author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-09-27 00:06:29 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-09-27 00:06:29 +0300 |
commit | 430999251558db3c64b4adfc6e2b4fb771f6cd48 (patch) | |
tree | dd8bb7eab17ab8072179b9636bde34ec67ea17f5 /spec/requests/rack_attack_global_spec.rb | |
parent | e66d6781ef36e39d15b1b9bc84cc30e87969edad (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/requests/rack_attack_global_spec.rb')
-rw-r--r-- | spec/requests/rack_attack_global_spec.rb | 161 |
1 files changed, 160 insertions, 1 deletions
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index cf459ba99c1..0e757e8743a 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -12,7 +12,9 @@ describe 'Rack Attack global throttles' do
       throttle_authenticated_api_requests_per_period: 100,
       throttle_authenticated_api_period_in_seconds: 1,
       throttle_authenticated_web_requests_per_period: 100,
-      throttle_authenticated_web_period_in_seconds: 1
+      throttle_authenticated_web_period_in_seconds: 1,
+      throttle_authenticated_protected_paths_request_per_period: 100,
+      throttle_authenticated_protected_paths_in_seconds: 1
     }
   end
 
@@ -35,6 +37,10 @@ describe 'Rack Attack global throttles' do
     let(:url_api_internal) { '/api/v4/internal/check' }
 
     before do
+      # Disabling protected paths throttle, otherwise requests to
+      # '/users/sign_in' are caught by this throttle.
+      settings_to_set[:throttle_protected_paths_enabled] = false
+
       # Set low limits
       settings_to_set[:throttle_unauthenticated_requests_per_period] = requests_per_period
       settings_to_set[:throttle_unauthenticated_period_in_seconds] = period_in_seconds
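Review bot: The two keys added to the default settings hash, `throttle_authenticated_protected_paths_request_per_period` and `throttle_authenticated_protected_paths_in_seconds`, follow neither the naming of the neighbouring entries (`_requests_per_period`, `_period_in_seconds`) nor the keys the new protected-paths examples actually set later in this diff (`throttle_protected_paths_requests_per_period`, `throttle_protected_paths_period_in_seconds`, `throttle_protected_paths_enabled`). Unless an application setting really exists under these exact names, which the diff does not show, the two defaults are dead and give the false impression that the protected-paths throttle has a baseline configuration in this suite. Suggest `throttle_protected_paths_requests_per_period: 100,` and `throttle_protected_paths_period_in_seconds: 1` so the defaults line up with the keys the examples override. The `let(:settings_to_set)` block starts before this hunk.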
@@ -203,6 +209,159 @@ describe 'Rack Attack global throttles' do
     it_behaves_like 'rate-limited web authenticated requests'
   end
 
+  describe 'protected paths' do
+    context 'unauthenticated requests' do
+      let(:protected_path_that_does_not_require_authentication) do
+        '/users/confirmation'
+      end
+
+      before do
+        settings_to_set[:throttle_protected_paths_requests_per_period] = requests_per_period # 1
+        settings_to_set[:throttle_protected_paths_period_in_seconds] = period_in_seconds # 10_000
+      end
+
+      context 'when protected paths throttle is disabled' do
+        before do
+          settings_to_set[:throttle_protected_paths_enabled] = false
+          stub_application_setting(settings_to_set)
+        end
+
+        it 'allows requests over the rate limit' do
+          (1 + requests_per_period).times do
+            get protected_path_that_does_not_require_authentication
+            expect(response).to have_http_status 200
+          end
+        end
+      end
+
+      context 'when protected paths throttle is enabled' do
+        before do
+          settings_to_set[:throttle_protected_paths_enabled] = true
+          stub_application_setting(settings_to_set)
+        end
+
+        it 'rejects requests over the rate limit' do
+          requests_per_period.times do
+            get protected_path_that_does_not_require_authentication
+            expect(response).to have_http_status 200
+          end
+
+          expect_rejection { get protected_path_that_does_not_require_authentication }
+        end
+
+        context 'when Omnibus throttle is present' do
+          before do
+            allow(Gitlab::Throttle)
+              .to receive(:omnibus_protected_paths_present?).and_return(true)
+          end
+
+          it 'allows requests over the rate limit' do
+            (1 + requests_per_period).times do
+              get protected_path_that_does_not_require_authentication
+              expect(response).to have_http_status 200
+            end
+          end
+        end
+      end
+    end
+
+    context 'API requests authenticated with personal access token', :api do
+      let(:user) { create(:user) }
+      let(:token) { create(:personal_access_token, user: user) }
+      let(:other_user) { create(:user) }
+      let(:other_user_token) { create(:personal_access_token, user: other_user) }
+      let(:throttle_setting_prefix) { 'throttle_protected_paths' }
+      let(:api_partial_url) { '/users' }
+
+      let(:protected_paths) do
+        [
+          '/api/v4/users'
+        ]
+      end
+
+      before do
+        settings_to_set[:protected_paths] = protected_paths
+        stub_application_setting(settings_to_set)
+      end
+
+      context 'with the token in the query string' do
+        let(:get_args) { [api(api_partial_url, personal_access_token: token)] }
+        let(:other_user_get_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
+
+        it_behaves_like 'rate-limited token-authenticated requests'
+      end
+
+      context 'with the token in the headers' do
+        let(:get_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(token)) }
+        let(:other_user_get_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(other_user_token)) }
+
+        it_behaves_like 'rate-limited token-authenticated requests'
+      end
+
+      context 'when Omnibus throttle is present' do
+        let(:get_args) { [api(api_partial_url, personal_access_token: token)] }
+        let(:other_user_get_args) { [api(api_partial_url, personal_access_token: other_user_token)] }
+
+        before do
+          settings_to_set[:"#{throttle_setting_prefix}_requests_per_period"] = requests_per_period
+          settings_to_set[:"#{throttle_setting_prefix}_period_in_seconds"] = period_in_seconds
+          settings_to_set[:"#{throttle_setting_prefix}_enabled"] = true
+          stub_application_setting(settings_to_set)
+
+          allow(Gitlab::Throttle)
+            .to receive(:omnibus_protected_paths_present?).and_return(true)
+        end
+
+        it 'allows requests over the rate limit' do
+          (1 + requests_per_period).times do
+            get(*get_args)
+            expect(response).to have_http_status 200
+          end
+        end
+      end
+    end
+
+    describe 'web requests authenticated with regular login' do
+      let(:throttle_setting_prefix) { 'throttle_protected_paths' }
+      let(:user) { create(:user) }
+      let(:url_that_requires_authentication) { '/dashboard/snippets' }
+
+      let(:protected_paths) do
+        [
+          url_that_requires_authentication
+        ]
+      end
+
+      before do
+        settings_to_set[:protected_paths] = protected_paths
+        stub_application_setting(settings_to_set)
+      end
+
+      it_behaves_like 'rate-limited web authenticated requests'
+
+      context 'when Omnibus throttle is present' do
+        before do
+          settings_to_set[:"#{throttle_setting_prefix}_requests_per_period"] = requests_per_period
+          settings_to_set[:"#{throttle_setting_prefix}_period_in_seconds"] = period_in_seconds
+          settings_to_set[:"#{throttle_setting_prefix}_enabled"] = true
+          stub_application_setting(settings_to_set)
+
+          allow(Gitlab::Throttle)
+            .to receive(:omnibus_protected_paths_present?).and_return(true)
+
+          login_as(user)
+        end
+
+        it 'allows requests over the rate limit' do
+          (1 + requests_per_period).times do
+            get url_that_requires_authentication
+            expect(response).to have_http_status 200
+          end
+        end
+      end
+    end
+  end
+
   def api_get_args_with_token_headers(partial_url, token_headers)
     ["/api/#{API::API.version}#{partial_url}", params: nil, headers: token_headers]
   end
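Review bot: The three 'when Omnibus throttle is present' contexts codify a security-relevant bypass — once `Gitlab::Throttle.omnibus_protected_paths_present?` is stubbed to true, requests beyond the limit to `/users/confirmation`, `/api/v4/users` and `/dashboard/snippets` are expected to return 200 — yet nothing in the spec says why the application-level throttle is expected to stand down, so a later reader could read these examples as documenting a regression. Suggest a comment on the first such context, e.g. `# When Omnibus ships its own protected-paths throttle the application rule is expected to stay out of the way so the path is not double-counted; these examples only prove the application throttle is inactive, not that the Omnibus rule covers the path.`, since that second caveat is exactly what an operator who relies on this protection would want to know. The `get_args`/`other_user_get_args` lets in the API Omnibus context repeat the query-string context line for line and could be hoisted to the enclosing context to keep one definition. The enclosing `describe 'Rack Attack global throttles'` starts before this hunk.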