Add latest changes from gitlab-org/gitlab@master

config/initializers/rack_attack_git_basic_auth.rb

@@ -1,7 +1,9 @@
 # Tell the Rack::Attack Rack middleware to maintain an IP blacklist.
 # We update the blacklist in Gitlab::Auth::IpRateLimiter.
 Rack::Attack.blocklist('Git HTTP Basic Auth') do |req|
-  next false unless Gitlab.config.rack_attack.git_basic_auth.enabled
+  rate_limiter = Gitlab::Auth::IpRateLimiter.new(req.ip)
+
+  next false if !rate_limiter.enabled? || rate_limiter.trusted_ip?
 
   Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
     # This block only gets run if the IP was not already banned.

doc/user/project/clusters/add_remove_clusters.md

@@ -119,6 +119,8 @@ GitLab supports:
 - Creating a new GKE cluster using the GitLab UI.
 - Providing credentials to add an [existing Kubernetes cluster](#add-existing-cluster).
 
+Starting from [GitLab 12.4](https://gitlab.com/gitlab-org/gitlab/issues/25925), all the GKE clusters provisioned by GitLab are [VPC-Native](https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips).
+
 NOTE: **Note:**
 The [Google authentication integration](../../../integration/google.md) must
 be enabled in GitLab at the instance level. If that's not the case, ask your

lib/gitlab/auth/ip_rate_limiter.rb

@@ -21,11 +21,12 @@ module Gitlab
       end
 
       def register_fail!
+        return false if trusted_ip?
+
         # Allow2Ban.filter will return false if this IP has not failed too often yet
         @banned = Rack::Attack::Allow2Ban.filter(ip, config) do
-          # If we return false here, the failure for this IP is ignored by Allow2Ban
-          # If we return true here, the count for the IP is incremented.
-          ip_can_be_banned?
+          # We return true to increment the count for this IP
+          true
         end
       end
 
@@ -33,20 +34,16 @@ module Gitlab
         @banned
       end
 
+      def trusted_ip?
+        trusted_ips.any? { |netmask| netmask.include?(ip) }
+      end
+
       private
 
       def config
         Gitlab.config.rack_attack.git_basic_auth
       end
 
-      def ip_can_be_banned?
-        !trusted_ip?
-      end
-
-      def trusted_ip?
-        trusted_ips.any? { |netmask| netmask.include?(ip) }
-      end
-
       def trusted_ips
         strong_memoize(:trusted_ips) do
           config.ip_whitelist.map do |proxy|

spec/lib/gitlab/exclusive_lease_helpers_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::ExclusiveLeaseHelpers, :clean_gitlab_redis_shared_state do

spec/lib/gitlab/exclusive_lease_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::ExclusiveLease, :clean_gitlab_redis_shared_state do

spec/lib/gitlab/external_authorization_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::ExternalAuthorization, :request_store do

spec/lib/gitlab/fake_application_settings_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::FakeApplicationSettings do

spec/lib/gitlab/favicon_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 RSpec.describe Gitlab::Favicon, :request_store do

spec/lib/gitlab/file_detector_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::FileDetector do

spec/lib/gitlab/file_finder_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::FileFinder do

spec/lib/gitlab/git_access_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::GitAccess do

spec/lib/gitlab/git_access_wiki_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::GitAccessWiki do

spec/lib/gitlab/git_ref_validator_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::GitRefValidator do

spec/lib/gitlab/git_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::Git do

spec/lib/gitlab/gitaly_client_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 # We stub Gitaly in `spec/support/gitaly.rb` for other tests. We don't want

spec/lib/gitlab/github_import_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::GithubImport do

spec/lib/gitlab/gl_repository_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe ::Gitlab::GlRepository do

spec/lib/gitlab/gpg_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::Gpg do
@@ -63,7 +65,7 @@ describe Gitlab::Gpg do
     it 'downcases the email' do
       public_key = double(:key)
       fingerprints = double(:fingerprints)
-      uid = double(:uid, name: 'Nannie Bernhard', email: 'NANNIE.BERNHARD@EXAMPLE.COM')
+      uid = double(:uid, name: +'Nannie Bernhard', email: +'NANNIE.BERNHARD@EXAMPLE.COM')
       raw_key = double(:raw_key, uids: [uid])
       allow(Gitlab::Gpg::CurrentKeyChain).to receive(:fingerprints_from_key).with(public_key).and_return(fingerprints)
       allow(GPGME::Key).to receive(:find).with(:public, anything).and_return([raw_key])
@@ -78,8 +80,8 @@ describe Gitlab::Gpg do
     it 'rejects non UTF-8 names and addresses' do
       public_key = double(:key)
       fingerprints = double(:fingerprints)
-      email = "\xEEch@test.com".force_encoding('ASCII-8BIT')
-      uid = double(:uid, name: 'Test User', email: email)
+      email = (+"\xEEch@test.com").force_encoding('ASCII-8BIT')
+      uid = double(:uid, name: +'Test User', email: email)
       raw_key = double(:raw_key, uids: [uid])
       allow(Gitlab::Gpg::CurrentKeyChain).to receive(:fingerprints_from_key).with(public_key).and_return(fingerprints)
       allow(GPGME::Key).to receive(:find).with(:public, anything).and_return([raw_key])

spec/lib/gitlab/group_search_results_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::GroupSearchResults do

spec/lib/gitlab/highlight_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::Highlight do

spec/lib/gitlab/http_io_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::HttpIO do

spec/lib/gitlab/http_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::HTTP do

spec/lib/gitlab/i18n_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::I18n do

spec/lib/gitlab/identifier_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::Identifier do

spec/lib/gitlab/import_sources_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::ImportSources do

spec/lib/gitlab/incoming_email_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "spec_helper"
 
 describe Gitlab::IncomingEmail do

spec/lib/gitlab/insecure_key_fingerprint_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::InsecureKeyFingerprint do

spec/lib/gitlab/issuable_metadata_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::IssuableMetadata do

spec/lib/gitlab/issuable_sorter_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::IssuableSorter do

spec/lib/gitlab/issuables_count_for_state_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::IssuablesCountForState do

spec/lib/gitlab/job_waiter_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::JobWaiter do

spec/lib/gitlab/json_logger_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::JsonLogger do

spec/lib/gitlab/kubernetes_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::Kubernetes do

spec/lib/gitlab/language_detection_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::LanguageDetection do

spec/lib/gitlab/lazy_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::Lazy do

spec/lib/gitlab/visibility_level_checker_spec.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Gitlab::VisibilityLevelChecker do

spec/requests/git_http_spec.rb

@@ -452,7 +452,7 @@ describe 'Git HTTP requests' do
           context "when authentication fails" do
             context "when the user is IP banned" do
               before do
-                stub_rack_attack_setting(enabled: true)
+                stub_rack_attack_setting(enabled: true, ip_whitelist: [])
               end
 
               it "responds with status 403" do

spec/requests/rack_attack_global_spec.rb

@@ -83,7 +83,7 @@ describe 'Rack Attack global throttles' do
           expect(response).to have_http_status 200
         end
 
-        expect_any_instance_of(Rack::Attack::Request).to receive(:ip).and_return('1.2.3.4')
+        expect_any_instance_of(Rack::Attack::Request).to receive(:ip).at_least(:once).and_return('1.2.3.4')
 
         # would be over limit for the same IP
         get url_that_does_not_require_authentication

spec/support/shared_examples/requests/rack_attack_shared_examples.rb

@@ -74,7 +74,7 @@ shared_examples_for 'rate-limited token-authenticated requests' do
         expect(response).to have_http_status 200
       end
 
-      expect_any_instance_of(Rack::Attack::Request).to receive(:ip).and_return('1.2.3.4')
+      expect_any_instance_of(Rack::Attack::Request).to receive(:ip).at_least(:once).and_return('1.2.3.4')
 
       expect_rejection { get(*get_args) }
     end
@@ -194,7 +194,7 @@ shared_examples_for 'rate-limited web authenticated requests' do
         expect(response).to have_http_status 200
       end
 
-      expect_any_instance_of(Rack::Attack::Request).to receive(:ip).and_return('1.2.3.4')
+      expect_any_instance_of(Rack::Attack::Request).to receive(:ip).at_least(:once).and_return('1.2.3.4')
 
       expect_rejection { get url_that_requires_authentication }
     end