Basic `/internal/pages` endpoint that will be used for Pages virtual
domains internal API. The endpoint is currently behind feature flag and
provides authetication similar to how Workhorse is authenticating with
the GitLab.
- Add mail interceptor the signs outgoing email with SMIME
- Add lib and helpers to work with SMIME data
- New configuration params for setting up SMIME key and cert files
A nonce-based Content-Security-Policy thwarts XSS attacks by allowing
inline JavaScript to execute if the script nonce matches the header
value. Rails 5.2 supports nonce-based Content-Security-Policy headers,
so provide configuration to enable this and make it work.
To support this, we need to change all `:javascript` HAML filters to the
following form:
```
= javascript_tag nonce: true do
:plain
...
```
We use `%script` throughout our HAML to store JSON and other text, but
since this doesn't execute, browsers don't appear to block this content
from being used and require the nonce value to be present.
To make this happen, we need to conditionally add the group_saml
strategy when running tests, but only on EE. This requires some changes
to Gitlab.ee? so that it can be used before/without loading the Rails
environment. We also have to change how we require a few files, so this
can run outside of Rails.
Since external diffs are likely to be a bit slower than in-database
ones, add a mode that makes diffs external after they've been obsoleted
by events. This should strike a balance between performance and disk
space.
A background cron drives the majority of migrations, since diffs become
outdated through user actions.
In this commit, some methods that aren't being used
are removed from `Gitlab::Shell`. They are the ff:
- `#remove_keys_not_found_in_db`
- `#batch_read_key_ids`
- `#list_key_ids`
The corresponding methods in `Gitlab::Keys` have been
removed as well.
We've previously exposed ca_file and ssl_version but there are many
possible options that can be used inside tls_options. Instead of
exposing individual ones, simply expose the entire hash so it can
be passed in and we won't have to add things in the future.
Adds gitlab.impersonation_enabled config option defaulting to true to
keep the current default behaviour.
Only the act of impersonation is modified, impersonation token
management is not affected.
Broken storage used to be used to test situations where the Git storage
wasn't being reached. These days we can just mock the Gitaly response.
But given the broken storage is removed now, Gitaly can take over
control of the storage being reachable. If it's not, Gitaly won't boot.
That's nice for situations where a disk wasn't mounted for instance.
Gitaly MR: https://gitlab.com/gitlab-org/gitaly/merge_requests/675
Krasimir Angelov
Winnie Hellmann
Valery Sizov
dodocat
Heinrich Lee Yu
J0WI
Diego Louzán
Stan Hu
Reuben Pereira
Robert Speicher
Takuya Noguchi
Yorick Peterse
Jan Provaznik
Gosia Ksionek
Douglas Barbosa Alexandre
Roger Meier
Dmitriy Zaporozhets
Nick Thomas
Patrick Bajao
Drew Blessing
Jacob Vosmaer
Pepijn Van Eeckhoudt
Ahmad Hassan
Michael Tsyganov
Imre Farkas
Marin Jankovski
George Tsiolis
Zeger-Jan van de Weg
Tuomo Ala-Vannesluoma
Marcel Amirault
Samuele Kaplun
Shinya Maeda
Balasankar "Balu" C
Rémy Coutable
Richard Hancock
Annabel Gray
Douwe Maan
Alessio Caiazza