Merge remote-tracking branch 'origin/develop' into fb-optic-174

HumanSignal · Oct 19, 2023 · 824d2e9 · 824d2e9
2 parents 7fb02c8 + a7a71e5
commit 824d2e9
Show file tree

Hide file tree

Showing 63 changed files with 761 additions and 224 deletions.
diff --git a/.github/workflows/delete_pr_branch.yml b/.github/workflows/delete_pr_branch.yml
@@ -15,12 +15,15 @@ jobs:
       - name: Delete branch
         uses: actions/github-script@v6
         if: startsWith(github.event.pull_request.head.ref, 'fb-')
+        env:
+          HEAD_REF: ${{ github.event.pull_request.head.ref }}
         with:
           script: |
             const { repo, owner } = context.repo;
+            const head_ref = process.env.HEAD_REF;
             await github.rest.git.deleteRef({
               owner,
               repo,
-              ref: 'heads/${{ github.event.pull_request.head.ref }}',
+              ref: `heads/${head_ref}`,
             });
-            console.log(`Branch ${{ github.event.pull_request.head.ref }} is deleted`)
+            console.log(`Branch ${head_ref} is deleted`)
diff --git a/.github/workflows/follow-merge-sync-pr.yml b/.github/workflows/follow-merge-sync-pr.yml
@@ -19,7 +19,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref }}
 
 env:
-  DOWNSTREAM_REPO: label-studio-enterprise
+  DOWNSTREAM_REPOSITORY: "label-studio-enterprise"
+  DOWNSTREAM_EVENT_TYPE: "upstream_repo_update"
 
 jobs:
   sync:
@@ -59,7 +60,7 @@ jobs:
               body: [
                 'Hi @${{ github.actor }}!',
                 '',
-                `Unfortunately you don't have membership in ${owner} organization, your PR wasn't synced with ${owner}/${{ env.DOWNSTREAM_REPO }}.`
+                `Unfortunately you don't have membership in ${owner} organization, your PR wasn't synced with ${owner}/${{ env.DOWNSTREAM_REPOSITORY }}.`
               ].join('\n')
             });
 
@@ -69,16 +70,26 @@ jobs:
         id: sync-pr
         env:
           TITLE: ${{ github.event.pull_request.title }}
+          HEAD_REF: ${{ github.head_ref }}
+          BASE_REF: ${{ github.base_ref }}
+          PR_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name || github.repository }}
+          DOWNSTREAM_REPOSITORY: ${{ env.DOWNSTREAM_REPOSITORY }}
+          DOWNSTREAM_EVENT_TYPE: ${{ env.DOWNSTREAM_EVENT_TYPE }}
         with:
           github-token: ${{ secrets.GIT_PAT }}
           script: |
             const { repo, owner } = context.repo;
-            const [pr_owner, pr_repo] = '${{ github.event.pull_request.head.repo.full_name || github.repository }}'.split('/');
-            let event_action = '${{ github.event.action }}'
-            let commit_sha = '${{ github.event.pull_request.head.sha }}'
+            const pr_head_repository = process.env.PR_HEAD_REPOSITORY;
+            const downstream_repository = process.env.DOWNSTREAM_REPOSITORY;
+            const downstream_event_type = process.env.DOWNSTREAM_EVENT_TYPE;
+            const [pr_owner, pr_repo] = pr_head_repository.split('/');
+            const head_ref = process.env.HEAD_REF;
+            const base_ref = process.env.BASE_REF;
+            let event_action = '${{ github.event.action }}';
+            let commit_sha = '${{ github.event.pull_request.head.sha }}';
             if (${{ github.event.pull_request.merged }}) {
-              event_action = 'merged'
-              commit_sha = '${{ github.sha }}'
+              event_action = 'merged';
+              commit_sha = '${{ github.sha }}';
             }
             const getCommitResponse = await github.rest.repos.getCommit({
               owner: pr_owner,
@@ -87,11 +98,11 @@ jobs:
             });
             const result = await github.rest.repos.createDispatchEvent({
               owner: owner,
-              repo: '${{ env.DOWNSTREAM_REPO }}',
-              event_type: 'upstream_repo_update',
+              repo: downstream_repository,
+              event_type: downstream_event_type,
               client_payload: {
-                branch_name: '${{ github.head_ref }}',
-                base_branch_name: '${{ github.base_ref }}',
+                branch_name: head_ref,
+                base_branch_name: base_ref,
                 repo_name: '${{ github.repository }}',
                 commit_sha : commit_sha,
                 title: process.env.TITLE,

diff --git a/.github/workflows/invite-check.yml b/.github/workflows/invite-check.yml
@@ -9,7 +9,7 @@ env:
   INVITE_LINK: 'https://slack.labelstud.io/'
 
 jobs:
-  check:
+  check_link:
     runs-on: ubuntu-latest
     steps:
       - name: Check if the invite link is valid
@@ -27,17 +27,20 @@ jobs:
         env:
           SLACK_BOT_TOKEN: ${{ secrets.SLACK_LS_BOT_TOKEN }}
 
+  check_domains:
+    runs-on: ubuntu-latest
+    steps:
       - name: Check if the invite link has teamDomains arg
         id: invite_link_has_teamdomains
         run: |
           grep -Eo '(&quot;|")teamSignupDomains(&quot;|")\s*:\s*\[\]' <(
               curl --silent --location ${{ env.INVITE_LINK }} -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0' -H "Accept: application/json"
           )
-      - name: Notify to Slack
-        if: always() && steps.invite_link_has_teamdomains.outcome == 'failure'
-        uses: slackapi/slack-github-action@v1.24
-        with:
-          channel-id: '${{ secrets.SLACK_LS_MONITORING_CHANNEL }}'
-          slack-message: "Our <${{ env.INVITE_LINK }}|public invite link> was configured to allow signups only from a list of allowed domains:\n1. Go to <https://label-studio.slack.com/admin/settings|Workspace settings>, next to `Joining This Workspace`, click `Expand`.\n2. Delete all domains from the list, select `Allow invitations` and click `Save`."
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.SLACK_LS_BOT_TOKEN }}
+#      - name: Notify to Slack
+#        if: always() && steps.invite_link_has_teamdomains.outcome == 'failure'
+#        uses: slackapi/slack-github-action@v1.24
+#        with:
+#          channel-id: '${{ secrets.SLACK_LS_MONITORING_CHANNEL }}'
+#          slack-message: "Our <${{ env.INVITE_LINK }}|public invite link> was configured to allow signups only from a list of allowed domains:\n1. Go to <https://label-studio.slack.com/admin/settings|Workspace settings>, next to `Joining This Workspace`, click `Expand`.\n2. Delete all domains from the list, select `Allow invitations` and click `Save`."
+#        env:
+#          SLACK_BOT_TOKEN: ${{ secrets.SLACK_LS_BOT_TOKEN }}
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -29,7 +29,7 @@ jobs:
       - uses: hmarr/debug-action@v2.1.0
 
       - name: "Validate PR's title"
-        uses: thehanimo/pr-title-checker@v1.4.0
+        uses: thehanimo/pr-title-checker@v1.4.1
         with:
           GITHUB_TOKEN: ${{ github.token }}
           pass_on_octokit_error: false

diff --git a/deploy/requirements-test.txt b/deploy/requirements-test.txt
@@ -3,7 +3,8 @@ pytest-cov==2.12.1
 pytest-django==4.1.0
 pytest-mock==1.10.3
 requests-mock==1.5.2
-moto==1.3.16.dev122
+moto==4.2.6
+mock==5.1.0
 tavern==2.3.0
 fakeredis==1.5.0
 pytest-env==0.6.2

diff --git a/deploy/requirements.txt b/deploy/requirements.txt
@@ -64,4 +64,4 @@ sentry-sdk>=1.1.0
 launchdarkly-server-sdk==7.5.0
 python-json-logger==2.0.4
 
-label-studio-converter==0.0.55
+label-studio-converter==0.0.57
diff --git a/docs/scripts/index.js b/docs/scripts/index.js
@@ -1,3 +1,5 @@
-var breadcrumb = require('./breadcrumb')(hexo);
+var breadcrumb = require("./breadcrumb")(hexo);
+var removeContent = require("./removeContent")(hexo);
 
-hexo.extend.helper.register('breadcrumb', breadcrumb, {async: true});
+hexo.extend.helper.register("breadcrumb", breadcrumb, { async: true });
+hexo.extend.helper.register("removeContent", removeContent, { async: true });
diff --git a/docs/scripts/removeContent.js b/docs/scripts/removeContent.js
@@ -1,17 +1,21 @@
-var HTMLParser = require('node-html-parser');
+var HTMLParser = require("node-html-parser");
 
-hexo.extend.filter.register('after_render:html', function(data) {
+module.exports = function (ctx) {
+  return function includeTag(content) {
+    const { config } = ctx;
 
-  const { config } = this;
+    /* If you’re on the OSS site, remove every `.enterprise-only` element. Opposite for the ENT site */
+    const classToRemove =
+      config.theme_config.tier === "opensource"
+        ? ".enterprise-only"
+        : ".opensource-only";
 
-  /* If you’re on the OSS site, remove every `.enterprise-only` element. Opposite for the ENT site */
-  const classToRemove = config.theme_config.tier === "opensource" ? ".enterprise-only" : ".opensource-only";
+    const template = HTMLParser.parse(content);
 
-  const template = HTMLParser.parse(data);
+    template.querySelectorAll(classToRemove).forEach((x) => x.remove());
 
-  template.querySelectorAll(classToRemove).forEach(x=> x.remove()); 
+    content = template.toString();
 
-  data = template.toString();
-
-  return data;
-})
+    return content;
+  };
+};
diff --git a/docs/source/guide/auth_setup.md b/docs/source/guide/auth_setup.md
@@ -86,7 +86,9 @@ The details will vary depending on your IdP, but in general you will complete th
     * **Workspaces to Groups Mapping**---Add groups as members to workspaces. Users with Manager, Reviewer, or Annotator roles can only see workspaces after they've been added as a member to that workspace.
 
         Select an existing workspace or create a new one. You can map multiple groups to the same workspace. 
-    * **Projects to Groups Mapping**---Map groups to roles at the project level. Project-level roles can be **Annotator**, **Reviewer**, or **Inherit**. You can map multiple groups to the same roles and the same projects. For more information on roles, see [Roles in Label Studio Enterprise](manage_users#Roles-in-Label-Studio-Enterprise). 
+    * **Projects to Groups Mapping**---Map groups to roles at the project level. Project-level roles can be **Annotator**, **Reviewer**, or **Inherit**. 
+
+        You can map a group to different roles across multiple projects. You can also map multiple groups to the same roles and the same projects. For more information on roles, see [Roles in Label Studio Enterprise](manage_users#Roles-in-Label-Studio-Enterprise). 
 
         If you select **Inherit**, the group will inherit the role set above under **Organization Roles to Groups Mapping.** If the group is inheriting the Not Activated role, the users are mapped to the project, but they are not actually assigned to the project until the group is synced (meaning that the user authenticates with SSO). 
 4. Click **Save**.

diff --git a/docs/source/guide/helm_values.md b/docs/source/guide/helm_values.md
@@ -174,8 +174,8 @@ Parameters specific to the `app` portion of the Label Studio deployment.
 | `app.nginx.livenessProbe.periodSeconds`        | Nginx sidecar container: How often (in seconds) to perform the probe                                                 | `5`                      |
 | `app.nginx.livenessProbe.successThreshold`     | Nginx sidecar container: Minimum consecutive successes for the probe to be considered successful after having failed | `1`                      |
 | `app.nginx.livenessProbe.timeoutSeconds`       | Nginx sidecar container: Number of seconds after which the probe times out                                           | `3`                      |
-| `app.nginx.readinessProbe.enabled`             | Nginx sidecar container: Enable redinessProbe                                                                        | `true`                   |
-| `app.nginx.readinessProbe.path`                | Nginx sidecar container: Path for reasinessProbe                                                                     | `/version`               |
+| `app.nginx.readinessProbe.enabled`             | Nginx sidecar container: Enable readinessProbe                                                                        | `true`                   |
+| `app.nginx.readinessProbe.path`                | Nginx sidecar container: Path for readinessProbe                                                                     | `/version`               |
 | `app.nginx.readinessProbe.failureThreshold`    | Nginx sidecar container: When a probe fails, Kubernetes will try failureThreshold times before giving up             | `2`                      |
 | `app.nginx.readinessProbe.initialDelaySeconds` | Nginx sidecar container: Number of seconds after the container has started before probe initiates                    | `60`                     |
 | `app.nginx.readinessProbe.periodSeconds`       | Nginx sidecar container: How often (in seconds) to perform the probe                                                 | `10`                     |
@@ -294,8 +294,9 @@ Parameters specific to the `rqworkers` service of your Label Studio Enterprise d
 ## The `global.extraEnvironmentVars` usage
 
 The `global.extraEnvironmentVars` section can be used to configure environment properties of Label Studio.
-Any key value put under this section translates to environment variables
-used to control Label Studio's configuration. Every key is upper-cased before setting the environment variable.
+
+Any key value put under this section translates to environment variables used to control Label Studio's configuration. Every key is upper-cased before setting the environment variable.
+
 An example:
 
 ```yaml
@@ -304,11 +305,16 @@ global:
      PG_USER: labelstudio
 ```
 
+!!! note
+    If you are deploying to a production environment, you should set `SSRF_PROTECTION_ENABLED: true`. See [Secure Label Studio](security#Enable-SSRF-protection-for-production-environments). 
+
+
 ## The `global.featureFlags` usage
 
 The `global.featureFlags` section can be used to set feature flags of Label Studio.
-Any key value put under this section translates to environment variables
-used to control Label Studio's feature flags configuration. Every key should start from `ff_` or `fflag_` in lower case.
+
+Any key value put under this section translates to environment variables used to control Label Studio's feature flags configuration. Every key should start from `ff_` or `fflag_` in lower case.
+
 An example:
 
 ```yaml

diff --git a/docs/source/guide/install_enterprise_k8s.md b/docs/source/guide/install_enterprise_k8s.md
@@ -309,10 +309,13 @@ global:
 
 4. Install or upgrade Label Studio Enterprise using Helm.
 
-### Use Helm to install Label Studio Enterprise on your Kubernetes cluster
+## Use Helm to install Label Studio Enterprise on your Kubernetes cluster
 
 Use Helm to install Label Studio Enterprise on your Kubernetes cluster. Provide your custom resource definitions YAML file. Specify any environment variables that you need to set for your Label Studio Enterprise installation using the `--set` argument with the `helm install` command.
 
+!!! note
+    If you are deploying to a production environment, you should set the `SSRF_PROTECTION_ENABLED: true` environment variable. See [Secure Label Studio](security#Enable-SSRF-protection-for-production-environments).
+
 From the command line, run the following:
 ```shell
 helm install <RELEASE_NAME> heartex/label-studio -f ls-values.yaml

diff --git a/docs/source/guide/install_k8s.md b/docs/source/guide/install_k8s.md
@@ -150,10 +150,13 @@ global:
 
 4. Install or upgrade Label Studio using Helm.
 
-### Use Helm to install Label Studio on your Kubernetes cluster
+## Use Helm to install Label Studio on your Kubernetes cluster
 
 Use Helm to install Label Studio on your Kubernetes cluster. Provide your custom resource definitions YAML file. Specify any environment variables that you need to set for your Label Studio installation using the `--set` argument with the `helm install` command.
 
+!!! note
+    If you are deploying to a production environment, you should set the `SSRF_PROTECTION_ENABLED: true` environment variable. See [Secure Label Studio](security#Enable-SSRF-protection-for-production-environments).
+
 From the command line, run the following:
 
 ```shell

diff --git a/docs/source/guide/release_notes/onprem/2.5.0-1.md b/docs/source/guide/release_notes/onprem/2.5.0-1.md
@@ -1,11 +1,10 @@
----
-hide_sidebar: true
----
-
-## Label Studio Enterprise 2.5.0-1
-
-*Sep 30, 2023*
-
-### Security
-- Security fix for Data Manager task filters
-
+---
+hide_sidebar: true
+---
+
+## Label Studio Enterprise 2.5.0-1
+
+*Sep 30, 2023*
+
+### Security
+- Security fix for Data Manager
diff --git a/docs/source/guide/scim_setup.md b/docs/source/guide/scim_setup.md
@@ -113,7 +113,9 @@ The most convenient way to manage access to the application is via groups. You c
     * **Workspaces to Groups Mapping**---Add groups as members to workspaces. Users with Manager, Reviewer, or Annotator roles can only see workspaces after they've been added as a member to that workspace.
 
         Select an existing workspace or create a new one. You can map multiple groups to the same workspace.  
-    * **Projects to Groups Mapping**---Map groups to roles at the project level. Project-level roles can be **Annotator**, **Reviewer**, or **Inherit**. You can map multiple groups to the same roles and the same projects. For more information on roles, see [Roles in Label Studio Enterprise](manage_users#Roles-in-Label-Studio-Enterprise). 
+    * **Projects to Groups Mapping**---Map groups to roles at the project level. Project-level roles can be **Annotator**, **Reviewer**, or **Inherit**. 
+
+        You can map a group to different roles across multiple projects. You can also map multiple groups to the same roles and the same projects. For more information on roles, see [Roles in Label Studio Enterprise](manage_users#Roles-in-Label-Studio-Enterprise). 
 
         If you select **Inherit**, the group will inherit the role set above under **Organization Roles to Groups Mapping.** If the group is inheriting the Not Activated role, the users are mapped to the project, but they are not actually assigned to the project until the group is synced (meaning that the user authenticates first). 
 

diff --git a/docs/source/guide/security.md b/docs/source/guide/security.md
@@ -61,6 +61,13 @@ If you're using Label Studio Enterprise, you can further secure user access in m
 
 Access to the REST API is restricted by user role and requires an access token that is specific to a user account. Access tokens can be reset at any time from the Label Studio UI or using the API.
 
+## Enable SSRF protection for production environments
+
+When deploying Label Studio into a production environment, set the `SSRF_PROTECTION_ENABLED` environment variable to `true`. 
+
+This variable is disabled by default to support users who are working with data in their local environments. However, it should be enabled in production usage. 
+
+
 ## Secure access to data in Label Studio
 
 Data in Label Studio is stored in one or two places, depending on your deployment configuration.