Merge branch 'sh-fix-unique-ips-limiter' into 'master'

Fix deploy tokens erroneously triggering unique IP limits Closes #22854 See merge request gitlab-org/gitlab!22445

Merge branch 'sh-fix-unique-ips-limiter' into 'master'
Fix deploy tokens erroneously triggering unique IP limits Closes #22854 See merge request gitlab-org/gitlab!22445
186b8d0e · Ash McKenzie · 5d2761a8 · 7337e578 · 186b8d0e · 186b8d0e
Commit 186b8d0e authored Jan 08, 2020 by Ash McKenzie
Showing with 25 additions and 1 deletion

changelogs/unreleased/sh-fix-unique-ips-limiter.yml changelogs/unreleased/sh-fix-unique-ips-limiter.yml +5 -0

lib/gitlab/auth.rb lib/gitlab/auth.rb +5 -1

spec/lib/gitlab/auth_spec.rb spec/lib/gitlab/auth_spec.rb +15 -0

No files found.
--- a/changelogs/unreleased/sh-fix-unique-ips-limiter.yml
+++ b/changelogs/unreleased/sh-fix-unique-ips-limiter.yml
+---
+title: Fix deploy tokens erroneously triggering unique IP limits
+merge_request: 22445
+author:
+type: fixed
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -54,7 +54,7 @@ module Gitlab
          Gitlab::Auth::Result.new

        rate_limit!(rate_limiter, success: result.success?, login: login)
-        Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
+        look_to_limit_user(result.actor)

        return result if result.success? || authenticate_using_internal_or_ldap_password?

@@ -129,6 +129,10 @@ module Gitlab
        ::Ci::Build::CI_REGISTRY_USER == login
      end

+      def look_to_limit_user(actor)
+        Gitlab::Auth::UniqueIpsLimiter.limit_user!(actor) if actor.is_a?(User)
+      end
+
      def authenticate_using_internal_or_ldap_password?
        Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::LDAP::Config.enabled?
      end

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -130,6 +130,15 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
          gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')
        end

+        it 'rate limits a user by unique IPs' do
+          expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter|
+            expect(rate_limiter).to receive(:reset!)
+          end
+          expect(Gitlab::Auth::UniqueIpsLimiter).to receive(:limit_user!).twice.and_call_original
+
+          gl_auth.find_for_git_client(user.username, user.password, project: nil, ip: 'ip')
+        end
+
        it 'registers failure for failed auth' do
          expect_next_instance_of(Gitlab::Auth::IpRateLimiter) do |rate_limiter|
            expect(rate_limiter).to receive(:register_fail!)
@@ -415,6 +424,12 @@ describe Gitlab::Auth, :use_clean_rails_memory_store_caching do
            .to eq(auth_success)
        end

+        it 'does not attempt to rate limit unique IPs for a deploy token' do
+          expect(Gitlab::Auth::UniqueIpsLimiter).not_to receive(:limit_user!)
+
+          gl_auth.find_for_git_client(login, deploy_token.token, project: project, ip: 'ip')
+        end
+
        it 'fails when login is not valid' do
          expect(gl_auth.find_for_git_client('random_login', deploy_token.token, project: project, ip: 'ip'))
            .to eq(auth_failure)