author | Francisco Javier López <fjlopez@gitlab.com> | 2018-02-15 16:40:38 +0100 |
---|---|---|
committer | Francisco Javier López <fjlopez@gitlab.com> | 2018-02-15 16:40:38 +0100 |
commit | e575b17654fa3bb41afbe473036926789b8bcf33 (patch) | |
tree | f13174c9733af7d2561b1ecb0fe3198d5b505fbd | |
parent | c3baa69170da3c8f944e20c8e7b12edce5b37d40 (diff) | |
Added specfj-42910-unauthenticated-limit-via-ssh
-rw-r--r-- | config/initializers/rack_attack_global.rb | 4 | ||||
-rw-r--r-- | spec/requests/rack_attack_global_spec.rb | 10 |
2 files changed, 12 insertions, 2 deletions
diff --git a/config/initializers/rack_attack_global.rb b/config/initializers/rack_attack_global.rb
index 76634c249ea..a90516eee7d 100644
--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_global.rb
@@ -26,8 +26,8 @@ class Rack::Attack
 throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
 Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
 req.unauthenticated? &&
- req.ip &&
- !req.api_internal_request?
+ !req.api_internal_request? &&
+ req.ip
 end
 
 throttle('throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req|
diff --git a/spec/requests/rack_attack_global_spec.rb b/spec/requests/rack_attack_global_spec.rb
index 0fec14d0cce..b18e922b063 100644
--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -22,6 +22,7 @@ describe 'Rack Attack global throttles' do
 let(:url_that_does_not_require_authentication) { '/users/sign_in' }
 let(:url_that_requires_authentication) { '/dashboard/snippets' }
+ let(:url_api_internal) { '/api/v4/internal/check' }
 let(:api_partial_url) { '/todos' }
 
 around do |example|
@@ -172,6 +173,15 @@ describe 'Rack Attack global throttles' do
 get url_that_does_not_require_authentication
 expect(response).to have_http_status 200
 end
+
+ context 'when the request is to the api internal endpoints' do
+ it 'allows requests over the rate limit' do
+ (1 + requests_per_period).times do
+ get url_api_internal, secret_token: Gitlab::Shell.secret_token
+ expect(response).to have_http_status 200
+ end
+ end
+ end
 end
 
 context 'when the throttle is disabled' do
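Review bot: The operand order inside the `throttle('throttle_unauthenticated', ...)` block is now load-bearing and nothing in the hunk says so: as far as I read rack-attack's contract, the block's return value is the discriminator the counter is keyed on, so `req.ip` has to stay the final operand of the `&&` chain for the limit to be tracked per client address rather than under a single shared `true` key. A later tidy-up that moves `req.ip` back up the chain would silently merge every unauthenticated client into one counter, which is exactly the kind of regression a short comment prevents; I'd put `# keep req.ip last: the block's value is the throttle discriminator (per-IP counter key)` directly above the `+ req.ip` line. Both the `throttle(...)` block and the enclosing `class Rack::Attack` body continue outside the hunk.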
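Review bot: The new context 'when the request is to the api internal endpoints' only asserts that internal requests keep getting 200 past the limit, and that holds under both the old and the new operand order, because `!req.api_internal_request?` short-circuits the chain to false either way; the spec therefore does not exercise what the initializer change alters, namely which value the block returns for a request that is throttled. A companion example that sends `1 + requests_per_period` requests to `url_that_does_not_require_authentication` from one client address, expects the last to be rejected, and then sends one more from a different client address expecting 200 would pin the per-IP keying and fail if `req.ip` is ever moved off the end of the chain again. The surrounding examples for `url_that_does_not_require_authentication` look like the natural place for it; the `context` that holds these examples starts outside the hunk, so I cannot see which request helpers and header-setting style this file already uses.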