Allow local Prom queries in selfmonitoring project

If the Prometheus service API URL is the internal Prometheus URL, allow
the self monitoring project to send Prometheus queries to it even if it
is a local URL.

app/models/project_services/prometheus_service.rb

@@ -81,7 +81,7 @@ class PrometheusService < MonitoringService
   def prometheus_client
     return unless should_return_client?
 
-    Gitlab::PrometheusClient.new(api_url)
+    Gitlab::PrometheusClient.new(api_url, allow_local_requests: allow_local_api_url?)
   end
 
   def prometheus_available?
@@ -94,7 +94,8 @@ class PrometheusService < MonitoringService
   end
 
   def allow_local_api_url?
-    self_monitoring_project? && internal_prometheus_url?
+    allow_local_requests_from_web_hooks_and_services? ||
+    (self_monitoring_project? && internal_prometheus_url?)
   end
 
   def configured?
@@ -111,6 +112,10 @@ class PrometheusService < MonitoringService
     api_url.present? && api_url == ::Gitlab::Prometheus::Internal.uri
   end
 
+  def allow_local_requests_from_web_hooks_and_services?
+    current_settings.allow_local_requests_from_web_hooks_and_services?
+  end
+
   def should_return_client?
     api_url.present? && manual_configuration? && active? && valid?
   end

changelogs/unreleased/rp-allow-local-prom-queries-self-monitoring.yml

+---
+title: Allow self monitoring project to query internal Prometheus even when "Allow local requests in webhooks and services" setting is false
+merge_request: 27865
+author:
+type: fixed

spec/models/project_services/prometheus_service_spec.rb

@@ -66,6 +66,18 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do
         end
       end
 
+      it 'can query when local requests are allowed' do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+
+        aggregate_failures do
+          ['127.0.0.1', '192.168.2.3'].each do |url|
+            allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([Addrinfo.tcp(url, 80)])
+
+            expect(service.can_query?).to be true
+          end
+        end
+      end
+
       context 'with self-monitoring project and internal Prometheus' do
         before do
           service.api_url = 'http://localhost:9090'
@@ -152,6 +164,54 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do
         expect(service.prometheus_client).to be_nil
       end
     end
+
+    context 'when local requests are allowed' do
+      let(:manual_configuration) { true }
+      let(:api_url) { 'http://192.168.1.1:9090' }
+
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+
+        stub_prometheus_request("#{api_url}/api/v1/query?query=1")
+      end
+
+      it 'allows local requests' do
+        expect(service.prometheus_client).not_to be_nil
+        expect { service.prometheus_client.ping }.not_to raise_error
+      end
+    end
+
+    context 'when local requests are blocked' do
+      let(:manual_configuration) { true }
+      let(:api_url) { 'http://192.168.1.1:9090' }
+
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+
+        stub_prometheus_request("#{api_url}/api/v1/query?query=1")
+      end
+
+      it 'blocks local requests' do
+        expect(service.prometheus_client).to be_nil
+      end
+
+      context 'with self monitoring project and internal Prometheus URL' do
+        before do
+          stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+          stub_application_setting(self_monitoring_project_id: project.id)
+
+          stub_config(prometheus: {
+            enable: true,
+            listen_address: api_url
+          })
+        end
+
+        it 'allows local requests' do
+          expect(service.prometheus_client).not_to be_nil
+          expect { service.prometheus_client.ping }.not_to raise_error
+        end
+      end
+    end
   end
 
   describe '#prometheus_available?' do