Create gitlab-http gem

Furkan Ayhanrequested to merge
415686-gitlab-http-gem into master

What does this MR do and why?

Related to #415686 (closed)

  • Copy the contents and requirements of lib/gitlab/http.rb into the new gitlab-http gem.
  • While lib/gitlab/http.rb is using Gitlab::HTTP, the gitlab-http gem is using Gitlab::HTTP_V2. So, we can gradually migrate to the gem.
Issue / MR Link
Main issue #415686 (closed)
First MR to initialize the gem =HERE= !125024 (merged)
Small fixes !131612 (merged)
POC !131644 (closed)
Enabling on GitLab !132238 (merged)

Difference between Gitlab::HTTP and Gitlab::HTTP_V2

  1. While Gitlab::HTTP fetches all its requirements from the GitLab config and the application setting, Gitlab::HTTP_V2 needs to be initialized with GitLab config first and passed the application setting in every call.
Details; 
Gitlab::HTTP_V2.configure do |config|
  config.allowed_internal_uris = [
    URI::HTTP.build(
      scheme: Gitlab.config.gitlab.protocol,
      host: Gitlab.config.gitlab.host,
      port: Gitlab.config.gitlab.port
    ),
    URI::Generic.build(
      scheme: 'ssh',
      host: Gitlab.config.gitlab_shell.ssh_host,
      port: Gitlab.config.gitlab_shell.ssh_port
    )
  ]

  config.log_exception_proc = ->(exception, extra_info) do
    Gitlab::ErrorTracking.log_exception(exception, extra_info)
  end
  config.silent_mode_log_info_proc = ->(message, http_method) do
    Gitlab::SilentMode.log_info(message: message, outbound_http_request_method: http_method)
  end
end
module Gitlab
  class SafeHTTP # rubocop:disable Naming/ClassAndModuleCamelCase
    class << self
      ::Gitlab::HTTP_V2::SUPPORTED_HTTP_METHODS.each do |method|
        define_method(method) do |path, options = {}, &block|
          ::Gitlab::HTTP_V2.public_send(method, path, default_options.merge(options), &block) # rubocop:disable GitlabSecurity/PublicSend
        end
      end

      def default_options
        {
          outbound_local_requests_allowlist: Gitlab::CurrentSettings.outbound_local_requests_whitelist, # rubocop:disable Naming/InclusiveLanguage
          deny_all_requests_except_allowed: Gitlab::CurrentSettings.deny_all_requests_except_allowed?,
          dns_rebinding_protection_enabled: Gitlab::CurrentSettings.dns_rebinding_protection_enabled?,
          allow_local_requests: Gitlab::CurrentSettings.allow_local_requests_from_web_hooks_and_services?,
          silent_mode_enabled: Gitlab::SilentMode.enabled?
        }
      end
    end
  end
end
  1. The new UrlBlocker has some parameter changes;
    • Added: extra_allowed_uris: This will be used to replace allow_object_storage. Instead of passing allow_object_storage and calculating "enabled_object_storage_endpoints", we will directly pass extra_allowed_uris as an option.
    • Removed: allow_object_storage:
    • Added: deny_all_requests_except_allowed: This is an instance setting; deny_all_requests_except_allowed?, so we are passing it as an option.
    • Added: outbound_local_requests_allowlist: This is an instance setting; outbound_local_requests_whitelist, so we are passing it as an option.
  2. allowed_internal_uris is passed to the library as a configuration. It replaces the Gitlab.config inside UrlBlocker.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Furkan Ayhan

Merge request reports