root
/
gitlab-ce
mirror of https://gitlab.com/free-releases/gitlab-ce.git
1
0
Fork 0
Code Issues Actions Packages Projects Releases Wiki Activity

Add latest changes from gitlab-org/gitlab@master

This commit is contained in:
GitLab Bot 2023-02-09 00:12:09 +00:00
parent 3d42e098d9
commit c46d8e7601
21 changed files with 371 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
app/helpers/application_settings_helper.rb
View File

@ -75,16 +75,38 @@ module ApplicationSettingsHelper
end
def restricted_level_checkboxes(form)
Gitlab::VisibilityLevel.values.map do |level|
restricted_visibility_levels_help_text = {
Gitlab::VisibilityLevel::PUBLIC => s_(
'AdminSettings|If selected, only administrators are able to create public groups, projects, ' \
'and snippets. Also, profiles are only visible to authenticated users.'
),
Gitlab::VisibilityLevel::INTERNAL => s_(
'AdminSettings|If selected, only administrators are able to create internal groups, projects, and ' \
'snippets.'
),
Gitlab::VisibilityLevel::PRIVATE => s_(
'AdminSettings|If selected, only administrators are able to create private groups, projects, and ' \
'snippets.'
)
}
Gitlab::VisibilityLevel.options.map do |label, level|
checked = restricted_visibility_levels(true).include?(level)
form.gitlab_ui_checkbox_component(
:restricted_visibility_levels,
"#{visibility_level_icon(level)} #{visibility_level_label(level)}".html_safe,
checkbox_options: { checked: checked, multiple: true, autocomplete: 'off' },
checked_value: level,
unchecked_value: nil
)
) do |c|
c.label do
visibility_level_icon(level) + content_tag(:span, label, { class: 'gl-ml-2' })
end
c.help_text do
restricted_visibility_levels_help_text.fetch(level)
end
end
end
end

13
app/models/ci/job_token/project_scope_link.rb
View File

@ -8,6 +8,8 @@ module Ci
class ProjectScopeLink < Ci::ApplicationRecord
self.table_name = 'ci_job_token_project_scope_links'
PROJECT_LINK_DIRECTIONAL_LIMIT = 100
belongs_to :source_project, class_name: 'Project'
# the project added to the scope's allowlist
belongs_to :target_project, class_name: 'Project'
@ -20,6 +22,7 @@ module Ci
validates :source_project, presence: true
validates :target_project, presence: true
validate :not_self_referential_link
validate :source_project_under_link_limit, on: :create
# When outbound the target project is allowed to be accessed by the source job token.
# When inbound the source project is allowed to be accessed by the target job token.
@ -41,6 +44,16 @@ module Ci
self.errors.add(:target_project, _("can't be the same as the source project"))
end
end
def source_project_under_link_limit
return unless source_project
existing_links_count = self.class.with_source(source_project).with_access_direction(direction).count
if existing_links_count >= PROJECT_LINK_DIRECTIONAL_LIMIT
errors.add(:source_project, "exceeds the allowable number of project links in this direction")
end
end
end
end
end

14
app/views/admin/application_settings/_visibility_and_access.html.haml
View File

@ -14,13 +14,15 @@
.form-group.visibility-level-setting
= f.label :default_group_visibility, class: 'label-bold'
= render('shared/visibility_radios', model_method: :default_group_visibility, form: f, selected_level: @application_setting.default_group_visibility, form_model: Group.new)
.form-group
= f.label :restricted_visibility_levels, class: 'label-bold gl-mb-0'
%span.form-text.gl-mt-0.gl-mb-3#restricted-visibility-help
= _('Selected levels cannot be used by non-admin users for groups, projects or snippets. If the public level is restricted, user profiles are only visible to logged in users.')
%fieldset.form-group.gl-form-group{ data: { testid: 'restricted-visibility-levels' } }
%legend.col-form-label
= s_('AdminSettings|Restricted visibility levels')
%small.form-text.text-gl-muted
= s_('AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets.')
= hidden_field_tag 'application_setting[restricted_visibility_levels][]'
- restricted_level_checkboxes(f).each do |level|
= level
.gl-form-checkbox-group
- restricted_level_checkboxes(f).each do |checkbox|
= checkbox
.form-group
= f.label :import_sources, s_('AdminSettings|Import sources'), class: 'label-bold gl-mb-0'
%span.form-text.gl-mt-0.gl-mb-3#import-sources-help

2
app/views/admin/application_settings/general.html.haml
View File

@ -3,7 +3,7 @@
- add_page_specific_style 'page_bundles/settings'
- @content_class = "limit-container-width" unless fluid_layout
%section.settings.as-visibility-access.no-animate#js-visibility-settings{ class: ('expanded' if expanded_by_default?) }
%section.settings.as-visibility-access.no-animate#js-visibility-settings{ class: ('expanded' if expanded_by_default?), data: { testid: 'admin-visibility-access-settings' } }
.settings-header
%h4.settings-title.js-settings-toggle.js-settings-toggle-trigger-only
= _('Visibility and access controls')

10
data/deprecations/15-9-deprecate-legacy-requirements-iid.yml Normal file
View File

@ -0,0 +1,10 @@
- title: 'The GitLab legacy requirement IID is deprecated in favor of work item IID'
announcement_milestone: '15.9'
removal_milestone: '17.0'
breaking_change: true
reporter: mmacfarlane
body: |
We will be transitioning to a new IID as a result of moving requirements to a [work item type](https://docs.gitlab.com/ee/development/work_items.html#work-items-and-work-item-types). Users should begin using the new IID as support for the legacy IID and existing formatting will end in GitLab 17.0. The legacy requirement IID remains available until its removal in GitLab 17.0.
stage: plan
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/390263

16
data/deprecations/15-9-rails-error-tracking.yml Normal file
View File

@ -0,0 +1,16 @@
- title: "Error Tracking UI in GitLab Rails is deprecated"
announcement_milestone: "15.9"
removal_milestone: "16.0"
breaking_change: true
reporter: kbychu
stage: monitor
issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/389991
body: |
The [Error Tracking UI](https://docs.gitlab.com/ee/operations/error_tracking.html) is deprecated in 15.9 and will be removed in 16.0. In future versions, you should use the [GitLab Observability UI](https://gitlab.com/gitlab-org/opstrace/opstrace-ui/), which will gradually be made available on GitLab.com over the next few releases.
During the transition to the GitLab Observability UI, we will migrate the [GitLab Observability Backend](https://gitlab.com/gitlab-org/opstrace/opstrace) from a per-cluster deployment model to a per-tenant deployment model. Because [Integrated Error Tracking](https://docs.gitlab.com/ee/operations/error_tracking.html#integrated-error-tracking) is in Open Beta, we will not migrate any existing user data. For more details about the migration, see the direction pages for:
- [Observability](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
- The [Observability Backend](https://about.gitlab.com/direction/monitor/observability/data-management/).
- [Data visualization](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
documentation_url: https://docs.gitlab.com/ee/operations/error_tracking.html

7
doc/administration/geo/replication/container_registry.md
View File

@ -7,7 +7,12 @@ type: howto
# Container Registry for a secondary site **(PREMIUM SELF)**
You can set up a Container Registry on your **secondary** Geo site that mirrors the one on the **primary** Geo site.
You can set up a Container Registry on your **secondary** Geo site that mirrors the one on the **primary** Geo site.
NOTE:
The Container Registry replication is used only for disaster recovery purposes. We do not recommend
pulling the Container Registry data from the secondary. For a feature proposal to implement it in the
future, see [Geo: Accelerate container images by serving read request from secondary site](https://gitlab.com/gitlab-org/gitlab/-/issues/365864) for details.
## Supported container registries

108
doc/administration/operations/fast_ssh_key_lookup.md
View File

@ -134,11 +134,8 @@ This overview is brief. Refer to the above instructions for more context.
## Use `gitlab-sshd` instead of OpenSSH
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/299109) in GitLab 14.5 as an **Alpha** release for self-managed customers.
WARNING:
`gitlab-sshd` is in [**Alpha**](../../policy/alpha-beta-support.md#alpha-features).
It is not ready for production use.
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/299109) in GitLab 14.5 as an **Alpha** release for self-managed customers.
> - Ready for production use with [Cloud Native GitLab in GitLab 15.1](https://gitlab.com/gitlab-org/charts/gitlab/-/issues/2540) and [Omnibus GitLab in GitLab 15.9](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/5937).
`gitlab-sshd` is [a standalone SSH server](https://gitlab.com/gitlab-org/gitlab-shell/-/tree/main/internal/sshd)
written in Go. It is provided as a part of the `gitlab-shell` package. It has a lower memory
@ -150,21 +147,58 @@ running behind the proxy.
[SSH operations](https://gitlab.com/gitlab-org/gitlab-shell/-/blob/71a7f34a476f778e62f8fe7a453d632d395eaf8f/doc/features.md).
While OpenSSH uses a restricted shell approach, `gitlab-sshd` behaves more like a
modern multi-threaded server application, responding to incoming requests. The major
difference is that OpenSSH uses SSH as a transport protocol while `gitlab-sshd` uses Remote Procedure Calls (RPCs).
difference is that OpenSSH uses SSH as a transport protocol while `gitlab-sshd` uses Remote Procedure Calls (RPCs). See [the blog post](https://about.gitlab.com/blog/2022/08/17/why-we-have-implemented-our-own-sshd-solution-on-gitlab-sass/) for more details.
The capabilities of GitLab Shell are not limited to Git operations.
If you are considering switching from OpenSSH to `gitlab-sshd`, consider these concerns:
- The `gitlab-sshd` component is only available for
[GitLab Helm chart](https://docs.gitlab.com/charts/) deployments.
- `gitlab-sshd` supports the PROXY protocol. It can run behind proxy servers that rely
on it, such as HAProxy. The PROXY protocol not enabled by default, but can be enabled with a Helm chart setting.
- By default, `gitlab-sshd` binds to port 22, but you can configure a different port in the Helm chart.
on it, such as HAProxy. The PROXY protocol is not enabled by default, but [it can be enabled](#proxy-protocol-support).
- `gitlab-sshd` **does not** support SSH certificates. For more details, read
[issue #495](https://gitlab.com/gitlab-org/gitlab-shell/-/issues/495).
To switch from OpenSSH to `gitlab-sshd`:
To use `gitlab-sshd`:
::Tabs
:::TabTitle Linux package (Omnibus)
The following instructions enable `gitlab-sshd` on a different port than OpenSSH:
1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
gitlab_sshd['enable'] = true
gitlab_sshd['listen_address'] = '[::]:2222' # Adjust the port accordingly
```
1. Optional. By default, Omnibus GitLab generates SSH host keys for `gitlab-sshd` if
they do not exist in `/var/opt/gitlab/gitlab-sshd`. If you wish to disable this automatic generation, add this line:
```ruby
gitlab_sshd['generate_host_keys'] = false
```
1. Save the file and reconfigure GitLab:
```shell
sudo gitlab-ctl reconfigure
```
By default, `gitlab-sshd` runs as the `git` user. As a result, `gitlab-sshd` cannot
run on privileged port numbers lower than 1024. This means users must
access Git with the `gitlab-sshd` port, or use a load balancer that
directs SSH traffic to the `gitlab-sshd` port to hide this.
Users may see host key warnings because the newly-generated host keys
differ from the OpenSSH host keys. Consider disabling host key
generation and copy the existing OpenSSH host keys into
`/var/opt/gitlab/gitlab-sshd` if this is an issue.
:::TabTitle Helm chart (Kubernetes)
The following instructions switch OpenSSH in favor of `gitlab-sshd`:
1. Set the `gitlab-shell` charts `sshDaemon` option to
[`gitlab-sshd`](https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell/index.html#installation-command-line-options).
@ -178,6 +212,58 @@ To switch from OpenSSH to `gitlab-sshd`:
1. Perform a Helm upgrade.
By default, `gitlab-sshd` listens for:
- External requests on port 22 (`global.shell.port`).
- Internal requests on port 2222 (`gitlab.gitlab-shell.service.internalPort`).
You can [configure different ports in the Helm chart](https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell/#configuration).
::EndTabs
### PROXY protocol support
When a load balancer is used in front of `gitlab-sshd`, GitLab reports the IP
address of the proxy instead of the actual IP address of the client. `gitlab-sshd`
supports the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) to
obtain the real IP address.
::Tabs
:::TabTitle Linux package (Omnibus)
To enable the PROXY protocol:
1. Edit `/etc/gitlab/gitlab.rb`:
```ruby
gitlab_sshd['proxy_protocol'] = true
# # Proxy protocol policy ("use", "require", "reject", "ignore"), "use" is the default value
gitlab_sshd['proxy_policy'] = "use"
```
1. Save the file and reconfigure GitLab:
```shell
sudo gitlab-ctl reconfigure
```
:::TabTitle Helm chart (Kubernetes)
1. Set the [`gitlab.gitlab-shell.config` options](https://docs.gitlab.com/charts/charts/gitlab/gitlab-shell/index.html#installation-command-line-options). For example:
```yaml
gitlab:
gitlab-shell:
config:
proxyProtocol: true
proxyPolicy: "use"
```
1. Perform a Helm upgrade.
::EndTabs
## SELinux support and limitations
GitLab supports `authorized_keys` database lookups with [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux).

2
doc/api/environments.md
View File

@ -293,7 +293,7 @@ PUT /projects/:id/environments/:environments_id
|------------------|----------------|----------|---------------------------------------------------------------------------------------------------------------------|
| `id` | integer/string | yes | The ID or [URL-encoded path of the project](rest/index.md#namespaced-path-encoding). |
| `environment_id` | integer | yes | The ID of the environment. |
| `name` | string | no | [Deprecated and will be removed in GitLab 15.0](https://gitlab.com/gitlab-org/gitlab/-/issues/338897). |
| `name` | string | no | [Deprecated and will be removed in GitLab 16.0](https://gitlab.com/gitlab-org/gitlab/-/issues/338897). |
| `external_url` | string | no | The new `external_url`. |
| `tier` | string | no | The tier of the new environment. Allowed values are `production`, `staging`, `testing`, `development`, and `other`. |

4
doc/raketasks/backup_restore.md
View File

@ -761,7 +761,9 @@ Backup failed
If this happens, examine the following:
- Confirm there is sufficient disk space for the Gzip operation.
- Confirm there is sufficient disk space for the Gzip operation. It's not uncommon for backups that
use the [default strategy](backup_gitlab.md#backup-strategy-option) to require half the instance size
in free disk space during backup creation.
- If NFS is being used, check if the mount option `timeout` is set. The
default is `600`, and changing this to smaller values results in this error.

34
doc/update/deprecations.md
View File

@ -121,6 +121,26 @@ We intend to replace this feature with the ability to [embed charts](https://git
</div>
<div class="deprecation removal-160 breaking-change">
### Error Tracking UI in GitLab Rails is deprecated
Planned removal: GitLab <span class="removal-milestone">16.0</span> <span class="removal-date"></span>
WARNING:
This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/).
Review the details carefully before upgrading.
The [Error Tracking UI](https://docs.gitlab.com/ee/operations/error_tracking.html) is deprecated in 15.9 and will be removed in 16.0. In future versions, you should use the [GitLab Observability UI](https://gitlab.com/gitlab-org/opstrace/opstrace-ui/), which will gradually be made available on GitLab.com over the next few releases.
During the transition to the GitLab Observability UI, we will migrate the [GitLab Observability Backend](https://gitlab.com/gitlab-org/opstrace/opstrace) from a per-cluster deployment model to a per-tenant deployment model. Because [Integrated Error Tracking](https://docs.gitlab.com/ee/operations/error_tracking.html#integrated-error-tracking) is in Open Beta, we will not migrate any existing user data. For more details about the migration, see the direction pages for:
- [Observability](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
- The [Observability Backend](https://about.gitlab.com/direction/monitor/observability/data-management/).
- [Data visualization](https://about.gitlab.com/direction/monitor/observability/data-visualization/).
</div>
<div class="deprecation removal-170 breaking-change">
### GitLab Runner platforms and setup instructions in GraphQL API
@ -189,6 +209,20 @@ This change means the following metrics will become unavailable on `/metrics`:
This may require updating your metrics collection targets to also scrape `/db_metrics`.
</div>
<div class="deprecation removal-170 breaking-change">
### The GitLab legacy requirement IID is deprecated in favor of work item IID
Planned removal: GitLab <span class="removal-milestone">17.0</span> <span class="removal-date"></span>
WARNING:
This is a [breaking change](https://docs.gitlab.com/ee/development/deprecation_guidelines/).
Review the details carefully before upgrading.
We will be transitioning to a new IID as a result of moving requirements to a [work item type](https://docs.gitlab.com/ee/development/work_items.html#work-items-and-work-item-types). Users should begin using the new IID as support for the legacy IID and existing formatting will end in GitLab 17.0. The legacy requirement IID remains available until its removal in GitLab 17.0.
</div>
</div>

2
doc/update/index.md
View File

@ -266,7 +266,7 @@ and [Helm Chart deployments](https://docs.gitlab.com/charts/). They come with ap
### 15.9.0
- This version removes `SanitizeConfidentialTodos` background migration which was [added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87908/diffs) in 15.6 and removed any user inaccessible Todos. Make sure that this migration is finished before upgrading to 15.9.
- This version removes `SanitizeConfidentialTodos` background migration [added](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/87908/diffs) in 15.6, which removed any user inaccessible to-do items. Make sure that this migration is finished before upgrading to 15.9.
- As part of the [CI Partitioning effort](../architecture/blueprints/ci_data_decay/pipeline_partitioning.md), a [new Foreign Key](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107547) was added to `ci_builds_needs`. On GitLab instances with large CI tables, adding this constraint can take longer than usual. Make sure that this migration is finished before upgrading to 15.9.
### 15.8.0

17
doc/user/admin_area/settings/visibility_and_access_controls.md
View File

@ -155,18 +155,23 @@ For more details on group visibility, see
## Restrict visibility levels
To restrict visibility levels for projects, snippets, and selected pages:
To restrict visibility levels for groups, projects, snippets, and selected pages:
1. Sign in to GitLab as a user with Administrator access level.
1. On the top bar, select **Main menu > Admin**.
1. On the left sidebar, select **Settings > General**.
1. Expand the **Visibility and access controls** section.
1. In the **Restricted visibility levels** section, select the desired visibility levels to restrict.
If you restrict the **Public** level:
- User profiles are only visible to authenticated users via the Web interface.
- User attributes via the GraphQL API are:
- Not visible in [GitLab 15.1 and later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88020).
- Only visible to authenticated users between [GitLab 13.1](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33195) and GitLab 15.0.
- If you restrict the **Public** level:
- Only administrators are able to create public groups, projects, and snippets.
- User profiles are only visible to authenticated users through the Web interface.
- User attributes through the GraphQL API are:
- Not visible in [GitLab 15.1 and later](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/88020).
- Only visible to authenticated users between [GitLab 13.1](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/33195) and GitLab 15.0.
- If you restrict the **Internal** level:
- Only administrators are able to create internal groups, projects, and snippets.
- If you restrict the **Private** level:
- Only administrators are able to create private groups, projects, and snippets.
1. Select **Save changes**.
For more details on project visibility, see

1
doc/user/application_security/container_scanning/index.md
View File

@ -268,6 +268,7 @@ including a large number of false positives.
| `CS_REGISTRY_PASSWORD` | `$CI_REGISTRY_PASSWORD` | Password for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
| `CS_REGISTRY_USER` | `$CI_REGISTRY_USER` | Username for accessing a Docker registry requiring authentication. The default is only set if `$CS_IMAGE` resides at [`$CI_REGISTRY`](../../../ci/variables/predefined_variables.md). Not supported when [FIPS mode](../../../development/fips_compliance.md#enable-fips-mode) is enabled. | All |
| `CS_DOCKERFILE_PATH` | `Dockerfile` | The path to the `Dockerfile` to use for generating remediations. By default, the scanner looks for a file named `Dockerfile` in the root directory of the project. You should configure this variable only if your `Dockerfile` is in a non-standard location, such as a subdirectory. See [Solutions for vulnerabilities](#solutions-for-vulnerabilities-auto-remediation) for more details. | All |
| `CS_QUIET` | `""` | If set, this variable disables output of the [vulnerabilities table](#container-scanning-job-log-format) in the job log. [Introduced](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning/-/merge_requests/50) in GitLab 15.1. | All |
| `SECURE_LOG_LEVEL` | `info` | Set the minimum logging level. Messages of this logging level or higher are output. From highest to lowest severity, the logging levels are: `fatal`, `error`, `warn`, `info`, `debug`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/10880) in GitLab 13.1. | All |
### Supported distributions

21
locale/gitlab.pot
View File

@ -2929,6 +2929,15 @@ msgstr ""
msgid "AdminSettings|If not specified at the group or instance level, the default is %{default_initial_branch_name}. Does not affect existing repositories."
msgstr ""
msgid "AdminSettings|If selected, only administrators are able to create internal groups, projects, and snippets."
msgstr ""
msgid "AdminSettings|If selected, only administrators are able to create private groups, projects, and snippets."
msgstr ""
msgid "AdminSettings|If selected, only administrators are able to create public groups, projects, and snippets. Also, profiles are only visible to authenticated users."
msgstr ""
msgid "AdminSettings|If there isn't any existing index, GitLab creates one."
msgstr ""
@ -3010,6 +3019,9 @@ msgstr ""
msgid "AdminSettings|Pause Elasticsearch indexing"
msgstr ""
msgid "AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets."
msgstr ""
msgid "AdminSettings|Preview payload"
msgstr ""
@ -3037,6 +3049,9 @@ msgstr ""
msgid "AdminSettings|Restrict group access by IP address. %{link_start}Learn more%{link_end}."
msgstr ""
msgid "AdminSettings|Restricted visibility levels"
msgstr ""
msgid "AdminSettings|Save %{name} limits"
msgstr ""
@ -29368,6 +29383,9 @@ msgstr ""
msgid "OnDemandScans|Unable to fetch runner tags. Try reloading the page."
msgstr ""
msgid "OnDemandScans|Verify"
msgstr ""
msgid "OnDemandScans|Verify configuration"
msgstr ""
@ -38996,9 +39014,6 @@ msgstr ""
msgid "Selected for some items."
msgstr ""
msgid "Selected levels cannot be used by non-admin users for groups, projects or snippets. If the public level is restricted, user profiles are only visible to logged in users."
msgstr ""
msgid "Selected tag is already in use. Choose another option."
msgstr ""

17
spec/controllers/projects/pipelines_controller_spec.rb
View File

@ -2,7 +2,7 @@
require 'spec_helper'
RSpec.describe Projects::PipelinesController do
RSpec.describe Projects::PipelinesController, feature_category: :continuous_integration do
include ApiHelpers
let_it_be(:user) { create(:user) }
@ -52,21 +52,6 @@ RSpec.describe Projects::PipelinesController do
expect(stages.count).to eq 3
end
end
it 'does not execute N+1 queries', quarantine: 'https://gitlab.com/gitlab-org/gitlab/-/issues/345470' do
get_pipelines_index_json
control_count = ActiveRecord::QueryRecorder.new do
get_pipelines_index_json
end.count
create_all_pipeline_types
# There appears to be one extra query for Pipelines#has_warnings? for some reason
expect { get_pipelines_index_json }.not_to exceed_query_limit(control_count + 1)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['pipelines'].count).to eq 12
end
end
it 'does not include coverage data for the pipelines' do

1
spec/controllers/registrations_controller_spec.rb
View File

@ -8,7 +8,6 @@ RSpec.describe RegistrationsController, feature_category: :user_profile do
before do
stub_application_setting(require_admin_approval_after_user_signup: false)
stub_feature_flags(arkose_labs_signup_challenge: false)
end
describe '#new' do

30
spec/features/admin/admin_settings_spec.rb
View File

@ -24,7 +24,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'change visibility settings' do
page.within('.as-visibility-access') do
page.within('[data-testid="admin-visibility-access-settings"]') do
choose "application_setting_default_project_visibility_20"
click_button 'Save changes'
end
@ -33,23 +33,29 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'uncheck all restricted visibility levels' do
page.within('.as-visibility-access') do
find('#application_setting_restricted_visibility_levels_0').set(false)
find('#application_setting_restricted_visibility_levels_10').set(false)
find('#application_setting_restricted_visibility_levels_20').set(false)
page.within('[data-testid="restricted-visibility-levels"]') do
uncheck s_('VisibilityLevel|Public')
uncheck s_('VisibilityLevel|Internal')
uncheck s_('VisibilityLevel|Private')
end
page.within('[data-testid="admin-visibility-access-settings"]') do
click_button 'Save changes'
end
expect(page).to have_content "Application settings saved successfully"
expect(find('#application_setting_restricted_visibility_levels_0')).not_to be_checked
expect(find('#application_setting_restricted_visibility_levels_10')).not_to be_checked
expect(find('#application_setting_restricted_visibility_levels_20')).not_to be_checked
page.within('[data-testid="restricted-visibility-levels"]') do
expect(find_field(s_('VisibilityLevel|Public'))).not_to be_checked
expect(find_field(s_('VisibilityLevel|Internal'))).not_to be_checked
expect(find_field(s_('VisibilityLevel|Private'))).not_to be_checked
end
end
it 'modify import sources' do
expect(current_settings.import_sources).not_to be_empty
page.within('.as-visibility-access') do
page.within('[data-testid="admin-visibility-access-settings"]') do
Gitlab::ImportSources.options.map do |name, _|
uncheck name
end
@ -60,7 +66,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
expect(page).to have_content "Application settings saved successfully"
expect(current_settings.import_sources).to be_empty
page.within('.as-visibility-access') do
page.within('[data-testid="admin-visibility-access-settings"]') do
check "Repository by URL"
click_button 'Save changes'
end
@ -70,7 +76,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'change Visibility and Access Controls' do
page.within('.as-visibility-access') do
page.within('[data-testid="admin-visibility-access-settings"]') do
page.within('[data-testid="project-export"]') do
uncheck 'Enabled'
end
@ -88,7 +94,7 @@ RSpec.describe 'Admin updates settings', feature_category: :not_owned do
end
it 'change Keys settings' do
page.within('.as-visibility-access') do
page.within('[data-testid="admin-visibility-access-settings"]') do
select 'Are forbidden', from: 'RSA SSH keys'
select 'Are allowed', from: 'DSA SSH keys'
select 'Must be at least 384 bits', from: 'ECDSA SSH keys'

61
spec/helpers/application_settings_helper_spec.rb
View File

@ -3,6 +3,14 @@
require 'spec_helper'
RSpec.describe ApplicationSettingsHelper do
include Devise::Test::ControllerHelpers
let_it_be(:current_user) { create(:admin) }
before do
allow(helper).to receive(:current_user).and_return(current_user)
end
context 'when all protocols in use' do
before do
stub_application_setting(enabled_git_access_protocol: '')
@ -360,13 +368,10 @@ RSpec.describe ApplicationSettingsHelper do
end
describe '#instance_clusters_enabled?', :request_store do
let_it_be(:user) { create(:user) }
subject { helper.instance_clusters_enabled? }
before do
allow(helper).to receive(:current_user).and_return(user)
allow(helper).to receive(:can?).with(user, :read_cluster, instance_of(Clusters::Instance)).and_return(true)
allow(helper).to receive(:can?).with(current_user, :read_cluster, instance_of(Clusters::Instance)).and_return(true)
end
it { is_expected.to be_truthy }
@ -379,4 +384,52 @@ RSpec.describe ApplicationSettingsHelper do
it { is_expected.to be_falsey }
end
end
describe '#restricted_level_checkboxes' do
let_it_be(:application_setting) { create(:application_setting) }
before do
allow(current_user).to receive(:can_admin_all_resources?).and_return(true)
stub_application_setting(
restricted_visibility_levels: [
Gitlab::VisibilityLevel::PUBLIC,
Gitlab::VisibilityLevel::INTERNAL,
Gitlab::VisibilityLevel::PRIVATE
]
)
end
it 'returns restricted level checkboxes with correct label, description, and HTML attributes' do
helper.gitlab_ui_form_for(application_setting, url: '/admin/application_settings/general') do |form|
result = helper.restricted_level_checkboxes(form)
expect(result[0]).to have_checked_field(s_('VisibilityLevel|Private'), with: Gitlab::VisibilityLevel::PRIVATE)
expect(result[0]).to have_selector('[data-testid="lock-icon"]')
expect(result[0]).to have_content(
s_(
'AdminSettings|If selected, only administrators are able to create private groups, projects, and ' \
'snippets.'
)
)
expect(result[1]).to have_checked_field(s_('VisibilityLevel|Internal'), with: Gitlab::VisibilityLevel::INTERNAL)
expect(result[1]).to have_selector('[data-testid="shield-icon"]')
expect(result[1]).to have_content(
s_(
'AdminSettings|If selected, only administrators are able to create internal groups, projects, and ' \
'snippets.'
)
)
expect(result[2]).to have_checked_field(s_('VisibilityLevel|Public'), with: Gitlab::VisibilityLevel::PUBLIC)
expect(result[2]).to have_selector('[data-testid="earth-icon"]')
expect(result[2]).to have_content(
s_(
'AdminSettings|If selected, only administrators are able to create public groups, projects, ' \
'and snippets. Also, profiles are only visible to authenticated users.'
)
)
end
end
end
end

24
spec/models/ci/job_token/project_scope_link_spec.rb
View File

@ -28,6 +28,30 @@ RSpec.describe Ci::JobToken::ProjectScopeLink, feature_category: :continuous_int
end
end
describe '.create' do
let_it_be(:target) { create(:project) }
let(:new_link) { described_class.create(source_project: project, target_project: target) } # rubocop:disable Rails/SaveBang
context 'when there are more than PROJECT_LINK_DIRECTIONAL_LIMIT existing links' do
before do
create_list(:ci_job_token_project_scope_link, 5, source_project: project)
stub_const("#{described_class}::PROJECT_LINK_DIRECTIONAL_LIMIT", 3)
end
it 'invalidates new links and prevents them from being created' do
expect { new_link }.not_to change { described_class.count }
expect(new_link).not_to be_persisted
expect(new_link.errors.full_messages)
.to include('Source project exceeds the allowable number of project links in this direction')
end
it 'does not invalidate existing links' do
expect(described_class.count).to be > described_class::PROJECT_LINK_DIRECTIONAL_LIMIT
expect(described_class.all).to all(be_valid)
end
end
end
describe 'validations' do
it 'must have a source project', :aggregate_failures do
link = build(:ci_job_token_project_scope_link, source_project: nil)

26
spec/requests/projects/pipelines_controller_spec.rb
View File

@ -19,6 +19,32 @@ RSpec.describe Projects::PipelinesController, feature_category: :continuous_inte
login_as(user)
end
describe "GET index.json" do
it 'does not execute N+1 queries' do
get_pipelines_index
control_count = ActiveRecord::QueryRecorder.new do
get_pipelines_index
end.count
%w[pending running success failed canceled].each do |status|
create(:ci_pipeline, project: project, status: status)
end
# There appears to be one extra query for Pipelines#has_warnings? for some reason
expect { get_pipelines_index }.not_to exceed_query_limit(control_count + 1)
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['pipelines'].count).to eq 6
end
def get_pipelines_index
get namespace_project_pipelines_path(
namespace_id: project.namespace.to_param,
project_id: project.to_param,
format: :json)
end
end
describe "GET stages.json" do
it 'does not execute N+1 queries' do
request_build_stage