authorGitLab Bot <gitlab-bot@gitlab.com>2023-11-10 15:09:27 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-11-10 15:09:27 +0300
commit43d1fef975a24dcaac3ad9bbf20ae9839f5ec9ed (patch)
tree7b68a14e21158abeffebd40f32ca840aa55e6d77 /lib/gitlab
parent19a36e759b6ba949c5e37e6e40e9f1a230106aa0 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab')
-rw-r--r--lib/gitlab/ci/parsers/security/common.rb2
-rw-r--r--lib/gitlab/ci/templates/Cosign.gitlab-ci.yml4
-rw-r--r--lib/gitlab/encrypted_command_base.rb14
-rw-r--r--lib/gitlab/encrypted_ldap_command.rb2
-rw-r--r--lib/gitlab/encrypted_redis_command.rb56
-rw-r--r--lib/gitlab/gitaly_client.rb14
-rw-r--r--lib/gitlab/instrumentation_helper.rb10
-rw-r--r--lib/gitlab/redis/wrapper.rb40
-rw-r--r--lib/gitlab/rugged_instrumentation.rb45
9 files changed, 115 insertions, 72 deletions
diff --git a/lib/gitlab/ci/parsers/security/common.rb b/lib/gitlab/ci/parsers/security/common.rb
index 9032faa66d4..be6c6c2558b 100644
--- a/lib/gitlab/ci/parsers/security/common.rb
+++ b/lib/gitlab/ci/parsers/security/common.rb
@@ -141,7 +141,7 @@ module Gitlab
project_id: @project.id,
found_by_pipeline: report.pipeline,
vulnerability_finding_signatures_enabled: @signatures_enabled,
- cvss: data['cvss'] || []
+ cvss: data['cvss_vectors'] || []
)
)
end
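Review bot: The changed line reads `data['cvss_vectors']` with no fallback to the old `cvss` key, so a report that still emits `cvss` now silently yields an empty list instead of failing loudly. If both names are meant to be accepted during a transition, `cvss: data['cvss_vectors'] || data['cvss'] || []` keeps the old behaviour; if only the new key is schema-valid, a one-line comment naming the report schema change that renamed it would make the switch self-explaining. The `|| []` guard only covers a missing key, so a non-array value under `cvss_vectors` still reaches the finding constructor unless the report schema validation upstream enforces the type, which is worth confirming. The enclosing method starts and ends outside the hunk.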
diff --git a/lib/gitlab/ci/templates/Cosign.gitlab-ci.yml b/lib/gitlab/ci/templates/Cosign.gitlab-ci.yml
index 356062c734e..324128678de 100644
--- a/lib/gitlab/ci/templates/Cosign.gitlab-ci.yml
+++ b/lib/gitlab/ci/templates/Cosign.gitlab-ci.yml
@@ -12,9 +12,9 @@ include:
docker-build:
variables:
- COSIGN_YES: "true" # Used by Cosign to skip confirmation prompts for non-destructive operations
+ COSIGN_YES: "true" # Used by Cosign to skip confirmation prompts for non-destructive operations
id_tokens:
- SIGSTORE_ID_TOKEN: # Used by Cosign to get certificate from Fulcio
+ SIGSTORE_ID_TOKEN: # Used by Cosign to get certificate from Fulcio
aud: sigstore
after_script:
- apk add --update cosign
diff --git a/lib/gitlab/encrypted_command_base.rb b/lib/gitlab/encrypted_command_base.rb
index b35c28b85cd..679d9d8e31a 100644
--- a/lib/gitlab/encrypted_command_base.rb
+++ b/lib/gitlab/encrypted_command_base.rb
@@ -7,12 +7,12 @@ module Gitlab
EDIT_COMMAND_NAME = "base"
class << self
- def encrypted_secrets
+ def encrypted_secrets(**args)
raise NotImplementedError
end
- def write(contents)
- encrypted = encrypted_secrets
+ def write(contents, args: {})
+ encrypted = encrypted_secrets(**args)
return unless validate_config(encrypted)
validate_contents(contents)
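Review bot: `args: {}` on `write` says nothing about what a subclass consumes (the Redis command added in this commit reads `args[:instance_name]`), and the base class carries no documentation of the contract; the same applies to `edit` and `show` in the next two hunks. A YARD line above each entry point, `# @param args [Hash] options forwarded unchanged to +encrypted_secrets+; keys are subclass-specific (e.g. +instance_name:+ for the Redis command)`, would tell rake callers what to pass. The abstract `encrypted_secrets(**args)` deserves a matching `# @abstract subclasses return the encrypted-settings object for the secrets file selected by +args+` so the three callers and the implementer agree on the return type. `write`'s body continues past the end of the hunk.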
@@ -25,8 +25,8 @@ module Gitlab
warn "Couldn't decrypt #{encrypted.content_path}. Perhaps you passed the wrong key?"
end
- def edit
- encrypted = encrypted_secrets
+ def edit(args: {})
+ encrypted = encrypted_secrets(**args)
return unless validate_config(encrypted)
if ENV["EDITOR"].blank?
@@ -58,8 +58,8 @@ module Gitlab
temp_file&.unlink
end
- def show
- encrypted = encrypted_secrets
+ def show(args: {})
+ encrypted = encrypted_secrets(**args)
return unless validate_config(encrypted)
puts encrypted.read.presence || "File '#{encrypted.content_path}' does not exist. Use `gitlab-rake #{self::EDIT_COMMAND_NAME}` to change that."
diff --git a/lib/gitlab/encrypted_ldap_command.rb b/lib/gitlab/encrypted_ldap_command.rb
index 5e1eabe7ec6..442c675f19e 100644
--- a/lib/gitlab/encrypted_ldap_command.rb
+++ b/lib/gitlab/encrypted_ldap_command.rb
@@ -1,6 +1,5 @@
# frozen_string_literal: true
-# rubocop:disable Rails/Output
module Gitlab
class EncryptedLdapCommand < EncryptedCommandBase
DISPLAY_NAME = "LDAP"
@@ -21,4 +20,3 @@ module Gitlab
end
end
end
-# rubocop:enable Rails/Output
diff --git a/lib/gitlab/encrypted_redis_command.rb b/lib/gitlab/encrypted_redis_command.rb
new file mode 100644
index 00000000000..608edcdb950
--- /dev/null
+++ b/lib/gitlab/encrypted_redis_command.rb
@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+# rubocop:disable Rails/Output
+module Gitlab
+ class EncryptedRedisCommand < EncryptedCommandBase
+ DISPLAY_NAME = "Redis"
+ EDIT_COMMAND_NAME = "gitlab:redis:secret:edit"
+
+ class << self
+ def all_redis_instance_class_names
+ Gitlab::Redis::ALL_CLASSES.map do |c|
+ normalized_instance_name(c)
+ end
+ end
+
+ def normalized_instance_name(instance)
+ if instance.is_a?(Class)
+ # Gitlab::Redis::SharedState => sharedstate
+ instance.name.demodulize.to_s.downcase
+ else
+ # Drop all hyphens, underscores, and spaces from the name
+ # eg.: shared_state => sharedstate
+ instance.gsub(/[-_ ]/, '').downcase
+ end
+ end
+
+ def encrypted_secrets(**args)
+ if args[:instance_name]
+ instance_class = Gitlab::Redis::ALL_CLASSES.find do |instance|
+ normalized_instance_name(instance) == normalized_instance_name(args[:instance_name])
+ end
+
+ unless instance_class
+ error_message = <<~MSG
+ Specified instance name #{args[:instance_name]} does not exist.
+ The available instances are #{all_redis_instance_class_names.join(', ')}."
+ MSG
+
+ raise error_message
+ end
+ else
+ instance_class = Gitlab::Redis::Cache
+ end
+
+ instance_class.encrypted_secrets
+ end
+
+ def encrypted_file_template
+ <<~YAML
+ # password: '123'
+ YAML
+ end
+ end
+ end
+end
+# rubocop:enable Rails/Output
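Review bot: The heredoc error message ends with a stray `"` after the period on the `available instances` line, so the message printed for a bad instance name carries an unbalanced quote; it should read `The available instances are #{all_redis_instance_class_names.join(', ')}.`. `raise error_message` raises a bare `RuntimeError`; `raise ArgumentError, error_message` names the failure (an invalid user-supplied instance name) without changing what the rake task prints, unless something upstream rescues `RuntimeError` specifically. `normalized_instance_name` calls `gsub` directly on a non-Class argument, so a Symbol or nil passed as `instance_name` fails with `NoMethodError` instead of the intended "does not exist" message; `instance.to_s.gsub(/[-_ ]/, '').downcase` keeps the message path. The `rubocop:disable Rails/Output` wrapper is kept here while the same commit removes it from the LDAP command, and this file itself makes no output calls, so the two files are worth aligning.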
diff --git a/lib/gitlab/gitaly_client.rb b/lib/gitlab/gitaly_client.rb
index 5ec58fc4f44..da38c11ebca 100644
--- a/lib/gitlab/gitaly_client.rb
+++ b/lib/gitlab/gitaly_client.rb
@@ -328,6 +328,8 @@ module Gitlab
'client_name' => CLIENT_NAME
}
+ relative_path = fetch_relative_path
+
context_data = Gitlab::ApplicationContext.current
feature_stack = Thread.current[:gitaly_feature_stack]
@@ -339,6 +341,7 @@ module Gitlab
metadata['username'] = context_data['meta.user'] if context_data&.fetch('meta.user', nil)
metadata['user_id'] = context_data['meta.user_id'].to_s if context_data&.fetch('meta.user_id', nil)
metadata['remote_ip'] = context_data['meta.remote_ip'] if context_data&.fetch('meta.remote_ip', nil)
+ metadata['relative-path-bin'] = relative_path if relative_path
metadata.merge!(Feature::Gitaly.server_feature_flags(**feature_flag_actors))
metadata.merge!(route_to_primary)
@@ -348,6 +351,17 @@ module Gitlab
{ metadata: metadata, deadline: deadline_info[:deadline] }
end
+ # The GitLab `internal/allowed/` API sets the :gitlab_git_relative_path
+ # variable. This provides the repository relative path which can be used to
+ # locate snapshot repositories in Gitaly which act as a quarantine repository
+ # until a transaction is committed.
+ def self.fetch_relative_path
+ return unless Gitlab::SafeRequestStore.active?
+ return if Gitlab::SafeRequestStore[:gitlab_git_relative_path].blank?
+
+ Gitlab::SafeRequestStore.fetch(:gitlab_git_relative_path)
+ end
+
# Gitlab::Git::HookEnv will set the :gitlab_git_env variable in case we're
# running in the context of a Gitaly hook call, which may make use of
# quarantined object directories. We thus need to pass along the path of
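Review bot: `fetch_relative_path` tests `SafeRequestStore[:gitlab_git_relative_path].blank?` and then reads the same key a second time through `fetch`; after the `active?` guard the remaining three lines collapse to `Gitlab::SafeRequestStore[:gitlab_git_relative_path].presence`, which already returns nil for a blank value and touches the store once. The header comment explains where the value originates but not where it goes; a closing sentence such as `# Returned value is sent to Gitaly as the 'relative-path-bin' metadata header; nil (header omitted) outside a request context.` ties it to the `metadata['relative-path-bin']` assignment in the previous hunk. The surrounding `request_kwargs`-style method whose metadata hash this feeds starts before the first hunk of this file.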
diff --git a/lib/gitlab/instrumentation_helper.rb b/lib/gitlab/instrumentation_helper.rb
index 2a3c4db5ffa..49078a7ccd0 100644
--- a/lib/gitlab/instrumentation_helper.rb
+++ b/lib/gitlab/instrumentation_helper.rb
@@ -12,7 +12,6 @@ module Gitlab
def add_instrumentation_data(payload)
instrument_gitaly(payload)
- instrument_rugged(payload)
instrument_redis(payload)
instrument_elasticsearch(payload)
instrument_zoekt(payload)
@@ -40,15 +39,6 @@ module Gitlab
payload[:gitaly_duration_s] = Gitlab::GitalyClient.query_time
end
- def instrument_rugged(payload)
- rugged_calls = Gitlab::RuggedInstrumentation.query_count
-
- return if rugged_calls == 0
-
- payload[:rugged_calls] = rugged_calls
- payload[:rugged_duration_s] = Gitlab::RuggedInstrumentation.query_time
- end
-
def instrument_redis(payload)
payload.merge! ::Gitlab::Instrumentation::Redis.payload
end
diff --git a/lib/gitlab/redis/wrapper.rb b/lib/gitlab/redis/wrapper.rb
index 2bcf4769b5a..d5470bc0016 100644
--- a/lib/gitlab/redis/wrapper.rb
+++ b/lib/gitlab/redis/wrapper.rb
@@ -19,7 +19,7 @@ module Gitlab
InvalidPathError = Class.new(StandardError)
class << self
- delegate :params, :url, :store, to: :new
+ delegate :params, :url, :store, :encrypted_secrets, to: :new
def with
pool.with { |redis| yield redis }
@@ -110,6 +110,14 @@ module Gitlab
raw_config_hash[:sentinels]
end
+ def secret_file
+ if raw_config_hash[:secret_file].blank?
+ File.join(Settings.encrypted_settings['path'], 'redis.yaml.enc')
+ else
+ Settings.absolute(raw_config_hash[:secret_file])
+ end
+ end
+
def sentinels?
sentinels && !sentinels.empty?
end
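Review bot: `secret_file` is a new public method (it sits above `private`) with no documentation of its fallback, and the default filename is a bare literal in the body. A YARD comment, `# @return [String] absolute path of the encrypted Redis secrets file; +redis.yaml.enc+ under Settings.encrypted_settings['path'] when +secret_file+ is not configured`, plus lifting `'redis.yaml.enc'` into a frozen constant such as `DEFAULT_SECRET_FILE = 'redis.yaml.enc'` would make the convention discoverable by the rake task that creates the file. Both branches return a path that is later opened by `Settings.encrypted`, so a relative `secret_file` value is resolved through `Settings.absolute`, which is worth stating in the comment since that is the only normalisation applied.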
@@ -118,22 +126,44 @@ module Gitlab
::Redis::Store::Factory.create(redis_store_options.merge(extras))
end
+ def encrypted_secrets
+ # In rake tasks, we have to populate the encrypted_secrets even if the
+ # file does not exist, as it is the job of one of those tasks to create
+ # the file. In other cases, like when being loaded as part of spinning
+ # up test environment via `scripts/setup-test-env`, we should gate on
+ # the presence of the specified secret file so that
+ # `Settings.encrypted`, which might not be loadable does not gets
+ # called.
+ Settings.encrypted(secret_file) if File.exist?(secret_file) || ::Gitlab::Runtime.rake?
+ end
+
private
def redis_store_options
config = raw_config_hash
config[:instrumentation_class] ||= self.class.instrumentation_class
- result = if config[:cluster].present?
- config[:db] = 0 # Redis Cluster only supports db 0
- config
+ decrypted_config = parse_encrypted_config(config)
+
+ result = if decrypted_config[:cluster].present?
+ decrypted_config[:db] = 0 # Redis Cluster only supports db 0
+ decrypted_config
else
- parse_redis_url(config)
+ parse_redis_url(decrypted_config)
end
parse_client_tls_options(result)
end
+ def parse_encrypted_config(encrypted_config)
+ encrypted_config.delete(:secret_file)
+
+ decrypted_secrets = encrypted_secrets&.config
+ encrypted_config.merge!(decrypted_secrets) if decrypted_secrets
+
+ encrypted_config
+ end
+
def parse_redis_url(config)
redis_url = config.delete(:url)
redis_uri = URI.parse(redis_url)
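Review bot: `parse_encrypted_config` deletes `:secret_file` from the config hash before calling `encrypted_secrets`, and `encrypted_secrets` resolves its path through `secret_file`, which reads `raw_config_hash[:secret_file]`; if `raw_config_hash` returns the same hash object on repeated calls, the configured path has already been removed and the default `redis.yaml.enc` is opened instead. Reading the secrets first removes the ordering dependency: `decrypted_secrets = encrypted_secrets&.config` on the first line, then `encrypted_config.delete(:secret_file)`. `merge!` also assumes the decrypted `config` uses symbol keys like the rest of `raw_config_hash`; if `Settings.encrypted` yields string keys, the `password` it supplies would sit beside the symbol-keyed settings rather than override them, so a spec with a configured `secret_file` and a password would pin this. In the `encrypted_secrets` comment, "does not gets called" should read "does not get called", and `secret_file` is evaluated twice on that method's last line; `path = secret_file` keeps it to one join. `parse_redis_url` continues past the end of the hunk.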
diff --git a/lib/gitlab/rugged_instrumentation.rb b/lib/gitlab/rugged_instrumentation.rb
deleted file mode 100644
index 36a3a491de6..00000000000
--- a/lib/gitlab/rugged_instrumentation.rb
+++ /dev/null
@@ -1,45 +0,0 @@
-# frozen_string_literal: true
-
-module Gitlab
- module RuggedInstrumentation
- def self.query_time
- query_time = SafeRequestStore[:rugged_query_time] || 0
- query_time.round(Gitlab::InstrumentationHelper::DURATION_PRECISION)
- end
-
- def self.add_query_time(duration)
- SafeRequestStore[:rugged_query_time] ||= 0
- SafeRequestStore[:rugged_query_time] += duration
- end
-
- def self.query_time_ms
- (self.query_time * 1000).round(2)
- end
-
- def self.query_count
- SafeRequestStore[:rugged_call_count] ||= 0
- end
-
- def self.increment_query_count
- SafeRequestStore[:rugged_call_count] ||= 0
- SafeRequestStore[:rugged_call_count] += 1
- end
-
- def self.active?
- SafeRequestStore.active?
- end
-
- def self.add_call_details(details)
- return unless Gitlab::PerformanceBar.enabled_for_request?
-
- Gitlab::SafeRequestStore[:rugged_call_details] ||= []
- Gitlab::SafeRequestStore[:rugged_call_details] << details
- end
-
- def self.list_call_details
- return [] unless Gitlab::PerformanceBar.enabled_for_request?
-
- Gitlab::SafeRequestStore[:rugged_call_details] || []
- end
- end
-end