Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2023-10-13 12:12:01 +00:00
parent ce79b3dd66
commit 447ad69728
32 changed files with 526 additions and 39 deletions


@ -1 +1 @@
94a42419e0b56cf05ba233a39ed699b907056809
2177ee1ccbc6f2ae8b7c03b192a2a328443a3512


@ -14,6 +14,33 @@ module Packages
length: { maximum: 255 }
validates :package_type, presence: true
validates :push_protected_up_to_access_level, presence: true
before_save :set_package_name_pattern_ilike_query, if: :package_name_pattern_changed?
scope :for_package_name, ->(package_name) {
return none if package_name.blank?
where(":package_name ILIKE package_name_pattern_ilike_query", package_name: package_name)
}
def self.push_protected_from?(access_level:, package_name:, package_type:)
return true if [access_level, package_name, package_type].any?(&:blank?)
where(package_type: package_type, push_protected_up_to_access_level: access_level..)
.for_package_name(package_name)
.exists?
end
private
# We want to allow wildcard pattern (`*`) for the field `package_name_pattern`
# , e.g. `@my-scope/my-package-*`, etc.
# Therefore, we need to preprocess the field value before we can use the field in the ILIKE clause.
# E.g. convert wildcard character (`*`) to LIKE match character (`%`), escape certain characters, etc.
def set_package_name_pattern_ilike_query
self.package_name_pattern_ilike_query = self.class.sanitize_sql_like(package_name_pattern)
.tr('*', '%')
end
end
end
end
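Review bot: `set_package_name_pattern_ilike_query` can produce a value longer than the 255-character limit the migration's `add_text_limit` places on `package_name_pattern_ilike_query`, because `sanitize_sql_like` prefixes every `%` and `_` with a backslash, so a 255-character pattern made of underscores escapes to 510 characters and the save fails with a database constraint error instead of a validation error. Running the callback before validation and validating the derived column would surface this as a normal validation failure, e.g. `before_validation :set_package_name_pattern_ilike_query, if: :package_name_pattern_changed?` together with `validates :package_name_pattern_ilike_query, length: { maximum: 255 }`. The fail-closed `return true if [access_level, package_name, package_type].any?(&:blank?)` in `push_protected_from?` is the right default for a protection check and deserves a one-line comment saying so, e.g. `# Incomplete input is treated as protected so a missing value can never bypass a rule.`. The enclosing class starts before this hunk.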


@ -29,7 +29,7 @@ ClickHouse::Client.configure do |config|
options = {
multipart: true,
headers: headers,
allow_local_requests: Rails.env.development? || Rails.env.test?
allow_local_requests: true
}
body_key = body.is_a?(IO) ? :body_stream : :body
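Review bot: Setting `allow_local_requests: true` unconditionally turns off the local-address guard for ClickHouse requests in production, where the replaced expression only lifted it in development and test. That is defensible if the ClickHouse URL is exclusively instance-configured by administrators and the database commonly sits on a private address, but nothing in the hunk records that reasoning, and this option is what would otherwise stop a request to an internal address. Add a comment above the option, e.g. `# ClickHouse endpoints come from instance configuration, not user input, and usually resolve to private addresses; the local-request guard is bypassed deliberately.`, and confirm the URL cannot be supplied by an end user. The `configure` block starts and ends outside this hunk.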


@ -0,0 +1,22 @@
# frozen_string_literal: true
class AddPackageNamePatternQueryToPackagesProtectionRule < Gitlab::Database::Migration[2.1]
disable_ddl_transaction!
def up
with_lock_retries do
unless column_exists?(
:packages_protection_rules, :package_name_pattern_ilike_query)
# rubocop:disable Rails/NotNullColumn
add_column :packages_protection_rules, :package_name_pattern_ilike_query, :text, null: false
# rubocop:enable Rails/NotNullColumn
end
end
add_text_limit :packages_protection_rules, :package_name_pattern_ilike_query, 255
end
def down
remove_column :packages_protection_rules, :package_name_pattern_ilike_query
end
end
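Review bot: `add_column ... null: false` without a default in `up` only succeeds if `packages_protection_rules` holds no rows when the migration runs; the `rubocop:disable Rails/NotNullColumn` shows this was considered, but the assumption itself is not written down. Record it next to the disable, e.g. `# Safe without a default: <reason the table is empty at this point>`, or add a temporary default if existing rows are possible. The 255 limit set by `add_text_limit` is also smaller than the escaped form of a 255-character pattern can be; that point is raised on the model hunk.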


@ -0,0 +1,15 @@
# frozen_string_literal: true
class AddHolderNameHashIndexOnCreditCardValidations < Gitlab::Database::Migration[2.1]
disable_ddl_transaction!
INDEX_NAME = 'idx_user_credit_card_validations_on_holder_name_hash'
def up
add_concurrent_index :user_credit_card_validations, :holder_name_hash, name: INDEX_NAME
end
def down
remove_concurrent_index_by_name :user_credit_card_validations, INDEX_NAME
end
end


@ -0,0 +1,16 @@
# frozen_string_literal: true
class AddPartialMatchIndexOfHashesOnCreditCardValidations < Gitlab::Database::Migration[2.1]
disable_ddl_transaction!
INDEX_NAME = 'idx_user_credit_card_validations_on_similar_to_meta_data'
INDEX_FIELDS = [:expiration_date_hash, :last_digits_hash, :network_hash, :credit_card_validated_at]
def up
add_concurrent_index :user_credit_card_validations, INDEX_FIELDS, name: INDEX_NAME
end
def down
remove_concurrent_index_by_name :user_credit_card_validations, INDEX_NAME
end
end
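Review bot: `INDEX_FIELDS` is a mutable array constant; the `# frozen_string_literal: true` comment covers `INDEX_NAME` but not arrays, so `INDEX_FIELDS = [:expiration_date_hash, :last_digits_hash, :network_hash, :credit_card_validated_at].freeze` keeps it from being modified at runtime. A one-line comment on which lookup the four-column index serves would also help, since the migration name says "partial match of hashes" but the file does not say which query relies on this column order.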


@ -0,0 +1 @@
9273a3cf36500228db63a9fbe0a0c51a77c0d88c5a401fa68261a4488c0b7c33


@ -0,0 +1 @@
e95a1d1e260aca83026b0ba379c520c21627416eee44ab9a1fb4959614541b0a


@ -0,0 +1 @@
e24acc9cc5bd2ce38f02f514d63acfd69f6b657edc4f1d404d179b14976d1650


@ -20219,7 +20219,9 @@ CREATE TABLE packages_protection_rules (
push_protected_up_to_access_level smallint NOT NULL,
package_type smallint NOT NULL,
package_name_pattern text NOT NULL,
CONSTRAINT check_d2d75d206d CHECK ((char_length(package_name_pattern) <= 255))
package_name_pattern_ilike_query text NOT NULL,
CONSTRAINT check_d2d75d206d CHECK ((char_length(package_name_pattern) <= 255)),
CONSTRAINT check_ff47b09794 CHECK ((char_length(package_name_pattern_ilike_query) <= 255))
);
CREATE SEQUENCE packages_protection_rules_id_seq
@ -31156,6 +31158,10 @@ CREATE INDEX idx_test_reports_on_issue_id_created_at_and_id ON requirements_mana
CREATE UNIQUE INDEX idx_uniq_analytics_dashboards_pointers_on_project_id ON analytics_dashboards_pointers USING btree (project_id);
CREATE INDEX idx_user_credit_card_validations_on_holder_name_hash ON user_credit_card_validations USING btree (holder_name_hash);
CREATE INDEX idx_user_credit_card_validations_on_similar_to_meta_data ON user_credit_card_validations USING btree (expiration_date_hash, last_digits_hash, network_hash, credit_card_validated_at);
CREATE INDEX idx_user_details_on_provisioned_by_group_id_user_id ON user_details USING btree (provisioned_by_group_id, user_id);
CREATE INDEX idx_vuln_reads_for_filtering ON vulnerability_reads USING btree (project_id, state, dismissal_reason, severity DESC, vulnerability_id DESC NULLS LAST);


@ -8,7 +8,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
> Renamed from `GitLab monitor exporter` to `GitLab exporter` in [GitLab 12.3](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/16511).
The [GitLab exporter](https://gitlab.com/gitlab-org/gitlab-exporter) enables you to
The [GitLab exporter](https://gitlab.com/gitlab-org/ruby/gems/gitlab-exporter) enables you to
measure various GitLab metrics pulled from Redis and the database in Linux package
instances.


@ -85,10 +85,11 @@ To configure delayed project deletion:
1. Select **Settings > General**.
1. Expand the **Visibility and access controls** section.
1. Scroll to:
- (In GitLab 15.11 and later with `always_perform_delayed_deletion` feature flag enabled, or GitLab 16.0 and later) **Deletion protection** and set the retention period to a value between `1` and `90`.
- (GitLab 15.1 and later) **Deletion protection** and select keep deleted groups and projects, and select a retention period.
- (GitLab 15.0 and earlier) **Default delayed project protection** and select **Enable delayed project deletion by
default for newly-created groups.** Then set a retention period in **Default deletion delay**.
- In GitLab 16.0 and later: **Deletion protection** and set the retention period to a value between `1` and `90`.
- In GitLab 15.11 with `always_perform_delayed_deletion` feature flag enabled: **Deletion protection** and set the retention period to a value between `1` and `90`.
- In GitLab 15.1 to 15.10: **Deletion protection** and select **Keep deleted groups and projects**, then set the retention period.
- In GitLab 15.0 and earlier: **Default delayed project protection** and select **Enable delayed project deletion by
default for newly-created groups**, then set the retention period.
1. Select **Save changes**.
Deletion protection is not available for projects only (without being also being enabled for groups).


@ -55,7 +55,8 @@ Example response:
"plan": "default",
"trial_ends_on": null,
"trial": false,
"root_repository_size": 100
"root_repository_size": 100,
"projects_count": 3
},
{
"id": 2,
@ -71,7 +72,8 @@ Example response:
"plan": "default",
"trial_ends_on": null,
"trial": false,
"root_repository_size": 100
"root_repository_size": 100,
"projects_count": 3
},
{
"id": 3,
@ -87,8 +89,10 @@ Example response:
"plan": "default",
"trial_ends_on": null,
"trial": false,
"root_repository_size": 100
"root_repository_size": 100,
"projects_count": 3
}
"projects_count": 3
]
```
@ -127,7 +131,7 @@ once a day.
```
NOTE:
Only group owners are presented with `members_count_with_descendants`, `root_repository_size` and `plan`.
Only group owners are presented with `members_count_with_descendants`, `root_repository_size`, `projects_count` and `plan`.
## Get namespace by ID
@ -166,7 +170,8 @@ Example response:
"plan": "default",
"trial_ends_on": null,
"trial": false,
"root_repository_size": 100
"root_repository_size": 100,
"projects_count": 3
}
```


@ -0,0 +1,87 @@
---
status: proposed
creation-date: "2023-10-10"
authors: [ "@iamphill" ]
coach: [ "@ntepluhina" ]
approvers: [ ]
owning-stage: "~devops::create"
participating-stages: []
---
<!-- Blueprints often contain forward-looking statements -->
<!-- vale gitlab.FutureTense = NO -->
# New diffs
## Summary
Diffs at GitLab are spread across several places with each area using their own method. We are aiming
to develop a single, performant way for diffs to be rendered across the application. Our aim here is
to improve all areas of diff rendering, from the backend creation of diffs to the frontend rendering
the diffs.
## Motivation
### Goals
- improved perceived performance
- improved maintainability
- consistent coverage of all scenarios
### Non-Goals
<!--
Listing non-goals helps to focus discussion and make progress. This section is
optional.
- What is out of scope for this blueprint?
-->
## Proposal
<!--
This is where we get down to the specifics of what the proposal actually is,
but keep it simple! This should have enough detail that reviewers can
understand exactly what you're proposing, but should not include things like
API designs or implementation. The "Design Details" section below is for the
real nitty-gritty.
You might want to consider including the pros and cons of the proposed solution so that they can be
compared with the pros and cons of alternatives.
-->
## Design and implementation details
<!--
This section should contain enough information that the specifics of your
change are understandable. This may include API specs (though not always
required) or even code snippets. If there's any ambiguity about HOW your
proposal will be implemented, this is the place to discuss them.
If you are not sure how many implementation details you should include in the
blueprint, the rule of thumb here is to provide enough context for people to
understand the proposal. As you move forward with the implementation, you may
need to add more implementation details to the blueprint, as those may become
an important context for important technical decisions made along the way. A
blueprint is also a register of such technical decisions. If a technical
decision requires additional context before it can be made, you probably should
document this context in a blueprint. If it is a small technical decision that
can be made in a merge request by an author and a maintainer, you probably do
not need to document it here. The impact a technical decision will have is
another helpful information - if a technical decision is very impactful,
documenting it, along with associated implementation details, is advisable.
If it's helpful to include workflow diagrams or any other related images.
Diagrams authored in GitLab flavored markdown are preferred. In cases where
that is not feasible, images should be placed under `images/` in the same
directory as the `index.md` for the proposal.
-->
## Alternative Solutions
<!--
It might be a good idea to include a list of alternative solutions or paths considered, although it is not required. Include pros and cons for
each alternative solution/path.
"Do nothing" and its pros and cons could be included in the list too.
-->


@ -490,7 +490,7 @@ Geo is a premium feature built to help speed up the development of distributed t
#### GitLab Exporter
- [Project page](https://gitlab.com/gitlab-org/gitlab-exporter)
- [Project page](https://gitlab.com/gitlab-org/ruby/gems/gitlab-exporter)
- Configuration:
- [Omnibus](../administration/monitoring/prometheus/gitlab_exporter.md)
- [Charts](https://docs.gitlab.com/charts/charts/gitlab/gitlab-exporter/index.html)
@ -498,7 +498,7 @@ Geo is a premium feature built to help speed up the development of distributed t
- Process: `gitlab-exporter`
- GitLab.com: [Monitoring of GitLab.com](https://about.gitlab.com/handbook/engineering/monitoring/)
GitLab Exporter is a process designed in house that allows us to export metrics about GitLab application internals to Prometheus. You can read more [in the project's README](https://gitlab.com/gitlab-org/gitlab-exporter).
GitLab Exporter is a process designed in house that allows us to export metrics about GitLab application internals to Prometheus. You can read more [in the project's README](https://gitlab.com/gitlab-org/ruby/gems/gitlab-exporter).
#### GitLab agent


@ -208,6 +208,14 @@ Instead, use **assign**. For example:
Use **authenticated user** instead of other variations, like **signed in user** or **logged in user**.
## before you begin
Use **before you begin** when documenting the tasks that must be completed or the conditions that must be met before a user can complete a tutorial. Do not use **requirements** or **prerequisites**.
For more information, see [the tutorial page type](../topic_types/tutorial.md).
For task topic types, use [**prerequisites**](#prerequisites) instead.
## below
Try to avoid **below** when referring to an example or table in a documentation page. If required, use **following** instead. For example:
@ -1253,10 +1261,12 @@ in the context of other subscription tiers, follow [the subscription tier](#subs
## prerequisites
Use **prerequisites** when documenting the steps before a task. Do not use **requirements**.
Use **prerequisites** when documenting the tasks that must be completed or the conditions that must be met before a user can complete a task. Do not use **requirements**.
For more information, see [the task topic type](../topic_types/task.md).
For tutorial page types, use [**before you begin**](#before-you-begin) instead.
## press
Use **press** when talking about keyboard keys. For example:
@ -1321,9 +1331,12 @@ Use title case for **Repository Mirroring**.
## requirements
Use **prerequisites** when documenting the steps before a task. Do not use **requirements**.
When documenting the tasks that must be completed or the conditions that must be met before a user can complete the steps:
For more information, see [the task topic type](../topic_types/task.md).
- Use **prerequisites** for tasks. For more information, see [the task topic type](../topic_types/task.md).
- Use **before you begin** for tutorials. For more information, see [the tutorial page type](../topic_types/tutorial.md).
Do not use **requirements**.
## respectively


@ -25,7 +25,7 @@ In general, you might consider using a tutorial when:
ideal to duplicate content that is available elsewhere, it's worse to force the reader to
leave the page to find what they need.
## Tutorial file name and location
## Tutorial filename and location
For tutorial Markdown files, you can either:
@ -50,9 +50,9 @@ To create a website:
1. [Do the first task](#do-the-first-task)
1. [Do the second task](#do-the-second-task)
## Prerequisites
## Before you begin
This topic is optional.
This section is optional.
- Thing 1
- Thing 2
@ -85,7 +85,7 @@ An example of a tutorial that follows this format is
Start the page title with `Tutorial:` followed by an active verb, like `Tutorial: Create a website`.
In the left nav, use the full page title. Do not abbreviate it.
Put the text in quotes so the pipeline will pass. For example,
Put the text in quotes so the pipeline succeeds. For example,
`"Tutorial: Make your first Git commit"`.
On [the **Learn GitLab with tutorials** page](../../../tutorials/index.md),


@ -725,7 +725,7 @@ Three kinds of components may export data to Prometheus, and are included in Ser
- [`node_exporter`](https://github.com/prometheus/node_exporter): Exports node metrics
from the host machine.
- [`gitlab-exporter`](https://gitlab.com/gitlab-org/gitlab-exporter): Exports process metrics
- [`gitlab-exporter`](https://gitlab.com/gitlab-org/ruby/gems/gitlab-exporter): Exports process metrics
from various GitLab components.
- Other various GitLab services, such as Sidekiq and the Rails server, which export their own metrics.


@ -137,7 +137,7 @@ concern.
<!-- vale gitlab.Substitutions = YES -->
The
[`fluent-plugin-redis-slowlog`](https://gitlab.com/gitlab-org/fluent-plugin-redis-slowlog)
[`fluent-plugin-redis-slowlog`](https://gitlab.com/gitlab-org/ruby/gems/fluent-plugin-redis-slowlog)
project is responsible for taking the `slowlog` entries from Redis and
passing to Fluentd (and ultimately Elasticsearch).


@ -145,7 +145,7 @@ When upgrading Ruby, consider updating the following repositories:
- [Gitaly](https://gitlab.com/gitlab-org/gitaly) ([example](https://gitlab.com/gitlab-org/gitaly/-/merge_requests/3771))
- [GitLab LabKit](https://gitlab.com/gitlab-org/labkit-ruby) ([example](https://gitlab.com/gitlab-org/labkit-ruby/-/merge_requests/79))
- [GitLab Exporter](https://gitlab.com/gitlab-org/gitlab-exporter) ([example](https://gitlab.com/gitlab-org/gitlab-exporter/-/merge_requests/150))
- [GitLab Exporter](https://gitlab.com/gitlab-org/ruby/gems/gitlab-exporter) ([example](https://gitlab.com/gitlab-org/ruby/gems/gitlab-exporter/-/merge_requests/150))
- [GitLab Experiment](https://gitlab.com/gitlab-org/ruby/gems/gitlab-experiment) ([example](https://gitlab.com/gitlab-org/ruby/gems/gitlab-experiment/-/merge_requests/128))
- [Gollum Lib](https://gitlab.com/gitlab-org/gollum-lib) ([example](https://gitlab.com/gitlab-org/gollum-lib/-/merge_requests/21))
- [GitLab Helm Chart](https://gitlab.com/gitlab-org/charts/gitlab) ([example](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/2162))


@ -36,9 +36,9 @@ To unlock your account, sign in and enter the verification code. You can also
## Accounts with 2FA or OAuth
An account is locked when there are five or more failed sign-in attempts in 10 minutes.
An account is locked when there are three or more failed sign-in attempts.
Accounts with 2FA or OAuth are automatically unlocked after 10 minutes. To unlock an account manually,
Accounts with 2FA or OAuth are automatically unlocked after 30 minutes. To unlock an account manually,
reset your password.
## Related topics


@ -9,11 +9,20 @@ type: howto
## Self-managed users
Users are locked after ten failed sign-in attempts. These users remain locked:
> Configurable locked user policy [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/27048) in GitLab 16.5.
By default, users are locked after 10 failed sign-in attempts. These users remain locked:
- For 10 minutes, after which time they are automatically unlocked.
- Until an administrator unlocks them from the [Admin Area](../administration/admin_area.md) or the command line in under 10 minutes.
In GitLab 16.5 and later, administrators can [use the API](../api/settings.md#list-of-settings-that-can-be-accessed-via-api-calls) to configure:
- The number of failed sign-in attempts that locks a user.
- The time period in minutes that the locked user is locked for, after the maximum number of failed sign-in attempts is reached.
For example, an administrator can configure that five failed sign-in attempts locks a user, and that user will be locked for 60 minutes.
## GitLab.com users
If 2FA is not enabled users are locked after three failed sign-in attempts within 24 hours. These users remain locked until:
@ -21,7 +30,7 @@ If 2FA is not enabled users are locked after three failed sign-in attempts withi
- Their next successful sign-in, at which point they are sent an email with a six-digit unlock code and redirected to a verification page where they can unlock their account by entering the code.
- GitLab Support [manually unlock](https://about.gitlab.com/handbook/support/workflows/reinstating-blocked-accounts.html#manual-unlock) the account after account ownership is verified.
If 2FA is enabled, users are locked after five failed sign-in attempts within 10 minutes. Accounts are unlocked automatically after 10 minutes.
If 2FA is enabled, users are locked after three failed sign-in attempts. Accounts are unlocked automatically after 30 minutes.
## Unlock a user from the Admin Area


@ -11,11 +11,15 @@ module API
namespace.kind == 'group' && Ability.allowed?(opts[:current_user], :admin_group, namespace)
end
expose :root_repository_size, documentation: { type: 'integer', example: 123 }, if: -> (namespace, opts) { expose_root_repository_size?(namespace, opts) } do |namespace, _|
expose :root_repository_size, documentation: { type: 'integer', example: 123 }, if: -> (namespace, opts) { admin_request_for_group?(namespace, opts) } do |namespace, _|
namespace.root_storage_statistics&.repository_size
end
def expose_root_repository_size?(namespace, opts)
expose :projects_count, documentation: { type: 'integer', example: 123 }, if: -> (namespace, opts) { admin_request_for_group?(namespace, opts) } do |namespace, _|
namespace.all_projects.count
end
def admin_request_for_group?(namespace, opts)
namespace.kind == 'group' && Ability.allowed?(opts[:current_user], :admin_group, namespace)
end
end
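Review bot: `projects_count` evaluates `namespace.all_projects.count` for every group the requester administers, so the namespaces list endpoint now issues one COUNT per row, and for large hierarchies `all_projects` may be an expensive traversal; check whether the count can be preloaded or served from existing statistics before exposing it on a list endpoint. The `namespace.kind == 'group' && Ability.allowed?(opts[:current_user], :admin_group, namespace)` expression in the context line above `root_repository_size` duplicates the body of the new `admin_request_for_group?` helper, so that earlier `if:` lambda should call the helper as well. The enclosing entity class starts before this hunk.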


@ -225,7 +225,7 @@ module Gitlab
if creating_linked_ldap_user?
username = ldap_person.username.presence
name = ldap_person.name.presence
email = ldap_person.email.first.presence
email = ldap_person.email&.first.presence
end
username ||= auth_hash.username
@ -272,7 +272,7 @@ module Gitlab
if creating_linked_ldap_user?
metadata.set_attribute_synced(:name, true) if gl_user.name == ldap_person.name
metadata.set_attribute_synced(:email, true) if gl_user.email == ldap_person.email.first
metadata.set_attribute_synced(:email, true) if gl_user.email == ldap_person.email&.first
metadata.provider = ldap_person.provider
end
end


@ -140,7 +140,10 @@ module Gitlab
signatures: signatures,
project_id: @project.id,
found_by_pipeline: report.pipeline,
vulnerability_finding_signatures_enabled: @signatures_enabled))
vulnerability_finding_signatures_enabled: @signatures_enabled,
cvss: data['cvss'] || []
)
)
end
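Review bot: `cvss: data['cvss'] || []` passes the scanner report's value through unchecked, so a report in which `cvss` is present but not an array of vector hashes reaches the finding as-is. If the report schema validation that runs before this parser already enforces the `cvss` shape, a short comment saying so is enough (`# cvss shape is enforced by the report schema validation`); otherwise normalise here, e.g. `cvss: data['cvss'].is_a?(Array) ? data['cvss'] : []`. The method this call belongs to starts and ends outside the hunk.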
def create_signatures(tracking)


@ -13829,6 +13829,9 @@ msgstr ""
msgid "Couldn't link %{issuable}. You must have at least the Reporter role in both projects."
msgstr ""
msgid "Couldn't link epics. You must have at least the Guest role in the epic's group."
msgstr ""
msgid "Country / Region"
msgstr ""
@ -49982,7 +49985,7 @@ msgstr ""
msgid "Tracing|Status Code"
msgstr ""
msgid "Tracing|Time Range"
msgid "Tracing|Time range"
msgstr ""
msgid "Tracing|Toggle children spans"


@ -133,6 +133,15 @@ def generate_metrics_table
)
end
begin
snowplow_data
rescue Errno::ECONNREFUSED
puts "Could not connect to Snowplow Micro."
puts "Please follow these instruction to set up Snowplow Micro:"
puts "https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/snowplow_micro.md"
exit 1
end
print "\e[?1049h" # Stores the original screen buffer
print "\e[H" # Moves the cursor home
begin
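Review bot: The `rescue Errno::ECONNREFUSED` around `snowplow_data` only catches a refused connection, so a timeout, unreachable host or DNS failure still aborts the script with a raw backtrace instead of the friendly message; widening to `rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError, Net::OpenTimeout` covers the common cases, assuming the underlying client raises the standard Net errors (verify). The second message has a typo and should read `Please follow these instructions to set up Snowplow Micro:`. A comment stating that `snowplow_data` is called here purely as a connectivity probe before the screen buffer is switched would make the discarded return value look intentional. The enclosing script continues outside this hunk.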


@ -12,6 +12,12 @@
"id": "gemnasium",
"name": "Gemnasium"
},
"cvss": [
{
"vendor": "GitLab",
"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"location": {
"file": "some/kind/of/file.c",
"dependency": {
@ -414,7 +420,9 @@
"value": "foo"
}
],
"links": []
"links": [
]
}
],
"remediations": [
@ -476,7 +484,9 @@
"diff": "dG90YWxseSBsZWdpdGltYXRlIGRpZmYsIDEwLzEwIHdvdWxkIGFwcGx5"
}
],
"dependency_files": [],
"dependency_files": [
],
"scan": {
"analyzer": {
"id": "common-analyzer",


@ -535,6 +535,37 @@ RSpec.describe Gitlab::Auth::OAuth::User, feature_category: :system_access do
end
end
context "and a corresponding LDAP person with some values being nil" do
before do
allow(ldap_user).to receive(:uid) { uid }
allow(ldap_user).to receive(:username) { uid }
allow(ldap_user).to receive(:name) { nil }
allow(ldap_user).to receive(:email) { nil }
allow(ldap_user).to receive(:dn) { dn }
allow(Gitlab::Auth::Ldap::Person).to receive(:find_by_uid).and_return(ldap_user)
oauth_user.save # rubocop:disable Rails/SaveBang
end
it "creates the user correctly" do
expect(gl_user).to be_valid
expect(gl_user.username).to eq(uid)
expect(gl_user.name).to eq(info_hash[:name])
expect(gl_user.email).to eq(info_hash[:email])
end
it "does not have the attributes not provided by LDAP set as synced" do
expect(gl_user.user_synced_attributes_metadata.name_synced).to be_falsey
expect(gl_user.user_synced_attributes_metadata.email_synced).to be_falsey
end
it "does not have the attributes not provided by LDAP set as read-only" do
expect(gl_user.read_only_attribute?(:name)).to be_falsey
expect(gl_user.read_only_attribute?(:email)).to be_falsey
end
end
context 'and a corresponding LDAP person with a non-default username' do
before do
allow(ldap_user).to receive(:uid) { uid }


@ -370,6 +370,14 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Common, feature_category: :vulnera
end
end
describe 'setting CVSS' do
let(:cvss_vectors) { report.findings.filter_map(&:cvss).reject(&:empty?) }
it 'ingests the provided CVSS vectors' do
expect(cvss_vectors.count).to eq(1)
end
end
describe 'setting the uuid' do
let(:finding_uuids) { report.findings.map(&:uuid) }
let(:uuid_1) do


@ -3,6 +3,8 @@
require 'spec_helper'
RSpec.describe Packages::Protection::Rule, type: :model, feature_category: :package_registry do
using RSpec::Parameterized::TableSyntax
it_behaves_like 'having unique enum values'
describe 'relationships' do
@ -42,4 +44,217 @@ RSpec.describe Packages::Protection::Rule, type: :model, feature_category: :pack
it { is_expected.to validate_presence_of(:push_protected_up_to_access_level) }
end
end
describe 'before_save' do
describe '#set_package_name_pattern_ilike_query' do
subject { create(:package_protection_rule, package_name_pattern: package_name_pattern) }
context 'with different package name patterns' do
where(:package_name_pattern, :expected_pattern_query) do
'@my-scope/my-package' | '@my-scope/my-package'
'*@my-scope/my-package-with-wildcard-start' | '%@my-scope/my-package-with-wildcard-start'
'@my-scope/my-package-with-wildcard-end*' | '@my-scope/my-package-with-wildcard-end%'
'@my-scope/*my-package-with-wildcard-inbetween' | '@my-scope/%my-package-with-wildcard-inbetween'
'**@my-scope/**my-package-with-wildcard-multiple**' | '%%@my-scope/%%my-package-with-wildcard-multiple%%'
'@my-scope/my-package-with_____underscore' | '@my-scope/my-package-with\_\_\_\_\_underscore'
'@my-scope/my-package-with-percent-sign-%' | '@my-scope/my-package-with-percent-sign-\%'
'@my-scope/my-package-with-regex-characters.+' | '@my-scope/my-package-with-regex-characters.+'
end
with_them do
it { is_expected.to have_attributes(package_name_pattern_ilike_query: expected_pattern_query) }
end
end
end
end
describe '.for_package_name' do
let_it_be(:package_protection_rule) do
create(:package_protection_rule, package_name_pattern: '@my-scope/my_package')
end
let_it_be(:ppr_with_wildcard_start) do
create(:package_protection_rule, package_name_pattern: '*@my-scope/my_package-with-wildcard-start')
end
let_it_be(:ppr_with_wildcard_end) do
create(:package_protection_rule, package_name_pattern: '@my-scope/my_package-with-wildcard-end*')
end
let_it_be(:ppr_with_wildcard_inbetween) do
create(:package_protection_rule, package_name_pattern: '@my-scope/*my_package-with-wildcard-inbetween')
end
let_it_be(:ppr_with_wildcard_multiples) do
create(:package_protection_rule, package_name_pattern: '**@my-scope/**my_package-with-wildcard-multiple**')
end
let_it_be(:ppr_with_underscore) do
create(:package_protection_rule, package_name_pattern: '@my-scope/my_package-with_____underscore')
end
let_it_be(:ppr_with_regex_characters) do
create(:package_protection_rule, package_name_pattern: '@my-scope/my_package-with-regex-characters.+')
end
let(:package_name) { package_protection_rule.package_name_pattern }
subject { described_class.for_package_name(package_name) }
context 'with several package protection rule scenarios' do
where(:package_name, :expected_package_protection_rules) do
'@my-scope/my_package' | [ref(:package_protection_rule)]
'@my-scope/my2package' | []
'@my-scope/my_package-2' | []
# With wildcard pattern at the start
'@my-scope/my_package-with-wildcard-start' | [ref(:ppr_with_wildcard_start)]
'@my-scope/my_package-with-wildcard-start-any' | []
'prefix-@my-scope/my_package-with-wildcard-start' | [ref(:ppr_with_wildcard_start)]
'prefix-@my-scope/my_package-with-wildcard-start-any' | []
# With wildcard pattern at the end
'@my-scope/my_package-with-wildcard-end' | [ref(:ppr_with_wildcard_end)]
'@my-scope/my_package-with-wildcard-end:1234567890' | [ref(:ppr_with_wildcard_end)]
'prefix-@my-scope/my_package-with-wildcard-end' | []
'prefix-@my-scope/my_package-with-wildcard-end:1234567890' | []
# With wildcard pattern inbetween
'@my-scope/my_package-with-wildcard-inbetween' | [ref(:ppr_with_wildcard_inbetween)]
'@my-scope/any-my_package-with-wildcard-inbetween' | [ref(:ppr_with_wildcard_inbetween)]
'@my-scope/any-my_package-my_package-wildcard-inbetween-any' | []
# With multiple wildcard pattern are used
'@my-scope/my_package-with-wildcard-multiple' | [ref(:ppr_with_wildcard_multiples)]
'prefix-@my-scope/any-my_package-with-wildcard-multiple-any' | [ref(:ppr_with_wildcard_multiples)]
'****@my-scope/****my_package-with-wildcard-multiple****' | [ref(:ppr_with_wildcard_multiples)]
'prefix-@other-scope/any-my_package-with-wildcard-multiple-any' | []
# With underscore
'@my-scope/my_package-with_____underscore' | [ref(:ppr_with_underscore)]
'@my-scope/my_package-with_any_underscore' | []
'@my-scope/my_package-with-regex-characters.+' | [ref(:ppr_with_regex_characters)]
'@my-scope/my_package-with-regex-characters.' | []
'@my-scope/my_package-with-regex-characters' | []
'@my-scope/my_package-with-regex-characters-any' | []
# Special cases
nil | []
'' | []
'any_package' | []
end
with_them do
it { is_expected.to match_array(expected_package_protection_rules) }
end
end
context 'with multiple matching package protection rules' do
let!(:package_protection_rule_second_match) do
create(:package_protection_rule, package_name_pattern: "#{package_name}*")
end
it { is_expected.to contain_exactly(package_protection_rule_second_match, package_protection_rule) }
end
end
describe '.push_protected_from?' do
let_it_be(:project_with_ppr) { create(:project) }
let_it_be(:project_without_ppr) { create(:project) }
let_it_be(:ppr_for_developer) do
create(:package_protection_rule,
package_name_pattern: '@my-scope/my-package-stage*',
project: project_with_ppr,
package_type: :npm,
push_protected_up_to_access_level: :developer
)
end
let_it_be(:ppr_for_maintainer) do
create(:package_protection_rule,
package_name_pattern: '@my-scope/my-package-prod*',
project: project_with_ppr,
package_type: :npm,
push_protected_up_to_access_level: :maintainer
)
end
let_it_be(:ppr_owner) do
create(:package_protection_rule,
package_name_pattern: '@my-scope/my-package-release*',
project: project_with_ppr,
package_type: :npm,
push_protected_up_to_access_level: :owner
)
end
let_it_be(:ppr_2_for_developer) do
create(:package_protection_rule,
package_name_pattern: '@my-scope/my-package-*',
project: project_with_ppr,
package_type: :npm,
push_protected_up_to_access_level: :developer
)
end
subject do
project
.package_protection_rules
.push_protected_from?(
access_level: access_level,
package_name: package_name,
package_type: package_type
)
end
describe "with different users and protection levels" do
# rubocop:disable Layout/LineLength
where(:project, :access_level, :package_name, :package_type, :push_protected) do
ref(:project_with_ppr) | Gitlab::Access::REPORTER | '@my-scope/my-package-stage-sha-1234' | :npm | true
ref(:project_with_ppr) | :developer | '@my-scope/my-package-stage-sha-1234' | :npm | true
ref(:project_with_ppr) | :maintainer | '@my-scope/my-package-stage-sha-1234' | :npm | false
ref(:project_with_ppr) | :maintainer | '@my-scope/my-package-stage-sha-1234' | :npm | false
ref(:project_with_ppr) | :owner | '@my-scope/my-package-stage-sha-1234' | :npm | false
ref(:project_with_ppr) | Gitlab::Access::ADMIN | '@my-scope/my-package-stage-sha-1234' | :npm | false
ref(:project_with_ppr) | :developer | '@my-scope/my-package-prod-sha-1234' | :npm | true
ref(:project_with_ppr) | :maintainer | '@my-scope/my-package-prod-sha-1234' | :npm | true
ref(:project_with_ppr) | :owner | '@my-scope/my-package-prod-sha-1234' | :npm | false
ref(:project_with_ppr) | Gitlab::Access::ADMIN | '@my-scope/my-package-prod-sha-1234' | :npm | false
ref(:project_with_ppr) | :developer | '@my-scope/my-package-release-v1' | :npm | true
ref(:project_with_ppr) | :owner | '@my-scope/my-package-release-v1' | :npm | true
ref(:project_with_ppr) | Gitlab::Access::ADMIN | '@my-scope/my-package-release-v1' | :npm | false
ref(:project_with_ppr) | :developer | '@my-scope/my-package-any-suffix' | :npm | true
ref(:project_with_ppr) | :maintainer | '@my-scope/my-package-any-suffix' | :npm | false
ref(:project_with_ppr) | :owner | '@my-scope/my-package-any-suffix' | :npm | false
# For non-matching package_name
ref(:project_with_ppr) | :developer | '@my-scope/non-matching-package' | :npm | false
# For non-matching package_type
ref(:project_with_ppr) | :developer | '@my-scope/my-package-any-suffix' | :conan | false
# For no access level
ref(:project_with_ppr) | Gitlab::Access::NO_ACCESS | '@my-scope/my-package-prod' | :npm | true
# Edge cases
ref(:project_with_ppr) | 0 | '' | nil | true
ref(:project_with_ppr) | nil | nil | nil | true
# For projects that have no package protection rules
ref(:project_without_ppr) | :developer | '@my-scope/my-package-prod' | :npm | false
ref(:project_without_ppr) | :maintainer | '@my-scope/my-package-prod' | :npm | false
ref(:project_without_ppr) | :owner | '@my-scope/my-package-prod' | :npm | false
end
# rubocop:enable Layout/LineLength
with_them do
it { is_expected.to eq push_protected }
end
end
end
end
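Review bot: The `push_protected_from?` table contains the row `ref(:project_with_ppr) | :maintainer | '@my-scope/my-package-stage-sha-1234' | :npm | false` twice, so one copy adds nothing and should be dropped or changed to another access level. The `#set_package_name_pattern_ilike_query` table also has no case for a pattern whose escaped query exceeds the 255-character column limit, which is the edge the `before_save` callback is most likely to trip on; a row with a long run of underscores would pin whatever behaviour is intended there.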


@ -30,7 +30,7 @@ RSpec.describe API::Namespaces, :aggregate_failures, feature_category: :groups_a
expect(response).to have_gitlab_http_status(:ok)
expect(response).to include_pagination_headers
expect(group_kind_json_response.keys).to include('id', 'kind', 'name', 'path', 'full_path',
'parent_id', 'members_count_with_descendants', 'root_repository_size')
'parent_id', 'members_count_with_descendants', 'root_repository_size', 'projects_count')
expect(user_kind_json_response.keys).to include('id', 'kind', 'name', 'path', 'full_path', 'parent_id')
end
@ -66,7 +66,7 @@ RSpec.describe API::Namespaces, :aggregate_failures, feature_category: :groups_a
owned_group_response = json_response.find { |resource| resource['id'] == group1.id }
expect(owned_group_response.keys).to include('id', 'kind', 'name', 'path', 'full_path',
'parent_id', 'members_count_with_descendants', 'root_repository_size')
'parent_id', 'members_count_with_descendants', 'root_repository_size', 'projects_count')
end
it "returns correct attributes when user cannot admin group" do