Commit e3983e8a authored by Peter Leitzen's avatar Peter Leitzen

Merge branch 'ag-change-whitelist-to-allowlist-in-readonly-middleware' into 'master'

Change `whitelisted` to `allowlisted` in ReadOnly Middleware

See merge request gitlab-org/gitlab!46542
parents dc2041a6 47880945
...@@ -7,19 +7,19 @@ module EE ...@@ -7,19 +7,19 @@ module EE
module Controller module Controller
extend ::Gitlab::Utils::Override extend ::Gitlab::Utils::Override
WHITELISTED_GEO_ROUTES = { ALLOWLISTED_GEO_ROUTES = {
'admin/geo/nodes' => %w{update} 'admin/geo/nodes' => %w{update}
}.freeze }.freeze
WHITELISTED_GEO_ROUTES_TRACKING_DB = { ALLOWLISTED_GEO_ROUTES_TRACKING_DB = {
'admin/geo/projects' => %w{destroy resync reverify force_redownload resync_all reverify_all}, 'admin/geo/projects' => %w{destroy resync reverify force_redownload resync_all reverify_all},
'admin/geo/uploads' => %w{destroy} 'admin/geo/uploads' => %w{destroy}
}.freeze }.freeze
private private
override :whitelisted_routes override :allowlisted_routes
def whitelisted_routes def allowlisted_routes
super || geo_node_update_route? || geo_proxy_git_ssh_route? || geo_api_route? super || geo_node_update_route? || geo_proxy_git_ssh_route? || geo_api_route?
end end
...@@ -30,10 +30,10 @@ module EE ...@@ -30,10 +30,10 @@ module EE
controller = route_hash[:controller] controller = route_hash[:controller]
action = route_hash[:action] action = route_hash[:action]
if WHITELISTED_GEO_ROUTES[controller]&.include?(action) if ALLOWLISTED_GEO_ROUTES[controller]&.include?(action)
::Gitlab::Database.db_read_write? ::Gitlab::Database.db_read_write?
else else
WHITELISTED_GEO_ROUTES_TRACKING_DB[controller]&.include?(action) ALLOWLISTED_GEO_ROUTES_TRACKING_DB[controller]&.include?(action)
end end
end end
......
...@@ -9,20 +9,20 @@ module Gitlab ...@@ -9,20 +9,20 @@ module Gitlab
APPLICATION_JSON_TYPES = %W{#{APPLICATION_JSON} application/vnd.git-lfs+json}.freeze APPLICATION_JSON_TYPES = %W{#{APPLICATION_JSON} application/vnd.git-lfs+json}.freeze
ERROR_MESSAGE = 'You cannot perform write operations on a read-only instance' ERROR_MESSAGE = 'You cannot perform write operations on a read-only instance'
WHITELISTED_GIT_ROUTES = { ALLOWLISTED_GIT_ROUTES = {
'repositories/git_http' => %w{git_upload_pack git_receive_pack} 'repositories/git_http' => %w{git_upload_pack git_receive_pack}
}.freeze }.freeze
WHITELISTED_GIT_LFS_ROUTES = { ALLOWLISTED_GIT_LFS_ROUTES = {
'repositories/lfs_api' => %w{batch}, 'repositories/lfs_api' => %w{batch},
'repositories/lfs_locks_api' => %w{verify create unlock} 'repositories/lfs_locks_api' => %w{verify create unlock}
}.freeze }.freeze
WHITELISTED_GIT_REVISION_ROUTES = { ALLOWLISTED_GIT_REVISION_ROUTES = {
'projects/compare' => %w{create} 'projects/compare' => %w{create}
}.freeze }.freeze
WHITELISTED_SESSION_ROUTES = { ALLOWLISTED_SESSION_ROUTES = {
'sessions' => %w{destroy}, 'sessions' => %w{destroy},
'admin/sessions' => %w{create destroy} 'admin/sessions' => %w{create destroy}
}.freeze }.freeze
...@@ -55,7 +55,7 @@ module Gitlab ...@@ -55,7 +55,7 @@ module Gitlab
def disallowed_request? def disallowed_request?
DISALLOWED_METHODS.include?(@env['REQUEST_METHOD']) && DISALLOWED_METHODS.include?(@env['REQUEST_METHOD']) &&
!whitelisted_routes !allowlisted_routes
end end
def json_request? def json_request?
...@@ -87,7 +87,7 @@ module Gitlab ...@@ -87,7 +87,7 @@ module Gitlab
end end
# Overridden in EE module # Overridden in EE module
def whitelisted_routes def allowlisted_routes
workhorse_passthrough_route? || internal_route? || lfs_route? || compare_git_revisions_route? || sidekiq_route? || session_route? || graphql_query? workhorse_passthrough_route? || internal_route? || lfs_route? || compare_git_revisions_route? || sidekiq_route? || session_route? || graphql_query?
end end
...@@ -98,7 +98,7 @@ module Gitlab ...@@ -98,7 +98,7 @@ module Gitlab
return false unless request.post? && return false unless request.post? &&
request.path.end_with?('.git/git-upload-pack', '.git/git-receive-pack') request.path.end_with?('.git/git-upload-pack', '.git/git-receive-pack')
WHITELISTED_GIT_ROUTES[route_hash[:controller]]&.include?(route_hash[:action]) ALLOWLISTED_GIT_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end end
def internal_route? def internal_route?
...@@ -109,7 +109,7 @@ module Gitlab ...@@ -109,7 +109,7 @@ module Gitlab
# Calling route_hash may be expensive. Only do it if we think there's a possible match # Calling route_hash may be expensive. Only do it if we think there's a possible match
return false unless request.post? && request.path.end_with?('compare') return false unless request.post? && request.path.end_with?('compare')
WHITELISTED_GIT_REVISION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action]) ALLOWLISTED_GIT_REVISION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end end
def lfs_route? def lfs_route?
...@@ -120,7 +120,7 @@ module Gitlab ...@@ -120,7 +120,7 @@ module Gitlab
return false return false
end end
WHITELISTED_GIT_LFS_ROUTES[route_hash[:controller]]&.include?(route_hash[:action]) ALLOWLISTED_GIT_LFS_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end end
def session_route? def session_route?
...@@ -128,7 +128,7 @@ module Gitlab ...@@ -128,7 +128,7 @@ module Gitlab
return false unless request.post? && request.path.end_with?('/users/sign_out', return false unless request.post? && request.path.end_with?('/users/sign_out',
'/admin/session', '/admin/session/destroy') '/admin/session', '/admin/session/destroy')
WHITELISTED_SESSION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action]) ALLOWLISTED_SESSION_ROUTES[route_hash[:controller]]&.include?(route_hash[:action])
end end
def sidekiq_route? def sidekiq_route?
......