debian-mirror-gitlab/lib/gitlab/rack_attack/request.rb

# frozen_string_literal: true

module Gitlab
  module RackAttack
    module Request
      FILES_PATH_REGEX = %r{^/api/v\d+/projects/[^/]+/repository/files/.+}.freeze
      GROUP_PATH_REGEX = %r{^/api/v\d+/groups/[^/]+/?$}.freeze

      def unauthenticated?
        !(authenticated_user_id([:api, :rss, :ics]) || authenticated_runner_id)
      end

      def throttled_user_id(request_formats)
        user_id = authenticated_user_id(request_formats)

        if Gitlab::RackAttack.user_allowlist.include?(user_id)
          Gitlab::Instrumentation::Throttle.safelist = 'throttle_user_allowlist'
          return
        end

        user_id
      end

      def authenticated_runner_id
        request_authenticator.runner&.id
      end

      def api_request?
        path.start_with?('/api')
      end

      def api_internal_request?
        path =~ %r{^/api/v\d+/internal/}
      end

      def health_check_request?
        path =~ %r{^/-/(health|liveness|readiness|metrics)}
      end

      def container_registry_event?
        path =~ %r{^/api/v\d+/container_registry_event/}
      end

      def product_analytics_collector_request?
        path.start_with?('/-/collector/i')
      end

      def should_be_skipped?
        api_internal_request? || health_check_request? || container_registry_event?
      end

      def web_request?
        !api_request? && !health_check_request?
      end

      def protected_path?
        !protected_path_regex.nil?
      end

      def protected_path_regex
        path =~ protected_paths_regex
      end

      def throttle?(throttle, authenticated:)
        fragment = Gitlab::Throttle.throttle_fragment!(throttle, authenticated: authenticated)

        __send__("#{fragment}?") # rubocop:disable GitlabSecurity/PublicSend
      end

      def throttle_unauthenticated_api?
        api_request? &&
        !should_be_skipped? &&
        !throttle_unauthenticated_packages_api? &&
        !throttle_unauthenticated_files_api? &&
        !throttle_unauthenticated_deprecated_api? &&
        Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled &&
        unauthenticated?
      end

      def throttle_unauthenticated_web?
        web_request? &&
        !should_be_skipped? &&
        # TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031
        Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
        unauthenticated?
      end

      def throttle_authenticated_api?
        api_request? &&
        !throttle_authenticated_packages_api? &&
        !throttle_authenticated_files_api? &&
        !throttle_authenticated_deprecated_api? &&
        Gitlab::Throttle.settings.throttle_authenticated_api_enabled
      end

      def throttle_authenticated_web?
        web_request? &&
        !throttle_authenticated_git_lfs? &&
        Gitlab::Throttle.settings.throttle_authenticated_web_enabled
      end

      def throttle_unauthenticated_protected_paths?
        post? &&
        !should_be_skipped? &&
        protected_path? &&
        Gitlab::Throttle.protected_paths_enabled? &&
        unauthenticated?
      end

      def throttle_authenticated_protected_paths_api?
        post? &&
        api_request? &&
        protected_path? &&
        Gitlab::Throttle.protected_paths_enabled?
      end

      def throttle_authenticated_protected_paths_web?
        post? &&
        web_request? &&
        protected_path? &&
        Gitlab::Throttle.protected_paths_enabled?
      end

      def throttle_unauthenticated_packages_api?
        packages_api_path? &&
        Gitlab::Throttle.settings.throttle_unauthenticated_packages_api_enabled &&
        unauthenticated?
      end

      def throttle_authenticated_packages_api?
        packages_api_path? &&
        Gitlab::Throttle.settings.throttle_authenticated_packages_api_enabled
      end

      def throttle_authenticated_git_lfs?
        git_lfs_path? &&
        Gitlab::Throttle.settings.throttle_authenticated_git_lfs_enabled
      end

      def throttle_unauthenticated_files_api?
        files_api_path? &&
        Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled &&
        unauthenticated?
      end

      def throttle_authenticated_files_api?
        files_api_path? &&
        Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
      end

      def throttle_unauthenticated_deprecated_api?
        deprecated_api_request? &&
        Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled &&
        unauthenticated?
      end

      def throttle_authenticated_deprecated_api?
        deprecated_api_request? &&
        Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled
      end

      private

      def authenticated_user_id(request_formats)
        request_authenticator.user(request_formats)&.id
      end

      def request_authenticator
        @request_authenticator ||= Gitlab::Auth::RequestAuthenticator.new(self)
      end

      def protected_paths
        Gitlab::CurrentSettings.current_application_settings.protected_paths
      end

      def protected_paths_regex
        Regexp.union(protected_paths.map { |path| /\A#{Regexp.escape(path)}/ })
      end

      def packages_api_path?
        path =~ ::Gitlab::Regex::Packages::API_PATH_REGEX
      end

      def git_lfs_path?
        path =~ Gitlab::PathRegex.repository_git_lfs_route_regex
      end

      def files_api_path?
        path =~ FILES_PATH_REGEX
      end

      def deprecated_api_request?
        # The projects member of the groups endpoint is deprecated. If left
        # unspecified, with_projects defaults to true
        with_projects = params['with_projects']
        with_projects = true if with_projects.blank?

        path =~ GROUP_PATH_REGEX && Gitlab::Utils.to_boolean(with_projects)
      end
    end
  end
end
::Gitlab::RackAttack::Request.prepend_mod_with('Gitlab::RackAttack::Request')
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`# frozen_string_literal: true`

			`module Gitlab`
			`module RackAttack`
			`module Request`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`FILES_PATH_REGEX = %r{^/api/v\d+/projects/[^/]+/repository/files/.+}.freeze`
New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`GROUP_PATH_REGEX = %r{^/api/v\d+/groups/[^/]+/?$}.freeze`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`def unauthenticated?`
			`!(authenticated_user_id([:api, :rss, :ics]) \|\| authenticated_runner_id)`
			`end`

			`def throttled_user_id(request_formats)`
			`user_id = authenticated_user_id(request_formats)`

			`if Gitlab::RackAttack.user_allowlist.include?(user_id)`
			`Gitlab::Instrumentation::Throttle.safelist = 'throttle_user_allowlist'`
			`return`
			`end`

			`user_id`
			`end`

			`def authenticated_runner_id`
			`request_authenticator.runner&.id`
			`end`

			`def api_request?`
			`path.start_with?('/api')`
			`end`

			`def api_internal_request?`
			`path =~ %r{^/api/v\d+/internal/}`
			`end`

			`def health_check_request?`
			`path =~ %r{^/-/(health\|liveness\|readiness\|metrics)}`
			`end`

New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`def container_registry_event?`
			`path =~ %r{^/api/v\d+/container_registry_event/}`
			`end`

New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`def product_analytics_collector_request?`
			`path.start_with?('/-/collector/i')`
			`end`

			`def should_be_skipped?`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`api_internal_request? \|\| health_check_request? \|\| container_registry_event?`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`end`

			`def web_request?`
			`!api_request? && !health_check_request?`
			`end`

			`def protected_path?`
			`!protected_path_regex.nil?`
			`end`

			`def protected_path_regex`
			`path =~ protected_paths_regex`
			`end`

New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`def throttle?(throttle, authenticated:)`
			`fragment = Gitlab::Throttle.throttle_fragment!(throttle, authenticated: authenticated)`

			`__send__("#{fragment}?") # rubocop:disable GitlabSecurity/PublicSend`
			`end`

			`def throttle_unauthenticated_api?`
			`api_request? &&`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`!should_be_skipped? &&`
			`!throttle_unauthenticated_packages_api? &&`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`!throttle_unauthenticated_files_api? &&`
New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`!throttle_unauthenticated_deprecated_api? &&`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled &&`
			`unauthenticated?`
			`end`

			`def throttle_unauthenticated_web?`
			`web_request? &&`
			`!should_be_skipped? &&`
			`# TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&`
			`unauthenticated?`
			`end`

			`def throttle_authenticated_api?`
			`api_request? &&`
			`!throttle_authenticated_packages_api? &&`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`!throttle_authenticated_files_api? &&`
New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`!throttle_authenticated_deprecated_api? &&`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`Gitlab::Throttle.settings.throttle_authenticated_api_enabled`
			`end`

			`def throttle_authenticated_web?`
			`web_request? &&`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`!throttle_authenticated_git_lfs? &&`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`Gitlab::Throttle.settings.throttle_authenticated_web_enabled`
			`end`

			`def throttle_unauthenticated_protected_paths?`
			`post? &&`
			`!should_be_skipped? &&`
			`protected_path? &&`
			`Gitlab::Throttle.protected_paths_enabled? &&`
			`unauthenticated?`
			`end`

			`def throttle_authenticated_protected_paths_api?`
			`post? &&`
			`api_request? &&`
			`protected_path? &&`
			`Gitlab::Throttle.protected_paths_enabled?`
			`end`

			`def throttle_authenticated_protected_paths_web?`
			`post? &&`
			`web_request? &&`
			`protected_path? &&`
			`Gitlab::Throttle.protected_paths_enabled?`
			`end`

			`def throttle_unauthenticated_packages_api?`
			`packages_api_path? &&`
			`Gitlab::Throttle.settings.throttle_unauthenticated_packages_api_enabled &&`
			`unauthenticated?`
			`end`

			`def throttle_authenticated_packages_api?`
			`packages_api_path? &&`
			`Gitlab::Throttle.settings.throttle_authenticated_packages_api_enabled`
			`end`

New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30			`def throttle_authenticated_git_lfs?`
			`git_lfs_path? &&`
			`Gitlab::Throttle.settings.throttle_authenticated_git_lfs_enabled`
			`end`

			`def throttle_unauthenticated_files_api?`
			`files_api_path? &&`
			`Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled &&`
			`unauthenticated?`
			`end`

			`def throttle_authenticated_files_api?`
			`files_api_path? &&`
			`Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled`
			`end`

New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`def throttle_unauthenticated_deprecated_api?`
			`deprecated_api_request? &&`
			`Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled &&`
			`unauthenticated?`
			`end`

			`def throttle_authenticated_deprecated_api?`
			`deprecated_api_request? &&`
			`Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled`
			`end`

New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`private`

			`def authenticated_user_id(request_formats)`
			`request_authenticator.user(request_formats)&.id`
			`end`

			`def request_authenticator`
			`@request_authenticator \|\|= Gitlab::Auth::RequestAuthenticator.new(self)`
			`end`

			`def protected_paths`
			`Gitlab::CurrentSettings.current_application_settings.protected_paths`
			`end`

			`def protected_paths_regex`
			`Regexp.union(protected_paths.map { \|path\| /\A#{Regexp.escape(path)}/ })`
			`end`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30
			`def packages_api_path?`
			`path =~ ::Gitlab::Regex::Packages::API_PATH_REGEX`
			`end`
New upstream version 14.3.4+ds1 2021-11-11 11:23:49 +05:30
			`def git_lfs_path?`
			`path =~ Gitlab::PathRegex.repository_git_lfs_route_regex`
			`end`

			`def files_api_path?`
			`path =~ FILES_PATH_REGEX`
			`end`
New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30
			`def deprecated_api_request?`
			`# The projects member of the groups endpoint is deprecated. If left`
			`# unspecified, with_projects defaults to true`
			`with_projects = params['with_projects']`
			`with_projects = true if with_projects.blank?`

			`path =~ GROUP_PATH_REGEX && Gitlab::Utils.to_boolean(with_projects)`
			`end`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`end`
			`end`
			`end`
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`::Gitlab::RackAttack::Request.prepend_mod_with('Gitlab::RackAttack::Request')`