Add latest changes from gitlab-org/security/gitlab@12-6-stable-ee

8f414ef2 · GitLab Bot · 9fc86114 · 8f414ef2 · 8f414ef2 · 9fc86114
Commit 8f414ef2 authored 5 years ago by GitLab Bot
--- a/Gemfile
+++ b/Gemfile
@@ -327,7 +327,7 @@ group :metrics do
  gem 'influxdb', '~> 0.2', require: false
  
  # Prometheus
-  gem 'prometheus-client-mmap', '~> 0.9.10'
+  gem 'prometheus-client-mmap', '~> 0.10.0'
  gem 'raindrops', '~> 0.18'
 end
  

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -531,8 +531,8 @@ GEM
      regexp_parser (~> 1.1)
      regexp_property_values (~> 0.3)
    json (1.8.6)
-    json-jwt (1.9.4)
-      activesupport
+    json-jwt (1.11.0)
+      activesupport (>= 4.2)
      aes_key_wrap
      bindata
    json-schema (2.8.0)
@@ -746,7 +746,7 @@ GEM
      parser
      unparser
    procto (0.0.3)
-    prometheus-client-mmap (0.9.10)
+    prometheus-client-mmap (0.10.0)
    pry (0.11.3)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
@@ -1283,7 +1283,7 @@ DEPENDENCIES
  peek (~> 1.1)
  pg (~> 1.1)
  premailer-rails (~> 1.10.3)
-  prometheus-client-mmap (~> 0.9.10)
+  prometheus-client-mmap (~> 0.10.0)
  pry-byebug (~> 3.5.1)
  pry-rails (~> 0.3.4)
  rack (~> 2.0.7)

--- a/app/finders/clusters/knative_serving_namespace_finder.rb
+++ b/app/finders/clusters/knative_serving_namespace_finder.rb
-# frozen_string_literal: true
-
-module Clusters
-  class KnativeServingNamespaceFinder
-    attr_reader :cluster
-
-    def initialize(cluster)
-      @cluster = cluster
-    end
-
-    def execute
-      cluster.kubeclient&.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
-    rescue Kubeclient::ResourceNotFoundError
-      nil
-    rescue Kubeclient::HttpError => e
-      # If the kubernetes auth engine is enabled, it will return 403
-      if e.error_code == 403
-        Gitlab::ErrorTracking.track_exception(e)
-        nil
-      else
-        raise
-      end
-    end
-  end
-end
--- a/app/finders/clusters/knative_version_role_binding_finder.rb
+++ b/app/finders/clusters/knative_version_role_binding_finder.rb
-# frozen_string_literal: true
-
-module Clusters
-  class KnativeVersionRoleBindingFinder
-    attr_reader :cluster
-
-    def initialize(cluster)
-      @cluster = cluster
-    end
-
-    def execute
-      cluster.kubeclient&.get_cluster_role_binding(Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME)
-    rescue Kubeclient::ResourceNotFoundError
-      nil
-    end
-  end
-end
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -1320,7 +1320,7 @@ class Project < ApplicationRecord
  end
  
  def has_active_hooks?(hooks_scope = :push_hooks)
-    hooks.hooks_for(hooks_scope).any? || SystemHook.hooks_for(hooks_scope).any?
+    hooks.hooks_for(hooks_scope).any? || SystemHook.hooks_for(hooks_scope).any? || Gitlab::Plugin.any?
  end
  
  def has_active_services?(hooks_scope = :push_hooks)

--- a/app/presenters/release_presenter.rb
+++ b/app/presenters/release_presenter.rb
@@ -40,7 +40,7 @@ class ReleasePresenter < Gitlab::View::Presenter::Delegated
  def evidence_file_path
    return unless release.evidence.present?
  
-    evidence_project_release_url(project, tag, format: :json)
+    evidence_project_release_url(project, release.to_param, format: :json)
  end
  
  private

--- a/app/services/ci/find_exposed_artifacts_service.rb
+++ b/app/services/ci/find_exposed_artifacts_service.rb
@@ -46,6 +46,8 @@ module Ci
    # it could contain many. We only need to know whether it has 1 or more
    # artifacts, so fetching the first 2 would be sufficient.
    def first_2_metadata_entries_for_artifacts_paths(job)
+      return [] unless job.artifacts_metadata
+
      job.artifacts_paths
        .lazy
        .map { |path| job.artifacts_metadata_entry(path, recursive: true) }

--- a/app/services/clusters/aws/provision_service.rb
+++ b/app/services/clusters/aws/provision_service.rb
@@ -38,8 +38,7 @@ module Clusters
      def credentials
        @credentials ||= Clusters::Aws::FetchCredentialsService.new(
          provision_role,
-          provider: provider,
-          region: provider.region
+          provider: provider
        ).execute
      end
  

--- a/app/services/clusters/kubernetes.rb
+++ b/app/services/clusters/kubernetes.rb
@@ -12,8 +12,5 @@ module Clusters
    GITLAB_KNATIVE_SERVING_ROLE_BINDING_NAME = 'gitlab-knative-serving-rolebinding'
    GITLAB_CROSSPLANE_DATABASE_ROLE_NAME = 'gitlab-crossplane-database-role'
    GITLAB_CROSSPLANE_DATABASE_ROLE_BINDING_NAME = 'gitlab-crossplane-database-rolebinding'
-    GITLAB_KNATIVE_VERSION_ROLE_NAME = 'gitlab-knative-version-role'
-    GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME = 'gitlab-knative-version-rolebinding'
-    KNATIVE_SERVING_NAMESPACE = 'knative-serving'
  end
 end
--- a/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
+++ b/app/services/clusters/kubernetes/create_or_update_service_account_service.rb
@@ -49,14 +49,8 @@ module Clusters
  
        create_or_update_knative_serving_role
        create_or_update_knative_serving_role_binding
-
        create_or_update_crossplane_database_role
        create_or_update_crossplane_database_role_binding
-
-        return unless knative_serving_namespace
-
-        create_or_update_knative_version_role
-        create_or_update_knative_version_role_binding
      end
  
      private
@@ -70,12 +64,6 @@ module Clusters
        ).ensure_exists!
      end
  
-      def knative_serving_namespace
-        kubeclient.get_namespace(Clusters::Kubernetes::KNATIVE_SERVING_NAMESPACE)
-      rescue Kubeclient::ResourceNotFoundError
-        nil
-      end
-
      def create_role_or_cluster_role_binding
        if namespace_creator
          kubeclient.create_or_update_role_binding(role_binding_resource)
@@ -100,14 +88,6 @@ module Clusters
        kubeclient.update_role_binding(crossplane_database_role_binding_resource)
      end
  
-      def create_or_update_knative_version_role
-        kubeclient.update_cluster_role(knative_version_role_resource)
-      end
-
-      def create_or_update_knative_version_role_binding
-        kubeclient.update_cluster_role_binding(knative_version_role_binding_resource)
-      end
-
      def service_account_resource
        Gitlab::Kubernetes::ServiceAccount.new(
          service_account_name,
@@ -186,27 +166,6 @@ module Clusters
          service_account_name: service_account_name
        ).generate
      end
-
-      def knative_version_role_resource
-        Gitlab::Kubernetes::ClusterRole.new(
-          name: Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_NAME,
-          rules: [{
-            apiGroups: %w(apps),
-            resources: %w(deployments),
-            verbs: %w(list get)
-          }]
-        ).generate
-      end
-
-      def knative_version_role_binding_resource
-        subjects = [{ kind: 'ServiceAccount', name: service_account_name, namespace: service_account_namespace }]
-
-        Gitlab::Kubernetes::ClusterRoleBinding.new(
-          Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_BINDING_NAME,
-          Clusters::Kubernetes::GITLAB_KNATIVE_VERSION_ROLE_NAME,
-          subjects
-        ).generate
-      end
    end
  end
 end
--- a/changelogs/unreleased/121670-redis-cache-read-error-prevents-cas-users-from-remaining-signed-in.yml
+++ b/changelogs/unreleased/121670-redis-cache-read-error-prevents-cas-users-from-remaining-signed-in.yml
+---
+title: Fix CAS users being signed out repeatedly
+merge_request: 22704
+author:
+type: fixed
--- a/changelogs/unreleased/121751-new-eks-cluster-results-in-error-unknown-keyword-region.yml
+++ b/changelogs/unreleased/121751-new-eks-cluster-results-in-error-unknown-keyword-region.yml
+---
+title: Remove unused keyword from EKS provision service
+merge_request: 22633
+author:
+type: fixed
--- a/changelogs/unreleased/39119-actioncontroller-urlgenerationerror-no-route-matches-action-evidenc.yml
+++ b/changelogs/unreleased/39119-actioncontroller-urlgenerationerror-no-route-matches-action-evidenc.yml
+---
+title: Fix releases page when tag contains a slash
+merge_request: 22527
+author:
+type: fixed
--- a/changelogs/unreleased/fix-no-artifacts-when-exposed.yml
+++ b/changelogs/unreleased/fix-no-artifacts-when-exposed.yml
+---
+title: Fix bug when trying to expose artifacts and no artifacts are produced by the job
+merge_request: 22378
+author:
+type: fixed
--- a/changelogs/unreleased/fix-on-train-method-in-mr.yml
+++ b/changelogs/unreleased/fix-on-train-method-in-mr.yml
+---
+title: Fix RefreshMergeRequestsService raises an exception and unnecessary sidekiq retry
+merge_request: 22262
+author:
+type: fixed
--- a/changelogs/unreleased/revert-knative-version-prerequisite.yml
+++ b/changelogs/unreleased/revert-knative-version-prerequisite.yml
+---
+title: Reverts Add RBAC permissions for getting knative version
+merge_request: 22560
+author:
+type: fixed
--- a/changelogs/unreleased/sh-bump-json-jwt.yml
+++ b/changelogs/unreleased/sh-bump-json-jwt.yml
+---
+title: Upgrade json-jwt to v1.11.0
+merge_request: 22440
+author:
+type: security
--- a/changelogs/unreleased/sh-disable-prom-metrics-on-failure.yml
+++ b/changelogs/unreleased/sh-disable-prom-metrics-on-failure.yml
+---
+title: Disable Prometheus metrics if initialization fails
+merge_request: 22355
+author:
+type: fixed
--- a/changelogs/unreleased/sh-fix-ci-lint-errors.yml
+++ b/changelogs/unreleased/sh-fix-ci-lint-errors.yml
+---
+title: Gracefully error handle CI lint errors in artifacts section
+merge_request: 22388
+author:
+type: fixed
--- a/changelogs/unreleased/sh-fix-plugins-not-executing.yml
+++ b/changelogs/unreleased/sh-fix-plugins-not-executing.yml
+---
+title: Fix GitLab plugins not working without hooks configured
+merge_request: 22409
+author:
+type: fixed