Commit 2ff139dd authored by Pawel Chojnacki's avatar Pawel Chojnacki

Make Warden set_user hook validate user ip uniqueness

 + rename shared context
parent 0ef8a643
...@@ -41,7 +41,7 @@ class ApplicationController < ActionController::Base ...@@ -41,7 +41,7 @@ class ApplicationController < ActionController::Base
end end
rescue_from Gitlab::Auth::TooManyIps do |e| rescue_from Gitlab::Auth::TooManyIps do |e|
head :forbidden, retry_after: UniqueIpsLimiter.config.unique_ips_limit_time_window head :forbidden, retry_after: Gitlab::Auth::UniqueIpsLimiter.config.unique_ips_limit_time_window
end end
def redirect_back_or_default(default: root_path, options: {}) def redirect_back_or_default(default: root_path, options: {})
......
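Review bot: The `rescue_from Gitlab::Auth::TooManyIps do |e|` line never uses `e`, and the `head :forbidden, retry_after: ...` call relies on the non-obvious fact that `head` turns extra options into response headers (here `Retry-After`). Naming the unused param `|_e|` and adding `# head converts retry_after: into a Retry-After header; value is the limiter's time window` would make the intent readable. The unit of `unique_ips_limit_time_window` is not visible here — presumably seconds, which is what Retry-After expects; confirm against the limiter config.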
Rails.application.configure do |config|
Warden::Manager.after_set_user do |user, auth, opts|
Gitlab::Auth::UniqueIpsLimiter.limit_user!(user)
end
end
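Review bot: `Warden::Manager.after_set_user do |user, auth, opts|` and `Rails.application.configure do |config|` declare block parameters they never use; prefer `Rails.application.configure do` and `do |user, _auth, _opts|`. More importantly, `after_set_user` with no event filter fires for every Warden event — including the session `:fetch` on each subsequent request — so `limit_user!` is evaluated per request rather than only at login. If that is the intent, say so with a comment such as `# Runs on every request that sets the Warden user (login and session fetch), so each request's IP counts against the per-user limit`; if only fresh logins should count, restrict it with `Warden::Manager.after_set_user(only: :authentication)`. Whatever `limit_user!` raises here propagates out of Warden to the controller, so the `rescue_from Gitlab::Auth::TooManyIps` in ApplicationController is the only thing turning it into a 403 — worth a note in the initializer as well.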
...@@ -30,11 +30,11 @@ describe SessionsController do ...@@ -30,11 +30,11 @@ describe SessionsController do
expect(SecurityEvent.last.details[:with]).to eq('standard') expect(SecurityEvent.last.details[:with]).to eq('standard')
end end
include_examples 'user login operation with unique ip limit' do include_examples 'user login request with unique ip limit', 302 do
def operation def request
post(:create, user: { login: user.username, password: user.password }) post(:create, user: { login: user.username, password: user.password })
expect(subject.current_user).to eq user expect(subject.current_user).to eq user
subject.sign_out user
end end
end end
end end
......
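Review bot: The `def request` defined inside the `include_examples` block shadows the controller spec's `request` accessor (the ActionController::TestRequest), so any helper in the shared examples that reads `request` — `change_ip`, for instance, if it sets the remote address on it — would now call this login method instead. If `change_ip` does not touch `request` this is harmless, but a less collision-prone hook name in the shared examples (e.g. `login_request`) would remove the ambiguity. The added `subject.sign_out user` also deserves a one-line comment, such as `# sign out so the next call re-authenticates (and re-runs the Warden hook) instead of reusing the session`, since its purpose is not evident from the method itself; that it is needed for the second `request` to be counted is inferred, so confirm against the limiter.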
require 'spec_helper' require 'spec_helper'
describe Gitlab::Auth::UniqueIpsLimiter, :redis, lib: true do describe Gitlab::Auth::UniqueIpsLimiter, :redis, lib: true do
include_context 'enable unique ips sign in limit' include_context 'unique ips sign in limit'
let(:user) { create(:user) } let(:user) { create(:user) }
describe '#count_unique_ips' do describe '#count_unique_ips' do
......
...@@ -4,12 +4,12 @@ describe API::API, api: true do ...@@ -4,12 +4,12 @@ describe API::API, api: true do
include ApiHelpers include ApiHelpers
let!(:user) { create(:user) } let!(:user) { create(:user) }
let!(:application) { Doorkeeper::Application.create!(name: 'MyApp', redirect_uri: 'https://app.com', owner: user) } let!(:application) { Doorkeeper::Application.create!(name: "MyApp", redirect_uri: "https://app.com", owner: user) }
let!(:token) { Doorkeeper::AccessToken.create! application_id: application.id, resource_owner_id: user.id, scopes: 'api' } let!(:token) { Doorkeeper::AccessToken.create! application_id: application.id, resource_owner_id: user.id, scopes: "api" }
describe 'when unauthenticated' do describe "unauthenticated" do
it 'returns authentication success' do it "returns authentication success" do
get api('/user'), access_token: token.token get api("/user"), access_token: token.token
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
end end
...@@ -20,16 +20,16 @@ describe API::API, api: true do ...@@ -20,16 +20,16 @@ describe API::API, api: true do
end end
end end
describe 'when token invalid' do describe "when token invalid" do
it 'returns authentication error' do it "returns authentication error" do
get api('/user'), access_token: '123a' get api("/user"), access_token: "123a"
expect(response).to have_http_status(401) expect(response).to have_http_status(401)
end end
end end
describe 'authorization by private token' do describe "authorization by private token" do
it 'returns authentication success' do it "returns authentication success" do
get api('/user', user) get api("/user", user)
expect(response).to have_http_status(200) expect(response).to have_http_status(200)
end end
......
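Review bot: The quote-style churn in this hunk (single to double quotes on every `describe`/`it`/`get` line, plus `'when unauthenticated'` becoming `"unauthenticated"`) is unrelated to the Warden change and diverges from the sibling specs in this same commit, which keep single quotes. Keeping the original quoting, or moving the cosmetic change to its own commit, would keep the diff focused on the limiter behaviour.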
shared_context 'enable unique ips sign in limit' do shared_context 'unique ips sign in limit' do
include StubENV include StubENV
before(:each) do before(:each) do
Gitlab::Redis.with(&:flushall) Gitlab::Redis.with(&:flushall)
...@@ -19,7 +19,7 @@ shared_context 'enable unique ips sign in limit' do ...@@ -19,7 +19,7 @@ shared_context 'enable unique ips sign in limit' do
end end
shared_examples 'user login operation with unique ip limit' do shared_examples 'user login operation with unique ip limit' do
include_context 'enable unique ips sign in limit' do include_context 'unique ips sign in limit' do
before { current_application_settings.update!(unique_ips_limit_per_user: 1) } before { current_application_settings.update!(unique_ips_limit_per_user: 1) }
it 'allows user authenticating from the same ip' do it 'allows user authenticating from the same ip' do
...@@ -38,23 +38,23 @@ shared_examples 'user login operation with unique ip limit' do ...@@ -38,23 +38,23 @@ shared_examples 'user login operation with unique ip limit' do
end end
end end
shared_examples 'user login request with unique ip limit' do shared_examples 'user login request with unique ip limit' do |success_status = 200|
include_context 'enable unique ips sign in limit' do include_context 'unique ips sign in limit' do
before { current_application_settings.update!(unique_ips_limit_per_user: 1) } before { current_application_settings.update!(unique_ips_limit_per_user: 1) }
it 'allows user authenticating from the same ip' do it 'allows user authenticating from the same ip' do
change_ip('ip') change_ip('ip')
request request
expect(response).to have_http_status(200) expect(response).to have_http_status(success_status)
request request
expect(response).to have_http_status(200) expect(response).to have_http_status(success_status)
end end
it 'blocks user authenticating from two distinct ips' do it 'blocks user authenticating from two distinct ips' do
change_ip('ip') change_ip('ip')
request request
expect(response).to have_http_status(200) expect(response).to have_http_status(success_status)
change_ip('ip2') change_ip('ip2')
request request
......
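Review bot: The new `|success_status = 200|` parameter on `shared_examples 'user login request with unique ip limit'` has no explanation of what it represents; the sessions controller spec passes 302, which only makes sense once you know it is the status the wrapped `request` yields when the user is not limited. A comment above the `shared_examples` line, `# success_status: status `request` returns when the user is not rate-limited (302 for a redirecting login)`, would help the next caller. The 'blocks user authenticating from two distinct ips' example continues past the end of the hunk, so the expectation for the limited request is not visible here.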