X rack-attack

software/gitlab/instance-gitlab.cfg.in

@@ -41,6 +41,13 @@ cert    = ${slap-connection:cert-file}
 #
 #   last updated for omnibus-gitlab 8.1.0+rc1.ce.0-24-g3021ed9
 #   TODO recheck )
+
+configuration.rate_limit_requests_per_period    = 10
+configuration.rate_limit_period                 = 60
+
+# XXX not used yet
+configuration.initial_root_password     = "password"
+
 configuration.email_enabled             = true
 configuration.email_from                = lab@example.com
 configuration.email_display_name        = GitLab
@@ -237,6 +244,12 @@ template= {{ smtp_settings_rb_in }}
 context =
     section instance_parameter  instance-parameter
 
+[rack_attack.rb]
+<= gitlab-etc-template
+template = {{ rack_attack_rb_in }}
+context =
+    section instance_parameter  instance-parameter
+
 
 # TODO log: logrotate
 
@@ -309,6 +322,7 @@ command-line =
 # This way Gitlab/Rails still think they work in 1 code / 1 instance way,
 # and we can reuse SR.
 # XXX run second time after first error try? (mkdir fails)
+# XXX naming
 [gitlab-root-shadow]
 recipe  = plone.recipe.command
 stop-on-error = yes
@@ -332,7 +346,7 @@ command =
     ln -s ${resque.yml:rendered} resque.yml &&
 # config/initializers/
     cd initializers     &&
-    ln -s ${gitlab:etc}/rack_attack.rb .    &&
+    ln -s ${rack_attack.rb:rendered} rack_attack.rb &&
     ln -s ${smtp_settings.rb:rendered} smtp_settings.rb &&
 # public/
     cd ../../public     &&

software/gitlab/instance.cfg.in

@@ -36,6 +36,7 @@ context =
     raw gitlab_yml_in               ${gitlab.yml.in:target}
     raw resque_yml_in               ${resque.yml.in:target}
     raw smtp_settings_rb_in         ${smtp_settings.rb.in:target}
+    raw rack_attack_rb_in           ${rack_attack.rb.in:target}
 
 # XXX hack - better use ${gitlab-shell-repository:location} directly
     raw gitlab_shell                ${gitlab-shell-repository:location}

software/gitlab/software.cfg

@@ -194,6 +194,10 @@ url     = ${:_profile_base_location_}/template/${:_buildout_section_name_}
 <= download-template
 # md5sum = TODO
 
+[rack_attack.rb.in]
+<= download-template
+# md5sum = TODO
+
 [unicorn.rb.in]
 <= download-template
 # md5sum = TODO

software/gitlab/template/rack_attack.rb.in

+# @autogenerated
+# see:
+# https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/rack_attack.rb.example
+# https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/rack_attack.rb.erb
+# (last updated for omnibus-gitlab 8.1.0+rc1.ce.0-30-g38ef5d7)
+
+{# cfg(name) -> instance_parameter:configuration.<name> #}
+{# XXX dup -> import from gitlab.yml.in ? #}
+{% macro cfg(name) %}{{ instance_parameter[str("configuration." + name)] }}{% endmacro %}
+
+# 1. Rename this file to rack_attack.rb
+# 2. Review the paths_to_be_protected and add any other path you need protecting
+#
+
+paths_to_be_protected = [
+  "#{Rails.application.config.relative_url_root}/users/password",
+  "#{Rails.application.config.relative_url_root}/users/sign_in",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session.json",
+  "#{Rails.application.config.relative_url_root}/api/#{API::API.version}/session",
+  "#{Rails.application.config.relative_url_root}/users",
+  "#{Rails.application.config.relative_url_root}/users/confirmation",
+  "#{Rails.application.config.relative_url_root}/unsubscribes/"
+
+]
+
+# Create one big regular expression that matches strings starting with any of
+# the paths_to_be_protected.
+paths_regex = Regexp.union(paths_to_be_protected.map { |path| /\A#{Regexp.escape(path)}/ })
+
+unless Rails.env.test?
+  Rack::Attack.throttle('protected paths', limit: {{ cfg('rate_limit_requests_per_period') }}, period: {{ cfg('rate_limit_period') }}.seconds) do |req|
+    if req.post? && req.path =~ paths_regex
+      req.ip
+    end
+  end
+end
+