author | GitLab Bot <gitlab-bot@gitlab.com> | 2019-11-09 03:06:40 +0000 |
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2019-11-09 03:06:40 +0000 |
commit | d5f38aabd6b3bf03ed5506eb269062750bc60399 (patch) | |
tree | 5f7945e6fce3b9e48cc9b41d5c7f1e8d983838eb /spec/support/shared_examples/requests | |
parent | ab0f1c7a99c03725b3b5a1b7fee9aba879129e83 (diff) | |
download | gitlab-ce-d5f38aabd6b3bf03ed5506eb269062750bc60399.tar.gz |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/support/shared_examples/requests')
-rw-r--r-- | spec/support/shared_examples/requests/rack_attack_shared_examples.rb | 114 |
1 files changed, 66 insertions, 48 deletions
diff --git a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
index 0897f643796..c078e982e87 100644
--- a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
+++ b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
@@ -2,8 +2,9 @@
 #
 # Requires let variables:
 # * throttle_setting_prefix: "throttle_authenticated_api", "throttle_authenticated_web", "throttle_protected_paths"
-# * get_args
-# * other_user_get_args
+# * request_method
+# * request_args
+# * other_user_request_args
 # * requests_per_period
 # * period_in_seconds
 # * period
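Review bot: The new `request_method` entry in the required-lets comment does not say which values are accepted, and the helper that consumes it (added further down in the same file, outside this hunk) only distinguishes the exact string 'POST' from everything else, so a reader who sets it to `:post` would not learn here that it falls through to GET. I would make the accepted values explicit: `# * request_method: 'GET' or 'POST'`. The same line is added to the second required-lets comment later in the patch and should get the same wording.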
@@ -31,66 +32,66 @@ shared_examples_for 'rate-limited token-authenticated requests' do it 'rejects requests over the rate limit' do # At first, allow requests under the rate limit. requests_per_period.times do - get(*get_args) - expect(response).to have_http_status 200 + make_request(request_args) + expect(response).not_to have_http_status 429 end # the last straw - expect_rejection { get(*get_args) } + expect_rejection { make_request(request_args) } end it 'allows requests after throttling and then waiting for the next period' do requests_per_period.times do - get(*get_args) - expect(response).to have_http_status 200 + make_request(request_args) + expect(response).not_to have_http_status 429 end - expect_rejection { get(*get_args) } + expect_rejection { make_request(request_args) } Timecop.travel(period.from_now) do requests_per_period.times do - get(*get_args) - expect(response).to have_http_status 200 + make_request(request_args) + expect(response).not_to have_http_status 429 end - expect_rejection { get(*get_args) } + expect_rejection { make_request(request_args) } end end it 'counts requests from different users separately, even from the same IP' do requests_per_period.times do - get(*get_args) - expect(response).to have_http_status 200 + make_request(request_args) + expect(response).not_to have_http_status 429 end # would be over the limit if this wasn't a different user - get(*other_user_get_args) - expect(response).to have_http_status 200 + make_request(other_user_request_args) + expect(response).not_to have_http_status 429 end it 'counts all requests from the same user, even via different IPs' do requests_per_period.times do - get(*get_args) - expect(response).to have_http_status 200 + make_request(request_args) + expect(response).not_to have_http_status 429 end expect_any_instance_of(Rack::Attack::Request).to receive(:ip).at_least(:once).and_return('1.2.3.4') - expect_rejection { get(*get_args) } + expect_rejection { make_request(request_args) } end it 
'logs RackAttack info into structured logs' do requests_per_period.times do - get(*get_args) - expect(response).to have_http_status 200 + make_request(request_args) + expect(response).not_to have_http_status 429 end arguments = { message: 'Rack_Attack', env: :throttle, remote_ip: '127.0.0.1', - request_method: 'GET', - path: get_args.first, + request_method: request_method, + path: request_args.first, user_id: user.id, username: user.username, throttle_type: throttle_types[throttle_setting_prefix] @@ -98,7 +99,7 @@ shared_examples_for 'rate-limited token-authenticated requests' do expect(Gitlab::AuthLogger).to receive(:error).with(arguments).once - expect_rejection { get(*get_args) } + expect_rejection { make_request(request_args) } end end @@ -110,17 +111,26 @@ shared_examples_for 'rate-limited token-authenticated requests' do it 'allows requests over the rate limit' do (1 + requests_per_period).times do - get(*get_args) - expect(response).to have_http_status 200 + make_request(request_args) + expect(response).not_to have_http_status 429 end end end + + def make_request(args) + if request_method == 'POST' + post(*args) + else + get(*args) + end + end end # Requires let variables: # * throttle_setting_prefix: "throttle_authenticated_web" or "throttle_protected_paths" # * user # * url_that_requires_authentication +# * request_method # * requests_per_period # * period_in_seconds # * period 
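Review bot: Replacing `expect(response).to have_http_status 200` with `expect(response).not_to have_http_status 429` throughout this hunk makes the under-limit phase pass on any non-throttled status, including 401/403/404/500, so an example whose token or route is broken would still count its requests as "allowed" and only the final `expect_rejection` would be meaningful. If the relaxation is there because POST targets answer with a redirect, a tighter bound such as `expect(response.status).to be < 400` (or a per-example expected-status let) would keep redirects working while still catching authentication failures in a rate-limiting spec. The same loosening appears in the 'rate-limited web authenticated requests' hunk at -149,68 +159,68. The enclosing `shared_examples_for` block begins before this hunk.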
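Review bot: `make_request` treats every `request_method` other than the exact string 'POST' as GET, so a let of `:post`, 'post' or 'PUT' silently exercises the GET path and most examples still pass; only the structured-log example, which asserts `request_method: request_method`, would notice. A guard before the branch makes the contract explicit: `raise ArgumentError, "unsupported request_method: #{request_method.inspect}" unless %w[GET POST].include?(request_method)`. The `request_authenticated_web_url` helper added in the last hunk (-230,9 +240,17) has the same fall-through and deserves the same guard.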
@@ -149,68 +159,68 @@ shared_examples_for 'rate-limited web authenticated requests' do it 'rejects requests over the rate limit' do # At first, allow requests under the rate limit. requests_per_period.times do - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + expect(response).not_to have_http_status 429 end # the last straw - expect_rejection { get url_that_requires_authentication } + expect_rejection { request_authenticated_web_url } end it 'allows requests after throttling and then waiting for the next period' do requests_per_period.times do - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + expect(response).not_to have_http_status 429 end - expect_rejection { get url_that_requires_authentication } + expect_rejection { request_authenticated_web_url } Timecop.travel(period.from_now) do requests_per_period.times do - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + expect(response).not_to have_http_status 429 end - expect_rejection { get url_that_requires_authentication } + expect_rejection { request_authenticated_web_url } end end it 'counts requests from different users separately, even from the same IP' do requests_per_period.times do - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + expect(response).not_to have_http_status 429 end # would be over the limit if this wasn't a different user login_as(create(:user)) - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + expect(response).not_to have_http_status 429 end it 'counts all requests from the same user, even via different IPs' do requests_per_period.times do - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + 
expect(response).not_to have_http_status 429 end expect_any_instance_of(Rack::Attack::Request).to receive(:ip).at_least(:once).and_return('1.2.3.4') - expect_rejection { get url_that_requires_authentication } + expect_rejection { request_authenticated_web_url } end it 'logs RackAttack info into structured logs' do requests_per_period.times do - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + expect(response).not_to have_http_status 429 end arguments = { message: 'Rack_Attack', env: :throttle, remote_ip: '127.0.0.1', - request_method: 'GET', - path: '/dashboard/snippets', + request_method: request_method, + path: url_that_requires_authentication, user_id: user.id, username: user.username, throttle_type: throttle_types[throttle_setting_prefix] @@ -218,7 +228,7 @@ shared_examples_for 'rate-limited web authenticated requests' do expect(Gitlab::AuthLogger).to receive(:error).with(arguments).once - get url_that_requires_authentication + request_authenticated_web_url end end @@ -230,9 +240,17 @@ shared_examples_for 'rate-limited web authenticated requests' do it 'allows requests over the rate limit' do (1 + requests_per_period).times do - get url_that_requires_authentication - expect(response).to have_http_status 200 + request_authenticated_web_url + expect(response).not_to have_http_status 429 end end end + + def request_authenticated_web_url + if request_method == 'POST' + post url_that_requires_authentication + else + get url_that_requires_authentication + end + end end |