2ff139dd
Commit
2ff139dd
authored
Feb 21, 2017
by
Pawel Chojnacki
Make Warden set_user hook validate user ip uniquness
+ rename shared context
parent
0ef8a643
Showing
6 changed files
with
28 additions
and
23 deletions
+28
-23
app/controllers/application_controller.rb
app/controllers/application_controller.rb
+1
-1
config/initializers/warden.rb
config/initializers/warden.rb
+5
-0
spec/controllers/sessions_controller_spec.rb
spec/controllers/sessions_controller_spec.rb
+3
-3
spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
+1
-1
spec/requests/api/doorkeeper_access_spec.rb
spec/requests/api/doorkeeper_access_spec.rb
+11
-11
spec/support/unique_ip_check_shared_examples.rb
spec/support/unique_ip_check_shared_examples.rb
+7
-7
app/controllers/application_controller.rb
...
@@ -41,7 +41,7 @@ class ApplicationController < ActionController::Base
...
@@ -41,7 +41,7 @@ class ApplicationController < ActionController::Base
end
end
rescue_from
Gitlab
::
Auth
::
TooManyIps
do
|
e
|
rescue_from
Gitlab
::
Auth
::
TooManyIps
do
|
e
|
head
:forbidden
,
retry_after:
UniqueIpsLimiter
.
config
.
unique_ips_limit_time_window
head
:forbidden
,
retry_after:
Gitlab
::
Auth
::
UniqueIpsLimiter
.
config
.
unique_ips_limit_time_window
end
end
def
redirect_back_or_default
(
default:
root_path
,
options:
{})
def
redirect_back_or_default
(
default:
root_path
,
options:
{})
...
...
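Review bot: `head :forbidden, retry_after: ...` reports a rate-limit rejection as 403, while 429 Too Many Requests is the status that clients, proxies and retry libraries associate with a `Retry-After` header (RFC 6585); `head :too_many_requests, retry_after: Gitlab::Auth::UniqueIpsLimiter.config.unique_ips_limit_time_window` would make the throttle recognisable without changing the header, at the cost of updating the shared examples that assert the blocked status. Rails turns the `retry_after:` option into a `Retry-After` header whose value must be whole seconds or an HTTP date, so it is worth confirming that `unique_ips_limit_time_window` is stored in seconds rather than, say, minutes. The enclosing `ApplicationController` class starts and ends outside the hunk.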
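--- /dev/null
+++ b/config/initializers/warden.rb
@@ -0,0 +1,5 @@
+Rails.application.configure do |config|
+  Warden::Manager.after_set_user do |user, auth, opts|
+    Gitlab::Auth::UniqueIpsLimiter.limit_user!(user)
+  end
+end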
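Review bot: The hook never looks at `opts`, so `limit_user!` runs on every Warden event that sets a user — the session `:fetch` performed on each request as well as an explicit login — which appears to be the intent given the commit title, but deserves a comment such as `# Runs on every set_user event (including session fetch), so an existing session from a second IP is rejected too` because the block-parameter names suggest it was meant to be filtered. Whatever `limit_user!` raises propagates out of Warden into the caller that is authenticating, so every entry point that sets a user through Warden needs a handler for `Gitlab::Auth::TooManyIps`, not only the `rescue_from` in `ApplicationController`, or the rejection surfaces as a 500. The unused `config`, `auth` and `opts` parameters should be marked `_config`, `_auth`, `_opts` (or `opts` kept if the event filter above is added) so the ignoring is visibly deliberate.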
spec/controllers/sessions_controller_spec.rb
...
@@ -30,11 +30,11 @@ describe SessionsController do
...
@@ -30,11 +30,11 @@ describe SessionsController do
expect
(
SecurityEvent
.
last
.
details
[
:with
]).
to
eq
(
'standard'
)
expect
(
SecurityEvent
.
last
.
details
[
:with
]).
to
eq
(
'standard'
)
end
end
include_examples
'user login
operation with unique ip limit'
do
include_examples
'user login
request with unique ip limit'
,
302
do
def
operation
def
request
post
(
:create
,
user:
{
login:
user
.
username
,
password:
user
.
password
})
post
(
:create
,
user:
{
login:
user
.
username
,
password:
user
.
password
})
expect
(
subject
.
current_user
).
to
eq
user
expect
(
subject
.
current_user
).
to
eq
user
subject
.
sign_out
user
end
end
end
end
end
end
...
...
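Review bot: `def request` inside a controller spec overrides the `request` reader that `ActionController::TestCase::Behavior` provides for the test request object, so any helper in the shared context that touches `request` (for instance to set the remote address for `change_ip`) would now trigger a login instead of reading the request; it passes today only if nothing on that path calls `request`. A less collision-prone name for the hook in the shared examples, e.g. `login_request`, would avoid depending on that. The `sign_out user` at the end of the hook also means each call both logs in and logs out, which is worth a one-line comment since the shared examples call it repeatedly to exercise the per-IP limit.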
spec/lib/gitlab/auth/unique_ips_limiter_spec.rb
require
'spec_helper'
require
'spec_helper'
describe
Gitlab
::
Auth
::
UniqueIpsLimiter
,
:redis
,
lib:
true
do
describe
Gitlab
::
Auth
::
UniqueIpsLimiter
,
:redis
,
lib:
true
do
include_context
'
enable
unique ips sign in limit'
include_context
'unique ips sign in limit'
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
describe
'#count_unique_ips'
do
describe
'#count_unique_ips'
do
...
...
spec/requests/api/doorkeeper_access_spec.rb
...
@@ -4,12 +4,12 @@ describe API::API, api: true do
...
@@ -4,12 +4,12 @@ describe API::API, api: true do
include
ApiHelpers
include
ApiHelpers
let!
(
:user
)
{
create
(
:user
)
}
let!
(
:user
)
{
create
(
:user
)
}
let!
(
:application
)
{
Doorkeeper
::
Application
.
create!
(
name:
'MyApp'
,
redirect_uri:
'https://app.com'
,
owner:
user
)
}
let!
(
:application
)
{
Doorkeeper
::
Application
.
create!
(
name:
"MyApp"
,
redirect_uri:
"https://app.com"
,
owner:
user
)
}
let!
(
:token
)
{
Doorkeeper
::
AccessToken
.
create!
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
'api'
}
let!
(
:token
)
{
Doorkeeper
::
AccessToken
.
create!
application_id:
application
.
id
,
resource_owner_id:
user
.
id
,
scopes:
"api"
}
describe
'when unauthenticated'
do
describe
"unauthenticated"
do
it
'returns authentication success'
do
it
"returns authentication success"
do
get
api
(
'/user'
),
access_token:
token
.
token
get
api
(
"/user"
),
access_token:
token
.
token
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
200
)
end
end
...
@@ -20,16 +20,16 @@ describe API::API, api: true do
...
@@ -20,16 +20,16 @@ describe API::API, api: true do
end
end
end
end
describe
'when token invalid'
do
describe
"when token invalid"
do
it
'returns authentication error'
do
it
"returns authentication error"
do
get
api
(
'/user'
),
access_token:
'123a'
get
api
(
"/user"
),
access_token:
"123a"
expect
(
response
).
to
have_http_status
(
401
)
expect
(
response
).
to
have_http_status
(
401
)
end
end
end
end
describe
'authorization by private token'
do
describe
"authorization by private token"
do
it
'returns authentication success'
do
it
"returns authentication success"
do
get
api
(
'/user'
,
user
)
get
api
(
"/user"
,
user
)
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
200
)
end
end
...
...
spec/support/unique_ip_check_shared_examples.rb
shared_context
'
enable
unique ips sign in limit'
do
shared_context
'unique ips sign in limit'
do
include
StubENV
include
StubENV
before
(
:each
)
do
before
(
:each
)
do
Gitlab
::
Redis
.
with
(
&
:flushall
)
Gitlab
::
Redis
.
with
(
&
:flushall
)
...
@@ -19,7 +19,7 @@ shared_context 'enable unique ips sign in limit' do
...
@@ -19,7 +19,7 @@ shared_context 'enable unique ips sign in limit' do
end
end
shared_examples
'user login operation with unique ip limit'
do
shared_examples
'user login operation with unique ip limit'
do
include_context
'
enable
unique ips sign in limit'
do
include_context
'unique ips sign in limit'
do
before
{
current_application_settings
.
update!
(
unique_ips_limit_per_user:
1
)
}
before
{
current_application_settings
.
update!
(
unique_ips_limit_per_user:
1
)
}
it
'allows user authenticating from the same ip'
do
it
'allows user authenticating from the same ip'
do
...
@@ -38,23 +38,23 @@ shared_examples 'user login operation with unique ip limit' do
...
@@ -38,23 +38,23 @@ shared_examples 'user login operation with unique ip limit' do
end
end
end
end
shared_examples
'user login request with unique ip limit'
do
shared_examples
'user login request with unique ip limit'
do
|
success_status
=
200
|
include_context
'
enable
unique ips sign in limit'
do
include_context
'unique ips sign in limit'
do
before
{
current_application_settings
.
update!
(
unique_ips_limit_per_user:
1
)
}
before
{
current_application_settings
.
update!
(
unique_ips_limit_per_user:
1
)
}
it
'allows user authenticating from the same ip'
do
it
'allows user authenticating from the same ip'
do
change_ip
(
'ip'
)
change_ip
(
'ip'
)
request
request
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
success_status
)
request
request
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
success_status
)
end
end
it
'blocks user authenticating from two distinct ips'
do
it
'blocks user authenticating from two distinct ips'
do
change_ip
(
'ip'
)
change_ip
(
'ip'
)
request
request
expect
(
response
).
to
have_http_status
(
200
)
expect
(
response
).
to
have_http_status
(
success_status
)
change_ip
(
'ip2'
)
change_ip
(
'ip2'
)
request
request
...
...
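Review bot: The new `|success_status = 200|` parameter on `shared_examples 'user login request with unique ip limit'` is undocumented, and its meaning only becomes clear from the sessions spec passing 302; a comment above the `shared_examples` line such as `# success_status: the status a successful authentication request returns in the including spec (302 for the session login redirect, 200 for API requests)` would save the next reader that lookup. The parameter is used only for the positive assertions, so the expectation after `change_ip('ip2'); request` in the "blocks" example, which runs past the visible hunk, must stay independent of it for the 302 callers to be meaningful.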