Add deny all requests setting to UrlBlocker: Part 2
What does this MR do and why?
!110599 (merged) introduced a new deny_all_requests_except_allowed to application settings.
This merge request addresses the problem outlined in #377371 (comment 1271330392) that previously led the ApplicationSetting model to be saved in an invalid state due to the new setting.
This change has ApplicationSetting refer to the current, potentially unpersisted, state of its deny_all_requests_except_allowed property to control whether the validation enforces the setting or not.
This means an instance cannot enable deny_all_requests_except_allowed while a URL in the application settings would break the rule. This prevents the application settings from being able to become invalid. The admin must first change that URL property or add it to the allow list before they can enable the deny setting.
QA steps:
- Enable the feature flag: Feature.enable(:deny_all_requests_except_allowed)
- Visit the admin Settings > Network and expand the Outbound requests section, or visit /admin/application_settings/network#js-outbound-settings directly.
- Check the Block all requests... checkbox.
- Click Save changes.
- You should be prevented from saving the settings, and see an error like below:
This is because by default GitLab instances should have a public_runner_releases_url property that would violate the setting.
For now, until we handle a better way to allow admins to change the public_runner_releases_url property #377371 (comment 1294228003), you can have your instance enable the setting by adding gitlab.com to the list of allowed domains:
- Uncheck the Block all requests... checkbox.
- Add gitlab.com:443 to the Local IP addresses and domain names that hooks and integrations can access text area of the form.
- Save.
You will be able to toggle the Block all requests... checkbox and save.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #377371 (closed)
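
The validation behaviour described above, as an added Ruby sketch that is not GitLab's code or part of this merge request. SettingsSketch, flag_source, the error text and the sample URL are hypothetical stand-ins, and the host check is a simplification of the real URL blocking logic.

```ruby
require 'uri'

# Plain-Ruby stand-in for a settings record (hypothetical, not GitLab's model).
class SettingsSketch
  ATTRS = %i[deny_all_requests_except_allowed public_runner_releases_url allowlist].freeze
  attr_accessor(*ATTRS)
  attr_reader :errors
  def initialize(stored)
    @stored = stored # simulates the persisted row
    ATTRS.each { |a| public_send("#{a}=", stored[a].dup) }
    @errors = []
  end

  # :current reads the in-memory flag being saved; :stored reads the last
  # persisted flag, which lets a violating URL slip through on the enabling save.
  def valid?(flag_source: :current)
    @errors = []
    deny = flag_source == :current ? deny_all_requests_except_allowed : @stored[ATTRS.first]
    return true unless deny
    uri = URI.parse(public_runner_releases_url)
    allowed = allowlist.include?(uri.host) || allowlist.include?("#{uri.host}:#{uri.port}")
    @errors << "public_runner_releases_url: #{uri.host} is not on the allow list" unless allowed
    allowed
  end

  def save(flag_source: :current)
    return false unless valid?(flag_source: flag_source)
    ATTRS.each { |a| @stored[a] = public_send(a).dup }
    true
  end

  # Re-validates what was actually persisted, as a later load would.
  def stored_state_valid?
    self.class.new(@stored).valid?
  end
end

def demo
  base = { deny_all_requests_except_allowed: false, allowlist: [],
           public_runner_releases_url: 'https://gitlab.com/constructed/releases' } # constructed
  old = SettingsSketch.new(base.dup)
  old.deny_all_requests_except_allowed = true
  fixed = SettingsSketch.new(base.dup)
  fixed.deny_all_requests_except_allowed = true
  result = { old_saved: old.save(flag_source: :stored), old_stored_ok: old.stored_state_valid?,
             fixed_saved: fixed.save, fixed_errors: fixed.errors.dup }
  fixed.allowlist << 'gitlab.com:443' # the workaround from the QA steps
  result.merge(fixed_saved_after_allow: fixed.save, fixed_stored_ok: fixed.stored_state_valid?)
end
```

Validating against the stored flag accepts the enabling save and leaves a record that fails its own validation afterwards; validating against the current flag rejects the save until the host is on the allow list.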