Reduce Rack Attack false positives causing 403 errors during HTTP authentication
### What does this MR do?
This MR reduces false positives causing `403 Forbidden` messages after HTTP authentication.
A Git client may attempt to access a repository without a password. If it receives a 401 error, the client often will try again, this time supplying a password. The problem is that `grack_auth.rb` considers a blank password an authentication failure and increases a Redis counter each time this happens. With enough requests, an IP can be banned temporarily even though previous attempts may have been successful. This leads users to see `403 Forbidden` errors until the ban times out (default: 1 hour).
To reduce the chance of a false positive, this MR resets the counter upon a successful authentication from an IP.
In addition, this MR logs when a user has been banned and introduces the ability to disable Rack Attack via a config variable.
### Are there points in the code the reviewer needs to double check?
rack-attack v4.2.0 doesn't support the ability to clear counters out of the box, so `rack_attack_helpers.rb` includes a number of monkey patches to make it work. It looks like this functionality may be added in v4.3.0. I've also sent pull requests to rack-attack to add the functionality necessary to delete a key.
Each time an authentication is successful, the Redis counter for that IP is cleared. I deemed it better to clear the counter than to allow for blank passwords, since the latter seems like a security risk.
### Why was this MR needed?
It was quite difficult to figure out why users were seeing `403 Forbidden`, which is why the log message was added. Users were getting a lot of false positives when accessing repositories with HTTPS. Including the username in the HTTPS URL (e.g. `https://username@mydomain.com/account/repo.git`) caused authentication failures because while the git client provided the username, it left the password blank, leading to an authentication failure.
### What are the relevant issue numbers / [Feature requests](http://feedback.gitlab.com/)?
See Issue #1171https://github.com/kickstarter/rack-attack/issues/113
See merge request !392
Fix nested task lists
When nesting task list items, the parent item is wrapped in a `<p>` tag. Update the task list parser to handle these paragraph wrappers.
cc @sytse
See merge request !413
Branch names that contain `/` return a 405 error when being deleted because the slash is escaped to `%2F`
This patch will unescape the param prior to executing the delete action.
Replace commits calendar with contributions calendar
* count opening of issues and merge requests
* dont trigger git repository - use events from database
* count pushes instead of commits for faster and easier counting
* much-much faster since does not affected by repository size
See merge request !420
Update views to single form of address. Change "my" to "your"
Part of user experience. Every software (twitter, facebook etc) talks to you like "change your password" but not "change my password".
cc @sytse @job
See merge request !1736
Fix OAuth2 issue importing a new project from GitHub and GitLab
It appears that the GitLab OAuth2 client options were converted to strings instead of symbols when merged with the default options (i.e. `{}.merge(github_options)`). As a result, the OAuth2 defaults were being used. For example, the OAuth2 client options would have a key with `authorize_url` and `:authorize_url`, but the former was never used. As a result, the OAuth2 client would always use the wrong URL to talk to GitHub.
Note that this bug should also have affected GitLab, but not Bitbucket: The OAuth client is careful to convert all keys to symbols.
Closes#1268
See merge request !425
Dmitriy Zaporozhets
Robert Schilling
Aurelio Jargas
Andrew Tomaka
Douwe Maan
Dan Tudor
Stan Hu
hebbet
Dmitriy Zaporozhets
Douwe Maan
vichak
Vinnie Okada
