authorGitLab Bot <gitlab-bot@gitlab.com>2020-03-21 00:09:18 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-03-21 00:09:18 +0000
commit1ccf61bdccd3f0cbcabd7fe335542014f465f46b (patch)
treef6eb90ccf27bb2193251d1617e7b655429eb2ac6
parent68f1860e6f1f9e8441c434f4e62238c359ce8c7c (diff)
downloadgitlab-ce-1ccf61bdccd3f0cbcabd7fe335542014f465f46b.tar.gz
Add latest changes from gitlab-org/gitlab@master
-rw-r--r--app/serializers/note_user_entity.rb2
-rw-r--r--app/views/admin/application_settings/_protected_paths.html.haml2
-rw-r--r--app/views/admin/application_settings/network.html.haml2
-rwxr-xr-xbin/secpick3
-rw-r--r--doc/api/users.md2
-rw-r--r--doc/security/rate_limits.md1
-rw-r--r--doc/user/admin_area/settings/protected_paths.md6
-rw-r--r--doc/user/group/saml_sso/index.md11
-rw-r--r--lib/api/entities/discussion.rb2
-rw-r--r--lib/api/entities/note_with_gitlab_employee_badge.rb10
-rw-r--r--lib/api/entities/user_with_gitlab_employee_badge.rb9
-rw-r--r--locale/gitlab.pot4
-rw-r--r--spec/controllers/projects/issues_controller_spec.rb55
-rw-r--r--spec/fixtures/api/schemas/entities/user.json3
-rw-r--r--spec/support/shared_examples/requests/api/discussions_shared_examples.rb56
15 files changed, 82 insertions, 86 deletions
diff --git a/app/serializers/note_user_entity.rb b/app/serializers/note_user_entity.rb
index b00dfa7d353..ffaf7664dae 100644
--- a/app/serializers/note_user_entity.rb
+++ b/app/serializers/note_user_entity.rb
@@ -1,5 +1,7 @@
# frozen_string_literal: true
class NoteUserEntity < UserEntity
+ expose :gitlab_employee?, as: :is_gitlab_employee, if: ->(user, options) { ::Feature.enabled?(:gitlab_employee_badge) && user.gitlab_employee? }
+
unexpose :web_url
end
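Review bot: The added `expose` calls `user.gitlab_employee?` twice—once in the `if:` guard and again to produce the value—so the attribute is only ever emitted as `true` and is otherwise absent; consumers never see `false`, which matches the controller spec in this commit but is stated nowhere. A comment above the line such as `# Emitted only as true, and only while the gitlab_employee_badge flag is on; never false.` would make that contract explicit. Whether `gitlab_employee?` is memoized is not visible in this diff; if it is not, the double call repeats the check for every note author, and `expose :is_gitlab_employee, if: ->(user, _) { ::Feature.enabled?(:gitlab_employee_badge) && user.gitlab_employee? } do |_user| true end` avoids the second evaluation.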
diff --git a/app/views/admin/application_settings/_protected_paths.html.haml b/app/views/admin/application_settings/_protected_paths.html.haml
index f4d40e10f36..0220570daa9 100644
--- a/app/views/admin/application_settings/_protected_paths.html.haml
+++ b/app/views/admin/application_settings/_protected_paths.html.haml
@@ -6,7 +6,7 @@
.bs-callout.bs-callout-danger
- relative_url_link = 'https://docs.gitlab.com/ee/user/admin_area/settings/protected_paths.html#migrate-settings-from-gitlab-123-and-earlier'
- relative_url_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: relative_url_link }
- = _("Omnibus Protected Paths throttle is active. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}.").html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
+ = _("Omnibus Protected Paths throttle is active, and takes priority over these settings. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}.").html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
.form-group
.form-check
diff --git a/app/views/admin/application_settings/network.html.haml b/app/views/admin/application_settings/network.html.haml
index 7bd51172195..8d88dedf832 100644
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -42,7 +42,7 @@
%button.btn.btn-default.js-settings-toggle{ type: 'button' }
= expanded_by_default? ? _('Collapse') : _('Expand')
%p
- = _('Configure paths to be protected by Rack Attack. A web server restart is required after changing these settings.')
+ = _('Configure paths to be protected by Rack Attack.')
.settings-content
= render 'protected_paths'
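Review bot: Dropping the restart sentence tells administrators these throttles apply live; if Rack Attack still reads the protected-paths list only at boot, a changed setting would silently go unenforced until the next restart, which is exactly the kind of rate-limit gap an attacker can exploit. The initializer is not in this diff, so please confirm the list is read per request (or a reload is triggered) and, if so, say it: `= _('Configure paths to be protected by Rack Attack. Changes take effect without a restart.')`.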
diff --git a/bin/secpick b/bin/secpick
index 3609567249e..fd3de2756ec 100755
--- a/bin/secpick
+++ b/bin/secpick
@@ -120,7 +120,7 @@ module Secpick
options[:branch] = branch
end
- opts.on('-s', '--sha abcd', 'SHA or SHA range to cherry pick') do |sha|
+ opts.on('-s', '--sha abcd', 'SHA or SHA range to cherry pick (optional, defaults to current)') do |sha|
options[:sha] = sha
end
@@ -155,6 +155,7 @@ module Secpick
parser.parse!
+ options[:sha] ||= `git rev-parse HEAD`
options[:branch] ||= `git rev-parse --abbrev-ref HEAD`
options[:remote] ||= DEFAULT_REMOTE
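Review bot: The new default keeps the trailing newline from the backtick call and ignores its exit status; if `git rev-parse HEAD` fails, the result is an empty but truthy string, so any later "sha is required" check will not catch it and an empty SHA flows into the cherry-pick. The existing branch line has the same shape, so the value may be stripped further down—outside this hunk—but the new line deserves `options[:sha] ||= %x(git rev-parse HEAD).strip` followed by `abort('Could not determine HEAD SHA') unless $?.success? && !options[:sha].empty?`. Because this tool cherry-picks security fixes, silently picking whatever HEAD happens to be should also be printed to the user so a forgotten `--sha` on the wrong branch is noticed. The enclosing option-parsing method continues outside the hunk.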
diff --git a/doc/api/users.md b/doc/api/users.md
index 239afa38548..8d7dad7ae35 100644
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -387,7 +387,7 @@ Parameters:
| `group_id_for_saml` | No | ID of group where SAML has been configured |
| `linkedin` | No | LinkedIn |
| `location` | No | User's location |
-| `name` | No | Name |
+| `name` | Yes | Name |
| `organization` | No | Organization name |
| `password` | No | Password |
| `private_profile` | No | User's profile is private - true, false (default), or null (will be converted to false) |
diff --git a/doc/security/rate_limits.md b/doc/security/rate_limits.md
index 80088da77a0..036dcf80416 100644
--- a/doc/security/rate_limits.md
+++ b/doc/security/rate_limits.md
@@ -24,6 +24,7 @@ similarly mitigated by a rate limit.
- [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md).
- [Rate limits on raw endpoints](../user/admin_area/settings/rate_limits_on_raw_endpoints.md)
+- [Protected paths](../user/admin_area/settings/protected_paths.md).
## Rack Attack initializer
diff --git a/doc/user/admin_area/settings/protected_paths.md b/doc/user/admin_area/settings/protected_paths.md
index 095c2845e53..56f99d3e725 100644
--- a/doc/user/admin_area/settings/protected_paths.md
+++ b/doc/user/admin_area/settings/protected_paths.md
@@ -4,7 +4,11 @@ type: reference
# Protected paths **(CORE ONLY)**
-GitLab protects the following paths with Rack Attack by default:
+Rate limiting is a common technique used to improve the security and durability
+of a web application. For more details, see
+[Rate limits](../../../security/rate_limits.md).
+
+GitLab rate limits the following paths with Rack Attack by default:
```plaintext
'/users/password',
diff --git a/doc/user/group/saml_sso/index.md b/doc/user/group/saml_sso/index.md
index faeb4225a39..69edfb91886 100644
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -8,7 +8,7 @@ type: reference, howto
SAML on GitLab.com allows users to be added to a group. Those users can then sign in to GitLab.com. If such users don't already have an account on the GitLab instance, they can create one when signing in for the first time.
-If you follow our guidance to automate user provisioning using [SCIM](scim_setup.md) or [group managed accounts](#group-managed-accounts), you do not need to create such accounts manually.
+If you follow our guidance to automate user provisioning using [SCIM](scim_setup.md) or [group-managed accounts](#group-managed-accounts), you do not need to create such accounts manually.
User synchronization for GitLab.com is partially supported using [SCIM](scim_setup.md).
@@ -86,6 +86,15 @@ Since use of the group-managed account requires the use of SSO, users of group-m
- The user will be unable to access the group (their credentials will no longer work on the identity provider when prompted to SSO).
- Contributions in the group (e.g. issues, merge requests) will remain intact.
+##### Feature flag
+
+Currently the group-managed accounts feature is behind a feature flag: `group_managed_accounts`. The flag is disabled by default.
+To activate the feature, ask a GitLab administrator with Rails console access to run:
+
+```ruby
+Feature.enable(:group_managed_accounts)
+```
+
##### Credentials inventory for Group-managed accounts **(ULTIMATE)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/38133) in GitLab 12.8.
diff --git a/lib/api/entities/discussion.rb b/lib/api/entities/discussion.rb
index 0740de97897..dd1dd40da23 100644
--- a/lib/api/entities/discussion.rb
+++ b/lib/api/entities/discussion.rb
@@ -5,7 +5,7 @@ module API
class Discussion < Grape::Entity
expose :id
expose :individual_note?, as: :individual_note
- expose :notes, using: Entities::NoteWithGitlabEmployeeBadge
+ expose :notes, using: Entities::Note
end
end
end
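Review bot: Switching `notes` back to `Entities::Note` removes `is_gitlab_employee` from the public discussions API response at the same time the attribute is added to the internal `NoteUserEntity`; that is a field removal from a public API, and the diffstat shows no `changelogs/` entry or `doc/api/discussions.md` change. If the attribute was ever documented or shipped outside the feature flag, the removal should be recorded as such; if it was never released, a sentence in the commit description saying so would settle the question.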
diff --git a/lib/api/entities/note_with_gitlab_employee_badge.rb b/lib/api/entities/note_with_gitlab_employee_badge.rb
deleted file mode 100644
index 2ea300ffeb6..00000000000
--- a/lib/api/entities/note_with_gitlab_employee_badge.rb
+++ /dev/null
@@ -1,10 +0,0 @@
-# frozen_string_literal: true
-
-module API
- module Entities
- class NoteWithGitlabEmployeeBadge < Note
- expose :author, using: Entities::UserWithGitlabEmployeeBadge
- expose :resolved_by, using: Entities::UserWithGitlabEmployeeBadge, if: ->(note, options) { note.resolvable? }
- end
- end
-end
diff --git a/lib/api/entities/user_with_gitlab_employee_badge.rb b/lib/api/entities/user_with_gitlab_employee_badge.rb
deleted file mode 100644
index 36b9f633132..00000000000
--- a/lib/api/entities/user_with_gitlab_employee_badge.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-# frozen_string_literal: true
-
-module API
- module Entities
- class UserWithGitlabEmployeeBadge < UserBasic
- expose :gitlab_employee?, as: :is_gitlab_employee, if: ->(user, options) { ::Feature.enabled?(:gitlab_employee_badge) && user.gitlab_employee? }
- end
- end
-end
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index f01401ab310..f22e415b51f 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -5172,7 +5172,7 @@ msgstr ""
msgid "Configure limits on the number of inbound alerts able to be sent to a project."
msgstr ""
-msgid "Configure paths to be protected by Rack Attack. A web server restart is required after changing these settings."
+msgid "Configure paths to be protected by Rack Attack."
msgstr ""
msgid "Configure repository mirroring."
@@ -13652,7 +13652,7 @@ msgstr ""
msgid "OmniAuth"
msgstr ""
-msgid "Omnibus Protected Paths throttle is active. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}."
+msgid "Omnibus Protected Paths throttle is active, and takes priority over these settings. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}."
msgstr ""
msgid "On track"
diff --git a/spec/controllers/projects/issues_controller_spec.rb b/spec/controllers/projects/issues_controller_spec.rb
index 806a4e2f52c..add7778b57a 100644
--- a/spec/controllers/projects/issues_controller_spec.rb
+++ b/spec/controllers/projects/issues_controller_spec.rb
@@ -1390,6 +1390,61 @@ describe Projects::IssuesController do
expect(note_json['author']['status_tooltip_html']).to be_present
end
+ context 'is_gitlab_employee attribute' do
+ subject { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid } }
+
+ before do
+ allow(Gitlab).to receive(:com?).and_return(true)
+ note_user = discussion.author
+ note_user.update(email: email)
+ note_user.confirm
+ end
+
+ shared_examples 'non inclusion of gitlab employee badge' do
+ it 'does not render the is_gitlab_employee attribute' do
+ subject
+
+ note_json = json_response.first['notes'].first
+
+ expect(note_json['author']['is_gitlab_employee']).to be nil
+ end
+ end
+
+ context 'when user is a gitlab employee' do
+ let(:email) { 'test@gitlab.com' }
+
+ it 'renders the is_gitlab_employee attribute' do
+ subject
+
+ note_json = json_response.first['notes'].first
+
+ expect(note_json['author']['is_gitlab_employee']).to be true
+ end
+
+ context 'when feature flag is disabled' do
+ before do
+ stub_feature_flags(gitlab_employee_badge: false)
+ end
+
+ it_behaves_like 'non inclusion of gitlab employee badge'
+ end
+ end
+
+ context 'when user is not a gitlab employee' do
+ let(:email) { 'test@example.com' }
+
+ it_behaves_like 'non inclusion of gitlab employee badge'
+
+ context 'when feature flag is disabled' do
+ before do
+ stub_feature_flags(gitlab_employee_badge: false)
+ end
+
+ it_behaves_like 'non inclusion of gitlab employee badge'
+ end
+ end
+ end
+
it 'does not cause an extra query for the status' do
control = ActiveRecord::QueryRecorder.new do
get :discussions, params: { namespace_id: project.namespace, project_id: project, id: issue.iid }
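Review bot: The shared example asserts `expect(note_json['author']['is_gitlab_employee']).to be nil`, which passes both when the key is absent and when it is present with a `null` value, so it is weaker than the `not_to have_key('is_gitlab_employee')` assertion in the shared example this commit deletes from discussions_shared_examples.rb; use `expect(note_json['author']).not_to have_key('is_gitlab_employee')` so a regression that emits `null` is caught. `note_user.update(email: email)` in the `before` block also discards its return value—prefer `update!` so a validation failure fails loudly instead of leaving the factory email in place.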
diff --git a/spec/fixtures/api/schemas/entities/user.json b/spec/fixtures/api/schemas/entities/user.json
index 1e0c8885609..82d80b75cef 100644
--- a/spec/fixtures/api/schemas/entities/user.json
+++ b/spec/fixtures/api/schemas/entities/user.json
@@ -17,8 +17,7 @@
"path": { "type": "string" },
"name": { "type": "string" },
"username": { "type": "string" },
- "status_tooltip_html": { "$ref": "../types/nullable_string.json" },
- "is_gitlab_employee": { "type": "boolean" }
+ "status_tooltip_html": { "$ref": "../types/nullable_string.json" }
},
"additionalProperties": false
}
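Review bot: This schema now rejects `is_gitlab_employee` (it keeps `"additionalProperties": false`) while `NoteUserEntity`, a `UserEntity` subclass, starts exposing exactly that key for employee authors when the flag is on; if `entities/user.json` is what note author payloads are validated against, such a payload fails schema validation on GitLab.com with the flag enabled, and the suite passes only because test users are not employees. Either keep the property as optional—restore `"is_gitlab_employee": { "type": "boolean" }`—or confirm this fixture is never applied to `NoteUserEntity` output.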
diff --git a/spec/support/shared_examples/requests/api/discussions_shared_examples.rb b/spec/support/shared_examples/requests/api/discussions_shared_examples.rb
index 3ad2263688b..939ea405724 100644
--- a/spec/support/shared_examples/requests/api/discussions_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/discussions_shared_examples.rb
@@ -55,58 +55,6 @@ RSpec.shared_examples 'with cross-reference system notes' do
end
RSpec.shared_examples 'discussions API' do |parent_type, noteable_type, id_name, can_reply_to_individual_notes: false|
- shared_examples 'is_gitlab_employee attribute presence' do
- subject { get api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/discussions", user) }
-
- before do
- allow(Gitlab).to receive(:com?).and_return(true)
- user.update(email: email)
- user.confirm
- end
-
- context 'when author is a gitlab employee' do
- let(:email) { 'test@gitlab.com' }
-
- it 'returns is_gitlab_employee as true' do
- subject
-
- expect(json_response.first["notes"].first["author"]['is_gitlab_employee']).to be true
- end
- end
-
- shared_examples 'non inclusion of gitlab employee badge' do
- it 'does not include is_gitlab_employee attribute' do
- subject
-
- expect(json_response.first["notes"].first["author"]).not_to have_key('is_gitlab_employee')
- end
- end
-
- context 'when author is not a gitlab employee' do
- let(:email) { 'test@example.com' }
-
- it_behaves_like 'non inclusion of gitlab employee badge'
- end
-
- describe 'when feature flag is disabled' do
- before do
- stub_feature_flags(gitlab_employee_badge: false)
- end
-
- context 'when author is a gitlab employee' do
- let(:email) { 'test@gitlab.com' }
-
- it_behaves_like 'non inclusion of gitlab employee badge'
- end
-
- context 'when author is not a gitlab employee' do
- let(:email) { 'test@example.com' }
-
- it_behaves_like 'non inclusion of gitlab employee badge'
- end
- end
- end
-
describe "GET /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions" do
it "returns an array of discussions" do
get api("/#{parent_type}/#{parent.id}/#{noteable_type}/#{noteable[id_name]}/discussions", user)
@@ -130,8 +78,6 @@ RSpec.shared_examples 'discussions API' do |parent_type, noteable_type, id_name,
expect(response).to have_gitlab_http_status(:not_found)
end
-
- it_behaves_like 'is_gitlab_employee attribute presence'
end
describe "GET /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions/:discussion_id" do
@@ -250,8 +196,6 @@ RSpec.shared_examples 'discussions API' do |parent_type, noteable_type, id_name,
end
end
end
-
- it_behaves_like 'is_gitlab_employee attribute presence'
end
describe "POST /#{parent_type}/:id/#{noteable_type}/:noteable_id/discussions/:discussion_id/notes" do