Merge branch 'revert-d9652a83' into 'master'

Rails 6.0.3.1 Take 2 See merge request gitlab-org/gitlab!33454

Merge branch 'revert-d9652a83' into 'master'
Rails 6.0.3.1 Take 2 See merge request gitlab-org/gitlab!33454
829cac03 · Heinrich Lee Yu · 62d4de74 · 86ef86b5 · 829cac03 · 829cac03
Commit 829cac03 authored Jun 04, 2020 by Heinrich Lee Yu
8 changed files
--- a/Gemfile
+++ b/Gemfile
 source 'https://rubygems.org'

-gem 'rails', '~> 6.0.3'
+gem 'rails', '~> 6.0.3.1'

 gem 'bootsnap', '~> 1.4.6'


--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -6,59 +6,59 @@ GEM
    ace-rails-ap (4.1.2)
    acme-client (2.0.5)
      faraday (~> 0.9, >= 0.9.1)
-    actioncable (6.0.3)
-      actionpack (= 6.0.3)
+    actioncable (6.0.3.1)
+      actionpack (= 6.0.3.1)
      nio4r (~> 2.0)
      websocket-driver (>= 0.6.1)
-    actionmailbox (6.0.3)
-      actionpack (= 6.0.3)
-      activejob (= 6.0.3)
-      activerecord (= 6.0.3)
-      activestorage (= 6.0.3)
-      activesupport (= 6.0.3)
+    actionmailbox (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activejob (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
+      activestorage (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
      mail (>= 2.7.1)
-    actionmailer (6.0.3)
-      actionpack (= 6.0.3)
-      actionview (= 6.0.3)
-      activejob (= 6.0.3)
+    actionmailer (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      actionview (= 6.0.3.1)
+      activejob (= 6.0.3.1)
      mail (~> 2.5, >= 2.5.4)
      rails-dom-testing (~> 2.0)
-    actionpack (6.0.3)
-      actionview (= 6.0.3)
-      activesupport (= 6.0.3)
+    actionpack (6.0.3.1)
+      actionview (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
      rack (~> 2.0, >= 2.0.8)
      rack-test (>= 0.6.3)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (6.0.3)
-      actionpack (= 6.0.3)
-      activerecord (= 6.0.3)
-      activestorage (= 6.0.3)
-      activesupport (= 6.0.3)
+    actiontext (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
+      activestorage (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
      nokogiri (>= 1.8.5)
-    actionview (6.0.3)
-      activesupport (= 6.0.3)
+    actionview (6.0.3.1)
+      activesupport (= 6.0.3.1)
      builder (~> 3.1)
      erubi (~> 1.4)
      rails-dom-testing (~> 2.0)
      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (6.0.3)
-      activesupport (= 6.0.3)
+    activejob (6.0.3.1)
+      activesupport (= 6.0.3.1)
      globalid (>= 0.3.6)
-    activemodel (6.0.3)
-      activesupport (= 6.0.3)
-    activerecord (6.0.3)
-      activemodel (= 6.0.3)
-      activesupport (= 6.0.3)
+    activemodel (6.0.3.1)
+      activesupport (= 6.0.3.1)
+    activerecord (6.0.3.1)
+      activemodel (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
    activerecord-explain-analyze (0.1.0)
      activerecord (>= 4)
      pg
-    activestorage (6.0.3)
-      actionpack (= 6.0.3)
-      activejob (= 6.0.3)
-      activerecord (= 6.0.3)
+    activestorage (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activejob (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
      marcel (~> 0.3.1)
-    activesupport (6.0.3)
+    activesupport (6.0.3.1)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
@@ -801,20 +801,20 @@ GEM
    rack-test (1.1.0)
      rack (>= 1.0, < 3)
    rack-timeout (0.5.1)
-    rails (6.0.3)
-      actioncable (= 6.0.3)
-      actionmailbox (= 6.0.3)
-      actionmailer (= 6.0.3)
-      actionpack (= 6.0.3)
-      actiontext (= 6.0.3)
-      actionview (= 6.0.3)
-      activejob (= 6.0.3)
-      activemodel (= 6.0.3)
-      activerecord (= 6.0.3)
-      activestorage (= 6.0.3)
-      activesupport (= 6.0.3)
+    rails (6.0.3.1)
+      actioncable (= 6.0.3.1)
+      actionmailbox (= 6.0.3.1)
+      actionmailer (= 6.0.3.1)
+      actionpack (= 6.0.3.1)
+      actiontext (= 6.0.3.1)
+      actionview (= 6.0.3.1)
+      activejob (= 6.0.3.1)
+      activemodel (= 6.0.3.1)
+      activerecord (= 6.0.3.1)
+      activestorage (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
      bundler (>= 1.3.0)
-      railties (= 6.0.3)
+      railties (= 6.0.3.1)
      sprockets-rails (>= 2.0.0)
    rails-controller-testing (1.0.4)
      actionpack (>= 5.0.1.x)
@@ -828,9 +828,9 @@ GEM
    rails-i18n (6.0.0)
      i18n (>= 0.7, < 2)
      railties (>= 6.0.0, < 7)
-    railties (6.0.3)
-      actionpack (= 6.0.3)
-      activesupport (= 6.0.3)
+    railties (6.0.3.1)
+      actionpack (= 6.0.3.1)
+      activesupport (= 6.0.3.1)
      method_source
      rake (>= 0.8.7)
      thor (>= 0.20.3, < 2.0)
@@ -1335,7 +1335,7 @@ DEPENDENCIES
  rack-oauth2 (~> 1.9.3)
  rack-proxy (~> 0.6.0)
  rack-timeout
-  rails (~> 6.0.3)
+  rails (~> 6.0.3.1)
  rails-controller-testing
  rails-i18n (~> 6.0)
  rainbow (~> 3.0)

--- a/config/initializers/actionpack_generate_old_csrf_token.rb
+++ b/config/initializers/actionpack_generate_old_csrf_token.rb
+# frozen_string_literal: true
+
+module Gitlab
+  module RequestForgeryProtectionPatch
+    private
+
+    # Patch to generate 6.0.3 tokens so that we do not have CSRF errors while
+    # rolling out 6.0.3.1. This enables GitLab to have a mix of 6.0.3 and
+    # 6.0.3.1 Rails servers
+    #
+    # 1. Deploy this patch with :global_csrf_token FF disabled.
+    # 2. Once all Rails servers are on 6.0.3.1, enable :global_csrf_token FF.
+    # 3. On GitLab 13.2, remove this patch
+    def masked_authenticity_token(session, form_options: {})
+      action, method = form_options.values_at(:action, :method)
+
+      raw_token = if per_form_csrf_tokens && action && method
+                    action_path = normalize_action_path(action)
+                    per_form_csrf_token(session, action_path, method)
+                  else
+                    if Feature.enabled?(:global_csrf_token)
+                      global_csrf_token(session)
+                    else
+                      real_csrf_token(session)
+                    end
+                  end
+
+      mask_token(raw_token)
+    end
+  end
+end
+
+ActionController::Base.include Gitlab::RequestForgeryProtectionPatch
--- a/package.json
+++ b/package.json
@@ -43,7 +43,7 @@
    "@gitlab/svgs": "1.137.0",
    "@gitlab/ui": "16.2.0",
    "@gitlab/visual-review-tools": "1.6.1",
-    "@rails/actioncable": "^6.0.3",
+    "@rails/actioncable": "^6.0.3-1",
    "@sentry/browser": "^5.10.2",
    "@sourcegraph/code-host-integration": "0.0.48",
    "@toast-ui/editor": "^2.0.1",

--- a/qa/Gemfile
+++ b/qa/Gemfile
 source 'https://rubygems.org'

 gem 'gitlab-qa'
-gem 'activesupport', '~> 6.0.3' # This should stay in sync with the root's Gemfile
+gem 'activesupport', '~> 6.0.3.1' # This should stay in sync with the root's Gemfile
 gem 'capybara', '~> 3.29.0'
 gem 'capybara-screenshot', '~> 1.0.23'
 gem 'rake', '~> 12.3.0'

--- a/qa/Gemfile.lock
+++ b/qa/Gemfile.lock
 GEM
  remote: https://rubygems.org/
  specs:
-    activesupport (6.0.3)
+    activesupport (6.0.3.1)
      concurrent-ruby (~> 1.0, >= 1.0.2)
      i18n (>= 0.7, < 2)
      minitest (~> 5.1)
@@ -54,7 +54,7 @@ GEM
    mime-types-data (3.2020.0425)
    mini_mime (1.0.2)
    mini_portile2 (2.4.0)
-    minitest (5.14.0)
+    minitest (5.14.1)
    netrc (0.11.0)
    nokogiri (1.10.9)
      mini_portile2 (~> 2.4.0)
@@ -116,7 +116,7 @@ PLATFORMS
  ruby

 DEPENDENCIES
-  activesupport (~> 6.0.3)
+  activesupport (~> 6.0.3.1)
  airborne (~> 0.3.4)
  capybara (~> 3.29.0)
  capybara-screenshot (~> 1.0.23)

--- a/spec/initializers/actionpack_generate_old_csrf_token_spec.rb
+++ b/spec/initializers/actionpack_generate_old_csrf_token_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe ActionController::Base, 'CSRF token generation patch', type: :controller do # rubocop:disable RSpec/FilePath
+  let(:fixed_seed) { SecureRandom.random_bytes(described_class::AUTHENTICITY_TOKEN_LENGTH) }
+
+  context 'global_csrf_token feature flag is enabled' do
+    it 'generates 6.0.3.1 style CSRF token', :aggregate_failures do
+      generated_token = controller.send(:form_authenticity_token)
+
+      expect(valid_authenticity_token?(generated_token)).to be_truthy
+      expect(compare_with_real_token(generated_token)).to be_falsey
+      expect(compare_with_global_token(generated_token)).to be_truthy
+    end
+  end
+
+  context 'global_csrf_token feature flag is disabled' do
+    before do
+      stub_feature_flags(global_csrf_token: false)
+    end
+
+    it 'generates 6.0.3 style CSRF token', :aggregate_failures do
+      generated_token = controller.send(:form_authenticity_token)
+
+      expect(valid_authenticity_token?(generated_token)).to be_truthy
+      expect(compare_with_real_token(generated_token)).to be_truthy
+      expect(compare_with_global_token(generated_token)).to be_falsey
+    end
+  end
+
+  def compare_with_global_token(token)
+    unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
+
+    controller.send(:compare_with_global_token, unmasked_token, session)
+  end
+
+  def compare_with_real_token(token)
+    unmasked_token = controller.send :unmask_token, Base64.strict_decode64(token)
+
+    controller.send(:compare_with_real_token, unmasked_token, session)
+  end
+
+  def valid_authenticity_token?(token)
+    controller.send(:valid_authenticity_token?, session, token)
+  end
+end
--- a/yarn.lock
+++ b/yarn.lock
@@ -983,10 +983,10 @@
    consola "^2.10.1"
    node-fetch "^2.6.0"

-"@rails/actioncable@^6.0.3":
-  version "6.0.3"
-  resolved "https://registry.yarnpkg.com/@rails/actioncable/-/actioncable-6.0.3.tgz#722b4b639936129307ddbab3a390f6bcacf3e7bc"
-  integrity sha512-I01hgqxxnOgOtJTGlq0ZsGJYiTEEiSGVEGQn3vimZSqEP1HqzyFNbzGTq14Xdyeow2yGJjygjoFF1pmtE+SQaw==
+"@rails/actioncable@^6.0.3-1":
+  version "6.0.3-1"
+  resolved "https://registry.yarnpkg.com/@rails/actioncable/-/actioncable-6.0.3-1.tgz#9b9eb8858a6507162911007d355d9a206e1c5caa"
+  integrity sha512-szFhWD+V5TAxVNVIG16klgq+ypqA5k5AecLarTTrXgOG8cawVbQdOAwLbCmzkwiQ60rGSxAFoC1u2LrzxSK2Aw==

 "@sentry/browser@^5.10.2":
  version "5.10.2"