From e6f10cb4b38644d88a2e0016af206d2eb68a25d8 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 30 Jun 2022 06:09:06 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- .rubocop_todo/gitlab/namespaced_class.yml | 5 ----- app/helpers/storage_helper.rb | 1 + app/models/x509_certificate.rb | 2 +- app/models/x509_issuer.rb | 2 +- ...orage_limit_show_preenforcement_banner.yml | 8 ++++++++ .../cloud_deployment/ecs/deploy_to_aws_ecs.md | 19 ++++++++++++++++--- doc/development/migration_style_guide.md | 8 ++++++++ lib/feature.rb | 2 +- lib/feature/definition.rb | 2 +- lib/feature/gitaly.rb | 2 +- lib/feature/logger.rb | 2 +- lib/feature/shared.rb | 2 +- .../ci/templates/AWS/Deploy-ECS.gitlab-ci.yml | 1 + lib/gitlab/regex.rb | 4 ++++ lib/tasks/gitlab/graphql.rake | 6 ++---- spec/helpers/storage_helper_spec.rb | 6 ++++++ .../AWS/deploy_ecs_gitlab_ci_yaml_spec.rb | 10 ++++++++++ spec/lib/gitlab/regex_spec.rb | 14 ++++++++++++++ spec/models/x509_certificate_spec.rb | 5 +++-- spec/models/x509_issuer_spec.rb | 5 +++-- 20 files changed, 83 insertions(+), 23 deletions(-) create mode 100644 config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml diff --git a/.rubocop_todo/gitlab/namespaced_class.yml b/.rubocop_todo/gitlab/namespaced_class.yml index 103628c577c..ffa0f4d0b2f 100644 --- a/.rubocop_todo/gitlab/namespaced_class.yml +++ b/.rubocop_todo/gitlab/namespaced_class.yml @@ -1105,11 +1105,6 @@ Gitlab/NamespacedClass: - 'lib/carrier_wave_string_file.rb' - 'lib/csv_builder.rb' - 'lib/event_filter.rb' - - 'lib/feature.rb' - - 'lib/feature/definition.rb' - - 'lib/feature/gitaly.rb' - - 'lib/feature/logger.rb' - - 'lib/feature/shared.rb' - 'lib/file_size_validator.rb' - 'lib/forever.rb' - 'lib/generators/gitlab/snowplow_event_definition_generator.rb' diff --git a/app/helpers/storage_helper.rb b/app/helpers/storage_helper.rb index f978b9f51f3..ca81d5af4af 100644 --- a/app/helpers/storage_helper.rb 
+++ b/app/helpers/storage_helper.rb @@ -31,6 +31,7 @@ module StorageHelper return if root_ancestor.paid? return unless future_enforcement_date?(root_ancestor) return if user_dismissed_storage_enforcement_banner?(root_ancestor) + return unless ::Feature.enabled?(:namespace_storage_limit_show_preenforcement_banner, root_ancestor) { text: html_escape_once(s_("UsageQuota|From %{storage_enforcement_date} storage limits will apply to this namespace. " \ diff --git a/app/models/x509_certificate.rb b/app/models/x509_certificate.rb index 2c1d0110b7c..7c2581b8bb2 100644 --- a/app/models/x509_certificate.rb +++ b/app/models/x509_certificate.rb @@ -16,7 +16,7 @@ class X509Certificate < ApplicationRecord has_many :x509_commit_signatures, class_name: 'CommitSignatures::X509CommitSignature', inverse_of: 'x509_certificate' # rfc 5280 - 4.2.1.2 Subject Key Identifier - validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ } + validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex } # rfc 5280 - 4.1.2.6 Subject validates :subject, presence: true # rfc 5280 - 4.1.2.6 Subject (subjectAltName contains the email address) diff --git a/app/models/x509_issuer.rb b/app/models/x509_issuer.rb index 4b75e38bbde..81491d8e507 100644 --- a/app/models/x509_issuer.rb +++ b/app/models/x509_issuer.rb @@ -4,7 +4,7 @@ class X509Issuer < ApplicationRecord has_many :x509_certificates, inverse_of: 'x509_issuer' # rfc 5280 - 4.2.1.1 Authority Key Identifier - validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ } + validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex } # rfc 5280 - 4.1.2.4 Issuer validates :subject, presence: true # rfc 5280 - 4.2.1.13 CRL Distribution Points 
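Review bot: The `subject_key_identifier` validator in app/models/x509_certificate.rb no longer constrains length. The removed inline pattern required exactly 20 octets, while `Gitlab::Regex.x509_subject_key_identifier_regex` (added in the lib/gitlab/regex.rb hunk) repeats `(?:\h{2}:)*`, so a single octet such as `AB` or an arbitrarily long value now passes. The identical change in app/models/x509_issuer.rb has the same effect. If these identifiers are used to look up or match certificates and issuers (not visible in these hunks), a very short value is a weak key, so consider bounding the repetition in the helper or adding a length check beside the format check, e.g. `format: { with: Gitlab::Regex.x509_subject_key_identifier_regex }, length: { maximum: MAX_LEN }`, where `MAX_LEN` is a placeholder for the column limit. Both class bodies continue outside their hunks.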
diff --git a/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml b/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml new file mode 100644 index 00000000000..754a6a16356 --- /dev/null +++ b/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml @@ -0,0 +1,8 @@ +--- +name: namespace_storage_limit_show_preenforcement_banner +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350632 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/362340 +milestone: '15.2' +type: development +group: group::utilization +default_enabled: false diff --git a/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md b/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md index a2f50fdc741..5356ebb84f1 100644 --- a/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md +++ b/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md 
@@ -256,13 +256,26 @@ Since this service is shared by all review apps, there is a limitation that only ### Configure SAST -Using [SAST](../../../user/application_security/sast/index.md) with ECS requires no extra configuration. For more -details about how to configure SAST, see the SAST [documentation](../../../user/application_security/sast/index.md). +To use [SAST](../../../user/application_security/sast/index.md) with ECS, add the following to your `.gitlab-ci.yml` file: + +```yaml +include: + - template: Security/SAST.gitlab-ci.yml +``` + +For more details and configuration options, see the [SAST documentation](../../../user/application_security/sast/index.md#configuration). ### Configure DAST To use [DAST](../../../user/application_security/dast/index.md) on non-default branches, [set up review apps](#set-up-review-apps) -and then follow the steps outlined in the DAST [documentation](../../../user/application_security/dast/index.md). +and add the following to your `.gitlab-ci.yml` file: + +```yaml +include: + - template: Security/DAST.gitlab-ci.yml +``` + +For more details and configuration options, see the [DAST documentation](../../../user/application_security/dast/index.md). ## Further reading diff --git a/doc/development/migration_style_guide.md b/doc/development/migration_style_guide.md index c9b59ba66b5..4a1d4389ceb 100644 --- a/doc/development/migration_style_guide.md +++ b/doc/development/migration_style_guide.md 
@@ -90,6 +90,14 @@ Keep in mind that all durations should be measured against GitLab.com. | Post-deployment migrations | `<= 10 minutes` | A valid exception are schema changes, since they must not happen in background migrations. | | Background migrations | `> 10 minutes` | Since these are suitable for larger tables, it's not possible to set a precise timing guideline, however, any single query must stay below [`1 second` execution time](query_performance.md#timing-guidelines-for-queries) with cold caches. | +## Decide which database to target + +GitLab connects to two different Postgres databases: `main` and `ci`. This split can affect migrations +as they may run on either or both of these databases. + +Read [Migrations for Multiple databases](database/migrations_for_multiple_databases.md) to understand if or how +a migration you add should account for this. + ## Create a regular schema migration To create a migration you can use the following Rails generator: diff --git a/lib/feature.rb b/lib/feature.rb index 3bba4be7514..36d2456ec6f 100644 --- a/lib/feature.rb +++ b/lib/feature.rb @@ -3,7 +3,7 @@ require 'flipper/adapters/active_record' require 'flipper/adapters/active_support_cache_store' -class Feature +module Feature # Classes to override flipper table names class FlipperFeature < Flipper::Adapters::ActiveRecord::Feature include DatabaseReflection diff --git a/lib/feature/definition.rb b/lib/feature/definition.rb index 1551af730db..270bf46221d 100644 --- a/lib/feature/definition.rb +++ b/lib/feature/definition.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Feature +module Feature class Definition include ::Feature::Shared diff --git a/lib/feature/gitaly.rb b/lib/feature/gitaly.rb index 04ed78b8a51..0c6b9dfde7a 100644 --- a/lib/feature/gitaly.rb +++ b/lib/feature/gitaly.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Feature +module Feature class Gitaly PREFIX = "gitaly_" 
diff --git a/lib/feature/logger.rb b/lib/feature/logger.rb index 784a619e182..95e160273b6 100644 --- a/lib/feature/logger.rb +++ b/lib/feature/logger.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Feature +module Feature class Logger < ::Gitlab::JsonLogger def self.file_name_noext 'features_json' diff --git a/lib/feature/shared.rb b/lib/feature/shared.rb index 40f21fc4f50..edfc39aea0c 100644 --- a/lib/feature/shared.rb +++ b/lib/feature/shared.rb @@ -4,7 +4,7 @@ # 1. `Pure Ruby`: `bin/feature-flag` # 2. `GitLab Rails`: `lib/feature/definition.rb` -class Feature +module Feature module Shared # optional: defines if a on-disk definition is required for this feature flag type # rollout_issue: defines if `bin/feature-flag` asks for rollout issue diff --git a/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml b/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml index 17e49440784..1ac9c319429 100644 --- a/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml +++ b/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml @@ -7,6 +7,7 @@ stages: - build - test - review + - dast - deploy - production - cleanup diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb index b0f4194b7a0..0534f890152 100644 --- a/lib/gitlab/regex.rb +++ b/lib/gitlab/regex.rb @@ -486,6 +486,10 @@ module Gitlab def sep_by_1(separator, part) %r(#{part} (#{separator} #{part})*)x end + + def x509_subject_key_identifier_regex + @x509_subject_key_identifier_regex ||= /\A(?:\h{2}:)*\h{2}\z/.freeze + end end end diff --git a/lib/tasks/gitlab/graphql.rake b/lib/tasks/gitlab/graphql.rake index b9137aa0d4c..a05b749a60e 100644 --- a/lib/tasks/gitlab/graphql.rake +++ b/lib/tasks/gitlab/graphql.rake @@ -15,10 +15,8 @@ namespace :gitlab do # Also avoids pipeline failures in case developer # dumps schema with flags disabled locally before pushing task enable_feature_flags: :environment do - class Feature - def self.enabled?(*args) - true - end + def Feature.enabled?(*args) + true end end 
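Review bot: `x509_subject_key_identifier_regex` in lib/gitlab/regex.rb has no comment saying which format it accepts or why the length is open-ended, even though it replaces a fixed 20-octet check in two models. A comment such as `# Colon-separated hex octets, one or more: RFC 5280 4.2.1.2 defines keyIdentifier as an OCTET STRING with no fixed size` would record the intent for the next reader. The pattern is anchored with `\A` and `\z` and has a single unambiguous repetition, so it should not backtrack badly on long input. The enclosing module starts outside the hunk.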
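Review bot: `def Feature.enabled?(*args)` in lib/tasks/gitlab/graphql.rake replaces the flag check for the whole Ruby process, and nothing in the hunk restores it. Any task that runs after `enable_feature_flags` in the same rake invocation would therefore also see every flag as enabled. The existing comment explains why the schema dump wants this but not that the override is unscoped; add a line such as `# NOTE: process-wide and not reverted; do not chain with tasks that rely on real flag state`. The unused splat could also be written `*_args`. The enclosing `namespace :gitlab` block starts outside the hunk.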
diff --git a/spec/helpers/storage_helper_spec.rb b/spec/helpers/storage_helper_spec.rb index 4732076ab13..cd5701db83b 100644 --- a/spec/helpers/storage_helper_spec.rb +++ b/spec/helpers/storage_helper_spec.rb @@ -89,6 +89,12 @@ RSpec.describe StorageHelper do expect(helper.storage_enforcement_banner_info(free_group)).to be(nil) end + it 'returns nil when namespace_storage_limit_show_preenforcement_banner FF is disabled' do + stub_feature_flags(namespace_storage_limit_show_preenforcement_banner: false) + + expect(helper.storage_enforcement_banner_info(free_group)).to be(nil) + end + context 'when current_user can access the usage quotas page' do it 'returns a hash' do expect(helper.storage_enforcement_banner_info(free_group)).to eql({ diff --git a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb index 27de8324206..65fd2b016ac 100644 --- a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb +++ b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb @@ -34,6 +34,16 @@ RSpec.describe 'Deploy-ECS.gitlab-ci.yml' do expect(build_names).to include('production_ecs') end + context 'when the DAST template is also included' do + let(:dast_template) { Gitlab::Template::GitlabCiYmlTemplate.find('Security/DAST') } + + before do + stub_ci_pipeline_yaml_file(template.content + dast_template.content) + end + + include_examples 'no pipeline yaml error' + end + context 'when running a pipeline for a branch' do let(:pipeline_branch) { 'test_branch' } diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb index d48e8183650..a3afbed18e2 100644 --- a/spec/lib/gitlab/regex_spec.rb +++ b/spec/lib/gitlab/regex_spec.rb 
@@ -968,4 +968,18 @@ RSpec.describe Gitlab::Regex do it { is_expected.not_to match('abc!abc') } it { is_expected.not_to match((['abc'] * 100).join('.') + '!') } end + + describe '.x509_subject_key_identifier_regex' do + subject { described_class.x509_subject_key_identifier_regex } + + it { is_expected.to match('AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB') } + it { is_expected.to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD') } + it { is_expected.to match('79:FB:C1:E5:6B:53:8B:0A') } + it { is_expected.to match('79:fb:c1:e5:6b:53:8b:0a') } + + it { is_expected.not_to match('') } + it { is_expected.not_to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG') } + it { is_expected.not_to match('random string') } + it { is_expected.not_to match('12321342545356434523412341245452345623453542345234523453245') } + end end diff --git a/spec/models/x509_certificate_spec.rb b/spec/models/x509_certificate_spec.rb index d3b4470d3f4..5723bd80739 100644 --- a/spec/models/x509_certificate_spec.rb +++ b/spec/models/x509_certificate_spec.rb @@ -73,7 +73,9 @@ RSpec.describe X509Certificate do it 'accepts correct subject_key_identifier' do subject_key_identifiers = [ 'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB', - 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD' + 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD', + '79:FB:C1:E5:6B:53:8B:0A', + '79:fb:c1:e5:6b:53:8b:0a' ] subject_key_identifiers.each do |identifier| @@ -83,7 +85,6 @@ RSpec.describe X509Certificate do it 'rejects invalid subject_key_identifier' do subject_key_identifiers = [ - 'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB', 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG', 'random string', '12321342545356434523412341245452345623453542345234523453245' diff --git a/spec/models/x509_issuer_spec.rb b/spec/models/x509_issuer_spec.rb index f1067cad655..3d04adf7e26 100644 
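Review bot: The negative cases for `.x509_subject_key_identifier_regex` in spec/lib/gitlab/regex_spec.rb exercise neither the separators nor the anchors, which are the parts most likely to regress now that the length is variable. Add cases such as `it { is_expected.not_to match('AB:') }`, `it { is_expected.not_to match(':AB') }` and `it { is_expected.not_to match("AB:AB\n") }`; the last one pins `\z` against a trailing newline. A single-octet value like `'AB'` is accepted by the new pattern, so an explicit expectation either way would document whether that is intended.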
--- a/spec/models/x509_issuer_spec.rb +++ b/spec/models/x509_issuer_spec.rb @@ -39,7 +39,9 @@ RSpec.describe X509Issuer do it 'accepts correct subject_key_identifier' do subject_key_identifiers = [ 'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB', - 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD' + 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD', + '79:FB:C1:E5:6B:53:8B:0A', + '79:fb:c1:e5:6b:53:8b:0a' ] subject_key_identifiers.each do |identifier| @@ -49,7 +51,6 @@ RSpec.describe X509Issuer do it 'rejects invalid subject_key_identifier' do subject_key_identifiers = [ - 'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB', 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG', 'random string', '12321342545356434523412341245452345623453542345234523453245'