BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
143369e4
Commit
143369e4
authored
Oct 11, 2017
by
Michael Kozono
Committed by
Francisco Lopez
Nov 17, 2017
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add Rack::Attack throttle specs
parent
dc9266fb
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
286 additions
and
0 deletions
+286
-0
rack_attack_spec.rb
spec/requests/rack_attack_spec.rb
+286
-0
No files found.
spec/requests/rack_attack_spec.rb
0 → 100644
View file @
143369e4
require
'spec_helper'
describe
Rack
::
Attack
do
let
(
:settings
)
{
Gitlab
::
CurrentSettings
.
current_application_settings
}
before
do
# Ensure throttles are defined, because this is normally skipped for tests
described_class
.
define_throttles
# Instead of test environment's :null_store
Rack
::
Attack
.
cache
.
store
=
ActiveSupport
::
Cache
::
MemoryStore
.
new
# Start with really high limits to ensure the right settings are being exercised.
# Also note, settings will be saved later.
settings
.
throttle_unauthenticated_requests_per_period
=
100
settings
.
throttle_unauthenticated_period_in_seconds
=
1
settings
.
throttle_authenticated_api_requests_per_period
=
100
settings
.
throttle_authenticated_api_period_in_seconds
=
1
settings
.
throttle_authenticated_web_requests_per_period
=
100
settings
.
throttle_authenticated_web_period_in_seconds
=
1
end
# Make time-dependent tests deterministic
around
do
|
example
|
Timecop
.
freeze
{
example
.
run
}
end
describe
'unauthenticated requests'
do
let
(
:requests_per_period
)
{
settings
.
throttle_unauthenticated_requests_per_period
}
let
(
:period
)
{
settings
.
throttle_unauthenticated_period_in_seconds
.
seconds
}
before
do
# Set low limits
settings
.
throttle_unauthenticated_requests_per_period
=
1
settings
.
throttle_unauthenticated_period_in_seconds
=
10
end
context
'when the throttle is enabled'
do
before
do
settings
.
throttle_unauthenticated_enabled
=
true
settings
.
save!
end
it
'rejects requests over the rate limit'
do
# At first, allow requests under the rate limit.
requests_per_period
.
times
do
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
200
end
# the last straw
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
429
end
it
'allows requests after throttling and then waiting for the next period'
do
requests_per_period
.
times
do
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
200
end
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
429
Timecop
.
travel
(
period
.
from_now
)
do
requests_per_period
.
times
do
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
200
end
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
429
end
end
it
'counts requests from different IPs separately'
do
requests_per_period
.
times
do
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
200
end
expect_any_instance_of
(
Rack
::
Attack
::
Request
).
to
receive
(
:ip
).
and_return
(
'1.2.3.4'
)
# would be over limit for the same IP
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
200
end
end
context
'when the throttle is disabled'
do
before
do
settings
.
throttle_unauthenticated_enabled
=
false
settings
.
save!
end
it
'allows requests over the rate limit'
do
(
1
+
requests_per_period
).
times
do
get
'/users/sign_in'
expect
(
response
).
to
have_http_status
200
end
end
end
end
describe
'authenticated API requests'
,
:api
do
let
(
:requests_per_period
)
{
settings
.
throttle_authenticated_api_requests_per_period
}
let
(
:period
)
{
settings
.
throttle_authenticated_api_period_in_seconds
.
seconds
}
let
(
:user
)
{
create
(
:user
)
}
before
do
# Set low limits
settings
.
throttle_authenticated_api_requests_per_period
=
1
settings
.
throttle_authenticated_api_period_in_seconds
=
10
end
context
'when the throttle is enabled'
do
before
do
settings
.
throttle_authenticated_api_enabled
=
true
settings
.
save!
end
it
'rejects requests over the rate limit'
do
# At first, allow requests under the rate limit.
requests_per_period
.
times
do
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
200
end
# the last straw
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
429
end
it
'allows requests after throttling and then waiting for the next period'
do
requests_per_period
.
times
do
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
200
end
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
429
Timecop
.
travel
(
period
.
from_now
)
do
requests_per_period
.
times
do
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
200
end
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
429
end
end
it
'counts requests from different users separately, even from the same IP'
do
other_user
=
create
(
:user
)
requests_per_period
.
times
do
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
200
end
# would be over the limit if this wasn't a different user
get
api
(
'/todos'
,
other_user
)
expect
(
response
).
to
have_http_status
200
end
it
'counts all requests from the same user, even via different IPs'
do
requests_per_period
.
times
do
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
200
end
expect_any_instance_of
(
Rack
::
Attack
::
Request
).
to
receive
(
:ip
).
and_return
(
'1.2.3.4'
)
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
429
end
end
context
'when the throttle is disabled'
do
before
do
settings
.
throttle_authenticated_api_enabled
=
false
settings
.
save!
end
it
'allows requests over the rate limit'
do
(
1
+
requests_per_period
).
times
do
get
api
(
'/todos'
,
user
)
expect
(
response
).
to
have_http_status
200
end
end
end
end
describe
'authenticated web requests'
do
let
(
:requests_per_period
)
{
settings
.
throttle_authenticated_web_requests_per_period
}
let
(
:period
)
{
settings
.
throttle_authenticated_web_period_in_seconds
.
seconds
}
let
(
:user
)
{
create
(
:user
)
}
before
do
login_as
(
user
)
# Set low limits
settings
.
throttle_authenticated_web_requests_per_period
=
1
settings
.
throttle_authenticated_web_period_in_seconds
=
10
end
context
'when the throttle is enabled'
do
before
do
settings
.
throttle_authenticated_web_enabled
=
true
settings
.
save!
end
it
'rejects requests over the rate limit'
do
# At first, allow requests under the rate limit.
requests_per_period
.
times
do
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
200
end
# the last straw
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
429
end
it
'allows requests after throttling and then waiting for the next period'
do
requests_per_period
.
times
do
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
200
end
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
429
Timecop
.
travel
(
period
.
from_now
)
do
requests_per_period
.
times
do
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
200
end
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
429
end
end
it
'counts requests from different users separately, even from the same IP'
do
requests_per_period
.
times
do
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
200
end
# would be over the limit if this wasn't a different user
login_as
(
create
(
:user
))
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
200
end
it
'counts all requests from the same user, even via different IPs'
do
requests_per_period
.
times
do
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
200
end
expect_any_instance_of
(
Rack
::
Attack
::
Request
).
to
receive
(
:ip
).
and_return
(
'1.2.3.4'
)
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
429
end
end
context
'when the throttle is disabled'
do
before
do
settings
.
throttle_authenticated_web_enabled
=
false
settings
.
save!
end
it
'allows requests over the rate limit'
do
(
1
+
requests_per_period
).
times
do
get
'/dashboard/snippets'
expect
(
response
).
to
have_http_status
200
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment