From cd70cfa3149aeff8b320e1ceb292bdfa153d75dd Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 9 Feb 2024 06:07:05 +0000
Subject: [PATCH] Add latest changes from gitlab-org/gitlab@master

---
 app/models/ci/build.rb | 3 +-
 app/models/ci/pipeline.rb | 2 -
 .../personal_access_tokens/expiring_worker.rb | 80 +++++++++++++------
 .../track_ci_pipeline_created_event.yml | 9 ---
 doc/administration/audit_event_reports.md | 4 +-
 doc/administration/logs/log_parsing.md | 31 +++---
 doc/api/geo_nodes.md | 7 +-
 .../breach_and_attack_simulation/index.md | 9 ++-
 .../dast/browser/index.md | 25 +++---
 doc/user/application_security/dast/index.md | 22 ++++-
 .../application_security/dast/proxy-based.md | 4 +-
 .../policies/scan-result-policies.md | 18 ++---
 doc/user/gitlab_com/index.md | 41 +++++----
 doc/user/project/import/gitea.md | 5 ++
 package.json | 2 +-
 spec/models/ci/build_spec.rb | 10 ++-
 spec/models/ci/pipeline_spec.rb | 12 ---
 .../expiring_worker_spec.rb | 23 ++++-
 yarn.lock | 8 +-
 19 files changed, 183 insertions(+), 132 deletions(-)
 delete mode 100644 config/feature_flags/gitlab_com_derisk/track_ci_pipeline_created_event.yml

diff --git a/app/models/ci/build.rb b/app/models/ci/build.rb
index 17613240c4f..f1451a0a67d 100644
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -105,7 +105,6 @@ module Ci
 delegate :trigger_short_token, to: :trigger_request, allow_nil: true
 delegate :ensure_persistent_ref, to: :pipeline
 delegate :enable_debug_trace!, to: :metadata
- delegate :debug_trace_enabled?, to: :metadata

 serialize :options # rubocop:disable Cop/ActiveRecordSerialize
 serialize :yaml_variables, Gitlab::Serializer::Ci::Variables # rubocop:disable Cop/ActiveRecordSerialize
@@ -1018,7 +1017,7 @@ module Ci
 def debug_mode?
 # perform the check on both sides in case the runner version is old
- debug_trace_enabled? ||
+ metadata&.debug_trace_enabled? ||
 Gitlab::Utils.to_boolean(variables['CI_DEBUG_SERVICES']&.value, default: false) ||
 Gitlab::Utils.to_boolean(variables['CI_DEBUG_TRACE']&.value, default: false)
 end
diff --git a/app/models/ci/pipeline.rb b/app/models/ci/pipeline.rb
index ff012368e85..6ed7434397b 100644
--- a/app/models/ci/pipeline.rb
+++ b/app/models/ci/pipeline.rb
@@ -1468,8 +1468,6 @@ module Ci
 end

 def track_ci_pipeline_created_event
- return unless Feature.enabled?(:track_ci_pipeline_created_event, project, type: :gitlab_com_derisk)
-
 Gitlab::InternalEvents.track_event('create_ci_internal_pipeline', project: project, user: user)
 end
 end
diff --git a/app/workers/personal_access_tokens/expiring_worker.rb b/app/workers/personal_access_tokens/expiring_worker.rb
index 5f8316d184d..9a52a64bde1 100644
--- a/app/workers/personal_access_tokens/expiring_worker.rb
+++ b/app/workers/personal_access_tokens/expiring_worker.rb
@@ -3,6 +3,7 @@ module PersonalAccessTokens
 class ExpiringWorker # rubocop:disable Scalability/IdempotentWorker
 include ApplicationWorker
+ include Gitlab::Utils::StrongMemoize

 data_consistency :always
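Review bot: With `metadata&.debug_trace_enabled?`, a build whose metadata row is missing (the case the new build_spec example exercises) now reports debug mode only when `CI_DEBUG_SERVICES` or `CI_DEBUG_TRACE` is set, so the runner-side flag that the existing comment says is checked "on both sides" is silently ignored for such builds. If `debug_mode?` is what restricts who may read a debug job log (not visible in this hunk), a missing metadata row now resolves in the permissive direction, which is worth stating next to the code rather than leaving to the safe-navigation operator. Suggest extending the comment above the expression to `# perform the check on both sides in case the runner version is old; metadata may be absent, in which case only the CI_DEBUG_* variable checks apply`. The method is complete within the hunk.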
@@ -12,44 +13,73 @@ module PersonalAccessTokens MAX_TOKENS = 100 + # For the worker is timing out with a bigger batch size + # https://gitlab.com/gitlab-org/gitlab/-/issues/432518 + BATCH_SIZE = 100 + def perform(*args) - notification_service = NotificationService.new limit_date = PersonalAccessToken::DAYS_TO_EXPIRE.days.from_now.to_date - User.with_expiring_and_not_notified_personal_access_tokens(limit_date).find_each do |user| - with_context(user: user) do - expiring_user_tokens = user.personal_access_tokens.without_impersonation.expiring_and_not_notified(limit_date) + # rubocop: disable CodeReuse/ActiveRecord -- We need to specify batch size to avoid timing out of worker + loop do + tokens = PersonalAccessToken.without_impersonation.expiring_and_not_notified(limit_date) + .select(:user_id).limit(BATCH_SIZE).to_a - # rubocop: disable CodeReuse/ActiveRecord - # We never materialise the token instances. We need the names to mention them in the - # email. Later we trigger an update query on the entire relation, not on individual instances. - token_names = expiring_user_tokens.limit(MAX_TOKENS).pluck(:name) - # We're limiting to 100 tokens so we avoid loading too many tokens into memory. - # At the time of writing this would only affect 69 users on GitLab.com + break if tokens.empty? - # rubocop: enable CodeReuse/ActiveRecord + users = User.where(id: tokens.pluck(:user_id).uniq) - message = if user.project_bot? - notification_service.resource_access_tokens_about_to_expire(user, token_names) + users.each do |user| + with_context(user: user) do + expiring_user_tokens = user.personal_access_tokens + .without_impersonation.expiring_and_not_notified(limit_date) - "Notifying Bot User resource owners about expiring tokens" - else - notification_service.access_token_about_to_expire(user, token_names) + next if expiring_user_tokens.empty? - "Notifying User about expiring tokens" - end + # We never materialise the token instances. 
We need the names to mention them in the + # email. Later we trigger an update query on the entire relation, not on individual instances. + token_names = expiring_user_tokens.limit(MAX_TOKENS).pluck(:name) + # We're limiting to 100 tokens so we avoid loading too many tokens into memory. + # At the time of writing this would only affect 69 users on GitLab.com - Gitlab::AppLogger.info( - message: message, - class: self.class, - user_id: user.id - ) + # rubocop: enable CodeReuse/ActiveRecord + if user.project_bot? + deliver_bot_notifications(token_names, user) + else + deliver_user_notifications(token_names, user) + end - expiring_user_tokens.each_batch do |expiring_tokens| - expiring_tokens.update_all(expire_notification_delivered: true) + expiring_user_tokens.update_all(expire_notification_delivered: true) end end end end + + private + + def deliver_bot_notifications(token_names, user) + notification_service.resource_access_tokens_about_to_expire(user, token_names) + + Gitlab::AppLogger.info( + message: "Notifying Bot User resource owners about expiring tokens", + class: self.class, + user_id: user.id + ) + end + + def deliver_user_notifications(token_names, user) + notification_service.access_token_about_to_expire(user, token_names) + + Gitlab::AppLogger.info( + message: "Notifying User about expiring tokens", + class: self.class, + user_id: user.id + ) + end + + def notification_service + NotificationService.new + end + strong_memoize_attr :notification_service end end diff --git a/config/feature_flags/gitlab_com_derisk/track_ci_pipeline_created_event.yml b/config/feature_flags/gitlab_com_derisk/track_ci_pipeline_created_event.yml deleted file mode 100644 index 4a7379156ae..00000000000 --- a/config/feature_flags/gitlab_com_derisk/track_ci_pipeline_created_event.yml +++ /dev/null 
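Review bot: The new `loop do` in `perform` terminates only because each pass is expected to mark the tokens it selected as `expire_notification_delivered`; any token that survives a pass unmarked — for instance one whose `user_id` is not returned by `User.where(id: ...)`, or one the `user.personal_access_tokens` scope does not yield even though the top-level `PersonalAccessToken` query did — would be re-selected on every pass and the worker would spin until Sidekiq kills it, which the previous `find_each` could not do. A cheap guard is to remember the previous batch and stop when it repeats: `user_ids = tokens.pluck(:user_id).uniq`, `break if user_ids == previous_ids`, `previous_ids = user_ids` (with `previous_ids = nil` before the loop), logging a warning when that path is taken. Because `limit(BATCH_SIZE)` carries no `order`, that check is heuristic; an explicit iteration cap derived from the expected token count is the firmer alternative. Unrelated nit: the comment `# For the worker is timing out with a bigger batch size` reads better as `# Larger batches made the worker time out (see issue 432518)`.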
@@ -1,9 +0,0 @@ ---- -name: track_ci_pipeline_created_event -feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/429065 -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/142356 -rollout_issue_url: https://gitlab.com/gitlab-com/gl-infra/production/-/issues/17445 -milestone: '16.9' -group: group::pipeline execution -type: gitlab_com_derisk -default_enabled: false diff --git a/doc/administration/audit_event_reports.md b/doc/administration/audit_event_reports.md index 479a5e6ca6d..15c7995d4a2 100644 --- a/doc/administration/audit_event_reports.md +++ b/doc/administration/audit_event_reports.md @@ -51,7 +51,7 @@ To view a group's audit events: 1. Select **Secure > Audit events**. 1. Filter the audit events by the member of the project (user) who performed the action and date range. -Group audit events can also be accessed using the [Group Audit Events API](../api/audit_events.md#group-audit-events). Group audit event queries are limited to a maximum of 30 days. +Group audit events can also be accessed using the [Group Audit Events API](../api/audit_events.md#group-audit-events). Group audit event queries `created_after` and `created_before` parameters are limited to a maximum 30 day difference between the dates. ### Project audit events 
@@ -59,7 +59,7 @@ Group audit events can also be accessed using the [Group Audit Events API](../ap 1. Select **Secure > Audit events**. 1. Filter the audit events by the member of the project (user) who performed the action and date range. -Project audit events can also be accessed using the [Project Audit Events API](../api/audit_events.md#project-audit-events). Project audit event queries are limited to a maximum of 30 days. +Project audit events can also be accessed using the [Project Audit Events API](../api/audit_events.md#project-audit-events). Project audit event queries `created_after` and `created_before` parameters are limited to a maximum 30 day difference between the dates. ### Instance audit events diff --git a/doc/administration/logs/log_parsing.md b/doc/administration/logs/log_parsing.md index 4dc69cac2fb..b884f25877e 100644 --- a/doc/administration/logs/log_parsing.md +++ b/doc/administration/logs/log_parsing.md 
@@ -165,24 +165,25 @@ CT: 190 ROUTE: /api/:version/projects/:id/repository/commits DURS: 1079.02, #### Print top API user agents ```shell -jq --raw-output '[.route, .ua] | @tsv' api_json.log | sort | uniq -c | sort -n +jq --raw-output 'select(.remote_ip != "127.0.0.1") | [.remote_ip, .username, .route, .ua] | @tsv' api_json.log | + sort | uniq -c | sort -n | tail ``` **Example output**: ```plaintext - 89 /api/:version/usage_data/increment_unique_users # plus browser details - 567 /api/:version/jobs/:id/trace gitlab-runner # plus version details -1234 /api/:version/internal/allowed GitLab-Shell + 89 1.2.3.4, 127.0.0.1 some_user /api/:version/projects/:id/pipelines # plus browser details; OK + 567 5.6.7.8, 127.0.0.1 /api/:version/jobs/:id/trace gitlab-runner # plus version details; OK +1234 98.76.54.31, 127.0.0.1 some_bot /api/:version/projects/:id/repository/files/:file_path/raw ``` -This sample response seems typical. A custom tool or script might be causing a high load -if the output contains many: +This example shows a custom tool or script causing an unexpectedly high number of requests. +User agents in this situation can be: - Third party libraries like `python-requests` or `curl`. - [GitLab CLI clients](https://about.gitlab.com/partners/technology-partners/#cli-clients). -You can also [use `fast-stats top`](#parsing-gitlab-logs-with-jq) to extract performance statistics. +You can also [use `fast-stats top`](#parsing-gitlab-logs-with-jq) to extract performance statistics for those users or bots. ### Parsing `gitlab-rails/importer.log` 
@@ -200,19 +201,13 @@ For common issues, see [troubleshooting](../../administration/raketasks/project_ #### Print top Workhorse user agents ```shell -jq --raw-output '[.uri, .user_agent] | @tsv' current | sort | uniq -c | sort -n +jq --raw-output 'select(.remote_ip != "127.0.0.1") | [.remote_ip, .uri, .user_agent] | @tsv' current | + sort | uniq -c | sort -n | tail ``` -**Example output**: - -```plaintext - 89 /api/graphql # plus browser details - 567 /api/v4/internal/allowed GitLab-Shell -1234 /api/v4/jobs/request gitlab-runner # plus version details -``` - -Similar to the [API `ua` data](#print-top-api-user-agents), -deviations from this common order might indicate scripts that could be optimized. +Similar to the [API `ua` example](#print-top-api-user-agents), +many unexpected user agents in this output indicate unoptimized scripts. +Expected user agents include `gitlab-runner`, `GitLab-Shell`, and browsers. The performance impact of runners checking for new jobs can be reduced by increasing [the `check_interval` setting](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-global-section), diff --git a/doc/api/geo_nodes.md b/doc/api/geo_nodes.md index 6363e4538ab..566f9f5b1b0 100644 --- a/doc/api/geo_nodes.md +++ b/doc/api/geo_nodes.md @@ -4,12 +4,17 @@ group: Geo info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments --- -# Geo Nodes API +# Geo Nodes API (deprecated) DETAILS: **Tier:** Premium, Ultimate **Offering:** Self-managed +WARNING: +The Geo Nodes API was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/369140) in GitLab 16.0 +and is planned for removal in v5 of the API. Use the [Geo Sites API](geo_sites.md) instead. +This change is a breaking change. + To interact with Geo node endpoints, you must authenticate yourself as an administrator. 
diff --git a/doc/user/application_security/breach_and_attack_simulation/index.md b/doc/user/application_security/breach_and_attack_simulation/index.md index ab00de5fb36..f0b172444d3 100644 --- a/doc/user/application_security/breach_and_attack_simulation/index.md +++ b/doc/user/application_security/breach_and_attack_simulation/index.md @@ -4,13 +4,18 @@ group: Incubation info: Breach and Attack Simulation is a GitLab Incubation Engineering program. No technical writer assigned to this group. --- -# Breach and Attack Simulation + + +# Breach and Attack Simulation (deprecated) DETAILS: **Tier:** Ultimate **Offering:** SaaS, self-managed **Status:** Experiment +WARNING: +This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab 16.9 and will be removed in 17.0. This change is a breaking change. + > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/402784) in GitLab 15.11 as an Incubating feature. > - [Included](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119981) in the `Security/BAS.latest.gitlab-ci.yml` in GitLab 16.0. @@ -147,3 +152,5 @@ You can also manually enable callback attacks by making sure to: 1. Enable both the application being tested and callback service container using [services](../../../ci/services/index.md). 1. Enable container-to-container networking [making the callback service accessible](../../../ci/services/index.md#connecting-services) in the job. 1. Set `DAST_BROWSER_CALLBACK` to include `Address:$YOUR_CALLBACK_URL` key/value pair where the callback service is accessible to the Runner/DAST container. + + diff --git a/doc/user/application_security/dast/browser/index.md b/doc/user/application_security/dast/browser/index.md index 427c02b1fbe..4df225e2fd9 100644 --- a/doc/user/application_security/dast/browser/index.md +++ b/doc/user/application_security/dast/browser/index.md 
@@ -11,26 +11,29 @@ DETAILS: **Tier:** Ultimate **Offering:** SaaS, self-managed -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/323423) in GitLab 13.12 as a Beta feature. > - [Generally available](https://gitlab.com/groups/gitlab-org/-/epics/9023) in GitLab 15.7 (GitLab DAST v3.0.50). -Browser-based DAST helps you identify security weaknesses (CWEs) in your web applications. After you deploy your web application, it -becomes exposed to new types of attacks, many of which cannot be detected prior to deployment. For example, misconfigurations of your -application server or incorrect assumptions about security controls may not be visible from the source code, but they can be detected with browser-based DAST. +Browser-based DAST helps you identify security weaknesses (CWEs) in your web applications. After you +deploy your web application, it becomes exposed to new types of attacks, many of which cannot be +detected prior to deployment. For example, misconfigurations of your application server or incorrect +assumptions about security controls may not be visible from the source code, but they can be +detected with browser-based DAST. -Dynamic Application Security Testing (DAST) examines applications for -vulnerabilities like these in deployed environments. +Dynamic Application Security Testing (DAST) examines applications for vulnerabilities like these in +deployed environments. For an overview, see [Dynamic Application Security Testing (DAST)](https://www.youtube.com/watch?v=nbeDUoLZJTo). WARNING: -Do not run DAST scans against a production server. Not only can it perform *any* function that -a user can, such as clicking buttons or submitting forms, but it may also trigger bugs, leading to modification or loss of production data. Only run DAST scans against a test server. +Do not run DAST scans against a production server. 
Not only can it perform *any* function that a +user can, such as clicking buttons or submitting forms, but it may also trigger bugs, leading to +modification or loss of production data. Only run DAST scans against a test server. -The DAST browser-based analyzer was built by GitLab to scan modern-day web applications for vulnerabilities. -Scans run in a browser to optimize testing applications heavily dependent on JavaScript, such as single-page applications. -See [how DAST scans an application](#how-dast-scans-an-application) for more information. +The DAST browser-based analyzer was built by GitLab to scan modern-day web applications for +vulnerabilities. Scans run in a browser to optimize testing applications heavily dependent on +JavaScript, such as single-page applications. See +[how DAST scans an application](#how-dast-scans-an-application) for more information. To add the analyzer to your CI/CD pipeline, see [enabling the analyzer](configuration/enabling_the_analyzer.md). diff --git a/doc/user/application_security/dast/index.md b/doc/user/application_security/dast/index.md index c26ff196543..6d8671f2741 100644 --- a/doc/user/application_security/dast/index.md +++ b/doc/user/application_security/dast/index.md 
@@ -10,11 +10,27 @@ DETAILS: **Tier:** Ultimate **Offering:** SaaS, Self-managed -Dynamic Application Security Testing (DAST) runs automated penetration tests to find vulnerabilities in your web applications and APIs as they are running. DAST automates a hacker’s approach and simulates real-world attacks for critical threats such as cross-site scripting (XSS), SQL injection (SQLi), and cross-site request forgery (CSRF) to uncover vulnerabilities and misconfigurations that other security tools cannot detect. +WARNING: +Proxy-based DAST was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab +16.9 and is planned for removal in 17.0. Use [browser-based DAST](browser_based.md) instead. This +change is a breaking change. -DAST is completely language agnostic and examines your application from the outside in. With a running application in a test environment, DAST scans can be automated via your CI/CD pipeline, automated on a schedule, or run independently via on-demand scans. Utilizing DAST during the SDLC enables teams to uncover vulnerabilities before their applications are in production. DAST is a foundational component of software security and should be used in tandem with SAST, dependency and license scanning, and secret detection to provide a comprehensive security assessment of your applications. +Dynamic Application Security Testing (DAST) runs automated penetration tests to find vulnerabilities +in your web applications and APIs as they are running. DAST automates a hacker’s approach and +simulates real-world attacks for critical threats such as cross-site scripting (XSS), SQL injection +(SQLi), and cross-site request forgery (CSRF) to uncover vulnerabilities and misconfigurations that +other security tools cannot detect. -GitLab’s Browser-based DAST and DAST API are proprietary runtime tools, which provide broad security coverage for modern-day web applications and APIs. 
+DAST is completely language agnostic and examines your application from the outside in. With a +running application in a test environment, DAST scans can be automated in a CI/CD pipeline, +automated on a schedule, or run independently by using on-demand scans. Using DAST during the +software development life cycle enables teams to uncover vulnerabilities before their applications +are in production. DAST is a foundational component of software security and should be used in +tandem with SAST, dependency and license scanning, and secret detection, to provide a comprehensive +security assessment of your applications. + +GitLab’s Browser-based DAST and DAST API are proprietary runtime tools, which provide broad security +coverage for modern-day web applications and APIs. For an overview, see [Dynamic Application Security Testing (DAST)](https://www.youtube.com/watch?v=nbeDUoLZJTo). diff --git a/doc/user/application_security/dast/proxy-based.md b/doc/user/application_security/dast/proxy-based.md index 30e673172ae..410d1848508 100644 --- a/doc/user/application_security/dast/proxy-based.md +++ b/doc/user/application_security/dast/proxy-based.md @@ -12,9 +12,7 @@ DETAILS: **Offering:** SaaS, Self-managed WARNING: -This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab 16.9 -and is planned for removal in 17.0. Use [browser-based DAST](browser_based.md) instead. -This change is a breaking change. +This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/430966) in GitLab 16.9 and will be removed in 17.0. Use [browser-based DAST](browser_based.md) instead. This change is a breaking change. The DAST proxy-based analyzer can be added to your [GitLab CI/CD](../../../ci/index.md) pipeline. This helps you discover vulnerabilities in web applications that do not use JavaScript heavily. For applications that do, 
diff --git a/doc/user/application_security/policies/scan-result-policies.md b/doc/user/application_security/policies/scan-result-policies.md index 677f500c48c..535fb194eba 100644 --- a/doc/user/application_security/policies/scan-result-policies.md +++ b/doc/user/application_security/policies/scan-result-policies.md 
@@ -144,15 +144,15 @@ This rule enforces the defined actions based on security scan findings. This rule enforces the defined actions based on license findings. -| Field | Type | Required | Possible values | Description | -|------------|------|----------|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `type` | `string` | true | `license_finding` | The rule's type. | -| `branches` | `array` of `string` | true if `branch_type` field does not exist | `[]` or the branch's name | Applicable only to protected target branches. An empty array, `[]`, applies the rule to all protected target branches. Cannot be used with the `branch_type` field. | -| `branch_type` | `string` | true if `branches` field does not exist | `default` or `protected` | The types of protected branches the given policy applies to. Cannot be used with the `branches` field. Default branches must also be `protected`. | -| `branch_exceptions` | `array` of `string` | false | Names of branches | Branches to exclude from this rule. | -| `match_on_inclusion` | `boolean` | true | `true`, `false` | **{warning}** **[Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/424513)** in GitLab 16.9. Whether the rule matches inclusion or exclusion of licenses listed in `license_types`. | -| `license_types` | `array` of `string` | true | license types | [SPDX license names](https://spdx.org/licenses) to match on, for example `Affero General Public License v1.0` or `MIT License`. | -| `license_states` | `array` of `string` | true | `newly_detected`, `detected` | Whether to match newly detected and/or previously detected licenses. The `newly_detected` state triggers approval when either a new package is introduced or when a new license for an existing package is detected. 
| +| Field | Type | Required | Possible values | Description | +|----------------------|---------------------|--------------------------------------------|------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `type` | `string` | true | `license_finding` | The rule's type. | +| `branches` | `array` of `string` | true if `branch_type` field does not exist | `[]` or the branch's name | Applicable only to protected target branches. An empty array, `[]`, applies the rule to all protected target branches. Cannot be used with the `branch_type` field. | +| `branch_type` | `string` | true if `branches` field does not exist | `default` or `protected` | The types of protected branches the given policy applies to. Cannot be used with the `branches` field. Default branches must also be `protected`. | +| `branch_exceptions` | `array` of `string` | false | Names of branches | Branches to exclude from this rule. | +| `match_on_inclusion` | `boolean` | true | `true`, `false` | **{warning}** **[Deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/424513)** in GitLab 16.9. Whether the rule matches inclusion or exclusion of licenses listed in `license_types`. When `false`, any detected licenses excluded from `license_types` require approval. | +| `license_types` | `array` of `string` | true | license types | [SPDX license names](https://spdx.org/licenses) to match on, for example `Affero General Public License v1.0` or `MIT License`. | +| `license_states` | `array` of `string` | true | `newly_detected`, `detected` | Whether to match newly detected and/or previously detected licenses. The `newly_detected` state triggers approval when either a new package is introduced or when a new license for an existing package is detected. 
| ## `any_merge_request` rule type diff --git a/doc/user/gitlab_com/index.md b/doc/user/gitlab_com/index.md index 9093d62dbd6..1feaa15e105 100644 --- a/doc/user/gitlab_com/index.md +++ b/doc/user/gitlab_com/index.md 
@@ -343,28 +343,27 @@ code. The client should wait before attempting the request again. There are also informational headers with this response detailed in [rate limiting responses](#rate-limiting-responses). -The following table describes the rate limits for GitLab.com, both before and -after the limits change in January, 2021: +The following table describes the rate limits for GitLab.com: -| Rate limit | From 2021-02-12 | From 2022-02-03 | -|:---------------------------------------------------------------------------|:------------------------------|:-------------------------------------| -| **Protected paths** (for a given **IP address**) | **10** requests per minute | **10** requests per minute | -| **Raw endpoint** traffic (for a given **project, commit, and file path**) | **300** requests per minute | **300** requests per minute | -| **Unauthenticated** traffic (from a given **IP address**) | **500** requests per minute | **500** requests per minute | -| **Authenticated** API traffic (for a given **user**) | **2,000** requests per minute | **2,000** requests per minute | -| **Authenticated** non-API HTTP traffic (for a given **user**) | **1,000** requests per minute | **1,000** requests per minute | -| **All** traffic (from a given **IP address**) | **2,000** requests per minute | **2,000** requests per minute | -| **Issue creation** | **300** requests per minute | **200** requests per minute | -| **Note creation** (on issues and merge requests) | **60** requests per minute | **60** requests per minute | -| **Advanced, project, and group search** API (for a given **IP address**) | **10** requests per minute | **10** requests per minute | -| **GitLab Pages** requests (for a given **IP address**) | | **1000** requests per **50 seconds** | -| **GitLab Pages** requests (for a given **GitLab Pages domain**) | | **5000** requests per **10 seconds** | -| **GitLab Pages** TLS connections (for a given **IP address**) | | **1000** requests per **50 seconds** | -| 
**GitLab Pages** TLS connections (for a given **GitLab Pages domain**) | | **400** requests per **10 seconds** | -| **Pipeline creation** requests (for a given **project, user, and commit**) | | **25** requests per minute | -| **Alert integration endpoint** requests (for a given **project**) | | **3600** requests per hour | -| **[Pull mirroring](../project/repository/mirror/pull.md)** intervals | **5** minutes | **5** minutes | -| **API Requests** (from a given **user**) to `/api/v4/users/:id` | | **300** requests per **10 minutes** | +| Rate limit | Setting | +|:---------------------------------------------------------------------------|:-------------------------------------| +| **Protected paths** (for a given **IP address**) | **10** requests per minute | +| **Raw endpoint** traffic (for a given **project, commit, and file path**) | **300** requests per minute | +| **Unauthenticated** traffic (from a given **IP address**) | **500** requests per minute | +| **Authenticated** API traffic (for a given **user**) | **2,000** requests per minute | +| **Authenticated** non-API HTTP traffic (for a given **user**) | **1,000** requests per minute | +| **All** traffic (from a given **IP address**) | **2,000** requests per minute | +| **Issue creation** | **200** requests per minute | +| **Note creation** (on issues and merge requests) | **60** requests per minute | +| **Advanced, project, and group search** API (for a given **IP address**) | **10** requests per minute | +| **GitLab Pages** requests (for a given **IP address**) | **1000** requests per **50 seconds** | +| **GitLab Pages** requests (for a given **GitLab Pages domain**) | **5000** requests per **10 seconds** | +| **GitLab Pages** TLS connections (for a given **IP address**) | **1000** requests per **50 seconds** | +| **GitLab Pages** TLS connections (for a given **GitLab Pages domain**) | **400** requests per **10 seconds** | +| **Pipeline creation** requests (for a given **project, user, and commit**) | 
**25** requests per minute | +| **Alert integration endpoint** requests (for a given **project**) | **3600** requests per hour | +| **[Pull mirroring](../project/repository/mirror/pull.md)** intervals | **5** minutes | +| **API Requests** (from a given **user**) to `/api/v4/users/:id` | **300** requests per **10 minutes** | More details are available on the rate limits for [protected paths](#protected-paths-throttle) and diff --git a/doc/user/project/import/gitea.md b/doc/user/project/import/gitea.md index a83512f9d7a..ce7197ca2da 100644 --- a/doc/user/project/import/gitea.md +++ b/doc/user/project/import/gitea.md @@ -31,6 +31,11 @@ in your GitLab instance. This means the project creator (usually the user that started the import process) is set as the author. A reference, however, is kept on the issue about the original Gitea author. +## Known issue + +Because of [issue 434175](https://gitlab.com/gitlab-org/gitlab/-/issues/434175), projects with a dot +in their path must be renamed for all items to be imported correctly. + ## Prerequisites > - Requirement for Maintainer role instead of Developer role introduced in GitLab 16.0 and backported to GitLab 15.11.1 and GitLab 15.10.5. diff --git a/package.json b/package.json index 2897da4e85c..43cba167c23 100644 --- a/package.json +++ b/package.json @@ -61,7 +61,7 @@ "@gitlab/favicon-overlay": "2.0.0", "@gitlab/fonts": "^1.3.0", "@gitlab/svgs": "3.83.0", - "@gitlab/ui": "^74.2.0", + "@gitlab/ui": "^74.3.0", "@gitlab/visual-review-tools": "1.7.3", "@gitlab/web-ide": "^0.0.1-dev-20240208022507", "@mattiasbuelens/web-streams-adapter": "^0.1.0", diff --git a/spec/models/ci/build_spec.rb b/spec/models/ci/build_spec.rb index 84369b9bfc3..8741d347c36 100644 --- a/spec/models/ci/build_spec.rb +++ b/spec/models/ci/build_spec.rb 
@@ -121,7 +121,7 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def context 'when transitioning to any state from running' do it 'removes runner_session' do %w[success drop cancel].each do |event| - build = FactoryBot.create(:ci_build, :running, :with_runner_session, pipeline: pipeline) + build = create(:ci_build, :running, :with_runner_session, pipeline: pipeline) build.fire_events!(event) @@ -5064,6 +5064,14 @@ RSpec.describe Ci::Build, feature_category: :continuous_integration, factory_def it { is_expected.to eq false } end + + context 'when metadata does not exist' do + before do + build.metadata.destroy! + end + + it { is_expected.to eq false } + end end describe '#drop_with_exit_code!' do diff --git a/spec/models/ci/pipeline_spec.rb b/spec/models/ci/pipeline_spec.rb index 74f011e3496..60665f4b779 100644 --- a/spec/models/ci/pipeline_spec.rb +++ b/spec/models/ci/pipeline_spec.rb @@ -190,18 +190,6 @@ RSpec.describe Ci::Pipeline, :mailer, factory_default: :keep, feature_category: pipeline.save! end end - - context 'with FF track_ci_pipeline_created_event disabled' do - before do - stub_feature_flags(track_ci_pipeline_created_event: false) - end - - it 'does not track the creation event' do - expect(Gitlab::InternalEvents).not_to receive(:track_event) - - pipeline.save! - end - end end end diff --git a/spec/workers/personal_access_tokens/expiring_worker_spec.rb b/spec/workers/personal_access_tokens/expiring_worker_spec.rb index 0cc63fdb85e..3879d55668e 100644 --- a/spec/workers/personal_access_tokens/expiring_worker_spec.rb +++ b/spec/workers/personal_access_tokens/expiring_worker_spec.rb 
@@ -25,15 +25,26 @@ RSpec.describe PersonalAccessTokens::ExpiringWorker, type: :worker, feature_cate it 'marks the notification as delivered' do expect { worker.perform }.to change { expiring_token.reload.expire_notification_delivered }.from(false).to(true) end + + it 'avoids N+1 queries', :use_sql_query_cache do + control = ActiveRecord::QueryRecorder.new(skip_cached: false) { worker.perform } + + user1 = create(:user) + create(:personal_access_token, user: user1, expires_at: 5.days.from_now) + + user2 = create(:user) + create(:personal_access_token, user: user2, expires_at: 5.days.from_now) + + # Query count increased for the user look up + expect { worker.perform }.not_to exceed_all_query_limit(control).with_threshold(4) + end end context 'when no tokens need to be notified' do let_it_be(:pat) { create(:personal_access_token, expires_at: 5.days.from_now, expire_notification_delivered: true) } - it "doesn't use notification service to send the email" do - expect_next_instance_of(NotificationService) do |notification_service| - expect(notification_service).not_to receive(:access_token_about_to_expire).with(pat.user, [pat.name]) - end + it "doesn't call notification services" do + expect(worker).not_to receive(:notification_service) worker.perform end @@ -47,9 +58,7 @@ RSpec.describe PersonalAccessTokens::ExpiringWorker, type: :worker, feature_cate let_it_be(:pat) { create(:personal_access_token, :impersonation, expires_at: 5.days.from_now) } it "doesn't use notification service to send the email" do - expect_next_instance_of(NotificationService) do |notification_service| - expect(notification_service).not_to receive(:access_token_about_to_expire).with(pat.user, [pat.name]) - end + expect(worker).not_to receive(:notification_service) worker.perform end diff --git a/yarn.lock b/yarn.lock index e088e95e0b6..b82ec9fddf3 100644 --- a/yarn.lock +++ b/yarn.lock 
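Review bot: The `avoids N+1 queries` example asserts `not_to exceed_all_query_limit(control).with_threshold(4)` after adding two users with one expiring token each, but the worker still issues per-user queries inside `users.each` (the `pluck(:name)` and the `update_all`), so a threshold of four for two extra users is exactly the per-user cost and the example would not fail on the N+1 it is named after. Either lower the threshold to the user-independent queries you actually expect, or rename the example to describe what it pins, e.g. `it 'issues a bounded number of queries per user'`, and replace the comment `# Query count increased for the user look up` with one that states the per-user budget. The `expect(worker).not_to receive(:notification_service)` assertions couple the specs to a private memoized method name; stubbing `NotificationService` as before keeps them behaviour-based. Both hunks sit inside `describe` blocks that begin outside the diff.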
@@ -1321,10 +1321,10 @@ resolved "https://registry.yarnpkg.com/@gitlab/svgs/-/svgs-3.83.0.tgz#5d6799e5fe3fb564b7e4190d90876469bd1608ba" integrity sha512-881f6OsxREgBXYn9fkg+XGweBFbrGdrssrIzFIZFSG95GF/K+HILw1mXZ9nq7C5Xb5JDWPKJGYnKuHw5vvWm5Q== -"@gitlab/ui@^74.2.0": - version "74.2.0" - resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-74.2.0.tgz#520bbf06eddd0da61cd79bd5678b610ecfd291ef" - integrity sha512-bSYWZ9tlzl8oX57Xou2aQN4bnEVzEr/vzBqGpdpTizjsf3RF4K3BHhD2CuRXex3AwFYxQX89QIO5LZKlX2KhrA== +"@gitlab/ui@^74.3.0": + version "74.3.0" + resolved "https://registry.yarnpkg.com/@gitlab/ui/-/ui-74.3.0.tgz#f5a7ee3f31fd8cd221ccf56b82f65e390ef8f142" + integrity sha512-q5twfOd8nrD0bGK+UiUnJ3c2yIJlYG+qdl3/HKoMBcqXu0IJA4XcvM9Fp1gUYdZ23ritSbFwPVjPGoryeGjjbw== dependencies: "@floating-ui/dom" "1.4.3" bootstrap-vue "2.23.1"