gitlab-org--gitlab-foss/lib/gitlab
Dmitriy Zaporozhets fc4af9b197 Merge branch 'git-auth-rack-attack-improvements' into 'master'
Reduce Rack Attack false positives causing 403 errors during HTTP authentication

### What does this MR do?

This MR reduces false positives causing `403 Forbidden` messages after HTTP authentication.

A Git client may attempt to access a repository without a password. If it receives a 401 error, the client often will try again, this time supplying a password. The problem is that `grack_auth.rb` considers a blank password an authentication failure and increases a Redis counter each time this happens. With enough requests, an IP can be banned temporarily even though previous attempts may have been successful. This leads users to see `403 Forbidden` errors until the ban times out (default: 1 hour).

To reduce the chance of a false positive, this MR resets the counter upon a successful authentication from an IP.

In addition, this MR logs when a user has been banned and introduces the ability to disable Rack Attack via a config variable.

### Are there points in the code the reviewer needs to double check?

rack-attack v4.2.0 doesn't support the ability to clear counters out of the box, so `rack_attack_helpers.rb` includes a number of monkey patches to make it work. It looks like this functionality may be added in v4.3.0. I've also sent pull requests to rack-attack to add the functionality necessary to delete a key.

Each time an authentication is successful, the Redis counter for that IP is cleared. I deemed it better to clear the counter than to allow for blank passwords, since the latter seems like a security risk.

### Why was this MR needed?

It was quite difficult to figure out why users were seeing `403 Forbidden`, which is why the log message was added. Users were getting a lot of false positives when accessing repositories with HTTPS. Including the username in the HTTPS URL (e.g. `https://username@mydomain.com/account/repo.git`) caused authentication failures because while the git client provided the username, it left the password blank, leading to an authentication failure.

### What are the relevant issue numbers / [Feature requests](http://feedback.gitlab.com/)?

See Issue #1171

https://github.com/kickstarter/rack-attack/issues/113

See merge request !392
2015-03-24 21:51:40 +00:00
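The false positive described in the merge request above is easy to reproduce in a small model: a client that first sends a blank password and then retries with the correct one fails once per round, so a naive per-IP failure counter reaches the ban threshold even though every round ends in a successful login. The Ruby below is an added illustration, not code from this repository or from the rack-attack gem; the in-memory counter, the `BAN_AFTER` threshold, the IP and the passwords are constructed for the simulation.

```ruby
# Added example: models the per-IP auth-failure counter from the merge request
# description. Not rack-attack's code; the store is a plain Hash instead of Redis.
class AuthFailureLimiter
  BAN_AFTER = 5 # constructed threshold for the simulation

  attr_reader :log

  def initialize(reset_on_success:)
    @failures = Hash.new(0)      # ip => consecutive failure count
    @banned = {}                 # ip => true while banned
    @reset_on_success = reset_on_success
    @log = []                    # stands in for the "user banned" log line
  end

  def banned?(ip)
    @banned.key?(ip)
  end

  # Simulates one HTTP Basic request from +ip+. Returns :forbidden when the IP
  # is banned, :unauthorized when the credentials are rejected (counter is
  # incremented), or :ok on success (counter is cleared if reset_on_success).
  def request(ip, password, valid_password)
    return :forbidden if banned?(ip)

    if password.nil? || password.empty? || password != valid_password
      @failures[ip] += 1
      if @failures[ip] >= BAN_AFTER
        @banned[ip] = true
        @log << "banned #{ip} after #{@failures[ip]} failed auth attempts"
      end
      return :unauthorized
    end

    # The fix from the MR: a successful authentication clears the counter,
    # so earlier blank-password retries no longer accumulate toward a ban.
    @failures.delete(ip) if @reset_on_success
    :ok
  end
end

# A Git client that tries with no password first and then retries with the
# right one, +rounds+ times in a row (constructed scenario).
def simulate(rounds:, reset_on_success:)
  limiter = AuthFailureLimiter.new(reset_on_success: reset_on_success)
  results = []
  rounds.times do
    results << limiter.request('203.0.113.7', '', 'correct-horse')
    results << limiter.request('203.0.113.7', 'correct-horse', 'correct-horse')
  end
  [results, limiter.log]
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |reset|
    results, log = simulate(rounds: 6, reset_on_success: reset)
    puts "reset_on_success=#{reset}: forbidden=#{results.count(:forbidden)} ok=#{results.count(:ok)}"
    log.each { |line| puts "  #{line}" }
  end
end
```

With `reset_on_success: false` the fifth blank-password attempt trips the ban and every later request, including ones carrying the correct password, gets `:forbidden` until the ban expires; with the reset in place the same traffic never bans the IP, while a client that only ever sends wrong passwords is still cut off after `BAN_AFTER` failures.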
| Name | Last commit | Last update |
|---|---|---|
| backend | Reduce Rack Attack false positives by clearing out auth failure count upon | 2015-03-24 00:36:46 -07:00 |
| bitbucket_import | Fix OAuth2 issue importing a new project from GitHub and GitLab | 2015-03-22 18:16:48 -07:00 |
| diff | Fix commit comments on first line of diff not rendering in Merge Request Discussion view. | 2015-02-20 10:23:34 +01:00 |
| github_import | Fix OAuth2 issue importing a new project from GitHub and GitLab | 2015-03-22 18:16:48 -07:00 |
| gitlab_import | Fix OAuth2 issue importing a new project from GitHub and GitLab | 2015-03-22 18:16:48 -07:00 |
| gitorious_import | Add gitorious.org importer | 2015-02-20 17:42:58 +00:00 |
| graphs | Refactor commits graph | 2014-09-29 12:05:17 +03:00 |
| ldap | Faulty LDAP DN name escaping removed | 2015-03-21 22:57:55 +01:00 |
| middleware | Revert "Increase timeout for Git-over-HTTP requests." | 2015-03-19 18:29:20 -07:00 |
| oauth | Allow users that signed up via OAuth to set their password in order to use Git over HTTP(S). | 2015-02-13 14:44:42 +01:00 |
| satellite | Web Editor: save to new branch | 2015-02-24 11:43:20 +02:00 |
| sidekiq_middleware | Fix typo | 2014-12-08 13:39:18 +01:00 |
| access.rb | Improve protected branches selectbox options | 2015-02-03 18:12:20 -08:00 |
| app_logger.rb | Dry admin logs. | 2014-10-06 00:14:46 +02:00 |
| auth.rb | Session API: Use case-insensitive authentication like in UI | 2014-10-30 18:29:18 +02:00 |
| bitbucket_import.rb | Fix specs. | 2015-02-24 15:07:24 +01:00 |
| blacklist.rb | Prevent people from using ci since we plan to host ci on /ci later. | 2014-09-09 10:11:07 +02:00 |
| closing_issue_extractor.rb | Allow commit messages to close several issues at once (thanks @123Haynes | 2015-01-20 10:45:48 +01:00 |
| compare_result.rb | Refactor compare logic for MR. Use satellites only for forks for better performance | 2014-07-29 12:11:16 +03:00 |
| config_helper.rb | Make app works with strong params | 2014-06-26 23:24:17 +03:00 |
| contributions_calendar.rb | Improve contribution calendar per day info | 2015-03-22 14:52:44 -07:00 |
| contributors.rb | Use Contributor class instead of hash | 2014-07-02 15:09:06 +03:00 |
| current_settings.rb | Move restricted visibility settings to the UI | 2015-03-07 13:11:08 -07:00 |
| force_push_check.rb | Fewer constants, more helpers. | 2015-03-19 10:34:04 +01:00 |
| git.rb | Use Gitlab::Git helper methods and constants as much as possible. | 2015-03-10 13:39:31 +01:00 |
| git_access.rb | Use Gitlab::Git helper methods and constants as much as possible. | 2015-03-10 13:39:31 +01:00 |
| git_access_status.rb | Rubocop enabled for: Use spaces inside hash literal braces | 2015-02-02 20:36:54 -08:00 |
| git_access_wiki.rb | Git hook messages: wiki access fix | 2014-11-24 16:21:35 +02:00 |
| git_logger.rb | Dry admin logs. | 2014-10-06 00:14:46 +02:00 |
| git_ref_validator.rb | fix system silent call | 2014-11-06 13:07:42 +02:00 |
| identifier.rb | Remove deprecated finders | 2014-01-19 23:39:56 +04:00 |
| import_formatter.rb | Add Bitbucket importer. | 2015-02-24 15:07:24 +01:00 |
| inline_diff.rb | Add parenthesis to function def with arguments. | 2014-10-03 09:18:46 +02:00 |
| issues_labels.rb | remove feature label | 2014-10-31 17:22:16 -07:00 |
| logger.rb | Dry admin logs. | 2014-10-06 00:14:46 +02:00 |
| markdown.rb | Fix nested task lists | 2015-03-21 08:45:28 -06:00 |
| markdown_helper.rb | Factor markup? \|\| gitlab_markdown? into new method | 2014-10-04 17:56:12 +02:00 |
| note_data_builder.rb | Added comment notification events to HipChat and Slack services. | 2015-03-06 06:54:00 -08:00 |
| popen.rb | Close standard input in Gitlab::Popen.popen | 2015-01-05 11:51:21 +01:00 |
| production_logger.rb | Dry admin logs. | 2014-10-06 00:14:46 +02:00 |
| project_search_results.rb | Don't include system notes in issue/MR comment count. | 2015-03-23 16:43:08 +01:00 |
| push_data_builder.rb | Extend push_tag event to include tag message and last commit | 2015-03-21 11:25:27 +01:00 |
| reference_extractor.rb | Disable reference creation for comments surrounded by code/preformatted blocks | 2015-03-19 14:37:35 -07:00 |
| regex.rb | Github Importer | 2015-01-10 09:51:43 -08:00 |
| search_results.rb | Fix tests | 2014-08-27 15:26:35 +03:00 |
| seeder.rb | Revert "Create dev fixture projects with fixed visibility" | 2014-11-10 16:17:04 +02:00 |
| sidekiq_logger.rb | Dry admin logs. | 2014-10-06 00:14:46 +02:00 |
| snippet_search_results.rb | Updating to persist a params snippets variable | 2014-09-05 13:30:55 -04:00 |
| theme.rb | Add blue theme to GitLab | 2015-03-11 21:29:11 -07:00 |
| upgrader.rb | Rubocop enabled for: Use spaces inside hash literal braces | 2015-02-02 20:36:54 -08:00 |
| url_builder.rb | Enforce restricted visibilities for snippets | 2015-03-08 17:57:08 -06:00 |
| user_access.rb | Cache LDAP check in Gitlab::UserAccess | 2014-08-06 18:03:01 +02:00 |
| utils.rb | fix system silent call | 2014-11-06 13:07:42 +02:00 |
| version_info.rb | Fix abort gitlab:app:check | 2013-06-06 10:10:51 +09:00 |
| visibility_level.rb | Move application setting to separate variable. | 2015-03-18 13:55:41 -07:00 |