Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2019-11-09 03:06:40 +0000
committer: GitLab Bot <gitlab-bot@gitlab.com> 2019-11-09 03:06:40 +0000
commit: d5f38aabd6b3bf03ed5506eb269062750bc60399 (patch)
tree: 5f7945e6fce3b9e48cc9b41d5c7f1e8d983838eb /spec/support/shared_examples/requests
parent: ab0f1c7a99c03725b3b5a1b7fee9aba879129e83 (diff)
download: gitlab-ce-d5f38aabd6b3bf03ed5506eb269062750bc60399.tar.gz
1 files changed, 66 insertions, 48 deletions
diff --git a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
index 0897f643796..c078e982e87 100644
--- a/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
+++ b/spec/support/shared_examples/requests/rack_attack_shared_examples.rb
@@ -2,8 +2,9 @@
 #
 # Requires let variables:
 # * throttle_setting_prefix: "throttle_authenticated_api", "throttle_authenticated_web", "throttle_protected_paths"
-# * get_args
-# * other_user_get_args
+# * request_method
+# * request_args
+# * other_user_request_args
 # * requests_per_period
 # * period_in_seconds
 # * period
@@ -31,66 +32,66 @@ shared_examples_for 'rate-limited token-authenticated requests' do
     it 'rejects requests over the rate limit' do
       # At first, allow requests under the rate limit.
       requests_per_period.times do
-        get(*get_args)
-        expect(response).to have_http_status 200
+        make_request(request_args)
+        expect(response).not_to have_http_status 429
       end
 
       # the last straw
-      expect_rejection { get(*get_args) }
+      expect_rejection { make_request(request_args) }
     end
 
     it 'allows requests after throttling and then waiting for the next period' do
       requests_per_period.times do
-        get(*get_args)
-        expect(response).to have_http_status 200
+        make_request(request_args)
+        expect(response).not_to have_http_status 429
       end
 
-      expect_rejection { get(*get_args) }
+      expect_rejection { make_request(request_args) }
 
       Timecop.travel(period.from_now) do
         requests_per_period.times do
-          get(*get_args)
-          expect(response).to have_http_status 200
+          make_request(request_args)
+          expect(response).not_to have_http_status 429
         end
 
-        expect_rejection { get(*get_args) }
+        expect_rejection { make_request(request_args) }
       end
     end
 
     it 'counts requests from different users separately, even from the same IP' do
       requests_per_period.times do
-        get(*get_args)
-        expect(response).to have_http_status 200
+        make_request(request_args)
+        expect(response).not_to have_http_status 429
       end
 
       # would be over the limit if this wasn't a different user
-      get(*other_user_get_args)
-      expect(response).to have_http_status 200
+      make_request(other_user_request_args)
+      expect(response).not_to have_http_status 429
     end
 
     it 'counts all requests from the same user, even via different IPs' do
       requests_per_period.times do
-        get(*get_args)
-        expect(response).to have_http_status 200
+        make_request(request_args)
+        expect(response).not_to have_http_status 429
       end
 
       expect_any_instance_of(Rack::Attack::Request).to receive(:ip).at_least(:once).and_return('1.2.3.4')
 
-      expect_rejection { get(*get_args) }
+      expect_rejection { make_request(request_args) }
     end
 
     it 'logs RackAttack info into structured logs' do
       requests_per_period.times do
-        get(*get_args)
-        expect(response).to have_http_status 200
+        make_request(request_args)
+        expect(response).not_to have_http_status 429
       end
 
       arguments = {
         message: 'Rack_Attack',
         env: :throttle,
         remote_ip: '127.0.0.1',
-        request_method: 'GET',
-        path: get_args.first,
+        request_method: request_method,
+        path: request_args.first,
         user_id: user.id,
         username: user.username,
         throttle_type: throttle_types[throttle_setting_prefix]
@@ -98,7 +99,7 @@ shared_examples_for 'rate-limited token-authenticated requests' do
 
       expect(Gitlab::AuthLogger).to receive(:error).with(arguments).once
 
-      expect_rejection { get(*get_args) }
+      expect_rejection { make_request(request_args) }
     end
   end
 
@@ -110,17 +111,26 @@ shared_examples_for 'rate-limited token-authenticated requests' do
 
     it 'allows requests over the rate limit' do
       (1 + requests_per_period).times do
-        get(*get_args)
-        expect(response).to have_http_status 200
+        make_request(request_args)
+        expect(response).not_to have_http_status 429
       end
     end
   end
+
+  def make_request(args)
+    if request_method == 'POST'
+      post(*args)
+    else
+      get(*args)
+    end
+  end
 end
 
 # Requires let variables:
 # * throttle_setting_prefix: "throttle_authenticated_web" or "throttle_protected_paths"
 # * user
 # * url_that_requires_authentication
+# * request_method
 # * requests_per_period
 # * period_in_seconds
 # * period
@@ -149,68 +159,68 @@ shared_examples_for 'rate-limited web authenticated requests' do
     it 'rejects requests over the rate limit' do
       # At first, allow requests under the rate limit.
       requests_per_period.times do
-        get url_that_requires_authentication
-        expect(response).to have_http_status 200
+        request_authenticated_web_url
+        expect(response).not_to have_http_status 429
       end
 
       # the last straw
-      expect_rejection { get url_that_requires_authentication }
+      expect_rejection { request_authenticated_web_url }
     end
 
     it 'allows requests after throttling and then waiting for the next period' do
       requests_per_period.times do
-        get url_that_requires_authentication
-        expect(response).to have_http_status 200
+        request_authenticated_web_url
+        expect(response).not_to have_http_status 429
       end
 
-      expect_rejection { get url_that_requires_authentication }
+      expect_rejection { request_authenticated_web_url }
 
       Timecop.travel(period.from_now) do
         requests_per_period.times do
-          get url_that_requires_authentication
-          expect(response).to have_http_status 200
+          request_authenticated_web_url
+          expect(response).not_to have_http_status 429
         end
 
-        expect_rejection { get url_that_requires_authentication }
+        expect_rejection { request_authenticated_web_url }
       end
     end
 
     it 'counts requests from different users separately, even from the same IP' do
       requests_per_period.times do
-        get url_that_requires_authentication
-        expect(response).to have_http_status 200
+        request_authenticated_web_url
+        expect(response).not_to have_http_status 429
       end
 
       # would be over the limit if this wasn't a different user
       login_as(create(:user))
 
-      get url_that_requires_authentication
-      expect(response).to have_http_status 200
+      request_authenticated_web_url
+      expect(response).not_to have_http_status 429
     end
 
     it 'counts all requests from the same user, even via different IPs' do
       requests_per_period.times do
-        get url_that_requires_authentication
-        expect(response).to have_http_status 200
+        request_authenticated_web_url
+        expect(response).not_to have_http_status 429
       end
 
       expect_any_instance_of(Rack::Attack::Request).to receive(:ip).at_least(:once).and_return('1.2.3.4')
 
-      expect_rejection { get url_that_requires_authentication }
+      expect_rejection { request_authenticated_web_url }
     end
 
     it 'logs RackAttack info into structured logs' do
       requests_per_period.times do
-        get url_that_requires_authentication
-        expect(response).to have_http_status 200
+        request_authenticated_web_url
+        expect(response).not_to have_http_status 429
       end
 
       arguments = {
         message: 'Rack_Attack',
         env: :throttle,
         remote_ip: '127.0.0.1',
-        request_method: 'GET',
-        path: '/dashboard/snippets',
+        request_method: request_method,
+        path: url_that_requires_authentication,
         user_id: user.id,
         username: user.username,
         throttle_type: throttle_types[throttle_setting_prefix]
@@ -218,7 +228,7 @@ shared_examples_for 'rate-limited web authenticated requests' do
 
       expect(Gitlab::AuthLogger).to receive(:error).with(arguments).once
 
-      get url_that_requires_authentication
+      request_authenticated_web_url
     end
   end
 
@@ -230,9 +240,17 @@ shared_examples_for 'rate-limited web authenticated requests' do
 
     it 'allows requests over the rate limit' do
       (1 + requests_per_period).times do
-        get url_that_requires_authentication
-        expect(response).to have_http_status 200
+        request_authenticated_web_url
+        expect(response).not_to have_http_status 429
       end
     end
   end
+
+  def request_authenticated_web_url
+    if request_method == 'POST'
+      post url_that_requires_authentication
+    else
+      get url_that_requires_authentication
+    end
+  end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2019-11-09 03:06:40 +0000
committer	GitLab Bot <gitlab-bot@gitlab.com>	2019-11-09 03:06:40 +0000
commit	d5f38aabd6b3bf03ed5506eb269062750bc60399 (patch)
tree	5f7945e6fce3b9e48cc9b41d5c7f1e8d983838eb /spec/support/shared_examples/requests
parent	ab0f1c7a99c03725b3b5a1b7fee9aba879129e83 (diff)
download	gitlab-ce-d5f38aabd6b3bf03ed5506eb269062750bc60399.tar.gz