From 849c67f6da8d997d9fa54bba3526c64c7678aae6 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Wed, 3 Aug 2022 15:11:10 +0000 Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master --- app/channels/awareness_channel.rb | 1 + app/models/ci/secure_file.rb | 3 - app/views/groups/runners/show.html.haml | 12 +- .../profiles/two_factor_auths/show.html.haml | 3 +- .../enforce_security_report_validation.yml | 8 - .../development/group_runner_view_ui.yml | 8 - db/docs/project_statistics.yml | 8 +- doc/administration/libravatar.md | 113 ++-- .../documentation/styleguide/index.md | 2 +- doc/development/feature_flags/index.md | 3 + doc/development/pages/index.md | 26 + .../infrastructure/iac/terraform_state.md | 120 ++--- doc/user/project/repository/mirror/pull.md | 5 + .../security/validators/schema_validator.rb | 16 +- locale/gitlab.pot | 9 +- spec/channels/awareness_channel_spec.rb | 1 + spec/features/groups/group_runners_spec.rb | 84 +-- .../validators/schema_validator_spec.rb | 486 +++++------------- 18 files changed, 335 insertions(+), 573 deletions(-) delete mode 100644 config/feature_flags/development/enforce_security_report_validation.yml delete mode 100644 config/feature_flags/development/group_runner_view_ui.yml diff --git a/app/channels/awareness_channel.rb b/app/channels/awareness_channel.rb index 554e057ca83..cf85e4b3d33 100644 --- a/app/channels/awareness_channel.rb +++ b/app/channels/awareness_channel.rb @@ -66,6 +66,7 @@ class AwarenessChannel < ApplicationCable::Channel # rubocop:disable Gitlab/Name { id: user.id, name: user.name, + username: user.username, avatar_url: user.avatar_url(size: 36), last_activity: last_activity, last_activity_humanized: ActionController::Base.helpers.distance_of_time_in_words( diff --git a/app/models/ci/secure_file.rb b/app/models/ci/secure_file.rb index 1d7c935aa95..9a35f1876c9 100644 --- a/app/models/ci/secure_file.rb +++ b/app/models/ci/secure_file.rb 
@@ -3,11 +3,8 @@ module Ci class SecureFile < Ci::ApplicationRecord include FileStoreMounter - include IgnorableColumns include Limitable - ignore_column :permissions, remove_with: '15.2', remove_after: '2022-06-22' - FILE_SIZE_LIMIT = 5.megabytes.freeze CHECKSUM_ALGORITHM = 'sha256' diff --git a/app/views/groups/runners/show.html.haml b/app/views/groups/runners/show.html.haml index c7e0bf8943c..2fc314cc37f 100644 --- a/app/views/groups/runners/show.html.haml +++ b/app/views/groups/runners/show.html.haml @@ -1,12 +1,8 @@ - add_page_specific_style 'page_bundles/runner_details' - add_to_breadcrumbs _('Runners'), group_runners_path(@group) +- title = "##{@runner.id} (#{@runner.short_sha})" +- breadcrumb_title title +- page_title title -- if Feature.enabled?(:group_runner_view_ui, @group) - - title = "##{@runner.id} (#{@runner.short_sha})" - - breadcrumb_title title - - page_title title - - #js-group-runner-show{ data: {runner_id: @runner.id, runners_path: group_runners_path(@group), edit_group_runner_path: edit_group_runner_path(@group, @runner)} } -- else - = render 'shared/runners/runner_details', runner: @runner +#js-group-runner-show{ data: {runner_id: @runner.id, runners_path: group_runners_path(@group), edit_group_runner_path: edit_group_runner_path(@group, @runner)} } diff --git a/app/views/profiles/two_factor_auths/show.html.haml b/app/views/profiles/two_factor_auths/show.html.haml index 6304d42896d..6f60785f20c 100644 --- a/app/views/profiles/two_factor_auths/show.html.haml +++ b/app/views/profiles/two_factor_auths/show.html.haml 
@@ -21,8 +21,9 @@ - else %p - - register_2fa_token = _('We recommend cloud-based mobile authenticator apps such as Authy, Duo Mobile, and LastPass. They can restore access if you lose your hardware device.') + - register_2fa_token = _('We recommend using cloud-based authenticator applications that can restore access if you lose your hardware device.') = register_2fa_token.html_safe + = link_to _('What are some examples?'), help_page_path('user/profile/account/two_factor_authentication', anchor: 'enable-one-time-password'), target: '_blank', rel: 'noopener noreferrer' .row.gl-mb-3 .col-md-4.gl-min-w-fit-content .gl-p-2.gl-mb-3{ style: 'background: #fff' } diff --git a/config/feature_flags/development/enforce_security_report_validation.yml b/config/feature_flags/development/enforce_security_report_validation.yml deleted file mode 100644 index 2a8d3e32ec4..00000000000 --- a/config/feature_flags/development/enforce_security_report_validation.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: enforce_security_report_validation -introduced_by_url: -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/351000 -milestone: '14.9' -type: development -group: group::threat insights -default_enabled: true diff --git a/config/feature_flags/development/group_runner_view_ui.yml b/config/feature_flags/development/group_runner_view_ui.yml deleted file mode 100644 index f3a9eb15f0f..00000000000 --- a/config/feature_flags/development/group_runner_view_ui.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -name: group_runner_view_ui -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89638/ -rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/364811 -milestone: '15.1' -type: development -group: group::runner -default_enabled: false diff --git a/db/docs/project_statistics.yml b/db/docs/project_statistics.yml index 75d4af85ce4..323ba1d60d4 100644 --- a/db/docs/project_statistics.yml +++ b/db/docs/project_statistics.yml 
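Review bot: `= register_2fa_token.html_safe` is kept on the line after the reworded string, but the new text contains no markup, so the `html_safe` no longer buys anything and still exempts a translated string from output escaping — any markup that later appears in a locale file for this msgid would be rendered as-is. Render it escaped and drop the local, `= _('We recommend using cloud-based authenticator applications that can restore access if you lose your hardware device.')`. The added `link_to` with `target: '_blank', rel: 'noopener noreferrer'` is fine as written. The `- else` branch these lines sit in begins outside the hunk.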
@@ -3,7 +3,7 @@ table_name: project_statistics classes: - ProjectStatistics feature_categories: -- source_code_management -description: TODO -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/3ef4f74b1acc9399db320b53dffc592542de0126 -milestone: '9.0' +- utilization +description: Records statistics about the usage of various product features +introduced_by_url: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/7754 +milestone: '8.16' diff --git a/doc/administration/libravatar.md b/doc/administration/libravatar.md index eac7c6f848b..3f258a4893f 100644 --- a/doc/administration/libravatar.md +++ b/doc/administration/libravatar.md 
@@ -11,32 +11,83 @@ GitLab by default supports the [Gravatar](https://gravatar.com) avatar service. Libravatar is another service that delivers your avatar (profile picture) to other websites. The Libravatar API is -[heavily based on gravatar](https://wiki.libravatar.org/api/), so you can +[heavily based on Gravatar](https://wiki.libravatar.org/api/), so you can switch to the Libravatar avatar service or even your own Libravatar server. -## Configuration +## Change the Libravatar service to your own service -In the [`gitlab.yml` gravatar section](https://gitlab.com/gitlab-org/gitlab/-/blob/672bd3902d86b78d730cea809fce312ec49d39d7/config/gitlab.yml.example#L122), set +In the [`gitlab.yml` gravatar section](https://gitlab.com/gitlab-org/gitlab/-/blob/68dac188ec6b1b03d53365e7579422f44cbe7a1c/config/gitlab.yml.example#L469-476), set the configuration options as follows: -### For HTTP +**For Omnibus installations** -```yaml - gravatar: - enabled: true - # gravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} - plain_url: "http://cdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" -``` +1. Edit `/etc/gitlab/gitlab.rb`: -### For HTTPS + ```ruby + gitlab_rails['gravatar_enabled'] = true + #### For HTTPS + gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" + #### Use this line instead for HTTP + # gitlab_rails['gravatar_plain_url'] = "http://cdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" + ``` -```yaml - gravatar: - enabled: true - # gravatar URLs: possible placeholders: %{hash} %{size} %{email} %{username} - ssl_url: "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" -``` +1. To apply the changes, run `sudo gitlab-ctl reconfigure`. + +**For installations from source** + +1. 
Edit `config/gitlab.yml`: + + ```yaml + gravatar: + enabled: true + # default: https://www.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + plain_url: "http://cdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" + # default: https://secure.gravatar.com/avatar/%{hash}?s=%{size}&d=identicon + ssl_url: https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" + ``` + +1. Save the file, and then [restart](restart_gitlab.md#installations-from-source) + GitLab for the changes to take effect. + +## Set the Libravatar service to default (Gravatar) + +**For Omnibus installations** + +1. Delete `gitlab_rails['gravatar_ssl_url']` or `gitlab_rails['gravatar_plain_url']` from `/etc/gitlab/gitlab.rb`. +1. To apply the changes, run `sudo gitlab-ctl reconfigure`. + +**For installations from source** + +1. Remove `gravatar:` section from `config/gitlab.yml`. +1. Save the file, then [restart](restart_gitlab.md#installations-from-source) + GitLab to apply the changes. + +## Disable Gravatar service + +To disable Gravatar, for example, to prohibit third-party services, complete the following steps: + +**For Omnibus installations** + +1. Edit `/etc/gitlab/gitlab.rb`: + + ```ruby + gitlab_rails['gravatar_enabled'] = false + ``` + +1. To apply the changes, run `sudo gitlab-ctl reconfigure`. + +**For installations from source** + +1. Edit `config/gitlab.yml`: + + ```yaml + gravatar: + enabled: false + ``` + +1. Save the file, then [restart](restart_gitlab.md#installations-from-source) + GitLab to apply the changes. ### Your own Libravatar server 
@@ -44,30 +95,10 @@ If you are [running your own Libravatar service](https://wiki.libravatar.org/run the URL is different in the configuration, but you must provide the same placeholders so GitLab can parse the URL correctly. -For example, you host a service on `http://libravatar.example.com` and the -`plain_url` you must supply in `gitlab.yml` is +For example, you host a service on `https://libravatar.example.com` and the +`ssl_url` you must supply in `gitlab.yml` is: -`http://libravatar.example.com/avatar/%{hash}?s=%{size}&d=identicon` - -### Omnibus GitLab example - -In `/etc/gitlab/gitlab.rb`: - -#### For HTTP - -```ruby -gitlab_rails['gravatar_enabled'] = true -gitlab_rails['gravatar_plain_url'] = "http://cdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" -``` - -#### For HTTPS - -```ruby -gitlab_rails['gravatar_enabled'] = true -gitlab_rails['gravatar_ssl_url'] = "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=identicon" -``` - -Then run `sudo gitlab-ctl reconfigure` for the changes to take effect. +`https://libravatar.example.com/avatar/%{hash}?s=%{size}&d=identicon` ## Default URL for missing images @@ -77,7 +108,7 @@ service. To use a set other than `identicon`, replace the `&d=identicon` portion of the URL with another supported set. For example, you can use the `retro` set, in -which case the URL would look like: `plain_url: "http://cdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"` +which case the URL would look like: `ssl_url: "https://seccdn.libravatar.org/avatar/%{hash}?s=%{size}&d=retro"` ## Usage examples for Microsoft Office 365 diff --git a/doc/development/documentation/styleguide/index.md b/doc/development/documentation/styleguide/index.md index fe699c19a96..6149e187567 100644 --- a/doc/development/documentation/styleguide/index.md +++ b/doc/development/documentation/styleguide/index.md 
@@ -150,7 +150,7 @@ the page is rendered to HTML. There can be only **one** level 1 heading per page - For each subsection, increment the heading level. In other words, increment the number of `#` characters in front of the heading. -- Avoid headings greater than `H5` (`#####`). If you need more than five headings, move the topics to a new page instead. +- Avoid headings greater than `H5` (`#####`). If you need more than five heading levels, move the topics to a new page instead. Headings greater than `H5` do not display in the right sidebar navigation. - Do not skip a level. For example: `##` > `####`. - Leave one blank line before and after the heading. diff --git a/doc/development/feature_flags/index.md b/doc/development/feature_flags/index.md index 140d5f826cf..a8dc16f2895 100644 --- a/doc/development/feature_flags/index.md +++ b/doc/development/feature_flags/index.md @@ -178,6 +178,9 @@ All validations are skipped when running in `RAILS_ENV=production`. ## Create a new feature flag +NOTE: +GitLab Pages uses [a different process](../pages/index.md#feature-flags) for feature flags. + The GitLab codebase provides [`bin/feature-flag`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/bin/feature-flag), a dedicated tool to create new feature flag definitions. The tool asks various questions about the new feature flag, then creates diff --git a/doc/development/pages/index.md b/doc/development/pages/index.md index 02019db48ba..42a15c1eb90 100644 --- a/doc/development/pages/index.md +++ b/doc/development/pages/index.md 
@@ -236,3 +236,29 @@ make acceptance # so we want to have the latest changes in the build that is tested make && go test ./ -run TestRedirect ``` + +## Contributing + +### Feature flags + +WARNING: +All newly-introduced feature flags should be [disabled by default](https://about.gitlab.com/handbook/product-development-flow/feature-flag-lifecycle/#feature-flags-in-gitlab-development). + +Consider adding a [feature flag](../feature_flags/index.md) for any non-trivial changes. +Feature flags can make the release and rollback of these changes easier, avoiding +incidents and downtime. To add a new feature flag to GitLab Pages: + +1. Create the feature flag in + [`internal/feature/feature.go`](https://gitlab.com/gitlab-org/gitlab-pages/-/blob/master/internal/feature/feature.go), + which must be **off** by default. +1. Create an issue to track the feature flag using the `Feature Flag` template. +1. Add the `~"feature flag"` label to any merge requests that handle feature flags. + +For GitLab Pages, the feature flags are controlled by environment variables at a global level. It +A deployment at the service level is required to change the state of a feature flag. +Example of an merge request enabling a GitLab Pages feature flag: +[Enforce GitLab Pages rate limits](https://gitlab.com/gitlab-com/gl-infra/k8s-workloads/gitlab-com/-/merge_requests/1500) + +## Related topics + +- [Feature flags in the development of GitLab](../feature_flags/index.md) diff --git a/doc/user/infrastructure/iac/terraform_state.md b/doc/user/infrastructure/iac/terraform_state.md index 24203e8d922..469c65b4c0e 100644 --- a/doc/user/infrastructure/iac/terraform_state.md +++ b/doc/user/infrastructure/iac/terraform_state.md 
@@ -109,66 +109,6 @@ You should use a local terminal to run the commands needed for migrating to GitL The following example demonstrates how to change the state name. The same workflow is needed to migrate to GitLab-managed Terraform state from a different state storage backend. -## Use your GitLab backend as a remote data source - -You can use a GitLab-managed Terraform state backend as a -[Terraform data source](https://www.terraform.io/language/state/remote-state-data). - -1. In your `main.tf` or other relevant file, declare these variables. Leave the values empty. - - ```hcl - variable "example_remote_state_address" { - type = string - description = "Gitlab remote state file address" - } - - variable "example_username" { - type = string - description = "Gitlab username to query remote state" - } - - variable "example_access_token" { - type = string - description = "GitLab access token to query remote state" - } - ``` - -1. To override the values from the previous step, create a file named `example.auto.tfvars`. This file should **not** be versioned in your project repository. - - ```plaintext - example_remote_state_address = "https://gitlab.com/api/v4/projects//terraform/state/" - example_username = "" - example_access_token = "" - ``` - -1. In a `.tf` file, define the data source by using [Terraform input variables](https://www.terraform.io/language/values/variables): - - ```hcl - data "terraform_remote_state" "example" { - backend = "http" - - config = { - address = var.example_remote_state_address - username = var.example_username - password = var.example_access_token - } - } - ``` - - - **address**: The URL of the remote state backend you want to use as a data source. - For example, `https://gitlab.com/api/v4/projects//terraform/state/`. - - **username**: The username to authenticate with the data source. If you are using - a [Personal Access Token](../../profile/personal_access_tokens.md) for - authentication, this value is your GitLab username. 
If you are using GitLab CI/CD, this value is `'gitlab-ci-token'`. - - **password**: The password to authenticate with the data source. If you are using a Personal Access Token for - authentication, this value is the token value (the token must have the **API** scope). - If you are using GitLab CI/CD, this value is the contents of the `${CI_JOB_TOKEN}` CI/CD variable. - -Outputs from the data source can now be referenced in your Terraform resources -using `data.terraform_remote_state.example.outputs.`. - -To read the Terraform state in the target project, you need at least the Developer role. - ### Set up the initial backend ```shell 
@@ -264,6 +204,66 @@ commands will detect it and remind you to do so if necessary. If you type `yes`, it copies your state from the old location to the new location. You can then go back to running it in GitLab CI/CD. +## Use your GitLab backend as a remote data source + +You can use a GitLab-managed Terraform state backend as a +[Terraform data source](https://www.terraform.io/language/state/remote-state-data). + +1. In your `main.tf` or other relevant file, declare these variables. Leave the values empty. + + ```hcl + variable "example_remote_state_address" { + type = string + description = "Gitlab remote state file address" + } + + variable "example_username" { + type = string + description = "Gitlab username to query remote state" + } + + variable "example_access_token" { + type = string + description = "GitLab access token to query remote state" + } + ``` + +1. To override the values from the previous step, create a file named `example.auto.tfvars`. This file should **not** be versioned in your project repository. + + ```plaintext + example_remote_state_address = "https://gitlab.com/api/v4/projects//terraform/state/" + example_username = "" + example_access_token = "" + ``` + +1. In a `.tf` file, define the data source by using [Terraform input variables](https://www.terraform.io/language/values/variables): + + ```hcl + data "terraform_remote_state" "example" { + backend = "http" + + config = { + address = var.example_remote_state_address + username = var.example_username + password = var.example_access_token + } + } + ``` + + - **address**: The URL of the remote state backend you want to use as a data source. + For example, `https://gitlab.com/api/v4/projects//terraform/state/`. + - **username**: The username to authenticate with the data source. If you are using + a [Personal Access Token](../../profile/personal_access_tokens.md) for + authentication, this value is your GitLab username. If you are using GitLab CI/CD, this value is `'gitlab-ci-token'`. 
+ - **password**: The password to authenticate with the data source. If you are using a Personal Access Token for + authentication, this value is the token value (the token must have the **API** scope). + If you are using GitLab CI/CD, this value is the contents of the `${CI_JOB_TOKEN}` CI/CD variable. + +Outputs from the data source can now be referenced in your Terraform resources +using `data.terraform_remote_state.example.outputs.`. + +To read the Terraform state in the target project, you need at least the Developer role. + ## Manage Terraform state files > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/273592) in GitLab 13.8. diff --git a/doc/user/project/repository/mirror/pull.md b/doc/user/project/repository/mirror/pull.md index 88104e34eb4..d0f2b9a8088 100644 --- a/doc/user/project/repository/mirror/pull.md +++ b/doc/user/project/repository/mirror/pull.md @@ -28,6 +28,11 @@ local repository, GitLab stops updating the branch. This prevents data loss. Deleted branches and tags in the upstream repository are not reflected in the downstream repository. +NOTE: +Items deleted from the downstream pull mirror repository, but still in the upstream repository, +are restored upon the next pull. For example: a branch deleted _only_ in the mirrored repository +reappears after the next pull. + ## How pull mirroring works After you configure a GitLab repository as a pull mirror: diff --git a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb index ee7733a081d..3a6b9ccdc33 100644 --- a/lib/gitlab/ci/parsers/security/validators/schema_validator.rb +++ b/lib/gitlab/ci/parsers/security/validators/schema_validator.rb 
@@ -93,11 +93,7 @@ module Gitlab log_warnings(problem_type: 'schema_validation_fails') unless schema_validation_errors.empty? - if Feature.enabled?(:enforce_security_report_validation, @project) - @errors += schema_validation_errors - else - @warnings += schema_validation_errors - end + @errors += schema_validation_errors end def populate_warnings @@ -130,11 +126,7 @@ module Gitlab def add_unsupported_report_version_message log_warnings(problem_type: 'using_unsupported_schema_version') - if Feature.enabled?(:enforce_security_report_validation, @project) - handle_unsupported_report_version(treat_as: :error) - else - handle_unsupported_report_version(treat_as: :warning) - end + handle_unsupported_report_version end def report_uses_deprecated_schema_version? @@ -145,14 +137,14 @@ module Gitlab SUPPORTED_VERSIONS[report_type].include?(report_version) end - def handle_unsupported_report_version(treat_as:) + def handle_unsupported_report_version if report_version.nil? message = "Report version not provided, #{report_type} report type supports versions: #{supported_schema_versions}" else message = "Version #{report_version} for report type #{report_type} is unsupported, supported versions for this report type are: #{supported_schema_versions}" end - add_message_as(level: treat_as, message: message) + add_message_as(level: :error, message: message) end def supported_schema_versions diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 6ca4f353dda..1cf256e2484 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -43512,9 +43512,6 @@ msgstr "" msgid "We recommend a work email address." msgstr "" -msgid "We recommend cloud-based mobile authenticator apps such as Authy, Duo Mobile, and LastPass. They can restore access if you lose your hardware device." -msgstr "" - msgid "We recommend leaving all SAST analyzers enabled" msgstr "" 
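Review bot: After the added `@errors += schema_validation_errors`, the `log_warnings(problem_type: 'schema_validation_fails')` call on the preceding context line now sits on an error path, so its name no longer describes what the method records; a comment such as `# schema failures are always errors now; log_warnings only names the log helper` would keep the next reader from looking for a warning path here. The `else` branch that fed `@warnings` is gone in this hunk and the `treat_as: :warning` branch is gone in the next, so it is worth confirming that `@warnings` still has a producer (`populate_warnings` is declared at the end of this hunk but its body is outside it) and that whatever reads the warnings does not now always see an empty list. The enclosing method starts outside the hunk.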
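Review bot: `add_message_as(level: :error, message: message)` now always records the interpolated `report_version` as an error, and that value comes from the uploaded report rather than from a known list, so wherever the errors are later rendered the message has to be treated as untrusted text and escaped; if it is shown in the UI it may also be worth bounding the embedded value, e.g. `message = "Version #{report_version.to_s[0, 64]} for report type #{report_type} is unsupported, supported versions for this report type are: #{supported_schema_versions}"` — hedged, since the renderer is outside this hunk. Dropping the `treat_as:` keyword from `handle_unsupported_report_version` means any caller outside this file still passing it would raise ArgumentError; the only caller visible here is updated in the second hunk. The method is complete inside this hunk but the enclosing class is not.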
@@ -43524,6 +43521,9 @@ msgstr "" msgid "We recommend that you buy additional Pipeline minutes to resume normal service." msgstr "" +msgid "We recommend using cloud-based authenticator applications that can restore access if you lose your hardware device." +msgstr "" + msgid "We sent you an email with reset password instructions" msgstr "" @@ -43824,6 +43824,9 @@ msgstr "" msgid "What are project audit events?" msgstr "" +msgid "What are some examples?" +msgstr "" + msgid "What does the setting affect?" msgstr "" diff --git a/spec/channels/awareness_channel_spec.rb b/spec/channels/awareness_channel_spec.rb index 8d6dc36f6bd..2bc62a2d44a 100644 --- a/spec/channels/awareness_channel_spec.rb +++ b/spec/channels/awareness_channel_spec.rb @@ -36,6 +36,7 @@ RSpec.describe AwarenessChannel, :clean_gitlab_redis_shared_state, type: :channe collaborator = { id: user.id, name: user.name, + username: user.username, avatar_url: user.avatar_url(size: 36), last_activity: Time.zone.now, last_activity_humanized: ActionController::Base.helpers.distance_of_time_in_words( diff --git a/spec/features/groups/group_runners_spec.rb b/spec/features/groups/group_runners_spec.rb index 1fe7f76949a..b98c94b030d 100644 --- a/spec/features/groups/group_runners_spec.rb +++ b/spec/features/groups/group_runners_spec.rb 
@@ -149,79 +149,39 @@ RSpec.describe "Group Runners" do create(:ci_runner, :group, groups: [group], description: 'runner-foo', contacted_at: Time.zone.now) end - context 'when group_runner_view_ui is disabled' do - before do - stub_feature_flags(group_runner_view_ui: false) - end + it 'user views runner details' do + visit group_runner_path(group, runner) - it 'user edits the runner to be protected' do - visit edit_group_runner_path(group, runner) - - expect(page.find_field('runner[access_level]')).not_to be_checked - - check 'runner_access_level' - click_button 'Save changes' - - expect(page).to have_content 'Protected Yes' - end - - context 'when a runner has a tag' do - before do - runner.update!(tag_list: ['tag']) - end - - it 'user edits runner not to run untagged jobs' do - visit edit_group_runner_path(group, runner) - - expect(page.find_field('runner[run_untagged]')).to be_checked - - uncheck 'runner_run_untagged' - click_button 'Save changes' - - expect(page).to have_content 'Can run untagged jobs No' - end - end + expect(page).to have_content "#{s_('Runners|Description')} runner-foo" end - context 'when group_runner_view_ui is enabled' do + it 'user edits the runner to be protected' do + visit edit_group_runner_path(group, runner) + + expect(page.find_field('runner[access_level]')).not_to be_checked + + check 'runner_access_level' + click_button _('Save changes') + + expect(page).to have_content "#{s_('Runners|Configuration')} #{s_('Runners|Protected')}" + end + + context 'when a runner has a tag' do before do - stub_feature_flags(group_runner_view_ui: true) + runner.update!(tag_list: ['tag1']) end - it 'user views runner details' do - visit group_runner_path(group, runner) - - expect(page).to have_content "#{s_('Runners|Description')} runner-foo" - end - - it 'user edits the runner to be protected' do + it 'user edits runner not to run untagged jobs' do visit edit_group_runner_path(group, runner) - expect(page.find_field('runner[access_level]')).not_to 
be_checked + page.find_field('runner[tag_list]').set('tag1, tag2') - check 'runner_access_level' + uncheck 'runner_run_untagged' click_button _('Save changes') - expect(page).to have_content "#{s_('Runners|Configuration')} #{s_('Runners|Protected')}" - end - - context 'when a runner has a tag' do - before do - runner.update!(tag_list: ['tag1']) - end - - it 'user edits runner not to run untagged jobs' do - visit edit_group_runner_path(group, runner) - - page.find_field('runner[tag_list]').set('tag1, tag2') - - uncheck 'runner_run_untagged' - click_button _('Save changes') - - # Tags can be in any order - expect(page).to have_content /#{s_('Runners|Tags')}.*tag1/ - expect(page).to have_content /#{s_('Runners|Tags')}.*tag2/ - end + # Tags can be in any order + expect(page).to have_content /#{s_('Runners|Tags')}.*tag1/ + expect(page).to have_content /#{s_('Runners|Tags')}.*tag2/ end end end diff --git a/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb b/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb index d06077d69b6..aaac75e072f 100644 --- a/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb +++ b/spec/lib/gitlab/ci/parsers/security/validators/schema_validator_spec.rb @@ -6,6 +6,10 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let_it_be(:project) { create(:project) } let(:supported_dast_versions) { described_class::SUPPORTED_VERSIONS[:dast].join(', ') } + let(:deprecated_schema_version_message) { } + let(:missing_schema_version_message) do + "Report version not provided, dast report type supports versions: #{supported_dast_versions}" + end let(:scanner) do { 
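Review bot: `expect(page).to have_content /#{s_('Runners|Tags')}.*tag1/` and the `tag2` line below it pass a regex literal without parentheses, which Ruby parses with an "ambiguous first argument" warning, and the interpolated translation is not regex-escaped. Prefer `expect(page).to have_content(/#{Regexp.escape(s_('Runners|Tags'))}.*tag1/)` for both lines. These lines are moved out of the removed flag context rather than newly written, so the commit only re-indents them; the enclosing describe block starts outside the hunk.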
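Review bot: `let(:deprecated_schema_version_message) { }` defines a memoized value that is always nil, while the sibling `missing_schema_version_message` added next to it gets a real string; none of the hunks in this patch reference the nil one. Either assign it the expected deprecation wording or delete the `let`, otherwise an `eq(deprecated_schema_version_message)` elsewhere in the file would assert against nil. The describe block these lets belong to starts outside the hunk.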
@@ -24,7 +28,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do expect(described_class::SUPPORTED_VERSIONS.keys).to eq(described_class::DEPRECATED_VERSIONS.keys) end - context 'when a schema JSON file exists for a particular report type version' do + context 'when all files under schema path are explicitly listed' do # We only care about the part that comes before report-format.json # https://rubular.com/r/N8Juz7r8hYDYgD filename_regex = /(?[-\w]*)\-report-format.json/ @@ -38,7 +42,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do matches = filename_regex.match(file) report_type = matches[:report_type].tr("-", "_").to_sym - it "#{report_type} #{version} is in the constant" do + it "#{report_type} #{version}" do expect(described_class::SUPPORTED_VERSIONS[report_type]).to include(version) end end @@ -68,7 +72,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let(:report_type) { :dast } let(:report_version) { described_class::SUPPORTED_VERSIONS[report_type].last } - context 'when the report is valid' do + context 'and the report is valid' do let(:report_data) do { 'version' => report_version, @@ -79,7 +83,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do it { is_expected.to be_truthy } end - context 'when the report is invalid' do + context 'and the report is invalid' do let(:report_data) do { 'version' => report_version @@ -118,7 +122,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do stub_const("#{described_class}::DEPRECATED_VERSIONS", deprecations_hash) end - context 'when the report passes schema validation' do + context 'and the report passes schema validation' do let(:report_data) do { 'version' => '10.0.0', 
@@ -143,34 +147,14 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do end end - context 'when the report does not pass schema validation' do - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: true) - end - - let(:report_data) do - { - 'version' => 'V2.7.0' - } - end - - it { is_expected.to be_falsey } + context 'and the report does not pass schema validation' do + let(:report_data) do + { + 'version' => 'V2.7.0' + } end - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - let(:report_data) do - { - 'version' => 'V2.7.0' - } - end - - it { is_expected.to be_truthy } - end + it { is_expected.to be_falsey } end end 
@@ -178,100 +162,67 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let(:report_type) { :dast } let(:report_version) { "12.37.0" } - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: true) + context 'and the report is valid' do + let(:report_data) do + { + 'version' => report_version, + 'vulnerabilities' => [] + } end - context 'when the report is valid' do - let(:report_data) do - { - 'version' => report_version, - 'vulnerabilities' => [] - } - end + it { is_expected.to be_falsey } - it { is_expected.to be_falsey } + it 'logs related information' do + expect(Gitlab::AppLogger).to receive(:info).with( + message: "security report schema validation problem", + security_report_type: report_type, + security_report_version: report_version, + project_id: project.id, + security_report_failure: 'using_unsupported_schema_version', + security_report_scanner_id: 'gemnasium', + security_report_scanner_version: '2.1.0' + ) + + subject + end + end + + context 'and the report is invalid' do + let(:report_data) do + { + 'version' => report_version + } + end + + context 'and scanner information is empty' do + let(:scanner) { {} } it 'logs related information' do + expect(Gitlab::AppLogger).to receive(:info).with( + message: "security report schema validation problem", + security_report_type: report_type, + security_report_version: report_version, + project_id: project.id, + security_report_failure: 'schema_validation_fails', + security_report_scanner_id: nil, + security_report_scanner_version: nil + ) + expect(Gitlab::AppLogger).to receive(:info).with( message: "security report schema validation problem", security_report_type: report_type, security_report_version: report_version, project_id: project.id, security_report_failure: 'using_unsupported_schema_version', - security_report_scanner_id: 'gemnasium', - security_report_scanner_version: '2.1.0' + 
security_report_scanner_id: nil, + security_report_scanner_version: nil ) subject end end - context 'when the report is invalid' do - let(:report_data) do - { - 'version' => report_version - } - end - - context 'when scanner information is empty' do - let(:scanner) { {} } - - it 'logs related information' do - expect(Gitlab::AppLogger).to receive(:info).with( - message: "security report schema validation problem", - security_report_type: report_type, - security_report_version: report_version, - project_id: project.id, - security_report_failure: 'schema_validation_fails', - security_report_scanner_id: nil, - security_report_scanner_version: nil - ) - - expect(Gitlab::AppLogger).to receive(:info).with( - message: "security report schema validation problem", - security_report_type: report_type, - security_report_version: report_version, - project_id: project.id, - security_report_failure: 'using_unsupported_schema_version', - security_report_scanner_id: nil, - security_report_scanner_version: nil - ) - - subject - end - end - - it { is_expected.to be_falsey } - end - end - - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - context 'when the report is valid' do - let(:report_data) do - { - 'version' => report_version, - 'vulnerabilities' => [] - } - end - - it { is_expected.to be_truthy } - end - - context 'when the report is invalid' do - let(:report_data) do - { - 'version' => report_version - } - end - - it { is_expected.to be_truthy } - end + it { is_expected.to be_falsey } end end 
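Review bot: In the new `context 'and the report is invalid'` the log-content assertions exist only under `context 'and scanner information is empty'`; with the default scanner (the one the valid-report example shows logging as `'gemnasium'`/`'2.1.0'`) an invalid report on an unsupported version is checked only by `it { is_expected.to be_falsey }`, so a regression that drops the `schema_validation_fails` log entry or its scanner identifiers would still pass. Consider adding a sibling `it 'logs related information'` directly in the invalid context that sets the same two `expect(Gitlab::AppLogger).to receive(:info).with(...)` expectations as the empty-scanner example, with `security_report_scanner_id: 'gemnasium'` and `security_report_scanner_version: '2.1.0'`, and then calls `subject`. The enclosing context that defines `report_type` and `report_version` opens before this hunk, and the default `scanner` let is not visible here, so the exact identifiers should be confirmed against it.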
@@ -284,19 +235,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do } end - before do - stub_feature_flags(enforce_security_report_validation: true) - end - it { is_expected.to be_falsey } - - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - it { is_expected.to be_truthy } - end end end @@ -307,7 +246,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let(:report_type) { :dast } let(:report_version) { described_class::SUPPORTED_VERSIONS[report_type].last } - context 'when the report is valid' do + context 'and the report is valid' do let(:report_data) do { 'version' => report_version, @@ -318,34 +257,20 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do it { is_expected.to be_empty } end - context 'when the report is invalid' do + context 'and the report is invalid' do let(:report_data) do { 'version' => report_version } end - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: project) - end - - let(:expected_errors) do - [ - 'root is missing required keys: vulnerabilities' - ] - end - - it { is_expected.to match_array(expected_errors) } + let(:expected_errors) do + [ + 'root is missing required keys: vulnerabilities' + ] end - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - it { is_expected.to be_empty } - end + it { is_expected.to match_array(expected_errors) } end end @@ -363,7 +288,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do stub_const("#{described_class}::DEPRECATED_VERSIONS", deprecations_hash) end - context 'when the report passes schema validation' do + context 'and the report passes schema validation' do let(:report_data) do { 'version' => '10.0.0', 
@@ -374,41 +299,21 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do it { is_expected.to be_empty } end - context 'when the report does not pass schema validation' do - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: true) - end - - let(:report_data) do - { - 'version' => 'V2.7.0' - } - end - - let(:expected_errors) do - [ - "property '/version' does not match pattern: ^[0-9]+\\.[0-9]+\\.[0-9]+$", - "root is missing required keys: vulnerabilities" - ] - end - - it { is_expected.to match_array(expected_errors) } + context 'and the report does not pass schema validation' do + let(:report_data) do + { + 'version' => 'V2.7.0' + } end - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - let(:report_data) do - { - 'version' => 'V2.7.0' - } - end - - it { is_expected.to be_empty } + let(:expected_errors) do + [ + "property '/version' does not match pattern: ^[0-9]+\\.[0-9]+\\.[0-9]+$", + "root is missing required keys: vulnerabilities" + ] end + + it { is_expected.to match_array(expected_errors) } end end 
@@ -416,71 +321,38 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let(:report_type) { :dast } let(:report_version) { "12.37.0" } - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: true) + context 'and the report is valid' do + let(:report_data) do + { + 'version' => report_version, + 'vulnerabilities' => [] + } end - context 'when the report is valid' do - let(:report_data) do - { - 'version' => report_version, - 'vulnerabilities' => [] - } - end - - let(:expected_errors) do - [ - "Version 12.37.0 for report type dast is unsupported, supported versions for this report type are: #{supported_dast_versions}" - ] - end - - it { is_expected.to match_array(expected_errors) } + let(:expected_errors) do + [ + "Version 12.37.0 for report type dast is unsupported, supported versions for this report type are: #{supported_dast_versions}" + ] end - context 'when the report is invalid' do - let(:report_data) do - { - 'version' => report_version - } - end - - let(:expected_errors) do - [ - "Version 12.37.0 for report type dast is unsupported, supported versions for this report type are: #{supported_dast_versions}", - "root is missing required keys: vulnerabilities" - ] - end - - it { is_expected.to match_array(expected_errors) } - end + it { is_expected.to match_array(expected_errors) } end - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) + context 'and the report is invalid' do + let(:report_data) do + { + 'version' => report_version + } end - context 'when the report is valid' do - let(:report_data) do - { - 'version' => report_version, - 'vulnerabilities' => [] - } - end - - it { is_expected.to be_empty } + let(:expected_errors) do + [ + "Version 12.37.0 for report type dast is unsupported, supported versions for this report type are: #{supported_dast_versions}", + 
"root is missing required keys: vulnerabilities" + ] end - context 'when the report is invalid' do - let(:report_data) do - { - 'version' => report_version - } - end - - it { is_expected.to be_empty } - end + it { is_expected.to match_array(expected_errors) } end end @@ -501,14 +373,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do end it { is_expected.to match_array(expected_errors) } - - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - it { is_expected.to be_empty } - end end end @@ -519,7 +383,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let(:report_type) { :dast } let(:report_version) { described_class::SUPPORTED_VERSIONS[report_type].last } - context 'when the report is valid' do + context 'and the report is valid' do let(:report_data) do { 'version' => report_version, @@ -530,7 +394,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do it { is_expected.to be_empty } end - context 'when the report is invalid' do + context 'and the report is invalid' do let(:report_data) do { 'version' => report_version @@ -560,7 +424,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do stub_const("#{described_class}::DEPRECATED_VERSIONS", deprecations_hash) end - context 'when the report passes schema validation' do + context 'and the report passes schema validation' do let(:report_data) do { 'version' => report_version, @@ -571,7 +435,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do it { is_expected.to match_array(expected_deprecation_warnings) } end - context 'when the report does not pass schema validation' do + context 'and the report does not pass schema validation' do let(:report_data) do { 'version' => 'V2.7.0' 
@@ -604,7 +468,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let(:report_type) { :dast } let(:report_version) { described_class::SUPPORTED_VERSIONS[report_type].last } - context 'when the report is valid' do + context 'and the report is valid' do let(:report_data) do { 'version' => report_version, @@ -615,34 +479,14 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do it { is_expected.to be_empty } end - context 'when the report is invalid' do + context 'and the report is invalid' do let(:report_data) do { 'version' => report_version } end - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: project) - end - - it { is_expected.to be_empty } - end - - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - let(:expected_warnings) do - [ - 'root is missing required keys: vulnerabilities' - ] - end - - it { is_expected.to match_array(expected_warnings) } - end + it { is_expected.to be_empty } end end @@ -660,7 +504,7 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do stub_const("#{described_class}::DEPRECATED_VERSIONS", deprecations_hash) end - context 'when the report passes schema validation' do + context 'and the report passes schema validation' do let(:report_data) do { 'vulnerabilities' => [] 
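Review bot: In the hunk at `@@ -615,34 +479,14 @@` the invalid-report example now asserts only `it { is_expected.to be_empty }`, and nothing on the page says why an invalid report produces no entries in what appear to be the `warnings` examples (the removed lets were named `expected_warnings`); a reader could take it for a missing expectation. A one-line comment on the example would make the intent explicit, e.g. `# schema failures surface through #errors now that validation is no longer behind a flag, so no warning is emitted`, with the "no longer behind a flag" part confirmed against the feature-flag removal in the same commit. The same applies to the `be_empty` examples in the hunks at `@@ -670,35 +514,14 @@` and `@@ -706,71 +529,25 @@`.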
@@ -670,35 +514,14 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do it { is_expected.to be_empty } end - context 'when the report does not pass schema validation' do + context 'and the report does not pass schema validation' do let(:report_data) do { 'version' => 'V2.7.0' } end - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: true) - end - - it { is_expected.to be_empty } - end - - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - let(:expected_warnings) do - [ - "property '/version' does not match pattern: ^[0-9]+\\.[0-9]+\\.[0-9]+$", - "root is missing required keys: vulnerabilities" - ] - end - - it { is_expected.to match_array(expected_warnings) } - end + it { is_expected.to be_empty } end end 
@@ -706,71 +529,25 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do let(:report_type) { :dast } let(:report_version) { "12.37.0" } - context 'when enforce_security_report_validation is enabled' do - before do - stub_feature_flags(enforce_security_report_validation: true) + context 'and the report is valid' do + let(:report_data) do + { + 'version' => report_version, + 'vulnerabilities' => [] + } end - context 'when the report is valid' do - let(:report_data) do - { - 'version' => report_version, - 'vulnerabilities' => [] - } - end - - it { is_expected.to be_empty } - end - - context 'when the report is invalid' do - let(:report_data) do - { - 'version' => report_version - } - end - - it { is_expected.to be_empty } - end + it { is_expected.to be_empty } end - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) + context 'and the report is invalid' do + let(:report_data) do + { + 'version' => report_version + } end - context 'when the report is valid' do - let(:report_data) do - { - 'version' => report_version, - 'vulnerabilities' => [] - } - end - - let(:expected_warnings) do - [ - "Version 12.37.0 for report type dast is unsupported, supported versions for this report type are: #{supported_dast_versions}" - ] - end - - it { is_expected.to match_array(expected_warnings) } - end - - context 'when the report is invalid' do - let(:report_data) do - { - 'version' => report_version - } - end - - let(:expected_warnings) do - [ - "Version 12.37.0 for report type dast is unsupported, supported versions for this report type are: #{supported_dast_versions}", - "root is missing required keys: vulnerabilities" - ] - end - - it { is_expected.to match_array(expected_warnings) } - end + it { is_expected.to be_empty } end end 
@@ -784,21 +561,6 @@ RSpec.describe Gitlab::Ci::Parsers::Security::Validators::SchemaValidator do end it { is_expected.to be_empty } - - context 'when enforce_security_report_validation is disabled' do - before do - stub_feature_flags(enforce_security_report_validation: false) - end - - let(:expected_warnings) do - [ - "root is missing required keys: version", - "Report version not provided, dast report type supports versions: #{supported_dast_versions}" - ] - end - - it { is_expected.to match_array(expected_warnings) } - end end end end