Refactor Gitlab::Auth rate limiting

fa35aea3 · Jacob Vosmaer · 46d5760c · fa35aea3 · fa35aea3
Commit fa35aea3 authored Jun 03, 2016 by Jacob Vosmaer
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 25 deletions

lib/gitlab/auth.rb lib/gitlab/auth.rb +11 -25

lib/gitlab/auth/rate_limiter.rb lib/gitlab/auth/rate_limiter.rb +42 -0

No files found.
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
 module Gitlab
-  class Auth
+  module Auth
    Result = Struct.new(:user, :type)

    class << self
@@ -64,34 +64,20 @@ module Gitlab
      end

      def rate_limit!(ip, success:, login:)
-        # If the user authenticated successfully, we reset the auth failure count
-        # from Rack::Attack for that IP. A client may attempt to authenticate
-        # with a username and blank password first, and only after it receives
-        # a 401 error does it present a password. Resetting the count prevents
-        # false positives.
-        #
-        # Otherwise, we let Rack::Attack know there was a failed authentication
-        # attempt from this IP. This information is stored in the Rails cache
-        # (Redis) and will be used by the Rack::Attack middleware to decide
-        # whether to block requests from this IP.
-
-        config = Gitlab.config.rack_attack.git_basic_auth
-        return unless config.enabled
+        rate_limiter = IpRateLimiter.new(ip)
+        return unless rate_limiter.enabled?

        if success
-          Rack::Attack::Allow2Ban.reset(ip, config)
+          # Repeated login 'failures' are normal behavior for some Git clients so
+          # it is important to reset the ban counter once the client has proven
+          # they are not a 'bad guy'.
+          rate_limiter.reset!
        else
-          banned = Rack::Attack::Allow2Ban.filter(ip, config) do
-            if config.ip_whitelist.include?(ip)
-              # Don't increment the ban counter for this IP
-              false
-            else
-              # Increment the ban counter for this IP
-              true
-            end
-          end
+          # Register a login failure so that Rack::Attack can block the next
+          # request from this IP if needed.
+          rate_limiter.register_fail!(ip, config)

-          if banned
+          if rate_limiter.banned?
            Rails.logger.info "IP #{ip} failed to login " \
              "as #{login} but has been temporarily banned from Git auth"
          end

--- a/lib/gitlab/auth/rate_limiter.rb
+++ b/lib/gitlab/auth/rate_limiter.rb
+module Gitlab
+  module Auth
+    class IpRateLimiter
+      attr_reader :ip
+
+      def initialize(ip)
+        @ip = ip
+        @banned = false
+      end
+
+      def enabled?
+        config.enabled
+      end
+      
+      def reset!
+        Rack::Attack::Allow2Ban.reset(ip, config)
+      end
+      
+      def register_fail!
+        # Allow2Ban.filter will return false if this IP has not failed too often yet
+        @banned = Rack::Attack::Allow2Ban.filter(ip, config) do
+          # If we return false here, the failure for this IP is ignored by Allow2Ban
+          ignore_failure?
+        end
+      end
+      
+      def banned?
+        @banned
+      end
+      
+      private
+      
+      def config
+        Gitlab.config.rack_attack.git_basic_auth
+      end
+      
+      def ignore_failure?
+        config.ip_whitelist.exclude?(ip)
+      end
+    end
+  end
+end