- Aug 27, 2019
-
-
allow_bypass_two_factor configuration does not work with saml provider
-
- Aug 20, 2019
-
-
Diego Louzán authored
- Add mail interceptor that signs outgoing email with SMIME
- Add lib and helpers to work with SMIME data
- New configuration params for setting up SMIME key and cert files
-
- Aug 07, 2019
-
-
A nonce-based Content-Security-Policy thwarts XSS attacks by allowing inline JavaScript to execute if the script nonce matches the header value. Rails 5.2 supports nonce-based Content-Security-Policy headers, so provide configuration to enable this and make it work.

To support this, we need to change all `:javascript` HAML filters to the following form:

```
= javascript_tag nonce: true do
  :plain
    ...
```

We use `%script` throughout our HAML to store JSON and other text, but since this doesn't execute, browsers don't appear to block this content from being used and require the nonce value to be present.
-
- Aug 01, 2019
-
-
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/3809
Valery Sizov authored
Introducing Docker Registry replication
-
- Jul 24, 2019
-
-
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/14597
Valery Sizov authored
This is the first part of Docker Registry replication for secondary Geo node.
-
- Jul 22, 2019
-
-
- Jul 10, 2019
-
-
Suggests to use a JSON structured log instead
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/54102
-
- Jul 08, 2019
-
-
Robert Speicher authored
-
- Jul 02, 2019
-
-
- Add two new ActiveRecord models:
  - RootNamespaceStoragestatistics will persist root namespace statistics
  - NamespaceAggregationSchedule will save information when a new update to the namespace statistics needs to be scheduled
- Inject into UpdateProjectStatistics concern a new callback that will call an async job to insert a new row onto NamespaceAggregationSchedule table
- When a new row is inserted a new job is scheduled. This job will call a specific service to update the statistics and after that it will delete the aggregated scheduled row
- The RefresherServices makes heavy use of arel to build composable queries to update Namespace::RootStorageStatistics attributes.
- Add an extra worker to traverse pending rows on Namespace::AggregationSchedule table and schedule a worker for each one of these rows.
-
- Jun 28, 2019
-
-
Robert Speicher authored
-
- Jun 27, 2019
-
-
Robert Speicher authored
This brings parity between the two versions.
-
- Jun 26, 2019
-
-
Vladimir Shushlin authored
-
- Jun 24, 2019
-
-
Vladimir Shushlin authored
Add index for pages domain ssl auto renewal
Add PagesDomain.needs_ssl_renewal scope
Add cron worker for ssl renewal
Add worker for ssl renewal
Add pages ssl renewal worker queues settings
-
- Jun 20, 2019
-
-
Yorick Peterse authored
To make this happen, we need to conditionally add the group_saml strategy when running tests, but only on EE. This requires some changes to Gitlab.ee? so that it can be used before/without loading the Rails environment. We also have to change how we require a few files, so this can run outside of Rails.
-
- May 29, 2019
-
-
This sampler gathers Puma-specific metrics which can be used by Prometheus then.
-
- May 01, 2019
-
-
Douglas Barbosa Alexandre authored
-
- Apr 30, 2019
-
-
Roger Meier authored
-
Vladimir Shushlin authored
Domain will be removed by verification worker after 1 week of being disabled
-
- Apr 29, 2019
-
-
Sean McGivern authored
This will fail in a few ways:

1. We might end up having a path (not a URL) starting with `//`, which will be interpreted by browsers as a protocol-relative URL.
2. Issue, MR, snippet, etc. reference parsing will look for URLs at `http://gitlab.example.com//project/...`, with the double slash preventing single slashes from working.

In general, it doesn't seem like there's a valid case for this.
-
- Apr 05, 2019
-
-
Add columns to store project creation settings
Add project creation level column in groups and default project creation column in application settings
Remove obsolete line from schema
Update migration with project_creation_level column existence check
Rename migrations to avoid conflicts
Update migration methods
Update migration method
-
- Mar 27, 2019
-
-
Nick Thomas authored
Since external diffs are likely to be a bit slower than in-database ones, add a mode that makes diffs external after they've been obsoleted by events. This should strike a balance between performance and disk space. A background cron drives the majority of migrations, since diffs become outdated through user actions.
-
- Mar 19, 2019
-
-
Patrick Bajao authored
In this commit, some methods that aren't being used are removed from `Gitlab::Shell`. They are the ff:

- `#remove_keys_not_found_in_db`
- `#batch_read_key_ids`
- `#list_key_ids`

The corresponding methods in `Gitlab::Keys` have been removed as well.
-
- Mar 04, 2019
-
-
We've previously exposed ca_file and ssl_version but there are many possible options that can be used inside tls_options. Instead of exposing individual ones, simply expose the entire hash so it can be passed in and we won't have to add things in the future.
-
- Feb 27, 2019
-
-
Jacob Vosmaer authored
-
- Feb 05, 2019
-
-
Nick Thomas authored
-
- Jan 09, 2019
-
-
- Dec 07, 2018
-
-
Douwe Maan authored
-
- Nov 29, 2018
-
-
Imre Farkas authored
Adds gitlab.impersonation_enabled config option defaulting to true to keep the current default behaviour. Only the act of impersonation is modified, impersonation token management is not affected.
-
- Oct 31, 2018
-
-
Ahmad Hassan authored
-
- Oct 30, 2018
-
-
Ahmad Hassan authored
-
- Oct 05, 2018
-
-
Tuomo Ala-Vannesluoma authored
-
- Sep 13, 2018
-
-
Nick Thomas authored
-
- Sep 06, 2018
-
-
Samuele Kaplun authored
* (Suf)fix #51085 :-)
Signed-off-by: Samuele Kaplun <kaplun@protonmail.com>
-
- Aug 31, 2018
-
-
Stan Hu authored
Users who have their system clocks configured inconsistently due to Daylight Savings may see a GitLab session cookie that immediately expires, resulting in a 422 error. To avoid these errors, we can bump the unauthenticated session time from 1 hour to 2 hours so they have time to login and get the default 7-day session.
Closes #50393
-
- Jul 25, 2018
-
-
Tiago Botelho authored
-
- Jul 24, 2018
-
-
Dmytro Zaporozhets (DZ) authored
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-
- Jul 23, 2018
-
-
Dmytro Zaporozhets (DZ) authored
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-
- Jul 18, 2018
-
-
Stan Hu authored
By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week). However, unauthenticated users can generate a lot of sessions, primarily for CSRF verification. It makes sense to reduce the TTL for unauthenticated to something much lower than the default (e.g. 1 hour) to limit Redis memory. In addition, Rails creates a new session after login, so the short TTL doesn't even need to be extended.
Closes #48101
-
Imre Farkas authored
-
- Jul 11, 2018
-
-
George Tsiolis authored
-