
return unless token_bot_in_resource?(token.user, project) return unless can_read_project?(token.user, project)
end end
if token.user.can_log_in_with_non_expired_password? || token.user.project_bot? if token.user.can_log_in_with_non_expired_password? || token.user.project_bot?
@ -225,22 +225,8 @@ module Gitlab
end end
end end
def token_bot_in_project?(user, project) def can_read_project?(user, project)
project.bots.include?(user) user.can?(:read_project, project)
end
# rubocop: disable CodeReuse/ActiveRecord
# A workaround for adding group-level automation is to add the bot user of a project access token as a group member.
# In order to make project access tokens work this way during git authentication, we need to add an additional check for group membership.
# This is a temporary workaround until service accounts are implemented.
def token_bot_in_group?(user, project)
project.group && project.group.members_with_parents.where(user_id: user.id).exists?
end
# rubocop: enable CodeReuse/ActiveRecord
def token_bot_in_resource?(user, project)
token_bot_in_project?(user, project) || token_bot_in_group?(user, project)
end end
def valid_oauth_token?(token) def valid_oauth_token?(token)
@ -323,7 +309,7 @@ module Gitlab
return unless build.project.builds_enabled? return unless build.project.builds_enabled?
if build.user if build.user
return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && token_bot_in_resource?(build.user, build.project)) return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && can_read_project?(build.user, build.project))
# If user is assigned to build, use restricted credentials of user # If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities) Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)

23
qa/qa/specs/features/browser_ui/1_manage/login/2fa_recovery_spec.rb
View file

@ -1,10 +1,13 @@
# frozen_string_literal: true # frozen_string_literal: true
module QA module QA
RSpec.describe 'Manage', :requires_admin, :skip_live_env do RSpec.describe 'Manage', :requires_admin, :skip_live_env, :reliable do
describe '2FA' do describe '2FA' do
let(:owner_user) do let(:owner_user) do
Resource::User.fabricate_or_use(Runtime::Env.gitlab_qa_2fa_owner_username_1, Runtime::Env.gitlab_qa_2fa_owner_password_1) Resource::User.fabricate_or_use(
Runtime::Env.gitlab_qa_2fa_owner_username_1,
Runtime::Env.gitlab_qa_2fa_owner_password_1
)
end end
let(:developer_user) do let(:developer_user) do
@ -32,7 +35,10 @@ module QA
group.add_member(developer_user, Resource::Members::AccessLevel::DEVELOPER) group.add_member(developer_user, Resource::Members::AccessLevel::DEVELOPER)
end end
it 'allows using 2FA recovery code once only', testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347937' do it(
'allows using 2FA recovery code once only',
testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347937'
) do
recovery_code = enable_2fa_for_user_and_fetch_recovery_code(developer_user) recovery_code = enable_2fa_for_user_and_fetch_recovery_code(developer_user)
Flow::Login.sign_in(as: developer_user, skip_page_validation: true) Flow::Login.sign_in(as: developer_user, skip_page_validation: true)
@ -56,13 +62,6 @@ module QA
expect(page).to have_text('Invalid two-factor code') expect(page).to have_text('Invalid two-factor code')
end end
after do
group.set_require_two_factor_authentication(value: 'false')
group.remove_via_api!
sandbox_group.remove_via_api!
developer_user.remove_via_api!
end
def admin_api_client def admin_api_client
@admin_api_client ||= Runtime::API::Client.as_admin @admin_api_client ||= Runtime::API::Client.as_admin
end end
@ -74,9 +73,9 @@ module QA
def enable_2fa_for_user_and_fetch_recovery_code(user) def enable_2fa_for_user_and_fetch_recovery_code(user)
Flow::Login.while_signed_in(as: user) do Flow::Login.while_signed_in(as: user) do
Page::Profile::TwoFactorAuth.perform do |two_fa_auth| Page::Profile::TwoFactorAuth.perform do |two_fa_auth|
@otp = QA::Support::OTP.new(two_fa_auth.otp_secret_content) otp = QA::Support::OTP.new(two_fa_auth.otp_secret_content)
two_fa_auth.set_pin_code(@otp.fresh_otp) two_fa_auth.set_pin_code(otp.fresh_otp)
two_fa_auth.set_current_password(user.password) two_fa_auth.set_current_password(user.password)
two_fa_auth.click_register_2fa_app_button two_fa_auth.click_register_2fa_app_button

11
spec/lib/gitlab/auth_spec.rb
View file

@ -481,6 +481,17 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
end end
it_behaves_like 'with an invalid access token' it_behaves_like 'with an invalid access token'
context 'when the token belongs to a group via project share' do
let_it_be(:invited_group) { create(:group) }
before do
invited_group.add_maintainer(project_bot_user)
create(:project_group_link, group: invited_group, project: project)
end
it_behaves_like 'with a valid access token'
end
end end
end end
end end

13
spec/services/terraform/states/trigger_destroy_service_spec.rb
View file

@ -9,7 +9,9 @@ RSpec.describe Terraform::States::TriggerDestroyService do
describe '#execute', :aggregate_failures do describe '#execute', :aggregate_failures do
let_it_be(:state) { create(:terraform_state, project: project) } let_it_be(:state) { create(:terraform_state, project: project) }
subject { described_class.new(state, current_user: user).execute } let(:service) { described_class.new(state, current_user: user) }
subject { service.execute }
it 'marks the state as deleted and schedules a cleanup worker' do it 'marks the state as deleted and schedules a cleanup worker' do
expect(Terraform::States::DestroyWorker).to receive(:perform_async).with(state.id).once expect(Terraform::States::DestroyWorker).to receive(:perform_async).with(state.id).once
@ -18,6 +20,15 @@ RSpec.describe Terraform::States::TriggerDestroyService do
expect(state.deleted_at).to be_like_time(Time.current) expect(state.deleted_at).to be_like_time(Time.current)
end end
context 'within a database transaction' do
subject { state.with_lock { service.execute } }
it 'does not raise an EnqueueFromTransactionError' do
expect { subject }.not_to raise_error
expect(state.deleted_at).to be_like_time(Time.current)
end
end
shared_examples 'unable to delete state' do shared_examples 'unable to delete state' do
it 'does not modify the state' do it 'does not modify the state' do
expect(Terraform::States::DestroyWorker).not_to receive(:perform_async) expect(Terraform::States::DestroyWorker).not_to receive(:perform_async)