Add latest changes from gitlab-org/gitlab@master

6 files changed, 87 insertions, 7 deletions

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 0d0384ba52f..224ce75c83f 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -13,6 +13,7 @@ class ApplicationController < ActionController::Base
   include WithPerformanceBar
   include SessionlessAuthentication
   include ConfirmEmailWarning
+  include Gitlab::Tracking::ControllerConcern
 
   before_action :authenticate_user!
   before_action :enforce_terms!, if: :should_enforce_terms?
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 8c5be1c315d..42fe42398f1 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -265,6 +265,10 @@ module ApplicationSettingsHelper
       :throttle_unauthenticated_enabled,
       :throttle_unauthenticated_period_in_seconds,
       :throttle_unauthenticated_requests_per_period,
+      :throttle_protected_paths_enabled,
+      :throttle_protected_paths_period_in_seconds,
+      :throttle_protected_paths_requests_per_period,
+      :protected_paths_raw,
       :time_tracking_limit_to_hours,
       :two_factor_grace_period,
       :unique_ips_limit_enabled,
@@ -308,6 +312,10 @@ module ApplicationSettingsHelper
   def instance_clusters_enabled?
     can?(current_user, :read_cluster, Clusters::Instance.new)
   end
+
+  def omnibus_protected_paths_throttle?
+    Rack::Attack.throttles.key?('protected paths')
+  end
 end
 
 ApplicationSettingsHelper.prepend_if_ee('EE::ApplicationSettingsHelper') # rubocop: disable Cop/InjectEnterpriseEditionModule
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 92526def144..02f214341fb 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -210,6 +210,10 @@ class ApplicationSetting < ApplicationRecord
             presence: true,
             if: :static_objects_external_storage_url?
 
+  validates :protected_paths,
+            length: { maximum: 100, message: N_('is too long (maximum is 100 entries)') },
+            allow_nil: false
+
   SUPPORTED_KEY_TYPES.each do |type|
     validates :"#{type}_key_restriction", presence: true, key_restriction: { type: type }
   end
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index 8d9597aa5a4..d486347bb1d 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -4,7 +4,7 @@ module ApplicationSettingImplementation
   extend ActiveSupport::Concern
   include Gitlab::Utils::StrongMemoize
 
-  DOMAIN_LIST_SEPARATOR = %r{\s*[,;]\s*     # comma or semicolon, optionally surrounded by whitespace
+  STRING_LIST_SEPARATOR = %r{\s*[,;]\s*     # comma or semicolon, optionally surrounded by whitespace
                             |               # or
                             \s              # any whitespace character
                             |               # or
@@ -16,6 +16,19 @@ module ApplicationSettingImplementation
   FORBIDDEN_KEY_VALUE = KeyRestrictionValidator::FORBIDDEN
   SUPPORTED_KEY_TYPES = %i[rsa dsa ecdsa ed25519].freeze
 
+  DEFAULT_PROTECTED_PATHS = [
+    '/users/password',
+    '/users/sign_in',
+    '/api/v3/session.json',
+    '/api/v3/session',
+    '/api/v4/session.json',
+    '/api/v4/session',
+    '/users',
+    '/users/confirmation',
+    '/unsubscribes/',
+    '/import/github/personal_access_token'
+  ].freeze
+
   class_methods do
     def defaults
       {
@@ -92,6 +105,10 @@ module ApplicationSettingImplementation
         throttle_unauthenticated_enabled: false,
         throttle_unauthenticated_period_in_seconds: 3600,
         throttle_unauthenticated_requests_per_period: 3600,
+        throttle_protected_paths_enabled: false,
+        throttle_protected_paths_in_seconds: 10,
+        throttle_protected_paths_per_period: 60,
+        protected_paths: DEFAULT_PROTECTED_PATHS,
         time_tracking_limit_to_hours: false,
         two_factor_grace_period: 48,
         unique_ips_limit_enabled: false,
@@ -149,11 +166,11 @@ module ApplicationSettingImplementation
   end
 
   def domain_whitelist_raw=(values)
-    self.domain_whitelist = domain_strings_to_array(values)
+    self.domain_whitelist = strings_to_array(values)
   end
 
   def domain_blacklist_raw=(values)
-    self.domain_blacklist = domain_strings_to_array(values)
+    self.domain_blacklist = strings_to_array(values)
   end
 
   def domain_blacklist_file=(file)
@@ -167,7 +184,7 @@ module ApplicationSettingImplementation
   def outbound_local_requests_whitelist_raw=(values)
     clear_memoization(:outbound_local_requests_whitelist_arrays)
 
-    self.outbound_local_requests_whitelist = domain_strings_to_array(values)
+    self.outbound_local_requests_whitelist = strings_to_array(values)
   end
 
   def add_to_outbound_local_requests_whitelist(values_array)
@@ -200,8 +217,16 @@ module ApplicationSettingImplementation
     end
   end
 
+  def protected_paths_raw
+    array_to_string(self.protected_paths)
+  end
+
+  def protected_paths_raw=(values)
+    self.protected_paths = strings_to_array(values)
+  end
+
   def asset_proxy_whitelist=(values)
-    values = domain_strings_to_array(values) if values.is_a?(String)
+    values = strings_to_array(values) if values.is_a?(String)
 
     # make sure we always whitelist the running host
     values << Gitlab.config.gitlab.host unless values.include?(Gitlab.config.gitlab.host)
@@ -316,11 +341,11 @@ module ApplicationSettingImplementation
     arr&.join("\n")
   end
 
-  def domain_strings_to_array(values)
+  def strings_to_array(values)
     return [] unless values
 
     values
-      .split(DOMAIN_LIST_SEPARATOR)
+      .split(STRING_LIST_SEPARATOR)
       .map(&:strip)
       .reject(&:empty?)
       .uniq
diff --git a/app/views/admin/application_settings/_protected_paths.html.haml b/app/views/admin/application_settings/_protected_paths.html.haml
new file mode 100644
index 00000000000..cfb04562b59
--- /dev/null
+++ b/app/views/admin/application_settings/_protected_paths.html.haml
@@ -0,0 +1,31 @@
+= form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-protected-paths-settings'), html: { class: 'fieldset-form' } do |f|
+  = form_errors(@application_setting)
+
+  %fieldset
+    - if omnibus_protected_paths_throttle?
+      .bs-callout.bs-callout-danger
+        - relative_url_link = 'https://docs.gitlab.com/ee/user/admin_area/settings/protected_paths.html#migrating-from-omnibus'
+        - relative_url_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: relative_url_link }
+        = _("Omnibus Protected Paths throttle is active. From 12.4, Omnibus throttle is deprecated and will be removed in a future release. Please read the %{relative_url_link_start}Migrating Protected Paths documentation%{relative_url_link_end}.").html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
+
+    .form-group
+      .form-check
+        = f.check_box :throttle_protected_paths_enabled, class: 'form-check-input'
+        = f.label :throttle_protected_paths_enabled, class: 'form-check-label' do
+          = _('Enable protected paths rate limit')
+        %span.form-text.text-muted
+          = _('Helps reduce request volume for protected paths')
+    .form-group
+      = f.label :throttle_protected_paths_requests_per_period, 'Max requests per period per user', class: 'label-bold'
+      = f.number_field :throttle_protected_paths_requests_per_period, class: 'form-control'
+    .form-group
+      = f.label :throttle_protected_paths_period_in_seconds, 'Rate limit period in seconds', class: 'label-bold'
+      = f.number_field :throttle_protected_paths_period_in_seconds, class: 'form-control'
+    .form-group
+      = f.label :protected_paths, class: 'label-bold' do
+        - relative_url_link = 'https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-a-relative-url-for-gitlab'
+        - relative_url_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: relative_url_link }
+        = _('All paths are relative to the GitLab URL. Do not include %{relative_url_link_start}relative URL%{relative_url_link_end}.').html_safe % { relative_url_link_start: relative_url_link_start, relative_url_link_end: '</a>'.html_safe }
+      = f.text_area :protected_paths_raw, placeholder: '/users/sign_in,/users/password', class: 'form-control', rows: 10
+
+  = f.submit 'Save changes', class: 'btn btn-success'
diff --git a/app/views/admin/application_settings/network.html.haml b/app/views/admin/application_settings/network.html.haml
index 3a4d901ca1d..a1f39e22e80 100644
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -34,3 +34,14 @@
       = _('Allow requests to the local network from hooks and services.')
   .settings-content
     = render 'outbound'
+
+%section.settings.as-protected-paths.no-animate#js-protected-paths-settings{ class: ('expanded' if expanded_by_default?) }
+  .settings-header
+    %h4
+      = _('Protected Paths')
+    %button.btn.btn-default.js-settings-toggle{ type: 'button' }
+      = expanded_by_default? ? _('Collapse') : _('Expand')
+    %p
+      = _('Configure paths to be protected by Rack Attack. A web server restart is required after changing these settings.')
+  .settings-content
+    = render 'protected_paths'