
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-11 12:09:08 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-11 12:09:08 +0300
commit31a9181ed65e80ceac2cbd6e2dba9af40e7b0d0b (patch)
tree29d9b11c777d092c0b3e453cc0f44a0a52ecb000 /app
parentbe7d70b884e6fa66c52862f38bf0f39b0631868b (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r--app/controllers/jira_connect/app_descriptor_controller.rb1
-rw-r--r--app/controllers/jira_connect/application_controller.rb4
-rw-r--r--app/controllers/jira_connect/events_controller.rb31
-rw-r--r--app/services/ci/update_build_state_service.rb2
-rw-r--r--app/workers/ci/build_finished_worker.rb10
5 files changed, 38 insertions, 10 deletions
diff --git a/app/controllers/jira_connect/app_descriptor_controller.rb b/app/controllers/jira_connect/app_descriptor_controller.rb
index 74fac6ff9bb..e96242c7052 100644
--- a/app/controllers/jira_connect/app_descriptor_controller.rb
+++ b/app/controllers/jira_connect/app_descriptor_controller.rb
@@ -32,6 +32,7 @@ class JiraConnect::AppDescriptorController < JiraConnect::ApplicationController
apiVersion: 1,
apiMigrations: {
'context-qsh': true,
+ 'signed-install': signed_install_active?,
gdpr: true
}
}
diff --git a/app/controllers/jira_connect/application_controller.rb b/app/controllers/jira_connect/application_controller.rb
index 352e78d6255..ecb23c326fe 100644
--- a/app/controllers/jira_connect/application_controller.rb
+++ b/app/controllers/jira_connect/application_controller.rb
@@ -74,4 +74,8 @@ class JiraConnect::ApplicationController < ApplicationController
params[:jwt] || request.headers['Authorization']&.split(' ', 2)&.last
end
end
+
+ def signed_install_active?
+ Feature.enabled?(:jira_connect_asymmetric_jwt)
+ end
end
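Review bot: `signed_install_active?` has no comment explaining that it is evaluated on every request, both when the descriptor advertises `'signed-install'` and when the events controller picks a verification filter. Jira presumably acts on the descriptor it fetched earlier, so after the flag is toggled the controller can expect a different token type than Jira sends. From the visible filters that fails closed with a 401, but it will surface as broken installs or uninstalls. I would add a comment such as `# Must agree with the 'signed-install' value Jira last read from the app descriptor; toggling the flag requires the descriptor to be re-fetched.` Whether the method ends up private depends on lines outside the hunk.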
diff --git a/app/controllers/jira_connect/events_controller.rb b/app/controllers/jira_connect/events_controller.rb
index fe66e742c44..76ac15f7631 100644
--- a/app/controllers/jira_connect/events_controller.rb
+++ b/app/controllers/jira_connect/events_controller.rb
@@ -3,13 +3,18 @@
class JiraConnect::EventsController < JiraConnect::ApplicationController
# See https://developer.atlassian.com/cloud/jira/software/app-descriptor/#lifecycle
- skip_before_action :verify_atlassian_jwt!, only: :installed
- before_action :verify_qsh_claim!, only: :uninstalled
+ skip_before_action :verify_atlassian_jwt!
+ before_action :verify_asymmetric_atlassian_jwt!, if: :signed_install_active?
+
+ before_action :verify_atlassian_jwt!, only: :uninstalled, unless: :signed_install_active?
+ before_action :verify_qsh_claim!, only: :uninstalled, unless: :signed_install_active?
def installed
- return head :ok if atlassian_jwt_valid?
+ return head :ok if !signed_install_active? && atlassian_jwt_valid?
+
+ return head :ok if current_jira_installation
- installation = JiraConnectInstallation.new(install_params)
+ installation = JiraConnectInstallation.new(event_params)
if installation.save
head :ok
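Review bot: `return head :ok if current_jira_installation` answers 200 for a client key that already exists without persisting anything from the payload, so a reinstall that carries a new `sharedSecret` leaves the old one stored. If Jira can rotate the secret on reinstall, later symmetric-JWT requests would be verified against a stale value; updating the existing record from `event_params` in that branch would avoid this. With the flag off, this line is also reached without any verified token. `current_jira_installation` is defined outside the hunk, so it is worth confirming that it cannot resolve an installation from an unverified `iss`. The body of `installed` continues past the hunk.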
@@ -28,7 +33,23 @@ class JiraConnect::EventsController < JiraConnect::ApplicationController
private
- def install_params
+ def event_params
params.permit(:clientKey, :sharedSecret, :baseUrl).transform_keys(&:underscore)
end
+
+ def verify_asymmetric_atlassian_jwt!
+ asymmetric_jwt = Atlassian::JiraConnect::AsymmetricJwt.new(auth_token, jwt_verification_claims)
+
+ return head :unauthorized unless asymmetric_jwt.valid?
+
+ @current_jira_installation = JiraConnectInstallation.find_by_client_key(asymmetric_jwt.iss_claim)
+ end
+
+ def jwt_verification_claims
+ {
+ aud: jira_connect_base_url(protocol: 'https'),
+ iss: event_params[:client_key],
+ qsh: Atlassian::Jwt.create_query_string_hash(request.url, request.method, jira_connect_base_url)
+ }
+ end
end
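Review bot: `verify_asymmetric_atlassian_jwt!` lets the request proceed with `@current_jira_installation` set to nil whenever the token is valid but `find_by_client_key` finds no row. That is expected for `installed`, but `uninstalled` (outside this hunk) now runs behind the same filter and should handle a missing installation explicitly. The expected `iss` in `jwt_verification_claims` is read from the request body, so it only ties the token to the payload; authenticity rests on the signature and `aud` checks inside `Atlassian::JiraConnect::AsymmetricJwt`, which is not shown here. A comment above `jwt_verification_claims` would make that explicit: `# iss comes from the payload; trust is established by the signature and aud checks in AsymmetricJwt.`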
diff --git a/app/services/ci/update_build_state_service.rb b/app/services/ci/update_build_state_service.rb
index abd50d2f110..3b403f92486 100644
--- a/app/services/ci/update_build_state_service.rb
+++ b/app/services/ci/update_build_state_service.rb
@@ -73,9 +73,11 @@ module Ci
::Gitlab::Ci::Trace::Checksum.new(build).then do |checksum|
unless checksum.valid?
metrics.increment_trace_operation(operation: :invalid)
+ metrics.increment_error_counter(type: :chunks_invalid_checksum)
if checksum.corrupted?
metrics.increment_trace_operation(operation: :corrupted)
+ metrics.increment_error_counter(type: :chunks_invalid_size)
end
next unless log_invalid_chunks?
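Review bot: A corrupted trace increments both `chunks_invalid_checksum` and `chunks_invalid_size`, because the second counter sits inside the `unless checksum.valid?` branch that has already bumped the first. A dashboard or alert that sums the error types will count such a build twice, and the name `chunks_invalid_size` does not obviously correspond to `corrupted?`. A short comment on the inner increment would help: `# corrupted traces are also counted under :chunks_invalid_checksum`. The enclosing block starts and ends outside the hunk.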
diff --git a/app/workers/ci/build_finished_worker.rb b/app/workers/ci/build_finished_worker.rb
index 3bca3015988..f047ba8fde5 100644
--- a/app/workers/ci/build_finished_worker.rb
+++ b/app/workers/ci/build_finished_worker.rb
@@ -15,13 +15,13 @@ module Ci
ARCHIVE_TRACES_IN = 2.minutes.freeze
- # rubocop: disable CodeReuse/ActiveRecord
def perform(build_id)
- Ci::Build.find_by(id: build_id).try do |build|
- process_build(build)
- end
+ return unless build = Ci::Build.find_by(id: build_id) # rubocop: disable CodeReuse/ActiveRecord
+ return unless build.project
+ return if build.project.pending_delete?
+
+ process_build(build)
end
- # rubocop: enable CodeReuse/ActiveRecord
private
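Review bot: `return unless build = Ci::Build.find_by(id: build_id)` assigns inside a condition, which reads like a mistyped `==` and pushes the rubocop directive onto an already long line. Splitting it keeps the guards readable: `build = Ci::Build.find_by(id: build_id) # rubocop: disable CodeReuse/ActiveRecord` followed by `return unless build&.project`, with the `pending_delete?` guard unchanged. The two new early returns also deserve a one-line comment saying why a build with no project, or one whose project is pending deletion, is skipped without logging.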