diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index 17613240c4f..f1451a0a67d 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -105,7 +105,6 @@ module Ci
delegate :trigger_short_token, to: :trigger_request, allow_nil: true
delegate :ensure_persistent_ref, to: :pipeline
delegate :enable_debug_trace!, to: :metadata
- delegate :debug_trace_enabled?, to: :metadata
serialize :options # rubocop:disable Cop/ActiveRecordSerialize
serialize :yaml_variables, Gitlab::Serializer::Ci::Variables # rubocop:disable Cop/ActiveRecordSerialize
@@ -1018,7 +1017,7 @@ module Ci
def debug_mode?
# perform the check on both sides in case the runner version is old
- debug_trace_enabled? ||
+ metadata&.debug_trace_enabled? ||
Gitlab::Utils.to_boolean(variables['CI_DEBUG_SERVICES']&.value, default: false) ||
Gitlab::Utils.to_boolean(variables['CI_DEBUG_TRACE']&.value, default: false)
end
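Review bot: The nil case introduced at `metadata&.debug_trace_enabled? ||` is not covered by the existing comment, which only explains the runner-version fallback; a one-liner such as `# metadata may be absent for this build; nil falls through to the variable checks` would tell the next reader why the safe navigation is there and that a missing metadata row counts as "not debug". Separately, the earlier hunk in this file drops `delegate :debug_trace_enabled?, to: :metadata`, which removes a public method from Ci::Build, so any remaining caller of `build.debug_trace_enabled?` outside this file would now raise NoMethodError and is worth a grep before merge. debug_mode? is shown in full here; its enclosing class starts outside the hunk.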
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index ff012368e85..6ed7434397b 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -1468,8 +1468,6 @@ module Ci
end
def track_ci_pipeline_created_event
- return unless Feature.enabled?(:track_ci_pipeline_created_event, project, type: :gitlab_com_derisk)
-
Gitlab::InternalEvents.track_event('create_ci_internal_pipeline', project: project, user: user)
end
end
diff --git a/app/workers/personal_access_tokens/expiring_worker.rb b/app/workers/personal_access_tokens/expiring_worker.rb
index 5f8316d184d..9a52a64bde1 100644
--- a/app/workers/personal_access_tokens/expiring_worker.rb
+++ b/app/workers/personal_access_tokens/expiring_worker.rb
@@ -3,6 +3,7 @@
module PersonalAccessTokens
class ExpiringWorker # rubocop:disable Scalability/IdempotentWorker
include ApplicationWorker
+ include Gitlab::Utils::StrongMemoize
data_consistency :always
@@ -12,44 +13,73 @@ module PersonalAccessTokens
MAX_TOKENS = 100
+ # For the worker is timing out with a bigger batch size
+ # https://gitlab.com/gitlab-org/gitlab/-/issues/432518
+ BATCH_SIZE = 100
+
def perform(*args)
- notification_service = NotificationService.new
limit_date = PersonalAccessToken::DAYS_TO_EXPIRE.days.from_now.to_date
- User.with_expiring_and_not_notified_personal_access_tokens(limit_date).find_each do |user|
- with_context(user: user) do
- expiring_user_tokens = user.personal_access_tokens.without_impersonation.expiring_and_not_notified(limit_date)
+ # rubocop: disable CodeReuse/ActiveRecord -- We need to specify batch size to avoid timing out of worker
+ loop do
+ tokens = PersonalAccessToken.without_impersonation.expiring_and_not_notified(limit_date)
+ .select(:user_id).limit(BATCH_SIZE).to_a
- # rubocop: disable CodeReuse/ActiveRecord
- # We never materialise the token instances. We need the names to mention them in the
- # email. Later we trigger an update query on the entire relation, not on individual instances.
- token_names = expiring_user_tokens.limit(MAX_TOKENS).pluck(:name)
- # We're limiting to 100 tokens so we avoid loading too many tokens into memory.
- # At the time of writing this would only affect 69 users on GitLab.com
+ break if tokens.empty?
- # rubocop: enable CodeReuse/ActiveRecord
+ users = User.where(id: tokens.pluck(:user_id).uniq)
- message = if user.project_bot?
- notification_service.resource_access_tokens_about_to_expire(user, token_names)
+ users.each do |user|
+ with_context(user: user) do
+ expiring_user_tokens = user.personal_access_tokens
+ .without_impersonation.expiring_and_not_notified(limit_date)
- "Notifying Bot User resource owners about expiring tokens"
- else
- notification_service.access_token_about_to_expire(user, token_names)
+ next if expiring_user_tokens.empty?
- "Notifying User about expiring tokens"
- end
+ # We never materialise the token instances. We need the names to mention them in the
+ # email. Later we trigger an update query on the entire relation, not on individual instances.
+ token_names = expiring_user_tokens.limit(MAX_TOKENS).pluck(:name)
+ # We're limiting to 100 tokens so we avoid loading too many tokens into memory.
+ # At the time of writing this would only affect 69 users on GitLab.com
- Gitlab::AppLogger.info(
- message: message,
- class: self.class,
- user_id: user.id
- )
+ # rubocop: enable CodeReuse/ActiveRecord
+ if user.project_bot?
+ deliver_bot_notifications(token_names, user)
+ else
+ deliver_user_notifications(token_names, user)
+ end
- expiring_user_tokens.each_batch do |expiring_tokens|
- expiring_tokens.update_all(expire_notification_delivered: true)
+ expiring_user_tokens.update_all(expire_notification_delivered: true)
end
end
end
end
+
+ private
+
+ def deliver_bot_notifications(token_names, user)
+ notification_service.resource_access_tokens_about_to_expire(user, token_names)
+
+ Gitlab::AppLogger.info(
+ message: "Notifying Bot User resource owners about expiring tokens",
+ class: self.class,
+ user_id: user.id
+ )
+ end
+
+ def deliver_user_notifications(token_names, user)
+ notification_service.access_token_about_to_expire(user, token_names)
+
+ Gitlab::AppLogger.info(
+ message: "Notifying User about expiring tokens",
+ class: self.class,
+ user_id: user.id
+ )
+ end
+
+ def notification_service
+ NotificationService.new
+ end
+ strong_memoize_attr :notification_service
end
end
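Review bot: The `loop do` in perform terminates only when the batch query returns no rows, so a batch containing a token that never gets `expire_notification_delivered: true` is re-selected on every iteration and the worker never finishes. Two paths in the new code can leave a selected token unflagged: `User.where(id: ...)` returning no row for a token's `user_id`, and `next if expiring_user_tokens.empty?` skipping a user whose token the unscoped query still matched; in both cases the same `limit(BATCH_SIZE)` batch comes back unchanged. Counting the rows that `update_all` actually flagged and breaking when a whole batch flags nothing bounds the loop without touching the happy path; the rewritten lines are below. The method's surrounding structure is fully inside the hunk.
```ruby
        break if tokens.empty?

        marked = 0
        users = User.where(id: tokens.pluck(:user_id).uniq)

        users.each do |user|
          with_context(user: user) do
            # … unchanged: per-user token lookup, name collection, notification delivery …
            marked += expiring_user_tokens.update_all(expire_notification_delivered: true)
          end
        end

        # A batch that flagged nothing would be selected again on the next
        # iteration; stop instead of spinning until the worker is killed.
        break if marked.zero?
```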
diff --git a/config/feature_flags/gitlab_com_derisk/track_ci_pipeline_created_event.yml b/config/feature_flags/gitlab_com_derisk/track_ci_pipeline_created_event.yml
deleted file mode 100644
index 4a7379156ae..00000000000
--- a/config/feature_flags/gitlab_com_derisk/track_ci_pipeline_created_event.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-name: track_ci_pipeline_created_event
-feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/429065
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142356
-rollout_issue_url: https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17445
-milestone: '16.9'
-group: group::pipeline execution
-type: gitlab_com_derisk
-default_enabled: false
diff --git a/doc/administration/audit_event_reports.md b/doc/administration/audit_event_reports.md
index 479a5e6ca6d..15c7995d4a2 100644
--- a/doc/administration/audit_event_reports.md
+++ b/doc/administration/audit_event_reports.md
@@ -51,7 +51,7 @@ To view a group's audit events:
1. Select **Secure > Audit events**.
1. Filter the audit events by the member of the project (user) who performed the action and date range.
-Group audit events can also be accessed using the [Group Audit Events API](../api/audit_events.md#group-audit-events). Group audit event queries are limited to a maximum of 30 days.
+Group audit events can also be accessed using the [Group Audit Events API](../api/audit_events.md#group-audit-events). Group audit event queries `created_after` and `created_before` parameters are limited to a maximum 30 day difference between the dates.
### Project audit events
@@ -59,7 +59,7 @@ Group audit events can also be accessed using the [Group Audit Events API](../ap
1. Select **Secure > Audit events**.
1. Filter the audit events by the member of the project (user) who performed the action and date range.
-Project audit events can also be accessed using the [Project Audit Events API](../api/audit_events.md#project-audit-events). Project audit event queries are limited to a maximum of 30 days.
+Project audit events can also be accessed using the [Project Audit Events API](../api/audit_events.md#project-audit-events). Project audit event queries `created_after` and `created_before` parameters are limited to a maximum 30 day difference between the dates.
### Instance audit events
diff --git a/doc/administration/logs/log_parsing.md b/doc/administration/logs/log_parsing.md
index 4dc69cac2fb..b884f25877e 100644
--- a/doc/administration/logs/log_parsing.md
+++ b/doc/administration/logs/log_parsing.md
@@ -165,24 +165,25 @@ CT: 190 ROUTE: /api/:version/projects/:id/repository/commits DURS: 1079.02,
#### Print top API user agents
```shell
-jq --raw-output '[.route, .ua] | @tsv' api_json.log | sort | uniq -c | sort -n
+jq --raw-output 'select(.remote_ip != "127.0.0.1") | [.remote_ip, .username, .route, .ua] | @tsv' api_json.log |
+ sort | uniq -c | sort -n | tail
```
**Example output**:
```plaintext
- 89 /api/:version/usage_data/increment_unique_users # plus browser details
- 567 /api/:version/jobs/:id/trace gitlab-runner # plus version details
-1234 /api/:version/internal/allowed GitLab-Shell
+ 89 1.2.3.4, 127.0.0.1 some_user /api/:version/projects/:id/pipelines # plus browser details; OK
+ 567 5.6.7.8, 127.0.0.1 /api/:version/jobs/:id/trace gitlab-runner # plus version details; OK
+1234 98.76.54.31, 127.0.0.1 some_bot /api/:version/projects/:id/repository/files/:file_path/raw
```
-This sample response seems typical. A custom tool or script might be causing a high load
-if the output contains many:
+This example shows a custom tool or script causing an unexpectedly high number of requests.
+User agents in this situation can be:
- Third party libraries like `python-requests` or `curl`.
- [GitLab CLI clients](https://about.gitlab.com/partners/technology-partners/#cli-clients).
-You can also [use `fast-stats top`](#parsing-gitlab-logs-with-jq) to extract performance statistics.
+You can also [use `fast-stats top`](#parsing-gitlab-logs-with-jq) to extract performance statistics for those users or bots.
### Parsing `gitlab-rails/importer.log`
@@ -200,19 +201,13 @@ For common issues, see [troubleshooting](../../administration/raketasks/project_
#### Print top Workhorse user agents
```shell
-jq --raw-output '[.uri, .user_agent] | @tsv' current | sort | uniq -c | sort -n
+jq --raw-output 'select(.remote_ip != "127.0.0.1") | [.remote_ip, .uri, .user_agent] | @tsv' current |
+ sort | uniq -c | sort -n | tail
```
-**Example output**:
-
-```plaintext
- 89 /api/graphql # plus browser details
- 567 /api/v4/internal/allowed GitLab-Shell
-1234 /api/v4/jobs/request gitlab-runner # plus version details
-```
-
-Similar to the [API `ua` data](#print-top-api-user-agents),
-deviations from this common order might indicate scripts that could be optimized.
+Similar to the [API `ua` example](#print-top-api-user-agents),
+many unexpected user agents in this output indicate unoptimized scripts.
+Expected user agents include `gitlab-runner`, `GitLab-Shell`, and browsers.
The performance impact of runners checking for new jobs can be reduced by increasing
[the `check_interval` setting](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section),
diff --git a/doc/api/geo_nodes.md b/doc/api/geo_nodes.md
index 6363e4538ab..566f9f5b1b0 100644
--- a/doc/api/geo_nodes.md
+++ b/doc/api/geo_nodes.md
@@ -4,12 +4,17 @@ group: Geo
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# Geo Nodes API
+# Geo Nodes API (deprecated)
DETAILS:
**Tier:** Premium, Ultimate
**Offering:** Self-managed
+WARNING:
+The Geo Nodes API was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/369140) in GitLab 16.0
+and is planned for removal in v5 of the API. Use the [Geo Sites API](geo_sites.md) instead.
+This change is a breaking change.
+
To interact with Geo node endpoints, you must authenticate yourself as an
administrator.
diff --git a/doc/user/application_security/breach_and_attack_simulation/index.md b/doc/user/application_security/breach_and_attack_simulation/index.md
index ab00de5fb36..f0b172444d3 100644
--- a/doc/user/application_security/breach_and_attack_simulation/index.md
+++ b/doc/user/application_security/breach_and_attack_simulation/index.md
@@ -4,13 +4,18 @@ group: Incubation
info: Breach and Attack Simulation is a GitLab Incubation Engineering program. No technical writer assigned to this group.
---
-# Breach and Attack Simulation
+
+
+# Breach and Attack Simulation (deprecated)
DETAILS:
**Tier:** Ultimate
**Offering:** SaaS, self-managed
**Status:** Experiment
+WARNING:
+This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab 16.9 and will be removed in 17.0. This change is a breaking change.
+
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/402784) in GitLab 15.11 as an Incubating feature.
> - [Included](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119981) in the `Security/BAS.latest.gitlab-ci.yml` in GitLab 16.0.
@@ -147,3 +152,5 @@ You can also manually enable callback attacks by making sure to:
1. Enable both the application being tested and callback service container using [services](../../../ci/services/index.md).
1. Enable container-to-container networking [making the callback service accessible](../../../ci/services/index.md#connecting-services) in the job.
1. Set `DAST_BROWSER_CALLBACK` to include `Address:$YOUR_CALLBACK_URL` key/value pair where the callback service is accessible to the Runner/DAST container.
+
+
diff --git a/doc/user/application_security/dast/browser/index.md b/doc/user/application_security/dast/browser/index.md
index 427c02b1fbe..4df225e2fd9 100644
--- a/doc/user/application_security/dast/browser/index.md
+++ b/doc/user/application_security/dast/browser/index.md
@@ -11,26 +11,29 @@ DETAILS:
**Tier:** Ultimate
**Offering:** SaaS, self-managed
-> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/323423) in GitLab 13.12 as a Beta feature.
> - [Generally available](https://gitlab.com/groups/gitlab-org/-/epics/9023) in GitLab 15.7 (GitLab DAST v3.0.50).
-Browser-based DAST helps you identify security weaknesses (CWEs) in your web applications. After you deploy your web application, it
-becomes exposed to new types of attacks, many of which cannot be detected prior to deployment. For example, misconfigurations of your
-application server or incorrect assumptions about security controls may not be visible from the source code, but they can be detected with browser-based DAST.
+Browser-based DAST helps you identify security weaknesses (CWEs) in your web applications. After you
+deploy your web application, it becomes exposed to new types of attacks, many of which cannot be
+detected prior to deployment. For example, misconfigurations of your application server or incorrect
+assumptions about security controls may not be visible from the source code, but they can be
+detected with browser-based DAST.
-Dynamic Application Security Testing (DAST) examines applications for
-vulnerabilities like these in deployed environments.
+Dynamic Application Security Testing (DAST) examines applications for vulnerabilities like these in
+deployed environments.
For an overview, see [Dynamic Application Security Testing (DAST)](https://www.youtube.com/watch?v=nbeDUoLZJTo).
WARNING:
-Do not run DAST scans against a production server. Not only can it perform *any* function that
-a user can, such as clicking buttons or submitting forms, but it may also trigger bugs, leading to modification or loss of production data. Only run DAST scans against a test server.
+Do not run DAST scans against a production server. Not only can it perform *any* function that a
+user can, such as clicking buttons or submitting forms, but it may also trigger bugs, leading to
+modification or loss of production data. Only run DAST scans against a test server.
-The DAST browser-based analyzer was built by GitLab to scan modern-day web applications for vulnerabilities.
-Scans run in a browser to optimize testing applications heavily dependent on JavaScript, such as single-page applications.
-See [how DAST scans an application](#how-dast-scans-an-application) for more information.
+The DAST browser-based analyzer was built by GitLab to scan modern-day web applications for
+vulnerabilities. Scans run in a browser to optimize testing applications heavily dependent on
+JavaScript, such as single-page applications. See
+[how DAST scans an application](#how-dast-scans-an-application) for more information.
To add the analyzer to your CI/CD pipeline, see [enabling the analyzer](configuration/enabling_the_analyzer.md).
diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md
index c26ff196543..6d8671f2741 100644
--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
@@ -10,11 +10,27 @@ DETAILS:
**Tier:** Ultimate
**Offering:** SaaS, Self-managed
-Dynamic Application Security Testing (DAST) runs automated penetration tests to find vulnerabilities in your web applications and APIs as they are running. DAST automates a hacker’s approach and simulates real-world attacks for critical threats such as cross-site scripting (XSS), SQL injection (SQLi), and cross-site request forgery (CSRF) to uncover vulnerabilities and misconfigurations that other security tools cannot detect.
+WARNING:
+Proxy-based DAST was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab
+16.9 and is planned for removal in 17.0. Use [browser-based DAST](browser_based.md) instead. This
+change is a breaking change.
-DAST is completely language agnostic and examines your application from the outside in. With a running application in a test environment, DAST scans can be automated via your CI/CD pipeline, automated on a schedule, or run independently via on-demand scans. Utilizing DAST during the SDLC enables teams to uncover vulnerabilities before their applications are in production. DAST is a foundational component of software security and should be used in tandem with SAST, dependency and license scanning, and secret detection to provide a comprehensive security assessment of your applications.
+Dynamic Application Security Testing (DAST) runs automated penetration tests to find vulnerabilities
+in your web applications and APIs as they are running. DAST automates a hacker’s approach and
+simulates real-world attacks for critical threats such as cross-site scripting (XSS), SQL injection
+(SQLi), and cross-site request forgery (CSRF) to uncover vulnerabilities and misconfigurations that
+other security tools cannot detect.
-GitLab’s Browser-based DAST and DAST API are proprietary runtime tools, which provide broad security coverage for modern-day web applications and APIs.
+DAST is completely language agnostic and examines your application from the outside in. With a
+running application in a test environment, DAST scans can be automated in a CI/CD pipeline,
+automated on a schedule, or run independently by using on-demand scans. Using DAST during the
+software development life cycle enables teams to uncover vulnerabilities before their applications
+are in production. DAST is a foundational component of software security and should be used in
+tandem with SAST, dependency and license scanning, and secret detection, to provide a comprehensive
+security assessment of your applications.
+
+GitLab’s Browser-based DAST and DAST API are proprietary runtime tools, which provide broad security
+coverage for modern-day web applications and APIs.
For an overview, see [Dynamic Application Security Testing (DAST)](https://www.youtube.com/watch?v=nbeDUoLZJTo).
diff --git a/doc/user/application_security/dast/proxy-based.md b/doc/user/application_security/dast/proxy-based.md
index 30e673172ae..410d1848508 100644
--- a/doc/user/application_security/dast/proxy-based.md
+++ b/doc/user/application_security/dast/proxy-based.md
@@ -12,9 +12,7 @@ DETAILS:
**Offering:** SaaS, Self-managed
WARNING:
-This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab 16.9
-and is planned for removal in 17.0. Use [browser-based DAST](browser_based.md) instead.
-This change is a breaking change.
+This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab 16.9 and will be removed in 17.0. Use [browser-based DAST](browser_based.md) instead. This change is a breaking change.
The DAST proxy-based analyzer can be added to your [GitLab CI/CD](../../../ci/index.md) pipeline.
This helps you discover vulnerabilities in web applications that do not use JavaScript heavily. For applications that do,
diff --git a/doc/user/application_security/policies/scan-result-policies.md b/doc/user/application_security/policies/scan-result-policies.md
index 677f500c48c..535fb194eba 100644
--- a/doc/user/application_security/policies/scan-result-policies.md
+++ b/doc/user/application_security/policies/scan-result-policies.md
@@ -144,15 +144,15 @@ This rule enforces the defined actions based on security scan findings.
This rule enforces the defined actions based on license findings.
-| Field | Type | Required | Possible values | Description |
-|------------|------|----------|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `type` | `string` | true | `license_finding` | The rule's type. |
-| `branches` | `array` of `string` | true if `branch_type` field does not exist | `[]` or the branch's name | Applicable only to protected target branches. An empty array, `[]`, applies the rule to all protected target branches. Cannot be used with the `branch_type` field. |
-| `branch_type` | `string` | true if `branches` field does not exist | `default` or `protected` | The types of protected branches the given policy applies to. Cannot be used with the `branches` field. Default branches must also be `protected`. |
-| `branch_exceptions` | `array` of `string` | false | Names of branches | Branches to exclude from this rule. |
-| `match_on_inclusion` | `boolean` | true | `true`, `false` | **{warning}** **[Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/424513)** in GitLab 16.9. Whether the rule matches inclusion or exclusion of licenses listed in `license_types`. |
-| `license_types` | `array` of `string` | true | license types | [SPDX license names](https://spdx.org/licenses) to match on, for example `Affero General Public License v1.0` or `MIT License`. |
-| `license_states` | `array` of `string` | true | `newly_detected`, `detected` | Whether to match newly detected and/or previously detected licenses. The `newly_detected` state triggers approval when either a new package is introduced or when a new license for an existing package is detected. |
+| Field | Type | Required | Possible values | Description |
+|----------------------|---------------------|--------------------------------------------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `type` | `string` | true | `license_finding` | The rule's type. |
+| `branches` | `array` of `string` | true if `branch_type` field does not exist | `[]` or the branch's name | Applicable only to protected target branches. An empty array, `[]`, applies the rule to all protected target branches. Cannot be used with the `branch_type` field. |
+| `branch_type` | `string` | true if `branches` field does not exist | `default` or `protected` | The types of protected branches the given policy applies to. Cannot be used with the `branches` field. Default branches must also be `protected`. |
+| `branch_exceptions` | `array` of `string` | false | Names of branches | Branches to exclude from this rule. |
+| `match_on_inclusion` | `boolean` | true | `true`, `false` | **{warning}** **[Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/424513)** in GitLab 16.9. Whether the rule matches inclusion or exclusion of licenses listed in `license_types`. When `false`, any detected licenses excluded from `license_types` require approval. |
+| `license_types` | `array` of `string` | true | license types | [SPDX license names](https://spdx.org/licenses) to match on, for example `Affero General Public License v1.0` or `MIT License`. |
+| `license_states` | `array` of `string` | true | `newly_detected`, `detected` | Whether to match newly detected and/or previously detected licenses. The `newly_detected` state triggers approval when either a new package is introduced or when a new license for an existing package is detected. |
## `any_merge_request` rule type
diff --git a/doc/user/gitlab_com/index.md b/doc/user/gitlab_com/index.md
index 9093d62dbd6..1feaa15e105 100644
--- a/doc/user/gitlab_com/index.md
+++ b/doc/user/gitlab_com/index.md
@@ -343,28 +343,27 @@ code. The client should wait before attempting the request again. There
are also informational headers with this response detailed in
[rate limiting responses](#rate-limiting-responses).
-The following table describes the rate limits for GitLab.com, both before and
-after the limits change in January, 2021:
+The following table describes the rate limits for GitLab.com:
-| Rate limit | From 2021-02-12 | From 2022-02-03 |
-|:---------------------------------------------------------------------------|:------------------------------|:-------------------------------------|
-| **Protected paths** (for a given **IP address**) | **10** requests per minute | **10** requests per minute |
-| **Raw endpoint** traffic (for a given **project, commit, and file path**) | **300** requests per minute | **300** requests per minute |
-| **Unauthenticated** traffic (from a given **IP address**) | **500** requests per minute | **500** requests per minute |
-| **Authenticated** API traffic (for a given **user**) | **2,000** requests per minute | **2,000** requests per minute |
-| **Authenticated** non-API HTTP traffic (for a given **user**) | **1,000** requests per minute | **1,000** requests per minute |
-| **All** traffic (from a given **IP address**) | **2,000** requests per minute | **2,000** requests per minute |
-| **Issue creation** | **300** requests per minute | **200** requests per minute |
-| **Note creation** (on issues and merge requests) | **60** requests per minute | **60** requests per minute |
-| **Advanced, project, and group search** API (for a given **IP address**) | **10** requests per minute | **10** requests per minute |
-| **GitLab Pages** requests (for a given **IP address**) | | **1000** requests per **50 seconds** |
-| **GitLab Pages** requests (for a given **GitLab Pages domain**) | | **5000** requests per **10 seconds** |
-| **GitLab Pages** TLS connections (for a given **IP address**) | | **1000** requests per **50 seconds** |
-| **GitLab Pages** TLS connections (for a given **GitLab Pages domain**) | | **400** requests per **10 seconds** |
-| **Pipeline creation** requests (for a given **project, user, and commit**) | | **25** requests per minute |
-| **Alert integration endpoint** requests (for a given **project**) | | **3600** requests per hour |
-| **[Pull mirroring](../project/repository/mirror/pull.md)** intervals | **5** minutes | **5** minutes |
-| **API Requests** (from a given **user**) to `/api/v4/users/:id` | | **300** requests per **10 minutes** |
+| Rate limit | Setting |
+|:---------------------------------------------------------------------------|:-------------------------------------|
+| **Protected paths** (for a given **IP address**) | **10** requests per minute |
+| **Raw endpoint** traffic (for a given **project, commit, and file path**) | **300** requests per minute |
+| **Unauthenticated** traffic (from a given **IP address**) | **500** requests per minute |
+| **Authenticated** API traffic (for a given **user**) | **2,000** requests per minute |
+| **Authenticated** non-API HTTP traffic (for a given **user**) | **1,000** requests per minute |
+| **All** traffic (from a given **IP address**) | **2,000** requests per minute |
+| **Issue creation** | **200** requests per minute |
+| **Note creation** (on issues and merge requests) | **60** requests per minute |
+| **Advanced, project, and group search** API (for a given **IP address**) | **10** requests per minute |
+| **GitLab Pages** requests (for a given **IP address**) | **1000** requests per **50 seconds** |
+| **GitLab Pages** requests (for a given **GitLab Pages domain**) | **5000** requests per **10 seconds** |
+| **GitLab Pages** TLS connections (for a given **IP address**) | **1000** requests per **50 seconds** |
+| **GitLab Pages** TLS connections (for a given **GitLab Pages domain**) | **400** requests per **10 seconds** |
+| **Pipeline creation** requests (for a given **project, user, and commit**) | **25** requests per minute |
+| **Alert integration endpoint** requests (for a given **project**) | **3600** requests per hour |
+| **[Pull mirroring](../project/repository/mirror/pull.md)** intervals | **5** minutes |
+| **API Requests** (from a given **user**) to `/api/v4/users/:id` | **300** requests per **10 minutes** |
More details are available on the rate limits for
[protected paths](#protected-paths-throttle) and
diff --git a/doc/user/project/import/gitea.md b/doc/user/project/import/gitea.md
index a83512f9d7a..ce7197ca2da 100644
--- a/doc/user/project/import/gitea.md
+++ b/doc/user/project/import/gitea.md
@@ -31,6 +31,11 @@ in your GitLab instance. This means the project creator (usually the user that
started the import process) is set as the author. A reference, however, is kept
on the issue about the original Gitea author.
+## Known issue
+
+Because of [issue 434175](https://gitlab.com/gitlab-org/gitlab/-/issues/434175), projects with a dot
+in their path must be renamed for all items to be imported correctly.
+
## Prerequisites
> - Requirement for Maintainer role instead of Developer role introduced in GitLab 16.0 and backported to GitLab 15.11.1 and GitLab 15.10.5.
diff --git a/package.json b/package.json
index 2897da4e85c..43cba167c23 100644
--- a/package.json
+++ b/package.json
@@ -61,7 +61,7 @@
"@gitlab/favicon-overlay": "2.0.0",
"@gitlab/fonts": "^1.3.0",
"@gitlab/svgs": "3.83.0",
- "@gitlab/ui": "^74.2.0",
+ "@gitlab/ui": "^74.3.0",
"@gitlab/visual-review-tools": "1.7.3",
"@gitlab/web-ide": "^0.0.1-dev-20240208022507",
"@mattiasbuelens/web-streams-adapter": "^0.1.0",
diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb
index 84369b9bfc3..8741d347c36 100644
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -121,7 +121,7 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def
context 'when transitioning to any state from running' do
it 'removes runner_session' do
%w[success drop cancel].each do |event|
- build = FactoryBot.create(:ci_build, :running, :with_runner_session, pipeline: pipeline)
+ build = create(:ci_build, :running, :with_runner_session, pipeline: pipeline)
build.fire_events!(event)
@@ -5064,6 +5064,14 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def
it { is_expected.to eq false }
end
+
+ context 'when metadata does not exist' do
+ before do
+ build.metadata.destroy!
+ end
+
+ it { is_expected.to eq false }
+ end
end
describe '#drop_with_exit_code!' do
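Review bot: The new 'when metadata does not exist' context may not exercise the nil path it is named for: after `build.metadata.destroy!`, the has_one target typically stays loaded on the in-memory build as a frozen record, so `build.metadata` still returns an object and `metadata&.debug_trace_enabled?` reads false from it rather than hitting the safe-navigation nil. Unless the subject, which is defined outside the hunk, reloads the build, the example passes for the wrong reason; adding `build.reload` after the destroy in the `before` block would make it test the guard. The enclosing describe block starts outside the hunk.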
diff --git a/spec/models/ci/pipeline_spec.rb b/spec/models/ci/pipeline_spec.rb
index 74f011e3496..60665f4b779 100644
--- a/spec/models/ci/pipeline_spec.rb
+++ b/spec/models/ci/pipeline_spec.rb
@@ -190,18 +190,6 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep, feature_category:
pipeline.save!
end
end
-
- context 'with FF track_ci_pipeline_created_event disabled' do
- before do
- stub_feature_flags(track_ci_pipeline_created_event: false)
- end
-
- it 'does not track the creation event' do
- expect(Gitlab::InternalEvents).not_to receive(:track_event)
-
- pipeline.save!
- end
- end
end
end
diff --git a/spec/workers/personal_access_tokens/expiring_worker_spec.rb b/spec/workers/personal_access_tokens/expiring_worker_spec.rb
index 0cc63fdb85e..3879d55668e 100644
--- a/spec/workers/personal_access_tokens/expiring_worker_spec.rb
+++ b/spec/workers/personal_access_tokens/expiring_worker_spec.rb
@@ -25,15 +25,26 @@ RSpec.describe PersonalAccessTokens::ExpiringWorker, type: :worker, feature_cate
it 'marks the notification as delivered' do
expect { worker.perform }.to change { expiring_token.reload.expire_notification_delivered }.from(false).to(true)
end
+
+ it 'avoids N+1 queries', :use_sql_query_cache do
+ control = ActiveRecord::QueryRecorder.new(skip_cached: false) { worker.perform }
+
+ user1 = create(:user)
+ create(:personal_access_token, user: user1, expires_at: 5.days.from_now)
+
+ user2 = create(:user)
+ create(:personal_access_token, user: user2, expires_at: 5.days.from_now)
+
+ # Query count increased for the user look up
+ expect { worker.perform }.not_to exceed_all_query_limit(control).with_threshold(4)
+ end
end
context 'when no tokens need to be notified' do
let_it_be(:pat) { create(:personal_access_token, expires_at: 5.days.from_now, expire_notification_delivered: true) }
- it "doesn't use notification service to send the email" do
- expect_next_instance_of(NotificationService) do |notification_service|
- expect(notification_service).not_to receive(:access_token_about_to_expire).with(pat.user, [pat.name])
- end
+ it "doesn't call notification services" do
+ expect(worker).not_to receive(:notification_service)
worker.perform
end
@@ -47,9 +58,7 @@ RSpec.describe PersonalAccessTokens::ExpiringWorker, type: :worker, feature_cate
let_it_be(:pat) { create(:personal_access_token, :impersonation, expires_at: 5.days.from_now) }
it "doesn't use notification service to send the email" do
- expect_next_instance_of(NotificationService) do |notification_service|
- expect(notification_service).not_to receive(:access_token_about_to_expire).with(pat.user, [pat.name])
- end
+ expect(worker).not_to receive(:notification_service)
worker.perform
end
diff --git a/yarn.lock b/yarn.lock
index e088e95e0b6..b82ec9fddf3 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1321,10 +1321,10 @@
resolved "https://registry.yarnpkg.com/@gitlab/svgs/-/svgs-3.83.0.tgz#5d6799e5fe3fb564b7e4190d90876469bd1608ba"
integrity sha512-881f6OsxREgBXYn9fkg+XGweBFbrGdrssrIzFIZFSG95GF/K+HILw1mXZ9nq7C5Xb5JDWPKJGYnKuHw5vvWm5Q==
-"@gitlab/ui@^74.2.0":
- version "74.2.0"
- resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-74.2.0.tgz#520bbf06eddd0da61cd79bd5678b610ecfd291ef"
- integrity sha512-bSYWZ9tlzl8oX57Xou2aQN4bnEVzEr/vzBqGpdpTizjsf3RF4K3BHhD2CuRXex3AwFYxQX89QIO5LZKlX2KhrA==
+"@gitlab/ui@^74.3.0":
+ version "74.3.0"
+ resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-74.3.0.tgz#f5a7ee3f31fd8cd221ccf56b82f65e390ef8f142"
+ integrity sha512-q5twfOd8nrD0bGK+UiUnJ3c2yIJlYG+qdl3/HKoMBcqXu0IJA4XcvM9Fp1gUYdZ23ritSbFwPVjPGoryeGjjbw==
dependencies:
"@floating-ui/dom" "1.4.3"
bootstrap-vue "2.23.1"