2021-03-11 19:13:27 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require 'spec_helper'
|
|
|
|
|
|
|
|
RSpec.describe Gitlab::Metrics::Subscribers::RackAttack, :request_store do
|
|
|
|
let(:subscriber) { described_class.new }
|
|
|
|
|
|
|
|
describe '.payload' do
|
|
|
|
context 'when the request store is empty' do
|
|
|
|
it 'returns empty data' do
|
|
|
|
expect(described_class.payload).to eql(
|
|
|
|
rack_attack_redis_count: 0,
|
|
|
|
rack_attack_redis_duration_s: 0.0
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
context 'when the request store already has data' do
|
|
|
|
before do
|
|
|
|
Gitlab::SafeRequestStore[:rack_attack_instrumentation] = {
|
|
|
|
rack_attack_redis_count: 10,
|
|
|
|
rack_attack_redis_duration_s: 9.0
|
|
|
|
}
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'returns the accumulated data' do
|
|
|
|
expect(described_class.payload).to eql(
|
|
|
|
rack_attack_redis_count: 10,
|
|
|
|
rack_attack_redis_duration_s: 9.0
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#redis' do
|
|
|
|
it 'accumulates per-request RackAttack cache usage' do
|
|
|
|
freeze_time do
|
|
|
|
subscriber.redis(
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
'redis.rack_attack', Time.current, Time.current + 1.second, '1', { operation: 'fetch' }
|
|
|
|
)
|
|
|
|
)
|
|
|
|
subscriber.redis(
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
'redis.rack_attack', Time.current, Time.current + 2.seconds, '1', { operation: 'write' }
|
|
|
|
)
|
|
|
|
)
|
|
|
|
subscriber.redis(
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
'redis.rack_attack', Time.current, Time.current + 3.seconds, '1', { operation: 'read' }
|
|
|
|
)
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
expect(Gitlab::SafeRequestStore[:rack_attack_instrumentation]).to eql(
|
|
|
|
rack_attack_redis_count: 3,
|
|
|
|
rack_attack_redis_duration_s: 6.0
|
|
|
|
)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
shared_examples 'log into auth logger' do
|
|
|
|
context 'when matched throttle does not require user information' do
|
|
|
|
let(:event) do
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
|
|
|
|
:request,
|
|
|
|
ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
fullpath: '/api/v4/internal/authorized_keys',
|
|
|
|
env: {
|
|
|
|
'rack.attack.match_type' => match_type,
|
|
|
|
'rack.attack.matched' => 'throttle_unauthenticated'
|
|
|
|
}
|
|
|
|
)
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'logs request information' do
|
2022-07-16 23:28:13 +05:30
|
|
|
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
|
|
|
|
expect(arguments).to include(
|
2021-03-11 19:13:27 +05:30
|
|
|
message: 'Rack_Attack',
|
|
|
|
env: match_type,
|
|
|
|
remote_ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
path: '/api/v4/internal/authorized_keys',
|
|
|
|
matched: 'throttle_unauthenticated'
|
|
|
|
)
|
2022-07-16 23:28:13 +05:30
|
|
|
|
|
|
|
if expected_status
|
|
|
|
expect(arguments).to include(status: expected_status)
|
|
|
|
else
|
|
|
|
expect(arguments).not_to have_key(:status)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2021-03-11 19:13:27 +05:30
|
|
|
subscriber.send(match_type, event)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
context 'matching user or deploy token authenticated information' do
|
|
|
|
context 'when matching for user' do
|
|
|
|
context 'when user not found' do
|
|
|
|
let(:event) do
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
|
|
|
|
:request,
|
|
|
|
ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
fullpath: '/api/v4/internal/authorized_keys',
|
|
|
|
env: {
|
|
|
|
'rack.attack.match_type' => match_type,
|
|
|
|
'rack.attack.matched' => 'throttle_authenticated_api',
|
|
|
|
'rack.attack.match_discriminator' => "user:#{non_existing_record_id}"
|
|
|
|
}
|
|
|
|
)
|
2021-03-11 19:13:27 +05:30
|
|
|
)
|
2022-05-03 16:02:30 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'logs request information and user id' do
|
2022-07-16 23:28:13 +05:30
|
|
|
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
|
|
|
|
expect(arguments).to include(
|
2022-05-03 16:02:30 +05:30
|
|
|
message: 'Rack_Attack',
|
|
|
|
env: match_type,
|
|
|
|
remote_ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
path: '/api/v4/internal/authorized_keys',
|
|
|
|
matched: 'throttle_authenticated_api',
|
|
|
|
user_id: non_existing_record_id
|
|
|
|
)
|
2022-07-16 23:28:13 +05:30
|
|
|
|
|
|
|
if expected_status
|
|
|
|
expect(arguments).to include(status: expected_status)
|
|
|
|
else
|
|
|
|
expect(arguments).not_to have_key(:status)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
subscriber.send(match_type, event)
|
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
end
|
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
context 'when user found' do
|
|
|
|
let(:user) { create(:user) }
|
|
|
|
let(:event) do
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
|
|
|
|
:request,
|
|
|
|
ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
fullpath: '/api/v4/internal/authorized_keys',
|
|
|
|
env: {
|
|
|
|
'rack.attack.match_type' => match_type,
|
|
|
|
'rack.attack.matched' => 'throttle_authenticated_api',
|
|
|
|
'rack.attack.match_discriminator' => "user:#{user.id}"
|
|
|
|
}
|
|
|
|
)
|
2021-03-11 19:13:27 +05:30
|
|
|
)
|
2022-05-03 16:02:30 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
it 'logs request information and user meta' do
|
2022-07-16 23:28:13 +05:30
|
|
|
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
|
|
|
|
expect(arguments).to include(
|
2022-05-03 16:02:30 +05:30
|
|
|
message: 'Rack_Attack',
|
|
|
|
env: match_type,
|
|
|
|
remote_ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
path: '/api/v4/internal/authorized_keys',
|
|
|
|
matched: 'throttle_authenticated_api',
|
|
|
|
user_id: user.id,
|
|
|
|
'meta.user' => user.username
|
|
|
|
)
|
2022-07-16 23:28:13 +05:30
|
|
|
|
|
|
|
if expected_status
|
|
|
|
expect(arguments).to include(status: expected_status)
|
|
|
|
else
|
|
|
|
expect(arguments).not_to have_key(:status)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
subscriber.send(match_type, event)
|
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
context 'when matching for deploy token' do
|
|
|
|
context 'when deploy token found' do
|
|
|
|
let(:deploy_token) { create(:deploy_token) }
|
|
|
|
let(:event) do
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
|
|
|
|
:request,
|
|
|
|
ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
fullpath: '/api/v4/internal/authorized_keys',
|
|
|
|
env: {
|
|
|
|
'rack.attack.match_type' => match_type,
|
|
|
|
'rack.attack.matched' => 'throttle_authenticated_api',
|
|
|
|
'rack.attack.match_discriminator' => "deploy_token:#{deploy_token.id}"
|
|
|
|
}
|
|
|
|
)
|
2021-03-11 19:13:27 +05:30
|
|
|
)
|
2022-05-03 16:02:30 +05:30
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
it 'logs request information and user meta' do
|
2022-07-16 23:28:13 +05:30
|
|
|
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
|
|
|
|
expect(arguments).to include(
|
2022-05-03 16:02:30 +05:30
|
|
|
message: 'Rack_Attack',
|
|
|
|
env: match_type,
|
|
|
|
remote_ip: '1.2.3.4',
|
|
|
|
request_method: 'GET',
|
|
|
|
path: '/api/v4/internal/authorized_keys',
|
|
|
|
matched: 'throttle_authenticated_api',
|
|
|
|
deploy_token_id: deploy_token.id
|
|
|
|
)
|
2022-07-16 23:28:13 +05:30
|
|
|
|
|
|
|
if expected_status
|
|
|
|
expect(arguments).to include(status: expected_status)
|
|
|
|
else
|
|
|
|
expect(arguments).not_to have_key(:status)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2022-05-03 16:02:30 +05:30
|
|
|
subscriber.send(match_type, event)
|
|
|
|
end
|
2021-03-11 19:13:27 +05:30
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#throttle' do
|
|
|
|
let(:match_type) { :throttle }
|
2022-07-16 23:28:13 +05:30
|
|
|
let(:expected_status) { 429 }
|
2021-03-11 19:13:27 +05:30
|
|
|
let(:event_name) { 'throttle.rack_attack' }
|
|
|
|
|
|
|
|
it_behaves_like 'log into auth logger'
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#blocklist' do
|
|
|
|
let(:match_type) { :blocklist }
|
2022-07-16 23:28:13 +05:30
|
|
|
let(:expected_status) { 403 }
|
2021-03-11 19:13:27 +05:30
|
|
|
let(:event_name) { 'blocklist.rack_attack' }
|
|
|
|
|
|
|
|
it_behaves_like 'log into auth logger'
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#track' do
|
|
|
|
let(:match_type) { :track }
|
2022-07-16 23:28:13 +05:30
|
|
|
let(:expected_status) { nil }
|
2021-03-11 19:13:27 +05:30
|
|
|
let(:event_name) { 'track.rack_attack' }
|
|
|
|
|
|
|
|
it_behaves_like 'log into auth logger'
|
|
|
|
end
|
|
|
|
|
|
|
|
describe '#safelist' do
|
|
|
|
let(:event) do
|
|
|
|
ActiveSupport::Notifications::Event.new(
|
|
|
|
'safelist.rack_attack', Time.current, Time.current + 2.seconds, '1', request: double(
|
|
|
|
:request,
|
|
|
|
env: {
|
|
|
|
'rack.attack.matched' => 'throttle_unauthenticated'
|
|
|
|
}
|
|
|
|
)
|
|
|
|
)
|
|
|
|
end
|
|
|
|
|
|
|
|
it 'adds the matched name to safe request store' do
|
|
|
|
subscriber.safelist(event)
|
|
|
|
expect(Gitlab::SafeRequestStore[:instrumentation_throttle_safelist]).to eql('throttle_unauthenticated')
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|