author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-11 12:09:08 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-11 12:09:08 +0300 |
commit | 31a9181ed65e80ceac2cbd6e2dba9af40e7b0d0b (patch) | |
tree | 29d9b11c777d092c0b3e453cc0f44a0a52ecb000 /app | |
parent | be7d70b884e6fa66c52862f38bf0f39b0631868b (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/jira_connect/app_descriptor_controller.rb | 1 | ||||
-rw-r--r-- | app/controllers/jira_connect/application_controller.rb | 4 | ||||
-rw-r--r-- | app/controllers/jira_connect/events_controller.rb | 31 | ||||
-rw-r--r-- | app/services/ci/update_build_state_service.rb | 2 | ||||
-rw-r--r-- | app/workers/ci/build_finished_worker.rb | 10 |
5 files changed, 38 insertions, 10 deletions
diff --git a/app/controllers/jira_connect/app_descriptor_controller.rb b/app/controllers/jira_connect/app_descriptor_controller.rb
index 74fac6ff9bb..e96242c7052 100644
--- a/app/controllers/jira_connect/app_descriptor_controller.rb
+++ b/app/controllers/jira_connect/app_descriptor_controller.rb
@@ -32,6 +32,7 @@ class JiraConnect::AppDescriptorController < JiraConnect::ApplicationController
       apiVersion: 1,
       apiMigrations: {
         'context-qsh': true,
+        'signed-install': signed_install_active?,
         gdpr: true
       }
     }
diff --git a/app/controllers/jira_connect/application_controller.rb b/app/controllers/jira_connect/application_controller.rb
index 352e78d6255..ecb23c326fe 100644
--- a/app/controllers/jira_connect/application_controller.rb
+++ b/app/controllers/jira_connect/application_controller.rb
@@ -74,4 +74,8 @@ class JiraConnect::ApplicationController < ApplicationController
       params[:jwt] || request.headers['Authorization']&.split(' ', 2)&.last
     end
   end
+
+  def signed_install_active?
+    Feature.enabled?(:jira_connect_asymmetric_jwt)
+  end
 end
diff --git a/app/controllers/jira_connect/events_controller.rb b/app/controllers/jira_connect/events_controller.rb
index fe66e742c44..76ac15f7631 100644
--- a/app/controllers/jira_connect/events_controller.rb
+++ b/app/controllers/jira_connect/events_controller.rb
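Review bot: `'signed-install': signed_install_active?` makes the descriptor depend on the current state of the `jira_connect_asymmetric_jwt` flag, but Jira only reads the descriptor when the app is (re)installed, as far as I understand Connect, whereas the same flag is re-evaluated on every lifecycle request in `EventsController`. An installation registered while the flag was off will keep sending shared-secret JWTs after the flag is turned on (and the reverse), and the server will then reject its lifecycle events. A comment on this line would keep that constraint visible through the rollout: `# Jira persists this at (re)install time; toggling the flag afterwards changes our verification but not how Jira signs lifecycle events`. The descriptor hash this line sits in starts and ends outside the hunk.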
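Review bot: `signed_install_active?` is a bare, actor-less `Feature.enabled?` read with no comment, yet it is the single switch behind both what the app descriptor advertises to Jira and which JWT verification path lifecycle events take. A short comment would spare the next reader a search: `# Atlassian "signed-install" mode: lifecycle events carry an asymmetric JWT signed by Atlassian instead of one signed with the per-installation shared secret`. Since no actor is passed, this is an instance-wide switch; if it is meant to be rolled out per Jira site, passing an actor is where that would be expressed. The `strong_memoize` block for `auth_token` above the new method starts outside the hunk.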
@@ -3,13 +3,18 @@ class JiraConnect::EventsController < JiraConnect::ApplicationController
   # See https://developer.atlassian.com/cloud/jira/software/app-descriptor/#lifecycle
-  skip_before_action :verify_atlassian_jwt!, only: :installed
-  before_action :verify_qsh_claim!, only: :uninstalled
+  skip_before_action :verify_atlassian_jwt!
+  before_action :verify_asymmetric_atlassian_jwt!, if: :signed_install_active?
+
+  before_action :verify_atlassian_jwt!, only: :uninstalled, unless: :signed_install_active?
+  before_action :verify_qsh_claim!, only: :uninstalled, unless: :signed_install_active?
 
   def installed
-    return head :ok if atlassian_jwt_valid?
+    return head :ok if !signed_install_active? && atlassian_jwt_valid?
+
+    return head :ok if current_jira_installation
 
-    installation = JiraConnectInstallation.new(install_params)
+    installation = JiraConnectInstallation.new(event_params)
 
     if installation.save
       head :ok
@@ -28,7 +33,23 @@ class JiraConnect::EventsController < JiraConnect::ApplicationController
 
   private
 
-  def install_params
+  def event_params
     params.permit(:clientKey, :sharedSecret, :baseUrl).transform_keys(&:underscore)
   end
+
+  def verify_asymmetric_atlassian_jwt!
+    asymmetric_jwt = Atlassian::JiraConnect::AsymmetricJwt.new(auth_token, jwt_verification_claims)
+
+    return head :unauthorized unless asymmetric_jwt.valid?
+
+    @current_jira_installation = JiraConnectInstallation.find_by_client_key(asymmetric_jwt.iss_claim)
+  end
+
+  def jwt_verification_claims
+    {
+      aud: jira_connect_base_url(protocol: 'https'),
+      iss: event_params[:client_key],
+      qsh: Atlassian::Jwt.create_query_string_hash(request.url, request.method, jira_connect_base_url)
+    }
+  end
 end
diff --git a/app/services/ci/update_build_state_service.rb b/app/services/ci/update_build_state_service.rb
index abd50d2f110..3b403f92486 100644
--- a/app/services/ci/update_build_state_service.rb
+++ b/app/services/ci/update_build_state_service.rb
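Review bot: In signed-install mode `installed` returns `head :ok` as soon as `current_jira_installation` resolves, so a re-sent `installed` event never refreshes the stored `shared_secret`/`base_url`; if Connect rotates the shared secret on reinstall (my recollection, worth confirming against the lifecycle docs), every later shared-secret-verified call for that site fails until the row is recreated. Any refresh must stay behind the asymmetric check only: with `skip_before_action :verify_atlassian_jwt!` now unconditional and re-added just for `uninstalled`, the legacy `installed` is unauthenticated for the whole action, so `current_jira_installation.update(event_params)` is only safe when `signed_install_active?` is true. The `else` branch of `if installation.save` continues outside the hunk.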
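Review bot: `verify_asymmetric_atlassian_jwt!` leaves `@current_jira_installation` nil when `iss_claim` matches no row and still lets the action run; that is the intended first-install case for `installed`, but the before_action is registered without `only:`, and `uninstalled` (outside the hunk) presumably destroys `current_jira_installation` directly, which would raise on nil. Consider rejecting unknown issuers for anything other than `installed`, right after the lookup: `head :unauthorized if @current_jira_installation.nil? && action_name != 'installed'`. Separately, `iss: event_params[:client_key]` pins the expected issuer to the request body while the lookup uses the verified `iss_claim`, which is the right order; a one-line comment saying so would stop someone later "simplifying" the lookup to the body value.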
@@ -73,9 +73,11 @@ module Ci
         ::Gitlab::Ci::Trace::Checksum.new(build).then do |checksum|
           unless checksum.valid?
             metrics.increment_trace_operation(operation: :invalid)
+            metrics.increment_error_counter(type: :chunks_invalid_checksum)
 
             if checksum.corrupted?
               metrics.increment_trace_operation(operation: :corrupted)
+              metrics.increment_error_counter(type: :chunks_invalid_size)
             end
 
             next unless log_invalid_chunks?
diff --git a/app/workers/ci/build_finished_worker.rb b/app/workers/ci/build_finished_worker.rb
index 3bca3015988..f047ba8fde5 100644
--- a/app/workers/ci/build_finished_worker.rb
+++ b/app/workers/ci/build_finished_worker.rb
@@ -15,13 +15,13 @@ module Ci
     ARCHIVE_TRACES_IN = 2.minutes.freeze
 
-    # rubocop: disable CodeReuse/ActiveRecord
     def perform(build_id)
-      Ci::Build.find_by(id: build_id).try do |build|
-        process_build(build)
-      end
+      return unless build = Ci::Build.find_by(id: build_id) # rubocop: disable CodeReuse/ActiveRecord
+      return unless build.project
+      return if build.project.pending_delete?
+
+      process_build(build)
     end
-    # rubocop: enable CodeReuse/ActiveRecord
 
     private
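Review bot: The `:chunks_invalid_size` counter is incremented inside `if checksum.corrupted?`, which itself sits inside `unless checksum.valid?`, so every corrupted trace bumps both `:chunks_invalid_checksum` and `:chunks_invalid_size`; the second is a strict subset of the first and the two must not be summed on a dashboard. Nothing in the hunk shows that `corrupted?` means a size mismatch, so the counter name is a claim the reader cannot check here; a one-line comment at the `if` naming what `Trace::Checksum#corrupted?` actually detects (if it is indeed the chunk-size check) would close that gap. The method these lines belong to starts and ends outside the hunk.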
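Review bot: `return unless build = Ci::Build.find_by(id: build_id)` assigns inside a condition without parentheses, which reads like a typo for `==` and is exactly what `Lint/AssignmentInCondition` exists to catch; `return unless (build = Ci::Build.find_by(id: build_id)) # rubocop: disable CodeReuse/ActiveRecord` keeps the one-liner while making the intent explicit. The two new guards also drop the job silently for builds without a project and for projects pending deletion, with no log line or metric, so a why-comment above them is worth adding, e.g. `# A project marked for deletion takes its builds with it; skip rather than race the deletion` (I am inferring the reason from `pending_delete?` and `ARCHIVE_TRACES_IN`, adjust as needed). `process_build` and the rest of the class are outside the hunk.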