authorGitLab Bot <gitlab-bot@gitlab.com>2021-02-02 00:09:14 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-02-02 00:09:14 +0000
commitd8714cf67ce4db786b26b64f0f0bef50fb6976e6 (patch)
tree9a3cc1da29cb2a16113b6b8a1a48b82f368cbb22 /lib
parent3feea9b6078811d20b42548ba98272eeed5af9e4 (diff)
downloadgitlab-ce-d8714cf67ce4db786b26b64f0f0bef50fb6976e6.tar.gz
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab.rb5
-rw-r--r--lib/gitlab/composer/cache.rb71
-rw-r--r--lib/gitlab/composer/version_index.rb2
-rw-r--r--lib/gitlab/crypto_helper.rb31
-rw-r--r--lib/gitlab/current_settings.rb4
-rw-r--r--lib/gitlab/graphql/query_analyzers/logger_analyzer.rb14
-rw-r--r--lib/gitlab/url_blocker.rb4
7 files changed, 120 insertions, 11 deletions
diff --git a/lib/gitlab.rb b/lib/gitlab.rb
index 0f2fd01e3c7..d84196b0bc2 100644
--- a/lib/gitlab.rb
+++ b/lib/gitlab.rb
@@ -48,6 +48,10 @@ module Gitlab
Gitlab.config.gitlab.url == COM_URL || gl_subdomain?
end
+ def self.com
+ yield if com?
+ end
+
def self.staging?
Gitlab.config.gitlab.url == STAGING_COM_URL
end
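Review bot: `Gitlab.com` has no comment, and its name reads like an accessor while it is actually a block guard that runs the block only when `com?` is true and otherwise returns nil. A one-line comment such as `# Yields only on GitLab.com; a no-op elsewhere. Requires a block (plain yield raises LocalJumpError otherwise).` above `def self.com` would make the contract clear at the call sites. The enclosing `module Gitlab` continues outside the hunk.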
@@ -118,6 +122,7 @@ module Gitlab
def self.maintenance_mode?
return false unless ::Feature.enabled?(:maintenance_mode)
+ return false unless ::Gitlab::CurrentSettings.current_application_settings?
::Gitlab::CurrentSettings.maintenance_mode
end
diff --git a/lib/gitlab/composer/cache.rb b/lib/gitlab/composer/cache.rb
new file mode 100644
index 00000000000..1f404d63047
--- /dev/null
+++ b/lib/gitlab/composer/cache.rb
@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'tempfile'
+
+module Gitlab
+ module Composer
+ class Cache
+ def initialize(project:, name:, last_page_sha: nil)
+ @project = project
+ @name = name
+ @last_page_sha = last_page_sha
+ end
+
+ def execute
+ Packages::Composer::Metadatum.transaction do # rubocop: disable CodeReuse/ActiveRecord
+ # make sure we lock these records at the start
+ locked_package_metadata
+
+ if locked_package_metadata.any?
+ mark_pages_for_delete(shas_to_delete)
+
+ create_cache_page!
+
+ # assign the newest page SHA to the packages
+ locked_package_metadata.update_all(version_cache_sha: version_index.sha)
+ elsif @last_page_sha
+ mark_pages_for_delete([@last_page_sha])
+ end
+ end
+ end
+
+ private
+
+ def mark_pages_for_delete(shas)
+ Packages::Composer::CacheFile
+ .with_namespace(@project.namespace)
+ .with_sha(shas)
+ .update_all(delete_at: 1.day.from_now)
+ end
+
+ def create_cache_page!
+ Packages::Composer::CacheFile
+ .safe_find_or_create_by!(namespace_id: @project.namespace_id, file_sha256: version_index.sha) do |cache_file|
+ cache_file.file = CarrierWaveStringFile.new(version_index.to_json)
+ end
+ end
+
+ def version_index
+ @version_index ||= ::Gitlab::Composer::VersionIndex.new(siblings)
+ end
+
+ def siblings
+ @siblings ||= locked_package_metadata.map(&:package)
+ end
+
+ # find all metadata of the package versions and lock it for update
+ def locked_package_metadata
+ @locked_package_metadata ||= Packages::Composer::Metadatum
+ .for_package(@name, @project.id)
+ .locked_for_update
+ end
+
+ def shas_to_delete
+ locked_package_metadata
+ .map(&:version_cache_sha)
+ .reject { |sha| sha == version_index.sha }
+ .compact
+ end
+ end
+ end
+end
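Review bot: The bare `locked_package_metadata` statement in `execute` does not take the row lock the comment above it promises, because an ActiveRecord relation is lazy and the memoized value is an unevaluated scope; the first query is then `any?`, which presumably runs an `EXISTS`/`LIMIT 1` form and locks at most one row, so the full `FOR UPDATE` only happens when `siblings`/`shas_to_delete` load the relation. If the intent is to hold the lock for the whole transaction before any decision is made, force the load at that point, e.g. `locked_package_metadata.load` (or `.to_a`) and adjust the comment to `# load now so FOR UPDATE is taken before we read or write anything`. This assumes `for_package` and `locked_for_update` are ordinary scopes defined elsewhere; worth confirming against their definitions.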
diff --git a/lib/gitlab/composer/version_index.rb b/lib/gitlab/composer/version_index.rb
index de9a17a453f..ac0071cdc53 100644
--- a/lib/gitlab/composer/version_index.rb
+++ b/lib/gitlab/composer/version_index.rb
@@ -20,7 +20,7 @@ module Gitlab
private
def package_versions_map
- @packages.each_with_object({}) do |package, map|
+ @packages.sort_by(&:version).each_with_object({}) do |package, map|
map[package.version] = package_metadata(package)
end
end
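Review bot: `sort_by(&:version)` orders packages by whatever `version` returns; if that is a plain string (typical for Composer version tags), the ordering is lexicographic, so `1.10.0` sorts before `1.9.0` and the resulting index order does not follow version precedence. If the goal is only a deterministic order this is fine and deserves a comment like `# sorted for a stable index; lexicographic, not semver order`; if consumers rely on precedence, the sort key needs a version-aware comparison. A nil `version` on any package would also make `sort_by` raise here. The enclosing method is fully visible, but the class runs outside the hunk.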
diff --git a/lib/gitlab/crypto_helper.rb b/lib/gitlab/crypto_helper.rb
index 87a03d9c58f..4428354642d 100644
--- a/lib/gitlab/crypto_helper.rb
+++ b/lib/gitlab/crypto_helper.rb
@@ -6,25 +6,44 @@ module Gitlab
AES256_GCM_OPTIONS = {
algorithm: 'aes-256-gcm',
- key: Settings.attr_encrypted_db_key_base_32,
- iv: Settings.attr_encrypted_db_key_base_12
+ key: Settings.attr_encrypted_db_key_base_32
}.freeze
+ AES256_GCM_IV_STATIC = Settings.attr_encrypted_db_key_base_12
+
def sha256(value)
salt = Settings.attr_encrypted_db_key_base_truncated
::Digest::SHA256.base64digest("#{value}#{salt}")
end
- def aes256_gcm_encrypt(value)
- encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value))
- Base64.strict_encode64(encrypted_token)
+ def aes256_gcm_encrypt(value, nonce: nil)
+ aes256_gcm_encrypt_using_static_nonce(value)
end
def aes256_gcm_decrypt(value)
return unless value
+ nonce = Feature.enabled?(:dynamic_nonce_creation) ? dynamic_nonce(value) : AES256_GCM_IV_STATIC
encrypted_token = Base64.decode64(value)
- Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token))
+ decrypted_token = Encryptor.decrypt(AES256_GCM_OPTIONS.merge(value: encrypted_token, iv: nonce))
+ decrypted_token
+ end
+
+ def dynamic_nonce(value)
+ TokenWithIv.find_nonce_by_hashed_token(value) || AES256_GCM_IV_STATIC
+ end
+
+ def aes256_gcm_encrypt_using_static_nonce(value)
+ create_encrypted_token(value, AES256_GCM_IV_STATIC)
+ end
+
+ def read_only?
+ Gitlab::Database.read_only?
+ end
+
+ def create_encrypted_token(value, iv)
+ encrypted_token = Encryptor.encrypt(AES256_GCM_OPTIONS.merge(value: value, iv: iv))
+ Base64.strict_encode64(encrypted_token)
end
end
end
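Review bot: `aes256_gcm_encrypt(value, nonce: nil)` accepts a `nonce:` keyword and then ignores it, so a caller that passes a nonce silently gets the static IV; until the dynamic-nonce encrypt path exists the parameter should either be dropped or rejected, e.g. `raise ArgumentError, 'per-value nonces are not supported yet' if nonce`. `read_only?` is added but referenced nowhere in this hunk, and `aes256_gcm_decrypt` assigns `decrypted_token` only to return it on the next line, so `Encryptor.decrypt(...)` can be the last expression. Since every encryption still goes through `AES256_GCM_IV_STATIC`, a short comment on that constant stating that reusing one IV under one key removes GCM's confidentiality and integrity guarantees, and that the `dynamic_nonce_creation` flag is the migration away from it, would explain why `dynamic_nonce` falls back to the static value for existing tokens. The enclosing module continues outside the hunk.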
diff --git a/lib/gitlab/current_settings.rb b/lib/gitlab/current_settings.rb
index d0579a44219..0bf41f9dc0d 100644
--- a/lib/gitlab/current_settings.rb
+++ b/lib/gitlab/current_settings.rb
@@ -7,6 +7,10 @@ module Gitlab
Gitlab::SafeRequestStore.fetch(:current_application_settings) { ensure_application_settings! }
end
+ def current_application_settings?
+ Gitlab::SafeRequestStore.exist?(:current_application_settings) || ::ApplicationSetting.current.present?
+ end
+
def expire_current_application_settings
::ApplicationSetting.expire
Gitlab::SafeRequestStore.delete(:current_application_settings)
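Review bot: `current_application_settings?` falls through to `::ApplicationSetting.current.present?` when the request store has no entry, which presumably reaches the settings cache or the database itself; if callers such as `maintenance_mode?` use this predicate to avoid touching settings storage before it is usable, the predicate performs that access on their behalf. A comment stating what "present" means here, e.g. `# true when settings are cached for this request or a persisted ApplicationSetting exists`, would make the intended guarantee explicit. The enclosing module continues outside the hunk.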
diff --git a/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb b/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
index 1285365376f..0665ea8b6c9 100644
--- a/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
+++ b/lib/gitlab/graphql/query_analyzers/logger_analyzer.rb
@@ -49,13 +49,21 @@ module Gitlab
private
def process_variables(variables)
- if variables.respond_to?(:to_s)
- variables.to_s
+ filtered_variables = filter_sensitive_variables(variables)
+
+ if filtered_variables.respond_to?(:to_s)
+ filtered_variables.to_s
else
- variables
+ filtered_variables
end
end
+ def filter_sensitive_variables(variables)
+ ActiveSupport::ParameterFilter
+ .new(::Rails.application.config.filter_parameters)
+ .filter(variables)
+ end
+
def duration(time_started)
Gitlab::Metrics::System.monotonic_time - time_started
end
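Review bot: `filter_sensitive_variables` builds a new `ActiveSupport::ParameterFilter` on every call, and constructing one compiles the configured patterns into regexes, so this runs per analyzed query; hoisting it into a memoized accessor avoids that work. For example `def parameter_filter; @parameter_filter ||= ActiveSupport::ParameterFilter.new(::Rails.application.config.filter_parameters); end` and `parameter_filter.filter(variables)`. The filter masks values only where the variable key matches a configured pattern, so a comment such as `# masks variables whose names match Rails' filter_parameters (e.g. password); values under other names are logged as-is` would set expectations for readers of the logs. If `variables` can be nil here the filter call will presumably fail on `each`; the prior code tolerated any object, so that is worth confirming at the caller.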
diff --git a/lib/gitlab/url_blocker.rb b/lib/gitlab/url_blocker.rb
index eece2c343d2..10822f943b6 100644
--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -49,10 +49,12 @@ module Gitlab
return [uri, nil] unless address_info
ip_address = ip_address(address_info)
- return [uri, nil] if domain_allowed?(uri) || ip_allowed?(ip_address, port: get_port(uri))
+ return [uri, nil] if domain_allowed?(uri)
protected_uri_with_hostname = enforce_uri_hostname(ip_address, uri, dns_rebind_protection)
+ return protected_uri_with_hostname if ip_allowed?(ip_address, port: get_port(uri))
+
# Allow url from the GitLab instance itself but only for the configured hostname and ports
return protected_uri_with_hostname if internal?(uri)