49 files changed, 262 insertions, 97 deletions
diff --git a/GITALY_SERVER_VERSION b/GITALY_SERVER_VERSION index 011f9310c90..16e5c4e4738 100644 --- a/GITALY_SERVER_VERSION +++ b/GITALY_SERVER_VERSION @@ -1 +1 @@ -381df30b1b49b9fcfbc1e4107a106a70f1403c7d +89c1ee804f273c9ccc7322644b9ec1cf8e38c0a4 @@ -48,7 +48,7 @@ gem 'omniauth-authentiq', '~> 0.3.3' gem 'omniauth_openid_connect', '~> 0.3.5' gem 'omniauth-salesforce', '~> 1.0.5' gem 'omniauth-atlassian-oauth2', '~> 0.2.0' -gem 'rack-oauth2', '~> 1.9.3' +gem 'rack-oauth2', '~> 1.16.0' gem 'jwt', '~> 2.1.0' # Kerberos authentication. EE-only diff --git a/Gemfile.lock b/Gemfile.lock index c95223b8ff1..64179847dd8 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -70,7 +70,7 @@ GEM memoizable (~> 0.4.0) addressable (2.7.0) public_suffix (>= 2.0.2, < 5.0) - aes_key_wrap (1.0.1) + aes_key_wrap (1.1.0) akismet (3.0.0) android_key_attestation (0.3.0) apollo_upload_server (2.0.2) @@ -132,7 +132,7 @@ GEM coderay (>= 1.0.0) erubi (>= 1.0.0) rack (>= 0.9.0) - bindata (2.4.3) + bindata (2.4.8) binding_ninja (0.2.3) bootsnap (1.4.6) msgpack (~> 1.0) @@ -613,7 +613,7 @@ GEM regexp_parser (~> 1.5) regexp_property_values (~> 0.3) json (2.3.0) - json-jwt (1.11.0) + json-jwt (1.13.0) activesupport (>= 4.2) aes_key_wrap bindata @@ -874,12 +874,12 @@ GEM rack (>= 1.0, < 3) rack-cors (1.0.6) rack (>= 1.6.0) - rack-oauth2 (1.9.3) + rack-oauth2 (1.16.0) activesupport attr_required httpclient - json-jwt (>= 1.9.0) - rack + json-jwt (>= 1.11.0) + rack (>= 2.1.0) rack-protection (2.0.5) rack rack-proxy (0.6.0) @@ -1449,7 +1449,7 @@ DEPENDENCIES rack (~> 2.2.3) rack-attack (~> 6.3.0) rack-cors (~> 1.0.6) - rack-oauth2 (~> 1.9.3) + rack-oauth2 (~> 1.16.0) rack-proxy (~> 0.6.0) rack-timeout (~> 0.5.1) rails (~> 6.0.3.1) diff --git a/app/assets/javascripts/feature_flags/components/feature_flags.vue b/app/assets/javascripts/feature_flags/components/feature_flags.vue index eb7046a3d9b..340cf68793f 100644 --- a/app/assets/javascripts/feature_flags/components/feature_flags.vue 
+++ b/app/assets/javascripts/feature_flags/components/feature_flags.vue
@@ -278,7 +278,7 @@ export default {
 />
 </feature-flags-tab>
 <template #tabs-end>
- <div
+ <li
 class="gl-display-none gl-display-md-flex gl-align-items-center gl-flex-fill-1 gl-justify-content-end"
 >
 <gl-button
@@ -313,7 +313,7 @@ export default {
 >
 {{ s__('FeatureFlags|New feature flag') }}
 </gl-button>
- </div>
+ </li>
 </template>
 </gl-tabs>
 </div>
diff --git a/changelogs/unreleased/sy-add-new-incidents-to-usage-ping.yml b/changelogs/unreleased/sy-add-new-incidents-to-usage-ping.yml
new file mode 100644
index 00000000000..7b8f1af281c
--- /dev/null
+++ b/changelogs/unreleased/sy-add-new-incidents-to-usage-ping.yml
@@ -0,0 +1,5 @@
+---
+title: Add new incident counts to usage ping
+merge_request: 46602
+author:
+type: changed
diff --git a/changelogs/unreleased/token-revocation.yml b/changelogs/unreleased/token-revocation.yml
new file mode 100644
index 00000000000..ea3df0ade6f
--- /dev/null
+++ b/changelogs/unreleased/token-revocation.yml
@@ -0,0 +1,5 @@
+---
+title: Add a service for token revocation
+merge_request: 46356
+author:
+type: added
diff --git a/changelogs/unreleased/vfazio-update-rack-oauth2.yml b/changelogs/unreleased/vfazio-update-rack-oauth2.yml
new file mode 100644
index 00000000000..1f7612b573f
--- /dev/null
+++ b/changelogs/unreleased/vfazio-update-rack-oauth2.yml
@@ -0,0 +1,5 @@
+---
+title: Update rack-oauth2 to v1.16.0
+merge_request: 47839
+author: Vincent Fazio @vfazio
+type: changed
diff --git a/config/feature_flags/development/codequality_mr_diff.yml b/config/feature_flags/development/codequality_mr_diff.yml
new file mode 100644
index 00000000000..ca6846b9390
--- /dev/null
+++ b/config/feature_flags/development/codequality_mr_diff.yml
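Review bot: The `<div>`→`<li>` swap inside the `#tabs-end` slot carries no explanation, and nothing in the hunk says why an `<li>` is the right element; presumably the slot content is rendered inside the tabs `<ul>`, where a `<div>` is not valid list content. A one-line template comment above the element would keep the next refactor from reverting it: `<!-- #tabs-end renders inside the tabs <ul>, so this must be an <li>, not a <div> -->`. If that `<ul>` carries a tablist role, it is also worth checking whether this non-tab `<li>` needs `role="presentation"` so assistive technology does not count the button container as a tab. The enclosing `<gl-tabs>` markup starts before the first hunk.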
@@ -0,0 +1,8 @@
+---
+name: codequality_mr_diff
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/47938
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/284140
+milestone: '13.7'
+type: development
+group: group::testing
+default_enabled: false
diff --git a/db/migrate/20201102184743_add_index_to_incident_issues_on_project_and_created_at.rb b/db/migrate/20201102184743_add_index_to_incident_issues_on_project_and_created_at.rb
new file mode 100644
index 00000000000..1fd900002c3
--- /dev/null
+++ b/db/migrate/20201102184743_add_index_to_incident_issues_on_project_and_created_at.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class AddIndexToIncidentIssuesOnProjectAndCreatedAt < ActiveRecord::Migration[6.0]
+ include Gitlab::Database::MigrationHelpers
+
+ INCIDENT_TYPE = 1
+ OLD_INDEX_NAME = 'index_issues_project_id_issue_type_incident'
+ NEW_INDEX_NAME = 'index_issues_on_project_id_and_created_at_issue_type_incident'
+
+ DOWNTIME = false
+ disable_ddl_transaction!
+
+ def up
+ add_concurrent_index :issues,
+ [:project_id, :created_at],
+ where: "issue_type = #{INCIDENT_TYPE}",
+ name: NEW_INDEX_NAME
+
+ remove_concurrent_index_by_name :issues, OLD_INDEX_NAME
+ end
+
+ def down
+ add_concurrent_index :issues,
+ :project_id,
+ where: "issue_type = #{INCIDENT_TYPE}",
+ name: OLD_INDEX_NAME
+
+ remove_concurrent_index_by_name :issues, NEW_INDEX_NAME
+ end
+end
diff --git a/db/migrate/20201109180311_add_secret_detection_revocation_token_types_application_settings.rb b/db/migrate/20201109180311_add_secret_detection_revocation_token_types_application_settings.rb
new file mode 100644
index 00000000000..0823655f92f
--- /dev/null
+++ b/db/migrate/20201109180311_add_secret_detection_revocation_token_types_application_settings.rb
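Review bot: `INCIDENT_TYPE = 1` is interpolated straight into the `where:` SQL fragment in both `up` and `down` of `AddIndexToIncidentIssuesOnProjectAndCreatedAt` with no note on where the value comes from; that is safe only because it is an integer literal inside the migration, and a reader has to take on trust that it matches the `issue_type` value the old partial index was built on. A comment would pin both facts: `# issue_type value for incidents (mirrors the issues.issue_type enum in the model — verify there); kept as a literal so the migration does not load model code`. The class would also benefit from a header line saying why the index is being replaced, presumably that the new `(project_id, created_at)` partial index serves every query the single-column `project_id` one did, which is what makes dropping `OLD_INDEX_NAME` in `up` safe — I cannot confirm that from the hunk alone.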
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class AddSecretDetectionRevocationTokenTypesApplicationSettings < ActiveRecord::Migration[6.0]
+ DOWNTIME = false
+
+ def up
+ add_column :application_settings, :secret_detection_revocation_token_types_url, :text, null: true # rubocop:disable Migration/AddLimitToTextColumns
+ end
+
+ def down
+ remove_column :application_settings, :secret_detection_revocation_token_types_url
+ end
+end
diff --git a/db/migrate/20201109184023_add_text_limit_to_secret_detection_revocation_token_types_application_settings.rb b/db/migrate/20201109184023_add_text_limit_to_secret_detection_revocation_token_types_application_settings.rb
new file mode 100644
index 00000000000..9e0329aafcc
--- /dev/null
+++ b/db/migrate/20201109184023_add_text_limit_to_secret_detection_revocation_token_types_application_settings.rb
@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+class AddTextLimitToSecretDetectionRevocationTokenTypesApplicationSettings < ActiveRecord::Migration[6.0]
+ include Gitlab::Database::MigrationHelpers
+
+ DOWNTIME = false
+
+ disable_ddl_transaction!
+
+ def up
+ add_text_limit :application_settings, :secret_detection_revocation_token_types_url, 255
+ end
+
+ def down
+ remove_text_limit :application_settings, :secret_detection_revocation_token_types_url
+ end
+end
diff --git a/db/schema_migrations/20201102184743 b/db/schema_migrations/20201102184743
new file mode 100644
index 00000000000..da002122e5d
--- /dev/null
+++ b/db/schema_migrations/20201102184743
@@ -0,0 +1 @@
+040e73d690cb315627fe16c931273aa1f86dfabb481dc2086f787d067b87642f
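Review bot: The `# rubocop:disable Migration/AddLimitToTextColumns` on the `add_column` line in `AddSecretDetectionRevocationTokenTypesApplicationSettings` is unexplained; the limit is applied by the separate `AddTextLimitToSecretDetectionRevocationTokenTypesApplicationSettings` migration (20201109184023) in this same commit, and naming it here tells a reviewer the disable is deliberate rather than an oversight: `# limit added by 20201109184023 via add_text_limit; text columns get their check constraint in a follow-up migration`. Neither migration constrains the stored value beyond the 255-character length, which is all the schema should do; if this setting is a URL the application later calls outbound, the format and host validation belongs on the settings model, which is not part of this commit and should be confirmed there.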
\ No newline at end of file
diff --git a/db/schema_migrations/20201109180311 b/db/schema_migrations/20201109180311
new file mode 100644
index 00000000000..0752e2dabb3
--- /dev/null
+++ b/db/schema_migrations/20201109180311
@@ -0,0 +1 @@
+49143d2a7dd0a53c051151b0cdc93745a0fa1b01e6d54bb663e147c2064d9290
\ No newline at end of file
diff --git a/db/schema_migrations/20201109184023 b/db/schema_migrations/20201109184023
new file mode 100644
index 00000000000..7a66c0f0f4c
--- /dev/null
+++ b/db/schema_migrations/20201109184023
@@ -0,0 +1 @@
+698bcedf387fc01fbb7f1899f0f7660ba86a197fa72cf71d998cc90e3d1da9f3
\ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 9887a7c161e..f29f9178a26 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -9344,6 +9344,7 @@ CREATE TABLE application_settings ( new_user_signups_cap integer, encrypted_cloud_license_auth_token text, encrypted_cloud_license_auth_token_iv text, + secret_detection_revocation_token_types_url text, CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)), CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)), CONSTRAINT check_51700b31b5 CHECK ((char_length(default_branch_name) <= 255)), @@ -9351,6 +9352,7 @@ CREATE TABLE application_settings ( CONSTRAINT check_85a39b68ff CHECK ((char_length(encrypted_ci_jwt_signing_key_iv) <= 255)), CONSTRAINT check_9a719834eb CHECK ((char_length(secret_detection_token_revocation_url) <= 255)), CONSTRAINT check_9c6c447a13 CHECK ((char_length(maintenance_mode_message) <= 255)), + CONSTRAINT check_a5704163cc CHECK ((char_length(secret_detection_revocation_token_types_url) <= 255)), CONSTRAINT check_d03919528d CHECK ((char_length(container_registry_vendor) <= 255)), CONSTRAINT check_d820146492 CHECK ((char_length(spam_check_endpoint_url) <= 255)), CONSTRAINT check_e5aba18f02 CHECK ((char_length(container_registry_version) <= 255)), @@ -21047,6 +21049,8 @@ CREATE INDEX index_issues_on_moved_to_id ON issues USING btree (moved_to_id) WHE CREATE INDEX index_issues_on_project_id_and_closed_at ON issues USING btree (project_id, closed_at); +CREATE INDEX index_issues_on_project_id_and_created_at_issue_type_incident ON issues USING btree (project_id, created_at) WHERE (issue_type = 1); + CREATE UNIQUE INDEX index_issues_on_project_id_and_external_key ON issues USING btree (project_id, external_key) WHERE (external_key IS NOT NULL); CREATE UNIQUE INDEX index_issues_on_project_id_and_iid ON issues USING btree (project_id, iid); 
@@ -21061,8 +21065,6 @@ CREATE INDEX index_issues_on_updated_at ON issues USING btree (updated_at); CREATE INDEX index_issues_on_updated_by_id ON issues USING btree (updated_by_id) WHERE (updated_by_id IS NOT NULL); -CREATE INDEX index_issues_project_id_issue_type_incident ON issues USING btree (project_id) WHERE (issue_type = 1); - CREATE UNIQUE INDEX index_jira_connect_installations_on_client_key ON jira_connect_installations USING btree (client_key); CREATE INDEX index_jira_connect_subscriptions_on_namespace_id ON jira_connect_subscriptions USING btree (namespace_id); diff --git a/doc/.vale/gitlab/SubstitutionSuggestions.yml b/doc/.vale/gitlab/SubstitutionSuggestions.yml index 9a8d44c8e79..df68961b1ce 100644 --- a/doc/.vale/gitlab/SubstitutionSuggestions.yml +++ b/doc/.vale/gitlab/SubstitutionSuggestions.yml @@ -12,7 +12,6 @@ level: suggestion ignorecase: true swap: since: because - utilize: use once that: after that once the: after the once you: after you diff --git a/doc/.vale/gitlab/SubstitutionWarning.yml b/doc/.vale/gitlab/SubstitutionWarning.yml index 68313a37e7d..ed0f8b498fe 100644 --- a/doc/.vale/gitlab/SubstitutionWarning.yml +++ b/doc/.vale/gitlab/SubstitutionWarning.yml @@ -18,3 +18,4 @@ swap: filesystem: file system info: information repo: repository + utilize: use diff --git a/doc/administration/geo/index.md b/doc/administration/geo/index.md index 8cecebee105..02b907ae237 100644 --- a/doc/administration/geo/index.md +++ b/doc/administration/geo/index.md 
@@ -49,7 +49,7 @@ Geo provides: - Read-only **secondary** nodes: Maintain one **primary** GitLab node while still enabling read-only **secondary** nodes for each of your distributed teams. - Authentication system hooks: **Secondary** nodes receives all authentication data (like user accounts and logins) from the **primary** instance. -- An intuitive UI: **Secondary** nodes utilize the same web interface your team has grown accustomed to. In addition, there are visual notifications that block write operations and make it clear that a user is on a **secondary** node. +- An intuitive UI: **Secondary** nodes use the same web interface your team has grown accustomed to. In addition, there are visual notifications that block write operations and make it clear that a user is on a **secondary** node. ## How it works diff --git a/doc/administration/load_balancer.md b/doc/administration/load_balancer.md index ae4fa83662a..410381ff2b0 100644 --- a/doc/administration/load_balancer.md +++ b/doc/administration/load_balancer.md @@ -114,7 +114,7 @@ Configure DNS for an alternate SSH hostname such as `altssh.gitlab.example.com`. ## Readiness check -It is strongly recommend that multi-node deployments configure load balancers to utilize the [readiness check](../user/admin_area/monitoring/health_check.md#readiness) to ensure a node is ready to accept traffic, before routing traffic to it. This is especially important when utilizing Puma, as there is a brief period during a restart where Puma will not accept requests. +It is strongly recommend that multi-node deployments configure load balancers to use the [readiness check](../user/admin_area/monitoring/health_check.md#readiness) to ensure a node is ready to accept traffic, before routing traffic to it. This is especially important when utilizing Puma, as there is a brief period during a restart where Puma will not accept requests. <!-- ## Troubleshooting 
diff --git a/doc/administration/monitoring/prometheus/index.md b/doc/administration/monitoring/prometheus/index.md index cc982d4a5fd..91f810dc681 100644 --- a/doc/administration/monitoring/prometheus/index.md +++ b/doc/administration/monitoring/prometheus/index.md @@ -26,7 +26,7 @@ access to high quality time-series monitoring of GitLab services. Prometheus works by periodically connecting to data sources and collecting their performance metrics through the [various exporters](#bundled-software-metrics). To view and work with the monitoring data, you can either -[connect directly to Prometheus](#viewing-performance-metrics) or utilize a +[connect directly to Prometheus](#viewing-performance-metrics) or use a dashboard tool like [Grafana](https://grafana.com). ## Configuring Prometheus diff --git a/doc/administration/operations/puma.md b/doc/administration/operations/puma.md index 2d53a790428..5104b65c86d 100644 --- a/doc/administration/operations/puma.md +++ b/doc/administration/operations/puma.md @@ -33,7 +33,7 @@ will _not_ carry over automatically, due to differences between the two applicat deployments, see [Configuring Puma Settings](https://docs.gitlab.com/omnibus/settings/puma.html#configuring-puma-settings). For Helm based deployments, see the [Webservice Chart documentation](https://docs.gitlab.com/charts/charts/gitlab/webservice/index.html). -Additionally we strongly recommend that multi-node deployments [configure their load balancers to utilize the readiness check](../load_balancer.md#readiness-check) due to a difference between Unicorn and Puma in how they handle connections during a restart of the service. +Additionally we strongly recommend that multi-node deployments [configure their load balancers to use the readiness check](../load_balancer.md#readiness-check) due to a difference between Unicorn and Puma in how they handle connections during a restart of the service. ## Performance caveat when using Puma with Rugged 
diff --git a/doc/administration/packages/dependency_proxy.md b/doc/administration/packages/dependency_proxy.md index 7a37bf4dcea..56b39658dc2 100644 --- a/doc/administration/packages/dependency_proxy.md +++ b/doc/administration/packages/dependency_proxy.md @@ -9,7 +9,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/7934) in [GitLab Premium](https://about.gitlab.com/pricing/) 11.11. > - [Moved](https://gitlab.com/gitlab-org/gitlab/-/issues/273655) to [GitLab Core](https://about.gitlab.com/pricing/) in GitLab 13.6. -GitLab can be utilized as a dependency proxy for a variety of common package managers. +GitLab can be used as a dependency proxy for a variety of common package managers. This is the administration documentation. If you want to learn how to use the dependency proxies, see the [user guide](../../user/packages/dependency_proxy/index.md). diff --git a/doc/administration/packages/index.md b/doc/administration/packages/index.md index e2809e7fc35..4af0de864ca 100644 --- a/doc/administration/packages/index.md +++ b/doc/administration/packages/index.md @@ -6,7 +6,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w # GitLab Package Registry administration -GitLab Packages allows organizations to utilize GitLab as a private repository +GitLab Packages allows organizations to use GitLab as a private repository for a variety of common package managers. Users are able to build and publish packages, which can be easily consumed as a dependency in downstream projects. diff --git a/doc/administration/troubleshooting/elasticsearch.md b/doc/administration/troubleshooting/elasticsearch.md index 5f29ed31ad7..12aa91e6f14 100644 --- a/doc/administration/troubleshooting/elasticsearch.md +++ b/doc/administration/troubleshooting/elasticsearch.md 
@@ -171,7 +171,7 @@ The first step is to confirm GitLab is using Elasticsearch for the search functi To do this: 1. Confirm the integration is enabled in **Admin Area > Settings > General**. -1. Confirm searches utilize Elasticsearch by accessing the rails console +1. Confirm searches use Elasticsearch by accessing the rails console (`sudo gitlab-rails console`) and running the following commands: ```rails diff --git a/doc/api/container_registry.md b/doc/api/container_registry.md index b45169e6336..ddfe5d3f238 100644 --- a/doc/api/container_registry.md +++ b/doc/api/container_registry.md @@ -280,7 +280,7 @@ This action doesn't delete blobs. To delete them and recycle disk space, Delete registry repository tags in bulk based on given criteria. <i class="fa fa-youtube-play youtube" aria-hidden="true"></i> -For an overview, see [Utilize the Container Registry API to delete all tags except *](https://youtu.be/Hi19bKe_xsg). +For an overview, see [Use the Container Registry API to delete all tags except *](https://youtu.be/Hi19bKe_xsg). ```plaintext DELETE /projects/:id/registry/repositories/:repository_id/tags diff --git a/doc/architecture/blueprints/image_resizing/index.md b/doc/architecture/blueprints/image_resizing/index.md index 4e4a1dc739b..47e2ad24960 100644 --- a/doc/architecture/blueprints/image_resizing/index.md +++ b/doc/architecture/blueprints/image_resizing/index.md 
@@ -46,14 +46,14 @@ The MVC Avatar resizing implementation is integrated into Workhorse. With the ex ## Iterations -1. [x] POC on different image resizing solutions -1. [x] Review solutions with security team -1. [x] Implement avatar resizing MVC -1. [ ] Deploy, measure, monitor -1. [ ] Clarify features for content image resizing -1. [ ] Weigh options between using current implementation of image resizing vs new solution -1. [ ] Implement content image resizing MVC -1. [ ] Deploy, measure, monitor +1. ✓ POC on different image resizing solutions +1. ✓ Review solutions with security team +1. ✓ Implement avatar resizing MVC +1. Deploy, measure, monitor +1. Clarify features for content image resizing +1. Weigh options between using current implementation of image resizing vs new solution +1. Implement content image resizing MVC +1. Deploy, measure, monitor ## Who diff --git a/doc/ci/runners/README.md b/doc/ci/runners/README.md index 2812e7c1108..4392fa3c78b 100644 --- a/doc/ci/runners/README.md +++ b/doc/ci/runners/README.md 
@@ -37,10 +37,10 @@ multiple projects. If you are using a self-managed instance of GitLab: -- Your administrator can install and register shared runners by - going to your project's **Settings > CI / CD**, expanding the - **Runners** section, and clicking **Show runner installation instructions**. - These instructions are also available [in the documentation](https://docs.gitlab.com/runner/install/index.html). +- Your administrator can install and register shared runners by [following the documentation](https://docs.gitlab.com/runner/install/index.html). + <!-- going to your project's--> + <!-- **Settings > CI / CD**, expanding the **Runners** section, and clicking **Show runner installation instructions**.--> + <!-- These instructions are also available [in the documentation](https://docs.gitlab.com/runner/install/index.html).--> - The administrator can also configure a maximum number of shared runner [pipeline minutes for each group](../../user/admin_area/settings/continuous_integration.md#shared-runners-pipeline-minutes-quota). diff --git a/doc/development/approval_rules.md b/doc/development/approval_rules.md index 735cc3fc7e2..d190f2b7c63 100644 --- a/doc/development/approval_rules.md +++ b/doc/development/approval_rules.md @@ -147,7 +147,7 @@ Whenever an approval is given/revoked, a record is created/deleted. ## Controllers and Services -The following controllers and services below are being utilized for the approval +The following controllers and services below are being used for the approval rules feature to work. ### `API::ProjectApprovalSettings` diff --git a/doc/development/architecture.md b/doc/development/architecture.md index 886823c29c4..a1097ad4ed6 100644 --- a/doc/development/architecture.md +++ b/doc/development/architecture.md 
@@ -945,7 +945,7 @@ processes: `puma master` (1 process), `puma cluster worker` ### Repository access -Repositories get accessed via HTTP or SSH. HTTP cloning/push/pull utilizes the GitLab API and SSH cloning is handled by GitLab Shell (previously explained). +Repositories get accessed via HTTP or SSH. HTTP cloning/push/pull uses the GitLab API and SSH cloning is handled by GitLab Shell (previously explained). ## Troubleshooting diff --git a/doc/development/chaos_endpoints.md b/doc/development/chaos_endpoints.md index ef6772023a0..63218af857d 100644 --- a/doc/development/chaos_endpoints.md +++ b/doc/development/chaos_endpoints.md @@ -85,7 +85,7 @@ GET /-/chaos/cpu_spin?duration_s=50&async=true | Attribute | Type | Required | Description | | ------------ | ------- | -------- | --------------------------------------------------------------------- | -| `duration_s` | integer | no | Duration, in seconds, that the core will be utilized. Defaults to 30s | +| `duration_s` | integer | no | Duration, in seconds, that the core will be used. Defaults to 30s | | `async` | boolean | no | Set to true to consume CPU in a Sidekiq background worker process | ```shell @@ -110,7 +110,7 @@ GET /-/chaos/db_spin?duration_s=50&async=true | Attribute | Type | Required | Description | | ------------ | ------- | -------- | --------------------------------------------------------------------------- | | `interval_s` | float | no | Interval, in seconds, for every DB request. Defaults to 1s | -| `duration_s` | integer | no | Duration, in seconds, that the core will be utilized. Defaults to 30s | +| `duration_s` | integer | no | Duration, in seconds, that the core will be used. Defaults to 30s | | `async` | boolean | no | Set to true to perform the operation in a Sidekiq background worker process | ```shell diff --git a/doc/development/ee_features.md b/doc/development/ee_features.md index 5acbb0ba21e..26a1e9ec3aa 100644 --- a/doc/development/ee_features.md +++ b/doc/development/ee_features.md 
@@ -573,7 +573,7 @@ constants. #### EE parameters -We can define `params` and utilize `use` in another `params` definition to +We can define `params` and use `use` in another `params` definition to include parameters defined in EE. However, we need to define the "interface" first in CE in order for EE to override it. We don't have to do this in other places due to `prepend_if_ee`, but Grape is complex internally and we couldn't easily diff --git a/doc/development/fe_guide/vue.md b/doc/development/fe_guide/vue.md index bf6833e1ad6..77bdadfe8da 100644 --- a/doc/development/fe_guide/vue.md +++ b/doc/development/fe_guide/vue.md @@ -120,7 +120,7 @@ return new Vue({ Use Vue's [provide/inject](https://vuejs.org/v2/api/#provide-inject) mechanism to make feature flags available to any descendant components in a Vue application. The `glFeatures` object is already provided in `commons/vue.js`, so -only the mixin is required to utilize the flags: +only the mixin is required to use the flags: ```javascript // An arbitrary descendant component diff --git a/doc/development/product_analytics/snowplow.md b/doc/development/product_analytics/snowplow.md index fa9b0d1bd01..c5f48994d5c 100644 --- a/doc/development/product_analytics/snowplow.md +++ b/doc/development/product_analytics/snowplow.md 
@@ -52,7 +52,7 @@ Tracking can be enabled at: - The instance level, which enables tracking on both the frontend and backend layers. - User level, though user tracking can be disabled on a per-user basis. GitLab tracking respects the [Do Not Track](https://www.eff.org/issues/do-not-track) standard, so any user who has enabled the Do Not Track option in their browser is not tracked at a user level. -We utilize Snowplow for the majority of our tracking strategy and it is enabled on GitLab.com. On a self-managed instance, Snowplow can be enabled by navigating to: +We use Snowplow for the majority of our tracking strategy and it is enabled on GitLab.com. On a self-managed instance, Snowplow can be enabled by navigating to: - **Admin Area > Settings > General** in the UI. - `admin/application_settings/integrations` in your browser. 
@@ -112,7 +112,7 @@ The current method provides several attributes that are sent on each click event ## Implementing Snowplow JS (Frontend) tracking -GitLab provides `Tracking`, an interface that wraps the [Snowplow JavaScript Tracker](https://github.com/snowplow/snowplow/wiki/javascript-tracker) for tracking custom events. There are a few ways to utilize tracking, but each generally requires at minimum, a `category` and an `action`. Additional data can be provided that adheres to our [Structured event taxonomy](#structured-event-taxonomy). +GitLab provides `Tracking`, an interface that wraps the [Snowplow JavaScript Tracker](https://github.com/snowplow/snowplow/wiki/javascript-tracker) for tracking custom events. There are a few ways to use tracking, but each generally requires at minimum, a `category` and an `action`. Additional data can be provided that adheres to our [Structured event taxonomy](#structured-event-taxonomy). | field | type | default value | description | |:-----------|:-------|:---------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| 
@@ -294,7 +294,7 @@ Custom event tracking and instrumentation can be added by directly calling the ` | `action` | string | 'generic' | The action being taken, which can be anything from a controller action like `create` to something like an Active Record callback. | | `data` | object | {} | Additional data such as `label`, `property`, `value`, and `context` as described in [Structured event taxonomy](#structured-event-taxonomy). These are set as empty strings if you don't provide them. | -Tracking can be viewed as either tracking user behavior, or can be utilized for instrumentation to monitor and visualize performance over time in an area or aspect of code. +Tracking can be viewed as either tracking user behavior, or can be used for instrumentation to monitor and visualize performance over time in an area or aspect of code. For example: diff --git a/doc/development/secure_coding_guidelines.md b/doc/development/secure_coding_guidelines.md index e7dc24201aa..ebab0e59cc3 100644 --- a/doc/development/secure_coding_guidelines.md +++ b/doc/development/secure_coding_guidelines.md @@ -269,7 +269,7 @@ When user submitted data is included in responses to end users, which is just ab ### Mitigation -In most situations, a two-step solution can be utilized: input validation and output encoding in the appropriate context. +In most situations, a two-step solution can be used: input validation and output encoding in the appropriate context. #### Input validation 
@@ -505,3 +505,57 @@ out, _ = exec.Command("sh", "-c", "echo 1 | cat /etc/passwd").Output() ``` This outputs `1` followed by the content of `/etc/passwd`. + +## GitLab Internal Authorization + +### Introduction + +There are some cases where `users` passed in the code is actually referring to a `DeployToken`/`DeployKey` entity instead of a real `User`, because of the code below in **`/lib/api/api_guard.rb`** + +```ruby + def find_user_from_sources + strong_memoize(:find_user_from_sources) do + deploy_token_from_request || + find_user_from_bearer_token || + find_user_from_job_token || + user_from_warden + end + end +``` + +### Past Vulnerable Code + +In some scenarios such as [this one](https://gitlab.com/gitlab-org/gitlab/-/issues/237795), user impersonation is possible because a `DeployToken` ID can be used in place of a `User` ID. This happened because there was no check on the line with `Gitlab::Auth::CurrentUserMode.bypass_session!(user.id)`. In this case, the `id` is actually a `DeployToken` ID instead of a `User` ID. + +```ruby + def find_current_user! + user = find_user_from_sources + return unless user + + # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode + Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) if Feature.enabled?(:user_mode_in_session) + + unless api_access_allowed?(user) + forbidden!(api_access_denied_message(user)) + end +``` + +### Best Practices + +In order to prevent this from happening, it is recommended to use the method `user.is_a?(User)` to make sure it returns `true` when we are expecting to deal with a `User` object. This could prevent the ID confusion from the method `find_user_from_sources` mentioned above. Below code snippet shows the fixed code after applying the best practice to the vulnerable code above. + +```ruby + def find_current_user! 
+ user = find_user_from_sources + return unless user + + if user.is_a?(User) && Feature.enabled?(:user_mode_in_session) + # Sessions are enforced to be unavailable for API calls, so ignore them for admin mode + Gitlab::Auth::CurrentUserMode.bypass_session!(user.id) + end + + unless api_access_allowed?(user) + forbidden!(api_access_denied_message(user)) + end +``` +
\ No newline at end of file diff --git a/doc/development/sidekiq_style_guide.md b/doc/development/sidekiq_style_guide.md index f2584c97968..13ae39997bc 100644 --- a/doc/development/sidekiq_style_guide.md +++ b/doc/development/sidekiq_style_guide.md @@ -821,7 +821,7 @@ This approach requires multiple releases. ##### Parameter hash This approach will not require multiple releases if an existing worker already -utilizes a parameter hash. +uses a parameter hash. 1. Use a parameter hash in the worker to allow future flexibility. diff --git a/doc/integration/elasticsearch.md b/doc/integration/elasticsearch.md index e7c88cecc13..095c58f17fc 100644 --- a/doc/integration/elasticsearch.md +++ b/doc/integration/elasticsearch.md @@ -58,7 +58,7 @@ A few notes on CPU and storage: see boosts in both query and indexing performance. Keep in mind, these are **minimum requirements** for Elasticsearch. -Heavily-utilized Elasticsearch clusters will likely require considerably more +Heavily-used Elasticsearch clusters will likely require considerably more resources. ## Installing Elasticsearch diff --git a/doc/operations/metrics/dashboards/yaml.md b/doc/operations/metrics/dashboards/yaml.md index c3523327c51..13397eb702a 100644 --- a/doc/operations/metrics/dashboards/yaml.md +++ b/doc/operations/metrics/dashboards/yaml.md 
@@ -87,8 +87,8 @@ is no longer used. | `id` | string | no | Used for associating dashboard metrics with database records. Must be unique across dashboard configuration files. Required for [alerting](../alerts.md) (support not yet enabled, see [relevant issue](https://gitlab.com/gitlab-org/gitlab/-/issues/27980)). | | `unit` | string | yes | Defines the unit of the query's return data. | | `label` | string | no, but highly encouraged | Defines the legend-label for the query. Should be unique within the panel's metrics. Can contain time series labels as interpolated variables. | -| `query` | string/number | yes if `query_range` is not defined | Defines the Prometheus query to be used to populate the chart/panel. If defined, the `query` endpoint of the [Prometheus API](https://prometheus.io/docs/prometheus/latest/querying/api/) will be utilized. | -| `query_range` | string/number | yes if `query` is not defined | Defines the Prometheus query to be used to populate the chart/panel. If defined, the `query_range` endpoint of the [Prometheus API](https://prometheus.io/docs/prometheus/latest/querying/api/) will be utilized. | +| `query` | string/number | yes if `query_range` is not defined | Defines the Prometheus query to be used to populate the chart/panel. If defined, the `query` endpoint of the [Prometheus API](https://prometheus.io/docs/prometheus/latest/querying/api/) will be used. | +| `query_range` | string/number | yes if `query` is not defined | Defines the Prometheus query to be used to populate the chart/panel. If defined, the `query_range` endpoint of the [Prometheus API](https://prometheus.io/docs/prometheus/latest/querying/api/) will be used. | | `step` | number | no, value is calculated if not defined | Defines query resolution step width in float number of seconds. Metrics on the same panel should use the same `step` value. | ## Dynamic labels 
diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md index ab30b6d4b22..a06fe00ef0d 100644 --- a/doc/raketasks/backup_restore.md +++ b/doc/raketasks/backup_restore.md @@ -335,7 +335,7 @@ sudo -u git -H GITLAB_ASSUME_YES=1 bundle exec rake gitlab:backup:restore RAILS_ > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/37158) in GitLab 13.3. -Repositories can be backed up concurrently to help fully utilize CPU time. The +Repositories can be backed up concurrently to help fully use CPU time. The following variables are available to modify the default behavior of the Rake task: diff --git a/doc/topics/autodevops/index.md b/doc/topics/autodevops/index.md index e68253ad423..014690c4cdf 100644 --- a/doc/topics/autodevops/index.md +++ b/doc/topics/autodevops/index.md 
@@ -522,6 +522,55 @@ To fix your custom chart: You can find more information in [issue #263778, "Migrate PostgreSQL from stable Helm repo"](https://gitlab.com/gitlab-org/gitlab/-/issues/263778). +### Error: release .... failed: timed out waiting for the condition + +When getting started with Auto DevOps, you may encounter this error when first +deploying your application: + +```plaintext +INSTALL FAILED +PURGING CHART +Error: release staging failed: timed out waiting for the condition +``` + +This is most likely caused by a failed liveness (or readiness) probe attempted +during the deployment process. By default, these probes are run against the root +page of the deployed application on port 5000. If your application isn't configured +to serve anything at the root page, or is configured to run on a specific port +*other* than 5000, this check fails. + +If it fails, you should see these failures within the events for the relevant +Kubernetes namespace. These events look like the following example: + +```plaintext +LAST SEEN TYPE REASON OBJECT MESSAGE +3m20s Warning Unhealthy pod/staging-85db88dcb6-rxd6g Readiness probe failed: Get http://10.192.0.6:5000/: dial tcp 10.192.0.6:5000: connect: connection refused +3m32s Warning Unhealthy pod/staging-85db88dcb6-rxd6g Liveness probe failed: Get http://10.192.0.6:5000/: dial tcp 10.192.0.6:5000: connect: connection refused +``` + +To change the port used for the liveness checks, pass +[custom values to the Helm chart](customize.md#customize-values-for-helm-chart) +used by Auto DevOps: + +1. Create a directory and file at the root of your repository named `.gitlab/auto-deploy-values.yaml`. + +1. Populate the file with the following content, replacing the port values with + the actual port number your application is configured to use: + + ```yaml + service: + internalPort: <port_value> + externalPort: <port_value> + ``` + +1. Commit your changes. 
+ +After committing your changes, subsequent probes should use the newly-defined ports. +The page that's probed can also be changed by overriding the `livenessProbe.path` +and `readinessProbe.path` values (shown in the +[default `values.yaml`](https://gitlab.com/gitlab-org/cluster-integration/auto-deploy-image/-/blob/master/assets/auto-deploy-app/values.yaml) +file) in the same fashion. + ## Development guides [Development guide for Auto DevOps](../../development/auto_devops.md) diff --git a/doc/topics/gitlab_flow.md b/doc/topics/gitlab_flow.md index 8c5a2092a92..32676658bff 100644 --- a/doc/topics/gitlab_flow.md +++ b/doc/topics/gitlab_flow.md @@ -250,7 +250,7 @@ Atlassian has a more thorough explanation of the tradeoffs between merging and r A good way to prevent creating many merge commits is to not frequently merge `master` into the feature branch. There are three reasons to merge in `master`: utilizing new code, resolving merge conflicts, and updating long-running branches. -If you need to utilize some code that was introduced in `master` after you created the feature branch, you can often solve this by just cherry-picking a commit. +If you need to use some code that was introduced in `master` after you created the feature branch, you can often solve this by just cherry-picking a commit. If your feature branch has a merge conflict, creating a merge commit is a standard way of solving this. diff --git a/doc/user/application_security/secret_detection/index.md b/doc/user/application_security/secret_detection/index.md index 9904862a787..025a37f684d 100644 --- a/doc/user/application_security/secret_detection/index.md +++ b/doc/user/application_security/secret_detection/index.md 
@@ -136,7 +136,7 @@ GitLab currently supports post-processing for following service providers: - Amazon Web Services (AWS) -Third party cloud and SaaS providers can [express integration interest by filling out this form](https://forms.gle/wWpvrtLRK21Q2WJL9). Learn more about the [techincal details of post-processing secrets](https://gitlab.com/groups/gitlab-org/-/epics/4639). +Third party cloud and SaaS providers can [express integration interest by filling out this form](https://forms.gle/wWpvrtLRK21Q2WJL9). Learn more about the [technical details of post-processing secrets](https://gitlab.com/groups/gitlab-org/-/epics/4639). ### Customizing settings diff --git a/doc/user/clusters/agent/index.md b/doc/user/clusters/agent/index.md index 0601a552c29..74c679d9bb9 100644 --- a/doc/user/clusters/agent/index.md +++ b/doc/user/clusters/agent/index.md @@ -160,7 +160,7 @@ gitops: ... ``` -GitLab [versions 13.6 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) also +GitLab [versions 13.7 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/259669) also supports manifest projects containing multiple directories (or subdirectories) of YAML files. To use multiple YAML files, specify a `paths` attribute: diff --git a/doc/user/group/iterations/index.md b/doc/user/group/iterations/index.md index df2b37ec0ad..90050e217ee 100644 --- a/doc/user/group/iterations/index.md +++ b/doc/user/group/iterations/index.md @@ -73,7 +73,7 @@ An iteration report displays a list of all the issues assigned to an iteration a To view an iteration report, go to the iterations list page and click an iteration's title. -### Iteration burndown and burnup charts **(STARTER ONLY)** +### Iteration burndown and burnup charts > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/222750) in [GitLab Starter](https://about.gitlab.com/pricing/) 13.5. > - It was deployed behind a feature flag, disabled by default. 
@@ -84,9 +84,12 @@ To view an iteration report, go to the iterations list page and click an iterati > - For GitLab self-managed instances, GitLab administrators can opt to [disable it](#disable-iteration-charts). **(STARTER ONLY)** The iteration report includes [burndown and burnup charts](../../project/milestones/burndown_and_burnup_charts.md), -similar to how they appear when viewing a [milestone](../../project/milestones/index.md) +similar to how they appear when viewing a [milestone](../../project/milestones/index.md). -## Disable Iterations **(STARTER ONLY)** +Burndown charts help track completion progress of total scope, and burnup charts track the daily +total count and weight of issues added to and completed in a given timebox. + +## Disable iterations **(STARTER ONLY)** GitLab Iterations feature is deployed with a feature flag that is **enabled by default**. [GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) diff --git a/doc/user/project/code_owners.md b/doc/user/project/code_owners.md index 82e4d127d2c..37ebef3a26e 100644 --- a/doc/user/project/code_owners.md +++ b/doc/user/project/code_owners.md @@ -27,7 +27,7 @@ who is responsible for each file or path. Code Owners allows for a version controlled, single source of truth file outlining the exact GitLab users or groups that own certain files or paths in a repository. Code Owners can be -utilized in the merge request approval process which can streamline +used in the merge request approval process which can streamline the process of finding the right reviewers and approvers for a given merge request. diff --git a/lib/gitlab/omniauth_initializer.rb b/lib/gitlab/omniauth_initializer.rb index b60ecb6631b..541f9b06842 100644 --- a/lib/gitlab/omniauth_initializer.rb +++ b/lib/gitlab/omniauth_initializer.rb 
@@ -96,16 +96,6 @@ module Gitlab
 args[:strategy_class] = args[:strategy_class].constantize
 end
-# Providers that are known to depend on rack-oauth2, like those using
-# Omniauth::Strategies::OpenIDConnect, need to be quirked so the
-# client_auth_method argument value is passed as a symbol.
-if (args[:strategy_class] == OmniAuth::Strategies::OpenIDConnect ||
-args[:name] == 'openid_connect') &&
-args[:client_auth_method].is_a?(String)
-
-args[:client_auth_method] = args[:client_auth_method].to_sym
-end
-
 args
 end
diff --git a/lib/gitlab/usage_data.rb b/lib/gitlab/usage_data.rb
index f57817d50ff..4b0dd54683b 100644
--- a/lib/gitlab/usage_data.rb
+++ b/lib/gitlab/usage_data.rb
@@ -632,7 +632,9 @@ module Gitlab
 start: user_minimum_id, finish: user_maximum_id),
 projects_with_tracing_enabled: distinct_count(::Project.with_tracing_enabled.where(time_period), :creator_id),
-projects_with_error_tracking_enabled: distinct_count(::Project.with_enabled_error_tracking.where(time_period), :creator_id)
+projects_with_error_tracking_enabled: distinct_count(::Project.with_enabled_error_tracking.where(time_period), :creator_id),
+projects_with_incidents: distinct_count(::Issue.incident.where(time_period), :project_id),
+projects_with_alert_incidents: distinct_count(::Issue.incident.with_alert_management_alerts.where(time_period), :project_id)
 }
 end
 # rubocop: enable CodeReuse/ActiveRecord
diff --git a/spec/lib/gitlab/omniauth_initializer_spec.rb b/spec/lib/gitlab/omniauth_initializer_spec.rb
index a38dffcfce0..577d15b8495 100644
--- a/spec/lib/gitlab/omniauth_initializer_spec.rb
+++ b/spec/lib/gitlab/omniauth_initializer_spec.rb
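Review bot: The new `projects_with_incidents` and `projects_with_alert_incidents` entries distinct-count `:project_id`, while the neighbouring `projects_with_tracing_enabled` and `projects_with_error_tracking_enabled` entries distinct-count `:creator_id`, so despite the parallel naming the new values count projects and the older ones count users; the new lines should carry a comment saying so, because consumers of the payload will otherwise read them as comparable. `time_period` is presumably applied to the issue row here (its `created_at`) rather than to the project row as in the sibling entries, so the metric means "projects with at least one incident created in the window" — worth stating in the same comment, e.g. `# distinct projects (not creators, unlike the entries above) with an incident created in time_period`. The enclosing method starts outside the hunk.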
@@ -101,33 +101,5 @@ RSpec.describe Gitlab::OmniauthInitializer do
 subject.execute([google_config])
 end
-
-it 'converts client_auth_method to a Symbol for openid_connect' do
-openid_connect_config = {
-'name' => 'openid_connect',
-'args' => { name: 'openid_connect', client_auth_method: 'basic' }
-}
-
-expect(devise_config).to receive(:omniauth).with(
-:openid_connect,
-{ name: 'openid_connect', client_auth_method: :basic }
-)
-
-subject.execute([openid_connect_config])
-end
-
-it 'converts client_auth_method to a Symbol for strategy_class OpenIDConnect' do
-openid_connect_config = {
-'name' => 'openid_connect',
-'args' => { strategy_class: OmniAuth::Strategies::OpenIDConnect, client_auth_method: 'jwt_bearer' }
-}
-
-expect(devise_config).to receive(:omniauth).with(
-:openid_connect,
-{ strategy_class: OmniAuth::Strategies::OpenIDConnect, client_auth_method: :jwt_bearer }
-)
-
-subject.execute([openid_connect_config])
-end
 end
 end
diff --git a/spec/lib/gitlab/usage_data_spec.rb b/spec/lib/gitlab/usage_data_spec.rb
index 7b47c79c3ef..d305b2c5bfe 100644
--- a/spec/lib/gitlab/usage_data_spec.rb
+++ b/spec/lib/gitlab/usage_data_spec.rb
@@ -300,6 +300,8 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
 create(:clusters_applications_prometheus, :installed, cluster: cluster)
 create(:project_tracing_setting)
 create(:project_error_tracking_setting)
+create(:incident)
+create(:incident, alert_management_alert: create(:alert_management_alert))
 end
 expect(described_class.usage_activity_by_stage_monitor({})).to include(
@@ -307,7 +309,9 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
 clusters_applications_prometheus: 2,
 operations_dashboard_default_dashboard: 2,
 projects_with_tracing_enabled: 2,
-projects_with_error_tracking_enabled: 2
+projects_with_error_tracking_enabled: 2,
+projects_with_incidents: 4,
+projects_with_alert_incidents: 2
 )
 expect(described_class.usage_activity_by_stage_monitor(described_class.last_28_days_time_period)).to include(
@@ -315,7 +319,9 @@ RSpec.describe Gitlab::UsageData, :aggregate_failures do
 clusters_applications_prometheus: 1,
 operations_dashboard_default_dashboard: 1,
 projects_with_tracing_enabled: 1,
-projects_with_error_tracking_enabled: 1
+projects_with_error_tracking_enabled: 1,
+projects_with_incidents: 2,
+projects_with_alert_incidents: 1
 )
 end
 end
diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb
index da6eaf0ae23..03320549e44 100644
--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
@@ -23,6 +23,7 @@ RSpec.describe API::Settings, 'Settings' do
 expect(json_response['sourcegraph_enabled']).to be_falsey
 expect(json_response['sourcegraph_url']).to be_nil
 expect(json_response['secret_detection_token_revocation_url']).to be_nil
+expect(json_response['secret_detection_revocation_token_types_url']).to be_nil
 expect(json_response['sourcegraph_public_only']).to be_truthy
 expect(json_response['default_project_visibility']).to be_a String
 expect(json_response['default_snippet_visibility']).to be_a String |