Commit edb06ab2 authored by 徐豪's avatar 徐豪

init

parents

Too many changes to show.

To preserve performance only 532 of 532+ files are displayed.
diff --git a/app/models/note.rb b/app/models/note.rb
index 2ad6df85e5f..ed64a01756a 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -44,7 +44,7 @@ class Note < ApplicationRecord
attr_accessor :user_visible_reference_count
# Attribute used to store the attributes that have been changed by quick actions.
- attr_accessor :commands_changes
+ attr_writer :commands_changes
default_value_for :system, false
@@ -576,6 +576,41 @@ def skip_notification?
review.present? || !author.can_trigger_notifications?
end
+ def commands_changes
+ @commands_changes&.slice(
+ :due_date,
+ :label_ids,
+ :remove_label_ids,
+ :add_label_ids,
+ :canonical_issue_id,
+ :clone_with_notes,
+ :confidential,
+ :create_merge_request,
+ :add_contacts,
+ :remove_contacts,
+ :assignee_ids,
+ :milestone_id,
+ :time_estimate,
+ :spend_time,
+ :discussion_locked,
+ :merge,
+ :rebase,
+ :wip_event,
+ :target_branch,
+ :reviewer_ids,
+ :health_status,
+ :promote_to_epic,
+ :weight,
+ :emoji_award,
+ :todo_event,
+ :subscription_event,
+ :state_event,
+ :title,
+ :tag_message,
+ :tag_name
+ )
+ end
+
private
# Using this method followed by a call to *save* may result in *ActiveRecord::RecordNotUnique* exception
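Review bot: The allowlist in the new `commands_changes` reader is a 30-symbol literal inside the method body, with no comment saying why keys are filtered, so a quick action that later stores a new key will have it dropped silently at read time. I would move the list to a frozen constant and document it, for example `# Only these quick-action keys may be read back; any other key set on the note is discarded.` above a `COMMANDS_CHANGES_ALLOWLIST = %i[...].freeze` that the method passes to `slice`. The filter uses symbol keys, so a caller that assigns a plain Hash with string keys would presumably get an empty hash back; a spec for that case would pin the behaviour. The same method is added in the other four note.rb sections on this page.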
diff --git a/app/models/note.rb b/app/models/note.rb
index 34ffd7c91af..18199b34c0e 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -46,7 +46,7 @@ class Note < ApplicationRecord
attr_accessor :user_visible_reference_count
# Attribute used to store the attributes that have been changed by quick actions.
- attr_accessor :commands_changes
+ attr_writer :commands_changes
default_value_for :system, false
@@ -601,6 +601,41 @@ def user_mention_identifier
})
end
+ def commands_changes
+ @commands_changes&.slice(
+ :due_date,
+ :label_ids,
+ :remove_label_ids,
+ :add_label_ids,
+ :canonical_issue_id,
+ :clone_with_notes,
+ :confidential,
+ :create_merge_request,
+ :add_contacts,
+ :remove_contacts,
+ :assignee_ids,
+ :milestone_id,
+ :time_estimate,
+ :spend_time,
+ :discussion_locked,
+ :merge,
+ :rebase,
+ :wip_event,
+ :target_branch,
+ :reviewer_ids,
+ :health_status,
+ :promote_to_epic,
+ :weight,
+ :emoji_award,
+ :todo_event,
+ :subscription_event,
+ :state_event,
+ :title,
+ :tag_message,
+ :tag_name
+ )
+ end
+
private
# Using this method followed by a call to *save* may result in *ActiveRecord::RecordNotUnique* exception
diff --git a/app/models/note.rb b/app/models/note.rb
index a8f5c305d9b..439323a6ee9 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -46,7 +46,7 @@ class Note < ApplicationRecord
attr_accessor :user_visible_reference_count
# Attribute used to store the attributes that have been changed by quick actions.
- attr_accessor :commands_changes
+ attr_writer :commands_changes
# Attribute used to determine whether keep_around_commits will be skipped for diff notes.
attr_accessor :skip_keep_around_commits
@@ -604,6 +604,41 @@ def user_mention_identifier
})
end
+ def commands_changes
+ @commands_changes&.slice(
+ :due_date,
+ :label_ids,
+ :remove_label_ids,
+ :add_label_ids,
+ :canonical_issue_id,
+ :clone_with_notes,
+ :confidential,
+ :create_merge_request,
+ :add_contacts,
+ :remove_contacts,
+ :assignee_ids,
+ :milestone_id,
+ :time_estimate,
+ :spend_time,
+ :discussion_locked,
+ :merge,
+ :rebase,
+ :wip_event,
+ :target_branch,
+ :reviewer_ids,
+ :health_status,
+ :promote_to_epic,
+ :weight,
+ :emoji_award,
+ :todo_event,
+ :subscription_event,
+ :state_event,
+ :title,
+ :tag_message,
+ :tag_name
+ )
+ end
+
private
def system_note_viewable_by?(user)
diff --git a/app/models/note.rb b/app/models/note.rb
index 37473518892..c37297bdc87 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -46,7 +46,7 @@ class Note < ApplicationRecord
attr_accessor :user_visible_reference_count
# Attribute used to store the attributes that have been changed by quick actions.
- attr_accessor :commands_changes
+ attr_writer :commands_changes
# Attribute used to determine whether keep_around_commits will be skipped for diff notes.
attr_accessor :skip_keep_around_commits
@@ -602,6 +602,41 @@ def user_mention_identifier
})
end
+ def commands_changes
+ @commands_changes&.slice(
+ :due_date,
+ :label_ids,
+ :remove_label_ids,
+ :add_label_ids,
+ :canonical_issue_id,
+ :clone_with_notes,
+ :confidential,
+ :create_merge_request,
+ :add_contacts,
+ :remove_contacts,
+ :assignee_ids,
+ :milestone_id,
+ :time_estimate,
+ :spend_time,
+ :discussion_locked,
+ :merge,
+ :rebase,
+ :wip_event,
+ :target_branch,
+ :reviewer_ids,
+ :health_status,
+ :promote_to_epic,
+ :weight,
+ :emoji_award,
+ :todo_event,
+ :subscription_event,
+ :state_event,
+ :title,
+ :tag_message,
+ :tag_name
+ )
+ end
+
private
def system_note_viewable_by?(user)
diff --git a/app/models/note.rb b/app/models/note.rb
index cb285028203..e8342017bfe 100644
--- a/app/models/note.rb
+++ b/app/models/note.rb
@@ -46,7 +46,7 @@ class Note < ApplicationRecord
attr_accessor :user_visible_reference_count
# Attribute used to store the attributes that have been changed by quick actions.
- attr_accessor :commands_changes
+ attr_writer :commands_changes
# Attribute used to determine whether keep_around_commits will be skipped for diff notes.
attr_accessor :skip_keep_around_commits
@@ -603,6 +603,41 @@ def user_mention_identifier
})
end
+ def commands_changes
+ @commands_changes&.slice(
+ :due_date,
+ :label_ids,
+ :remove_label_ids,
+ :add_label_ids,
+ :canonical_issue_id,
+ :clone_with_notes,
+ :confidential,
+ :create_merge_request,
+ :add_contacts,
+ :remove_contacts,
+ :assignee_ids,
+ :milestone_id,
+ :time_estimate,
+ :spend_time,
+ :discussion_locked,
+ :merge,
+ :rebase,
+ :wip_event,
+ :target_branch,
+ :reviewer_ids,
+ :health_status,
+ :promote_to_epic,
+ :weight,
+ :emoji_award,
+ :todo_event,
+ :subscription_event,
+ :state_event,
+ :title,
+ :tag_message,
+ :tag_name
+ )
+ end
+
private
def system_note_viewable_by?(user)
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ class Encrypted < Base
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
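Review bot: A record that was found by value but whose presented token lacks the expected prefix is discarded on the last added line with the same `nil` as an unknown token, and nothing records that it happened. Since this is the path that rejects rotated-out tokens, a comment such as `# Found by value, but reject tokens that do not carry the current prefix.` above `instance if instance && matches_prefix?(instance, token)` would make the intent clear, and a counter or log entry naming the model and record id (never the token) would let operators tell stale credentials from guessing. `token` is only checked with `blank?` before `matches_prefix?` calls `start_with?` on it, so a non-String value would presumably raise there; confirm that callers always pass a String. The same hunk recurs in the later encrypted.rb sections.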
@@ -41,9 +43,7 @@ def ensure_token(instance)
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ def optional?
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
@@ -95,14 +101,22 @@ def insecure_strategy
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
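Review bot: `matches_prefix?` fails open, because `prefix = '' unless prefix.is_a?(String)` turns any non-String value (a Symbol, or `nil` returned by the proc) into the empty prefix and `start_with?('')` is true for every token. For a check whose purpose is to invalidate old tokens, a misconfigured `:prefix` should be an error, in line with the `ArgumentError` raised for an unknown strategy in `find_token_authenticatable`: `return true unless options.key?(:prefix)` at the top, and `raise ArgumentError, 'prefix must be a String' unless prefix.is_a?(String)` after the proc call. In the same hunk `token_set?` now decrypts the stored value on every call where it previously only read the attribute; that looks intended, but a one-line comment saying the plaintext is needed for the prefix check would help. The later encrypted.rb sections carry the same lines.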
diff --git a/app/models/group.rb b/app/models/group.rb
index 8114d75f682..1ceb326358a 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -17,9 +17,15 @@ class Group < Namespace
include GroupAPICompatibility
include EachBatch
include HasTimelogsReport
+ extend ::Gitlab::Utils::Override
ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT = 10
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
has_many :all_group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
has_many :group_members, -> { where(requested_at: nil).where.not(members: { access_level: Gitlab::Access::MINIMAL_ACCESS }) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
alias_method :members, :group_members
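Review bot: `RUNNERS_TOKEN_PREFIX = 'GR1348941'` and its three-line comment are defined here and again verbatim in `Project`, so the next rotation has to change two literals in step. A single definition that both models reference would remove the chance of the two drifting apart. The comment could also state that the prefix is a fixed, public marker rather than part of the secret, e.g. `# Not a secret: the prefix only identifies the token generation.` The same addition appears in the other group.rb and project.rb sections on this page.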
@@ -98,7 +104,9 @@ class Group < Namespace
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -640,6 +648,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
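Review bot: `runners_token_prefix` has no comment on what flipping `groups_runners_token_prefix` does, and the effect is large: with the flag on, `matches_prefix?` in the encrypted strategy rejects every stored or presented runners token that does not start with `RUNNERS_TOKEN_PREFIX`, and with it off the prefix is `''` so every token matches. I would document that above the method, e.g. `# Enabling the flag invalidates all runners tokens issued without the prefix; disabling it accepts both forms.` Because the flag is evaluated on each call, `format_runners_token` and a later prefix check can see different values if the flag changes in between; presumably acceptable, but worth stating. `format_runners_token` overrides a method defined outside this hunk. `Project` gets the same pair of methods with `projects_runners_token_prefix`.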
diff --git a/app/models/project.rb b/app/models/project.rb
index 0e2c63e625c..ad65902b2aa 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -70,6 +70,11 @@ class Project < ApplicationRecord
GL_REPOSITORY_TYPES = [Gitlab::GlRepository::PROJECT, Gitlab::GlRepository::WIKI, Gitlab::GlRepository::DESIGN].freeze
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -91,7 +96,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1795,6 +1802,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end
diff --git a/config/feature_flags/development/groups_runners_token_prefix.yml b/config/feature_flags/development/groups_runners_token_prefix.yml
new file mode 100644
index 00000000000..87b87266673
--- /dev/null
+++ b/config/feature_flags/development/groups_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: groups_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/config/feature_flags/development/projects_runners_token_prefix.yml b/config/feature_flags/development/projects_runners_token_prefix.yml
new file mode 100644
index 00000000000..5dd21d115f6
--- /dev/null
+++ b/config/feature_flags/development/projects_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: projects_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ class Encrypted < Base
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
@@ -41,9 +43,7 @@ def ensure_token(instance)
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ def optional?
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
@@ -95,14 +101,22 @@ def insecure_strategy
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
diff --git a/app/models/group.rb b/app/models/group.rb
index e645572d841..c2130a36401 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -17,6 +17,12 @@ class Group < Namespace
include GroupAPICompatibility
include EachBatch
include BulkMemberAccessLoad
+ extend ::Gitlab::Utils::Override
+
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
has_many :all_group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
has_many :group_members, -> { where(requested_at: nil).where.not(members: { access_level: Gitlab::Access::MINIMAL_ACCESS }) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
@@ -98,7 +104,9 @@ class Group < Namespace
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -630,6 +638,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
diff --git a/app/models/project.rb b/app/models/project.rb
index 41fc9a2bcdf..f0a03e1f10c 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -68,6 +68,11 @@ class Project < ApplicationRecord
GL_REPOSITORY_TYPES = [Gitlab::GlRepository::PROJECT, Gitlab::GlRepository::WIKI, Gitlab::GlRepository::DESIGN].freeze
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -89,7 +94,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1792,6 +1799,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end
diff --git a/config/feature_flags/development/groups_runners_token_prefix.yml b/config/feature_flags/development/groups_runners_token_prefix.yml
new file mode 100644
index 00000000000..87b87266673
--- /dev/null
+++ b/config/feature_flags/development/groups_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: groups_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/config/feature_flags/development/projects_runners_token_prefix.yml b/config/feature_flags/development/projects_runners_token_prefix.yml
new file mode 100644
index 00000000000..5dd21d115f6
--- /dev/null
+++ b/config/feature_flags/development/projects_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: projects_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ class Encrypted < Base
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
@@ -41,9 +43,7 @@ def ensure_token(instance)
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ def optional?
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
@@ -95,14 +101,22 @@ def insecure_strategy
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
diff --git a/app/models/group.rb b/app/models/group.rb
index 1e7308499a0..5d4185d2355 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -17,6 +17,12 @@ class Group < Namespace
include GroupAPICompatibility
include EachBatch
include BulkMemberAccessLoad
+ extend ::Gitlab::Utils::Override
+
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
has_many :all_group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
has_many :group_members, -> { where(requested_at: nil).where.not(members: { access_level: Gitlab::Access::MINIMAL_ACCESS }) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
@@ -98,7 +104,9 @@ class Group < Namespace
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -629,6 +637,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
diff --git a/app/models/project.rb b/app/models/project.rb
index c5522737b87..c71eb3fe0da 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -68,6 +68,11 @@ class Project < ApplicationRecord
GL_REPOSITORY_TYPES = [Gitlab::GlRepository::PROJECT, Gitlab::GlRepository::WIKI, Gitlab::GlRepository::DESIGN].freeze
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -89,7 +94,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1781,6 +1788,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end
diff --git a/config/feature_flags/development/groups_runners_token_prefix.yml b/config/feature_flags/development/groups_runners_token_prefix.yml
new file mode 100644
index 00000000000..87b87266673
--- /dev/null
+++ b/config/feature_flags/development/groups_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: groups_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/config/feature_flags/development/projects_runners_token_prefix.yml b/config/feature_flags/development/projects_runners_token_prefix.yml
new file mode 100644
index 00000000000..5dd21d115f6
--- /dev/null
+++ b/config/feature_flags/development/projects_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: projects_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ class Encrypted < Base
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
@@ -41,9 +43,7 @@ def ensure_token(instance)
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ def optional?
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
@@ -95,14 +101,22 @@ def insecure_strategy
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
diff --git a/app/models/group.rb b/app/models/group.rb
index f6b45a755e4..e1d55514cff 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -17,6 +17,12 @@ class Group < Namespace
include GroupAPICompatibility
include EachBatch
include BulkMemberAccessLoad
+ extend ::Gitlab::Utils::Override
+
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
has_many :all_group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
has_many :group_members, -> { where(requested_at: nil).where.not(members: { access_level: Gitlab::Access::MINIMAL_ACCESS }) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
@@ -98,7 +104,9 @@ class Group < Namespace
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -630,6 +638,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
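Review bot: With the flag off, `runners_token_prefix` returns `''`, and `matches_prefix?` in `token_authenticatable_strategies/encrypted.rb` then accepts any stored token, so disabling `groups_runners_token_prefix` lets un-prefixed tokens that are still in the database authenticate again. That rollback behaviour is worth stating next to the method, for example `# Returns '' when the flag is off, which disables the prefix check and re-accepts tokens stored without the prefix.` The `app/models/project.rb` hunk that adds the same two methods with `projects_runners_token_prefix` needs the same comment, as do the repeated copies further down the page. The `format_runners_token` definition being overridden is outside this hunk.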
diff --git a/app/models/project.rb b/app/models/project.rb
index 67fc53c5ff3..0addf0d8724 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -73,6 +73,11 @@ class Project < ApplicationRecord
GL_REPOSITORY_TYPES = [Gitlab::GlRepository::PROJECT, Gitlab::GlRepository::WIKI, Gitlab::GlRepository::DESIGN].freeze
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -93,7 +98,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1796,6 +1803,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end
diff --git a/config/feature_flags/development/groups_runners_token_prefix.yml b/config/feature_flags/development/groups_runners_token_prefix.yml
new file mode 100644
index 00000000000..87b87266673
--- /dev/null
+++ b/config/feature_flags/development/groups_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: groups_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/config/feature_flags/development/projects_runners_token_prefix.yml b/config/feature_flags/development/projects_runners_token_prefix.yml
new file mode 100644
index 00000000000..5dd21d115f6
--- /dev/null
+++ b/config/feature_flags/development/projects_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: projects_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ class Encrypted < Base
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
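Review bot: A record that is found in the database but fails `matches_prefix?` is turned into `nil` on the last line with no trace, which callers cannot tell apart from an unknown token. Since this is the path that rejects tokens lacking the current prefix, a log line or counter at that point (recording the record's class and id, never the token) would let operators see which groups or projects still have clients presenting old tokens. A comment such as `# A record whose token lacks the current prefix is treated as not found.` would also make the intent of `instance if instance && matches_prefix?(instance, token)` explicit. The same hunk appears again further down the page.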
@@ -41,9 +43,7 @@ def ensure_token(instance)
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ def optional?
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
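Review bot: `get_encrypted_token` can return a value that was never encrypted, because its last line falls back to `insecure_strategy.get_token(instance)` when `optional?` is true. A short comment on the method, e.g. `# Returns the decrypted token, or the token from the insecure strategy when encryption is optional.`, would keep callers from assuming the result always came from the encrypted column. The `encrypted_strategy` method that follows continues outside the hunk, and the same hunk is repeated further down the page.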
@@ -95,14 +101,22 @@ def insecure_strategy
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
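Review bot: `prefix = '' unless prefix.is_a?(String)` in `matches_prefix?` fails open: a `prefix:` option given as a Symbol, or a lambda that returns `nil` by mistake, silently becomes the empty prefix and every token passes. Defaulting only the unset case and rejecting anything else keeps a misconfiguration from disabling the check, e.g. `prefix = '' if prefix.nil?` followed by `raise ArgumentError, 'prefix must be a String' unless prefix.is_a?(String)`. In `token_set?`, `get_encrypted_token` already falls back to the insecure strategy when `optional?`, so the `unless required?` block now appears to matter only for the migrating strategy and deserves a comment saying so. The same hunk is repeated elsewhere on the page.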
diff --git a/app/models/group.rb b/app/models/group.rb
index a667a908707..57a33b11221 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -18,6 +18,13 @@ class Group < Namespace
include EachBatch
include BulkMemberAccessLoad
+ extend ::Gitlab::Utils::Override
+
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
def self.sti_name
'Group'
end
@@ -105,7 +112,9 @@ def self.sti_name
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -646,6 +655,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
diff --git a/app/models/project.rb b/app/models/project.rb
index b0dafeccc92..0b82cef584d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -74,6 +74,11 @@ class Project < ApplicationRecord
GL_REPOSITORY_TYPES = [Gitlab::GlRepository::PROJECT, Gitlab::GlRepository::WIKI, Gitlab::GlRepository::DESIGN].freeze
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -94,7 +99,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1854,6 +1861,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end
diff --git a/config/feature_flags/development/groups_runners_token_prefix.yml b/config/feature_flags/development/groups_runners_token_prefix.yml
new file mode 100644
index 00000000000..87b87266673
--- /dev/null
+++ b/config/feature_flags/development/groups_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: groups_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/config/feature_flags/development/projects_runners_token_prefix.yml b/config/feature_flags/development/projects_runners_token_prefix.yml
new file mode 100644
index 00000000000..5dd21d115f6
--- /dev/null
+++ b/config/feature_flags/development/projects_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: projects_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ class Encrypted < Base
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
@@ -41,9 +43,7 @@ def ensure_token(instance)
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ def optional?
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
@@ -95,14 +101,22 @@ def insecure_strategy
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
diff --git a/app/models/group.rb b/app/models/group.rb
index c5e119451e3..97bc07ff274 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -18,6 +18,13 @@ class Group < Namespace
include EachBatch
include BulkMemberAccessLoad
+ extend ::Gitlab::Utils::Override
+
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
def self.sti_name
'Group'
end
@@ -105,7 +112,9 @@ def self.sti_name
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -652,6 +661,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
diff --git a/app/models/project.rb b/app/models/project.rb
index 6a5cf00aba1..7a927c559f3 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -74,6 +74,11 @@ class Project < ApplicationRecord
GL_REPOSITORY_TYPES = [Gitlab::GlRepository::PROJECT, Gitlab::GlRepository::WIKI, Gitlab::GlRepository::DESIGN].freeze
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -94,7 +99,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1846,6 +1853,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end
diff --git a/config/feature_flags/development/groups_runners_token_prefix.yml b/config/feature_flags/development/groups_runners_token_prefix.yml
new file mode 100644
index 00000000000..87b87266673
--- /dev/null
+++ b/config/feature_flags/development/groups_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: groups_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/config/feature_flags/development/projects_runners_token_prefix.yml b/config/feature_flags/development/projects_runners_token_prefix.yml
new file mode 100644
index 00000000000..5dd21d115f6
--- /dev/null
+++ b/config/feature_flags/development/projects_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: projects_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/app/models/concerns/token_authenticatable_strategies/encrypted.rb b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
index 50a2613bb10..e957d09fbc6 100644
--- a/app/models/concerns/token_authenticatable_strategies/encrypted.rb
+++ b/app/models/concerns/token_authenticatable_strategies/encrypted.rb
@@ -5,16 +5,18 @@ class Encrypted < Base
def find_token_authenticatable(token, unscoped = false)
return if token.blank?
- if required?
- find_by_encrypted_token(token, unscoped)
- elsif optional?
- find_by_encrypted_token(token, unscoped) ||
- find_by_plaintext_token(token, unscoped)
- elsif migrating?
- find_by_plaintext_token(token, unscoped)
- else
- raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
- end
+ instance = if required?
+ find_by_encrypted_token(token, unscoped)
+ elsif optional?
+ find_by_encrypted_token(token, unscoped) ||
+ find_by_plaintext_token(token, unscoped)
+ elsif migrating?
+ find_by_plaintext_token(token, unscoped)
+ else
+ raise ArgumentError, _("Unknown encryption strategy: %{encrypted_strategy}!") % { encrypted_strategy: encrypted_strategy }
+ end
+
+ instance if instance && matches_prefix?(instance, token)
end
def ensure_token(instance)
@@ -41,9 +43,7 @@ def ensure_token(instance)
def get_token(instance)
return insecure_strategy.get_token(instance) if migrating?
- encrypted_token = instance.read_attribute(encrypted_field)
- token = EncryptionHelper.decrypt_token(encrypted_token)
- token || (insecure_strategy.get_token(instance) if optional?)
+ get_encrypted_token(instance)
end
def set_token(instance, token)
@@ -69,6 +69,12 @@ def optional?
protected
+ def get_encrypted_token(instance)
+ encrypted_token = instance.read_attribute(encrypted_field)
+ token = EncryptionHelper.decrypt_token(encrypted_token)
+ token || (insecure_strategy.get_token(instance) if optional?)
+ end
+
def encrypted_strategy
value = options[:encrypted]
value = value.call if value.is_a?(Proc)
@@ -95,14 +101,22 @@ def insecure_strategy
.new(klass, token_field, options)
end
+ def matches_prefix?(instance, token)
+ prefix = options[:prefix]
+ prefix = prefix.call(instance) if prefix.is_a?(Proc)
+ prefix = '' unless prefix.is_a?(String)
+
+ token.start_with?(prefix)
+ end
+
def token_set?(instance)
- raw_token = instance.read_attribute(encrypted_field)
+ token = get_encrypted_token(instance)
unless required?
- raw_token ||= insecure_strategy.get_token(instance)
+ token ||= insecure_strategy.get_token(instance)
end
- raw_token.present?
+ token.present? && matches_prefix?(instance, token)
end
def encrypted_field
diff --git a/app/models/group.rb b/app/models/group.rb
index 2dd20300ad2..49d6c832ca7 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -18,6 +18,13 @@ class Group < Namespace
include EachBatch
include BulkMemberAccessLoad
+ extend ::Gitlab::Utils::Override
+
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
def self.sti_name
'Group'
end
@@ -108,7 +115,9 @@ def self.sti_name
message: Gitlab::Regex.group_name_regex_message },
if: :name_changed?
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
after_create :post_create_hook
after_destroy :post_destroy_hook
@@ -652,6 +661,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:groups_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def project_creation_level
super || ::Gitlab::CurrentSettings.default_project_creation
end
diff --git a/app/models/project.rb b/app/models/project.rb
index 45999da7839..dd0da082ad2 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -73,6 +73,11 @@ class Project < ApplicationRecord
GL_REPOSITORY_TYPES = [Gitlab::GlRepository::PROJECT, Gitlab::GlRepository::WIKI, Gitlab::GlRepository::DESIGN].freeze
+ # Prefix for runners_token which can be used to invalidate existing tokens.
+ # The value chosen here is GR (for Gitlab Runner) combined with the rotation
+ # date (20220225) decimal to hex encoded.
+ RUNNERS_TOKEN_PREFIX = 'GR1348941'
+
cache_markdown_field :description, pipeline: :description
default_value_for :packages_enabled, true
@@ -93,7 +98,9 @@ class Project < ApplicationRecord
default_value_for :autoclose_referenced_issues, true
default_value_for(:ci_config_path) { Gitlab::CurrentSettings.default_ci_config_path }
- add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
+ add_authentication_token_field :runners_token,
+ encrypted: -> { Feature.enabled?(:projects_tokens_optional_encryption, default_enabled: true) ? :optional : :required },
+ prefix: ->(instance) { instance.runners_token_prefix }
before_validation :mark_remote_mirrors_for_removal, if: -> { RemoteMirror.table_exists? }
@@ -1863,6 +1870,15 @@ def runners_token
ensure_runners_token!
end
+ def runners_token_prefix
+ Feature.enabled?(:projects_runners_token_prefix, self, default_enabled: :yaml) ? RUNNERS_TOKEN_PREFIX : ''
+ end
+
+ override :format_runners_token
+ def format_runners_token(token)
+ "#{runners_token_prefix}#{token}"
+ end
+
def pages_deployed?
pages_metadatum&.deployed?
end
diff --git a/config/feature_flags/development/groups_runners_token_prefix.yml b/config/feature_flags/development/groups_runners_token_prefix.yml
new file mode 100644
index 00000000000..87b87266673
--- /dev/null
+++ b/config/feature_flags/development/groups_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: groups_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
diff --git a/config/feature_flags/development/projects_runners_token_prefix.yml b/config/feature_flags/development/projects_runners_token_prefix.yml
new file mode 100644
index 00000000000..5dd21d115f6
--- /dev/null
+++ b/config/feature_flags/development/projects_runners_token_prefix.yml
@@ -0,0 +1,8 @@
+---
+name: projects_runners_token_prefix
+introduced_by_url:
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/353805
+milestone: '14.9'
+type: development
+group: group::database
+default_enabled: true
commit 21e34f9365fb146d34c4d464a09ba1621cb2556a
Author: Richard Clamp <richardc@unixbeard.net>
Date: Fri Apr 6 10:53:44 2018 +0100
Add dep locks
diff --git a/Gopkg.lock b/Gopkg.lock
new file mode 100644
index 0000000..498755a
--- /dev/null
+++ b/Gopkg.lock
@@ -0,0 +1,21 @@
+# This file is autogenerated, do not edit; changes may be undone by the next 'dep ensure'.
+
+
+[[projects]]
+ name = "github.com/jessevdk/go-flags"
+ packages = ["."]
+ revision = "c6ca198ec95c841fdb89fc0de7496fed11ab854e"
+ version = "v1.4.0"
+
+[[projects]]
+ name = "github.com/robfig/cron"
+ packages = ["."]
+ revision = "b024fc5ea0e34bc3f83d9941c8d60b0622bfaca4"
+ version = "v1"
+
+[solve-meta]
+ analyzer-name = "dep"
+ analyzer-version = 1
+ inputs-digest = "fdbb0a0d4a02ae8aaddf59d803e0ed76548235527c5edb63b8757d2d55f0fc3e"
+ solver-name = "gps-cdcl"
+ solver-version = 1
diff --git a/Gopkg.toml b/Gopkg.toml
new file mode 100644
index 0000000..71542f8
--- /dev/null
+++ b/Gopkg.toml
@@ -0,0 +1,38 @@
+# Gopkg.toml example
+#
+# Refer to https://github.com/golang/dep/blob/master/docs/Gopkg.toml.md
+# for detailed Gopkg.toml documentation.
+#
+# required = ["github.com/user/thing/cmd/thing"]
+# ignored = ["github.com/user/project/pkgX", "bitbucket.org/user/project/pkgA/pkgY"]
+#
+# [[constraint]]
+# name = "github.com/user/project"
+# version = "1.0.0"
+#
+# [[constraint]]
+# name = "github.com/user/project2"
+# branch = "dev"
+# source = "github.com/myfork/project2"
+#
+# [[override]]
+# name = "github.com/x/y"
+# version = "2.4.0"
+#
+# [prune]
+# non-go = false
+# go-tests = true
+# unused-packages = true
+
+
+[[constraint]]
+ name = "github.com/jessevdk/go-flags"
+ version = "1.4.0"
+
+[[constraint]]
+ name = "github.com/robfig/cron"
+ version = "1.0.0"
+
+[prune]
+ go-tests = true
+ unused-packages = true
From c9bb58e9087b2fe5f211ce042bbce767397ca548 Mon Sep 17 00:00:00 2001
Message-ID: <c9bb58e9087b2fe5f211ce042bbce767397ca548.1715881810.git.stanhu@gmail.com>
From: Stan Hu <stanhu@gmail.com>
Date: Thu, 2 May 2024 01:46:33 -0700
Subject: [PATCH] Fix uninitialized constant Parser::AST::Processor::Mixin
(#7030)
parser 3.3.1.0 introduced
https://github.com/whitequark/parser/pull/1000, which causes this
failure:
```
% bundle exec ruby -Itest test/unit/profiles/profile_test.rb
inspec/lib/inspec/utils/profile_ast_helpers.rb:7:in `<class:CollectorBase>': uninitialized constant Parser::AST::Processor::Mixin (NameError)
include Parser::AST::Processor::Mixin
^^^^^^^
```
Fix this by inheriting from `Parser::AST::Processor` instead.
Closes #7029
Signed-off-by: Stan Hu <stanhu@gmail.com>
---
lib/inspec/utils/profile_ast_helpers.rb | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/lib/inspec/utils/profile_ast_helpers.rb b/lib/inspec/utils/profile_ast_helpers.rb
index 8e00206f8..299e85bd5 100644
--- a/lib/inspec/utils/profile_ast_helpers.rb
+++ b/lib/inspec/utils/profile_ast_helpers.rb
@@ -3,8 +3,7 @@ require "rubocop-ast"
module Inspec
class Profile
class AstHelper
- class CollectorBase
- include Parser::AST::Processor::Mixin
+ class CollectorBase < Parser::AST::Processor
include RuboCop::AST::Traversal
attr_reader :memo
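Review bot: The new line `class CollectorBase < Parser::AST::Processor` carries no comment, so the reason for inheriting instead of including the mixin lives only in the commit message. A one-line comment above it, such as `# Inherit rather than include Parser::AST::Processor::Mixin, which fails to resolve with parser 3.3.1.0.`, would stop a later cleanup from reintroducing the NameError. The hunk header shows `require "rubocop-ast"` but no explicit require of parser, so the class presumably relies on that gem to load it; worth confirming. `CollectorBase` continues outside the hunk.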
--
2.45.0
From b43ebf0f0adebab7df02ada88bf639ddd67e23e0 Mon Sep 17 00:00:00 2001
From: Robert Marshall <rmarshall@gitlab.com>
Date: Tue, 12 Mar 2019 23:20:06 -0400
Subject: [PATCH] Add option to build without libkeyutils
Add a --without-keyutils option to disable the keyring ccache, for
scenarios where minimizing libkrb5 dependencies is important.
[ghudson@mit.edu: moved processing to configure.ac; added error if
explicit --without-keyutils is given and libkeyutils is not found;
nested persistent keyring check for clarity; moved new documentation
to appropriate place and don't mention persistent keyrings; rephrased
commit message]
ticket: 8791 (new)
---
doc/build/options2configure.rst | 4 ++++
src/aclocal.m4 | 22 ----------------------
src/configure.ac | 21 +++++++++++++++++++++
3 files changed, 25 insertions(+), 22 deletions(-)
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
index ddbee2060..a8959626d 100644
--- a/doc/build/options2configure.rst
+++ b/doc/build/options2configure.rst
@@ -387,6 +387,10 @@ Optional packages
``--without-krb5-config`` to disable the use of krb5-config and
use the usual built-in defaults.
+**-**\ **-without-keyutils**
+ Build without libkeyutils support. This disables the KEYRING
+ credential cache type.
+
Examples
--------
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3752d9bd5..c74755a35 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -93,8 +93,6 @@ KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
KRB5_AC_FIND_DLOPEN
-KRB5_AC_KEYRING_CCACHE
-KRB5_AC_PERSISTENT_KEYRING
])dnl
dnl Maintainer mode, akin to what automake provides, 'cept we don't
@@ -1677,23 +1675,3 @@ if test "$with_ldap" = yes; then
OPENLDAP_PLUGIN=yes
fi
])dnl
-dnl
-dnl If libkeyutils exists (on Linux) include it and use keyring ccache
-AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[
- AC_CHECK_HEADERS([keyutils.h],
- AC_CHECK_LIB(keyutils, add_key,
- [dnl Pre-reqs were found
- AC_DEFINE(USE_KEYRING_CCACHE, 1, [Define if the keyring ccache should be enabled])
- LIBS="-lkeyutils $LIBS"
- ]))
-])dnl
-dnl
-dnl If libkeyutils supports persistent keyrings, use them
-AC_DEFUN(KRB5_AC_PERSISTENT_KEYRING,[
- AC_CHECK_HEADERS([keyutils.h],
- AC_CHECK_LIB(keyutils, keyctl_get_persistent,
- [AC_DEFINE(HAVE_PERSISTENT_KEYRING, 1,
- [Define if persistent keyrings are supported])
- ]))
-])dnl
-dnl
diff --git a/src/configure.ac b/src/configure.ac
index 59193c601..ed5c0a737 100644
--- a/src/configure.ac
+++ b/src/configure.ac
@@ -323,6 +323,27 @@ AC_SUBST(TLS_IMPL)
AC_SUBST(TLS_IMPL_CFLAGS)
AC_SUBST(TLS_IMPL_LIBS)
+AC_ARG_WITH([keyutils],
+AC_HELP_STRING([--without-keyutils],[do not link with libkeyutils]),
+ [], [with_keyutils=check])
+if test "$with_keyutils" != no; then
+ have_keyutils=false
+ AC_CHECK_HEADERS([keyutils.h],
+ AC_CHECK_LIB(keyutils, add_key, [have_keyutils=true]))
+ if test "$have_keyutils" = true; then
+ AC_DEFINE(USE_KEYRING_CCACHE, 1,
+ [Define if the keyring ccache should be enabled])
+ LIBS="-lkeyutils $LIBS"
+ # If libkeyutils supports persistent keyrings, use them.
+ AC_CHECK_LIB(keyutils, keyctl_get_persistent,
+ [AC_DEFINE(HAVE_PERSISTENT_KEYRING, 1,
+ [Define if persistent keyrings are supported])
+ ])
+ elif test "$with_keyutils" = yes; then
+ AC_MSG_ERROR([libkeyutils not found])
+ fi
+fi
+
# The SPAKE preauth plugin currently supports edwards25519 natively,
# and can support three NIST groups using OpenSSL.
HAVE_SPAKE_OPENSSL=no
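Review bot: The second argument of `AC_CHECK_HEADERS([keyutils.h], ...)` is passed unquoted, so the nested `AC_CHECK_LIB` call is expanded before `AC_CHECK_HEADERS` receives it; quoting every argument is the safer m4 style, `AC_CHECK_HEADERS([keyutils.h], [AC_CHECK_LIB([keyutils], [add_key], [have_keyutils=true])])`. Any `--with-keyutils=VALUE` other than `yes` or `no` is handled like the default `check`, so a missing library is a hard error only for the literal `yes`; a comment above the `elif` could say that. `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`, which is worth switching to if the rest of configure.ac allows it.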
--
2.21.0
--- libffi-3.2.1-orig/configure.ac 2014-11-12 05:56:51.000000000 -0600
+++ libffi-3.2.1/configure.ac 2015-10-29 15:53:41.695055040 -0500
@@ -590,6 +590,10 @@
AC_DEFINE(USING_PURIFY, 1, [Define this if you are using Purify and want to suppress spurious messages.])
fi)
+AC_ARG_ENABLE(multi-os-directory,
+[ --disable-multi-os-directory
+ disable use of gcc --print-multi-os-directory to change the library installation directory])
+
# These variables are only ever used when we cross-build to X86_WIN32.
# And we only support this with GCC, so...
if test "x$GCC" = "xyes"; then
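Review bot: The help text names the compiler flag as `--print-multi-os-directory`, while the command guarded in the next hunk is `$CC $CFLAGS -print-multi-os-directory`; the two spellings should match so the help line can be searched for. The hand-indented string could also be written as `AS_HELP_STRING([--disable-multi-os-directory], [disable use of gcc -print-multi-os-directory to change the library installation directory])`, which lets autoconf do the wrapping. The generated `configure` hunks further down would then need regenerating rather than hand-editing.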
@@ -601,11 +605,13 @@
toolexecdir="${libdir}"/gcc-lib/'$(target_alias)'
toolexeclibdir="${libdir}"
fi
- multi_os_directory=`$CC $CFLAGS -print-multi-os-directory`
- case $multi_os_directory in
- .) ;; # Avoid trailing /.
- ../*) toolexeclibdir=$toolexeclibdir/$multi_os_directory ;;
- esac
+ if test x"$enable_multi_os_directory" != x"no"; then
+ multi_os_directory=`$CC $CFLAGS -print-multi-os-directory`
+ case $multi_os_directory in
+ .) ;; # Avoid trailing /.
+ ../*) toolexeclibdir=$toolexeclibdir/$multi_os_directory ;;
+ esac
+ fi
AC_SUBST(toolexecdir)
else
toolexeclibdir="${libdir}"
--- libffi-3.2.1-orig/configure 2014-11-12 11:59:57.000000000 +0000
+++ libffi-3.2.1/configure 2015-10-30 19:50:51.082221000 +0000
@@ -886,6 +886,7 @@
enable_structs
enable_raw_api
enable_purify_safety
+enable_multi_os_directory
'
ac_precious_vars='build_alias
host_alias
@@ -1538,6 +1539,8 @@
--disable-structs omit code for struct support
--disable-raw-api make the raw api unavailable
--enable-purify-safety purify-safe mode
+ --disable-multi-os-directory
+ disable use of gcc --print-multi-os-directory to change the library installation directory
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -18714,6 +18717,12 @@
fi
+# Check whether --enable-multi-os-directory was given.
+if test "${enable_multi_os_directory+set}" = set; then :
+ enableval=$enable_multi_os_directory;
+fi
+
+
# These variables are only ever used when we cross-build to X86_WIN32.
# And we only support this with GCC, so...
if test "x$GCC" = "xyes"; then
@@ -18725,11 +18734,13 @@
toolexecdir="${libdir}"/gcc-lib/'$(target_alias)'
toolexeclibdir="${libdir}"
fi
- multi_os_directory=`$CC $CFLAGS -print-multi-os-directory`
- case $multi_os_directory in
- .) ;; # Avoid trailing /.
- ../*) toolexeclibdir=$toolexeclibdir/$multi_os_directory ;;
- esac
+ if test x"$enable_multi_os_directory" != x"no"; then
+ multi_os_directory=`$CC $CFLAGS -print-multi-os-directory`
+ case $multi_os_directory in
+ .) ;; # Avoid trailing /.
+ ../*) toolexeclibdir=$toolexeclibdir/$multi_os_directory ;;
+ esac
+ fi
else
toolexeclibdir="${libdir}"
commit 4b33bc00cd49e98b93cf999bf8405909c24cf17a
Author: Balasankar "Balu" C <balasankarc@autistici.org>
Date: Thu Apr 22 16:40:21 2021 +0530
Remove code to download config.guess and config.sub
Signed-off-by: Balasankar "Balu" C <balasankarc@autistici.org>
diff --git a/autogen.sh b/autogen.sh
index 9ef71b53..db8c38e7 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -5,16 +5,3 @@ aclocal -I ./m4
autoheader
automake --foreign --add-missing --copy
autoconf
-# Get latest config.guess and config.sub from upstream master since
-# these are often out of date.
-for file in config.guess config.sub
-do
- echo "$0: getting $file..."
- wget -q --timeout=5 -O config/$file.tmp \
- "https://git.savannah.gnu.org/cgit/config.git/plain/${file}" \
- && mv -f config/$file.tmp config/$file \
- && chmod a+x config/$file
- retval=$?
- rm -f config/$file.tmp
- test $retval -eq 0 || exit $retval
-done
diff --git a/LICENSE.txt b/LICENSE.txt
new file mode 100644
index 0000000..e103d0e
--- /dev/null
+++ b/LICENSE.txt
@@ -0,0 +1,22 @@
+Copyright (c) 2013 Tony Pitale
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1696940019 -10800
# Node ID cdda286c0f1b4b10f30d4eb6a63fefb9b8708ecc
# Parent 3db945fda515014d220151046d02f3960bcfca0a
HTTP/2: per-iteration stream handling limit.
To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced. This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.
Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.
diff -r 3db945fda515 -r cdda286c0f1b src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c Fri Sep 22 19:23:57 2023 +0400
+++ b/src/http/v2/ngx_http_v2.c Tue Oct 10 15:13:39 2023 +0300
@@ -347,6 +347,7 @@
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 read handler");
h2c->blocked = 1;
+ h2c->new_streams = 0;
if (c->close) {
c->close = 0;
@@ -1284,6 +1285,14 @@
goto rst_stream;
}
+ if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many streams at once");
+
+ status = NGX_HTTP_V2_REFUSED_STREAM;
+ goto rst_stream;
+ }
+
if (!h2c->settings_ack
&& !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)
&& h2scf->preread_size < NGX_HTTP_V2_DEFAULT_WINDOW)
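Review bot: The per-iteration limit at `if (h2c->new_streams++ >= 2 * h2scf->concurrent_streams)` depends on a bare multiplier and on the counter being reset elsewhere (the first hunk, apparently in the read handler), and neither is explained next to the check. A short comment such as `/* at most 2 * max_concurrent_streams new streams per event loop iteration; new_streams is reset in the read handler */` would tie the two sites together for the next reader. The refusal is logged at `NGX_LOG_INFO`, so it only serves as a flood signal when the error log level includes info, which is worth stating in the accompanying documentation. The enclosing function starts and ends outside the hunk.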
@@ -1349,6 +1358,12 @@
rst_stream:
+ if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100)) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "client sent too many refused streams");
+ return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_NO_ERROR);
+ }
+
if (ngx_http_v2_send_rst_stream(h2c, h2c->state.sid, status) != NGX_OK) {
return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
}
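Review bot: The refused-stream check `if (h2c->refused_streams++ > ngx_max(h2scf->concurrent_streams, 100))` uses `>` where the new-stream check in the previous hunk uses `>=`, so the connection is closed one refusal later than the stated maximum; if that tolerance is intended a comment should say so, otherwise `>=` would match. Nothing in the visible hunks resets `refused_streams`, so it appears to be a lifetime count for the connection, unlike `new_streams`; a comment on the field in `ngx_http_v2.h`, e.g. `/* streams refused over the connection lifetime */`, would make that explicit. The literal `100` is explained only in the commit message (it mirrors the initial `priority_limit`) and would read better as a named constant or with a one-line comment. The `rst_stream:` label belongs to a function that starts and ends outside the hunk.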
diff -r 3db945fda515 -r cdda286c0f1b src/http/v2/ngx_http_v2.h
--- a/src/http/v2/ngx_http_v2.h Fri Sep 22 19:23:57 2023 +0400
+++ b/src/http/v2/ngx_http_v2.h Tue Oct 10 15:13:39 2023 +0300
@@ -131,6 +131,8 @@
ngx_uint_t processing;
ngx_uint_t frames;
ngx_uint_t idle;
+ ngx_uint_t new_streams;
+ ngx_uint_t refused_streams;
ngx_uint_t priority_limit;
size_t send_window;
diff --git a/lib/omnibus-ctl.rb b/lib/omnibus-ctl.rb
index b3e06c2..acbf8b9 100644
--- a/lib/omnibus-ctl.rb
+++ b/lib/omnibus-ctl.rb
@@ -504,7 +504,6 @@ EOM
# args being passed to this command does not include the ones that are
# starting with "-". See #is_option? method. If it is starting with "-"
# then it is treated as a option and we need to look for them in ARGV.
- check_license_acceptance(ARGV.include?("--accept-license"))
status = run_chef("#{base_path}/embedded/cookbooks/dna.json")
if status.success?