authorGitLab Bot <gitlab-bot@gitlab.com>2019-09-27 00:06:29 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2019-09-27 00:06:29 +0300
commit430999251558db3c64b4adfc6e2b4fb771f6cd48 (patch)
treedd8bb7eab17ab8072179b9636bde34ec67ea17f5 /config
parente66d6781ef36e39d15b1b9bc84cc30e87969edad (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'config')
-rw-r--r--config/initializers/rack_attack_logging.rb10
-rw-r--r--config/initializers/rack_attack_new.rb (renamed from config/initializers/rack_attack_global.rb)56
2 files changed, 65 insertions, 1 deletions
diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb
index b43fff24bb0..be7c2175cb2 100644
--- a/config/initializers/rack_attack_logging.rb
+++ b/config/initializers/rack_attack_logging.rb
@@ -12,10 +12,18 @@ ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, r
path: req.fullpath
}
- if %w(throttle_authenticated_api throttle_authenticated_web).include? req.env['rack.attack.matched']
+ throttles_with_user_information = [
+ :throttle_authenticated_api,
+ :throttle_authenticated_web,
+ :throttle_authenticated_protected_paths_api,
+ :throttle_authenticated_protected_paths_web
+ ]
+
+ if throttles_with_user_information.include? req.env['rack.attack.matched'].to_sym
user_id = req.env['rack.attack.match_discriminator']
user = User.find_by(id: user_id)
+ rack_attack_info[:throttle_type] = req.env['rack.attack.matched']
rack_attack_info[:user_id] = user_id
rack_attack_info[:username] = user.username unless user.nil?
end
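Review bot: The new `if` at the end of the hunk calls `.to_sym` on `req.env['rack.attack.matched']`, which raises NoMethodError if that key is ever absent, whereas the `%w(...)` string membership test it replaces tolerated nil. If this subscriber can fire for a rack.attack event that sets no matched name, the conversion should be guarded or dropped; keeping the list as strings, `throttles_with_user_information = %w[throttle_authenticated_api throttle_authenticated_web throttle_authenticated_protected_paths_api throttle_authenticated_protected_paths_web]` with `if throttles_with_user_information.include?(req.env['rack.attack.matched'])`, avoids the symbol conversion entirely. These names must also stay in step with the throttle names declared in config/initializers/rack_attack_new.rb in this same commit, and a comment next to the list saying so would make that coupling visible. The subscribe block enclosing this hunk starts and ends outside it.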
diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_new.rb
index 7f0439ef9bf..2812ceb3fd5 100644
--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_new.rb
@@ -3,6 +3,15 @@ module Gitlab::Throttle
Gitlab::CurrentSettings.current_application_settings
end
+ def self.protected_paths_enabled?
+ !self.omnibus_protected_paths_present? &&
+ self.settings.throttle_protected_paths_enabled?
+ end
+
+ def self.omnibus_protected_paths_present?
+ Rack::Attack.throttles.key?('protected paths')
+ end
+
def self.unauthenticated_options
limit_proc = proc { |req| settings.throttle_unauthenticated_requests_per_period }
period_proc = proc { |req| settings.throttle_unauthenticated_period_in_seconds.seconds }
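Review bot: `protected_paths_enabled?` uses explicit `self.` receivers on `omnibus_protected_paths_present?` and `settings`, which is redundant inside a `def self.` method and differs from how the neighbouring `unauthenticated_options` calls `settings` bare; `!omnibus_protected_paths_present? && settings.throttle_protected_paths_enabled?` reads the same. The precedence rule encoded here is not obvious from the names and deserves a why-comment, e.g. `# An Omnibus-configured 'protected paths' throttle takes precedence: while it is present the application-setting based throttles stay disabled.` Since the throttle blocks added later in this file call `protected_paths_enabled?` per request, `Rack::Attack.throttles` is consulted on every request rather than once at boot, which I assume is intended but is worth stating. The enclosing module Gitlab::Throttle starts outside the hunk.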
@@ -20,6 +29,13 @@ module Gitlab::Throttle
period_proc = proc { |req| settings.throttle_authenticated_web_period_in_seconds.seconds }
{ limit: limit_proc, period: period_proc }
end
+
+ def self.protected_paths_options
+ limit_proc = proc { |req| settings.throttle_protected_paths_requests_per_period }
+ period_proc = proc { |req| settings.throttle_protected_paths_period_in_seconds.seconds }
+
+ { limit: limit_proc, period: period_proc }
+ end
end
class Rack::Attack
@@ -42,6 +58,28 @@ class Rack::Attack
req.authenticated_user_id([:api, :rss, :ics])
end
+ throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req|
+ Gitlab::Throttle.protected_paths_enabled? &&
+ req.unauthenticated? &&
+ !req.should_be_skipped? &&
+ req.protected_path? &&
+ req.ip
+ end
+
+ throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req|
+ Gitlab::Throttle.protected_paths_enabled? &&
+ req.api_request? &&
+ req.protected_path? &&
+ req.authenticated_user_id([:api])
+ end
+
+ throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req|
+ Gitlab::Throttle.protected_paths_enabled? &&
+ req.web_request? &&
+ req.protected_path? &&
+ req.authenticated_user_id([:api, :rss, :ics])
+ end
+
class Request
def unauthenticated?
!authenticated_user_id([:api, :rss, :ics])
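Review bot: The three throttle names added here are duplicated as symbols in `throttles_with_user_information` in config/initializers/rack_attack_logging.rb (the other file in this commit), and nothing ties the two lists together, so renaming a throttle would silently drop its user_id/username logging; a comment on the first new throttle, `# Names are mirrored in rack_attack_logging.rb for user-attributed log entries; keep both in sync.`, would make the coupling visible. The unauthenticated variant checks `!req.should_be_skipped?` while the two authenticated variants do not; if that mirrors the existing authenticated throttles above (outside this hunk), a short comment saying so would save the next reader the question. It is also worth noting in a comment that `req.protected_path?` (defined further down the file) is an anchored prefix match, so each configured entry also covers every sub-path beneath it. The enclosing `class Rack::Attack` starts before the hunk and ends after it.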
@@ -66,6 +104,24 @@ class Rack::Attack
def web_request?
!api_request?
end
+
+ def protected_path?
+ !protected_path_regex.nil?
+ end
+
+ def protected_path_regex
+ path =~ protected_paths_regex
+ end
+
+ private
+
+ def protected_paths
+ Gitlab::CurrentSettings.current_application_settings.protected_paths
+ end
+
+ def protected_paths_regex
+ Regexp.union(protected_paths.map { |path| /\A#{Regexp.escape(path)}/ })
+ end
end
end