Support setting Rails asset host via gitlab.yml

Previously the only way to set the Rails asset host was via the `GITLAB_CDN_HOST` environment variable. This still works, but the `gitlab.cdn_host` config parameter can now be used to better manage this setting. Relates to #332695 Changelog: added

Support setting Rails asset host via gitlab.yml
Previously the only way to set the Rails asset host was via the `GITLAB_CDN_HOST` environment variable. This still works, but the `gitlab.cdn_host` config parameter can now be used to better manage this setting. Relates to #332695 Changelog: added
d11ace24 · Stan Hu · Michael Kozono · d323d728 · d11ace24 · d11ace24
Commit d11ace24 authored Aug 10, 2021 by Stan Hu Committed by Michael Kozono Aug 10, 2021
7 changed files
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -51,9 +51,6 @@ Rails.application.configure do
  # Use a different logger for distributed setups
  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)

-  # Enable serving of images, stylesheets, and JavaScripts from an asset server
-  config.action_controller.asset_host = ENV['GITLAB_CDN_HOST'] if ENV['GITLAB_CDN_HOST'].present?
-
  # Do not dump schema after migrations.
  config.active_record.dump_schema_after_migration = false


--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -33,6 +33,10 @@ production: &base
    host: localhost
    port: 80 # Set to 443 if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
    https: false # Set to true if using HTTPS, see installation.md#using-https for additional HTTPS configuration details
+
+    # Uncomment this line if you want to configure the Rails asset host for a CDN.
+    # cdn_host: localhost
+
    # The maximum time Puma can spend on the request. This needs to be smaller than the worker timeout.
    # Default is 95% of the worker timeout
    max_request_duration_seconds: 57

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -164,6 +164,7 @@ Settings.gitlab['default_branch_protection'] ||= 2
 Settings.gitlab['default_can_create_group'] = true if Settings.gitlab['default_can_create_group'].nil?
 Settings.gitlab['default_theme'] = Gitlab::Themes::APPLICATION_DEFAULT if Settings.gitlab['default_theme'].nil?
 Settings.gitlab['host'] ||= ENV['GITLAB_HOST'] || 'localhost'
+Settings.gitlab['cdn_host'] ||= ENV['GITLAB_CDN_HOST'].presence
 Settings.gitlab['ssh_host'] ||= Settings.gitlab.host
 Settings.gitlab['https']        = false if Settings.gitlab['https'].nil?
 Settings.gitlab['port']       ||= ENV['GITLAB_PORT'] || (Settings.gitlab.https ? 443 : 80)
@@ -209,7 +210,7 @@ Settings.gitlab.default_projects_features['visibility_level']   = Settings.__sen
 Settings.gitlab['domain_allowlist'] ||= []
 Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
 Settings.gitlab['trusted_proxies'] ||= []
-Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash
+Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash(Settings.gitlab['cdn_host'])
 Settings.gitlab['allowed_hosts'] ||= []
 Settings.gitlab['no_todos_messages'] ||= YAML.load_file(Rails.root.join('config', 'no_todos_messages.yml'))
 Settings.gitlab['impersonation_enabled'] ||= true if Settings.gitlab['impersonation_enabled'].nil?

--- a/config/initializers/rails_asset_host.rb
+++ b/config/initializers/rails_asset_host.rb
+# frozen_string_literal: true
+
+if Gitlab.config.gitlab.cdn_host.present?
+  Rails.application.configure do
+    config.after_initialize do
+      # Enable serving of images, stylesheets, and JavaScripts from an asset server
+      Rails.application.config.action_controller.asset_host = Gitlab.config.gitlab.cdn_host
+
+      # If ActionController::Base is called before this initializer, then we must set
+      # the configuration directly.
+      # See https://github.com/rails/rails/issues/16209
+      ActionController::Base.asset_host = Gitlab.config.gitlab.cdn_host
+    end
+  end
+end
--- a/lib/gitlab/content_security_policy/config_loader.rb
+++ b/lib/gitlab/content_security_policy/config_loader.rb
@@ -7,7 +7,7 @@ module Gitlab
                      form_action frame_ancestors frame_src img_src manifest_src
                      media_src object_src report_uri script_src style_src worker_src).freeze

-      def self.default_settings_hash
+      def self.default_settings_hash(cdn_host)
        settings_hash = {
          'enabled' => Rails.env.development? || Rails.env.test?,
          'report_only' => false,
@@ -36,7 +36,7 @@ module Gitlab
        settings_hash['directives']['child_src'] = settings_hash['directives']['frame_src']

        allow_webpack_dev_server(settings_hash) if Rails.env.development?
-        allow_cdn(settings_hash) if ENV['GITLAB_CDN_HOST'].present?
+        allow_cdn(settings_hash, cdn_host) if cdn_host.present?
        allow_customersdot(settings_hash) if Rails.env.development? && ENV['CUSTOMER_PORTAL_URL'].present?

        settings_hash
@@ -75,9 +75,7 @@ module Gitlab
        append_to_directive(settings_hash, 'connect_src', "#{http_url} #{ws_url}")
      end

-      def self.allow_cdn(settings_hash)
-        cdn_host = ENV['GITLAB_CDN_HOST']
-
+      def self.allow_cdn(settings_hash, cdn_host)
        append_to_directive(settings_hash, 'script_src', cdn_host)
        append_to_directive(settings_hash, 'style_src', cdn_host)
        append_to_directive(settings_hash, 'font_src', cdn_host)

--- a/spec/initializers/rails_asset_host_spec.rb
+++ b/spec/initializers/rails_asset_host_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Rails asset host initializer' do
+  def load_initializer
+    load Rails.root.join('config/initializers/rails_asset_host.rb')
+  end
+
+  subject { Rails.application.config.action_controller.asset_host }
+
+  it 'uses no asset host by default' do
+    load_initializer
+
+    expect(subject).to be nil
+  end
+
+  context 'with cdn_host defined in gitlab.yml' do
+    before do
+      stub_config_setting(cdn_host: 'https://gitlab.example.com')
+    end
+
+    it 'returns https://gitlab.example.com' do
+      load_initializer
+
+      expect(subject).to eq('https://gitlab.example.com')
+    end
+  end
+end
--- a/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
+++ b/spec/lib/gitlab/content_security_policy/config_loader_spec.rb
@@ -4,6 +4,7 @@ require 'spec_helper'

 RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
  let(:policy) { ActionDispatch::ContentSecurityPolicy.new }
+  let(:cdn_host) { nil }
  let(:csp_config) do
    {
      enabled: true,
@@ -20,7 +21,7 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
  end

  describe '.default_settings_hash' do
-    let(:settings) { described_class.default_settings_hash }
+    let(:settings) { described_class.default_settings_hash(cdn_host) }

    it 'returns defaults for all keys' do
      expect(settings['enabled']).to be_truthy
@@ -48,12 +49,10 @@ RSpec.describe Gitlab::ContentSecurityPolicy::ConfigLoader do
      end
    end

-    context 'when GITLAB_CDN_HOST is set' do
-      before do
-        stub_env('GITLAB_CDN_HOST', 'https://example.com')
-      end
+    context 'when CDN host is defined' do
+      let(:cdn_host) { 'https://example.com' }

-      it 'adds GITLAB_CDN_HOST to CSP' do
+      it 'adds CDN host to CSP' do
        directives = settings['directives']

        expect(directives['script_src']).to eq("'strict-dynamic' 'self' 'unsafe-inline' 'unsafe-eval' https://www.google.com/recaptcha/ https://www.recaptcha.net https://apis.google.com https://example.com")