Merge branch 'security-59549-add-capcha-for-failed-logins' into 'master'

Require a captcha after unique failed logins from the same IP

See merge request gitlab/gitlabhq!3270

4 files changed, 171 insertions, 18 deletions

diff --git a/spec/controllers/sessions_controller_spec.rb b/spec/controllers/sessions_controller_spec.rb
index 9c4ddce5409..68b7bf61231 100644
--- a/spec/controllers/sessions_controller_spec.rb
+++ b/spec/controllers/sessions_controller_spec.rb
@@ -100,16 +100,8 @@ describe SessionsController do
         end
       end
 
-      context 'when reCAPTCHA is enabled' do
-        let(:user) { create(:user) }
-        let(:user_params) { { login: user.username, password: user.password } }
-
-        before do
-          stub_application_setting(recaptcha_enabled: true)
-          request.headers[described_class::CAPTCHA_HEADER] = 1
-        end
-
-        it 'displays an error when the reCAPTCHA is not solved' do
+      context 'with reCAPTCHA' do
+        def unsuccesful_login(user_params, sesion_params: {})
           # Without this, `verify_recaptcha` arbitrarily returns true in test env
           Recaptcha.configuration.skip_verify_env.delete('test')
           counter = double(:counter)
@@ -119,14 +111,10 @@ describe SessionsController do
                                       .with(:failed_login_captcha_total, anything)
                                       .and_return(counter)
 
-          post(:create, params: { user: user_params })
-
-          expect(response).to render_template(:new)
-          expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
-          expect(subject.current_user).to be_nil
+          post(:create, params: { user: user_params }, session: sesion_params)
         end
 
-        it 'successfully logs in a user when reCAPTCHA is solved' do
+        def succesful_login(user_params, sesion_params: {})
           # Avoid test ordering issue and ensure `verify_recaptcha` returns true
           Recaptcha.configuration.skip_verify_env << 'test'
           counter = double(:counter)
@@ -137,9 +125,80 @@ describe SessionsController do
                                       .and_return(counter)
           expect(Gitlab::Metrics).to receive(:counter).and_call_original
 
-          post(:create, params: { user: user_params })
+          post(:create, params: { user: user_params }, session: sesion_params)
+        end
 
-          expect(subject.current_user).to eq user
+        context 'when reCAPTCHA is enabled' do
+          let(:user) { create(:user) }
+          let(:user_params) { { login: user.username, password: user.password } }
+
+          before do
+            stub_application_setting(recaptcha_enabled: true)
+            request.headers[described_class::CAPTCHA_HEADER] = 1
+          end
+
+          it 'displays an error when the reCAPTCHA is not solved' do
+            # Without this, `verify_recaptcha` arbitrarily returns true in test env
+
+            unsuccesful_login(user_params)
+
+            expect(response).to render_template(:new)
+            expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+            expect(subject.current_user).to be_nil
+          end
+
+          it 'successfully logs in a user when reCAPTCHA is solved' do
+            succesful_login(user_params)
+
+            expect(subject.current_user).to eq user
+          end
+        end
+
+        context 'when reCAPTCHA login protection is enabled' do
+          let(:user) { create(:user) }
+          let(:user_params) { { login: user.username, password: user.password } }
+
+          before do
+            stub_application_setting(login_recaptcha_protection_enabled: true)
+          end
+
+          context 'when user tried to login 5 times' do
+            it 'displays an error when the reCAPTCHA is not solved' do
+              unsuccesful_login(user_params, sesion_params: { failed_login_attempts: 6 })
+
+              expect(response).to render_template(:new)
+              expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+              expect(subject.current_user).to be_nil
+            end
+
+            it 'successfully logs in a user when reCAPTCHA is solved' do
+              succesful_login(user_params, sesion_params: { failed_login_attempts: 6 })
+
+              expect(subject.current_user).to eq user
+            end
+          end
+
+          context 'when there are more than 5 anonymous session with the same IP' do
+            before do
+              allow(Gitlab::AnonymousSession).to receive_message_chain(:new, :stored_sessions).and_return(6)
+            end
+
+            it 'displays an error when the reCAPTCHA is not solved' do
+              unsuccesful_login(user_params)
+
+              expect(response).to render_template(:new)
+              expect(flash[:alert]).to include 'There was an error with the reCAPTCHA. Please solve the reCAPTCHA again.'
+              expect(subject.current_user).to be_nil
+            end
+
+            it 'successfully logs in a user when reCAPTCHA is solved' do
+              expect(Gitlab::AnonymousSession).to receive_message_chain(:new, :cleanup_session_per_ip_entries)
+
+              succesful_login(user_params)
+
+              expect(subject.current_user).to eq user
+            end
+          end
         end
       end
     end
@@ -348,4 +407,17 @@ describe SessionsController do
       expect(controller.stored_location_for(:redirect)).to eq(search_path)
     end
   end
+
+  context 'when login fails' do
+    before do
+      set_devise_mapping(context: @request)
+      @request.env["warden.options"] = { action:  'unauthenticated' }
+    end
+
+    it 'does increment failed login counts for session' do
+      get(:new, params: { user: { login: 'failed' } })
+
+      expect(session[:failed_login_attempts]).to eq(1)
+    end
+  end
 end
diff --git a/spec/features/admin/admin_settings_spec.rb b/spec/features/admin/admin_settings_spec.rb
index ddd87404003..eb59de2e132 100644
--- a/spec/features/admin/admin_settings_spec.rb
+++ b/spec/features/admin/admin_settings_spec.rb
@@ -263,6 +263,7 @@ describe 'Admin updates settings' do
 
       page.within('.as-spam') do
         check 'Enable reCAPTCHA'
+        check 'Enable reCAPTCHA for login'
         fill_in 'reCAPTCHA Site Key', with: 'key'
         fill_in 'reCAPTCHA Private Key', with: 'key'
         fill_in 'IPs per user', with: 15
@@ -271,6 +272,7 @@ describe 'Admin updates settings' do
 
       expect(page).to have_content "Application settings saved successfully"
       expect(current_settings.recaptcha_enabled).to be true
+      expect(current_settings.login_recaptcha_protection_enabled).to be true
       expect(current_settings.unique_ips_limit_per_user).to eq(15)
     end
   end
diff --git a/spec/lib/gitlab/anonymous_session_spec.rb b/spec/lib/gitlab/anonymous_session_spec.rb
new file mode 100644
index 00000000000..628aae81ada
--- /dev/null
+++ b/spec/lib/gitlab/anonymous_session_spec.rb
@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Gitlab::AnonymousSession, :clean_gitlab_redis_shared_state do
+  let(:default_session_id) { '6919a6f1bb119dd7396fadc38fd18d0d' }
+  let(:additional_session_id) { '7919a6f1bb119dd7396fadc38fd18d0d' }
+
+  subject { new_anonymous_session }
+
+  def new_anonymous_session(session_id = default_session_id)
+    described_class.new('127.0.0.1', session_id: session_id)
+  end
+
+  describe '#store_session_id_per_ip' do
+    it 'adds session id to proper key' do
+      subject.store_session_id_per_ip
+
+      Gitlab::Redis::SharedState.with do |redis|
+        expect(redis.smembers("session:lookup:ip:gitlab:127.0.0.1")).to eq [default_session_id]
+      end
+    end
+
+    it 'adds expiration time to key' do
+      Timecop.freeze do
+        subject.store_session_id_per_ip
+
+        Gitlab::Redis::SharedState.with do |redis|
+          expect(redis.ttl("session:lookup:ip:gitlab:127.0.0.1")).to eq(24.hours.to_i)
+        end
+      end
+    end
+
+    it 'adds id only once' do
+      subject.store_session_id_per_ip
+      subject.store_session_id_per_ip
+
+      Gitlab::Redis::SharedState.with do |redis|
+        expect(redis.smembers("session:lookup:ip:gitlab:127.0.0.1")).to eq [default_session_id]
+      end
+    end
+
+    context 'when there is already one session' do
+      it 'adds session id to proper key' do
+        subject.store_session_id_per_ip
+        new_anonymous_session(additional_session_id).store_session_id_per_ip
+
+        Gitlab::Redis::SharedState.with do |redis|
+          expect(redis.smembers("session:lookup:ip:gitlab:127.0.0.1")).to contain_exactly(default_session_id, additional_session_id)
+        end
+      end
+    end
+  end
+
+  describe '#stored_sessions' do
+    it 'returns all anonymous sessions per ip' do
+      Gitlab::Redis::SharedState.with do |redis|
+        redis.sadd("session:lookup:ip:gitlab:127.0.0.1", default_session_id)
+        redis.sadd("session:lookup:ip:gitlab:127.0.0.1", additional_session_id)
+      end
+
+      expect(subject.stored_sessions).to eq(2)
+    end
+  end
+
+  it 'removes obsolete lookup through ip entries' do
+    Gitlab::Redis::SharedState.with do |redis|
+      redis.sadd("session:lookup:ip:gitlab:127.0.0.1", default_session_id)
+      redis.sadd("session:lookup:ip:gitlab:127.0.0.1", additional_session_id)
+    end
+
+    subject.cleanup_session_per_ip_entries
+
+    Gitlab::Redis::SharedState.with do |redis|
+      expect(redis.smembers("session:lookup:ip:gitlab:127.0.0.1")).to eq [additional_session_id]
+    end
+  end
+end
diff --git a/spec/views/devise/shared/_signin_box.html.haml_spec.rb b/spec/views/devise/shared/_signin_box.html.haml_spec.rb
index 66c064e3fba..5d521d18c70 100644
--- a/spec/views/devise/shared/_signin_box.html.haml_spec.rb
+++ b/spec/views/devise/shared/_signin_box.html.haml_spec.rb
@@ -7,6 +7,7 @@ describe 'devise/shared/_signin_box' do
       assign(:ldap_servers, [])
       allow(view).to receive(:current_application_settings).and_return(Gitlab::CurrentSettings.current_application_settings)
       allow(view).to receive(:captcha_enabled?).and_return(false)
+      allow(view).to receive(:captcha_on_login_required?).and_return(false)
     end
 
     it 'is shown when Crowd is enabled' do