upgrade to 17.3.4

.gitlab-version

@@ -1 +1 @@
-17.2.1
+17.3.4

Dockerfile

@@ -1,4 +1,4 @@
-FROM ghcr.io/rtxux/gitlab:17.2.1
+FROM ghcr.io/rtxux/gitlab:17.3.4
 
 # Override files
 COPY assets/runtime/config/gitlabhq/gitlab.yml ${GITLAB_RUNTIME_DIR}/config/gitlabhq/gitlab.yml

assets/runtime/functions

@@ -351,6 +351,10 @@ gitlab_configure_gitaly() {
 gitlab_configure_monitoring() {
   echo "Configuring gitlab::monitoring..."
 
+  if [ "${GITLAB_MONITORING_IP_WHITELIST}" == "" ]; then
+    exec_as_git sed -i "/{{GITLAB_MONITORING_IP_WHITELIST}}/d" ${GITLAB_CONFIG}
+  fi
+
   update_template ${GITLAB_CONFIG} \
     GITLAB_MONITORING_UNICORN_SAMPLER_INTERVAL \
     GITLAB_MONITORING_IP_WHITELIST \
@@ -705,28 +709,30 @@ gitlab_configure_oauth_saml() {
   fi
 }
 
-# gitlab_configure_oauth2_generic() {
-#   if [[ -n ${OAUTH2_GENERIC_APP_ID} && \
-#         -n ${OAUTH2_GENERIC_APP_SECRET} ]]; then
-#     echo "Configuring gitlab::oauth::generic..."
-#     OAUTH_ENABLED=${OAUTH_ENABLED:-true}
-#     update_template ${GITLAB_CONFIG} \
-#     OAUTH2_GENERIC_APP_ID \
-#     OAUTH2_GENERIC_APP_SECRET \
-#     OAUTH2_GENERIC_CLIENT_SITE \
-#     OAUTH2_GENERIC_CLIENT_USER_INFO_URL \
-#     OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \
-#     OAUTH2_GENERIC_CLIENT_TOKEN_URL \
-#     OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \
-#     OAUTH2_GENERIC_ID_PATH \
-#     OAUTH2_GENERIC_USER_UID \
-#     OAUTH2_GENERIC_USER_NAME \
-#     OAUTH2_GENERIC_USER_EMAIL \
-#     OAUTH2_GENERIC_NAME
-#   else
-#       exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG}
-#   fi
-# }
+gitlab_configure_oauth2_generic() {
+  if [[ -n ${OAUTH2_GENERIC_APP_ID} && \
+        -n ${OAUTH2_GENERIC_APP_SECRET} ]]; then
+    echo "Configuring gitlab::oauth::generic..."
+    OAUTH_ENABLED=${OAUTH_ENABLED:-true}
+    update_template ${GITLAB_CONFIG} \
+    OAUTH2_GENERIC_APP_ID \
+    OAUTH2_GENERIC_APP_SECRET \
+    OAUTH2_GENERIC_CLIENT_SITE \
+    OAUTH2_GENERIC_CLIENT_USER_INFO_URL \
+    OAUTH2_GENERIC_CLIENT_AUTHORIZE_URL \
+    OAUTH2_GENERIC_CLIENT_TOKEN_URL \
+    OAUTH2_GENERIC_CLIENT_END_SESSION_ENDPOINT \
+    OAUTH2_GENERIC_ID_PATH \
+    OAUTH2_GENERIC_USER_UID \
+    OAUTH2_GENERIC_USER_NAME \
+    OAUTH2_GENERIC_USER_EMAIL \
+    OAUTH2_GENERIC_AUTHORIZE_PARAMS_SCOPE \
+    OAUTH2_GENERIC_LABEL \
+    OAUTH2_GENERIC_NAME
+  else
+      exec_as_git sed -i "/name: 'oauth2_generic'/,/{{OAUTH2_GENERIC_NAME}}/d" ${GITLAB_CONFIG}
+  fi
+}
 
 gitlab_configure_oauth_crowd() {
   if [[ -n ${OAUTH_CROWD_SERVER_URL} && \
@@ -778,7 +784,7 @@ gitlab_configure_oauth_azure() {
 gitlab_configure_oauth2_generic_ustc() {
   if [[ -n ${OAUTH2_GENERIC_USTC_APP_ID} && \
         -n ${OAUTH2_GENERIC_USTC_APP_SECRET} ]]; then
-    echo "Configuring gitlab::oauth::generic_ustc..."
+    echo "Configuring gitlab::oauth::generic..."
     OAUTH_ENABLED=${OAUTH_ENABLED:-true}
     update_template ${GITLAB_CONFIG} \
     OAUTH2_GENERIC_USTC_APP_ID \
@@ -830,11 +836,11 @@ gitlab_configure_oauth() {
   gitlab_configure_oauth_gitlab
   gitlab_configure_oauth_bitbucket
   gitlab_configure_oauth_saml
-  # gitlab_configure_oauth2_generic
+  gitlab_configure_oauth2_generic
   gitlab_configure_oauth_crowd
   gitlab_configure_oauth_auth0
   gitlab_configure_oauth_azure
-  gitlab_configure_oauth2_generic_ustc
+  gitlab_configure_oauth_azure_ad_v2
   gitlab_configure_oauth_oidc
 
   OAUTH_ENABLED=${OAUTH_ENABLED:-false}
@@ -845,7 +851,8 @@ gitlab_configure_oauth() {
     OAUTH_AUTO_LINK_LDAP_USER \
     OAUTH_AUTO_LINK_SAML_USER \
     OAUTH_AUTO_LINK_USER \
-    OAUTH_EXTERNAL_PROVIDERS
+    OAUTH_EXTERNAL_PROVIDERS \
+    OAUTH_ALLOW_BYPASS_TWO_FACTOR
 
   case ${OAUTH_AUTO_SIGN_IN_WITH_PROVIDER} in
     cas3|google_oauth2|facebook|twitter|github|gitlab|bitbucket|saml|crowd|azure_oauth2|azure_activedirectory_v2|oauth2_generic|$OAUTH2_GENERIC_NAME|oidc)
@@ -1097,6 +1104,24 @@ gitlab_configure_analytics() {
 
 gitlab_configure_rack_attack() {
   echo "Configuring gitlab::rack_attack..."
+
+  # validity check : RACK_ATTACK_WHITELIST should be an array of valid IP Address string
+  echo " Validating RACK_ATTACK_WHITELIST..."
+  /usr/bin/env ruby << SCRIPT
+  require 'ipaddr'
+  ${RACK_ATTACK_WHITELIST}.each do |host|
+    begin
+      printf("  input=%s, to_range=%s\n", host, IPAddr.new(host).to_range)
+    rescue IPAddr::InvalidAddressError => e
+      p e
+      exit 1
+    rescue => e
+      put "Unexpected error", e
+      exit 1
+    end
+  end
+SCRIPT
+
   update_template ${GITLAB_CONFIG} \
     RACK_ATTACK_ENABLED \
     RACK_ATTACK_WHITELIST \
@@ -1672,7 +1697,12 @@ initialize_datadir() {
   chmod u+rwX ${GITLAB_SHARED_DIR}/ci_secure_files
   chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/ci_secure_files
 
-  # create attifacts dir
+  # create external-diffs dir
+  mkdir -p ${GITLAB_SHARED_DIR}/external-diffs
+  chmod u+rwX ${GITLAB_SHARED_DIR}/external-diffs
+  chown ${GITLAB_USER}: ${GITLAB_SHARED_DIR}/external-diffs
+
+  # create artifacts dir
   mkdir -p ${GITLAB_ARTIFACTS_DIR}
   chmod u+rwX ${GITLAB_ARTIFACTS_DIR}
   chown ${GITLAB_USER}: ${GITLAB_ARTIFACTS_DIR}
@@ -1832,13 +1862,13 @@ generate_healthcheck_script() {
   # configure healthcheck script
   ## https://docs.gitlab.com/ee/user/admin_area/monitoring/health_check.html
   local HEALTHCHECK_PROTOCOL="http"
-  if [[ "${GITLAB_HTTPS}" == true ]]; then
+  if [[ "${GITLAB_HTTPS}" == true && "${SSL_SELF_SIGNED}" == false ]]; then
     HEALTHCHECK_PROTOCOL="${HEALTHCHECK_PROTOCOL}s"
   fi
 cat > /usr/local/sbin/healthcheck <<EOF
 #!/bin/bash
-url=${HEALTHCHECK_PROTOCOL}://localhost${GITLAB_RELATIVE_URL_ROOT}/-/liveness
-options=( '--insecure' '--location' '--silent' )
+url=${HEALTHCHECK_PROTOCOL}://127.0.0.1${GITLAB_RELATIVE_URL_ROOT}/-/liveness
+options=( '--insecure' '--silent' )
 curl "\${options[@]}" \$url
 [[ "\$(curl \${options[@]} -o /dev/null -I -w '%{http_code}' \$url)" == "200" ]]
 EOF
@@ -2014,6 +2044,7 @@ configure_gitlab() {
   rm -rf ${GITLAB_INSTALL_DIR}/tmp/sockets/gitlab.socket
 }
 
+# feature flags are recorded to database (schema "application_settings") so requires DB is (at least) initialized
 gitlab_configure_feature_flags() {  
   echo "Configuring gitlab::feature_flags..."
 
@@ -2228,10 +2259,9 @@ migrate_database() {
         mkdir -p ${GITLAB_HOME}/gitlab/node_modules
         chown -R ${GITLAB_USER}: ${GITLAB_HOME}/gitlab/node_modules
       fi
-      echo "Prepare recomplie assets... Installing missing node_modules for assets"
+      echo "Prepare recompile assets... Installing missing node_modules for assets"
       chown -R ${GITLAB_USER}: ${GITLAB_HOME}/gitlab/node_modules
       exec_as_git yarn install --production --pure-lockfile
-      exec_as_git yarn add ajv@^4.0.0
       echo "Recompiling assets (relative_url in use), this could take a while..."
       exec_as_git bundle exec rake gitlab:assets:compile NODE_OPTIONS="--max-old-space-size=4096" >/dev/null 2>&1
     fi