spec/lib/gitlab/web_hooks/recursion_detection_spec.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221

# frozen_string_literal: true

require 'spec_helper'

RSpec.describe Gitlab::WebHooks::RecursionDetection, :clean_gitlab_redis_shared_state, :request_store do
  let_it_be(:web_hook) { create(:project_hook) }

  let!(:uuid_class) { described_class::UUID }

  describe '.set_from_headers' do
    let(:old_uuid) { SecureRandom.uuid }
    let(:rack_headers) { Rack::MockRequest.env_for("/").merge(headers) }

    subject(:set_from_headers) { described_class.set_from_headers(rack_headers) }

    # Note, having a previous `request_uuid` value set before `.set_from_headers` is
    # called is contrived and should not normally happen. However, testing with this scenario
    # allows us to assert the ideal outcome if it ever were to happen.
    before do
      uuid_class.instance.request_uuid = old_uuid
    end

    context 'when the detection header is present' do
      let(:new_uuid) { SecureRandom.uuid }

      let(:headers) do
        { uuid_class::HEADER => new_uuid }
      end

      it 'sets the request UUID value from the headers' do
        set_from_headers

        expect(uuid_class.instance.request_uuid).to eq(new_uuid)
      end
    end

    context 'when detection header is not present' do
      let(:headers) { {} }

      it 'does not set the request UUID' do
        set_from_headers

        expect(uuid_class.instance.request_uuid).to eq(old_uuid)
      end
    end
  end

  describe '.set_request_uuid' do
    it 'sets the request UUID value' do
      new_uuid = SecureRandom.uuid

      described_class.set_request_uuid(new_uuid)

      expect(uuid_class.instance.request_uuid).to eq(new_uuid)
    end
  end

  describe '.register!' do
    let_it_be(:second_web_hook) { create(:project_hook) }
    let_it_be(:third_web_hook) { create(:project_hook) }

    def cache_key(hook)
      described_class.send(:cache_key_for_hook, hook)
    end

    it 'stores IDs in the same cache when a request UUID is set, until the request UUID changes', :aggregate_failures do
      # Register web_hook and second_web_hook against the same request UUID.
      uuid_class.instance.request_uuid = SecureRandom.uuid
      described_class.register!(web_hook)
      described_class.register!(second_web_hook)
      first_cache_key = cache_key(web_hook)
      second_cache_key = cache_key(second_web_hook)

      # Register third_web_hook against a new request UUID.
      uuid_class.instance.request_uuid = SecureRandom.uuid
      described_class.register!(third_web_hook)
      third_cache_key = cache_key(third_web_hook)

      expect(first_cache_key).to eq(second_cache_key)
      expect(second_cache_key).not_to eq(third_cache_key)

      ::Gitlab::Redis::SharedState.with do |redis|
        members = redis.smembers(first_cache_key).map(&:to_i)
        expect(members).to contain_exactly(web_hook.id, second_web_hook.id)

        members = redis.smembers(third_cache_key).map(&:to_i)
        expect(members).to contain_exactly(third_web_hook.id)
      end
    end

    it 'stores IDs in unique caches when no request UUID is present', :aggregate_failures do
      described_class.register!(web_hook)
      described_class.register!(second_web_hook)
      described_class.register!(third_web_hook)

      first_cache_key = cache_key(web_hook)
      second_cache_key = cache_key(second_web_hook)
      third_cache_key = cache_key(third_web_hook)

      expect([first_cache_key, second_cache_key, third_cache_key].compact.length).to eq(3)

      ::Gitlab::Redis::SharedState.with do |redis|
        members = redis.smembers(first_cache_key).map(&:to_i)
        expect(members).to contain_exactly(web_hook.id)

        members = redis.smembers(second_cache_key).map(&:to_i)
        expect(members).to contain_exactly(second_web_hook.id)

        members = redis.smembers(third_cache_key).map(&:to_i)
        expect(members).to contain_exactly(third_web_hook.id)
      end
    end

    it 'touches the storage ttl each time it is called', :aggregate_failures do
      freeze_time do
        described_class.register!(web_hook)

        ::Gitlab::Redis::SharedState.with do |redis|
          expect(redis.ttl(cache_key(web_hook))).to eq(described_class::TOUCH_CACHE_TTL.to_i)
        end
      end

      travel_to(1.minute.from_now) do
        described_class.register!(second_web_hook)

        ::Gitlab::Redis::SharedState.with do |redis|
          expect(redis.ttl(cache_key(web_hook))).to eq(described_class::TOUCH_CACHE_TTL.to_i)
        end
      end
    end
  end

  describe 'block?' do
    let_it_be(:registered_web_hooks) { create_list(:project_hook, 2) }

    subject(:block?) { described_class.block?(web_hook) }

    before do
      # Register some previous webhooks.
      uuid_class.instance.request_uuid = SecureRandom.uuid

      registered_web_hooks.each do |web_hook|
        described_class.register!(web_hook)
      end
    end

    it 'returns false if webhook should not be blocked' do
      is_expected.to eq(false)
    end

    context 'when the webhook has previously fired' do
      before do
        described_class.register!(web_hook)
      end

      it 'returns true' do
        is_expected.to eq(true)
      end

      context 'when the request UUID changes again' do
        before do
          uuid_class.instance.request_uuid = SecureRandom.uuid
        end

        it 'returns false' do
          is_expected.to eq(false)
        end
      end
    end

    context 'when the count limit has been reached' do
      let_it_be(:registered_web_hooks) { create_list(:project_hook, 2) }

      before do
        registered_web_hooks.each do |web_hook|
          described_class.register!(web_hook)
        end

        stub_const("#{described_class.name}::COUNT_LIMIT", registered_web_hooks.size)
      end

      it 'returns true' do
        is_expected.to eq(true)
      end

      context 'when the request UUID changes again' do
        before do
          uuid_class.instance.request_uuid = SecureRandom.uuid
        end

        it 'returns false' do
          is_expected.to eq(false)
        end
      end
    end
  end

  describe '.header' do
    subject(:header) { described_class.header(web_hook) }

    it 'returns a header with the UUID value' do
      uuid = SecureRandom.uuid
      allow(uuid_class.instance).to receive(:uuid_for_hook).and_return(uuid)

      is_expected.to eq({ uuid_class::HEADER => uuid })
    end
  end

  describe '.to_log' do
    subject(:to_log) { described_class.to_log(web_hook) }

    it 'returns the UUID value and all registered webhook IDs in a Hash' do
      uuid = SecureRandom.uuid
      allow(uuid_class.instance).to receive(:uuid_for_hook).and_return(uuid)
      registered_web_hooks = create_list(:project_hook, 2)
      registered_web_hooks.each { described_class.register!(_1) }

      is_expected.to eq({ uuid: uuid, ids: registered_web_hooks.map(&:id) })
    end
  end
end