From 83315ad1b32b92f96cbf57bbaf623c782f5b08da Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 4 Jul 2023 03:09:16 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- app/models/merge_request.rb | 4 + doc/administration/auth/oidc.md | 81 ++++++++++++- doc/ci/environments/deployment_approvals.md | 6 +- .../dast/browser_based.md | 69 +++++++++++ locale/gitlab.pot | 3 - .../maven/gradle/build.gradle.erb | 51 ++++++++ .../maven/gradle/build_install.gradle.erb | 27 ----- .../maven/gradle/build_upload.gradle.erb | 27 ----- .../gradle/gradle_install_package.yaml.erb | 8 -- .../gradle_upload_install_package.yaml.erb | 23 ++++ .../gradle/gradle_upload_package.yaml.erb | 8 -- .../request_forwarding/gitlab_ci.yaml.erb | 8 -- .../request_forwarding/settings.xml.erb | 23 ---- .../request_forwarding/gitlab_ci.yaml.erb | 8 -- .../request_forwarding/settings.xml.erb | 23 ---- .../pypi/pypi_upload_install_package.yaml.erb | 2 +- .../maven/maven_project_level_spec.rb | 2 +- .../maven_gradle_repository_spec.rb | 110 +++++++++++------- .../package_registry/pypi_repository_spec.rb | 8 +- qa/qa/support/helpers/mask_token.rb | 1 + 20 files changed, 306 insertions(+), 186 deletions(-) create mode 100644 qa/qa/fixtures/package_managers/maven/gradle/build.gradle.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/gradle/build_install.gradle.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/gradle/build_upload.gradle.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/gradle/gradle_install_package.yaml.erb create mode 100644 qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_install_package.yaml.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_package.yaml.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/gitlab_ci.yaml.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/settings.xml.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/project/request_forwarding/gitlab_ci.yaml.erb delete mode 100644 qa/qa/fixtures/package_managers/maven/project/request_forwarding/settings.xml.erb diff --git a/app/models/merge_request.rb b/app/models/merge_request.rb index 2b4d0949a92..36c09770503 100644 --- a/app/models/merge_request.rb +++ b/app/models/merge_request.rb @@ -1553,6 +1553,10 @@ class MergeRequest < ApplicationRecord %r{\Arefs/#{Repository::REF_MERGE_REQUEST}/\d+/train\z}o.match?(ref) end + def train + MergeTrains::Train.new(target_project.id, target_branch) + end + def in_locked_state lock_mr yield diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md index 23d2ab512db..2e97696b58f 100644 --- a/doc/administration/auth/oidc.md +++ b/doc/administration/auth/oidc.md @@ -757,8 +757,8 @@ For more information, see the [GitLab API user method documentation](https://pyt You can configure OIDC group membership to: - Require users to be members of a certain group. -- Assign users [external roles](../../user/admin_area/external_users.md), or as - administrators based on group membership. +- Assign users [external](../../user/admin_area/external_users.md), administrator or + [auditor](../auditor_users.md) roles based on group membership. GitLab checks these groups on each sign in and updates user attributes as necessary. This feature **does not** allow you to automatically add users to GitLab @@ -921,6 +921,83 @@ For self-compiled installations: 1. Save the file and [reconfigure GitLab](../restart_gitlab.md#installations-from-source) for the changes to take effect. +### Auditor groups **(PREMIUM SELF)** + +Your IdP must pass group information to GitLab in the OIDC response. To use this +response to assign users as auditors based on group membership, configure GitLab to identify: + +- Where to look for the groups in the OIDC response, using the `groups_attribute` setting. +- Which group memberships grant the user auditor access, using the `auditor_groups` + setting. + +For Linux package installations: + +1. Edit `/etc/gitlab/gitlab.rb`: + + ```ruby + gitlab_rails['omniauth_providers'] = [ + { + name: "openid_connect", + label: "Provider name", + args: { + name: "openid_connect", + scope: ["openid","profile","email","groups"], + response_type: "code", + issuer: "", + discovery: true, + client_auth_method: "query", + uid_field: "", + client_options: { + identifier: "", + secret: "", + redirect_uri: "/users/auth/openid_connect/callback", + gitlab: { + groups_attribute: "groups", + auditor_groups: ["Auditor"] + } + } + } + } + ] + ``` + +1. Save the file and [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation) + for the changes to take effect. + +For self-compiled installations: + +1. Edit `/home/git/gitlab/config/gitlab.yml`: + + ```yaml + production: &base + omniauth: + providers: + - { name: 'openid_connect', + label: 'Provider name', + args: { + name: 'openid_connect', + scope: ['openid','profile','email','groups'], + response_type: 'code', + issuer: '', + discovery: true, + client_auth_method: 'query', + uid_field: '', + client_options: { + identifier: '', + secret: '', + redirect_uri: '/users/auth/openid_connect/callback', + gitlab: { + groups_attribute: "groups", + auditor_groups: ["Auditor"] + } + } + } + } + ``` + +1. Save the file and [reconfigure GitLab](../restart_gitlab.md#installations-from-source) + for the changes to take effect. + ### Administrator groups Your IdP must pass group information to GitLab in the OIDC response. To use this diff --git a/doc/ci/environments/deployment_approvals.md b/doc/ci/environments/deployment_approvals.md index 0ef37452cbb..4d5297dce7c 100644 --- a/doc/ci/environments/deployment_approvals.md +++ b/doc/ci/environments/deployment_approvals.md @@ -165,7 +165,8 @@ require `Administrator` to approve every deployment job in `Production`. ### Allow self-approval **(PREMIUM)** -> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/381418) in GitLab 15.8. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/381418) in GitLab 15.8. +> - Automatic approval [removed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124638) in GitLab 16.2 due to [usability issues](https://gitlab.com/gitlab-org/gitlab/-/issues/391258). By default, the user who triggers a deployment pipeline can't also approve the deployment job. To allow self-approval of a deployment job: @@ -175,9 +176,6 @@ To allow self-approval of a deployment job: 1. Expand **Protected environments**. 1. From the **Approval options**, select the **Allow pipeline triggerer to approve deployment** checkbox. -When a pipeline runs, deployment jobs are automatically approved in the pipeline if the user who -triggered the deployment is allowed to approve. - ## Approve or reject a deployment > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/342180/) in GitLab 14.9 diff --git a/doc/user/application_security/dast/browser_based.md b/doc/user/application_security/dast/browser_based.md index c8ddcfbb201..0338555598c 100644 --- a/doc/user/application_security/dast/browser_based.md +++ b/doc/user/application_security/dast/browser_based.md @@ -212,6 +212,75 @@ For authentication CI/CD variables, see [Authentication](authentication.md). | `DAST_WEBSITE` | URL | `https://example.com` | The URL of the website to scan. | | `SECURE_ANALYZERS_PREFIX` | URL | `registry.organization.com` | Set the Docker registry base address from which to download the analyzer. | +## Managing scope + +Scope controls what URLs DAST follows when crawling the target application. Properly managed scope minimizes scan run time while ensuring only the target application is checked for vulnerabilities. + +### Types of scope + +There are three types of scope: + +- in scope +- out of scope +- excluded from scope + +#### In scope + +DAST follows in-scope URLs and searches the DOM for subsequent actions to perform to continue the crawl. +Recorded in-scope HTTP messages are passively checked for vulnerabilities and used to build attacks when running a full scan. + +#### Out of scope + +DAST follows out-of-scope URLs for non-document content types such as image, stylesheet, font, script, or AJAX request. +[Authentication](#scope-works-differently-during-authentication) aside, DAST does not follow out-of-scope URLs for full page loads, such as when clicking a link to an external website. +Except for passive checks that search for information leaks, recorded HTTP messages for out-of-scope URLs are not checked for vulnerabilities. + +#### Excluded from scope + +DAST does not follow excluded-from-scope URLs. Except for passive checks that search for information leaks, recorded HTTP messages for excluded-from-scope URLs are not checked for vulnerabilities. + +### Scope works differently during authentication + +Many target applications have an authentication process that depends on external websites, such as when using an identity access management provider for single sign on (SSO). +To ensure that DAST can authenticate with these providers, DAST follows out-of-scope URLs for full page loads during authentication. DAST does not follow excluded-from-scope URLs. + +### How DAST blocks HTTP requests + +DAST instructs the browser to make the HTTP request as usual when blocking a request due to scope rules. The request is subsequently intercepted and rejected with the reason `BlockedByClient`. +This approach allows DAST to record the HTTP request while ensuring it never reaches the target server. Passive checks such as [200.1](checks/200.1.md) use these recorded requests to verify information sent to external hosts. + +### How to configure scope + +By default, URLs matching the host of the target application are considered in-scope. All other hosts are considered out-of-scope. + +Scope is configured using the following variables: + +- Use `DAST_BROWSER_ALLOWED_HOSTS` to add in-scope hosts. +- Use `DAST_BROWSER_IGNORED_HOSTS` to add to out-of-scope hosts. +- Use `DAST_BROWSER_EXCLUDED_HOSTS` to add to excluded-from-scope hosts. +- Use `DAST_EXCLUDE_URLS` to set specific URLs to be excluded-from-scope. + +Rules: + +- Excluding a host is given priority over ignoring a host, which is given priority over allowing a host. +- Configuring scope for a host does not configure scope for the subdomains of that host. +- Configuring scope for a host does not configure scope for all ports on that host. + +The following could be a typical configuration: + +```yaml +include: + - template: DAST.gitlab-ci.yml + +dast: + variables: + DAST_WEBSITE: "https://my.site.com" # my.site.com URLs are considered in-scope by default + DAST_BROWSER_ALLOWED_HOSTS: "api.site.com:8443" # include the API as part of the scan + DAST_BROWSER_IGNORED_HOSTS: "analytics.site.com" # explicitly disregard analytics from the scan + DAST_BROWSER_EXCLUDED_HOSTS: "ads.site.com" # don't visit any URLs on the ads subdomain + DAST_EXCLUDE_URLS: "https://my.site.com/user/logout" # don't visit this URL +``` + ## Vulnerability detection Vulnerability detection is gradually being migrated from the default Zed Attack Proxy (ZAP) solution diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 07e4c5a1843..19033ea67d3 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -15527,9 +15527,6 @@ msgstr "" msgid "DeploymentApprovals|Set how approval rules are applied to deployments in protected environments." msgstr "" -msgid "DeploymentApprovals|When a pipeline runs, deployment jobs will automatically be approved in the pipeline if the triggerer is allowed to approve." -msgstr "" - msgid "DeploymentApproval| Current approvals: %{current}" msgstr "" diff --git a/qa/qa/fixtures/package_managers/maven/gradle/build.gradle.erb b/qa/qa/fixtures/package_managers/maven/gradle/build.gradle.erb new file mode 100644 index 00000000000..77e5398bf13 --- /dev/null +++ b/qa/qa/fixtures/package_managers/maven/gradle/build.gradle.erb @@ -0,0 +1,51 @@ +plugins { + id 'java' + id 'maven-publish' + id 'application' +} + +repositories { + maven { + url "<%= gitlab_address_with_port %>/api/v4/projects/<%= project.id %>/packages/maven" + name "GitLab" + credentials(HttpHeaderCredentials) { + name = '<%= maven_header_name %>' + value = project.property('Token') + } + authentication { + header(HttpHeaderAuthentication) + } + } +} + +dependencies { + implementation group: '<%= group_id %>', name: '<%= artifact_id %>', version: '<%= package_version %>' + testImplementation 'junit:junit:4.12' +} + +publishing { + publications { + mavenJava(MavenPublication) { + groupId '<%= group_id %>' + artifactId '<%= artifact_id %>' + version '<%= package_version %>' + from components.java + } + } + repositories { + maven { + url "<%= gitlab_address_with_port %>/api/v4/projects/<%= project.id %>/packages/maven" + credentials(HttpHeaderCredentials) { + name = '<%= maven_header_name %>' + value = project.property('Token') + } + authentication { + header(HttpHeaderAuthentication) + } + } + } +} + +application { + mainClassName = 'gradle_maven_app.App' +} diff --git a/qa/qa/fixtures/package_managers/maven/gradle/build_install.gradle.erb b/qa/qa/fixtures/package_managers/maven/gradle/build_install.gradle.erb deleted file mode 100644 index 31543d30e88..00000000000 --- a/qa/qa/fixtures/package_managers/maven/gradle/build_install.gradle.erb +++ /dev/null @@ -1,27 +0,0 @@ -plugins { - id 'java' - id 'application' -} - -repositories { - maven { - url "<%= gitlab_address_with_port %>/api/v4/projects/<%= package_project.id %>/packages/maven" - name "GitLab" - credentials(HttpHeaderCredentials) { - name = '<%= maven_header_name %>' - value = <%= token %> - } - authentication { - header(HttpHeaderAuthentication) - } - } -} - -dependencies { - implementation group: '<%= group_id %>', name: '<%= artifact_id %>', version: '<%= package_version %>' - testImplementation 'junit:junit:4.12' -} - -application { - mainClassName = 'gradle_maven_app.App' -} \ No newline at end of file diff --git a/qa/qa/fixtures/package_managers/maven/gradle/build_upload.gradle.erb b/qa/qa/fixtures/package_managers/maven/gradle/build_upload.gradle.erb deleted file mode 100644 index c14e63e11df..00000000000 --- a/qa/qa/fixtures/package_managers/maven/gradle/build_upload.gradle.erb +++ /dev/null @@ -1,27 +0,0 @@ -plugins { - id 'java' - id 'maven-publish' -} - -publishing { - publications { - library(MavenPublication) { - groupId '<%= group_id %>' - artifactId '<%= artifact_id %>' - version '<%= package_version %>' - from components.java - } - } - repositories { - maven { - url "<%= gitlab_address_with_port %>/api/v4/projects/<%= package_project.id %>/packages/maven" - credentials(HttpHeaderCredentials) { - name = "Private-Token" - value = "<%= personal_access_token %>" - } - authentication { - header(HttpHeaderAuthentication) - } - } - } -} \ No newline at end of file diff --git a/qa/qa/fixtures/package_managers/maven/gradle/gradle_install_package.yaml.erb b/qa/qa/fixtures/package_managers/maven/gradle/gradle_install_package.yaml.erb deleted file mode 100644 index 49873f124cc..00000000000 --- a/qa/qa/fixtures/package_managers/maven/gradle/gradle_install_package.yaml.erb +++ /dev/null @@ -1,8 +0,0 @@ - build: - image: gradle:6.5-jdk11 - script: - - 'gradle build' - only: - - "<%= client_project.default_branch %>" - tags: - - "runner-for-<%= client_project.group.name %>" \ No newline at end of file diff --git a/qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_install_package.yaml.erb b/qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_install_package.yaml.erb new file mode 100644 index 00000000000..35f4dba6130 --- /dev/null +++ b/qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_install_package.yaml.erb @@ -0,0 +1,23 @@ +stages: + - publish + - install + +publish: + stage: publish + image: gradle:6.5-jdk11 + script: + - 'gradle -PToken=<%= token %> publish' + only: + - "<%= project.default_branch %>" + tags: + - "runner-for-<%= project.name %>" + +install: + stage: install + image: gradle:6.5-jdk11 + script: + - 'gradle -PToken=<%= token %> build' + only: + - "<%= project.default_branch %>" + tags: + - "runner-for-<%= project.name %>" diff --git a/qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_package.yaml.erb b/qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_package.yaml.erb deleted file mode 100644 index 3f3c7dce03c..00000000000 --- a/qa/qa/fixtures/package_managers/maven/gradle/gradle_upload_package.yaml.erb +++ /dev/null @@ -1,8 +0,0 @@ -deploy: - image: gradle:6.5-jdk11 - script: - - 'gradle publish' - only: - - "<%= package_project.default_branch %>" - tags: - - "runner-for-<%= package_project.group.name %>" \ No newline at end of file diff --git a/qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/gitlab_ci.yaml.erb b/qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/gitlab_ci.yaml.erb deleted file mode 100644 index 394c6689eef..00000000000 --- a/qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/gitlab_ci.yaml.erb +++ /dev/null @@ -1,8 +0,0 @@ -install: - image: maven:3.6-jdk-11 - script: - - "mvn install -U -s settings.xml" - only: - - "<%= imported_project.default_branch %>" - tags: - - "runner-for-<%= imported_project.group.name %>" \ No newline at end of file diff --git a/qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/settings.xml.erb b/qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/settings.xml.erb deleted file mode 100644 index 4bcd63b3c6d..00000000000 --- a/qa/qa/fixtures/package_managers/maven/group/consumer/request_forwarding/settings.xml.erb +++ /dev/null @@ -1,23 +0,0 @@ - - - - central-proxy - - - - Private-Token - <%= personal_access_token %> - - - - - - - - central-proxy - GitLab proxy of central repo - <%= gitlab_address_with_port %>/api/v4/groups/<%= imported_project.group.id %>/-/packages/maven - central - - - \ No newline at end of file diff --git a/qa/qa/fixtures/package_managers/maven/project/request_forwarding/gitlab_ci.yaml.erb b/qa/qa/fixtures/package_managers/maven/project/request_forwarding/gitlab_ci.yaml.erb deleted file mode 100644 index a41bdc4d650..00000000000 --- a/qa/qa/fixtures/package_managers/maven/project/request_forwarding/gitlab_ci.yaml.erb +++ /dev/null @@ -1,8 +0,0 @@ -install: - image: maven:3.6-jdk-11 - script: - - 'mvn install -U -s settings.xml' - only: - - "<%= imported_project.default_branch %>" - tags: - - "runner-for-<%= imported_project.name %>" \ No newline at end of file diff --git a/qa/qa/fixtures/package_managers/maven/project/request_forwarding/settings.xml.erb b/qa/qa/fixtures/package_managers/maven/project/request_forwarding/settings.xml.erb deleted file mode 100644 index caf1fc9b761..00000000000 --- a/qa/qa/fixtures/package_managers/maven/project/request_forwarding/settings.xml.erb +++ /dev/null @@ -1,23 +0,0 @@ - - - - central-proxy - - - - Private-Token - <%= personal_access_token %> - - - - - - - - central-proxy - GitLab proxy of central repo - <%= gitlab_address_with_port %>/api/v4/projects/<%= imported_project.id %>/packages/maven - central - - - diff --git a/qa/qa/fixtures/package_managers/pypi/pypi_upload_install_package.yaml.erb b/qa/qa/fixtures/package_managers/pypi/pypi_upload_install_package.yaml.erb index 87c01fb5477..3cd1b1e630f 100644 --- a/qa/qa/fixtures/package_managers/pypi/pypi_upload_install_package.yaml.erb +++ b/qa/qa/fixtures/package_managers/pypi/pypi_upload_install_package.yaml.erb @@ -14,6 +14,6 @@ run: install: stage: install script: - - "pip install <%= package.name %> --no-deps --index-url <%= uri.scheme %>://<%= personal_access_token %>:<%= personal_access_token %>@<%= gitlab_host_with_port %>/api/v4/projects/${CI_PROJECT_ID}/packages/pypi/simple --trusted-host <%= gitlab_host_with_port %>" + - "pip install <%= package.name %> --no-deps --index-url <%= uri.scheme %>://${PERSONAL_ACCESS_TOKEN}:${PERSONAL_ACCESS_TOKEN}@<%= gitlab_host_with_port %>/api/v4/projects/${CI_PROJECT_ID}/packages/pypi/simple --trusted-host <%= gitlab_host_with_port %>" tags: - runner-for-<%= project.name %> diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/maven/maven_project_level_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/maven/maven_project_level_spec.rb index d87be118dfe..91d8f0dc181 100644 --- a/qa/qa/specs/features/browser_ui/5_package/package_registry/maven/maven_project_level_spec.rb +++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/maven/maven_project_level_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true module QA - RSpec.describe 'Package', :object_storage, :skip_live_env, except: { job: 'relative-url' } do + RSpec.describe 'Package', :object_storage, except: { job: 'relative-url' } do describe 'Maven project level endpoint', product_group: :package_registry do include Runtime::Fixtures include Support::Helpers::MaskToken diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/maven_gradle_repository_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/maven_gradle_repository_spec.rb index e961bc41dc0..82588bb63cb 100644 --- a/qa/qa/specs/features/browser_ui/5_package/package_registry/maven_gradle_repository_spec.rb +++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/maven_gradle_repository_spec.rb @@ -1,11 +1,11 @@ # frozen_string_literal: true module QA - RSpec.describe 'Package', :object_storage, :skip_live_env, except: { job: 'relative-url' }, product_group: :package_registry do + RSpec.describe 'Package', :object_storage, except: { job: 'relative-url' }, product_group: :package_registry do describe 'Maven Repository with Gradle' do using RSpec::Parameterized::TableSyntax include Runtime::Fixtures - include_context 'packages registry qa scenario' + include Support::Helpers::MaskToken let(:group_id) { 'com.gitlab.qa' } let(:artifact_id) { "maven_gradle-#{SecureRandom.hex(8)}" } @@ -13,6 +13,52 @@ module QA let(:package_version) { '1.3.7' } let(:package_type) { 'maven_gradle' } + let(:project) do + Resource::Project.fabricate_via_api! do |project| + project.name = "#{package_type}_project" + project.initialize_with_readme = true + project.visibility = :private + end + end + + let(:runner) do + Resource::ProjectRunner.fabricate! do |runner| + runner.name = "qa-runner-#{Time.now.to_i}" + runner.tags = ["runner-for-#{project.name}"] + runner.executor = :docker + runner.project = project + end + end + + let(:gitlab_address_with_port) do + uri = URI.parse(Runtime::Scenario.gitlab_address) + "#{uri.scheme}://#{uri.host}:#{uri.port}" + end + + let(:project_deploy_token) do + Resource::ProjectDeployToken.fabricate_via_api! do |deploy_token| + deploy_token.name = 'package-deploy-token' + deploy_token.project = project + deploy_token.scopes = %w[ + read_repository + read_package_registry + write_package_registry + ] + end + end + + let(:project_inbound_job_token_disabled) do + Resource::CICDSettings.fabricate_via_api! do |settings| + settings.project_path = project.full_path + settings.inbound_job_token_scope_enabled = false + end + end + + before do + Flow::Login.sign_in_unless_signed_in + runner + end + where(:case_name, :authentication_token_type, :maven_header_name, :testcase) do 'using personal access token' | :personal_access_token | 'Private-Token' | 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347601' 'using ci job token' | :ci_job_token | 'Job-Token' | 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/347603' @@ -23,38 +69,47 @@ module QA let(:token) do case authentication_token_type when :personal_access_token - "\"#{personal_access_token}\"" + use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: Runtime::Env.personal_access_token, project: project) when :ci_job_token - package_project_inbound_job_token_disabled - client_project_inbound_job_token_disabled - 'System.getenv("CI_JOB_TOKEN")' + project_inbound_job_token_disabled + '${CI_JOB_TOKEN}' when :project_deploy_token - "\"#{project_deploy_token.token}\"" + use_ci_variable(name: 'PROJECT_DEPLOY_TOKEN', value: project_deploy_token.token, project: project) end end it 'pushes and pulls a maven package via gradle', testcase: params[:testcase] do Support::Retrier.retry_on_exception(max_attempts: 3, sleep_interval: 2) do Resource::Repository::Commit.fabricate_via_api! do |commit| - gradle_upload_yaml = ERB.new(read_fixture('package_managers/maven/gradle', 'gradle_upload_package.yaml.erb')).result(binding) - build_upload_gradle = ERB.new(read_fixture('package_managers/maven/gradle', 'build_upload.gradle.erb')).result(binding) + gradle_publish_install_yaml = ERB.new(read_fixture('package_managers/maven/gradle', 'gradle_upload_install_package.yaml.erb')).result(binding) + build_gradle = ERB.new(read_fixture('package_managers/maven/gradle', 'build.gradle.erb')).result(binding) - commit.project = package_project + commit.project = project commit.commit_message = 'Add .gitlab-ci.yml' commit.add_files( [ - { file_path: '.gitlab-ci.yml', content: gradle_upload_yaml }, - { file_path: 'build.gradle', content: build_upload_gradle } + { file_path: '.gitlab-ci.yml', content: gradle_publish_install_yaml }, + { file_path: 'build.gradle', content: build_gradle } ]) end end - package_project.visit! + project.visit! Flow::Pipeline.visit_latest_pipeline Page::Project::Pipeline::Show.perform do |pipeline| - pipeline.click_job('deploy') + pipeline.click_job('publish') + end + + Page::Project::Job::Show.perform do |job| + expect(job).to be_successful(timeout: 800) + + job.click_element(:pipeline_path) + end + + Page::Project::Pipeline::Show.perform do |pipeline| + pipeline.click_job('install') end Page::Project::Job::Show.perform do |job| @@ -72,33 +127,6 @@ module QA Page::Project::Packages::Show.perform do |show| expect(show).to have_package_info(package_name, package_version) end - - Support::Retrier.retry_on_exception(max_attempts: 3, sleep_interval: 2) do - Resource::Repository::Commit.fabricate_via_api! do |commit| - gradle_install_yaml = ERB.new(read_fixture('package_managers/maven/gradle', 'gradle_install_package.yaml.erb')).result(binding) - build_install_gradle = ERB.new(read_fixture('package_managers/maven/gradle', 'build_install.gradle.erb')).result(binding) - - commit.project = client_project - commit.commit_message = 'Add files' - commit.add_files( - [ - { file_path: '.gitlab-ci.yml', content: gradle_install_yaml }, - { file_path: 'build.gradle', content: build_install_gradle } - ]) - end - end - - client_project.visit! - - Flow::Pipeline.visit_latest_pipeline - - Page::Project::Pipeline::Show.perform do |pipeline| - pipeline.click_job('build') - end - - Page::Project::Job::Show.perform do |job| - expect(job).to be_successful(timeout: 800) - end end end end diff --git a/qa/qa/specs/features/browser_ui/5_package/package_registry/pypi_repository_spec.rb b/qa/qa/specs/features/browser_ui/5_package/package_registry/pypi_repository_spec.rb index f29a9691849..8001208d56b 100644 --- a/qa/qa/specs/features/browser_ui/5_package/package_registry/pypi_repository_spec.rb +++ b/qa/qa/specs/features/browser_ui/5_package/package_registry/pypi_repository_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true module QA - RSpec.describe 'Package', :object_storage, :skip_live_env, except: { job: 'relative-url' }, product_group: :package_registry do + RSpec.describe 'Package', :object_storage, except: { job: 'relative-url' }, product_group: :package_registry do describe 'PyPI Repository' do include Runtime::Fixtures include Support::Helpers::MaskToken @@ -30,7 +30,11 @@ module QA end let(:uri) { URI.parse(Runtime::Scenario.gitlab_address) } - let(:personal_access_token) { use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: Runtime::Env.personal_access_token, project: project) } + + let!(:personal_access_token) do + use_ci_variable(name: 'PERSONAL_ACCESS_TOKEN', value: Runtime::Env.personal_access_token, project: project) + end + let(:gitlab_address_with_port) { "#{uri.scheme}://#{uri.host}:#{uri.port}" } let(:gitlab_host_with_port) do # Don't specify port if it is a standard one diff --git a/qa/qa/support/helpers/mask_token.rb b/qa/qa/support/helpers/mask_token.rb index 3aea77779ad..401a4f145d5 100644 --- a/qa/qa/support/helpers/mask_token.rb +++ b/qa/qa/support/helpers/mask_token.rb @@ -9,6 +9,7 @@ module QA ci_variable.project = project ci_variable.key = name ci_variable.value = value + ci_variable.masked = true end "${#{name}}" end