Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
fa35aea3
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
fa35aea3
编写于
6月 03, 2016
作者:
J
Jacob Vosmaer
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Refactor Gitlab::Auth rate limiting
上级
46d5760c
变更
2
显示空白变更内容
内联
并排
Showing
2 changed file
with
53 addition
and
25 deletion
+53
-25
lib/gitlab/auth.rb
lib/gitlab/auth.rb
+11
-25
lib/gitlab/auth/rate_limiter.rb
lib/gitlab/auth/rate_limiter.rb
+42
-0
未找到文件。
lib/gitlab/auth.rb
浏览文件 @
fa35aea3
module
Gitlab
module
Gitlab
class
Auth
module
Auth
Result
=
Struct
.
new
(
:user
,
:type
)
Result
=
Struct
.
new
(
:user
,
:type
)
class
<<
self
class
<<
self
...
@@ -64,34 +64,20 @@ module Gitlab
...
@@ -64,34 +64,20 @@ module Gitlab
end
end
def
rate_limit!
(
ip
,
success
:,
login
:)
def
rate_limit!
(
ip
,
success
:,
login
:)
# If the user authenticated successfully, we reset the auth failure count
rate_limiter
=
IpRateLimiter
.
new
(
ip
)
# from Rack::Attack for that IP. A client may attempt to authenticate
return
unless
rate_limiter
.
enabled?
# with a username and blank password first, and only after it receives
# a 401 error does it present a password. Resetting the count prevents
# false positives.
#
# Otherwise, we let Rack::Attack know there was a failed authentication
# attempt from this IP. This information is stored in the Rails cache
# (Redis) and will be used by the Rack::Attack middleware to decide
# whether to block requests from this IP.
config
=
Gitlab
.
config
.
rack_attack
.
git_basic_auth
return
unless
config
.
enabled
if
success
if
success
Rack
::
Attack
::
Allow2Ban
.
reset
(
ip
,
config
)
# Repeated login 'failures' are normal behavior for some Git clients so
# it is important to reset the ban counter once the client has proven
# they are not a 'bad guy'.
rate_limiter
.
reset!
else
else
banned
=
Rack
::
Attack
::
Allow2Ban
.
filter
(
ip
,
config
)
do
# Register a login failure so that Rack::Attack can block the next
if
config
.
ip_whitelist
.
include?
(
ip
)
# request from this IP if needed.
# Don't increment the ban counter for this IP
rate_limiter
.
register_fail!
(
ip
,
config
)
false
else
# Increment the ban counter for this IP
true
end
end
if
banned
if
rate_limiter
.
banned?
Rails
.
logger
.
info
"IP
#{
ip
}
failed to login "
\
Rails
.
logger
.
info
"IP
#{
ip
}
failed to login "
\
"as
#{
login
}
but has been temporarily banned from Git auth"
"as
#{
login
}
but has been temporarily banned from Git auth"
end
end
...
...
lib/gitlab/auth/rate_limiter.rb
0 → 100644
浏览文件 @
fa35aea3
module
Gitlab
module
Auth
class
IpRateLimiter
attr_reader
:ip
def
initialize
(
ip
)
@ip
=
ip
@banned
=
false
end
def
enabled?
config
.
enabled
end
def
reset!
Rack
::
Attack
::
Allow2Ban
.
reset
(
ip
,
config
)
end
def
register_fail!
# Allow2Ban.filter will return false if this IP has not failed too often yet
@banned
=
Rack
::
Attack
::
Allow2Ban
.
filter
(
ip
,
config
)
do
# If we return false here, the failure for this IP is ignored by Allow2Ban
ignore_failure?
end
end
def
banned?
@banned
end
private
def
config
Gitlab
.
config
.
rack_attack
.
git_basic_auth
end
def
ignore_failure?
config
.
ip_whitelist
.
exclude?
(
ip
)
end
end
end
end
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录