Automatic merge of gitlab-org/gitlab master

72dd03d1 · GitLab Bot · 7e9cac46 · fdcf6a41 · 72dd03d1 · 72dd03d1
Commit 72dd03d1 authored Sep 29, 2021 by GitLab Bot
13 changed files
--- a/app/assets/javascripts/editor/schema/ci.json
+++ b/app/assets/javascripts/editor/schema/ci.json
@@ -277,7 +277,8 @@
              "type": "string",
              "format": "uri-reference",
              "pattern": "\\.ya?ml$"
-            }
+            },
+            "rules": { "$ref": "#/definitions/rules" }
          },
          "required": ["local"]
        },
@@ -491,7 +492,7 @@
    },
    "rules": {
      "type": "array",
-      "description": "rules allows for an array of individual rule objects to be evaluated in order, until one matches and dynamically provides attributes to the job.",
+      "description": "Rules allows for an array of individual rule objects to be evaluated in order, until one matches and dynamically provides attributes to the job.",
      "items": {
        "type": "object",
        "additionalProperties": false,
@@ -625,17 +626,26 @@
      ]
    },
    "cache": {
-      "oneOf": [
+      "properties": {
-        {
+        "when": {
-          "$ref": "#/definitions/cache_entry"
+          "description": "Defines when to save the cache, based on the status of the job.",
-        },
+          "default": "on_success",
-        {
+          "oneOf": [
-          "type": "array",
+            {
-          "items": {
+              "enum": ["on_success"],
-            "$ref": "#/definitions/cache_entry"
+              "description": "Save the cache only when the job succeeds."
-          }
+            },
+            {
+              "enum": ["on_failure"],
+              "description": "Save the cache only when the job fails. "
+            },
+            {
+              "enum": ["always"],
+              "description": "Always save the cache. "
+            }
+          ]
        }
-      ]
+      }
    },
    "cache_entry": {
      "type": "object",
@@ -1320,6 +1330,29 @@
                              }
                            },
                            "required": ["artifact", "job"]
+                          },
+                          {
+                            "type": "object",
+                            "additionalProperties": false,
+                            "properties": {
+                              "project": {
+                                "description": "Path to another private project under the same GitLab instance, like `group/project` or `group/sub-group/project`.",
+                                "type": "string",
+                                "pattern": "\\S/\\S"
+                              },
+                              "ref": {
+                                "description": "Branch/Tag/Commit hash for the target project.",
+                                "minLength": 1,
+                                "type": "string"
+                              },
+                              "file": {
+                                "description": "Relative path from repository root (`/`) to the pipeline configuration YAML file.",
+                                "type": "string",
+                                "format": "uri-reference",
+                                "pattern": "\\.ya?ml$"
+                              }
+                            },
+                            "required": ["project", "file"]
                          }
                        ]
                      }

--- a/app/helpers/routing/pseudonymization_helper.rb
+++ b/app/helpers/routing/pseudonymization_helper.rb
@@ -28,7 +28,7 @@ module Routing
                    when 'groups'
                      "/namespace:#{group.id}"
                    when 'projects'
-                      "/namespace:#{project.namespace.id}/project:#{project.id}"
+                      "/namespace:#{project.namespace_id}/project:#{project.id}"
                    when 'root'
                      ''
                    else
@@ -44,7 +44,7 @@ module Routing
      masked_url = "#{request.protocol}#{request.host_with_port}"
      if request_params.has_key?(:project_id)
-        masked_url += "/namespace:#{project.namespace.id}/project:#{project.id}/-/#{namespace_type}"
+        masked_url += "/namespace:#{project.namespace_id}/project:#{project.id}/-/#{namespace_type}"
      end
      if request_params.has_key?(:id)

--- a/app/helpers/tab_helper.rb
+++ b/app/helpers/tab_helper.rb
@@ -73,7 +73,6 @@ module TabHelper
  #           :action       - One or more action names to check (optional).
  #           :path         - A shorthand path, such as 'dashboard#index', to check (optional).
  #           :html_options - Extra options to be passed to the list element (optional).
-  #           :unless       - Callable object to skip rendering the 'active' class on `li` element (optional).
  # block   - An optional block that will become the contents of the returned
  #           `li` element.
  #
@@ -118,11 +117,6 @@ module TabHelper
  #   nav_link(path: 'admin/appearances#show') { "Hello"}
  #   # => '<li class="active">Hello</li>'
  #
-  #   # Shorthand path + unless
-  #   # Add `active` class when TreeController is requested, except the `index` action.
-  #   nav_link(controller: 'tree', unless: -> { action_name?('index') }) { "Hello" }
-  #   # => '<li class="active">Hello</li>'
-  #
  #   # When `TreeController#index` is requested
  #   # => '<li>Hello</li>'
  #
@@ -151,8 +145,6 @@ module TabHelper
  end
  def active_nav_link?(options)
-    return false if options[:unless]&.call
    controller = options.delete(:controller)
    action = options.delete(:action)

--- a/app/services/projects/overwrite_project_service.rb
+++ b/app/services/projects/overwrite_project_service.rb
@@ -3,7 +3,7 @@
 module Projects
  class OverwriteProjectService < BaseService
    def execute(source_project)
-      return unless source_project && source_project.namespace == @project.namespace
+      return unless source_project && source_project.namespace_id == @project.namespace_id
      start_time = ::Gitlab::Metrics::System.monotonic_time
@@ -40,7 +40,7 @@ module Projects
      duration = ::Gitlab::Metrics::System.monotonic_time - start_time
      Gitlab::AppJsonLogger.info(class: self.class.name,
-                                 namespace_id: source_project.namespace.id,
+                                 namespace_id: source_project.namespace_id,
                                 project_id: source_project.id,
                                 duration_s: duration.to_f,
                                 error: exception.class.name)

--- a/doc/integration/vault.md
+++ b/doc/integration/vault.md
@@ -5,7 +5,7 @@ info: To determine the technical writer assigned to the Stage/Group associated w
 type: reference, howto
 ---
-# Vault Authentication with GitLab OpenID Connect
+# Vault Authentication with GitLab OpenID Connect **(FREE)**
 > [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/issues/22323) in GitLab 9.0

--- a/doc/user/application_security/dast/dast_troubleshooting.md
+++ b/doc/user/application_security/dast/dast_troubleshooting.md
@@ -20,7 +20,7 @@ A DAST job has two executing processes:
 Enable the `DAST_DEBUG` CI/CD variable to debug scripts. This can help when troubleshooting the job,
 and outputs statements indicating what percentage of the scan is complete.
-For details on using variables, see [Overriding the DAST template](index.md#customizing-the-dast-settings).
+For details on using variables, see [Overriding the DAST template](index.md#customize-dast-settings).
 Debug mode of the ZAP server can be enabled using the `DAST_ZAP_LOG_CONFIGURATION` variable.
 The following table outlines examples of values that can be set and the effect that they have on the output that is logged.

--- a/doc/user/application_security/dast/index.md
+++ b/doc/user/application_security/dast/index.md
--- a/ee/app/models/dast/profile_schedule.rb
+++ b/ee/app/models/dast/profile_schedule.rb
@@ -51,6 +51,10 @@ class Dast::ProfileSchedule < ApplicationRecord
    self.class.active_for_project(project_id)
  end
+  def owner_valid?
+    Ability.allowed?(owner, :create_on_demand_dast_scan, project)
+  end
  private
  def deactivate!

--- a/ee/app/services/app_sec/dast/profiles/update_service.rb
+++ b/ee/app/services/app_sec/dast/profiles/update_service.rb
@@ -52,7 +52,9 @@ module AppSec
        def update_or_create_schedule!
          if schedule
-            schedule.update!(schedule_input_params)
+            attributes = schedule_input_params
+            attributes = attributes.merge(user_id: current_user.id) unless schedule.owner_valid?
+            schedule.update!(attributes)
          else
            ::Dast::ProfileSchedule.new(
              dast_profile: dast_profile,

--- a/ee/app/services/security/security_orchestration_policies/project_create_service.rb
+++ b/ee/app/services/security/security_orchestration_policies/project_create_service.rb
@@ -35,7 +35,7 @@ module Security
          security_policy_target_project_id: project.id,
          name: "#{project.name} - Security policy project",
          description: "This project is automatically generated to manage security policies for the project.",
-          namespace_id: project.namespace.id,
+          namespace_id: project.namespace_id,
          initialize_with_readme: true,
          container_registry_enabled: false,
          packages_enabled: false,

--- a/ee/spec/services/app_sec/dast/profiles/update_service_spec.rb
+++ b/ee/spec/services/app_sec/dast/profiles/update_service_spec.rb
@@ -9,6 +9,7 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
  let_it_be(:dast_site_profile) { create(:dast_site_profile, project: project) }
  let_it_be(:dast_scanner_profile) { create(:dast_scanner_profile, project: project) }
  let_it_be(:plan_limits) { create(:plan_limits, :default_plan) }
+  let_it_be(:scheduler_owner) { create(:user, name: 'Scheduler Owner') }
  let(:default_params) do
    {
@@ -59,7 +60,7 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
      context 'when the user can run a DAST scan' do
        before do
-          project.add_developer(user)
+          project.add_users([user, scheduler_owner], :developer)
        end
        it 'communicates success' do
@@ -127,24 +128,69 @@ RSpec.describe AppSec::Dast::Profiles::UpdateService do
          end
          context 'when associated schedule is present' do
-            before do
+            let_it_be_with_reload(:dast_profile_schedule) { create(:dast_profile_schedule, project: project, dast_profile: dast_profile, owner: scheduler_owner) }
-              create(:dast_profile_schedule, dast_profile: dast_profile)
-            end
            it 'updates the dast profile schedule' do
-              updated_schedule = subject.payload[:dast_profile_schedule].reload
+              subject
              aggregate_failures do
-                expect(updated_schedule.active).to eq(params[:dast_profile_schedule][:active])
+                expect(dast_profile_schedule.active).to eq(params[:dast_profile_schedule][:active])
-                expect(updated_schedule.starts_at.to_i).to eq(params[:dast_profile_schedule][:starts_at].to_i)
+                expect(dast_profile_schedule.starts_at.to_i).to eq(params[:dast_profile_schedule][:starts_at].to_i)
-                expect(updated_schedule.timezone).to eq(params[:dast_profile_schedule][:timezone])
+                expect(dast_profile_schedule.timezone).to eq(params[:dast_profile_schedule][:timezone])
-                expect(updated_schedule.cadence).to eq(params[:dast_profile_schedule][:cadence].stringify_keys)
+                expect(dast_profile_schedule.cadence).to eq(params[:dast_profile_schedule][:cadence].stringify_keys)
              end
            end
            it 'creates the audit event' do
              expect { subject }.to change { AuditEvent.where(target_id: dast_profile.dast_profile_schedule.id).count }
            end
+            context 'when the owner is valid' do
+              it 'does not updates the schedule owner' do
+                subject
+                expect(dast_profile_schedule.user_id).to eq(scheduler_owner.id)
+              end
+            end
+            context 'when the owner was deleted' do
+              before do
+                scheduler_owner.destroy!
+                subject.payload[:dast_profile_schedule].reload
+              end
+              it 'updates the schedule owner' do
+                subject
+                expect(dast_profile_schedule.user_id).to eq(user.id)
+              end
+            end
+            context 'when the owner permission was downgraded' do
+              before do
+                project.add_guest(scheduler_owner)
+              end
+              it 'updates the schedule owner' do
+                subject
+                expect(dast_profile_schedule.user_id).to eq(user.id)
+              end
+            end
+            context 'when the owner was removed from the project' do
+              before do
+                stub_feature_flags(member_destroy_async_auth_refresh: false)
+                project.team.truncate
+                project.add_developer(user)
+              end
+              it 'updates the schedule owner' do
+                subject
+                expect(dast_profile_schedule.user_id).to eq(user.id)
+              end
+            end
          end
        end

--- a/lib/gitlab/issuable_sorter.rb
+++ b/lib/gitlab/issuable_sorter.rb
@@ -7,7 +7,7 @@ module Gitlab
        grouped_items = issuables.group_by do |issuable|
          if issuable.project.id == project.id
            :project_ref
-          elsif issuable.project.namespace.id == project.namespace.id
+          elsif issuable.project.namespace_id == project.namespace_id
            :namespace_ref
          else
            :full_ref

--- a/spec/helpers/routing/pseudonymization_helper_spec.rb
+++ b/spec/helpers/routing/pseudonymization_helper_spec.rb
@@ -6,6 +6,7 @@ RSpec.describe ::Routing::PseudonymizationHelper do
  let_it_be(:group) { create(:group) }
  let_it_be(:subgroup) { create(:group, parent: group) }
  let_it_be(:project) { create(:project, group: group) }
+  let_it_be(:subproject) { create(:project, group: subgroup) }
  let_it_be(:issue) { create(:issue, project: project) }
  let(:merge_request) { create(:merge_request, source_project: project) }
@@ -56,16 +57,16 @@ RSpec.describe ::Routing::PseudonymizationHelper do
    end
    context 'with controller for groups with subgroups and project' do
-      let(:masked_url) { "http://test.host/namespace:#{subgroup.id}/project:#{project.id}"}
+      let(:masked_url) { "http://test.host/namespace:#{subgroup.id}/project:#{subproject.id}"}
      before do
        allow(helper).to receive(:group).and_return(subgroup)
-        allow(helper.project).to receive(:namespace).and_return(subgroup)
+        allow(helper).to receive(:project).and_return(subproject)
        allow(Rails.application.routes).to receive(:recognize_path).and_return({
          controller: 'projects',
          action: 'show',
          namespace_id: subgroup.name,
-          id: project.name
+          id: subproject.name
        })
      end