Merge branch 'git-http-controller' into 'master'

Dismantling Grack::Auth part 1: Git HTTP clients Part of https://gitlab.com/gitlab-org/gitlab-ce/issues/14501 This does not completely get rid of Grack::Auth yet because Git LFS support is 'behind' it and I would like to not make this MR bigger than needed. - changed tests to make HTTP requests instead of calling Rack apps - added missing test cases for Git HTTP authentication - moved Git HTTP requests into a 'normal' Rails controller See merge request !3361
author: Rémy Coutable <remy@rymai.me> 2016-06-08 14:03:27 +0000
committer: Rémy Coutable <remy@rymai.me> 2016-06-08 14:03:27 +0000
commit: 07b32287e51e621d8510f0b8e7103ed47c3b4636 (patch)
tree: a4ea8e547eccecceeb77c6124aa13689dacd6f89 /lib
parent: 99ea32714bb307421ff81ad17983c1b0dce0eac4 (diff)
parent: df62cbd917f85f85d2e3371da2eccf724d5d94e0 (diff)
download: gitlab-ce-07b32287e51e621d8510f0b8e7103ed47c3b4636.tar.gz
5 files changed, 134 insertions, 68 deletions
diff --git a/lib/api/session.rb b/lib/api/session.rb
index cc646895914..56e69b2366f 100644
--- a/lib/api/session.rb
+++ b/lib/api/session.rb
@@ -11,8 +11,7 @@ module API
     # Example Request:
     #  POST /session
     post "/session" do
-      auth = Gitlab::Auth.new
-      user = auth.find(params[:email] || params[:login], params[:password])
+      user = Gitlab::Auth.find_in_gitlab_or_ldap(params[:email] || params[:login], params[:password])
 
       return unauthorized! unless user
       present user, with: Entities::UserLogin
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 30509528b8b..076e2af7d38 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -1,17 +1,86 @@
 module Gitlab
-  class Auth
-    def find(login, password)
-      user = User.by_login(login)
-
-      # If no user is found, or it's an LDAP server, try LDAP.
-      #   LDAP users are only authenticated via LDAP
-      if user.nil? || user.ldap_user?
-        # Second chance - try LDAP authentication
-        return nil unless Gitlab::LDAP::Config.enabled?
-
-        Gitlab::LDAP::Authentication.login(login, password)
-      else
-        user if user.valid_password?(password)
+  module Auth
+    Result = Struct.new(:user, :type)
+
+    class << self
+      def find(login, password, project:, ip:)
+        raise "Must provide an IP for rate limiting" if ip.nil?
+
+        result = Result.new
+
+        if valid_ci_request?(login, password, project)
+          result.type = :ci
+        elsif result.user = find_in_gitlab_or_ldap(login, password)
+          result.type = :gitlab_or_ldap
+        elsif result.user = oauth_access_token_check(login, password)
+          result.type = :oauth
+        end
+
+        rate_limit!(ip, success: !!result.user || (result.type == :ci), login: login)
+        result
+      end
+
+      def find_in_gitlab_or_ldap(login, password)
+        user = User.by_login(login)
+
+        # If no user is found, or it's an LDAP server, try LDAP.
+        #   LDAP users are only authenticated via LDAP
+        if user.nil? || user.ldap_user?
+          # Second chance - try LDAP authentication
+          return nil unless Gitlab::LDAP::Config.enabled?
+
+          Gitlab::LDAP::Authentication.login(login, password)
+        else
+          user if user.valid_password?(password)
+        end
+      end
+
+      def rate_limit!(ip, success:, login:)
+        rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
+        return unless rate_limiter.enabled?
+
+        if success
+          # Repeated login 'failures' are normal behavior for some Git clients so
+          # it is important to reset the ban counter once the client has proven
+          # they are not a 'bad guy'.
+          rate_limiter.reset!
+        else
+          # Register a login failure so that Rack::Attack can block the next
+          # request from this IP if needed.
+          rate_limiter.register_fail!
+
+          if rate_limiter.banned?
+            Rails.logger.info "IP #{ip} failed to login " \
+              "as #{login} but has been temporarily banned from Git auth"
+          end
+        end
+      end
+
+      private
+
+      def valid_ci_request?(login, password, project)
+        matched_login = /(?<service>^[a-zA-Z]*-ci)-token$/.match(login)
+
+        return false unless project && matched_login.present?
+
+        underscored_service = matched_login['service'].underscore
+
+        if underscored_service == 'gitlab_ci'
+          project && project.valid_build_token?(password)
+        elsif Service.available_services_names.include?(underscored_service)
+          # We treat underscored_service as a trusted input because it is included
+          # in the Service.available_services_names whitelist.
+          service = project.public_send("#{underscored_service}_service")
+
+          service && service.activated? && service.valid_token?(password)
+        end
+      end
+
+      def oauth_access_token_check(login, password)
+        if login == "oauth2" && password.present?
+          token = Doorkeeper::AccessToken.by_token(password)
+          token && token.accessible? && User.find_by(id: token.resource_owner_id)
+        end
       end
     end
   end
diff --git a/lib/gitlab/auth/ip_rate_limiter.rb b/lib/gitlab/auth/ip_rate_limiter.rb
new file mode 100644
index 00000000000..1089bc9f89e
--- /dev/null
+++ b/lib/gitlab/auth/ip_rate_limiter.rb
@@ -0,0 +1,42 @@
+module Gitlab
+  module Auth
+    class IpRateLimiter
+      attr_reader :ip
+
+      def initialize(ip)
+        @ip = ip
+        @banned = false
+      end
+
+      def enabled?
+        config.enabled
+      end
+      
+      def reset!
+        Rack::Attack::Allow2Ban.reset(ip, config)
+      end
+      
+      def register_fail!
+        # Allow2Ban.filter will return false if this IP has not failed too often yet
+        @banned = Rack::Attack::Allow2Ban.filter(ip, config) do
+          # If we return false here, the failure for this IP is ignored by Allow2Ban
+          ip_can_be_banned?
+        end
+      end
+      
+      def banned?
+        @banned
+      end
+      
+      private
+      
+      def config
+        Gitlab.config.rack_attack.git_basic_auth
+      end
+      
+      def ip_can_be_banned?
+        config.ip_whitelist.exclude?(ip)
+      end
+    end
+  end
+end
diff --git a/lib/gitlab/backend/grack_auth.rb b/lib/gitlab/backend/grack_auth.rb
index cdcaae8094c..9e09d2e118d 100644
--- a/lib/gitlab/backend/grack_auth.rb
+++ b/lib/gitlab/backend/grack_auth.rb
@@ -36,10 +36,7 @@ module Grack
       lfs_response = Gitlab::Lfs::Router.new(project, @user, @request).try_call
       return lfs_response unless lfs_response.nil?
 
-      if project && authorized_request?
-        # Tell gitlab-workhorse the request is OK, and what the GL_ID is
-        render_grack_auth_ok
-      elsif @user.nil? && !@ci
+      if @user.nil? && !@ci
         unauthorized
       else
         render_not_found
@@ -98,7 +95,7 @@ module Grack
     end
 
     def authenticate_user(login, password)
-      user = Gitlab::Auth.new.find(login, password)
+      user = Gitlab::Auth.find_in_gitlab_or_ldap(login, password)
 
       unless user
         user = oauth_access_token_check(login, password)
@@ -141,36 +138,6 @@ module Grack
       user
     end
 
-    def authorized_request?
-      return true if @ci
-
-      case git_cmd
-      when *Gitlab::GitAccess::DOWNLOAD_COMMANDS
-        if !Gitlab.config.gitlab_shell.upload_pack
-          false
-        elsif user
-          Gitlab::GitAccess.new(user, project).download_access_check.allowed?
-        elsif project.public?
-          # Allow clone/fetch for public projects
-          true
-        else
-          false
-        end
-      when *Gitlab::GitAccess::PUSH_COMMANDS
-        if !Gitlab.config.gitlab_shell.receive_pack
-          false
-        elsif user
-          # Skip user authorization on upload request.
-          # It will be done by the pre-receive hook in the repository.
-          true
-        else
-          false
-        end
-      else
-        false
-      end
-    end
-
     def git_cmd
       if @request.get?
         @request.params['service']
@@ -197,24 +164,6 @@ module Grack
       end
     end
 
-    def render_grack_auth_ok
-      repo_path =
-        if @request.path_info =~ /^([\w\.\/-]+)\.wiki\.git/
-          ProjectWiki.new(project).repository.path_to_repo
-        else
-          project.repository.path_to_repo
-        end
-
-      [
-        200,
-        { "Content-Type" => "application/json" },
-        [JSON.dump({
-          'GL_ID' => Gitlab::ShellEnv.gl_id(@user),
-          'RepoPath' => repo_path,
-        })]
-      ]
-    end
-
     def render_not_found
       [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
     end
diff --git a/lib/gitlab/workhorse.rb b/lib/gitlab/workhorse.rb
index 7f6ef71b303..56af739b1ef 100644
--- a/lib/gitlab/workhorse.rb
+++ b/lib/gitlab/workhorse.rb
@@ -6,6 +6,13 @@ module Gitlab
     SEND_DATA_HEADER = 'Gitlab-Workhorse-Send-Data'
 
     class << self
+      def git_http_ok(repository, user)
+        {
+          'GL_ID' => Gitlab::ShellEnv.gl_id(user),
+          'RepoPath' => repository.path_to_repo,
+        }
+      end
+
       def send_git_blob(repository, blob)
         params = {
           'RepoPath' => repository.path_to_repo,
author	Rémy Coutable <remy@rymai.me>	2016-06-08 14:03:27 +0000
committer	Rémy Coutable <remy@rymai.me>	2016-06-08 14:03:27 +0000
commit	07b32287e51e621d8510f0b8e7103ed47c3b4636 (patch)
tree	a4ea8e547eccecceeb77c6124aa13689dacd6f89 /lib
parent	99ea32714bb307421ff81ad17983c1b0dce0eac4 (diff)
parent	df62cbd917f85f85d2e3371da2eccf724d5d94e0 (diff)
download	gitlab-ce-07b32287e51e621d8510f0b8e7103ed47c3b4636.tar.gz