Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2019-11-09 06:06:40 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2019-11-09 06:06:40 +0300
commit: d5f38aabd6b3bf03ed5506eb269062750bc60399 (patch)
tree: 5f7945e6fce3b9e48cc9b41d5c7f1e8d983838eb /spec/requests/rack_attack_global_spec.rb
parent: ab0f1c7a99c03725b3b5a1b7fee9aba879129e83 (diff)
1 files changed, 32 insertions, 28 deletions
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 0c148102e79..4d5055a7e27 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -22,6 +22,7 @@ describe 'Rack Attack global throttles' do
     }
   end
 
+  let(:request_method) { 'GET' }
   let(:requests_per_period) { 1 }
   let(:period_in_seconds) { 10000 }
   let(:period) { period_in_seconds.seconds }
@@ -143,15 +144,15 @@ describe 'Rack Attack global throttles' do
     let(:api_partial_url) { '/todos' }
 
     context 'with the token in the query string' do
-      let(:get_args) { [api(api_partial_url, personal_access_token: token)] }
-      let(:other_user_get_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
+      let(:request_args) { [api(api_partial_url, personal_access_token: token)] }
+      let(:other_user_request_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
 
       it_behaves_like 'rate-limited token-authenticated requests'
     end
 
     context 'with the token in the headers' do
-      let(:get_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(token)) }
-      let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(other_user_token)) }
+      let(:request_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(token)) }
+      let(:other_user_request_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(other_user_token)) }
 
       it_behaves_like 'rate-limited token-authenticated requests'
     end
@@ -170,15 +171,15 @@ describe 'Rack Attack global throttles' do
     let(:api_partial_url) { '/todos' }
 
     context 'with the token in the query string' do
-      let(:get_args) { [api(api_partial_url, oauth_access_token: token)] }
-      let(:other_user_get_args) { [api(api_partial_url, oauth_access_token: other_user_token)] }
+      let(:request_args) { [api(api_partial_url, oauth_access_token: token)] }
+      let(:other_user_request_args) { [api(api_partial_url, oauth_access_token: other_user_token)] }
 
       it_behaves_like 'rate-limited token-authenticated requests'
     end
 
     context 'with the token in the headers' do
-      let(:get_args) { api_get_args_with_token_headers(api_partial_url, oauth_token_headers(token)) }
-      let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, oauth_token_headers(other_user_token)) }
+      let(:request_args) { api_get_args_with_token_headers(api_partial_url, oauth_token_headers(token)) }
+      let(:other_user_request_args) { api_get_args_with_token_headers(api_partial_url, oauth_token_headers(other_user_token)) }
 
       it_behaves_like 'rate-limited token-authenticated requests'
     end
@@ -190,8 +191,8 @@ describe 'Rack Attack global throttles' do
     let(:throttle_setting_prefix) { 'throttle_authenticated_web' }
 
     context 'with the token in the query string' do
-      let(:get_args) { [rss_url(user), params: nil] }
-      let(:other_user_get_args) { [rss_url(other_user), params: nil] }
+      let(:request_args) { [rss_url(user), params: nil] }
+      let(:other_user_request_args) { [rss_url(other_user), params: nil] }
 
       it_behaves_like 'rate-limited token-authenticated requests'
     end
@@ -206,10 +207,13 @@ describe 'Rack Attack global throttles' do
   end
 
   describe 'protected paths' do
+    let(:request_method) { 'POST' }
+
     context 'unauthenticated requests' do
       let(:protected_path_that_does_not_require_authentication) do
-        '/users/confirmation'
+        '/users/sign_in'
       end
+      let(:post_params) { { user: { login: 'username', password: 'password' } } }
 
       before do
         settings_to_set[:throttle_protected_paths_requests_per_period] = requests_per_period # 1
@@ -224,7 +228,7 @@ describe 'Rack Attack global throttles' do
 
         it 'allows requests over the rate limit' do
           (1 + requests_per_period).times do
-            get protected_path_that_does_not_require_authentication
+            post protected_path_that_does_not_require_authentication, params: post_params
             expect(response).to have_http_status 200
           end
         end
@@ -238,11 +242,11 @@ describe 'Rack Attack global throttles' do
 
         it 'rejects requests over the rate limit' do
           requests_per_period.times do
-            get protected_path_that_does_not_require_authentication
+            post protected_path_that_does_not_require_authentication, params: post_params
             expect(response).to have_http_status 200
           end
 
-          expect_rejection { get protected_path_that_does_not_require_authentication }
+          expect_rejection { post protected_path_that_does_not_require_authentication, params: post_params }
         end
 
         context 'when Omnibus throttle is present' do
@@ -253,7 +257,7 @@ describe 'Rack Attack global throttles' do
 
           it 'allows requests over the rate limit' do
             (1 + requests_per_period).times do
-              get protected_path_that_does_not_require_authentication
+              post protected_path_that_does_not_require_authentication, params: post_params
               expect(response).to have_http_status 200
             end
           end
@@ -267,11 +271,11 @@ describe 'Rack Attack global throttles' do
       let(:other_user) { create(:user) }
       let(:other_user_token) { create(:personal_access_token, user: other_user) }
       let(:throttle_setting_prefix) { 'throttle_protected_paths' }
-      let(:api_partial_url) { '/users' }
+      let(:api_partial_url) { '/user/emails' }
 
       let(:protected_paths) do
         [
-          '/api/v4/users'
+          '/api/v4/user/emails'
         ]
       end
 
@@ -281,22 +285,22 @@ describe 'Rack Attack global throttles' do
       end
 
       context 'with the token in the query string' do
-        let(:get_args) { [api(api_partial_url, personal_access_token: token)] }
-        let(:other_user_get_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
+        let(:request_args) { [api(api_partial_url, personal_access_token: token)] }
+        let(:other_user_request_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
 
         it_behaves_like 'rate-limited token-authenticated requests'
       end
 
       context 'with the token in the headers' do
-        let(:get_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(token)) }
-        let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(other_user_token)) }
+        let(:request_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(token)) }
+        let(:other_user_request_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(other_user_token)) }
 
         it_behaves_like 'rate-limited token-authenticated requests'
       end
 
       context 'when Omnibus throttle is present' do
-        let(:get_args) { [api(api_partial_url, personal_access_token: token)] }
-        let(:other_user_get_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
+        let(:request_args) { [api(api_partial_url, personal_access_token: token)] }
+        let(:other_user_request_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
 
         before do
           settings_to_set[:"#{throttle_setting_prefix}_requests_per_period"] = requests_per_period
@@ -310,8 +314,8 @@ describe 'Rack Attack global throttles' do
 
         it 'allows requests over the rate limit' do
           (1 + requests_per_period).times do
-            get(*get_args)
-            expect(response).to have_http_status 200
+            post(*request_args)
+            expect(response).not_to have_http_status 429
           end
         end
       end
@@ -320,7 +324,7 @@ describe 'Rack Attack global throttles' do
     describe 'web requests authenticated with regular login' do
       let(:throttle_setting_prefix) { 'throttle_protected_paths' }
       let(:user) { create(:user) }
-      let(:url_that_requires_authentication) { '/dashboard/snippets' }
+      let(:url_that_requires_authentication) { '/users/confirmation' }
 
       let(:protected_paths) do
         [
@@ -350,8 +354,8 @@ describe 'Rack Attack global throttles' do
 
         it 'allows requests over the rate limit' do
           (1 + requests_per_period).times do
-            get url_that_requires_authentication
-            expect(response).to have_http_status 200
+            post url_that_requires_authentication
+            expect(response).not_to have_http_status 429
           end
         end
       end
author	GitLab Bot <gitlab-bot@gitlab.com>	2019-11-09 06:06:40 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2019-11-09 06:06:40 +0300
commit	d5f38aabd6b3bf03ed5506eb269062750bc60399 (patch)
tree	5f7945e6fce3b9e48cc9b41d5c7f1e8d983838eb /spec/requests/rack_attack_global_spec.rb
parent	ab0f1c7a99c03725b3b5a1b7fee9aba879129e83 (diff)