Merge branch 'security-59549-add-capcha-for-failed-logins-12-2' into '12-2-stable'

Require a captcha after unique failed logins from the same IP

See merge request gitlab/gitlabhq!3349

4 files changed, 50 insertions, 1 deletions

diff --git a/lib/api/settings.rb b/lib/api/settings.rb
index c36ee5af63f..a7d481befda 100644
--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
@@ -104,6 +104,11 @@ module API
         requires :recaptcha_site_key, type: String, desc: 'Generate site key at http://www.google.com/recaptcha'
         requires :recaptcha_private_key, type: String, desc: 'Generate private key at http://www.google.com/recaptcha'
       end
+      optional :login_recaptcha_protection_enabled, type: Boolean, desc: 'Helps prevent brute-force attacks'
+      given login_recaptcha_protection_enabled: ->(val) { val } do
+        requires :recaptcha_site_key, type: String, desc: 'Generate site key at http://www.google.com/recaptcha'
+        requires :recaptcha_private_key, type: String, desc: 'Generate private key at http://www.google.com/recaptcha'
+      end
       optional :repository_checks_enabled, type: Boolean, desc: "GitLab will periodically run 'git fsck' in all project and wiki repositories to look for silent disk corruption issues."
       optional :repository_storages, type: Array[String], desc: 'Storage paths for new projects'
       optional :require_two_factor_authentication, type: Boolean, desc: 'Require all users to set up Two-factor authentication'
diff --git a/lib/gitlab/anonymous_session.rb b/lib/gitlab/anonymous_session.rb
new file mode 100644
index 00000000000..148b6d3310d
--- /dev/null
+++ b/lib/gitlab/anonymous_session.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Gitlab
+  class AnonymousSession
+    def initialize(remote_ip, session_id: nil)
+      @remote_ip = remote_ip
+      @session_id = session_id
+    end
+
+    def store_session_id_per_ip
+      Gitlab::Redis::SharedState.with do |redis|
+        redis.pipelined do
+          redis.sadd(session_lookup_name, session_id)
+          redis.expire(session_lookup_name, 24.hours)
+        end
+      end
+    end
+
+    def stored_sessions
+      Gitlab::Redis::SharedState.with do |redis|
+        redis.scard(session_lookup_name)
+      end
+    end
+
+    def cleanup_session_per_ip_entries
+      Gitlab::Redis::SharedState.with do |redis|
+        redis.srem(session_lookup_name, session_id)
+      end
+    end
+
+    private
+
+    attr_reader :remote_ip, :session_id
+
+    def session_lookup_name
+      @session_lookup_name ||= "#{Gitlab::Redis::SharedState::IP_SESSIONS_LOOKUP_NAMESPACE}:#{remote_ip}"
+    end
+  end
+end
diff --git a/lib/gitlab/recaptcha.rb b/lib/gitlab/recaptcha.rb
index 772d743c9b0..f3cbe1db901 100644
--- a/lib/gitlab/recaptcha.rb
+++ b/lib/gitlab/recaptcha.rb
@@ -3,7 +3,7 @@
 module Gitlab
   module Recaptcha
     def self.load_configurations!
-      if Gitlab::CurrentSettings.recaptcha_enabled
+      if Gitlab::CurrentSettings.recaptcha_enabled || enabled_on_login?
         ::Recaptcha.configure do |config|
           config.site_key = Gitlab::CurrentSettings.recaptcha_site_key
           config.secret_key = Gitlab::CurrentSettings.recaptcha_private_key
@@ -16,5 +16,9 @@ module Gitlab
     def self.enabled?
       Gitlab::CurrentSettings.recaptcha_enabled
     end
+
+    def self.enabled_on_login?
+      Gitlab::CurrentSettings.login_recaptcha_protection_enabled
+    end
   end
 end
diff --git a/lib/gitlab/redis/shared_state.rb b/lib/gitlab/redis/shared_state.rb
index 9066606ca21..270a19e780c 100644
--- a/lib/gitlab/redis/shared_state.rb
+++ b/lib/gitlab/redis/shared_state.rb
@@ -9,6 +9,7 @@ module Gitlab
       SESSION_NAMESPACE = 'session:gitlab'.freeze
       USER_SESSIONS_NAMESPACE = 'session:user:gitlab'.freeze
       USER_SESSIONS_LOOKUP_NAMESPACE = 'session:lookup:user:gitlab'.freeze
+      IP_SESSIONS_LOOKUP_NAMESPACE = 'session:lookup:ip:gitlab'.freeze
       DEFAULT_REDIS_SHARED_STATE_URL = 'redis://localhost:6382'.freeze
       REDIS_SHARED_STATE_CONFIG_ENV_VAR_NAME = 'GITLAB_REDIS_SHARED_STATE_CONFIG_FILE'.freeze