2025-07-21 23:43:41 +00:00 · 2025-07-10 15:09:50 +00:00
parent 4be54a29ea
commit ee219f9b91
67 changed files with 1163 additions and 500 deletions
--- a/config/feature_flags/gitlab_com_derisk/generic_package_registry_ssrf_protection.yml
+++ b/config/feature_flags/gitlab_com_derisk/generic_package_registry_ssrf_protection.yml
@ -1,10 +1,10 @@
 ---
-name: cleanup_access_tokens
-description: A feature flag to control the background worker that deletes expired and revoked OAuth access tokens
-feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/521855
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/194633
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/549828
+name: generic_package_registry_ssrf_protection
+description:
+feature_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/520294
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/193902
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/547452
 milestone: '18.2'
-group: group::authentication
-type: ops
+group: group::package registry
+type: gitlab_com_derisk
 default_enabled: false
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@ -216,6 +216,12 @@ production: &base
    # this setting should be toggled from the admin pages in the UI.
    # initial_gitlab_product_usage_data: true

+  ## Openbao settings
+  ## Optional: Configure custom OpenBao server URL
+  ## If not specified, defaults to GitLab's host with port 8200
+  # openbao:
+    # url: https://vault.company.com:8200  # Example for external server
+
  ## Custom claim values for JWT ID Tokens
  # ci_id_tokens:
    # issuer_url: <custom-issuer-url>
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@ -774,9 +774,6 @@ Settings.cron_jobs['version_version_check_cron']['args'] = {
 Settings.cron_jobs['import_placeholder_user_cleanup_worker'] ||= {}
 Settings.cron_jobs['import_placeholder_user_cleanup_worker']['cron'] ||= "0 0 * * *"
 Settings.cron_jobs['import_placeholder_user_cleanup_worker']['job_class'] = 'Import::PlaceholderUserCleanupWorker'
-Settings.cron_jobs['authn_oauth_access_token_cleanup_worker'] ||= {}
-Settings.cron_jobs['authn_oauth_access_token_cleanup_worker']['cron'] ||= '5 6 * * *'
-Settings.cron_jobs['authn_oauth_access_token_cleanup_worker']['job_class'] = 'Authn::OauthAccessTokenCleanupWorker'

 Gitlab.ee do
  Settings.cron_jobs['analytics_devops_adoption_create_all_snapshots_worker'] ||= {}
@ -935,6 +932,9 @@ Gitlab.ee do
  Settings.cron_jobs['security_pipeline_execution_policies_schedule_worker'] ||= {}
  Settings.cron_jobs['security_pipeline_execution_policies_schedule_worker']['cron'] ||= '* * * * *'
  Settings.cron_jobs['security_pipeline_execution_policies_schedule_worker']['job_class'] = 'Security::PipelineExecutionPolicies::ScheduleWorker'
+  Settings.cron_jobs['users_security_policy_bot_cleanup_cron_worker'] ||= {}
+  Settings.cron_jobs['users_security_policy_bot_cleanup_cron_worker']['cron'] ||= '0 * * * *'
+  Settings.cron_jobs['users_security_policy_bot_cleanup_cron_worker']['job_class'] = 'Users::SecurityPolicyBotCleanupCronWorker'
  Settings.cron_jobs['security_scans_purge_worker'] ||= {}
  Settings.cron_jobs['security_scans_purge_worker']['cron'] ||= '0 */4 * * 6,0'
  Settings.cron_jobs['security_scans_purge_worker']['job_class'] = 'Security::Scans::PurgeWorker'