Add support for configuring globally-allowed IPs in restrictions
What does this MR do and why?
Adds support for configuring globally allowed IP ranges in addition to the custom IP lists at group level. This allows a GitLab system administrator to set their internal IP ranges in an admin setting and prevent those IPs from being blocked when group-level IP allow lists are enabled. This is required for components such as GitLab Pages to function correctly.
This is tied to a rapid action.
Related https://gitlab.com/gitlab-org/gitlab/-/issues/362240
Related https://gitlab.com/gitlab-org/gitlab/-/issues/300268
Related https://gitlab.com/gitlab-org/gitlab/-/issues/362354
Related https://gitlab.com/groups/gitlab-org/-/epics/8062
Feature flag
This introduces the :group_ip_restrictions_allow_global feature flag, which is tied to a group for a subject. This will allow us to toggle support for the overrides in the new application setting to specific groups.
Migrations
Up
❯ rake db:migrate
== 20220516092207 AddGloballyAllowedIpsToApplicationSetting: migrating ========
-- add_column(:application_settings, :globally_allowed_ips, :text, {:null=>false, :default=>""})
-> 0.0032s
== 20220516092207 AddGloballyAllowedIpsToApplicationSetting: migrated (0.0032s)
== 20220516123101 AddTextLimitToGloballyAllowedIpsOnApplicationSettings: migrating
-- transaction_open?()
-> 0.0000s
-- current_schema()
-> 0.0003s
-- transaction_open?()
-> 0.0000s
-- execute("ALTER TABLE application_settings\nADD CONSTRAINT check_734cc9407a\nCHECK ( char_length(globally_allowed_ips) <= 255 )\nNOT VALID;\n")
-> 0.0011s
-- current_schema()
-> 0.0003s
-- execute("SET statement_timeout TO 0")
-> 0.0005s
-- execute("ALTER TABLE application_settings VALIDATE CONSTRAINT check_734cc9407a;")
-> 0.0009s
-- execute("RESET statement_timeout")
-> 0.0006s
== 20220516123101 AddTextLimitToGloballyAllowedIpsOnApplicationSettings: migrated (0.0116s)
== 20220516092207 AddGloballyAllowedIpsToApplicationSetting: migrating ========
-- add_column(:application_settings, :globally_allowed_ips, :text, {:null=>false, :default=>""})
-> 0.0025s
== 20220516092207 AddGloballyAllowedIpsToApplicationSetting: migrated (0.0026s)
== 20220516123101 AddTextLimitToGloballyAllowedIpsOnApplicationSettings: migrating
-- transaction_open?()
-> 0.0000s
-- current_schema()
-> 0.0002s
-- transaction_open?()
-> 0.0000s
-- execute("ALTER TABLE application_settings\nADD CONSTRAINT check_734cc9407a\nCHECK ( char_length(globally_allowed_ips) <= 255 )\nNOT VALID;\n")
-> 0.0010s
-- current_schema()
-> 0.0002s
-- execute("SET statement_timeout TO 0")
-> 0.0004s
-- execute("ALTER TABLE application_settings VALIDATE CONSTRAINT check_734cc9407a;")
-> 0.0008s
-- execute("RESET statement_timeout")
-> 0.0004s
== 20220516123101 AddTextLimitToGloballyAllowedIpsOnApplicationSettings: migrated (0.0076s)
Down
❯ rake db:rollback:main
== 20220516123101 AddTextLimitToGloballyAllowedIpsOnApplicationSettings: reverting
-- transaction_open?()
-> 0.0000s
-- transaction_open?()
-> 0.0000s
-- execute("ALTER TABLE application_settings\nDROP CONSTRAINT IF EXISTS check_734cc9407a\n")
-> 0.0013s
== 20220516123101 AddTextLimitToGloballyAllowedIpsOnApplicationSettings: reverted (0.0065s)
❯ rake db:rollback:main
== 20220516092207 AddGloballyAllowedIpsToApplicationSetting: reverting ========
-- remove_column(:application_settings, :globally_allowed_ips, :text, {:null=>false, :default=>""})
-> 0.0028s
== 20220516092207 AddGloballyAllowedIpsToApplicationSetting: reverted (0.0038s)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
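An added example, not code from this MR or from GitLab: a sketch of the decision the description outlines, where an IP outside a group's allow list is still admitted when the feature flag is on for that group and the IP falls inside the globally allowed ranges. The comma-separated CIDR format of the setting, all method names, and the catch-all check are assumptions; the sample addresses are constructed.

```ruby
require 'ipaddr'

# Mirrors the char_length(globally_allowed_ips) <= 255 CHECK constraint from the migration.
MAX_SETTING_LENGTH = 255

# Split the setting text into entries. Comma separation is an assumption.
def setting_entries(text)
  raise ArgumentError, 'setting exceeds 255 characters' if text.length > MAX_SETTING_LENGTH

  text.split(',').map(&:strip).reject(&:empty?)
end

# Parse entries into IPAddr ranges; malformed input raises IPAddr::InvalidAddressError.
def parse_ranges(text)
  setting_entries(text).map { |entry| IPAddr.new(entry) }
end

# Review aid (hypothetical, not part of the MR): entries with a zero-length
# prefix match every address and would neutralise all group allow lists.
def catch_all_entries(text)
  setting_entries(text).select { |entry| IPAddr.new(entry).prefix.zero? }
end

# Decision for a group that has an IP allow list enabled.
# The group list is checked first; the global setting only applies when the
# flag is enabled for that group. An empty setting (the column default) adds nothing.
def ip_allowed?(request_ip, group_ranges:, global_setting:, flag_enabled:)
  ip = IPAddr.new(request_ip)
  return true if group_ranges.any? { |range| range.include?(ip) }
  return false unless flag_enabled

  parse_ranges(global_setting).any? { |range| range.include?(ip) }
end

# Constructed sample values.
group_list = parse_ranges('203.0.113.0/24')
internal   = '10.0.0.0/8, 192.168.0.0/16'
%w[203.0.113.7 10.1.2.3 198.51.100.9].each do |ip|
  on  = ip_allowed?(ip, group_ranges: group_list, global_setting: internal, flag_enabled: true)
  off = ip_allowed?(ip, group_ranges: group_list, global_setting: internal, flag_enabled: false)
  puts "#{ip}: flag on => #{on}, flag off => #{off}"
end
```

Because the global list overrides every group that has the flag enabled, each entry in it widens access instance-wide; a broad range there is worth the same review as a firewall rule change.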