diff --git a/changelogs/unreleased/philipcunningham-add-backend-for-specifying-target-type-for-on-demand-294.yml b/changelogs/unreleased/philipcunningham-add-backend-for-specifying-target-type-for-on-demand-294.yml
new file mode 100644
index 00000000000..485a475a249
--- /dev/null
+++ b/changelogs/unreleased/philipcunningham-add-backend-for-specifying-target-type-for-on-demand-294.yml
@@ -0,0 +1,5 @@
+---
+title: Add target_type column to dast_site_profiles database table
+merge_request: 58723
+author:
+type: added
diff --git a/config/feature_flags/development/security_dast_site_profiles_api_option.yml b/config/feature_flags/development/security_dast_site_profiles_api_option.yml
new file mode 100644
index 00000000000..a92e761d3ce
--- /dev/null
+++ b/config/feature_flags/development/security_dast_site_profiles_api_option.yml
@@ -0,0 +1,8 @@
+---
+name: security_dast_site_profiles_api_option
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/58723
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/325130
+milestone: '13.12'
+type: development
+group: group::dynamic analysis
+default_enabled: false
diff --git a/db/migrate/20210407002511_add_type_to_dast_site_profile.rb b/db/migrate/20210407002511_add_type_to_dast_site_profile.rb
new file mode 100644
index 00000000000..99d9970a2a8
--- /dev/null
+++ b/db/migrate/20210407002511_add_type_to_dast_site_profile.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AddTypeToDastSiteProfile < ActiveRecord::Migration[6.0]
+ def change
+ add_column :dast_site_profiles, :target_type, :integer, limit: 2, default: 0, null: false
+ end
+end
diff --git a/db/schema_migrations/20210407002511 b/db/schema_migrations/20210407002511
new file mode 100644
index 00000000000..60a45fd29ec
--- /dev/null
+++ b/db/schema_migrations/20210407002511
@@ -0,0 +1 @@
+174d2c4dc57847060cb19405cc08fffd038c7bfbd4ad749e3e1eccf0e281230b
\ No newline at end of file
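Review bot: `add_column :dast_site_profiles, :target_type, :integer, limit: 2, default: 0, null: false` backfills every existing site profile with `0`, but nothing in the migration records which target type `0` denotes; the GraphQL reference in this same change lists `API` and `WEBSITE`, and the integer-to-name mapping presumably lives in the model enum, which is not in this diff. A one-line comment above the `add_column`, such as `# 0 is the enum value existing profiles keep (website, per the model enum) -- confirm before merging`, would keep the migration self-explanatory for whoever reads it without the model. Note also that the column is a bare smallint with no CHECK constraint, so any integer outside the enum is accepted at the database level and only writes that go through the Rails model are validated; if that is acceptable it is worth saying so in the same comment.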
diff --git a/db/structure.sql b/db/structure.sql
index 4855d94dbfa..db463645810 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -11861,6 +11861,7 @@ CREATE TABLE dast_site_profiles (
 auth_username_field text,
 auth_password_field text,
 auth_username text,
+ target_type smallint DEFAULT 0 NOT NULL,
 CONSTRAINT check_5203110fee CHECK ((char_length(auth_username_field) <= 255)),
 CONSTRAINT check_6cfab17b48 CHECK ((char_length(name) <= 255)),
 CONSTRAINT check_c329dffdba CHECK ((char_length(auth_password_field) <= 255)),
diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md
index a2547b9a691..e353346b0b1 100644
--- a/doc/api/graphql/reference/index.md
+++ b/doc/api/graphql/reference/index.md
@@ -2117,6 +2117,7 @@ Represents a DAST Site Profile.
 | `profileName` | [`String`](#string) | The name of the site profile. |
 | `referencedInSecurityPolicies` | [`[String!]`](#string) | List of security policy names that are referencing given project. |
 | `requestHeaders` | [`String`](#string) | Comma-separated list of request header names and values to be added to every request made by DAST. Will always return `null` if `security_dast_site_profiles_additional_fields` feature flag is disabled. |
+| `targetType` | [`DastTargetTypeEnum`](#dasttargettypeenum) | The type of target to be scanned. Will always return `null` if `security_dast_site_profiles_api_option` feature flag is disabled. |
 | `targetUrl` | [`String`](#string) | The URL of the target to be scanned. |
 | `userPermissions` | [`DastSiteProfilePermissions!`](#dastsiteprofilepermissions) | Permissions for the current user on the resource. |
 | `validationStatus` | [`DastSiteProfileValidationStatusEnum`](#dastsiteprofilevalidationstatusenum) | The current validation status of the site profile. |
@@ -7871,6 +7872,13 @@ Status of a container repository. | `HEADER` | Header validation. | | `TEXT_FILE` | Text file validation. | +### `DastTargetTypeEnum` + +| Value | Description | +| ----- | ----------- | +| `API` | API target. | +| `WEBSITE` | Website target. | + ### `DataVisualizationColorEnum` Color of the data visualization palette. diff --git a/doc/api/projects.md b/doc/api/projects.md index a6d7e538509..50c1356dfd8 100644 --- a/doc/api/projects.md +++ b/doc/api/projects.md @@ -1125,7 +1125,7 @@ POST /projects | `build_timeout` | integer | **{dotted-circle}** No | The maximum amount of time, in seconds, that a job can run. | | `builds_access_level` | string | **{dotted-circle}** No | One of `disabled`, `private`, or `enabled`. | | `ci_config_path` | string | **{dotted-circle}** No | The path to CI configuration file. | -| `container_expiration_policy_attributes` | hash | **{dotted-circle}** No | Update the image cleanup policy for this project. Accepts: `cadence` (string), `keep_n` (integer), `older_than` (string), `name_regex` (string), `name_regex_delete` (string), `name_regex_keep` (string), `enabled` (boolean). | +| `container_expiration_policy_attributes` | hash | **{dotted-circle}** No | Update the image cleanup policy for this project. Accepts: `cadence` (string), `keep_n` (integer), `older_than` (string), `name_regex` (string), `name_regex_delete` (string), `name_regex_keep` (string), `enabled` (boolean). Valid values for `cadence` are: `1d` (every day), `7d` (every week), `14d` (every two weeks), `1month` (every month), or `3month` (every quarter). | | `container_registry_enabled` | boolean | **{dotted-circle}** No | Enable container registry for this project. | | `default_branch` | string | **{dotted-circle}** No | The [default branch](../user/project/repository/branches/default.md) name. | | `description` | string | **{dotted-circle}** No | Short project description. | 
diff --git a/doc/ci/services/gitlab.md b/doc/ci/services/gitlab.md
index d9962d9d1f2..8a582cc87eb 100644
--- a/doc/ci/services/gitlab.md
+++ b/doc/ci/services/gitlab.md
@@ -5,40 +5,36 @@ info: To determine the technical writer assigned to the Stage/Group associated w type: reference --- -# Using GitLab +# Use GitLab as a microservice -As many applications depend on accessing JSON apis you eventually need them in order for your tests to run. -In this example we are providing GitLab as a Microservice to be accessible for API clients. -Below you are guided how to do this with the Docker executors of GitLab Runner. +Many applications need to access JSON APIs, so application tests might need access +to APIs too. The following example shows how to use GitLab as a microservice to give +tests access to the GitLab API. -## Use GitLab with the Docker executor +1. Configure a [runner](../runners/README.md) with the Docker or Kubernetes executor. +1. In your `.gitlab-ci.yml` add: -If you're using [GitLab Runner](../runners/README.md) with the Docker/Kubernetes executor, -you basically have everything set up already. + ```yaml + services: + - name: gitlab/gitlab-ce:latest + alias: gitlab -First, in your `.gitlab-ci.yml` add: + variables: + GITLAB_HTTPS: "false" # ensure that plain http works + GITLAB_ROOT_PASSWORD: "password" # to access the api with user root:password + ``` -```yaml -services: - - name: gitlab/gitlab-ce:latest - alias: gitlab +1. To set values for the `GITLAB_HTTPS` and `GITLAB_ROOT_PASSWORD`, + [assign them to a variable in the user interface](../variables/README.md#project-cicd-variables). + Then assign that variable to the corresponding variable in your + `.gitlab-ci.yml` file. + +Then, commands in `script:` sections in your `.gitlab-ci.yml` file can access the API at `http://gitlab/api/v4`. 
-variables: - GITLAB_HTTPS: "false" # ensure that plain http will work - GITLAB_ROOT_PASSWORD: "password" # in order to access the api with user root:password -``` - -To set values for the `GITLAB_HTTPS`, `GITLAB_ROOT_PASSWORD`, -[assign them to a variable in the user interface](../variables/README.md#project-cicd-variables), -then assign that variable to the corresponding variable in your -`.gitlab-ci.yml` file. - -From your ci `script:` the API will then be availible at `http://gitlab/api/v4` - -If you're wondering why we used `gitlab` for the `Host`, read more at +For more information about why `gitlab` is used for the `Host`, see [How services are linked to the job](../docker/using_docker_images.md#extended-docker-configuration-options). You can also use any other Docker image available on [Docker Hub](https://hub.docker.com/u/gitlab). -The `gitlab` image can accept some environment variables. For more details, -see the [omnibus documentation](../../install/README.md). +The `gitlab` image can accept environment variables. For more details, +see the [Omnibus documentation](../../install/README.md). diff --git a/doc/push_rules/push_rules.md b/doc/push_rules/push_rules.md index 9be76416ba7..2117a961957 100644 --- a/doc/push_rules/push_rules.md +++ b/doc/push_rules/push_rules.md 
@@ -103,6 +103,28 @@ The following options are available: NOTE: GitLab uses [RE2 syntax](https://github.com/google/re2/wiki/Syntax) for regular expressions in push rules, and you can test them at the [regex101 regex tester](https://regex101.com/). +### Caveat to "Reject unsigned commits" push rule **(PREMIUM)** + +This push rule ignores commits that are authenticated and created by GitLab +(either through the UI or API). When the **Reject unsigned commits** push rule is +enabled, unsigned commits may still show up in the commit history if a commit was +created **within** GitLab itself. As expected, commits created outside GitLab and +pushed to the repository are rejected. For more information about how GitLab +plans to fix this issue, read [issue #19185](https://gitlab.com/gitlab-org/gitlab/-/issues/19185). + +#### "Reject unsigned commits" push rule disables Web IDE + +In 13.10, if a project has the "Reject unsigned commits" push rule, the user will not be allowed to +commit through GitLab Web IDE. + +To allow committing through the Web IDE on a project with this push rule, a GitLab administrator will +need to disable the feature flag `reject_unsigned_commits_by_gitlab`. This can be done through a +[rails console](../administration/operations/rails_console.md) and running: + +```ruby +Feature.disable(:reject_unsigned_commits_by_gitlab) +``` + ## Prevent pushing secrets to the repository > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/385) in GitLab 8.12. diff --git a/doc/user/packages/container_registry/index.md b/doc/user/packages/container_registry/index.md index 102defacffa..bc96d3c937c 100644 --- a/doc/user/packages/container_registry/index.md +++ b/doc/user/packages/container_registry/index.md 
@@ -636,6 +636,14 @@ Examples: curl --request PUT --header 'Content-Type: application/json;charset=UTF-8' --header "PRIVATE-TOKEN: " --data-binary '{"container_expiration_policy_attributes":{"cadence":"1month","enabled":true,"keep_n":1,"older_than":"14d","name_regex":"","name_regex_delete":".*","name_regex_keep":".*-master"}}' "https://gitlab.example.com/api/v4/projects/2" ``` +Valid values for `cadence` when using the API are: + +- `1d` (every day) +- `7d` (every week) +- `14d` (every two weeks) +- `1month` (every month) +- `3month` (every quarter) + See the API documentation for further details: [Edit project](../../../api/projects.md#edit-project). ### Use with external container registries diff --git a/qa/qa/specs/features/browser_ui/3_create/merge_request/merge_when_pipeline_succeeds_spec.rb b/qa/qa/specs/features/browser_ui/3_create/merge_request/merge_when_pipeline_succeeds_spec.rb index 4baddb10c2b..2b1ac75b9f5 100644 --- a/qa/qa/specs/features/browser_ui/3_create/merge_request/merge_when_pipeline_succeeds_spec.rb +++ b/qa/qa/specs/features/browser_ui/3_create/merge_request/merge_when_pipeline_succeeds_spec.rb 
@@ -3,97 +3,97 @@ module QA RSpec.describe 'Create', :runner do describe 'Merge requests' do - let(:project) do - Resource::Project.fabricate_via_api! do |project| - project.name = 'merge-when-pipeline-succeeds' - project.initialize_with_readme = true - end - end - - let!(:runner) do - Resource::Runner.fabricate! do |runner| - runner.project = project - runner.name = "runner-for-#{project.name}" - runner.tags = ["runner-for-#{project.name}"] - end - end - - before do - Resource::Repository::Commit.fabricate_via_api! do |commit| - commit.project = project - commit.commit_message = 'Add .gitlab-ci.yml' - commit.add_files( - [ - { - file_path: '.gitlab-ci.yml', - content: <<~EOF - test: - tags: ["runner-for-#{project.name}"] - script: sleep 10 - only: - - merge_requests - EOF - } - ] - ) + shared_examples 'merge when pipeline succeeds' do |repeat: 1| + let(:project) do + Resource::Project.fabricate_via_api! do |project| + project.name = 'merge-when-pipeline-succeeds' + project.initialize_with_readme = true + end end - Flow::Login.sign_in - end - - after do - runner&.remove_via_api! - project&.remove_via_api! - end - - it 'merges when pipeline succeeds', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1684' do - verify_merge_when_pipeline_succeeds - end - - it 'reliably merges when pipeline succeeds', :transient, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1684' do - verify_merge_when_pipeline_succeeds(repeat: Runtime::Env.transient_trials) do |i| - QA::Runtime::Logger.info("Transient bug test - Trial #{i}") + let!(:runner) do + Resource::Runner.fabricate! do |runner| + runner.project = project + runner.name = "runner-for-#{project.name}" + runner.tags = ["runner-for-#{project.name}"] + end end - end - def verify_merge_when_pipeline_succeeds(repeat: 1) - repeat.times do |i| - yield i if block_given? 
- - branch_name = "merge-request-test-#{SecureRandom.hex(8)}" - - # Create a branch that will be merged into the default branch - Resource::Repository::ProjectPush.fabricate! do |project_push| - project_push.project = project - project_push.new_branch = true - project_push.branch_name = branch_name - project_push.file_name = "file-#{SecureRandom.hex(8)}.txt" + before do + Resource::Repository::Commit.fabricate_via_api! do |commit| + commit.project = project + commit.commit_message = 'Add .gitlab-ci.yml' + commit.add_files( + [ + { + file_path: '.gitlab-ci.yml', + content: <<~EOF + test: + tags: ["runner-for-#{project.name}"] + script: sleep 10 + only: + - merge_requests + EOF + } + ] + ) end - # Create a merge request to merge the branch we just created - merge_request = Resource::MergeRequest.fabricate_via_api! do |merge_request| - merge_request.project = project - merge_request.source_branch = branch_name - merge_request.no_preparation = true - end + Flow::Login.sign_in + end - merge_request.visit! + after do + runner&.remove_via_api! + project&.remove_via_api! + end - Page::MergeRequest::Show.perform do |mr| - mr.merge_when_pipeline_succeeds! + it 'merges after pipeline succeeds' do + repeat.times do |i| + QA::Runtime::Logger.info("Transient bug test - Trial #{i}") if repeat > 1 - Support::Waiter.wait_until(sleep_interval: 5) do - merge_request = merge_request.reload! - merge_request.state == 'merged' + branch_name = "mr-test-#{SecureRandom.hex(6)}-#{i}" + + # Create a branch that will be merged into the default branch + Resource::Repository::ProjectPush.fabricate! do |project_push| + project_push.project = project + project_push.new_branch = true + project_push.branch_name = branch_name + project_push.file_name = "#{branch_name}.txt" end - aggregate_failures do - expect(merge_request.merge_when_pipeline_succeeds).to be_truthy - expect(mr.merged?).to be_truthy, "Expected content 'The changes were merged' but it did not appear." 
+ # Create a merge request to merge the branch we just created + merge_request = Resource::MergeRequest.fabricate_via_api! do |merge_request| + merge_request.project = project + merge_request.source_branch = branch_name + merge_request.no_preparation = true + end + + merge_request.visit! + + Page::MergeRequest::Show.perform do |mr| + mr.merge_when_pipeline_succeeds! + + Support::Waiter.wait_until(sleep_interval: 5) do + merge_request = merge_request.reload! + merge_request.state == 'merged' + end + + aggregate_failures do + expect(merge_request.merge_when_pipeline_succeeds).to be_truthy + expect(mr.merged?).to be_truthy, "Expected content 'The changes were merged' but it did not appear." + end end end end end + + context 'when merging once', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1684' do + it_behaves_like 'merge when pipeline succeeds' + end + + context 'when merging several times', :transient, testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1684' do + it_behaves_like 'merge when pipeline succeeds', repeat: Runtime::Env.transient_trials + end end end end
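Review bot: The progress log in the new `it` block, `QA::Runtime::Logger.info("Transient bug test - Trial #{i}") if repeat > 1`, prints a zero-based index with no total, so a reader of the job log cannot tell how many trials remain or whether the final trial ran; `QA::Runtime::Logger.info("Transient bug test - Trial #{i + 1}/#{repeat}") if repeat > 1` conveys both. Separately, `Support::Waiter.wait_until(sleep_interval: 5)` relies on the helper's default timeout, which this hunk does not show; the pipeline job sleeps 10 seconds before the merge can happen, so if that default is short the repeated variant will fail on a wait timeout rather than on the transient bug it exists to catch, and an explicit `max_duration:` would make the intended budget visible. The `shared_examples` block and the enclosing `describe`/`module` all close inside this hunk, so no surrounding code is affected by either change.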