Commit 1970d81f authored by Reuben Pereira's avatar Reuben Pereira Committed by Douwe Maan

Add prometheus listen address to whitelist

- Add to whitelist so that even if local requests from hooks and
services are not allowed, the prometheus manual configuration will
still succeed.
parent 6b02d4d1
...@@ -158,9 +158,20 @@ module ApplicationSettingImplementation ...@@ -158,9 +158,20 @@ module ApplicationSettingImplementation
end end
def outbound_local_requests_whitelist_raw=(values) def outbound_local_requests_whitelist_raw=(values)
clear_memoization(:outbound_local_requests_whitelist_arrays)
self.outbound_local_requests_whitelist = domain_strings_to_array(values) self.outbound_local_requests_whitelist = domain_strings_to_array(values)
end end
def add_to_outbound_local_requests_whitelist(values_array)
clear_memoization(:outbound_local_requests_whitelist_arrays)
self.outbound_local_requests_whitelist ||= []
self.outbound_local_requests_whitelist += values_array
self.outbound_local_requests_whitelist.uniq!
end
def outbound_local_requests_whitelist_arrays def outbound_local_requests_whitelist_arrays
strong_memoize(:outbound_local_requests_whitelist_arrays) do strong_memoize(:outbound_local_requests_whitelist_arrays) do
next [[], []] unless self.outbound_local_requests_whitelist next [[], []] unless self.outbound_local_requests_whitelist
......
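Review bot: `add_to_outbound_local_requests_whitelist` appends `values_array` as given, while the raw setter on the line above runs its input through `domain_strings_to_array`, so an entry with surrounding whitespace or different case would be stored unnormalized and `uniq!` would not collapse it against its normalized twin; whether that matters depends on what `domain_strings_to_array` and the matcher do, both outside this hunk. The three statements that grow the list could also be one assignment that does not mutate the attribute's array in place after assignment: `self.outbound_local_requests_whitelist = (Array(outbound_local_requests_whitelist) + values_array).uniq`. The enclosing module `ApplicationSettingImplementation` starts and ends outside the hunk.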
...@@ -15,6 +15,8 @@ module ApplicationSettings ...@@ -15,6 +15,8 @@ module ApplicationSettings
update_terms(@params.delete(:terms)) update_terms(@params.delete(:terms))
add_to_outbound_local_requests_whitelist(@params.delete(:add_to_outbound_local_requests_whitelist))
if params.key?(:performance_bar_allowed_group_path) if params.key?(:performance_bar_allowed_group_path)
params[:performance_bar_allowed_group_id] = performance_bar_allowed_group_id params[:performance_bar_allowed_group_id] = performance_bar_allowed_group_id
end end
...@@ -32,6 +34,13 @@ module ApplicationSettings ...@@ -32,6 +34,13 @@ module ApplicationSettings
params.key?(:usage_ping_enabled) || params.key?(:version_check_enabled) params.key?(:usage_ping_enabled) || params.key?(:version_check_enabled)
end end
def add_to_outbound_local_requests_whitelist(values)
values_array = Array(values).reject(&:empty?)
return if values_array.empty?
@application_setting.add_to_outbound_local_requests_whitelist(values_array)
end
def update_terms(terms) def update_terms(terms)
return unless terms.present? return unless terms.present?
......
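Review bot: The additive helper is invoked right after `update_terms`, which suggests the remaining params are written afterwards; if a single request carries both `add_to_outbound_local_requests_whitelist` and `outbound_local_requests_whitelist_raw`, the raw setter would then overwrite what was just appended. Either apply the additive param after the rest of the update or reject the combination explicitly — the tail of `execute` is outside this hunk, so the ordering is inferred. `Array(values).reject(&:empty?)` keeps whitespace-only entries and raises `NoMethodError` on a non-String element; `values_array = Array(values).map { |v| v.to_s.strip }.reject(&:empty?)` would be the safer normalization for admin-supplied input.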
...@@ -14,6 +14,7 @@ module SelfMonitoring ...@@ -14,6 +14,7 @@ module SelfMonitoring
steps :validate_admins, steps :validate_admins,
:create_project, :create_project,
:add_project_members, :add_project_members,
:add_to_whitelist,
:add_prometheus_manual_configuration :add_prometheus_manual_configuration
def initialize def initialize
...@@ -59,15 +60,29 @@ module SelfMonitoring ...@@ -59,15 +60,29 @@ module SelfMonitoring
end end
end end
def add_prometheus_manual_configuration def add_to_whitelist
return success unless prometheus_enabled? return success unless prometheus_enabled?
return success unless prometheus_listen_address.present? return success unless prometheus_listen_address.present?
# TODO: Currently, adding the internal prometheus server as a manual configuration uri = parse_url(internal_prometheus_listen_address_uri)
# is only possible if the setting to allow webhooks and services to connect return error(_('Prometheus listen_address is not a valid URI')) unless uri
# to local network is on.
# https://gitlab.com/gitlab-org/gitlab-ce/issues/44496 will add result = ApplicationSettings::UpdateService.new(
# a whitelist that will allow connections to certain ips on the local network. Gitlab::CurrentSettings.current_application_settings,
project_owner,
outbound_local_requests_whitelist: [uri.normalized_host]
).execute
if result
success
else
error(_('Could not add prometheus URL to whitelist'))
end
end
def add_prometheus_manual_configuration
return success unless prometheus_enabled?
return success unless prometheus_listen_address.present?
service = project.find_or_initialize_service('prometheus') service = project.find_or_initialize_service('prometheus')
...@@ -79,6 +94,11 @@ module SelfMonitoring ...@@ -79,6 +94,11 @@ module SelfMonitoring
success success
end end
def parse_url(uri_string)
Addressable::URI.parse(uri_string)
rescue Addressable::URI::InvalidURIError, TypeError
end
def prometheus_enabled? def prometheus_enabled?
Gitlab.config.prometheus.enable Gitlab.config.prometheus.enable
rescue Settingslogic::MissingSetting rescue Settingslogic::MissingSetting
......
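Review bot: `add_to_whitelist` passes `uri.normalized_host` to the update service without checking it is present; `Addressable::URI.parse` returns a URI object for many strings that have no host (a bare `host:port` parses as a scheme plus path), so the `unless uri` guard would pass and `[nil]` would be sent to the whitelist — how `internal_prometheus_listen_address_uri` is built is not visible here. Guard on the host itself: `return error(_('Prometheus listen_address is not a valid URI')) unless uri&.normalized_host.present?`. Whitelisting the host also permits outbound requests from hooks and services to every port and path on that host, not only the Prometheus listener; if the whitelist matcher accepts `host:port` entries, that narrower form would be the least-privilege choice (the matcher is outside this hunk). `parse_url` relies on an empty `rescue` body evaluating to nil, which is easy to misread as an accidental swallow; an explicit `nil` in the rescue branch, or a short comment stating that an unparseable address is reported as invalid by the caller, would make the intent visible.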
...@@ -4027,6 +4027,9 @@ msgstr "" ...@@ -4027,6 +4027,9 @@ msgstr ""
msgid "Copy token to clipboard" msgid "Copy token to clipboard"
msgstr "" msgstr ""
msgid "Could not add prometheus URL to whitelist"
msgstr ""
msgid "Could not authorize chat nickname. Try again!" msgid "Could not authorize chat nickname. Try again!"
msgstr "" msgstr ""
...@@ -11321,6 +11324,9 @@ msgstr "" ...@@ -11321,6 +11324,9 @@ msgstr ""
msgid "ProjectsNew|Want to house several dependent projects under the same namespace? %{link_start}Create a group.%{link_end}" msgid "ProjectsNew|Want to house several dependent projects under the same namespace? %{link_start}Create a group.%{link_end}"
msgstr "" msgstr ""
msgid "Prometheus listen_address is not a valid URI"
msgstr ""
msgid "PrometheusAlerts|Add alert" msgid "PrometheusAlerts|Add alert"
msgstr "" msgstr ""
......
...@@ -62,6 +62,54 @@ describe ApplicationSettings::UpdateService do ...@@ -62,6 +62,54 @@ describe ApplicationSettings::UpdateService do
end end
end end
describe 'updating outbound_local_requests_whitelist' do
context 'when params is blank' do
let(:params) { {} }
it 'does not add to whitelist' do
expect { subject.execute }.not_to change {
application_settings.outbound_local_requests_whitelist
}
end
end
context 'when param add_to_outbound_local_requests_whitelist contains values' do
before do
application_settings.outbound_local_requests_whitelist = ['127.0.0.1']
end
let(:params) { { add_to_outbound_local_requests_whitelist: ['example.com', ''] } }
it 'adds to whitelist' do
expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist
}
expect(application_settings.outbound_local_requests_whitelist).to contain_exactly(
'127.0.0.1', 'example.com'
)
end
end
context 'when param outbound_local_requests_whitelist_raw is passed' do
before do
application_settings.outbound_local_requests_whitelist = ['127.0.0.1']
end
let(:params) { { outbound_local_requests_whitelist_raw: 'example.com;gitlab.com' } }
it 'overwrites the existing whitelist' do
expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist
}
expect(application_settings.outbound_local_requests_whitelist).to contain_exactly(
'example.com', 'gitlab.com'
)
end
end
end
describe 'performance bar settings' do describe 'performance bar settings' do
using RSpec::Parameterized::TableSyntax using RSpec::Parameterized::TableSyntax
......
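Review bot: The new contexts cover `add_to_outbound_local_requests_whitelist` and `outbound_local_requests_whitelist_raw` separately but not a request carrying both, which is exactly where the order in which the service applies them decides the stored value; one example passing both params and asserting the expected final list would pin that behaviour. A whitespace-only entry such as `' '` is also not covered, and the service's `reject(&:empty?)` keeps it.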
...@@ -90,19 +90,17 @@ describe SelfMonitoring::Project::CreateService do ...@@ -90,19 +90,17 @@ describe SelfMonitoring::Project::CreateService do
) )
end end
# This should pass when https://gitlab.com/gitlab-org/gitlab-ce/issues/44496 context 'when local requests from hooks and services are not allowed' do
# is complete and the prometheus listen address is added to the whitelist. before do
# context 'when local requests from hooks and services are not allowed' do allow(ApplicationSetting)
# before do .to receive(:current)
# allow(ApplicationSetting) .and_return(
# .to receive(:current) ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: false)
# .and_return( )
# ApplicationSetting.build_from_defaults(allow_local_requests_from_hooks_and_services: false) end
# )
# end it_behaves_like 'has prometheus service', 'http://localhost:9090'
end
# it_behaves_like 'has prometheus service', 'http://localhost:9090'
# end
context 'with non default prometheus address' do context 'with non default prometheus address' do
before do before do
......
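Review bot: The re-enabled context only checks that the Prometheus service ends up configured; it does not assert that `localhost` was actually added to the outbound whitelist, so a regression that silently skips `add_to_whitelist` would still pass as long as the service creation succeeds. An additional expectation such as `expect(ApplicationSetting.current.outbound_local_requests_whitelist).to include('localhost')` would catch that — provided the stubbed `ApplicationSetting.current` is the same object that `Gitlab::CurrentSettings.current_application_settings` returns in the service, which is not visible here.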
...@@ -63,6 +63,19 @@ RSpec.shared_examples 'application settings examples' do ...@@ -63,6 +63,19 @@ RSpec.shared_examples 'application settings examples' do
context 'outbound_local_requests_whitelist' do context 'outbound_local_requests_whitelist' do
it_behaves_like 'string of domains', :outbound_local_requests_whitelist it_behaves_like 'string of domains', :outbound_local_requests_whitelist
it 'clears outbound_local_requests_whitelist_arrays memoization' do
setting.outbound_local_requests_whitelist_raw = 'example.com'
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[], ['example.com']
)
setting.outbound_local_requests_whitelist_raw = 'gitlab.com'
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[], ['gitlab.com']
)
end
end end
context 'outbound_local_requests_whitelist_arrays' do context 'outbound_local_requests_whitelist_arrays' do
...@@ -78,7 +91,54 @@ RSpec.shared_examples 'application settings examples' do ...@@ -78,7 +91,54 @@ RSpec.shared_examples 'application settings examples' do
] ]
domain_whitelist = ['www.example.com', 'example.com', 'subdomain.example.com'] domain_whitelist = ['www.example.com', 'example.com', 'subdomain.example.com']
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(ip_whitelist, domain_whitelist) expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
ip_whitelist, domain_whitelist
)
end
end
context 'add_to_outbound_local_requests_whitelist' do
it 'adds entry to outbound_local_requests_whitelist' do
setting.outbound_local_requests_whitelist = ['example.com']
setting.add_to_outbound_local_requests_whitelist(
['example.com', '127.0.0.1', 'gitlab.com']
)
expect(setting.outbound_local_requests_whitelist).to contain_exactly(
'example.com',
'127.0.0.1',
'gitlab.com'
)
end
it 'clears outbound_local_requests_whitelist_arrays memoization' do
setting.outbound_local_requests_whitelist = ['example.com']
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[],
['example.com']
)
setting.add_to_outbound_local_requests_whitelist(
['example.com', 'gitlab.com']
)
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[],
['example.com', 'gitlab.com']
)
end
it 'does not raise error with nil' do
setting.outbound_local_requests_whitelist = nil
setting.add_to_outbound_local_requests_whitelist(['gitlab.com'])
expect(setting.outbound_local_requests_whitelist).to contain_exactly('gitlab.com')
expect(setting.outbound_local_requests_whitelist_arrays).to contain_exactly(
[], ['gitlab.com']
)
end end
it 'does not raise error with nil' do it 'does not raise error with nil' do
......