Merge branch '426491-improve-ip-block-logs' into 'master'

Improve logs when IP is banned from Git auth

See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134371



Merged-by: Smriti Garg <sgarg@gitlab.com>
Approved-by: Aboobacker MK <akarakath@gitlab.com>
Approved-by: Smriti Garg <sgarg@gitlab.com>
Reviewed-by: Heinrich Lee Yu <heinrich@gitlab.com>
Co-authored-by: Heinrich Lee Yu <heinrich@gitlab.com>

app/controllers/jwt_controller.rb

@@ -33,7 +33,7 @@ def authenticate_project_or_user
     @authentication_result = Gitlab::Auth::Result.new(nil, nil, :none, Gitlab::Auth.read_only_authentication_abilities)
 
     authenticate_with_http_basic do |login, password|
-      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, ip: request.ip)
+      @authentication_result = Gitlab::Auth.find_for_git_client(login, password, project: nil, request: request)
 
       if @authentication_result.failed?
         log_authentication_failed(login, @authentication_result)

app/controllers/repositories/git_http_client_controller.rb

@@ -129,7 +129,7 @@ def repo_type
 
     def handle_basic_authentication(login, password)
       @authentication_result = Gitlab::Auth.find_for_git_client(
-        login, password, project: project, ip: request.ip)
+        login, password, project: project, request: request)
 
       @authentication_result.success?
     end

ee/spec/lib/gitlab/auth_spec.rb

@@ -9,6 +9,8 @@
   let(:gl_auth) { described_class }
 
   describe '.find_for_git_client' do
+    let(:request) { instance_double(ActionDispatch::Request, ip: 'ip') }
+
     context 'when using personal access token as password' do
       shared_examples 'successfully authenticates' do
         it 'successfully authenticates' do
@@ -17,7 +19,7 @@
               personal_access_token.user.username,
               personal_access_token.token,
               project: project,
-              ip: 'ip'
+              request: request
             )
           ).to have_attributes(
             actor: personal_access_token.user,
@@ -35,7 +37,7 @@
               personal_access_token.user.username,
               personal_access_token.token,
               project: project,
-              ip: 'ip'
+              request: request
             )
           ).to have_attributes(auth_failure)
         end
@@ -106,7 +108,7 @@
     end
 
     context 'when using build token as password' do
-      subject { gl_auth.find_for_git_client(username, build.token, project: project, ip: 'ip') }
+      subject { gl_auth.find_for_git_client(username, build.token, project: project, request: request) }
 
       let(:username) { 'gitlab-ci-token' }
 

lib/gitlab/auth.rb

@@ -60,10 +60,10 @@ def omniauth_enabled?
         Gitlab.config.omniauth.enabled
       end
 
-      def find_for_git_client(login, password, project:, ip:)
-        raise "Must provide an IP for rate limiting" if ip.nil?
+      def find_for_git_client(login, password, project:, request:)
+        raise "Must provide an IP for rate limiting" if request.ip.nil?
 
-        rate_limiter = Gitlab::Auth::IpRateLimiter.new(ip)
+        rate_limiter = Gitlab::Auth::IpRateLimiter.new(request.ip)
 
         raise IpBlocked if !skip_rate_limit?(login: login) && rate_limiter.banned?
 
@@ -80,7 +80,7 @@ def find_for_git_client(login, password, project:, ip:)
           user_with_password_for_git(login, password) ||
           Gitlab::Auth::Result::EMPTY
 
-        rate_limit!(rate_limiter, success: result.success?, login: login)
+        rate_limit!(rate_limiter, success: result.success?, login: login, request: request)
         look_to_limit_user(result.actor)
 
         return result if result.success? || authenticate_using_internal_or_ldap_password?
@@ -142,7 +142,7 @@ def find_with_user_password(login, password, increment_failed_attempts: false)
 
       private
 
-      def rate_limit!(rate_limiter, success:, login:)
+      def rate_limit!(rate_limiter, success:, login:, request:)
         return if skip_rate_limit?(login: login)
 
         if success
@@ -155,8 +155,18 @@ def rate_limit!(rate_limiter, success:, login:)
           # request from this IP if needed.
           # This returns true when the failures are over the threshold and the IP
           # is banned.
-          Gitlab::AppLogger.info "IP #{rate_limiter.ip} failed to login " \
-              "as #{login} but has been temporarily banned from Git auth"
+
+          message = "Rack_Attack: Git auth failures has exceeded the threshold." \
+            "IP has been temporarily banned from Git auth."
+
+          Gitlab::AuthLogger.error(
+            message: message,
+            env: :blocklist,
+            remote_ip: request.ip,
+            request_method: request.request_method,
+            path: request.fullpath,
+            login: login
+          )
         end
       end
 

lib/gitlab/middleware/go.rb

@@ -141,7 +141,7 @@ def authentication_result(request, project)
         return empty_result unless has_basic_credentials?(request)
 
         login, password = user_name_and_password(request)
-        auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, ip: request.ip)
+        auth_result = Gitlab::Auth.find_for_git_client(login, password, project: project, request: request)
         return empty_result unless auth_result.success?
 
         return empty_result unless auth_result.can?(:access_git)