Commit 6c445a97 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge remote-tracking branch 'dev/16-3-stable-ee' into 16-3-stable-ee

parents 131cb84e 12886247
Showing
with 254 additions and 64 deletions
@@ -2,6 +2,20 @@
documentation](doc/development/changelog.md) for instructions on adding your own
entry.
 
## 16.3.6 (2023-10-30)
### Security (9 changes)
- [Fix infinite loop when finding component project](gitlab-org/security/gitlab@a1c1255f8f767f1b9a26aee1008ef6a286988a1d) ([merge request](gitlab-org/security/gitlab!3667))
- [Update gitlab-chronic-duration to 0.12](gitlab-org/security/gitlab@89ed5a67a26c362d197eae4f3228755a5e3a1c03) ([merge request](gitlab-org/security/gitlab!3630))
- [Guard gitlab_version_check helper](gitlab-org/security/gitlab@b8f490fc3cfe465d46666380b17c065669c216e1) ([merge request](gitlab-org/security/gitlab!3654))
- [Add the environment action to the CI JWT token fields](gitlab-org/security/gitlab@0563e1a02c2b6886cc21c4dfbedd975c102f0fbb) ([merge request](gitlab-org/security/gitlab!3615))
- [Remove FIFO files from tarball extract](gitlab-org/security/gitlab@d794f0c972e2e081c0ed78ed5001bdd111688641) ([merge request](gitlab-org/security/gitlab!3634))
- [Backport add abuse detection for pipes](gitlab-org/security/gitlab@84a3debec3ce0473598d4681850ccca74a892b30) ([merge request](gitlab-org/security/gitlab!3619))
- [Prevent unprivileged user assignment in templated projects](gitlab-org/security/gitlab@b4ba31c793317dee41382f7a41af4637f38cddaa) ([merge request](gitlab-org/security/gitlab!3637))
- [Fixes Service Desk email template issue description privileges](gitlab-org/security/gitlab@223765ae04031afda38f10e8487a3785ab53032b) ([merge request](gitlab-org/security/gitlab!3639))
- [Update mermaid version for DOS fixes](gitlab-org/security/gitlab@602b89ced4ccad048819fc1603d6e978fd58c882) ([merge request](gitlab-org/security/gitlab!3627))
## 16.3.5 (2023-09-28)
 
### Security (16 changes)
16.3.5
\ No newline at end of file
16.3.6
\ No newline at end of file
16.3.5
\ No newline at end of file
16.3.6
\ No newline at end of file
@@ -324,7 +324,7 @@ gem 'fast_blank'
 
# Parse time & duration
gem 'gitlab-chronic', '~> 0.10.5'
gem 'gitlab_chronic_duration', '~> 0.10.6.2'
gem 'gitlab_chronic_duration', '~> 0.12'
 
gem 'rack-proxy', '~> 0.7.6'
 
@@ -215,7 +215,7 @@
{"name":"gitlab-markup","version":"1.9.0","platform":"ruby","checksum":"7eda045a08ec2d110084252fa13a8c9eac8bdac0e302035ca7db4b82bcbd7ed4"},
{"name":"gitlab-net-dns","version":"0.9.2","platform":"ruby","checksum":"f726d978479d43810819f12a45c0906d775a07e34df111bbe693fffbbef3059d"},
{"name":"gitlab-styles","version":"10.1.0","platform":"ruby","checksum":"f42745f5397d042fe24cf2d0eb56c995b37f9f43d8fb79b834d197a1cafdc84a"},
{"name":"gitlab_chronic_duration","version":"0.10.6.2","platform":"ruby","checksum":"6dda4cfe7dca9b958f163ac8835c3d9cc70cf8df8cbb89bb2fbf9ba4375105fb"},
{"name":"gitlab_chronic_duration","version":"0.12.0","platform":"ruby","checksum":"0d766944d415b5c831f176871ee8625783fc0c5bfbef2d79a3a616f207ffc16d"},
{"name":"gitlab_omniauth-ldap","version":"2.2.0","platform":"ruby","checksum":"bb4d20acb3b123ed654a8f6a47d3fac673ece7ed0b6992edb92dca14bad2838c"},
{"name":"gitlab_quality-test_tooling","version":"0.9.3","platform":"ruby","checksum":"9751f3504b717499588bd0fa5517de9b6756e8b9548777ea0283b889694580f0"},
{"name":"globalid","version":"1.1.0","platform":"ruby","checksum":"b337e1746f0c8cb0a6c918234b03a1ddeb4966206ce288fbb57779f59b2d154f"},
@@ -675,7 +675,7 @@ GEM
rubocop-performance (~> 1.15)
rubocop-rails (~> 2.17)
rubocop-rspec (~> 2.22)
gitlab_chronic_duration (0.10.6.2)
gitlab_chronic_duration (0.12.0)
numerizer (~> 0.2)
gitlab_omniauth-ldap (2.2.0)
net-ldap (~> 0.16)
@@ -1825,7 +1825,7 @@ DEPENDENCIES
gitlab-sidekiq-fetcher!
gitlab-styles (~> 10.1.0)
gitlab-utils!
gitlab_chronic_duration (~> 0.10.6.2)
gitlab_chronic_duration (~> 0.12)
gitlab_omniauth-ldap (~> 2.2.0)
gitlab_quality-test_tooling (~> 0.9.3)
gon (~> 6.4.0)
16.3.5-ee
\ No newline at end of file
16.3.6-ee
\ No newline at end of file
@@ -11,12 +11,14 @@ def show_version_check?
end
 
def gitlab_version_check
return unless show_version_check?
VersionCheck.new.response
end
strong_memoize_attr :gitlab_version_check
 
def show_security_patch_upgrade_alert?
return false unless show_version_check? && gitlab_version_check
return false unless gitlab_version_check
 
Gitlab::Utils.to_boolean(gitlab_version_check['critical_vulnerability'])
end
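Review bot: `gitlab_version_check` can now return nil, and nothing at its definition says so; with `show_version_check?` dropped from `show_security_patch_upgrade_alert?`, the only guard lives inside the memoized method. A one-line comment above the method would make the contract visible, for example `# Returns nil when the version check is not shown; callers must nil-check before indexing.` Callers outside this hunk are not visible here, so any that index the response directly should be checked for nil handling. The enclosing helper module starts and ends outside the hunk.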
@@ -195,7 +195,11 @@ def note_text
end
 
def issue_description
@issue.description_html.to_s
return '' if @issue.description_html.blank?
# Remove references etc. from description HTML because external participants
# are no regular users and don't have permission to access them.
::Banzai::Renderer.post_process(@issue.description_html, {})
end
 
def subject_base
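Review bot: The redaction in `issue_description` depends on the empty `{}` context carrying no `current_user`, and the comment does not say that this is what makes the description render as an unauthenticated viewer would see it (presumably; `post_process` itself is not visible here). Stating it guards against a later change that passes a user into the context: `# Empty context: no current_user, so references are redacted as for an anonymous viewer.` The existing comment would also read better as `external participants are not regular users`. A spec that feeds a description containing a confidential reference and asserts it is absent from the email body would pin the behaviour.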
development:
unique_cookie_key_postfix: true
cookie_key: "_gitlab_session"
@@ -33,31 +33,32 @@ ID tokens are JSON Web Tokens (JWTs) used for OIDC authentication with third-par
 
The following fields are included in the JWT:
 
| Field | When | Description |
|-------------------------|------------------------------|-------------|
| `jti` | Always | Unique identifier for this token |
| `iss` | Always | Issuer, the domain of your GitLab instance |
| `iat` | Always | Issued at |
| `nbf` | Always | Not valid before |
| `exp` | Always | Expires at |
| `sub` | Always | Subject (job ID) |
| `namespace_id` | Always | Use this to scope to group or user level namespace by ID |
| `namespace_path` | Always | Use this to scope to group or user level namespace by path |
| `project_id` | Always | Use this to scope to project by ID |
| `project_path` | Always | Use this to scope to project by path |
| `user_id` | Always | ID of the user executing the job |
| `user_login` | Always | Username of the user executing the job |
| `user_email` | Always | Email of the user executing the job |
| `pipeline_id` | Always | ID of this pipeline |
| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) |
| `job_id` | Always | ID of this job |
| `ref` | Always | Git ref for this job |
| `ref_type` | Always | Git ref type, either `branch` or `tag` |
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
| Field | When | Description |
|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `jti` | Always | Unique identifier for this token |
| `iss` | Always | Issuer, the domain of your GitLab instance |
| `iat` | Always | Issued at |
| `nbf` | Always | Not valid before |
| `exp` | Always | Expires at |
| `sub` | Always | Subject (job ID) |
| `namespace_id` | Always | Use this to scope to group or user level namespace by ID |
| `namespace_path` | Always | Use this to scope to group or user level namespace by path |
| `project_id` | Always | Use this to scope to project by ID |
| `project_path` | Always | Use this to scope to project by path |
| `user_id` | Always | ID of the user executing the job |
| `user_login` | Always | Username of the user executing the job |
| `user_email` | Always | Email of the user executing the job |
| `pipeline_id` | Always | ID of this pipeline |
| `pipeline_source` | Always | [Pipeline source](../../jobs/job_control.md#common-if-clauses-for-rules) |
| `job_id` | Always | ID of this job |
| `ref` | Always | Git ref for this job |
| `ref_type` | Always | Git ref type, either `branch` or `tag` |
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
| `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
| `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../../environments/index.md#deployment-tier-of-environments) of environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2) |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
 
Example JWT payload:
 
@@ -84,7 +85,8 @@ Example JWT payload:
"ref_path": "refs/heads/auto-deploy-2020-04-01",
"ref_protected": "true",
"environment": "production",
"environment_protected": "true"
"environment_protected": "true",
"environment_action": "start"
}
```
 
@@ -51,32 +51,33 @@ The following standard claims are included in each ID token:
 
The token also includes custom claims provided by GitLab:
 
| Field | When | Description |
|-------------------------|------------------------------|-------------|
| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. |
| `namespace_path` | Always | Use this to scope to group or user level namespace by path. |
| `project_id` | Always | Use this to scope to project by ID. |
| `project_path` | Always | Use this to scope to project by path. |
| `user_id` | Always | ID of the user executing the job. |
| `user_login` | Always | Username of the user executing the job. |
| `user_email` | Always | Email of the user executing the job. |
| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). |
| `pipeline_id` | Always | ID of the pipeline. |
| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). |
| `job_id` | Always | ID of the job. |
| `ref` | Always | Git ref for the job. |
| `ref_type` | Always | Git ref type, either `branch` or `tag`. |
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. |
| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
| Field | When | Description |
|-------------------------|------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `namespace_id` | Always | Use this to scope to group or user level namespace by ID. |
| `namespace_path` | Always | Use this to scope to group or user level namespace by path. |
| `project_id` | Always | Use this to scope to project by ID. |
| `project_path` | Always | Use this to scope to project by path. |
| `user_id` | Always | ID of the user executing the job. |
| `user_login` | Always | Username of the user executing the job. |
| `user_email` | Always | Email of the user executing the job. |
| `user_identities` | User Preference setting | List of the user's external identities ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387537) in GitLab 16.0). |
| `pipeline_id` | Always | ID of the pipeline. |
| `pipeline_source` | Always | [Pipeline source](../jobs/job_control.md#common-if-clauses-for-rules). |
| `job_id` | Always | ID of the job. |
| `ref` | Always | Git ref for the job. |
| `ref_type` | Always | Git ref type, either `branch` or `tag`. |
| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
| `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
| `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
| `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
| `deployment_tier` | Job specifies an environment | [Deployment tier](../environments/index.md#deployment-tier-of-environments) of the environment the job specifies. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/363590) in GitLab 15.2. |
| `environment_action` | Job specifies an environment | [Environment action (`environment:action`)](../environments/index.md) specified in the job. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/) in GitLab 16.5) |
| `runner_id` | Always | ID of the runner executing the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
| `runner_environment` | Always | The type of runner used by the job. Can be either `gitlab-hosted` or `self-hosted`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
| `sha` | Always | The commit SHA for the job. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.0. |
| `ci_config_ref_uri` | Always | The ref path to the top-level pipeline definition, for example, `gitlab.example.com/my-group/my-project//.gitlab-ci.yml@refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
| `ci_config_sha` | Always | Git commit SHA for the `ci_config_ref_uri`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/404722) in GitLab 16.2. This claim is `null` unless the pipeline definition is located in the same project. |
| `project_visibility` | Always | The [visibility](../../user/public_access.md) of the project where the pipeline is running. Can be `internal`, `private`, or `public`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/418810) in GitLab 16.3. |
 
```json
{
@@ -101,6 +102,7 @@ The token also includes custom claims provided by GitLab:
"environment": "test-environment2",
"environment_protected": "false",
"deployment_tier": "testing",
"environment_action": "start",
"runner_id": 1,
"runner_environment": "self-hosted",
"sha": "714a629c0b401fdce83e847fc9589983fc6f46bc",
@@ -22,6 +22,13 @@ module RelationFactory
iteration
].freeze
 
PROTECTED_ACCESS_LEVEL_RELATION_NAMES = %i[
ProtectedBranch::MergeAccessLevel
ProtectedBranch::PushAccessLevel
ProtectedBranch::UnprotectAccessLevel
ProtectedTag::CreateAccessLevel
].freeze
class_methods do
extend ::Gitlab::Utils::Override
 
@@ -38,7 +45,23 @@ def existing_object_relations
 
override :invalid_relation?
def invalid_relation?
super || iteration_relation_without_group?
super || iteration_relation_without_group? || protected_access_level?
end
# ProtectedBranch merge and push access levels cannot be assigned to
# users without project administration permissions as they may gain
# access to sensitive data like group CI/CD variables.
def protected_access_level?
user_access_level_relation? && !user_can_admin_importable?
end
def user_access_level_relation?
relation_name.in?(PROTECTED_ACCESS_LEVEL_RELATION_NAMES) &&
relation_hash['user_id'].present?
end
def user_can_admin_importable?
user.can_admin_all_resources? || user.can?(:owner_access, importable)
end
 
override :generate_imported_object
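Review bot: The comment above `protected_access_level?` names only ProtectedBranch merge and push access levels, while `PROTECTED_ACCESS_LEVEL_RELATION_NAMES` also covers `ProtectedBranch::UnprotectAccessLevel` and `ProtectedTag::CreateAccessLevel`, so the comment understates what is filtered. Something like `# User-scoped access levels on protected branches (merge, push, unprotect) and protected tags (create) are imported only for admins and owners of the importable.` would match the constant. `user_access_level_relation?` keys only on `relation_hash['user_id']`; whether entries scoped by another key (for example a group) need the same guard cannot be determined from this hunk and is worth confirming. Dropped relations are skipped silently, so a log line on rejection would help when auditing imports.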
{"id":1,"project_id":9,"name":"master","created_at":"2016-08-30T07:32:52.426Z","updated_at":"2016-08-30T07:32:52.426Z","merge_access_levels":[{"id":1,"protected_branch_id":1,"access_level":40,"created_at":"2016-08-30T07:32:52.458Z","updated_at":"2016-08-30T07:32:52.458Z"}],"push_access_levels":[{"id":1,"protected_branch_id":1,"access_level":40,"created_at":"2016-08-30T07:32:52.490Z","updated_at":"2016-08-30T07:32:52.490Z"}]}
{"id":1,"project_id":9,"name":"master","created_at":"2016-08-30T07:32:52.426Z","updated_at":"2016-08-30T07:32:52.426Z","merge_access_levels":[{"id":1,"protected_branch_id":1,"access_level":40,"created_at":"2016-08-30T07:32:52.458Z","updated_at":"2016-08-30T07:32:52.458Z"},{"id":2,"protected_branch_id":1,"access_level":40,"user_id":1,"created_at":"2016-08-30T07:32:52.458Z","updated_at":"2016-08-30T07:32:52.458Z"}],"push_access_levels":[{"id":1,"protected_branch_id":1,"access_level":40,"created_at":"2016-08-30T07:32:52.490Z","updated_at":"2016-08-30T07:32:52.490Z"},{"id":2,"protected_branch_id":1,"access_level":40,"user_id":1,"created_at":"2016-08-30T07:32:52.458Z","updated_at":"2016-08-30T07:32:52.458Z"}],"unprotect_access_levels":[{"id":1,"protected_branch_id":1,"access_level":40,"created_at":"2016-08-30T07:32:52.490Z","updated_at":"2016-08-30T07:32:52.490Z"},{"id":2,"protected_branch_id":1,"access_level":40,"user_id":1,"created_at":"2016-08-30T07:32:52.458Z","updated_at":"2016-08-30T07:32:52.458Z"}]}
{"id":1,"project_id":9,"name":"v*","created_at":"2016-08-30T07:32:52.426Z","updated_at":"2016-08-30T07:32:52.426Z","create_access_levels":[{"id":1,"protected_tag_id":1,"access_level":40,"created_at":"2016-08-30T07:32:52.458Z","updated_at":"2016-08-30T07:32:52.458Z"},{"id":2,"protected_tag_id":1,"access_level":40,"user_id":1,"created_at":"2016-08-30T07:32:52.458Z","updated_at":"2016-08-30T07:32:52.458Z"}]}
@@ -163,6 +163,135 @@
end
end
 
describe 'protected branches' do
let_it_be(:project) { create(:project, :in_group, name: 'project', path: 'project') }
let(:user) { create(:user) }
subject(:protected_branch) { project.protected_branches.find_by(name: "master") }
context 'when user is admin', :enable_admin_mode do
before do
user.update!(admin: true)
setup_import_export_config('complex', 'ee')
restored_project_json
end
it 'creates all access levels' do
expect(project.protected_branches.count).to eq(1)
expect(protected_branch.merge_access_levels.for_role.count).to eq(1)
expect(protected_branch.merge_access_levels.by_user(user).count).to eq(1)
expect(protected_branch.push_access_levels.for_role.count).to eq(1)
expect(protected_branch.push_access_levels.by_user(user).count).to eq(1)
expect(protected_branch.unprotect_access_levels.for_role.count).to eq(1)
expect(protected_branch.unprotect_access_levels.by_user(user).count).to eq(1)
end
end
context 'when user is the group owner' do
before do
project.group.add_owner(user)
setup_import_export_config('complex', 'ee')
restored_project_json
end
it 'creates all access levels' do
expect(project.protected_branches.count).to eq(1)
expect(protected_branch.merge_access_levels.for_role.count).to eq(1)
expect(protected_branch.merge_access_levels.by_user(user).count).to eq(1)
expect(protected_branch.push_access_levels.for_role.count).to eq(1)
expect(protected_branch.push_access_levels.by_user(user).count).to eq(1)
expect(protected_branch.unprotect_access_levels.for_role.count).to eq(1)
expect(protected_branch.unprotect_access_levels.by_user(user).count).to eq(1)
end
end
context 'when user is maintainer' do
before do
project.group.add_maintainer(user)
setup_import_export_config('complex', 'ee')
restored_project_json
end
it 'excludes access levels assigned to users' do
expect(project.protected_branches.count).to eq(1)
expect(protected_branch.merge_access_levels.for_role.count).to eq(1)
expect(protected_branch.merge_access_levels.for_user.count).to eq(0)
expect(protected_branch.push_access_levels.for_role.count).to eq(1)
expect(protected_branch.push_access_levels.for_user.count).to eq(0)
expect(protected_branch.unprotect_access_levels.for_role.count).to eq(1)
expect(protected_branch.unprotect_access_levels.for_user.count).to eq(0)
end
end
end
describe 'protected tags' do
let_it_be(:project) { create(:project, :in_group, name: 'project', path: 'project') }
let(:user) { create(:user) }
context 'when user is admin', :enable_admin_mode do
before do
user.update!(admin: true)
setup_import_export_config('complex', 'ee')
restored_project_json
end
it 'creates all access levels' do
project = Project.find_by_path('project')
protected_tag = project.protected_tags.find_by(name: "v*")
expect(project.protected_tags.count).to eq(1)
expect(protected_tag.create_access_levels.for_role.count).to eq(1)
expect(protected_tag.create_access_levels.by_user(user).count).to eq(1)
end
end
context 'when user is the group owner' do
before do
project.group.add_owner(user)
setup_import_export_config('complex', 'ee')
restored_project_json
end
it 'creates all access levels' do
project = Project.find_by_path('project')
protected_tag = project.protected_tags.find_by(name: "v*")
expect(project.protected_tags.count).to eq(1)
expect(protected_tag.create_access_levels.for_role.count).to eq(1)
expect(protected_tag.create_access_levels.by_user(user).count).to eq(1)
end
end
context 'when user is maintainer' do
before do
project.group.add_maintainer(user)
setup_import_export_config('complex', 'ee')
restored_project_json
end
it 'excludes access levels assigned to users' do
project = Project.find_by_path('project')
protected_tag = project.protected_tags.find_by(name: "v*")
expect(project.protected_tags.count).to eq(1)
expect(protected_tag.create_access_levels.for_role.count).to eq(1)
expect(protected_tag.create_access_levels.for_user.count).to eq(0)
end
end
end
describe 'boards' do
let_it_be(:project) { create(:project, :builds_enabled, :issues_disabled, name: 'project', path: 'project') }
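Review bot: The admin and group-owner contexts under 'protected branches' repeat the same seven expectations verbatim, and the same happens under 'protected tags', which makes it easy for the positive and negative cases to drift apart. Extracting the positive case into a shared example keeps the authorization matrix readable and makes it cheap to add further roles. The restricted case is only exercised for a group maintainer; a context for a lower role would document that the filter is not maintainer-specific.

```ruby
shared_examples 'creates all protected branch access levels' do
  it 'creates all access levels' do
    expect(project.protected_branches.count).to eq(1)
    # … unchanged: the six for_role / by_user(user) expectations …
  end
end

context 'when user is admin', :enable_admin_mode do
  # … unchanged: before block …
  it_behaves_like 'creates all protected branch access levels'
end

context 'when user is the group owner' do
  # … unchanged: before block …
  it_behaves_like 'creates all protected branch access levels'
end
```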
 
@@ -5,6 +5,7 @@ module Ci
module Components
class InstancePath
include Gitlab::Utils::StrongMemoize
include ::Gitlab::LoopHelpers
 
LATEST_VERSION_KEYWORD = '~latest'
 
@@ -60,9 +61,15 @@ def instance_path
# Given a path like "my-org/sub-group/the-project/path/to/component"
# find the project "my-org/sub-group/the-project" by looking at all possible paths.
def find_project_by_component_path(path)
return if path.start_with?('/') # exit early if path starts with `/` or it will loop forever.
possible_paths = [path]
index = nil
loop_until(limit: 20) do
index = path.rindex('/') # find index of last `/` in a path
break unless index
 
while index = path.rindex('/') # find index of last `/` in a path
possible_paths << (path = path[0..index - 1])
end
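Review bot: The `limit: 20` passed to `loop_until` in `find_project_by_component_path` is an unexplained literal, and reaching it ends the search silently, so a component path with more segments than that would fail to resolve with nothing logged (assuming `loop_until` stops quietly at its limit; the helper is not visible here). A named constant documents the bound, e.g. `MAX_PATH_SEGMENTS = 20 # upper bound on path depth walked when locating the project`, used as `loop_until(limit: MAX_PATH_SEGMENTS)`. The `index = nil` before the loop looks unnecessary unless `index` is read after the loop, which this hunk does not show. The method body continues past the end of the hunk.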
 
@@ -71,7 +71,8 @@ def custom_claims
fields.merge!(
environment: environment.name,
environment_protected: environment_protected?.to_s,
deployment_tier: build.environment_tier
deployment_tier: build.environment_tier,
environment_action: build.environment_action
)
end
 
@@ -139,7 +139,7 @@ def clean_extraction_dir!(dir)
 
raise HardLinkError, 'File shares hard link' if Gitlab::Utils::FileInfo.shares_hard_link?(filepath)
 
FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath)
FileUtils.rm(filepath) if Gitlab::Utils::FileInfo.linked?(filepath) || File.pipe?(filepath)
end
 
true
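Review bot: Only FIFOs are added to the removal condition in `clean_extraction_dir!`, so any other non-regular entry (socket, block or character device) would still be left in the extraction directory if an archive produced one. An allow-list is sturdier than naming each special type: take `stat = File.lstat(filepath)` and use `FileUtils.rm(filepath) unless stat.file? || stat.directory?`, which also removes symlinks because `lstat` does not follow them. Whether `Gitlab::Utils::FileInfo.linked?` already covers part of this is not visible here, so the existing check may need to stay alongside. The enclosing loop starts outside the hunk.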
@@ -82,6 +82,8 @@ def create
 
private
 
attr_reader :relation_hash, :user
def invalid_relation?
# Do not create relation if it is a legacy trigger
legacy_trigger?