authorPawel Chojnacki <pawel@chojnacki.ws>2017-02-17 14:52:27 +0300
committerPawel Chojnacki <pawel@chojnacki.ws>2017-03-06 17:41:25 +0300
commit8993801f0cefdc64b46b8fe30622cc78eaa03173 (patch)
treef9a9a38c91e99f03ea87978119a03538d1e91175 /lib
parent66dc71599cb698d380e14be7230ae3495c78d266 (diff)
Test various login scenarios if the limit gets enforced
Diffstat (limited to 'lib')
-rw-r--r--lib/api/api.rb4
-rw-r--r--lib/api/helpers.rb15
-rw-r--r--lib/gitlab/auth.rb2
-rw-r--r--lib/gitlab/auth/unique_ips_limiter.rb2
4 files changed, 14 insertions, 9 deletions
diff --git a/lib/api/api.rb b/lib/api/api.rb
index 89449ce8813..6f37fa9d8e9 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -60,6 +60,10 @@ module API
error! e.message, e.status, e.headers
end
+ rescue_from Gitlab::Auth::TooManyIps do |e|
+ rack_response({'message'=>'403 Forbidden'}.to_json, 403)
+ end
+
rescue_from :all do |exception|
handle_api_exception(exception)
end
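Review bot: The added `rescue_from Gitlab::Auth::TooManyIps` answers a unique-IP limit hit with a bare `403 Forbidden` body and no `Retry-After`, so an API client cannot distinguish this temporary block from a real permission failure, whereas the Rack path in `unique_ips_limiter.rb` names the cause and advertises a retry window. Consider giving the API the same information: `rack_response({ 'message' => 'Too many logins from different IPs' }.to_json, 403, 'Content-Type' => 'application/json', 'Retry-After' => Gitlab::Auth::UniqueIpsLimiter.config.unique_ips_limit_time_window.to_s)` — this assumes `rack_response` takes Grape's optional headers argument; verify against the Grape version in use. Whichever status is kept, a comment such as `# Unique-IP limiter tripped: answer here so rescue_from :all below does not turn it into a 500` would explain why this handler must sit above the catch-all. The hash literal would also read better with spaces, `{ 'message' => ... }`, matching the surrounding style.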
diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb
index a43252a4661..f325f0a3050 100644
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -336,16 +336,17 @@ module API
def initial_current_user
return @initial_current_user if defined?(@initial_current_user)
+ Gitlab::Auth::UniqueIpsLimiter.limit_user! do
+ @initial_current_user ||= find_user_by_private_token(scopes: @scopes)
+ @initial_current_user ||= doorkeeper_guard(scopes: @scopes)
+ @initial_current_user ||= find_user_from_warden
- @initial_current_user ||= find_user_by_private_token(scopes: @scopes)
- @initial_current_user ||= doorkeeper_guard(scopes: @scopes)
- @initial_current_user ||= find_user_from_warden
+ unless @initial_current_user && Gitlab::UserAccess.new(@initial_current_user).allowed?
+ @initial_current_user = nil
+ end
- unless @initial_current_user && Gitlab::UserAccess.new(@initial_current_user).allowed?
- @initial_current_user = nil
+ @initial_current_user
end
-
- @initial_current_user
end
def sudo!
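Review bot: The memoized `@initial_current_user` is assigned inside the `limit_user!` block, before the limiter has decided, so when `TooManyIps` is raised the ivar stays set to the resolved user and the `defined?` guard at the top of the method hands that user back unchecked to any later caller in the same request (an `after` hook or the error handler touching `current_user`, if any do). Assigning only after the limiter returns keeps the check fail-closed; this presumes `limit_user!` returns its block's value, which the previous `{ result.actor }` call shape in `auth.rb` suggests but the limiter body is not in this diff — verify. The `allowed?` reset then becomes a plain conditional assignment, as below. `initial_current_user` is fully inside the hunk; `def sudo!` continues past it.
```ruby
def initial_current_user
  return @initial_current_user if defined?(@initial_current_user)

  # Let the unique-IP limiter see the resolved user before anything is
  # memoized: on TooManyIps nothing is cached, so a retry re-checks the limit.
  user = Gitlab::Auth::UniqueIpsLimiter.limit_user! do
    find_user_by_private_token(scopes: @scopes) ||
      doorkeeper_guard(scopes: @scopes) ||
      find_user_from_warden
  end

  @initial_current_user =
    if user && Gitlab::UserAccess.new(user).allowed?
      user
    end
end
```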
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index be055080853..8e2aee2d7a0 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -22,7 +22,7 @@ module Gitlab
user_with_password_for_git(login, password) ||
Gitlab::Auth::Result.new
- Gitlab::Auth::UniqueIpsLimiter.limit_user! { result.actor }
+ Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
rate_limit!(ip, success: result.success?, login: login)
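Review bot: Dropping the block means `result.actor` is now evaluated eagerly and passed positionally, while the new code in `api/helpers.rb` still calls `limit_user!` with a block; two call shapes for one limiter are easy to misuse, so a one-line comment on the call here such as `# limit_user! takes a user directly or a block yielding one` (and the same note on the limiter itself) would help — the limiter's definition is not in this diff, so I am assuming it accepts both. Worth stating in a comment as well: `TooManyIps` raised on this line escapes the enclosing method untouched, and the only non-API rescue visible in this change is the Rack middleware in `unique_ips_limiter.rb`, so any caller not behind that middleware presumably surfaces it as a 500. The enclosing method starts and ends outside the hunk.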
diff --git a/lib/gitlab/auth/unique_ips_limiter.rb b/lib/gitlab/auth/unique_ips_limiter.rb
index 01850ae31e8..7f849ef4c38 100644
--- a/lib/gitlab/auth/unique_ips_limiter.rb
+++ b/lib/gitlab/auth/unique_ips_limiter.rb
@@ -62,7 +62,7 @@ module Gitlab
rescue TooManyIps => ex
Rails.logger.info ex.message
- [429, { 'Content-Type' => 'text/plain', 'Retry-After' => UniqueIpsLimiter.config.unique_ips_limit_time_window }, ["Retry later\n"]]
+ [403, { 'Content-Type' => 'text/plain', 'Retry-After' => UniqueIpsLimiter.config.unique_ips_limit_time_window }, ["Too many logins from different IPs\n"]]
end
end
end
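Review bot: The rebuilt response on the `+` line pairs a 403 with a `Retry-After` header; `Retry-After` is specified for 503, 429 and redirects, so HTTP clients and git will treat this as a hard authorization failure and never retry, and Rack requires header values to be Strings (`Rack::Lint` rejects others), so if `unique_ips_limit_time_window` is an Integer this needs `'Retry-After' => UniqueIpsLimiter.config.unique_ips_limit_time_window.to_s`. If 403 is deliberately kept for parity with the API's `rescue_from`, record that choice in a comment, e.g. `# 403 rather than 429 to match the API handler; Retry-After still advertises the window`. The plain-text body carries no user or IP detail, which is the right choice for an unauthenticated response.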