Commit bac5bfc7 authored by Thong Kuah's avatar Thong Kuah

Merge branch 'sh-support-subnets-ip-rate-limiter' into 'master'

Support CIDR notation in IP rate limiter

See merge request gitlab-org/gitlab-ce!30146
parents 2321b337 82c31a9a
---
title: Support CIDR notation in IP rate limiter
merge_request: 30146
author:
type: changed
...@@ -53,8 +53,9 @@ For more information on how to use these options check out ...@@ -53,8 +53,9 @@ For more information on how to use these options check out
The following settings can be configured: The following settings can be configured:
- `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack. - `enabled`: By default this is set to `false`. Set this to `true` to enable Rack Attack.
- `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a ruby array. - `ip_whitelist`: Whitelist any IPs from being blocked. They must be formatted as strings within a Ruby array.
For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3"]`. CIDR notation is supported in GitLab v12.1 and up.
For example, `["127.0.0.1", "127.0.0.2", "127.0.0.3", "192.168.0.1/24"]`.
- `maxretry`: The maximum amount of times a request can be made in the - `maxretry`: The maximum amount of times a request can be made in the
specified time. specified time.
- `findtime`: The maximum amount of time that failed requests can count against an IP - `findtime`: The maximum amount of time that failed requests can count against an IP
......
...@@ -3,6 +3,8 @@ ...@@ -3,6 +3,8 @@
module Gitlab module Gitlab
module Auth module Auth
class IpRateLimiter class IpRateLimiter
include ::Gitlab::Utils::StrongMemoize
attr_reader :ip attr_reader :ip
def initialize(ip) def initialize(ip)
...@@ -37,7 +39,20 @@ module Gitlab ...@@ -37,7 +39,20 @@ module Gitlab
end end
def ip_can_be_banned? def ip_can_be_banned?
config.ip_whitelist.exclude?(ip) !trusted_ip?
end
def trusted_ip?
trusted_ips.any? { |netmask| netmask.include?(ip) }
end
def trusted_ips
strong_memoize(:trusted_ips) do
config.ip_whitelist.map do |proxy|
IPAddr.new(proxy)
rescue IPAddr::InvalidAddressError
end.compact
end
end end
end end
end end
......
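Review bot: An unparseable whitelist entry is discarded silently in `trusted_ips`: the `rescue IPAddr::InvalidAddressError` makes the block yield nil and `.compact` drops it, so a typo in an operator's whitelist quietly makes that host bannable again with nothing in the logs. Failing closed is the right default, but the discard should be visible; capture the exception (`rescue IPAddr::InvalidAddressError => e`), log a warning naming `proxy` and `e.message` (`Rails.logger.warn` or the project's app logger), and make `nil` the rescue's last expression, because `.compact` only removes nil and a logger call returns true, which would otherwise reach `netmask.include?` as a non-IPAddr. `trusted_ip?` and `trusted_ips` are referenced only from `ip_can_be_banned?` in this hunk, so they could sit under `private`. Note that `netmask.include?(ip)` parses the string `ip` once per whitelist entry on every call and would itself raise `IPAddr::InvalidAddressError` if `ip` were ever not a valid address; the rescue guards only the whitelist side. The IpRateLimiter class continues outside the hunk.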
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::Auth::IpRateLimiter, :use_clean_rails_memory_store_caching do
let(:ip) { '10.2.2.3' }
let(:whitelist) { ['127.0.0.1'] }
let(:options) do
{
enabled: true,
ip_whitelist: whitelist,
bantime: 1.minute,
findtime: 1.minute,
maxretry: 2
}
end
subject { described_class.new(ip) }
before do
stub_rack_attack_setting(options)
end
after do
subject.reset!
end
describe '#register_fail!' do
it 'bans after 3 consecutive failures' do
expect(subject.banned?).to be_falsey
3.times { subject.register_fail! }
expect(subject.banned?).to be_truthy
end
shared_examples 'whitelisted IPs' do
it 'does not ban after max retry limit' do
expect(subject.banned?).to be_falsey
3.times { subject.register_fail! }
expect(subject.banned?).to be_falsey
end
end
context 'with a whitelisted netmask' do
before do
options[:ip_whitelist] = ['127.0.0.1', '10.2.2.0/24', 'bad']
stub_rack_attack_setting(options)
end
it_behaves_like 'whitelisted IPs'
end
context 'with a whitelisted IP' do
before do
options[:ip_whitelist] = ['10.2.2.3']
stub_rack_attack_setting(options)
end
it_behaves_like 'whitelisted IPs'
end
end
end
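Review bot: The 'with a whitelisted netmask' context proves only that a malformed entry such as `'bad'` does not raise, because `'10.2.2.0/24'` already whitelists the example IP; nothing asserts that a whitelist containing only an invalid entry still bans. Add a context with `options[:ip_whitelist] = ['bad']` that expects `subject.banned?` to be truthy after `3.times { subject.register_fail! }`, so a regression that turns the rescue into a blanket allow is caught. A netmask that does not contain the IP (for example `'10.2.3.0/24'`) deserves the same ban assertion, since the current examples never exercise a CIDR entry that should fail to match. The example name 'bans after 3 consecutive failures' is accurate with `maxretry: 2` but would read more clearly as 'bans once maxretry is exceeded'.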
...@@ -95,6 +95,11 @@ module StubConfiguration ...@@ -95,6 +95,11 @@ module StubConfiguration
allow(Gitlab.config.gitlab_shell).to receive_messages(to_settings(messages)) allow(Gitlab.config.gitlab_shell).to receive_messages(to_settings(messages))
end end
def stub_rack_attack_setting(messages)
allow(Gitlab.config.rack_attack).to receive(:git_basic_auth).and_return(messages)
allow(Gitlab.config.rack_attack.git_basic_auth).to receive_messages(to_settings(messages))
end
private private
# Modifies stubbed messages to also stub possible predicate versions # Modifies stubbed messages to also stub possible predicate versions
......
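Review bot: `stub_rack_attack_setting` first replaces `git_basic_auth` with the plain `messages` Hash and then stubs the setting readers on that Hash, unlike the `gitlab_shell` helper just above it, which stubs onto the real settings object; any setting the code under test reads but the caller leaves out of `messages` is therefore no longer reachable as a method, instead of falling back to the real configuration. That is workable but should be stated above the method, e.g. `# Replaces rack_attack.git_basic_auth wholesale: callers must pass every setting the code under test reads.` If the wholesale replacement is not needed, stubbing `receive_messages(to_settings(messages))` on `Gitlab.config.rack_attack.git_basic_auth` alone, as the sibling does, would keep the remaining defaults intact. The StubConfiguration module continues outside the hunk.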