Commit c82cd2ea authored by Douwe Maan's avatar Douwe Maan

Merge branch 'ee-56883-add-to-whitelist' into 'master'

Add prometheus listen address to whitelist

See merge request gitlab-org/gitlab-ee!14895
parents 6b02d4d1 1970d81f
......@@ -158,9 +158,20 @@ module ApplicationSettingImplementation
end
def outbound_local_requests_whitelist_raw=(values)
clear_memoization(:outbound_local_requests_whitelist_arrays)
self.outbound_local_requests_whitelist = domain_strings_to_array(values)
end
def add_to_outbound_local_requests_whitelist(values_array)
clear_memoization(:outbound_local_requests_whitelist_arrays)
self.outbound_local_requests_whitelist ||= []
self.outbound_local_requests_whitelist += values_array
self.outbound_local_requests_whitelist.uniq!
end
def outbound_local_requests_whitelist_arrays
strong_memoize(:outbound_local_requests_whitelist_arrays) do
next [[], []] unless self.outbound_local_requests_whitelist
......
......@@ -15,6 +15,8 @@ module ApplicationSettings
update_terms(@params.delete(:terms))
add_to_outbound_local_requests_whitelist(@params.delete(:add_to_outbound_local_requests_whitelist))
if params.key?(:performance_bar_allowed_group_path)
params[:performance_bar_allowed_group_id] = performance_bar_allowed_group_id
end
......@@ -32,6 +34,13 @@ module ApplicationSettings
params.key?(:usage_ping_enabled) || params.key?(:version_check_enabled)
end
def add_to_outbound_local_requests_whitelist(values)
values_array = Array(values).reject(&:empty?)
return if values_array.empty?
@application_setting.add_to_outbound_local_requests_whitelist(values_array)
end
def update_terms(terms)
return unless terms.present?
......
......@@ -14,6 +14,7 @@ module SelfMonitoring
steps :validate_admins,
:create_project,
:add_project_members,
:add_to_whitelist,
:add_prometheus_manual_configuration
def initialize
......@@ -59,15 +60,29 @@ module SelfMonitoring
end
end
def add_prometheus_manual_configuration
def add_to_whitelist
return success unless prometheus_enabled?
return success unless prometheus_listen_address.present?
# TODO: Currently, adding the internal prometheus server as a manual configuration
# is only possible if the setting to allow webhooks and services to connect
# to local network is on.
# https://gitlab.com/gitlab-org/gitlab-ce/issues/44496 will add
# a whitelist that will allow connections to certain ips on the local network.
uri = parse_url(internal_prometheus_listen_address_uri)
return error(_('Prometheus listen_address is not a valid URI')) unless uri
result = ApplicationSettings::UpdateService.new(
Gitlab::CurrentSettings.current_application_settings,
project_owner,
outbound_local_requests_whitelist: [uri.normalized_host]
).execute
if result
success
else
error(_('Could not add prometheus URL to whitelist'))
end
end
def add_prometheus_manual_configuration
return success unless prometheus_enabled?
return success unless prometheus_listen_address.present?
service = project.find_or_initialize_service('prometheus')
......@@ -79,6 +94,11 @@ module SelfMonitoring
success
end
def parse_url(uri_string)
Addressable::URI.parse(uri_string)
rescue Addressable::URI::InvalidURIError, TypeError
end
def prometheus_enabled?
Gitlab.config.prometheus.enable
rescue Settingslogic::MissingSetting
......
......@@ -4027,6 +4027,9 @@ msgstr ""
msgid "Copy token to clipboard"
msgstr ""
msgid "Could not add prometheus URL to whitelist"
msgstr ""
msgid "Could not authorize chat nickname. Try again!"
msgstr ""
......@@ -11321,6 +11324,9 @@ msgstr ""
msgid "ProjectsNew|Want to house several dependent projects under the same namespace? %{link_start}Create a group.%{link_end}"
msgstr ""
msgid "Prometheus listen_address is not a valid URI"
msgstr ""
msgid "PrometheusAlerts|Add alert"
msgstr ""
......
......@@ -62,6 +62,54 @@ describe ApplicationSettings::UpdateService do
end
end
describe 'updating outbound_local_requests_whitelist' do
context 'when params is blank' do
let(:params) { {} }
it 'does not add to whitelist' do
expect { subject.execute }.not_to change {
application_settings.outbound_local_requests_whitelist
}
end
end
context 'when param add_to_outbound_local_requests_whitelist contains values' do
before do
application_settings.outbound_local_requests_whitelist = ['127.0.0.1']
end
let(:params) { { add_to_outbound_local_requests_whitelist: ['example.com', ''] } }
it 'adds to whitelist' do
expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist
}
expect(application_settings.outbound_local_requests_whitelist).to contain_exactly(
'127.0.0.1', 'example.com'
)
end
end
context 'when param outbound_local_requests_whitelist_raw is passed' do
before do
application_settings.outbound_local_requests_whitelist = ['127.0.0.1']
end
let(:params) { { outbound_local_requests_whitelist_raw: 'example.com;gitlab.com' } }
it 'overwrites the existing whitelist' do
expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist
}
expect(application_settings.outbound_local_requests_whitelist).to contain_exactly(
'example.com', 'gitlab.com'
)
end
end
end
describe 'performance bar settings' do
using RSpec::Parameterized::TableSyntax
......
......@@ -90,19 +90,17 @@ describe SelfMonitoring::Project::CreateService do
)
end
# This should pass when https://gitlab.com/gitlab-org/gitlab-ce/issues/44496
# is complete and the prometheus listen address is added to the whitelist.
# context 'when local requests from hooks and services are not allowed' do
# before do
# allow(ApplicationSetting)
# .to receive(:current)
# .and_return(
# ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: false)
# )
# end
# it_behaves_like 'has prometheus service', 'http://localhost:9090'
# end
context 'when local requests from hooks and services are not allowed' do
before do
allow(ApplicationSetting)
.to receive(:current)
.and_return(
ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: false)
)
end
it_behaves_like 'has prometheus service', 'http://localhost:9090'
end
context 'with non default prometheus address' do
before do
......
......@@ -63,6 +63,19 @@ RSpec.shared_examples 'application settings examples' do
context 'outbound_local_requests_whitelist' do
it_behaves_like 'string of domains', :outbound_local_requests_whitelist
it 'clears outbound_local_requests_whitelist_arrays memoization' do
setting.outbound_local_requests_whitelist_raw = 'example.com'
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[], ['example.com']
)
setting.outbound_local_requests_whitelist_raw = 'gitlab.com'
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[], ['gitlab.com']
)
end
end
context 'outbound_local_requests_whitelist_arrays' do
......@@ -78,7 +91,54 @@ RSpec.shared_examples 'application settings examples' do
]
domain_whitelist = ['www.example.com', 'example.com', 'subdomain.example.com']
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(ip_whitelist, domain_whitelist)
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
ip_whitelist, domain_whitelist
)
end
end
context 'add_to_outbound_local_requests_whitelist' do
it 'adds entry to outbound_local_requests_whitelist' do
setting.outbound_local_requests_whitelist = ['example.com']
setting.add_to_outbound_local_requests_whitelist(
['example.com', '127.0.0.1', 'gitlab.com']
)
expect(setting.outbound_local_requests_whitelist).to contain_exactly(
'example.com',
'127.0.0.1',
'gitlab.com'
)
end
it 'clears outbound_local_requests_whitelist_arrays memoization' do
setting.outbound_local_requests_whitelist = ['example.com']
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[],
['example.com']
)
setting.add_to_outbound_local_requests_whitelist(
['example.com', 'gitlab.com']
)
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[],
['example.com', 'gitlab.com']
)
end
it 'does not raise error with nil' do
setting.outbound_local_requests_whitelist = nil
setting.add_to_outbound_local_requests_whitelist(['gitlab.com'])
expect(setting.outbound_local_requests_whitelist).to contain_exactly('gitlab.com')
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[], ['gitlab.com']
)
end
it 'does not raise error with nil' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment