Add latest changes from gitlab-org/gitlab@14-3-stable-eev14.3.0-rc42

12 files changed, 73 insertions, 15 deletions

diff --git a/workhorse/internal/artifacts/artifacts_upload_test.go b/workhorse/internal/artifacts/artifacts_upload_test.go
index ce078c78559..2b11d56f4ee 100644
--- a/workhorse/internal/artifacts/artifacts_upload_test.go
+++ b/workhorse/internal/artifacts/artifacts_upload_test.go
@@ -14,7 +14,7 @@ import (
 	"os"
 	"testing"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 
 	"gitlab.com/gitlab-org/gitlab/workhorse/internal/api"
 	"gitlab.com/gitlab-org/gitlab/workhorse/internal/filestore"
diff --git a/workhorse/internal/filestore/file_handler.go b/workhorse/internal/filestore/file_handler.go
index 06948941c04..b4d7250fe0c 100644
--- a/workhorse/internal/filestore/file_handler.go
+++ b/workhorse/internal/filestore/file_handler.go
@@ -10,7 +10,7 @@ import (
 	"strconv"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 
 	"gitlab.com/gitlab-org/labkit/log"
 
diff --git a/workhorse/internal/filestore/file_handler_test.go b/workhorse/internal/filestore/file_handler_test.go
index b1d4e64b666..16af56dcf48 100644
--- a/workhorse/internal/filestore/file_handler_test.go
+++ b/workhorse/internal/filestore/file_handler_test.go
@@ -12,7 +12,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/require"
 	"gocloud.dev/blob"
 
diff --git a/workhorse/internal/imageresizer/image_resizer.go b/workhorse/internal/imageresizer/image_resizer.go
index a21d2838acb..cd0fa946530 100644
--- a/workhorse/internal/imageresizer/image_resizer.go
+++ b/workhorse/internal/imageresizer/image_resizer.go
@@ -186,12 +186,15 @@ func (r *Resizer) Inject(w http.ResponseWriter, req *http.Request, paramsData st
 	}
 	defer imageFile.reader.Close()
 
+	widthLabelVal := strconv.Itoa(int(params.Width))
+
 	outcome.originalFileSize = imageFile.contentLength
 
 	setLastModified(w, imageFile.lastModified)
 	// If the original file has not changed, then any cached resized versions have not changed either.
 	if checkNotModified(req, imageFile.lastModified) {
 		writeNotModified(w)
+		imageResizeDurations.WithLabelValues(params.ContentType, widthLabelVal).Observe(time.Since(start).Seconds())
 		outcome.ok(statusClientCache)
 		return
 	}
@@ -221,7 +224,6 @@ func (r *Resizer) Inject(w http.ResponseWriter, req *http.Request, paramsData st
 		return
 	}
 
-	widthLabelVal := strconv.Itoa(int(params.Width))
 	imageResizeDurations.WithLabelValues(params.ContentType, widthLabelVal).Observe(time.Since(start).Seconds())
 
 	outcome.ok(statusSuccess)
diff --git a/workhorse/internal/secret/jwt.go b/workhorse/internal/secret/jwt.go
index 04335e58f76..804f3a9aba9 100644
--- a/workhorse/internal/secret/jwt.go
+++ b/workhorse/internal/secret/jwt.go
@@ -3,7 +3,7 @@ package secret
 import (
 	"fmt"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 )
 
 var (
diff --git a/workhorse/internal/testhelper/testhelper.go b/workhorse/internal/testhelper/testhelper.go
index d94341cd2b6..7e66563e438 100644
--- a/workhorse/internal/testhelper/testhelper.go
+++ b/workhorse/internal/testhelper/testhelper.go
@@ -14,7 +14,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/require"
 
 	"gitlab.com/gitlab-org/labkit/log"
diff --git a/workhorse/internal/upload/accelerate.go b/workhorse/internal/upload/accelerate.go
index 08a84c6f670..81f44d33a82 100644
--- a/workhorse/internal/upload/accelerate.go
+++ b/workhorse/internal/upload/accelerate.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 
 	"gitlab.com/gitlab-org/gitlab/workhorse/internal/api"
 	"gitlab.com/gitlab-org/gitlab/workhorse/internal/helper"
diff --git a/workhorse/internal/upload/body_uploader_test.go b/workhorse/internal/upload/body_uploader_test.go
index 35509cb86c4..aeb366616ca 100644
--- a/workhorse/internal/upload/body_uploader_test.go
+++ b/workhorse/internal/upload/body_uploader_test.go
@@ -11,7 +11,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/stretchr/testify/require"
 
 	"gitlab.com/gitlab-org/gitlab/workhorse/internal/api"
diff --git a/workhorse/internal/upload/saved_file_tracker_test.go b/workhorse/internal/upload/saved_file_tracker_test.go
index b294d04b216..b34dd9aed4f 100644
--- a/workhorse/internal/upload/saved_file_tracker_test.go
+++ b/workhorse/internal/upload/saved_file_tracker_test.go
@@ -3,7 +3,7 @@ package upload
 import (
 	"context"
 
-	"github.com/dgrijalva/jwt-go"
+	"github.com/golang-jwt/jwt/v4"
 
 	"net/http"
 	"testing"
diff --git a/workhorse/internal/upstream/roundtripper/roundtripper.go b/workhorse/internal/upstream/roundtripper/roundtripper.go
index 947b80ddcf6..fdbca5c0120 100644
--- a/workhorse/internal/upstream/roundtripper/roundtripper.go
+++ b/workhorse/internal/upstream/roundtripper/roundtripper.go
@@ -2,6 +2,7 @@ package roundtripper
 
 import (
 	"context"
+	"crypto/tls"
 	"fmt"
 	"net"
 	"net/http"
@@ -15,10 +16,6 @@ import (
 )
 
 func mustParseAddress(address, scheme string) string {
-	if scheme == "https" {
-		panic("TLS is not supported for backend connections")
-	}
-
 	for _, suffix := range []string{"", ":" + scheme} {
 		address += suffix
 		if host, port, err := net.SplitHostPort(address); err == nil && host != "" && port != "" {
@@ -31,9 +28,14 @@ func mustParseAddress(address, scheme string) string {
 
 // NewBackendRoundTripper returns a new RoundTripper instance using the provided values
 func NewBackendRoundTripper(backend *url.URL, socket string, proxyHeadersTimeout time.Duration, developmentMode bool) http.RoundTripper {
+	return newBackendRoundTripper(backend, socket, proxyHeadersTimeout, developmentMode, nil)
+}
+
+func newBackendRoundTripper(backend *url.URL, socket string, proxyHeadersTimeout time.Duration, developmentMode bool, tlsConf *tls.Config) http.RoundTripper {
 	// Copied from the definition of http.DefaultTransport. We can't literally copy http.DefaultTransport because of its hidden internal state.
 	transport, dialer := newBackendTransport()
 	transport.ResponseHeaderTimeout = proxyHeadersTimeout
+	transport.TLSClientConfig = tlsConf
 
 	if backend != nil && socket == "" {
 		address := mustParseAddress(backend.Host, backend.Scheme)
diff --git a/workhorse/internal/upstream/roundtripper/roundtripper_test.go b/workhorse/internal/upstream/roundtripper/roundtripper_test.go
index 79ffa244918..eed71cc5bae 100644
--- a/workhorse/internal/upstream/roundtripper/roundtripper_test.go
+++ b/workhorse/internal/upstream/roundtripper/roundtripper_test.go
@@ -1,6 +1,13 @@
 package roundtripper
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
 	"strconv"
 	"testing"
 
@@ -12,6 +19,7 @@ func TestMustParseAddress(t *testing.T) {
 		{"1.2.3.4:56", "http", "1.2.3.4:56"},
 		{"[::1]:23", "http", "::1:23"},
 		{"4.5.6.7", "http", "4.5.6.7:http"},
+		{"4.5.6.7", "https", "4.5.6.7:https"},
 	}
 	for i, example := range successExamples {
 		t.Run(strconv.Itoa(i), func(t *testing.T) {
@@ -23,7 +31,6 @@ func TestMustParseAddress(t *testing.T) {
 func TestMustParseAddressPanic(t *testing.T) {
 	panicExamples := []struct{ address, scheme string }{
 		{"1.2.3.4", ""},
-		{"1.2.3.4", "https"},
 	}
 
 	for i, panicExample := range panicExamples {
@@ -37,3 +44,50 @@ func TestMustParseAddressPanic(t *testing.T) {
 		})
 	}
 }
+
+func TestSupportsHTTPBackend(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+		fmt.Fprint(w, "successful response")
+	}))
+	defer ts.Close()
+
+	testNewBackendRoundTripper(t, ts, nil, "successful response")
+}
+
+func TestSupportsHTTPSBackend(t *testing.T) {
+	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(200)
+		fmt.Fprint(w, "successful response")
+	}))
+	defer ts.Close()
+
+	certpool := x509.NewCertPool()
+	certpool.AddCert(ts.Certificate())
+	tlsClientConfig := &tls.Config{
+		RootCAs: certpool,
+	}
+
+	testNewBackendRoundTripper(t, ts, tlsClientConfig, "successful response")
+}
+
+func testNewBackendRoundTripper(t *testing.T, ts *httptest.Server, tlsClientConfig *tls.Config, expectedResponseBody string) {
+	t.Helper()
+
+	backend, err := url.Parse(ts.URL)
+	require.NoError(t, err, "parse url")
+
+	rt := newBackendRoundTripper(backend, "", 0, true, tlsClientConfig)
+
+	req, err := http.NewRequest("GET", ts.URL+"/", nil)
+	require.NoError(t, err, "build request")
+
+	response, err := rt.RoundTrip(req)
+	require.NoError(t, err, "perform roundtrip")
+	defer response.Body.Close()
+
+	body, err := ioutil.ReadAll(response.Body)
+	require.NoError(t, err)
+
+	require.Equal(t, expectedResponseBody, string(body))
+}
diff --git a/workhorse/internal/upstream/routes.go b/workhorse/internal/upstream/routes.go
index a4b453f047d..8c85c5144e5 100644
--- a/workhorse/internal/upstream/routes.go
+++ b/workhorse/internal/upstream/routes.go
@@ -359,7 +359,7 @@ func configureRoutes(u *upstream) {
 		u.route("", "^/-/metrics$", defaultUpstream),
 
 		// Authentication routes
-		u.route("", "^/users/(sign_in|sign_out)$", defaultUpstream),
+		u.route("", "^/users/auth/geo/(sign_in|sign_out)$", defaultUpstream),
 		u.route("", "^/oauth/geo/(auth|callback|logout)$", defaultUpstream),
 
 		// Admin Area > Geo routes