Commit dc9266fb
Authored Sep 15, 2017 by Michael Kozono
Committed by Francisco Lopez, Nov 17, 2017
Add request throttles
Parent 732b1226
Showing 7 changed files with 180 additions and 3 deletions (+180 -3)
app/controllers/application_controller.rb +10 -2
app/helpers/application_settings_helper.rb +9 -0
app/views/admin/application_settings/_form.html.haml +51 -0
changelogs/unreleased/mk-add-user-rate-limits.yml +6 -0
config/application.rb +1 -1
config/initializers/rack_attack_global.rb +73 -0
lib/gitlab/auth.rb +30 -0
app/controllers/application_controller.rb
@@ -11,8 +11,7 @@ class ApplicationController < ActionController::Base
include
EnforcesTwoFactorAuthentication
include
WithPerformanceBar
before_action
:authenticate_user_from_personal_access_token!
before_action
:authenticate_user_from_rss_token!
before_action
:authenticate_sessionless_user!
before_action
:authenticate_user!
before_action
:validate_user_service_ticket!
before_action
:check_password_expiration
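Review bot: the two removed filters `authenticate_user_from_personal_access_token!` and `authenticate_user_from_rss_token!` are replaced by a single `authenticate_sessionless_user!`, so any controller that still does `skip_before_action` on the old names now skips nothing; grep for those names and move the skips to the new filter. Keeping the new filter ahead of `authenticate_user!` preserves the previous token-before-session ordering, which is the right order.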
@@ -100,6 +99,7 @@ class ApplicationController < ActionController::Base
return
try
(
:authenticated_user
)
end
<<<<<<<
HEAD
def
authenticate_user_from_personal_access_token!
token
=
params
[
:private_token
].
presence
||
request
.
headers
[
'PRIVATE-TOKEN'
].
presence
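Review bot: the added line `<<<<<<< HEAD` directly above `def authenticate_user_from_personal_access_token!` is an unresolved merge-conflict marker committed into app/controllers/application_controller.rb; Ruby will not parse the file with it present. Resolve the conflict so that only one side survives (the old per-token filters, or the new `authenticate_sessionless_user!` that the `before_action` in the first hunk expects) and drop the marker before this is merged.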
@@ -121,6 +121,14 @@ class ApplicationController < ActionController::Base
user
=
User
.
find_by_rss_token
(
token
)
sessionless_sign_in
(
user
)
=======
# This filter handles private tokens, personal access tokens, and atom
# requests with rss tokens
def
authenticate_sessionless_user!
user
=
Gitlab
::
Auth
.
find_sessionless_user
(
request
)
sessionless_sign_in
(
user
)
if
user
>>>>>>>
Add
request
throttles
end
def
log_exception
(
exception
)
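Review bot: `=======` and `>>>>>>> Add request throttles` are the remaining conflict markers from the same unresolved merge, and they leave both the old `find_by_rss_token` / `sessionless_sign_in(user)` body and the new `authenticate_sessionless_user!` in the file; keep only the `authenticate_sessionless_user!` definition (ending at its `end`) and delete the HEAD side. Since `sessionless_sign_in(user) if user` now covers private tokens, personal access tokens and RSS tokens in one place, the `format == 'atom'` gate for RSS tokens lives entirely in `Gitlab::Auth.find_user_by_rss_token`; the comment above the method should say so, so the restriction is not lost in a later refactor.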
app/helpers/application_settings_helper.rb
@@ -231,6 +231,15 @@ module ApplicationSettingsHelper
:sign_in_text
,
:signup_enabled
,
:terminal_max_session_time
,
:throttle_unauthenticated_enabled
,
:throttle_unauthenticated_requests_per_period
,
:throttle_unauthenticated_period_in_seconds
,
:throttle_authenticated_web_enabled
,
:throttle_authenticated_web_requests_per_period
,
:throttle_authenticated_web_period_in_seconds
,
:throttle_authenticated_api_enabled
,
:throttle_authenticated_api_requests_per_period
,
:throttle_authenticated_api_period_in_seconds
,
:two_factor_grace_period
,
:unique_ips_limit_enabled
,
:unique_ips_limit_per_user
,
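Review bot: the nine new `throttle_*` keys are added to the permitted attribute list, but none of the seven files in this commit adds the columns or the model validations (a migration with defaults, plus numericality checks on `*_requests_per_period` and `*_period_in_seconds`); without them, `settings.throttle_unauthenticated_period_in_seconds.seconds` and its two siblings in config/initializers/rack_attack_global.rb are called on nil. Either the migration belongs in this commit or the commit message should reference the one that carries it.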
app/views/admin/application_settings/_form.html.haml
@@ -743,5 +743,56 @@
installations. Set to 0 to completely disable polling.
=
link_to
icon
(
'question-circle'
),
help_page_path
(
'administration/polling'
)
%fieldset
%legend
User and IP Rate Limits
.form-group
.col-sm-offset-2.col-sm-10
.checkbox
=
f
.
label
:throttle_unauthenticated_enabled
do
=
f
.
check_box
:throttle_unauthenticated_enabled
Enable unauthenticated request rate limit
%span
.help-block
Helps reduce request volume (e.g. from crawlers or abusive bots)
.form-group
=
f
.
label
:throttle_unauthenticated_requests_per_period
,
'Max requests per period per IP'
,
class:
'control-label col-sm-2'
.col-sm-10
=
f
.
number_field
:throttle_unauthenticated_requests_per_period
,
class:
'form-control'
.form-group
=
f
.
label
:throttle_unauthenticated_period_in_seconds
,
'Rate limit period in seconds'
,
class:
'control-label col-sm-2'
.col-sm-10
=
f
.
number_field
:throttle_unauthenticated_period_in_seconds
,
class:
'form-control'
.form-group
.col-sm-offset-2.col-sm-10
.checkbox
=
f
.
label
:throttle_authenticated_api_enabled
do
=
f
.
check_box
:throttle_authenticated_api_enabled
Enable authenticated API request rate limit
%span
.help-block
Helps reduce request volume (e.g. from crawlers or abusive bots)
.form-group
=
f
.
label
:throttle_authenticated_api_requests_per_period
,
'Max requests per period per user'
,
class:
'control-label col-sm-2'
.col-sm-10
=
f
.
number_field
:throttle_authenticated_api_requests_per_period
,
class:
'form-control'
.form-group
=
f
.
label
:throttle_authenticated_api_period_in_seconds
,
'Rate limit period in seconds'
,
class:
'control-label col-sm-2'
.col-sm-10
=
f
.
number_field
:throttle_authenticated_api_period_in_seconds
,
class:
'form-control'
.form-group
.col-sm-offset-2.col-sm-10
.checkbox
=
f
.
label
:throttle_authenticated_web_enabled
do
=
f
.
check_box
:throttle_authenticated_web_enabled
Enable authenticated web request rate limit
%span
.help-block
Helps reduce request volume (e.g. from crawlers or abusive bots)
.form-group
=
f
.
label
:throttle_authenticated_web_requests_per_period
,
'Max requests per period per user'
,
class:
'control-label col-sm-2'
.col-sm-10
=
f
.
number_field
:throttle_authenticated_web_requests_per_period
,
class:
'form-control'
.form-group
=
f
.
label
:throttle_authenticated_web_period_in_seconds
,
'Rate limit period in seconds'
,
class:
'control-label col-sm-2'
.col-sm-10
=
f
.
number_field
:throttle_authenticated_web_period_in_seconds
,
class:
'form-control'
.form-actions
=
f
.
submit
'Save'
,
class:
'btn btn-save'
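Review bot: the six `number_field`s accept any integer, including 0 and negatives, and nothing in the initializer guards against that; add `min: 1` to each field (backed by a model validation) so an admin cannot save a zero or negative period or limit. Minor: the help text "Helps reduce request volume (e.g. from crawlers or abusive bots)" is pasted verbatim under the two authenticated throttles, where the discriminator is the user id rather than the IP, so it should say what those limits actually bound; and the three fieldset blocks differ only in the attribute prefix, so one partial rendered three times would be easier to keep consistent.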
changelogs/unreleased/mk-add-user-rate-limits.yml
0 → 100644
---
title
:
Add anonymous rate limit per IP, and authenticated (web or API) rate limits
per user
merge_request
:
14708
author
:
type
:
added
config/application.rb
@@ -113,7 +113,7 @@ module Gitlab
config
.
action_view
.
sanitized_allowed_protocols
=
%w(smb)
config
.
middleware
.
insert_
before
Warden
::
Manager
,
Rack
::
Attack
config
.
middleware
.
insert_
after
Warden
::
Manager
,
Rack
::
Attack
# Allow access to GitLab API from other domains
config
.
middleware
.
insert_before
Warden
::
Manager
,
Rack
::
Cors
do
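Review bot: moving `Rack::Attack` from `insert_before` to `insert_after Warden::Manager` is what lets `Rack::Attack::Request#session_user_id` read `env['warden']` in config/initializers/rack_attack_global.rb, but the hunk carries no comment saying so; add a one-line comment above `insert_after Warden::Manager, Rack::Attack` naming that dependency, because if someone reorders the middleware back, `env['warden']` is nil, every session request reports `unauthenticated?` as true, and logged-in users get throttled by IP with no error to point at the cause. The trade-off is also worth stating: the throttle now runs after Warden has deserialised the session, so it no longer shields that work from unauthenticated traffic.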
config/initializers/rack_attack_global.rb
0 → 100644
class
Rack::Attack
def
self
.
settings
Gitlab
::
CurrentSettings
.
current_application_settings
end
def
self
.
throttle_unauthenticated_options
limit_proc
=
proc
{
|
req
|
settings
.
throttle_unauthenticated_requests_per_period
}
period_proc
=
proc
{
|
req
|
settings
.
throttle_unauthenticated_period_in_seconds
.
seconds
}
{
limit:
limit_proc
,
period:
period_proc
}
end
def
self
.
throttle_authenticated_api_options
limit_proc
=
proc
{
|
req
|
settings
.
throttle_authenticated_api_requests_per_period
}
period_proc
=
proc
{
|
req
|
settings
.
throttle_authenticated_api_period_in_seconds
.
seconds
}
{
limit:
limit_proc
,
period:
period_proc
}
end
def
self
.
throttle_authenticated_web_options
limit_proc
=
proc
{
|
req
|
settings
.
throttle_authenticated_web_requests_per_period
}
period_proc
=
proc
{
|
req
|
settings
.
throttle_authenticated_web_period_in_seconds
.
seconds
}
{
limit:
limit_proc
,
period:
period_proc
}
end
def
self
.
define_throttles
throttle
(
'throttle_unauthenticated'
,
throttle_unauthenticated_options
)
do
|
req
|
settings
.
throttle_unauthenticated_enabled
&&
req
.
unauthenticated?
&&
req
.
ip
end
throttle
(
'throttle_authenticated_api'
,
throttle_authenticated_api_options
)
do
|
req
|
settings
.
throttle_authenticated_api_enabled
&&
req
.
api_request?
&&
req
.
authenticated_user_id
end
throttle
(
'throttle_authenticated_web'
,
throttle_authenticated_web_options
)
do
|
req
|
settings
.
throttle_authenticated_web_enabled
&&
req
.
web_request?
&&
req
.
authenticated_user_id
end
end
define_throttles
unless
Rails
.
env
.
test?
class
Request
def
unauthenticated?
!
authenticated_user_id
end
def
authenticated_user_id
session_user_id
||
sessionless_user_id
end
def
api_request?
path
.
start_with?
(
'/api'
)
end
def
web_request?
!
api_request?
end
private
def
session_user_id
Gitlab
::
Auth
.
find_session_user
(
self
)
&
.
id
end
def
sessionless_user_id
Gitlab
::
Auth
.
find_sessionless_user
(
self
)
&
.
id
end
end
end
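Review bot: `Rack::Attack::Request#authenticated_user_id` calls `Gitlab::Auth.find_session_user` and `find_sessionless_user` for every request whose throttle is enabled, so a request carrying a token pays the `find_by_authentication_token` / `find_by_personal_access_token` lookups once here and again in `ApplicationController#authenticate_sessionless_user!`; memoise the resolved user id in `env` so the controller can reuse it. Three smaller points: `api_request?` uses `path.start_with?('/api')`, which also matches any non-API path whose first segment merely begins with `api` (use `'/api/'`); `req.ip` is `Rack::Request#ip`, which only looks past a reverse proxy when it treats that proxy's address as trusted, otherwise every unauthenticated client shares the proxy's address and one bucket, which the admin help text should mention; and `define_throttles unless Rails.env.test?` leaves the throttles with no spec coverage, so consider an explicit opt-in for tests instead of skipping them outright. The ordering inside each block (`settings.*_enabled` first, then the user lookups) is good, since a disabled throttle costs no database queries.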
lib/gitlab/auth.rb
@@ -82,6 +82,36 @@ module Gitlab
end
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def
find_user_by_private_token
(
request
)
token
=
request
.
params
[
'private_token'
].
presence
||
request
.
env
[
'HTTP_PRIVATE_TOKEN'
].
presence
return
unless
token
.
present?
User
.
find_by_authentication_token
(
token
)
||
User
.
find_by_personal_access_token
(
token
)
end
# request may be Rack::Attack::Request which is just a Rack::Request, so
# we cannot use ActionDispatch::Request methods.
def
find_user_by_rss_token
(
request
)
return
unless
request
.
params
[
'format'
]
==
'atom'
token
=
request
.
params
[
'rss_token'
].
presence
return
unless
token
.
present?
User
.
find_by_rss_token
(
token
)
end
def
find_session_user
(
request
)
request
.
env
[
'warden'
]
&
.
authenticate
end
def
find_sessionless_user
(
request
)
find_user_by_private_token
(
request
)
||
find_user_by_rss_token
(
request
)
end
private
def
service_request_check
(
login
,
password
,
project
)
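Review bot: `find_session_user` and `find_sessionless_user` sit above `private`, which is correct since the Rack::Attack initializer calls them, but the comment `# request may be Rack::Attack::Request which is just a Rack::Request, so we cannot use ActionDispatch::Request methods.` is duplicated word for word on both token lookups; hoist it once above `find_user_by_private_token`. On `find_user_by_rss_token`, the `'atom'` gate reads `request.params['format']`, a user-supplied query or form parameter, rather than the format the router resolved, so the check is only as strong as that parameter; document that this is intentional or tighten it to the route format where the Rack request allows. `request.env['warden']&.authenticate` correctly uses the non-bang `authenticate`, which returns nil for an anonymous request instead of halting the middleware chain.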