diff --git a/db/docs/project_statistics.yml b/db/docs/project_statistics.yml
index 58260cdf415..48ebf66a3d9 100644
--- a/db/docs/project_statistics.yml
+++ b/db/docs/project_statistics.yml
@@ -17,3 +17,6 @@ schema_inconsistencies:
 - type: missing_indexes
 object_name: index_project_statistics_on_storage_size_and_project_id
 introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156005
+- type: missing_indexes
+ object_name: index_project_statistics_on_packages_size_and_project_id
+ introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/156008
diff --git a/db/post_migrate/20240611121818_remove_project_statistics_packages_size_and_project_id_index.rb b/db/post_migrate/20240611121818_remove_project_statistics_packages_size_and_project_id_index.rb
new file mode 100644
index 00000000000..e443724a83a
--- /dev/null
+++ b/db/post_migrate/20240611121818_remove_project_statistics_packages_size_and_project_id_index.rb
@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class RemoveProjectStatisticsPackagesSizeAndProjectIdIndex < Gitlab::Database::Migration[2.2]
+ milestone '17.2'
+
+ INDEX_NAME = 'index_project_statistics_on_packages_size_and_project_id'
+ COLUMNS = %i[packages_size project_id]
+
+ # TODO: Index to be destroyed synchronously in https://gitlab.com/gitlab-org/gitlab/-/issues/466691
+ def up
+ return unless should_run?
+
+ prepare_async_index_removal :project_statistics, COLUMNS, name: INDEX_NAME
+ end
+
+ def down
+ return unless should_run?
+
+ unprepare_async_index :project_statistics, COLUMNS, name: INDEX_NAME
+ end
+
+ def should_run?
+ Gitlab.com_except_jh?
+ end
+end
diff --git a/db/schema_migrations/20240611121818 b/db/schema_migrations/20240611121818
new file mode 100644
index 00000000000..a4b2cdfd889
--- /dev/null
+++ b/db/schema_migrations/20240611121818
@@ -0,0 +1 @@
+a79d6464d995015034a5534f63bbed10ab899d6b01d5424b7e00d426b6dedd82
\ No newline at end of file
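Review bot: `down` does not restore the index: `unprepare_async_index` appears to only dequeue the pending async removal, so if the async drop has already executed before a rollback the index stays gone, and nothing in the migration says so. A one-line comment above `def down` such as `# Only cancels the queued async removal; an index already dropped asynchronously is not recreated here.` would make that explicit for whoever picks up the synchronous drop tracked in the TODO above `up`. As a point of style, `should_run?` is exposed as a public method of the migration class although it only gates `up` and `down`; placing `private` above `def should_run?` keeps it out of the class's public surface.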
diff --git a/db/structure.sql b/db/structure.sql
index a06dd2e2ac4..acf02184ab7 100644
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -2013,6 +2013,502 @@ RETURN NULL; END $$; +CREATE TABLE audit_events ( + id bigint NOT NULL, + author_id integer NOT NULL, + entity_id integer NOT NULL, + entity_type character varying NOT NULL, + details text, + ip_address inet, + author_name text, + entity_path text, + target_details text, + created_at timestamp without time zone NOT NULL, + target_type text, + target_id bigint, + CONSTRAINT check_492aaa021d CHECK ((char_length(entity_path) <= 5500)), + CONSTRAINT check_83ff8406e2 CHECK ((char_length(author_name) <= 255)), + CONSTRAINT check_97a8c868e7 CHECK ((char_length(target_type) <= 255)), + CONSTRAINT check_d493ec90b5 CHECK ((char_length(target_details) <= 5500)) +) +PARTITION BY RANGE (created_at); + +CREATE TABLE batched_background_migration_job_transition_logs ( + id bigint NOT NULL, + batched_background_migration_job_id bigint NOT NULL, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL, + previous_status smallint NOT NULL, + next_status smallint NOT NULL, + exception_class text, + exception_message text, + CONSTRAINT check_50e580811a CHECK ((char_length(exception_message) <= 1000)), + CONSTRAINT check_76e202c37a CHECK ((char_length(exception_class) <= 100)) +) +PARTITION BY RANGE (created_at); + +CREATE TABLE p_ci_build_names ( + build_id bigint NOT NULL, + partition_id bigint NOT NULL, + project_id bigint NOT NULL, + name text NOT NULL, + search_vector tsvector GENERATED ALWAYS AS (to_tsvector('english'::regconfig, COALESCE(name, ''::text))) STORED, + CONSTRAINT check_1722c96346 CHECK ((char_length(name) <= 255)) +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_build_sources ( + build_id bigint NOT NULL, + partition_id bigint NOT NULL, + project_id bigint NOT NULL, + source smallint NOT NULL +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_builds ( + status character varying, + finished_at timestamp without time zone, + created_at timestamp without time zone, + updated_at timestamp 
without time zone, + started_at timestamp without time zone, + runner_id_convert_to_bigint integer, + coverage double precision, + commit_id_convert_to_bigint integer, + name character varying, + options text, + allow_failure boolean DEFAULT false NOT NULL, + stage character varying, + trigger_request_id_convert_to_bigint integer, + stage_idx integer, + tag boolean, + ref character varying, + user_id_convert_to_bigint integer, + type character varying, + target_url character varying, + description character varying, + project_id_convert_to_bigint integer, + erased_by_id_convert_to_bigint integer, + erased_at timestamp without time zone, + artifacts_expire_at timestamp without time zone, + environment character varying, + "when" character varying, + yaml_variables text, + queued_at timestamp without time zone, + lock_version integer DEFAULT 0, + coverage_regex character varying, + auto_canceled_by_id_convert_to_bigint integer, + retried boolean, + protected boolean, + failure_reason integer, + scheduled_at timestamp with time zone, + token_encrypted character varying, + upstream_pipeline_id_convert_to_bigint integer, + resource_group_id bigint, + waiting_for_resource_at timestamp with time zone, + processed boolean, + scheduling_type smallint, + id bigint NOT NULL, + stage_id bigint, + partition_id bigint NOT NULL, + auto_canceled_by_partition_id bigint, + auto_canceled_by_id bigint, + commit_id bigint, + erased_by_id bigint, + project_id bigint, + runner_id bigint, + trigger_request_id bigint, + upstream_pipeline_id bigint, + user_id bigint, + execution_config_id bigint, + CONSTRAINT check_1e2fbd1b39 CHECK ((lock_version IS NOT NULL)) +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_builds_execution_configs ( + id bigint NOT NULL, + partition_id bigint NOT NULL, + project_id bigint NOT NULL, + pipeline_id bigint NOT NULL, + run_steps jsonb DEFAULT '{}'::jsonb NOT NULL +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_builds_metadata ( + 
project_id integer NOT NULL, + timeout integer, + timeout_source integer DEFAULT 1 NOT NULL, + interruptible boolean, + config_options jsonb, + config_variables jsonb, + has_exposed_artifacts boolean, + environment_auto_stop_in character varying(255), + expanded_environment_name character varying(255), + secrets jsonb DEFAULT '{}'::jsonb NOT NULL, + build_id bigint NOT NULL, + id bigint NOT NULL, + runtime_runner_features jsonb DEFAULT '{}'::jsonb NOT NULL, + id_tokens jsonb DEFAULT '{}'::jsonb NOT NULL, + partition_id bigint NOT NULL, + debug_trace_enabled boolean DEFAULT false NOT NULL, + exit_code smallint +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_job_annotations ( + id bigint NOT NULL, + partition_id bigint NOT NULL, + job_id bigint NOT NULL, + name text NOT NULL, + data jsonb DEFAULT '[]'::jsonb NOT NULL, + CONSTRAINT check_bac9224e45 CHECK ((char_length(name) <= 255)), + CONSTRAINT data_is_array CHECK ((jsonb_typeof(data) = 'array'::text)) +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_job_artifacts ( + project_id integer NOT NULL, + file_type integer NOT NULL, + size bigint, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL, + expire_at timestamp with time zone, + file character varying, + file_store integer DEFAULT 1, + file_sha256 bytea, + file_format smallint, + file_location smallint, + id bigint NOT NULL, + job_id bigint NOT NULL, + locked smallint DEFAULT 2, + partition_id bigint NOT NULL, + accessibility smallint DEFAULT 0 NOT NULL, + file_final_path text, + CONSTRAINT check_27f0f6dbab CHECK ((file_store IS NOT NULL)), + CONSTRAINT check_9f04410cf4 CHECK ((char_length(file_final_path) <= 1024)) +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_pipeline_variables ( + key character varying NOT NULL, + value text, + encrypted_value text, + encrypted_value_salt character varying, + encrypted_value_iv character varying, + variable_type smallint DEFAULT 1 NOT NULL, + 
partition_id bigint NOT NULL, + raw boolean DEFAULT false NOT NULL, + id bigint NOT NULL, + pipeline_id bigint NOT NULL +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_runner_machine_builds ( + partition_id bigint NOT NULL, + build_id bigint NOT NULL, + runner_machine_id bigint NOT NULL +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_stages ( + project_id integer, + created_at timestamp without time zone, + updated_at timestamp without time zone, + name character varying, + status integer, + lock_version integer DEFAULT 0, + "position" integer, + id bigint NOT NULL, + partition_id bigint NOT NULL, + pipeline_id bigint, + CONSTRAINT check_81b431e49b CHECK ((lock_version IS NOT NULL)) +) +PARTITION BY LIST (partition_id); + +CREATE SEQUENCE shared_audit_event_id_seq + START WITH 1 + INCREMENT BY 1 + NO MINVALUE + NO MAXVALUE + CACHE 1; + +CREATE TABLE group_audit_events ( + id bigint DEFAULT nextval('shared_audit_event_id_seq'::regclass) NOT NULL, + created_at timestamp with time zone NOT NULL, + group_id bigint NOT NULL, + author_id bigint NOT NULL, + target_id bigint, + event_name text, + details text, + ip_address inet, + author_name text, + entity_path text, + target_details text, + target_type text, + CONSTRAINT group_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), + CONSTRAINT group_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), + CONSTRAINT group_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), + CONSTRAINT group_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), + CONSTRAINT group_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) +) +PARTITION BY RANGE (created_at); + +CREATE TABLE groups_visits ( + id bigint NOT NULL, + entity_id bigint NOT NULL, + user_id bigint NOT NULL, + visited_at timestamp with time zone NOT NULL +) +PARTITION BY RANGE (visited_at); + +CREATE TABLE 
incident_management_pending_alert_escalations ( + id bigint NOT NULL, + rule_id bigint NOT NULL, + alert_id bigint NOT NULL, + process_at timestamp with time zone NOT NULL, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL +) +PARTITION BY RANGE (process_at); + +CREATE TABLE incident_management_pending_issue_escalations ( + id bigint NOT NULL, + rule_id bigint NOT NULL, + issue_id bigint NOT NULL, + process_at timestamp with time zone NOT NULL, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL +) +PARTITION BY RANGE (process_at); + +CREATE TABLE instance_audit_events ( + id bigint DEFAULT nextval('shared_audit_event_id_seq'::regclass) NOT NULL, + created_at timestamp with time zone NOT NULL, + author_id bigint NOT NULL, + target_id bigint, + event_name text, + details text, + ip_address inet, + author_name text, + entity_path text, + target_details text, + target_type text, + CONSTRAINT instance_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), + CONSTRAINT instance_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), + CONSTRAINT instance_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), + CONSTRAINT instance_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), + CONSTRAINT instance_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) +) +PARTITION BY RANGE (created_at); + +CREATE TABLE loose_foreign_keys_deleted_records ( + id bigint NOT NULL, + partition bigint DEFAULT 1 NOT NULL, + primary_key_value bigint NOT NULL, + status smallint DEFAULT 1 NOT NULL, + created_at timestamp with time zone DEFAULT now() NOT NULL, + fully_qualified_table_name text NOT NULL, + consume_after timestamp with time zone DEFAULT now(), + cleanup_attempts smallint DEFAULT 0, + CONSTRAINT check_1a541f3235 CHECK ((char_length(fully_qualified_table_name) <= 150)) +) +PARTITION BY LIST 
(partition); + +CREATE TABLE merge_request_diff_commits_b5377a7a34 ( + authored_date timestamp without time zone, + committed_date timestamp without time zone, + sha bytea NOT NULL, + message text, + trailers jsonb DEFAULT '{}'::jsonb NOT NULL, + commit_author_id bigint, + committer_id bigint, + merge_request_diff_id bigint NOT NULL, + relative_order integer NOT NULL +) +PARTITION BY RANGE (merge_request_diff_id); + +CREATE TABLE merge_request_diff_files_99208b8fac ( + new_file boolean NOT NULL, + renamed_file boolean NOT NULL, + deleted_file boolean NOT NULL, + too_large boolean NOT NULL, + a_mode character varying NOT NULL, + b_mode character varying NOT NULL, + new_path text NOT NULL, + old_path text NOT NULL, + diff text, + "binary" boolean, + external_diff_offset integer, + external_diff_size integer, + generated boolean, + merge_request_diff_id bigint NOT NULL, + relative_order integer NOT NULL +) +PARTITION BY RANGE (merge_request_diff_id); + +CREATE TABLE p_batched_git_ref_updates_deletions ( + id bigint NOT NULL, + project_id bigint NOT NULL, + partition_id bigint DEFAULT 1 NOT NULL, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL, + status smallint DEFAULT 1 NOT NULL, + ref text NOT NULL, + CONSTRAINT check_f322d53b92 CHECK ((char_length(ref) <= 1024)) +) +PARTITION BY LIST (partition_id); + +CREATE TABLE p_catalog_resource_component_usages ( + id bigint NOT NULL, + component_id bigint NOT NULL, + catalog_resource_id bigint NOT NULL, + project_id bigint NOT NULL, + used_by_project_id bigint NOT NULL, + used_date date NOT NULL +) +PARTITION BY RANGE (used_date); + +CREATE TABLE p_catalog_resource_sync_events ( + id bigint NOT NULL, + catalog_resource_id bigint NOT NULL, + project_id bigint NOT NULL, + partition_id bigint DEFAULT 1 NOT NULL, + status smallint DEFAULT 1 NOT NULL, + created_at timestamp with time zone DEFAULT now() NOT NULL, + updated_at timestamp with time zone DEFAULT now() NOT NULL +) 
+PARTITION BY LIST (partition_id); + +CREATE TABLE p_ci_finished_build_ch_sync_events ( + build_id bigint NOT NULL, + partition bigint DEFAULT 1 NOT NULL, + build_finished_at timestamp without time zone NOT NULL, + processed boolean DEFAULT false NOT NULL +) +PARTITION BY LIST (partition); + +CREATE TABLE project_audit_events ( + id bigint DEFAULT nextval('shared_audit_event_id_seq'::regclass) NOT NULL, + created_at timestamp with time zone NOT NULL, + project_id bigint NOT NULL, + author_id bigint NOT NULL, + target_id bigint, + event_name text, + details text, + ip_address inet, + author_name text, + entity_path text, + target_details text, + target_type text, + CONSTRAINT project_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), + CONSTRAINT project_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), + CONSTRAINT project_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), + CONSTRAINT project_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), + CONSTRAINT project_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) +) +PARTITION BY RANGE (created_at); + +CREATE TABLE projects_visits ( + id bigint NOT NULL, + entity_id bigint NOT NULL, + user_id bigint NOT NULL, + visited_at timestamp with time zone NOT NULL +) +PARTITION BY RANGE (visited_at); + +CREATE TABLE security_findings ( + id bigint NOT NULL, + scan_id bigint NOT NULL, + scanner_id bigint NOT NULL, + severity smallint NOT NULL, + confidence smallint, + project_fingerprint text, + deduplicated boolean DEFAULT false NOT NULL, + uuid uuid, + overridden_uuid uuid, + partition_number integer DEFAULT 1 NOT NULL, + finding_data jsonb DEFAULT '{}'::jsonb NOT NULL, + CONSTRAINT check_6c2851a8c9 CHECK ((uuid IS NOT NULL)), + CONSTRAINT check_b9508c6df8 CHECK ((char_length(project_fingerprint) <= 40)) +) +PARTITION BY LIST (partition_number); + +CREATE TABLE user_audit_events ( + id bigint DEFAULT 
nextval('shared_audit_event_id_seq'::regclass) NOT NULL, + created_at timestamp with time zone NOT NULL, + user_id bigint NOT NULL, + author_id bigint NOT NULL, + target_id bigint, + event_name text, + details text, + ip_address inet, + author_name text, + entity_path text, + target_details text, + target_type text, + CONSTRAINT user_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), + CONSTRAINT user_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), + CONSTRAINT user_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), + CONSTRAINT user_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), + CONSTRAINT user_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) +) +PARTITION BY RANGE (created_at); + +CREATE TABLE value_stream_dashboard_counts ( + id bigint NOT NULL, + namespace_id bigint NOT NULL, + count bigint NOT NULL, + recorded_at timestamp with time zone NOT NULL, + metric smallint NOT NULL +) +PARTITION BY RANGE (recorded_at); + +CREATE TABLE verification_codes ( + created_at timestamp with time zone DEFAULT now() NOT NULL, + visitor_id_code text NOT NULL, + code text NOT NULL, + phone text NOT NULL, + CONSTRAINT check_9b84e6aaff CHECK ((char_length(code) <= 8)), + CONSTRAINT check_ccc542256b CHECK ((char_length(visitor_id_code) <= 64)), + CONSTRAINT check_f5684c195b CHECK ((char_length(phone) <= 50)) +) +PARTITION BY RANGE (created_at); + +COMMENT ON TABLE verification_codes IS 'JiHu-specific table'; + +CREATE TABLE web_hook_logs ( + id bigint NOT NULL, + web_hook_id integer NOT NULL, + trigger character varying, + url character varying, + request_headers text, + request_data text, + response_headers text, + response_body text, + response_status character varying, + execution_duration double precision, + internal_error_message character varying, + updated_at timestamp without time zone NOT NULL, + created_at timestamp without time zone NOT NULL, 
+ url_hash text +) +PARTITION BY RANGE (created_at); + +CREATE TABLE zoekt_tasks ( + id bigint NOT NULL, + partition_id bigint DEFAULT 1 NOT NULL, + zoekt_node_id bigint NOT NULL, + zoekt_repository_id bigint NOT NULL, + project_identifier bigint NOT NULL, + perform_at timestamp with time zone DEFAULT now() NOT NULL, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL, + state smallint DEFAULT 0 NOT NULL, + task_type smallint NOT NULL, + retries_left smallint DEFAULT 5 NOT NULL, + CONSTRAINT c_zoekt_tasks_on_retries_left CHECK (((retries_left > 0) OR ((retries_left = 0) AND (state = 255)))) +) +PARTITION BY LIST (partition_id); + CREATE TABLE analytics_cycle_analytics_issue_stage_events ( stage_event_hash_id bigint NOT NULL, issue_id bigint NOT NULL, @@ -5619,26 +6115,6 @@ CREATE SEQUENCE atlassian_identities_user_id_seq ALTER SEQUENCE atlassian_identities_user_id_seq OWNED BY atlassian_identities.user_id; -CREATE TABLE audit_events ( - id bigint NOT NULL, - author_id integer NOT NULL, - entity_id integer NOT NULL, - entity_type character varying NOT NULL, - details text, - ip_address inet, - author_name text, - entity_path text, - target_details text, - created_at timestamp without time zone NOT NULL, - target_type text, - target_id bigint, - CONSTRAINT check_492aaa021d CHECK ((char_length(entity_path) <= 5500)), - CONSTRAINT check_83ff8406e2 CHECK ((char_length(author_name) <= 255)), - CONSTRAINT check_97a8c868e7 CHECK ((char_length(target_type) <= 255)), - CONSTRAINT check_d493ec90b5 CHECK ((char_length(target_details) <= 5500)) -) -PARTITION BY RANGE (created_at); - CREATE TABLE audit_events_amazon_s3_configurations ( id bigint NOT NULL, created_at timestamp with time zone NOT NULL, 
@@ -6119,20 +6595,6 @@ CREATE TABLE banned_users ( user_id bigint NOT NULL ); -CREATE TABLE batched_background_migration_job_transition_logs ( - id bigint NOT NULL, - batched_background_migration_job_id bigint NOT NULL, - created_at timestamp with time zone NOT NULL, - updated_at timestamp with time zone NOT NULL, - previous_status smallint NOT NULL, - next_status smallint NOT NULL, - exception_class text, - exception_message text, - CONSTRAINT check_50e580811a CHECK ((char_length(exception_message) <= 1000)), - CONSTRAINT check_76e202c37a CHECK ((char_length(exception_class) <= 100)) -) -PARTITION BY RANGE (created_at); - CREATE SEQUENCE batched_background_migration_job_transition_logs_id_seq START WITH 1 INCREMENT BY 1 
@@ -6918,65 +7380,6 @@ CREATE TABLE ci_build_trace_metadata ( partition_id bigint NOT NULL ); -CREATE TABLE p_ci_builds ( - status character varying, - finished_at timestamp without time zone, - created_at timestamp without time zone, - updated_at timestamp without time zone, - started_at timestamp without time zone, - runner_id_convert_to_bigint integer, - coverage double precision, - commit_id_convert_to_bigint integer, - name character varying, - options text, - allow_failure boolean DEFAULT false NOT NULL, - stage character varying, - trigger_request_id_convert_to_bigint integer, - stage_idx integer, - tag boolean, - ref character varying, - user_id_convert_to_bigint integer, - type character varying, - target_url character varying, - description character varying, - project_id_convert_to_bigint integer, - erased_by_id_convert_to_bigint integer, - erased_at timestamp without time zone, - artifacts_expire_at timestamp without time zone, - environment character varying, - "when" character varying, - yaml_variables text, - queued_at timestamp without time zone, - lock_version integer DEFAULT 0, - coverage_regex character varying, - auto_canceled_by_id_convert_to_bigint integer, - retried boolean, - protected boolean, - failure_reason integer, - scheduled_at timestamp with time zone, - token_encrypted character varying, - upstream_pipeline_id_convert_to_bigint integer, - resource_group_id bigint, - waiting_for_resource_at timestamp with time zone, - processed boolean, - scheduling_type smallint, - id bigint NOT NULL, - stage_id bigint, - partition_id bigint NOT NULL, - auto_canceled_by_partition_id bigint, - auto_canceled_by_id bigint, - commit_id bigint, - erased_by_id bigint, - project_id bigint, - runner_id bigint, - trigger_request_id bigint, - upstream_pipeline_id bigint, - user_id bigint, - execution_config_id bigint, - CONSTRAINT check_1e2fbd1b39 CHECK ((lock_version IS NOT NULL)) -) -PARTITION BY LIST (partition_id); - CREATE TABLE ci_builds ( status 
character varying, finished_at timestamp without time zone, @@ -7044,27 +7447,6 @@ CREATE SEQUENCE ci_builds_id_seq ALTER SEQUENCE ci_builds_id_seq OWNED BY p_ci_builds.id; -CREATE TABLE p_ci_builds_metadata ( - project_id integer NOT NULL, - timeout integer, - timeout_source integer DEFAULT 1 NOT NULL, - interruptible boolean, - config_options jsonb, - config_variables jsonb, - has_exposed_artifacts boolean, - environment_auto_stop_in character varying(255), - expanded_environment_name character varying(255), - secrets jsonb DEFAULT '{}'::jsonb NOT NULL, - build_id bigint NOT NULL, - id bigint NOT NULL, - runtime_runner_features jsonb DEFAULT '{}'::jsonb NOT NULL, - id_tokens jsonb DEFAULT '{}'::jsonb NOT NULL, - partition_id bigint NOT NULL, - debug_trace_enabled boolean DEFAULT false NOT NULL, - exit_code smallint -) -PARTITION BY LIST (partition_id); - CREATE SEQUENCE ci_builds_metadata_id_seq START WITH 1 INCREMENT BY 1 @@ -7248,29 +7630,6 @@ CREATE TABLE ci_job_artifact_states ( CONSTRAINT check_df832b66ea CHECK ((char_length(verification_failure) <= 255)) ); -CREATE TABLE p_ci_job_artifacts ( - project_id integer NOT NULL, - file_type integer NOT NULL, - size bigint, - created_at timestamp with time zone NOT NULL, - updated_at timestamp with time zone NOT NULL, - expire_at timestamp with time zone, - file character varying, - file_store integer DEFAULT 1, - file_sha256 bytea, - file_format smallint, - file_location smallint, - id bigint NOT NULL, - job_id bigint NOT NULL, - locked smallint DEFAULT 2, - partition_id bigint NOT NULL, - accessibility smallint DEFAULT 0 NOT NULL, - file_final_path text, - CONSTRAINT check_27f0f6dbab CHECK ((file_store IS NOT NULL)), - CONSTRAINT check_9f04410cf4 CHECK ((char_length(file_final_path) <= 1024)) -) -PARTITION BY LIST (partition_id); - CREATE TABLE ci_job_artifacts ( project_id integer NOT NULL, file_type integer NOT NULL, 
@@ -7569,20 +7928,6 @@ CREATE SEQUENCE ci_pipeline_schedules_id_seq ALTER SEQUENCE ci_pipeline_schedules_id_seq OWNED BY ci_pipeline_schedules.id; -CREATE TABLE p_ci_pipeline_variables ( - key character varying NOT NULL, - value text, - encrypted_value text, - encrypted_value_salt character varying, - encrypted_value_iv character varying, - variable_type smallint DEFAULT 1 NOT NULL, - partition_id bigint NOT NULL, - raw boolean DEFAULT false NOT NULL, - id bigint NOT NULL, - pipeline_id bigint NOT NULL -) -PARTITION BY LIST (partition_id); - CREATE TABLE ci_pipeline_variables ( key character varying NOT NULL, value text, @@ -7970,21 +8315,6 @@ CREATE SEQUENCE ci_sources_projects_id_seq ALTER SEQUENCE ci_sources_projects_id_seq OWNED BY ci_sources_projects.id; -CREATE TABLE p_ci_stages ( - project_id integer, - created_at timestamp without time zone, - updated_at timestamp without time zone, - name character varying, - status integer, - lock_version integer DEFAULT 0, - "position" integer, - id bigint NOT NULL, - partition_id bigint NOT NULL, - pipeline_id bigint, - CONSTRAINT check_81b431e49b CHECK ((lock_version IS NOT NULL)) -) -PARTITION BY LIST (partition_id); - CREATE TABLE ci_stages ( project_id integer, created_at timestamp without time zone, 
@@ -10395,34 +10725,6 @@ CREATE SEQUENCE grafana_integrations_id_seq ALTER SEQUENCE grafana_integrations_id_seq OWNED BY grafana_integrations.id; -CREATE SEQUENCE shared_audit_event_id_seq - START WITH 1 - INCREMENT BY 1 - NO MINVALUE - NO MAXVALUE - CACHE 1; - -CREATE TABLE group_audit_events ( - id bigint DEFAULT nextval('shared_audit_event_id_seq'::regclass) NOT NULL, - created_at timestamp with time zone NOT NULL, - group_id bigint NOT NULL, - author_id bigint NOT NULL, - target_id bigint, - event_name text, - details text, - ip_address inet, - author_name text, - entity_path text, - target_details text, - target_type text, - CONSTRAINT group_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), - CONSTRAINT group_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), - CONSTRAINT group_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), - CONSTRAINT group_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), - CONSTRAINT group_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) -) -PARTITION BY RANGE (created_at); - CREATE TABLE group_crm_settings ( group_id bigint NOT NULL, created_at timestamp with time zone NOT NULL, @@ -10675,14 +10977,6 @@ CREATE SEQUENCE group_wiki_repository_states_id_seq ALTER SEQUENCE group_wiki_repository_states_id_seq OWNED BY group_wiki_repository_states.id; -CREATE TABLE groups_visits ( - id bigint NOT NULL, - entity_id bigint NOT NULL, - user_id bigint NOT NULL, - visited_at timestamp with time zone NOT NULL -) -PARTITION BY RANGE (visited_at); - CREATE SEQUENCE groups_visits_id_seq START WITH 1 INCREMENT BY 1 
@@ -10947,16 +11241,6 @@ CREATE SEQUENCE incident_management_oncall_shifts_id_seq ALTER SEQUENCE incident_management_oncall_shifts_id_seq OWNED BY incident_management_oncall_shifts.id; -CREATE TABLE incident_management_pending_alert_escalations ( - id bigint NOT NULL, - rule_id bigint NOT NULL, - alert_id bigint NOT NULL, - process_at timestamp with time zone NOT NULL, - created_at timestamp with time zone NOT NULL, - updated_at timestamp with time zone NOT NULL -) -PARTITION BY RANGE (process_at); - CREATE SEQUENCE incident_management_pending_alert_escalations_id_seq START WITH 1 INCREMENT BY 1 @@ -10966,16 +11250,6 @@ CREATE SEQUENCE incident_management_pending_alert_escalations_id_seq ALTER SEQUENCE incident_management_pending_alert_escalations_id_seq OWNED BY incident_management_pending_alert_escalations.id; -CREATE TABLE incident_management_pending_issue_escalations ( - id bigint NOT NULL, - rule_id bigint NOT NULL, - issue_id bigint NOT NULL, - process_at timestamp with time zone NOT NULL, - created_at timestamp with time zone NOT NULL, - updated_at timestamp with time zone NOT NULL -) -PARTITION BY RANGE (process_at); - CREATE SEQUENCE incident_management_pending_issue_escalations_id_seq START WITH 1 INCREMENT BY 1 
@@ -11084,26 +11358,6 @@ CREATE SEQUENCE insights_id_seq ALTER SEQUENCE insights_id_seq OWNED BY insights.id; -CREATE TABLE instance_audit_events ( - id bigint DEFAULT nextval('shared_audit_event_id_seq'::regclass) NOT NULL, - created_at timestamp with time zone NOT NULL, - author_id bigint NOT NULL, - target_id bigint, - event_name text, - details text, - ip_address inet, - author_name text, - entity_path text, - target_details text, - target_type text, - CONSTRAINT instance_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), - CONSTRAINT instance_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), - CONSTRAINT instance_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), - CONSTRAINT instance_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), - CONSTRAINT instance_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) -) -PARTITION BY RANGE (created_at); - CREATE TABLE instance_audit_events_streaming_headers ( id bigint NOT NULL, created_at timestamp with time zone NOT NULL, @@ -11878,19 +12132,6 @@ CREATE SEQUENCE lists_id_seq ALTER SEQUENCE lists_id_seq OWNED BY lists.id; -CREATE TABLE loose_foreign_keys_deleted_records ( - id bigint NOT NULL, - partition bigint DEFAULT 1 NOT NULL, - primary_key_value bigint NOT NULL, - status smallint DEFAULT 1 NOT NULL, - created_at timestamp with time zone DEFAULT now() NOT NULL, - fully_qualified_table_name text NOT NULL, - consume_after timestamp with time zone DEFAULT now(), - cleanup_attempts smallint DEFAULT 0, - CONSTRAINT check_1a541f3235 CHECK ((char_length(fully_qualified_table_name) <= 150)) -) -PARTITION BY LIST (partition); - CREATE SEQUENCE loose_foreign_keys_deleted_records_id_seq START WITH 1 INCREMENT BY 1 
@@ -12131,19 +12372,6 @@ CREATE TABLE merge_request_diff_commits ( committer_id bigint ); -CREATE TABLE merge_request_diff_commits_b5377a7a34 ( - authored_date timestamp without time zone, - committed_date timestamp without time zone, - sha bytea NOT NULL, - message text, - trailers jsonb DEFAULT '{}'::jsonb NOT NULL, - commit_author_id bigint, - committer_id bigint, - merge_request_diff_id bigint NOT NULL, - relative_order integer NOT NULL -) -PARTITION BY RANGE (merge_request_diff_id); - CREATE TABLE merge_request_diff_details ( merge_request_diff_id bigint NOT NULL, verification_retry_at timestamp with time zone, @@ -12183,25 +12411,6 @@ CREATE TABLE merge_request_diff_files ( generated boolean ); -CREATE TABLE merge_request_diff_files_99208b8fac ( - new_file boolean NOT NULL, - renamed_file boolean NOT NULL, - deleted_file boolean NOT NULL, - too_large boolean NOT NULL, - a_mode character varying NOT NULL, - b_mode character varying NOT NULL, - new_path text NOT NULL, - old_path text NOT NULL, - diff text, - "binary" boolean, - external_diff_offset integer, - external_diff_size integer, - generated boolean, - merge_request_diff_id bigint NOT NULL, - relative_order integer NOT NULL -) -PARTITION BY RANGE (merge_request_diff_id); - CREATE TABLE merge_request_diffs ( id integer NOT NULL, state character varying, @@ -13490,18 +13699,6 @@ CREATE SEQUENCE organizations_id_seq ALTER SEQUENCE organizations_id_seq OWNED BY organizations.id; -CREATE TABLE p_batched_git_ref_updates_deletions ( - id bigint NOT NULL, - project_id bigint NOT NULL, - partition_id bigint DEFAULT 1 NOT NULL, - created_at timestamp with time zone NOT NULL, - updated_at timestamp with time zone NOT NULL, - status smallint DEFAULT 1 NOT NULL, - ref text NOT NULL, - CONSTRAINT check_f322d53b92 CHECK ((char_length(ref) <= 1024)) -) -PARTITION BY LIST (partition_id); - CREATE SEQUENCE p_batched_git_ref_updates_deletions_id_seq START WITH 1 INCREMENT BY 1 
@@ -13511,16 +13708,6 @@ CREATE SEQUENCE p_batched_git_ref_updates_deletions_id_seq ALTER SEQUENCE p_batched_git_ref_updates_deletions_id_seq OWNED BY p_batched_git_ref_updates_deletions.id; -CREATE TABLE p_catalog_resource_component_usages ( - id bigint NOT NULL, - component_id bigint NOT NULL, - catalog_resource_id bigint NOT NULL, - project_id bigint NOT NULL, - used_by_project_id bigint NOT NULL, - used_date date NOT NULL -) -PARTITION BY RANGE (used_date); - CREATE SEQUENCE p_catalog_resource_component_usages_id_seq START WITH 1 INCREMENT BY 1 @@ -13530,17 +13717,6 @@ CREATE SEQUENCE p_catalog_resource_component_usages_id_seq ALTER SEQUENCE p_catalog_resource_component_usages_id_seq OWNED BY p_catalog_resource_component_usages.id; -CREATE TABLE p_catalog_resource_sync_events ( - id bigint NOT NULL, - catalog_resource_id bigint NOT NULL, - project_id bigint NOT NULL, - partition_id bigint DEFAULT 1 NOT NULL, - status smallint DEFAULT 1 NOT NULL, - created_at timestamp with time zone DEFAULT now() NOT NULL, - updated_at timestamp with time zone DEFAULT now() NOT NULL -) -PARTITION BY LIST (partition_id); - CREATE SEQUENCE p_catalog_resource_sync_events_id_seq START WITH 1 INCREMENT BY 1 
@@ -13550,33 +13726,6 @@ CREATE SEQUENCE p_catalog_resource_sync_events_id_seq ALTER SEQUENCE p_catalog_resource_sync_events_id_seq OWNED BY p_catalog_resource_sync_events.id; -CREATE TABLE p_ci_build_names ( - build_id bigint NOT NULL, - partition_id bigint NOT NULL, - project_id bigint NOT NULL, - name text NOT NULL, - search_vector tsvector GENERATED ALWAYS AS (to_tsvector('english'::regconfig, COALESCE(name, ''::text))) STORED, - CONSTRAINT check_1722c96346 CHECK ((char_length(name) <= 255)) -) -PARTITION BY LIST (partition_id); - -CREATE TABLE p_ci_build_sources ( - build_id bigint NOT NULL, - partition_id bigint NOT NULL, - project_id bigint NOT NULL, - source smallint NOT NULL -) -PARTITION BY LIST (partition_id); - -CREATE TABLE p_ci_builds_execution_configs ( - id bigint NOT NULL, - partition_id bigint NOT NULL, - project_id bigint NOT NULL, - pipeline_id bigint NOT NULL, - run_steps jsonb DEFAULT '{}'::jsonb NOT NULL -) -PARTITION BY LIST (partition_id); - CREATE SEQUENCE p_ci_builds_execution_configs_id_seq START WITH 1 INCREMENT BY 1 @@ -13586,25 +13735,6 @@ CREATE SEQUENCE p_ci_builds_execution_configs_id_seq ALTER SEQUENCE p_ci_builds_execution_configs_id_seq OWNED BY p_ci_builds_execution_configs.id; -CREATE TABLE p_ci_finished_build_ch_sync_events ( - build_id bigint NOT NULL, - partition bigint DEFAULT 1 NOT NULL, - build_finished_at timestamp without time zone NOT NULL, - processed boolean DEFAULT false NOT NULL -) -PARTITION BY LIST (partition); - -CREATE TABLE p_ci_job_annotations ( - id bigint NOT NULL, - partition_id bigint NOT NULL, - job_id bigint NOT NULL, - name text NOT NULL, - data jsonb DEFAULT '[]'::jsonb NOT NULL, - CONSTRAINT check_bac9224e45 CHECK ((char_length(name) <= 255)), - CONSTRAINT data_is_array CHECK ((jsonb_typeof(data) = 'array'::text)) -) -PARTITION BY LIST (partition_id); - CREATE SEQUENCE p_ci_job_annotations_id_seq START WITH 1 INCREMENT BY 1 
@@ -13614,13 +13744,6 @@ CREATE SEQUENCE p_ci_job_annotations_id_seq ALTER SEQUENCE p_ci_job_annotations_id_seq OWNED BY p_ci_job_annotations.id; -CREATE TABLE p_ci_runner_machine_builds ( - partition_id bigint NOT NULL, - build_id bigint NOT NULL, - runner_machine_id bigint NOT NULL -) -PARTITION BY LIST (partition_id); - CREATE TABLE packages_build_infos ( id bigint NOT NULL, package_id integer NOT NULL, @@ -15199,27 +15322,6 @@ CREATE SEQUENCE project_aliases_id_seq ALTER SEQUENCE project_aliases_id_seq OWNED BY project_aliases.id; -CREATE TABLE project_audit_events ( - id bigint DEFAULT nextval('shared_audit_event_id_seq'::regclass) NOT NULL, - created_at timestamp with time zone NOT NULL, - project_id bigint NOT NULL, - author_id bigint NOT NULL, - target_id bigint, - event_name text, - details text, - ip_address inet, - author_name text, - entity_path text, - target_details text, - target_type text, - CONSTRAINT project_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), - CONSTRAINT project_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), - CONSTRAINT project_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), - CONSTRAINT project_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), - CONSTRAINT project_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) -) -PARTITION BY RANGE (created_at); - CREATE TABLE project_authorizations ( user_id integer NOT NULL, project_id integer NOT NULL, @@ -15893,14 +15995,6 @@ CREATE SEQUENCE projects_sync_events_id_seq ALTER SEQUENCE projects_sync_events_id_seq OWNED BY projects_sync_events.id; -CREATE TABLE projects_visits ( - id bigint NOT NULL, - entity_id bigint NOT NULL, - user_id bigint NOT NULL, - visited_at timestamp with time zone NOT NULL -) -PARTITION BY RANGE (visited_at); - CREATE SEQUENCE projects_visits_id_seq START WITH 1 INCREMENT BY 1 
@@ -16981,23 +17075,6 @@ CREATE SEQUENCE search_namespace_index_assignments_id_seq ALTER SEQUENCE search_namespace_index_assignments_id_seq OWNED BY search_namespace_index_assignments.id; -CREATE TABLE security_findings ( - id bigint NOT NULL, - scan_id bigint NOT NULL, - scanner_id bigint NOT NULL, - severity smallint NOT NULL, - confidence smallint, - project_fingerprint text, - deduplicated boolean DEFAULT false NOT NULL, - uuid uuid, - overridden_uuid uuid, - partition_number integer DEFAULT 1 NOT NULL, - finding_data jsonb DEFAULT '{}'::jsonb NOT NULL, - CONSTRAINT check_6c2851a8c9 CHECK ((uuid IS NOT NULL)), - CONSTRAINT check_b9508c6df8 CHECK ((char_length(project_fingerprint) <= 40)) -) -PARTITION BY LIST (partition_number); - CREATE SEQUENCE security_findings_id_seq START WITH 1 INCREMENT BY 1 @@ -18162,27 +18239,6 @@ CREATE SEQUENCE user_agent_details_id_seq ALTER SEQUENCE user_agent_details_id_seq OWNED BY user_agent_details.id; -CREATE TABLE user_audit_events ( - id bigint DEFAULT nextval('shared_audit_event_id_seq'::regclass) NOT NULL, - created_at timestamp with time zone NOT NULL, - user_id bigint NOT NULL, - author_id bigint NOT NULL, - target_id bigint, - event_name text, - details text, - ip_address inet, - author_name text, - entity_path text, - target_details text, - target_type text, - CONSTRAINT user_audit_events_author_name_check CHECK ((char_length(author_name) <= 255)), - CONSTRAINT user_audit_events_entity_path_check CHECK ((char_length(entity_path) <= 5500)), - CONSTRAINT user_audit_events_event_name_check CHECK ((char_length(event_name) <= 255)), - CONSTRAINT user_audit_events_target_details_check CHECK ((char_length(target_details) <= 5500)), - CONSTRAINT user_audit_events_target_type_check CHECK ((char_length(target_type) <= 255)) -) -PARTITION BY RANGE (created_at); - CREATE TABLE user_broadcast_message_dismissals ( id bigint NOT NULL, user_id bigint NOT NULL, 
@@ -18603,15 +18659,6 @@ CREATE TABLE value_stream_dashboard_aggregations ( enabled boolean DEFAULT true NOT NULL ); -CREATE TABLE value_stream_dashboard_counts ( - id bigint NOT NULL, - namespace_id bigint NOT NULL, - count bigint NOT NULL, - recorded_at timestamp with time zone NOT NULL, - metric smallint NOT NULL -) -PARTITION BY RANGE (recorded_at); - CREATE SEQUENCE value_stream_dashboard_counts_id_seq START WITH 1 INCREMENT BY 1 @@ -18621,19 +18668,6 @@ CREATE SEQUENCE value_stream_dashboard_counts_id_seq ALTER SEQUENCE value_stream_dashboard_counts_id_seq OWNED BY value_stream_dashboard_counts.id; -CREATE TABLE verification_codes ( - created_at timestamp with time zone DEFAULT now() NOT NULL, - visitor_id_code text NOT NULL, - code text NOT NULL, - phone text NOT NULL, - CONSTRAINT check_9b84e6aaff CHECK ((char_length(code) <= 8)), - CONSTRAINT check_ccc542256b CHECK ((char_length(visitor_id_code) <= 64)), - CONSTRAINT check_f5684c195b CHECK ((char_length(phone) <= 50)) -) -PARTITION BY RANGE (created_at); - -COMMENT ON TABLE verification_codes IS 'JiHu-specific table'; - CREATE TABLE vs_code_settings ( id bigint NOT NULL, user_id bigint NOT NULL, @@ -19201,24 +19235,6 @@ CREATE SEQUENCE vulnerability_user_mentions_id_seq ALTER SEQUENCE vulnerability_user_mentions_id_seq OWNED BY vulnerability_user_mentions.id; -CREATE TABLE web_hook_logs ( - id bigint NOT NULL, - web_hook_id integer NOT NULL, - trigger character varying, - url character varying, - request_headers text, - request_data text, - response_headers text, - response_body text, - response_status character varying, - execution_duration double precision, - internal_error_message character varying, - updated_at timestamp without time zone NOT NULL, - created_at timestamp without time zone NOT NULL, - url_hash text -) -PARTITION BY RANGE (created_at); - CREATE SEQUENCE web_hook_logs_id_seq START WITH 1 INCREMENT BY 1 
@@ -19801,22 +19817,6 @@ CREATE SEQUENCE zoekt_shards_id_seq ALTER SEQUENCE zoekt_shards_id_seq OWNED BY zoekt_shards.id; -CREATE TABLE zoekt_tasks ( - id bigint NOT NULL, - partition_id bigint DEFAULT 1 NOT NULL, - zoekt_node_id bigint NOT NULL, - zoekt_repository_id bigint NOT NULL, - project_identifier bigint NOT NULL, - perform_at timestamp with time zone DEFAULT now() NOT NULL, - created_at timestamp with time zone NOT NULL, - updated_at timestamp with time zone NOT NULL, - state smallint DEFAULT 0 NOT NULL, - task_type smallint NOT NULL, - retries_left smallint DEFAULT 5 NOT NULL, - CONSTRAINT c_zoekt_tasks_on_retries_left CHECK (((retries_left > 0) OR ((retries_left = 0) AND (state = 255)))) -) -PARTITION BY LIST (partition_id); - CREATE SEQUENCE zoekt_tasks_id_seq START WITH 1 INCREMENT BY 1 diff --git a/doc/user/application_security/api_fuzzing/troubleshooting.md b/doc/user/application_security/api_fuzzing/troubleshooting.md index 77d461ae8c7..ff95690ffe1 100644 --- a/doc/user/application_security/api_fuzzing/troubleshooting.md +++ b/doc/user/application_security/api_fuzzing/troubleshooting.md 
@@ -364,17 +364,72 @@ sudo: If sudo is running in a container, you may need to adjust the container co This issue can be worked around in the following ways: -1. Run the container as the `root` user. This can be done by modifying the CICD configuration: +- Run the container as the `root` user. It's recommended to test this configuration as it may not work in all cases. This can be done by modifying the CICD configuration and checking the job output to make sure that `whoami` returns `root` and not `gitlab`. If `gitlab` is displayed, use another workaround. Once tested the `before_script` can be removed. ```yaml - api_security: + apifuzzer_fuzz: image: name: $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX docker: user: root + before_script: + - whoami ``` -1. Change the GitLab Runner configuration, disabling the no-new-privileges flag. + _Example job console output:_ + + ```log + Executing "step_script" stage of the job script + Using docker image sha256:8b95f188b37d6b342dc740f68557771bb214fe520a5dc78a88c7a9cc6a0f9901 for registry.gitlab.com/security-products/api-security:5 with digest registry.gitlab.com/security-products/api-security@sha256:092909baa2b41db8a7e3584f91b982174772abdfe8ceafc97cf567c3de3179d1 ... + $ whoami + root + $ /peach/analyzer-api-fuzzing + 17:17:14 [INF] API Security: Gitlab API Security + 17:17:14 [INF] API Security: ------------------- + 17:17:14 [INF] API Security: + 17:17:14 [INF] API Security: version: 5.7.0 + ``` + +- Wrap the container and add any dependencies at build time. This option has the benefit of running with lower privileges than root which may be a requirement for some customers. + 1. Create a new `Dockerfile` that wraps the existing image. + + ```yaml + ARG SECURE_ANALYZERS_PREFIX + ARG FUZZAPI_IMAGE + ARG FUZZAPI_VERSION + ARG FUZZAPI_IMAGE_SUFFIX + FROM $SECURE_ANALYZERS_PREFIX/$FUZZAPI_IMAGE:$FUZZAPI_VERSION$FUZZAPI_IMAGE_SUFFIX + USER root + + RUN pip install ... + RUN apk add ... 
+ + USER gitlab + ``` + + 1. Build the new image and push it to your local container registry before the API Fuzzing job starts. The image should be removed after the `` job has been completed. + + ```shell + TARGET_NAME=apifuzz-$CI_COMMIT_SHA + docker build -t $TARGET_IMAGE \ + --build-arg "SECURE_ANALYZERS_PREFIX=$SECURE_ANALYZERS_PREFIX" \ + --build-arg "FUZZAPI_IMAGE=$APISEC_IMAGE" \ + --build-arg "FUZZAPI_VERSION=$APISEC_VERSION" \ + --build-arg "FUZZAPI_IMAGE_SUFFIX=$APISEC_IMAGE_SUFFIX" \ + . + docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY + docker push $TARGET_IMAGE + ``` + + 1. Extend the `apifuzzer_fuzz` job and use the new image name. + + ```yaml + apifuzzer_fuzz: + image: apifuzz-$CI_COMMIT_SHA + ``` + + 1. Remove the temporary container from the registry. See [this documentation page for information on removing container images.](../../packages/container_registry/delete_container_registry_images.md) +- Change the GitLab Runner configuration, disabling the no-new-privileges flag. This could have security implications and should be discussed with your operations and security teams. ## `Index was outside the bounds of the array. at Peach.Web.Runner.Services.RunnerOptions.GetHeaders()` diff --git a/doc/user/application_security/api_security_testing/troubleshooting.md b/doc/user/application_security/api_security_testing/troubleshooting.md index 5ed435835c0..10c2eb26d0c 100644 --- a/doc/user/application_security/api_security_testing/troubleshooting.md +++ b/doc/user/application_security/api_security_testing/troubleshooting.md 
@@ -340,17 +340,72 @@ sudo: If sudo is running in a container, you may need to adjust the container co This issue can be worked around in the following ways: -1. Run the container as the `root` user. This can be done by modifying the CICD configuration: +- Run the container as the `root` user. You should test this configuration as it may not work in all cases. This can be done by modifying the CICD configuration and checking the job output to make sure that `whoami` returns `root` and not `gitlab`. If `gitlab` is displayed, use another workaround. After testing has confirmed the change is successful, the `before_script` can be removed. ```yaml api_security: image: - name: $SECURE_ANALYZERS_PREFIX/$DAST_API_IMAGE:$DAST_API_VERSION$DAST_API_IMAGE_SUFFIX + name: $SECURE_ANALYZERS_PREFIX/$APISEC_IMAGE:$APISEC_VERSION$APISEC_IMAGE_SUFFIX docker: user: root + before_script: + - whoami ``` -1. Change the GitLab Runner configuration, disabling the no-new-privileges flag. + _Example job console output:_ + + ```log + Executing "step_script" stage of the job script + Using docker image sha256:8b95f188b37d6b342dc740f68557771bb214fe520a5dc78a88c7a9cc6a0f9901 for registry.gitlab.com/security-products/api-security:5 with digest registry.gitlab.com/security-products/api-security@sha256:092909baa2b41db8a7e3584f91b982174772abdfe8ceafc97cf567c3de3179d1 ... + $ whoami + root + $ /peach/analyzer-api-security + 17:17:14 [INF] API Security: Gitlab API Security + 17:17:14 [INF] API Security: ------------------- + 17:17:14 [INF] API Security: + 17:17:14 [INF] API Security: version: 5.7.0 + ``` + +- Wrap the container and add any dependencies at build time. This option has the benefit of running with lower privileges than root which may be a requirement for some customers. + 1. Create a new `Dockerfile` that wraps the existing image. 
+ + ```yaml + ARG SECURE_ANALYZERS_PREFIX + ARG APISEC_IMAGE + ARG APISEC_VERSION + ARG APISEC_IMAGE_SUFFIX + FROM $SECURE_ANALYZERS_PREFIX/$APISEC_IMAGE:$APISEC_VERSION$APISEC_IMAGE_SUFFIX + USER root + + RUN pip install ... + RUN apk add ... + + USER gitlab + ``` + + 1. Build the new image and push it to your local container registry before the API Security Testing job starts. The image should be removed after the `api_security` job has been completed. + + ```shell + TARGET_NAME=apisec-$CI_COMMIT_SHA + docker build -t $TARGET_IMAGE \ + --build-arg "SECURE_ANALYZERS_PREFIX=$SECURE_ANALYZERS_PREFIX" \ + --build-arg "APISEC_IMAGE=$APISEC_IMAGE" \ + --build-arg "APISEC_VERSION=$APISEC_VERSION" \ + --build-arg "APISEC_IMAGE_SUFFIX=$APISEC_IMAGE_SUFFIX" \ + . + docker login -u gitlab-ci-token -p $CI_JOB_TOKEN $CI_REGISTRY + docker push $TARGET_IMAGE + ``` + + 1. Extend the `api_security` job and use the new image name. + + ```yaml + api_security: + image: apisec-$CI_COMMIT_SHA + ``` + + 1. Remove the temporary container from the registry. See [this documentation page for information on removing container images.](../../packages/container_registry/delete_container_registry_images.md) +- Change the GitLab Runner configuration, disabling the no-new-privileges flag. This could have security implications and should be discussed with your operations and security teams. ## `Index was outside the bounds of the array. at Peach.Web.Runner.Services.RunnerOptions.GetHeaders()` diff --git a/doc/user/project/merge_requests/approvals/rules.md b/doc/user/project/merge_requests/approvals/rules.md index 164ea99a5c2..565d57d3b56 100644 --- a/doc/user/project/merge_requests/approvals/rules.md +++ b/doc/user/project/merge_requests/approvals/rules.md 
@@ -33,6 +33,8 @@ enforce a [minimum number of required approvers](settings.md) in the project's s Merge requests that target a different project, such as from a fork to the upstream project, use the default approval rules from the target (upstream) project, not the source (fork). +Merge request approvals can be configured globally to apply across all (or a subset) projects with [policies](../../../application_security/policies/index.md). [Merge request approval policies](../../../application_security/policies/scan-result-policies.md) also provide additional flexibility with more granular configuration options. + ## Add an approval rule > - Approval rules for all protected branches introduced in GitLab 15.3. diff --git a/spec/migrations/20240611121818_remove_project_statistics_packages_size_and_project_id_index_spec.rb b/spec/migrations/20240611121818_remove_project_statistics_packages_size_and_project_id_index_spec.rb new file mode 100644 index 00000000000..656aaa825ba --- /dev/null +++ b/spec/migrations/20240611121818_remove_project_statistics_packages_size_and_project_id_index_spec.rb 
@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+require_migration!
+
+RSpec.describe RemoveProjectStatisticsPackagesSizeAndProjectIdIndex, feature_category: :consumables_cost_management do
+ let(:migration) { described_class.new }
+ let(:postgres_async_indexes) { table(:postgres_async_indexes) }
+
+ describe '#up' do
+ subject(:up) { migration.up }
+
+ it 'does nothing when not on gitlab.com' do
+ expect { up }.not_to change { postgres_async_indexes.count }
+ end
+
+ it 'prepares async index removal when on gitlab.com', :saas do
+ expect { up }.to change { postgres_async_indexes.count }.from(0).to(1)
+ end
+ end
+
+ describe '#down' do
+ subject(:down) { migration.down }
+
+ before do
+ postgres_async_indexes.create!(
+ name: 'index_project_statistics_on_packages_size_and_project_id',
+ table_name: 'project_statistics',
+ definition: 'test index'
+ )
+ end
+
+ it 'does nothing when not on gitlab.com' do
+ expect { down }.not_to change { postgres_async_indexes.count }
+ end
+
+ it 'unprepares async index removal when on gitlab.com', :saas do
+ expect { down }.to change { postgres_async_indexes.count }.from(1).to(0)
+ end
+ end
+end
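Review bot: The `:saas` example `expect { up }.to change { postgres_async_indexes.count }.from(0).to(1)` and its `#down` counterpart assert only a row count, so they would pass for any async index record regardless of which index or table it names. Add an attribute check after the `up` expectation, e.g. `expect(postgres_async_indexes.last).to have_attributes(name: 'index_project_statistics_on_packages_size_and_project_id', table_name: 'project_statistics')`, so the spec pins the index the migration actually targets. If the helper records the drop statement in `definition` (not verifiable from this hunk), also asserting that it is a `DROP INDEX` rather than a create would catch a removal/creation mix-up in the migration. The `#down` fixture's `definition: 'test index'` is adequate for a count check, but the same attribute check on the remaining rows would confirm that only the named record is removed.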