application_setting.rb 16.4 KB
Newer Older
1 2
# frozen_string_literal: true

3
class ApplicationSetting < ActiveRecord::Base
4
  include CacheableAttributes
5
  include CacheMarkdownField
6
  include TokenAuthenticatable
7
  include IgnorableColumn
8
  include ChronicDurationAttribute
9

10
  add_authentication_token_field :runners_registration_token, encrypted: -> { Feature.enabled?(:application_settings_tokens_optional_encryption, default_enabled: true) ? :optional : :required }
11
  add_authentication_token_field :health_check_access_token
12

13 14 15 16 17 18
  DOMAIN_LIST_SEPARATOR = %r{\s*[,;]\s*     # comma or semicolon, optionally surrounded by whitespace
                            |               # or
                            \s              # any whitespace character
                            |               # or
                            [\r\n]          # any number of newline characters
                          }x
19

20 21
  # Setting a key restriction to `-1` means that all keys of this type are
  # forbidden.
22
  FORBIDDEN_KEY_VALUE = KeyRestrictionValidator::FORBIDDEN
23 24
  SUPPORTED_KEY_TYPES = %i[rsa dsa ecdsa ed25519].freeze

25 26 27 28 29 30
  serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize
  serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize
  serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize
  serialize :domain_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize
  serialize :domain_blacklist, Array # rubocop:disable Cop/ActiveRecordSerialize
  serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize
31

32 33 34 35 36
  ignore_column :circuitbreaker_failure_count_threshold
  ignore_column :circuitbreaker_failure_reset_time
  ignore_column :circuitbreaker_storage_timeout
  ignore_column :circuitbreaker_access_retries
  ignore_column :circuitbreaker_check_interval
37 38
  ignore_column :koding_url
  ignore_column :koding_enabled
39

40 41 42 43 44
  cache_markdown_field :sign_in_text
  cache_markdown_field :help_page_text
  cache_markdown_field :shared_runners_text, pipeline: :plain_markdown
  cache_markdown_field :after_sign_up_text

45
  attr_accessor :domain_whitelist_raw, :domain_blacklist_raw
46

47 48
  default_value_for :id, 1

49 50
  chronic_duration_attr_writer :archive_builds_in_human_readable, :archive_builds_in_seconds

51 52
  validates :uuid, presence: true

53
  validates :session_expire_delay,
54 55
            presence: true,
            numericality: { only_integer: true, greater_than_or_equal_to: 0 }
56

57
  validates :home_page_url,
58 59
            allow_blank: true,
            url: true,
60 61 62 63 64 65
            if: :home_page_url_column_exists?

  validates :help_page_support_url,
            allow_blank: true,
            url: true,
            if: :help_page_support_url_column_exists?
66

67
  validates :after_sign_out_path,
68 69
            allow_blank: true,
            url: true
70

71
  validates :admin_notification_email,
72
            email: true,
73
            allow_blank: true
74

75
  validates :two_factor_grace_period,
76 77 78 79 80 81 82 83 84
            numericality: { greater_than_or_equal_to: 0 }

  validates :recaptcha_site_key,
            presence: true,
            if: :recaptcha_enabled

  validates :recaptcha_private_key,
            presence: true,
            if: :recaptcha_enabled
85

Jeroen Nijhof's avatar
Jeroen Nijhof committed
86 87 88 89
  validates :sentry_dsn,
            presence: true,
            if: :sentry_enabled

90 91 92 93
  validates :clientside_sentry_dsn,
            presence: true,
            if: :clientside_sentry_enabled

94 95 96 97
  validates :akismet_api_key,
            presence: true,
            if: :akismet_enabled

Pawel Chojnacki's avatar
Pawel Chojnacki committed
98 99 100 101 102 103 104 105 106 107
  validates :unique_ips_limit_per_user,
            numericality: { greater_than_or_equal_to: 1 },
            presence: true,
            if: :unique_ips_limit_enabled

  validates :unique_ips_limit_time_window,
            numericality: { greater_than_or_equal_to: 0 },
            presence: true,
            if: :unique_ips_limit_enabled

108 109 110 111
  validates :plantuml_url,
            presence: true,
            if: :plantuml_enabled

112 113 114 115
  validates :max_attachment_size,
            presence: true,
            numericality: { only_integer: true, greater_than: 0 }

116 117 118 119
  validates :max_artifacts_size,
            presence: true,
            numericality: { only_integer: true, greater_than: 0 }

120
  validates :default_artifacts_expire_in, presence: true, duration: true
121

122 123 124 125
  validates :container_registry_token_expire_delay,
            presence: true,
            numericality: { only_integer: true, greater_than: 0 }

126 127
  validates :repository_storages, presence: true
  validate :check_repository_storages
128

129 130 131 132 133
  validates :auto_devops_domain,
            allow_blank: true,
            hostname: { allow_numeric_hostname: true, require_valid_tld: true },
            if: :auto_devops_enabled?

134
  validates :enabled_git_access_protocol,
135
            inclusion: { in: %w(ssh http), allow_blank: true, allow_nil: true }
136

137
  validates :domain_blacklist,
138
            presence: { message: 'Domain blacklist cannot be empty if Blacklist is enabled.' },
139 140
            if: :domain_blacklist_enabled?

Jacob Vosmaer's avatar
Jacob Vosmaer committed
141 142 143 144 145 146
  validates :housekeeping_incremental_repack_period,
            presence: true,
            numericality: { only_integer: true, greater_than: 0 }

  validates :housekeeping_full_repack_period,
            presence: true,
147
            numericality: { only_integer: true, greater_than_or_equal_to: :housekeeping_incremental_repack_period }
Jacob Vosmaer's avatar
Jacob Vosmaer committed
148 149 150

  validates :housekeeping_gc_period,
            presence: true,
151
            numericality: { only_integer: true, greater_than_or_equal_to: :housekeeping_full_repack_period }
Jacob Vosmaer's avatar
Jacob Vosmaer committed
152

153 154 155 156
  validates :terminal_max_session_time,
            presence: true,
            numericality: { only_integer: true, greater_than_or_equal_to: 0 }

157 158 159 160
  validates :polling_interval_multiplier,
            presence: true,
            numericality: { greater_than_or_equal_to: 0 }

161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181
  validates :gitaly_timeout_default,
            presence: true,
            numericality: { only_integer: true, greater_than_or_equal_to: 0 }

  validates :gitaly_timeout_medium,
            presence: true,
            numericality: { only_integer: true, greater_than_or_equal_to: 0 }
  validates :gitaly_timeout_medium,
            numericality: { less_than_or_equal_to: :gitaly_timeout_default },
            if: :gitaly_timeout_default
  validates :gitaly_timeout_medium,
            numericality: { greater_than_or_equal_to: :gitaly_timeout_fast },
            if: :gitaly_timeout_fast

  validates :gitaly_timeout_fast,
            presence: true,
            numericality: { only_integer: true, greater_than_or_equal_to: 0 }
  validates :gitaly_timeout_fast,
            numericality: { less_than_or_equal_to: :gitaly_timeout_default },
            if: :gitaly_timeout_default

182 183 184 185 186 187
  validates :diff_max_patch_bytes,
            presence: true,
            numericality: { only_integer: true,
                            greater_than_or_equal_to: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
                            less_than_or_equal_to: Gitlab::Git::Diff::MAX_PATCH_BYTES_UPPER_BOUND }

188 189
  validates :user_default_internal_regex, js_regex: true, allow_nil: true

190 191
  validates :commit_email_hostname, format: { with: /\A[^@]+\z/ }

192 193 194 195
  validates :archive_builds_in_seconds,
            allow_nil: true,
            numericality: { only_integer: true, greater_than_or_equal_to: 1.day.seconds }

Jan Provaznik's avatar
Jan Provaznik committed
196 197 198 199
  validates :local_markdown_version,
            allow_nil: true,
            numericality: { only_integer: true, greater_than_or_equal_to: 0, less_than: 65536 }

200
  SUPPORTED_KEY_TYPES.each do |type|
201
    validates :"#{type}_key_restriction", presence: true, key_restriction: { type: type }
202
  end
203

Nick Thomas's avatar
Nick Thomas committed
204 205
  validates :allowed_key_types, presence: true

206
  validates_each :restricted_visibility_levels do |record, attr, value|
Z.J. van de Weg's avatar
Z.J. van de Weg committed
207
    value&.each do |level|
208
      unless Gitlab::VisibilityLevel.options.value?(level)
Z.J. van de Weg's avatar
Z.J. van de Weg committed
209
        record.errors.add(attr, "'#{level}' is not a valid visibility level")
210 211 212 213
      end
    end
  end

214
  validates_each :import_sources do |record, attr, value|
Z.J. van de Weg's avatar
Z.J. van de Weg committed
215
    value&.each do |source|
216
      unless Gitlab::ImportSources.options.value?(source)
Z.J. van de Weg's avatar
Z.J. van de Weg committed
217
        record.errors.add(attr, "'#{source}' is not a import source")
218 219 220 221
      end
    end
  end

Bob Van Landuyt's avatar
Bob Van Landuyt committed
222 223
  validate :terms_exist, if: :enforce_terms?

224
  before_validation :ensure_uuid!
Stan Hu's avatar
Stan Hu committed
225
  before_validation :strip_sentry_values
226

227
  before_save :ensure_runners_registration_token
228
  before_save :ensure_health_check_access_token
229

230
  after_commit do
Bob Van Landuyt's avatar
Bob Van Landuyt committed
231
    reset_memoized_terms
232
  end
233
  after_commit :expire_performance_bar_allowed_user_ids_cache, if: -> { previous_changes.key?('performance_bar_allowed_group_id') }
234

235
  def self.defaults
236 237 238
    {
      after_sign_up_text: nil,
      akismet_enabled: false,
239
      allow_local_requests_from_hooks_and_services: false,
240
      authorized_keys_enabled: true, # TODO default to false if the instance is configured to use AuthorizedKeysCommand
241
      container_registry_token_expire_delay: 5,
242
      default_artifacts_expire_in: '30 days',
243
      default_branch_protection: Settings.gitlab['default_branch_protection'],
244
      default_group_visibility: Settings.gitlab.default_projects_features['visibility_level'],
245 246 247 248 249
      default_project_visibility: Settings.gitlab.default_projects_features['visibility_level'],
      default_projects_limit: Settings.gitlab['default_projects_limit'],
      default_snippet_visibility: Settings.gitlab.default_projects_features['visibility_level'],
      disabled_oauth_sign_in_sources: [],
      domain_whitelist: Settings.gitlab['domain_whitelist'],
250 251 252
      dsa_key_restriction: 0,
      ecdsa_key_restriction: 0,
      ed25519_key_restriction: 0,
253
      first_day_of_week: 0,
254 255 256
      gitaly_timeout_default: 55,
      gitaly_timeout_fast: 10,
      gitaly_timeout_medium: 30,
257
      gravatar_enabled: Settings.gravatar['enabled'],
258
      help_page_hide_commercial_content: false,
259 260
      help_page_text: nil,
      hide_third_party_offers: false,
261 262 263 264 265
      housekeeping_bitmaps_enabled: true,
      housekeeping_enabled: true,
      housekeeping_full_repack_period: 50,
      housekeeping_gc_period: 200,
      housekeeping_incremental_repack_period: 10,
266
      import_sources: Settings.gitlab['import_sources'],
267 268
      max_artifacts_size: Settings.artifacts['max_size'],
      max_attachment_size: Settings.gitlab['max_attachment_size'],
269
      mirror_available: true,
270
      password_authentication_enabled_for_git: true,
271
      password_authentication_enabled_for_web: Settings.gitlab['signin_enabled'],
272
      performance_bar_allowed_group_id: nil,
273
      rsa_key_restriction: 0,
274 275
      plantuml_enabled: false,
      plantuml_url: nil,
276
      polling_interval_multiplier: 1,
277
      project_export_enabled: true,
278 279 280 281 282 283 284 285 286 287 288
      recaptcha_enabled: false,
      repository_checks_enabled: true,
      repository_storages: ['default'],
      require_two_factor_authentication: false,
      restricted_visibility_levels: Settings.gitlab['restricted_visibility_levels'],
      session_expire_delay: Settings.gitlab['session_expire_delay'],
      send_user_confirmation_email: false,
      shared_runners_enabled: Settings.gitlab_ci['shared_runners_enabled'],
      shared_runners_text: nil,
      sign_in_text: nil,
      signup_enabled: Settings.gitlab['signup_enabled'],
289
      terminal_max_session_time: 0,
290 291
      throttle_authenticated_api_enabled: false,
      throttle_authenticated_api_period_in_seconds: 3600,
292 293 294 295 296 297 298
      throttle_authenticated_api_requests_per_period: 7200,
      throttle_authenticated_web_enabled: false,
      throttle_authenticated_web_period_in_seconds: 3600,
      throttle_authenticated_web_requests_per_period: 7200,
      throttle_unauthenticated_enabled: false,
      throttle_unauthenticated_period_in_seconds: 3600,
      throttle_unauthenticated_requests_per_period: 3600,
299
      two_factor_grace_period: 48,
300 301 302
      unique_ips_limit_enabled: false,
      unique_ips_limit_per_user: 10,
      unique_ips_limit_time_window: 3600,
303
      usage_ping_enabled: Settings.gitlab['usage_ping_enabled'],
304
      instance_statistics_visibility_private: false,
305
      user_default_external: false,
306
      user_default_internal_regex: nil,
307
      user_show_add_ssh_key_message: true,
308
      usage_stats_set_by_user_id: nil,
309
      diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
310
      commit_email_hostname: default_commit_email_hostname,
Jan Provaznik's avatar
Jan Provaznik committed
311 312
      protected_ci_variables: false,
      local_markdown_version: 0
313 314 315
    }
  end

316 317 318 319
  def self.default_commit_email_hostname
    "users.noreply.#{Gitlab.config.gitlab.host}"
  end

320
  def self.create_from_defaults
321
    build_from_defaults.tap(&:save)
322
  end
323

324 325 326 327 328 329 330 331
  def self.human_attribute_name(attr, _options = {})
    if attr == :default_artifacts_expire_in
      'Default artifacts expiration'
    else
      super
    end
  end

332
  def home_page_url_column_exists?
333
    ::Gitlab::Database.cached_column_exists?(:application_settings, :home_page_url)
334
  end
335

336
  def help_page_support_url_column_exists?
337
    ::Gitlab::Database.cached_column_exists?(:application_settings, :help_page_support_url)
338 339
  end

340 341 342 343 344
  def disabled_oauth_sign_in_sources=(sources)
    sources = (sources || []).map(&:to_s) & Devise.omniauth_providers.map(&:to_s)
    super(sources)
  end

345
  def domain_whitelist_raw
Z.J. van de Weg's avatar
Z.J. van de Weg committed
346
    self.domain_whitelist&.join("\n")
347 348
  end

349
  def domain_blacklist_raw
Z.J. van de Weg's avatar
Z.J. van de Weg committed
350
    self.domain_blacklist&.join("\n")
351 352
  end

353 354 355 356 357
  def domain_whitelist_raw=(values)
    self.domain_whitelist = []
    self.domain_whitelist = values.split(DOMAIN_LIST_SEPARATOR)
    self.domain_whitelist.reject! { |d| d.empty? }
    self.domain_whitelist
358
  end
359

360 361
  def domain_blacklist_raw=(values)
    self.domain_blacklist = []
362
    self.domain_blacklist = values.split(DOMAIN_LIST_SEPARATOR)
363
    self.domain_blacklist.reject! { |d| d.empty? }
364
    self.domain_blacklist
365 366 367 368 369 370
  end

  def domain_blacklist_file=(file)
    self.domain_blacklist_raw = file.read
  end

371
  def repository_storages
372
    Array(read_attribute(:repository_storages))
373 374
  end

375 376 377 378
  def commit_email_hostname
    super.presence || self.class.default_commit_email_hostname
  end

379 380 381 382 383 384 385 386 387 388 389 390 391
  def default_project_visibility=(level)
    super(Gitlab::VisibilityLevel.level_value(level))
  end

  def default_snippet_visibility=(level)
    super(Gitlab::VisibilityLevel.level_value(level))
  end

  def default_group_visibility=(level)
    super(Gitlab::VisibilityLevel.level_value(level))
  end

  def restricted_visibility_levels=(levels)
392
    super(levels&.map { |level| Gitlab::VisibilityLevel.level_value(level) })
393 394
  end

Stan Hu's avatar
Stan Hu committed
395 396 397 398 399
  def strip_sentry_values
    sentry_dsn.strip! if sentry_dsn.present?
    clientside_sentry_dsn.strip! if clientside_sentry_dsn.present?
  end

400 401 402 403
  def performance_bar_allowed_group
    Group.find_by_id(performance_bar_allowed_group_id)
  end

404 405 406
  # Return true if the Performance Bar is enabled for a given group
  def performance_bar_enabled
    performance_bar_allowed_group_id.present?
407 408
  end

409 410 411 412 413 414
  # Choose one of the available repository storage options. Currently all have
  # equal weighting.
  def pick_repository_storage
    repository_storages.sample
  end

415 416 417
  def runners_registration_token
    ensure_runners_registration_token!
  end
418 419 420 421

  def health_check_access_token
    ensure_health_check_access_token!
  end
422

423 424 425 426 427 428 429 430
  def usage_ping_can_be_configured?
    Settings.gitlab.usage_ping_enabled
  end

  def usage_ping_enabled
    usage_ping_can_be_configured? && super
  end

431 432 433 434 435 436 437 438 439
  def allowed_key_types
    SUPPORTED_KEY_TYPES.select do |type|
      key_restriction_for(type) != FORBIDDEN_KEY_VALUE
    end
  end

  def key_restriction_for(type)
    attr_name = "#{type}_key_restriction"

Nick Thomas's avatar
Nick Thomas committed
440
    has_attribute?(attr_name) ? public_send(attr_name) : FORBIDDEN_KEY_VALUE # rubocop:disable GitlabSecurity/PublicSend
441 442
  end

443 444 445 446 447 448 449 450
  def allow_signup?
    signup_enabled? && password_authentication_enabled_for_web?
  end

  def password_authentication_enabled?
    password_authentication_enabled_for_web? || password_authentication_enabled_for_git?
  end

451 452 453 454 455 456 457 458
  def user_default_internal_regex_enabled?
    user_default_external? && user_default_internal_regex.present?
  end

  def user_default_internal_regex_instance
    Regexp.new(user_default_internal_regex, Regexp::IGNORECASE)
  end

Bob Van Landuyt's avatar
Bob Van Landuyt committed
459 460 461 462 463 464 465 466 467 468
  delegate :terms, to: :latest_terms, allow_nil: true
  def latest_terms
    @latest_terms ||= Term.latest
  end

  def reset_memoized_terms
    @latest_terms = nil
    latest_terms
  end

469 470 471 472
  def archive_builds_older_than
    archive_builds_in_seconds.seconds.ago if archive_builds_in_seconds
  end

473 474
  private

475 476 477 478 479 480
  def ensure_uuid!
    return if uuid?

    self.uuid = SecureRandom.uuid
  end

481 482 483 484 485
  def check_repository_storages
    invalid = repository_storages - Gitlab.config.repositories.storages.keys
    errors.add(:repository_storages, "can't include: #{invalid.join(", ")}") unless
      invalid.empty?
  end
Bob Van Landuyt's avatar
Bob Van Landuyt committed
486 487 488 489 490 491

  def terms_exist
    return unless enforce_terms?

    errors.add(:terms, "You need to set terms to be enforced") unless terms.present?
  end
492 493 494 495

  def expire_performance_bar_allowed_user_ids_cache
    Gitlab::PerformanceBar.expire_allowed_user_ids_cache
  end
496
end