summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-08-26 07:41:57 +0000
committerGitLab Release Tools Bot <robert+release-tools@gitlab.com>2019-08-26 07:41:57 +0000
commitff2c6c9d107eac46726f7a929e2400be8d917c44 (patch)
treeeae99b293b3dc4a2503b5b0fb70eeba873566f68 /lib
parentcd0dca4807f5e17151db70cbf7a0ff4304f5cbb8 (diff)
parent46e557359cff319bf936f3c011a9d21e091ae280 (diff)
downloadgitlab-ce-ff2c6c9d107eac46726f7a929e2400be8d917c44.tar.gz
Merge branch 'security-59549-add-capcha-for-failed-logins-12-2' into '12-2-stable'
Require a captcha after unique failed logins from the same IP See merge request gitlab/gitlabhq!3349
Diffstat (limited to 'lib')
-rw-r--r--lib/api/settings.rb5
-rw-r--r--lib/gitlab/anonymous_session.rb39
-rw-r--r--lib/gitlab/recaptcha.rb6
-rw-r--r--lib/gitlab/redis/shared_state.rb1
4 files changed, 50 insertions, 1 deletions
diff --git a/lib/api/settings.rb b/lib/api/settings.rb
index c36ee5af63f..a7d481befda 100644
--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
@@ -104,6 +104,11 @@ module API
requires :recaptcha_site_key, type: String, desc: 'Generate site key at http://www.google.com/recaptcha'
requires :recaptcha_private_key, type: String, desc: 'Generate private key at http://www.google.com/recaptcha'
end
+ optional :login_recaptcha_protection_enabled, type: Boolean, desc: 'Helps prevent brute-force attacks'
+ given login_recaptcha_protection_enabled: ->(val) { val } do
+ requires :recaptcha_site_key, type: String, desc: 'Generate site key at http://www.google.com/recaptcha'
+ requires :recaptcha_private_key, type: String, desc: 'Generate private key at http://www.google.com/recaptcha'
+ end
optional :repository_checks_enabled, type: Boolean, desc: "GitLab will periodically run 'git fsck' in all project and wiki repositories to look for silent disk corruption issues."
optional :repository_storages, type: Array[String], desc: 'Storage paths for new projects'
optional :require_two_factor_authentication, type: Boolean, desc: 'Require all users to set up Two-factor authentication'
diff --git a/lib/gitlab/anonymous_session.rb b/lib/gitlab/anonymous_session.rb
new file mode 100644
index 00000000000..148b6d3310d
--- /dev/null
+++ b/lib/gitlab/anonymous_session.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Gitlab
+ class AnonymousSession
+ def initialize(remote_ip, session_id: nil)
+ @remote_ip = remote_ip
+ @session_id = session_id
+ end
+
+ def store_session_id_per_ip
+ Gitlab::Redis::SharedState.with do |redis|
+ redis.pipelined do
+ redis.sadd(session_lookup_name, session_id)
+ redis.expire(session_lookup_name, 24.hours)
+ end
+ end
+ end
+
+ def stored_sessions
+ Gitlab::Redis::SharedState.with do |redis|
+ redis.scard(session_lookup_name)
+ end
+ end
+
+ def cleanup_session_per_ip_entries
+ Gitlab::Redis::SharedState.with do |redis|
+ redis.srem(session_lookup_name, session_id)
+ end
+ end
+
+ private
+
+ attr_reader :remote_ip, :session_id
+
+ def session_lookup_name
+ @session_lookup_name ||= "#{Gitlab::Redis::SharedState::IP_SESSIONS_LOOKUP_NAMESPACE}:#{remote_ip}"
+ end
+ end
+end
diff --git a/lib/gitlab/recaptcha.rb b/lib/gitlab/recaptcha.rb
index 772d743c9b0..f3cbe1db901 100644
--- a/lib/gitlab/recaptcha.rb
+++ b/lib/gitlab/recaptcha.rb
@@ -3,7 +3,7 @@
module Gitlab
module Recaptcha
def self.load_configurations!
- if Gitlab::CurrentSettings.recaptcha_enabled
+ if Gitlab::CurrentSettings.recaptcha_enabled || enabled_on_login?
::Recaptcha.configure do |config|
config.site_key = Gitlab::CurrentSettings.recaptcha_site_key
config.secret_key = Gitlab::CurrentSettings.recaptcha_private_key
@@ -16,5 +16,9 @@ module Gitlab
def self.enabled?
Gitlab::CurrentSettings.recaptcha_enabled
end
+
+ def self.enabled_on_login?
+ Gitlab::CurrentSettings.login_recaptcha_protection_enabled
+ end
end
end
diff --git a/lib/gitlab/redis/shared_state.rb b/lib/gitlab/redis/shared_state.rb
index 9066606ca21..270a19e780c 100644
--- a/lib/gitlab/redis/shared_state.rb
+++ b/lib/gitlab/redis/shared_state.rb
@@ -9,6 +9,7 @@ module Gitlab
SESSION_NAMESPACE = 'session:gitlab'.freeze
USER_SESSIONS_NAMESPACE = 'session:user:gitlab'.freeze
USER_SESSIONS_LOOKUP_NAMESPACE = 'session:lookup:user:gitlab'.freeze
+ IP_SESSIONS_LOOKUP_NAMESPACE = 'session:lookup:ip:gitlab'.freeze
DEFAULT_REDIS_SHARED_STATE_URL = 'redis://localhost:6382'.freeze
REDIS_SHARED_STATE_CONFIG_ENV_VAR_NAME = 'GITLAB_REDIS_SHARED_STATE_CONFIG_FILE'.freeze