authorJacob Vosmaer <jacob@gitlab.com>2015-01-13 13:02:49 +0300
committerJacob Vosmaer <jacob@gitlab.com>2015-01-13 13:02:49 +0300
commit90e4b400bac1cd8eb68a5ea85b5d5df092efdc61 (patch)
treee9194a984bb09d63a57535bd9fd6591c8d512d2e /config
parent4659a281151ff02ede076480315e9af25870879a (diff)
parentdec168932e87e80d1763931df30ecc0300bbc7e2 (diff)
Merge branch 'git-http-blacklist' into 'master'
Git HTTP blacklist See merge request !1328
Diffstat (limited to 'config')
-rw-r--r--config/gitlab.yml.example14
-rw-r--r--config/initializers/1_settings.rb10
-rw-r--r--config/initializers/rack_attack_git_basic_auth.rb12
-rw-r--r--config/initializers/redis-store-fix-expiry.rb44
4 files changed, 80 insertions, 0 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 7b4c180fccc..5d801b9ae5b 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -298,6 +298,20 @@ production: &base
# ![Company Logo](http://www.companydomain.com/logo.png)
# [Learn more about CompanyName](http://www.companydomain.com/)
+ rack_attack:
+ git_basic_auth:
+ # Whitelist requests from 127.0.0.1 for web proxies (NGINX/Apache) with incorrect headers
+ # ip_whitelist: ["127.0.0.1"]
+ #
+ # Limit the number of Git HTTP authentication attempts per IP
+ # maxretry: 10
+ #
+ # Reset the auth attempt counter per IP after 60 seconds
+ # findtime: 60
+ #
+ # Ban an IP for one hour (3600s) after too many auth attempts
+ # bantime: 3600
+
development:
<<: *base
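Review bot: The `ip_whitelist` comment in the `git_basic_auth` block presents the whitelist as a fix for proxies with incorrect headers, but does not say what the deployment gives up: when the proxy (or Rails' trusted-proxy setting) does not deliver the real client address, every request arrives as the proxy's own address, and whitelisting 127.0.0.1 then switches the limiter off for everyone rather than merely tolerating the proxy. Note too that `1_settings.rb` in this same merge defaults the whitelist to 127.0.0.1, so the commented-out example does not mean "off by default". I would replace the first comment with `# IPs that are never banned. 127.0.0.1 is whitelisted by default so a proxy that hides client addresses cannot get all users banned at once; fix the proxy headers before relying on this limiter.`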
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 27bb83784ba..c744577d516 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -172,6 +172,16 @@ Settings.satellites['timeout'] ||= 30
Settings['extra'] ||= Settingslogic.new({})
#
+# Rack::Attack settings
+#
+Settings['rack_attack'] ||= Settingslogic.new({})
+Settings.rack_attack['git_basic_auth'] ||= Settingslogic.new({})
+Settings.rack_attack.git_basic_auth['ip_whitelist'] ||= %w{127.0.0.1}
+Settings.rack_attack.git_basic_auth['maxretry'] ||= 10
+Settings.rack_attack.git_basic_auth['findtime'] ||= 1.minute
+Settings.rack_attack.git_basic_auth['bantime'] ||= 1.hour
+
+#
# Testing settings
#
if Rails.env.test?
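Review bot: `ip_whitelist ||= %w{127.0.0.1}` makes the whitelist active unless an operator explicitly overrides it, and the reason for that choice is not recorded next to it. The default trades one failure for another: when the reverse proxy does not pass the client address through, all users share the proxy's IP, so without the whitelist ten bad passwords from anyone would ban every user for an hour, while with it the limiter presumably never fires at all. A why-comment above the defaults would keep a later cleanup from "tightening" it to `[]` and causing that lockout, e.g. `# 127.0.0.1 is whitelisted by default: a proxy that hides client IPs would otherwise let one client get everyone banned. The cost is that such a proxy also disables the limiter.` The whitelist is not consulted anywhere in this diff; presumably Grack::Auth reads it.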
diff --git a/config/initializers/rack_attack_git_basic_auth.rb b/config/initializers/rack_attack_git_basic_auth.rb
new file mode 100644
index 00000000000..bbbfed68329
--- /dev/null
+++ b/config/initializers/rack_attack_git_basic_auth.rb
@@ -0,0 +1,12 @@
+unless Rails.env.test?
+ # Tell the Rack::Attack Rack middleware to maintain an IP blacklist. We will
+ # update the blacklist from Grack::Auth#authenticate_user.
+ Rack::Attack.blacklist('Git HTTP Basic Auth') do |req|
+ Rack::Attack::Allow2Ban.filter(req.ip, Gitlab.config.rack_attack.git_basic_auth) do
+ # This block only gets run if the IP was not already banned.
+ # Return false, meaning that we do not see anything wrong with the
+ # request at this time
+ false
+ end
+ end
+end
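Review bot: The ban is keyed on `req.ip`, which as I read Rack::Request is derived from X-Forwarded-For when that header is present, so the address a client is counted and banned under is only as trustworthy as the proxy that sets it. If the proxy appends to rather than replaces the client-supplied header, or the application port is reachable directly, a client can present a fresh address on every request and never accumulate retries, or name someone else's address and get them banned; I would say so in the comment above the blacklist, e.g. `# req.ip honours X-Forwarded-For: the proxy in front of GitLab must overwrite, not append to, that header or the per-IP counting here is attacker-controlled.` The `unless Rails.env.test?` wrapper also means no spec can exercise the blacklist; consider keeping the registration and stubbing the cache in tests instead.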
diff --git a/config/initializers/redis-store-fix-expiry.rb b/config/initializers/redis-store-fix-expiry.rb
new file mode 100644
index 00000000000..fce0a135330
--- /dev/null
+++ b/config/initializers/redis-store-fix-expiry.rb
@@ -0,0 +1,44 @@
+# Monkey-patch Redis::Store to make 'setex' and 'expire' work with namespacing
+
+module Gitlab
+ class Redis
+ class Store
+ module Namespace
+ # Redis::Store#setex in redis-store 1.1.4 does not respect namespaces;
+ # this new method does.
+ def setex(key, expires_in, value, options=nil)
+ namespace(key) { |key| super(key, expires_in, value) }
+ end
+
+ # Redis::Store#expire in redis-store 1.1.4 does not respect namespaces;
+ # this new method does.
+ def expire(key, expires_in)
+ namespace(key) { |key| super(key, expires_in) }
+ end
+
+ private
+
+ # Our new definitions of #setex and #expire above assume that the
+ # #namespace method exists. Because we cannot be sure of that, we
+ # re-implement the #namespace method from Redis::Store::Namespace so
+ # that it is available for all Redis::Store instances, whether they use
+ # namespacing or not.
+ #
+ # Based on lib/redis/store/namespace.rb L49-51 (redis-store 1.1.4)
+ def namespace(key)
+ if @namespace
+ yield interpolate(key)
+ else
+ # This Redis::Store instance does not use a namespace so we should
+ # just pass through the key.
+ yield key
+ end
+ end
+ end
+ end
+ end
+end
+
+Redis::Store.class_eval do
+ include Gitlab::Redis::Store::Namespace
+end
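Review bot: In `setex` and `expire` the block parameter shadows the method's own argument (`namespace(key) { |key| super(key, ...) }`), which Ruby warns about under -w and which makes the raw and namespaced keys easy to confuse in a patch whose whole purpose is that distinction; rename it, e.g. `namespace(key) { |ns_key| super(ns_key, expires_in, value) }` and `namespace(key) { |ns_key| super(ns_key, expires_in) }`. `setex` also accepts an `options` argument and drops it before `super`; a one-line comment on why that is safe (presumably the marshalling layer consumes it before this method is reached) would stop the next reader from "fixing" it. The comments pin the workaround to redis-store 1.1.4, but nothing enforces that; if the gem exposes a version constant, a load-time check that warns when the version changes would keep the monkey-patch from silently shadowing a fixed upstream `setex`/`expire`.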