diff --git a/app/assets/stylesheets/page_bundles/project.scss b/app/assets/stylesheets/page_bundles/project.scss index 8c2c8a8ed69..0bc3cc6678c 100644 --- a/app/assets/stylesheets/page_bundles/project.scss +++ b/app/assets/stylesheets/page_bundles/project.scss @@ -49,7 +49,7 @@ .project-repo-buttons { .btn { svg { - fill: $gray-500; + fill: var(--gray-500, $gray-500); } } @@ -148,13 +148,13 @@ background-color: transparent; font-size: $gl-font-size; line-height: $gl-btn-line-height; - color: $gl-text-color-secondary; + color: var(--gray-500, $gl-text-color-secondary); white-space: pre-wrap; } .stat-link { border-bottom: 0; - color: $black; + color: var(--black, $black); &:hover, &:focus { @@ -163,17 +163,17 @@ } .project-stat-value { - color: $gl-text-color; + color: var(--gl-text-color, $gl-text-color); } .icon { - color: $gl-text-color-secondary; + color: var(--gray-500, $gl-text-color-secondary); } .add-license-link { &, .icon { - color: $blue-600; + color: var(--blue-600, $blue-600); } } } @@ -200,13 +200,13 @@ margin-bottom: 7px; h5 { - color: $gl-text-color; + color: var(--gl-text-color, $gl-text-color); } .light-well { border-radius: 2px; - color: $well-light-text-color; + color: var(--gray-600, $well-light-text-color); font-size: 13px; line-height: 1.6em; } diff --git a/app/assets/stylesheets/page_bundles/projects_edit.scss b/app/assets/stylesheets/page_bundles/projects_edit.scss index 785505e86a2..9a8b4ffcdd7 100644 --- a/app/assets/stylesheets/page_bundles/projects_edit.scss +++ b/app/assets/stylesheets/page_bundles/projects_edit.scss @@ -9,7 +9,7 @@ } .highlight-changes & { - background: $highlight-changes-color; + background: var(--green-50, $highlight-changes-color); transition: none; } } diff --git a/app/views/projects/protected_tags/shared/_index.html.haml b/app/views/projects/protected_tags/shared/_index.html.haml index fe63f921780..8f5ce798dc7 100644 --- a/app/views/projects/protected_tags/shared/_index.html.haml 
+++ b/app/views/projects/protected_tags/shared/_index.html.haml @@ -11,7 +11,7 @@ = link_to s_("ProtectedTag|What are protected tags?"), help_page_path("user/project/protected_tags") .settings-content %p - = s_("ProtectedTag|By default, protected branches restrict who can modify the tag.") + = s_("ProtectedTag|By default, protected tags restrict who can modify the tag.") = link_to s_("ProtectedTag|Learn more."), help_page_path("user/project/protected_tags", anchor: "who-can-modify-a-protected-tag") - if can? current_user, :admin_project, @project diff --git a/doc/administration/geo/replication/troubleshooting.md b/doc/administration/geo/replication/troubleshooting.md index a6ea41171a9..1371e5d84c8 100644 --- a/doc/administration/geo/replication/troubleshooting.md +++ b/doc/administration/geo/replication/troubleshooting.md 
@@ -115,35 +115,39 @@ http://secondary.example.com/ To check if PostgreSQL replication is working, check if: -- [Nodes are pointing to the correct database instance](#are-nodes-pointing-to-the-correct-database-instance). -- [Geo can detect the current node correctly](#can-geo-detect-the-current-node-correctly). +- [Sites are pointing to the correct database node](#are-sites-pointing-to-the-correct-database-node). +- [Geo can detect the current site correctly](#can-geo-detect-the-current-site-correctly). -#### Are nodes pointing to the correct database instance? +#### Are sites pointing to the correct database node? -You should make sure your **primary** Geo node points to the instance with -writing permissions. +You should make sure your **primary** Geo [site](../glossary.md) points to +the database node that has write permissions. -Any **secondary** nodes should point only to read-only instances. +Any **secondary** sites should point only to read-only database nodes. -#### Can Geo detect the current node correctly? +#### Can Geo detect the current site correctly? -Geo finds the current machine's Geo node name in `/etc/gitlab/gitlab.rb` by: +Geo finds the current Puma or Sidekiq node's Geo [site](../glossary.md) name in +`/etc/gitlab/gitlab.rb` with the following logic: -- Using the `gitlab_rails['geo_node_name']` setting. -- If that is not defined, using the `external_url` setting. +1. Get the "Geo node name" (there is + [an issue to rename the settings to "Geo site name"](https://gitlab.com/gitlab-org/gitlab/-/issues/335944)): + - Omnibus GitLab: Get the `gitlab_rails['geo_node_name']` setting. + - GitLab Helm Charts: Get the `global.geo.nodeName` setting (see [Charts with GitLab Geo](https://docs.gitlab.com/charts/advanced/geo/index.html)). +1. If that is not defined, then get the `external_url` setting. 
-This name is used to look up the node with the same **Name** in the **Geo Nodes** +This name is used to look up the Geo site with the same **Name** in the **Geo Sites** dashboard. -To check if the current machine has a node name that matches a node in the +To check if the current machine has a site name that matches a site in the database, run the check task: ```shell sudo gitlab-rake gitlab:geo:check ``` -It displays the current machine's node name and whether the matching database -record is a **primary** or **secondary** node. +It displays the current machine's site name and whether the matching database +record is a **primary** or **secondary** site. ```plaintext This machine's Geo node name matches a database record ... yes, found a secondary node named "Shanghai" @@ -158,6 +162,9 @@ This machine's Geo node name matches a database record ... no doc/administration/geo/replication/troubleshooting.md#can-geo-detect-the-current-node-correctly ``` +Learn more about recommended site names in the description of the Name field in +[Geo Admin Area Common Settings](../../../user/admin_area/geo_nodes.md#common-settings). + ### Message: `WARNING: oldest xmin is far in the past` and `pg_wal` size growing If a replication slot is inactive, @@ -692,6 +699,8 @@ determine the actual replication status of Design repositories. ### Sync failure message: "Verification failed with: Error during verification: File is not checksummable" +#### Missing files on the Geo primary site + In GitLab 14.5 and earlier, certain data types which were missing on the Geo primary site were marked as "synced" on Geo secondary sites. This was because from the perspective of Geo secondary sites, the state matched the primary site and nothing more could be done on secondary sites. Secondaries would regularly try to sync these files again by using the "verification" feature: 
@@ -745,6 +754,32 @@ This behavior affects only the following data types through GitLab 14.6: to make Geo visibly surface data loss risks. The sync/verification loop is therefore short-circuited. `last_sync_failure` is now set to `The file is missing on the Geo primary site`. +#### Failed syncs with GitLab-managed object storage replication + +There is [an issue in GitLab 14.2 through 14.7](https://gitlab.com/gitlab-org/gitlab/-/issues/299819#note_822629467) +that affects Geo when the GitLab-managed object storage replication is used, causing blob object types to fail synchronization. + +Since GitLab 14.2, verification failures result in synchronization failures and cause +a re-synchronization of these objects. + +As verification is not implemented for files stored in object storage (see +[issue 13845](https://gitlab.com/gitlab-org/gitlab/-/issues/13845) for more details), this +results in a loop that consistently fails for all objects stored in object storage. + +You can work around this by marking the objects as synced and succeeded verification, however +be aware that can also mark objects that may be +[missing from the primary](#missing-files-on-the-geo-primary-site). 
+ +To do that, enter the [Rails console](../../troubleshooting/navigating_gitlab_via_rails_console.md) +and run: + +```ruby +Gitlab::Geo.verification_enabled_replicator_classes.each do |klass| + updated = klass.registry_class.failed.where(last_sync_failure: "Verification failed with: Error during verification: File is not checksummable").update_all(verification_checksum: '0000000000000000000000000000000000000000', verification_state: 2, verification_failure: nil, verification_retry_at: nil, state: 2, last_sync_failure: nil, retry_at: nil, verification_retry_count: 0, retry_count: 0) + pp "Updated #{updated} #{klass.replicable_name_plural}" +end +``` + ## Fixing errors during a failover or when promoting a secondary to a primary node The following are possible error messages that might be encountered during failover or diff --git a/doc/administration/geo/replication/version_specific_updates.md b/doc/administration/geo/replication/version_specific_updates.md index d3a132a6666..bde95b8fd67 100644 --- a/doc/administration/geo/replication/version_specific_updates.md +++ b/doc/administration/geo/replication/version_specific_updates.md 
@@ -10,6 +10,21 @@ Review this page for update instructions for your version. These steps accompany the [general steps](updating_the_geo_sites.md#general-update-steps) for updating Geo nodes. +## Updating to 14.2 through 14.7 + +There is [an issue in GitLab 14.2 through 14.7](https://gitlab.com/gitlab-org/gitlab/-/issues/299819#note_822629467) +that affects Geo when the GitLab-managed object storage replication is used, causing blob object types to fail synchronization. + +Since GitLab 14.2, verification failures result in synchronization failures and cause +a resynchronization of these objects. + +As verification is not yet implemented for files stored in object storage (see +[issue 13845](https://gitlab.com/gitlab-org/gitlab/-/issues/13845) for more details), this +results in a loop that consistently fails for all objects stored in object storage. + +For information on how to fix this, see +[Troubleshooting - Failed syncs with GitLab-managed object storage replication](troubleshooting.md#failed-syncs-with-gitlab-managed-object-storage-replication). + ## Updating to 14.4 There is [an issue in GitLab 14.4.0 through 14.4.2](../../../update/index.md#1440) that can affect Geo and other features that rely on cronjobs. We recommend upgrading to GitLab 14.4.3 or later. diff --git a/doc/development/img/architecture_simplified.png b/doc/development/img/architecture_simplified.png index bd731758ddd..bab673feb4a 100644 Binary files a/doc/development/img/architecture_simplified.png and b/doc/development/img/architecture_simplified.png differ diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md index 4b63d423480..30cd0f8f511 100644 --- a/doc/raketasks/backup_restore.md +++ b/doc/raketasks/backup_restore.md 
@@ -966,6 +966,7 @@ sudo gitlab-backup restore BACKUP=11493107454_2018_04_25_10.6.4-ce ``` Users of GitLab 12.1 and earlier should use the command `gitlab-rake gitlab:backup:restore` instead. +Some [known non-blocking error messages may appear](#restoring-database-backup-using-omnibus-packages-outputs-warnings). WARNING: `gitlab-rake gitlab:backup:restore` doesn't set the correct file system diff --git a/doc/update/index.md b/doc/update/index.md index ddc18dff3e2..22e3ac7f351 100644 --- a/doc/update/index.md +++ b/doc/update/index.md @@ -98,7 +98,7 @@ that can process jobs in the `background_migration` queue. ```shell sudo gitlab-rails runner -e production 'puts Gitlab::BackgroundMigration.remaining' -sudo gitlab-rails runner -e production 'puts Gitlab::Database::BackgroundMigrationJob.pending' +sudo gitlab-rails runner -e production 'puts Gitlab::Database::BackgroundMigrationJob.pending.count' ``` **For installations from source:** diff --git a/doc/user/application_security/sast/index.md b/doc/user/application_security/sast/index.md index dfbc26593f2..f17bb03061a 100644 --- a/doc/user/application_security/sast/index.md +++ b/doc/user/application_security/sast/index.md 
@@ -832,86 +832,18 @@ variables: ## Reports JSON format -The SAST tool emits a JSON report file. For more information, see the -[schema for this report](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json). +SAST outputs a report file in JSON format. The report file contains details of all found vulnerabilities. +To download the report file, you can either: -The JSON report file can be downloaded from the CI pipelines page, or the -pipelines tab on merge requests by [setting `artifacts: paths`](../../../ci/yaml/index.md#artifactspaths) to `gl-sast-report.json`. For more information see [Downloading artifacts](../../../ci/pipelines/job_artifacts.md). +- Download the file from the CI/CD pipelines page. +- In the pipelines tab on merge requests, set [`artifacts: paths`](../../../ci/yaml/index.md#artifactspaths) to `gl-sast-report.json`. + +For information, see [Download job artifacts](../../../ci/pipelines/job_artifacts.md#download-job-artifacts). -Here's an example SAST report: +For details of the report file's schema, see +[SAST report file schema](https://gitlab.com/gitlab-org/security-products/security-report-schemas/-/blob/master/dist/sast-report-format.json). 
-```json-doc -{ - "version": "2.0", - "vulnerabilities": [ - { - "id": "9e96e0ab-23da-4d7d-a09e-0acbaa5e83ca", - "category": "sast", - "name": "Predictable pseudorandom number generator", - "message": "Predictable pseudorandom number generator", - "description": "The use of java.util.Random is predictable", - "severity": "Medium", - "confidence": "Medium", - "scanner": { - "id": "find_sec_bugs", - "name": "Find Security Bugs" - }, - "location": { - "file": "groovy/src/main/groovy/com/gitlab/security_products/tests/App.groovy", - "start_line": 47, - "end_line": 47, - "class": "com.gitlab.security_products.tests.App", - "method": "generateSecretToken2", - "dependency": { - "package": {} - } - }, - "identifiers": [ - { - "type": "find_sec_bugs_type", - "name": "Find Security Bugs-PREDICTABLE_RANDOM", - "value": "PREDICTABLE_RANDOM", - "url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM" - }, - { - "type": "cwe", - "name": "CWE-330", - "value": "330", - "url": "https://cwe.mitre.org/data/definitions/330.html" - } - ] - }, - { - "id": "e6dbf91f-4c07-46f7-a365-0169489c27d1", - "category": "sast", - "message": "Probable insecure usage of temp file/directory.", - "severity": "Medium", - "confidence": "Medium", - "scanner": { - "id": "bandit", - "name": "Bandit" - }, - "location": { - "file": "python/hardcoded/hardcoded-tmp.py", - "start_line": 10, - "end_line": 10, - "dependency": { - "package": {} - } - }, - "identifiers": [ - { - "type": "bandit_test_id", - "name": "Bandit Test ID B108", - "value": "B108", - "url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html" - } - ] - }, - ], - "remediations": [] -} -``` +For an example SAST report file, see [`gl-secret-detection-report.json`](https://gitlab.com/gitlab-org/security-products/analyzers/secrets/-/blob/master/qa/expect/secrets/gl-secret-detection-report.json) example. ## Running SAST in an offline environment 
diff --git a/lib/gitlab/email/handler/create_note_handler.rb b/lib/gitlab/email/handler/create_note_handler.rb index 4fa2fe1724e..b168efaac11 100644 --- a/lib/gitlab/email/handler/create_note_handler.rb +++ b/lib/gitlab/email/handler/create_note_handler.rb @@ -24,6 +24,8 @@ module Gitlab validate_permission!(:create_note) + validate_from_address! + raise NoteableNotFoundError unless noteable raise EmptyEmailError if note_message.blank? @@ -56,6 +58,17 @@ module Gitlab message_with_appended_reply end + + def from_address + mail.from&.first + end + + def validate_from_address! + # Recipieint is always set to Support bot for ServiceDesk issues so we should exclude those. + return if author == User.support_bot + + raise UserNotFoundError unless from_address && author.verified_email?(from_address) + end end end end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index b924913f274..299d8f98a67 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -29304,7 +29304,7 @@ msgstr "" msgid "ProtectedTags|default" msgstr "" -msgid "ProtectedTag|By default, protected branches restrict who can modify the tag." +msgid "ProtectedTag|By default, protected tags restrict who can modify the tag." msgstr "" msgid "ProtectedTag|Learn more." diff --git a/spec/lib/gitlab/email/handler/create_note_handler_spec.rb b/spec/lib/gitlab/email/handler/create_note_handler_spec.rb index c0ac40e3249..59b87c5d8e7 100644 --- a/spec/lib/gitlab/email/handler/create_note_handler_spec.rb +++ b/spec/lib/gitlab/email/handler/create_note_handler_spec.rb @@ -5,7 +5,7 @@ require 'spec_helper' RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do include_context :email_shared_context - let_it_be(:user) { create(:user) } + let_it_be(:user) { create(:user, email: 'jake@adventuretime.ooo') } let_it_be(:project) { create(:project, :public, :repository) } let(:noteable) { note.noteable } 
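Review bot: The comment in `validate_from_address!` misspells "Recipient", and nothing in the method says that this is only defense in depth: `mail.from` is sender-controlled, so the check stops a leaked reply key from being used by a mailbox the author never verified but cannot authenticate the sender. I would fix the typo and add `# From: is attacker-controllable, so this only limits abuse of a leaked reply key; it does not prove the sender's identity.` above the `raise`. `mail.from&.first` also validates only the first address of a multi-valued From header, and whether `verified_email?` compares case-insensitively is not visible here, so both are worth a word in that comment once confirmed. Raising `UserNotFoundError` for an existing author whose From address is unverified is what the new spec expects, so I would keep the exception type. The enclosing class and the section these helpers sit in start outside the hunk.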
@@ -39,6 +39,43 @@ RSpec.describe Gitlab::Email::Handler::CreateNoteHandler do end end + context 'when the incoming email is from a different email address' do + before do + SentNotification.find_by(reply_key: mail_key).update!(recipient: original_recipient) + end + + context 'when the issue is not a Service Desk issue' do + let(:original_recipient) { create(:user, email: 'john@somethingelse.com') } + + context 'with only one email address' do + it 'raises a UserNotFoundError' do + expect { receiver.execute }.to raise_error(Gitlab::Email::UserNotFoundError) + end + end + + context 'with a secondary verified email address' do + let(:verified_email) { 'alan@adventuretime.ooo'} + let(:email_raw) { fixture_file('emails/valid_reply.eml').gsub('jake@adventuretime.ooo', verified_email) } + + before do + create(:email, :confirmed, user: original_recipient, email: verified_email) + end + + it 'does not raise a UserNotFoundError' do + expect { receiver.execute }.not_to raise_error(Gitlab::Email::UserNotFoundError) + end + end + end + + context 'when the issue is a Service Desk issue' do + let(:original_recipient) { User.support_bot } + + it 'does not raise a UserNotFoundError' do + expect { receiver.execute }.not_to raise_error(Gitlab::Email::UserNotFoundError) + end + end + end + context 'when no sent notification for the mail key could be found' do let(:email_raw) { fixture_file('emails/wrong_mail_key.eml') }
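Review bot: The two `not_to raise_error(Gitlab::Email::UserNotFoundError)` expectations in the new contexts are weak: RSpec flags a negated `raise_error` with a specific class as a potential false positive because any other exception (a `NoMethodError`, a `NoteableNotFoundError`) would also satisfy them, so they cannot show that the verified secondary address or the Service Desk path actually produces a note. I would assert the positive outcome instead, e.g. `expect { receiver.execute }.to change { noteable.notes.count }.by(1)`, or at least use the bare `not_to raise_error`. There is also no example for a message with an empty or missing `From:` header, which the handler now rejects because `from_address` is nil, so a `UserNotFoundError` case for that input would pin the behavior. The surrounding `RSpec.describe` block starts outside the hunk.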