Merge branch 'ashmckenzie/add-metadata-settings-section-for-workhorse' into 'master'

Allow metadata  zip reader limit to be configurable

See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/7410

Merged-by: Robert Marshall <rmarshall@gitlab.com>
Approved-by: Robert Marshall <rmarshall@gitlab.com>
Approved-by: João Alexandre Cunha <j.a.cunha@gmail.com>
Co-authored-by: Ash McKenzie <amckenzie@gitlab.com>

files/gitlab-config-template/gitlab.rb.template

@@ -1162,10 +1162,12 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_workhorse['redis_sentinel_master_ip'] = nil
 # gitlab_workhorse['redis_sentinel_master_port'] = nil
 
-
 ##! Command to generate extra configuration
 # gitlab_workhorse['extra_config_command'] = nil
 
+##! Metadata configuration section
+# gitlab_workhorse['metadata_zip_reader_limit_bytes'] = nil
+
 ################################################################################
 ## GitLab User Settings
 ##! Modify default git user.

files/gitlab-cookbooks/gitlab/attributes/default.rb

@@ -848,6 +848,8 @@ default['gitlab']['gitlab_workhorse']['redis_sentinel_master_port'] = nil
 
 default['gitlab']['gitlab_workhorse']['extra_config_command'] = nil
 
+default['gitlab']['gitlab_workhorse']['metadata_zip_reader_limit_bytes'] = nil
+
 ####
 # mailroom
 ####

files/gitlab-cookbooks/gitlab/recipes/gitlab-workhorse.rb

@@ -96,6 +96,7 @@ image_scaler_max_filesize = node['gitlab']['gitlab_workhorse']['image_scaler_max
 trusted_cidrs_for_propagation = node['gitlab']['gitlab_workhorse']['trusted_cidrs_for_propagation']
 trusted_cidrs_for_x_forwarded_for = node['gitlab']['gitlab_workhorse']['trusted_cidrs_for_x_forwarded_for']
 extra_config_command = node['gitlab']['gitlab_workhorse']['extra_config_command']
+metadata_zip_reader_limit_bytes = node['gitlab']['gitlab_workhorse']['metadata_zip_reader_limit_bytes']
 
 template config_file_path do
   source "workhorse-config.toml.erb"
@@ -116,7 +117,8 @@ template config_file_path do
     trusted_cidrs_for_propagation: trusted_cidrs_for_propagation,
     trusted_cidrs_for_x_forwarded_for: trusted_cidrs_for_x_forwarded_for,
     object_store_toml: workhorse_helper.object_store_toml,
-    extra_config_command: extra_config_command
+    extra_config_command: extra_config_command,
+    metadata_zip_reader_limit_bytes: metadata_zip_reader_limit_bytes
   )
   notifies :restart, "runit_service[gitlab-workhorse]"
   notifies :run, 'bash[Set proper security context on ssh files for selinux]', :delayed if SELinuxHelper.enabled?

files/gitlab-cookbooks/gitlab/templates/default/workhorse-config.toml.erb

@@ -34,3 +34,10 @@ SentinelPassword = "<%= @sentinel_password %>"
 [image_resizer]
   max_scaler_procs = <%= @image_scaler_max_procs %>
   max_filesize = <%= @image_scaler_max_filesize %>
+
+<%- unless @metadata_zip_reader_limit_bytes.nil? %>
+[metadata]
+  <%- if @metadata_zip_reader_limit_bytes %>
+  zip_reader_limit_bytes = <%= @metadata_zip_reader_limit_bytes %>
+  <%- end %>
+<%- end %>

spec/chef/cookbooks/gitlab/recipes/gitlab-workhorse_spec.rb

@@ -66,6 +66,12 @@ RSpec.describe 'gitlab::gitlab-workhorse' do
         expect(content).not_to match(/config_command/)
       }
     end
+
+    it 'does not include metadata section' do
+      expect(chef_run).to render_file(config_file).with_content { |content|
+        expect(content).not_to match(/\[metadata\]/)
+      }
+    end
   end
 
   context 'user and group' do
@@ -787,5 +793,21 @@ RSpec.describe 'gitlab::gitlab-workhorse' do
     end
   end
 
+  context 'with metadata_zip_reader_limit_bytes specified' do
+    before do
+      stub_gitlab_rb(
+        gitlab_workhorse: {
+          metadata_zip_reader_limit_bytes: 209715200
+        }
+      )
+    end
+
+    it 'specifies zip_reader_limit_bytes in the config file' do
+      expect(chef_run).to render_file(config_file).with_content { |content|
+        expect(content).to match(%r(\[metadata\]\n  zip_reader_limit_bytes = 209715200))
+      }
+    end
+  end
+
   include_examples "consul service discovery", "gitlab_workhorse", "workhorse"
 end