Automatic merge of gitlab-org/gitlab master

app/assets/javascripts/mr_popover/index.js

@@ -48,7 +48,12 @@ export default (elements) => {
     Vue.use(VueApollo);
 
     const apolloProvider = new VueApollo({
-      defaultClient: createDefaultClient(),
+      defaultClient: createDefaultClient(
+        {},
+        {
+          assumeImmutableResults: true,
+        },
+      ),
     });
     const listenerAddedAttr = 'data-mr-listener-added';
 

app/assets/javascripts/vue_merge_request_widget/components/extensions/base.vue

@@ -140,9 +140,7 @@ export default {
           <div
             class="gl-mt-2 gl-mb-2 align-content-around align-items-start flex-wrap align-self-center d-flex"
           >
-            <div class="gl-mr-4">
-              {{ data.text }}
-            </div>
+            <div v-safe-html="data.text" class="gl-mr-4"></div>
             <div v-if="data.link">
               <gl-link :href="data.link.href">{{ data.link.text }}</gl-link>
             </div>

doc/administration/gitaly/index.md

@@ -379,6 +379,18 @@ Some [known database inconsistency issues](#known-issues) exist in Gitaly Cluste
 remain on your current service for now. We can adjust the date for
 [NFS support removal](#nfs-deprecation-notice) if this applies to you.
 
+### Migrate off Gitaly Cluster
+
+If you have repositories stored on a Gitaly Cluster, but you'd like to migrate
+them back to direct Gitaly storage:
+
+1. Create and configure a new
+   [Gitaly server](configure_gitaly.md#run-gitaly-on-its-own-server).
+1. [Move the repositories](../operations/moving_repositories.md#move-repositories)
+   to the newly created storage. There are different possibilities to move them
+   by shard or by group, this gives you the opportunity to spread them over
+   multiple Gitaly servers.
+
 ## Monitor Gitaly and Gitaly Cluster
 
 You can use the available logs and [Prometheus metrics](../monitoring/prometheus/index.md) to

ee/app/services/app_sec/dast/site_profile_secret_variables/create_or_update_service.rb

+# frozen_string_literal: true
+
+module AppSec
+  module Dast
+    module SiteProfileSecretVariables
+      class CreateOrUpdateService < BaseContainerService
+        def execute
+          return error_response('Insufficient permissions') unless allowed?
+
+          return error_response('Dast site profile param is missing') unless site_profile
+          return error_response('Key param is missing') unless key
+          return error_response('Raw value param is missing') unless raw_value
+
+          secret_variable = find_or_create_secret_variable
+
+          return error_response(secret_variable.errors.full_messages) unless secret_variable.valid? && secret_variable.persisted?
+
+          success_response(secret_variable)
+        end
+
+        private
+
+        def allowed?
+          Ability.allowed?(current_user, :create_on_demand_dast_scan, container)
+        end
+
+        def site_profile
+          params[:dast_site_profile]
+        end
+
+        def key
+          params[:key]
+        end
+
+        def raw_value
+          params[:raw_value]
+        end
+
+        def success_response(secret_variable)
+          ServiceResponse.success(payload: secret_variable)
+        end
+
+        def error_response(message)
+          ServiceResponse.error(message: message)
+        end
+
+        # rubocop: disable CodeReuse/ActiveRecord
+        def find_or_create_secret_variable
+          secret_variable = ::Dast::SiteProfileSecretVariable.find_or_initialize_by(dast_site_profile: site_profile, key: key)
+          secret_variable.update(raw_value: raw_value)
+
+          secret_variable
+        end
+        # rubocop: enable CodeReuse/ActiveRecord
+      end
+    end
+  end
+end

ee/app/services/app_sec/dast/site_profile_secret_variables/destroy_service.rb

+# frozen_string_literal: true
+
+module AppSec
+  module Dast
+    module SiteProfileSecretVariables
+      class DestroyService < BaseContainerService
+        def execute
+          return ServiceResponse.error(message: 'Insufficient permissions') unless allowed?
+          return ServiceResponse.error(message: 'Variable parameter missing') unless dast_site_profile_secret_variable
+          return ServiceResponse.error(message: 'Variable failed to delete') unless dast_site_profile_secret_variable.destroy
+
+          ServiceResponse.success(payload: dast_site_profile_secret_variable)
+        end
+
+        private
+
+        def allowed?
+          Ability.allowed?(current_user, :create_on_demand_dast_scan, container)
+        end
+
+        def dast_site_profile_secret_variable
+          params[:dast_site_profile_secret_variable]
+        end
+      end
+    end
+  end
+end

ee/app/services/app_sec/dast/site_profiles/create_service.rb

@@ -51,7 +51,7 @@ module AppSec
         def create_secret_variable!(key, value)
           return ServiceResponse.success unless value
 
-          response = ::Dast::SiteProfileSecretVariables::CreateOrUpdateService.new(
+          response = ::AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService.new(
             container: project,
             current_user: current_user,
             params: { dast_site_profile: dast_site_profile, key: key, raw_value: value }

ee/app/services/app_sec/dast/site_profiles/update_service.rb

@@ -73,7 +73,7 @@ module AppSec
 
           return delete_secret_variable!(key) if value == ''
 
-          response = ::Dast::SiteProfileSecretVariables::CreateOrUpdateService.new(
+          response = ::AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService.new(
             container: project,
             current_user: current_user,
             params: { dast_site_profile: dast_site_profile, key: key, raw_value: value }
@@ -90,7 +90,7 @@ module AppSec
 
           return ServiceResponse.success unless variable
 
-          response = ::Dast::SiteProfileSecretVariables::DestroyService.new(
+          response = ::AppSec::Dast::SiteProfileSecretVariables::DestroyService.new(
             container: project,
             current_user: current_user,
             params: { dast_site_profile_secret_variable: variable }

ee/app/services/dast/site_profile_secret_variables/create_or_update_service.rb

-# frozen_string_literal: true
-
-module Dast
-  module SiteProfileSecretVariables
-    class CreateOrUpdateService < BaseContainerService
-      def execute
-        return error_response('Insufficient permissions') unless allowed?
-
-        return error_response('Dast site profile param is missing') unless site_profile
-        return error_response('Key param is missing') unless key
-        return error_response('Raw value param is missing') unless raw_value
-
-        secret_variable = find_or_create_secret_variable
-
-        return error_response(secret_variable.errors.full_messages) unless secret_variable.valid? && secret_variable.persisted?
-
-        success_response(secret_variable)
-      end
-
-      private
-
-      def allowed?
-        Ability.allowed?(current_user, :create_on_demand_dast_scan, container)
-      end
-
-      def site_profile
-        params[:dast_site_profile]
-      end
-
-      def key
-        params[:key]
-      end
-
-      def raw_value
-        params[:raw_value]
-      end
-
-      def success_response(secret_variable)
-        ServiceResponse.success(payload: secret_variable)
-      end
-
-      def error_response(message)
-        ServiceResponse.error(message: message)
-      end
-
-      # rubocop: disable CodeReuse/ActiveRecord
-      def find_or_create_secret_variable
-        secret_variable = Dast::SiteProfileSecretVariable.find_or_initialize_by(dast_site_profile: site_profile, key: key)
-        secret_variable.update(raw_value: raw_value)
-
-        secret_variable
-      end
-      # rubocop: enable CodeReuse/ActiveRecord
-    end
-  end
-end

ee/app/services/dast/site_profile_secret_variables/destroy_service.rb

-# frozen_string_literal: true
-
-module Dast
-  module SiteProfileSecretVariables
-    class DestroyService < BaseContainerService
-      def execute
-        return ServiceResponse.error(message: 'Insufficient permissions') unless allowed?
-        return ServiceResponse.error(message: 'Variable parameter missing') unless dast_site_profile_secret_variable
-        return ServiceResponse.error(message: 'Variable failed to delete') unless dast_site_profile_secret_variable.destroy
-
-        ServiceResponse.success(payload: dast_site_profile_secret_variable)
-      end
-
-      private
-
-      def allowed?
-        Ability.allowed?(current_user, :create_on_demand_dast_scan, container)
-      end
-
-      def dast_site_profile_secret_variable
-        params[:dast_site_profile_secret_variable]
-      end
-    end
-  end
-end

ee/spec/graphql/mutations/dast_site_profiles/create_spec.rb

@@ -129,10 +129,10 @@ RSpec.describe Mutations::DastSiteProfiles::Create do
 
         context 'when variable creation fails' do
           it 'returns an error and the dast_site_profile' do
-            service = double(Dast::SiteProfileSecretVariables::CreateOrUpdateService)
+            service = double(AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService)
             result = ServiceResponse.error(payload: create(:dast_site_profile), message: 'Oops')
 
-            allow(Dast::SiteProfileSecretVariables::CreateOrUpdateService).to receive(:new).and_return(service)
+            allow(AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService).to receive(:new).and_return(service)
             allow(service).to receive(:execute).and_return(result)
 
             expect(subject).to include(errors: ['Oops'])

ee/spec/graphql/mutations/dast_site_profiles/update_spec.rb

@@ -146,10 +146,10 @@ RSpec.describe Mutations::DastSiteProfiles::Update do
 
         context 'when variable creation fails' do
           it 'returns an error and the dast_site_profile' do
-            service = double(Dast::SiteProfileSecretVariables::CreateOrUpdateService)
+            service = double(AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService)
             result = ServiceResponse.error(payload: create(:dast_site_profile), message: 'Oops')
 
-            allow(Dast::SiteProfileSecretVariables::CreateOrUpdateService).to receive(:new).and_return(service)
+            allow(AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService).to receive(:new).and_return(service)
             allow(service).to receive(:execute).and_return(result)
 
             expect(subject).to include(errors: ['Oops'])

ee/spec/services/dast/site_profile_secret_variables/create_or_update_service_spec.rb → ee/spec/services/app_sec/dast/site_profile_secret_variables/create_or_update_service_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Dast::SiteProfileSecretVariables::CreateOrUpdateService do
+RSpec.describe AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService do
   let_it_be(:project) { create(:project) }
   let_it_be(:dast_profile) { create(:dast_profile, project: project) }
   let_it_be(:developer) { create(:user, developer_projects: [project] ) }

ee/spec/services/dast/site_profile_secret_variables/destroy_service_spec.rb → ee/spec/services/app_sec/dast/site_profile_secret_variables/destroy_service_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Dast::SiteProfileSecretVariables::DestroyService do
+RSpec.describe AppSec::Dast::SiteProfileSecretVariables::DestroyService do
   include GraphqlHelpers
 
   let_it_be(:user) { create(:user) }

ee/spec/services/app_sec/dast/site_profiles/create_service_spec.rb

@@ -150,7 +150,7 @@ RSpec.describe AppSec::Dast::SiteProfiles::CreateService do
 
       shared_examples 'it handles secret variable creation failure' do
         before do
-          allow_next_instance_of(Dast::SiteProfileSecretVariables::CreateOrUpdateService) do |service|
+          allow_next_instance_of(AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService) do |service|
             response = ServiceResponse.error(message: 'Something went wrong')
 
             allow(service).to receive(:execute).and_return(response)

ee/spec/services/app_sec/dast/site_profiles/update_service_spec.rb

@@ -184,7 +184,7 @@ RSpec.describe AppSec::Dast::SiteProfiles::UpdateService do
 
       shared_examples 'it handles secret variable updating failure' do
         before do
-          allow_next_instance_of(Dast::SiteProfileSecretVariables::CreateOrUpdateService) do |service|
+          allow_next_instance_of(AppSec::Dast::SiteProfileSecretVariables::CreateOrUpdateService) do |service|
             response = ServiceResponse.error(message: 'Something went wrong')
 
             allow(service).to receive(:execute).and_return(response)

lib/backup/gitaly_backup.rb

@@ -25,7 +25,7 @@ module Backup
       args += ['-parallel', @parallel.to_s] if @parallel
       args += ['-parallel-storage', @parallel_storage.to_s] if @parallel_storage
 
-      @stdin, stdout, @thread = Open3.popen2(ENV, bin_path, command, '-path', backup_repos_path, *args)
+      @stdin, stdout, @thread = Open3.popen2(build_env, bin_path, command, '-path', backup_repos_path, *args)
 
       @out_reader = Thread.new do
         IO.copy_stream(stdout, @progress)
@@ -63,6 +63,13 @@ module Backup
 
     private
 
+    def build_env
+      {
+        'SSL_CERT_FILE' => OpenSSL::X509::DEFAULT_CERT_FILE,
+        'SSL_CERT_DIR'  => OpenSSL::X509::DEFAULT_CERT_DIR
+      }.merge(ENV)
+    end
+
     def started?
       @thread.present?
     end

spec/lib/backup/gitaly_backup_spec.rb

@@ -5,12 +5,20 @@ require 'spec_helper'
 RSpec.describe Backup::GitalyBackup do
   let(:parallel) { nil }
   let(:parallel_storage) { nil }
+
   let(:progress) do
     Tempfile.new('progress').tap do |progress|
       progress.unlink
     end
   end
 
+  let(:expected_env) do
+    {
+      'SSL_CERT_FILE' => OpenSSL::X509::DEFAULT_CERT_FILE,
+      'SSL_CERT_DIR'  => OpenSSL::X509::DEFAULT_CERT_DIR
+    }.merge(ENV)
+  end
+
   after do
     progress.close
   end
@@ -32,7 +40,7 @@ RSpec.describe Backup::GitalyBackup do
         project_snippet = create(:project_snippet, :repository, project: project)
         personal_snippet = create(:personal_snippet, :repository, author: project.owner)
 
-        expect(Open3).to receive(:popen2).with(ENV, anything, 'create', '-path', anything).and_call_original
+        expect(Open3).to receive(:popen2).with(expected_env, anything, 'create', '-path', anything).and_call_original
 
         subject.start(:create)
         subject.enqueue(project, Gitlab::GlRepository::PROJECT)
@@ -53,7 +61,7 @@ RSpec.describe Backup::GitalyBackup do
         let(:parallel) { 3 }
 
         it 'passes parallel option through' do
-          expect(Open3).to receive(:popen2).with(ENV, anything, 'create', '-path', anything, '-parallel', '3').and_call_original
+          expect(Open3).to receive(:popen2).with(expected_env, anything, 'create', '-path', anything, '-parallel', '3').and_call_original
 
           subject.start(:create)
           subject.wait
@@ -64,7 +72,7 @@ RSpec.describe Backup::GitalyBackup do
         let(:parallel_storage) { 3 }
 
         it 'passes parallel option through' do
-          expect(Open3).to receive(:popen2).with(ENV, anything, 'create', '-path', anything, '-parallel-storage', '3').and_call_original
+          expect(Open3).to receive(:popen2).with(expected_env, anything, 'create', '-path', anything, '-parallel-storage', '3').and_call_original
 
           subject.start(:create)
           subject.wait
@@ -90,6 +98,26 @@ RSpec.describe Backup::GitalyBackup do
 
       it_behaves_like 'creates a repository backup'
     end
+
+    context 'custom SSL envs set' do
+      let(:ssl_env) do
+        {
+          'SSL_CERT_FILE' => '/some/cert/file',
+          'SSL_CERT_DIR'  => '/some/cert'
+        }
+      end
+
+      before do
+        stub_const('ENV', ssl_env)
+      end
+
+      it 'passes through SSL envs' do
+        expect(Open3).to receive(:popen2).with(ssl_env, anything, 'create', '-path', anything).and_call_original
+
+        subject.start(:create)
+        subject.wait
+      end
+    end
   end
 
   context 'restore' do
@@ -109,7 +137,7 @@ RSpec.describe Backup::GitalyBackup do
       copy_bundle_to_backup_path('personal_snippet_repo.bundle', personal_snippet.disk_path + '.bundle')
       copy_bundle_to_backup_path('project_snippet_repo.bundle', project_snippet.disk_path + '.bundle')
 
-      expect(Open3).to receive(:popen2).with(ENV, anything, 'restore', '-path', anything).and_call_original
+      expect(Open3).to receive(:popen2).with(expected_env, anything, 'restore', '-path', anything).and_call_original
 
       subject.start(:restore)
       subject.enqueue(project, Gitlab::GlRepository::PROJECT)
@@ -132,7 +160,7 @@ RSpec.describe Backup::GitalyBackup do
       let(:parallel) { 3 }
 
       it 'passes parallel option through' do
-        expect(Open3).to receive(:popen2).with(ENV, anything, 'restore', '-path', anything, '-parallel', '3').and_call_original
+        expect(Open3).to receive(:popen2).with(expected_env, anything, 'restore', '-path', anything, '-parallel', '3').and_call_original
 
         subject.start(:restore)
         subject.wait
@@ -143,7 +171,7 @@ RSpec.describe Backup::GitalyBackup do
       let(:parallel_storage) { 3 }
 
       it 'passes parallel option through' do
-        expect(Open3).to receive(:popen2).with(ENV, anything, 'restore', '-path', anything, '-parallel-storage', '3').and_call_original
+        expect(Open3).to receive(:popen2).with(expected_env, anything, 'restore', '-path', anything, '-parallel-storage', '3').and_call_original
 
         subject.start(:restore)
         subject.wait