gitlab-org--gitlab-foss/lib/gitlab/middleware/read_only.rb

module Gitlab
  module Middleware
    class ReadOnly
      DISALLOWED_METHODS = %w(POST PATCH PUT DELETE).freeze
      APPLICATION_JSON = 'application/json'.freeze
      API_VERSIONS = (3..4)

      class Controller
        def initialize(app, env)
          @app = app
          @env = env
        end

        def call
          if disallowed_request? && Gitlab::Database.read_only?
            Rails.logger.debug('GitLab ReadOnly: preventing possible non read-only operation')
            error_message = 'You cannot do writing operations on a read-only GitLab instance'

            if json_request?
              return [403, { 'Content-Type' => 'application/json' }, [{ 'message' => error_message }.to_json]]
            else
              rack_flash.alert = error_message
              rack_session['flash'] = rack_flash.to_session_value

              return [301, { 'Location' => last_visited_url }, []]
            end
          end

          @app.call(@env)
        end

        private

        def disallowed_request?
          DISALLOWED_METHODS.include?(@env['REQUEST_METHOD']) &&
            !whitelisted_routes
        end

        def json_request?
          request.media_type == APPLICATION_JSON
        end

        def rack_flash
          @rack_flash ||= ActionDispatch::Flash::FlashHash.from_session_value(rack_session)
        end

        def rack_session
          @env['rack.session']
        end

        def request
          @env['rack.request'] ||= Rack::Request.new(@env)
        end

        def last_visited_url
          @env['HTTP_REFERER'] || rack_session['user_return_to'] || Gitlab::Routing.url_helpers.root_url
        end

        def route_hash
          @route_hash ||= Rails.application.routes.recognize_path(request.url, { method: request.request_method }) rescue {}
        end

        def whitelisted_routes
          grack_route || ReadOnly.internal_routes.any? { |path| request.path.include?(path) } || lfs_route || sidekiq_route
        end

        def sidekiq_route
          request.path.start_with?('/admin/sidekiq')
        end

        def grack_route
          # Calling route_hash may be expensive. Only do it if we think there's a possible match
          return false unless request.path.end_with?('.git/git-upload-pack')

          route_hash[:controller] == 'projects/git_http' && route_hash[:action] == 'git_upload_pack'
        end

        def lfs_route
          # Calling route_hash may be expensive. Only do it if we think there's a possible match
          return false unless request.path.end_with?('/info/lfs/objects/batch')

          route_hash[:controller] == 'projects/lfs_api' && route_hash[:action] == 'batch'
        end
      end

      def self.internal_routes
        @internal_routes ||=
          API_VERSIONS.map { |version| "api/v#{version}/internal" }
      end

      def initialize(app)
        @app = app
      end

      def call(env)
        Controller.new(@app, env).call
      end
    end
  end
end
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00			`module Gitlab`
			`module Middleware`
			`class ReadOnly`
			`DISALLOWED_METHODS = %w(POST PATCH PUT DELETE).freeze`
			`APPLICATION_JSON = 'application/json'.freeze`
			`API_VERSIONS = (3..4)`

Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`class Controller`
			`def initialize(app, env)`
			`@app = app`
			`@env = env`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def call`
			`if disallowed_request? && Gitlab::Database.read_only?`
			`Rails.logger.debug('GitLab ReadOnly: preventing possible non read-only operation')`
			`error_message = 'You cannot do writing operations on a read-only GitLab instance'`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`if json_request?`
			`return [403, { 'Content-Type' => 'application/json' }, [{ 'message' => error_message }.to_json]]`
			`else`
			`rack_flash.alert = error_message`
			`rack_session['flash'] = rack_flash.to_session_value`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`return [301, { 'Location' => last_visited_url }, []]`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00			`end`
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00
			`@app.call(@env)`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00			`end`

Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`private`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def disallowed_request?`
			`DISALLOWED_METHODS.include?(@env['REQUEST_METHOD']) &&`
			`!whitelisted_routes`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def json_request?`
			`request.media_type == APPLICATION_JSON`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def rack_flash`
			`@rack_flash \|\|= ActionDispatch::Flash::FlashHash.from_session_value(rack_session)`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def rack_session`
			`@env['rack.session']`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def request`
			`@env['rack.request'] \|\|= Rack::Request.new(@env)`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def last_visited_url`
			`@env['HTTP_REFERER'] \|\| rack_session['user_return_to'] \|\| Gitlab::Routing.url_helpers.root_url`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def route_hash`
			`@route_hash \|\|= Rails.application.routes.recognize_path(request.url, { method: request.request_method }) rescue {}`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def whitelisted_routes`
			`grack_route \|\| ReadOnly.internal_routes.any? { \|path\| request.path.include?(path) } \|\| lfs_route \|\| sidekiq_route`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def sidekiq_route`
			`request.path.start_with?('/admin/sidekiq')`
			`end`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def grack_route`
			`# Calling route_hash may be expensive. Only do it if we think there's a possible match`
			`return false unless request.path.end_with?('.git/git-upload-pack')`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`route_hash[:controller] == 'projects/git_http' && route_hash[:action] == 'git_upload_pack'`
			`end`

			`def lfs_route`
			`# Calling route_hash may be expensive. Only do it if we think there's a possible match`
			`return false unless request.path.end_with?('/info/lfs/objects/batch')`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`route_hash[:controller] == 'projects/lfs_api' && route_hash[:action] == 'batch'`
			`end`
			`end`
Optimize read-only middleware so that it does not consume as much CPU In !15082, we changed the behavior of the middleware to call `Rails.application.routes.recognize_path` whenever a new route arrived. However, this can be a CPU-intensive task because Rails needs to allocate memory and compile 850+ different regular expressions, which are complicated in GitLab. As a short-term fix, we can do a lightweight string match before we do the heavier comparison. Closes #40185, gitlab-com/infrastructure#3240 2017-11-20 23:27:52 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def self.internal_routes`
			`@internal_routes \|\|=`
			`API_VERSIONS.map { \|version\| "api/v#{version}/internal" }`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00			`end`

Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def initialize(app)`
			`@app = app`
			`end`
Optimize read-only middleware so that it does not consume as much CPU In !15082, we changed the behavior of the middleware to call `Rails.application.routes.recognize_path` whenever a new route arrived. However, this can be a CPU-intensive task because Rails needs to allocate memory and compile 850+ different regular expressions, which are complicated in GitLab. As a short-term fix, we can do a lightweight string match before we do the heavier comparison. Closes #40185, gitlab-com/infrastructure#3240 2017-11-20 23:27:52 +00:00
Use a controller to hold request values So that we don't need to hold env after the request. This makes it much harder to test, especially Rails session is acting weirdly, so we need `dig('flash', 'flashes', 'alert')` to dig the actual flash value. 2018-02-02 14:12:28 +00:00			`def call(env)`
			`Controller.new(@app, env).call`
Create idea of read-only database In GitLab EE, a GitLab instance can be read-only (e.g. when it's a Geo secondary node). But in GitLab CE it also might be useful to have the "read-only" idea around. So port it back to GitLab CE. Also having the principle of read-only in GitLab CE would hopefully lead to less errors introduced, doing write operations when there aren't allowed for read-only calls. Closes gitlab-org/gitlab-ce#37534. 2017-09-19 07:44:58 +00:00			`end`
			`end`
			`end`
			`end`