1 files changed, 221 insertions, 0 deletions

diff --git a/spec/lib/gitlab/web_hooks/recursion_detection_spec.rb b/spec/lib/gitlab/web_hooks/recursion_detection_spec.rb
new file mode 100644
index 00000000000..45170864967
--- /dev/null
+++ b/spec/lib/gitlab/web_hooks/recursion_detection_spec.rb
@@ -0,0 +1,221 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::WebHooks::RecursionDetection, :clean_gitlab_redis_shared_state, :request_store do
+  let_it_be(:web_hook) { create(:project_hook) }
+
+  let!(:uuid_class) { described_class::UUID }
+
+  describe '.set_from_headers' do
+    let(:old_uuid) { SecureRandom.uuid }
+    let(:rack_headers) { Rack::MockRequest.env_for("/").merge(headers) }
+
+    subject(:set_from_headers) { described_class.set_from_headers(rack_headers) }
+
+    # Note, having a previous `request_uuid` value set before `.set_from_headers` is
+    # called is contrived and should not normally happen. However, testing with this scenario
+    # allows us to assert the ideal outcome if it ever were to happen.
+    before do
+      uuid_class.instance.request_uuid = old_uuid
+    end
+
+    context 'when the detection header is present' do
+      let(:new_uuid) { SecureRandom.uuid }
+
+      let(:headers) do
+        { uuid_class::HEADER => new_uuid }
+      end
+
+      it 'sets the request UUID value from the headers' do
+        set_from_headers
+
+        expect(uuid_class.instance.request_uuid).to eq(new_uuid)
+      end
+    end
+
+    context 'when detection header is not present' do
+      let(:headers) { {} }
+
+      it 'does not set the request UUID' do
+        set_from_headers
+
+        expect(uuid_class.instance.request_uuid).to eq(old_uuid)
+      end
+    end
+  end
+
+  describe '.set_request_uuid' do
+    it 'sets the request UUID value' do
+      new_uuid = SecureRandom.uuid
+
+      described_class.set_request_uuid(new_uuid)
+
+      expect(uuid_class.instance.request_uuid).to eq(new_uuid)
+    end
+  end
+
+  describe '.register!' do
+    let_it_be(:second_web_hook) { create(:project_hook) }
+    let_it_be(:third_web_hook) { create(:project_hook) }
+
+    def cache_key(hook)
+      described_class.send(:cache_key_for_hook, hook)
+    end
+
+    it 'stores IDs in the same cache when a request UUID is set, until the request UUID changes', :aggregate_failures do
+      # Register web_hook and second_web_hook against the same request UUID.
+      uuid_class.instance.request_uuid = SecureRandom.uuid
+      described_class.register!(web_hook)
+      described_class.register!(second_web_hook)
+      first_cache_key = cache_key(web_hook)
+      second_cache_key = cache_key(second_web_hook)
+
+      # Register third_web_hook against a new request UUID.
+      uuid_class.instance.request_uuid = SecureRandom.uuid
+      described_class.register!(third_web_hook)
+      third_cache_key = cache_key(third_web_hook)
+
+      expect(first_cache_key).to eq(second_cache_key)
+      expect(second_cache_key).not_to eq(third_cache_key)
+
+      ::Gitlab::Redis::SharedState.with do |redis|
+        members = redis.smembers(first_cache_key).map(&:to_i)
+        expect(members).to contain_exactly(web_hook.id, second_web_hook.id)
+
+        members = redis.smembers(third_cache_key).map(&:to_i)
+        expect(members).to contain_exactly(third_web_hook.id)
+      end
+    end
+
+    it 'stores IDs in unique caches when no request UUID is present', :aggregate_failures do
+      described_class.register!(web_hook)
+      described_class.register!(second_web_hook)
+      described_class.register!(third_web_hook)
+
+      first_cache_key = cache_key(web_hook)
+      second_cache_key = cache_key(second_web_hook)
+      third_cache_key = cache_key(third_web_hook)
+
+      expect([first_cache_key, second_cache_key, third_cache_key].compact.length).to eq(3)
+
+      ::Gitlab::Redis::SharedState.with do |redis|
+        members = redis.smembers(first_cache_key).map(&:to_i)
+        expect(members).to contain_exactly(web_hook.id)
+
+        members = redis.smembers(second_cache_key).map(&:to_i)
+        expect(members).to contain_exactly(second_web_hook.id)
+
+        members = redis.smembers(third_cache_key).map(&:to_i)
+        expect(members).to contain_exactly(third_web_hook.id)
+      end
+    end
+
+    it 'touches the storage ttl each time it is called', :aggregate_failures do
+      freeze_time do
+        described_class.register!(web_hook)
+
+        ::Gitlab::Redis::SharedState.with do |redis|
+          expect(redis.ttl(cache_key(web_hook))).to eq(described_class::TOUCH_CACHE_TTL.to_i)
+        end
+      end
+
+      travel_to(1.minute.from_now) do
+        described_class.register!(second_web_hook)
+
+        ::Gitlab::Redis::SharedState.with do |redis|
+          expect(redis.ttl(cache_key(web_hook))).to eq(described_class::TOUCH_CACHE_TTL.to_i)
+        end
+      end
+    end
+  end
+
+  describe 'block?' do
+    let_it_be(:registered_web_hooks) { create_list(:project_hook, 2) }
+
+    subject(:block?) { described_class.block?(web_hook) }
+
+    before do
+      # Register some previous webhooks.
+      uuid_class.instance.request_uuid = SecureRandom.uuid
+
+      registered_web_hooks.each do |web_hook|
+        described_class.register!(web_hook)
+      end
+    end
+
+    it 'returns false if webhook should not be blocked' do
+      is_expected.to eq(false)
+    end
+
+    context 'when the webhook has previously fired' do
+      before do
+        described_class.register!(web_hook)
+      end
+
+      it 'returns true' do
+        is_expected.to eq(true)
+      end
+
+      context 'when the request UUID changes again' do
+        before do
+          uuid_class.instance.request_uuid = SecureRandom.uuid
+        end
+
+        it 'returns false' do
+          is_expected.to eq(false)
+        end
+      end
+    end
+
+    context 'when the count limit has been reached' do
+      let_it_be(:registered_web_hooks) { create_list(:project_hook, 2) }
+
+      before do
+        registered_web_hooks.each do |web_hook|
+          described_class.register!(web_hook)
+        end
+
+        stub_const("#{described_class.name}::COUNT_LIMIT", registered_web_hooks.size)
+      end
+
+      it 'returns true' do
+        is_expected.to eq(true)
+      end
+
+      context 'when the request UUID changes again' do
+        before do
+          uuid_class.instance.request_uuid = SecureRandom.uuid
+        end
+
+        it 'returns false' do
+          is_expected.to eq(false)
+        end
+      end
+    end
+  end
+
+  describe '.header' do
+    subject(:header) { described_class.header(web_hook) }
+
+    it 'returns a header with the UUID value' do
+      uuid = SecureRandom.uuid
+      allow(uuid_class.instance).to receive(:uuid_for_hook).and_return(uuid)
+
+      is_expected.to eq({ uuid_class::HEADER => uuid })
+    end
+  end
+
+  describe '.to_log' do
+    subject(:to_log) { described_class.to_log(web_hook) }
+
+    it 'returns the UUID value and all registered webhook IDs in a Hash' do
+      uuid = SecureRandom.uuid
+      allow(uuid_class.instance).to receive(:uuid_for_hook).and_return(uuid)
+      registered_web_hooks = create_list(:project_hook, 2)
+      registered_web_hooks.each { described_class.register!(_1) }
+
+      is_expected.to eq({ uuid: uuid, ids: registered_web_hooks.map(&:id) })
+    end
+  end
+end