-rw-r--r--.rubocop_todo/gitlab/namespaced_class.yml5
-rw-r--r--app/helpers/storage_helper.rb1
-rw-r--r--app/models/x509_certificate.rb2
-rw-r--r--app/models/x509_issuer.rb2
-rw-r--r--config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml8
-rw-r--r--doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md19
-rw-r--r--doc/development/migration_style_guide.md8
-rw-r--r--lib/feature.rb2
-rw-r--r--lib/feature/definition.rb2
-rw-r--r--lib/feature/gitaly.rb2
-rw-r--r--lib/feature/logger.rb2
-rw-r--r--lib/feature/shared.rb2
-rw-r--r--lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml1
-rw-r--r--lib/gitlab/regex.rb4
-rw-r--r--lib/tasks/gitlab/graphql.rake6
-rw-r--r--spec/helpers/storage_helper_spec.rb6
-rw-r--r--spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb10
-rw-r--r--spec/lib/gitlab/regex_spec.rb14
-rw-r--r--spec/models/x509_certificate_spec.rb5
-rw-r--r--spec/models/x509_issuer_spec.rb5
20 files changed, 83 insertions, 23 deletions
diff --git a/.rubocop_todo/gitlab/namespaced_class.yml b/.rubocop_todo/gitlab/namespaced_class.yml
index 103628c577c..ffa0f4d0b2f 100644
--- a/.rubocop_todo/gitlab/namespaced_class.yml
+++ b/.rubocop_todo/gitlab/namespaced_class.yml
@@ -1105,11 +1105,6 @@ Gitlab/NamespacedClass:
- 'lib/carrier_wave_string_file.rb'
- 'lib/csv_builder.rb'
- 'lib/event_filter.rb'
- - 'lib/feature.rb'
- - 'lib/feature/definition.rb'
- - 'lib/feature/gitaly.rb'
- - 'lib/feature/logger.rb'
- - 'lib/feature/shared.rb'
- 'lib/file_size_validator.rb'
- 'lib/forever.rb'
- 'lib/generators/gitlab/snowplow_event_definition_generator.rb'
diff --git a/app/helpers/storage_helper.rb b/app/helpers/storage_helper.rb
index f978b9f51f3..ca81d5af4af 100644
--- a/app/helpers/storage_helper.rb
+++ b/app/helpers/storage_helper.rb
@@ -31,6 +31,7 @@ module StorageHelper
return if root_ancestor.paid?
return unless future_enforcement_date?(root_ancestor)
return if user_dismissed_storage_enforcement_banner?(root_ancestor)
+ return unless ::Feature.enabled?(:namespace_storage_limit_show_preenforcement_banner, root_ancestor)
{
text: html_escape_once(s_("UsageQuota|From %{storage_enforcement_date} storage limits will apply to this namespace. " \
diff --git a/app/models/x509_certificate.rb b/app/models/x509_certificate.rb
index 2c1d0110b7c..7c2581b8bb2 100644
--- a/app/models/x509_certificate.rb
+++ b/app/models/x509_certificate.rb
@@ -16,7 +16,7 @@ class X509Certificate < ApplicationRecord
has_many :x509_commit_signatures, class_name: 'CommitSignatures::X509CommitSignature', inverse_of: 'x509_certificate'
# rfc 5280 - 4.2.1.2 Subject Key Identifier
- validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ }
+ validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex }
# rfc 5280 - 4.1.2.6 Subject
validates :subject, presence: true
# rfc 5280 - 4.1.2.6 Subject (subjectAltName contains the email address)
diff --git a/app/models/x509_issuer.rb b/app/models/x509_issuer.rb
index 4b75e38bbde..81491d8e507 100644
--- a/app/models/x509_issuer.rb
+++ b/app/models/x509_issuer.rb
@@ -4,7 +4,7 @@ class X509Issuer < ApplicationRecord
has_many :x509_certificates, inverse_of: 'x509_issuer'
# rfc 5280 - 4.2.1.1 Authority Key Identifier
- validates :subject_key_identifier, presence: true, format: { with: /\A(\h{2}:){19}\h{2}\z/ }
+ validates :subject_key_identifier, presence: true, format: { with: Gitlab::Regex.x509_subject_key_identifier_regex }
# rfc 5280 - 4.1.2.4 Issuer
validates :subject, presence: true
# rfc 5280 - 4.2.1.13 CRL Distribution Points
diff --git a/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml b/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml
new file mode 100644
index 00000000000..754a6a16356
--- /dev/null
+++ b/config/feature_flags/development/namespace_storage_limit_show_preenforcement_banner.yml
@@ -0,0 +1,8 @@
+---
+name: namespace_storage_limit_show_preenforcement_banner
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/issues/350632
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/362340
+milestone: '15.2'
+type: development
+group: group::utilization
+default_enabled: false
diff --git a/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md b/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
index a2f50fdc741..5356ebb84f1 100644
--- a/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
+++ b/doc/ci/cloud_deployment/ecs/deploy_to_aws_ecs.md
@@ -256,13 +256,26 @@ Since this service is shared by all review apps, there is a limitation that only
### Configure SAST
-Using [SAST](../../../user/application_security/sast/index.md) with ECS requires no extra configuration. For more
-details about how to configure SAST, see the SAST [documentation](../../../user/application_security/sast/index.md).
+To use [SAST](../../../user/application_security/sast/index.md) with ECS, add the following to your `.gitlab-ci.yml` file:
+
+```yaml
+include:
+ - template: Security/SAST.gitlab-ci.yml
+```
+
+For more details and configuration options, see the [SAST documentation](../../../user/application_security/sast/index.md#configuration).
### Configure DAST
To use [DAST](../../../user/application_security/dast/index.md) on non-default branches, [set up review apps](#set-up-review-apps)
-and then follow the steps outlined in the DAST [documentation](../../../user/application_security/dast/index.md).
+and add the following to your `.gitlab-ci.yml` file:
+
+```yaml
+include:
+ - template: Security/DAST.gitlab-ci.yml
+```
+
+For more details and configuration options, see the [DAST documentation](../../../user/application_security/dast/index.md).
## Further reading
diff --git a/doc/development/migration_style_guide.md b/doc/development/migration_style_guide.md
index c9b59ba66b5..4a1d4389ceb 100644
--- a/doc/development/migration_style_guide.md
+++ b/doc/development/migration_style_guide.md
@@ -90,6 +90,14 @@ Keep in mind that all durations should be measured against GitLab.com.
| Post-deployment migrations | `<= 10 minutes` | A valid exception are schema changes, since they must not happen in background migrations. |
| Background migrations | `> 10 minutes` | Since these are suitable for larger tables, it's not possible to set a precise timing guideline, however, any single query must stay below [`1 second` execution time](query_performance.md#timing-guidelines-for-queries) with cold caches. |
+## Decide which database to target
+
+GitLab connects to two different Postgres databases: `main` and `ci`. This split can affect migrations
+as they may run on either or both of these databases.
+
+Read [Migrations for Multiple databases](database/migrations_for_multiple_databases.md) to understand if or how
+a migration you add should account for this.
+
## Create a regular schema migration
To create a migration you can use the following Rails generator:
diff --git a/lib/feature.rb b/lib/feature.rb
index 3bba4be7514..36d2456ec6f 100644
--- a/lib/feature.rb
+++ b/lib/feature.rb
@@ -3,7 +3,7 @@
require 'flipper/adapters/active_record'
require 'flipper/adapters/active_support_cache_store'
-class Feature
+module Feature
# Classes to override flipper table names
class FlipperFeature < Flipper::Adapters::ActiveRecord::Feature
include DatabaseReflection
diff --git a/lib/feature/definition.rb b/lib/feature/definition.rb
index 1551af730db..270bf46221d 100644
--- a/lib/feature/definition.rb
+++ b/lib/feature/definition.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
-class Feature
+module Feature
class Definition
include ::Feature::Shared
diff --git a/lib/feature/gitaly.rb b/lib/feature/gitaly.rb
index 04ed78b8a51..0c6b9dfde7a 100644
--- a/lib/feature/gitaly.rb
+++ b/lib/feature/gitaly.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
-class Feature
+module Feature
class Gitaly
PREFIX = "gitaly_"
diff --git a/lib/feature/logger.rb b/lib/feature/logger.rb
index 784a619e182..95e160273b6 100644
--- a/lib/feature/logger.rb
+++ b/lib/feature/logger.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
-class Feature
+module Feature
class Logger < ::Gitlab::JsonLogger
def self.file_name_noext
'features_json'
diff --git a/lib/feature/shared.rb b/lib/feature/shared.rb
index 40f21fc4f50..edfc39aea0c 100644
--- a/lib/feature/shared.rb
+++ b/lib/feature/shared.rb
@@ -4,7 +4,7 @@
# 1. `Pure Ruby`: `bin/feature-flag`
# 2. `GitLab Rails`: `lib/feature/definition.rb`
-class Feature
+module Feature
module Shared
# optional: defines if a on-disk definition is required for this feature flag type
# rollout_issue: defines if `bin/feature-flag` asks for rollout issue
diff --git a/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml b/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
index 17e49440784..1ac9c319429 100644
--- a/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/AWS/Deploy-ECS.gitlab-ci.yml
@@ -7,6 +7,7 @@ stages:
- build
- test
- review
+ - dast
- deploy
- production
- cleanup
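Review bot: The `dast` stage is added to `stages:` without a comment, and the hunk adds no job that uses it. It presumably exists so that `Security/DAST.gitlab-ci.yml` can be included alongside this template, as the new spec and documentation in this commit suggest. A line such as `# dast: only used when Security/DAST.gitlab-ci.yml is included; placed after review so the scan targets the review app` above the entry would keep it from being removed later as dead configuration. The stages list starts outside the hunk.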
diff --git a/lib/gitlab/regex.rb b/lib/gitlab/regex.rb
index b0f4194b7a0..0534f890152 100644
--- a/lib/gitlab/regex.rb
+++ b/lib/gitlab/regex.rb
@@ -486,6 +486,10 @@ module Gitlab
def sep_by_1(separator, part)
%r(#{part} (#{separator} #{part})*)x
end
+
+ def x509_subject_key_identifier_regex
+ @x509_subject_key_identifier_regex ||= /\A(?:\h{2}:)*\h{2}\z/.freeze
+ end
end
end
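Review bot: `x509_subject_key_identifier_regex` no longer bounds the identifier length: `(?:\h{2}:)*` accepts anything from a single octet (`AB`) to an arbitrarily long colon-separated string, where the pattern it replaces in `X509Certificate` and `X509Issuer` required exactly 20 octets. If the intent is to admit key identifiers shorter than a SHA-1 digest, a bounded quantifier keeps that while capping what validation lets through, e.g. `/\A(?:\h{2}:){0,#{MAX_OCTETS - 1}}\h{2}\z/`, where `MAX_OCTETS` is a placeholder for whatever the column size and expected identifiers justify. The method also has no comment; something like `# Colon-separated hex octets of an X.509 key identifier (RFC 5280 4.2.1.1 / 4.2.1.2); the length depends on how the identifier was derived` would explain why the length is not fixed. The enclosing module starts outside the hunk.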
diff --git a/lib/tasks/gitlab/graphql.rake b/lib/tasks/gitlab/graphql.rake
index b9137aa0d4c..a05b749a60e 100644
--- a/lib/tasks/gitlab/graphql.rake
+++ b/lib/tasks/gitlab/graphql.rake
@@ -15,10 +15,8 @@ namespace :gitlab do
# Also avoids pipeline failures in case developer
# dumps schema with flags disabled locally before pushing
task enable_feature_flags: :environment do
- class Feature
- def self.enabled?(*args)
- true
- end
+ def Feature.enabled?(*args)
+ true
end
end
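Review bot: The singleton override `def Feature.enabled?(*args)` stays in effect for the rest of the rake process, so any task that runs after `enable_feature_flags` in the same invocation sees every feature flag as enabled, whatever it gates. The existing comment explains the schema-dump motivation but not that scope; I would add `# Process-wide override: chain this only before the GraphQL schema tasks, never before tasks that act on data`. `args` is unused, so `def Feature.enabled?(*)` states the same thing more plainly. The `namespace :gitlab` block begins and continues outside the hunk.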
diff --git a/spec/helpers/storage_helper_spec.rb b/spec/helpers/storage_helper_spec.rb
index 4732076ab13..cd5701db83b 100644
--- a/spec/helpers/storage_helper_spec.rb
+++ b/spec/helpers/storage_helper_spec.rb
@@ -89,6 +89,12 @@ RSpec.describe StorageHelper do
expect(helper.storage_enforcement_banner_info(free_group)).to be(nil)
end
+ it 'returns nil when namespace_storage_limit_show_preenforcement_banner FF is disabled' do
+ stub_feature_flags(namespace_storage_limit_show_preenforcement_banner: false)
+
+ expect(helper.storage_enforcement_banner_info(free_group)).to be(nil)
+ end
+
context 'when current_user can access the usage quotas page' do
it 'returns a hash' do
expect(helper.storage_enforcement_banner_info(free_group)).to eql({
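Review bot: The new example sits outside the `when current_user can access the usage quotas page` context, so it may pass for a reason other than the flag. If the helper already returns nil for `free_group` under the outer setup, disabling `namespace_storage_limit_show_preenforcement_banner` is never what decides the result. The setup is outside the hunk, so this is an inference. Moving the example into the context where the helper `returns a hash`, or first asserting a non-nil result with the flag enabled, would make it fail if the guard were removed.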
diff --git a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
index 27de8324206..65fd2b016ac 100644
--- a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
@@ -34,6 +34,16 @@ RSpec.describe 'Deploy-ECS.gitlab-ci.yml' do
expect(build_names).to include('production_ecs')
end
+ context 'when the DAST template is also included' do
+ let(:dast_template) { Gitlab::Template::GitlabCiYmlTemplate.find('Security/DAST') }
+
+ before do
+ stub_ci_pipeline_yaml_file(template.content + dast_template.content)
+ end
+
+ include_examples 'no pipeline yaml error'
+ end
+
context 'when running a pipeline for a branch' do
let(:pipeline_branch) { 'test_branch' }
diff --git a/spec/lib/gitlab/regex_spec.rb b/spec/lib/gitlab/regex_spec.rb
index d48e8183650..a3afbed18e2 100644
--- a/spec/lib/gitlab/regex_spec.rb
+++ b/spec/lib/gitlab/regex_spec.rb
@@ -968,4 +968,18 @@ RSpec.describe Gitlab::Regex do
it { is_expected.not_to match('abc!abc') }
it { is_expected.not_to match((['abc'] * 100).join('.') + '!') }
end
+
+ describe '.x509_subject_key_identifier_regex' do
+ subject { described_class.x509_subject_key_identifier_regex }
+
+ it { is_expected.to match('AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB') }
+ it { is_expected.to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD') }
+ it { is_expected.to match('79:FB:C1:E5:6B:53:8B:0A') }
+ it { is_expected.to match('79:fb:c1:e5:6b:53:8b:0a') }
+
+ it { is_expected.not_to match('') }
+ it { is_expected.not_to match('CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG') }
+ it { is_expected.not_to match('random string') }
+ it { is_expected.not_to match('12321342545356434523412341245452345623453542345234523453245') }
+ end
end
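Review bot: The negative cases for `.x509_subject_key_identifier_regex` do not pin the anchors or the separator rules. Nothing checks a trailing or leading colon (`'AB:CD:'`, `':AB'`), an odd number of hex digits (`'ABC'`), or a value followed by a newline (`"AB:CD\n"`), which is the case that distinguishes `\z` from `$`. Adding `it { is_expected.not_to match("AB:CD\n") }` and `it { is_expected.not_to match('AB:CD:') }` would keep a later edit from loosening the pattern unnoticed. A single octet such as `'AB'` currently matches; an explicit example either way would record whether that is intended.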
diff --git a/spec/models/x509_certificate_spec.rb b/spec/models/x509_certificate_spec.rb
index d3b4470d3f4..5723bd80739 100644
--- a/spec/models/x509_certificate_spec.rb
+++ b/spec/models/x509_certificate_spec.rb
@@ -73,7 +73,9 @@ RSpec.describe X509Certificate do
it 'accepts correct subject_key_identifier' do
subject_key_identifiers = [
'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
- 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD'
+ 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD',
+ '79:FB:C1:E5:6B:53:8B:0A',
+ '79:fb:c1:e5:6b:53:8b:0a'
]
subject_key_identifiers.each do |identifier|
@@ -83,7 +85,6 @@ RSpec.describe X509Certificate do
it 'rejects invalid subject_key_identifier' do
subject_key_identifiers = [
- 'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG',
'random string',
'12321342545356434523412341245452345623453542345234523453245'
diff --git a/spec/models/x509_issuer_spec.rb b/spec/models/x509_issuer_spec.rb
index f1067cad655..3d04adf7e26 100644
--- a/spec/models/x509_issuer_spec.rb
+++ b/spec/models/x509_issuer_spec.rb
@@ -39,7 +39,9 @@ RSpec.describe X509Issuer do
it 'accepts correct subject_key_identifier' do
subject_key_identifiers = [
'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
- 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD'
+ 'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD',
+ '79:FB:C1:E5:6B:53:8B:0A',
+ '79:fb:c1:e5:6b:53:8b:0a'
]
subject_key_identifiers.each do |identifier|
@@ -49,7 +51,6 @@ RSpec.describe X509Issuer do
it 'rejects invalid subject_key_identifier' do
subject_key_identifiers = [
- 'AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB:AB',
'CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:CD:GG',
'random string',
'12321342545356434523412341245452345623453542345234523453245'