Add latest changes from gitlab-org/gitlab@master

GitLab Bot · GitLab Bot · commit 0a367a4a1ba0 · 2024-12-16T06:28:37.000Z
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -90,10 +90,6 @@ def self.endpoint_id_for_action(action_name)
     render_403
   end
 
-  rescue_from ActionController::InvalidAuthenticityToken do
-    render_403
-  end
-
   rescue_from Browser::Error do |e|
     render plain: e.message, status: :forbidden
   end
diff --git a/app/controllers/graphql_controller.rb b/app/controllers/graphql_controller.rb
@@ -13,6 +13,9 @@ class GraphqlController < ApplicationController
   skip_before_action :verify_authenticity_token, if: -> {
     Feature.enabled?(:fix_graphql_csrf, Feature.current_request) && (current_user.nil? || sessionless_user?)
   }
+  skip_before_action :check_two_factor_requirement, if: -> {
+    Feature.enabled?(:fix_graphql_csrf, Feature.current_request) && sessionless_user?
+  }
 
   # Header can be passed by tests to disable SQL query limits.
   DISABLE_SQL_QUERY_LIMIT_HEADER = 'HTTP_X_GITLAB_DISABLE_SQL_QUERY_LIMIT'
@@ -106,7 +109,7 @@ def execute
   # `rescue_from StandardError` above would prevent these from bubbling up to ApplicationController.
   # These also return errors in a JSON format similar to GraphQL errors.
   rescue_from ActionController::InvalidAuthenticityToken do |exception|
-    render_error(exception.message, status: :forbidden)
+    render_error(exception.message, status: :unprocessable_entity)
   end
 
   rescue_from Gitlab::Auth::TooManyIps do |exception|
diff --git a/app/workers/authorized_project_update/periodic_recalculate_worker.rb b/app/workers/authorized_project_update/periodic_recalculate_worker.rb
@@ -4,7 +4,7 @@ module AuthorizedProjectUpdate
   class PeriodicRecalculateWorker
     include ApplicationWorker
 
-    data_consistency :always # rubocop:disable SidekiqLoadBalancing/WorkerDataConsistency -- will change to sticky with feature-flag
+    data_consistency :sticky, feature_flag: :change_data_consistency_for_permissions_workers
 
     # This worker does not perform work scoped to a context
     include CronjobQueue # rubocop:disable Scalability/CronWorkerContext
diff --git a/app/workers/authorized_project_update/project_recalculate_per_user_worker.rb b/app/workers/authorized_project_update/project_recalculate_per_user_worker.rb
@@ -2,7 +2,7 @@
 
 module AuthorizedProjectUpdate
   class ProjectRecalculatePerUserWorker < ProjectRecalculateWorker
-    data_consistency :always
+    data_consistency :sticky, feature_flag: :change_data_consistency_for_permissions_workers
 
     feature_category :permissions
     urgency :high
diff --git a/app/workers/authorized_project_update/project_recalculate_worker.rb b/app/workers/authorized_project_update/project_recalculate_worker.rb
@@ -4,7 +4,7 @@ module AuthorizedProjectUpdate
   class ProjectRecalculateWorker
     include ApplicationWorker
 
-    data_consistency :always # rubocop:disable SidekiqLoadBalancing/WorkerDataConsistency -- will change to sticky with feature-flag
+    data_consistency :sticky, feature_flag: :change_data_consistency_for_permissions_workers
     include Gitlab::ExclusiveLeaseHelpers
 
     feature_category :permissions
diff --git a/app/workers/authorized_project_update/user_refresh_from_replica_worker.rb b/app/workers/authorized_project_update/user_refresh_from_replica_worker.rb
@@ -7,7 +7,7 @@ class UserRefreshFromReplicaWorker
     sidekiq_options retry: 3
     feature_category :permissions
     urgency :low
-    data_consistency :always # rubocop:disable SidekiqLoadBalancing/WorkerDataConsistency -- will change to sticky with feature-flag
+    data_consistency :delayed, feature_flag: :change_data_consistency_for_permissions_workers
     queue_namespace :authorized_project_update
 
     idempotent!
@@ -25,10 +25,6 @@ def perform(user_id)
 
     private
 
-    # We use this approach instead of specifying `data_consistency :delayed` because these jobs
-    # are enqueued in large numbers, and using `data_consistency :delayed`
-    # does not allow us to deduplicate these jobs.
-    # https://gitlab.com/gitlab-org/gitlab/-/issues/325291
     def use_replica_if_available(&block)
       ::Gitlab::Database::LoadBalancing::SessionMap
         .with_sessions([::ApplicationRecord, ::Ci::ApplicationRecord])
diff --git a/app/workers/authorized_projects_worker.rb b/app/workers/authorized_projects_worker.rb
@@ -3,7 +3,7 @@
 class AuthorizedProjectsWorker
   include ApplicationWorker
 
-  data_consistency :always # rubocop:disable SidekiqLoadBalancing/WorkerDataConsistency -- will change to sticky with feature-flag
+  data_consistency :sticky, feature_flag: :change_data_consistency_for_permissions_workers
 
   sidekiq_options retry: 3
 
diff --git a/config/feature_flags/worker/change_data_consistency_for_permissions_workers.yml b/config/feature_flags/worker/change_data_consistency_for_permissions_workers.yml
@@ -0,0 +1,9 @@
+---
+name: change_data_consistency_for_permissions_workers
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/462611
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/173210
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/505413
+milestone: '17.7'
+group: group::authorization
+type: worker
+default_enabled: false
diff --git a/db/post_migrate/20240124043507_migrate_sidekiq_queued_and_future_jobs.rb b/db/post_migrate/20240124043507_migrate_sidekiq_queued_and_future_jobs.rb
@@ -4,6 +4,8 @@ class MigrateSidekiqQueuedAndFutureJobs < Gitlab::Database::Migration[2.2]
   milestone '16.10'
   disable_ddl_transaction!
 
+  restrict_gitlab_migration gitlab_schema: :gitlab_main
+
   class SidekiqMigrateJobs
     LOG_FREQUENCY_QUEUES = 10
     LOG_FREQUENCY = 1000
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
@@ -1139,19 +1139,6 @@ def index
           .to raise_error(ActionController::InvalidAuthenticityToken)
       end
     end
-
-    controller(described_class) do
-      self.allow_forgery_protection = true
-      skip_before_action :authenticate_user!
-
-      def create; end
-    end
-
-    it 'returns a 403' do
-      post :create
-
-      expect(response).to have_gitlab_http_status(:forbidden)
-    end
   end
 
   describe '#after_sign_in_path_for' do
diff --git a/spec/requests/api/graphql_spec.rb b/spec/requests/api/graphql_spec.rb
@@ -242,7 +242,7 @@
 
         post_graphql(query, headers: { 'X-CSRF-Token' => 'invalid' })
 
-        expect(response).to have_gitlab_http_status(:forbidden)
+        expect(response).to have_gitlab_http_status(:unprocessable_entity)
       end
 
       it 'authenticates a user with a valid session token' do
@@ -315,6 +315,30 @@
         expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")
       end
 
+      context 'when two-factor authentication is required' do
+        before do
+          stub_application_setting(require_two_factor_authentication: true)
+        end
+
+        it 'does not enforce 2FA' do
+          post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+          expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")
+        end
+
+        context 'when fix_graphql_csrf is disabled' do
+          before do
+            stub_feature_flags(fix_graphql_csrf: false)
+          end
+
+          it 'does not enforce 2FA' do
+            post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+            expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")
+          end
+        end
+      end
+
       context 'when user also has a valid session' do
         let_it_be(:other_user) { create(:user) }
 
