From 6760911e0f51f7bbffe09b0e91ad81b04a431027 Mon Sep 17 00:00:00 2001 From: Mayra Cabrera Date: Tue, 21 May 2019 17:35:10 -0500 Subject: Changes RackAttack logger to use structured logs Creates a new filename to register auth logs. This change should allow SRE's queries to make better queries through logging infrastructure. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/54528 --- config/database.yml.example | 0 config/initializers/rack_attack_logging.rb | 10 +++++++++- doc/administration/logs.md | 9 +++++++++ doc/security/rack_attack.md | 2 +- lib/gitlab/auth_logger.rb | 9 +++++++++ spec/requests/rack_attack_global_spec.rb | 22 ++++++++++++++++++++++ 6 files changed, 50 insertions(+), 2 deletions(-) create mode 100644 config/database.yml.example create mode 100644 lib/gitlab/auth_logger.rb diff --git a/config/database.yml.example b/config/database.yml.example new file mode 100644 index 00000000000..e69de29bb2d diff --git a/config/initializers/rack_attack_logging.rb b/config/initializers/rack_attack_logging.rb index 8bb9ea29c33..2a3fdc8de5f 100644 --- a/config/initializers/rack_attack_logging.rb +++ b/config/initializers/rack_attack_logging.rb @@ -1,7 +1,15 @@ +# frozen_string_literal: true +# # Adds logging for all Rack Attack blocks and throttling events. ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req| if [:throttle, :blacklist].include? req.env['rack.attack.match_type'] - Rails.logger.info("Rack_Attack: #{req.env['rack.attack.match_type']} #{req.ip} #{req.request_method} #{req.fullpath}") + Gitlab::AuthLogger.error( + message: 'Rack_Attack', + env: req.env['rack.attack.match_type'], + ip: req.ip, + request_method: req.request_method, + fullpath: req.fullpath + ) end end diff --git a/doc/administration/logs.md b/doc/administration/logs.md index 3d40cda491a..a7e57e44e86 100644 --- a/doc/administration/logs.md +++ b/doc/administration/logs.md 
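Review bot: `fullpath: req.fullpath` in the new `Gitlab::AuthLogger.error` call writes the query string into auth.log together with the path, so any credential a client sends as a query parameter is stored in the log for every throttled or blocked request. The removed `Rails.logger.info` line had the same exposure, but the move to a dedicated file is a good point to close it by logging only the path, e.g. `path: req.path`, or by running the value through the application's parameter filtering before it is logged. Separately, the key `env:` holds `req.env['rack.attack.match_type']`, which the hunk compares against `:throttle` and `:blacklist`, so `match_type:` would be a less misleading field name for anyone querying the structured log.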
@@ -280,6 +280,14 @@ installations from source. Currently it logs the progress of project imports from the Bitbucket Server importer. Future importers may use this file. +## `auth.log` + +Introduced in GitLab 12.0. This file lives in `/var/log/gitlab/gitlab-rails/auth.log` for +Omnibus GitLab packages or in `/home/git/gitlab/log/auth.log` for +installations from source. + +It logs information whenever [Rack Attack] registers an abusive request. + ## Reconfigure Logs Reconfigure log files live in `/var/log/gitlab/reconfigure` for Omnibus GitLab @@ -298,3 +306,4 @@ Omnibus GitLab packages or in `/home/git/gitlab/log/sidekiq_exporter.log` for installations from source. [repocheck]: repository_checks.md +[Rack Attack]: ../security/rack_attack.md diff --git a/doc/security/rack_attack.md b/doc/security/rack_attack.md index ad83dc05a93..66081d7e376 100644 --- a/doc/security/rack_attack.md +++ b/doc/security/rack_attack.md @@ -94,7 +94,7 @@ In case you want to remove a blocked IP, follow these steps: 1. Find the IPs that have been blocked in the production log: ```sh - grep "Rack_Attack" /var/log/gitlab/gitlab-rails/production.log + grep "Rack_Attack" /var/log/gitlab/gitlab-rails/auth.log ``` 1. Since the blacklist is stored in Redis, you need to open up `redis-cli`: diff --git a/lib/gitlab/auth_logger.rb b/lib/gitlab/auth_logger.rb new file mode 100644 index 00000000000..6d3edba02b0 --- /dev/null +++ b/lib/gitlab/auth_logger.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +module Gitlab + class AuthLogger < Gitlab::JsonLogger + def self.file_name_noext + 'auth' + end + end +end diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb index a12646ea222..89adbc77a7f 100644 --- a/spec/requests/rack_attack_global_spec.rb +++ b/spec/requests/rack_attack_global_spec.rb 
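Review bot: `Gitlab::AuthLogger` in the new file lib/gitlab/auth_logger.rb has no class comment, and the name alone does not say which events belong in auth.log. In this commit the only writer is the Rack Attack subscriber, which records the client IP, request method and full path. I would add a comment above the class along the lines of `# JSON logger for auth.log; currently receives Rack Attack throttle and blacklist events (client IP, method, path).` That tells later contributors what the file is for and that its entries contain client addresses, which matters when deciding retention and who may read the log.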
@@ -182,6 +182,17 @@ describe 'Rack Attack global throttles' do end end end + + it 'logs RackAttack info into structured logs' do + requests_per_period.times do + get url_that_does_not_require_authentication + expect(response).to have_http_status 200 + end + + expect(Gitlab::AuthLogger).to receive(:error).once + + get url_that_does_not_require_authentication + end end context 'when the throttle is disabled' do @@ -327,6 +338,17 @@ describe 'Rack Attack global throttles' do expect_rejection { get url_that_requires_authentication } end + + it 'logs RackAttack info into structured logs' do + requests_per_period.times do + get url_that_requires_authentication + expect(response).to have_http_status 200 + end + + expect(Gitlab::AuthLogger).to receive(:error).once + + get url_that_requires_authentication + end end context 'when the throttle is disabled' do -- cgit v1.2.1
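Review bot: `expect(Gitlab::AuthLogger).to receive(:error).once` in the new example only checks that the logger was called, so the test still passes if the entry loses its IP, method or path fields or records the wrong match type. Those fields are what make the log usable for investigating abusive clients, so constrain the payload, e.g. `expect(Gitlab::AuthLogger).to receive(:error).with(hash_including(message: 'Rack_Attack', request_method: 'GET')).once`, and add the `ip` and `fullpath` values the spec already knows. The same applies to the identical example added in the second hunk (`@@ -327,6 +338,17 @@`) for authenticated requests. Both examples sit inside `context` blocks that begin outside the hunks, so `requests_per_period` and the URL helpers are assumed to be defined there.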