Diffstat (limited to 'spec/requests/rack_attack_global_spec.rb')
-rw-r--r-- | spec/requests/rack_attack_global_spec.rb | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 0dd8a15c3a4..3f5cd24f3dd 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -320,6 +320,120 @@ feature_category: :system_access do
 end
 end
+ describe 'protected paths for get' do
+ let(:request_method) { 'GET' }
+
+ context 'unauthenticated requests' do
+ let(:protected_path_for_get_request_that_does_not_require_authentication) do
+ '/users/sign_in'
+ end
+
+ def do_request
+ get protected_path_for_get_request_that_does_not_require_authentication
+ end
+
+ before do
+ settings_to_set[:throttle_protected_paths_requests_per_period] = requests_per_period # 1
+ settings_to_set[:throttle_protected_paths_period_in_seconds] = period_in_seconds # 10_000
+ settings_to_set[:protected_paths_for_get_request] = %w[/users/sign_in]
+ end
+
+ context 'when protected paths throttle is disabled' do
+ before do
+ settings_to_set[:throttle_protected_paths_enabled] = false
+ stub_application_setting(settings_to_set)
+ end
+
+ it 'allows requests over the rate limit' do
+ (1 + requests_per_period).times do
+ do_request
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+ end
+
+ context 'when protected paths throttle is enabled' do
+ before do
+ settings_to_set[:throttle_protected_paths_enabled] = true
+ stub_application_setting(settings_to_set)
+ end
+
+ it 'rejects requests over the rate limit' do
+ requests_per_period.times do
+ do_request
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ expect_rejection { get protected_path_for_get_request_that_does_not_require_authentication }
+ end
+
+ it 'allows GET requests to unprotected paths over the rate limit' do
+ (1 + requests_per_period).times do
+ get '/api/graphql'
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+ end
+
+ it_behaves_like 'tracking when dry-run mode is set' do
+ let(:throttle_name) { 'throttle_unauthenticated_get_protected_paths' }
+ end
+ end
+ end
+
+ context 'API requests authenticated with personal access token', :api do
+ let(:user) { create(:user) }
+ let(:token) { create(:personal_access_token, user: user) }
+ let(:other_user) { create(:user) }
+ let(:other_user_token) { create(:personal_access_token, user: other_user) }
+ let(:throttle_setting_prefix) { 'throttle_protected_paths' }
+ let(:api_partial_url) { '/user/emails' }
+
+ let(:protected_paths_for_get_request) do
+ [
+ '/api/v4/user/emails'
+ ]
+ end
+
+ before do
+ settings_to_set[:protected_paths_for_get_request] = protected_paths_for_get_request
+ stub_application_setting(settings_to_set)
+ end
+
+ context 'with the token in the query string' do
+ let(:request_args) { [api(api_partial_url, personal_access_token: token), {}] }
+ let(:other_user_request_args) { [api(api_partial_url, personal_access_token: other_user_token), {}] }
+
+ it_behaves_like 'rate-limited user based token-authenticated requests'
+ end
+
+ context 'with the token in the headers' do
+ let(:request_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(token)) }
+ let(:other_user_request_args) { api_get_args_with_token_headers(api_partial_url, personal_access_token_headers(other_user_token)) }
+
+ it_behaves_like 'rate-limited user based token-authenticated requests'
+ end
+ end
+
+ describe 'web requests authenticated with regular login' do
+ let(:throttle_setting_prefix) { 'throttle_protected_paths' }
+ let(:user) { create(:user) }
+ let(:url_that_requires_authentication) { '/users/confirmation' }
+
+ let(:protected_paths_for_get_request) do
+ [
+ url_that_requires_authentication
+ ]
+ end
+
+ before do
+ settings_to_set[:protected_paths_for_get_request] = protected_paths_for_get_request
+ stub_application_setting(settings_to_set)
+ end
+
+ it_behaves_like 'rate-limited web authenticated requests'
+ end
+ end
+
 describe 'Packages API' do
 let(:request_method) { 'GET' } |
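Review bot: The new GET throttle is only exercised with the exact configured path and method, so nothing in the 'unauthenticated requests' context pins down how `protected_paths_for_get_request` is matched — a GET to `/users/sign_in?redirect_to=x` or `/users/sign_in/other` would distinguish prefix from exact matching, and a POST to `/users/sign_in` with only the GET list configured would confirm the GET list is independent of the existing `protected_paths` setting, which I assume is the intent given the `throttle_unauthenticated_get_protected_paths` name. In the same context the over-limit expectation bypasses the helper, `expect_rejection { get protected_path_for_get_request_that_does_not_require_authentication }`, where `expect_rejection { do_request }` would keep it consistent with the two loops above, and the literal `%w[/users/sign_in]` in the `before` block could reuse the `let` so the path is defined once. In the last describe, `/users/confirmation` is bound to `url_that_requires_authentication`, but as far as I know that Devise route is reachable without a session, so it is worth confirming the shared example still asserts what the name implies rather than passing on a redirect. The enclosing `RSpec.describe` block opens before this hunk.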