gitlab-qa 14.13.0 → 14.15.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitlab-ci.yml +1 -1
- data/Gemfile.lock +1 -1
- data/docs/run_qa_against_gdk.md +6 -0
- data/docs/what_tests_can_be_run.md +25 -1
- data/fixtures/cvs/vulnerabilities_template.erb +2 -0
- data/lib/gitlab/qa/component/ai_gateway.rb +8 -0
- data/lib/gitlab/qa/component/base.rb +4 -2
- data/lib/gitlab/qa/component/gitlab.rb +1 -3
- data/lib/gitlab/qa/scenario/test/integration/continuous_vulnerability_scanning.rb +86 -0
- data/lib/gitlab/qa/version.rb +1 -1
- data/support/data/admin_access_token_seed.rb +1 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 497913af708d5bd502f32c82f052d0dbcfddb70142979c9e2ecf76ea40ab76d8
|
|
4
|
+
data.tar.gz: 730eec75c41c7805635602a68d461844062dc786bf953071bc80a0256f5fec97
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e8e4b3d39cf8cdf652cdd0001bd1f3238e8f707e51159b3e48a8bf43d8827485684e18734b345a8a793afdb36bdc2fb8fe36437160ee997dc6a04a4647fb1b7b
|
|
7
|
+
data.tar.gz: c353c880a71f75860f0ffb6e8bfd13360680bdc5f31573abaa12b455194529273498728d9bbbbe48b61ffda62fddf1b7e02ddc93d5e1abb1ca96e0cbd68ae2be
|
data/.gitlab-ci.yml
CHANGED
|
@@ -152,7 +152,7 @@ package-and-test:
|
|
|
152
152
|
include:
|
|
153
153
|
- project: gitlab-org/gitlab
|
|
154
154
|
ref: master
|
|
155
|
-
file: .gitlab/ci/
|
|
155
|
+
file: .gitlab/ci/test-on-omnibus/main.gitlab-ci.yml
|
|
156
156
|
rules:
|
|
157
157
|
- if: '$CI_MERGE_REQUEST_IID'
|
|
158
158
|
when: manual
|
data/Gemfile.lock
CHANGED
data/docs/run_qa_against_gdk.md
CHANGED
|
@@ -59,6 +59,12 @@ variable.
|
|
|
59
59
|
export GITLAB_INITIAL_ROOT_PASSWORD="<GDK root password>"
|
|
60
60
|
```
|
|
61
61
|
|
|
62
|
+
**Note**: If you encounter the following error, you can resolve it by unsetting the Docker host environment variable using the command `unset DOCKER_HOST`:
|
|
63
|
+
|
|
64
|
+
```
|
|
65
|
+
ERROR: error during connect: get "http://docker.local:2375/v1.24/images/json": dial tcp: lookup docker.local: no such host
|
|
66
|
+
```
|
|
67
|
+
|
|
62
68
|
### Running EE tests
|
|
63
69
|
|
|
64
70
|
When running EE tests you'll need to have a license available. GitLab engineers can [request a license](https://about.gitlab.com/handbook/developer-onboarding/#working-on-gitlab-ee).
|
|
@@ -375,6 +375,30 @@ $ export EE_LICENSE=$(cat /path/to/Geo.gitlab_license)
|
|
|
375
375
|
$ gitlab-qa Test::Integration::Geo EE
|
|
376
376
|
```
|
|
377
377
|
|
|
378
|
+
[test-cvs]: ...
|
|
379
|
+
|
|
380
|
+
### `Test::Integration::ContinuousVulnerabilityScanning EE|<full image address>`
|
|
381
|
+
|
|
382
|
+
This tests [Continuous Vulnerability Scanning](https://docs.gitlab.com/ee/user/application_security/continuous_vulnerability_scanning/)
|
|
383
|
+
which is functionality to allow updated vulnerabilities to be downloaded and shown for
|
|
384
|
+
relevant software dependencies.
|
|
385
|
+
|
|
386
|
+
It is designed to run against a particular end to end spec as per the example.
|
|
387
|
+
|
|
388
|
+
It is EE functionality and requires a license to be set.
|
|
389
|
+
|
|
390
|
+
**Required environment variables:**
|
|
391
|
+
|
|
392
|
+
- `EE_LICENSE`: A valid EE license.
|
|
393
|
+
|
|
394
|
+
Example:
|
|
395
|
+
|
|
396
|
+
```shell
|
|
397
|
+
$ export EE_LICENSE=$(cat /path/to/gitlab_license)
|
|
398
|
+
$ export GITLAB_LICENSE_MODE=test
|
|
399
|
+
$ gitlab-qa Test::Integration::ContinuousVulnerabilityScanning EE
|
|
400
|
+
````
|
|
401
|
+
|
|
378
402
|
[test-geo]: https://gitlab.com/gitlab-org/gitlab-ee/blob/master/qa/qa/ee/scenario/test/geo.rb
|
|
379
403
|
|
|
380
404
|
### `Test::Integration::GitalyCluster CE|EE|<full image address>`
|
|
@@ -1166,7 +1190,7 @@ Testing import [by direct transfer](https://docs.gitlab.com/ee/user/group/import
|
|
|
1166
1190
|
|
|
1167
1191
|
### `AiGateway` Scenarios
|
|
1168
1192
|
|
|
1169
|
-
The following `AiGateway` scenarios spin up a GitLab Omnibus instance integrated with a test AI Gateway using [
|
|
1193
|
+
The following `AiGateway` scenarios spin up a GitLab Omnibus instance integrated with a test AI Gateway using [mocked models](https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist#mocking-ai-model-responses). These scenarios help to verify various configurations of cloud licensing and seat assignment work as expected when authenticating for AI features on self-managed instances.
|
|
1170
1194
|
|
|
1171
1195
|
**Required environment variables:**
|
|
1172
1196
|
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
{"advisory":{"id":"<%= SecureRandom.uuid %>","source":"glad","title":"Arbitrary test vulnerability","description":"An arbitrary vulnerability exists for testing. This vulnerability should be picked up by Continuous Vulnerability Scanning.","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","published_date":"<%= Date.today.prev_day.iso8601 %>","urls":["https://gitlab.com/willmeek"],"identifiers":[{"type":"cve","name":"CVE-2124-12345","value":"CVE-2124-12345","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2124-12345"},{"type":"ghsa","name":"GHSA-abcd-123e-fg4h","value":"GHSA-abcd-123e-fg4h","url":"https://gitlab.com/willmeek"},{"type":"cwe","name":"CWE-42","value":"42","url":"https://gitlab.com/willmeek"}]},"packages":[{"name":"RedCloth","purl_type":"gem","affected_range":"<=3.39.0","solution":"Upgrade to version 3.39.0 or above.","fixed_versions":["3.39.0"]}]}
|
|
2
|
+
{"advisory":{"id":"<%= SecureRandom.uuid %>","source":"glad","title":"Outdated test vulnerability","description":"An Outdated vulnerability exists for testing. This vulnerability should NOT be picked up by Continuous Vulnerability Scanning.","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","published_date":"<%= (Date.today - 15).iso8601 %>","urls":["https://gitlab.com/willmeek"],"identifiers":[{"type":"cve","name":"CVE-2124-54321","value":"CVE-2124-54321","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2124-54321"},{"type":"ghsa","name":"GHSA-abcd-321e-fg4h","value":"GHSA-abcd-321e-fg4h","url":"https://gitlab.com/willmeek"},{"type":"cwe","name":"CWE-43","value":"43","url":"https://gitlab.com/willmeek"}]},"packages":[{"name":"RedCloth","purl_type":"gem","affected_range":"<=3.39.0","solution":"Upgrade to version 3.39.0 or above.","fixed_versions":["3.39.0"]}]}
|
|
@@ -76,6 +76,14 @@ module Gitlab
|
|
|
76
76
|
-----END PRIVATE KEY-----
|
|
77
77
|
VALIDATION_KEY
|
|
78
78
|
|
|
79
|
+
def initialize
|
|
80
|
+
super
|
|
81
|
+
|
|
82
|
+
# These keys are test keys and are safe to be shared, but masking them in logs so they do not raise concern
|
|
83
|
+
@secrets << TEST_SIGNING_KEY
|
|
84
|
+
@secrets << TEST_VALIDATION_KEY
|
|
85
|
+
end
|
|
86
|
+
|
|
79
87
|
def name
|
|
80
88
|
@name ||= 'ai-gateway'
|
|
81
89
|
end
|
|
@@ -17,7 +17,8 @@ module Gitlab
|
|
|
17
17
|
:environment,
|
|
18
18
|
:runner_network,
|
|
19
19
|
:airgapped_network,
|
|
20
|
-
:additional_hosts
|
|
20
|
+
:additional_hosts,
|
|
21
|
+
:secrets
|
|
21
22
|
|
|
22
23
|
def initialize
|
|
23
24
|
@docker = Docker::Engine.new
|
|
@@ -28,6 +29,7 @@ module Gitlab
|
|
|
28
29
|
@network_aliases = []
|
|
29
30
|
@exec_commands = []
|
|
30
31
|
@additional_hosts = []
|
|
32
|
+
@secrets = []
|
|
31
33
|
end
|
|
32
34
|
|
|
33
35
|
def add_network_alias(name)
|
|
@@ -109,7 +111,7 @@ module Gitlab
|
|
|
109
111
|
end
|
|
110
112
|
|
|
111
113
|
def start # rubocop:disable Metrics/AbcSize
|
|
112
|
-
docker.run(image: image, tag: tag) do |command|
|
|
114
|
+
docker.run(image: image, tag: tag, mask_secrets: secrets) do |command|
|
|
113
115
|
command << "-d"
|
|
114
116
|
command << "--name #{name}"
|
|
115
117
|
command << "--net #{network}"
|
|
@@ -29,8 +29,7 @@ module Gitlab
|
|
|
29
29
|
:seed_admin_token,
|
|
30
30
|
:seed_db,
|
|
31
31
|
:skip_server_hooks,
|
|
32
|
-
:gitaly_tls
|
|
33
|
-
:secrets
|
|
32
|
+
:gitaly_tls
|
|
34
33
|
|
|
35
34
|
attr_writer :name, :relative_path
|
|
36
35
|
|
|
@@ -52,7 +51,6 @@ module Gitlab
|
|
|
52
51
|
@seed_admin_token = Runtime::Scenario.seed_admin_token
|
|
53
52
|
@seed_db = Runtime::Scenario.seed_db
|
|
54
53
|
@skip_server_hooks = Runtime::Scenario.skip_server_hooks
|
|
55
|
-
@secrets = []
|
|
56
54
|
|
|
57
55
|
self.release = 'CE'
|
|
58
56
|
end
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'date'
|
|
4
|
+
require 'erb'
|
|
5
|
+
require 'pathname'
|
|
6
|
+
|
|
7
|
+
module Gitlab
|
|
8
|
+
module QA
|
|
9
|
+
module Scenario
|
|
10
|
+
module Test
|
|
11
|
+
module Integration
|
|
12
|
+
class ContinuousVulnerabilityScanning < Scenario::Template
|
|
13
|
+
def initialize
|
|
14
|
+
@network = Runtime::Env.docker_network
|
|
15
|
+
@tag = 'secure_cvs'
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def perform(release, *rspec_args)
|
|
19
|
+
Component::Gitlab.perform do |gitlab|
|
|
20
|
+
setup_and_run_tests(gitlab, release, *rspec_args)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
private
|
|
25
|
+
|
|
26
|
+
def setup_and_run_tests(gitlab, release, *rspec_args)
|
|
27
|
+
set_up_gitlab(gitlab, release)
|
|
28
|
+
gitlab.instance do
|
|
29
|
+
place_new_vulnerabilities(gitlab)
|
|
30
|
+
run_specs(gitlab, *rspec_args)
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def set_up_gitlab(gitlab, release)
|
|
35
|
+
gitlab.release = QA::Release.new(release)
|
|
36
|
+
gitlab.name = 'gitlab'
|
|
37
|
+
gitlab.network = @network
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def place_new_vulnerabilities(gitlab)
|
|
41
|
+
write_vulnerabilities(gitlab, generate_filepath, generate_vulnerabilities)
|
|
42
|
+
start_advisory_sync_worker(gitlab)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def generate_vulnerabilities
|
|
46
|
+
template = File.read(File.expand_path('../../../../../../fixtures/cvs/vulnerabilities_template.erb', __dir__))
|
|
47
|
+
ERB.new(template).result(binding)
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def generate_filepath
|
|
51
|
+
File.join(
|
|
52
|
+
"/opt/gitlab/embedded/service/gitlab-rails/vendor/package_metadata/advisories/v2/rubygem/#{Time.now.to_i}",
|
|
53
|
+
'000000000.ndjson'
|
|
54
|
+
)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def write_vulnerabilities(gitlab, filepath, content)
|
|
58
|
+
gitlab.docker.exec(gitlab.name, "mkdir -p #{File.dirname(filepath)}")
|
|
59
|
+
gitlab.docker.write_files(gitlab.name) { |f| f.write(filepath, content, false) }
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def start_advisory_sync_worker(gitlab)
|
|
63
|
+
gitlab.docker.exec(gitlab.name, "PM_SYNC_IN_DEV=true gitlab-rails runner 'loop do PackageMetadata::AdvisoriesSyncWorker.new.perform; sleep 30; end' &")
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def run_specs(gitlab, *rspec_args)
|
|
67
|
+
Runtime::Logger.info('Running Continuous Vulnerability Scanning spec...')
|
|
68
|
+
rspec_args << "--" unless rspec_args.include?('--')
|
|
69
|
+
rspec_args << "--tag" << @tag
|
|
70
|
+
run_spec_component(gitlab, rspec_args)
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def run_spec_component(gitlab, rspec_args)
|
|
74
|
+
Component::Specs.perform do |specs|
|
|
75
|
+
specs.suite = 'Test::Instance::All'
|
|
76
|
+
specs.release = gitlab.release
|
|
77
|
+
specs.network = gitlab.network
|
|
78
|
+
specs.args = [gitlab.address, *rspec_args]
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
end
|
data/lib/gitlab/qa/version.rb
CHANGED
|
@@ -18,6 +18,7 @@ class AdminAccessTokenSeed
|
|
|
18
18
|
|
|
19
19
|
admin_user.personal_access_tokens.build(token_params).tap do |pat|
|
|
20
20
|
pat.set_token(TOKEN_VALUE)
|
|
21
|
+
pat.organization = Organizations::Organization.default_organization if Gitlab.version_info >= Gitlab::VersionInfo.new(17, 4)
|
|
21
22
|
pat.save!
|
|
22
23
|
end
|
|
23
24
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: gitlab-qa
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 14.
|
|
4
|
+
version: 14.15.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GitLab Quality
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-09-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: climate_control
|
|
@@ -376,6 +376,7 @@ files:
|
|
|
376
376
|
- docs/waits.md
|
|
377
377
|
- docs/what_tests_can_be_run.md
|
|
378
378
|
- exe/gitlab-qa
|
|
379
|
+
- fixtures/cvs/vulnerabilities_template.erb
|
|
379
380
|
- fixtures/ldap/1_add_nodes.ldif
|
|
380
381
|
- fixtures/ldap/2_add_users.ldif
|
|
381
382
|
- fixtures/ldap/3_add_groups.ldif
|
|
@@ -450,6 +451,7 @@ files:
|
|
|
450
451
|
- lib/gitlab/qa/scenario/test/integration/ai_gateway_no_seat_assigned.rb
|
|
451
452
|
- lib/gitlab/qa/scenario/test/integration/chaos.rb
|
|
452
453
|
- lib/gitlab/qa/scenario/test/integration/client_ssl.rb
|
|
454
|
+
- lib/gitlab/qa/scenario/test/integration/continuous_vulnerability_scanning.rb
|
|
453
455
|
- lib/gitlab/qa/scenario/test/integration/elasticsearch.rb
|
|
454
456
|
- lib/gitlab/qa/scenario/test/integration/geo.rb
|
|
455
457
|
- lib/gitlab/qa/scenario/test/integration/gitaly_cluster.rb
|