Commit 0e415647 authored by Yorick Peterse's avatar Yorick Peterse

Backport gitlab.yml.example from EE

To make this happen, we need to conditionally add the group_saml
strategy when running tests, but only on EE. This requires some changes
to Gitlab.ee? so that it can be used before/without loading the Rails
environment. We also have to change how we require a few files, so this
can run outside of Rails.
parent 3cd038e3
...@@ -230,7 +230,45 @@ production: &base ...@@ -230,7 +230,45 @@ production: &base
## Packages (maven repository, npm registry, etc...) ## Packages (maven repository, npm registry, etc...)
packages: packages:
enabled: true
# The location where build packages are stored (default: shared/packages).
# storage_path: shared/packages
object_store:
enabled: false enabled: false
remote_directory: packages # The bucket name
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
# background_upload: false # Temporary option to limit automatic upload (Default: true)
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## Dependency Proxy
dependency_proxy:
enabled: true
# The location where build packages are stored (default: shared/dependency_proxy).
# storage_path: shared/dependency_proxy
object_store:
enabled: false
remote_directory: dependency_proxy # The bucket name
# direct_upload: false # Use Object Storage directly for uploads instead of background uploads if enabled (Default: false)
# background_upload: false # Temporary option to limit automatic upload (Default: true)
# proxy_download: false # Passthrough all downloads via GitLab instead of using Redirects to Object Storage
connection:
provider: AWS
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
# host: 'localhost' # default: s3.amazonaws.com
# endpoint: 'http://127.0.0.1:9000' # default: nil
# aws_signature_version: 4 # For creation of signed URLs. Set to 2 if provider does not support v4.
# path_style: true # Use 'host/bucket_name/object' instead of 'bucket_name.host/object'
## GitLab Pages ## GitLab Pages
pages: pages:
...@@ -306,6 +344,53 @@ production: &base ...@@ -306,6 +344,53 @@ production: &base
schedule_migrate_external_diffs_worker: schedule_migrate_external_diffs_worker:
cron: "15 * * * *" cron: "15 * * * *"
# GitLab EE only jobs. These jobs are automatically enabled for an EE
# installation, and ignored for a CE installation.
ee_cron_jobs:
# Snapshot active users statistics
historical_data_worker:
cron: "0 12 * * *"
# In addition to refreshing users when they log in,
# periodically refresh LDAP users membership.
# NOTE: This will only take effect if LDAP is enabled
ldap_sync_worker:
cron: "30 1 * * *"
# Periodically refresh LDAP groups membership.
# NOTE: This will only take effect if LDAP is enabled
ldap_group_sync_worker:
cron: "0 * * * *"
# GitLab Geo metrics update worker
# NOTE: This will only take effect if Geo is enabled
geo_metrics_update_worker:
cron: "*/1 * * * *"
# GitLab Geo prune event log worker
# NOTE: This will only take effect if Geo is enabled (primary node only)
geo_prune_event_log_worker:
cron: "*/5 * * * *"
# GitLab Geo repository sync worker
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
geo_repository_sync_worker:
cron: "*/1 * * * *"
# GitLab Geo file download dispatch worker
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
geo_file_download_dispatch_worker:
cron: "*/1 * * * *"
# GitLab Geo migrated local files clean up worker
# NOTE: This will only take effect if Geo is enabled (secondary nodes only)
geo_migrated_local_files_clean_up_worker:
cron: "15 */6 * * *"
# Export pseudonymized data in CSV format for analysis
pseudonymizer_worker:
cron: "0 * * * *"
registry: registry:
# enabled: true # enabled: true
# host: registry.example.com # host: registry.example.com
...@@ -323,6 +408,16 @@ production: &base ...@@ -323,6 +408,16 @@ production: &base
# clientside_dsn: https://<key>@sentry.io/<project> # clientside_dsn: https://<key>@sentry.io/<project>
# environment: 'production' # e.g. development, staging, production # environment: 'production' # e.g. development, staging, production
## Geo
# NOTE: These settings will only take effect if Geo is enabled
geo:
# This is an optional identifier which Geo nodes can use to identify themselves.
# For example, if external_url is the same for two secondaries, you must specify
# a unique Geo node name for those secondaries.
#
# If it is blank, it defaults to external_url.
node_name: ''
# #
# 2. GitLab CI settings # 2. GitLab CI settings
# ========================== # ==========================
...@@ -349,6 +444,19 @@ production: &base ...@@ -349,6 +444,19 @@ production: &base
# bundle exec rake gitlab:ldap:check RAILS_ENV=production # bundle exec rake gitlab:ldap:check RAILS_ENV=production
ldap: ldap:
enabled: false enabled: false
# This setting controls the number of seconds between LDAP permission checks
# for each user. After this time has expired for a given user, their next
# interaction with GitLab (a click in the web UI, a git pull, etc.) will be
# slower because the LDAP permission check is being performed. How much
# slower depends on your LDAP setup, but it is not uncommon for this check
# to add seconds of waiting time. The default value is to have a "slow
# click" once every 3600 seconds (i.e., once per hour).
#
# Warning: if you set this value too low, every click in GitLab will be a
# "slow click" for all of your LDAP users.
# sync_time: 3600
servers: servers:
########################################################################## ##########################################################################
# #
...@@ -446,6 +554,10 @@ production: &base ...@@ -446,6 +554,10 @@ production: &base
# A value of 0 means there is no timeout. # A value of 0 means there is no timeout.
timeout: 10 timeout: 10
# Enable smartcard authentication against the LDAP server. Valid values
# are "false", "optional", and "required".
smartcard_auth: false
# This setting specifies if LDAP server is Active Directory LDAP server. # This setting specifies if LDAP server is Active Directory LDAP server.
# For non AD servers it skips the AD specific queries. # For non AD servers it skips the AD specific queries.
# If your LDAP server is not AD, set this to false. # If your LDAP server is not AD, set this to false.
...@@ -485,6 +597,31 @@ production: &base ...@@ -485,6 +597,31 @@ production: &base
# #
user_filter: '' user_filter: ''
# Base where we can search for groups
#
# Ex. ou=Groups,dc=gitlab,dc=example
#
group_base: ''
# LDAP group of users who should be admins in GitLab
#
# Ex. GLAdmins
#
admin_group: ''
# LDAP group of users who should be marked as external users in GitLab
#
# Ex. ['Contractors', 'Interns']
#
external_groups: []
# Name of attribute which holds a ssh public key of the user object.
# If false or nil, SSH key syncronisation will be disabled.
#
# Ex. sshpublickey
#
sync_ssh_keys: false
# LDAP attributes that GitLab will use to create an account for the LDAP user. # LDAP attributes that GitLab will use to create an account for the LDAP user.
# The specified attribute can either be the attribute name as a string (e.g. 'mail'), # The specified attribute can either be the attribute name as a string (e.g. 'mail'),
# or an array of attribute names to try in order (e.g. ['mail', 'email']). # or an array of attribute names to try in order (e.g. ['mail', 'email']).
...@@ -516,6 +653,38 @@ production: &base ...@@ -516,6 +653,38 @@ production: &base
# host: # host:
# .... # ....
## Smartcard authentication settings
smartcard:
# Allow smartcard authentication
enabled: false
# Path to a file containing a CA certificate
ca_file: '/etc/ssl/certs/CA.pem'
# Port where the client side certificate is requested by the webserver (NGINX/Apache)
# client_certificate_required_port: 3444
## Kerberos settings
kerberos:
# Allow the HTTP Negotiate authentication method for Git clients
enabled: false
# Kerberos 5 keytab file. The keytab file must be readable by the GitLab user,
# and should be different from other keytabs in the system.
# (default: use default keytab from Krb5 config)
# keytab: /etc/http.keytab
# The Kerberos service name to be used by GitLab.
# (default: accept any service name in keytab file)
# service_principal_name: HTTP/gitlab.example.com@EXAMPLE.COM
# Dedicated port: Git before 2.4 does not fall back to Basic authentication if Negotiate fails.
# To support both Basic and Negotiate methods with older versions of Git, configure
# nginx to proxy GitLab on an extra port (e.g. 8443) and uncomment the following lines
# to dedicate this port to Kerberos authentication. (default: false)
# use_dedicated_port: true
# port: 8443
# https: true
## OmniAuth settings ## OmniAuth settings
omniauth: omniauth:
...@@ -635,6 +804,8 @@ production: &base ...@@ -635,6 +804,8 @@ production: &base
# name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' # name_identifier_format: 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'
# } } # } }
# #
# - { name: 'group_saml' }
#
# - { name: 'crowd', # - { name: 'crowd',
# args: { # args: {
# crowd_server_url: 'CROWD SERVER URL', # crowd_server_url: 'CROWD SERVER URL',
...@@ -707,6 +878,20 @@ production: &base ...@@ -707,6 +878,20 @@ production: &base
# # Specifies Amazon S3 storage class to use for backups, this is optional # # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD' # # storage_class: 'STANDARD'
## Pseudonymizer exporter
pseudonymizer:
# Tables manifest that specifies the fields to extract and pseudonymize.
manifest: config/pseudonymizer.yml
upload:
remote_directory: 'gitlab-elt'
# Fog storage connection settings, see http://fog.io/storage/ .
connection:
# provider: AWS
# region: eu-west-1
# aws_access_key_id: AKIAKIAKI
# aws_secret_access_key: 'secret123'
# # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
## GitLab Shell settings ## GitLab Shell settings
gitlab_shell: gitlab_shell:
path: /home/git/gitlab-shell/ path: /home/git/gitlab-shell/
...@@ -872,6 +1057,17 @@ test: ...@@ -872,6 +1057,17 @@ test:
token: secret token: secret
backup: backup:
path: tmp/tests/backups path: tmp/tests/backups
pseudonymizer:
manifest: config/pseudonymizer.yml
upload:
# The remote 'directory' to store the CSV files. For S3, this would be the bucket name.
remote_directory: gitlab-elt.test
# Fog storage connection settings, see http://fog.io/storage/
connection:
provider: AWS # Only AWS supported at the moment
aws_access_key_id: AWS_ACCESS_KEY_ID
aws_secret_access_key: AWS_SECRET_ACCESS_KEY
region: us-east-1
gitlab_shell: gitlab_shell:
path: tmp/tests/gitlab-shell/ path: tmp/tests/gitlab-shell/
authorized_keys_file: tmp/tests/authorized_keys authorized_keys_file: tmp/tests/authorized_keys
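Review bot: In the pseudonymizer hunk (@@ -707,6 +878,20) the commented sample credentials `# aws_access_key_id: AKIAKIAKI` and `# aws_secret_access_key: 'secret123'` look like real values, whereas every other object-store block in this file (packages, dependency_proxy and the test-section pseudonymizer) uses the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` placeholders; realistic-looking keys in a shipped example tend to trip secret scanners and invite copy-paste, so use the same placeholders here. The trailing comment `# # The remote 'directory' to store the CSV files. For S3, this would be the bucket name.` lands after the `connection:` block where it describes nothing; in the test section the same comment sits directly above `remote_directory`, so move it above `remote_directory: 'gitlab-elt'`. Separately, the ldap hunk (@@ -485,6 +597,31) spells `syncronisation` in the `sync_ssh_keys` comment; it should read `synchronisation`.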
...@@ -117,6 +117,15 @@ if github_settings ...@@ -117,6 +117,15 @@ if github_settings
end end
end end
# SAML should be enabled for the tests automatically, but only for EE.
saml_provider_enabled = Settings.omniauth.providers.any? do |provider|
provider['name'] == 'group_saml'
end
if Gitlab.ee? && Rails.env.test? && !saml_provider_enabled
Settings.omniauth.providers << Settingslogic.new({ 'name' => 'group_saml' })
end
Settings['shared'] ||= Settingslogic.new({}) Settings['shared'] ||= Settingslogic.new({})
Settings.shared['path'] = Settings.absolute(Settings.shared['path'] || "shared") Settings.shared['path'] = Settings.absolute(Settings.shared['path'] || "shared")
...@@ -291,6 +300,11 @@ Settings.gravatar['host'] = Settings.host_without_www(Settings.gravatar[ ...@@ -291,6 +300,11 @@ Settings.gravatar['host'] = Settings.host_without_www(Settings.gravatar[
# Cron Jobs # Cron Jobs
# #
Settings['cron_jobs'] ||= Settingslogic.new({}) Settings['cron_jobs'] ||= Settingslogic.new({})
if Gitlab.ee? && Settings['ee_cron_jobs']
Settings.cron_jobs.merge!(Settings.ee_cron_jobs)
end
Settings.cron_jobs['stuck_ci_jobs_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['stuck_ci_jobs_worker'] ||= Settingslogic.new({})
Settings.cron_jobs['stuck_ci_jobs_worker']['cron'] ||= '0 * * * *' Settings.cron_jobs['stuck_ci_jobs_worker']['cron'] ||= '0 * * * *'
Settings.cron_jobs['stuck_ci_jobs_worker']['job_class'] = 'StuckCiJobsWorker' Settings.cron_jobs['stuck_ci_jobs_worker']['job_class'] = 'StuckCiJobsWorker'
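Review bot: The `saml_provider_enabled` scan over `Settings.omniauth.providers` in the first hunk (@@ -117,6 +117,15) runs on every boot, CE and production included, even though its result is only consulted when `Gitlab.ee? && Rails.env.test?`; folding it into the condition keeps the production path untouched: `if Gitlab.ee? && Rails.env.test? && Settings.omniauth.providers.none? { |provider| provider['name'] == 'group_saml' }`. That also makes it explicit that the test-only provider injection can never run outside the test environment, which the comment could state: `# Test-only: EE specs rely on a group_saml OmniAuth provider; it is never injected outside Rails.env.test?`. Whether `Settings.omniauth.providers` is guaranteed to be non-nil at this point depends on the `omniauth` defaults set earlier in this initializer, which are outside the hunk.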
require 'settingslogic' require 'settingslogic'
# We can not use `Rails.root` here, as this file might be loaded without the
# full Rails environment being loaded. We can not use `require_relative` either,
# as Rails uses `load` for `require_dependency` (used when loading the Rails
# environment). This could then lead to this file being loaded twice.
require_dependency File.expand_path('../lib/gitlab', __dir__)
class Settings < Settingslogic class Settings < Settingslogic
source ENV.fetch('GITLAB_CONFIG') { Pathname.new(File.expand_path('..', __dir__)).join('config/gitlab.yml') } source ENV.fetch('GITLAB_CONFIG') { Pathname.new(File.expand_path('..', __dir__)).join('config/gitlab.yml') }
namespace ENV.fetch('GITLAB_ENV') { Rails.env } namespace ENV.fetch('GITLAB_ENV') { Rails.env }
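Review bot: `require_dependency File.expand_path('../lib/gitlab', __dir__)` is an ActiveSupport method, so a file the new comment says "might be loaded without the full Rails environment" now depends on whoever loads it having already required `active_support/dependencies` (the spec helper section further down adds exactly that require in this commit). Making the dependency local removes a load-order-dependent NoMethodError: add `require 'active_support/dependencies'` next to `require 'settingslogic'`. The comment could also say where the method comes from, e.g. `# require_dependency is provided by ActiveSupport::Dependencies, which must be loaded first.`. The `Settings` class body continues outside the hunk.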
# frozen_string_literal: true # frozen_string_literal: true
require_dependency 'gitlab/popen' require_dependency File.expand_path('gitlab/popen', __dir__)
module Gitlab module Gitlab
def self.root def self.root
...@@ -60,10 +60,14 @@ module Gitlab ...@@ -60,10 +60,14 @@ module Gitlab
end end
def self.ee? def self.ee?
@is_ee ||=
if ENV['IS_GITLAB_EE'].present? if ENV['IS_GITLAB_EE'].present?
Gitlab::Utils.to_boolean(ENV['IS_GITLAB_EE']) Gitlab::Utils.to_boolean(ENV['IS_GITLAB_EE'])
else else
Object.const_defined?(:License) # We may use this method when the Rails environment is not loaded. This
# means that checking the presence of the License class could result in
# this method returning `false`, even for an EE installation.
root.join('ee/app/models/license.rb').exist?
end end
end end
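Review bot: `@is_ee ||=` in the `.ee?` hunk (@@ -60,10 +60,14) never caches a `false` result, so on a CE installation every call re-reads `ENV['IS_GITLAB_EE']` and stats `ee/app/models/license.rb` again; the memoization only ever helps EE. Memoize both outcomes with `return @is_ee unless @is_ee.nil?` followed by `@is_ee =` in place of `@is_ee ||=`; the specs in this commit already reset `@is_ee` to `nil` around each example, so they keep working. Since `present?` is used here, this method still needs ActiveSupport's core extensions even when Rails is not loaded, which the new comment could mention.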
...@@ -3,6 +3,7 @@ require 'bundler/setup' ...@@ -3,6 +3,7 @@ require 'bundler/setup'
ENV['GITLAB_ENV'] = 'test' ENV['GITLAB_ENV'] = 'test'
ENV['IN_MEMORY_APPLICATION_SETTINGS'] = 'true' ENV['IN_MEMORY_APPLICATION_SETTINGS'] = 'true'
require 'active_support/dependencies'
require_relative '../config/settings' require_relative '../config/settings'
require_relative 'support/rspec' require_relative 'support/rspec'
require 'active_support/all' require 'active_support/all'
...@@ -97,14 +97,42 @@ describe Gitlab do ...@@ -97,14 +97,42 @@ describe Gitlab do
end end
describe '.ee?' do describe '.ee?' do
before do
described_class.instance_variable_set(:@is_ee, nil)
end
after do
described_class.instance_variable_set(:@is_ee, nil)
end
it 'returns true when using Enterprise Edition' do it 'returns true when using Enterprise Edition' do
stub_const('License', Class.new) root = Pathname.new('dummy')
license_path = double(:path, exist?: true)
allow(described_class)
.to receive(:root)
.and_return(root)
allow(root)
.to receive(:join)
.with('ee/app/models/license.rb')
.and_return(license_path)
expect(described_class.ee?).to eq(true) expect(described_class.ee?).to eq(true)
end end
it 'returns false when using Community Edition' do it 'returns false when using Community Edition' do
hide_const('License') root = double(:path)
license_path = double(:path, exists?: false)
allow(described_class)
.to receive(:root)
.and_return(Pathname.new('dummy'))
allow(root)
.to receive(:join)
.with('ee/app/models/license.rb')
.and_return(license_path)
expect(described_class.ee?).to eq(false) expect(described_class.ee?).to eq(false)
end end
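Review bot: The "returns false when using Community Edition" example in this hunk (@@ -97,14 +97,42) does not exercise the stub it sets up: `.root` is stubbed to return `Pathname.new('dummy')` rather than the `root` double, so `allow(root).to receive(:join)` never fires, and the double stubs `exists?` whereas `Gitlab.ee?` calls `exist?`. The example passes only because `dummy/ee/app/models/license.rb` happens not to exist on the machine running the suite. Mirror the EE example: `license_path = double(:path, exist?: false)` and `.and_return(root)`.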