debian-mirror-gitlab/spec/lib/gitlab/metrics/subscribers/rack_attack_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

273 lines
8.6 KiB
Ruby
Raw Normal View History

2021-03-11 19:13:27 +05:30
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Metrics::Subscribers::RackAttack, :request_store do
let(:subscriber) { described_class.new }
describe '.payload' do
context 'when the request store is empty' do
it 'returns empty data' do
expect(described_class.payload).to eql(
rack_attack_redis_count: 0,
rack_attack_redis_duration_s: 0.0
)
end
end
context 'when the request store already has data' do
before do
Gitlab::SafeRequestStore[:rack_attack_instrumentation] = {
rack_attack_redis_count: 10,
rack_attack_redis_duration_s: 9.0
}
end
it 'returns the accumulated data' do
expect(described_class.payload).to eql(
rack_attack_redis_count: 10,
rack_attack_redis_duration_s: 9.0
)
end
end
end
describe '#redis' do
it 'accumulates per-request RackAttack cache usage' do
freeze_time do
subscriber.redis(
ActiveSupport::Notifications::Event.new(
'redis.rack_attack', Time.current, Time.current + 1.second, '1', { operation: 'fetch' }
)
)
subscriber.redis(
ActiveSupport::Notifications::Event.new(
'redis.rack_attack', Time.current, Time.current + 2.seconds, '1', { operation: 'write' }
)
)
subscriber.redis(
ActiveSupport::Notifications::Event.new(
'redis.rack_attack', Time.current, Time.current + 3.seconds, '1', { operation: 'read' }
)
)
end
expect(Gitlab::SafeRequestStore[:rack_attack_instrumentation]).to eql(
rack_attack_redis_count: 3,
rack_attack_redis_duration_s: 6.0
)
end
end
shared_examples 'log into auth logger' do
context 'when matched throttle does not require user information' do
let(:event) do
ActiveSupport::Notifications::Event.new(
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
:request,
ip: '1.2.3.4',
request_method: 'GET',
fullpath: '/api/v4/internal/authorized_keys',
env: {
'rack.attack.match_type' => match_type,
'rack.attack.matched' => 'throttle_unauthenticated'
}
)
)
end
it 'logs request information' do
2022-07-16 23:28:13 +05:30
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
expect(arguments).to include(
2021-03-11 19:13:27 +05:30
message: 'Rack_Attack',
env: match_type,
remote_ip: '1.2.3.4',
request_method: 'GET',
path: '/api/v4/internal/authorized_keys',
matched: 'throttle_unauthenticated'
)
2022-07-16 23:28:13 +05:30
if expected_status
expect(arguments).to include(status: expected_status)
else
expect(arguments).not_to have_key(:status)
end
end
2021-03-11 19:13:27 +05:30
subscriber.send(match_type, event)
end
end
2022-05-03 16:02:30 +05:30
context 'matching user or deploy token authenticated information' do
context 'when matching for user' do
context 'when user not found' do
let(:event) do
ActiveSupport::Notifications::Event.new(
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
:request,
ip: '1.2.3.4',
request_method: 'GET',
fullpath: '/api/v4/internal/authorized_keys',
env: {
'rack.attack.match_type' => match_type,
'rack.attack.matched' => 'throttle_authenticated_api',
'rack.attack.match_discriminator' => "user:#{non_existing_record_id}"
}
)
2021-03-11 19:13:27 +05:30
)
2022-05-03 16:02:30 +05:30
end
it 'logs request information and user id' do
2022-07-16 23:28:13 +05:30
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
expect(arguments).to include(
2022-05-03 16:02:30 +05:30
message: 'Rack_Attack',
env: match_type,
remote_ip: '1.2.3.4',
request_method: 'GET',
path: '/api/v4/internal/authorized_keys',
matched: 'throttle_authenticated_api',
user_id: non_existing_record_id
)
2022-07-16 23:28:13 +05:30
if expected_status
expect(arguments).to include(status: expected_status)
else
expect(arguments).not_to have_key(:status)
end
end
2022-05-03 16:02:30 +05:30
subscriber.send(match_type, event)
end
2021-03-11 19:13:27 +05:30
end
2022-05-03 16:02:30 +05:30
context 'when user found' do
let(:user) { create(:user) }
let(:event) do
ActiveSupport::Notifications::Event.new(
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
:request,
ip: '1.2.3.4',
request_method: 'GET',
fullpath: '/api/v4/internal/authorized_keys',
env: {
'rack.attack.match_type' => match_type,
'rack.attack.matched' => 'throttle_authenticated_api',
'rack.attack.match_discriminator' => "user:#{user.id}"
}
)
2021-03-11 19:13:27 +05:30
)
2022-05-03 16:02:30 +05:30
end
it 'logs request information and user meta' do
2022-07-16 23:28:13 +05:30
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
expect(arguments).to include(
2022-05-03 16:02:30 +05:30
message: 'Rack_Attack',
env: match_type,
remote_ip: '1.2.3.4',
request_method: 'GET',
path: '/api/v4/internal/authorized_keys',
matched: 'throttle_authenticated_api',
user_id: user.id,
'meta.user' => user.username
)
2022-07-16 23:28:13 +05:30
if expected_status
expect(arguments).to include(status: expected_status)
else
expect(arguments).not_to have_key(:status)
end
end
2022-05-03 16:02:30 +05:30
subscriber.send(match_type, event)
end
2021-03-11 19:13:27 +05:30
end
end
2022-05-03 16:02:30 +05:30
context 'when matching for deploy token' do
context 'when deploy token found' do
let(:deploy_token) { create(:deploy_token) }
let(:event) do
ActiveSupport::Notifications::Event.new(
event_name, Time.current, Time.current + 2.seconds, '1', request: double(
:request,
ip: '1.2.3.4',
request_method: 'GET',
fullpath: '/api/v4/internal/authorized_keys',
env: {
'rack.attack.match_type' => match_type,
'rack.attack.matched' => 'throttle_authenticated_api',
'rack.attack.match_discriminator' => "deploy_token:#{deploy_token.id}"
}
)
2021-03-11 19:13:27 +05:30
)
2022-05-03 16:02:30 +05:30
end
2021-03-11 19:13:27 +05:30
2022-05-03 16:02:30 +05:30
it 'logs request information and user meta' do
2022-07-16 23:28:13 +05:30
expect(Gitlab::AuthLogger).to receive(:error) do |arguments|
expect(arguments).to include(
2022-05-03 16:02:30 +05:30
message: 'Rack_Attack',
env: match_type,
remote_ip: '1.2.3.4',
request_method: 'GET',
path: '/api/v4/internal/authorized_keys',
matched: 'throttle_authenticated_api',
deploy_token_id: deploy_token.id
)
2022-07-16 23:28:13 +05:30
if expected_status
expect(arguments).to include(status: expected_status)
else
expect(arguments).not_to have_key(:status)
end
end
2022-05-03 16:02:30 +05:30
subscriber.send(match_type, event)
end
2021-03-11 19:13:27 +05:30
end
end
end
end
describe '#throttle' do
let(:match_type) { :throttle }
2022-07-16 23:28:13 +05:30
let(:expected_status) { 429 }
2021-03-11 19:13:27 +05:30
let(:event_name) { 'throttle.rack_attack' }
it_behaves_like 'log into auth logger'
end
describe '#blocklist' do
let(:match_type) { :blocklist }
2022-07-16 23:28:13 +05:30
let(:expected_status) { 403 }
2021-03-11 19:13:27 +05:30
let(:event_name) { 'blocklist.rack_attack' }
it_behaves_like 'log into auth logger'
end
describe '#track' do
let(:match_type) { :track }
2022-07-16 23:28:13 +05:30
let(:expected_status) { nil }
2021-03-11 19:13:27 +05:30
let(:event_name) { 'track.rack_attack' }
it_behaves_like 'log into auth logger'
end
describe '#safelist' do
let(:event) do
ActiveSupport::Notifications::Event.new(
'safelist.rack_attack', Time.current, Time.current + 2.seconds, '1', request: double(
:request,
env: {
'rack.attack.matched' => 'throttle_unauthenticated'
}
)
)
end
it 'adds the matched name to safe request store' do
subscriber.safelist(event)
expect(Gitlab::SafeRequestStore[:instrumentation_throttle_safelist]).to eql('throttle_unauthenticated')
end
end
end