Merge branch 'rp-allow-local-prom-queries-self-monitoring' into 'master'

Allow queries to internal Prometheus

See merge request gitlab-org/gitlab!27865

app/models/project_services/prometheus_service.rb

@@ -81,7 +81,7 @@ class PrometheusService < MonitoringService
   def prometheus_client
     return unless should_return_client?
 
-    Gitlab::PrometheusClient.new(api_url)
+    Gitlab::PrometheusClient.new(api_url, allow_local_requests: allow_local_api_url?)
   end
 
   def prometheus_available?
@@ -94,7 +94,8 @@ class PrometheusService < MonitoringService
   end
 
   def allow_local_api_url?
-    self_monitoring_project? && internal_prometheus_url?
+    allow_local_requests_from_web_hooks_and_services? ||
+    (self_monitoring_project? && internal_prometheus_url?)
   end
 
   def configured?
@@ -111,6 +112,10 @@ class PrometheusService < MonitoringService
     api_url.present? && api_url == ::Gitlab::Prometheus::Internal.uri
   end
 
+  def allow_local_requests_from_web_hooks_and_services?
+    current_settings.allow_local_requests_from_web_hooks_and_services?
+  end
+
   def should_return_client?
     api_url.present? && manual_configuration? && active? && valid?
   end

changelogs/unreleased/rp-allow-local-prom-queries-self-monitoring.yml

+---
+title: Allow self monitoring project to query internal Prometheus even when "Allow local requests in webhooks and services" setting is false
+merge_request: 27865
+author:
+type: fixed

spec/models/project_services/prometheus_service_spec.rb

@@ -66,6 +66,18 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do
         end
       end
 
+      it 'can query when local requests are allowed' do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+
+        aggregate_failures do
+          ['127.0.0.1', '192.168.2.3'].each do |url|
+            allow(Addrinfo).to receive(:getaddrinfo).with(domain, any_args).and_return([Addrinfo.tcp(url, 80)])
+
+            expect(service.can_query?).to be true
+          end
+        end
+      end
+
       context 'with self-monitoring project and internal Prometheus' do
         before do
           service.api_url = 'http://localhost:9090'
@@ -152,6 +164,54 @@ describe PrometheusService, :use_clean_rails_memory_store_caching do
         expect(service.prometheus_client).to be_nil
       end
     end
+
+    context 'when local requests are allowed' do
+      let(:manual_configuration) { true }
+      let(:api_url) { 'http://192.168.1.1:9090' }
+
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: true)
+
+        stub_prometheus_request("#{api_url}/api/v1/query?query=1")
+      end
+
+      it 'allows local requests' do
+        expect(service.prometheus_client).not_to be_nil
+        expect { service.prometheus_client.ping }.not_to raise_error
+      end
+    end
+
+    context 'when local requests are blocked' do
+      let(:manual_configuration) { true }
+      let(:api_url) { 'http://192.168.1.1:9090' }
+
+      before do
+        stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+
+        stub_prometheus_request("#{api_url}/api/v1/query?query=1")
+      end
+
+      it 'blocks local requests' do
+        expect(service.prometheus_client).to be_nil
+      end
+
+      context 'with self monitoring project and internal Prometheus URL' do
+        before do
+          stub_application_setting(allow_local_requests_from_web_hooks_and_services: false)
+          stub_application_setting(self_monitoring_project_id: project.id)
+
+          stub_config(prometheus: {
+            enable: true,
+            listen_address: api_url
+          })
+        end
+
+        it 'allows local requests' do
+          expect(service.prometheus_client).not_to be_nil
+          expect { service.prometheus_client.ping }.not_to raise_error
+        end
+      end
+    end
   end
 
   describe '#prometheus_available?' do