Add latest changes from gitlab-org/gitlab@master

GitLab Bot 2024-05-09 21:18:12 +00:00
parent 5b2beecd98
commit 637510720d
55 changed files with 464 additions and 132 deletions


@ -110,7 +110,7 @@ update-storybook-yarn-cache:
- .shared:rules:update-cache
stage: prepare
script:
- yarn_install_script
- yarn_install_script_storybook
retrieve-frontend-fixtures:
variables:
@ -420,7 +420,7 @@ bundle-size-review:
- .frontend-test-base
- .storybook-yarn-cache
script:
- run_timed_command "retry yarn run storybook:install --frozen-lockfile"
- yarn_install_script_storybook
- run_timed_command "yarn run storybook:build"
needs: ["graphql-schema-dump"]
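Review bot: In `bundle-size-review` the explicit `retry yarn run storybook:install --frozen-lockfile` call appears to be replaced by the `yarn_install_script_storybook` helper, and the helper's definition is not visible in this section, so it cannot be confirmed here that the install still runs with `--frozen-lockfile`. Without that flag a CI install may resolve dependency versions that differ from the committed lockfile, which weakens the supply-chain guarantee the old line stated explicitly. Please confirm the helper keeps the flag and say so next to the call, for example `# yarn_install_script_storybook installs with --frozen-lockfile (see helper definition)`. The same applies to the `update-storybook-yarn-cache` job in the first hunk, which populates the cache other jobs reuse.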


@ -200,17 +200,6 @@ Layout/SpaceInLambdaLiteral:
- 'ee/app/serializers/vulnerabilities/feedback_entity.rb'
- 'ee/app/serializers/vulnerabilities/finding_entity.rb'
- 'ee/app/serializers/vulnerability_note_entity.rb'
- 'ee/app/services/analytics/cycle_analytics/consistency_check_service.rb'
- 'ee/app/services/analytics/cycle_analytics/data_loader_service.rb'
- 'ee/app/services/audit_events/export_csv_service.rb'
- 'ee/app/services/ee/ci/register_job_service.rb'
- 'ee/app/services/groups/memberships/export_service.rb'
- 'ee/app/services/groups/seat_usage_export_service.rb'
- 'ee/app/services/historical_user_data/csv_service.rb'
- 'ee/app/services/user_permissions/export_service.rb'
- 'ee/app/services/vulnerability_exports/exporters/csv_service.rb'
- 'ee/app/workers/update_all_mirrors_worker.rb'
- 'ee/lib/api/entities/pending_member.rb'
- 'ee/lib/ee/api/entities/ci/job_request/response.rb'
- 'ee/lib/ee/api/entities/epic.rb'
- 'ee/lib/ee/api/entities/issue.rb'


@ -45,6 +45,6 @@ export default {
</span>
</p>
<p class="gl-mb-0">{{ commit.title }}</p>
<p class="gl-mb-0 gl-break-all">{{ commit.title }}</p>
</div>
</template>


@ -94,13 +94,10 @@ export default {
</script>
<template>
<div class="dropdown">
<div
class="gl-display-flex gl-flex-wrap gl-align-items-center gl-gap-2 js-pipeline-info"
data-testid="pipeline-info"
>
<div class="gl-display-block js-pipeline-info" data-testid="pipeline-info">
<gl-sprintf :message="pipelineInfo">
<template #bold="{ content }">
<span class="gl-display-flex gl-font-weight-bold">{{ content }}</span>
<span class="gl-display-inline-flex gl-font-weight-bold">{{ content }}</span>
</template>
<template #id>
<gl-link
@ -128,7 +125,7 @@ export default {
<template #ref>
<gl-link
:href="pipeline.ref.path"
class="link-commit ref-name"
class="link-commit ref-name gl-break-all"
data-testid="source-ref-link"
>{{ pipeline.ref.name }}</gl-link
><clipboard-button


@ -155,6 +155,7 @@ class Integration < ApplicationRecord
scope :deployment, -> { where(category: 'deployment') }
scope :group_mention_hooks, -> { where(group_mention_events: true, active: true) }
scope :group_confidential_mention_hooks, -> { where(group_confidential_mention_events: true, active: true) }
scope :exclusions_for_project, ->(project) { where(project: project, active: false) }
class << self
private
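Review bot: The new `exclusions_for_project` scope identifies an exclusion only by `project` and `active: false`, so any inactive project-level row of that integration type matches, not just rows created as exclusions. `Integrations::Exclusions::DestroyService` in this commit destroys or bulk-overwrites whatever the scope returns, so a row deactivated for some other reason would presumably be treated as an exclusion. If that is the intended definition, state it above the scope, for example `# An exclusion is any inactive project-level integration; callers may destroy or overwrite these rows`. The name is also singular although the caller passes a collection, so `exclusions_for_projects` would read more accurately. The `Integration` class continues outside this hunk.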


@ -0,0 +1,32 @@
# frozen_string_literal: true
module Integrations
module Exclusions
class BaseService
def initialize(current_user:, integration_name:, projects:)
@user = current_user
@integration_name = integration_name
@projects = projects
end
def execute
return ServiceResponse.error(message: 'not authorized') unless allowed?
return ServiceResponse.error(message: 'not instance specific') unless instance_specific_integration?
yield
end
private
attr_reader :user, :integration_name, :projects
def allowed?
user.can?(:admin_all_resources)
end
def instance_specific_integration?
Integration::INSTANCE_SPECIFIC_INTEGRATION_NAMES.include?(integration_name)
end
end
end
end
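Review bot: `allowed?` calls `user.can?(:admin_all_resources)` directly, so a nil `current_user` raises `NoMethodError` instead of returning the `'not authorized'` error response; `user&.can?(:admin_all_resources)` would fail closed through the normal path. The admin check also protects the subclasses only because their `execute` goes through `super`, while `create_exclusions` and `destroy_exclusions` perform no check of their own. That contract deserves a class-level comment such as `# Subclasses must wrap their work in super { ... } so the authorization and instance-specific checks run first`. `execute` also yields unconditionally, so calling it on `BaseService` without a block raises `LocalJumpError`.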


@ -0,0 +1,32 @@
# frozen_string_literal: true
module Integrations
module Exclusions
class CreateService < BaseService
def execute
super do
break ServiceResponse.success(payload: []) unless projects.present?
create_exclusions
end
end
private
def create_exclusions
integration_type = Integration.integration_name_to_type(integration_name)
integration_attrs = projects.map do |project|
{
project_id: project.id,
type_new: integration_type,
active: false,
inherit_from_id: nil
}
end
result = Integration.upsert_all(integration_attrs, unique_by: [:project_id, :type_new])
ServiceResponse.success(payload: Integration.id_in(result.rows.flatten))
end
end
end
end
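Review bot: `create_exclusions` writes with `Integration.upsert_all(..., unique_by: [:project_id, :type_new])`, which on conflict overwrites the listed columns of an existing project row and bypasses model validations and callbacks. A project that already has a row of this type is therefore switched to `active: false` and `inherit_from_id: nil`, while every column not listed in `integration_attrs` keeps its previous value, as far as the visible lines show. If overwriting existing rows is intended, document it above the call, for example `# Deliberately overwrites existing project rows; upsert_all skips validations and callbacks`. Nothing in the visible code records which administrator created the exclusion, so consider whether this instance-wide admin action should emit an audit event.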


@ -0,0 +1,29 @@
# frozen_string_literal: true
module Integrations
module Exclusions
class DestroyService < BaseService
def execute
super do
destroy_exclusions
end
end
private
def destroy_exclusions
integration_class = Integration.integration_name_to_model(integration_name)
exclusions = integration_class.exclusions_for_project(projects)
return ServiceResponse.success(payload: []) unless exclusions.present?
instance_integration = integration_class.for_instance.first
return ServiceResponse.success(payload: exclusions.destroy_all) unless instance_integration # rubocop: disable Cop/DestroyAll -- We load exclusions so we can have the deleted exclusions in the response
::Integrations::Propagation::BulkUpdateService.new(instance_integration, exclusions).execute
ServiceResponse.success(payload: exclusions)
end
end
end
end
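Review bot: `destroy_exclusions` returns three different payload shapes: an empty array, the array from `destroy_all`, and the `exclusions` relation after `BulkUpdateService` has run. In the last case `exclusions.present?` has already loaded the relation, so the records in the payload presumably still carry their pre-update attributes (`active: false`) and do not reflect what the bulk update wrote. A caller that logs or audits the payload would then see stale state. A short doc comment on the method should spell out what the payload contains on each path, or the payload could be normalised with `exclusions.to_a` so that every path returns an array.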


@ -1,7 +1,9 @@
.search-result-row
%h4
= link_to project_milestone_path(milestone.project, milestone), data: {track_action: 'click_text', track_label: 'milestone_title', track_property: 'search_result'} do
%span.term.str-truncated= simple_search_highlight_and_truncate(milestone.title, @search_term)
= link_to project_milestone_path(milestone.project, milestone), class: 'gl-font-bold gl-text-black-normal', data: {track_action: 'click_text', track_label: 'milestone_title', track_property: 'search_result'} do
%span.term.str-truncated= simple_search_highlight_and_truncate(milestone.title, @search_term)
- if milestone.project_milestone?
.gl-mt-2= gl_badge_tag milestone.project.full_name, { variant: :muted }, { class: 'gl-white-space-normal gl-text-left' }
- if milestone.description.present?
.description.term


@ -3,11 +3,12 @@
- noteable_identifier = note.noteable.try(:iid) || note.noteable.try(:id)
.search-result-row
%h5.note-search-caption.gl-max-w-full
%span.gl-display-inline-block.gl-text-truncate.search-max-w-inherit.gl-align-bottom
= sprite_icon('comment', css_class: 'gl-vertical-align-text-bottom')
= link_to_member(project, note.author, avatar: false)
= _("commented on %{link_to_project}").html_safe % { link_to_project: link_to(project.full_name, project) }
.note-search-caption.gl-max-w-full
.gl-font-sm.gl-text-secondary.gl-float-right= time_ago_with_tooltip(note.created_at, placement: 'bottom', html_class: 'note-created-ago')
.gl-display-inline-block.gl-text-truncate.search-max-w-inherit.gl-align-bottom
.gl-font-bold= link_to_member(project, note.author, avatar: true, extra_class: 'gl-text-black-normal')
.gl-text-secondary
= _("Commented on %{link_to_project}").html_safe % { link_to_project: link_to(project.full_name, project) }
&middot;
- if note.for_commit?
@ -20,11 +21,6 @@
&middot;
= link_to note.noteable.title, note_url, data: {track_action: 'click_text', track_label: 'noteable_title', track_property: 'search_result'}
%span.note-headline-light.note-headline-meta
%span.system-note-separator
&middot;
%span.system-note-separator= time_ago_with_tooltip(note.created_at, placement: 'bottom', html_class: 'note-created-ago')
.note-search-result
.term
= simple_search_highlight_and_truncate(note.note, @search_term)
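Review bot: The rewritten caption still calls `.html_safe` on the translated string before interpolating, in `_("Commented on %{link_to_project}").html_safe % { ... }`. This marks whatever the translation catalogue supplies for that key as trusted HTML, so markup in a translation would be rendered unescaped. Since the line is being touched anyway, prefer the escaping formatter, for example `= safe_format(_("Commented on %{link_to_project}"), link_to_project: link_to(project.full_name, project))`, assuming that helper is available in this view. The interpolated `link_to` result is already a safe buffer, so the rendered output should not change for well-formed translations.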


@ -1,9 +0,0 @@
---
name: native_header_anchors
feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/440733
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144690
rollout_issue_url:
milestone: '17.0'
group: group::project management
type: gitlab_com_derisk
default_enabled: false


@ -0,0 +1,18 @@
# frozen_string_literal: true
class DropIndexCiPipelineConfigOnPipelineId < Gitlab::Database::Migration[2.2]
milestone '17.1'
disable_ddl_transaction!
TABLE_NAME = :ci_pipelines_config
INDEX_NAME = :index_ci_pipelines_config_on_pipeline_id
def up
remove_concurrent_index_by_name(TABLE_NAME, INDEX_NAME)
end
def down
add_concurrent_index(TABLE_NAME, :pipeline_id, name: INDEX_NAME)
end
end


@ -0,0 +1 @@
198cd0c7bf89e14cd2c0cdbf1f4680184f35f9df5844df5470f6bc4873b3a616


@ -24874,8 +24874,6 @@ CREATE INDEX index_ci_pipeline_schedules_on_owner_id_and_id_and_active ON ci_pip
CREATE INDEX index_ci_pipeline_schedules_on_project_id ON ci_pipeline_schedules USING btree (project_id);
CREATE INDEX index_ci_pipelines_config_on_pipeline_id ON ci_pipelines_config USING btree (pipeline_id);
CREATE INDEX index_ci_pipelines_for_ondemand_dast_scans ON ci_pipelines USING btree (id) WHERE (source = 13);
CREATE INDEX index_ci_pipelines_on_auto_canceled_by_id ON ci_pipelines USING btree (auto_canceled_by_id);


@ -187,7 +187,7 @@ The microservice project setup can be improved by [Multi-Project Deployment Pipe
- Environments can be created within the application projects. It gives more visibility of environments for developers.
- Deployment Project can be managed under Operator group. More segregation of duties.
- Users don't need to set up [RBAC to restrict CI/CD jobs](../../../user/clusters/agent/ci_cd_workflow.md#restrict-project-and-group-access-by-using-impersonation).
- This is especitially helpful for [dynamic environments](../../../ci/environments/index.md#create-a-dynamic-environment), such as Review Apps.
- This is especially helpful for [dynamic environments](../../../ci/environments/index.md#create-a-dynamic-environment) like review apps.
```mermaid
flowchart LR


@ -244,9 +244,9 @@ NOTE:
ECS deploy jobs wait for the rollout to complete before exiting. To disable this behavior,
set `CI_AWS_ECS_WAIT_FOR_ROLLOUT_COMPLETE_DISABLED` to a non-empty value.
## Set up Review Apps
## Set up review apps
To use [Review Apps](../../../development/testing_guide/review_apps.md) with ECS:
To use [review apps](../../../development/testing_guide/review_apps.md) with ECS:
1. Set up a new [service](#create-an-ecs-service).
1. Use the `CI_AWS_ECS_SERVICE` variable to set the name.


@ -401,7 +401,7 @@ For example:
#### Go from source files to public pages
With GitLab [Route Maps](../review_apps/index.md#route-maps), you can go directly
from source files to public pages in the environment set for Review Apps.
from source files to public pages in the environment set for review apps.
### Stopping an environment
@ -784,7 +784,9 @@ problematic deployment, they can roll back to a previous stable version.
GitLab Auto Rollback eases this workflow by automatically triggering a rollback when a
[critical alert](../../operations/incident_management/alerts.md)
is detected. GitLab selects and redeploys the most recent successful deployment.
is detected.
For GitLab to select the appropriate environment for the rollback, the alert should contain a `gitlab_environment_name` key with the name of the environment.
GitLab selects and redeploys the most recent successful deployment.
Limitations of GitLab Auto Rollback:
@ -946,7 +948,7 @@ See [Deployment-only access to protected environments](protected_environments.md
- [Dashboard for Kubernetes](kubernetes_dashboard.md)
- [Downstream pipelines for deployments](../pipelines/downstream_pipelines.md#downstream-pipelines-for-deployments)
- [Deploy to multiple environments with GitLab CI/CD (blog post)](https://about.gitlab.com/blog/2021/02/05/ci-deployment-and-environments/)
- [Review Apps](../review_apps/index.md)
- [Review apps](../review_apps/index.md)
- [Protected environments](protected_environments.md)
- [Environments Dashboard](../environments/environments_dashboard.md)
- [Deployment safety](deployment_safety.md#restrict-write-access-to-a-critical-environment)
@ -1048,7 +1050,7 @@ To fix this, use one of the following solutions:
- Ensure the variable exists in the pipeline. Review the
[limitation on supported variables](../variables/where_variables_can_be_used.md#gitlab-ciyml-file).
#### If you get this error on Review Apps
#### If you get this error on review apps
For example, if you have the following in your `.gitlab-ci.yml`:


@ -15,7 +15,7 @@ DETAILS:
**Tier:** Free, Premium, Ultimate
**Offering:** GitLab.com, Self-managed, GitLab Dedicated
[Review Apps](../../review_apps/index.md) are great: for every merge request
[Review apps](../../review_apps/index.md) are great: for every merge request
(or branch, for that matter), the new code can be copied and deployed to a fresh production-like live
environment, reducing the effort to assess the impact of changes. Thus, when we use a dependency manager like
[Dependencies.io](https://www.dependencies.io/), it can submit a merge request with an updated dependency,
@ -35,7 +35,7 @@ to write such end-to-end tests, and how to set up GitLab CI/CD to automatically
against your new code, on a branch-by-branch basis. For the scope of this article, we will walk you
through the process of setting up GitLab CI/CD for end-to-end testing JavaScript-based applications
with WebdriverIO, but the general strategy should carry over to other languages.
We assume you are familiar with GitLab, [GitLab CI/CD](../../index.md), [Review Apps](../../review_apps/index.md), and running your app locally, for example, on `localhost:8000`.
We assume you are familiar with GitLab, [GitLab CI/CD](../../index.md), [review apps](../../review_apps/index.md), and running your app locally, for example, on `localhost:8000`.
## What to test


@ -17,7 +17,7 @@ Examples are available in several forms. As a collection of:
- `.gitlab-ci.yml` [template files](#cicd-templates) maintained in GitLab, for many
common frameworks and programming languages.
- Repositories with [example projects](https://gitlab.com/gitlab-examples) for various languages. You can fork and adjust them to your own needs. Projects include an example of using [Review Apps with a static site served by NGINX](https://gitlab.com/gitlab-examples/review-apps-nginx/).
- Repositories with [example projects](https://gitlab.com/gitlab-examples) for various languages. You can fork and adjust them to your own needs. Projects include an example of using [review apps with a static site served by NGINX](https://gitlab.com/gitlab-examples/review-apps-nginx/).
- Examples and [other resources](#other-resources) listed below.
## CI/CD examples
@ -160,7 +160,7 @@ For examples of others who have implemented GitLab CI/CD, see:
- [GitBot - automating boring Git operations with CI](https://about.gitlab.com/blog/2017/11/02/automating-boring-git-operations-gitlab-ci/)
- [How to use GitLab CI for Vue.js](https://about.gitlab.com/blog/2017/09/12/vuejs-app-gitlab/)
- Video: [GitLab CI/CD Deep Dive](https://youtu.be/pBe4t1CD8Fc?t=195)
- [Dockerizing GitLab Review Apps](https://about.gitlab.com/blog/2017/07/11/dockerizing-review-apps/)
- [Dockerizing GitLab review apps](https://about.gitlab.com/blog/2017/07/11/dockerizing-review-apps/)
- [Fast and natural continuous integration with GitLab CI](https://about.gitlab.com/blog/2017/05/22/fast-and-natural-continuous-integration-with-gitlab-ci/)
- [Demo: CI/CD with GitLab in action](https://about.gitlab.com/blog/2017/03/13/ci-cd-demo/)


@ -132,7 +132,7 @@ browser_performance:
The `Total Score` metric is based on sitespeed.io's [coach performance score](https://www.sitespeed.io/documentation/sitespeed.io/metrics/#performance-score). There is more information in [the coach documentation](https://www.sitespeed.io/documentation/coach/how-to/#what-do-the-coach-do).
### Performance testing on Review Apps
### Performance testing on review apps
The above CI YAML configuration is great for testing against static environments, and it can
be extended for dynamic environments, but a few extra steps are required:


@ -147,7 +147,7 @@ summary values from the test.
If [GitLab Pages](../../user/project/pages/index.md) is enabled, you can view the report directly in your browser.
### Load Performance testing in Review Apps
### Load Performance testing in review apps
The CI/CD YAML configuration example above works for testing against static environments,
but it can be extended to work with [review apps](../review_apps/index.md) or


@ -2385,7 +2385,7 @@ for inclusion in URLs. If the `deploy as review app` job runs in a branch named
`pow`, this environment would be accessible with a URL like `https://review-pow.example.com/`.
The common use case is to create dynamic environments for branches and use them
as Review Apps. You can see an example that uses Review Apps at
as review apps. You can see an example that uses review apps at
<https://gitlab.com/gitlab-examples/review-apps-nginx/>.
### `extends`


@ -60,7 +60,7 @@ The following GitLab features are used among others:
- [Manual jobs](../../ci/jobs/job_control.md#create-a-job-that-must-be-run-manually)
- [Multi project pipelines](../../ci/pipelines/downstream_pipelines.md#multi-project-pipelines)
- [Review Apps](../../ci/review_apps/index.md)
- [Review apps](../../ci/review_apps/index.md)
- [Artifacts](../../ci/yaml/index.md#artifacts)
- [Merge request pipelines](../../ci/pipelines/merge_request_pipelines.md)


@ -243,7 +243,7 @@ When this label is assigned, the following steps of the CI/CD pipeline are skipp
- The `e2e:package-and-test` job.
- The `rspec:undercoverage` job.
- The entire [Review Apps process](../testing_guide/review_apps.md).
- The entire [review apps process](../testing_guide/review_apps.md).
Apply the label to the merge request, and run a new pipeline for the MR.
@ -283,7 +283,7 @@ the specific list of rules.
If you want to force a Review App to be deployed regardless of your changes, you can add the
`pipeline:run-review-app` label to the merge request.
Consult the [Review Apps](../testing_guide/review_apps.md) dedicated page for more information.
Consult the [review apps](../testing_guide/review_apps.md) dedicated page for more information.
### As-if-FOSS jobs and cross project downstream pipeline


@ -106,7 +106,7 @@ The current stages are:
- `post-test`: This stage includes jobs that build reports or gather data from
the `test` stage's jobs (for example, coverage, Knapsack metadata, and so on).
- `review`: This stage includes jobs that build the CNG images, deploy them, and
run end-to-end tests against Review Apps (see [Review Apps](../testing_guide/review_apps.md) for details).
run end-to-end tests against review apps (see [review apps](../testing_guide/review_apps.md) for details).
It also includes Docs Review App jobs.
- `qa`: This stage includes jobs that perform QA tasks against the Review App
that is deployed in stage `review`.


@ -138,7 +138,7 @@ ee:my-new-job:
## `e2e:test-on-gdk`
The `e2e:test-on-gdk` child pipeline supports development of the GitLab platform by providing feedback to engineers on
end-to-end test execution faster than via `e2e:package-and-test` or [Review Apps](../review_apps.md).
end-to-end test execution faster than via `e2e:package-and-test` or [review apps](../review_apps.md).
This is achieved by running tests against the [GitLab Development Kit](https://gitlab.com/gitlab-org/gitlab-development-kit) (GDK),
which can be built and installed in less time than when testing against [Omnibus GitLab](https://gitlab.com/gitlab-org/omnibus-gitlab).


@ -353,7 +353,7 @@ To use an external managed provider:
1. Disable the built-in PostgreSQL installation for the required environments with
environment-scoped [CI/CD variables](../../ci/environments/index.md#limit-the-environment-scope-of-a-cicd-variable).
Because the built-in PostgreSQL setup for Review Apps and staging is sufficient, you might only need to
Because the built-in PostgreSQL setup for review apps and staging is sufficient, you might only need to
disable the installation for `production`.
![Auto Metrics](img/disable_postgres.png)


@ -15,7 +15,7 @@ that work together to support your software delivery process.
Auto DevOps detects your programming language and uses [CI/CD templates](https://gitlab.com/gitlab-org/gitlab/-/tree/master/lib/gitlab/ci/templates)
to create and run default pipelines to build and test your application. Then, you can [configure deployments](requirements.md) to deploy your apps to staging
and production, and set up [Review Apps](stages.md#auto-review-apps)
and production, and set up [review apps](stages.md#auto-review-apps)
to preview your changes per branch.
You can use default settings to quickly ship your apps, and iterate and [customize](customize.md) later.


@ -47,7 +47,7 @@ NOTE:
| Cluster name | Cluster environment scope | `KUBE_INGRESS_BASE_DOMAIN` value | `KUBE CONTEXT` value | Variable environment scope | Notes |
| :------------| :-------------------------| :------------------------------- | :--------------------------------- | :--------------------------|:--|
| review | `review/*` | `review.example.com` | `path/to/project:review-agent` | `review/*` | A review cluster that runs all [Review Apps](../../ci/review_apps/index.md).|
| review | `review/*` | `review.example.com` | `path/to/project:review-agent` | `review/*` | A review cluster that runs all [review apps](../../ci/review_apps/index.md).|
| staging | `staging` | `staging.example.com` | `path/to/project:staging-agent` | `staging` | Optional. A staging cluster that runs the deployments of the staging environments. You must [enable it first](cicd_variables.md#deploy-policy-for-staging-and-production-environments). |
| production | `production` | `example.com` | `path/to/project:production-agent` | `production` | A production cluster that runs the production environment deployments. You can use [incremental rollouts](cicd_variables.md#incremental-rollout-to-production). |


@ -225,7 +225,7 @@ This is an optional step, since many projects don't have a Kubernetes cluster
available. If the [requirements](requirements.md) are not met, the job is
silently skipped.
[Review Apps](../../ci/review_apps/index.md) are temporary application environments based on the
[Review apps](../../ci/review_apps/index.md) are temporary application environments based on the
branch's code so developers, designers, QA, product managers, and other
reviewers can actually see and interact with code changes as part of the review
process. Auto Review Apps create a Review App for each branch.


@ -17,7 +17,7 @@ release features incrementally.
- [Environments and deployments](../ci/environments/index.md)
- [Releases](../user/project/releases/index.md)
- [Packages and registries](../user/packages/index.md)
- [Review Apps](../ci/review_apps/index.md)
- [Review apps](../ci/review_apps/index.md)
- [Feature flags](../operations/feature_flags.md)
- [GitLab Pages](../user/project/pages/index.md)


@ -50,13 +50,13 @@ API Fuzzing requires a deployed application to be available to scan.
Depending on the complexity of the target application, there are a few options as to how to deploy and configure
the API Fuzzing template.
### Review Apps
### Review apps
Review Apps are the most involved method of deploying your API Fuzzing target application. To assist in the process,
Review apps are the most involved method of deploying your API Fuzzing target application. To assist in the process,
we created a Review App deployment using Google Kubernetes Engine (GKE). This example can be found in our
[Review Apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
[Review apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
instructions in the [README.md](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke/-/blob/master/README.md)
on how to configure Review Apps for DAST.
on how to configure review apps for DAST.
### Docker Services


@ -50,13 +50,13 @@ API security testing requires a deployed application to be available to scan.
Depending on the complexity of the target application, there are a few options as to how to deploy and configure
the API security testing template.
### Review Apps
### Review apps
Review Apps are the most involved method of deploying your DAST target application. To assist in the process,
Review apps are the most involved method of deploying your DAST target application. To assist in the process,
we created a Review App deployment using Google Kubernetes Engine (GKE). This example can be found in our
[Review Apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
[Review apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
instructions in the [README.md](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke/-/blob/master/README.md)
on how to configure Review Apps for DAST.
on how to configure review apps for DAST.
### Docker Services


@ -42,13 +42,13 @@ Depending on the complexity of the target application, there are a few options a
the DAST template. A set of example applications have been provided with their configurations in the
[DAST demonstrations](https://gitlab.com/gitlab-org/security-products/demos/dast/) project.
### Review Apps
### Review apps
Review Apps are the most involved method of deploying your DAST target application. To assist in the process,
Review apps are the most involved method of deploying your DAST target application. To assist in the process,
we created a Review App deployment using Google Kubernetes Engine (GKE). This example can be found in our
[Review Apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
[Review apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
instructions in the [README.md](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke/-/blob/master/README.md)
on how to configure Review Apps for DAST.
on how to configure review apps for DAST.
### Docker Services


@ -142,13 +142,13 @@ Depending on the complexity of the target application, there are a few options a
the DAST template. A set of example applications have been provided with their configurations in the
[DAST demonstrations](https://gitlab.com/gitlab-org/security-products/demos/dast/) project.
#### Review Apps
#### Review apps
Review Apps are the most involved method of deploying your DAST target application. To assist in the process,
Review apps are the most involved method of deploying your DAST target application. To assist in the process,
we created a Review App deployment using Google Kubernetes Engine (GKE). This example can be found in our
[Review Apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
[Review apps - GKE](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke) project, along with detailed
instructions in the [README.md](https://gitlab.com/gitlab-org/security-products/demos/dast/review-app-gke/-/blob/master/README.md)
on how to configure Review Apps for DAST.
on how to configure review apps for DAST.
#### Docker Services


@ -35,7 +35,7 @@ The analyzer uses the [Software Security Project Zed Attack Proxy](https://www.z
actively attack your application.
- Passive and active (or full) scan. DAST can be [configured](#full-scan) to also perform an active scan
to attack your application and produce a more extensive security report. It can be very
useful when combined with [Review Apps](../../../ci/review_apps/index.md).
useful when combined with [review apps](../../../ci/review_apps/index.md).
## Templates


@ -56,7 +56,7 @@ After you've gotten familiar with how scanning works, you can then choose to:
1. Use [Compliance Pipelines](../group/compliance_pipelines.md)
or [Scan Execution Policies](policies/scan-execution-policies.md) to enforce required scan types
and ensure separation of duties between security and engineering.
1. Consider enabling [Review Apps](../../development/testing_guide/review_apps.md) to allow for DAST
1. Consider enabling [review apps](../../development/testing_guide/review_apps.md) to allow for DAST
and [Web API fuzzing](api_fuzzing/index.md) on ephemeral test environments.
1. Enable [operational container scanning](../../user/clusters/agent/vulnerabilities.md) to scan
container images in your production cluster for security vulnerabilities.


@ -90,13 +90,14 @@ To filter the list of vulnerabilities:
1. On the left sidebar, select **Search or go to** and find your project.
1. Select **Secure > Vulnerability report**.
1. Optional. To remove the default filters, select **Clear** (**{clear}**) in the filter field.
1. Select the filter field.
1. Optional. To remove the default filters, select **Clear** (**{clear}**).
1. Above the list of vulnerabilities, select the filter bar.
1. In the dropdown list that appears, select an attribute you want to filter by, then select the
values from the dropdown list.
1. Select outside the filter field. The vulnerability severity totals and list of matching
vulnerabilities are updated.
1. To filter by multiple attributes, repeat the three previous steps.
1. To filter by multiple attributes, repeat the three previous steps. Multiple attributes are joined
by a logical AND.
### Tool filter


@ -163,7 +163,7 @@ The following table lists project permissions available for each role:
| [Projects](project/index.md):<br>Create, edit, delete [milestones](project/milestones/index.md). | | ✓ | ✓ | ✓ | ✓ | |
| [Projects](project/index.md):<br>Create, edit, delete [releases](project/releases/index.md) | | | ✓ | ✓ | ✓ | If the [tag is protected](project/protected_tags.md), this depends on the access given to Developers and Maintainers. |
| [Projects](project/index.md):<br>Create, edit [wiki](project/wiki/index.md) pages | | | ✓ | ✓ | ✓ | |
| [Projects](project/index.md):<br>Enable [Review Apps](../ci/review_apps/index.md) | | | ✓ | ✓ | ✓ | |
| [Projects](project/index.md):<br>Enable [review apps](../ci/review_apps/index.md) | | | ✓ | ✓ | ✓ | |
| [Projects](project/index.md):<br>View project [Audit Events](../administration/audit_event_reports.md) | | | ✓ | ✓ | ✓ | Users can only view events based on their individual actions. |
| [Projects](project/index.md):<br>Add [deploy keys](project/deploy_keys/index.md) | | | | ✓ | ✓ | |
| [Projects](project/index.md):<br>Add new [team members](project/members/index.md) | | | | ✓ | ✓ | |


@ -279,7 +279,7 @@ For a web developer writing a webpage for your company's website:
1. You check out a new branch and submit a new page through a merge request.
1. You gather feedback from your reviewers.
1. You preview your changes with [Review Apps](../../../ci/review_apps/index.md).
1. You preview your changes with [review apps](../../../ci/review_apps/index.md).
1. You request your web designers for their implementation.
1. You request the [approval](approvals/index.md) from your manager.
1. Once approved, your merge request is [squashed and merged](squash_and_merge.md), and [deployed to staging with GitLab Pages](https://about.gitlab.com/blog/2021/02/05/ci-deployment-and-environments/).


@ -54,18 +54,18 @@ For more information, [read about pipelines](../../../ci/pipelines/index.md).
Set a merge request that looks ready to merge to
[merge automatically when CI pipeline succeeds](merge_when_pipeline_succeeds.md).
## Live preview with Review Apps
## Live preview with review apps
If you configured [Review Apps](../../../ci/review_apps/index.md) for your project,
If you configured [review apps](../../../ci/review_apps/index.md) for your project,
you can preview the changes submitted to a feature branch through a merge request
on a per-branch basis. You don't need to check out the branch, install, and preview locally.
All your changes are available to preview by anyone with the Review Apps link.
All your changes are available to preview by anyone with the review apps link.
With GitLab [Route Maps](../../../ci/review_apps/index.md#route-maps) set, the
merge request widget takes you directly to the pages changed, making it easier and
faster to preview proposed modifications.
[Read more about Review Apps](../../../ci/review_apps/index.md).
[Read more about review apps](../../../ci/review_apps/index.md).
## License compliance


@ -46,7 +46,7 @@ module Banzai
end
def headers_disabled?
context[:no_header_anchors] || Feature.disabled?(:native_header_anchors)
context[:no_header_anchors]
end
end
end


@ -30,7 +30,7 @@ module Banzai
XPATH = Gitlab::Utils::Nokogiri.css_to_xpath(CSS).freeze
def call
return doc if MarkdownFilter.glfm_markdown?(context) && Feature.enabled?(:native_header_anchors)
return doc if MarkdownFilter.glfm_markdown?(context)
return doc if context[:no_header_anchors]
result[:toc] = +""


@ -44,7 +44,7 @@ module Banzai
# Replace an entire `[TOC]` node
def process_toc_tag(node)
build_toc if Feature.enabled?(:native_header_anchors)
build_toc
# we still need to go one step up to also replace the surrounding <p></p>
node.parent.replace(result[:toc].presence || '')


@ -10,7 +10,6 @@ module Gitlab
def initialize(integration_check)
@changes_access = integration_check.changes_access
@integration = ::Integrations::BeyondIdentity.for_instance.first
end
def validate!
@ -40,8 +39,6 @@ module Gitlab
private
attr_reader :integration
def skip_validation?
return true unless integration&.activated?
return true if updated_from_web?
@ -71,6 +68,11 @@ module Gitlab
rescue ::Gitlab::BeyondIdentity::Client::ApiError => _
false
end
def integration
project.beyond_identity_integration || ::Integrations::BeyondIdentity.for_instance.first
end
strong_memoize_attr :integration
end
end
end
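Review bot: The new `integration` method lets a project-level record take precedence over the instance one, and `skip_validation?` returns true whenever that record is not activated, so any inactive project-level Beyond Identity row switches the signature check off for pushes to that project. That makes the write path for project-level rows part of this check's trust boundary. The hunks do not show whether such a row can be created or deactivated anywhere other than the admin-gated exclusion services, so that is worth confirming before relying on it. I would also document the precedence on the method, for example `# A project-level record, including an exclusion (an inactive record), overrides the instance integration.`. `project` is not defined in the visible lines and the class body continues outside the hunks.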


@ -12771,6 +12771,9 @@ msgstr ""
msgid "Comment/Reply (quoting selected text)"
msgstr ""
msgid "Commented on %{link_to_project}"
msgstr ""
msgid "Commenting on files that are only moved or renamed is not supported"
msgstr ""
@ -61014,9 +61017,6 @@ msgstr ""
msgid "commented"
msgstr ""
msgid "commented on %{link_to_project}"
msgstr ""
msgid "commit"
msgid_plural "commits"
msgstr[0] ""


@ -122,9 +122,15 @@ function yarn_install_script() {
retry yarn install --frozen-lockfile
section_end "yarn-install"
}
function yarn_install_script_storybook() {
section_start "yarn-install-storybook" "Installing Yarn packages for Storybook"
retry yarn storybook:install --frozen-lockfile
section_end "yarn-install"
section_end "yarn-install-storybook"
}
function assets_compile_script() {


@ -0,0 +1,95 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe "Adding and removing exclusions to Beyond Identity integration", :sidekiq_inline, feature_category: :integrations do
let_it_be_with_reload(:project) { create(:project, :in_subgroup) }
let_it_be(:admin_user) { create :admin }
def create_exclusion
Integrations::Exclusions::CreateService.new(
current_user: admin_user,
integration_name: 'beyond_identity',
projects: [project]
).execute
end
def destroy_exclusion
Integrations::Exclusions::DestroyService.new(
current_user: admin_user,
integration_name: 'beyond_identity',
projects: [project]
).execute
end
context 'when the integration is active for the instance', :enable_admin_mode do
let(:instance_integration) { create :beyond_identity_integration }
before do
::Integrations::PropagateService.new(instance_integration).execute
end
it { expect(project.reload.beyond_identity_integration).to be_activated }
context 'when the integration is deactivated' do
before do
instance_integration.update!(active: false)
::Integrations::PropagateService.new(instance_integration).execute
end
it { expect(project.reload.beyond_identity_integration).not_to be_activated }
end
context 'and the project is excluded from the integration' do
before do
create_exclusion
end
it { expect(project.reload.beyond_identity_integration).not_to be_activated }
context 'and the exclusion is removed again' do
before do
destroy_exclusion
end
it { expect(project.reload.beyond_identity_integration).to be_activated }
context 'and the exclusion is added again' do
before do
create_exclusion
end
it { expect(project.reload.beyond_identity_integration).not_to be_activated }
end
end
end
end
context 'when the instance integration has not been activated', :enable_admin_mode do
context 'and an exclusion is created' do
before do
create_exclusion
end
it { expect(project.reload.beyond_identity_integration).not_to be_activated }
context 'and the integration is activated for the instance' do
let(:instance_integration) { create :beyond_identity_integration }
before do
::Integrations::PropagateService.new(instance_integration).execute
end
it { expect(project.reload.beyond_identity_integration).not_to be_activated }
end
context 'and the exclusion is deleted' do
before do
destroy_exclusion
end
it { expect(project.reload.beyond_identity_integration).to be_nil }
end
end
end
end
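Review bot: The `create_exclusion` and `destroy_exclusion` helpers discard the value returned by `execute`, so a service call that comes back as an error is never noticed at the point where it happens. The `be_nil` example under 'and the exclusion is deleted' would then pass even if neither the create nor the destroy call did anything. Assuming the services return the response object that the service specs on this page assert on, ending each helper with `.execute.tap { |response| expect(response).to be_success }` would make the setup fail loudly. The one-line `it { ... }` examples would also read better in failure output with a description string.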


@ -29,19 +29,4 @@ RSpec.describe Banzai::Filter::MarkdownEngines::GlfmMarkdown, feature_category:
expect(engine.render('# hi')).to eq expected
end
context 'when feature flag is disabled' do
before do
stub_feature_flags(native_header_anchors: false)
end
it 'turns off header anchors' do
engine = described_class.new({ no_sourcepos: true })
expected = <<~TEXT
<h1>hi</h1>
TEXT
expect(engine.render('# hi')).to eq expected
end
end
end


@ -13,13 +13,7 @@ RSpec.describe Banzai::Filter::TableOfContentsLegacyFilter, feature_category: :t
"<h#{level}>#{text}</h#{level}>\n"
end
before do
stub_feature_flags(native_header_anchors: false)
end
# TODO: enable when feature flag is removed
# let_it_be(:context) { { markdown_engine: Banzai::Filter::MarkdownFilter::CMARK_ENGINE } }
let_it_be(:context) { {} }
let_it_be(:context) { { markdown_engine: Banzai::Filter::MarkdownFilter::CMARK_ENGINE } }
it 'does nothing when :no_header_anchors is truthy' do
exp = act = header(1, 'Header')


@ -4,16 +4,34 @@ require 'spec_helper'
RSpec.describe Gitlab::Checks::Integrations::BeyondIdentityCheck, feature_category: :source_code_management do
include_context 'changes access checks context'
let!(:beyond_identity_integration) { create(:beyond_identity_integration) }
let(:integration_check) { Gitlab::Checks::IntegrationsCheck.new(changes_access) }
let!(:beyond_identity_integration) { create(:beyond_identity_integration) }
subject(:check) { described_class.new(integration_check) }
describe '#validate!' do
shared_examples_for 'exclusion from the check' do
context 'when the project is excluded from the check' do
let!(:integration_exclusion) do
create(:beyond_identity_integration, active: false, project: project, inherit_from_id: nil, instance: false)
end
it 'does not raise an error' do
expect { check.validate! }.not_to raise_error
end
context 'and the integration is not activated' do
let(:beyond_identity_integration) { nil }
it 'does not raise an error' do
expect { check.validate! }.not_to raise_error
end
end
end
end
context 'when commit without GPG signature' do
let_it_be(:project) { create(:project, :repository) }
let_it_be_with_reload(:project) { create(:project, :repository) }
let_it_be(:oldrev) { '1e292f8fedd741b75372e19097c76d327140c312' }
let_it_be(:newrev) { '7b5160f9bb23a3d58a0accdbe89da13b96b1ece9' }
@ -27,6 +45,8 @@ RSpec.describe Gitlab::Checks::Integrations::BeyondIdentityCheck, feature_catego
.to raise_error(::Gitlab::GitAccess::ForbiddenError, 'Commit is not signed with a GPG signature')
end
it_behaves_like 'exclusion from the check'
context 'when the push happens from web' do
let(:protocol) { 'web' }
@ -56,7 +76,7 @@ RSpec.describe Gitlab::Checks::Integrations::BeyondIdentityCheck, feature_catego
end
context 'when a commit with GPG signature' do
let_it_be(:project) { create(:project, :repository) }
let_it_be_with_reload(:project) { create(:project, :repository) }
let_it_be(:oldrev) { 'ddd0f15ae83993f5cb66a927a28673882e99100b' }
let_it_be(:newrev) { 'f0a5ed60d24c98ec6d00ac010c1f3f01ee0a8373' }
let!(:gpg_key) { create :gpg_key, externally_verified: true }
@ -66,6 +86,8 @@ RSpec.describe Gitlab::Checks::Integrations::BeyondIdentityCheck, feature_catego
project.repository.delete_branch('trailers')
end
it_behaves_like 'exclusion from the check'
context 'and the signature is unverified' do
it 'is rejected' do
expect { check.validate! }
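Review bot: The shared examples 'exclusion from the check' only cover an exclusion recorded for the project being pushed to; nothing in the visible hunks asserts that an exclusion for a different project leaves this project's check enforced. Because the check now resolves the integration per project, a scoping regression there would silently turn signature enforcement off, so I would add a negative case next to the `it_behaves_like` line in the 'when commit without GPG signature' context. The surrounding contexts start and end outside the hunks, so the placement below is approximate.

```ruby
    it_behaves_like 'exclusion from the check'

    # … unchanged: existing examples of 'when commit without GPG signature' …

    context 'when only a different project is excluded from the check' do
      let_it_be(:other_project) { create(:project) }

      let!(:other_exclusion) do
        create(:beyond_identity_integration, active: false, project: other_project, inherit_from_id: nil, instance: false)
      end

      it 'still rejects the unsigned commit' do
        expect { check.validate! }
          .to raise_error(::Gitlab::GitAccess::ForbiddenError, 'Commit is not signed with a GPG signature')
      end
    end
```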


@ -0,0 +1,18 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe ::Integrations::Exclusions::BaseService, feature_category: :integrations do
let(:integration_name) { 'beyond_identity' }
let_it_be(:admin_user) { create(:admin) }
let_it_be(:user) { create(:user) }
let(:current_user) { admin_user }
let_it_be(:project) { create(:project) }
let(:service) do
described_class.new(current_user: current_user, integration_name: integration_name, projects: [project])
end
subject(:execute) { service.execute }
it_behaves_like 'exclusions base service'
end


@ -0,0 +1,60 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Integrations::Exclusions::CreateService, feature_category: :integrations do
let(:integration_name) { 'beyond_identity' }
let_it_be(:admin_user) { create(:admin) }
let_it_be(:user) { create(:user) }
let(:current_user) { admin_user }
let_it_be(:project) { create(:project) }
let(:projects) { [project] }
let(:service) do
described_class.new(current_user: current_user, integration_name: integration_name, projects: projects)
end
describe '#execute', :enable_admin_mode do
subject(:execute) { service.execute }
it_behaves_like 'exclusions base service'
context 'when there are existing custom settings' do
let!(:existing_integration) do
create(:beyond_identity_integration)
end
let!(:existing_integration2) do
create(
:beyond_identity_integration,
active: true,
project: project,
instance: false,
inherit_from_id: existing_integration.id
)
end
it 'updates those custom settings' do
execute
existing_integration2.reload
expect(existing_integration2.active).to be_falsey
expect(existing_integration2.inherit_from_id).to be_nil
end
end
it 'creates custom settings' do
expect { execute }.to change { Integration.count }.from(0).to(1)
created_integrations = execute.payload
expect(created_integrations.first.active).to be_falsey
expect(created_integrations.first.inherit_from_id).to be_nil
end
context 'when there are no projects passed' do
let(:projects) { [] }
it 'returns success response' do
expect(execute).to be_success
expect(execute.payload).to eq([])
end
end
end
end
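Review bot: `be_falsey` in the two `.active` expectations ('updates those custom settings' and 'creates custom settings') also passes for `nil`, so these examples do not pin the value an exclusion is actually stored with. Since the push check treats a non-activated project record as "skip validation", I would assert the exact value: `expect(existing_integration2.active).to be(false)` and `expect(created_integrations.first.active).to be(false)`. A more descriptive name than `existing_integration2`, such as `project_integration`, would also make the setup easier to follow.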


@ -0,0 +1,40 @@
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Integrations::Exclusions::DestroyService, feature_category: :integrations do
let(:integration_name) { 'beyond_identity' }
let_it_be(:admin_user) { create(:admin) }
let_it_be(:user) { create(:user) }
let(:current_user) { admin_user }
let_it_be(:project) { create(:project) }
let(:service) do
described_class.new(current_user: current_user, integration_name: integration_name, projects: [project])
end
describe '#execute', :enable_admin_mode do
subject(:execute) { service.execute }
it_behaves_like 'exclusions base service'
context 'when there are existing custom settings' do
let!(:exclusion) do
create(:beyond_identity_integration, active: false, project: project, instance: false, inherit_from_id: nil)
end
it 'deletes the exclusions' do
expect { execute }.to change { Integration.count }.from(1).to(0)
expect(execute.payload).to contain_exactly(exclusion)
end
context 'and the integration is active for the instance' do
let!(:instance_integration) { create(:beyond_identity_integration) }
it 'updates the exclusion integration to be active' do
expect { execute }.to change { exclusion.reload.active }.from(false).to(true)
expect(exclusion.inherit_from_id).to eq(instance_integration.id)
end
end
end
end
end


@ -0,0 +1,21 @@
# frozen_string_literal: true
RSpec.shared_examples 'exclusions base service' do
context 'when the integration is not instance specific', :enable_admin_mode do
let(:integration_name) { 'mock_ci' }
it 'returns an error response' do
expect(execute).to be_error
expect(execute.message).to eq('not instance specific')
end
end
context 'when the user is not authorized', :enable_admin_mode do
let(:current_user) { user }
it 'returns an error response' do
expect(execute).to be_error
expect(execute.message).to eq('not authorized')
end
end
end
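Review bot: The 'when the user is not authorized' example checks only the response (`be_error` and the message), not that the call left the database untouched. A service that wrote or deleted a record before returning 'not authorized' would still pass, which matters here because these records decide whether the push check runs. Adding `expect { execute }.not_to change { Integration.count }` as the first line of that example would cover it, and the same line fits the 'not instance specific' example.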