Add latest changes from gitlab-org/gitlab@master

2023-05-31 12:07:08 +00:00 · 2023-05-31 12:07:08 +00:00 · 07f6ded1cb
parent b7a422e845
commit 07f6ded1cb
21 changed files with 46 additions and 109 deletions
--- a/.gitlab/ci/frontend.gitlab-ci.yml
+++ b/.gitlab/ci/frontend.gitlab-ci.yml
@ -260,7 +260,7 @@ jest:
      - tmp/tests/frontend/
    reports:
      junit: junit_jest.xml
-  parallel: 7
+  parallel: 12

 jest predictive:
  extends:
@ -278,7 +278,7 @@ jest as-if-foss:
    - .frontend:rules:jest:as-if-foss
    - .as-if-foss
  needs: ["rspec-all frontend_fixture as-if-foss"]
-  parallel: 4
+  parallel: 10

 jest predictive as-if-foss:
  extends:
--- a/.gitlab/ci/review-apps/main.gitlab-ci.yml
+++ b/.gitlab/ci/review-apps/main.gitlab-ci.yml
@ -44,7 +44,7 @@ review-build-cng:
  variables:
    HOST_SUFFIX: "${CI_ENVIRONMENT_SLUG}"
    DOMAIN: "-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}"
-    GITLAB_HELM_CHART_REF: "a468cd56328c55df994ba0678ba1add8691d3f7f"  # 6.11.5: https://gitlab.com/gitlab-org/charts/gitlab/-/commit/a468cd56328c55df994ba0678ba1add8691d3f7f
+    GITLAB_HELM_CHART_REF: "75b1486a9aec212d0f49ef1251526d8e51004bbc"  # 7.0.1: https://gitlab.com/gitlab-org/charts/gitlab/-/commit/75b1486a9aec212d0f49ef1251526d8e51004bbc
  environment:
    name: review/${CI_COMMIT_REF_SLUG}${SCHEDULE_TYPE}  # No separator for SCHEDULE_TYPE so it's compatible as before and looks nice without it
    url: https://gitlab-${CI_ENVIRONMENT_SLUG}.${REVIEW_APPS_DOMAIN}
--- a/app/models/personal_access_token.rb
+++ b/app/models/personal_access_token.rb
@ -24,11 +24,6 @@ class PersonalAccessToken < ApplicationRecord
  after_initialize :set_default_scopes, if: :persisted?
  before_save :ensure_token

-  # During the implementation of Admin Mode for API, tokens of
-  # administrators should automatically get the `admin_mode` scope as well
-  # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692
-  before_create :add_admin_mode_scope, if: -> { Feature.disabled?(:admin_mode_for_api) && user_admin? }
-
  scope :active, -> { not_revoked.not_expired }
  scope :expiring_and_not_notified, ->(date) { where(["revoked = false AND expire_notification_delivered = false AND expires_at >= CURRENT_DATE AND expires_at <= ?", date]) }
  scope :expired_today_and_not_notified, -> { where(["revoked = false AND expires_at = CURRENT_DATE AND after_expiry_notification_delivered = false"]) }
@ -91,10 +86,7 @@ class PersonalAccessToken < ApplicationRecord
  protected

  def validate_scopes
-    valid_scopes = Gitlab::Auth.all_available_scopes
-    valid_scopes += [Gitlab::Auth::ADMIN_MODE_SCOPE] if Feature.disabled?(:admin_mode_for_api)
-
-    unless revoked || scopes.all? { |scope| valid_scopes.include?(scope.to_sym) }
+    unless revoked || scopes.all? { |scope| Gitlab::Auth.all_available_scopes.include?(scope.to_sym) }
      errors.add :scopes, "can only contain available scopes"
    end
  end
@ -111,10 +103,6 @@ class PersonalAccessToken < ApplicationRecord
    user.admin? # rubocop: disable Cop/UserAdmin
  end

-  def add_admin_mode_scope
-    self.scopes += [Gitlab::Auth::ADMIN_MODE_SCOPE.to_s]
-  end
-
  def prefix_from_application_current_settings
    self.class.token_prefix
  end
--- a/config/feature_flags/development/add_validation_for_push_rules.yml
+++ b/config/feature_flags/development/add_validation_for_push_rules.yml
@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/411901
 milestone: '16.1'
 type: development
 group: group::source code
-default_enabled: false
+default_enabled: true
--- a/config/feature_flags/development/admin_mode_for_api.yml
+++ b/config/feature_flags/development/admin_mode_for_api.yml
@ -1,8 +0,0 @@
---
-name: admin_mode_for_api
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107925
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/387729
-milestone: '15.8'
-type: development
-group: group::authentication and authorization
-default_enabled: false
--- a/db/post_migrate/20230523210653_remove_file_md5_from_debian_project_component_files.rb
+++ b/db/post_migrate/20230523210653_remove_file_md5_from_debian_project_component_files.rb
@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class RemoveFileMd5FromDebianProjectComponentFiles < Gitlab::Database::Migration[2.1]
+  enable_lock_retries!
+
+  def change
+    remove_column :packages_debian_project_component_files, :file_md5, :bytea
+  end
+end
--- a/db/post_migrate/20230523210758_remove_file_md5_from_debian_group_component_files.rb
+++ b/db/post_migrate/20230523210758_remove_file_md5_from_debian_group_component_files.rb
@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class RemoveFileMd5FromDebianGroupComponentFiles < Gitlab::Database::Migration[2.1]
+  enable_lock_retries!
+
+  def change
+    remove_column :packages_debian_group_component_files, :file_md5, :bytea
+  end
+end
--- a/db/schema_migrations/20230523210653
+++ b/db/schema_migrations/20230523210653
@ -0,0 +1 @@
+20696f0e2e6e7bc7df4696fd91e621538f7a2f8f55e2059bc83f0081811bc365
--- a/db/schema_migrations/20230523210758
+++ b/db/schema_migrations/20230523210758
@ -0,0 +1 @@
+5cae86aed3b05da49cfa963f0c601763ef433839be4360b6280f8f66f60b279d
--- a/db/structure.sql
+++ b/db/structure.sql
@ -19358,7 +19358,6 @@ CREATE TABLE packages_debian_group_component_files (
    compression_type smallint,
    file_store smallint DEFAULT 1 NOT NULL,
    file text NOT NULL,
-    file_md5 bytea,
    file_sha256 bytea NOT NULL,
    CONSTRAINT check_839e1685bc CHECK ((char_length(file) <= 255))
 );
@ -19483,7 +19482,6 @@ CREATE TABLE packages_debian_project_component_files (
    compression_type smallint,
    file_store smallint DEFAULT 1 NOT NULL,
    file text NOT NULL,
-    file_md5 bytea,
    file_sha256 bytea NOT NULL,
    CONSTRAINT check_e5af03fa2d CHECK ((char_length(file) <= 255))
 );
--- a/doc/administration/packages/container_registry.md
+++ b/doc/administration/packages/container_registry.md
@ -598,7 +598,7 @@ The default configuration for the storage driver is scheduled to be [changed](ht
 <!--- end_remove -->

 When moving from an existing file system or another object storage provider to Azure Object Storage, you must configure the registry to use the standard root directory.
-Configure it by setting [`trimlegacyrootprefix: true]`](https://gitlab.com/gitlab-org/container-registry/-/blob/a3f64464c3ec1c5a599c0a2daa99ebcbc0100b9a/docs-gitlab/README.md#azure-storage-driver) in the Azure storage driver section of the registry configuration.
+Configure it by setting [`trimlegacyrootprefix: true`](https://gitlab.com/gitlab-org/container-registry/-/blob/a3f64464c3ec1c5a599c0a2daa99ebcbc0100b9a/docs-gitlab/README.md#azure-storage-driver) in the Azure storage driver section of the registry configuration.
 Without this configuration, the Azure storage driver uses `//` instead of `/` as the first section of the root path, rendering the migrated images inaccessible.

 **Omnibus GitLab installations**
--- a/doc/development/ai_features.md
+++ b/doc/development/ai_features.md
@ -457,6 +457,13 @@ module Gitlab
 end
 ```

+Because we support multiple AI providers, you may also use those providers for the same example:
+
+```ruby
+Gitlab::Llm::VertexAi::Client.new(user)
+Gitlab::Llm::Anthropic::Client.new(user)
+```
+
 ### Add Ai Action to GraphQL

 TODO
--- a/doc/user/project/service_desk.md
+++ b/doc/user/project/service_desk.md
@ -182,6 +182,11 @@ Behind the scenes, Service Desk works by the special Support Bot user creating i
 This user isn't a [billable user](../../subscriptions/self_managed/index.md#billable-users),
 so it does not count toward the license limit count.

+In GitLab 16.0 and earlier, comments generated from Service Desk emails show `GitLab Support Bot`
+as the author. In [GitLab 16.1 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/226995),
+these comments show the email of the user who sent the email.
+This feature only applies to comments made in GitLab 16.1 and later.
+
 #### Change the Support Bot's display name

 You can change the display name of the Support Bot user. Emails sent from Service Desk have
--- a/lib/api/api_guard.rb
+++ b/lib/api/api_guard.rb
@ -83,10 +83,7 @@ module API
      private

      def bypass_session_for_admin_mode?(user)
-        return user.is_a?(User) && Gitlab::CurrentSettings.admin_mode if Feature.disabled?(:admin_mode_for_api)
-
-        return false unless Gitlab::CurrentSettings.admin_mode
-        return false unless user.is_a?(User)
+        return false unless user.is_a?(User) && Gitlab::CurrentSettings.admin_mode

        Gitlab::Session.with_session(current_request.session) { Gitlab::Auth::CurrentUserMode.new(user).admin_mode? } ||
          Gitlab::Auth::RequestAuthenticator.new(current_request).valid_access_token?(scopes: [:admin_mode])
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@ -401,7 +401,7 @@ module Gitlab
          scopes = non_admin_available_scopes

          if resource.admin? # rubocop: disable Cop/UserAdmin
-            scopes += Feature.enabled?(:admin_mode_for_api) ? ADMIN_SCOPES : [SUDO_SCOPE]
+            scopes += ADMIN_SCOPES
          end

          scopes
--- a/qa/qa/specs/features/browser_ui/1_manage/login/login_via_oauth_and_oidc_with_gitlab_as_idp_spec.rb
+++ b/qa/qa/specs/features/browser_ui/1_manage/login/login_via_oauth_and_oidc_with_gitlab_as_idp_spec.rb
@ -2,11 +2,7 @@

 module QA
  RSpec.describe 'Manage', :skip_live_env, requires_admin: 'creates users and instance OAuth application',
-    product_group: :authentication_and_authorization, quarantine: {
-      only: { pipeline: :nightly },
-      type: :investigating,
-      issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/408317'
-    } do
+    product_group: :authentication_and_authorization do
    let!(:user) { Resource::User.fabricate_via_api! }
    let(:consumer_host) { "http://#{consumer_name}.#{Runtime::Env.running_in_ci? ? 'test' : 'bridge'}" }
    let(:instance_oauth_app) do
@ -65,7 +61,9 @@ module QA

        expect(page.driver.current_url).to include(Runtime::Scenario.gitlab_address)

-        Flow::Login.sign_in(as: user)
+        Flow::Login.sign_in(as: user, skip_page_validation: true)
+
+        Flow::UserOnboarding.onboard_user

        expect(page.driver.current_url).to include(consumer_host)

--- a/scripts/lint-doc.sh
+++ b/scripts/lint-doc.sh
@ -197,7 +197,7 @@ then
  # shellcheck disable=2059
  printf "${COLOR_GREEN}INFO: Merged results pipeline detected, but no markdown files found. Skipping.${COLOR_RESET}\n"
 else
-  if ! yarn markdownlint --config .markdownlint.yml "${MD_DOC_PATH}" --rules doc/.markdownlint/rules;
+  if ! yarn markdownlint --rules doc/.markdownlint/rules ${MD_DOC_PATH};
  then
    # shellcheck disable=2059
    printf "${COLOR_RED}ERROR: Markdownlint failed with errors!${COLOR_RESET}\n" >&2
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@ -115,26 +115,6 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
      end
    end

-    context 'with admin_mode_for_api feature flag disabled' do
-      before do
-        stub_feature_flags(admin_mode_for_api: false)
-      end
-
-      it 'contains all non-default scopes' do
-        expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode read_observability write_observability]
-      end
-
-      it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do
-        user = build_stubbed(:user, admin: true)
-
-        expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo]
-      end
-
-      it 'optional_scopes contains all non-default scopes' do
-        expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email read_observability write_observability]
-      end
-    end
-
    context 'registry_scopes' do
      context 'when registry is disabled' do
        before do
--- a/spec/models/personal_access_token_spec.rb
+++ b/spec/models/personal_access_token_spec.rb
@ -216,18 +216,6 @@ RSpec.describe PersonalAccessToken, feature_category: :system_access do
      expect(personal_access_token).to be_valid
    end

-    context 'with feature flag disabled' do
-      before do
-        stub_feature_flags(admin_mode_for_api: false)
-      end
-
-      it "allows creating a token with `admin_mode` scope" do
-        personal_access_token.scopes = [:api, :admin_mode]
-
-        expect(personal_access_token).to be_valid
-      end
-    end
-
    context 'when registry is disabled' do
      before do
        stub_container_registry_config(enabled: false)
@ -403,28 +391,6 @@ RSpec.describe PersonalAccessToken, feature_category: :system_access do
        end
      end
    end
-
-    context 'with feature flag disabled' do
-      before do
-        stub_feature_flags(admin_mode_for_api: false)
-      end
-
-      context 'with administrator user' do
-        let_it_be(:user) { create(:user, :admin) }
-
-        it 'adds `admin_mode` scope before created' do
-          expect(subject.scopes).to contain_exactly('api', 'admin_mode')
-        end
-      end
-
-      context 'with normal user' do
-        let_it_be(:user) { create(:user) }
-
-        it 'does not add `admin_mode` scope before created' do
-          expect(subject.scopes).to contain_exactly('api')
-        end
-      end
-    end
  end

  describe 'token format' do
--- a/spec/requests/api/features_spec.rb
+++ b/spec/requests/api/features_spec.rb
@ -26,8 +26,6 @@ RSpec.describe API::Features, stub_feature_flags: false, feature_category: :feat
      actor.respond_to?(:admin) && actor.admin?
    end

-    stub_feature_flags(admin_mode_for_api: true)
-
    skip_feature_flags_yaml_validation
    skip_default_enabled_yaml_check
  end
@ -86,9 +84,7 @@ RSpec.describe API::Features, stub_feature_flags: false, feature_category: :feat
      expect(response).to have_gitlab_http_status(:unauthorized)
    end

-    # Skipping this spec here, because the spec clears all the feature flags to have a deterministic list of features returned.
-    # which in turns causes the `admin_mode` feature not to be enabled and the spec to fail.
-    it 'returns the feature list for admins', :skip do
+    it 'returns the feature list for admins' do
      get api('/features', admin, admin_mode: true)

      expect(json_response).to match_array(expected_features)
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@ -351,16 +351,6 @@ RSpec.configure do |config|
      end
    end

-    # See https://gitlab.com/gitlab-org/gitlab/-/issues/42692
-    # The ongoing implementation of Admin Mode for API is behind the :admin_mode_for_api feature flag.
-    # All API specs will be adapted continuously. The following list contains the specs that have not yet been adapted.
-    # The feature flag is disabled for these specs as long as they are not yet adapted.
-    admin_mode_for_api_feature_flag_paths = %w[]
-
-    if example.metadata[:file_path].start_with?(*admin_mode_for_api_feature_flag_paths)
-      stub_feature_flags(admin_mode_for_api: false)
-    end
-
    # Make sure specs test by default admin mode setting on, unless forced to the opposite
    stub_application_setting(admin_mode: true) unless example.metadata[:do_not_mock_admin_mode_setting]
				`@ -0,0 +1 @@`
				`20696f0e2e6e7bc7df4696fd91e621538f7a2f8f55e2059bc83f0081811bc365`
				`@ -0,0 +1 @@`
				`5cae86aed3b05da49cfa963f0c601763ef433839be4360b6280f8f66f60b279d`