authorKamil Trzcinski <ayufan@ayufan.eu>2015-07-06 13:47:05 +0200
committerKamil Trzcinski <ayufan@ayufan.eu>2015-08-03 15:43:27 +0200
commit4f469a133d4a5990d8ee0cf81d770bb8db47b9b1 (patch)
treed2d49a714358aa5614162cf3a6dd247a449cea43
parentf7dbf6d1a4b5724445de4da658103ce976b02a29 (diff)
Use redis to store user sessions
-rw-r--r--CHANGELOG1
-rw-r--r--Gemfile3
-rw-r--r--Gemfile.lock17
-rw-r--r--config/environments/test.rb2
-rw-r--r--config/initializers/1_settings.rb1
-rw-r--r--config/initializers/session_store.rb33
6 files changed, 52 insertions, 5 deletions
diff --git a/CHANGELOG b/CHANGELOG
index 8b7af68..73ad8d1 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -30,6 +30,7 @@ v7.13.0
- Store all secrets in config/secrets.yml
- Encrypt variables
- Allow to specify flexible list of types in yaml
+ - Use redis to store user sessions
v7.12.2
- Revert: Runner without tag should pick builds without tag only
diff --git a/Gemfile b/Gemfile
index f8ffdde..0cc01a8 100644
--- a/Gemfile
+++ b/Gemfile
@@ -33,6 +33,9 @@ gem "unicorn", "~> 4.8.2"
# Haml
gem 'haml-rails','~> 0.5.3'
+# Cache
+gem 'redis-rails'
+
# Background jobs
gem 'slim'
gem 'sinatra', require: nil
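Review bot: `gem 'redis-rails'` is added without a version constraint, while the neighbouring entries in this hunk (`unicorn`, `haml-rails`) pin with `~>`. Gemfile.lock resolves it to 4.0.0 today, but a later `bundle update` could move the session store to a new major version without anyone reviewing it; `gem 'redis-rails', '~> 4.0.0'` would match the file's convention. The `# Cache` heading is also slightly misleading, since this commit uses the gem for the session store; `# Sessions (Redis-backed store)` says what it is for.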
diff --git a/Gemfile.lock b/Gemfile.lock
index 5d648b3..3674c03 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -337,8 +337,24 @@ GEM
nokogiri (>= 1.4.1)
trollop
redis (3.0.6)
+ redis-actionpack (4.0.0)
+ actionpack (~> 4)
+ redis-rack (~> 1.5.0)
+ redis-store (~> 1.1.0)
+ redis-activesupport (4.0.0)
+ activesupport (~> 4)
+ redis-store (~> 1.1.0)
redis-namespace (1.4.1)
redis (~> 3.0.4)
+ redis-rack (1.5.0)
+ rack (~> 1.5)
+ redis-store (~> 1.1.0)
+ redis-rails (4.0.0)
+ redis-actionpack (~> 4)
+ redis-activesupport (~> 4)
+ redis-store (~> 1.1.0)
+ redis-store (1.1.5)
+ redis (>= 2.2)
request_store (1.2.0)
rest-client (1.8.0)
http-cookie (>= 1.0.2, < 2.0)
@@ -506,6 +522,7 @@ DEPENDENCIES
rake
rb-fsevent
rb-inotify
+ redis-rails
request_store
rspec-rails
rubocop (= 0.28.0)
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 00a6495..347de66 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -5,7 +5,7 @@ GitlabCi::Application.configure do
# test suite. You never need to work with it otherwise. Remember that
# your test database is "scratch space" for the test suite and is wiped
# and recreated between test runs. Don't rely on the data there!
- config.cache_classes = true
+ config.cache_classes = false
# Configure static asset server for tests with Cache-Control for performance
config.serve_static_assets = true
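Review bot: Turning `config.cache_classes` off in the test environment is not explained by the commit message, and nothing visible in this hunk ties it to the Redis session store. If the new initializer needs it, a one-line comment above the setting would help, e.g. `# <reason class reloading is required in test>`; otherwise the change probably belongs in its own commit. The `configure` block continues outside the hunk.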
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index f344685..0bbc7ae 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -41,6 +41,7 @@ Settings.gitlab_ci['all_broken_builds'] = true if Settings.gitlab_ci['all_brok
Settings.gitlab_ci['add_pusher'] = false if Settings.gitlab_ci['add_pusher'].nil?
Settings.gitlab_ci['url'] ||= Settings.send(:build_gitlab_ci_url)
Settings.gitlab_ci['builds_path'] = File.expand_path(Settings.gitlab_ci['builds_path'] || "builds/", Rails.root)
+Settings.gitlab_ci['session_expire_delay']||= 10080
# Compatibility with old config
Settings['gitlab_server_urls'] ||= Settings['allowed_gitlab_urls']
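Review bot: `session_expire_delay` is defaulted with no unit and no type check, yet session_store.rb multiplies it by 60, so the value is in minutes and 10080 means a 7-day session lifetime. If an operator quotes the value in the YAML config it would arrive as a String, and `"10080" * 60` is string repetition rather than arithmetic, so `expire_after` would receive a string. Suggest `Settings.gitlab_ci['session_expire_delay'] = Integer(Settings.gitlab_ci['session_expire_delay'] || 10080) # minutes; 10080 = 7 days`, which also fixes the missing space before `||=`. A 7-day default is long for a CI console that holds build secrets, so the comment should make the trade-off visible to whoever tunes it.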
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 21ff758..7ab8a9c 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -1,4 +1,29 @@
-# Use the database for sessions instead of the cookie-based default,
-# which shouldn't be used to store highly confidential information
-# (create the session table with "rails generate session_migration")
-Rails.application.config.session_store :active_record_store
+# Be sure to restart your server when you modify this file.
+
+# Use Redis caching across all environments
+redis_config_file = Rails.root.join('config', 'resque.yml')
+
+redis_url_string = if File.exists?(redis_config_file)
+ YAML.load_file(redis_config_file)[Rails.env]
+ else
+ "redis://localhost:6379"
+ end
+
+# Redis::Store does not handle Unix sockets well, so let's do it for them
+redis_config_hash = Redis::Store::Factory.extract_host_options_from_uri(redis_url_string)
+redis_uri = URI.parse(redis_url_string)
+if redis_uri.scheme == 'unix'
+ redis_config_hash[:path] = redis_uri.path
+end
+
+redis_config_hash[:namespace] = 'session:gitlab_ci'
+
+GitlabCi::Application.config.session_store(
+ :redis_store, # Using the cookie_store would enable session replay attacks.
+ servers: redis_config_hash,
+ key: '_gitlab_ci_session',
+ secure: GitlabCi.config.gitlab_ci.https,
+ httponly: true,
+ expire_after: Settings.gitlab_ci['session_expire_delay'] * 60,
+ path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
+)
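Review bot: `YAML.load_file(redis_config_file)[Rails.env]` returns nil when config/resque.yml exists but has no entry for the current environment, and that nil is then passed to `extract_host_options_from_uri` and `URI.parse`, so the app would presumably fail at boot with an unhelpful error; the localhost fallback only covers a missing file. Something like `redis_url_string = (YAML.load_file(redis_config_file)[Rails.env] if File.exist?(redis_config_file)) || "redis://localhost:6379"` covers both cases and drops the deprecated `File.exists?`. Because session records now sit in the same Redis instance as the resque queues, a comment here stating that this Redis must require authentication or be reachable only over localhost or a Unix socket would help operators, since anyone who can read that instance can read session data. The `path:` ternary can be written more simply as `Rails.application.config.relative_url_root || '/'`.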