Add latest changes from gitlab-org/gitlab@master
This commit is contained in:
parent
99373ac711
commit
fe448fa0fc
|
@ -71,6 +71,7 @@ ui-docs-links lint:
|
|||
extends:
|
||||
- .docs:rules:docs-lint
|
||||
- .static-analysis-base
|
||||
- .ruby-cache
|
||||
stage: lint
|
||||
needs: []
|
||||
script:
|
||||
|
|
|
@ -2558,7 +2558,6 @@ Rails/IncludeUrlHelper:
|
|||
# TODO issue: https://gitlab.com/gitlab-org/gitlab/-/issues/344279
|
||||
Style/OpenStructUse:
|
||||
Exclude:
|
||||
- 'Guardfile'
|
||||
- 'app/finders/snippets_finder.rb'
|
||||
- 'app/helpers/application_settings_helper.rb'
|
||||
- 'ee/lib/gitlab/graphql/aggregations/epics/epic_node.rb'
|
||||
|
|
10
CHANGELOG.md
10
CHANGELOG.md
|
@ -3066,18 +3066,18 @@ No changes.
|
|||
|
||||
## 13.12.15 (2021-11-03)
|
||||
|
||||
No changes.
|
||||
|
||||
## 13.12.14 (2021-11-03)
|
||||
|
||||
### Fixed (2 changes)
|
||||
|
||||
- [Allow nil for remaining ci cd settings](gitlab-org/gitlab@896fd7ecf23714fa9f710efa4af245a26c677dce) ([merge request](gitlab-org/gitlab!73522))
|
||||
- [Allow nil on delegated CI/CD settings](gitlab-org/gitlab@d57a9ea79080fc473eb54c0ee696a50fd270e8a4) ([merge request](gitlab-org/gitlab!73522))
|
||||
|
||||
## 13.12.14 (2021-11-03)
|
||||
|
||||
This version has been skipped due to QA problems.
|
||||
|
||||
## 13.12.13 (2021-10-29)
|
||||
|
||||
No changes.
|
||||
This version has been skipped due to QA problems.
|
||||
|
||||
## 13.12.12 (2021-09-21)
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@ cmd = ENV['GUARD_CMD'] || (ENV['SPRING'] ? 'spring rspec' : 'bundle exec rspec')
|
|||
directories %w(app ee lib rubocop tooling spec)
|
||||
|
||||
rspec_context_for = proc do |context_path|
|
||||
OpenStruct.new(to_s: "spec").tap do |rspec|
|
||||
OpenStruct.new(to_s: "spec").tap do |rspec| # rubocop:disable Style/OpenStructUse
|
||||
rspec.spec_dir = "#{context_path}spec"
|
||||
rspec.spec = ->(m) { Guard::RSpec::Dsl.detect_spec_file_for(rspec, m) }
|
||||
rspec.spec_helper = "#{rspec.spec_dir}/spec_helper.rb"
|
||||
|
@ -19,7 +19,7 @@ rspec_context_for = proc do |context_path|
|
|||
end
|
||||
|
||||
rails_context_for = proc do |context_path, exts|
|
||||
OpenStruct.new.tap do |rails|
|
||||
OpenStruct.new.tap do |rails| # rubocop:disable Style/OpenStructUse
|
||||
rails.app_files = %r{^#{context_path}app/(.+)\.rb$}
|
||||
|
||||
rails.views = %r{^#{context_path}app/(views/.+/[^/]*\.(?:#{exts}))$}
|
||||
|
|
|
@ -5,7 +5,7 @@ module Types
|
|||
graphql_name 'ReleaseEvidence'
|
||||
description 'Evidence for a release'
|
||||
|
||||
authorize :download_code
|
||||
authorize :read_release_evidence
|
||||
|
||||
present_using Releases::EvidencePresenter
|
||||
|
||||
|
|
|
@ -14,6 +14,8 @@ module Types
|
|||
case object
|
||||
when ::Packages::Conan::FileMetadatum
|
||||
::Types::Packages::Conan::FileMetadatumType
|
||||
when ::Packages::Helm::FileMetadatum
|
||||
::Types::Packages::Helm::FileMetadatumType
|
||||
else
|
||||
# NOTE: This method must be kept in sync with `PackageFileType#file_metadata`,
|
||||
# which must never produce data that this discriminator cannot handle.
|
||||
|
@ -21,7 +23,8 @@ module Types
|
|||
end
|
||||
end
|
||||
|
||||
orphan_types Types::Packages::Conan::FileMetadatumType
|
||||
orphan_types Types::Packages::Conan::FileMetadatumType,
|
||||
Types::Packages::Helm::FileMetadatumType
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -0,0 +1,28 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Types
|
||||
module Packages
|
||||
module Helm
|
||||
# rubocop: disable Graphql/AuthorizeTypes
|
||||
class DependencyType < BaseObject
|
||||
graphql_name 'PackageHelmDependencyType'
|
||||
description 'Represents a Helm dependency'
|
||||
|
||||
# Need to be synced with app/validators/json_schemas/helm_metadata.json#dependencies
|
||||
field :name, GraphQL::Types::String, null: true, description: 'Name of the dependency.'
|
||||
field :version, GraphQL::Types::String, null: true, description: 'Version of the dependency.'
|
||||
field :repository, GraphQL::Types::String, null: true, description: 'Repository of the dependency.'
|
||||
field :condition, GraphQL::Types::String, null: true, description: 'Condition of the dependency.'
|
||||
field :tags, [GraphQL::Types::String], null: true, description: 'Tags of the dependency.'
|
||||
field :enabled, GraphQL::Types::Boolean, null: true, description: 'Indicates the dependency is enabled.'
|
||||
field :import_values, [GraphQL::Types::JSON], null: true, description: 'Import-values of the dependency.', hash_key: "import-values" # rubocop:disable Graphql/JSONType
|
||||
field :alias, GraphQL::Types::String, null: true, description: 'Alias of the dependency.', resolver_method: :resolve_alias
|
||||
|
||||
# field :alias` conflicts with a built-in method
|
||||
def resolve_alias
|
||||
object['alias']
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,19 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Types
|
||||
module Packages
|
||||
module Helm
|
||||
class FileMetadatumType < BaseObject
|
||||
graphql_name 'HelmFileMetadata'
|
||||
description 'Helm file metadata'
|
||||
|
||||
implements Types::Packages::FileMetadataType
|
||||
|
||||
authorize :read_package
|
||||
|
||||
field :channel, GraphQL::Types::String, null: false, description: 'Channel of the Helm chart.'
|
||||
field :metadata, Types::Packages::Helm::MetadataType, null: false, description: 'Metadata of the Helm chart.'
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,18 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Types
|
||||
module Packages
|
||||
module Helm
|
||||
# rubocop: disable Graphql/AuthorizeTypes
|
||||
class MaintainerType < BaseObject
|
||||
graphql_name 'PackageHelmMaintainerType'
|
||||
description 'Represents a Helm maintainer'
|
||||
|
||||
# Need to be synced with app/validators/json_schemas/helm_metadata.json#maintainers
|
||||
field :name, GraphQL::Types::String, null: true, description: 'Name of the maintainer.'
|
||||
field :email, GraphQL::Types::String, null: true, description: 'Email of the maintainer.'
|
||||
field :url, GraphQL::Types::String, null: true, description: 'URL of the maintainer.'
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -0,0 +1,32 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
module Types
|
||||
module Packages
|
||||
module Helm
|
||||
# rubocop: disable Graphql/AuthorizeTypes
|
||||
class MetadataType < BaseObject
|
||||
graphql_name 'PackageHelmMetadataType'
|
||||
description 'Represents the contents of a Helm Chart.yml file'
|
||||
|
||||
# Need to be synced with app/validators/json_schemas/helm_metadata.json
|
||||
field :name, GraphQL::Types::String, null: false, description: 'Name of the chart.'
|
||||
field :home, GraphQL::Types::String, null: true, description: 'URL of the home page.'
|
||||
field :sources, [GraphQL::Types::String], null: true, description: 'URLs of the source code for the chart.'
|
||||
field :version, GraphQL::Types::String, null: false, description: 'Version of the chart.'
|
||||
field :description, GraphQL::Types::String, null: true, description: 'Description of the chart.'
|
||||
field :keywords, [GraphQL::Types::String], null: true, description: 'Keywords for the chart.'
|
||||
field :maintainers, [Types::Packages::Helm::MaintainerType], null: true, description: 'Maintainers of the chart.'
|
||||
field :icon, GraphQL::Types::String, null: true, description: 'URL to an SVG or PNG image for the chart.'
|
||||
field :api_version, GraphQL::Types::String, null: false, description: 'API version of the chart.', hash_key: "apiVersion"
|
||||
field :condition, GraphQL::Types::String, null: true, description: 'Condition for the chart.'
|
||||
field :tags, GraphQL::Types::String, null: true, description: 'Tags for the chart.'
|
||||
field :app_version, GraphQL::Types::String, null: true, description: 'App version of the chart.', hash_key: "appVersion"
|
||||
field :deprecated, GraphQL::Types::Boolean, null: true, description: 'Indicates if the chart is deprecated.'
|
||||
field :annotations, GraphQL::Types::JSON, null: true, description: 'Annotations for the chart.' # rubocop:disable Graphql/JSONType
|
||||
field :kube_version, GraphQL::Types::String, null: true, description: 'Kubernetes versions for the chart.', hash_key: "kubeVersion"
|
||||
field :dependencies, [Types::Packages::Helm::DependencyType], null: true, description: 'Dependencies of the chart.'
|
||||
field :type, GraphQL::Types::String, null: true, description: 'Type of the chart.', hash_key: "appVersion"
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
|
@ -27,6 +27,8 @@ module Types
|
|||
case object.package.package_type
|
||||
when 'conan'
|
||||
object.conan_file_metadatum
|
||||
when 'helm'
|
||||
object.helm_file_metadatum
|
||||
else
|
||||
nil
|
||||
end
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
# frozen_string_literal: true
|
||||
module Packages
|
||||
module Helm
|
||||
class FileMetadatumPolicy < BasePolicy
|
||||
delegate { @subject.package_file.package }
|
||||
end
|
||||
end
|
||||
end
|
|
@ -103,7 +103,23 @@
|
|||
"import-values": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
|
||||
"oneOf": [
|
||||
{
|
||||
"type": "string"
|
||||
},
|
||||
{
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"child": {
|
||||
"type": "string"
|
||||
},
|
||||
"parent": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"additionalProperties": false
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"alias": {
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
---
|
||||
name: linear_ee_group_ancestor_scopes
|
||||
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/70708
|
||||
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/341350
|
||||
milestone: '14.4'
|
||||
type: development
|
||||
group: group::access
|
||||
default_enabled: false
|
|
@ -10911,6 +10911,19 @@ Represents the Geo sync and verification state of a group wiki repository.
|
|||
| <a id="groupwikirepositoryregistryretrycount"></a>`retryCount` | [`Int`](#int) | Number of consecutive failed sync attempts of the GroupWikiRepositoryRegistry. |
|
||||
| <a id="groupwikirepositoryregistrystate"></a>`state` | [`RegistryState`](#registrystate) | Sync state of the GroupWikiRepositoryRegistry. |
|
||||
|
||||
### `HelmFileMetadata`
|
||||
|
||||
Helm file metadata.
|
||||
|
||||
#### Fields
|
||||
|
||||
| Name | Type | Description |
|
||||
| ---- | ---- | ----------- |
|
||||
| <a id="helmfilemetadatachannel"></a>`channel` | [`String!`](#string) | Channel of the Helm chart. |
|
||||
| <a id="helmfilemetadatacreatedat"></a>`createdAt` | [`Time!`](#time) | Date of creation. |
|
||||
| <a id="helmfilemetadatametadata"></a>`metadata` | [`PackageHelmMetadataType!`](#packagehelmmetadatatype) | Metadata of the Helm chart. |
|
||||
| <a id="helmfilemetadataupdatedat"></a>`updatedAt` | [`Time!`](#time) | Date of most recent update. |
|
||||
|
||||
### `IncidentManagementOncallRotation`
|
||||
|
||||
Describes an incident management on-call rotation.
|
||||
|
@ -12381,6 +12394,61 @@ Represents the Geo sync and verification state of a package file.
|
|||
| <a id="packagefileregistryretrycount"></a>`retryCount` | [`Int`](#int) | Number of consecutive failed sync attempts of the PackageFileRegistry. |
|
||||
| <a id="packagefileregistrystate"></a>`state` | [`RegistryState`](#registrystate) | Sync state of the PackageFileRegistry. |
|
||||
|
||||
### `PackageHelmDependencyType`
|
||||
|
||||
Represents a Helm dependency.
|
||||
|
||||
#### Fields
|
||||
|
||||
| Name | Type | Description |
|
||||
| ---- | ---- | ----------- |
|
||||
| <a id="packagehelmdependencytypealias"></a>`alias` | [`String`](#string) | Alias of the dependency. |
|
||||
| <a id="packagehelmdependencytypecondition"></a>`condition` | [`String`](#string) | Condition of the dependency. |
|
||||
| <a id="packagehelmdependencytypeenabled"></a>`enabled` | [`Boolean`](#boolean) | Indicates the dependency is enabled. |
|
||||
| <a id="packagehelmdependencytypeimportvalues"></a>`importValues` | [`[JSON!]`](#json) | Import-values of the dependency. |
|
||||
| <a id="packagehelmdependencytypename"></a>`name` | [`String`](#string) | Name of the dependency. |
|
||||
| <a id="packagehelmdependencytyperepository"></a>`repository` | [`String`](#string) | Repository of the dependency. |
|
||||
| <a id="packagehelmdependencytypetags"></a>`tags` | [`[String!]`](#string) | Tags of the dependency. |
|
||||
| <a id="packagehelmdependencytypeversion"></a>`version` | [`String`](#string) | Version of the dependency. |
|
||||
|
||||
### `PackageHelmMaintainerType`
|
||||
|
||||
Represents a Helm maintainer.
|
||||
|
||||
#### Fields
|
||||
|
||||
| Name | Type | Description |
|
||||
| ---- | ---- | ----------- |
|
||||
| <a id="packagehelmmaintainertypeemail"></a>`email` | [`String`](#string) | Email of the maintainer. |
|
||||
| <a id="packagehelmmaintainertypename"></a>`name` | [`String`](#string) | Name of the maintainer. |
|
||||
| <a id="packagehelmmaintainertypeurl"></a>`url` | [`String`](#string) | URL of the maintainer. |
|
||||
|
||||
### `PackageHelmMetadataType`
|
||||
|
||||
Represents the contents of a Helm Chart.yml file.
|
||||
|
||||
#### Fields
|
||||
|
||||
| Name | Type | Description |
|
||||
| ---- | ---- | ----------- |
|
||||
| <a id="packagehelmmetadatatypeannotations"></a>`annotations` | [`JSON`](#json) | Annotations for the chart. |
|
||||
| <a id="packagehelmmetadatatypeapiversion"></a>`apiVersion` | [`String!`](#string) | API version of the chart. |
|
||||
| <a id="packagehelmmetadatatypeappversion"></a>`appVersion` | [`String`](#string) | App version of the chart. |
|
||||
| <a id="packagehelmmetadatatypecondition"></a>`condition` | [`String`](#string) | Condition for the chart. |
|
||||
| <a id="packagehelmmetadatatypedependencies"></a>`dependencies` | [`[PackageHelmDependencyType!]`](#packagehelmdependencytype) | Dependencies of the chart. |
|
||||
| <a id="packagehelmmetadatatypedeprecated"></a>`deprecated` | [`Boolean`](#boolean) | Indicates if the chart is deprecated. |
|
||||
| <a id="packagehelmmetadatatypedescription"></a>`description` | [`String`](#string) | Description of the chart. |
|
||||
| <a id="packagehelmmetadatatypehome"></a>`home` | [`String`](#string) | URL of the home page. |
|
||||
| <a id="packagehelmmetadatatypeicon"></a>`icon` | [`String`](#string) | URL to an SVG or PNG image for the chart. |
|
||||
| <a id="packagehelmmetadatatypekeywords"></a>`keywords` | [`[String!]`](#string) | Keywords for the chart. |
|
||||
| <a id="packagehelmmetadatatypekubeversion"></a>`kubeVersion` | [`String`](#string) | Kubernetes versions for the chart. |
|
||||
| <a id="packagehelmmetadatatypemaintainers"></a>`maintainers` | [`[PackageHelmMaintainerType!]`](#packagehelmmaintainertype) | Maintainers of the chart. |
|
||||
| <a id="packagehelmmetadatatypename"></a>`name` | [`String!`](#string) | Name of the chart. |
|
||||
| <a id="packagehelmmetadatatypesources"></a>`sources` | [`[String!]`](#string) | URLs of the source code for the chart. |
|
||||
| <a id="packagehelmmetadatatypetags"></a>`tags` | [`String`](#string) | Tags for the chart. |
|
||||
| <a id="packagehelmmetadatatypetype"></a>`type` | [`String`](#string) | Type of the chart. |
|
||||
| <a id="packagehelmmetadatatypeversion"></a>`version` | [`String!`](#string) | Version of the chart. |
|
||||
|
||||
### `PackageSettings`
|
||||
|
||||
Namespace-level Package Registry settings.
|
||||
|
@ -17759,6 +17827,7 @@ Represents metadata associated with a Package file.
|
|||
Implementations:
|
||||
|
||||
- [`ConanFileMetadata`](#conanfilemetadata)
|
||||
- [`HelmFileMetadata`](#helmfilemetadata)
|
||||
|
||||
##### Fields
|
||||
|
||||
|
|
|
@ -1652,10 +1652,12 @@ docker build:
|
|||
- docker/scripts/*
|
||||
- dockerfiles/**/*
|
||||
- more_scripts/*.{rb,py,sh}
|
||||
- "**/*.json"
|
||||
```
|
||||
|
||||
**Additional details**:
|
||||
|
||||
- If any of the matching files are changed (an `OR` operation), `changes` resolves to `true`.
|
||||
- If you use refs other than `branches`, `external_pull_requests`, or `merge_requests`,
|
||||
`changes` can't determine if a given file is new or old and always returns `true`.
|
||||
- If you use `only: changes` with other refs, jobs ignore the changes and always run.
|
||||
|
|
|
@ -55,7 +55,7 @@ to a gem, go through these steps:
|
|||
- For an example, see the [merge request !57805](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/57805).
|
||||
1. Once the gem is stable - we have been using it in production for a
|
||||
while with few, if any, changes - extract to its own project under
|
||||
the `gitlab-org` namespace.
|
||||
the [`gitlab-org/ruby/gems` namespace](https://gitlab.com/gitlab-org/ruby/gems/).
|
||||
1. When creating the project, follow the [instructions for new projects](https://about.gitlab.com/handbook/engineering/#creating-a-new-project).
|
||||
1. Follow the instructions for setting up a [CI/CD configuration](https://about.gitlab.com/handbook/engineering/#cicd-configuration).
|
||||
1. Follow the instructions for [publishing a project](https://about.gitlab.com/handbook/engineering/#publishing-a-project).
|
||||
|
|
|
@ -89,10 +89,14 @@ if you need help finding the correct person or labels:
|
|||
1. Schedule an update with the [GitLab Development Kit](https://gitlab.com/gitlab-org/gitlab-development-kit/-/issues):
|
||||
- Title the issue `Support using Go version <VERSION_NUMBER>`.
|
||||
- Set the issue as related to every issue created in the previous step.
|
||||
1. Schedule one issue per Secure Stage team and add the `devops::secure` label to each:
|
||||
1. Schedule one issue per Sec Section team that maintains Go based Security Analyzers and add the `section::sec` label to each:
|
||||
- [Static Analysis tracker](https://gitlab.com/gitlab-org/gitlab/-/issues).
|
||||
- [Composition Analysis tracker](https://gitlab.com/gitlab-org/gitlab/-/issues).
|
||||
- [Container Security tracker](https://gitlab.com/gitlab-org/gitlab/-/issues).
|
||||
|
||||
NOTE:
|
||||
Updates to these Security analyzers should not block upgrades to Charts or Omnibus since
|
||||
the analyzers are built independently as separate container images.
|
||||
1. Schedule builder updates with Distribution projects:
|
||||
- Dependency and GitLab Development Kit issues created in previous steps should be set as blockers.
|
||||
- Each issue should have the title `Support building with Go <VERSION_NUMBER>` and description as noted:
|
||||
|
|
|
@ -540,6 +540,94 @@ out, _ = exec.Command("sh", "-c", "echo 1 | cat /etc/passwd").Output()
|
|||
|
||||
This outputs `1` followed by the content of `/etc/passwd`.
|
||||
|
||||
## General recommendations
|
||||
|
||||
### TLS minimum recommended version
|
||||
|
||||
As we have [moved away from supporting TLS 1.0 and 1.1](https://about.gitlab.com/blog/2018/10/15/gitlab-to-deprecate-older-tls/), we should only use TLS 1.2 and above.
|
||||
|
||||
#### Ciphers
|
||||
|
||||
We recommend using the ciphers that Mozilla is providing in their [recommended SSL configuration generator](https://ssl-config.mozilla.org/#server=go&version=1.17&config=intermediate&guideline=5.6) for TLS 1.2:
|
||||
|
||||
- `ECDHE-ECDSA-AES128-GCM-SHA256`
|
||||
- `ECDHE-RSA-AES128-GCM-SHA256`
|
||||
- `ECDHE-ECDSA-AES256-GCM-SHA384`
|
||||
- `ECDHE-RSA-AES256-GCM-SHA384`
|
||||
- `ECDHE-ECDSA-CHACHA20-POLY1305`
|
||||
- `ECDHE-RSA-CHACHA20-POLY1305`
|
||||
|
||||
And the following cipher suites (according to the [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#appendix-B.4)) for TLS 1.3:
|
||||
|
||||
- `TLS_AES_128_GCM_SHA256`
|
||||
- `TLS_AES_256_GCM_SHA384`
|
||||
- `TLS_CHACHA20_POLY1305_SHA256`
|
||||
|
||||
*Note*: **Golang** does [not support](https://github.com/golang/go/blob/go1.17/src/crypto/tls/cipher_suites.go#L676) all cipher suites with TLS 1.3.
|
||||
|
||||
##### Implementation examples
|
||||
|
||||
##### TLS 1.3
|
||||
|
||||
For TLS 1.3, **Golang** only supports [3 cipher suites](https://github.com/golang/go/blob/go1.17/src/crypto/tls/cipher_suites.go#L676), as such we only need to set the TLS version:
|
||||
|
||||
```golang
|
||||
cfg := &tls.Config{
|
||||
MinVersion: tls.VersionTLS13,
|
||||
}
|
||||
```
|
||||
|
||||
For **Ruby**, you can use [HTTParty](https://github.com/jnunemaker/httparty) and specify TLS 1.3 version as well as ciphers:
|
||||
|
||||
Whenever possible this example should be **avoided** for security purposes:
|
||||
|
||||
```ruby
|
||||
response = HTTParty.get('https://gitlab.com', ssl_version: :TLSv1_3, ciphers: ['TLS_AES_128_GCM_SHA256', 'TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'])
|
||||
```
|
||||
|
||||
When using [`GitLab::HTTP`](#gitlab-http-library), the code looks like:
|
||||
|
||||
This is the **recommended** implementation to avoid security issues such as SSRF:
|
||||
|
||||
```ruby
|
||||
response = GitLab::HTTP.perform_request(Net::HTTP::Get, 'https://gitlab.com', ssl_version: :TLSv1_3, ciphers: ['TLS_AES_128_GCM_SHA256', 'TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256'])
|
||||
```
|
||||
|
||||
##### TLS 1.2
|
||||
|
||||
**Golang** does support multiple cipher suites that we do not want to use with TLS 1.2. We need to explicitly list authorised ciphers:
|
||||
|
||||
```golang
|
||||
func secureCipherSuites() []uint16 {
|
||||
return []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
}
|
||||
```
|
||||
|
||||
And then use `secureCipherSuites()` in `tls.Config`:
|
||||
|
||||
```golang
|
||||
tls.Config{
|
||||
(...),
|
||||
CipherSuites: secureCipherSuites(),
|
||||
MinVersion: tls.VersionTLS12,
|
||||
(...),
|
||||
}
|
||||
```
|
||||
|
||||
This example was taken [here](https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/871b52dc700f1a66f6644fbb1e78a6d463a6ff83/internal/tool/tlstool/tlstool.go#L72).
|
||||
|
||||
For **Ruby**, you can use again [HTTParty](https://github.com/jnunemaker/httparty) and specify this time TLS 1.2 version alongside with the recommended ciphers:
|
||||
|
||||
```ruby
|
||||
response = GitLab::HTTP.perform_request(Net::HTTP::Get, 'https://gitlab.com', ssl_version: :TLSv1_2, ciphers: ['ECDHE-ECDSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-ECDSA-AES256-GCM-SHA384', 'ECDHE-RSA-AES256-GCM-SHA384', 'ECDHE-ECDSA-CHACHA20-POLY1305', 'ECDHE-RSA-CHACHA20-POLY1305'])
|
||||
```
|
||||
|
||||
## GitLab Internal Authorization
|
||||
|
||||
### Introduction
|
||||
|
|
|
@ -169,5 +169,6 @@ You can do so by managing client keys with the [error tracking API](../api/error
|
|||
|
||||
#### Limitations
|
||||
|
||||
The Integrated Error Tracking feature was built and tested with Sentry SDK for Ruby. Other languages and frameworks
|
||||
are not tested and might not work. Check [the compatibility issue](https://gitlab.com/gitlab-org/gitlab/-/issues/340178) for more information.
|
||||
The Integrated Error Tracking feature was built and tested with Sentry SDK for Ruby on Rails.
|
||||
Support for other languages and frameworks is not guaranteed. For up-to-date information, see the
|
||||
[compatibility issue](https://gitlab.com/gitlab-org/gitlab/-/issues/340178).
|
||||
|
|
|
@ -109,6 +109,6 @@ The [built-in supported applications](https://gitlab.com/gitlab-org/project-temp
|
|||
|
||||
#### How to customize your applications
|
||||
|
||||
Each app has an `applications/{app}/values.yaml` file (`applicaton/{app}/values.yaml.gotmpl` in case of GitLab Runner). This is the
|
||||
Each app has an `applications/{app}/values.yaml` file (`applications/{app}/values.yaml.gotmpl` in case of GitLab Runner). This is the
|
||||
place where you can define default values for your app's Helm chart. Some apps already have defaults
|
||||
pre-defined by GitLab.
|
||||
|
|
|
@ -190,14 +190,25 @@ module API
|
|||
pipeline = current_authenticated_job.pipeline
|
||||
project = current_authenticated_job.project
|
||||
agent_authorizations = Clusters::AgentAuthorizationsFinder.new(project).execute
|
||||
project_groups = project.group&.self_and_ancestor_ids&.map { |id| { id: id } } || []
|
||||
user_access_level = project.team.max_member_access(current_user.id)
|
||||
roles_in_project = Gitlab::Access.sym_options_with_owner
|
||||
.select { |_role, role_access_level| role_access_level <= user_access_level }
|
||||
.map(&:first)
|
||||
|
||||
environment = if environment_slug = current_authenticated_job.deployment&.environment&.slug
|
||||
{ slug: environment_slug }
|
||||
end
|
||||
|
||||
# See https://gitlab.com/gitlab-org/cluster-integration/gitlab-agent/-/blob/master/doc/kubernetes_ci_access.md#apiv4joballowed_agents-api
|
||||
{
|
||||
allowed_agents: Entities::Clusters::AgentAuthorization.represent(agent_authorizations),
|
||||
job: Entities::Ci::JobRequest::JobInfo.represent(current_authenticated_job),
|
||||
pipeline: Entities::Ci::PipelineBasic.represent(pipeline),
|
||||
project: Entities::ProjectIdentity.represent(project),
|
||||
user: Entities::UserBasic.represent(current_user)
|
||||
}
|
||||
job: { id: current_authenticated_job.id },
|
||||
pipeline: { id: pipeline.id },
|
||||
project: { id: project.id, groups: project_groups },
|
||||
user: { id: current_user.id, username: current_user.username, roles_in_project: roles_in_project },
|
||||
environment: environment
|
||||
}.compact
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -44,7 +44,7 @@ module Gitlab
|
|||
new_blob_lazy
|
||||
old_blob_lazy
|
||||
|
||||
preprocess_before_diff(diff) if Feature.enabled?(:jupyter_clean_diffs, @project)
|
||||
preprocess_before_diff(diff) if Feature.enabled?(:jupyter_clean_diffs, repository.project)
|
||||
end
|
||||
|
||||
def position(position_marker, position_type: :text)
|
||||
|
|
|
@ -9,7 +9,11 @@ FactoryBot.define do
|
|||
package_file { association(:helm_package_file, without_loaded_metadatum: true) }
|
||||
sequence(:channel) { |n| "#{FFaker::Lorem.word}-#{n}" }
|
||||
metadata do
|
||||
{ 'name': package_file.package.name, 'version': package_file.package.version, 'apiVersion': 'v2' }.tap do |defaults|
|
||||
{
|
||||
'name': package_file.package.name,
|
||||
'version': package_file.package.version,
|
||||
'apiVersion': 'v2'
|
||||
}.tap do |defaults|
|
||||
defaults['description'] = description if description
|
||||
end
|
||||
end
|
||||
|
|
|
@ -146,8 +146,7 @@ RSpec.describe "Issues > User edits issue", :js do
|
|||
fill_in 'Comment', with: '/label ~syzygy'
|
||||
|
||||
click_button 'Comment'
|
||||
|
||||
wait_for_requests
|
||||
expect(page).to have_text('added syzygy label just now')
|
||||
|
||||
page.within '.block.labels' do
|
||||
# Remove `verisimilitude` label
|
||||
|
@ -155,8 +154,6 @@ RSpec.describe "Issues > User edits issue", :js do
|
|||
click_button
|
||||
end
|
||||
|
||||
wait_for_requests
|
||||
|
||||
expect(page).to have_text('syzygy')
|
||||
expect(page).not_to have_text('verisimilitude')
|
||||
end
|
||||
|
|
|
@ -12,7 +12,6 @@
|
|||
"tags",
|
||||
"pipelines",
|
||||
"versions",
|
||||
"metadata",
|
||||
"status",
|
||||
"canDestroy"
|
||||
],
|
||||
|
@ -47,7 +46,8 @@
|
|||
"GENERIC",
|
||||
"GOLANG",
|
||||
"RUBYGEMS",
|
||||
"DEBIAN"
|
||||
"DEBIAN",
|
||||
"HELM"
|
||||
]
|
||||
},
|
||||
"tags": {
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
require 'spec_helper'
|
||||
|
||||
RSpec.describe GitlabSchema.types['ReleaseEvidence'] do
|
||||
it { expect(described_class).to require_graphql_authorizations(:download_code) }
|
||||
specify { expect(described_class).to require_graphql_authorizations(:read_release_evidence) }
|
||||
|
||||
it 'has the expected fields' do
|
||||
expected_fields = %w[
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe GitlabSchema.types['PackageHelmDependencyType'] do
|
||||
it { expect(described_class.graphql_name).to eq('PackageHelmDependencyType') }
|
||||
|
||||
it 'includes helm dependency fields' do
|
||||
expected_fields = %w[
|
||||
name version repository condition tags enabled import_values alias
|
||||
]
|
||||
|
||||
expect(described_class).to include_graphql_fields(*expected_fields)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,15 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe GitlabSchema.types['HelmFileMetadata'] do
|
||||
it { expect(described_class.graphql_name).to eq('HelmFileMetadata') }
|
||||
|
||||
it 'includes helm file metadatum fields' do
|
||||
expected_fields = %w[
|
||||
created_at updated_at channel metadata
|
||||
]
|
||||
|
||||
expect(described_class).to include_graphql_fields(*expected_fields)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,15 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe GitlabSchema.types['PackageHelmMaintainerType'] do
|
||||
it { expect(described_class.graphql_name).to eq('PackageHelmMaintainerType') }
|
||||
|
||||
it 'includes helm maintainer fields' do
|
||||
expected_fields = %w[
|
||||
name email url
|
||||
]
|
||||
|
||||
expect(described_class).to include_graphql_fields(*expected_fields)
|
||||
end
|
||||
end
|
|
@ -0,0 +1,15 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe GitlabSchema.types['PackageHelmMetadataType'] do
|
||||
it { expect(described_class.graphql_name).to eq('PackageHelmMetadataType') }
|
||||
|
||||
it 'includes helm json fields' do
|
||||
expected_fields = %w[
|
||||
name home sources version description keywords maintainers icon apiVersion condition tags appVersion deprecated annotations kubeVersion dependencies type
|
||||
]
|
||||
|
||||
expect(described_class).to include_graphql_fields(*expected_fields)
|
||||
end
|
||||
end
|
|
@ -177,11 +177,16 @@ RSpec.describe API::Ci::Jobs do
|
|||
end
|
||||
|
||||
describe 'GET /job/allowed_agents' do
|
||||
let_it_be(:group_authorization) { create(:agent_group_authorization) }
|
||||
let_it_be(:associated_agent) { create(:cluster_agent, project: project) }
|
||||
let_it_be(:group) { create(:group) }
|
||||
let_it_be(:group_agent) { create(:cluster_agent, project: create(:project, group: group)) }
|
||||
let_it_be(:group_authorization) { create(:agent_group_authorization, agent: group_agent, group: group) }
|
||||
let_it_be(:project_agent) { create(:cluster_agent, project: project) }
|
||||
|
||||
let(:implicit_authorization) { Clusters::Agents::ImplicitAuthorization.new(agent: associated_agent) }
|
||||
let(:authorizations_finder) { double(execute: [implicit_authorization, group_authorization]) }
|
||||
before(:all) do
|
||||
project.update!(group: group_authorization.group)
|
||||
end
|
||||
|
||||
let(:implicit_authorization) { Clusters::Agents::ImplicitAuthorization.new(agent: project_agent) }
|
||||
|
||||
let(:headers) { { API::Ci::Helpers::Runner::JOB_TOKEN_HEADER => job.token } }
|
||||
let(:job) { create(:ci_build, :artifacts, pipeline: pipeline, user: api_user, status: job_status) }
|
||||
|
@ -193,44 +198,22 @@ RSpec.describe API::Ci::Jobs do
|
|||
end
|
||||
|
||||
before do
|
||||
allow(Clusters::AgentAuthorizationsFinder).to receive(:new).with(project).and_return(authorizations_finder)
|
||||
|
||||
subject
|
||||
end
|
||||
|
||||
context 'when token is valid and user is authorized' do
|
||||
it 'returns agent info', :aggregate_failures do
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
|
||||
expect(json_response.dig('job', 'id')).to eq(job.id)
|
||||
expect(json_response.dig('pipeline', 'id')).to eq(job.pipeline_id)
|
||||
expect(json_response.dig('project', 'id')).to eq(job.project_id)
|
||||
expect(json_response.dig('user', 'username')).to eq(api_user.username)
|
||||
expect(json_response['allowed_agents']).to match_array([
|
||||
{
|
||||
'id' => implicit_authorization.agent_id,
|
||||
'config_project' => hash_including('id' => implicit_authorization.agent.project_id),
|
||||
'configuration' => implicit_authorization.config
|
||||
},
|
||||
{
|
||||
'id' => group_authorization.agent_id,
|
||||
'config_project' => hash_including('id' => group_authorization.agent.project_id),
|
||||
'configuration' => group_authorization.config
|
||||
}
|
||||
])
|
||||
end
|
||||
|
||||
context 'when passing the token as params' do
|
||||
let(:headers) { {} }
|
||||
let(:params) { { job_token: job.token } }
|
||||
|
||||
shared_examples_for 'valid allowed_agents request' do
|
||||
it 'returns agent info', :aggregate_failures do
|
||||
expect(response).to have_gitlab_http_status(:ok)
|
||||
|
||||
expect(json_response.dig('job', 'id')).to eq(job.id)
|
||||
expect(json_response.dig('pipeline', 'id')).to eq(job.pipeline_id)
|
||||
expect(json_response.dig('project', 'id')).to eq(job.project_id)
|
||||
expect(json_response.dig('project', 'groups')).to match_array([{ 'id' => group_authorization.group.id }])
|
||||
expect(json_response.dig('user', 'id')).to eq(api_user.id)
|
||||
expect(json_response.dig('user', 'username')).to eq(api_user.username)
|
||||
expect(json_response.dig('user', 'roles_in_project')).to match_array %w(guest reporter developer)
|
||||
expect(json_response).not_to include('environment')
|
||||
expect(json_response['allowed_agents']).to match_array([
|
||||
{
|
||||
'id' => implicit_authorization.agent_id,
|
||||
|
@ -239,12 +222,29 @@ RSpec.describe API::Ci::Jobs do
|
|||
},
|
||||
{
|
||||
'id' => group_authorization.agent_id,
|
||||
'config_project' => a_hash_including('id' => group_authorization.agent.project_id),
|
||||
'config_project' => hash_including('id' => group_authorization.agent.project_id),
|
||||
'configuration' => group_authorization.config
|
||||
}
|
||||
])
|
||||
end
|
||||
end
|
||||
|
||||
it_behaves_like 'valid allowed_agents request'
|
||||
|
||||
context 'when deployment' do
|
||||
let(:job) { create(:ci_build, :artifacts, :with_deployment, environment: 'production', pipeline: pipeline, user: api_user, status: job_status) }
|
||||
|
||||
it 'includes environment slug' do
|
||||
expect(json_response.dig('environment', 'slug')).to eq('production')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when passing the token as params' do
|
||||
let(:headers) { {} }
|
||||
let(:params) { { job_token: job.token } }
|
||||
|
||||
it_behaves_like 'valid allowed_agents request'
|
||||
end
|
||||
end
|
||||
|
||||
context 'when user is anonymous' do
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
# frozen_string_literal: true
|
||||
require 'spec_helper'
|
||||
|
||||
RSpec.describe 'helm package details' do
|
||||
include GraphqlHelpers
|
||||
include_context 'package details setup'
|
||||
|
||||
let_it_be(:package) { create(:helm_package, project: project) }
|
||||
|
||||
let(:package_files_metadata) {query_graphql_fragment('HelmFileMetadata')}
|
||||
|
||||
let(:query) do
|
||||
graphql_query_for(:package, { id: package_global_id }, <<~FIELDS)
|
||||
#{all_graphql_fields_for('PackageDetailsType', max_depth: depth, excluded: excluded)}
|
||||
packageFiles {
|
||||
nodes {
|
||||
#{package_files}
|
||||
fileMetadata {
|
||||
#{package_files_metadata}
|
||||
}
|
||||
}
|
||||
}
|
||||
FIELDS
|
||||
end
|
||||
|
||||
subject { post_graphql(query, current_user: user) }
|
||||
|
||||
before do
|
||||
subject
|
||||
end
|
||||
|
||||
it_behaves_like 'a package detail'
|
||||
it_behaves_like 'a package with files'
|
||||
|
||||
it 'has the correct file metadata' do
|
||||
expect(first_file_response_metadata).to include(
|
||||
'channel' => first_file.helm_file_metadatum.channel
|
||||
)
|
||||
expect(first_file_response_metadata['metadata']).to include(
|
||||
'name' => first_file.helm_file_metadatum.metadata['name'],
|
||||
'home' => first_file.helm_file_metadatum.metadata['home'],
|
||||
'sources' => first_file.helm_file_metadatum.metadata['sources'],
|
||||
'version' => first_file.helm_file_metadatum.metadata['version'],
|
||||
'description' => first_file.helm_file_metadatum.metadata['description'],
|
||||
'keywords' => first_file.helm_file_metadatum.metadata['keywords'],
|
||||
'maintainers' => first_file.helm_file_metadatum.metadata['maintainers'],
|
||||
'icon' => first_file.helm_file_metadatum.metadata['icon'],
|
||||
'apiVersion' => first_file.helm_file_metadatum.metadata['apiVersion'],
|
||||
'condition' => first_file.helm_file_metadatum.metadata['condition'],
|
||||
'tags' => first_file.helm_file_metadatum.metadata['tags'],
|
||||
'appVersion' => first_file.helm_file_metadatum.metadata['appVersion'],
|
||||
'deprecated' => first_file.helm_file_metadatum.metadata['deprecated'],
|
||||
'annotations' => first_file.helm_file_metadatum.metadata['annotations'],
|
||||
'kubeVersion' => first_file.helm_file_metadatum.metadata['kubeVersion'],
|
||||
'dependencies' => first_file.helm_file_metadatum.metadata['dependencies'],
|
||||
'type' => first_file.helm_file_metadatum.metadata['type']
|
||||
)
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue