Reduce Rack Attack false positives by clearing out auth failure count upon

successful Git over HTTP authentication.

Add logging when a ban goes into effect for debugging.

Issue #1171

2 files changed, 62 insertions, 14 deletions

diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index ee877e099b1..ffe4565ef1e 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -1,3 +1,4 @@
+require_relative 'rack_attack_helpers'
 require_relative 'shell_env'
 
 module Grack
@@ -85,25 +86,41 @@ module Grack
         user = oauth_access_token_check(login, password)
       end
 
-      return user if user.present?
-
-      # At this point, we know the credentials were wrong. We let Rack::Attack
-      # know there was a failed authentication attempt from this IP. This
-      # information is stored in the Rails cache (Redis) and will be used by
-      # the Rack::Attack middleware to decide whether to block requests from
-      # this IP.
+      # If the user authenticated successfully, we reset the auth failure count
+      # from Rack::Attack for that IP. A client may attempt to authenticate
+      # with a username and blank password first, and only after it receives
+      # a 401 error does it present a password. Resetting the count prevents
+      # false positives from occurring.
+      #
+      # Otherwise, we let Rack::Attack know there was a failed authentication
+      # attempt from this IP. This information is stored in the Rails cache
+      # (Redis) and will be used by the Rack::Attack middleware to decide
+      # whether to block requests from this IP.
       config = Gitlab.config.rack_attack.git_basic_auth
-      Rack::Attack::Allow2Ban.filter(@request.ip, config) do
-        # Unless the IP is whitelisted, return true so that Allow2Ban
-        # increments the counter (stored in Rails.cache) for the IP
-        if config.ip_whitelist.include?(@request.ip)
-          false
+
+      if config.enabled
+        if user
+          # A successful login will reset the auth failure count from this IP
+          Rack::Attack::Allow2Ban.reset(@request.ip, config)
         else
-          true
+          banned = Rack::Attack::Allow2Ban.filter(@request.ip, config) do
+            # Unless the IP is whitelisted, return true so that Allow2Ban
+            # increments the counter (stored in Rails.cache) for the IP
+            if config.ip_whitelist.include?(@request.ip)
+              false
+            else
+              true
+            end
+          end
+
+          if banned
+            Rails.logger.info "IP #{@request.ip} failed to login " \
+              "as #{login} but has been temporarily banned from Git auth"
+          end
         end
       end
 
-      nil # No user was found
+      user
     end
 
     def authorized_request?
diff --git a/lib/gitlab/backend/rack_attack_helpers.rb b/lib/gitlab/backend/rack_attack_helpers.rb
new file mode 100644
index 00000000000..8538f3f6eca
--- /dev/null
+++ b/lib/gitlab/backend/rack_attack_helpers.rb
@@ -0,0 +1,31 @@
+# rack-attack v4.2.0 doesn't yet support clearing of keys.
+# Taken from https://github.com/kickstarter/rack-attack/issues/113
+class Rack::Attack::Allow2Ban
+  def self.reset(discriminator, options)
+    findtime = options[:findtime] or raise ArgumentError, "Must pass findtime option"
+
+    cache.reset_count("#{key_prefix}:count:#{discriminator}", findtime)
+    cache.delete("#{key_prefix}:ban:#{discriminator}")
+  end
+end
+
+class Rack::Attack::Cache
+  def reset_count(unprefixed_key, period)
+    epoch_time = Time.now.to_i
+    # Add 1 to expires_in to avoid timing error: http://git.io/i1PHXA
+    expires_in = period - (epoch_time % period) + 1
+    key = "#{(epoch_time / period).to_i}:#{unprefixed_key}"
+    delete(key)
+  end
+
+  def delete(unprefixed_key)
+    store.delete("#{prefix}:#{unprefixed_key}")
+  end
+end
+
+class Rack::Attack::StoreProxy::RedisStoreProxy
+  def delete(key, options={})
+    self.del(key)
+    rescue Redis::BaseError
+  end
+end