Diffstat (limited to 'config/initializers')
-rw-r--r-- | config/initializers/01_secret_token.rb | 3 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 28 | ||||
-rw-r--r-- | config/initializers/active_record_ping.rb | 5 | ||||
-rw-r--r-- | config/initializers/active_record_table_definition.rb | 4 | ||||
-rw-r--r-- | config/initializers/gitlab_experiment.rb | 6 | ||||
-rw-r--r-- | config/initializers/grape_validators.rb | 1 | ||||
-rw-r--r-- | config/initializers/lograge.rb | 2 | ||||
-rw-r--r-- | config/initializers/rack_attack.rb | 190 | ||||
-rw-r--r-- | config/initializers/rack_attack_logging.rb | 2 | ||||
-rw-r--r-- | config/initializers/sidekiq.rb | 2 | ||||
-rw-r--r-- | config/initializers/structure_load_in_transaction.rb | 9 | ||||
-rw-r--r-- | config/initializers/zz_metrics.rb | 6 |
12 files changed, 55 insertions, 203 deletions
diff --git a/config/initializers/01_secret_token.rb b/config/initializers/01_secret_token.rb index 5949f463457..d7e725477eb 100644 --- a/config/initializers/01_secret_token.rb +++ b/config/initializers/01_secret_token.rb @@ -34,6 +34,9 @@ def create_tokens openid_connect_signing_key: generate_new_rsa_private_key } + # encrypted_settings_key_base is optional for now + defaults[:encrypted_settings_key_base] = generate_new_secure_token if ENV['GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE'] + missing_secrets = set_missing_keys(defaults) write_secrets_yml(missing_secrets) unless missing_secrets.empty? diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 022f372a608..97c0e051f1f 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -3,9 +3,17 @@ require_relative '../object_store_settings' require_relative '../smime_signature_settings' # Default settings +Settings['shared'] ||= Settingslogic.new({}) +Settings.shared['path'] = Settings.absolute(Settings.shared['path'] || "shared") + +Settings['encrypted_settings'] ||= Settingslogic.new({}) +Settings.encrypted_settings['path'] ||= File.join(Settings.shared['path'], "encrypted_settings") +Settings.encrypted_settings['path'] = Settings.absolute(Settings.encrypted_settings['path']) + Settings['ldap'] ||= Settingslogic.new({}) Settings.ldap['enabled'] = false if Settings.ldap['enabled'].nil? Settings.ldap['prevent_ldap_sign_in'] = false if Settings.ldap['prevent_ldap_sign_in'].blank? +Settings.ldap['secret_file'] = Settings.absolute(Settings.ldap['secret_file'] || File.join(Settings.encrypted_settings['path'], "ldap.yaml.enc")) Gitlab.ee do Settings.ldap['sync_time'] = 3600 if Settings.ldap['sync_time'].nil? 
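Review bot: The guard on the added `defaults[:encrypted_settings_key_base]` line treats any non-empty value of `GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE` as true, so setting it to `0` or `false` still generates and writes a new key base. This commit already parses an env flag properly in the new active_record_ping.rb, so the same helper fits here: `defaults[:encrypted_settings_key_base] = generate_new_secure_token if Gitlab::Utils.to_boolean(ENV['GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE'], default: false)`. The comment `# encrypted_settings_key_base is optional for now` would also be more useful if it named the env variable as the opt-in switch. `create_tokens` starts outside the hunk.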
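Review bot: The `shared` block is moved above `encrypted_settings` because `Settings.encrypted_settings['path']` defaults under `Settings.shared['path']`, and `Settings.ldap['secret_file']` in turn defaults under `Settings.encrypted_settings['path']`, but nothing in the hunk records that ordering constraint and the later hunk at -140 only shows the lines leaving. A one-line comment above the moved block would stop someone moving it back: `# 'shared' must be resolved before 'encrypted_settings' and 'ldap', whose default paths are built from it`.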
@@ -140,9 +148,6 @@ if Gitlab.ee? && Rails.env.test? && !saml_provider_enabled Settings.omniauth.providers << Settingslogic.new({ 'name' => 'group_saml' }) end -Settings['shared'] ||= Settingslogic.new({}) -Settings.shared['path'] = Settings.absolute(Settings.shared['path'] || "shared") - Settings['issues_tracker'] ||= {} # @@ -532,8 +537,14 @@ Settings.cron_jobs['member_invitation_reminder_emails_worker']['job_class'] = 'M Settings.cron_jobs['schedule_merge_request_cleanup_refs_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['schedule_merge_request_cleanup_refs_worker']['cron'] ||= '* * * * *' Settings.cron_jobs['schedule_merge_request_cleanup_refs_worker']['job_class'] = 'ScheduleMergeRequestCleanupRefsWorker' +Settings.cron_jobs['manage_evidence_worker'] ||= Settingslogic.new({}) +Settings.cron_jobs['manage_evidence_worker']['cron'] ||= '0 * * * *' +Settings.cron_jobs['manage_evidence_worker']['job_class'] = 'Releases::ManageEvidenceWorker' Gitlab.ee do + Settings.cron_jobs['analytics_devops_adoption_create_all_snapshots_worker'] ||= Settingslogic.new({}) + Settings.cron_jobs['analytics_devops_adoption_create_all_snapshots_worker']['cron'] ||= '0 0 1 * *' + Settings.cron_jobs['analytics_devops_adoption_create_all_snapshots_worker']['job_class'] = 'Analytics::DevopsAdoption::CreateAllSnapshotsWorker' Settings.cron_jobs['active_user_count_threshold_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['active_user_count_threshold_worker']['cron'] ||= '0 12 * * *' Settings.cron_jobs['active_user_count_threshold_worker']['job_class'] = 'ActiveUserCountThresholdWorker' 
@@ -546,6 +557,9 @@ Gitlab.ee do Settings.cron_jobs['adjourned_projects_deletion_cron_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['adjourned_projects_deletion_cron_worker']['cron'] ||= '0 4 * * *' Settings.cron_jobs['adjourned_projects_deletion_cron_worker']['job_class'] = 'AdjournedProjectsDeletionCronWorker' + Settings.cron_jobs['geo_verification_cron_worker'] ||= Settingslogic.new({}) + Settings.cron_jobs['geo_verification_cron_worker']['cron'] ||= '* * * * *' + Settings.cron_jobs['geo_verification_cron_worker']['job_class'] ||= 'Geo::VerificationCronWorker' Settings.cron_jobs['geo_file_download_dispatch_worker'] ||= Settingslogic.new({}) Settings.cron_jobs['geo_file_download_dispatch_worker']['cron'] ||= '*/1 * * * *' Settings.cron_jobs['geo_file_download_dispatch_worker']['job_class'] ||= 'Geo::FileDownloadDispatchWorker' @@ -779,9 +793,17 @@ Settings.forti_authenticator['enabled'] = false if Settings.forti_authenticator[ Settings.forti_authenticator['port'] = 443 if Settings.forti_authenticator['port'].to_i == 0 # +# FortiToken Cloud +# +Settings['forti_token_cloud'] ||= Settingslogic.new({}) +Settings.forti_token_cloud['enabled'] = false if Settings.forti_token_cloud['enabled'].nil? + +# # Extra customization # Settings['extra'] ||= Settingslogic.new({}) +Settings.extra['matomo_site_id'] ||= Settings.extra['piwik_site_id'] if Settings.extra['piwik_site_id'].present? +Settings.extra['matomo_url'] ||= Settings.extra['piwik_url'] if Settings.extra['piwik_url'].present? # # Rack::Attack settings diff --git a/config/initializers/active_record_ping.rb b/config/initializers/active_record_ping.rb new file mode 100644 index 00000000000..349a7e4a496 --- /dev/null +++ b/config/initializers/active_record_ping.rb 
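Review bot: `Settings.cron_jobs['geo_verification_cron_worker']['job_class'] ||= 'Geo::VerificationCronWorker'` uses `||=`, which lets a value in the settings file replace the worker class that runs on this schedule, whereas the other cron jobs added in this commit (`manage_evidence_worker`, `analytics_devops_adoption_create_all_snapshots_worker`) pin `job_class` with `=`. The neighbouring `geo_file_download_dispatch_worker` entry uses `||=` too, so this may be a deliberate Geo convention; if it is not, `Settings.cron_jobs['geo_verification_cron_worker']['job_class'] = 'Geo::VerificationCronWorker'` keeps only the cron expression operator-configurable, which is the pattern the rest of the file follows.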
@@ -0,0 +1,5 @@ +# # frozen_string_literal: true + +if Gitlab::Utils.to_boolean(ENV['ENABLE_ACTIVERECORD_EMPTY_PING'], default: false) + ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.prepend(Gitlab::Database::PostgresqlAdapter::EmptyQueryPing) +end diff --git a/config/initializers/active_record_table_definition.rb b/config/initializers/active_record_table_definition.rb index 81a8e5906f4..9220620da41 100644 --- a/config/initializers/active_record_table_definition.rb +++ b/config/initializers/active_record_table_definition.rb @@ -16,7 +16,7 @@ module ActiveRecord options[:null] = false if options[:null].nil? [:created_at, :updated_at].each do |column_name| - column(column_name, :datetime_with_timezone, options) + column(column_name, :datetime_with_timezone, **options) end end @@ -27,7 +27,7 @@ module ActiveRecord # t.datetime_with_timezone :did_something_at # end def datetime_with_timezone(column_name, **options) - column(column_name, :datetime_with_timezone, options) + column(column_name, :datetime_with_timezone, **options) end # Disable timestamp alias to datetime diff --git a/config/initializers/gitlab_experiment.rb b/config/initializers/gitlab_experiment.rb new file mode 100644 index 00000000000..40b4c0dc4ee --- /dev/null +++ b/config/initializers/gitlab_experiment.rb @@ -0,0 +1,6 @@ +# frozen_string_literal: true + +Gitlab::Experiment.configure do |config| + config.base_class = 'ApplicationExperiment' + config.cache = ApplicationExperiment::Cache.new +end diff --git a/config/initializers/grape_validators.rb b/config/initializers/grape_validators.rb index 715949a276f..07dd70822a2 100644 --- a/config/initializers/grape_validators.rb +++ b/config/initializers/grape_validators.rb 
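Review bot: The first line of the new active_record_ping.rb is rendered as `# # frozen_string_literal: true`; with the doubled `#` Ruby does not recognise the magic comment, so string literals in this initializer stay mutable. If that is the file content rather than a rendering artifact, it should read `# frozen_string_literal: true` as in the other two files this commit adds (gitlab_experiment.rb, structure_load_in_transaction.rb). The opt-in through `Gitlab::Utils.to_boolean(ENV['ENABLE_ACTIVERECORD_EMPTY_PING'], default: false)` itself reads correctly.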
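Review bot: `config.cache = ApplicationExperiment::Cache.new` in gitlab_experiment.rb evaluates an application constant at initializer load time, which in development pins that instance across code reloads and fails if the constant is not yet loadable when initializers run. The lograge.rb hunk in this same commit wraps its configuration in `Rails.application.reloader.to_prepare do ... end`; doing the same around the `Gitlab::Experiment.configure` block would keep the cache object in step with reloads. I cannot see whether `Gitlab::Experiment.configure` defers evaluation itself, so this may already be handled.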
@@ -9,3 +9,4 @@ Grape::Validations.register_validator(:array_none_any, ::API::Validations::Valid Grape::Validations.register_validator(:check_assignees_count, ::API::Validations::Validators::CheckAssigneesCount) Grape::Validations.register_validator(:untrusted_regexp, ::API::Validations::Validators::UntrustedRegexp) Grape::Validations.register_validator(:email_or_email_list, ::API::Validations::Validators::EmailOrEmailList) +Grape::Validations.register_validator(:iteration_id, ::API::Validations::Validators::IntegerOrCustomValue) diff --git a/config/initializers/lograge.rb b/config/initializers/lograge.rb index 0ea0adf86bc..5b068c15aad 100644 --- a/config/initializers/lograge.rb +++ b/config/initializers/lograge.rb @@ -2,7 +2,6 @@ unless Gitlab::Runtime.sidekiq? Rails.application.reloader.to_prepare do filename = File.join(Rails.root, 'log', "#{Rails.env}_json.log") - db_counter = Gitlab::Metrics::Subscribers::ActiveRecord Rails.application.configure do config.lograge.enabled = true @@ -17,7 +16,6 @@ unless Gitlab::Runtime.sidekiq? data[:db_duration_s] = Gitlab::Utils.ms_to_round_sec(data.delete(:db)) if data[:db] data[:view_duration_s] = Gitlab::Utils.ms_to_round_sec(data.delete(:view)) if data[:view] data[:duration_s] = Gitlab::Utils.ms_to_round_sec(data.delete(:duration)) if data[:duration] - data.merge!(db_counter.db_counter_payload) # Remove empty hashes to prevent type mismatches # These are set to empty hashes in Lograge's ActionCable subscriber diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index 58bf3f6013c..6cc4fe25765 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb 
@@ -1,191 +1,3 @@ # frozen_string_literal: true -# Specs for this file can be found on: -# * spec/lib/gitlab/throttle_spec.rb -# * spec/requests/rack_attack_global_spec.rb -module Gitlab::Throttle - def self.settings - Gitlab::CurrentSettings.current_application_settings - end - - # Returns true if we should use the Admin Area protected paths throttle - def self.protected_paths_enabled? - self.settings.throttle_protected_paths_enabled? - end - - def self.omnibus_protected_paths_present? - Rack::Attack.throttles.key?('protected paths') - end - - def self.bypass_header - env_value = ENV['GITLAB_THROTTLE_BYPASS_HEADER'] - return unless env_value.present? - - "HTTP_#{env_value.upcase.tr('-', '_')}" - end - - def self.unauthenticated_options - limit_proc = proc { |req| settings.throttle_unauthenticated_requests_per_period } - period_proc = proc { |req| settings.throttle_unauthenticated_period_in_seconds.seconds } - { limit: limit_proc, period: period_proc } - end - - def self.authenticated_api_options - limit_proc = proc { |req| settings.throttle_authenticated_api_requests_per_period } - period_proc = proc { |req| settings.throttle_authenticated_api_period_in_seconds.seconds } - { limit: limit_proc, period: period_proc } - end - - def self.authenticated_web_options - limit_proc = proc { |req| settings.throttle_authenticated_web_requests_per_period } - period_proc = proc { |req| settings.throttle_authenticated_web_period_in_seconds.seconds } - { limit: limit_proc, period: period_proc } - end - - def self.protected_paths_options - limit_proc = proc { |req| settings.throttle_protected_paths_requests_per_period } - period_proc = proc { |req| settings.throttle_protected_paths_period_in_seconds.seconds } - - { limit: limit_proc, period: period_proc } - end -end - -class Rack::Attack - # Order conditions by how expensive they are: - # 1. 
The most expensive is the `req.unauthenticated?` and - # `req.authenticated_user_id` as it performs an expensive - # DB/Redis query to validate the request - # 2. Slightly less expensive is the need to query DB/Redis - # to unmarshal settings (`Gitlab::Throttle.settings`) - # - # We deliberately skip `/-/health|liveness|readiness` - # from Rack Attack as they need to always be accessible - # by Load Balancer and additional measure is implemented - # (token and whitelisting) to prevent abuse. - throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req| - if !req.should_be_skipped? && - Gitlab::Throttle.settings.throttle_unauthenticated_enabled && - req.unauthenticated? - req.ip - end - end - - throttle('throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req| - if req.api_request? && - Gitlab::Throttle.settings.throttle_authenticated_api_enabled - req.authenticated_user_id([:api]) - end - end - - # Product analytics feature is in experimental stage. - # At this point we want to limit amount of events registered - # per application (aid stands for application id). - throttle('throttle_product_analytics_collector', limit: 100, period: 60) do |req| - if req.product_analytics_collector_request? - req.params['aid'] - end - end - - throttle('throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req| - if req.web_request? && - Gitlab::Throttle.settings.throttle_authenticated_web_enabled - req.authenticated_user_id([:api, :rss, :ics]) - end - end - - throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req| - if req.post? && - !req.should_be_skipped? && - req.protected_path? && - Gitlab::Throttle.protected_paths_enabled? && - req.unauthenticated? - req.ip - end - end - - throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req| - if req.post? && - req.api_request? && - req.protected_path? 
&& - Gitlab::Throttle.protected_paths_enabled? - req.authenticated_user_id([:api]) - end - end - - throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req| - if req.post? && - req.web_request? && - req.protected_path? && - Gitlab::Throttle.protected_paths_enabled? - req.authenticated_user_id([:api, :rss, :ics]) - end - end - - safelist('throttle_bypass_header') do |req| - Gitlab::Throttle.bypass_header.present? && - req.get_header(Gitlab::Throttle.bypass_header) == '1' - end - - class Request - def unauthenticated? - !(authenticated_user_id([:api, :rss, :ics]) || authenticated_runner_id) - end - - def authenticated_user_id(request_formats) - request_authenticator.user(request_formats)&.id - end - - def authenticated_runner_id - request_authenticator.runner&.id - end - - def api_request? - path.start_with?('/api') - end - - def api_internal_request? - path =~ %r{^/api/v\d+/internal/} - end - - def health_check_request? - path =~ %r{^/-/(health|liveness|readiness)} - end - - def product_analytics_collector_request? - path.start_with?('/-/collector/i') - end - - def should_be_skipped? - api_internal_request? || health_check_request? - end - - def web_request? - !api_request? && !health_check_request? - end - - def protected_path? - !protected_path_regex.nil? - end - - def protected_path_regex - path =~ protected_paths_regex - end - - private - - def request_authenticator - @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(self) - end - - def protected_paths - Gitlab::CurrentSettings.current_application_settings.protected_paths - end - - def protected_paths_regex - Regexp.union(protected_paths.map { |path| /\A#{Regexp.escape(path)}/ }) - end - end -end - -::Rack::Attack.extend_if_ee('::EE::Gitlab::Rack::Attack') -::Rack::Attack::Request.prepend_if_ee('::EE::Gitlab::Rack::Attack::Request') +Gitlab::RackAttack.configure(::Rack::Attack) 
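Review bot: The new initializer is a bare `Gitlab::RackAttack.configure(::Rack::Attack)` call with no comment, while the removed header pointed readers at `spec/lib/gitlab/throttle_spec.rb` and `spec/requests/rack_attack_global_spec.rb` and explained the health-check skip and the bypass header; that orientation should survive the move as a comment above the call, e.g. `# Throttles, safelist and Request helpers now live in Gitlab::RackAttack; see spec/requests/rack_attack_global_spec.rb`. The removed lines also applied `extend_if_ee('::EE::Gitlab::Rack::Attack')` and `prepend_if_ee('::EE::Gitlab::Rack::Attack::Request')`, and the hunk does not show whether `configure` does this, so it is worth confirming that the EE throttles are still installed. The hunk starts two page lines earlier than this note.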
diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb index e89c6b1b794..7b0a8f0d7dd 100644 --- a/config/initializers/rack_attack_logging.rb +++ b/config/initializers/rack_attack_logging.rb @@ -6,7 +6,7 @@ ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, r req = payload[:request] case req.env['rack.attack.match_type'] - when :throttle, :blocklist + when :throttle, :blocklist, :track rack_attack_info = { message: 'Rack_Attack', env: req.env['rack.attack.match_type'], diff --git a/config/initializers/sidekiq.rb b/config/initializers/sidekiq.rb index 8e3241a2e4c..43beae3f50d 100644 --- a/config/initializers/sidekiq.rb +++ b/config/initializers/sidekiq.rb @@ -46,6 +46,8 @@ Sidekiq.configure_server do |config| config.client_middleware(&Gitlab::SidekiqMiddleware.client_configurator) + config.death_handlers << Gitlab::SidekiqDeathHandler.method(:handler) + config.on :startup do # Clear any connections that might have been obtained before starting # Sidekiq (e.g. in an initializer). diff --git a/config/initializers/structure_load_in_transaction.rb b/config/initializers/structure_load_in_transaction.rb new file mode 100644 index 00000000000..7b8f0e07203 --- /dev/null +++ b/config/initializers/structure_load_in_transaction.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +ActiveRecord::Tasks::DatabaseTasks.structure_load_flags ||= [] + +flag = '--single-transaction' + +unless ActiveRecord::Tasks::DatabaseTasks.structure_load_flags.include?(flag) + ActiveRecord::Tasks::DatabaseTasks.structure_load_flags << flag +end diff --git a/config/initializers/zz_metrics.rb b/config/initializers/zz_metrics.rb index 8e31e4f9282..430e4d60d61 100644 --- a/config/initializers/zz_metrics.rb +++ b/config/initializers/zz_metrics.rb 
@@ -150,12 +150,6 @@ if Gitlab::Metrics.enabled? && !Rails.env.test? && !(Rails.env.development? && d config.middleware.use(Gitlab::Metrics::ElasticsearchRackMiddleware) end - Sidekiq.configure_server do |config| - config.server_middleware do |chain| - chain.add Gitlab::Metrics::SidekiqMiddleware - end - end - # This instruments all methods residing in app/models that (appear to) use any # of the ActiveRecord methods. This has to take place _after_ initializing as # for some unknown reason calling eager_load! earlier breaks Devise. |