From 60f47851873878d09acff3ecee72834ecaa8bd56 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Fri, 2 Sep 2022 03:12:05 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- app/models/project.rb | 6 +--- app/models/users/ghost_user_migration.rb | 12 ++++++++ ...variable_for_group_gitlab_deploy_token.yml | 8 ------ .../15-4-non-expiring-access-tokens.yml | 17 +++++++++++ db/docs/ghost_user_migrations.yml | 9 ++++++ ...0726171440_create_ghost_user_migrations.rb | 12 ++++++++ ...50_add_user_fk_to_ghost_user_migrations.rb | 15 ++++++++++ db/schema_migrations/20220726171440 | 1 + db/schema_migrations/20220726171450 | 1 + db/structure.sql | 28 +++++++++++++++++++ doc/api/groups.md | 12 ++++++-- doc/update/deprecations.md | 24 ++++++++++++++++ doc/user/clusters/agent/install/index.md | 4 +-- doc/user/project/deploy_tokens/index.md | 3 +- lib/gitlab/database/gitlab_schemas.yml | 1 + qa/qa/page/base.rb | 2 ++ spec/db/schema_spec.rb | 1 + spec/factories/users/ghost_user_migrations.rb | 9 ++++++ spec/models/ci/build_spec.rb | 11 -------- spec/models/project_spec.rb | 16 ----------- .../models/users/ghost_user_migration_spec.rb | 14 ++++++++++ 21 files changed, 160 insertions(+), 46 deletions(-) create mode 100644 app/models/users/ghost_user_migration.rb delete mode 100644 config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml create mode 100644 data/deprecations/15-4-non-expiring-access-tokens.yml create mode 100644 db/docs/ghost_user_migrations.yml create mode 100644 db/migrate/20220726171440_create_ghost_user_migrations.rb create mode 100644 db/migrate/20220726171450_add_user_fk_to_ghost_user_migrations.rb create mode 100644 db/schema_migrations/20220726171440 create mode 100644 db/schema_migrations/20220726171450 create mode 100644 spec/factories/users/ghost_user_migrations.rb create mode 100644 spec/models/users/ghost_user_migration_spec.rb 
diff --git a/app/models/project.rb b/app/models/project.rb index 3053055bd77..eb2231e8910 100644 --- a/app/models/project.rb +++ b/app/models/project.rb @@ -2610,11 +2610,7 @@ class Project < ApplicationRecord def gitlab_deploy_token strong_memoize(:gitlab_deploy_token) do - if Feature.enabled?(:ci_variable_for_group_gitlab_deploy_token, self) - deploy_tokens.gitlab_deploy_token || group&.gitlab_deploy_token - else - deploy_tokens.gitlab_deploy_token - end + deploy_tokens.gitlab_deploy_token || group&.gitlab_deploy_token end end diff --git a/app/models/users/ghost_user_migration.rb b/app/models/users/ghost_user_migration.rb new file mode 100644 index 00000000000..1d93498e88b --- /dev/null +++ b/app/models/users/ghost_user_migration.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +module Users + class GhostUserMigration < ApplicationRecord + self.table_name = 'ghost_user_migrations' + + belongs_to :user + belongs_to :initiator_user, class_name: 'User' + + validates :user_id, presence: true + end +end diff --git a/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml b/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml deleted file mode 100644 index 155a6c385fc..00000000000 --- a/config/feature_flags/development/ci_variable_for_group_gitlab_deploy_token.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: ci_variable_for_group_gitlab_deploy_token -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88696 -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/363621 -milestone: '15.1' -type: development -group: group::pipeline authoring -default_enabled: true diff --git a/data/deprecations/15-4-non-expiring-access-tokens.yml b/data/deprecations/15-4-non-expiring-access-tokens.yml new file mode 100644 index 00000000000..8363e2e8818 --- /dev/null +++ b/data/deprecations/15-4-non-expiring-access-tokens.yml 
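Review bot: In app/models/project.rb, `gitlab_deploy_token` now always falls back to `group&.gitlab_deploy_token`, and nothing on the method documents that behaviour or its credential scope. Judging by the specs removed from spec/models/ci/build_spec.rb in this commit, the returned token is what populates `CI_DEPLOY_USER` and `CI_DEPLOY_PASSWORD`, so a project without its own token receives its group's credential in its jobs. With the flag gone there is no switch to turn this off, so I would add a comment above the method such as `# Project-level token wins; otherwise the group's gitlab-deploy-token is returned and exposed to this project's CI jobs.` The enclosing `Project` class starts and ends outside the hunk.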
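Review bot: In app/models/users/ghost_user_migration.rb the model validates only the presence of `user_id`, while the create-table migration in this commit puts a unique index on that column. A second record for the same user would therefore surface as a database error (`ActiveRecord::RecordNotUnique`) rather than a validation failure. If callers are expected to handle duplicates gracefully, consider `validates :user_id, presence: true, uniqueness: true`, with a matching example in spec/models/users/ghost_user_migration_spec.rb. `belongs_to :initiator_user` also deserves a short comment saying the column is nullable, because whether the association is treated as required depends on application configuration that is not visible here.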
@@ -0,0 +1,17 @@
+- name: "Non-expiring access tokens"
+ announcement_milestone: "15.4"
+ announcement_date: "2022-09-22"
+ removal_milestone: "16.0"
+ removal_date: "2022-05-22"
+ breaking_change: true
+ reporter: hsutor
+ body: | # Do not modify this line, instead modify the lines below.
+ Currently, you can create access tokens that have no expiration date. These access tokens are valid indefinitely, which presents a security risk if the access token is
+ divulged. Because expiring access tokens are better, from GitLab 15.3 we [populate a default expiration date](https://gitlab.com/gitlab-org/gitlab/-/issues/348660).
+
+ In GitLab 16.0, any personal, project, or group access token that does not have an expiration date will automatically have an expiration date set at one year.
+
+ We recommend giving your tokens an expiration date in line with your company's security policies before the default is applied in GitLab 16.0.
+ stage: Manage
+ tiers: [Free, Premium, Ultimate]
+ issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/369122
diff --git a/db/docs/ghost_user_migrations.yml b/db/docs/ghost_user_migrations.yml
new file mode 100644
index 00000000000..f4e69e71baa
--- /dev/null
+++ b/db/docs/ghost_user_migrations.yml
@@ -0,0 +1,9 @@
+---
+table_name: ghost_user_migrations
+classes:
+- GhostUserMigration
+feature_categories:
+- users
+description: Users records awaiting for their associated records to be migrated to ghost user
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/95473
+milestone: '15.4'
diff --git a/db/migrate/20220726171440_create_ghost_user_migrations.rb b/db/migrate/20220726171440_create_ghost_user_migrations.rb
new file mode 100644
index 00000000000..c64ca4f7765
--- /dev/null
+++ b/db/migrate/20220726171440_create_ghost_user_migrations.rb
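Review bot: In data/deprecations/15-4-non-expiring-access-tokens.yml, `removal_date: "2022-05-22"` is earlier than `announcement_date: "2022-09-22"`, so the entry states that the removal happens before it is announced. The year looks like a typo; presumably the intended value is `removal_date: "2023-05-22"` to match the 16.0 milestone, which should be confirmed against the release schedule. The same date is rendered in doc/update/deprecations.md as `Planned removal: GitLab 16.0 (2022-05-22)` and would need regenerating. This entry tells operators when non-expiring tokens get a forced expiry, so a wrong date directly affects token rotation planning.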
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+class CreateGhostUserMigrations < Gitlab::Database::Migration[2.0]
+ def change
+ create_table :ghost_user_migrations do |t|
+ t.bigint :user_id, index: { unique: true }, null: false
+ t.bigint :initiator_user_id
+ t.timestamps_with_timezone null: false
+ t.boolean :hard_delete, default: false, null: false
+ end
+ end
+end
diff --git a/db/migrate/20220726171450_add_user_fk_to_ghost_user_migrations.rb b/db/migrate/20220726171450_add_user_fk_to_ghost_user_migrations.rb
new file mode 100644
index 00000000000..5904d132d1b
--- /dev/null
+++ b/db/migrate/20220726171450_add_user_fk_to_ghost_user_migrations.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class AddUserFkToGhostUserMigrations < Gitlab::Database::Migration[2.0]
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_foreign_key :ghost_user_migrations, :users, column: :user_id, on_delete: :cascade
+ end
+
+ def down
+ with_lock_retries do
+ remove_foreign_key :ghost_user_migrations, column: :user_id
+ end
+ end
+end
diff --git a/db/schema_migrations/20220726171440 b/db/schema_migrations/20220726171440
new file mode 100644
index 00000000000..3bd56cb8346
--- /dev/null
+++ b/db/schema_migrations/20220726171440
@@ -0,0 +1 @@
+5fce175152ab9c954b35d612800b381634248fe0c02b5dfc06c4650b8df9e787
\ No newline at end of file
diff --git a/db/schema_migrations/20220726171450 b/db/schema_migrations/20220726171450
new file mode 100644
index 00000000000..76a5597f9fe
--- /dev/null
+++ b/db/schema_migrations/20220726171450
@@ -0,0 +1 @@
+86d469a9dc2d22451728d310bd2b830c5cdb69033bdf6b5fe30d45c6c6b8ae4b
\ No newline at end of file
diff --git a/db/structure.sql b/db/structure.sql
index 9a2b9805046..03bacc37988 100644
--- a/db/structure.sql
+++ b/db/structure.sql
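Review bot: In db/migrate/20220726171440_create_ghost_user_migrations.rb, `t.bigint :initiator_user_id` is created with no index and no foreign key, and the follow-up migration adds a constraint only for `user_id`. The new `ghost_user_migrations: %w[initiator_user_id]` entry in spec/db/schema_spec.rb appears to exempt the column from the foreign-key check, but nothing in the migration says why. This column records who requested an operation that may be a `hard_delete`, so an id left dangling after the initiator's account is removed makes the request harder to attribute afterwards. I would either add the constraint in the second migration with `add_concurrent_foreign_key :ghost_user_migrations, :users, column: :initiator_user_id, on_delete: :nullify`, or document the decision next to the column with a comment such as `# No FK on initiator_user_id: <reason>`.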
@@ -15741,6 +15741,24 @@ CREATE SEQUENCE geo_reset_checksum_events_id_seq ALTER SEQUENCE geo_reset_checksum_events_id_seq OWNED BY geo_reset_checksum_events.id; +CREATE TABLE ghost_user_migrations ( + id bigint NOT NULL, + user_id bigint NOT NULL, + initiator_user_id bigint, + created_at timestamp with time zone NOT NULL, + updated_at timestamp with time zone NOT NULL, + hard_delete boolean DEFAULT false NOT NULL +); + +CREATE SEQUENCE ghost_user_migrations_id_seq + START WITH 1 + INCREMENT BY 1 + NO MINVALUE + NO MAXVALUE + CACHE 1; + +ALTER SEQUENCE ghost_user_migrations_id_seq OWNED BY ghost_user_migrations.id; + CREATE TABLE gitlab_subscription_histories ( id bigint NOT NULL, gitlab_subscription_created_at timestamp with time zone, @@ -23470,6 +23488,8 @@ ALTER TABLE ONLY geo_repository_updated_events ALTER COLUMN id SET DEFAULT nextv ALTER TABLE ONLY geo_reset_checksum_events ALTER COLUMN id SET DEFAULT nextval('geo_reset_checksum_events_id_seq'::regclass); +ALTER TABLE ONLY ghost_user_migrations ALTER COLUMN id SET DEFAULT nextval('ghost_user_migrations_id_seq'::regclass); + ALTER TABLE ONLY gitlab_subscription_histories ALTER COLUMN id SET DEFAULT nextval('gitlab_subscription_histories_id_seq'::regclass); ALTER TABLE ONLY gitlab_subscriptions ALTER COLUMN id SET DEFAULT nextval('gitlab_subscriptions_id_seq'::regclass); @@ -25367,6 +25387,9 @@ ALTER TABLE ONLY geo_repository_updated_events ALTER TABLE ONLY geo_reset_checksum_events ADD CONSTRAINT geo_reset_checksum_events_pkey PRIMARY KEY (id); +ALTER TABLE ONLY ghost_user_migrations + ADD CONSTRAINT ghost_user_migrations_pkey PRIMARY KEY (id); + ALTER TABLE ONLY gitlab_subscription_histories ADD CONSTRAINT gitlab_subscription_histories_pkey PRIMARY KEY (id); 
@@ -28687,6 +28710,8 @@ CREATE INDEX index_geo_repository_updated_events_on_source ON geo_repository_upd CREATE INDEX index_geo_reset_checksum_events_on_project_id ON geo_reset_checksum_events USING btree (project_id); +CREATE UNIQUE INDEX index_ghost_user_migrations_on_user_id ON ghost_user_migrations USING btree (user_id); + CREATE INDEX index_gin_ci_namespace_mirrors_on_traversal_ids ON ci_namespace_mirrors USING gin (traversal_ids); CREATE INDEX index_gin_ci_pending_builds_on_namespace_traversal_ids ON ci_pending_builds USING gin (namespace_traversal_ids); @@ -32223,6 +32248,9 @@ ALTER TABLE ONLY boards ALTER TABLE ONLY epics ADD CONSTRAINT fk_1fbed67632 FOREIGN KEY (start_date_sourcing_milestone_id) REFERENCES milestones(id) ON DELETE SET NULL; +ALTER TABLE ONLY ghost_user_migrations + ADD CONSTRAINT fk_202e642a2f FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; + ALTER TABLE ONLY coverage_fuzzing_corpuses ADD CONSTRAINT fk_204d40056a FOREIGN KEY (project_id) REFERENCES projects(id) ON DELETE CASCADE; diff --git a/doc/api/groups.md b/doc/api/groups.md index b5e6fb15204..8d3b016e8fa 100644 --- a/doc/api/groups.md +++ b/doc/api/groups.md 
@@ -1111,12 +1111,16 @@ curl --request PUT --header "PRIVATE-TOKEN: " "https://gitlab ## Remove group +> - Immediately deleting subgroups was [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/360008) in GitLab 15.3 [with a flag](../administration/feature_flags.md) named `immediate_delete_subgroup_api`. Disabled by default. +> - Immediately deleting subgroups was [enabled on GitLab.com and self-managed](https://gitlab.com/gitlab-org/gitlab/-/issues/368276) in GitLab 15.4. + Only available to group owners and administrators. This endpoint either: - Removes group, and queues a background job to delete all projects in the group as well. - Since [GitLab 12.8](https://gitlab.com/gitlab-org/gitlab/-/issues/33257), on [Premium](https://about.gitlab.com/pricing/) or higher tiers, marks a group for deletion. The deletion happens 7 days later by default, but this can be changed in the [instance settings](../user/admin_area/settings/visibility_and_access_controls.md#deletion-protection). +- Deletes a subgroup immediately if the subgroup is marked for deletion (GitLab 15.4 and later). The endpoint does not immediately delete top-level groups. ```plaintext DELETE /groups/:id 
@@ -1124,9 +1128,11 @@ DELETE /groups/:id Parameters: -| Attribute | Type | Required | Description | -| --------------- | -------------- | -------- | ----------- | -| `id` | integer/string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) | +| Attribute | Type | Required | Description | +|----------------------|------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `id` | integer/string | yes | The ID or [URL-encoded path of the group](index.md#namespaced-path-encoding) | +| `permanently_remove` **(PREMIUM)** | boolean/string | no | Immediately deletes a subgroup if it is marked for deletion. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/368276) in GitLab 15.4 | +| `full_path` **(PREMIUM)** | string | no | Full path of subgroup to use with `permanently_remove`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/368276) in GitLab 15.4. To find the subgroup path, see the [group details](groups.md#details-of-a-group) | The response is `202 Accepted` if the user has authorization. diff --git a/doc/update/deprecations.md b/doc/update/deprecations.md index 378ea7d5d87..505b247cbd7 100644 --- a/doc/update/deprecations.md +++ b/doc/update/deprecations.md @@ -45,6 +45,30 @@ sole discretion of GitLab Inc.
+## Announced in 15.4 + +
+ +### Non-expiring access tokens + +Planned removal: GitLab 16.0 (2022-05-22) + +WARNING: +This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/). +Review the details carefully before upgrading. + +Currently, you can create access tokens that have no expiration date. These access tokens are valid indefinitely, which presents a security risk if the access token is +divulged. Because expiring access tokens are better, from GitLab 15.3 we [populate a default expiration date](https://gitlab.com/gitlab-org/gitlab/-/issues/348660). + +In GitLab 16.0, any personal, project, or group access token that does not have an expiration date will automatically have an expiration date set at one year. + +We recommend giving your tokens an expiration date in line with your company's security policies before the default is applied in GitLab 16.0. + +
+
+ +
+ ## Announced in 15.3
diff --git a/doc/user/clusters/agent/install/index.md b/doc/user/clusters/agent/install/index.md index 4b0d8b77493..e826544261c 100644 --- a/doc/user/clusters/agent/install/index.md +++ b/doc/user/clusters/agent/install/index.md @@ -40,7 +40,7 @@ To install the agent in your cluster: > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) in GitLab 13.7, the agent configuration file can be added to multiple directories (or subdirectories) of the repository. > - Group authorization was [introduced](https://gitlab.com/groups/gitlab-org/-/epics/5784) in GitLab 14.3. -The agent uses a YAML file for configuration settings. You must create this file if: +For configuration settings, the agent uses a YAML file in the GitLab project. You must create this file if: - You use [a GitOps workflow](../gitops.md#gitops-workflow-steps). - You use [a GitLab CI/CD workflow](../ci_cd_workflow.md#gitlab-cicd-workflow-steps) and want to authorize a different project to use the agent. @@ -56,7 +56,7 @@ To create an agent configuration file: - Start with an alphanumeric character. - End with an alphanumeric character. -1. In the repository, create a directory in this location: +1. In the repository, in the default branch, create this directory at the root: ```plaintext .gitlab/agents/ diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md index 595f5e541b7..84d504a994a 100644 --- a/doc/user/project/deploy_tokens/index.md +++ b/doc/user/project/deploy_tokens/index.md 
@@ -190,7 +190,8 @@ To pull images from the Dependency Proxy, you must: ### GitLab deploy token -> Support for `gitlab-deploy-token` at the group level [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214014) in GitLab 15.1 [with a flag](../../../administration/feature_flags.md) named `ci_variable_for_group_gitlab_deploy_token`. Enabled by default. +> - Support for `gitlab-deploy-token` at the group level [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/214014) in GitLab 15.1 [with a flag](../../../administration/feature_flags.md) named `ci_variable_for_group_gitlab_deploy_token`. Enabled by default. +> - [Feature flag `ci_variable_for_group_gitlab_deploy_token`](https://gitlab.com/gitlab-org/gitlab/-/issues/363621) removed in GitLab 15.4. There's a special case when it comes to deploy tokens. If a user creates one named `gitlab-deploy-token`, the username and token of the deploy token is diff --git a/lib/gitlab/database/gitlab_schemas.yml b/lib/gitlab/database/gitlab_schemas.yml index bc53e3da441..93fe5871a9b 100644 --- a/lib/gitlab/database/gitlab_schemas.yml +++ b/lib/gitlab/database/gitlab_schemas.yml @@ -228,6 +228,7 @@ geo_repository_deleted_events: :gitlab_main geo_repository_renamed_events: :gitlab_main geo_repository_updated_events: :gitlab_main geo_reset_checksum_events: :gitlab_main +ghost_user_migrations: :gitlab_main gitlab_subscription_histories: :gitlab_main gitlab_subscriptions: :gitlab_main gpg_keys: :gitlab_main diff --git a/qa/qa/page/base.rb b/qa/qa/page/base.rb index d7e0101ff2c..03f753b1d61 100644 --- a/qa/qa/page/base.rb +++ b/qa/qa/page/base.rb @@ -500,3 +500,5 @@ module QA end end end + +QA::Page::Base.prepend_mod_with('Page::Base', namespace: QA) diff --git a/spec/db/schema_spec.rb b/spec/db/schema_spec.rb index bd13f86034a..4092f639eae 100644 --- a/spec/db/schema_spec.rb +++ b/spec/db/schema_spec.rb 
@@ -50,6 +50,7 @@ RSpec.describe 'Database schema' do geo_node_statuses: %w[last_event_id cursor_last_event_id], geo_nodes: %w[oauth_application_id], geo_repository_deleted_events: %w[project_id], + ghost_user_migrations: %w[initiator_user_id], gitlab_subscription_histories: %w[gitlab_subscription_id hosted_plan_id namespace_id], identities: %w[user_id], import_failures: %w[project_id], diff --git a/spec/factories/users/ghost_user_migrations.rb b/spec/factories/users/ghost_user_migrations.rb new file mode 100644 index 00000000000..0fe7cded4f3 --- /dev/null +++ b/spec/factories/users/ghost_user_migrations.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +FactoryBot.define do + factory :ghost_user_migration, class: 'Users::GhostUserMigration' do + association :user + initiator_user { association(:user) } + hard_delete { false } + end +end diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb index 64cb547a048..e5b6e88f399 100644 --- a/spec/models/ci/build_spec.rb +++ b/spec/models/ci/build_spec.rb @@ -3607,17 +3607,6 @@ RSpec.describe Ci::Build do it 'includes deploy token variables' do is_expected.to include(*deploy_token_variables) end - - context 'when the FF ci_variable_for_group_gitlab_deploy_token is disabled' do - before do - stub_feature_flags(ci_variable_for_group_gitlab_deploy_token: false) - end - - it 'does not include deploy token variables' do - expect(subject.find { |v| v[:key] == 'CI_DEPLOY_USER' }).to be_nil - expect(subject.find { |v| v[:key] == 'CI_DEPLOY_PASSWORD' }).to be_nil - end - end end end end diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb index a1a38e012c6..77abb7c4dae 100644 --- a/spec/models/project_spec.rb +++ b/spec/models/project_spec.rb 
@@ -6157,14 +6157,6 @@ RSpec.describe Project, factory_default: :keep do let!(:deploy_token) { create(:deploy_token, :gitlab_deploy_token, :group, groups: [group]) } it { is_expected.to eq(deploy_token) } - - context 'when the FF ci_variable_for_group_gitlab_deploy_token is disabled' do - before do - stub_feature_flags(ci_variable_for_group_gitlab_deploy_token: false) - end - - it { is_expected.to be_nil } - end end context 'when the project and its group has a gitlab deploy token associated' do @@ -6174,14 +6166,6 @@ RSpec.describe Project, factory_default: :keep do let!(:group_deploy_token) { create(:deploy_token, :gitlab_deploy_token, :group, groups: [group]) } it { is_expected.to eq(project_deploy_token) } - - context 'when the FF ci_variable_for_group_gitlab_deploy_token is disabled' do - before do - stub_feature_flags(ci_variable_for_group_gitlab_deploy_token: false) - end - - it { is_expected.to eq(project_deploy_token) } - end end end diff --git a/spec/models/users/ghost_user_migration_spec.rb b/spec/models/users/ghost_user_migration_spec.rb new file mode 100644 index 00000000000..d4a0657c3be --- /dev/null +++ b/spec/models/users/ghost_user_migration_spec.rb @@ -0,0 +1,14 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Users::GhostUserMigration do + describe 'associations' do + it { is_expected.to belong_to(:user) } + it { is_expected.to belong_to(:initiator_user) } + end + + describe 'validation' do + it { is_expected.to validate_presence_of(:user_id) } + end +end