gitlab-qa 14.13.0 → 14.15.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitlab-ci.yml +1 -1
- data/Gemfile.lock +1 -1
- data/docs/run_qa_against_gdk.md +6 -0
- data/docs/what_tests_can_be_run.md +25 -1
- data/fixtures/cvs/vulnerabilities_template.erb +2 -0
- data/lib/gitlab/qa/component/ai_gateway.rb +8 -0
- data/lib/gitlab/qa/component/base.rb +4 -2
- data/lib/gitlab/qa/component/gitlab.rb +1 -3
- data/lib/gitlab/qa/scenario/test/integration/continuous_vulnerability_scanning.rb +86 -0
- data/lib/gitlab/qa/version.rb +1 -1
- data/support/data/admin_access_token_seed.rb +1 -0
- metadata +4 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 497913af708d5bd502f32c82f052d0dbcfddb70142979c9e2ecf76ea40ab76d8
|
|
4
|
+
data.tar.gz: 730eec75c41c7805635602a68d461844062dc786bf953071bc80a0256f5fec97
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e8e4b3d39cf8cdf652cdd0001bd1f3238e8f707e51159b3e48a8bf43d8827485684e18734b345a8a793afdb36bdc2fb8fe36437160ee997dc6a04a4647fb1b7b
|
|
7
|
+
data.tar.gz: c353c880a71f75860f0ffb6e8bfd13360680bdc5f31573abaa12b455194529273498728d9bbbbe48b61ffda62fddf1b7e02ddc93d5e1abb1ca96e0cbd68ae2be
|
data/.gitlab-ci.yml
CHANGED
|
@@ -152,7 +152,7 @@ package-and-test:
|
|
|
152
152
|
include:
|
|
153
153
|
- project: gitlab-org/gitlab
|
|
154
154
|
ref: master
|
|
155
|
-
file: .gitlab/ci/
|
|
155
|
+
file: .gitlab/ci/test-on-omnibus/main.gitlab-ci.yml
|
|
156
156
|
rules:
|
|
157
157
|
- if: '$CI_MERGE_REQUEST_IID'
|
|
158
158
|
when: manual
|
data/Gemfile.lock
CHANGED
data/docs/run_qa_against_gdk.md
CHANGED
|
@@ -59,6 +59,12 @@ variable.
|
|
|
59
59
|
export GITLAB_INITIAL_ROOT_PASSWORD="<GDK root password>"
|
|
60
60
|
```
|
|
61
61
|
|
|
62
|
+
**Note**: If you encounter the following error, you can resolve it by unsetting the Docker host environment variable using the command `unset DOCKER_HOST`:
|
|
63
|
+
|
|
64
|
+
```
|
|
65
|
+
ERROR: error during connect: get "http://docker.local:2375/v1.24/images/json": dial tcp: lookup docker.local: no such host
|
|
66
|
+
```
|
|
67
|
+
|
|
62
68
|
### Running EE tests
|
|
63
69
|
|
|
64
70
|
When running EE tests you'll need to have a license available. GitLab engineers can [request a license](https://about.gitlab.com/handbook/developer-onboarding/#working-on-gitlab-ee).
|
|
@@ -375,6 +375,30 @@ $ export EE_LICENSE=$(cat /path/to/Geo.gitlab_license)
|
|
|
375
375
|
$ gitlab-qa Test::Integration::Geo EE
|
|
376
376
|
```
|
|
377
377
|
|
|
378
|
+
[test-cvs]: ...
|
|
379
|
+
|
|
380
|
+
### `Test::Integration::ContinuousVulnerabilityScanning EE|<full image address>`
|
|
381
|
+
|
|
382
|
+
This tests [Continuous Vulnerability Scanning](https://docs.gitlab.com/ee/user/application_security/continuous_vulnerability_scanning/)
|
|
383
|
+
which is functionality to allow updated vulnerabilities to be downloaded and shown for
|
|
384
|
+
relevant software dependencies.
|
|
385
|
+
|
|
386
|
+
It is designed to run against a particular end to end spec as per the example.
|
|
387
|
+
|
|
388
|
+
It is EE functionality and requires a license to be set.
|
|
389
|
+
|
|
390
|
+
**Required environment variables:**
|
|
391
|
+
|
|
392
|
+
- `EE_LICENSE`: A valid EE license.
|
|
393
|
+
|
|
394
|
+
Example:
|
|
395
|
+
|
|
396
|
+
```shell
|
|
397
|
+
$ export EE_LICENSE=$(cat /path/to/gitlab_license)
|
|
398
|
+
$ export GITLAB_LICENSE_MODE=test
|
|
399
|
+
$ gitlab-qa Test::Integration::ContinuousVulnerabilityScanning EE
|
|
400
|
+
````
|
|
401
|
+
|
|
378
402
|
[test-geo]: https://gitlab.com/gitlab-org/gitlab-ee/blob/master/qa/qa/ee/scenario/test/geo.rb
|
|
379
403
|
|
|
380
404
|
### `Test::Integration::GitalyCluster CE|EE|<full image address>`
|
|
@@ -1166,7 +1190,7 @@ Testing import [by direct transfer](https://docs.gitlab.com/ee/user/group/import
|
|
|
1166
1190
|
|
|
1167
1191
|
### `AiGateway` Scenarios
|
|
1168
1192
|
|
|
1169
|
-
The following `AiGateway` scenarios spin up a GitLab Omnibus instance integrated with a test AI Gateway using [
|
|
1193
|
+
The following `AiGateway` scenarios spin up a GitLab Omnibus instance integrated with a test AI Gateway using [mocked models](https://gitlab.com/gitlab-org/modelops/applied-ml/code-suggestions/ai-assist#mocking-ai-model-responses). These scenarios help to verify various configurations of cloud licensing and seat assignment work as expected when authenticating for AI features on self-managed instances.
|
|
1170
1194
|
|
|
1171
1195
|
**Required environment variables:**
|
|
1172
1196
|
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
{"advisory":{"id":"<%= SecureRandom.uuid %>","source":"glad","title":"Arbitrary test vulnerability","description":"An arbitrary vulnerability exists for testing. This vulnerability should be picked up by Continuous Vulnerability Scanning.","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","published_date":"<%= Date.today.prev_day.iso8601 %>","urls":["https://gitlab.com/willmeek"],"identifiers":[{"type":"cve","name":"CVE-2124-12345","value":"CVE-2124-12345","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2124-12345"},{"type":"ghsa","name":"GHSA-abcd-123e-fg4h","value":"GHSA-abcd-123e-fg4h","url":"https://gitlab.com/willmeek"},{"type":"cwe","name":"CWE-42","value":"42","url":"https://gitlab.com/willmeek"}]},"packages":[{"name":"RedCloth","purl_type":"gem","affected_range":"<=3.39.0","solution":"Upgrade to version 3.39.0 or above.","fixed_versions":["3.39.0"]}]}
|
|
2
|
+
{"advisory":{"id":"<%= SecureRandom.uuid %>","source":"glad","title":"Outdated test vulnerability","description":"An Outdated vulnerability exists for testing. This vulnerability should NOT be picked up by Continuous Vulnerability Scanning.","cvss_v3":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","published_date":"<%= (Date.today - 15).iso8601 %>","urls":["https://gitlab.com/willmeek"],"identifiers":[{"type":"cve","name":"CVE-2124-54321","value":"CVE-2124-54321","url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2124-54321"},{"type":"ghsa","name":"GHSA-abcd-321e-fg4h","value":"GHSA-abcd-321e-fg4h","url":"https://gitlab.com/willmeek"},{"type":"cwe","name":"CWE-43","value":"43","url":"https://gitlab.com/willmeek"}]},"packages":[{"name":"RedCloth","purl_type":"gem","affected_range":"<=3.39.0","solution":"Upgrade to version 3.39.0 or above.","fixed_versions":["3.39.0"]}]}
|
|
@@ -76,6 +76,14 @@ module Gitlab
|
|
|
76
76
|
-----END PRIVATE KEY-----
|
|
77
77
|
VALIDATION_KEY
|
|
78
78
|
|
|
79
|
+
def initialize
|
|
80
|
+
super
|
|
81
|
+
|
|
82
|
+
# These keys are test keys and are safe to be shared, but masking them in logs so they do not raise concern
|
|
83
|
+
@secrets << TEST_SIGNING_KEY
|
|
84
|
+
@secrets << TEST_VALIDATION_KEY
|
|
85
|
+
end
|
|
86
|
+
|
|
79
87
|
def name
|
|
80
88
|
@name ||= 'ai-gateway'
|
|
81
89
|
end
|
|
@@ -17,7 +17,8 @@ module Gitlab
|
|
|
17
17
|
:environment,
|
|
18
18
|
:runner_network,
|
|
19
19
|
:airgapped_network,
|
|
20
|
-
:additional_hosts
|
|
20
|
+
:additional_hosts,
|
|
21
|
+
:secrets
|
|
21
22
|
|
|
22
23
|
def initialize
|
|
23
24
|
@docker = Docker::Engine.new
|
|
@@ -28,6 +29,7 @@ module Gitlab
|
|
|
28
29
|
@network_aliases = []
|
|
29
30
|
@exec_commands = []
|
|
30
31
|
@additional_hosts = []
|
|
32
|
+
@secrets = []
|
|
31
33
|
end
|
|
32
34
|
|
|
33
35
|
def add_network_alias(name)
|
|
@@ -109,7 +111,7 @@ module Gitlab
|
|
|
109
111
|
end
|
|
110
112
|
|
|
111
113
|
def start # rubocop:disable Metrics/AbcSize
|
|
112
|
-
docker.run(image: image, tag: tag) do |command|
|
|
114
|
+
docker.run(image: image, tag: tag, mask_secrets: secrets) do |command|
|
|
113
115
|
command << "-d"
|
|
114
116
|
command << "--name #{name}"
|
|
115
117
|
command << "--net #{network}"
|
|
@@ -29,8 +29,7 @@ module Gitlab
|
|
|
29
29
|
:seed_admin_token,
|
|
30
30
|
:seed_db,
|
|
31
31
|
:skip_server_hooks,
|
|
32
|
-
:gitaly_tls
|
|
33
|
-
:secrets
|
|
32
|
+
:gitaly_tls
|
|
34
33
|
|
|
35
34
|
attr_writer :name, :relative_path
|
|
36
35
|
|
|
@@ -52,7 +51,6 @@ module Gitlab
|
|
|
52
51
|
@seed_admin_token = Runtime::Scenario.seed_admin_token
|
|
53
52
|
@seed_db = Runtime::Scenario.seed_db
|
|
54
53
|
@skip_server_hooks = Runtime::Scenario.skip_server_hooks
|
|
55
|
-
@secrets = []
|
|
56
54
|
|
|
57
55
|
self.release = 'CE'
|
|
58
56
|
end
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
# frozen_string_literal: true
|
|
2
|
+
|
|
3
|
+
require 'date'
|
|
4
|
+
require 'erb'
|
|
5
|
+
require 'pathname'
|
|
6
|
+
|
|
7
|
+
module Gitlab
|
|
8
|
+
module QA
|
|
9
|
+
module Scenario
|
|
10
|
+
module Test
|
|
11
|
+
module Integration
|
|
12
|
+
class ContinuousVulnerabilityScanning < Scenario::Template
|
|
13
|
+
def initialize
|
|
14
|
+
@network = Runtime::Env.docker_network
|
|
15
|
+
@tag = 'secure_cvs'
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
def perform(release, *rspec_args)
|
|
19
|
+
Component::Gitlab.perform do |gitlab|
|
|
20
|
+
setup_and_run_tests(gitlab, release, *rspec_args)
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
private
|
|
25
|
+
|
|
26
|
+
def setup_and_run_tests(gitlab, release, *rspec_args)
|
|
27
|
+
set_up_gitlab(gitlab, release)
|
|
28
|
+
gitlab.instance do
|
|
29
|
+
place_new_vulnerabilities(gitlab)
|
|
30
|
+
run_specs(gitlab, *rspec_args)
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
|
|
34
|
+
def set_up_gitlab(gitlab, release)
|
|
35
|
+
gitlab.release = QA::Release.new(release)
|
|
36
|
+
gitlab.name = 'gitlab'
|
|
37
|
+
gitlab.network = @network
|
|
38
|
+
end
|
|
39
|
+
|
|
40
|
+
def place_new_vulnerabilities(gitlab)
|
|
41
|
+
write_vulnerabilities(gitlab, generate_filepath, generate_vulnerabilities)
|
|
42
|
+
start_advisory_sync_worker(gitlab)
|
|
43
|
+
end
|
|
44
|
+
|
|
45
|
+
def generate_vulnerabilities
|
|
46
|
+
template = File.read(File.expand_path('../../../../../../fixtures/cvs/vulnerabilities_template.erb', __dir__))
|
|
47
|
+
ERB.new(template).result(binding)
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
def generate_filepath
|
|
51
|
+
File.join(
|
|
52
|
+
"/opt/gitlab/embedded/service/gitlab-rails/vendor/package_metadata/advisories/v2/rubygem/#{Time.now.to_i}",
|
|
53
|
+
'000000000.ndjson'
|
|
54
|
+
)
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def write_vulnerabilities(gitlab, filepath, content)
|
|
58
|
+
gitlab.docker.exec(gitlab.name, "mkdir -p #{File.dirname(filepath)}")
|
|
59
|
+
gitlab.docker.write_files(gitlab.name) { |f| f.write(filepath, content, false) }
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def start_advisory_sync_worker(gitlab)
|
|
63
|
+
gitlab.docker.exec(gitlab.name, "PM_SYNC_IN_DEV=true gitlab-rails runner 'loop do PackageMetadata::AdvisoriesSyncWorker.new.perform; sleep 30; end' &")
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def run_specs(gitlab, *rspec_args)
|
|
67
|
+
Runtime::Logger.info('Running Continuous Vulnerability Scanning spec...')
|
|
68
|
+
rspec_args << "--" unless rspec_args.include?('--')
|
|
69
|
+
rspec_args << "--tag" << @tag
|
|
70
|
+
run_spec_component(gitlab, rspec_args)
|
|
71
|
+
end
|
|
72
|
+
|
|
73
|
+
def run_spec_component(gitlab, rspec_args)
|
|
74
|
+
Component::Specs.perform do |specs|
|
|
75
|
+
specs.suite = 'Test::Instance::All'
|
|
76
|
+
specs.release = gitlab.release
|
|
77
|
+
specs.network = gitlab.network
|
|
78
|
+
specs.args = [gitlab.address, *rspec_args]
|
|
79
|
+
end
|
|
80
|
+
end
|
|
81
|
+
end
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
end
|
|
85
|
+
end
|
|
86
|
+
end
|
data/lib/gitlab/qa/version.rb
CHANGED
|
@@ -18,6 +18,7 @@ class AdminAccessTokenSeed
|
|
|
18
18
|
|
|
19
19
|
admin_user.personal_access_tokens.build(token_params).tap do |pat|
|
|
20
20
|
pat.set_token(TOKEN_VALUE)
|
|
21
|
+
pat.organization = Organizations::Organization.default_organization if Gitlab.version_info >= Gitlab::VersionInfo.new(17, 4)
|
|
21
22
|
pat.save!
|
|
22
23
|
end
|
|
23
24
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: gitlab-qa
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 14.
|
|
4
|
+
version: 14.15.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- GitLab Quality
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-09-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: climate_control
|
|
@@ -376,6 +376,7 @@ files:
|
|
|
376
376
|
- docs/waits.md
|
|
377
377
|
- docs/what_tests_can_be_run.md
|
|
378
378
|
- exe/gitlab-qa
|
|
379
|
+
- fixtures/cvs/vulnerabilities_template.erb
|
|
379
380
|
- fixtures/ldap/1_add_nodes.ldif
|
|
380
381
|
- fixtures/ldap/2_add_users.ldif
|
|
381
382
|
- fixtures/ldap/3_add_groups.ldif
|
|
@@ -450,6 +451,7 @@ files:
|
|
|
450
451
|
- lib/gitlab/qa/scenario/test/integration/ai_gateway_no_seat_assigned.rb
|
|
451
452
|
- lib/gitlab/qa/scenario/test/integration/chaos.rb
|
|
452
453
|
- lib/gitlab/qa/scenario/test/integration/client_ssl.rb
|
|
454
|
+
- lib/gitlab/qa/scenario/test/integration/continuous_vulnerability_scanning.rb
|
|
453
455
|
- lib/gitlab/qa/scenario/test/integration/elasticsearch.rb
|
|
454
456
|
- lib/gitlab/qa/scenario/test/integration/geo.rb
|
|
455
457
|
- lib/gitlab/qa/scenario/test/integration/gitaly_cluster.rb
|