Merge branch '40973-disable-rack-attack-by-default' into 'master'

Disable Rack Attack by default Closes #40973 See merge request gitlab-org/gitlab-ce!16669

Merge branch '40973-disable-rack-attack-by-default' into 'master'
Disable Rack Attack by default Closes #40973 See merge request gitlab-org/gitlab-ce!16669
cd03a8ad · Douwe Maan · 891cb10f · 8f39bb5d · cd03a8ad · cd03a8ad
Commit cd03a8ad authored Jul 25, 2018 by Douwe Maan
4 changed files
--- a/changelogs/unreleased/40973-disable-rack-attack-by-default.yml
+++ b/changelogs/unreleased/40973-disable-rack-attack-by-default.yml
+---
+title: Rack attack is now disabled by default
+merge_request: 16669
+author:
+type: changed
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -418,7 +418,7 @@ Settings['extra'] ||= Settingslogic.new({})
 #
 Settings['rack_attack'] ||= Settingslogic.new({})
 Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
-Settings.rack_attack.git_basic_auth['enabled'] = true if Settings.rack_attack.git_basic_auth['enabled'].nil?
+Settings.rack_attack.git_basic_auth['enabled'] = false if Settings.rack_attack.git_basic_auth['enabled'].nil?
 Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
 Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
 Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute

--- a/doc/security/rack_attack.md
+++ b/doc/security/rack_attack.md
@@ -14,8 +14,8 @@ limited to 6 requests per minute. After trying for 6 times, the client will
 have to wait for the next minute to be able to try again.

 If you installed or upgraded GitLab by following the [official guides](../install/README.md)
-this should be enabled by default. If your instance is not exposed to any incoming
-connections, it is recommended to disable Rack Attack.
+this should be disabled by default. If your instance is not exposed to any incoming
+connections, it is recommended to leave Rack Attack disabled.

 For more information on how to use these options check out
 [rack-attack README](https://github.com/kickstarter/rack-attack/blob/master/README.md).
@@ -45,7 +45,7 @@ For more information on how to use these options check out

 The following settings can be configured:

- `enabled`: By default this is set to `true`. Set this to `false` to disable Rack Attack.
+- `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack.
 - `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array.
   For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`.
 - `maxretry`: The maximum amount of times a request can be made in the

--- a/spec/requests/git_http_spec.rb
+++ b/spec/requests/git_http_spec.rb
@@ -381,6 +381,10 @@ describe 'Git HTTP requests' do

          context "when authentication fails" do
            context "when the user is IP banned" do
+              before do
+                Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
+              end
+
              it "responds with status 401" do
                expect(Rack::Attack::Allow2Ban).to receive(:filter).and_return(true)
                allow_any_instance_of(Rack::Request).to receive(:ip).and_return('1.2.3.4')
@@ -420,6 +424,10 @@ describe 'Git HTTP requests' do
              end

              context "when the user isn't blocked" do
+                before do
+                  Gitlab.config.rack_attack.git_basic_auth['enabled'] = true
+                end
+
                it "resets the IP in Rack Attack on download" do
                  expect(Rack::Attack::Allow2Ban).to receive(:reset).twice