22 files changed, 129 insertions, 22 deletions
diff --git a/.gitattributes b/.gitattributes index f1c41c9bb76..7282c9e61b1 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,2 @@ Dangerfile gitlab-language=ruby +db/schema.rb merge=merge_db_schema diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c99f6ed059..241dcaa7832 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ documentation](doc/development/changelog.md) for instructions on adding your own entry. +## 11.4.4 (2018-10-30) + +### Security (1 change) + +- Monkey kubeclient to not follow any redirects. + + ## 11.4.3 (2018-10-26) - No changes. @@ -250,6 +257,13 @@ entry. - Check frozen string in style builds. (gfyoung) +## 11.3.9 (2018-10-31) + +### Security (1 change) + +- Monkey kubeclient to not follow any redirects. + + ## 11.3.8 (2018-10-27) - No changes. @@ -555,6 +569,13 @@ entry. - Creates Vue component for artifacts block on job page. +## 11.2.8 (2018-10-31) + +### Security (1 change) + +- Monkey kubeclient to not follow any redirects. + + ## 11.2.7 (2018-10-27) - No changes. diff --git a/app/assets/javascripts/commons/gitlab_ui.js b/app/assets/javascripts/commons/gitlab_ui.js index e93e1f5ea2c..82a191d056b 100644 --- a/app/assets/javascripts/commons/gitlab_ui.js +++ b/app/assets/javascripts/commons/gitlab_ui.js @@ -1,7 +1,6 @@ import Vue from 'vue'; -import { GlProgressBar, GlLoadingIcon, GlTooltipDirective } from '@gitlab-org/gitlab-ui'; +import { GlLoadingIcon, GlTooltipDirective } from '@gitlab-org/gitlab-ui'; -Vue.component('gl-progress-bar', GlProgressBar); Vue.component('gl-loading-icon', GlLoadingIcon); Vue.directive('gl-tooltip', GlTooltipDirective); diff --git a/app/assets/javascripts/pages/projects/jobs/index/index.js b/app/assets/javascripts/pages/projects/jobs/index/index.js new file mode 100644 index 00000000000..1b57c67f16b --- /dev/null +++ b/app/assets/javascripts/pages/projects/jobs/index/index.js 
@@ -0,0 +1,16 @@ +import Vue from 'vue'; +import GlCountdown from '~/vue_shared/components/gl_countdown.vue'; + +document.addEventListener('DOMContentLoaded', () => { + const remainingTimeElements = document.querySelectorAll('.js-remaining-time'); + remainingTimeElements.forEach( + el => + new Vue({ + ...GlCountdown, + el, + propsData: { + endDateString: el.dateTime, + }, + }), + ); +}); diff --git a/app/assets/javascripts/sidebar/components/time_tracking/comparison_pane.vue b/app/assets/javascripts/sidebar/components/time_tracking/comparison_pane.vue index e74912d628f..b145e5dc5e2 100644 --- a/app/assets/javascripts/sidebar/components/time_tracking/comparison_pane.vue +++ b/app/assets/javascripts/sidebar/components/time_tracking/comparison_pane.vue @@ -1,9 +1,13 @@ <script> import { parseSeconds, stringifyTime } from '~/lib/utils/datetime_utility'; import tooltip from '../../../vue_shared/directives/tooltip'; +import { GlProgressBar } from '@gitlab-org/gitlab-ui'; export default { name: 'TimeTrackingComparisonPane', + components: { + GlProgressBar, + }, directives: { tooltip, }, diff --git a/app/assets/javascripts/vue_shared/components/markdown/header.vue b/app/assets/javascripts/vue_shared/components/markdown/header.vue index 3ddb39730c4..27e3f314dd3 100644 --- a/app/assets/javascripts/vue_shared/components/markdown/header.vue +++ b/app/assets/javascripts/vue_shared/components/markdown/header.vue @@ -1,17 +1,17 @@ <script> import $ from 'jquery'; -import Tooltip from '../../directives/tooltip'; +import { GlTooltipDirective } from '@gitlab-org/gitlab-ui'; import ToolbarButton from './toolbar_button.vue'; import Icon from '../icon.vue'; export default { - directives: { - Tooltip, - }, components: { ToolbarButton, Icon, }, + directives: { + GlTooltip: GlTooltipDirective, + }, props: { previewMarkdown: { type: Boolean, 
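Review bot: `el.dateTime` is only defined on `HTMLTimeElement`, so any other element carrying `.js-remaining-time` would mount the countdown with `endDateString: undefined`; narrowing the selector to `document.querySelectorAll('time.js-remaining-time')`, or reading `el.getAttribute('datetime')`, makes that contract explicit. Mounting with `new Vue({ ...GlCountdown, el, propsData })` also, as far as I can tell, replaces the `<time>` element with the component root, so the machine-readable `datetime` attribute is gone from the DOM after mount — if that absolute timestamp matters to assistive technology or tests, render the component inside the element instead. A one-line header such as `// Mounts a live countdown on each delayed-job timer that the job list renders server-side.` would help the next reader.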
@@ -147,7 +147,7 @@ export default {
 icon="table"
 />
 <button
- v-tooltip
+ v-gl-tooltip
 aria-label="Go full screen"
 class="toolbar-btn toolbar-fullscreen-btn js-zen-enter"
 data-container="body"
diff --git a/app/assets/javascripts/vue_shared/components/markdown/toolbar_button.vue b/app/assets/javascripts/vue_shared/components/markdown/toolbar_button.vue
index 3e89e1c1e75..91d0bbfc21c 100644
--- a/app/assets/javascripts/vue_shared/components/markdown/toolbar_button.vue
+++ b/app/assets/javascripts/vue_shared/components/markdown/toolbar_button.vue
@@ -1,13 +1,13 @@
 <script>
-import tooltip from '../../directives/tooltip';
-import icon from '../icon.vue';
+import { GlTooltipDirective } from '@gitlab-org/gitlab-ui';
+import Icon from '../icon.vue';
 export default {
 components: {
- icon,
+ Icon,
 },
 directives: {
- tooltip,
+ GlTooltip: GlTooltipDirective,
 },
 props: {
 buttonTitle: {
@@ -43,7 +43,7 @@ export default {
 <template>
 <button
- v-tooltip
+ v-gl-tooltip
 :data-md-tag="tag"
 :data-md-select="tagSelect"
 :data-md-block="tagBlock"
diff --git a/app/models/key.rb b/app/models/key.rb
index bdb83e12793..8f93418b88b 100644
--- a/app/models/key.rb
+++ b/app/models/key.rb
@@ -34,6 +34,10 @@ class Key < ActiveRecord::Base
 after_destroy :post_destroy_hook
 after_destroy :refresh_user_cache
+ def self.regular_keys
+ where(type: ['Key', nil])
+ end
+
 def key=(value)
 write_attribute(:key, value.present? ? Gitlab::SSHPublicKey.sanitize(value) : nil)
diff --git a/app/models/user.rb b/app/models/user.rb
index cc2cd1b7723..d3eb7162174 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -88,7 +88,7 @@ class User < ActiveRecord::Base
 has_one :namespace, -> { where(type: nil) }, dependent: :destroy, foreign_key: :owner_id, inverse_of: :owner, autosave: true # rubocop:disable Cop/ActiveRecordDependent
 # Profile
- has_many :keys, -> { where(type: ['Key', nil]) }, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
+ has_many :keys, -> { regular_keys }, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
 has_many :deploy_keys, -> { where(type: 'DeployKey') }, dependent: :nullify # rubocop:disable Cop/ActiveRecordDependent
 has_many :gpg_keys
@@ -941,12 +941,17 @@ class User < ActiveRecord::Base
 if !Gitlab.config.ldap.enabled
 false
 elsif ldap_user?
- !last_credential_check_at || (last_credential_check_at + 1.hour) < Time.now
+ !last_credential_check_at || (last_credential_check_at + ldap_sync_time) < Time.now
 else
 false
 end
 end
+ def ldap_sync_time
+ # This number resides in this method so it can be redefined in EE.
+ 1.hour
+ end
+
 def try_obtain_ldap_lease
 # After obtaining this lease LDAP checks will be blocked for 600 seconds
 # (10 minutes) for this user.
diff --git a/app/views/projects/ci/builds/_build.html.haml b/app/views/projects/ci/builds/_build.html.haml
index f5685d3b50d..0b10c66777a 100644
--- a/app/views/projects/ci/builds/_build.html.haml
+++ b/app/views/projects/ci/builds/_build.html.haml
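Review bot: `ldap_sync_time` is added as a public instance method on `User` whose only documentation is the EE-override remark, and its name reads like a timestamp although it returns a duration used as the re-check interval in the `elsif ldap_user?` branch. A doc line such as `# How long an LDAP user's last credential check stays valid before it is repeated.` and, if nothing else needs it, placing the method under `private` (an EE `prepend` can still override it) would keep the public surface from growing for what is a tuning constant. The predicate whose `elsif` branch calls it starts before the hunk.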
@@ -105,10 +105,10 @@ = icon('remove', class: 'cred') - elsif job.scheduled? .btn-group - .btn.btn-default.has-tooltip{ disabled: true, - title: job.scheduled_at } + .btn.btn-default{ disabled: true } = sprite_icon('planning') - = duration_in_numbers(job.execute_in) + %time.js-remaining-time{ datetime: job.scheduled_at.utc.iso8601 } + = duration_in_numbers(job.execute_in) - confirmation_message = s_("DelayedJobs|Are you sure you want to run %{job_name} immediately? This job will run automatically after it's timer finishes.") % { job_name: job.name } = link_to play_project_job_path(job.project, job, return_to: request.original_url), method: :post, diff --git a/app/views/shared/projects/_search_form.html.haml b/app/views/shared/projects/_search_form.html.haml index b89194bcc67..3b5c13ed93a 100644 --- a/app/views/shared/projects/_search_form.html.haml +++ b/app/views/shared/projects/_search_form.html.haml @@ -21,3 +21,5 @@ - if params[:visibility_level].present? = hidden_field_tag :visibility_level, params[:visibility_level] + + = render_if_exists 'shared/projects/search_fields' diff --git a/changelogs/unreleased/gl-ui-progress-bar.yml b/changelogs/unreleased/gl-ui-progress-bar.yml new file mode 100644 index 00000000000..1e584dacd6f --- /dev/null +++ b/changelogs/unreleased/gl-ui-progress-bar.yml @@ -0,0 +1,5 @@ +--- +title: Remove gitlab-ui's progress bar from global +merge_request: +author: +type: performance diff --git a/changelogs/unreleased/kinolaev-master-patch-91872.yml b/changelogs/unreleased/kinolaev-master-patch-91872.yml new file mode 100644 index 00000000000..053e9101e39 --- /dev/null +++ b/changelogs/unreleased/kinolaev-master-patch-91872.yml @@ -0,0 +1,5 @@ +--- +title: Change HELM_HOST in Auto-DevOps template to work behind proxy +merge_request: 22596 +author: Sergej Nikolaev <kinolaev@gmail.com> +type: fixed 
diff --git a/changelogs/unreleased/replace-tooltip-in-markdown-component.yml b/changelogs/unreleased/replace-tooltip-in-markdown-component.yml
new file mode 100644
index 00000000000..5047e75c06a
--- /dev/null
+++ b/changelogs/unreleased/replace-tooltip-in-markdown-component.yml
@@ -0,0 +1,5 @@
+---
+title: Replace tooltip in markdown component with gl-tooltip
+merge_request: 21989
+author: George Tsiolis
+type: other
diff --git a/changelogs/unreleased/security-kubeclient-ssrf.yml b/changelogs/unreleased/security-kubeclient-ssrf.yml
new file mode 100644
index 00000000000..45fc41029fc
--- /dev/null
+++ b/changelogs/unreleased/security-kubeclient-ssrf.yml
@@ -0,0 +1,5 @@
+---
+title: Monkey kubeclient to not follow any redirects.
+merge_request:
+author:
+type: security
diff --git a/changelogs/unreleased/winh-job-list-dynamic-timer.yml b/changelogs/unreleased/winh-job-list-dynamic-timer.yml
new file mode 100644
index 00000000000..333a974d6aa
--- /dev/null
+++ b/changelogs/unreleased/winh-job-list-dynamic-timer.yml
@@ -0,0 +1,5 @@
+---
+title: Add dynamic timer for delayed jobs in job list
+merge_request: 22656
+author:
+type: changed
diff --git a/config/initializers/8_metrics.rb b/config/initializers/8_metrics.rb
index c8d261d415e..468f80939d7 100644
--- a/config/initializers/8_metrics.rb
+++ b/config/initializers/8_metrics.rb
@@ -98,7 +98,11 @@ end
 # check: https://github.com/rspec/rspec-mocks#settings-mocks-or-stubs-on-any-instance-of-a-class
 #
 # Related issue: https://gitlab.com/gitlab-org/gitlab-ce/issues/33587
-if Gitlab::Metrics.enabled? && !Rails.env.test?
+#
+# In development mode, we turn off eager loading when we're running
+# `rails generate migration` because eager loading short-circuits the
+# loading of our custom migration templates.
+if Gitlab::Metrics.enabled? && !Rails.env.test? && !(Rails.env.development? && defined?(Rails::Generators))
 require 'pathname'
 require 'influxdb'
 require 'connection_pool'
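Review bot: The new guard `!(Rails.env.development? && defined?(Rails::Generators))` turns metrics off whenever the `Rails::Generators` constant happens to be loaded in development, not only while `rails generate migration` runs, and it does so silently; a gem or initializer that references that constant in a dev server would disable metrics with nothing in the log to explain it. Emitting a line in the skipped case, e.g. `Rails.logger.info('Skipping metrics initialization: Rails::Generators is loaded')` in an `else` branch, or detecting the generator command more directly, would make the condition observable. The comment could also state the consequence plainly: `# In that case metrics are not initialized at all for this process.` The rest of the `if` block lies outside the hunk.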
diff --git a/config/initializers/kubeclient.rb b/config/initializers/kubeclient.rb
index 7f115268b37..2d9f439fdc0 100644
--- a/config/initializers/kubeclient.rb
+++ b/config/initializers/kubeclient.rb
@@ -13,4 +13,25 @@ class Kubeclient::Client
 ns_prefix = build_namespace_prefix(namespace)
 rest_client["#{ns_prefix}#{entity_name_plural}/#{name}:#{port}/proxy"].url
 end
+
+ # Monkey patch to set `max_redirects: 0`, so that kubeclient
+ # does not follow redirects and expose internal services.
+ # See https://gitlab.com/gitlab-org/gitlab-ce/issues/53158
+ def create_rest_client(path = nil)
+ path ||= @api_endpoint.path
+ options = {
+ ssl_ca_file: @ssl_options[:ca_file],
+ ssl_cert_store: @ssl_options[:cert_store],
+ verify_ssl: @ssl_options[:verify_ssl],
+ ssl_client_cert: @ssl_options[:client_cert],
+ ssl_client_key: @ssl_options[:client_key],
+ proxy: @http_proxy_uri,
+ user: @auth_options[:username],
+ password: @auth_options[:password],
+ open_timeout: @timeouts[:open],
+ read_timeout: @timeouts[:read],
+ max_redirects: 0
+ }
+ RestClient::Resource.new(@api_endpoint.merge(path).to_s, options)
+ end
 end
diff --git a/doc/user/project/import/index.md b/doc/user/project/import/index.md
index 4ea35a30bbf..2f5efbe84d9 100644
--- a/doc/user/project/import/index.md
+++ b/doc/user/project/import/index.md
@@ -1,6 +1,7 @@
 # Migrating projects to a GitLab instance
-1. [From Bitbucket.org](bitbucket.md)
+1. [From Bitbucket Cloud (aka bitbucket.org)](bitbucket.md)
+1. [From Bitbucket Server (aka Stash)](bitbucket_server.md)
 1. [From ClearCase](clearcase.md)
 1. [From CVS](cvs.md)
 1. [From FogBugz](fogbugz.md)
diff --git a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
index db48b187e5e..734af5eba59 100644
--- a/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Auto-DevOps.gitlab-ci.yml
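Review bot: The override of `create_rest_client` reproduces the whole option hash from upstream kubeclient just to add `max_redirects: 0`, so a later kubeclient upgrade that adds an option or renames `@ssl_options`/`@timeouts`/`@auth_options` internals would be silently dropped by this copy while the redirect protection still appears to work — or the upstream method signature could change and this override stop being called at all. Record the source in the comment, e.g. `# Copied from kubeclient <kubeclient-version> Kubeclient::Client#create_rest_client; re-verify on every gem upgrade.`, and back it with a spec that builds a client and asserts the resulting `RestClient::Resource` options include `max_redirects: 0` and the configured `verify_ssl`, so an upgrade fails loudly instead of quietly regressing. As far as I know rest-client raises on a 3xx once the redirect budget is 0 rather than returning it, so callers proxying cluster responses should expect that exception. This closes the redirect-following path only; the configured API endpoint itself is still used as given, which is worth stating in the comment.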
@@ -823,7 +823,7 @@ rollout 100%:
 function initialize_tiller() {
 echo "Checking Tiller..."
- export HELM_HOST=":44134"
+ export HELM_HOST="localhost:44134"
 tiller -listen ${HELM_HOST} -alsologtostderr > /dev/null 2>&1 &
 echo "Tiller is listening on ${HELM_HOST}"
diff --git a/lib/gitlab/cluster/puma_worker_killer_initializer.rb b/lib/gitlab/cluster/puma_worker_killer_initializer.rb
index 331c39f7d6b..4ed9a9a02ab 100644
--- a/lib/gitlab/cluster/puma_worker_killer_initializer.rb
+++ b/lib/gitlab/cluster/puma_worker_killer_initializer.rb
@@ -11,7 +11,11 @@ module Gitlab
 # Importantly RAM is for _all_workers (ie, the cluster),
 # not each worker as is the case with GITLAB_UNICORN_MEMORY_MAX
 worker_count = puma_options[:workers] || 1
- config.ram = worker_count * puma_per_worker_max_memory_mb
+ # The Puma Worker Killer checks the total RAM used by both the master
+ # and worker processes. Bump the limits to N+1 instead of N workers
+ # to account for this:
+ https://github.com/schneems/puma_worker_killer/blob/v0.1.0/lib/puma_worker_killer/puma_memory.rb#L57
+ config.ram = (worker_count + 1) * puma_per_worker_max_memory_mb
 config.frequency = 20 # seconds
diff --git a/scripts/build_assets_image b/scripts/build_assets_image
index 218606b9a40..1d77524d503 100755
--- a/scripts/build_assets_image
+++ b/scripts/build_assets_image
@@ -15,7 +15,7 @@ ASSETS_IMAGE_PATH=${CI_REGISTRY}/${CI_PROJECT_PATH}/${ASSETS_IMAGE_NAME}
 mkdir -p assets_container.build/public
 cp -r public/assets assets_container.build/public/
 cp Dockerfile.assets assets_container.build/
-docker build -t ${ASSETS_IMAGE_PATH}:${CI_COMMIT_REF_NAME} -f assets_container.build/Dockerfile.assets assets_container.build/
+docker build -t ${ASSETS_IMAGE_PATH}:${CI_COMMIT_REF_SLUG} -f assets_container.build/Dockerfile.assets assets_container.build/
 docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}
 docker push ${ASSETS_IMAGE_PATH} |
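Review bot: `HELM_HOST="localhost:44134"` makes `tiller -listen` bind a loopback name instead of every interface, which also narrows where the unauthenticated Tiller gRPC port is reachable inside the job's network namespace — worth saying in a comment since the changelog only mentions proxies, e.g. `# Bind Tiller to loopback only; the helm client in this job is the sole intended peer.` Using `127.0.0.1:44134` would avoid depending on how `localhost` resolves in the build image, where `tiller` and the helm client could otherwise pick different address families. `initialize_tiller` continues past the hunk.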
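Review bot: The fourth added comment line shows here as `+ https://github.com/schneems/puma_worker_killer/blob/v0.1.0/lib/puma_worker_killer/puma_memory.rb#L57` with no leading `#`; if that is the file's real content rather than a rendering artifact it is a Ruby syntax error in an initializer, and the line should read `# https://github.com/schneems/puma_worker_killer/blob/v0.1.0/lib/puma_worker_killer/puma_memory.rb#L57`. The `(worker_count + 1)` adjustment itself is consistent with the explanation given. The enclosing method begins before the hunk.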
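Review bot: The build now tags the image with `${CI_COMMIT_REF_SLUG}`, but the closing `docker push ${ASSETS_IMAGE_PATH}` still names no tag, so on Docker versions that push every local tag of a repository when none is given it would also push whatever older tags remain on the runner; `docker push ${ASSETS_IMAGE_PATH}:${CI_COMMIT_REF_SLUG}` pins the push to the image just built. The context line `docker login -u gitlab-ci-token -p ${CI_JOB_TOKEN} ${CI_REGISTRY}` passes the job token as an argument, which is visible in process listings and would appear in the job trace if the script ever runs under `set -x`; `printf '%s' "${CI_JOB_TOKEN}" | docker login -u gitlab-ci-token --password-stdin "${CI_REGISTRY}"` keeps it off the command line. Quoting `"${ASSETS_IMAGE_PATH}:${CI_COMMIT_REF_SLUG}"` on the changed line would match that.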