diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-10-22 14:31:16 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-10-22 14:31:16 +0300 |
| commit | 905c1110b08f93a19661cf42a276c7ea90d0a0ff (patch) | |
| tree | 756d138db422392c00471ab06acdff92c5a9b69c /config | |
| parent | 50d93f8d1686950fc58dda4823c4835fd0d8c14b (diff) | |
Add latest changes from gitlab-org/gitlab@12-4-stable-ee
Diffstat (limited to 'config')
34 files changed, 403 insertions, 84 deletions
diff --git a/config/application.rb b/config/application.rb index c1e3b6f7a20..5d7c52c5d81 100644 --- a/config/application.rb +++ b/config/application.rb @@ -13,6 +13,7 @@ Bundler.require(*Rails.groups) module Gitlab class Application < Rails::Application require_dependency Rails.root.join('lib/gitlab') + require_dependency Rails.root.join('lib/gitlab/utils') require_dependency Rails.root.join('lib/gitlab/redis/wrapper') require_dependency Rails.root.join('lib/gitlab/redis/cache') require_dependency Rails.root.join('lib/gitlab/redis/queues') @@ -46,18 +47,20 @@ module Gitlab config.generators.templates.push("#{config.root}/generator_templates") - ee_paths = config.eager_load_paths.each_with_object([]) do |path, memo| - ee_path = config.root.join('ee', Pathname.new(path).relative_path_from(config.root)) - memo << ee_path.to_s if ee_path.exist? - end + if Gitlab.ee? + ee_paths = config.eager_load_paths.each_with_object([]) do |path, memo| + ee_path = config.root.join('ee', Pathname.new(path).relative_path_from(config.root)) + memo << ee_path.to_s + end - # Eager load should load CE first - config.eager_load_paths.push(*ee_paths) - config.helpers_paths.push "#{config.root}/ee/app/helpers" + # Eager load should load CE first + config.eager_load_paths.push(*ee_paths) + config.helpers_paths.push "#{config.root}/ee/app/helpers" - # Other than Ruby modules we load EE first - config.paths['lib/tasks'].unshift "#{config.root}/ee/lib/tasks" - config.paths['app/views'].unshift "#{config.root}/ee/app/views" + # Other than Ruby modules we load EE first + config.paths['lib/tasks'].unshift "#{config.root}/ee/lib/tasks" + config.paths['app/views'].unshift "#{config.root}/ee/app/views" + end # Rake tasks ignore the eager loading settings, so we need to set the # autoload paths explicitly @@ -178,16 +181,18 @@ module Gitlab config.assets.paths << "#{config.root}/node_modules/xterm/src/" config.assets.precompile << "xterm.css" - %w[images javascripts stylesheets].each do |path| - config.assets.paths << "#{config.root}/ee/app/assets/#{path}" - config.assets.precompile << "jira_connect.js" - config.assets.precompile << "pages/jira_connect.css" + if Gitlab.ee? + %w[images javascripts stylesheets].each do |path| + config.assets.paths << "#{config.root}/ee/app/assets/#{path}" + config.assets.precompile << "jira_connect.js" + config.assets.precompile << "pages/jira_connect.css" + end end # Import path for EE specific SCSS entry point # In CE it will import a noop file, in EE a functioning file # Order is important, so that the ee file takes precedence: - config.assets.paths << "#{config.root}/ee/app/assets/stylesheets/_ee" + config.assets.paths << "#{config.root}/ee/app/assets/stylesheets/_ee" if Gitlab.ee? config.assets.paths << "#{config.root}/app/assets/stylesheets/_ee" config.assets.paths << "#{config.root}/vendor/assets/javascripts/" @@ -197,13 +202,15 @@ module Gitlab # See https://gitlab.com/gitlab-org/gitlab-foss/issues/64091#note_194512508 config.assets.paths << "#{config.root}/node_modules" - # Compile non-JS/CSS assets in the ee/app/assets folder by default - # Mimic sprockets-rails default: https://github.com/rails/sprockets-rails/blob/v3.2.1/lib/sprockets/railtie.rb#L84-L87 - LOOSE_EE_APP_ASSETS = lambda do |logical_path, filename| - filename.start_with?(config.root.join("ee/app/assets").to_s) && - !['.js', '.css', ''].include?(File.extname(logical_path)) + if Gitlab.ee? + # Compile non-JS/CSS assets in the ee/app/assets folder by default + # Mimic sprockets-rails default: https://github.com/rails/sprockets-rails/blob/v3.2.1/lib/sprockets/railtie.rb#L84-L87 + LOOSE_EE_APP_ASSETS = lambda do |logical_path, filename| + filename.start_with?(config.root.join("ee/app/assets").to_s) && + !['.js', '.css', ''].include?(File.extname(logical_path)) + end + config.assets.precompile << LOOSE_EE_APP_ASSETS end - config.assets.precompile << LOOSE_EE_APP_ASSETS # Version of your assets, change this if you want to expire all your assets config.assets.version = '1.0' diff --git a/config/brakeman.ignore b/config/brakeman.ignore deleted file mode 100644 index 0e4fef65781..00000000000 --- a/config/brakeman.ignore +++ /dev/null @@ -1,24 +0,0 @@ -{ - "ignored_warnings": [ - { - "warning_type": "Cross-Site Request Forgery", - "warning_code": 7, - "fingerprint": "dc562678129557cdb8b187217da304044547a3605f05fe678093dcb4b4d8bbe4", - "message": "'protect_from_forgery' should be called in Oauth::GeoAuthController", - "file": "app/controllers/oauth/geo_auth_controller.rb", - "line": 1, - "link": "http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/", - "code": null, - "render_path": null, - "location": { - "type": "controller", - "controller": "Oauth::GeoAuthController" - }, - "user_input": null, - "confidence": "High", - "note": "" - } - ], - "updated": "2017-01-20 02:06:54 +0000", - "brakeman_version": "3.4.1" -} diff --git a/config/environments/development.rb b/config/environments/development.rb index 3881f1be152..2939e13ef94 100644 --- a/config/environments/development.rb +++ b/config/environments/development.rb @@ -11,9 +11,6 @@ Rails.application.configure do config.consider_all_requests_local = true config.action_controller.perform_caching = false - # Don't care if the mailer can't send - config.action_mailer.raise_delivery_errors = false - # Print deprecation notices to the Rails logger config.active_support.deprecation = :log @@ -38,6 +35,8 @@ Rails.application.configure do config.action_mailer.default_url_options = { host: 'localhost', port: 3000 } # Open sent mails in browser config.action_mailer.delivery_method = :letter_opener_web + # Log mail delivery errors + config.action_mailer.raise_delivery_errors = true # Don't make a mess when bootstrapping a development environment config.action_mailer.perform_deliveries = (ENV['BOOTSTRAP'] != '1') config.action_mailer.preview_path = 'app/mailers/previews' diff --git a/config/feature_categories.yml b/config/feature_categories.yml new file mode 100644 index 00000000000..59752a81f60 --- /dev/null +++ b/config/feature_categories.yml @@ -0,0 +1,103 @@ +# +# This file contains a list of all feature categories in GitLab +# It is generated from the stages file at https://gitlab.com/gitlab-com/www-gitlab-com/raw/master/data/stages.yml. +# If you would like to update it, please run +# `./scripts/update-feature-categories` to generate a new copy +# +# PLEASE DO NOT EDIT THIS FILE MANUALLY. +# +--- +- accessibility_testing +- account-management +- agile_portfolio_management +- analysis +- audit_management +- authentication_and_authorization +- auto_devops +- backup_restore +- behavior_analytics +- chaos_engineering +- chatops +- cloud_native_installation +- cluster_cost_optimization +- cluster_monitoring +- code_analytics +- code_quality +- code_review +- collection +- container_network_security +- container_registry +- container_scanning +- continuous_delivery +- continuous_integration +- data_loss_prevention +- dependency_proxy +- dependency_scanning +- design_management +- devops_score +- disaster_recovery +- dynamic_application_security_testing +- error_tracking +- feature_flags +- fuzzing +- geo_replication +- gitaly +- gitter +- groups +- helm_chart_registry +- importers +- incident_management +- incremental_rollout +- infrastructure_as_code +- integration_testing +- integrations +- interactive_application_security_testing +- internationalization +- issue_tracking +- kanban_boards +- kubernetes_configuration +- language_specific +- license_compliance +- live_coding +- load_testing +- logging +- metrics +- omnibus_package +- package_registry +- pages +- quality_management +- release_governance +- release_orchestration +- requirements_management +- review_apps +- runbooks +- runner +- runtime_application_self_protection +- sdk +- search +- secret_detection +- secrets_management +- serverless +- service_desk +- snippets +- source_code_management +- static_application_security_testing +- status_page +- storage_security +- synthetic_monitoring +- system_testing +- templates +- threat_detection +- time_tracking +- tracing +- unit_testing +- usability_testing +- users +- value_stream_management +- vulnerability_database +- vulnerability_management +- web_firewall +- web_ide +- web_performance +- wiki +- workflow_policies diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 814ea551e19..f6814262b7a 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -319,8 +319,7 @@ production: &base artifacts_server: true # Set to false if you want to disable online view of HTML artifacts # external_http: ["1.1.1.1:80", "[2001::1]:80"] # If defined, enables custom domain support in GitLab Pages # external_https: ["1.1.1.1:443", "[2001::1]:443"] # If defined, enables custom domain and certificate support in GitLab Pages - admin: - address: unix:/home/git/gitlab/tmp/sockets/private/pages-admin.socket # TCP connections are supported too (e.g. tcp://host:port) + # File that contains the shared secret key for verifying access for gitlab-pages. # Default is '.gitlab_pages_shared_secret' relative to Rails.root (i.e. root of the GitLab app). # secret_file: /home/git/gitlab/.gitlab_pages_shared_secret @@ -1017,7 +1016,20 @@ production: &base sidekiq_exporter: # enabled: true # address: localhost - # port: 3807 + # port: 8082 + + # Web exporter is webserver built in to Unicorn/Puma to expose Prometheus metrics + # It runs alongside the `/metrics` endpoints to ease the publish of metrics + web_exporter: + # enabled: true + # address: localhost + # port: 8083 + # # blackout_seconds: + # # defines an interval to block healthcheck, + # # but continue accepting application requests + # # this allows Load Balancer to notice service + # # being shutdown and not interrupt any of the clients + # blackout_seconds: 10 ## Prometheus settings # Do not modify these settings here. They should be modified in /etc/gitlab/gitlab.rb @@ -1061,6 +1073,21 @@ production: &base development: <<: *base + # We want to run web/sidekiq exporters for devs + # to catch errors from using them. + # + # We use random port to not block ability to run + # multiple instances of the service + monitoring: + sidekiq_exporter: + enabled: true + address: 127.0.0.1 + port: 0 + web_exporter: + enabled: true + address: 127.0.0.1 + port: 0 + test: <<: *base gravatar: diff --git a/config/helpers/is_ee_env.js b/config/helpers/is_ee_env.js index 3fe9bb891eb..78f0bd65528 100644 --- a/config/helpers/is_ee_env.js +++ b/config/helpers/is_ee_env.js @@ -3,7 +3,12 @@ const path = require('path'); const ROOT_PATH = path.resolve(__dirname, '../..'); +// The `FOSS_ONLY` is always `string` or `nil` +// Thus the nil or empty string will result +// in using default value: false +// +// The behavior needs to be synchronised with +// lib/gitlab.rb: Gitlab.ee? +const isFossOnly = JSON.parse(process.env.FOSS_ONLY || 'false'); module.exports = - process.env.IS_GITLAB_EE !== undefined - ? JSON.parse(process.env.IS_GITLAB_EE) - : fs.existsSync(path.join(ROOT_PATH, 'ee')); + fs.existsSync(path.join(ROOT_PATH, 'ee', 'app', 'models', 'license.rb')) && !isFossOnly; diff --git a/config/initializers/0_inflections.rb b/config/initializers/0_inflections.rb index d317825c1b8..c0afa207ac3 100644 --- a/config/initializers/0_inflections.rb +++ b/config/initializers/0_inflections.rb @@ -20,6 +20,7 @@ ActiveSupport::Inflector.inflections do |inflect| file_registry job_artifact_registry container_repository_registry + design_registry vulnerability_feedback vulnerabilities_feedback group_view diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index fbe6c21e53d..7ee4a4e3610 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -290,9 +290,6 @@ Settings.pages['url'] ||= Settings.__send__(:build_pages_url) Settings.pages['external_http'] ||= false unless Settings.pages['external_http'].present? Settings.pages['external_https'] ||= false unless Settings.pages['external_https'].present? Settings.pages['artifacts_server'] ||= Settings.pages['enabled'] if Settings.pages['artifacts_server'].nil? - -Settings.pages['admin'] ||= Settingslogic.new({}) -Settings.pages.admin['certificate'] ||= '' Settings.pages['secret_file'] ||= Rails.root.join('.gitlab_pages_shared_secret') # @@ -491,6 +488,9 @@ Gitlab.ee do Settings.cron_jobs['historical_data_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['historical_data_worker']['cron'] ||= '0 12 * * *' Settings.cron_jobs['historical_data_worker']['job_class'] = 'HistoricalDataWorker' + Settings.cron_jobs['import_software_licenses_worker'] ||= Settingslogic.new({}) + Settings.cron_jobs['import_software_licenses_worker']['cron'] ||= '0 3 * * 0' + Settings.cron_jobs['import_software_licenses_worker']['job_class'] = 'ImportSoftwareLicensesWorker' Settings.cron_jobs['ldap_group_sync_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['ldap_group_sync_worker']['cron'] ||= '0 * * * *' Settings.cron_jobs['ldap_group_sync_worker']['job_class'] = 'LdapAllGroupsSyncWorker' @@ -663,7 +663,12 @@ Settings.monitoring['ruby_sampler_interval'] ||= 60 Settings.monitoring['sidekiq_exporter'] ||= Settingslogic.new({}) Settings.monitoring.sidekiq_exporter['enabled'] ||= false Settings.monitoring.sidekiq_exporter['address'] ||= 'localhost' -Settings.monitoring.sidekiq_exporter['port'] ||= 3807 +Settings.monitoring.sidekiq_exporter['port'] ||= 8082 +Settings.monitoring['web_exporter'] ||= Settingslogic.new({}) +Settings.monitoring.web_exporter['enabled'] ||= false +Settings.monitoring.web_exporter['address'] ||= 'localhost' +Settings.monitoring.web_exporter['port'] ||= 8083 +Settings.monitoring.web_exporter['blackout_seconds'] ||= 10 # # Testing settings diff --git a/config/initializers/7_prometheus_metrics.rb b/config/initializers/7_prometheus_metrics.rb index 6bd2256ac0e..974eff1a528 100644 --- a/config/initializers/7_prometheus_metrics.rb +++ b/config/initializers/7_prometheus_metrics.rb @@ -34,8 +34,14 @@ Sidekiq.configure_server do |config| config.on(:startup) do # webserver metrics are cleaned up in config.ru: `warmup` block Prometheus::CleanupMultiprocDirService.new.execute + # In production, sidekiq is run in a multi-process setup where processes might interfere + # with each other cleaning up and reinitializing prometheus database files, which is why + # we're re-doing the work every time here. + # A cleaner solution would be to run the cleanup pre-fork, and the initialization once + # after all workers have forked, but I don't know how at this point. + ::Prometheus::Client.reinitialize_on_pid_change(force: true) - Gitlab::Metrics::SidekiqMetricsExporter.instance.start + Gitlab::Metrics::Exporter::SidekiqExporter.instance.start end end @@ -54,5 +60,36 @@ if !Rails.env.test? && Gitlab::Metrics.prometheus_metrics_enabled? elsif defined?(::Puma) Gitlab::Metrics::Samplers::PumaSampler.instance(Settings.monitoring.puma_sampler_interval).start end + + Gitlab::Metrics::RequestsRackMiddleware.initialize_http_request_duration_seconds + end +end + +if defined?(::Unicorn) || defined?(::Puma) + Gitlab::Cluster::LifecycleEvents.on_master_start do + Gitlab::Metrics::Exporter::WebExporter.instance.start + end + + Gitlab::Cluster::LifecycleEvents.on_before_phased_restart do + # We need to ensure that before we re-exec server + # we do stop the exporter + Gitlab::Metrics::Exporter::WebExporter.instance.stop + end + + Gitlab::Cluster::LifecycleEvents.on_before_master_restart do + # We need to ensure that before we re-exec server + # we do stop the exporter + # + # We do it again, for being extra safe, + # but it should not be needed + Gitlab::Metrics::Exporter::WebExporter.instance.stop + end + + Gitlab::Cluster::LifecycleEvents.on_worker_start do + # The `#close_on_exec=` takes effect only on `execve` + # but this does not happen for Ruby fork + # + # This does stop server, as it is running on master. + Gitlab::Metrics::Exporter::WebExporter.instance.stop end end diff --git a/config/initializers/cluster_events_before_phased_restart.rb b/config/initializers/cluster_events_before_phased_restart.rb new file mode 100644 index 00000000000..cbb1dd1a53a --- /dev/null +++ b/config/initializers/cluster_events_before_phased_restart.rb @@ -0,0 +1,14 @@ +# Technical debt, this should be ideally upstreamed. +# +# However, there's currently no way to hook before doing +# graceful shutdown today. +# +# Follow-up the issue: https://gitlab.com/gitlab-org/gitlab/issues/34107 + +if defined?(::Puma) + Puma::Cluster.prepend(::Gitlab::Cluster::Mixins::PumaCluster) +end + +if defined?(::Unicorn::HttpServer) + Unicorn::HttpServer.prepend(::Gitlab::Cluster::Mixins::UnicornHttpServer) +end diff --git a/config/initializers/fog_core_patch.rb b/config/initializers/fog_core_patch.rb index d3d02216d45..053e0460a19 100644 --- a/config/initializers/fog_core_patch.rb +++ b/config/initializers/fog_core_patch.rb @@ -34,6 +34,7 @@ module Fog # Gems that have not yet updated with the new fog-core namespace LEGACY_FOG_PROVIDERS = %w(google rackspace aliyun).freeze + # rubocop:disable Gitlab/ConstGetInheritFalse def service_provider_constant(service_name, provider_name) args = service_provider_search_args(service_name, provider_name) Fog.const_get(args.first).const_get(*const_get_args(args.second)) @@ -48,5 +49,6 @@ module Fog [provider_name, service_name] end end + # rubocop:enable Gitlab/ConstGetInheritFalse end end diff --git a/config/initializers/google_api_client.rb b/config/initializers/google_api_client.rb new file mode 100644 index 00000000000..443bb29fb52 --- /dev/null +++ b/config/initializers/google_api_client.rb @@ -0,0 +1,23 @@ +# frozen_string_literal: true +# +# google-api-client >= 0.26.0 supports enabling CloudRun and Istio during +# cluster creation, but fog-google currently hard deps on '~> 0.23.0', which +# prevents us from upgrading. We are injecting these options as hashes below +# as a workaround until this is resolved. +# +# This can be removed once fog-google and google-api-client can be upgraded. +# See https://gitlab.com/gitlab-org/gitlab/issues/31280 for more details. +# + +require 'google/apis/container_v1beta1' +require 'google/apis/options' + +# As stated in https://github.com/googleapis/google-api-ruby-client#errors--retries, +# enabling retries is strongly encouraged but disabled by default. Large uploads +# that may hit timeouts will mainly benefit from this. +Google::Apis::RequestOptions.default.retries = 3 if Gitlab::Utils.to_boolean(ENV.fetch('ENABLE_GOOGLE_API_RETRIES', true)) + +Google::Apis::ContainerV1beta1::AddonsConfig::Representation.tap do |representation| + representation.hash :cloud_run_config, as: 'cloudRunConfig' + representation.hash :istio_config, as: 'istioConfig' +end diff --git a/config/initializers/lograge.rb b/config/initializers/lograge.rb index 346725e4080..d5d4c589884 100644 --- a/config/initializers/lograge.rb +++ b/config/initializers/lograge.rb @@ -32,6 +32,10 @@ unless Sidekiq.server? payload[:response] = event.payload[:response] if event.payload[:response] payload[Labkit::Correlation::CorrelationId::LOG_KEY] = Labkit::Correlation::CorrelationId.current_id + if cpu_s = Gitlab::Metrics::System.thread_cpu_duration(::Gitlab::RequestContext.start_thread_cpu_time) + payload[:cpu_s] = cpu_s + end + payload end end diff --git a/config/initializers/pages.rb b/config/initializers/pages.rb deleted file mode 100644 index 835197557e8..00000000000 --- a/config/initializers/pages.rb +++ /dev/null @@ -1,2 +0,0 @@ -Gitlab::PagesClient.read_or_create_token -Gitlab::PagesClient.load_certificate diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb index b43fff24bb0..be7c2175cb2 100644 --- a/config/initializers/rack_attack_logging.rb +++ b/config/initializers/rack_attack_logging.rb @@ -12,10 +12,18 @@ ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, r path: req.fullpath } - if %w(throttle_authenticated_api throttle_authenticated_web).include? req.env['rack.attack.matched'] + throttles_with_user_information = [ + :throttle_authenticated_api, + :throttle_authenticated_web, + :throttle_authenticated_protected_paths_api, + :throttle_authenticated_protected_paths_web + ] + + if throttles_with_user_information.include? req.env['rack.attack.matched'].to_sym user_id = req.env['rack.attack.match_discriminator'] user = User.find_by(id: user_id) + rack_attack_info[:throttle_type] = req.env['rack.attack.matched'] rack_attack_info[:user_id] = user_id rack_attack_info[:username] = user.username unless user.nil? end diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_new.rb index 7f0439ef9bf..b0f7febe427 100644 --- a/config/initializers/rack_attack_global.rb +++ b/config/initializers/rack_attack_new.rb @@ -3,6 +3,15 @@ module Gitlab::Throttle Gitlab::CurrentSettings.current_application_settings end + def self.protected_paths_enabled? + !self.omnibus_protected_paths_present? && + self.settings.throttle_protected_paths_enabled? + end + + def self.omnibus_protected_paths_present? + Rack::Attack.throttles.key?('protected paths') + end + def self.unauthenticated_options limit_proc = proc { |req| settings.throttle_unauthenticated_requests_per_period } period_proc = proc { |req| settings.throttle_unauthenticated_period_in_seconds.seconds } @@ -20,6 +29,13 @@ module Gitlab::Throttle period_proc = proc { |req| settings.throttle_authenticated_web_period_in_seconds.seconds } { limit: limit_proc, period: period_proc } end + + def self.protected_paths_options + limit_proc = proc { |req| settings.throttle_protected_paths_requests_per_period } + period_proc = proc { |req| settings.throttle_protected_paths_period_in_seconds.seconds } + + { limit: limit_proc, period: period_proc } + end end class Rack::Attack @@ -42,6 +58,28 @@ class Rack::Attack req.authenticated_user_id([:api, :rss, :ics]) end + throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req| + Gitlab::Throttle.protected_paths_enabled? && + req.unauthenticated? && + !req.should_be_skipped? && + req.protected_path? && + req.ip + end + + throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req| + Gitlab::Throttle.protected_paths_enabled? && + req.api_request? && + req.protected_path? && + req.authenticated_user_id([:api]) + end + + throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req| + Gitlab::Throttle.protected_paths_enabled? && + req.web_request? && + req.protected_path? && + req.authenticated_user_id([:api, :rss, :ics]) + end + class Request def unauthenticated? !authenticated_user_id([:api, :rss, :ics]) @@ -66,7 +104,26 @@ class Rack::Attack def web_request? !api_request? end + + def protected_path? + !protected_path_regex.nil? + end + + def protected_path_regex + path =~ protected_paths_regex + end + + private + + def protected_paths + Gitlab::CurrentSettings.current_application_settings.protected_paths + end + + def protected_paths_regex + Regexp.union(protected_paths.map { |path| /\A#{Regexp.escape(path)}/ }) + end end end +::Rack::Attack.extend_if_ee('::EE::Gitlab::Rack::Attack') # rubocop: disable Cop/InjectEnterpriseEditionModule ::Rack::Attack::Request.prepend_if_ee('::EE::Gitlab::Rack::Attack::Request') diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb index 20f31ff6810..b5d98399015 100644 --- a/config/initializers/sidekiq.rb +++ b/config/initializers/sidekiq.rb @@ -28,16 +28,18 @@ if Rails.env.development? end enable_json_logs = Gitlab.config.sidekiq.log_format == 'json' -enable_sidekiq_monitor = ENV.fetch("SIDEKIQ_MONITOR_WORKER", 0).to_i.nonzero? +enable_sidekiq_memory_killer = ENV['SIDEKIQ_MEMORY_KILLER_MAX_RSS'].to_i.nonzero? +use_sidekiq_daemon_memory_killer = ENV["SIDEKIQ_DAEMON_MEMORY_KILLER"].to_i.nonzero? +use_sidekiq_legacy_memory_killer = !use_sidekiq_daemon_memory_killer Sidekiq.configure_server do |config| config.redis = queues_config_hash config.server_middleware do |chain| - chain.add Gitlab::SidekiqMiddleware::Monitor if enable_sidekiq_monitor + chain.add Gitlab::SidekiqMiddleware::Monitor chain.add Gitlab::SidekiqMiddleware::Metrics if Settings.monitoring.sidekiq_exporter chain.add Gitlab::SidekiqMiddleware::ArgumentsLogger if ENV['SIDEKIQ_LOG_ARGUMENTS'] && !enable_json_logs - chain.add Gitlab::SidekiqMiddleware::MemoryKiller if ENV['SIDEKIQ_MEMORY_KILLER_MAX_RSS'] + chain.add Gitlab::SidekiqMiddleware::MemoryKiller if enable_sidekiq_memory_killer && use_sidekiq_legacy_memory_killer chain.add Gitlab::SidekiqMiddleware::RequestStoreMiddleware unless ENV['SIDEKIQ_REQUEST_STORE'] == '0' chain.add Gitlab::SidekiqMiddleware::BatchLoader chain.add Gitlab::SidekiqMiddleware::CorrelationLogger @@ -48,6 +50,10 @@ Sidekiq.configure_server do |config| if enable_json_logs Sidekiq.logger.formatter = Gitlab::SidekiqLogging::JSONFormatter.new config.options[:job_logger] = Gitlab::SidekiqLogging::StructuredLogger + + # Remove the default-provided handler + config.error_handlers.reject! { |handler| handler.is_a?(Sidekiq::ExceptionHandler::Logger) } + config.error_handlers << Gitlab::SidekiqLogging::ExceptionHandler.new end config.client_middleware do |chain| @@ -60,7 +66,11 @@ Sidekiq.configure_server do |config| # Sidekiq (e.g. in an initializer). ActiveRecord::Base.clear_all_connections! - Gitlab::SidekiqDaemon::Monitor.instance.start if enable_sidekiq_monitor + # Start monitor to track running jobs. By default, cancel job is not enabled + # To cancel job, it requires `SIDEKIQ_MONITOR_WORKER=1` to enable notification channel + Gitlab::SidekiqDaemon::Monitor.instance.start + + Gitlab::SidekiqDaemon::MemoryKiller.instance.start if enable_sidekiq_memory_killer && use_sidekiq_daemon_memory_killer end if enable_reliable_fetch? diff --git a/config/initializers/zz_metrics.rb b/config/initializers/zz_metrics.rb index 501ec8ccc06..bc28780cc77 100644 --- a/config/initializers/zz_metrics.rb +++ b/config/initializers/zz_metrics.rb @@ -13,7 +13,7 @@ def instrument_classes(instrumentation) instrumentation.instrument_methods(Gitlab::Git) Gitlab::Git.constants.each do |name| - const = Gitlab::Git.const_get(name) + const = Gitlab::Git.const_get(name, false) next unless const.is_a?(Module) @@ -75,7 +75,7 @@ def instrument_classes(instrumentation) instrumentation.instrument_instance_methods(Rouge::Formatters::HTMLGitlab) [:XML, :HTML].each do |namespace| - namespace_mod = Nokogiri.const_get(namespace) + namespace_mod = Nokogiri.const_get(namespace, false) instrumentation.instrument_methods(namespace_mod) instrumentation.instrument_methods(namespace_mod::Document) diff --git a/config/knative/api_resources.yml b/config/knative/api_resources.yml index 43427b730db..095f44ed799 100644 --- a/config/knative/api_resources.yml +++ b/config/knative/api_resources.yml @@ -61,4 +61,10 @@ - virtualservices.networking.istio.io - rbacconfigs.rbac.istio.io - servicerolebindings.rbac.istio.io -- serviceroles.rbac.istio.io
\ No newline at end of file +- serviceroles.rbac.istio.io +- cloudwatches.config.istio.io +- clusterrbacconfigs.rbac.istio.io +- dogstatsds.config.istio.io +- ingresses.networking.internal.knative.dev +- sidecars.networking.istio.io +- zipkins.config.istio.io diff --git a/config/locales/en.yml b/config/locales/en.yml index a60f86e1d80..eff015459e3 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -16,6 +16,9 @@ en: api_url: "Sentry API URL" project/metrics_setting: external_dashboard_url: "External dashboard URL" + project/grafana_integration: + token: "Grafana HTTP API Token" + grafana_url: "Grafana API URL" views: pagination: previous: "Prev" diff --git a/config/locales/sherlock.en.yml b/config/locales/sherlock.en.yml index f24b825f585..963e1d6295a 100644 --- a/config/locales/sherlock.en.yml +++ b/config/locales/sherlock.en.yml @@ -30,7 +30,7 @@ en: origin: Origin line: line line_capitalized: Line - copy_to_clipboard: Copy to clipboard + copy_to_clipboard: Copy query_plan: Query Plan events: Events percent: '%' diff --git a/config/prometheus/common_metrics.yml b/config/prometheus/common_metrics.yml index 08504d6f7d5..795243fab49 100644 --- a/config/prometheus/common_metrics.yml +++ b/config/prometheus/common_metrics.yml @@ -209,6 +209,6 @@ panel_groups: weight: 1 metrics: - id: system_metrics_knative_function_invocation_count - query_range: 'floor(sum(rate(istio_revision_request_count{destination_configuration="%{function_name}", destination_namespace="%{kube_namespace}"}[1m])/3))' + query_range: 'sum(ceil(rate(istio_requests_total{destination_service_namespace="%{kube_namespace}", destination_app=~"%{function_name}.*"}[1m])*60))' label: invocations / minute unit: requests diff --git a/config/puma.example.development.rb b/config/puma.example.development.rb index 9df24bf74e3..f23ccc23c9a 100644 --- a/config/puma.example.development.rb +++ b/config/puma.example.development.rb @@ -45,7 +45,7 @@ require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events" on_restart do # Signal application hooks that we're about to restart - Gitlab::Cluster::LifecycleEvents.do_master_restart + Gitlab::Cluster::LifecycleEvents.do_before_master_restart end before_fork do diff --git a/config/puma.rb.example b/config/puma.rb.example index 6558dbc6cfe..10f255a87de 100644 --- a/config/puma.rb.example +++ b/config/puma.rb.example @@ -40,7 +40,7 @@ require_relative "/home/git/gitlab/lib/gitlab/cluster/puma_worker_killer_initial on_restart do # Signal application hooks that we're about to restart - Gitlab::Cluster::LifecycleEvents.do_master_restart + Gitlab::Cluster::LifecycleEvents.do_before_master_restart end before_fork do diff --git a/config/routes.rb b/config/routes.rb index 4319431ed48..5bfae777f17 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -55,6 +55,10 @@ Rails.application.routes.draw do get '/autocomplete/project_groups' => 'autocomplete#project_groups' end + # Sign up + get 'users/sign_up/welcome' => 'registrations#welcome' + patch 'users/sign_up/update_role' => 'registrations#update_role' + # Search get 'search' => 'search#show' get 'search/autocomplete' => 'search#autocomplete', as: :search_autocomplete @@ -145,6 +149,7 @@ Rails.application.routes.draw do get :metrics, format: :json get :metrics_dashboard get :'/prometheus/api/v1/*proxy_path', to: 'clusters#prometheus_proxy', as: :prometheus_api + get :environments, format: :json end scope :applications do diff --git a/config/routes/admin.rb b/config/routes/admin.rb index a003ffca270..9238eae3a8e 100644 --- a/config/routes/admin.rb +++ b/config/routes/admin.rb @@ -13,6 +13,8 @@ namespace :admin do get :keys put :block put :unblock + put :deactivate + put :activate put :unlock put :confirm post :impersonate @@ -21,6 +23,10 @@ namespace :admin do end end + resource :session, only: [:new, :create] do + get 'destroy', action: :destroy, as: :destroy + end + resource :impersonation, only: :destroy resources :abuse_reports, only: [:index, :destroy] @@ -110,7 +116,7 @@ namespace :admin do put :reset_registration_token put :reset_health_check_token put :clear_repository_check_states - match :general, :integrations, :repository, :templates, :ci_cd, :reporting, :metrics_and_profiling, :network, :geo, :preferences, via: [:get, :patch] + match :general, :integrations, :repository, :ci_cd, :reporting, :metrics_and_profiling, :network, :preferences, via: [:get, :patch] get :lets_encrypt_terms_of_service end diff --git a/config/routes/group.rb b/config/routes/group.rb index 37bc6085931..093cde64c85 100644 --- a/config/routes/group.rb +++ b/config/routes/group.rb @@ -30,7 +30,7 @@ constraints(::Constraints::GroupUrlConstrainer.new) do as: :group, constraints: { group_id: Gitlab::PathRegex.full_namespace_route_regex }) do namespace :settings do - resource :ci_cd, only: [:show], controller: 'ci_cd' do + resource :ci_cd, only: [:show, :update], controller: 'ci_cd' do put :reset_registration_token patch :update_auto_devops end @@ -77,6 +77,8 @@ constraints(::Constraints::GroupUrlConstrainer.new) do post :pause end end + + resources :container_registries, only: [:index], controller: 'registry/repositories' end scope(path: '*id', diff --git a/config/routes/project.rb b/config/routes/project.rb index c1273db8ee5..7d51cfd6dee 100644 --- a/config/routes/project.rb +++ b/config/routes/project.rb @@ -37,6 +37,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do scope '-' do get 'archive/*id', constraints: { format: Gitlab::PathRegex.archive_formats_regex, id: /.+?/ }, to: 'repositories#archive', as: 'archive' + resources :artifacts, only: [:index, :destroy] + resources :jobs, only: [:index, :show], constraints: { id: /\d+/ } do collection do resources :artifacts, only: [] do @@ -184,6 +186,10 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do resource :import, only: [:new, :create, :show] resource :avatar, only: [:show, :destroy] + + get 'grafana/proxy/:datasource_id/*proxy_path', + to: 'grafana_api#proxy', + as: :grafana_api end # End of the /-/ scope. @@ -195,6 +201,12 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do defaults: { format: 'json' }, constraints: { key: %r{[^/]+}, template_type: %r{issue|merge_request}, format: 'json' } + get '/description_templates/names/:template_type', + to: 'templates#names', + as: :template_names, + defaults: { format: 'json' }, + constraints: { template_type: %r{issue|merge_request}, format: 'json' } + resources :commit, only: [:show], constraints: { id: /\h{7,40}/ } do member do get :branches @@ -273,6 +285,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do get :commits get :pipelines get :diffs, to: 'merge_requests/diffs#show' + get :diffs_batch, to: 'merge_requests/diffs#diffs_batch' + get :diffs_metadata, to: 'merge_requests/diffs#diffs_metadata' get :widget, to: 'merge_requests/content#widget' get :cached_widget, to: 'merge_requests/content#cached_widget' end @@ -379,6 +393,7 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do get :builds get :failures get :status + get :test_report Gitlab.ee do get :security diff --git a/config/routes/repository.rb b/config/routes/repository.rb index 093b86f3259..4815575ba9f 100644 --- a/config/routes/repository.rb +++ b/config/routes/repository.rb @@ -34,7 +34,7 @@ scope format: false do # ref regex used in constraints. Regex verification now done in controller. get 'logs_tree/*path', action: :logs_tree, as: :logs_file, format: false, constraints: { id: /.*/, - path: /.*/ + path: /[^\0]*/ } end end diff --git a/config/settings.rb b/config/settings.rb index 8756c120645..767c6c56337 100644 --- a/config/settings.rb +++ b/config/settings.rb @@ -104,10 +104,10 @@ class Settings < Settingslogic # check that `current` (string or integer) is a contant in `modul`. def verify_constant(modul, current, default) - constant = modul.constants.find { |name| modul.const_get(name) == current } - value = constant.nil? ? default : modul.const_get(constant) + constant = modul.constants.find { |name| modul.const_get(name, false) == current } + value = constant.nil? ? default : modul.const_get(constant, false) if current.is_a? String - value = modul.const_get(current.upcase) rescue default + value = modul.const_get(current.upcase, false) rescue default end value diff --git a/config/sidekiq_queues.yml b/config/sidekiq_queues.yml index f37cd518d48..b97e8ad67c9 100644 --- a/config/sidekiq_queues.yml +++ b/config/sidekiq_queues.yml @@ -24,6 +24,7 @@ - [process_commit, 3] - [new_note, 2] - [new_issue, 2] + - [notifications, 2] - [new_merge_request, 2] - [pipeline_processing, 5] - [pipeline_creation, 4] @@ -49,7 +50,7 @@ - [delete_user, 1] - [todos_destroyer, 1] - [delete_merged_branches, 1] - - [authorized_projects, 1] + - [authorized_projects, 2] - [expire_build_instance_artifacts, 1] - [group_destroy, 1] - [irker, 1] @@ -96,6 +97,7 @@ - [phabricator_import_import_tasks, 1] - [update_namespace_statistics, 1] - [chaos, 2] + - [create_evidence, 2] # EE-specific queues - [ldap_group_sync, 2] @@ -117,3 +119,4 @@ - [jira_connect, 1] - [update_external_pull_requests, 3] - [refresh_license_compliance_checks, 2] + - [design_management_new_version, 1] diff --git a/config/unicorn.rb.example b/config/unicorn.rb.example index 581fde84c95..9f13fac5cca 100644 --- a/config/unicorn.rb.example +++ b/config/unicorn.rb.example @@ -85,7 +85,7 @@ require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events" before_exec do |server| # Signal application hooks that we're about to restart - Gitlab::Cluster::LifecycleEvents.do_master_restart + Gitlab::Cluster::LifecycleEvents.do_before_master_restart end run_once = true diff --git a/config/unicorn.rb.example.development b/config/unicorn.rb.example.development index 9a02d5f1007..92bb1c7344a 100644 --- a/config/unicorn.rb.example.development +++ b/config/unicorn.rb.example.development @@ -18,7 +18,7 @@ require_relative "/home/git/gitlab/lib/gitlab/cluster/lifecycle_events" before_exec do |server| # Signal application hooks that we're about to restart - Gitlab::Cluster::LifecycleEvents.do_master_restart + Gitlab::Cluster::LifecycleEvents.do_before_master_restart end run_once = true diff --git a/config/webpack.config.js b/config/webpack.config.js index f3f0a5f8934..25fb6cc5f5a 100644 --- a/config/webpack.config.js +++ b/config/webpack.config.js @@ -11,7 +11,7 @@ const CopyWebpackPlugin = require('copy-webpack-plugin'); const ROOT_PATH = path.resolve(__dirname, '..'); const CACHE_PATH = process.env.WEBPACK_CACHE_PATH || path.join(ROOT_PATH, 'tmp/cache'); const IS_PRODUCTION = process.env.NODE_ENV === 'production'; -const IS_DEV_SERVER = process.argv.join(' ').indexOf('webpack-dev-server') !== -1; +const IS_DEV_SERVER = process.env.WEBPACK_DEV_SERVER === 'true'; const IS_EE = require('./helpers/is_ee_env'); const DEV_SERVER_HOST = process.env.DEV_SERVER_HOST || 'localhost'; const DEV_SERVER_PORT = parseInt(process.env.DEV_SERVER_PORT, 10) || 3808; @@ -373,11 +373,14 @@ module.exports = { openAnalyzer: false, reportFilename: path.join(ROOT_PATH, 'webpack-report/index.html'), statsFilename: path.join(ROOT_PATH, 'webpack-report/stats.json'), + statsOptions: { + source: false, + }, }), new webpack.DefinePlugin({ // This one is used to define window.gon.ee and other things properly in tests: - 'process.env.IS_GITLAB_EE': JSON.stringify(IS_EE), + 'process.env.IS_EE': JSON.stringify(IS_EE), // This one is used to check against "EE" properly in application code IS_EE: IS_EE ? 'window.gon && window.gon.ee' : JSON.stringify(false), }), |