diff options
73 files changed, 1230 insertions, 767 deletions
diff --git a/app/assets/javascripts/blob/pipeline_tour_success_modal.vue b/app/assets/javascripts/blob/pipeline_tour_success_modal.vue index 1412e49836d..02a522dda9d 100644 --- a/app/assets/javascripts/blob/pipeline_tour_success_modal.vue +++ b/app/assets/javascripts/blob/pipeline_tour_success_modal.vue @@ -9,8 +9,6 @@ const trackingMixin = Tracking.mixin(); export default { beginnerLink: 'https://about.gitlab.com/blog/2018/01/22/a-beginners-guide-to-continuous-integration/', - exampleLink: 'https://docs.gitlab.com/ee/ci/examples/', - codeQualityLink: 'https://docs.gitlab.com/ee/user/project/merge_requests/code_quality.html', goToTrackValuePipelines: 10, goToTrackValueMergeRequest: 20, trackEvent: 'click_button', @@ -39,6 +37,14 @@ export default { type: String, required: true, }, + exampleLink: { + type: String, + required: true, + }, + codeQualityLink: { + type: String, + required: true, + }, }, data() { return { @@ -93,7 +99,7 @@ export default { <p> <gl-sprintf :message="$options.i18n.bodyMessage"> <template #codeQualityLink="{content}"> - <gl-link :href="$options.codeQualityLink" target="_blank" class="font-size-inherit">{{ + <gl-link :href="codeQualityLink" target="_blank" class="font-size-inherit">{{ content }}</gl-link> </template> @@ -106,7 +112,7 @@ export default { </gl-link> </template> <template #exampleLink="{content}"> - <gl-link :href="$options.exampleLink" target="_blank"> + <gl-link :href="exampleLink" target="_blank"> {{ content }} </gl-link> </template> diff --git a/app/graphql/mutations/snippets/destroy.rb b/app/graphql/mutations/snippets/destroy.rb index dc9a1e82575..4915d7dd77a 100644 --- a/app/graphql/mutations/snippets/destroy.rb +++ b/app/graphql/mutations/snippets/destroy.rb @@ -7,8 +7,7 @@ module Mutations ERROR_MSG = 'Error deleting the snippet' - argument :id, - GraphQL::ID_TYPE, + argument :id, ::Types::GlobalIDType[::Snippet], required: true, description: 'The global id of the snippet to destroy' diff --git a/app/graphql/mutations/snippets/mark_as_spam.rb b/app/graphql/mutations/snippets/mark_as_spam.rb index 8cfbbae7c08..d6b96c699c0 100644 --- a/app/graphql/mutations/snippets/mark_as_spam.rb +++ b/app/graphql/mutations/snippets/mark_as_spam.rb @@ -5,8 +5,7 @@ module Mutations class MarkAsSpam < Base graphql_name 'MarkAsSpamSnippet' - argument :id, - GraphQL::ID_TYPE, + argument :id, ::Types::GlobalIDType[::Snippet], required: true, description: 'The global id of the snippet to update' diff --git a/app/graphql/mutations/snippets/update.rb b/app/graphql/mutations/snippets/update.rb index 74266880806..bcaa807e4c1 100644 --- a/app/graphql/mutations/snippets/update.rb +++ b/app/graphql/mutations/snippets/update.rb @@ -7,8 +7,7 @@ module Mutations graphql_name 'UpdateSnippet' - argument :id, - GraphQL::ID_TYPE, + argument :id, ::Types::GlobalIDType[::Snippet], required: true, description: 'The global id of the snippet to update' diff --git a/app/graphql/queries/snippet/snippet.query.graphql b/app/graphql/queries/snippet/snippet.query.graphql index 60a8fe000b0..2205dc26642 100644 --- a/app/graphql/queries/snippet/snippet.query.graphql +++ b/app/graphql/queries/snippet/snippet.query.graphql @@ -1,4 +1,4 @@ -query GetSnippetQuery($ids: [ID!]) { +query GetSnippetQuery($ids: [SnippetID!]) { snippets(ids: $ids) { __typename nodes { diff --git a/app/graphql/resolvers/concerns/resolves_snippets.rb b/app/graphql/resolvers/concerns/resolves_snippets.rb index 483372bbf63..ea1a22f80a6 100644 --- a/app/graphql/resolvers/concerns/resolves_snippets.rb +++ b/app/graphql/resolvers/concerns/resolves_snippets.rb @@ -6,7 +6,7 @@ module ResolvesSnippets included do type Types::SnippetType, null: false - argument :ids, [GraphQL::ID_TYPE], + argument :ids, [::Types::GlobalIDType[::Snippet]], required: false, description: 'Array of global snippet ids, e.g., "gid://gitlab/ProjectSnippet/1"' @@ -32,16 +32,15 @@ module ResolvesSnippets }.merge(options_by_type(args[:type])) end - def resolve_ids(ids) - Array.wrap(ids).map { |id| resolve_gid(id, :id) } - end - - def resolve_gid(gid, argument) - return unless gid.present? + def resolve_ids(ids, type = ::Types::GlobalIDType[::Snippet]) + Array.wrap(ids).map do |id| + next unless id.present? - GlobalID.parse(gid)&.model_id.tap do |id| - raise Gitlab::Graphql::Errors::ArgumentError, "Invalid global id format for param #{argument}" if id.nil? - end + # TODO: remove this line when the compatibility layer is removed + # See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883 + id = type.coerce_isolated_input(id) + id.model_id + end.compact end def options_by_type(type) diff --git a/app/graphql/resolvers/snippets_resolver.rb b/app/graphql/resolvers/snippets_resolver.rb index 530a288a25b..652fbbe8593 100644 --- a/app/graphql/resolvers/snippets_resolver.rb +++ b/app/graphql/resolvers/snippets_resolver.rb @@ -8,11 +8,11 @@ module Resolvers alias_method :user, :object - argument :author_id, GraphQL::ID_TYPE, + argument :author_id, ::Types::GlobalIDType[::User], required: false, description: 'The ID of an author' - argument :project_id, GraphQL::ID_TYPE, + argument :project_id, ::Types::GlobalIDType[::Project], required: false, description: 'The ID of a project' @@ -36,9 +36,11 @@ module Resolvers private def snippet_finder_params(args) + # TODO: remove the type arguments when the compatibility layer is removed + # See: https://gitlab.com/gitlab-org/gitlab/-/issues/257883 super - .merge(author: resolve_gid(args[:author_id], :author), - project: resolve_gid(args[:project_id], :project), + .merge(author: resolve_ids(args[:author_id], ::Types::GlobalIDType[::User]), + project: resolve_ids(args[:project_id], ::Types::GlobalIDType[::Project]), explore: args[:explore]) end end diff --git a/app/graphql/types/snippet_type.rb b/app/graphql/types/snippet_type.rb index 495c25c1776..f587adf207f 100644 --- a/app/graphql/types/snippet_type.rb +++ b/app/graphql/types/snippet_type.rb @@ -13,7 +13,7 @@ module Types expose_permissions Types::PermissionTypes::Snippet - field :id, GraphQL::ID_TYPE, + field :id, Types::GlobalIDType[::Snippet], description: 'ID of the snippet', null: false diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index cc85a4b03d8..abd58ab62a2 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -415,6 +415,7 @@ class ApplicationSetting < ApplicationRecord attr_encrypted :slack_app_secret, encryption_options_base_truncated_aes_256_gcm attr_encrypted :slack_app_verification_token, encryption_options_base_truncated_aes_256_gcm attr_encrypted :ci_jwt_signing_key, encryption_options_base_truncated_aes_256_gcm + attr_encrypted :secret_detection_token_revocation_token, encryption_options_base_truncated_aes_256_gcm before_validation :ensure_uuid! diff --git a/app/models/design_management/design.rb b/app/models/design_management/design.rb index 4b4b29558bc..2f8232de592 100644 --- a/app/models/design_management/design.rb +++ b/app/models/design_management/design.rb @@ -11,12 +11,14 @@ module DesignManagement include WhereComposite include RelativePositioning include Todoable + include Participable belongs_to :project, inverse_of: :designs belongs_to :issue has_many :actions has_many :versions, through: :actions, class_name: 'DesignManagement::Version', inverse_of: :designs + has_many :authors, -> { distinct }, through: :versions, class_name: 'User' # This is a polymorphic association, so we can't count on FK's to delete the # data has_many :notes, as: :noteable, dependent: :delete_all # rubocop:disable Cop/ActiveRecordDependent @@ -31,6 +33,9 @@ module DesignManagement alias_attribute :title, :filename + participant :authors + participant :notes_with_associations + # Pre-fetching scope to include the data necessary to construct a # reference using `to_reference`. scope :for_reference, -> { includes(issue: [{ project: [:route, :namespace] }]) } @@ -136,6 +141,12 @@ module DesignManagement strong_memoize(:most_recent_action) { actions.ordered.last } end + def participants(current_user = nil) + return [] unless Feature.enabled?(:design_management_design_notification_participants, project) + + super + end + # A reference for a design is the issue reference, indexed by the filename # with an optional infix when full. # diff --git a/app/views/layouts/nav/_dashboard.html.haml b/app/views/layouts/nav/_dashboard.html.haml index cc3af4f5f45..7cbef6b00b1 100644 --- a/app/views/layouts/nav/_dashboard.html.haml +++ b/app/views/layouts/nav/_dashboard.html.haml @@ -71,11 +71,11 @@ - if Feature.enabled?(:user_mode_in_session) - if header_link?(:admin_mode) - = nav_link(controller: 'admin/sessions', html_options: { class: "d-none d-lg-block d-xl-block"}) do + = nav_link(controller: 'admin/sessions', html_options: { class: "d-none d-lg-block"}) do = link_to destroy_admin_session_path, method: :post, title: _('Leave Admin Mode'), aria: { label: _('Leave Admin Mode') }, data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do = sprite_icon('lock-open', size: 18) - elsif current_user.admin? - = nav_link(controller: 'admin/sessions', html_options: { class: "d-none d-lg-block d-xl-block"}) do + = nav_link(controller: 'admin/sessions', html_options: { class: "d-none d-lg-block"}) do = link_to new_admin_session_path, title: _('Enter Admin Mode'), aria: { label: _('Enter Admin Mode') }, data: { toggle: 'tooltip', placement: 'bottom', container: 'body' } do = sprite_icon('lock', size: 18) diff --git a/app/views/projects/blob/_pipeline_tour_success.html.haml b/app/views/projects/blob/_pipeline_tour_success.html.haml index 3ea2defb2b3..ef1fe25ba1b 100644 --- a/app/views/projects/blob/_pipeline_tour_success.html.haml +++ b/app/views/projects/blob/_pipeline_tour_success.html.haml @@ -1,4 +1,6 @@ .js-success-pipeline-modal{ data: { 'commit-cookie': suggest_pipeline_commit_cookie_name, 'go-to-pipelines-path': project_pipelines_path(@project), 'project-merge-requests-path': project_merge_requests_path(@project), + 'example-link': help_page_path('ci/examples/README.md', anchor: 'gitlab-cicd-examples'), + 'code-quality-link': help_page_path('user/project/merge_requests/code_quality'), 'human-access': @project.team.human_max_access(current_user&.id) } } diff --git a/app/views/projects/merge_requests/_mr_title.html.haml b/app/views/projects/merge_requests/_mr_title.html.haml index 7fe91fb6560..cd4ffa8602e 100644 --- a/app/views/projects/merge_requests/_mr_title.html.haml +++ b/app/views/projects/merge_requests/_mr_title.html.haml @@ -25,10 +25,10 @@ .detail-page-header-actions.js-issuable-actions .clearfix.issue-btn-group.dropdown - %button.btn.btn-default.float-left.d-md-none.d-lg-none.d-xl-none{ type: "button", data: { toggle: "dropdown" } } + %button.btn.btn-default.float-left.d-md-none{ type: "button", data: { toggle: "dropdown" } } Options = icon('caret-down') - .dropdown-menu.dropdown-menu-right.d-lg-none.d-xl-none + .dropdown-menu.dropdown-menu-right %ul - if can_update_merge_request %li= link_to 'Edit', edit_namespace_project_merge_request_path(@project.namespace, @project, @merge_request) @@ -45,6 +45,6 @@ %li= link_to 'Report abuse', new_abuse_report_path(user_id: @merge_request.author.id, ref_url: merge_request_url(@merge_request)) - if can_update_merge_request - = link_to 'Edit', edit_project_merge_request_path(@project, @merge_request), class: "d-none d-sm-none d-md-block btn gl-button btn-grouped js-issuable-edit qa-edit-button" + = link_to 'Edit', edit_project_merge_request_path(@project, @merge_request), class: "d-none d-md-block btn gl-button btn-grouped js-issuable-edit qa-edit-button" = render 'shared/issuable/close_reopen_button', issuable: @merge_request, can_update: can_update_merge_request, can_reopen: can_reopen_merge_request diff --git a/app/views/shared/milestones/_labels_tab.html.haml b/app/views/shared/milestones/_labels_tab.html.haml index 5202167e87a..a419e749f35 100644 --- a/app/views/shared/milestones/_labels_tab.html.haml +++ b/app/views/shared/milestones/_labels_tab.html.haml @@ -7,7 +7,7 @@ %span.prepend-description-left = markdown_field(label, :description) - .float-right.d-none.d-lg-block.d-xl-block + .float-right.d-none.d-lg-block = link_to milestones_issues_path(options.merge(state: 'opened')), class: 'btn gl-button btn-default-tertiary btn-action' do - pluralize milestone_issues_by_label_count(@milestone, label, state: :opened), _('open issue') = link_to milestones_issues_path(options.merge(state: 'closed')), class: 'btn gl-button btn-default-tertiary btn-action' do diff --git a/changelogs/unreleased/217095-design-notifications.yml b/changelogs/unreleased/217095-design-notifications.yml new file mode 100644 index 00000000000..7396777b5ff --- /dev/null +++ b/changelogs/unreleased/217095-design-notifications.yml @@ -0,0 +1,5 @@ +--- +title: Bugfix email notification recipients for comments on Designs +merge_request: 46642 +author: +type: fixed diff --git a/changelogs/unreleased/227808-improve-container-registry-client-supports-tag-delete.yml b/changelogs/unreleased/227808-improve-container-registry-client-supports-tag-delete.yml new file mode 100644 index 00000000000..8d4d28d8b23 --- /dev/null +++ b/changelogs/unreleased/227808-improve-container-registry-client-supports-tag-delete.yml @@ -0,0 +1,5 @@ +--- +title: Improve the container registry client tags delete method +merge_request: 46989 +author: +type: changed diff --git a/changelogs/unreleased/244380_populate_has_vulnerabilities_values.yml b/changelogs/unreleased/244380_populate_has_vulnerabilities_values.yml new file mode 100644 index 00000000000..96ef13081f4 --- /dev/null +++ b/changelogs/unreleased/244380_populate_has_vulnerabilities_values.yml @@ -0,0 +1,5 @@ +--- +title: Populate values for `has_vulnerabilities` column of `project_settings` table +merge_request: 46890 +author: +type: fixed diff --git a/changelogs/unreleased/270065-bs4-optimization-mr.yml b/changelogs/unreleased/270065-bs4-optimization-mr.yml new file mode 100644 index 00000000000..6b02e496665 --- /dev/null +++ b/changelogs/unreleased/270065-bs4-optimization-mr.yml @@ -0,0 +1,5 @@ +--- +title: Remove duplicated BS display properties from Merge Request title +merge_request: 47124 +author: Takuya Noguchi +type: other diff --git a/changelogs/unreleased/ajk-globalid-snippets.yml b/changelogs/unreleased/ajk-globalid-snippets.yml new file mode 100644 index 00000000000..157dea91f2d --- /dev/null +++ b/changelogs/unreleased/ajk-globalid-snippets.yml @@ -0,0 +1,5 @@ +--- +title: 'GraphQL Snippets: use Global-ID scalar' +merge_request: 36117 +author: +type: changed diff --git a/config/feature_flags/development/allow_unsafe_ruby_regexp.yml b/config/feature_flags/development/allow_unsafe_ruby_regexp.yml index aac5d6adf40..39ffa51cf9c 100644 --- a/config/feature_flags/development/allow_unsafe_ruby_regexp.yml +++ b/config/feature_flags/development/allow_unsafe_ruby_regexp.yml @@ -1,8 +1,8 @@ --- name: allow_unsafe_ruby_regexp -introduced_by_url: +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/10566 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/257849 -milestone: +milestone: '11.10' type: development group: group::continuous integration default_enabled: false diff --git a/config/feature_flags/development/approvals_commented_by.yml b/config/feature_flags/development/approvals_commented_by.yml index c2851c4520f..55619b0e2db 100644 --- a/config/feature_flags/development/approvals_commented_by.yml +++ b/config/feature_flags/development/approvals_commented_by.yml @@ -1,8 +1,8 @@ --- name: approvals_commented_by -introduced_by_url: +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/38136 rollout_issue_url: -milestone: +milestone: '13.3' type: development -group: +group: group::source code default_enabled: true diff --git a/config/feature_flags/development/ci_disable_validates_dependencies.yml b/config/feature_flags/development/ci_disable_validates_dependencies.yml index a61c7f97207..fd5b3d41eef 100644 --- a/config/feature_flags/development/ci_disable_validates_dependencies.yml +++ b/config/feature_flags/development/ci_disable_validates_dependencies.yml @@ -2,7 +2,7 @@ name: ci_disable_validates_dependencies introduced_by_url: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14009 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/257847 -milestone: +milestone: '10.3' type: development group: group::continuous integration default_enabled: false diff --git a/config/feature_flags/development/ci_pipeline_editor_page.yml b/config/feature_flags/development/ci_pipeline_editor_page.yml index 27df4735ff1..9870f419842 100644 --- a/config/feature_flags/development/ci_pipeline_editor_page.yml +++ b/config/feature_flags/development/ci_pipeline_editor_page.yml @@ -1,8 +1,8 @@ --- name: ci_pipeline_editor_page -introduced_by_url: +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46580 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/270059 -milestone: +milestone: '13.6' type: development group: group::pipeline authoring default_enabled: false diff --git a/config/feature_flags/development/ci_runners_tokens_optional_encryption.yml b/config/feature_flags/development/ci_runners_tokens_optional_encryption.yml index 451bc5229c6..d67bd6c591c 100644 --- a/config/feature_flags/development/ci_runners_tokens_optional_encryption.yml +++ b/config/feature_flags/development/ci_runners_tokens_optional_encryption.yml @@ -1,8 +1,8 @@ --- name: ci_runners_tokens_optional_encryption -introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/commit/cbba8fe02b0ea3adabcfe18685c9af6be3859e2d +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/8638 rollout_issue_url: -milestone: +milestone: '11.6' type: development group: group::continuous integration default_enabled: true diff --git a/config/feature_flags/development/ci_yaml_limit_size.yml b/config/feature_flags/development/ci_yaml_limit_size.yml index 79107691efb..be013bfe864 100644 --- a/config/feature_flags/development/ci_yaml_limit_size.yml +++ b/config/feature_flags/development/ci_yaml_limit_size.yml @@ -1,8 +1,8 @@ --- name: ci_yaml_limit_size introduced_by_url: -rollout_issue_url: -milestone: +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab-foss/-/issues/56018 +milestone: '12.0' type: development group: group::continuous integration default_enabled: true diff --git a/config/feature_flags/development/coverage_fuzzing_mr_widget.yml b/config/feature_flags/development/coverage_fuzzing_mr_widget.yml index f5cde1d5785..589b7073b22 100644 --- a/config/feature_flags/development/coverage_fuzzing_mr_widget.yml +++ b/config/feature_flags/development/coverage_fuzzing_mr_widget.yml @@ -5,4 +5,4 @@ rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/257839 milestone: '13.6' type: development group: group::fuzz testing -default_enabled: false +default_enabled: true diff --git a/config/feature_flags/development/design_management_design_notification_participants.yml b/config/feature_flags/development/design_management_design_notification_participants.yml new file mode 100644 index 00000000000..a91d61ca44d --- /dev/null +++ b/config/feature_flags/development/design_management_design_notification_participants.yml @@ -0,0 +1,8 @@ +--- +name: design_management_design_notification_participants +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46642 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/277319 +milestone: '13.6' +type: development +group: group::knowledge +default_enabled: false diff --git a/config/feature_flags/development/git_push_create_all_pipelines.yml b/config/feature_flags/development/git_push_create_all_pipelines.yml index 912375cc098..3f651fab8ec 100644 --- a/config/feature_flags/development/git_push_create_all_pipelines.yml +++ b/config/feature_flags/development/git_push_create_all_pipelines.yml @@ -2,7 +2,7 @@ name: git_push_create_all_pipelines introduced_by_url: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/27205 rollout_issue_url: -milestone: +milestone: '11.10' type: development group: group::continuous integration default_enabled: false diff --git a/config/feature_flags/development/highlight_current_diff_row.yml b/config/feature_flags/development/highlight_current_diff_row.yml index 323f4c3436c..fc872ea47fc 100644 --- a/config/feature_flags/development/highlight_current_diff_row.yml +++ b/config/feature_flags/development/highlight_current_diff_row.yml @@ -1,8 +1,8 @@ --- name: highlight_current_diff_row -introduced_by_url: +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/27937 rollout_issue_url: -milestone: +milestone: '13.4' type: development -group: +group: group::source code default_enabled: false diff --git a/config/feature_flags/development/invisible_captcha.yml b/config/feature_flags/development/invisible_captcha.yml index 651f5b99573..bfe118c1826 100644 --- a/config/feature_flags/development/invisible_captcha.yml +++ b/config/feature_flags/development/invisible_captcha.yml @@ -2,7 +2,7 @@ name: invisible_captcha introduced_by_url: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/31625 rollout_issue_url: -milestone: +milestone: '12.2' type: development group: group::acquisition default_enabled: false diff --git a/config/feature_flags/development/product_analytics_aggregated_metrics.yml b/config/feature_flags/development/product_analytics_aggregated_metrics.yml index 2ae385f6599..7f13b4c68a4 100644 --- a/config/feature_flags/development/product_analytics_aggregated_metrics.yml +++ b/config/feature_flags/development/product_analytics_aggregated_metrics.yml @@ -2,7 +2,7 @@ name: product_analytics_aggregated_metrics introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/44624 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/267550 -milestone: +milestone: '13.6' type: development group: group::product analytics default_enabled: false diff --git a/config/feature_flags/development/security_auto_fix.yml b/config/feature_flags/development/security_auto_fix.yml index f547ec72dd1..8cbb227728c 100644 --- a/config/feature_flags/development/security_auto_fix.yml +++ b/config/feature_flags/development/security_auto_fix.yml @@ -1,8 +1,8 @@ --- name: security_auto_fix -introduced_by_url: +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/30530 rollout_issue_url: -milestone: +milestone: '13.0' type: development group: group::composition analysis default_enabled: false diff --git a/config/feature_flags/development/soft_email_confirmation.yml b/config/feature_flags/development/soft_email_confirmation.yml index b36b9533dc6..60ebcf1ee50 100644 --- a/config/feature_flags/development/soft_email_confirmation.yml +++ b/config/feature_flags/development/soft_email_confirmation.yml @@ -2,7 +2,7 @@ name: soft_email_confirmation introduced_by_url: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/31245 rollout_issue_url: -milestone: +milestone: '12.2' type: development group: group::acquisition default_enabled: false diff --git a/config/feature_flags/development/usage_data_i_ci_secrets_management_vault_build_created.yml b/config/feature_flags/development/usage_data_i_ci_secrets_management_vault_build_created.yml index dbebdde8532..58a28139a35 100644 --- a/config/feature_flags/development/usage_data_i_ci_secrets_management_vault_build_created.yml +++ b/config/feature_flags/development/usage_data_i_ci_secrets_management_vault_build_created.yml @@ -1,7 +1,7 @@ --- name: usage_data_i_ci_secrets_management_vault_build_created introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/46515 -rollout_issue_url: +rollout_issue_url: milestone: '13.6' type: development group: group::release management diff --git a/config/feature_flags/development/use_workhorse_s3_client.yml b/config/feature_flags/development/use_workhorse_s3_client.yml index 8f9d2bdcc87..7f14d51a66c 100644 --- a/config/feature_flags/development/use_workhorse_s3_client.yml +++ b/config/feature_flags/development/use_workhorse_s3_client.yml @@ -1,8 +1,8 @@ --- name: use_workhorse_s3_client -introduced_by_url: +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35480 rollout_issue_url: -milestone: +milestone: '13.2' type: development group: default_enabled: true diff --git a/config/feature_flags/ops/api_kaminari_count_with_limit.yml b/config/feature_flags/ops/api_kaminari_count_with_limit.yml index 78d4a55ddb9..a987d5c65b1 100644 --- a/config/feature_flags/ops/api_kaminari_count_with_limit.yml +++ b/config/feature_flags/ops/api_kaminari_count_with_limit.yml @@ -2,7 +2,7 @@ name: api_kaminari_count_with_limit introduced_by_url: https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/23931 rollout_issue_url: -milestone: +milestone: '11.8' type: ops group: group::ecosystem default_enabled: false diff --git a/config/feature_flags/ops/dynamic_image_resizing.yml b/config/feature_flags/ops/dynamic_image_resizing.yml index 960ce9c6dbd..f456fa8bf1e 100644 --- a/config/feature_flags/ops/dynamic_image_resizing.yml +++ b/config/feature_flags/ops/dynamic_image_resizing.yml @@ -2,6 +2,7 @@ name: dynamic_image_resizing introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45050 rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/266986 +milestone: '13.6' type: ops group: group::memory default_enabled: true diff --git a/db/post_migrate/20201103192526_schedule_populate_has_vulnerabilities.rb b/db/post_migrate/20201103192526_schedule_populate_has_vulnerabilities.rb new file mode 100644 index 00000000000..bed90af09dc --- /dev/null +++ b/db/post_migrate/20201103192526_schedule_populate_has_vulnerabilities.rb @@ -0,0 +1,24 @@ +# frozen_string_literal: true + +class SchedulePopulateHasVulnerabilities < ActiveRecord::Migration[6.0] + include Gitlab::Database::MigrationHelpers + + DOWNTIME = false + BATCH_SIZE = 1_000 + DELAY_INTERVAL = 2.minutes + MIGRATION_CLASS = 'PopulateHasVulnerabilities' + + disable_ddl_transaction! + + def up + Gitlab::BackgroundMigration::PopulateHasVulnerabilities::Vulnerability.distinct.each_batch(of: BATCH_SIZE, column: :project_id) do |batch, index| + project_ids = batch.pluck(:project_id) + + migrate_in(index * DELAY_INTERVAL, MIGRATION_CLASS, project_ids) + end + end + + def down + # no-op + end +end diff --git a/db/schema_migrations/20201103192526 b/db/schema_migrations/20201103192526 new file mode 100644 index 00000000000..8fe11ed16d6 --- /dev/null +++ b/db/schema_migrations/20201103192526 @@ -0,0 +1 @@ +bb137c3a41a40e740f8ae65b43d7f9218f52d6d5eaf53c8a64b3336a8f16141b
\ No newline at end of file diff --git a/doc/api/graphql/reference/gitlab_schema.graphql b/doc/api/graphql/reference/gitlab_schema.graphql index 18031185a18..df136e9c8c0 100644 --- a/doc/api/graphql/reference/gitlab_schema.graphql +++ b/doc/api/graphql/reference/gitlab_schema.graphql @@ -5955,7 +5955,7 @@ input DestroySnippetInput { """ The global id of the snippet to destroy """ - id: ID! + id: SnippetID! } """ @@ -11576,7 +11576,7 @@ input MarkAsSpamSnippetInput { """ The global id of the snippet to update """ - id: ID! + id: SnippetID! } """ @@ -15990,7 +15990,7 @@ type Project { """ Array of global snippet ids, e.g., "gid://gitlab/ProjectSnippet/1" """ - ids: [ID!] + ids: [SnippetID!] """ Returns the last _n_ elements from the list. @@ -17036,7 +17036,7 @@ type Query { """ The ID of an author """ - authorId: ID + authorId: UserID """ Returns the elements in the list that come before the specified cursor. @@ -17056,7 +17056,7 @@ type Query { """ Array of global snippet ids, e.g., "gid://gitlab/ProjectSnippet/1" """ - ids: [ID!] + ids: [SnippetID!] """ Returns the last _n_ elements from the list. @@ -17066,7 +17066,7 @@ type Query { """ The ID of a project """ - projectId: ID + projectId: ProjectID """ The type of snippet @@ -19638,7 +19638,7 @@ type Snippet implements Noteable { """ ID of the snippet """ - id: ID! + id: SnippetID! """ All notes on this noteable @@ -19916,6 +19916,11 @@ type SnippetEdge { node: Snippet } +""" +Identifier of Snippet +""" +scalar SnippetID + type SnippetPermissions { """ Indicates the user can perform `admin_snippet` on this resource @@ -21831,7 +21836,7 @@ input UpdateSnippetInput { """ The global id of the snippet to update """ - id: ID! + id: SnippetID! """ Title of the snippet @@ -22139,7 +22144,7 @@ type User { """ Array of global snippet ids, e.g., "gid://gitlab/ProjectSnippet/1" """ - ids: [ID!] + ids: [SnippetID!] """ Returns the last _n_ elements from the list. diff --git a/doc/api/graphql/reference/gitlab_schema.json b/doc/api/graphql/reference/gitlab_schema.json index 56752684541..375bdd036cc 100644 --- a/doc/api/graphql/reference/gitlab_schema.json +++ b/doc/api/graphql/reference/gitlab_schema.json @@ -16300,7 +16300,7 @@ "name": null, "ofType": { "kind": "SCALAR", - "name": "ID", + "name": "SnippetID", "ofType": null } }, @@ -31712,7 +31712,7 @@ "name": null, "ofType": { "kind": "SCALAR", - "name": "ID", + "name": "SnippetID", "ofType": null } }, @@ -46307,7 +46307,7 @@ "name": null, "ofType": { "kind": "SCALAR", - "name": "ID", + "name": "SnippetID", "ofType": null } } @@ -49373,7 +49373,7 @@ "name": null, "ofType": { "kind": "SCALAR", - "name": "ID", + "name": "SnippetID", "ofType": null } } @@ -49395,7 +49395,7 @@ "description": "The ID of an author", "type": { "kind": "SCALAR", - "name": "ID", + "name": "UserID", "ofType": null }, "defaultValue": null @@ -49405,7 +49405,7 @@ "description": "The ID of a project", "type": { "kind": "SCALAR", - "name": "ID", + "name": "ProjectID", "ofType": null }, "defaultValue": null @@ -56879,7 +56879,7 @@ "name": null, "ofType": { "kind": "SCALAR", - "name": "ID", + "name": "SnippetID", "ofType": null } }, @@ -57746,6 +57746,16 @@ "possibleTypes": null }, { + "kind": "SCALAR", + "name": "SnippetID", + "description": "Identifier of Snippet", + "fields": null, + "inputFields": null, + "interfaces": null, + "enumValues": null, + "possibleTypes": null + }, + { "kind": "OBJECT", "name": "SnippetPermissions", "description": null, @@ -63283,7 +63293,7 @@ "name": null, "ofType": { "kind": "SCALAR", - "name": "ID", + "name": "SnippetID", "ofType": null } }, @@ -64057,7 +64067,7 @@ "name": null, "ofType": { "kind": "SCALAR", - "name": "ID", + "name": "SnippetID", "ofType": null } } diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 94171220fad..1eeaab813f1 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md @@ -2841,7 +2841,7 @@ Represents a snippet entry. | `discussions` | DiscussionConnection! | All discussions on this noteable | | `fileName` | String | File Name of the snippet | | `httpUrlToRepo` | String | HTTP URL to the snippet repository | -| `id` | ID! | ID of the snippet | +| `id` | SnippetID! | ID of the snippet | | `notes` | NoteConnection! | All notes on this noteable | | `project` | Project | The project the snippet is associated with | | `rawUrl` | String! | Raw URL of the snippet | diff --git a/doc/api/releases/index.md b/doc/api/releases/index.md index da35caa0811..7c65e9da74b 100644 --- a/doc/api/releases/index.md +++ b/doc/api/releases/index.md @@ -584,7 +584,7 @@ Example response: "id":53, "iid":3, "project_id":24, - "title":"v1.0", + "title":"v1.2", "description":"Voluptate fugiat possimus quis quod aliquam expedita.", "state":"active", "created_at":"2019-09-01T13:00:00.256Z", diff --git a/doc/ci/pipelines/job_artifacts.md b/doc/ci/pipelines/job_artifacts.md index 6a9ae0cdaf6..160399e4bc4 100644 --- a/doc/ci/pipelines/job_artifacts.md +++ b/doc/ci/pipelines/job_artifacts.md @@ -139,10 +139,10 @@ third party ports for other languages like JavaScript, Python, Ruby, and so on. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/207528) in GitLab 13.0. > - Requires [GitLab Runner](https://docs.gitlab.com/runner/) 11.5 and above. -The `terraform` report obtains a Terraform `tfplan.json` file. [JQ processing required to remove credentials](../../user/infrastructure/index.md#output-terraform-plan-information-into-a-merge-request). The collected Terraform +The `terraform` report obtains a Terraform `tfplan.json` file. [JQ processing required to remove credentials](../../user/infrastructure/mr_integration.md#setup). The collected Terraform plan report uploads to GitLab as an artifact and displays in merge requests. For more information, see -[Output `terraform plan` information into a merge request](../../user/infrastructure/index.md#output-terraform-plan-information-into-a-merge-request). +[Output `terraform plan` information into a merge request](../../user/infrastructure/mr_integration.md). #### `artifacts:reports:codequality` diff --git a/doc/user/admin_area/approving_users.md b/doc/user/admin_area/approving_users.md index cc66a0d56d1..430ad4f8899 100644 --- a/doc/user/admin_area/approving_users.md +++ b/doc/user/admin_area/approving_users.md @@ -9,7 +9,7 @@ type: howto > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4491) in GitLab 13.5. -When [Require admin approval for new sign-ups](settings/sign_up_restrictions.md#require-admin-approval-for-new-sign-ups) is enabled, any user that signs up for an account using the registration form is placed under a **Pending approval** state. +When [Require admin approval for new sign-ups](settings/sign_up_restrictions.md#require-administrator-approval-for-new-sign-ups) is enabled, any user that signs up for an account using the registration form is placed under a **Pending approval** state. A user pending approval is functionally identical to a [blocked](blocking_unblocking_users.md) user. diff --git a/doc/user/admin_area/settings/img/disable_signup_v12_7.png b/doc/user/admin_area/settings/img/disable_signup_v12_7.png Binary files differdeleted file mode 100644 index be1a070a804..00000000000 --- a/doc/user/admin_area/settings/img/disable_signup_v12_7.png +++ /dev/null diff --git a/doc/user/admin_area/settings/img/sign_up_restrictions_v13_5.png b/doc/user/admin_area/settings/img/sign_up_restrictions_v13_5.png Binary files differdeleted file mode 100644 index ebbfad77e69..00000000000 --- a/doc/user/admin_area/settings/img/sign_up_restrictions_v13_5.png +++ /dev/null diff --git a/doc/user/admin_area/settings/sign_up_restrictions.md b/doc/user/admin_area/settings/sign_up_restrictions.md index a890e8f9ee8..335ddce4e2d 100644 --- a/doc/user/admin_area/settings/sign_up_restrictions.md +++ b/doc/user/admin_area/settings/sign_up_restrictions.md @@ -7,49 +7,44 @@ type: reference # Sign-up restrictions **(CORE ONLY)** -You can use sign-up restrictions to: +You can enforce the following restrictions on sign ups: -- Disable new sign-ups. -- Require admin approval for new sign-ups. +- Disable new sign ups. +- Require administrator approval for new sign ups. - Require user email confirmation. -- Denylist or allowlist email addresses belonging to specific domains. +- Allow or deny sign ups using specific email domains. -NOTE: **Note:** -These restrictions are only applied during sign-up from an external user. An admin can add a user through the admin panel with a disallowed domain. Also, note that the users can change their email addresses after sign-up to -disallowed domains. +## Disable new sign ups -## Disable new signups +By default, any user visiting your GitLab domain can sign up for an account. For customers running +public-facing GitLab instances, we **highly** recommend that you consider disabling new sign ups if +you do not expect public users to sign up for an account. -When this setting is enabled, any user visiting your GitLab domain will be able to sign up for an account. +To disable sign ups: - +1. Go to **Admin Area > Settings > General** and expand **Sign-up restrictions**. +1. Clear the **Sign-up enabled** checkbox, then select **Save changes**. -You can restrict new users from signing up by themselves for an account in your instance by disabling this setting. - -### Recommendations - -For customers running public-facing GitLab instances, we highly recommend that you -consider disabling new sign-ups if you do not expect public users to sign up for an -account. - -Alternatively, you could also consider setting up a -[allowlist](#allowlist-email-domains) or [denylist](#denylist-email-domains) on -email domains to prevent malicious users from creating accounts. - -## Require admin approval for new sign-ups +## Require administrator approval for new sign ups > [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/4491) in GitLab 13.5. -When this setting is enabled, any user visiting your GitLab domain and signing up for a new account will have to be explicitly [approved](../approving_users.md#approving-a-user) by an administrator before they can start using their account. +When this setting is enabled, any user visiting your GitLab domain and signing up for a new account must be explicitly [approved](../approving_users.md#approving-a-user) by an administrator before they can start using their account. This setting is only applicable if sign ups are enabled. + +To require administrator approval for new sign ups: - +1. Go to **Admin Area > Settings > General** and expand **Sign-up restrictions**. +1. Select the **Require admin approval for new sign-ups** checkbox, then select **Save changes**. ## Require email confirmation -You can send confirmation emails during sign-up and require that users confirm +You can send confirmation emails during sign up and require that users confirm their email address before they are allowed to sign in. - +To enforce confirmation of the email address used for new sign ups: + +1. Go to **Admin Area > Settings > General** and expand **Sign-up restrictions**. +1. Select the **Enable email restrictions for sign ups** checkbox, then select **Save changes**. ## Minimum password length limit @@ -58,40 +53,42 @@ their email address before they are allowed to sign in. You can [change](../../../security/password_length_limits.md#modify-minimum-password-length-using-gitlab-ui) the minimum number of characters a user must have in their password using the GitLab UI. -## Allowlist email domains +## Allow or deny sign ups using specific email domains + +You can specify an inclusive or exclusive list of email domains which can be used for user sign up. + +These restrictions are only applied during sign up from an external user. An administrator can add a +user through the admin panel with a disallowed domain. Also, note that the users can change their +email addresses to disallowed domains after sign up. + +### Allowlist email domains > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/598) in GitLab 7.11.0 You can restrict users only to sign up using email addresses matching the given domains list. -## Denylist email domains +### Denylist email domains > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5259) in GitLab 8.10. -With this feature enabled, you can block email addresses of a specific domain -from creating an account on your GitLab server. This is particularly useful -to prevent malicious users from creating spam accounts with disposable email -addresses. - -## Settings - -To access this feature: +You can block users from signing up when using an email addresses of specific domains. This can +reduce the risk of malicious users creating spam accounts with disposable email addresses. -1. Navigate to the **Admin Area > Settings > General**. -1. Expand the **Sign-up restrictions** section. +### Create email domain allowlist or denylist -For the denylist, you can enter the list manually or upload a `.txt` file that -contains list entries. +To create an email domain allowlist or denylist: -For the allowlist, you must enter the list manually. +1. Go to **Admin Area > Settings > General** and expand **Sign-up restrictions**. +1. For the allowlist, you must enter the list manually. For the denylist, you can enter the list + manually or upload a `.txt` file that contains list entries. -Both the allowlist and denylist accept wildcards. For example, you can use + Both the allowlist and denylist accept wildcards. For example, you can use `*.company.com` to accept every `company.com` subdomain, or `*.io` to block all -domains ending in `.io`. Domains should be separated by a whitespace, +domains ending in `.io`. Domains must be separated by a whitespace, semicolon, comma, or a new line. - +  <!-- ## Troubleshooting diff --git a/doc/user/application_security/coverage_fuzzing/img/coverage_fuzzing_report_v13_6.png b/doc/user/application_security/coverage_fuzzing/img/coverage_fuzzing_report_v13_6.png Binary files differnew file mode 100644 index 00000000000..b3b0e5def86 --- /dev/null +++ b/doc/user/application_security/coverage_fuzzing/img/coverage_fuzzing_report_v13_6.png diff --git a/doc/user/application_security/coverage_fuzzing/index.md b/doc/user/application_security/coverage_fuzzing/index.md index 0d619659bd1..4c5afcee3d0 100644 --- a/doc/user/application_security/coverage_fuzzing/index.md +++ b/doc/user/application_security/coverage_fuzzing/index.md @@ -222,6 +222,34 @@ This essentially creates two steps: The `covfuzz-ci.yml` is the same as that in the [original synchronous example](https://gitlab.com/gitlab-org/security-products/demos/coverage-fuzzing/go-fuzzing-example#running-go-fuzz-from-ci). +## Interacting with the vulnerabilities + +After a vulnerability is found, you can [interact with it](../index.md#interacting-with-the-vulnerabilities). +The merge request widget lists the vulnerability and contains a button for downloading the fuzzing +artifacts. By clicking one of the detected vulnerabilities, you can see its details. + + + +You can also view the vulnerability from the [Security Dashboard](../security_dashboard/index.md), +which shows an overview of all the security vulnerabilities in your groups, projects, and pipelines. + +Clicking the vulnerability opens a modal that provides additional information about the +vulnerability: + +- Status: The vulnerability's status. As with any type of vulnerability, a coverage fuzzing + vulnerability can be Detected, Confirmed, Dismissed, or Resolved. +- Project: The project in which the vulnerability exists. +- Crash type: The type of crash or weakness in the code. This typically maps to a [CWE](https://cwe.mitre.org/). +- Crash state: A normalized version of the stacktrace, containing the last three functions of the + crash (without random addresses). +- Stacktrace snippet: The last few lines of the stacktrace, which shows details about the crash. +- Identifier: The vulnerability's identifier. This maps to either a [CVE](https://cve.mitre.org/) + or [CWE](https://cwe.mitre.org/). +- Severity: The vulnerability's severity. This can be Critical, High, Medium, Low, Info, or Unknown. +- Scanner: The scanner that detected the vulnerability (for example, Coverage Fuzzing). +- Scanner Provider: The engine that did the scan. For Coverage Fuzzing, this can be any of the + engines listed in [Supported fuzzing engines and languages](#supported-fuzzing-engines-and-languages). + ### Glossary - Seed corpus: The set of test cases given as initial input to the fuzz target. This usually speeds diff --git a/doc/user/infrastructure/img/terraform_list_view.png b/doc/user/infrastructure/img/terraform_list_view.png Binary files differnew file mode 100644 index 00000000000..f1af3225833 --- /dev/null +++ b/doc/user/infrastructure/img/terraform_list_view.png diff --git a/doc/user/infrastructure/index.md b/doc/user/infrastructure/index.md index 9373743bf2c..ed79b819c00 100644 --- a/doc/user/infrastructure/index.md +++ b/doc/user/infrastructure/index.md @@ -13,35 +13,7 @@ workflows to tie into GitLab's authentication and authorization. These features lowering the barrier to entry for teams to adopt Terraform, collaborate effectively within GitLab, and support Terraform best practices. -## Quick Start - -Use the following `.gitlab-ci.yml` to set up a simple Terraform project integration -for GitLab versions 13.5 and greater: - -```yaml -include: - - template: Terraform.latest.gitlab-ci.yml - -variables: - # If not using GitLab's HTTP backend, remove this line and specify TF_HTTP_* variables - TF_STATE_NAME: default - TF_CACHE_KEY: default -``` - -This template uses `.latest.`, instead of stable, and may include breaking changes. -This template also includes some opinionated decisions, which you can override: - -- Including the latest [GitLab Terraform Image](https://gitlab.com/gitlab-org/terraform-images). -- Using the [GitLab managed Terraform State](#gitlab-managed-terraform-state) as - the Terraform state storage backend. -- Creating [four pipeline stages](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml): - `init`, `validate`, `build`, and `deploy`. These stages - [run the Terraform commands](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml) - `init`, `validate`, `plan`, `plan-json`, and `apply`. The `apply` command only runs on `master`. - -## GitLab managed Terraform State - -> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2673) in GitLab 13.0. +## GitLab Managed Terraform state [Terraform remote backends](https://www.terraform.io/docs/backends/index.html) enable you to store the state file in a remote, shared store. GitLab uses the @@ -57,517 +29,34 @@ Amazon S3 or Google Cloud Storage. Its features include: - Locking and unlocking state. - Remote Terraform plan and apply execution. -To get started with a GitLab-managed Terraform State, there are two different options: - -- [Use a local machine](#get-started-using-local-development). -- [Use GitLab CI](#get-started-using-gitlab-ci). - -Terraform States can be found by navigating to a Project's **{cloud-gear}** **Operations > Terraform** page. - -## Permissions for using Terraform - -In GitLab version 13.1, [Maintainer access](../permissions.md) was required to use a -GitLab managed Terraform state backend. In GitLab versions 13.2 and greater, -[Maintainer access](../permissions.md) is required to lock, unlock and write to the state -(using `terraform apply`), while [Developer access](../permissions.md) is required to read -the state (using `terraform plan -lock=false`). - -## Get started using local development - -If you plan to only run `terraform plan` and `terraform apply` commands from your -local machine, this is a simple way to get started: - -1. Create your project on your GitLab instance. -1. Navigate to **Settings > General** and note your **Project name** - and **Project ID**. -1. Define the Terraform backend in your Terraform project to be: - - ```hcl - terraform { - backend "http" { - } - } - ``` - -1. Create a [Personal Access Token](../profile/personal_access_tokens.md) with - the `api` scope. - -1. On your local machine, run `terraform init`, passing in the following options, - replacing `<YOUR-STATE-NAME>`, `<YOUR-PROJECT-ID>`, `<YOUR-USERNAME>` and - `<YOUR-ACCESS-TOKEN>` with the relevant values. This command initializes your - Terraform state, and stores that state within your GitLab project. The name of - your state can contain only uppercase and lowercase letters, decimal digits, - hyphens, and underscores. This example uses `gitlab.com`: - - ```shell - terraform init \ - -backend-config="address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>" \ - -backend-config="lock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \ - -backend-config="unlock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \ - -backend-config="username=<YOUR-USERNAME>" \ - -backend-config="password=<YOUR-ACCESS-TOKEN>" \ - -backend-config="lock_method=POST" \ - -backend-config="unlock_method=DELETE" \ - -backend-config="retry_wait_min=5" - ``` - -You can now run `terraform plan` and `terraform apply` as you normally would. - -## Get started using GitLab CI - -If you don't want to start with local development, you can also use GitLab CI to -run your `terraform plan` and `terraform apply` commands. - -Next, [configure the backend](#configure-the-backend). - -## Configure the backend - -After executing the `terraform init` command, you must configure the Terraform backend -and the CI YAML file: - -1. In your Terraform project, define the [HTTP backend](https://www.terraform.io/docs/backends/types/http.html) - by adding the following code block in a `.tf` file (such as `backend.tf`) to - define the remote backend: - - ```hcl - terraform { - backend "http" { - } - } - ``` - -1. In the root directory of your project repository, configure a - `.gitlab-ci.yaml` file. This example uses a pre-built image which includes a - `gitlab-terraform` helper. For supported Terraform versions, see the [GitLab - Terraform Images project](https://gitlab.com/gitlab-org/terraform-images). - - ```yaml - image: registry.gitlab.com/gitlab-org/terraform-images/stable:latest - ``` - -1. In the `.gitlab-ci.yaml` file, define some environment variables to ease - development. In this example, `TF_ROOT` is the directory where the Terraform - commands must be executed, `TF_ADDRESS` is the URL to the state on the GitLab - instance where this pipeline runs, and the final path segment in `TF_ADDRESS` - is the name of the Terraform state. Projects may have multiple states, and - this name is arbitrary, so in this example we set it to `example-production` - which corresponds with the directory we're using as our `TF_ROOT`, and we - ensure that the `.terraform` directory is cached between jobs in the pipeline - using a cache key based on the state name (`example-production`): - - ```yaml - variables: - TF_ROOT: ${CI_PROJECT_DIR}/environments/example/production - TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/example-production - - cache: - key: example-production - paths: - - ${TF_ROOT}/.terraform - ``` - -1. In a `before_script`, change to your `TF_ROOT`: - - ```yaml - before_script: - - cd ${TF_ROOT} - - stages: - - prepare - - validate - - build - - deploy - - init: - stage: prepare - script: - - gitlab-terraform init - - validate: - stage: validate - script: - - gitlab-terraform validate - - plan: - stage: build - script: - - gitlab-terraform plan - - gitlab-terraform plan-json - artifacts: - name: plan - paths: - - ${TF_ROOT}/plan.cache - reports: - terraform: ${TF_ROOT}/plan.json - - apply: - stage: deploy - environment: - name: production - script: - - gitlab-terraform apply - dependencies: - - plan - when: manual - only: - - master - ``` - -1. Push your project to GitLab, which triggers a CI job pipeline. This pipeline - runs the `gitlab-terraform init`, `gitlab-terraform validate`, and - `gitlab-terraform plan` commands. - -The output from the above `terraform` commands should be viewable in the job logs. - -CAUTION: **Caution:** -Like any other job artifact, Terraform plan data is [viewable by anyone with Guest access](../permissions.md) to the repository. -Neither Terraform nor GitLab encrypts the plan file by default. If your Terraform plan -includes sensitive data such as passwords, access tokens, or certificates, GitLab strongly -recommends encrypting plan output or modifying the project visibility settings. - -## Example project - -See [this reference project](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-aws) using GitLab and Terraform to deploy a basic AWS EC2 within a custom VPC. - -## Copy Terraform state between backends - -Terraform supports copying the state when the backend is changed or -reconfigured. This can be useful if you need to migrate from another backend to -GitLab managed Terraform state. It's also useful if you need to change the state -name as in the following example: - -```shell -PROJECT_ID="<gitlab-project-id>" -TF_USERNAME="<gitlab-username>" -TF_PASSWORD="<gitlab-personal-access-token>" -TF_ADDRESS="https://gitlab.com/api/v4/projects/${PROJECT_ID}/terraform/state/old-state-name" - -terraform init \ - -backend-config=address=${TF_ADDRESS} \ - -backend-config=lock_address=${TF_ADDRESS}/lock \ - -backend-config=unlock_address=${TF_ADDRESS}/lock \ - -backend-config=username=${TF_USERNAME} \ - -backend-config=password=${TF_PASSWORD} \ - -backend-config=lock_method=POST \ - -backend-config=unlock_method=DELETE \ - -backend-config=retry_wait_min=5 -``` - -```plaintext -Initializing the backend... - -Successfully configured the backend "http"! Terraform will automatically -use this backend unless the backend configuration changes. - -Initializing provider plugins... - -Terraform has been successfully initialized! - -You may now begin working with Terraform. Try running "terraform plan" to see -any changes that are required for your infrastructure. All Terraform commands -should now work. - -If you ever set or change modules or backend configuration for Terraform, -rerun this command to reinitialize your working directory. If you forget, other -commands will detect it and remind you to do so if necessary. -``` - -Now that `terraform init` has created a `.terraform/` directory that knows where -the old state is, you can tell it about the new location: - -```shell -TF_ADDRESS="https://gitlab.com/api/v4/projects/${PROJECT_ID}/terraform/state/new-state-name" +Read more on setting up and [using GitLab Managed Terraform states](terraform_state.md) -terraform init \ - -backend-config=address=${TF_ADDRESS} \ - -backend-config=lock_address=${TF_ADDRESS}/lock \ - -backend-config=unlock_address=${TF_ADDRESS}/lock \ - -backend-config=username=${TF_USERNAME} \ - -backend-config=password=${TF_PASSWORD} \ - -backend-config=lock_method=POST \ - -backend-config=unlock_method=DELETE \ - -backend-config=retry_wait_min=5 -``` - -```plaintext -Initializing the backend... -Backend configuration changed! - -Terraform has detected that the configuration specified for the backend -has changed. Terraform will now check for existing state in the backends. - - -Acquiring state lock. This may take a few moments... -Do you want to copy existing state to the new backend? - Pre-existing state was found while migrating the previous "http" backend to the - newly configured "http" backend. No existing state was found in the newly - configured "http" backend. Do you want to copy this state to the new "http" - backend? Enter "yes" to copy and "no" to start with an empty state. - - Enter a value: yes - - -Successfully configured the backend "http"! Terraform will automatically -use this backend unless the backend configuration changes. - -Initializing provider plugins... - -Terraform has been successfully initialized! - -You may now begin working with Terraform. Try running "terraform plan" to see -any changes that are required for your infrastructure. All Terraform commands -should now work. - -If you ever set or change modules or backend configuration for Terraform, -rerun this command to reinitialize your working directory. If you forget, other -commands will detect it and remind you to do so if necessary. -``` - -If you type `yes`, it copies your state from the old location to the new -location. You can then go back to running it from within GitLab CI. - -## Removing a State file - -You can only remove a state file by making a request to the API, like the following example: - -```shell -curl --header "Private-Token: <your_access_token>" --request DELETE "https://gitlab.example.com/api/v4/projects/<your_project_id/terraform/state/<your_state_name>" -``` - -## Output Terraform Plan information into a merge request - -Using the [GitLab Terraform Report artifact](../../ci/pipelines/job_artifacts.md#artifactsreportsterraform), -you can expose details from `terraform plan` runs directly into a merge request widget, -enabling you to see statistics about the resources that Terraform creates, -modifies, or destroys. +## Terraform integration in Merge Requests -Let's explore how to configure a GitLab Terraform Report artifact. You can -either use a pre-built image which includes a `gitlab-terraform` helper as -above, where `gitlab-terraform plan-json` outputs the required artifact, or you -can configure this manually as follows: +Collaborating around Infrastructure as Code (IaC) changes requires both code changes and expected infrastructure changes to be checked and approved. GitLab provides a solution to help collaboration around Terraform code changes and their expected effects using the Merge Request pages. This way users don't have to build custom tools or rely on 3rd party solutions to streamline their IaC workflows. -1. For simplicity, let's define a few reusable variables to allow us to - refer to these files multiple times: - - ```yaml - variables: - PLAN: plan.cache - PLAN_JSON: plan.json - ``` - -1. Install `jq`, a - [lightweight and flexible command-line JSON processor](https://stedolan.github.io/jq/). -1. Create an alias for a specific `jq` command that parses out the information we - want to extract from the `terraform plan` output: - - ```yaml - before_script: - - apk --no-cache add jq - - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" - ``` - - NOTE: **Note:** - In distributions that use Bash (for example, Ubuntu), `alias` statements are not - expanded in non-interactive mode. If your pipelines fail with the error - `convert_report: command not found`, alias expansion can be activated explicitly - by adding a `shopt` command to your script: - - ```yaml - before_script: - - shopt -s expand_aliases - - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" - ``` - -1. Define a `script` that runs `terraform plan` and `terraform show`. These commands - pipe the output and convert the relevant bits into a store variable `PLAN_JSON`. - This JSON is used to create a - [GitLab Terraform Report artifact](../../ci/pipelines/job_artifacts.md#artifactsreportsterraform). - The Terraform report obtains a Terraform `tfplan.json` file. The collected - Terraform plan report is uploaded to GitLab as an artifact, and is shown in merge requests. - - ```yaml - plan: - stage: build - script: - - terraform plan -out=$PLAN - - terraform show --json $PLAN | convert_report > $PLAN_JSON - artifacts: - reports: - terraform: $PLAN_JSON - ``` - - For a full example using the pre-built image, see [Example `.gitlab-ci.yaml` - file](#example-gitlab-ciyaml-file). - - For an example displaying multiple reports, see [`.gitlab-ci.yaml` multiple reports file](#multiple-terraform-plan-reports). - -1. Running the pipeline displays the widget in the merge request, like this: - -  - -1. Clicking the **View Full Log** button in the widget takes you directly to the - plan output present in the pipeline logs: - -  +## Quick Start -### Example `.gitlab-ci.yaml` file +Use the following `.gitlab-ci.yml` to set up a simple Terraform project integration +for GitLab versions 13.5 and greater: ```yaml -default: - image: registry.gitlab.com/gitlab-org/terraform-images/stable:latest - - cache: - key: example-production - paths: - - ${TF_ROOT}/.terraform +include: + - template: Terraform.latest.gitlab-ci.yml variables: - TF_ROOT: ${CI_PROJECT_DIR}/environments/example/production - TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/example-production - -before_script: - - cd ${TF_ROOT} - -stages: - - prepare - - validate - - build - - deploy - -init: - stage: prepare - script: - - gitlab-terraform init - -validate: - stage: validate - script: - - gitlab-terraform validate - -plan: - stage: build - script: - - gitlab-terraform plan - - gitlab-terraform plan-json - artifacts: - name: plan - paths: - - ${TF_ROOT}/plan.cache - reports: - terraform: ${TF_ROOT}/plan.json - -apply: - stage: deploy - environment: - name: production - script: - - gitlab-terraform apply - dependencies: - - plan - when: manual - only: - - master -``` - -### Multiple Terraform Plan reports - -Starting with GitLab version 13.2, you can display multiple reports on the Merge Request -page. The reports also display the `artifacts: name:`. See example below for a suggested setup. - -```yaml -default: - image: - name: registry.gitlab.com/gitlab-org/gitlab-build-images:terraform - entrypoint: - - '/usr/bin/env' - - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' - - cache: - paths: - - .terraform - -stages: - - build - -.terraform-plan-generation: - stage: build - variables: - PLAN: plan.tfplan - JSON_PLAN_FILE: tfplan.json - before_script: - - cd ${TERRAFORM_DIRECTORY} - - terraform --version - - terraform init - - apk --no-cache add jq - script: - - terraform validate - - terraform plan -out=${PLAN} - - terraform show --json ${PLAN} | jq -r '([.resource_changes[]?.change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > ${JSON_PLAN_FILE} - artifacts: - reports: - terraform: ${TERRAFORM_DIRECTORY}/${JSON_PLAN_FILE} - -review_plan: - extends: .terraform-plan-generation - variables: - TERRAFORM_DIRECTORY: "review/" - # Review will not include an artifact name - -staging_plan: - extends: .terraform-plan-generation - variables: - TERRAFORM_DIRECTORY: "staging/" - artifacts: - name: Staging - -production_plan: - extends: .terraform-plan-generation - variables: - TERRAFORM_DIRECTORY: "production/" - artifacts: - name: Production + # If not using GitLab's HTTP backend, remove this line and specify TF_HTTP_* variables + TF_STATE_NAME: default + TF_CACHE_KEY: default ``` -## Using a GitLab managed Terraform state backend as a remote data source - -You can use a GitLab-managed Terraform state as a -[Terraform data source](https://www.terraform.io/docs/providers/terraform/d/remote_state.html). -To use your existing Terraform state backend as a data source, provide the following details -as [Terraform input variables](https://www.terraform.io/docs/configuration/variables.html): - -- **address**: The URL of the remote state backend you want to use as a data source. - For example, `https://gitlab.com/api/v4/projects/<TARGET-PROJECT-ID>/terraform/state/<TARGET-STATE-NAME>`. -- **username**: The username to authenticate with the data source. If you are using a [Personal Access Token](../profile/personal_access_tokens.md) for - authentication, this is your GitLab username. If you are using GitLab CI, this is `'gitlab-ci-token'`. -- **password**: The password to authenticate with the data source. If you are using a Personal Access Token for - authentication, this is the token value. If you are using GitLab CI, it is the contents of the `${CI_JOB_TOKEN}` CI variable. - -An example setup is shown below: - -1. Create a file named `example.auto.tfvars` with the following contents: - - ```plaintext - example_remote_state_address=https://gitlab.com/api/v4/projects/<TARGET-PROJECT-ID>/terraform/state/<TARGET-STATE-NAME> - example_username=<GitLab username> - example_access_token=<GitLab Personal Acceess Token> - ``` - -1. Define the data source by adding the following code block in a `.tf` file (such as `data.tf`): - - ```hcl - data "terraform_remote_state" "example" { - backend = "http" - - config = { - address = var.example_remote_state_address - username = var.example_username - password = var.example_access_token - } - } - ``` - -Outputs from the data source can now be referenced within your Terraform resources -using `data.terraform_remote_state.example.outputs.<OUTPUT-NAME>`. +This template uses `.latest.`, instead of stable, and may include breaking changes. +This template also includes some opinionated decisions, which you can override: -You need at least [developer access](../permissions.md) to the target project -to read the Terraform state. +- Including the latest [GitLab Terraform Image](https://gitlab.com/gitlab-org/terraform-images). +- Using the [GitLab managed Terraform State](#gitlab-managed-terraform-state) as + the Terraform state storage backend. +- Creating [four pipeline stages](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform.latest.gitlab-ci.yml): + `init`, `validate`, `build`, and `deploy`. These stages + [run the Terraform commands](https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Terraform/Base.latest.gitlab-ci.yml) + `init`, `validate`, `plan`, `plan-json`, and `apply`. The `apply` command only runs on `master`. diff --git a/doc/user/infrastructure/mr_integration.md b/doc/user/infrastructure/mr_integration.md new file mode 100644 index 00000000000..7d9a036cac8 --- /dev/null +++ b/doc/user/infrastructure/mr_integration.md @@ -0,0 +1,205 @@ +--- +stage: Configure +group: Configure +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +--- + +# Terraform integration in Merge Requests + +Collaborating around Infrastructure as Code (IaC) changes requires both code changes and expected infrastructure changes to be checked and approved. GitLab provides a solution to help collaboration around Terraform code changes and their expected effects using the Merge Request pages. This way users don't have to build custom tools or rely on 3rd party solutions to streamline their IaC workflows. + +## Output Terraform Plan information into a merge request + +Using the [GitLab Terraform Report artifact](../../ci/pipelines/job_artifacts.md#artifactsreportsterraform), +you can expose details from `terraform plan` runs directly into a merge request widget, +enabling you to see statistics about the resources that Terraform creates, +modifies, or destroys. + +## Setup + +NOTE: **Note:** +GitLab ships with a [pre-built CI template](index.md#quick-start) that uses GitLab Managed Terraform state and integrates Terraform changes into merge requests. We recommend customizing the pre-built image and relying on the `gitlab-terraform` helper provided within for a quick setup. + +To manually configure a GitLab Terraform Report artifact requires the following steps: + +1. For simplicity, let's define a few reusable variables to allow us to + refer to these files multiple times: + + ```yaml + variables: + PLAN: plan.cache + PLAN_JSON: plan.json + ``` + +1. Install `jq`, a + [lightweight and flexible command-line JSON processor](https://stedolan.github.io/jq/). +1. Create an alias for a specific `jq` command that parses out the information we + want to extract from the `terraform plan` output: + + ```yaml + before_script: + - apk --no-cache add jq + - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + ``` + + NOTE: **Note:** + In distributions that use Bash (for example, Ubuntu), `alias` statements are not + expanded in non-interactive mode. If your pipelines fail with the error + `convert_report: command not found`, alias expansion can be activated explicitly + by adding a `shopt` command to your script: + + ```yaml + before_script: + - shopt -s expand_aliases + - alias convert_report="jq -r '([.resource_changes[]?.change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'" + ``` + +1. Define a `script` that runs `terraform plan` and `terraform show`. These commands + pipe the output and convert the relevant bits into a store variable `PLAN_JSON`. + This JSON is used to create a + [GitLab Terraform Report artifact](../../ci/pipelines/job_artifacts.md#artifactsreportsterraform). + The Terraform report obtains a Terraform `tfplan.json` file. The collected + Terraform plan report is uploaded to GitLab as an artifact, and is shown in merge requests. + + ```yaml + plan: + stage: build + script: + - terraform plan -out=$PLAN + - terraform show --json $PLAN | convert_report > $PLAN_JSON + artifacts: + reports: + terraform: $PLAN_JSON + ``` + + For a full example using the pre-built image, see [Example `.gitlab-ci.yaml` + file](#example-gitlab-ciyaml-file). + + For an example displaying multiple reports, see [`.gitlab-ci.yaml` multiple reports file](#multiple-terraform-plan-reports). + +1. Running the pipeline displays the widget in the merge request, like this: + +  + +1. Clicking the **View Full Log** button in the widget takes you directly to the + plan output present in the pipeline logs: + +  + +### Example `.gitlab-ci.yaml` file + +```yaml +default: + image: registry.gitlab.com/gitlab-org/terraform-images/stable:latest + + cache: + key: example-production + paths: + - ${TF_ROOT}/.terraform + +variables: + TF_ROOT: ${CI_PROJECT_DIR}/environments/example/production + TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/example-production + +before_script: + - cd ${TF_ROOT} + +stages: + - prepare + - validate + - build + - deploy + +init: + stage: prepare + script: + - gitlab-terraform init + +validate: + stage: validate + script: + - gitlab-terraform validate + +plan: + stage: build + script: + - gitlab-terraform plan + - gitlab-terraform plan-json + artifacts: + name: plan + paths: + - ${TF_ROOT}/plan.cache + reports: + terraform: ${TF_ROOT}/plan.json + +apply: + stage: deploy + environment: + name: production + script: + - gitlab-terraform apply + dependencies: + - plan + when: manual + only: + - master +``` + +### Multiple Terraform Plan reports + +Starting with GitLab version 13.2, you can display multiple reports on the Merge Request +page. The reports also display the `artifacts: name:`. See example below for a suggested setup. + +```yaml +default: + image: + name: registry.gitlab.com/gitlab-org/gitlab-build-images:terraform + entrypoint: + - '/usr/bin/env' + - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' + + cache: + paths: + - .terraform + +stages: + - build + +.terraform-plan-generation: + stage: build + variables: + PLAN: plan.tfplan + JSON_PLAN_FILE: tfplan.json + before_script: + - cd ${TERRAFORM_DIRECTORY} + - terraform --version + - terraform init + - apk --no-cache add jq + script: + - terraform validate + - terraform plan -out=${PLAN} + - terraform show --json ${PLAN} | jq -r '([.resource_changes[]?.change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > ${JSON_PLAN_FILE} + artifacts: + reports: + terraform: ${TERRAFORM_DIRECTORY}/${JSON_PLAN_FILE} + +review_plan: + extends: .terraform-plan-generation + variables: + TERRAFORM_DIRECTORY: "review/" + # Review will not include an artifact name + +staging_plan: + extends: .terraform-plan-generation + variables: + TERRAFORM_DIRECTORY: "staging/" + artifacts: + name: Staging + +production_plan: + extends: .terraform-plan-generation + variables: + TERRAFORM_DIRECTORY: "production/" + artifacts: + name: Production +``` diff --git a/doc/user/infrastructure/terraform_state.md b/doc/user/infrastructure/terraform_state.md new file mode 100644 index 00000000000..e85a34a8de8 --- /dev/null +++ b/doc/user/infrastructure/terraform_state.md @@ -0,0 +1,360 @@ +--- +stage: Configure +group: Configure +info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers +--- + +# GitLab managed Terraform State + +> [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/2673) in GitLab 13.0. + +[Terraform remote backends](https://www.terraform.io/docs/backends/index.html) +enable you to store the state file in a remote, shared store. GitLab uses the +[Terraform HTTP backend](https://www.terraform.io/docs/backends/types/http.html) +to securely store the state files in local storage (the default) or +[the remote store of your choice](../../administration/terraform_state.md). + +The GitLab managed Terraform state backend can store your Terraform state easily and +securely, and spares you from setting up additional remote resources like +Amazon S3 or Google Cloud Storage. Its features include: + +- Supporting encryption of the state file both in transit and at rest. +- Locking and unlocking state. +- Remote Terraform plan and apply execution. + +## Permissions for using Terraform + +In GitLab version 13.1, [Maintainer access](../permissions.md) was required to use a +GitLab managed Terraform state backend. In GitLab versions 13.2 and greater, +[Maintainer access](../permissions.md) is required to lock, unlock and write to the state +(using `terraform apply`), while [Developer access](../permissions.md) is required to read +the state (using `terraform plan -lock=false`). + +## Set up GitLab-managed Terraform state + +To get started with a GitLab-managed Terraform state, there are two different options: + +- [Use a local machine](#get-started-using-local-development). +- [Use GitLab CI](#get-started-using-gitlab-ci). + +Terraform States can be found by navigating to a Project's **{cloud-gear}** **Operations > Terraform** page. + +### Get started using local development + +If you plan to only run `terraform plan` and `terraform apply` commands from your +local machine, this is a simple way to get started: + +1. Create your project on your GitLab instance. +1. Navigate to **Settings > General** and note your **Project name** + and **Project ID**. +1. Define the Terraform backend in your Terraform project to be: + + ```hcl + terraform { + backend "http" { + } + } + ``` + +1. Create a [Personal Access Token](../profile/personal_access_tokens.md) with + the `api` scope. + +1. On your local machine, run `terraform init`, passing in the following options, + replacing `<YOUR-STATE-NAME>`, `<YOUR-PROJECT-ID>`, `<YOUR-USERNAME>` and + `<YOUR-ACCESS-TOKEN>` with the relevant values. This command initializes your + Terraform state, and stores that state within your GitLab project. The name of + your state can contain only uppercase and lowercase letters, decimal digits, + hyphens, and underscores. This example uses `gitlab.com`: + + ```shell + terraform init \ + -backend-config="address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>" \ + -backend-config="lock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \ + -backend-config="unlock_address=https://gitlab.com/api/v4/projects/<YOUR-PROJECT-ID>/terraform/state/<YOUR-STATE-NAME>/lock" \ + -backend-config="username=<YOUR-USERNAME>" \ + -backend-config="password=<YOUR-ACCESS-TOKEN>" \ + -backend-config="lock_method=POST" \ + -backend-config="unlock_method=DELETE" \ + -backend-config="retry_wait_min=5" + ``` + +You can now run `terraform plan` and `terraform apply` as you normally would. + +### Get started using GitLab CI + +If you don't want to start with local development, you can also use GitLab CI to +run your `terraform plan` and `terraform apply` commands. + +Next, [configure the backend](#configure-the-backend). + +#### Configure the backend + +After executing the `terraform init` command, you must configure the Terraform backend +and the CI YAML file: + +1. In your Terraform project, define the [HTTP backend](https://www.terraform.io/docs/backends/types/http.html) + by adding the following code block in a `.tf` file (such as `backend.tf`) to + define the remote backend: + + ```hcl + terraform { + backend "http" { + } + } + ``` + +1. In the root directory of your project repository, configure a + `.gitlab-ci.yaml` file. This example uses a pre-built image which includes a + `gitlab-terraform` helper. For supported Terraform versions, see the [GitLab + Terraform Images project](https://gitlab.com/gitlab-org/terraform-images). + + ```yaml + image: registry.gitlab.com/gitlab-org/terraform-images/stable:latest + ``` + +1. In the `.gitlab-ci.yaml` file, define some environment variables to ease + development. In this example, `TF_ROOT` is the directory where the Terraform + commands must be executed, `TF_ADDRESS` is the URL to the state on the GitLab + instance where this pipeline runs, and the final path segment in `TF_ADDRESS` + is the name of the Terraform state. Projects may have multiple states, and + this name is arbitrary, so in this example we set it to `example-production` + which corresponds with the directory we're using as our `TF_ROOT`, and we + ensure that the `.terraform` directory is cached between jobs in the pipeline + using a cache key based on the state name (`example-production`): + + ```yaml + variables: + TF_ROOT: ${CI_PROJECT_DIR}/environments/example/production + TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/example-production + + cache: + key: example-production + paths: + - ${TF_ROOT}/.terraform + ``` + +1. In a `before_script`, change to your `TF_ROOT`: + + ```yaml + before_script: + - cd ${TF_ROOT} + + stages: + - prepare + - validate + - build + - deploy + + init: + stage: prepare + script: + - gitlab-terraform init + + validate: + stage: validate + script: + - gitlab-terraform validate + + plan: + stage: build + script: + - gitlab-terraform plan + - gitlab-terraform plan-json + artifacts: + name: plan + paths: + - ${TF_ROOT}/plan.cache + reports: + terraform: ${TF_ROOT}/plan.json + + apply: + stage: deploy + environment: + name: production + script: + - gitlab-terraform apply + dependencies: + - plan + when: manual + only: + - master + ``` + +1. Push your project to GitLab, which triggers a CI job pipeline. This pipeline + runs the `gitlab-terraform init`, `gitlab-terraform validate`, and + `gitlab-terraform plan` commands. + +The output from the above `terraform` commands should be viewable in the job logs. + +CAUTION: **Caution:** +Like any other job artifact, Terraform plan data is [viewable by anyone with Guest access](../permissions.md) to the repository. +Neither Terraform nor GitLab encrypts the plan file by default. If your Terraform plan +includes sensitive data such as passwords, access tokens, or certificates, GitLab strongly +recommends encrypting plan output or modifying the project visibility settings. + +### Example project + +See [this reference project](https://gitlab.com/gitlab-org/configure/examples/gitlab-terraform-aws) using GitLab and Terraform to deploy a basic AWS EC2 within a custom VPC. + +## Using a GitLab managed Terraform state backend as a remote data source + +You can use a GitLab-managed Terraform state as a +[Terraform data source](https://www.terraform.io/docs/providers/terraform/d/remote_state.html). +To use your existing Terraform state backend as a data source, provide the following details +as [Terraform input variables](https://www.terraform.io/docs/configuration/variables.html): + +- **address**: The URL of the remote state backend you want to use as a data source. + For example, `https://gitlab.com/api/v4/projects/<TARGET-PROJECT-ID>/terraform/state/<TARGET-STATE-NAME>`. +- **username**: The username to authenticate with the data source. If you are using a [Personal Access Token](../profile/personal_access_tokens.md) for + authentication, this is your GitLab username. If you are using GitLab CI, this is `'gitlab-ci-token'`. +- **password**: The password to authenticate with the data source. If you are using a Personal Access Token for + authentication, this is the token value. If you are using GitLab CI, it is the contents of the `${CI_JOB_TOKEN}` CI variable. + +An example setup is shown below: + +1. Create a file named `example.auto.tfvars` with the following contents: + + ```plaintext + example_remote_state_address=https://gitlab.com/api/v4/projects/<TARGET-PROJECT-ID>/terraform/state/<TARGET-STATE-NAME> + example_username=<GitLab username> + example_access_token=<GitLab Personal Acceess Token> + ``` + +1. Define the data source by adding the following code block in a `.tf` file (such as `data.tf`): + + ```hcl + data "terraform_remote_state" "example" { + backend = "http" + + config = { + address = var.example_remote_state_address + username = var.example_username + password = var.example_access_token + } + } + ``` + +Outputs from the data source can now be referenced within your Terraform resources +using `data.terraform_remote_state.example.outputs.<OUTPUT-NAME>`. + +You need at least [developer access](../permissions.md) to the target project +to read the Terraform state. + +## Migrating to GitLab Managed Terraform state + +Terraform supports copying the state when the backend is changed or +reconfigured. This can be useful if you need to migrate from another backend to +GitLab managed Terraform state. Using a local terminal is recommended to run the commands needed for migrating to GitLab Managed Terraform state. + +The following example demonstrates how to change the state name, the same workflow is needed to migrate to GitLab Managed Terraform state from a different state storage backend. + +### Setting up the initial backend + +```shell +PROJECT_ID="<gitlab-project-id>" +TF_USERNAME="<gitlab-username>" +TF_PASSWORD="<gitlab-personal-access-token>" +TF_ADDRESS="https://gitlab.com/api/v4/projects/${PROJECT_ID}/terraform/state/old-state-name" + +terraform init \ + -backend-config=address=${TF_ADDRESS} \ + -backend-config=lock_address=${TF_ADDRESS}/lock \ + -backend-config=unlock_address=${TF_ADDRESS}/lock \ + -backend-config=username=${TF_USERNAME} \ + -backend-config=password=${TF_PASSWORD} \ + -backend-config=lock_method=POST \ + -backend-config=unlock_method=DELETE \ + -backend-config=retry_wait_min=5 +``` + +```plaintext +Initializing the backend... + +Successfully configured the backend "http"! Terraform will automatically +use this backend unless the backend configuration changes. + +Initializing provider plugins... + +Terraform has been successfully initialized! + +You may now begin working with Terraform. Try running "terraform plan" to see +any changes that are required for your infrastructure. All Terraform commands +should now work. + +If you ever set or change modules or backend configuration for Terraform, +rerun this command to reinitialize your working directory. If you forget, other +commands will detect it and remind you to do so if necessary. +``` + +### Changing the backend + +Now that `terraform init` has created a `.terraform/` directory that knows where +the old state is, you can tell it about the new location: + +```shell +TF_ADDRESS="https://gitlab.com/api/v4/projects/${PROJECT_ID}/terraform/state/new-state-name" + +terraform init \ + -backend-config=address=${TF_ADDRESS} \ + -backend-config=lock_address=${TF_ADDRESS}/lock \ + -backend-config=unlock_address=${TF_ADDRESS}/lock \ + -backend-config=username=${TF_USERNAME} \ + -backend-config=password=${TF_PASSWORD} \ + -backend-config=lock_method=POST \ + -backend-config=unlock_method=DELETE \ + -backend-config=retry_wait_min=5 +``` + +```plaintext +Initializing the backend... +Backend configuration changed! + +Terraform has detected that the configuration specified for the backend +has changed. Terraform will now check for existing state in the backends. + + +Acquiring state lock. This may take a few moments... +Do you want to copy existing state to the new backend? + Pre-existing state was found while migrating the previous "http" backend to the + newly configured "http" backend. No existing state was found in the newly + configured "http" backend. Do you want to copy this state to the new "http" + backend? Enter "yes" to copy and "no" to start with an empty state. + + Enter a value: yes + + +Successfully configured the backend "http"! Terraform will automatically +use this backend unless the backend configuration changes. + +Initializing provider plugins... + +Terraform has been successfully initialized! + +You may now begin working with Terraform. Try running "terraform plan" to see +any changes that are required for your infrastructure. All Terraform commands +should now work. + +If you ever set or change modules or backend configuration for Terraform, +rerun this command to reinitialize your working directory. If you forget, other +commands will detect it and remind you to do so if necessary. +``` + +If you type `yes`, it copies your state from the old location to the new +location. You can then go back to running it from within GitLab CI. + +## Managing state files + +NOTE: **Note:** +We are currently working on [providing a graphical for managing state files](https://gitlab.com/groups/gitlab-org/-/epics/4563). + + + +The state files attached to a project can be found under Operations / Terraform. + +## Removing a State file + +You can only remove a state file by making a request to the API, like the following example: + +```shell +curl --header "Private-Token: <your_access_token>" --request DELETE "https://gitlab.example.com/api/v4/projects/<your_project_id/terraform/state/<your_state_name>" +``` diff --git a/doc/user/profile/notifications.md b/doc/user/profile/notifications.md index 73a83b08a23..64bc6e48b81 100644 --- a/doc/user/profile/notifications.md +++ b/doc/user/profile/notifications.md @@ -7,13 +7,15 @@ info: To determine the technical writer assigned to the Stage/Group associated w # GitLab Notification Emails -GitLab Notifications allow you to stay informed about what's happening in GitLab. With notifications enabled, you can receive updates about activity in issues, merge requests, and epics. Notifications are sent via email. +GitLab Notifications allow you to stay informed about what's happening in GitLab. With notifications +enabled, you can receive updates about activity in issues, merge requests, epics, and designs. +Notifications are sent via email. ## Receiving notifications You will receive notifications for one of the following reasons: -- You participate in an issue, merge request, or epic. In this context, _participate_ means comment, or edit. +- You participate in an issue, merge request, epic or design. In this context, _participate_ means comment, or edit. - You enable notifications in an issue, merge request, or epic. To enable notifications, click the **Notifications** toggle in the sidebar to _on_. While notifications are enabled, you will receive notification of actions occurring in that issue, merge request, or epic. @@ -209,6 +211,44 @@ If an open merge request becomes unmergeable due to conflict, its author will be If a user has also set the merge request to automatically merge once pipeline succeeds, then that user will also be notified. +## Design email notifications + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/217095) in GitLab 13.6. +> - It's [deployed behind a feature flag](../../user/feature_flags.md), disabled by default. +> - It's disabled on GitLab.com. +> - It's not recommended for production use. +> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-design-email-notifications). **(CORE ONLY)** + +CAUTION: **Warning:** +This feature might not be available to you. Check the **version history** note above for details. + +Email notifications are sent to the participants when comments are made on a design. + +The participants are: + +- Authors of the design (can be multiple people if different authors have uploaded different versions of the design). +- Authors of comments on the design. +- Anyone that is `@mentioned` in a comment on the design. + +### Enable or disable design email notifications **(CORE ONLY)** + +The design email notifications feature is under development and not ready for production use. It is +deployed behind a feature flag that is **disabled by default**. +[GitLab administrators with access to the GitLab Rails console](../../administration/feature_flags.md) +can enable it. + +To enable it: + +```ruby +Feature.enable(:design_management_design_notification_participants) +``` + +To disable it: + +```ruby +Feature.disable(:design_management_design_notification_participants) +``` + ## Filtering email Notification email messages include GitLab-specific headers. You can filter the notification emails based on the content of these headers to better manage your notifications. For example, you could filter all emails for a specific project where you are being assigned either a merge request or issue. diff --git a/lib/container_registry/client.rb b/lib/container_registry/client.rb index e6ca33d749b..35f299c17e4 100644 --- a/lib/container_registry/client.rb +++ b/lib/container_registry/client.rb @@ -15,6 +15,7 @@ module ContainerRegistry CONTAINER_IMAGE_V1_TYPE = 'application/vnd.docker.container.image.v1+json' REGISTRY_VERSION_HEADER = 'gitlab-container-registry-version' REGISTRY_FEATURES_HEADER = 'gitlab-container-registry-features' + REGISTRY_TAG_DELETE_FEATURE = 'tag_delete' ACCEPTED_TYPES = [DOCKER_DISTRIBUTION_MANIFEST_V2_TYPE, OCI_MANIFEST_V1_TYPE].freeze @@ -25,8 +26,6 @@ module ContainerRegistry registry_config = Gitlab.config.registry return false unless registry_config.enabled && registry_config.api_url.present? - return true if ::Gitlab.com? - token = Auth::ContainerRegistryAuthenticationService.access_token([], []) client = new(registry_config.api_url, token: token) client.supports_tag_delete? @@ -81,6 +80,9 @@ module ContainerRegistry # the DELETE method in the Allow header. Others reply with an 404 Not Found. def supports_tag_delete? strong_memoize(:supports_tag_delete) do + registry_features = Gitlab::CurrentSettings.container_registry_features || [] + next true if ::Gitlab.com? && registry_features.include?(REGISTRY_TAG_DELETE_FEATURE) + response = faraday.run_request(:options, '/v2/name/tags/reference/tag', '', {}) response.success? && response.headers['allow']&.include?('DELETE') end diff --git a/lib/gitlab/background_migration/populate_has_vulnerabilities.rb b/lib/gitlab/background_migration/populate_has_vulnerabilities.rb new file mode 100644 index 00000000000..c9e3ac2dc99 --- /dev/null +++ b/lib/gitlab/background_migration/populate_has_vulnerabilities.rb @@ -0,0 +1,63 @@ +# frozen_string_literal: true + +module Gitlab + module BackgroundMigration + # This class populates missing dismissal information for + # vulnerability entries. + class PopulateHasVulnerabilities + class ProjectSetting < ActiveRecord::Base # rubocop:disable Style/Documentation + self.table_name = 'project_settings' + + UPSERT_SQL = <<~SQL + INSERT INTO project_settings + (project_id, has_vulnerabilities, created_at, updated_at) + VALUES + %{values} + ON CONFLICT (project_id) + DO UPDATE SET + has_vulnerabilities = true, + updated_at = EXCLUDED.updated_at + SQL + + def self.upsert_for(project_ids) + timestamp = connection.quote(Time.now) + values = project_ids.map { |project_id| "(#{project_id}, true, #{timestamp}, #{timestamp})" }.join(', ') + + connection.execute(UPSERT_SQL % { values: values }) + end + end + + class Vulnerability < ActiveRecord::Base # rubocop:disable Style/Documentation + include EachBatch + + self.table_name = 'vulnerabilities' + end + + def perform(*project_ids) + ProjectSetting.upsert_for(project_ids) + rescue StandardError => e + log_error(e, project_ids) + ensure + log_info(project_ids) + end + + private + + def log_error(error, project_ids) + ::Gitlab::BackgroundMigration::Logger.error( + migrator: self.class.name, + message: error.message, + project_ids: project_ids + ) + end + + def log_info(project_ids) + ::Gitlab::BackgroundMigration::Logger.info( + migrator: self.class.name, + message: 'Projects has been processed to populate `has_vulnerabilities` information', + count: project_ids.length + ) + end + end + end +end diff --git a/qa/qa/specs/features/browser_ui/1_manage/project/create_project_spec.rb b/qa/qa/specs/features/browser_ui/1_manage/project/create_project_spec.rb index 6d07f72a044..65ca905d05f 100644 --- a/qa/qa/specs/features/browser_ui/1_manage/project/create_project_spec.rb +++ b/qa/qa/specs/features/browser_ui/1_manage/project/create_project_spec.rb @@ -3,7 +3,7 @@ module QA RSpec.describe 'Manage', :smoke do describe 'Project creation' do - it 'user creates a new project', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/429' do + it 'user creates a new project', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/429', quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/-/issues/280585', type: :investigating, only: { subdomain: :staging } } do Flow::Login.sign_in created_project = Resource::Project.fabricate_via_browser_ui! do |project| diff --git a/spec/frontend/blob/pipeline_tour_success_mock_data.js b/spec/frontend/blob/pipeline_tour_success_mock_data.js index 9dea3969d63..dbcba469df5 100644 --- a/spec/frontend/blob/pipeline_tour_success_mock_data.js +++ b/spec/frontend/blob/pipeline_tour_success_mock_data.js @@ -3,6 +3,8 @@ const modalProps = { projectMergeRequestsPath: 'some_mr_path', commitCookie: 'some_cookie', humanAccess: 'maintainer', + exampleLink: '/example', + codeQualityLink: '/code-quality-link', }; export default modalProps; diff --git a/spec/frontend/blob/pipeline_tour_success_modal_spec.js b/spec/frontend/blob/pipeline_tour_success_modal_spec.js index a02c968c4b5..e8011558765 100644 --- a/spec/frontend/blob/pipeline_tour_success_modal_spec.js +++ b/spec/frontend/blob/pipeline_tour_success_modal_spec.js @@ -75,7 +75,7 @@ describe('PipelineTourSuccessModal', () => { }); it('renders the link for codeQualityLink', () => { - expect(wrapper.find(GlLink).attributes('href')).toBe(wrapper.vm.$options.codeQualityLink); + expect(wrapper.find(GlLink).attributes('href')).toBe('/code-quality-link'); }); it('calls to remove cookie', () => { diff --git a/spec/graphql/resolvers/projects/snippets_resolver_spec.rb b/spec/graphql/resolvers/projects/snippets_resolver_spec.rb index b4a5eb8ddb0..6f7feff8fe5 100644 --- a/spec/graphql/resolvers/projects/snippets_resolver_spec.rb +++ b/spec/graphql/resolvers/projects/snippets_resolver_spec.rb @@ -56,12 +56,6 @@ RSpec.describe Resolvers::Projects::SnippetsResolver do expect(snippets).to contain_exactly(project_snippet, other_project_snippet) end - - it 'returns an error if the gid is invalid' do - expect do - resolve_snippets(args: { ids: 'foo' }) - end.to raise_error(Gitlab::Graphql::Errors::ArgumentError) - end end context 'when no project is provided' do diff --git a/spec/graphql/resolvers/snippets_resolver_spec.rb b/spec/graphql/resolvers/snippets_resolver_spec.rb index 180be8e8624..a58d9c5ac3a 100644 --- a/spec/graphql/resolvers/snippets_resolver_spec.rb +++ b/spec/graphql/resolvers/snippets_resolver_spec.rb @@ -36,7 +36,7 @@ RSpec.describe Resolvers::SnippetsResolver do context 'when using filters' do context 'by author id' do it 'returns the snippets' do - snippets = resolve_snippets(args: { author_id: current_user.to_global_id }) + snippets = resolve_snippets(args: { author_id: global_id_of(current_user) }) expect(snippets).to contain_exactly(personal_snippet, project_snippet) end @@ -44,7 +44,7 @@ RSpec.describe Resolvers::SnippetsResolver do it 'returns an error if the param id is invalid' do expect do resolve_snippets(args: { author_id: 'foo' }) - end.to raise_error(Gitlab::Graphql::Errors::ArgumentError) + end.to raise_error(GraphQL::CoercionError) end end @@ -65,7 +65,7 @@ RSpec.describe Resolvers::SnippetsResolver do it 'returns an error if the param id is invalid' do expect do resolve_snippets(args: { project_id: 'foo' }) - end.to raise_error(Gitlab::Graphql::Errors::ArgumentError) + end.to raise_error(GraphQL::CoercionError) end end @@ -99,14 +99,14 @@ RSpec.describe Resolvers::SnippetsResolver do expect(snippets).to contain_exactly(personal_snippet, project_snippet) end - it 'returns an error if the gid is invalid' do + it 'returns an error if the id cannot be coerced' do args = { ids: [personal_snippet.to_global_id, 'foo'] } expect do resolve_snippets(args: args) - end.to raise_error(Gitlab::Graphql::Errors::ArgumentError) + end.to raise_error(GraphQL::CoercionError, '"foo" is not a valid Global ID') end it 'returns an error if both project and author are provided' do diff --git a/spec/graphql/resolvers/users/snippets_resolver_spec.rb b/spec/graphql/resolvers/users/snippets_resolver_spec.rb index 497b6b11b46..9ccbebc59e6 100644 --- a/spec/graphql/resolvers/users/snippets_resolver_spec.rb +++ b/spec/graphql/resolvers/users/snippets_resolver_spec.rb @@ -73,7 +73,7 @@ RSpec.describe Resolvers::Users::SnippetsResolver do expect do resolve_snippets(args: args) - end.to raise_error(Gitlab::Graphql::Errors::ArgumentError) + end.to raise_error(GraphQL::CoercionError) end end end diff --git a/spec/lib/container_registry/client_spec.rb b/spec/lib/container_registry/client_spec.rb index 4daf7375a40..2c08fdc1e75 100644 --- a/spec/lib/container_registry/client_spec.rb +++ b/spec/lib/container_registry/client_spec.rb @@ -3,9 +3,12 @@ require 'spec_helper' RSpec.describe ContainerRegistry::Client do + using RSpec::Parameterized::TableSyntax + let(:token) { '12345' } let(:options) { { token: token } } - let(:client) { described_class.new("http://container-registry", options) } + let(:registry_api_url) { 'http://container-registry' } + let(:client) { described_class.new(registry_api_url, options) } let(:push_blob_headers) do { 'Accept' => 'application/vnd.docker.distribution.manifest.v2+json, application/vnd.oci.image.manifest.v1+json', @@ -101,16 +104,6 @@ RSpec.describe ContainerRegistry::Client do end end - def stub_upload(path, content, digest, status = 200) - stub_request(:post, "http://container-registry/v2/#{path}/blobs/uploads/") - .with(headers: headers_with_accept_types) - .to_return(status: status, body: "", headers: { 'location' => 'http://container-registry/next_upload?id=someid' }) - - stub_request(:put, "http://container-registry/next_upload?digest=#{digest}&id=someid") - .with(body: content, headers: push_blob_headers) - .to_return(status: status, body: "", headers: {}) - end - describe '#upload_blob' do subject { client.upload_blob('path', 'content', 'sha256:123') } @@ -221,28 +214,36 @@ RSpec.describe ContainerRegistry::Client do describe '#supports_tag_delete?' do subject { client.supports_tag_delete? } - context 'when the server supports tag deletion' do - before do - stub_request(:options, "http://container-registry/v2/name/tags/reference/tag") - .to_return(status: 200, body: "", headers: { 'Allow' => 'DELETE' }) - end - - it { is_expected.to be_truthy } + where(:registry_tags_support_enabled, :is_on_dot_com, :container_registry_features, :expect_registry_to_be_pinged, :expected_result) do + true | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | true + true | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | true | true + true | true | [] | true | true + true | false | [] | true | true + false | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | true + false | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | true | false + false | true | [] | true | false + false | false | [] | true | false end - context 'when the server does not support tag deletion' do + with_them do before do - stub_request(:options, "http://container-registry/v2/name/tags/reference/tag") - .to_return(status: 404, body: "") + allow(::Gitlab).to receive(:com?).and_return(is_on_dot_com) + stub_registry_tags_support(registry_tags_support_enabled) + stub_application_setting(container_registry_features: container_registry_features) end - it { is_expected.to be_falsey } - end - end + it 'returns the expected result' do + if expect_registry_to_be_pinged + expect_next_instance_of(Faraday::Connection) do |connection| + expect(connection).to receive(:run_request).and_call_original + end + else + expect(Faraday::Connection).not_to receive(:new) + end - def stub_registry_info(headers: {}, status: 200) - stub_request(:get, 'http://container-registry/v2/') - .to_return(status: status, body: "", headers: headers) + expect(subject).to be expected_result + end + end end describe '#registry_info' do @@ -291,55 +292,87 @@ RSpec.describe ContainerRegistry::Client do end describe '.supports_tag_delete?' do - let(:registry_enabled) { true } - let(:registry_api_url) { 'http://sandbox.local' } - let(:registry_tags_support_enabled) { true } - let(:is_on_dot_com) { false } - subject { described_class.supports_tag_delete? } - before do - allow(::Gitlab).to receive(:com?).and_return(is_on_dot_com) - stub_container_registry_config(enabled: registry_enabled, api_url: registry_api_url, key: 'spec/fixtures/x509_certificate_pk.key') - stub_registry_tags_support(registry_tags_support_enabled) + where(:registry_api_url, :registry_enabled, :registry_tags_support_enabled, :is_on_dot_com, :container_registry_features, :expect_registry_to_be_pinged, :expected_result) do + 'http://sandbox.local' | true | true | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | true + 'http://sandbox.local' | true | true | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | true | true + 'http://sandbox.local' | true | false | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | true + 'http://sandbox.local' | true | false | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | true | false + 'http://sandbox.local' | false | true | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + 'http://sandbox.local' | false | true | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + 'http://sandbox.local' | false | false | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + 'http://sandbox.local' | false | false | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + 'http://sandbox.local' | true | true | true | [] | true | true + 'http://sandbox.local' | true | true | false | [] | true | true + 'http://sandbox.local' | true | false | true | [] | true | false + 'http://sandbox.local' | true | false | false | [] | true | false + 'http://sandbox.local' | false | true | true | [] | false | false + 'http://sandbox.local' | false | true | false | [] | false | false + 'http://sandbox.local' | false | false | true | [] | false | false + 'http://sandbox.local' | false | false | false | [] | false | false + '' | true | true | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | true | true | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | true | false | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | true | false | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | false | true | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | false | true | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | false | false | true | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | false | false | false | [ContainerRegistry::Client::REGISTRY_TAG_DELETE_FEATURE] | false | false + '' | true | true | true | [] | false | false + '' | true | true | false | [] | false | false + '' | true | false | true | [] | false | false + '' | true | false | false | [] | false | false + '' | false | true | true | [] | false | false + '' | false | true | false | [] | false | false + '' | false | false | true | [] | false | false + '' | false | false | false | [] | false | false end - context 'with the registry enabled' do - it { is_expected.to be true } - - context 'without an api url' do - let(:registry_api_url) { '' } - - it { is_expected.to be false } - end - - context 'on .com' do - let(:is_on_dot_com) { true } - - it { is_expected.to be true } + with_them do + before do + allow(::Gitlab).to receive(:com?).and_return(is_on_dot_com) + stub_container_registry_config(enabled: registry_enabled, api_url: registry_api_url, key: 'spec/fixtures/x509_certificate_pk.key') + stub_registry_tags_support(registry_tags_support_enabled) + stub_application_setting(container_registry_features: container_registry_features) end - context 'when registry server does not support tag deletion' do - let(:registry_tags_support_enabled) { false } + it 'returns the expected result' do + if expect_registry_to_be_pinged + expect_next_instance_of(Faraday::Connection) do |connection| + expect(connection).to receive(:run_request).and_call_original + end + else + expect(Faraday::Connection).not_to receive(:new) + end - it { is_expected.to be false } + expect(subject).to be expected_result end end + end + + def stub_upload(path, content, digest, status = 200) + stub_request(:post, "#{registry_api_url}/v2/#{path}/blobs/uploads/") + .with(headers: headers_with_accept_types) + .to_return(status: status, body: "", headers: { 'location' => "#{registry_api_url}/next_upload?id=someid" }) - context 'with the registry disabled' do - let(:registry_enabled) { false } + stub_request(:put, "#{registry_api_url}/next_upload?digest=#{digest}&id=someid") + .with(body: content, headers: push_blob_headers) + .to_return(status: status, body: "", headers: {}) + end - it { is_expected.to be false } - end + def stub_registry_info(headers: {}, status: 200) + stub_request(:get, "#{registry_api_url}/v2/") + .to_return(status: status, body: "", headers: headers) + end - def stub_registry_tags_support(supported = true) - status_code = supported ? 200 : 404 - stub_request(:options, "#{registry_api_url}/v2/name/tags/reference/tag") - .to_return( - status: status_code, - body: '', - headers: { 'Allow' => 'DELETE' } - ) - end + def stub_registry_tags_support(supported = true) + status_code = supported ? 200 : 404 + stub_request(:options, "#{registry_api_url}/v2/name/tags/reference/tag") + .to_return( + status: status_code, + body: '', + headers: { 'Allow' => 'DELETE' } + ) end end diff --git a/spec/lib/gitlab/background_migration/populate_has_vulnerabilities_spec.rb b/spec/lib/gitlab/background_migration/populate_has_vulnerabilities_spec.rb new file mode 100644 index 00000000000..7f7cdb884f6 --- /dev/null +++ b/spec/lib/gitlab/background_migration/populate_has_vulnerabilities_spec.rb @@ -0,0 +1,56 @@ +# frozen_string_literal: true + +require 'spec_helper' + +RSpec.describe Gitlab::BackgroundMigration::PopulateHasVulnerabilities, schema: 20201103192526 do + let(:users) { table(:users) } + let(:namespaces) { table(:namespaces) } + let(:projects) { table(:projects) } + let(:project_settings) { table(:project_settings) } + let(:vulnerabilities) { table(:vulnerabilities) } + + let(:user) { users.create!(name: 'test', email: 'test@example.com', projects_limit: 5) } + let(:namespace) { namespaces.create!(name: 'gitlab', path: 'gitlab-org') } + let(:vulnerability_base_params) { { title: 'title', state: 2, severity: 0, confidence: 5, report_type: 2, author_id: user.id } } + + let!(:project_1) { projects.create!(namespace_id: namespace.id, name: 'foo_1') } + let!(:project_2) { projects.create!(namespace_id: namespace.id, name: 'foo_2') } + let!(:project_3) { projects.create!(namespace_id: namespace.id, name: 'foo_3') } + + before do + project_settings.create!(project_id: project_1.id) + vulnerabilities.create!(vulnerability_base_params.merge(project_id: project_1.id)) + vulnerabilities.create!(vulnerability_base_params.merge(project_id: project_3.id)) + + allow(::Gitlab::BackgroundMigration::Logger).to receive_messages(info: true, error: true) + end + + describe '#perform' do + it 'sets `has_vulnerabilities` attribute of project_settings' do + expect { subject.perform(project_1.id, project_3.id) }.to change { project_settings.count }.from(1).to(2) + .and change { project_settings.where(has_vulnerabilities: true).count }.from(0).to(2) + end + + it 'writes info log message' do + subject.perform(project_1.id, project_3.id) + + expect(::Gitlab::BackgroundMigration::Logger).to have_received(:info).with(migrator: described_class.name, + message: 'Projects has been processed to populate `has_vulnerabilities` information', + count: 2) + end + + context 'when an error happens' do + before do + allow(described_class::ProjectSetting).to receive(:upsert_for).and_raise('foo') + end + + it 'writes error log message' do + subject.perform(project_1.id, project_3.id) + + expect(::Gitlab::BackgroundMigration::Logger).to have_received(:error).with(migrator: described_class.name, + message: 'foo', + project_ids: [project_1.id, project_3.id]) + end + end + end +end diff --git a/spec/lib/gitlab/import_export/all_models.yml b/spec/lib/gitlab/import_export/all_models.yml index 5ee7fb2adbf..9fca616ffc8 100644 --- a/spec/lib/gitlab/import_export/all_models.yml +++ b/spec/lib/gitlab/import_export/all_models.yml @@ -652,6 +652,7 @@ milestone_releases: evidences: - release design: &design +- authors - issue - actions - versions diff --git a/spec/migrations/schedule_populate_has_vulnerabilities_spec.rb b/spec/migrations/schedule_populate_has_vulnerabilities_spec.rb new file mode 100644 index 00000000000..edae7330b1e --- /dev/null +++ b/spec/migrations/schedule_populate_has_vulnerabilities_spec.rb @@ -0,0 +1,36 @@ +# frozen_string_literal: true + +require 'spec_helper' +require_migration! + +RSpec.describe SchedulePopulateHasVulnerabilities do + let(:users) { table(:users) } + let(:namespaces) { table(:namespaces) } + let(:projects) { table(:projects) } + let(:vulnerabilities) { table(:vulnerabilities) } + let(:user) { users.create!(name: 'test', email: 'test@example.com', projects_limit: 5) } + let(:namespace) { namespaces.create!(name: 'gitlab', path: 'gitlab-org') } + let(:vulnerability_base_params) { { title: 'title', state: 2, severity: 0, confidence: 5, report_type: 2, author_id: user.id } } + let!(:project_1) { projects.create!(namespace_id: namespace.id, name: 'foo_1') } + let!(:project_2) { projects.create!(namespace_id: namespace.id, name: 'foo_2') } + let!(:project_3) { projects.create!(namespace_id: namespace.id, name: 'foo_3') } + + around do |example| + freeze_time { Sidekiq::Testing.fake! { example.run } } + end + + before do + stub_const("#{described_class.name}::BATCH_SIZE", 1) + + vulnerabilities.create!(vulnerability_base_params.merge(project_id: project_1.id)) + vulnerabilities.create!(vulnerability_base_params.merge(project_id: project_3.id)) + end + + it 'schedules the background jobs', :aggregate_failures do + migrate! + + expect(BackgroundMigrationWorker.jobs.size).to be(2) + expect(described_class::MIGRATION_CLASS).to be_scheduled_delayed_migration(2.minutes, project_1.id) + expect(described_class::MIGRATION_CLASS).to be_scheduled_delayed_migration(4.minutes, project_3.id) + end +end diff --git a/spec/models/design_management/design_spec.rb b/spec/models/design_management/design_spec.rb index 2ce9f00a056..833f32abfcc 100644 --- a/spec/models/design_management/design_spec.rb +++ b/spec/models/design_management/design_spec.rb @@ -23,8 +23,20 @@ RSpec.describe DesignManagement::Design do it { is_expected.to belong_to(:issue) } it { is_expected.to have_many(:actions) } it { is_expected.to have_many(:versions) } + it { is_expected.to have_many(:authors) } it { is_expected.to have_many(:notes).dependent(:delete_all) } it { is_expected.to have_many(:user_mentions) } + + describe '#authors' do + it 'returns unique version authors', :aggregate_failures do + author = create(:user) + create_list(:design_version, 2, designs: [design1], author: author) + version_authors = design1.versions.map(&:author) + + expect(version_authors).to contain_exactly(issue.author, author, author) + expect(design1.authors).to contain_exactly(issue.author, author) + end + end end describe 'validations' do @@ -326,6 +338,46 @@ RSpec.describe DesignManagement::Design do end end + describe '#participants' do + let_it_be_with_refind(:design) { create(:design, issue: issue) } + let_it_be(:current_user) { create(:user) } + let_it_be(:version_author) { create(:user) } + let_it_be(:note_author) { create(:user) } + let_it_be(:mentioned_user) { create(:user) } + let_it_be(:design_version) { create(:design_version, :committed, designs: [design], author: version_author) } + let_it_be(:note) do + create(:diff_note_on_design, + noteable: design, + issue: issue, + project: issue.project, + author: note_author, + note: mentioned_user.to_reference + ) + end + + subject { design.participants(current_user) } + + it { is_expected.to be_empty } + + context 'when participants can read the project' do + before do + design.project.add_guest(version_author) + design.project.add_guest(note_author) + design.project.add_guest(mentioned_user) + end + + it { is_expected.to contain_exactly(version_author, note_author, mentioned_user) } + + context 'when the feature flag is disabled' do + before do + stub_feature_flags(design_management_design_notification_participants: false) + end + + it { is_expected.to be_empty } + end + end + end + describe "#new_design?" do let(:design) { design1 } diff --git a/spec/requests/api/graphql/mutations/snippets/destroy_spec.rb b/spec/requests/api/graphql/mutations/snippets/destroy_spec.rb index b71f87d2702..1be8ce142ac 100644 --- a/spec/requests/api/graphql/mutations/snippets/destroy_spec.rb +++ b/spec/requests/api/graphql/mutations/snippets/destroy_spec.rb @@ -53,10 +53,11 @@ RSpec.describe 'Destroying a Snippet' do let!(:snippet_gid) { project.to_gid.to_s } it 'returns an error' do + err_message = %Q["#{snippet_gid}" does not represent an instance of Snippet] + post_graphql_mutation(mutation, current_user: current_user) - expect(graphql_errors) - .to include(a_hash_including('message' => "#{snippet_gid} is not a valid ID for Snippet.")) + expect(graphql_errors).to include(a_hash_including('message' => a_string_including(err_message))) end it 'does not destroy the Snippet' do diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb index 916d8dec8c2..3348c103918 100644 --- a/spec/requests/api/settings_spec.rb +++ b/spec/requests/api/settings_spec.rb @@ -22,6 +22,7 @@ RSpec.describe API::Settings, 'Settings' do expect(json_response['default_ci_config_path']).to be_nil expect(json_response['sourcegraph_enabled']).to be_falsey expect(json_response['sourcegraph_url']).to be_nil + expect(json_response['secret_detection_token_revocation_url']).to be_nil expect(json_response['sourcegraph_public_only']).to be_truthy expect(json_response['default_project_visibility']).to be_a String expect(json_response['default_snippet_visibility']).to be_a String diff --git a/spec/services/notification_service_spec.rb b/spec/services/notification_service_spec.rb index e29cbd80a57..b6cbeea16ab 100644 --- a/spec/services/notification_service_spec.rb +++ b/spec/services/notification_service_spec.rb @@ -834,53 +834,63 @@ RSpec.describe NotificationService, :mailer do end end - context 'when notified of a new design diff note' do + context 'design diff note', :deliver_mails_inline do include DesignManagementTestHelpers let_it_be(:design) { create(:design, :with_file) } let_it_be(:project) { design.project } - let_it_be(:dev) { create(:user) } - let_it_be(:stranger) { create(:user) } + let_it_be(:member_and_mentioned) { create(:user, developer_projects: [project]) } + let_it_be(:member_and_author_of_second_note) { create(:user, developer_projects: [project]) } + let_it_be(:member_and_not_mentioned) { create(:user, developer_projects: [project]) } + let_it_be(:non_member_and_mentioned) { create(:user) } let_it_be(:note) do create(:diff_note_on_design, noteable: design, - note: "Hello #{dev.to_reference}, G'day #{stranger.to_reference}") + note: "Hello #{member_and_mentioned.to_reference}, G'day #{non_member_and_mentioned.to_reference}") + end + let_it_be(:note_2) do + create(:diff_note_on_design, noteable: design, author: member_and_author_of_second_note) end - let(:mailer) { double(deliver_later: true) } context 'design management is enabled' do before do enable_design_management - project.add_developer(dev) - allow(Notify).to receive(:note_design_email) { mailer } end - it 'sends new note notifications' do - expect(subject).to receive(:send_new_note_notifications).with(note) + it 'sends new note notifications', :aggregate_failures do + notification.new_note(note) - subject.new_note(note) + should_email(design.authors.first) + should_email(member_and_mentioned) + should_email(member_and_author_of_second_note) + should_not_email(member_and_not_mentioned) + should_not_email(non_member_and_mentioned) + should_not_email(note.author) end - it 'sends a mail to the developer' do - expect(Notify) - .to receive(:note_design_email).with(dev.id, note.id, 'mentioned') - - subject.new_note(note) - end + context 'when the feature flag is disabled' do + before do + stub_feature_flags(design_management_design_notification_participants: false) + end - it 'does not notify non-developers' do - expect(Notify) - .not_to receive(:note_design_email).with(stranger.id, note.id) + it 'sends a new note notification only to the mentioned member', :aggregate_failures do + notification.new_note(note) - subject.new_note(note) + should_email(member_and_mentioned) + should_not_email(design.authors.first) + should_not_email(member_and_author_of_second_note) + should_not_email(member_and_not_mentioned) + should_not_email(non_member_and_mentioned) + should_not_email(note.author) + end end end context 'design management is disabled' do - it 'does not notify the user' do - expect(Notify).not_to receive(:note_design_email) + it 'does not notify anyone' do + notification.new_note(note) - subject.new_note(note) + should_not_email_anyone end end end diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 8611b4f0f5f..ad84e274c5f 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -130,7 +130,6 @@ RSpec.configure do |config| config.include StubExperiments config.include StubGitlabCalls config.include StubGitlabData - config.include SnowplowHelpers config.include NextFoundInstanceOf config.include NextInstanceOf config.include TestEnv diff --git a/spec/support/snowplow.rb b/spec/support/snowplow.rb index 182cddaf08b..b67fa96fab8 100644 --- a/spec/support/snowplow.rb +++ b/spec/support/snowplow.rb @@ -1,6 +1,8 @@ # frozen_string_literal: true RSpec.configure do |config| + config.include SnowplowHelpers, :snowplow + config.before(:each, :snowplow) do # Using a high buffer size to not cause early flushes buffer_size = 100 |
