Commit 497239d4 authored by Heinrich Lee Yu's avatar Heinrich Lee Yu Committed by Stan Hu

Upgrade Rack Attack to 6.0.0

This adds support for Rails' builtin redis store
parent 5d2d1d79
......@@ -259,9 +259,6 @@ gem 'loofah', '~> 2.2'
# Working with license
gem 'licensee', '~> 8.9'
# Protect against bruteforcing
gem 'rack-attack', '~> 4.4.1'
# Ace editor
gem 'ace-rails-ap', '~> 4.1.0'
......@@ -293,6 +290,9 @@ gem 'base32', '~> 0.3.0'
gem "gitlab-license", "~> 1.0"
# Protect against bruteforcing
gem 'rack-attack', '~> 6.2.0'
# Sentry integration
gem 'sentry-raven', '~> 2.9'
......
......@@ -734,8 +734,8 @@ GEM
rack (2.0.7)
rack-accept (0.4.5)
rack (>= 0.4)
rack-attack (4.4.1)
rack
rack-attack (6.2.0)
rack (>= 1.0, < 3)
rack-cors (1.0.2)
rack-oauth2 (1.9.3)
activesupport
......@@ -1256,7 +1256,7 @@ DEPENDENCIES
puma (~> 3.12)
puma_worker_killer
rack (~> 2.0.7)
rack-attack (~> 4.4.1)
rack-attack (~> 6.2.0)
rack-cors (~> 1.0.0)
rack-oauth2 (~> 1.9.3)
rack-proxy (~> 0.6.0)
......
rack_attack_enabled = Gitlab.config.rack_attack.git_basic_auth['enabled']
# Tell the Rack::Attack Rack middleware to maintain an IP blacklist.
# We update the blacklist in Gitlab::Auth::IpRateLimiter.
Rack::Attack.blocklist('Git HTTP Basic Auth') do |req|
next false unless Gitlab.config.rack_attack.git_basic_auth.enabled
unless Rails.env.test? || !rack_attack_enabled
# Tell the Rack::Attack Rack middleware to maintain an IP blacklist. We will
# update the blacklist from Grack::Auth#authenticate_user.
Rack::Attack.blacklist('Git HTTP Basic Auth') do |req|
Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
# This block only gets run if the IP was not already banned.
# Return false, meaning that we do not see anything wrong with the
# request at this time
false
end
end
end
......@@ -2,8 +2,10 @@
#
# Adds logging for all Rack Attack blocks and throttling events.
ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req|
if [:throttle, :blacklist].include? req.env['rack.attack.match_type']
ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, request_id, payload|
req = payload[:request]
if [:throttle, :blocklist].include? req.env['rack.attack.match_type']
rack_attack_info = {
message: 'Rack_Attack',
env: req.env['rack.attack.match_type'],
......
......@@ -450,16 +450,22 @@ describe 'Git HTTP requests' do
context "when authentication fails" do
context "when the user is IP banned" do
before do
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
stub_rack_attack_setting(enabled: true)
end
it "responds with status 401" do
it "responds with status 403" do
expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return('1.2.3.4')
expect(Gitlab::AuthLogger).to receive(:error).with({
message: 'Rack_Attack',
env: :blocklist,
remote_ip: '127.0.0.1',
request_method: 'GET',
path: "/#{path}/info/refs?service=git-upload-pack"
})
clone_get(path, env)
expect(response).to have_gitlab_http_status(:unauthorized)
expect(response).to have_gitlab_http_status(:forbidden)
end
end
end
......@@ -493,7 +499,7 @@ describe 'Git HTTP requests' do
context "when the user isn't blocked" do
before do
Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
stub_rack_attack_setting(enabled: true, bantime: 1.minute, findtime: 5.minutes, maxretry: 2, ip_whitelist: [])
end
it "resets the IP in Rack Attack on download" do
......@@ -652,9 +658,11 @@ describe 'Git HTTP requests' do
response.status
end
include_context 'rack attack cache store'
it "repeated attempts followed by successful attempt" do
options = Gitlab.config.rack_attack.git_basic_auth
maxretry = options[:maxretry] - 1
maxretry = options[:maxretry]
ip = '1.2.3.4'
allow_any_instance_of(ActionDispatch::Request).to receive(:ip).and_return(ip)
......@@ -666,12 +674,6 @@ describe 'Git HTTP requests' do
expect(attempt_login(true)).to eq(200)
expect(Rack::Attack::Allow2Ban.banned?(ip)).to be_falsey
maxretry.times.each do
expect(attempt_login(false)).to eq(401)
end
Rack::Attack::Allow2Ban.reset(ip, options)
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment