Add latest changes from gitlab-org/gitlab@master

2022-06-30 06:09:06 +00:00 · 2022-06-30 06:09:06 +00:00 · e6f10cb4b3
commit e6f10cb4b3
parent eddf359962
20 changed files with 83 additions and 23 deletions
--- a/.rubocop_todo/gitlab/namespaced_class.yml
+++ b/.rubocop_todo/gitlab/namespaced_class.yml
@ -1105,11 +1105,6 @@ Gitlab/NamespacedClass:
    - 'lib/carrier_wave_string_file.rb'
    - 'lib/csv_builder.rb'
    - 'lib/event_filter.rb'
-    - 'lib/feature.rb'
-    - 'lib/feature/definition.rb'
-    - 'lib/feature/gitaly.rb'
-    - 'lib/feature/logger.rb'
-    - 'lib/feature/shared.rb'
    - 'lib/file_size_validator.rb'
    - 'lib/forever.rb'
    - 'lib/generators/gitlab/snowplow_event_definition_generator.rb'
--- a/app/helpers/storage_helper.rb
+++ b/app/helpers/storage_helper.rb
@ -31,6 +31,7 @@ module StorageHelper
    return if root_ancestor.paid?
    return unless future_enforcement_date?(root_ancestor)
    return if user_dismissed_storage_enforcement_banner?(root_ancestor)
+    return unless ::Feature.enabled?(:namespace_storage_limit_show_preenforcement_banner, root_ancestor)

    {
      text: html_escape_once(s_("UsageQuota|From %{storage_enforcement_date} storage limits will apply to this namespace. " \
--- a/app/models/x509_certificate.rb
+++ b/app/models/x509_certificate.rb
@ -16,7 +16,7 @@ class X509Certificate < ApplicationRecord
  has_many :x509_commit_signatures, class_name: 'CommitSignatures::X509CommitSignature', inverse_of: 'x509_certificate'

  # rfc 5280 - 4.2.1.2  Subject Key Identifier
-  validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ }
+  validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex }
  # rfc 5280 - 4.1.2.6  Subject
  validates :subject, presence: true
  # rfc 5280 - 4.1.2.6  Subject (subjectAltName contains the email address)
--- a/app/models/x509_issuer.rb
+++ b/app/models/x509_issuer.rb
@ -4,7 +4,7 @@ class X509Issuer < ApplicationRecord
  has_many :x509_certificates, inverse_of: 'x509_issuer'

  # rfc 5280 - 4.2.1.1  Authority Key Identifier
-  validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ }
+  validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex }
  # rfc 5280 - 4.1.2.4  Issuer
  validates :subject, presence: true
  # rfc 5280 - 4.2.1.13  CRL Distribution Points
--- a/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml
+++ b/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml
@ -0,0 +1,8 @@
+---
+name: namespace_storage_limit_show_preenforcement_banner
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350632
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/362340
+milestone: '15.2'
+type: development
+group: group::utilization
+default_enabled: false
--- a/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
+++ b/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
@ -256,13 +256,26 @@ Since this service is shared by all review apps, there is a limitation that only

 ### Configure SAST

-Using [SAST](../../../user/application_security/sast/index.md) with ECS requires no extra configuration. For more
-details about how to configure SAST, see the SAST [documentation](../../../user/application_security/sast/index.md).
+To use [SAST](../../../user/application_security/sast/index.md) with ECS, add the following to your `.gitlab-ci.yml` file:
+
+```yaml
+include:
+   - template: Security/SAST.gitlab-ci.yml
+```
+
+For more details and configuration options, see the [SAST documentation](../../../user/application_security/sast/index.md#configuration).

 ### Configure DAST

 To use [DAST](../../../user/application_security/dast/index.md) on non-default branches, [set up review apps](#set-up-review-apps)
-and then follow the steps outlined in the DAST [documentation](../../../user/application_security/dast/index.md).
+and add the following to your `.gitlab-ci.yml` file:
+
+```yaml
+include:
+  - template: Security/DAST.gitlab-ci.yml
+```
+
+For more details and configuration options, see the [DAST documentation](../../../user/application_security/dast/index.md).

 ## Further reading

--- a/doc/development/migration_style_guide.md
+++ b/doc/development/migration_style_guide.md
@ -90,6 +90,14 @@ Keep in mind that all durations should be measured against GitLab.com.
 | Post-deployment migrations | `<= 10 minutes` | A valid exception are schema changes, since they must not happen in background migrations. |
 | Background migrations | `> 10 minutes` | Since these are suitable for larger tables, it's not possible to set a precise timing guideline, however, any single query must stay below [`1 second` execution time](query_performance.md#timing-guidelines-for-queries) with cold caches. |

+## Decide which database to target
+
+GitLab connects to two different Postgres databases: `main` and `ci`. This split can affect migrations
+as they may run on either or both of these databases.
+
+Read [Migrations for Multiple databases](database/migrations_for_multiple_databases.md) to understand if or how
+a migration you add should account for this.
+
 ## Create a regular schema migration

 To create a migration you can use the following Rails generator:
--- a/lib/feature.rb
+++ b/lib/feature.rb
@ -3,7 +3,7 @@
 require 'flipper/adapters/active_record'
 require 'flipper/adapters/active_support_cache_store'

-class Feature
+module Feature
  # Classes to override flipper table names
  class FlipperFeature < Flipper::Adapters::ActiveRecord::Feature
    include DatabaseReflection
--- a/lib/feature/definition.rb
+++ b/lib/feature/definition.rb
@ -1,6 +1,6 @@
 # frozen_string_literal: true

-class Feature
+module Feature
  class Definition
    include ::Feature::Shared

--- a/lib/feature/gitaly.rb
+++ b/lib/feature/gitaly.rb
@ -1,6 +1,6 @@
 # frozen_string_literal: true

-class Feature
+module Feature
  class Gitaly
    PREFIX = "gitaly_"

--- a/lib/feature/logger.rb
+++ b/lib/feature/logger.rb
@ -1,6 +1,6 @@
 # frozen_string_literal: true

-class Feature
+module Feature
  class Logger < ::Gitlab::JsonLogger
    def self.file_name_noext
      'features_json'
--- a/lib/feature/shared.rb
+++ b/lib/feature/shared.rb
@ -4,7 +4,7 @@
 # 1. `Pure Ruby`: `bin/feature-flag`
 # 2. `GitLab Rails`: `lib/feature/definition.rb`

-class Feature
+module Feature
  module Shared
    # optional: defines if a on-disk definition is required for this feature flag type
    # rollout_issue: defines if `bin/feature-flag` asks for rollout issue
--- a/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
@ -7,6 +7,7 @@ stages:
  - build
  - test
  - review
+  - dast
  - deploy
  - production
  - cleanup
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@ -486,6 +486,10 @@ module Gitlab
    def sep_by_1(separator, part)
      %r(#{part} (#{separator} #{part})*)x
    end
+
+    def x509_subject_key_identifier_regex
+      @x509_subject_key_identifier_regex ||= /\A(?:\h{2}:)*\h{2}\z/.freeze
+    end
  end
 end

--- a/lib/tasks/gitlab/graphql.rake
+++ b/lib/tasks/gitlab/graphql.rake
@ -15,10 +15,8 @@ namespace :gitlab do
  # Also avoids pipeline failures in case developer
  # dumps schema with flags disabled locally before pushing
  task enable_feature_flags: :environment do
-    class Feature
-      def self.enabled?(*args)
-        true
-      end
+    def Feature.enabled?(*args)
+      true
    end
  end

--- a/spec/helpers/storage_helper_spec.rb
+++ b/spec/helpers/storage_helper_spec.rb
@ -89,6 +89,12 @@ RSpec.describe StorageHelper do
          expect(helper.storage_enforcement_banner_info(free_group)).to be(nil)
        end

+        it 'returns nil when namespace_storage_limit_show_preenforcement_banner FF is disabled' do
+          stub_feature_flags(namespace_storage_limit_show_preenforcement_banner: false)
+
+          expect(helper.storage_enforcement_banner_info(free_group)).to be(nil)
+        end
+
        context 'when current_user can access the usage quotas page' do
          it 'returns a hash' do
            expect(helper.storage_enforcement_banner_info(free_group)).to eql({
--- a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
@ -34,6 +34,16 @@ RSpec.describe 'Deploy-ECS.gitlab-ci.yml' do
      expect(build_names).to include('production_ecs')
    end

+    context 'when the DAST template is also included' do
+      let(:dast_template) { Gitlab::Template::GitlabCiYmlTemplate.find('Security/DAST') }
+
+      before do
+        stub_ci_pipeline_yaml_file(template.content + dast_template.content)
+      end
+
+      include_examples 'no pipeline yaml error'
+    end
+
    context 'when running a pipeline for a branch' do
      let(:pipeline_branch) { 'test_branch' }

--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@ -968,4 +968,18 @@ RSpec.describe Gitlab::Regex do
    it { is_expected.not_to match('abc!abc') }
    it { is_expected.not_to match((['abc'] * 100).join('.') + '!') }
  end
+
+  describe '.x509_subject_key_identifier_regex' do
+    subject { described_class.x509_subject_key_identifier_regex }
+
+    it { is_expected.to match('AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB') }
+    it { is_expected.to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD') }
+    it { is_expected.to match('79:FB:C1:E5:6B:53:8B:0A') }
+    it { is_expected.to match('79:fb:c1:e5:6b:53:8b:0a') }
+
+    it { is_expected.not_to match('') }
+    it { is_expected.not_to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG') }
+    it { is_expected.not_to match('random string') }
+    it { is_expected.not_to match('12321342545356434523412341245452345623453542345234523453245') }
+  end
 end
--- a/spec/models/x509_certificate_spec.rb
+++ b/spec/models/x509_certificate_spec.rb
@ -73,7 +73,9 @@ RSpec.describe X509Certificate do
    it 'accepts correct subject_key_identifier' do
      subject_key_identifiers = [
        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
-        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD'
+        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD',
+        '79:FB:C1:E5:6B:53:8B:0A',
+        '79:fb:c1:e5:6b:53:8b:0a'
      ]

      subject_key_identifiers.each do |identifier|
@ -83,7 +85,6 @@ RSpec.describe X509Certificate do

    it 'rejects invalid subject_key_identifier' do
      subject_key_identifiers = [
-        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG',
        'random string',
        '12321342545356434523412341245452345623453542345234523453245'
--- a/spec/models/x509_issuer_spec.rb
+++ b/spec/models/x509_issuer_spec.rb
@ -39,7 +39,9 @@ RSpec.describe X509Issuer do
    it 'accepts correct subject_key_identifier' do
      subject_key_identifiers = [
        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
-        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD'
+        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD',
+        '79:FB:C1:E5:6B:53:8B:0A',
+        '79:fb:c1:e5:6b:53:8b:0a'
      ]

      subject_key_identifiers.each do |identifier|
@ -49,7 +51,6 @@ RSpec.describe X509Issuer do

    it 'rejects invalid subject_key_identifier' do
      subject_key_identifiers = [
-        'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
        'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG',
        'random string',
        '12321342545356434523412341245452345623453542345234523453245'