Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2022-09-16 06:14:23 +00:00
parent 0e6ff93eba
commit 2800e6ea59
33 changed files with 442 additions and 80 deletions


@ -12,13 +12,13 @@ docs/CODEOWNERS @clefelhocz1 @timzallmann @cdu1 @wayne @dsatcher @sgoldstein @je
GITALY_SERVER_VERSION @project_278964_bot6 @gitlab-org/maintainers/rails-backend @gitlab-org/delivery
## Files that are excluded from required approval
/.gitlab/issue_templates/
/.gitlab/merge_request_templates/
/.gitlab/issue_templates/*.md
/.gitlab/merge_request_templates/*.md
/doc/*.md
/doc/**/*.md
/doc/**/*.png
/data/deprecations/
/data/removals/
/data/deprecations/*.yml
/data/removals/*.yml
^[Backend]
*.rb @gitlab-org/maintainers/rails-backend
@ -1160,7 +1160,7 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
/ee/app/controllers/groups/omniauth_callbacks_controller.rb @gitlab-org/manage/authentication-and-authorization/approvers
/ee/app/controllers/groups/scim_oauth_controller.rb @gitlab-org/manage/authentication-and-authorization/approvers
/ee/app/controllers/oauth/ @gitlab-org/manage/authentication-and-authorization/approvers
/ee/app/controllers/omniauth_kerberos_spnego_controller.rb @gitlab-org/manage/authentication-and-authorization/approvers
/ee/app/controllers/omniauth_kerberos_controller.rb @gitlab-org/manage/authentication-and-authorization/approvers
/ee/app/finders/auth/ @gitlab-org/manage/authentication-and-authorization/approvers
/ee/app/helpers/ee/access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization/approvers
/ee/app/helpers/ee/auth_helper.rb @gitlab-org/manage/authentication-and-authorization/approvers


@ -851,7 +851,7 @@ Gitlab/NamespacedClass:
- 'app/workers/x509_issuer_crl_check_worker.rb'
- 'ee/app/controllers/countries_controller.rb'
- 'ee/app/controllers/country_states_controller.rb'
- 'ee/app/controllers/omniauth_kerberos_spnego_controller.rb'
- 'ee/app/controllers/omniauth_kerberos_controller.rb'
- 'ee/app/controllers/operations_controller.rb'
- 'ee/app/controllers/sitemap_controller.rb'
- 'ee/app/controllers/smartcard_controller.rb'


@ -66,7 +66,7 @@ Rails/HelperInstanceVariable:
- 'ee/app/helpers/ee/groups/group_members_helper.rb'
- 'ee/app/helpers/ee/groups_helper.rb'
- 'ee/app/helpers/ee/integrations_helper.rb'
- 'ee/app/helpers/ee/kerberos_spnego_helper.rb'
- 'ee/app/helpers/ee/kerberos_helper.rb'
- 'ee/app/helpers/ee/labels_helper.rb'
- 'ee/app/helpers/ee/lock_helper.rb'
- 'ee/app/helpers/ee/merge_requests_helper.rb'


@ -73,7 +73,7 @@ RSpec/AnyInstanceOf:
- ee/spec/requests/api/projects_spec.rb
- ee/spec/requests/git_http_spec.rb
- ee/spec/requests/groups_controller_spec.rb
- ee/spec/requests/omniauth_kerberos_spnego_spec.rb
- ee/spec/requests/omniauth_kerberos_spec.rb
- ee/spec/requests/repositories/git_http_controller_spec.rb
- ee/spec/services/ee/git/branch_push_service_spec.rb
- ee/spec/services/ee/merge_requests/create_from_vulnerability_data_service_spec.rb


@ -32,7 +32,7 @@ RSpec/ExpectInHook:
- 'ee/spec/helpers/ee/issues_helper_spec.rb'
- 'ee/spec/helpers/ee/projects/security/dast_configuration_helper_spec.rb'
- 'ee/spec/helpers/ee/welcome_helper_spec.rb'
- 'ee/spec/helpers/kerberos_spnego_helper_spec.rb'
- 'ee/spec/helpers/kerberos_helper_spec.rb'
- 'ee/spec/helpers/vulnerabilities_helper_spec.rb'
- 'ee/spec/lib/ee/api/helpers/members_helpers_spec.rb'
- 'ee/spec/lib/ee/gitlab/auth/ldap/sync/group_spec.rb'
@ -69,7 +69,7 @@ RSpec/ExpectInHook:
- 'ee/spec/requests/api/geo_spec.rb'
- 'ee/spec/requests/api/internal/base_spec.rb'
- 'ee/spec/requests/groups/analytics/devops_adoption_controller_spec.rb'
- 'ee/spec/requests/omniauth_kerberos_spnego_spec.rb'
- 'ee/spec/requests/omniauth_kerberos_spec.rb'
- 'ee/spec/services/analytics/cycle_analytics/stages/update_service_spec.rb'
- 'ee/spec/services/app_sec/dast/profiles/update_service_spec.rb'
- 'ee/spec/services/auto_merge/add_to_merge_train_when_pipeline_succeeds_service_spec.rb'


@ -41,7 +41,7 @@ RSpec/VerifiedDoubles:
- ee/spec/helpers/ee/subscribable_banner_helper_spec.rb
- ee/spec/helpers/ee/trial_helper_spec.rb
- ee/spec/helpers/ee/trial_registration_helper_spec.rb
- ee/spec/helpers/kerberos_spnego_helper_spec.rb
- ee/spec/helpers/kerberos_helper_spec.rb
- ee/spec/helpers/license_helper_spec.rb
- ee/spec/helpers/roadmaps_helper_spec.rb
- ee/spec/helpers/routing/pseudonymization_helper_spec.rb


@ -29,7 +29,7 @@ Style/EmptyElse:
- 'config/initializers/doorkeeper_openid_connect.rb'
- 'ee/app/controllers/admin/audit_logs_controller.rb'
- 'ee/app/controllers/ee/groups_controller.rb'
- 'ee/app/helpers/ee/kerberos_spnego_helper.rb'
- 'ee/app/helpers/ee/kerberos_helper.rb'
- 'ee/app/helpers/ee/trial_helper.rb'
- 'ee/app/models/ee/audit_event.rb'
- 'ee/app/services/ee/users/update_service.rb'


@ -74,7 +74,7 @@ Style/StringConcatenation:
- 'ee/lib/elastic/latest/git_class_proxy.rb'
- 'ee/lib/gitlab/elastic/search_results.rb'
- 'ee/lib/gitlab/geo/git_ssh_proxy.rb'
- 'ee/lib/omni_auth/strategies/kerberos_spnego.rb'
- 'ee/lib/omni_auth/strategies/kerberos.rb'
- 'ee/lib/tasks/gitlab/elastic.rake'
- 'ee/lib/tasks/gitlab/license.rake'
- 'ee/spec/controllers/trial_registrations_controller_spec.rb'


@ -3,7 +3,7 @@
module Repositories
class GitHttpClientController < Repositories::ApplicationController
include ActionController::HttpAuthentication::Basic
include KerberosSpnegoHelper
include KerberosHelper
include Gitlab::Utils::StrongMemoize
attr_reader :authentication_result, :redirected_path
@ -49,7 +49,7 @@ module Repositories
if handle_basic_authentication(login, password)
return # Allow access
end
elsif allow_kerberos_spnego_auth? && spnego_provided?
elsif allow_kerberos_auth? && spnego_provided?
kerberos_user = find_kerberos_user
if kerberos_user
@ -91,7 +91,7 @@ module Repositories
def send_challenges
challenges = []
challenges << 'Basic realm="GitLab"' if allow_basic_auth?
challenges << spnego_challenge if allow_kerberos_spnego_auth?
challenges << spnego_challenge if allow_kerberos_auth?
headers['Www-Authenticate'] = challenges.join("\n") if challenges.any?
end


@ -1,13 +1,13 @@
# frozen_string_literal: true
module KerberosSpnegoHelper
module KerberosHelper
def allow_basic_auth?
true # different behavior in GitLab Enterprise Edition
end
def allow_kerberos_spnego_auth?
def allow_kerberos_auth?
false # different behavior in GitLab Enterprise Edition
end
end
KerberosSpnegoHelper.prepend_mod_with('KerberosSpnegoHelper')
KerberosHelper.prepend_mod_with('KerberosHelper')


@ -8,26 +8,22 @@ module MergeRequests
# Executed when you do fast-forward merge via GitLab UI
#
class FfMergeService < MergeRequests::MergeService
extend ::Gitlab::Utils::Override
private
def commit
ff_merge = repository.ff_merge(current_user,
source,
merge_request.target_branch,
merge_request: merge_request)
override :execute_git_merge
def execute_git_merge
repository.ff_merge(current_user,
source,
merge_request.target_branch,
merge_request: merge_request)
end
if merge_request.squash_on_merge?
merge_request.update_column(:squash_commit_sha, merge_request.in_progress_merge_commit_sha)
end
ff_merge
rescue Gitlab::Git::PreReceiveError => e
Gitlab::ErrorTracking.track_exception(e, pre_receive_message: e.raw_message, merge_request_id: merge_request&.id)
raise MergeError, e.message
rescue StandardError => e
raise MergeError, "Something went wrong during merge: #{e.message}"
ensure
merge_request.update_and_mark_in_progress_merge_commit_sha(nil)
override :merge_success_data
def merge_success_data(commit_id)
# There is no merge commit to update, so this is just blank.
{}
end
end
end
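Review bot: The squash SHA written after a fast-forward merge now comes from the base class, which stores `source`, whereas the removed `commit` stored `merge_request.in_progress_merge_commit_sha`; if those two values can differ for a squashed fast-forward merge this is a silent behaviour change, so it should be confirmed or pinned by a spec. The removed rescue also called `Gitlab::ErrorTracking.track_exception(e, pre_receive_message: e.raw_message, ...)` before re-raising, and the base `try_merge` visible in the next section only re-raises a `MergeError`, so that pre-receive telemetry appears to be lost unless the base class tracks it outside the hunk. The parameter of `merge_success_data` is unused here and should read `def merge_success_data(_commit_id)`, and its comment could state the contract rather than the absence: `# Fast-forward merges produce no merge commit; the base class still records squash_commit_sha when squashing.`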


@ -92,16 +92,26 @@ module MergeRequests
raise_error(GENERIC_ERROR_MESSAGE)
end
data_to_update = { merge_commit_sha: commit_id }
data_to_update[:squash_commit_sha] = source if merge_request.squash_on_merge?
update_merge_sha_metadata(commit_id)
merge_request.update!(**data_to_update)
commit_id
ensure
merge_request.update_and_mark_in_progress_merge_commit_sha(nil)
end
def update_merge_sha_metadata(commit_id)
data_to_update = merge_success_data(commit_id)
data_to_update[:squash_commit_sha] = source if merge_request.squash_on_merge?
merge_request.update!(**data_to_update) if data_to_update.present?
end
def merge_success_data(commit_id)
{ merge_commit_sha: commit_id }
end
def try_merge
repository.merge(current_user, source, merge_request, commit_message)
execute_git_merge
rescue Gitlab::Git::PreReceiveError => e
raise MergeError,
"Something went wrong during merge pre-receive hook. #{e.message}".strip
@ -110,6 +120,10 @@ module MergeRequests
raise_error(GENERIC_ERROR_MESSAGE)
end
def execute_git_merge
repository.merge(current_user, source, merge_request, commit_message)
end
def after_merge
log_info("Post merge started on JID #{merge_jid} with state #{state}")
MergeRequests::PostMergeService.new(project: project, current_user: current_user).execute(merge_request)
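Review bot: `execute_git_merge` and `merge_success_data` are template-method hooks that subclasses override (the fast-forward service does so in the previous section), but nothing in the hunk says so or states their contract, and `update_merge_sha_metadata` mutates the hash that `merge_success_data` returns before passing it to `update!`, so an override returning a shared or frozen hash would break or leak state between calls. Suggested comments: `# Extension point: performs the git merge and returns the resulting commit id.` above `execute_git_merge`, and `# Extension point: attributes to persist after a successful merge. Must return a fresh Hash; update_merge_sha_metadata adds squash_commit_sha to it.` above `merge_success_data`. The `commit_id` argument is passed to `merge_success_data` solely for the base implementation, which is worth a word in the same comment so overrides know they may ignore it.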


@ -4,8 +4,6 @@
.login-body
= render 'devise/sessions/new_crowd'
= render_if_exists 'devise/sessions/new_kerberos_tab'
- ldap_servers.each_with_index do |server, i|
.login-box.tab-pane{ id: "#{server['provider_name']}", role: 'tabpanel', class: active_when(i == 0 && form_based_auth_provider_has_active_class?(:ldapmain)) }
.login-body


@ -4,8 +4,6 @@
.login-body
= render 'devise/sessions/new_crowd'
= render_if_exists 'devise/sessions/new_kerberos_tab'
- ldap_servers.each_with_index do |server, i|
.login-box.tab-pane{ id: "#{server['provider_name']}", role: 'tabpanel', class: active_when(i == 0 && form_based_auth_provider_has_active_class?(:ldapmain)) }
.login-body


@ -1,17 +1,19 @@
%p
Hi #{sanitize_name(@user['name'])}!
= s_('Notify|Hi %{username}!') % {username: sanitize_name(@user['name'])}
%p
- if Gitlab::CurrentSettings.allow_signup?
Your account has been created successfully.
= s_('Notify|Your account has been created successfully.')
- else
The Administrator created an account for you. Now you are a member of the company GitLab application.
= s_('Notify|The Administrator created an account for you. Now you are a member of the company GitLab application.')
%p
login..........................................
= s_('Notify|login..........................................')
%code= @user['email']
- if @user.created_by_id
%p
= link_to "Click here to set your password", edit_password_url(@user, reset_password_token: @token)
= link_to s_('Notify|Click here to set your password'), edit_password_url(@user, reset_password_token: @token)
%p
This link is valid for #{password_reset_token_valid_time}.
After it expires, you can #{link_to("request a new one", new_user_password_url(user_email: @user.email))}.
= s_('Notify|This link is valid for %{password_reset_token_valid_time}.') % {password_reset_token_valid_time: password_reset_token_valid_time}
- a_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % {url: new_user_password_url(user_email: @user.email)}
- a_end = '</a>'.html_safe
= html_escape(s_('Notify|After it expires, you can %{a_start} request a new one %{a_end}.')) % {a_start: a_start, a_end: a_end}
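Review bot: The last line depends on a non-obvious escaping order: `html_escape` is applied to the translated template before the `html_safe` anchor fragments are interpolated, so translator-supplied text is escaped while the constructed `<a>` is kept as markup, and as I read ActiveSupport's `SafeBuffer#%` the `url` value interpolated into `a_start` is escaped as well. That is correct but fragile — swapping the order would render the link as text, and interpolating any non-safe fragment would inject unescaped content — so it deserves a comment on the line above: `-# html_escape runs before interpolation so only a_start/a_end are rendered as markup`. Separately, the msgid pads the link text with spaces inside the anchor (`%{a_start} request a new one %{a_end}`); if that spacing is unintended, tighten the msgid here and in the matching `.po` entry added later in this commit.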


@ -59,7 +59,7 @@
- current_line += line_count
- if @blame_pagination
- if @blame_pagination && @blame_pagination.total_pages > 1
.gl-display-flex.gl-justify-content-center.gl-flex-direction-column.gl-align-items-center.gl-p-3.gl-bg-gray-50.gl-border-t-solid.gl-border-t-1.gl-border-gray-100
= _('For faster browsing, not all history is shown.')
= render Pajamas::ButtonComponent.new(href: namespace_project_blame_path(namespace_id: @project.namespace, project_id: @project, id: @id, no_pagination: true), size: :small, button_options: { class: 'gl-mt-3' }) do |c|


@ -117,6 +117,27 @@ Settings.omniauth.cas3['session_duration'] ||= 8.hours
Settings.omniauth['session_tickets'] ||= Settingslogic.new({})
Settings.omniauth.session_tickets['cas3'] = 'ticket'
# Handle backward compatibility with the renamed kerberos_spnego provider
# https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96335#note_1094265436
Gitlab.ee do
kerberos_spnego = Settings.omniauth.providers.find { |p| p.name == 'kerberos_spnego' }
if kerberos_spnego
Settings.omniauth.providers.delete_if { |p| p.name == 'kerberos' }
kerberos_spnego['name'] = 'kerberos'
omniauth_keys = %w(allow_single_sign_on auto_link_user external_providers sync_profile_from_provider allow_bypass_two_factor)
omniauth_keys.each do |key|
next unless Settings.omniauth[key].is_a?(Array)
Settings.omniauth[key].map! { |p| p == 'kerberos_spnego' ? 'kerberos' : p }
end
if Settings.omniauth['auto_sign_in_with_provider'] == 'kerberos_spnego'
Settings.omniauth['auto_sign_in_with_provider'] = 'kerberos'
end
end
end
# Fill out omniauth-gitlab settings. It is needed for easy set up GHE or GH by just specifying url.
github_default_url = "https://github.com"
@ -909,8 +930,8 @@ Gitlab.ee do
Settings.kerberos['https'] = Settings.gitlab.https if Settings.kerberos['https'].nil?
Settings.kerberos['port'] ||= Settings.kerberos.https ? 8443 : 8088
if Settings.kerberos['enabled'] && !Settings.omniauth.providers.map(&:name).include?('kerberos_spnego')
Settings.omniauth.providers << Settingslogic.new({ 'name' => 'kerberos_spnego' })
if Settings.kerberos['enabled'] && !Settings.omniauth.providers.map(&:name).include?('kerberos')
Settings.omniauth.providers << Settingslogic.new({ 'name' => 'kerberos' })
end
end
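Review bot: The compatibility block silently discards an explicitly configured `kerberos` provider whenever a legacy `kerberos_spnego` entry exists (`delete_if { |p| p.name == 'kerberos' }`), so an administrator who already migrated to the new name while leaving the old entry in place ends up running with the legacy settings and gets no signal about it. A deprecation message at that point would make the precedence visible, e.g. `warn 'omniauth provider kerberos_spnego is deprecated and renamed to kerberos; its settings take precedence over a separately configured kerberos provider'` inside the `if kerberos_spnego` branch (use the project's usual logging hook if the settings initializer has one; I cannot see that here). The header comment should also state the precedence rule so the behaviour is not only discoverable by reading the code: `# A legacy kerberos_spnego entry wins over a kerberos entry; the spnego name is also rewritten in the omniauth allow/sync lists below.`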


@ -0,0 +1,17 @@
# frozen_string_literal: true
class AddTmpIndexSystemNoteMetadataOnAttentionRequestActions < Gitlab::Database::Migration[2.0]
INDEX_NAME = "tmp_index_system_note_metadata_on_attention_request_actions"
disable_ddl_transaction!
def up
add_concurrent_index :system_note_metadata, [:id],
where: "action IN ('attention_requested', 'attention_request_removed')",
name: INDEX_NAME
end
def down
remove_concurrent_index_by_name :system_note_metadata, INDEX_NAME
end
end
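Review bot: The index is named as temporary but the migration records nothing about when or where it is removed, so the next person has to guess whether it may be dropped once the cleanup migration in this commit has run. A short comment under `INDEX_NAME` would close that gap: `# Temporary index backing CleanupAttentionRequestRelatedSystemNotes; drop in a follow-up migration once that cleanup has completed.` If an issue tracks the removal, reference it there instead of leaving the reader to search.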


@ -0,0 +1,30 @@
# frozen_string_literal: true
class CleanupAttentionRequestRelatedSystemNotes < Gitlab::Database::Migration[2.0]
disable_ddl_transaction!
restrict_gitlab_migration gitlab_schema: :gitlab_main
BATCH_SIZE = 100
class SystemNoteMetadata < MigrationRecord
include EachBatch
self.table_name = 'system_note_metadata'
end
class Note < MigrationRecord
self.table_name = 'notes'
end
def up
SystemNoteMetadata
.where(action: %w[attention_requested attention_request_removed])
.each_batch(of: BATCH_SIZE) do |batch|
Note.where(id: batch.pluck(:note_id)).delete_all
end
end
def down
# no op
end
end
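Review bot: `Note.where(id: batch.pluck(:note_id)).delete_all` removes the notes but does nothing about the matching `system_note_metadata` rows; unless the foreign key on `system_note_metadata.note_id` cascades deletes (not visible in this commit), those rows are left orphaned and the temporary index added alongside keeps matching them on every run. Confirm the cascade or delete the batch explicitly with `batch.delete_all` after the notes are removed. `down` is irreversible by nature, so its comment should say so rather than just `# no op`: `# no-op: the deleted notes cannot be restored`. If the cascade does apply, note in `up` that `each_batch` is keyset-based on `id`, so rows disappearing from the metadata table mid-iteration do not break progress — that assumption is what makes deleting from the table being iterated safe.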


@ -0,0 +1 @@
39538feebc6f7f4e1822148567ed369eee1a7ed7ee718f7e913e2b585cc0e808


@ -0,0 +1 @@
baac0b236b7e91f9aacd03f3cf1ce84974f6c389529143e9b2813d9b70224e53


@ -30864,6 +30864,8 @@ CREATE INDEX tmp_index_on_vulnerabilities_non_dismissed ON vulnerabilities USING
CREATE INDEX tmp_index_project_statistics_cont_registry_size ON project_statistics USING btree (project_id) WHERE (container_registry_size = 0);
CREATE INDEX tmp_index_system_note_metadata_on_attention_request_actions ON system_note_metadata USING btree (id) WHERE ((action)::text = ANY ((ARRAY['attention_requested'::character varying, 'attention_request_removed'::character varying])::text[]));
CREATE INDEX tmp_index_system_note_metadata_on_id_where_task ON system_note_metadata USING btree (id, action) WHERE ((action)::text = 'task'::text);
CREATE INDEX tmp_index_user_callouts_on_attention_request_feature_names ON user_callouts USING btree (id) WHERE (feature_name = ANY (ARRAY[47, 48]));


@ -24,6 +24,10 @@ Maintainer role.
## Protecting environments
Prerequisites:
- When granting the **Allowed to deploy** permission to a group or sub-group, the user configuring the protected environment must be a **direct member** of the group or sub-group to be added. Otherwise, the group or sub-group will not show up in the dropdown. For more information see [issue #345140](https://gitlab.com/gitlab-org/gitlab/-/issues/345140).
To protect an environment:
1. On the top bar, select **Main menu > Projects** and find your project.


@ -535,16 +535,18 @@ Feature.remove(:feature_flag_name)
```mermaid
graph LR
A[flag: default off] -->|'added' / 'changed'| B(flag: default on)
A[flag: default off] -->|'added' / 'changed' / 'fixed' / '...'| B(flag: default on)
B -->|'other'| C(remove flag, keep new code)
B -->|'removed' / 'changed'| D(remove flag, keep old code)
A -->|'added' / 'changed'| C
A -->|'added' / 'changed' / 'fixed' / '...'| C
A -->|no changelog| D
```
- Any change behind a feature flag that is **enabled** by default **should** have a changelog entry.
- The changelog for a feature flag should describe the feature and not the
flag, unless a default on feature flag is removed keeping the new code (`other` in the flowchart above).
- A feature flag can also be used for rolling out a bug fix or a maintenance work. In this scenario, the changelog
must be related to it, for example; `fixed` or `other`.
## Feature flags in tests


@ -110,13 +110,15 @@ set up GitLab to create a new account when a Kerberos user tries to sign in.
### Link a Kerberos account to an existing GitLab account
> Kerberos SPNEGO [renamed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/96335) to Kerberos in GitLab 15.4.
If you're an administrator, you can link a Kerberos account to an
existing GitLab account. To do so:
1. On the top bar, select **Main menu > Admin**.
1. On the left sidebar, select **Overview > Users**.
1. Select a user, then select the **Identities** tab.
1. Select 'Kerberos SPNEGO' in the 'Provider' dropdown box.
1. From the **Provider** dropdown list, select **Kerberos**.
1. Make sure the **Identifier** corresponds to the Kerberos username.
1. Select **Save changes**.
@ -125,7 +127,7 @@ If you're not an administrator:
1. In the top-right corner, select your avatar.
1. Select **Edit profile**.
1. On the left sidebar, select **Account**.
1. In the **Service sign-in** section, select **Connect Kerberos SPNEGO**.
1. In the **Service sign-in** section, select **Connect Kerberos**.
If you don't see a **Service sign-in** Kerberos option, follow the
requirements in [Enable single sign-on](#enable-single-sign-on).
@ -305,15 +307,12 @@ We [deprecated](../update/deprecations.md#omniauth-kerberos-gem) password-based
Kerberos sign-ins in GitLab 14.3 and [removed](https://gitlab.com/gitlab-org/gitlab/-/issues/2908)
it in GitLab 15.0. You must switch to ticket-based sign in.
Depending on your existing GitLab configuration, the 'Sign in with:
Kerberos SPNEGO' button may already be visible on your GitLab sign-in
page. If not, then add the settings [described above](#configuration).
Depending on your existing GitLab configuration, **Sign in with:
Kerberos** may already be visible on your GitLab sign-in page.
If not, then add the settings [described above](#configuration).
Once you have verified that the 'Kerberos SPNEGO' button works
without entering any passwords, you can proceed to disable
password-based Kerberos sign-ins. To do this you need only need to
remove the OmniAuth provider named `kerberos` from your `gitlab.yml` /
`gitlab.rb` file.
To disable password-based Kerberos sign-ins, remove the OmniAuth provider
`kerberos` from your `gitlab.yml`/`gitlab.rb` file.
**For installations from source**
@ -365,7 +364,7 @@ mechanisms it supports to GitLab. If it doesn't support any of the mechanisms
GitLab supports, authentication fails with a message like this in the log:
```plaintext
OmniauthKerberosSpnegoController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested Unknown error
OmniauthKerberosController: failed to process Negotiate/Kerberos authentication: gss_accept_sec_context did not return GSS_S_COMPLETE: An unsupported mechanism was requested Unknown error
```
There are a number of potential causes and solutions for this error message.


@ -346,12 +346,14 @@ To create an incremental backup, run:
sudo gitlab-backup create INCREMENTAL=yes PREVIOUS_BACKUP=<timestamp_of_backup>
```
Incremental backups can also be created from [an untarred backup](#skipping-tar-creation) by using `SKIP=tar`:
To create an [untarred](#skipping-tar-creation) incremental backup from a tarred backup, use `SKIP=tar`:
```shell
sudo gitlab-backup create INCREMENTAL=yes SKIP=tar
```
You can't create an incremental backup from an [untarred](#skipping-tar-creation) backup.
### Back up specific repository storages
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/86896) in GitLab 15.0.


@ -39,6 +39,7 @@ or other scanners) during a scan could cause inaccurate results.
You can run a Web API fuzzing scan using the following methods:
- [OpenAPI Specification](#openapi-specification) - version 2, and 3.
- [GraphQL Schema](#graphql-schema)
- [HTTP Archive](#http-archive-har) (HAR)
- [Postman Collection](#postman-collection) - version 2.0 or 2.1
@ -76,6 +77,7 @@ To enable Web API fuzzing:
- For manual configuration instructions, see the respective section, depending on the API type:
- [OpenAPI Specification](#openapi-specification)
- [GraphQL Schema](#graphql-schema)
- [HTTP Archive (HAR)](#http-archive-har)
- [Postman Collection](#postman-collection)
- Otherwise, see [Web API fuzzing configuration form](#web-api-fuzzing-configuration-form).
@ -262,7 +264,7 @@ Example `.gitlab-ci.yml` file using a HAR file:
FUZZAPI_TARGET_URL: http://test-deployment/
```
This is a minimal configuration for API fuzzing. From here you can:
This example is a minimal configuration for API fuzzing. From here you can:
- [Run your first scan](#running-your-first-scan).
- [Add authentication](#authentication).
@ -270,6 +272,118 @@ This is a minimal configuration for API fuzzing. From here you can:
For details of API fuzzing configuration options, see [Available CI/CD variables](#available-cicd-variables).
### GraphQL Schema
> Support for GraphQL Schema was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4.
GraphQL is a query language for your API and an alternative to REST APIs.
API Fuzzing supports testing GraphQL endpoints multiple ways:
- Test using the GraphQL Schema. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4.
- Test using a recording (HAR) of GraphQL queries.
- Test using a Postman Collection containing GraphQL queries.
This section documents how to test using a GraphQL schema. The GraphQL schema support in
API Fuzzing is able to query the schema from endpoints that support introspection.
Introspection is enabled by default to allow tools like GraphiQL to work.
#### API Fuzzing scanning with a GraphQL endpoint URL
The GraphQL support in API Fuzzing is able to query a GraphQL endpoint for the schema.
NOTE:
The GraphQL endpoint must support introspection queries for this method to work correctly.
To configure API Fuzzing to use an GraphQL endpoint URL that provides information about the target API to test:
1. [Include](../../../ci/yaml/index.md#includetemplate)
the [`API-Fuzzing.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml) in your `.gitlab-ci.yml` file.
1. Provide the GraphQL endpoint path, for example `/api/graphql`. Specify the path by adding the `FUZZAPI_GRAPHQL` variable.
1. The target API instance's base URL is also required. Provide it by using the `FUZZAPI_TARGET_URL`
variable or an `environment_url.txt` file.
Adding the URL in an `environment_url.txt` file at your project's root is great for testing in
dynamic environments. See the [dynamic environment solutions](#dynamic-environment-solutions) section of our documentation for more information.
Complete example configuration of using a GraphQL endpoint URL:
```yaml
stages:
- fuzz
include:
- template: API-Fuzzing.gitlab-ci.yml
apifuzzer_fuzz:
variables:
FUZZAPI_GRAPHQL: /api/graphql
FUZZAPI_TARGET_URL: http://test-deployment/
```
This example is a minimal configuration for API Fuzzing. From here you can:
- [Run your first scan](#running-your-first-scan).
- [Add authentication](#authentication).
- Learn how to [handle false positives](#handling-false-positives).
#### API Fuzzing with a GraphQL Schema file
To configure API Fuzzing to use a GraphQl schema file that provides information about the target API to test:
1. [Include](../../../ci/yaml/index.md#includetemplate)
the [`API-Fuzzing.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/API-Fuzzing.gitlab-ci.yml) in your `.gitlab-ci.yml` file.
1. Provide the GraphQL endpoint path, for example `/api/graphql`. Specify the path by adding the `FUZZAPI_GRAPHQL` variable.
1. Provide the location of the GraphQL schema file. You can provide the location as a file path
or URL. Specify the location by adding the `FUZZAPI_GRAPHQL_SCHEMA` variable.
1. The target API instance's base URL is also required. Provide it by using the `FUZZAPI_TARGET_URL`
variable or an `environment_url.txt` file.
Adding the URL in an `environment_url.txt` file at your project's root is great for testing in
dynamic environments. See the [dynamic environment solutions](#dynamic-environment-solutions) section of our documentation for more information.
Complete example configuration of using an GraphQL schema file:
```yaml
stages:
- fuzz
include:
- template: API-Fuzzing.gitlab-ci.yml
apifuzzer_fuzz:
variables:
FUZZAPI_GRAPHQL: /api/graphql
FUZZAPI_GRAPHQL_SCHEMA: test-api-graphql.schema
FUZZAPI_TARGET_URL: http://test-deployment/
```
Complete example configuration of using an GraphQL schema file URL:
```yaml
stages:
- fuzz
include:
- template: API-Fuzzing.gitlab-ci.yml
apifuzzer_fuzz:
variables:
FUZZAPI_GRAPHQL: /api/graphql
FUZZAPI_GRAPHQL_SCHEMA: http://file-store/files/test-api-graphql.schema
FUZZAPI_TARGET_URL: http://test-deployment/
```
This example is a minimal configuration for API Fuzzing. From here you can:
- [Run your first scan](#running-your-first-scan).
- [Add authentication](#authentication).
- Learn how to [handle false positives](#handling-false-positives).
### Postman Collection
The [Postman API Client](https://www.postman.com/product/api-client/) is a popular tool that
@ -991,6 +1105,8 @@ profile increases as the number of tests increases.
|[`FUZZAPI_OPENAPI_ALL_MEDIA_TYPES`](#openapi-specification) | Use all supported media types instead of one when generating requests. Causes test duration to be longer. Default is disabled. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333304) in GitLab 14.10. |
|[`FUZZAPI_OPENAPI_MEDIA_TYPES`](#openapi-specification) | Colon (`:`) separated media types accepted for testing. Default is disabled. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333304) in GitLab 14.10. |
|[`FUZZAPI_HAR`](#http-archive-har) | HTTP Archive (HAR) file. |
|[`FUZZAPI_GRAPHQL`](#graphql-schema) | Path to GraphQL endpoint, for example `/api/graphql`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4. |
|[`FUZZAPI_GRAPHQL_SCHEMA`](#graphql-schema) | A URL or filename for a GraphQL schema in JSON format. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4. |
|[`FUZZAPI_POSTMAN_COLLECTION`](#postman-collection) | Postman Collection file. |
|[`FUZZAPI_POSTMAN_COLLECTION_VARIABLES`](#postman-variables) | Path to a JSON file to extract Postman variable values. The support for comma-separated (`,`) files was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356312) in GitLab 15.1. |
|[`FUZZAPI_POSTMAN_COLLECTION_VARIABLES`](#postman-variables) | Path to a JSON file to extract Postman variable values. |
@ -2103,7 +2219,7 @@ A bug exists in versions of the API Fuzzing analyzer prior to v1.6.196 that can
The version information can be found in the job details for the `apifuzzer_fuzz` job.
If the issue is occurring with versions v1.6.196 or greater, please contact Support and provide the following information:
If the issue is occurring with versions v1.6.196 or greater, contact Support and provide the following information:
1. Reference this troubleshooting section and ask for the issue to be escalated to the Dynamic Analysis Team.
1. The full console output of the job.


@ -55,6 +55,7 @@ The following projects demonstrate DAST API scanning:
You can specify the API you want to scan by using:
- [OpenAPI v2 or v3 Specification](#openapi-specification)
- [GraphQL Schema](#graphql-schema)
- [HTTP Archive (HAR)](#http-archive-har)
- [Postman Collection v2.0 or v2.1](#postman-collection)
@ -199,7 +200,119 @@ variables:
DAST_API_TARGET_URL: http://test-deployment/
```
This is a minimal configuration for DAST API. From here you can:
This example is a minimal configuration for DAST API. From here you can:
- [Run your first scan](#running-your-first-scan).
- [Add authentication](#authentication).
- Learn how to [handle false positives](#handling-false-positives).
### GraphQL Schema
> Support for GraphQL Schema was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4.
GraphQL is a query language for your API and an alternative to REST APIs.
DAST API supports testing GraphQL endpoints multiple ways:
- Test using the GraphQL Schema. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4.
- Test using a recording (HAR) of GraphQL queries.
- Test using a Postman Collection containing GraphQL queries.
This section documents how to test using a GraphQL schema. The GraphQL schema support in
DAST API is able to query the schema from endpoints that support introspection.
Introspection is enabled by default to allow tools like GraphiQL to work.
#### DAST API scanning with a GraphQL endpoint URL
The GraphQL support in DAST API is able to query a GraphQL endpoint for the schema.
NOTE:
The GraphQL endpoint must support introspection queries for this method to work correctly.
To configure DAST API to use a GraphQL endpoint URL that provides information about the target API to test:
1. [Include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml) in your `.gitlab-ci.yml` file.
1. Provide the path to the GraphQL endpoint, for example `/api/graphql`. Specify the location by adding the `DAST_API_GRAPHQL` variable.
1. The target API instance's base URL is also required. Provide it by using the `DAST_API_TARGET_URL`
variable or an `environment_url.txt` file.
Adding the URL in an `environment_url.txt` file at your project's root is great for testing in
dynamic environments. See the [dynamic environment solutions](#dynamic-environment-solutions) section of our documentation for more information.
Complete example configuration of using a GraphQL endpoint path:
```yaml
stages:
- dast
include:
- template: DAST-API.gitlab-ci.yml
dast_api:
variables:
DAST_API_GRAPHQL: /api/graphql
DAST_API_TARGET_URL: http://test-deployment/
```
This example is a minimal configuration for DAST API. From here you can:
- [Run your first scan](#running-your-first-scan).
- [Add authentication](#authentication).
- Learn how to [handle false positives](#handling-false-positives).
#### DAST API scanning with a GraphQL Schema file
To configure DAST API to use a GraphQL schema file that provides information about the target API to test:
1. [Include](../../../ci/yaml/index.md#includetemplate)
the [`DAST-API.gitlab-ci.yml` template](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Security/DAST-API.gitlab-ci.yml) in your `.gitlab-ci.yml` file.
1. Provide the GraphQL endpoint path, for example `/api/graphql`. Specify the path by adding the `DAST_API_GRAPHQL` variable.
1. Provide the location of the GraphQL schema file. You can provide the location as a file path
or URL. Specify the location by adding the `DAST_API_GRAPHQL_SCHEMA` variable.
1. The target API instance's base URL is also required. Provide it by using the `DAST_API_TARGET_URL`
variable or an `environment_url.txt` file.
Adding the URL in an `environment_url.txt` file at your project's root is great for testing in
dynamic environments. See the [dynamic environment solutions](#dynamic-environment-solutions) section of our documentation for more information.
Complete example configuration of using an GraphQL schema file:
```yaml
stages:
- dast
include:
- template: DAST-API.gitlab-ci.yml
dast_api:
variables:
DAST_API_GRAPHQL: /api/graphql
DAST_API_GRAPHQL_SCHEMA: test-api-graphql.schema
DAST_API_TARGET_URL: http://test-deployment/
```
Complete example configuration of using an GraphQL schema file URL:
```yaml
stages:
- dast
include:
- template: DAST-API.gitlab-ci.yml
dast_api:
variables:
DAST_API_GRAPHQL: /api/graphql
DAST_API_GRAPHQL_SCHEMA: http://file-store/files/test-api-graphql.schema
DAST_API_TARGET_URL: http://test-deployment/
```
This example is a minimal configuration for DAST API. From here you can:
- [Run your first scan](#running-your-first-scan).
- [Add authentication](#authentication).
@ -938,6 +1051,8 @@ can be added, removed, and modified by creating a custom configuration.
|[`DAST_API_OPENAPI_ALL_MEDIA_TYPES`](#openapi-specification) | Use all supported media types instead of one when generating requests. Causes test duration to be longer. Default is disabled. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333304) in GitLab 14.10. |
|[`DAST_API_OPENAPI_MEDIA_TYPES`](#openapi-specification) | Colon (`:`) separated media types accepted for testing. Default is disabled. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/333304) in GitLab 14.10. |
|[`DAST_API_HAR`](#http-archive-har) | HTTP Archive (HAR) file. |
|[`DAST_API_GRAPHQL`](#graphql-schema) | Path to GraphQL endpoint, for example `/api/graphql`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4. |
|[`DAST_API_GRAPHQL_SCHEMA`](#graphql-schema) | A URL or filename for a GraphQL schema in JSON format. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/352780) in GitLab 15.4. |
|[`DAST_API_POSTMAN_COLLECTION`](#postman-collection) | Postman Collection file. |
|[`DAST_API_POSTMAN_COLLECTION_VARIABLES`](#postman-variables) | Path to a JSON file to extract Postman variable values. The support for comma-separated (`,`) files was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/356312) in GitLab 15.1. |
|[`DAST_API_OVERRIDES_FILE`](#overrides) | Path to a JSON file containing overrides. |


@ -27087,6 +27087,9 @@ msgstr ""
msgid "Notify|A remote mirror update has failed."
msgstr ""
msgid "Notify|After it expires, you can %{a_start} request a new one %{a_end}."
msgstr ""
msgid "Notify|All discussions on merge request %{mr_link} were resolved by %{name}"
msgstr ""
@ -27108,6 +27111,9 @@ msgstr ""
msgid "Notify|CI/CD project settings"
msgstr ""
msgid "Notify|Click here to set your password"
msgstr ""
msgid "Notify|Commit Author"
msgstr ""
@ -27126,6 +27132,9 @@ msgstr ""
msgid "Notify|Fingerprint: %{fingerprint}"
msgstr ""
msgid "Notify|Hi %{username}!"
msgstr ""
msgid "Notify|Hi %{user}!"
msgstr ""
@ -27198,6 +27207,9 @@ msgstr ""
msgid "Notify|Remote mirror"
msgstr ""
msgid "Notify|The Administrator created an account for you. Now you are a member of the company GitLab application."
msgstr ""
msgid "Notify|The Auto DevOps pipeline failed for pipeline %{pipeline_link} and has been disabled for %{project_link}. In order to use the Auto DevOps pipeline with your project, please review the %{supported_langs_link}, adjust your project accordingly, and turn on the Auto DevOps pipeline within your %{settings_link}."
msgstr ""
@ -27213,6 +27225,9 @@ msgstr ""
msgid "Notify|This issue is due on: %{issue_due_date}"
msgstr ""
msgid "Notify|This link is valid for %{password_reset_token_valid_time}."
msgstr ""
msgid "Notify|Unless you verify your domain by %{time_start}%{time}%{time_end} it will be removed from your GitLab project."
msgstr ""
@ -27228,6 +27243,9 @@ msgstr ""
msgid "Notify|Your CSV import for project %{project_link} has been completed."
msgstr ""
msgid "Notify|Your account has been created successfully."
msgstr ""
msgid "Notify|Your request to join the %{target_to_join} %{target_type} has been %{denied_tag}."
msgstr ""
@ -27237,6 +27255,9 @@ msgstr ""
msgid "Notify|deleted"
msgstr ""
msgid "Notify|login.........................................."
msgstr ""
msgid "Notify|pushed new"
msgstr ""


@ -38,6 +38,7 @@ RSpec.describe 'File blame', :js do
within '[data-testid="blob-content-holder"]' do
expect(page).to have_css('.blame-commit')
expect(page).not_to have_css('.gl-pagination')
expect(page).not_to have_link _('View entire blame')
end
end


@ -0,0 +1,26 @@
# frozen_string_literal: true
require 'spec_helper'
require_migration!
RSpec.describe CleanupAttentionRequestRelatedSystemNotes, :migration do
let(:notes) { table(:notes) }
let(:system_note_metadata) { table(:system_note_metadata) }
it 'removes all notes with attention request related system_note_metadata' do
notes.create!(id: 1, note: 'Attention request note', noteable_type: 'MergeRequest')
notes.create!(id: 2, note: 'Attention request remove note', noteable_type: 'MergeRequest')
notes.create!(id: 3, note: 'MergeRequest note', noteable_type: 'MergeRequest')
notes.create!(id: 4, note: 'Commit note', noteable_type: 'Commit')
system_note_metadata.create!(id: 11, action: 'attention_requested', note_id: 1)
system_note_metadata.create!(id: 22, action: 'attention_request_removed', note_id: 2)
system_note_metadata.create!(id: 33, action: 'merged', note_id: 3)
expect { migrate! }.to change(notes, :count).by(-2)
expect(system_note_metadata.where(action: %w[attention_requested attention_request_removed]).size).to eq(0)
expect(notes.where(noteable_type: 'MergeRequest').size).to eq(1)
expect(notes.where(noteable_type: 'Commit').size).to eq(1)
expect(system_note_metadata.where(action: 'merged').size).to eq(1)
end
end
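Review bot: The surviving-row assertions near the end of the example only compare counts, so a migration that deleted note 3 and kept note 1 (or dropped the wrong `system_note_metadata` row) would still pass as long as the totals matched. Pinning the ids makes the example prove that exactly the attention-request rows were removed and the unrelated ones untouched, e.g. `expect(notes.pluck(:id)).to match_array([3, 4])` and `expect(system_note_metadata.pluck(:id)).to eq([33])` in place of the three `.size` checks. The four fixture notes all have ids chosen by hand; the hard-coded `id:` values are fine for a migration spec but a short comment above the first `notes.create!` saying which rows are expected to be deleted would make the intent readable without tracing the metadata ids.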


@ -75,6 +75,7 @@ RSpec.describe MergeRequests::FfMergeService do
expect(merge_request).to receive(:update_and_mark_in_progress_merge_commit_sha).twice.and_call_original
expect { execute_ff_merge }.not_to change { merge_request.squash_commit_sha }
expect(merge_request.merge_commit_sha).to be_nil
expect(merge_request.in_progress_merge_commit_sha).to be_nil
end
@ -87,6 +88,7 @@ RSpec.describe MergeRequests::FfMergeService do
.to change { merge_request.squash_commit_sha }
.from(nil)
expect(merge_request.merge_commit_sha).to be_nil
expect(merge_request.in_progress_merge_commit_sha).to be_nil
end
end
@ -106,7 +108,6 @@ RSpec.describe MergeRequests::FfMergeService do
service.execute(merge_request)
expect(merge_request.merge_error).to include(error_message)
expect(Gitlab::AppLogger).to have_received(:error).with(a_string_matching(error_message))
end
@ -117,11 +118,6 @@ RSpec.describe MergeRequests::FfMergeService do
pre_receive_error = Gitlab::Git::PreReceiveError.new(raw_message, fallback_message: error_message)
allow(service).to receive(:repository).and_raise(pre_receive_error)
allow(service).to receive(:execute_hooks)
expect(Gitlab::ErrorTracking).to receive(:track_exception).with(
pre_receive_error,
pre_receive_message: raw_message,
merge_request_id: merge_request.id
)
service.execute(merge_request)
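Review bot: With the `Gitlab::ErrorTracking` expectation gone, this example no longer asserts anything about how the pre-receive error surfaces, and the lines that remain visible in the hunk only stub the failure and call `service.execute(merge_request)`. Since `pre_receive_error` is built with both a `raw_message` and a `fallback_message: error_message`, the example should pin that only the fallback reaches the user-visible field, e.g. `expect(merge_request.merge_error).to include(error_message)` followed by `expect(merge_request.merge_error).not_to include(raw_message)`, unless that is already asserted below the hunk. The `it` block this belongs to starts and ends outside the hunk, so I could not confirm what follows the `execute` call; the same caveat applies to the `merge_error` check in the preceding hunk.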


@ -1080,7 +1080,7 @@
- './ee/spec/helpers/groups/sso_helper_spec.rb'
- './ee/spec/helpers/incident_management/escalation_policy_helper_spec.rb'
- './ee/spec/helpers/incident_management/oncall_schedule_helper_spec.rb'
- './ee/spec/helpers/kerberos_spnego_helper_spec.rb'
- './ee/spec/helpers/kerberos_helper_spec.rb'
- './ee/spec/helpers/license_helper_spec.rb'
- './ee/spec/helpers/license_monitoring_helper_spec.rb'
- './ee/spec/helpers/manual_quarterly_co_term_banner_helper_spec.rb'
@ -1692,7 +1692,7 @@
- './ee/spec/lib/gitlab/web_ide/config/entry/schema/uri_spec.rb'
- './ee/spec/lib/incident_management/oncall_shift_generator_spec.rb'
- './ee/spec/lib/omni_auth/strategies/group_saml_spec.rb'
- './ee/spec/lib/omni_auth/strategies/kerberos_spnego_spec.rb'
- './ee/spec/lib/omni_auth/strategies/kerberos_spec.rb'
- './ee/spec/lib/peek/views/elasticsearch_spec.rb'
- './ee/spec/lib/sidebars/groups/menus/administration_menu_spec.rb'
- './ee/spec/lib/sidebars/groups/menus/analytics_menu_spec.rb'
@ -2511,7 +2511,7 @@
- './ee/spec/requests/jwt_controller_spec.rb'
- './ee/spec/requests/lfs_http_spec.rb'
- './ee/spec/requests/lfs_locks_api_spec.rb'
- './ee/spec/requests/omniauth_kerberos_spnego_spec.rb'
- './ee/spec/requests/omniauth_kerberos_spec.rb'
- './ee/spec/requests/projects/analytics/code_reviews_controller_spec.rb'
- './ee/spec/requests/projects/audit_events_spec.rb'
- './ee/spec/requests/projects/incidents_controller_spec.rb'