Application setting for FloC participation (disabled by default)

577966e9 · Lukas 'Eipi' Eipert · Natalia Tepluhina · c4ef6fee · 577966e9 · 577966e9
Commit 577966e9 authored May 07, 2021 by Lukas 'Eipi' Eipert Committed by Natalia Tepluhina May 07, 2021
15 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -22,6 +22,7 @@ class ApplicationController < ActionController::Base
  include Gitlab::Logging::CloudflareHelper
  include Gitlab::Utils::StrongMemoize
  include ::Gitlab::WithFeatureCategory
+  include FlocOptOut

  before_action :authenticate_user!, except: [:route_not_found]
  before_action :enforce_terms!, if: :should_enforce_terms?

--- a/app/controllers/concerns/floc_opt_out.rb
+++ b/app/controllers/concerns/floc_opt_out.rb
+# frozen_string_literal: true
+
+module FlocOptOut
+  extend ActiveSupport::Concern
+
+  included do
+    after_action :set_floc_opt_out_header, unless: :floc_enabled?
+  end
+
+  def floc_enabled?
+    Gitlab::CurrentSettings.floc_enabled
+  end
+
+  def set_floc_opt_out_header
+    response.headers['Permissions-Policy'] = 'interest-cohort=()'
+  end
+end
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -233,6 +233,7 @@ module ApplicationSettingsHelper
      :external_pipeline_validation_service_token,
      :external_pipeline_validation_service_url,
      :first_day_of_week,
+      :floc_enabled,
      :force_pages_access_control,
      :gitaly_timeout_default,
      :gitaly_timeout_medium,

--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -504,6 +504,9 @@ class ApplicationSetting < ApplicationRecord
  validates :whats_new_variant,
            inclusion: { in: ApplicationSetting.whats_new_variants.keys }

+  validates :floc_enabled,
+            inclusion: { in: [true, false], message: _('must be a boolean value') }
+
  attr_encrypted :asset_proxy_secret_key,
                 mode: :per_attribute_iv,
                 key: Settings.attr_encrypted_db_key_base_truncated,

--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -77,6 +77,7 @@ module ApplicationSettingImplementation
        external_pipeline_validation_service_token: nil,
        external_pipeline_validation_service_url: nil,
        first_day_of_week: 0,
+        floc_enabled: false,
        gitaly_timeout_default: 55,
        gitaly_timeout_fast: 10,
        gitaly_timeout_medium: 30,

--- a/app/views/admin/application_settings/_floc.html.haml
+++ b/app/views/admin/application_settings/_floc.html.haml
+- expanded = integration_expanded?('floc_')
+
+%section.settings.no-animate#js-floc-settings{ class: ('expanded' if expanded) }
+  .settings-header
+    %h4
+      = s_('FloC|Federated Learning of Cohorts')
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
+      = expanded ? _('Collapse') : _('Expand')
+    %p
+      = s_('FloC|Configure whether you want to participate in FloC.').html_safe
+      = link_to sprite_icon('question-o'), 'https://github.com/WICG/floc', target: '_blank', class: 'has-tooltip', title: _('More information')
+
+  .settings-content
+    = form_for @application_setting, url: general_admin_application_settings_path(anchor: 'js-floc-settings'), html: { class: 'fieldset-form', id: 'floc-settings' } do |f|
+      = form_errors(@application_setting)
+
+      %fieldset
+        .form-group
+          .form-check
+            = f.check_box :floc_enabled, class: 'form-check-input'
+            = f.label :floc_enabled, s_('FloC|Enable FloC (Federated Learning of Cohorts)'), class: 'form-check-label'
+      = f.submit s_('Save changes'), class: 'gl-button btn btn-confirm'
--- a/app/views/admin/application_settings/general.html.haml
+++ b/app/views/admin/application_settings/general.html.haml
@@ -112,3 +112,4 @@
 = render 'admin/application_settings/third_party_offers'
 = render 'admin/application_settings/snowplow'
 = render 'admin/application_settings/eks'
+= render 'admin/application_settings/floc'
--- a/changelogs/unreleased/leipert-floc-opt-out-327904.yml
+++ b/changelogs/unreleased/leipert-floc-opt-out-327904.yml
+---
+title: Application setting for FloC participation (disabled by default)
+merge_request: 60933
+author:
+type: added
--- a/db/migrate/20210504135823_add_floc_application_settings.rb
+++ b/db/migrate/20210504135823_add_floc_application_settings.rb
+# frozen_string_literal: true
+
+class AddFlocApplicationSettings < ActiveRecord::Migration[6.0]
+  def change
+    add_column :application_settings, :floc_enabled, :boolean, default: false, null: false
+  end
+end
--- a/db/schema_migrations/20210504135823
+++ b/db/schema_migrations/20210504135823
+9d1254393da80e0b1e387fba493f83f8775f0340f23c648e638a9983f965f5c9
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -9513,6 +9513,7 @@ CREATE TABLE application_settings (
    whats_new_variant smallint DEFAULT 0,
    encrypted_spam_check_api_key bytea,
    encrypted_spam_check_api_key_iv bytea,
+    floc_enabled boolean DEFAULT false NOT NULL,
    CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
    CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)),
    CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -88,6 +88,7 @@ Example response:
  "rate_limiting_response_text": null,
  "keep_latest_artifact": true,
  "admin_mode": false,
+  "floc_enabled": false,
  "external_pipeline_validation_service_timeout": null,
  "external_pipeline_validation_service_token": null,
  "external_pipeline_validation_service_url": null

--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
@@ -171,6 +171,7 @@ module API
      optional :wiki_page_max_content_bytes, type: Integer, desc: "Maximum wiki page content size in bytes"
      optional :require_admin_approval_after_user_signup, type: Boolean, desc: 'Require explicit admin approval for new signups'
      optional :whats_new_variant, type: String, values: ApplicationSetting.whats_new_variants.keys, desc: "What's new variant, possible values: `all_tiers`, `current_tier`, and `disabled`."
+      optional :floc_enabled, type: Grape::API::Boolean, desc: 'Enable FloC (Federated Learning of Cohorts)'

      ApplicationSetting::SUPPORTED_KEY_TYPES.each do |type|
        optional :"#{type}_key_restriction",

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -14079,6 +14079,15 @@ msgstr ""
 msgid "Flags"
 msgstr ""

+msgid "FloC|Configure whether you want to participate in FloC."
+msgstr ""
+
+msgid "FloC|Enable FloC (Federated Learning of Cohorts)"
+msgstr ""
+
+msgid "FloC|Federated Learning of Cohorts"
+msgstr ""
+
 msgid "FlowdockService|1b609b52537..."
 msgstr ""


--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -1027,4 +1027,44 @@ RSpec.describe ApplicationController do
      get :index
    end
  end
+
+  describe 'setting permissions-policy header' do
+    controller do
+      skip_before_action :authenticate_user!
+
+      def index
+        render html: 'It is a flock of sheep, not a floc of sheep.'
+      end
+    end
+
+    before do
+      routes.draw do
+        get 'index' => 'anonymous#index'
+      end
+    end
+
+    context 'with FloC enabled' do
+      before do
+        stub_application_setting floc_enabled: true
+      end
+
+      it 'does not set the Permissions-Policy header' do
+        get :index
+
+        expect(response.headers['Permissions-Policy']).to eq(nil)
+      end
+    end
+
+    context 'with FloC disabled' do
+      before do
+        stub_application_setting floc_enabled: false
+      end
+
+      it 'sets the Permissions-Policy header' do
+        get :index
+
+        expect(response.headers['Permissions-Policy']).to eq('interest-cohort=()')
+      end
+    end
+  end
 end