Commit 9b03d512 authored by Alper Akgun's avatar Alper Akgun

Merge branch...

Merge branch '243555-update-whitelist-blacklist-to-allowlist-denylist-in-signup-restrictions-window-2' into 'master'

Use allowlist/denylist in application settings backend

See merge request gitlab-org/gitlab!46170
parents eb632e1d 40c46f39
...@@ -218,8 +218,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController ...@@ -218,8 +218,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
# TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204) # TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
params.delete(:domain_denylist_raw) if params[:domain_denylist_file] params.delete(:domain_denylist_raw) if params[:domain_denylist_file]
params.delete(:domain_denylist_raw) if params[:domain_blacklist] params.delete(:domain_denylist_raw) if params[:domain_denylist]
params.delete(:domain_allowlist_raw) if params[:domain_whitelist] params.delete(:domain_allowlist_raw) if params[:domain_allowlist]
params.require(:application_setting).permit( params.require(:application_setting).permit(
visible_application_setting_attributes visible_application_setting_attributes
......
...@@ -199,11 +199,11 @@ module ApplicationSettingsHelper ...@@ -199,11 +199,11 @@ module ApplicationSettingsHelper
:default_projects_limit, :default_projects_limit,
:default_snippet_visibility, :default_snippet_visibility,
:disabled_oauth_sign_in_sources, :disabled_oauth_sign_in_sources,
:domain_blacklist, :domain_denylist,
:domain_blacklist_enabled, :domain_denylist_enabled,
# TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204) # TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
:domain_denylist_raw, :domain_denylist_raw,
:domain_whitelist, :domain_allowlist,
# TODO Remove domain_allowlist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204) # TODO Remove domain_allowlist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
:domain_allowlist_raw, :domain_allowlist_raw,
:outbound_local_requests_allowlist_raw, :outbound_local_requests_allowlist_raw,
......
...@@ -40,8 +40,8 @@ class ApplicationSetting < ApplicationRecord ...@@ -40,8 +40,8 @@ class ApplicationSetting < ApplicationRecord
serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize
serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize
serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize serialize :domain_allowlist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_blacklist, Array # rubocop:disable Cop/ActiveRecordSerialize serialize :domain_denylist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize
serialize :asset_proxy_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize serialize :asset_proxy_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize
...@@ -184,9 +184,9 @@ class ApplicationSetting < ApplicationRecord ...@@ -184,9 +184,9 @@ class ApplicationSetting < ApplicationRecord
validates :enabled_git_access_protocol, validates :enabled_git_access_protocol,
inclusion: { in: %w(ssh http), allow_blank: true } inclusion: { in: %w(ssh http), allow_blank: true }
validates :domain_blacklist, validates :domain_denylist,
presence: { message: 'Domain blacklist cannot be empty if Blacklist is enabled.' }, presence: { message: 'Domain denylist cannot be empty if denylist is enabled.' },
if: :domain_blacklist_enabled? if: :domain_denylist_enabled?
validates :housekeeping_incremental_repack_period, validates :housekeeping_incremental_repack_period,
presence: true, presence: true,
......
...@@ -60,7 +60,7 @@ module ApplicationSettingImplementation ...@@ -60,7 +60,7 @@ module ApplicationSettingImplementation
diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES, diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
disabled_oauth_sign_in_sources: [], disabled_oauth_sign_in_sources: [],
dns_rebinding_protection_enabled: true, dns_rebinding_protection_enabled: true,
domain_whitelist: Settings.gitlab['domain_whitelist'], domain_allowlist: Settings.gitlab['domain_allowlist'],
dsa_key_restriction: 0, dsa_key_restriction: 0,
ecdsa_key_restriction: 0, ecdsa_key_restriction: 0,
ed25519_key_restriction: 0, ed25519_key_restriction: 0,
...@@ -203,19 +203,19 @@ module ApplicationSettingImplementation ...@@ -203,19 +203,19 @@ module ApplicationSettingImplementation
end end
def domain_allowlist_raw def domain_allowlist_raw
array_to_string(self.domain_whitelist) array_to_string(self.domain_allowlist)
end end
def domain_denylist_raw def domain_denylist_raw
array_to_string(self.domain_blacklist) array_to_string(self.domain_denylist)
end end
def domain_allowlist_raw=(values) def domain_allowlist_raw=(values)
self.domain_whitelist = strings_to_array(values) self.domain_allowlist = strings_to_array(values)
end end
def domain_denylist_raw=(values) def domain_denylist_raw=(values)
self.domain_blacklist = strings_to_array(values) self.domain_denylist = strings_to_array(values)
end end
def domain_denylist_file=(file) def domain_denylist_file=(file)
...@@ -242,7 +242,7 @@ module ApplicationSettingImplementation ...@@ -242,7 +242,7 @@ module ApplicationSettingImplementation
end end
# This method separates out the strings stored in the # This method separates out the strings stored in the
# application_setting.outbound_local_requests_allowlist array into 2 arrays; # application_setting.outbound_local_requests_whitelist array into 2 arrays;
# an array of IPAddr objects (`[IPAddr.new('127.0.0.1')]`), and an array of # an array of IPAddr objects (`[IPAddr.new('127.0.0.1')]`), and an array of
# domain strings (`['www.example.com']`). # domain strings (`['www.example.com']`).
def outbound_local_requests_allowlist_arrays def outbound_local_requests_allowlist_arrays
......
...@@ -1843,15 +1843,15 @@ class User < ApplicationRecord ...@@ -1843,15 +1843,15 @@ class User < ApplicationRecord
valid = true valid = true
error = nil error = nil
if Gitlab::CurrentSettings.domain_blacklist_enabled? if Gitlab::CurrentSettings.domain_denylist_enabled?
blocked_domains = Gitlab::CurrentSettings.domain_blacklist blocked_domains = Gitlab::CurrentSettings.domain_denylist
if domain_matches?(blocked_domains, email) if domain_matches?(blocked_domains, email)
error = 'is not from an allowed domain.' error = 'is not from an allowed domain.'
valid = false valid = false
end end
end end
allowed_domains = Gitlab::CurrentSettings.domain_whitelist allowed_domains = Gitlab::CurrentSettings.domain_allowlist
unless allowed_domains.blank? unless allowed_domains.blank?
if domain_matches?(allowed_domains, email) if domain_matches?(allowed_domains, email)
valid = true valid = true
......
...@@ -31,14 +31,14 @@ ...@@ -31,14 +31,14 @@
.form-text.text-muted .form-text.text-muted
= _("See GitLab's %{password_policy_guidelines}").html_safe % { password_policy_guidelines: password_policy_guidelines_link } = _("See GitLab's %{password_policy_guidelines}").html_safe % { password_policy_guidelines: password_policy_guidelines_link }
.form-group .form-group
= f.label :domain_whitelist, _('Allowed domains for sign-ups'), class: 'label-bold' = f.label :domain_allowlist, _('Allowed domains for sign-ups'), class: 'label-bold'
= f.text_area :domain_allowlist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8 = f.text_area :domain_allowlist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
.form-text.text-muted ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com .form-text.text-muted ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
.form-group .form-group
= f.label :domain_blacklist_enabled, _('Domain denylist'), class: 'label-bold' = f.label :domain_denylist_enabled, _('Domain denylist'), class: 'label-bold'
.form-check .form-check
= f.check_box :domain_blacklist_enabled, class: 'form-check-input' = f.check_box :domain_denylist_enabled, class: 'form-check-input'
= f.label :domain_blacklist_enabled, class: 'form-check-label' do = f.label :domain_denylist_enabled, class: 'form-check-label' do
Enable domain denylist for sign ups Enable domain denylist for sign ups
.form-group .form-group
.form-check .form-check
...@@ -47,7 +47,7 @@ ...@@ -47,7 +47,7 @@
.option-title .option-title
Upload denylist file Upload denylist file
.form-check .form-check
= radio_button_tag :denylist_type, :raw, @application_setting.domain_blacklist.present? || @application_setting.domain_blacklist.blank?, class: 'form-check-input' = radio_button_tag :denylist_type, :raw, @application_setting.domain_denylist.present? || @application_setting.domain_denylist.blank?, class: 'form-check-input'
= label_tag :denylist_type_raw, class: 'form-check-label' do = label_tag :denylist_type_raw, class: 'form-check-label' do
.option-title .option-title
Enter denylist manually Enter denylist manually
...@@ -56,7 +56,7 @@ ...@@ -56,7 +56,7 @@
= f.file_field :domain_denylist_file, class: 'form-control', accept: '.txt,.conf' = f.file_field :domain_denylist_file, class: 'form-control', accept: '.txt,.conf'
.form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines or commas for multiple entries. .form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines or commas for multiple entries.
.form-group.js-denylist-raw .form-group.js-denylist-raw
= f.label :domain_blacklist, _('Denied domains for sign-ups'), class: 'label-bold' = f.label :domain_denylist, _('Denied domains for sign-ups'), class: 'label-bold'
= f.text_area :domain_denylist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8 = f.text_area :domain_denylist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
.form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com .form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
.form-group .form-group
......
---
title: Use allowlist/denylist in application settings backend
merge_request: 46170
author:
type: changed
...@@ -198,7 +198,7 @@ Settings.gitlab.default_projects_features['snippets'] = true if Settin ...@@ -198,7 +198,7 @@ Settings.gitlab.default_projects_features['snippets'] = true if Settin
Settings.gitlab.default_projects_features['builds'] = true if Settings.gitlab.default_projects_features['builds'].nil? Settings.gitlab.default_projects_features['builds'] = true if Settings.gitlab.default_projects_features['builds'].nil?
Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil? Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil?
Settings.gitlab.default_projects_features['visibility_level'] = Settings.__send__(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE) Settings.gitlab.default_projects_features['visibility_level'] = Settings.__send__(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
Settings.gitlab['domain_whitelist'] ||= [] Settings.gitlab['domain_allowlist'] ||= []
Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
Settings.gitlab['trusted_proxies'] ||= [] Settings.gitlab['trusted_proxies'] ||= []
Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash
......
# frozen_string_literal: true
class RenameApplicationSettingsToAllowDenyNames < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
rename_column_concurrently :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
rename_column_concurrently :application_settings, :domain_blacklist, :domain_denylist
rename_column_concurrently :application_settings, :domain_whitelist, :domain_allowlist
end
def down
undo_rename_column_concurrently :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
undo_rename_column_concurrently :application_settings, :domain_blacklist, :domain_denylist
undo_rename_column_concurrently :application_settings, :domain_whitelist, :domain_allowlist
end
end
# frozen_string_literal: true
class CleanupApplicationSettingsToAllowDenyRename < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
disable_ddl_transaction!
def up
cleanup_concurrent_column_rename :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
cleanup_concurrent_column_rename :application_settings, :domain_blacklist, :domain_denylist
cleanup_concurrent_column_rename :application_settings, :domain_whitelist, :domain_allowlist
end
def down
undo_cleanup_concurrent_column_rename :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
undo_cleanup_concurrent_column_rename :application_settings, :domain_blacklist, :domain_denylist
undo_cleanup_concurrent_column_rename :application_settings, :domain_whitelist, :domain_allowlist
end
end
c718bc731f7dc3e1f0104dfdb79a3dc46c46849153ec9b228600eeb5a92465e7
\ No newline at end of file
a61310c95a1302871ea18881d45bc0c7357baa8f24daa31b7e2174318dab5707
\ No newline at end of file
...@@ -9083,7 +9083,6 @@ CREATE TABLE application_settings ( ...@@ -9083,7 +9083,6 @@ CREATE TABLE application_settings (
max_attachment_size integer DEFAULT 10 NOT NULL, max_attachment_size integer DEFAULT 10 NOT NULL,
default_project_visibility integer DEFAULT 0 NOT NULL, default_project_visibility integer DEFAULT 0 NOT NULL,
default_snippet_visibility integer DEFAULT 0 NOT NULL, default_snippet_visibility integer DEFAULT 0 NOT NULL,
domain_whitelist text,
user_oauth_applications boolean DEFAULT true, user_oauth_applications boolean DEFAULT true,
after_sign_out_path character varying, after_sign_out_path character varying,
session_expire_delay integer DEFAULT 10080 NOT NULL, session_expire_delay integer DEFAULT 10080 NOT NULL,
...@@ -9119,8 +9118,6 @@ CREATE TABLE application_settings ( ...@@ -9119,8 +9118,6 @@ CREATE TABLE application_settings (
elasticsearch_search boolean DEFAULT false NOT NULL, elasticsearch_search boolean DEFAULT false NOT NULL,
repository_storages character varying DEFAULT 'default'::character varying, repository_storages character varying DEFAULT 'default'::character varying,
enabled_git_access_protocol character varying, enabled_git_access_protocol character varying,
domain_blacklist_enabled boolean DEFAULT false,
domain_blacklist text,
usage_ping_enabled boolean DEFAULT true NOT NULL, usage_ping_enabled boolean DEFAULT true NOT NULL,
sign_in_text_html text, sign_in_text_html text,
help_page_text_html text, help_page_text_html text,
...@@ -9341,6 +9338,9 @@ CREATE TABLE application_settings ( ...@@ -9341,6 +9338,9 @@ CREATE TABLE application_settings (
secret_detection_token_revocation_url text, secret_detection_token_revocation_url text,
encrypted_secret_detection_token_revocation_token text, encrypted_secret_detection_token_revocation_token text,
encrypted_secret_detection_token_revocation_token_iv text, encrypted_secret_detection_token_revocation_token_iv text,
domain_denylist_enabled boolean DEFAULT false,
domain_denylist text,
domain_allowlist text,
new_user_signups_cap integer, new_user_signups_cap integer,
CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)), CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),
CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)), CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)),
......
...@@ -43,9 +43,9 @@ Example response: ...@@ -43,9 +43,9 @@ Example response:
"home_page_url" : null, "home_page_url" : null,
"default_snippet_visibility" : "private", "default_snippet_visibility" : "private",
"outbound_local_requests_whitelist": [], "outbound_local_requests_whitelist": [],
"domain_whitelist" : [], "domain_allowlist" : [],
"domain_blacklist_enabled" : false, "domain_denylist_enabled" : false,
"domain_blacklist" : [], "domain_denylist" : [],
"created_at" : "2016-01-04T15:44:55.176Z", "created_at" : "2016-01-04T15:44:55.176Z",
"default_ci_config_path" : null, "default_ci_config_path" : null,
"default_project_visibility" : "private", "default_project_visibility" : "private",
...@@ -134,9 +134,9 @@ Example response: ...@@ -134,9 +134,9 @@ Example response:
"default_snippet_visibility": "private", "default_snippet_visibility": "private",
"default_group_visibility": "private", "default_group_visibility": "private",
"outbound_local_requests_whitelist": [], "outbound_local_requests_whitelist": [],
"domain_whitelist": [], "domain_allowlist": [],
"domain_blacklist_enabled" : false, "domain_denylist_enabled" : false,
"domain_blacklist" : [], "domain_denylist" : [],
"external_authorization_service_enabled": true, "external_authorization_service_enabled": true,
"external_authorization_service_url": "https://authorize.me", "external_authorization_service_url": "https://authorize.me",
"external_authorization_service_default_label": "default", "external_authorization_service_default_label": "default",
...@@ -233,9 +233,9 @@ listed in the descriptions of the relevant settings. ...@@ -233,9 +233,9 @@ listed in the descriptions of the relevant settings.
| `diff_max_patch_bytes` | integer | no | Maximum diff patch size (Bytes). | | `diff_max_patch_bytes` | integer | no | Maximum diff patch size (Bytes). |
| `disabled_oauth_sign_in_sources` | array of strings | no | Disabled OAuth sign-in sources. | | `disabled_oauth_sign_in_sources` | array of strings | no | Disabled OAuth sign-in sources. |
| `dns_rebinding_protection_enabled` | boolean | no | Enforce DNS rebinding attack protection. | | `dns_rebinding_protection_enabled` | boolean | no | Enforce DNS rebinding attack protection. |
| `domain_blacklist_enabled` | boolean | no | (**If enabled, requires:** `domain_blacklist`) Allows blocking sign-ups from emails from specific domains. | | `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. |
| `domain_blacklist` | array of strings | no | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. | | `domain_denylist` | array of strings | no | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. |
| `domain_whitelist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. | | `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
| `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. | | `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
| `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. | | `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
| `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. | | `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |
......
...@@ -94,6 +94,8 @@ renaming. For example ...@@ -94,6 +94,8 @@ renaming. For example
class RenameUsersUpdatedAtToUpdatedAtTimestamp < ActiveRecord::Migration[4.2] class RenameUsersUpdatedAtToUpdatedAtTimestamp < ActiveRecord::Migration[4.2]
include Gitlab::Database::MigrationHelpers include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction! disable_ddl_transaction!
def up def up
......
...@@ -53,9 +53,9 @@ module API ...@@ -53,9 +53,9 @@ module API
optional :default_projects_limit, type: Integer, desc: 'The maximum number of personal projects' optional :default_projects_limit, type: Integer, desc: 'The maximum number of personal projects'
optional :default_snippet_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default snippet visibility' optional :default_snippet_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default snippet visibility'
optional :disabled_oauth_sign_in_sources, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Disable certain OAuth sign-in sources' optional :disabled_oauth_sign_in_sources, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Disable certain OAuth sign-in sources'
optional :domain_blacklist_enabled, type: Boolean, desc: 'Enable domain blacklist for sign ups' optional :domain_denylist_enabled, type: Boolean, desc: 'Enable domain denylist for sign ups'
optional :domain_blacklist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com' optional :domain_denylist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
optional :domain_whitelist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com' optional :domain_allowlist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
optional :eks_integration_enabled, type: Boolean, desc: 'Enable integration with Amazon EKS' optional :eks_integration_enabled, type: Boolean, desc: 'Enable integration with Amazon EKS'
given eks_integration_enabled: -> (val) { val } do given eks_integration_enabled: -> (val) { val } do
requires :eks_account_id, type: String, desc: 'Amazon account ID for EKS integration' requires :eks_account_id, type: String, desc: 'Amazon account ID for EKS integration'
......
...@@ -113,7 +113,7 @@ module Gitlab ...@@ -113,7 +113,7 @@ module Gitlab
end end
rescue SocketError rescue SocketError
# If the dns rebinding protection is not enabled or the domain # If the dns rebinding protection is not enabled or the domain
# is whitelisted we avoid the dns rebinding checks # is allowed we avoid the dns rebinding checks
return if domain_allowed?(uri) || !dns_rebind_protection return if domain_allowed?(uri) || !dns_rebind_protection
# In the test suite we use a lot of mocked urls that are either invalid or # In the test suite we use a lot of mocked urls that are either invalid or
......
...@@ -350,7 +350,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -350,7 +350,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
expect(described_class).to be_blocked_url('http://[fe80::c800:eff:fe74:8]', allow_local_network: false) expect(described_class).to be_blocked_url('http://[fe80::c800:eff:fe74:8]', allow_local_network: false)
end end
context 'when local domain/IP is whitelisted' do context 'when local domain/IP is allowed' do
let(:url_blocker_attributes) do let(:url_blocker_attributes) do
{ {
allow_localhost: false, allow_localhost: false,
...@@ -360,11 +360,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -360,11 +360,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
before do before do
allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new) allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new)
stub_application_setting(outbound_local_requests_whitelist: whitelist) stub_application_setting(outbound_local_requests_whitelist: allowlist)
end end
context 'with IPs in whitelist' do context 'with IPs in allowlist' do
let(:whitelist) do let(:allowlist) do
[ [
'0.0.0.0', '0.0.0.0',
'127.0.0.1', '127.0.0.1',
...@@ -396,7 +396,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -396,7 +396,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
it_behaves_like 'allows local requests', { allow_localhost: false, allow_local_network: false } it_behaves_like 'allows local requests', { allow_localhost: false, allow_local_network: false }
it 'whitelists IP when dns_rebind_protection is disabled' do it 'allows IP when dns_rebind_protection is disabled' do
url = "http://example.com" url = "http://example.com"
attrs = url_blocker_attributes.merge(dns_rebind_protection: false) attrs = url_blocker_attributes.merge(dns_rebind_protection: false)
...@@ -410,8 +410,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -410,8 +410,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end end
end end
context 'with domains in whitelist' do context 'with domains in allowlist' do
let(:whitelist) do let(:allowlist) do
[ [
'www.example.com', 'www.example.com',
'example.com', 'example.com',
...@@ -420,7 +420,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -420,7 +420,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
] ]
end end
it 'allows domains present in whitelist' do it 'allows domains present in allowlist' do
domain = 'example.com' domain = 'example.com'
subdomain1 = 'www.example.com' subdomain1 = 'www.example.com'
subdomain2 = 'subdomain.example.com' subdomain2 = 'subdomain.example.com'
...@@ -435,7 +435,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -435,7 +435,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
url_blocker_attributes) url_blocker_attributes)
end end
# subdomain2 is not part of the whitelist so it should be blocked # subdomain2 is not part of the allowlist so it should be blocked
stub_domain_resolv(subdomain2, '192.168.1.1') do stub_domain_resolv(subdomain2, '192.168.1.1') do
expect(described_class).to be_blocked_url("http://#{subdomain2}", expect(described_class).to be_blocked_url("http://#{subdomain2}",
url_blocker_attributes) url_blocker_attributes)
...@@ -458,8 +458,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -458,8 +458,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end end
shared_examples 'dns rebinding checks' do shared_examples 'dns rebinding checks' do
shared_examples 'whitelists the domain' do shared_examples 'allowlists the domain' do
let(:whitelist) { [domain] } let(:allowlist) { [domain] }
let(:url) { "http://#{domain}" } let(:url) { "http://#{domain}" }
before do before do
...@@ -475,13 +475,13 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -475,13 +475,13 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
context 'enabled' do context 'enabled' do
let(:dns_rebind_value) { true } let(:dns_rebind_value) { true }
it_behaves_like 'whitelists the domain' it_behaves_like 'allowlists the domain'
end end
context 'disabled' do context 'disabled' do
let(:dns_rebind_value) { false } let(:dns_rebind_value) { false }
it_behaves_like 'whitelists the domain' it_behaves_like 'allowlists the domain'
end end
end end
end end
...@@ -504,11 +504,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do ...@@ -504,11 +504,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end end
context 'with ports' do context 'with ports' do
let(:whitelist) do let(:allowlist) do
["127.0.0.1:2000"] ["127.0.0.1:2000"]
end end
it 'allows domain with port when resolved ip has port whitelisted' do it 'allows domain with port when resolved ip has port allowed' do
stub_domain_resolv("www.resolve-domain.com", '127.0.0.1') do stub_domain_resolv("www.resolve-domain.com", '127.0.0.1') do
expect(described_class).not_to be_blocked_url("http://www.resolve-domain.com:2000", url_blocker_attributes) expect(described_class).not_to be_blocked_url("http://www.resolve-domain.com:2000", url_blocker_attributes)
end end
......
...@@ -319,7 +319,7 @@ RSpec.describe User do ...@@ -319,7 +319,7 @@ RSpec.describe User do
expect(subject).to validate_presence_of(:username) expect(subject).to validate_presence_of(:username)
end end
it 'rejects blacklisted names' do it 'rejects denied names' do
user = build(:user, username: 'dashboard') user = build(:user, username: 'dashboard')
expect(user).not_to be_valid expect(user).not_to be_valid
...@@ -442,9 +442,9 @@ RSpec.describe User do ...@@ -442,9 +442,9 @@ RSpec.describe User do
end end
describe 'email' do describe 'email' do
context 'when no signup domains whitelisted' do context 'when no signup domains allowed' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return([]) allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return([])
end end
it 'accepts any email' do it 'accepts any email' do
...@@ -455,7 +455,7 @@ RSpec.describe User do ...@@ -455,7 +455,7 @@ RSpec.describe User do
context 'bad regex' do context 'bad regex' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['([a-zA-Z0-9]+)+\.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['([a-zA-Z0-9]+)+\.com'])
end end
it 'does not hang on evil input' do it 'does not hang on evil input' do
...@@ -467,9 +467,9 @@ RSpec.describe User do ...@@ -467,9 +467,9 @@ RSpec.describe User do
end end
end end
context 'when a signup domain is whitelisted and subdomains are allowed' do context 'when a signup domain is allowed and subdomains are allowed' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com', '*.example.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['example.com', '*.example.com'])
end end
it 'accepts info@example.com' do it 'accepts info@example.com' do
...@@ -488,9 +488,9 @@ RSpec.describe User do ...@@ -488,9 +488,9 @@ RSpec.describe User do
end end
end end
context 'when a signup domain is whitelisted and subdomains are not allowed' do context 'when a signup domain is allowed and subdomains are not allowed' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['example.com'])
end end
it 'accepts info@example.com' do it 'accepts info@example.com' do
...@@ -514,15 +514,15 @@ RSpec.describe User do ...@@ -514,15 +514,15 @@ RSpec.describe User do
end end
end end
context 'domain blacklist' do context 'domain denylist' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist_enabled?).and_return(true) allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist_enabled?).and_return(true)
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['example.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['example.com'])
end end
context 'bad regex' do context 'bad regex' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['([a-zA-Z0-9]+)+\.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['([a-zA-Z0-9]+)+\.com'])
end end
it 'does not hang on evil input' do it 'does not hang on evil input' do
...@@ -534,7 +534,7 @@ RSpec.describe User do ...@@ -534,7 +534,7 @@ RSpec.describe User do
end end
end end
context 'when a signup domain is blacklisted' do context 'when a signup domain is denied' do
it 'accepts info@test.com' do it 'accepts info@test.com' do
user = build(:user, email: 'info@test.com') user = build(:user, email: 'info@test.com')
expect(user).to be_valid expect(user).to be_valid
...@@ -551,13 +551,13 @@ RSpec.describe User do ...@@ -551,13 +551,13 @@ RSpec.describe User do
end end
end end
context 'when a signup domain is blacklisted but a wildcard subdomain is allowed' do context 'when a signup domain is denied but a wildcard subdomain is allowed' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['test.example.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['test.example.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['*.example.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['*.example.com'])
end end
it 'gives priority to whitelist and allow info@test.example.com' do it 'gives priority to allowlist and allow info@test.example.com' do
user = build(:user, email: 'info@test.example.com') user = build(:user, email: 'info@test.example.com')
expect(user).to be_valid expect(user).to be_valid
end end
...@@ -565,7 +565,7 @@ RSpec.describe User do ...@@ -565,7 +565,7 @@ RSpec.describe User do
context 'with both lists containing a domain' do context 'with both lists containing a domain' do
before do before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['test.com']) allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['test.com'])
end end
it 'accepts info@test.com' do it 'accepts info@test.com' do
...@@ -3637,9 +3637,9 @@ RSpec.describe User do ...@@ -3637,9 +3637,9 @@ RSpec.describe User do
end end
end end
context 'when a domain whitelist is in place' do context 'when a domain allowlist is in place' do
before do before do
stub_application_setting(domain_whitelist: ['gitlab.com']) stub_application_setting(domain_allowlist: ['gitlab.com'])
end end
it 'creates a ghost user' do it 'creates a ghost user' do
......
...@@ -379,41 +379,41 @@ RSpec.describe API::Settings, 'Settings' do ...@@ -379,41 +379,41 @@ RSpec.describe API::Settings, 'Settings' do
end end
end end
context 'domain_blacklist settings' do context 'domain_denylist settings' do
it 'rejects domain_blacklist_enabled when domain_blacklist is empty' do it 'rejects domain_denylist_enabled when domain_denylist is empty' do
put api('/application/settings', admin), put api('/application/settings', admin),
params: { params: {
domain_blacklist_enabled: true, domain_denylist_enabled: true,
domain_blacklist: [] domain_denylist: []
} }
expect(response).to have_gitlab_http_status(:bad_request) expect(response).to have_gitlab_http_status(:bad_request)
message = json_response["message"] message = json_response["message"]
expect(message["domain_blacklist"]).to eq(["Domain blacklist cannot be empty if Blacklist is enabled."]) expect(message["domain_denylist"]).to eq(["Domain denylist cannot be empty if denylist is enabled."])
end end
it 'allows array for domain_blacklist' do it 'allows array for domain_denylist' do
put api('/application/settings', admin), put api('/application/settings', admin),
params: { params: {
domain_blacklist_enabled: true, domain_denylist_enabled: true,
domain_blacklist: ['domain1.com', 'domain2.com'] domain_denylist: ['domain1.com', 'domain2.com']
} }
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['domain_blacklist_enabled']).to be(true) expect(json_response['domain_denylist_enabled']).to be(true)
expect(json_response['domain_blacklist']).to eq(['domain1.com', 'domain2.com']) expect(json_response['domain_denylist']).to eq(['domain1.com', 'domain2.com'])
end end
it 'allows a string for domain_blacklist' do it 'allows a string for domain_denylist' do
put api('/application/settings', admin), put api('/application/settings', admin),
params: { params: {
domain_blacklist_enabled: true, domain_denylist_enabled: true,
domain_blacklist: 'domain3.com, *.domain4.com' domain_denylist: 'domain3.com, *.domain4.com'
} }
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['domain_blacklist_enabled']).to be(true) expect(json_response['domain_denylist_enabled']).to be(true)
expect(json_response['domain_blacklist']).to eq(['domain3.com', '*.domain4.com']) expect(json_response['domain_denylist']).to eq(['domain3.com', '*.domain4.com'])
end end
end end
......
...@@ -66,7 +66,7 @@ RSpec.describe ApplicationSettings::UpdateService do ...@@ -66,7 +66,7 @@ RSpec.describe ApplicationSettings::UpdateService do
context 'when params is blank' do context 'when params is blank' do
let(:params) { {} } let(:params) { {} }
it 'does not add to whitelist' do it 'does not add to allowlist' do
expect { subject.execute }.not_to change { expect { subject.execute }.not_to change {
application_settings.outbound_local_requests_whitelist application_settings.outbound_local_requests_whitelist
} }
...@@ -80,7 +80,7 @@ RSpec.describe ApplicationSettings::UpdateService do ...@@ -80,7 +80,7 @@ RSpec.describe ApplicationSettings::UpdateService do
let(:params) { { add_to_outbound_local_requests_whitelist: ['example.com', ''] } } let(:params) { { add_to_outbound_local_requests_whitelist: ['example.com', ''] } }
it 'adds to whitelist' do it 'adds to allowlist' do
expect { subject.execute }.to change { expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist application_settings.outbound_local_requests_whitelist
} }
...@@ -98,7 +98,7 @@ RSpec.describe ApplicationSettings::UpdateService do ...@@ -98,7 +98,7 @@ RSpec.describe ApplicationSettings::UpdateService do
let(:params) { { outbound_local_requests_allowlist_raw: 'example.com;gitlab.com' } } let(:params) { { outbound_local_requests_allowlist_raw: 'example.com;gitlab.com' } }
it 'overwrites the existing whitelist' do it 'overwrites the existing allowlist' do
expect { subject.execute }.to change { expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist application_settings.outbound_local_requests_whitelist
} }
......
...@@ -49,15 +49,15 @@ end ...@@ -49,15 +49,15 @@ end
RSpec.shared_examples 'application settings examples' do RSpec.shared_examples 'application settings examples' do
context 'restricted signup domains' do context 'restricted signup domains' do
it_behaves_like 'string of domains', :domain_allowlist, :domain_whitelist it_behaves_like 'string of domains', :domain_allowlist, :domain_allowlist
end end
context 'blacklisted signup domains' do context 'denied signup domains' do
it_behaves_like 'string of domains', :domain_denylist, :domain_blacklist it_behaves_like 'string of domains', :domain_denylist, :domain_denylist
it 'sets multiple domain with file' do it 'sets multiple domain with file' do
setting.domain_denylist_file = File.open(Rails.root.join('spec/fixtures/', 'domain_denylist.txt')) setting.domain_denylist_file = File.open(Rails.root.join('spec/fixtures/', 'domain_denylist.txt'))
expect(setting.domain_blacklist).to contain_exactly('example.com', 'test.com', 'foo.bar') expect(setting.domain_denylist).to contain_exactly('example.com', 'test.com', 'foo.bar')
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment