From d51365efe7378eed087d9d925dec1624cb933ae6 Mon Sep 17 00:00:00 2001
From: Marius Bobin
Date: Fri, 23 Aug 2019 08:05:48 +0000
Subject: Exempt `jwt/auth` for user `gitlab-ci-token` from rate limiting

---
 ...-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml | 5 +++++
 lib/gitlab/auth.rb | 6 +++++-
 spec/lib/gitlab/auth_spec.rb | 4 ++--
 3 files changed, 12 insertions(+), 3 deletions(-)
 create mode 100644 changelogs/unreleased/49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml

diff --git a/changelogs/unreleased/49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml b/changelogs/unreleased/49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml
new file mode 100644
index 00000000000..3ce96e64736
--- /dev/null
+++ b/changelogs/unreleased/49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml
@@ -0,0 +1,5 @@
+---
+title: Exempt user gitlab-ci-token from rate limiting
+merge_request: 31909
+author:
+type: fixed
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 82e0c7ceeaa..e17a096ef19 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -46,7 +46,7 @@ module Gitlab
 user_with_password_for_git(login, password) ||
 Gitlab::Auth::Result.new

- rate_limit!(ip, success: result.success?, login: login)
+ rate_limit!(ip, success: result.success?, login: login) unless skip_rate_limit?(login: login)
 Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)

 return result if result.success? || authenticate_using_internal_or_ldap_password?
@@ -119,6 +119,10 @@ module Gitlab

 private

+ def skip_rate_limit?(login:)
+ ::Ci::Build::CI_REGISTRY_USER == login
+ end
+
 def authenticate_using_internal_or_ldap_password?
 Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::LDAP::Config.enabled?
 end
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index edff38f05ec..098c33f9cb1 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
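Review bot: The skip on the new `rate_limit!` line is decided by the caller-supplied `login` alone, before anything about the result is known, so a client can exempt its failed attempts from the rate limiter simply by sending the login `gitlab-ci-token` with any password — and the spec change in this commit pins exactly that for the `success: false` case. The `user_with_password_for_git(login, password)` context line shows the same login is also tried against the other authenticators in the chain, so unless `gitlab-ci-token` can never match a real account or token, this widens the unthrottled surface beyond job tokens. If the intent is only to keep runners with invalid or expired job tokens from tripping IP bans, consider skipping only when the result came from the job-token check rather than whenever the login string matches, or at least record the skipped failures somewhere observable so abuse of this login remains visible. The enclosing method begins outside the hunk.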
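Review bot: `skip_rate_limit?` carries no comment explaining why this one login is exempt, which matters because it is a deliberate hole in the rate limiter that a future reader might otherwise "fix" or widen. A short header comment such as `# CI jobs authenticate as CI_REGISTRY_USER with a per-job token; their failed attempts are intentionally not fed to rate_limit! (see MR 31909).` would record the rationale next to the code. As a point of style, the Yoda form `::Ci::Build::CI_REGISTRY_USER == login` reads less naturally than `login == ::Ci::Build::CI_REGISTRY_USER`, which is the same exact, case-sensitive comparison (a `nil` login still yields false).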
@@ -86,7 +86,7 @@ describe Gitlab::Auth do
 let(:project) { build.project }

 before do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')
+ expect(gl_auth).not_to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')
 end

 it 'recognises user-less build' do
@@ -106,7 +106,7 @@ describe Gitlab::Auth do
 let(:project) { build.project }

 before do
- expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')
+ expect(gl_auth).not_to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')
 end

 it 'denies authentication' do
-- 
cgit v1.2.1
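Review bot: This hunk now pins that a failed authentication for `gitlab-ci-token` is not rate limited at all, but nothing in the changed specs checks that the exemption does not leak to other logins (a wrong password for an ordinary username, or a near miss such as `'GITLAB-CI-TOKEN'`), so a future widening of `skip_rate_limit?` would go unnoticed unless such a case already exists elsewhere in this file. Consider adding one example under the failure context along the lines of `expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'some-user')` for a non-CI login. Also, as I read rspec-mocks, `not_to receive(:rate_limit!).with(...)` only forbids a call with exactly those arguments; a bare `expect(gl_auth).not_to receive(:rate_limit!)` states the intended guarantee — no rate-limit call at all for this login — more directly.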