It consists of two parts:

1. Redirecting users to the configured external storage
1. Allowing the external storage to request the static object(s)
   on behalf of the user by means of specific tokens

Part of https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/6829

User images and videos will get proxied through
the Camo server in order to keep malicious
sites from collecting the IP address of users.

Jeremy Jackson authored 5 years ago and Mayra Cabrera committed 5 years ago

This introduces several changes, but these are all just ported from the
EE project.

This MR adds new application setting to network section
`allow_local_requests_from_system_hooks`. Prior to this change
system hooks were allowed to do local network requests by default
and we are adding an ability for admins to control it.

Reuben Pereira authored 5 years ago and Douwe Maan committed 5 years ago

- Add to whitelist so that even if local requests from hooks and
services are not allowed, the prometheus manual configuration will
still succeed.

Add method to store session ids by ip

Add new specs for storing session ids

Add cleaning up records after login

Add retrieving anonymous sessions

Add login recaptcha setting

Add new setting to sessions controller

Add conditions for showing captcha

Add sessions controller specs

Add admin settings specs for login protection

Add new settings to api

Add stub to devise spec

Add new translation key

Add cr remarks

Rename class call

Add cr remarks

Change if-clause for consistency

Add cr remarks

Add code review remarks

Refactor AnonymousSession class

Add changelog entry

Move AnonymousSession class to lib

Move store unauthenticated sessions to sessions controller

Move link to recaptcha info

Regenerate text file

Improve copy on the spam page

Change action filter for storing anonymous sessions

Fix rubocop offences

Add code review remarks

Reuben Pereira authored 5 years ago and James Lopez committed 5 years ago

- The most common use case for qualified_domain_validator currently is
to allow blank ([]) but not allow nil. Modify the
qualified_domain_validator to support this use case.

* Limits raw requests to 300 per minute and per raw path.
* Add a new attribute to ApplicationSettings so user can change this
value on their instance.
* Uses Gitlab::ActionRateLimiter to limit the raw requests.
* Add a new method into ActionRateLimiter to log the event into auth.log

Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717

Reuben Pereira authored 5 years ago and Mayra Cabrera committed 5 years ago

Signed-off-by: Istvan szalai <istvan.szalai@savoirfairelinux.com>

Changes migration and all other places the attribute is used

Jon Kolb authored 5 years ago and Heinrich Lee Yu committed 5 years ago

Adds an instance setting to limit display of time tracking
values to hours only

Add columns to store project creation settings

Add project creation level column in groups
 and default project creation column in application settings

Remove obsolete line from schema

Update migration with project_creation_level column existence check

Rename migrations to avoid conflicts

Update migration methods

Update migration method

So the fake can enjoy it, too. We don't use `prepend`
because that'll require we change `allow_any_instance_of` to
`expect_next_instance_of`, but that's not very easy to do.
We can do that later.