Support CIDR notation in IP rate limitersh-support-subnets-ip-rate-limiter

This will make it possible to whitelist multiple IP addresses
(e.g. 192.168.0.1/24).

1 files changed, 65 insertions, 0 deletions

diff --git a/spec/lib/gitlab/auth/ip_rate_limiter_spec.rb b/spec/lib/gitlab/auth/ip_rate_limiter_spec.rb
new file mode 100644
index 00000000000..8d6bf45ab30
--- /dev/null
+++ b/spec/lib/gitlab/auth/ip_rate_limiter_spec.rb
@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Auth::IpRateLimiter, :use_clean_rails_memory_store_caching do
+  let(:ip) { '10.2.2.3' }
+  let(:whitelist) { ['127.0.0.1'] }
+  let(:options) do
+    {
+      enabled: true,
+      ip_whitelist: whitelist,
+      bantime: 1.minute,
+      findtime: 1.minute,
+      maxretry: 2
+    }
+  end
+
+  subject { described_class.new(ip) }
+
+  before do
+    stub_rack_attack_setting(options)
+  end
+
+  after do
+    subject.reset!
+  end
+
+  describe '#register_fail!' do
+    it 'bans after 3 consecutive failures' do
+      expect(subject.banned?).to be_falsey
+
+      3.times { subject.register_fail! }
+
+      expect(subject.banned?).to be_truthy
+    end
+
+    shared_examples 'whitelisted IPs' do
+      it 'does not ban after max retry limit' do
+        expect(subject.banned?).to be_falsey
+
+        3.times { subject.register_fail! }
+
+        expect(subject.banned?).to be_falsey
+      end
+    end
+
+    context 'with a whitelisted netmask' do
+      before do
+        options[:ip_whitelist] = ['127.0.0.1', '10.2.2.0/24', 'bad']
+        stub_rack_attack_setting(options)
+      end
+
+      it_behaves_like 'whitelisted IPs'
+    end
+
+    context 'with a whitelisted IP' do
+      before do
+        options[:ip_whitelist] = ['10.2.2.3']
+        stub_rack_attack_setting(options)
+      end
+
+      it_behaves_like 'whitelisted IPs'
+    end
+  end
+end