gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorVladimir Shushlin <v.shushlin@gmail.com>2022-02-21 20:00:46 +0300
committerVladimir Shushlin <v.shushlin@gmail.com>2022-02-22 12:38:49 +0300
commit58581c5a2ff3e95e1dc3acc69913412477a37557 (patch)
treef6f89f7ebe87075601c7cb94c608701b37d3d40a /test
parent62a6491652aa6975d9ecf3b9e258766c886d49d4 (diff)
feat: Always apply TLS limits even without ServerName
Diffstat (limited to 'test')
-rw-r--r--test/acceptance/ratelimiter_test.go119
1 files changed, 45 insertions, 74 deletions
diff --git a/test/acceptance/ratelimiter_test.go b/test/acceptance/ratelimiter_test.go
index 365ba4cd..a97fdfb1 100644
--- a/test/acceptance/ratelimiter_test.go
+++ b/test/acceptance/ratelimiter_test.go
@@ -114,121 +114,92 @@ func TestDomainRateLimits(t *testing.T) {
}
func TestTLSRateLimits(t *testing.T) {
- rateLimit := 5
-
tests := map[string]struct {
spec ListenSpec
- options []processOption
+ domainLimit bool
sourceIP string
- featureName string
enforceEnabled bool
- limitName string
}{
"https_with_domain_limit": {
- spec: httpsListener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-domain", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-domain-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsListener,
+ domainLimit: true,
sourceIP: "127.0.0.1",
- featureName: feature.EnforceDomainTLSRateLimits.EnvVariable,
enforceEnabled: true,
- limitName: "tls_connections_by_domain",
},
"https_with_domain_limit_not_enforced": {
- spec: httpsListener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-domain", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-domain-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsListener,
+ domainLimit: true,
sourceIP: "127.0.0.1",
- featureName: feature.EnforceDomainTLSRateLimits.EnvVariable,
enforceEnabled: false,
- limitName: "tls_connections_by_domain",
},
"https_with_ip_limit": {
- spec: httpsListener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-source-ip", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-source-ip-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsListener,
sourceIP: "127.0.0.1",
- featureName: feature.EnforceIPTLSRateLimits.EnvVariable,
enforceEnabled: true,
- limitName: "tls_connections_by_source_ip",
},
"https_with_ip_limit_not_enforced": {
- spec: httpsListener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-source-ip", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-source-ip-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsListener,
sourceIP: "127.0.0.1",
- featureName: feature.EnforceIPTLSRateLimits.EnvVariable,
enforceEnabled: false,
- limitName: "tls_connections_by_source_ip",
},
"proxyv2_with_domain_limit": {
- spec: httpsProxyv2Listener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-domain", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-domain-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsProxyv2Listener,
+ domainLimit: true,
sourceIP: "10.1.1.1",
- featureName: feature.EnforceDomainTLSRateLimits.EnvVariable,
enforceEnabled: true,
- limitName: "tls_connections_by_domain",
},
"proxyv2_with_domain_limit_not_enforced": {
- spec: httpsProxyv2Listener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-domain", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-domain-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsProxyv2Listener,
+ domainLimit: true,
sourceIP: "10.1.1.1",
- featureName: feature.EnforceDomainTLSRateLimits.EnvVariable,
enforceEnabled: false,
- limitName: "tls_connections_by_domain",
},
"proxyv2_with_ip_limit": {
- spec: httpsProxyv2Listener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-source-ip", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-source-ip-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsProxyv2Listener,
sourceIP: "10.1.1.1",
- featureName: feature.EnforceIPTLSRateLimits.EnvVariable,
enforceEnabled: true,
- limitName: "tls_connections_by_source_ip",
},
"proxyv2_with_ip_limit_not_enforced": {
- spec: httpsProxyv2Listener,
- options: []processOption{
- withExtraArgument("metrics-address", ":42345"),
- withExtraArgument("rate-limit-tls-source-ip", fmt.Sprint(rateLimit)),
- withExtraArgument("rate-limit-tls-source-ip-burst", fmt.Sprint(rateLimit)),
- },
+ spec: httpsProxyv2Listener,
sourceIP: "10.1.1.1",
- featureName: feature.EnforceIPTLSRateLimits.EnvVariable,
enforceEnabled: false,
- limitName: "tls_connections_by_source_ip",
},
}
for name, tt := range tests {
t.Run(name, func(t *testing.T) {
- testhelpers.StubFeatureFlagValue(t, tt.featureName, tt.enforceEnabled)
+ rateLimit := 5
- options := append(tt.options, withListeners([]ListenSpec{tt.spec}))
+ options := []processOption{
+ withListeners([]ListenSpec{tt.spec}),
+ withExtraArgument("metrics-address", ":42345"),
+ }
+
+ featureName := feature.EnforceIPTLSRateLimits.EnvVariable
+ limitName := "tls_connections_by_source_ip"
+
+ if tt.domainLimit {
+ options = append(options,
+ withExtraArgument("rate-limit-tls-domain", fmt.Sprint(rateLimit)),
+ withExtraArgument("rate-limit-tls-domain-burst", fmt.Sprint(rateLimit)))
+
+ featureName = feature.EnforceDomainTLSRateLimits.EnvVariable
+ limitName = "tls_connections_by_domain"
+ } else {
+ options = append(options,
+ withExtraArgument("rate-limit-tls-source-ip", fmt.Sprint(rateLimit)),
+ withExtraArgument("rate-limit-tls-source-ip-burst", fmt.Sprint(rateLimit)))
+ }
+
+ testhelpers.StubFeatureFlagValue(t, featureName, tt.enforceEnabled)
logBuf := RunPagesProcess(t, options...)
+ // when we start the process we make 1 requests to verify that process is up
+ // it gets counted in the rate limit for IP, but host is different
+ if !tt.domainLimit {
+ rateLimit--
+ }
+
for i := 0; i < 10; i++ {
rsp, err := makeTLSRequest(t, tt.spec)
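Review bot: None of the eight table cases sends a handshake without a ServerName, so the behaviour named in the commit title is covered only indirectly, through the `rateLimit--` adjustment made for the start-up probe after `RunPagesProcess`. Whether that probe really omits SNI cannot be seen from this hunk (the comment only says the host is different), and the diffstat is limited to test/, so a unit test may cover it elsewhere. An explicit case that connects with an empty ServerName and asserts that the source-IP limit still blocks would stop a regression from silently letting such connections past the limiter again. The new comment would also read more clearly as `// RunPagesProcess makes one request to check the process is up; it counts against the source-IP limit but not the domain limit, because its host differs`. The request loop continues outside the hunk.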
@@ -247,13 +218,13 @@ func TestTLSRateLimits(t *testing.T) {
continue
}
- require.NoError(t, err)
+ require.NoError(t, err, "request: %d failed", i)
require.NoError(t, rsp.Body.Close())
require.Equal(t, http.StatusOK, rsp.StatusCode, "request: %d failed", i)
}
expectedMetric := fmt.Sprintf(
- "gitlab_pages_rate_limit_blocked_count{enforced=\"%t\",limit_name=\"%s\"} 5",
- tt.enforceEnabled, tt.limitName)
+ "gitlab_pages_rate_limit_blocked_count{enforced=\"%t\",limit_name=\"%s\"} %v",
+ tt.enforceEnabled, limitName, 10-rateLimit)
RequireMetricEqual(t, "127.0.0.1:42345", expectedMetric)
})
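Review bot: The expected count `10-rateLimit` depends on two things defined elsewhere in the function. The literal `10` has to match the loop bound `for i := 0; i < 10; i++`, and `rateLimit` has already been decremented for the source-IP cases, so the same variable means the configured limit where the flags are built and the remaining allowance here. A named constant for the request count and a separate variable for the allowance, for example `allowed := rateLimit` followed by `allowed--` and then `totalRequests-allowed`, would make the arithmetic checkable at a glance. `%d` is the more usual verb than `%v` for this integer. The function starts before this hunk, and the branch that handles blocked requests is outside it.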