diff options
31 files changed, 414 insertions, 278 deletions
diff --git a/app/helpers/x509_helper.rb b/app/helpers/x509_helper.rb new file mode 100644 index 00000000000..c330b599d74 --- /dev/null +++ b/app/helpers/x509_helper.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +require 'net/ldap/dn' + +module X509Helper + def x509_subject(subject, search_keys) + subjects = {} + + Net::LDAP::DN.new(subject).each_pair do |key, value| + if key.upcase.start_with?(*search_keys.map(&:upcase)) + subjects[key.upcase] = value + end + end + + subjects + rescue + {} + end +end diff --git a/app/views/projects/commit/x509/_certificate_details.html.haml b/app/views/projects/commit/x509/_certificate_details.html.haml index 2357c6d803b..51667010d6f 100644 --- a/app/views/projects/commit/x509/_certificate_details.html.haml +++ b/app/views/projects/commit/x509/_certificate_details.html.haml @@ -1,17 +1,15 @@ .gpg-popover-certificate-details %strong= _('Certificate Subject') %ul - - signature.x509_certificate.subject.split(",").each do |i| - - if i.start_with?("CN", "O") - %li= i + - x509_subject(signature.x509_certificate.subject, ["CN", "O"]).map do |key, value| + %li= key + "=" + value %li= _('Subject Key Identifier:') %li.unstyled= signature.x509_certificate.subject_key_identifier.gsub(":", " ") .gpg-popover-certificate-details %strong= _('Certificate Issuer') %ul - - signature.x509_certificate.x509_issuer.subject.split(",").each do |i| - - if i.start_with?("CN", "OU", "O") - %li= i + - x509_subject(signature.x509_certificate.x509_issuer.subject, ["CN", "OU", "O"]).map do |key, value| + %li= key + "=" + value %li= _('Subject Key Identifier:') %li.unstyled= signature.x509_certificate.x509_issuer.subject_key_identifier.gsub(":", " ") diff --git a/app/workers/concerns/gitlab/github_import/notify_upon_death.rb b/app/workers/concerns/gitlab/github_import/notify_upon_death.rb deleted file mode 100644 index 3d7120665b6..00000000000 --- a/app/workers/concerns/gitlab/github_import/notify_upon_death.rb +++ /dev/null @@ -1,31 +0,0 @@ -# frozen_string_literal: true - -module Gitlab - module GithubImport - # NotifyUponDeath can be included into a GitHub worker class if it should - # notify any JobWaiter instances upon being moved to the Sidekiq dead queue. - # - # Note that this will only notify the waiter upon graceful termination, a - # SIGKILL will still result in the waiter _not_ being notified. - # - # Workers including this module must have jobs passed where the last - # argument is the key to notify, as a String. - module NotifyUponDeath - extend ActiveSupport::Concern - - included do - # If a job is being exhausted we still want to notify the - # AdvanceStageWorker. This prevents the entire import from getting stuck - # just because 1 job threw too many errors. - sidekiq_retries_exhausted do |job| - args = job['args'] - jid = job['jid'] - - if args.length == 3 && (key = args.last) && key.is_a?(String) - JobWaiter.notify(key, jid) - end - end - end - end - end -end diff --git a/app/workers/concerns/gitlab/github_import/object_importer.rb b/app/workers/concerns/gitlab/github_import/object_importer.rb index bd0b566658e..63c1ba8e699 100644 --- a/app/workers/concerns/gitlab/github_import/object_importer.rb +++ b/app/workers/concerns/gitlab/github_import/object_importer.rb @@ -11,7 +11,7 @@ module Gitlab include ApplicationWorker include GithubImport::Queue include ReschedulingMethods - include NotifyUponDeath + include Gitlab::NotifyUponDeath feature_category :importers worker_has_external_dependencies! diff --git a/app/workers/concerns/gitlab/notify_upon_death.rb b/app/workers/concerns/gitlab/notify_upon_death.rb new file mode 100644 index 00000000000..66dc6270637 --- /dev/null +++ b/app/workers/concerns/gitlab/notify_upon_death.rb @@ -0,0 +1,29 @@ +# frozen_string_literal: true + +module Gitlab + # NotifyUponDeath can be included into a worker class if it should + # notify any JobWaiter instances upon being moved to the Sidekiq dead queue. + # + # Note that this will only notify the waiter upon graceful termination, a + # SIGKILL will still result in the waiter _not_ being notified. + # + # Workers including this module must have jobs passed where the last + # argument is the key to notify, as a String. + module NotifyUponDeath + extend ActiveSupport::Concern + + included do + # If a job is being exhausted we still want to notify the + # Gitlab::Import::AdvanceStageWorker. This prevents the entire import from getting stuck + # just because 1 job threw too many errors. + sidekiq_retries_exhausted do |job| + args = job['args'] + jid = job['jid'] + + if args.length == 3 && (key = args.last) && key.is_a?(String) + JobWaiter.notify(key, jid) + end + end + end + end +end diff --git a/changelogs/unreleased/199790-approval-settings-target-branch-api.yml b/changelogs/unreleased/199790-approval-settings-target-branch-api.yml new file mode 100644 index 00000000000..b71e9323624 --- /dev/null +++ b/changelogs/unreleased/199790-approval-settings-target-branch-api.yml @@ -0,0 +1,5 @@ +--- +title: Filter rules by target_branch in approval_settings +merge_request: 26439 +author: +type: added diff --git a/changelogs/unreleased/fix-x509-signed-commit.yml b/changelogs/unreleased/fix-x509-signed-commit.yml new file mode 100644 index 00000000000..d3d0f70ce15 --- /dev/null +++ b/changelogs/unreleased/fix-x509-signed-commit.yml @@ -0,0 +1,5 @@ +--- +title: Fix crl_url parsing and certificate visualization +merge_request: 25876 +author: Roger Meier +type: fixed diff --git a/doc/administration/job_artifacts.md b/doc/administration/job_artifacts.md index 54eab36b0bb..6f927d8f920 100644 --- a/doc/administration/job_artifacts.md +++ b/doc/administration/job_artifacts.md @@ -3,7 +3,7 @@ > - Introduced in GitLab 8.2 and GitLab Runner 0.7.0. > - Starting with GitLab 8.4 and GitLab Runner 1.0, the artifacts archive format changed to `ZIP`. > - Starting with GitLab 8.17, builds are renamed to jobs. -> - This is the administration documentation. For the user guide see [pipelines/job_artifacts](../user/project/pipelines/job_artifacts.md). +> - This is the administration documentation. For the user guide see [pipelines/job_artifacts](../ci/pipelines/job_artifacts.md). Artifacts is a list of files and directories which are attached to a job after it finishes. This feature is enabled by default in all GitLab installations. Keep reading @@ -79,7 +79,7 @@ _The artifacts are stored by default in > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/1762) in > [GitLab Premium](https://about.gitlab.com/pricing/) 9.4. -> - Since version 9.5, artifacts are [browsable](../user/project/pipelines/job_artifacts.md#browsing-artifacts), +> - Since version 9.5, artifacts are [browsable](../ci/pipelines/job_artifacts.md#browsing-artifacts), > when object storage is enabled. 9.4 lacks this feature. > - Since version 10.6, available in [GitLab Core](https://about.gitlab.com/pricing/) > - Since version 11.0, we support `direct_upload` to S3. @@ -386,7 +386,7 @@ If you need to manually remove job artifacts associated with multiple jobs while NOTE: **NOTE:** This step will also erase artifacts that users have chosen to - ["keep"](../user/project/pipelines/job_artifacts.md#browsing-artifacts). + ["keep"](../ci/pipelines/job_artifacts.md#browsing-artifacts). ```ruby builds_to_clear = builds_with_artifacts.where("finished_at < ?", 1.week.ago) diff --git a/doc/administration/pages/index.md b/doc/administration/pages/index.md index 36c5c29a6fb..08d0cb6d691 100644 --- a/doc/administration/pages/index.md +++ b/doc/administration/pages/index.md @@ -345,7 +345,7 @@ pages: ### Using a custom Certificate Authority (CA) When using certificates issued by a custom CA, [Access Control](../../user/project/pages/pages_access_control.md#gitlab-pages-access-control) and -the [online view of HTML job artifacts](../../user/project/pipelines/job_artifacts.md#browsing-artifacts) +the [online view of HTML job artifacts](../../ci/pipelines/job_artifacts.md#browsing-artifacts) will fail to work if the custom CA is not recognized. This usually results in this error: diff --git a/doc/ci/README.md b/doc/ci/README.md index 32747651d4f..1ec91dd8522 100644 --- a/doc/ci/README.md +++ b/doc/ci/README.md @@ -83,7 +83,7 @@ GitLab CI/CD supports numerous configuration options: | [Pipelines](pipelines.md) | Structure your CI/CD process through pipelines. | | [Environment variables](variables/README.md) | Reuse values based on a variable/value key pair. | | [Environments](environments.md) | Deploy your application to different environments (e.g., staging, production). | -| [Job artifacts](../user/project/pipelines/job_artifacts.md) | Output, use, and reuse job artifacts. | +| [Job artifacts](pipelines/job_artifacts.md) | Output, use, and reuse job artifacts. | | [Cache dependencies](caching/index.md) | Cache your dependencies for a faster execution. | | [Schedule pipelines](pipelines/schedules.md) | Schedule pipelines to run as often as you need. | | [Custom path for `.gitlab-ci.yml`](../user/project/pipelines/settings.md#custom-ci-configuration-path) | Define a custom path for the CI/CD configuration file. | diff --git a/doc/ci/jenkins/index.md b/doc/ci/jenkins/index.md index 17dc479e1b8..de2b1956292 100644 --- a/doc/ci/jenkins/index.md +++ b/doc/ci/jenkins/index.md @@ -62,7 +62,7 @@ rspec: Artifacts may work a bit differently than you've used them with Jenkins. In GitLab, any job can define a set of artifacts to be saved by using the `artifacts:` keyword. This can be configured to point to a file -or set of files that can then be persisted from job to job. Read more on our detailed [artifacts documentation](../../user/project/pipelines/job_artifacts.md) +or set of files that can then be persisted from job to job. Read more on our detailed [artifacts documentation](../pipelines/job_artifacts.md) ```yaml pdf: diff --git a/doc/user/project/pipelines/img/job_artifacts_browser.png b/doc/ci/pipelines/img/job_artifacts_browser.png Binary files differindex d3d8de5ac60..d3d8de5ac60 100644 --- a/doc/user/project/pipelines/img/job_artifacts_browser.png +++ b/doc/ci/pipelines/img/job_artifacts_browser.png diff --git a/doc/user/project/pipelines/img/job_artifacts_browser_button.png b/doc/ci/pipelines/img/job_artifacts_browser_button.png Binary files differindex 21072ce1248..21072ce1248 100644 --- a/doc/user/project/pipelines/img/job_artifacts_browser_button.png +++ b/doc/ci/pipelines/img/job_artifacts_browser_button.png diff --git a/doc/user/project/pipelines/img/job_artifacts_builds_page.png b/doc/ci/pipelines/img/job_artifacts_builds_page.png Binary files differindex 13e039ba934..13e039ba934 100644 --- a/doc/user/project/pipelines/img/job_artifacts_builds_page.png +++ b/doc/ci/pipelines/img/job_artifacts_builds_page.png diff --git a/doc/user/project/pipelines/img/job_artifacts_pipelines_page.png b/doc/ci/pipelines/img/job_artifacts_pipelines_page.png Binary files differindex 983f903ca72..983f903ca72 100644 --- a/doc/user/project/pipelines/img/job_artifacts_pipelines_page.png +++ b/doc/ci/pipelines/img/job_artifacts_pipelines_page.png diff --git a/doc/user/project/pipelines/img/job_latest_artifacts_browser.png b/doc/ci/pipelines/img/job_latest_artifacts_browser.png Binary files differindex c6d8856078b..c6d8856078b 100644 --- a/doc/user/project/pipelines/img/job_latest_artifacts_browser.png +++ b/doc/ci/pipelines/img/job_latest_artifacts_browser.png diff --git a/doc/ci/pipelines/job_artifacts.md b/doc/ci/pipelines/job_artifacts.md new file mode 100644 index 00000000000..ef3a33e22ea --- /dev/null +++ b/doc/ci/pipelines/job_artifacts.md @@ -0,0 +1,214 @@ +--- +type: reference, howto +--- + +# Introduction to job artifacts + +> - Introduced in GitLab 8.2 and GitLab Runner 0.7.0. +> - Starting with GitLab 8.4 and GitLab Runner 1.0, the artifacts archive format changed to `ZIP`, and it is now possible to browse its contents, with the added ability of downloading the files separately. +> - In GitLab 8.17, builds were renamed to jobs. +> - The artifacts browser will be available only for new artifacts that are sent to GitLab using GitLab Runner version 1.0 and up. It will not be possible to browse old artifacts already uploaded to GitLab. + +Job artifacts are a list of files and directories created by a job +once it finishes. This feature is [enabled by default](../../administration/job_artifacts.md) in all +GitLab installations. + +Job artifacts created by GitLab Runner are uploaded to GitLab and are downloadable as a single archive using the GitLab UI or the [GitLab API](../../api/jobs.md#get-job-artifacts). + +<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> +For an overview, watch the video [GitLab CI Pipeline, Artifacts, and Environments](https://www.youtube.com/watch?v=PCKDICEe10s). +Watch also [GitLab CI pipeline tutorial for beginners](https://www.youtube.com/watch?v=Jav4vbUrqII). + +## Defining artifacts in `.gitlab-ci.yml` + +A simple example of using the artifacts definition in `.gitlab-ci.yml` would be +the following: + +```yaml +pdf: + script: xelatex mycv.tex + artifacts: + paths: + - mycv.pdf + expire_in: 1 week +``` + +A job named `pdf` calls the `xelatex` command in order to build a pdf file from +the latex source file `mycv.tex`. We then define the `artifacts` paths which in +turn are defined with the `paths` keyword. All paths to files and directories +are relative to the repository that was cloned during the build. + +The artifacts will be uploaded when the job succeeds by default, but can be set to upload +when the job fails, or always, if the [`artifacts:when`](../yaml/README.md#artifactswhen) +parameter is used. These uploaded artifacts will be kept in GitLab for 1 week as defined +by the `expire_in` definition. You have the option to keep the artifacts from expiring +via the [web interface](#browsing-artifacts). If the expiry time is not defined, it defaults +to the [instance wide setting](../../user/admin_area/settings/continuous_integration.md#default-artifacts-expiration-core-only). + +For more examples on artifacts, follow the [artifacts reference in +`.gitlab-ci.yml`](../yaml/README.md#artifacts). + +## Browsing artifacts + +> - From GitLab 9.2, PDFs, images, videos and other formats can be previewed directly in the job artifacts browser without the need to download them. +> - Introduced in [GitLab 10.1][ce-14399], HTML files in a public project can be previewed directly in a new tab without the need to download them when [GitLab Pages](../../administration/pages/index.md) is enabled. The same applies for textual formats (currently supported extensions: `.txt`, `.json`, and `.log`). +> - Introduced in [GitLab 12.4][gitlab-16675], artifacts in private projects can be previewed when [GitLab Pages access control](../../administration/pages/index.md#access-control) is enabled. + +After a job finishes, if you visit the job's specific page, there are three +buttons. You can download the artifacts archive or browse its contents, whereas +the **Keep** button appears only if you have set an [expiry date] to the +artifacts in case you changed your mind and want to keep them. + +![Job artifacts browser button](img/job_artifacts_browser_button.png) + +The archive browser shows the name and the actual file size of each file in the +archive. If your artifacts contained directories, then you are also able to +browse inside them. + +Below you can see what browsing looks like. In this case we have browsed inside +the archive and at this point there is one directory, a couple files, and +one HTML file that you can view directly online when +[GitLab Pages](../../administration/pages/index.md) is enabled (opens in a new tab). + +![Job artifacts browser](img/job_artifacts_browser.png) + +## Downloading artifacts + +If you need to download the whole archive, there are buttons in various places +in the GitLab UI to do this: + +1. While on the pipelines page, you can see the download icon for each job's + artifacts archive in the right corner: + + ![Job artifacts in Pipelines page](img/job_artifacts_pipelines_page.png) + +1. While on the **Jobs** page, you can see the download icon for each job's + artifacts archive in the right corner: + + ![Job artifacts in Builds page](img/job_artifacts_builds_page.png) + +1. While inside a specific job, you are presented with a download button + along with the one that browses the archive: + + ![Job artifacts browser button](img/job_artifacts_browser_button.png) + +1. And finally, when browsing an archive you can see the download button at + the top right corner: + + ![Job artifacts browser](img/job_artifacts_browser.png) + +## Downloading the latest artifacts + +It is possible to download the latest artifacts of a job via a well known URL +so you can use it for scripting purposes. + +NOTE: **Note:** +The latest artifacts are created by jobs in the **most recent** successful pipeline +for the specific ref. If you run two types of pipelines for the same ref, the latest +artifact will be determined by timing. For example, if a branch pipeline created +by merging a merge request runs at the same time as a scheduled pipeline, the +latest artifact will be from the pipeline that completed most recently. + +Artifacts for other pipelines can be accessed with direct access to them. + +The structure of the URL to download the whole artifacts archive is the following: + +```plaintext +https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/download?job=<job_name> +``` + +To download a single file from the artifacts use the following URL: + +```plaintext +https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/raw/<path_to_file>?job=<job_name> +``` + +For example, to download the latest artifacts of the job named `coverage` of +the `master` branch of the `gitlab` project that belongs to the `gitlab-org` +namespace, the URL would be: + +```plaintext +https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/download?job=coverage +``` + +To download the file `coverage/index.html` from the same +artifacts use the following URL: + +```plaintext +https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/raw/coverage/index.html?job=coverage +``` + +There is also a URL to browse the latest job artifacts: + +```plaintext +https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/browse?job=<job_name> +``` + +For example: + +```plaintext +https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/browse?job=coverage +``` + +There is also a URL to specific files, including html files that +are shown in [GitLab Pages](../../administration/pages/index.md): + +```plaintext +https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/file/<path>?job=<job_name> +``` + +For example, when a job `coverage` creates the artifact `htmlcov/index.html`, +you can access it at: + +```plaintext +https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/file/htmlcov/index.html?job=coverage +``` + +The latest builds are also exposed in the UI in various places. Specifically, +look for the download button in: + +- The main project's page +- The branches page +- The tags page + +If the latest job has failed to upload the artifacts, you can see that +information in the UI. + +![Latest artifacts button](img/job_latest_artifacts_browser.png) + +## Erasing artifacts + +DANGER: **Warning:** +This is a destructive action that leads to data loss. Use with caution. + +You can erase a single job via the UI, which will also remove the job's +artifacts and trace, if you are: + +- The owner of the job. +- A [Maintainer](../../user/permissions.md#gitlab-cicd-permissions) of the project. + +To erase a job: + +1. Navigate to a job's page. +1. Click the trash icon at the top right of the job's trace. +1. Confirm the deletion. + +## Retrieve artifacts of private projects when using GitLab CI + +In order to retrieve a job artifact of a different project, you might need to use a private token in order to [authenticate and download](../../api/jobs.md#get-job-artifacts) the artifacts. + +[expiry date]: ../yaml/README.md#artifactsexpire_in +[ce-14399]: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14399 +[gitlab-16675]: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/16675 + +<!-- ## Troubleshooting + +Include any troubleshooting steps that you can foresee. If you know beforehand what issues +one might have when setting this up, or when something is changed, or on upgrading, it's +important to describe those, too. Think of things that may go wrong and include them here. +This is important to minimize requests for support, and to avoid doc comments with +questions that you know someone might ask. + +Each scenario can be a third-level heading, e.g. `### Getting error message X`. +If you have none to add when creating a doc, leave this section in place +but commented out to help encourage others to add to it in the future. --> diff --git a/doc/ci/yaml/README.md b/doc/ci/yaml/README.md index e86668cbe11..d4d3127b444 100644 --- a/doc/ci/yaml/README.md +++ b/doc/ci/yaml/README.md @@ -1902,7 +1902,7 @@ attached to the job when it [succeeds, fails, or always](#artifactswhen). The artifacts will be sent to GitLab after the job finishes and will be available for download in the GitLab UI. -[Read more about artifacts](../../user/project/pipelines/job_artifacts.md). +[Read more about artifacts](../pipelines/job_artifacts.md). #### `artifacts:paths` @@ -1956,7 +1956,7 @@ release-job: > [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/15018) in GitLab 12.5. -The `expose_as` keyword can be used to expose [job artifacts](../../user/project/pipelines/job_artifacts.md) +The `expose_as` keyword can be used to expose [job artifacts](../pipelines/job_artifacts.md) in the [merge request](../../user/project/merge_requests/index.md) UI. For example, to match a single file: @@ -1986,7 +1986,7 @@ Note the following: - A maximum of 10 job artifacts per merge request can be exposed. - Glob patterns are unsupported. -- If a directory is specified, the link will be to the job [artifacts browser](../../user/project/pipelines/job_artifacts.md#browsing-artifacts) if there is more than +- If a directory is specified, the link will be to the job [artifacts browser](../pipelines/job_artifacts.md#browsing-artifacts) if there is more than one file in the directory. - For exposed single file artifacts with `.html`, `.htm`, `.txt`, `.json`, `.xml`, and `.log` extensions, if [GitLab Pages](../../administration/pages/index.md) is: @@ -2368,7 +2368,7 @@ deploy: If the artifacts of the job that is set as a dependency have been [expired](#artifactsexpire_in) or -[erased](../../user/project/pipelines/job_artifacts.md#erasing-artifacts), then +[erased](../pipelines/job_artifacts.md#erasing-artifacts), then the dependent job will fail. NOTE: **Note:** diff --git a/doc/user/clusters/applications.md b/doc/user/clusters/applications.md index 3fa909357e6..db629b2cf34 100644 --- a/doc/user/clusters/applications.md +++ b/doc/user/clusters/applications.md @@ -523,7 +523,7 @@ A GitLab CI pipeline will then run on the `master` branch to install the applications you have configured. In case of pipeline failure, the output of the [Helm Tiller](https://v2.helm.sh/docs/install/#running-tiller-locally) binary -will be saved as a [CI job artifact](../project/pipelines/job_artifacts.md). +will be saved as a [CI job artifact](../../ci/pipelines/job_artifacts.md). ### Install Ingress using GitLab CI diff --git a/doc/user/packages/npm_registry/index.md b/doc/user/packages/npm_registry/index.md index 6c531dfe369..ac21459d137 100644 --- a/doc/user/packages/npm_registry/index.md +++ b/doc/user/packages/npm_registry/index.md @@ -117,11 +117,11 @@ npm config set @foo:registry https://gitlab.com/api/v4/packages/npm/ # Add the token for the scoped packages URL. This will allow you to download # `@foo/` packages from private projects. -npm config set '//gitlab.com/api/v4/projects/<your_project_id>/packages/npm/:_authToken' "<your_token>" +npm config set '//gitlab.com/api/v4/packages/npm/:_authToken' "<your_token>" # Add token for uploading to the registry. Replace <your_project_id> # with the project you want your package to be uploaded to. -npm config set '//gitlab.com/api/v4/packages/npm/:_authToken' "<your_token>" +npm config set '//gitlab.com/api/v4/projects/<your_project_id>/packages/npm/:_authToken' "<your_token>" ``` Replace `<your_project_id>` with your project ID which can be found on the home page diff --git a/doc/user/project/merge_requests/accessibility_testing.md b/doc/user/project/merge_requests/accessibility_testing.md index 3d44f342715..a800ab6aec9 100644 --- a/doc/user/project/merge_requests/accessibility_testing.md +++ b/doc/user/project/merge_requests/accessibility_testing.md @@ -46,7 +46,7 @@ Pa11y against the webpage you defined in `a11y_urls` to build a report. NOTE: **Note:** Only one URL may be currently passed into `a11y_urls`. -The full HTML Pa11y report will be saved as an artifact that can be [viewed directly in your browser](../pipelines/job_artifacts.md#browsing-artifacts). +The full HTML Pa11y report will be saved as an artifact that can be [viewed directly in your browser](../../../ci/pipelines/job_artifacts.md#browsing-artifacts). NOTE: **Note:** The job definition provided by the template does not support Kubernetes yet. diff --git a/doc/user/project/merge_requests/code_quality.md b/doc/user/project/merge_requests/code_quality.md index 21153588c31..7e600338678 100644 --- a/doc/user/project/merge_requests/code_quality.md +++ b/doc/user/project/merge_requests/code_quality.md @@ -269,7 +269,7 @@ Once the Code Quality job has completed: The Code Quality widget in the merge request compares the reports from the base and head of the branch, then lists any violations that will be resolved or created when the branch is merged. - The full JSON report is available as a - [downloadable artifact](../../project/pipelines/job_artifacts.html#downloading-artifacts) + [downloadable artifact](../../../ci/pipelines/job_artifacts.html#downloading-artifacts) for the `code_quality` job. If multiple jobs in a pipeline generate a code quality artifact, only the artifact from diff --git a/doc/user/project/pipelines/job_artifacts.md b/doc/user/project/pipelines/job_artifacts.md index cc6450ff907..5892a1be494 100644 --- a/doc/user/project/pipelines/job_artifacts.md +++ b/doc/user/project/pipelines/job_artifacts.md @@ -1,214 +1,5 @@ --- -type: reference, howto +redirect_to: '../../../ci/pipelines/job_artifacts.md' --- -# Introduction to job artifacts - -> - Introduced in GitLab 8.2 and GitLab Runner 0.7.0. -> - Starting with GitLab 8.4 and GitLab Runner 1.0, the artifacts archive format changed to `ZIP`, and it is now possible to browse its contents, with the added ability of downloading the files separately. -> - In GitLab 8.17, builds were renamed to jobs. -> - The artifacts browser will be available only for new artifacts that are sent to GitLab using GitLab Runner version 1.0 and up. It will not be possible to browse old artifacts already uploaded to GitLab. - -Job artifacts are a list of files and directories created by a job -once it finishes. This feature is [enabled by default](../../../administration/job_artifacts.md) in all -GitLab installations. - -Job artifacts created by GitLab Runner are uploaded to GitLab and are downloadable as a single archive using the GitLab UI or the [GitLab API](../../../api/jobs.md#get-job-artifacts). - -<i class="fa fa-youtube-play youtube" aria-hidden="true"></i> -For an overview, watch the video [GitLab CI Pipeline, Artifacts, and Environments](https://www.youtube.com/watch?v=PCKDICEe10s). -Watch also [GitLab CI pipeline tutorial for beginners](https://www.youtube.com/watch?v=Jav4vbUrqII). - -## Defining artifacts in `.gitlab-ci.yml` - -A simple example of using the artifacts definition in `.gitlab-ci.yml` would be -the following: - -```yaml -pdf: - script: xelatex mycv.tex - artifacts: - paths: - - mycv.pdf - expire_in: 1 week -``` - -A job named `pdf` calls the `xelatex` command in order to build a pdf file from -the latex source file `mycv.tex`. We then define the `artifacts` paths which in -turn are defined with the `paths` keyword. All paths to files and directories -are relative to the repository that was cloned during the build. - -The artifacts will be uploaded when the job succeeds by default, but can be set to upload -when the job fails, or always, if the [`artifacts:when`](../../../ci/yaml/README.md#artifactswhen) -parameter is used. These uploaded artifacts will be kept in GitLab for 1 week as defined -by the `expire_in` definition. You have the option to keep the artifacts from expiring -via the [web interface](#browsing-artifacts). If the expiry time is not defined, it defaults -to the [instance wide setting](../../admin_area/settings/continuous_integration.md#default-artifacts-expiration-core-only). - -For more examples on artifacts, follow the [artifacts reference in -`.gitlab-ci.yml`](../../../ci/yaml/README.md#artifacts). - -## Browsing artifacts - -> - From GitLab 9.2, PDFs, images, videos, and other formats can be previewed directly in the job artifacts browser without the need to download them. -> - Introduced in [GitLab 10.1][ce-14399], HTML files in a public project can be previewed directly in a new tab without the need to download them when [GitLab Pages](../../../administration/pages/index.md) is enabled. The same applies for textual formats (currently supported extensions: `.txt`, `.json`, and `.log`). -> - Introduced in [GitLab 12.4][gitlab-16675], artifacts in private projects can be previewed when [GitLab Pages access control](../../../administration/pages/index.md#access-control) is enabled. - -After a job finishes, if you visit the job's specific page, there are three -buttons. You can download the artifacts archive or browse its contents, whereas -the **Keep** button appears only if you have set an [expiry date] to the -artifacts in case you changed your mind and want to keep them. - -![Job artifacts browser button](img/job_artifacts_browser_button.png) - -The archive browser shows the name and the actual file size of each file in the -archive. If your artifacts contained directories, then you are also able to -browse inside them. - -Below you can see what browsing looks like. In this case we have browsed inside -the archive and at this point there is one directory, a couple files, and -one HTML file that you can view directly online when -[GitLab Pages](../../../administration/pages/index.md) is enabled (opens in a new tab). - -![Job artifacts browser](img/job_artifacts_browser.png) - -## Downloading artifacts - -If you need to download the whole archive, there are buttons in various places -in the GitLab UI to do this: - -1. While on the pipelines page, you can see the download icon for each job's - artifacts archive in the right corner: - - ![Job artifacts in Pipelines page](img/job_artifacts_pipelines_page.png) - -1. While on the **Jobs** page, you can see the download icon for each job's - artifacts archive in the right corner: - - ![Job artifacts in Builds page](img/job_artifacts_builds_page.png) - -1. While inside a specific job, you are presented with a download button - along with the one that browses the archive: - - ![Job artifacts browser button](img/job_artifacts_browser_button.png) - -1. And finally, when browsing an archive you can see the download button at - the top right corner: - - ![Job artifacts browser](img/job_artifacts_browser.png) - -## Downloading the latest artifacts - -It is possible to download the latest artifacts of a job via a well known URL -so you can use it for scripting purposes. - -NOTE: **Note:** -The latest artifacts are created by jobs in the **most recent** successful pipeline -for the specific ref. If you run two types of pipelines for the same ref, the latest -artifact will be determined by timing. For example, if a branch pipeline created -by merging a merge request runs at the same time as a scheduled pipeline, the -latest artifact will be from the pipeline that completed most recently. - -Artifacts for other pipelines can be accessed with direct access to them. - -The structure of the URL to download the whole artifacts archive is the following: - -```plaintext -https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/download?job=<job_name> -``` - -To download a single file from the artifacts use the following URL: - -```plaintext -https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/raw/<path_to_file>?job=<job_name> -``` - -For example, to download the latest artifacts of the job named `coverage` of -the `master` branch of the `gitlab` project that belongs to the `gitlab-org` -namespace, the URL would be: - -```plaintext -https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/download?job=coverage -``` - -To download the file `coverage/index.html` from the same -artifacts use the following URL: - -```plaintext -https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/raw/coverage/index.html?job=coverage -``` - -There is also a URL to browse the latest job artifacts: - -```plaintext -https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/browse?job=<job_name> -``` - -For example: - -```plaintext -https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/browse?job=coverage -``` - -There is also a URL to specific files, including html files that -are shown in [GitLab Pages](../../../administration/pages/index.md): - -```plaintext -https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/file/<path>?job=<job_name> -``` - -For example, when a job `coverage` creates the artifact `htmlcov/index.html`, -you can access it at: - -```plaintext -https://gitlab.com/gitlab-org/gitlab/-/jobs/artifacts/master/file/htmlcov/index.html?job=coverage -``` - -The latest builds are also exposed in the UI in various places. Specifically, -look for the download button in: - -- The main project's page -- The branches page -- The tags page - -If the latest job has failed to upload the artifacts, you can see that -information in the UI. - -![Latest artifacts button](img/job_latest_artifacts_browser.png) - -## Erasing artifacts - -DANGER: **Warning:** -This is a destructive action that leads to data loss. Use with caution. - -You can erase a single job via the UI, which will also remove the job's -artifacts and trace, if you are: - -- The owner of the job. -- A [Maintainer](../../permissions.md#gitlab-cicd-permissions) of the project. - -To erase a job: - -1. Navigate to a job's page. -1. Click the trash icon at the top right of the job's trace. -1. Confirm the deletion. - -## Retrieve artifacts of private projects when using GitLab CI - -In order to retrieve a job artifact of a different project, you might need to use a private token in order to [authenticate and download](../../../api/jobs.md#get-job-artifacts) the artifacts. - -[expiry date]: ../../../ci/yaml/README.md#artifactsexpire_in -[ce-14399]: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14399 -[gitlab-16675]: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/16675 - -<!-- ## Troubleshooting - -Include any troubleshooting steps that you can foresee. If you know beforehand what issues -one might have when setting this up, or when something is changed, or on upgrading, it's -important to describe those, too. Think of things that may go wrong and include them here. -This is important to minimize requests for support, and to avoid doc comments with -questions that you know someone might ask. - -Each scenario can be a third-level heading, e.g. `### Getting error message X`. -If you have none to add when creating a doc, leave this section in place -but commented out to help encourage others to add to it in the future. --> +This document was moved to [pipelines/job_artifacts.md](../../../ci/pipelines/job_artifacts.md). diff --git a/lib/gitlab/x509/commit.rb b/lib/gitlab/x509/commit.rb index ce298b80a4c..b1d15047981 100644 --- a/lib/gitlab/x509/commit.rb +++ b/lib/gitlab/x509/commit.rb @@ -105,13 +105,22 @@ module Gitlab def certificate_crl extension = get_certificate_extension('crlDistributionPoints') - extension.split('URI:').each do |item| - item.strip + crl_url = nil - if item.start_with?("http") - return item.strip + extension.each_line do |line| + break if crl_url + + line.split('URI:').each do |item| + item.strip + + if item.start_with?("http") + crl_url = item.strip + break + end end end + + crl_url end def get_certificate_extension(extension) diff --git a/package.json b/package.json index 03fa5799adc..6f44ec9924a 100644 --- a/package.json +++ b/package.json @@ -43,7 +43,7 @@ "@gitlab/ui": "^9.23.0", "@gitlab/visual-review-tools": "1.5.1", "@sentry/browser": "^5.10.2", - "@sourcegraph/code-host-integration": "0.0.30", + "@sourcegraph/code-host-integration": "0.0.31", "apollo-cache-inmemory": "^1.6.3", "apollo-client": "^2.6.4", "apollo-link": "^1.2.11", diff --git a/spec/helpers/x509_helper_spec.rb b/spec/helpers/x509_helper_spec.rb new file mode 100644 index 00000000000..dcdf57ce035 --- /dev/null +++ b/spec/helpers/x509_helper_spec.rb @@ -0,0 +1,60 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe X509Helper do + describe '#x509_subject' do + let(:search_uppercase) { %w[CN OU O] } + let(:search_lowercase) { %w[cn ou o] } + let(:certificate_attributes) do + { + 'CN' => 'CA Issuing', + 'OU' => 'Trust Center', + 'O' => 'Example' + } + end + + context 'with uppercase DN' do + let(:upper_dn) { 'CN=CA Issuing,OU=Trust Center,O=Example,L=World,C=Galaxy' } + + it 'returns the attributes on any case search' do + expect(x509_subject(upper_dn, search_lowercase)).to eq(certificate_attributes) + expect(x509_subject(upper_dn, search_uppercase)).to eq(certificate_attributes) + end + end + + context 'with lowercase DN' do + let(:lower_dn) { 'cn=CA Issuing,ou=Trust Center,o=Example,l=World,c=Galaxy' } + + it 'returns the attributes on any case search' do + expect(x509_subject(lower_dn, search_lowercase)).to eq(certificate_attributes) + expect(x509_subject(lower_dn, search_uppercase)).to eq(certificate_attributes) + end + end + + context 'with comma within DN' do + let(:comma_dn) { 'cn=CA\, Issuing,ou=Trust Center,o=Example,l=World,c=Galaxy' } + let(:certificate_attributes) do + { + 'CN' => 'CA, Issuing', + 'OU' => 'Trust Center', + 'O' => 'Example' + } + end + + it 'returns the attributes on any case search' do + expect(x509_subject(comma_dn, search_lowercase)).to eq(certificate_attributes) + expect(x509_subject(comma_dn, search_uppercase)).to eq(certificate_attributes) + end + end + + context 'with mal formed DN' do + let(:bad_dn) { 'cn=CA, Issuing,ou=Trust Center,o=Example,l=World,c=Galaxy' } + + it 'returns nil on any case search' do + expect(x509_subject(bad_dn, search_lowercase)).to eq({}) + expect(x509_subject(bad_dn, search_uppercase)).to eq({}) + end + end + end +end diff --git a/spec/lib/gitlab/x509/commit_spec.rb b/spec/lib/gitlab/x509/commit_spec.rb index 9cddf27ddce..c31e9e4b8e6 100644 --- a/spec/lib/gitlab/x509/commit_spec.rb +++ b/spec/lib/gitlab/x509/commit_spec.rb @@ -204,5 +204,38 @@ describe Gitlab::X509::Commit do expect(described_class.new(commit).signature).to be_nil end end + + context 'certificate_crl' do + let!(:commit) { create :commit, project: project, sha: commit_sha, created_at: Time.utc(2019, 1, 1, 20, 15, 0), committer_email: X509Helpers::User1.emails.first } + let(:signed_commit) { described_class.new(commit) } + + describe 'valid crlDistributionPoints' do + before do + allow(signed_commit).to receive(:get_certificate_extension).and_call_original + + allow(signed_commit).to receive(:get_certificate_extension) + .with('crlDistributionPoints') + .and_return("\nFull Name:\n URI:http://ch.siemens.com/pki?ZZZZZZA2.crl\n URI:ldap://cl.siemens.net/CN=ZZZZZZA2,L=PKI?certificateRevocationList\n URI:ldap://cl.siemens.com/CN=ZZZZZZA2,o=Trustcenter?certificateRevocationList\n") + end + + it 'returns an unverified signature' do + expect(signed_commit.signature.x509_certificate.x509_issuer).to have_attributes(user1_issuer_attributes) + end + end + + describe 'valid crlDistributionPoints providing multiple http URIs' do + before do + allow(signed_commit).to receive(:get_certificate_extension).and_call_original + + allow(signed_commit).to receive(:get_certificate_extension) + .with('crlDistributionPoints') + .and_return("\nFull Name:\n URI:http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl\n\nFull Name:\n URI:http://cdp2.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl\n") + end + + it 'extracts the first URI' do + expect(signed_commit.signature.x509_certificate.x509_issuer.crl_url).to eq("http://cdp1.pca.dfn.de/dfn-ca-global-g2/pub/crl/cacrl.crl") + end + end + end end end diff --git a/spec/support/shared_examples/models/cluster_application_status_shared_examples.rb b/spec/support/shared_examples/models/cluster_application_status_shared_examples.rb index 6c772ddf897..37f1b33d455 100644 --- a/spec/support/shared_examples/models/cluster_application_status_shared_examples.rb +++ b/spec/support/shared_examples/models/cluster_application_status_shared_examples.rb @@ -264,6 +264,8 @@ RSpec.shared_examples 'cluster application status specs' do |application_name| describe '#available?' do using RSpec::Parameterized::TableSyntax + let_it_be(:cluster) { create(:cluster, :provided_by_gcp) } + where(:trait, :available) do :not_installable | false :installable | false @@ -280,7 +282,7 @@ RSpec.shared_examples 'cluster application status specs' do |application_name| end with_them do - subject { build(application_name, trait) } + subject { build(application_name, trait, cluster: cluster) } if params[:available] it { is_expected.to be_available } diff --git a/spec/support/shared_examples/models/cluster_application_version_shared_examples.rb b/spec/support/shared_examples/models/cluster_application_version_shared_examples.rb index e293467774e..cf7010c48c2 100644 --- a/spec/support/shared_examples/models/cluster_application_version_shared_examples.rb +++ b/spec/support/shared_examples/models/cluster_application_version_shared_examples.rb @@ -2,16 +2,18 @@ RSpec.shared_examples 'cluster application version specs' do |application_name| describe 'update_available?' do + let_it_be(:cluster) { create(:cluster, :provided_by_gcp) } + let(:version) { '0.0.0' } - subject { create(application_name, :installed, version: version).update_available? } + subject { build(application_name, :installed, version: version, cluster: cluster).update_available? } context 'version is not the same as VERSION' do it { is_expected.to be_truthy } end context 'version is the same as VERSION' do - let(:application) { build(application_name) } + let(:application) { build(application_name, cluster: cluster) } let(:version) { application.class.const_get(:VERSION, false) } it { is_expected.to be_falsey } diff --git a/spec/workers/concerns/gitlab/github_import/notify_upon_death_spec.rb b/spec/workers/concerns/gitlab/notify_upon_death_spec.rb index 200cdffd560..1c75ac99227 100644 --- a/spec/workers/concerns/gitlab/github_import/notify_upon_death_spec.rb +++ b/spec/workers/concerns/gitlab/notify_upon_death_spec.rb @@ -2,11 +2,11 @@ require 'spec_helper' -describe Gitlab::GithubImport::NotifyUponDeath do +describe Gitlab::NotifyUponDeath do let(:worker_class) do Class.new do include Sidekiq::Worker - include Gitlab::GithubImport::NotifyUponDeath + include Gitlab::NotifyUponDeath end end diff --git a/yarn.lock b/yarn.lock index b15f8fb2ce1..83ec5ec912d 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1051,10 +1051,10 @@ "@sentry/types" "5.10.0" tslib "^1.9.3" -"@sourcegraph/code-host-integration@0.0.30": - version "0.0.30" - resolved "https://registry.yarnpkg.com/@sourcegraph/code-host-integration/-/code-host-integration-0.0.30.tgz#85f52eca0f8fd5efb1526a7ec6a09d261ab43bda" - integrity sha512-5zBN0/oa1c0lY0+MPb2kEs9NqefvOg0NevDQXqQpLHDOx+TtMzC2uEOQiBnyHm2bWcCl/RFatjvNlEV+reGgnA== +"@sourcegraph/code-host-integration@0.0.31": + version "0.0.31" + resolved "https://registry.yarnpkg.com/@sourcegraph/code-host-integration/-/code-host-integration-0.0.31.tgz#c4d6c7adaaf937e4b8a143c206020e110ba73e25" + integrity sha512-b0WQ1CKlEx9S+IHRs1YNRO7CcwW06ulQU6D+W9cQlfjJu+qQVTAvkyv1xjySkfrCNK8IcfVd8WZzWIhP16VVfw== "@types/anymatch@*": version "1.3.0" |