Allow to configure rack-attack path to be protected

* A new feature allows to set rake-attack paths to be protected through * /etc/gitlab/gitlab.rb * Tests for the new feature * Documentation for all rake-attack features used in omnibus-gitlab

Allow to configure rack-attack path to be protected
a080a07c · Dmitry Ivanov · 30807304 · a080a07c · a080a07c · a080a07c
Commit a080a07c authored 8 years ago by Dmitry Ivanov
--- a/doc/settings/configuration.md
+++ b/doc/settings/configuration.md
@@ -347,6 +347,64 @@ high_availability['mountpoint'] = '/var/opt/gitlab'
  
 Run `sudo gitlab-ctl reconfigure` for the change to take effect.
  
+## Configuring Rake attack
+
+To prevent abusive clients doing damage GitLab uses rack-attack gem.
+Check [this page](https://gitlab.com/help/security/rack_attack.md)
+for more information.
+
+File `config/initializers/rack_attack.rb` is managed by omnibus-gitlab
+and must be configured in `/etc/gitlab/gitlab.rb`.
+
+### Enabling/Disabling Rake attack and setting up basic auth throttling
+
+Next configuration settings control rake attack:
+
+```ruby
+gitlab_rails['rack_attack_git_basic_auth'] = {
+  'enabled' => true, # Enable/Disable rake
+  'ip_whitelist' => ["127.0.0.1"], # Whitelisted urls
+  'maxretry' => 10, # Limit the number of Git HTTP authentication attempts per IP
+  'findtime' => 60, # Reset the auth attempt counter per IP after 60 seconds
+  'bantime' => 3600 # Ban an IP for one hour (3600s) after too many auth attempts
+}
+```
+
+### Setting up paths to be protected
+
+If you want to change default paths to be protected
+set `gitlab_rails['rack_attack_paths_to_be_protected']` in config file.
+
+Default list is:
+
+```ruby
+gitlab_rails['rack_attack_paths_to_be_protected'] = [
+  '/users/password',
+  '/users/sign_in',
+  '/api/#{API::API.version}/session.json',
+  '/api/#{API::API.version}/session',
+  '/users',
+  '/users/confirmation',
+  '/unsubscribes/',
+  '/import/github/personal_access_token'
+]
+```
+
+_**Note:** All paths are relative to the gitlab `external_url`._
+
+**Warning** If path contains variable/s which need to be
+interpolated by rails(ex "#{API::API.version}")
+then you need to escape curly brackets or use single quated string.
+
+Use next options to control throttling 'limit' and 'period' for protected paths:
+
+```ruby
+gitlab_rails['rate_limit_requests_per_period'] = 10
+gitlab_rails['rate_limit_period'] = 60
+```
+
+Run `sudo gitlab-ctl reconfigure` for the change to take effect.
+
 ## Setting up LDAP sign-in
  
 See [doc/settings/ldap.md](ldap.md).

--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -247,6 +247,17 @@ external_url 'GENERATED_EXTERNAL_URL'
 #   'bantime' => 3600
 # }
  
+# gitlab_rails['rack_attack_paths_to_be_protected'] = [
+#   '/users/password',
+#   '/users/sign_in',
+#   '/api/#{API::API.version}/session.json',
+#   '/api/#{API::API.version}/session',
+#   '/users',
+#   '/users/confirmation',
+#   '/unsubscribes/',
+#   '/import/github/personal_access_token'
+# ]
+
 # We do not recommend changing these directories.
 # gitlab_rails['dir'] = "/var/opt/gitlab/gitlab-rails"
 # gitlab_rails['log_directory'] = "/var/log/gitlab/gitlab-rails"

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -208,7 +208,16 @@ default['gitlab']['gitlab-rails']['extra_google_analytics_id'] = nil
 default['gitlab']['gitlab-rails']['extra_piwik_url'] = nil
 default['gitlab']['gitlab-rails']['extra_piwik_site_id'] = nil
 default['gitlab']['gitlab-rails']['rack_attack_git_basic_auth'] = nil
-
+default['gitlab']['gitlab-rails']['rack_attack_paths_to_be_protected'] = [
+  '/users/password',
+  '/users/sign_in',
+  '/api/#{API::API.version}/session.json',
+  '/api/#{API::API.version}/session',
+  '/users',
+  '/users/confirmation',
+  '/unsubscribes/',
+  '/import/github/personal_access_token'
+]
 default['gitlab']['gitlab-rails']['aws_enable'] = false
 default['gitlab']['gitlab-rails']['aws_access_key_id'] = nil
 default['gitlab']['gitlab-rails']['aws_secret_access_key'] = nil

--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab_rails.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab_rails.rb
@@ -23,6 +23,7 @@ module GitlabRails
      parse_external_url
      parse_directories
      parse_gitlab_trusted_proxies
+      parse_rack_attack_paths_to_be_protected
    end
  
    def parse_directories
@@ -91,6 +92,13 @@ module GitlabRails
      Gitlab['gitlab_rails']['trusted_proxies'] ||= Gitlab['nginx']['real_ip_trusted_addresses']
    end
  
+    def parse_rack_attack_paths_to_be_protected
+      return unless Gitlab['gitlab_rails']['rack_attack_paths_to_be_protected']
+      Gitlab['gitlab_rails']['rack_attack_paths_to_be_protected'].map! do |path|
+        path.start_with?('/') ? path : '/' + path
+      end
+    end
+
    def disable_gitlab_rails_services
      if Gitlab['gitlab_rails']["enable"] == false
        Gitlab['redis']["enable"] = false

--- a/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
@@ -7,15 +7,9 @@
 #
  
 paths_to_be_protected = [
-  "#{Rails.application.config.relative_url_root}/users/password",
-  "#{Rails.application.config.relative_url_root}/users/sign_in",
-  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
-  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
-  "#{Rails.application.config.relative_url_root}/users",
-  "#{Rails.application.config.relative_url_root}/users/confirmation",
-  "#{Rails.application.config.relative_url_root}/unsubscribes/",
-  "#{Rails.application.config.relative_url_root}/import/github/personal_access_token"
-
+  <% @rack_attack_paths_to_be_protected.each do |path| %>
+  "#{Rails.application.config.relative_url_root}<%= path %>",
+  <% end %>
 ]
  
 # Create one big regular expression that matches strings starting with any of

--- a/spec/chef/recipes/rake-attack_spec.rb
+++ b/spec/chef/recipes/rake-attack_spec.rb
+require 'chef_helper'
+
+describe 'rake-attack' do
+  let(:chef_run) { ChefSpec::SoloRunner.converge('gitlab::default') }
+
+  before { allow(Gitlab).to receive(:[]).and_call_original }
+
+  context 'when rack_attack_paths_to_be_protected is set' do
+    it 'adds leading slashes' do
+      stub_gitlab_rb(gitlab_rails: { rack_attack_paths_to_be_protected: ['admin/', 'users/password'] })
+      expect(chef_run.node['gitlab']['gitlab-rails']['rack_attack_paths_to_be_protected'])
+        .to eql(['/admin/', '/users/password'])
+    end
+
+    it 'does not add additional slashes' do
+      stub_gitlab_rb(gitlab_rails: { rack_attack_paths_to_be_protected: ['/admin/', '/users/password'] })
+      expect(chef_run.node['gitlab']['gitlab-rails']['rack_attack_paths_to_be_protected'])
+        .to eql(['/admin/', '/users/password'])
+    end
+
+    it 'creates rack_attack config file with user defined list' do
+      rack_attack_config = '/var/opt/gitlab/gitlab-rails/etc/rack_attack.rb'
+      stub_gitlab_rb(gitlab_rails: { rack_attack_paths_to_be_protected: ['/admin/', '/users/password'] })
+
+      expect(chef_run).to create_template(rack_attack_config)
+
+      expect(chef_run).to render_file(rack_attack_config)
+        .with_content(/#\{Rails.application.config.relative_url_root\}\/admin\//)
+      expect(chef_run).to render_file(rack_attack_config)
+        .with_content(/#\{Rails.application.config.relative_url_root\}\/users\/password/)
+    end
+
+  end
+
+  context 'when rack_attack_paths_to_be_protected is not set' do
+    default_paths_to_be_protected = ['/users/password',
+                                     '/users/sign_in',
+                                     '/api/#{API::API.version}/session.json',
+                                     '/api/#{API::API.version}/session',
+                                     '/users',
+                                     '/users/confirmation',
+                                     '/unsubscribes/',
+                                     '/import/github/personal_access_token'
+                                    ]
+    it 'uses default list' do
+      expect(chef_run.node['gitlab']['gitlab-rails']['rack_attack_paths_to_be_protected'])
+        .to eql(default_paths_to_be_protected)
+    end
+
+    it 'creates rack_attack config file with default list' do
+      rack_attack_config = '/var/opt/gitlab/gitlab-rails/etc/rack_attack.rb'
+      expect(chef_run).to create_template(rack_attack_config)
+      default_paths_to_be_protected.each do |path|
+        expect(chef_run).to render_file(rack_attack_config)
+          .with_content(/#\{Rails.application.config.relative_url_root\}#{path}/)
+
+      end
+
+    end
+  end
+
+end