Specify timeout for external authorization

This commit allows a user to set a timeout for the external authorization service. When the external service does not reply in time, access will be denied.

Specify timeout for external authorization
This commit allows a user to set a timeout for the external authorization service. When the external service does not reply in time, access will be denied.
854f61b6 · Bob Van Landuyt · 8f3014b0 · 854f61b6 · 854f61b6 · 854f61b6
Commit 854f61b6 authored Mar 14, 2018 by Bob Van Landuyt
11 changed files
--- a/ee/app/helpers/ee/application_settings_helper.rb
+++ b/ee/app/helpers/ee/application_settings_helper.rb
@@ -2,6 +2,17 @@ module EE
  module ApplicationSettingsHelper
    extend ::Gitlab::Utils::Override

+    def external_authorization_description
+      _("If enabled, access to projects will be validated on an external service"\
+        " using their classification label.")
+    end
+
+    def external_authorization_timeout_help_text
+      _("Time in seconds GitLab will wait for a response from the external "\
+        "service. When the service does not respond in time, access will be "\
+        "denied.")
+    end
+
    override :visible_attributes
    def visible_attributes
      super + [
@@ -39,7 +50,8 @@ module EE
      [
        :external_authorization_service_enabled,
        :external_authorization_service_url,
-        :external_authorization_service_default_label
+        :external_authorization_service_default_label,
+        :external_authorization_service_timeout
      ]
    end


--- a/ee/app/models/ee/application_setting.rb
+++ b/ee/app/models/ee/application_setting.rb
@@ -42,12 +42,17 @@ module EE

      validates :external_authorization_service_url,
                :external_authorization_service_default_label,
+                :external_authorization_service_timeout,
                presence: true,
                if: :external_authorization_service_enabled?

      validates :external_authorization_service_url,
                url: true,
                if: :external_authorization_service_enabled?
+
+      validates :external_authorization_service_timeout,
+                numericality: { greater_than: 0, less_than_or_equal_to: 10 },
+                if: :external_authorization_service_enabled?
    end

    module ClassMethods

--- a/ee/app/views/admin/application_settings/_external_authorization_service_form.html.haml
+++ b/ee/app/views/admin/application_settings/_external_authorization_service_form.html.haml
@@ -7,15 +7,20 @@
        .checkbox
          = f.label :external_authorization_service_enabled do
            = f.check_box :external_authorization_service_enabled
-            Enable classification control using an external service
+            = _('Enable classification control using an external service')
        %span.help-block
-          If enabled, access to projects will be validated on an external service
-          using their classification label.
+          = external_authorization_description
          = link_to icon('question-circle'), help_page_path('user/admin_area/settings/external_authorization')
    .form-group
      = f.label :external_authorization_service_url, _('Service URL'), class: 'control-label col-sm-2'
      .col-sm-10
        = f.text_field :external_authorization_service_url, class: 'form-control'
+    .form-group
+      = f.label :external_authorization_service_timeout, _('External authorization request timeout'), class: 'control-label col-sm-2'
+      .col-sm-10
+        = f.number_field :external_authorization_service_timeout, class: 'form-control', min: 0.001, max: 10, step: 0.001
+        %span.help-block
+          = external_authorization_timeout_help_text
    .form-group
      = f.label :external_authorization_service_default_label, _('Default classification label'), class: 'control-label col-sm-2'
      .col-sm-10

--- a/ee/changelogs/unreleased/bvl-ext-auth-configurable-timeout.yml
+++ b/ee/changelogs/unreleased/bvl-ext-auth-configurable-timeout.yml
+---
+title: Timeout for external authorization is now configurable
+merge_request: 4971
+author:
+type: added
--- a/ee/lib/ee/gitlab/external_authorization.rb
+++ b/ee/lib/ee/gitlab/external_authorization.rb
@@ -38,6 +38,12 @@ module EE
          .current_application_settings
          .external_authorization_service_url
      end
+
+      def self.timeout
+        ::Gitlab::CurrentSettings
+          .current_application_settings
+          .external_authorization_service_timeout
+      end
    end
  end
 end
--- a/ee/lib/ee/gitlab/external_authorization/client.rb
+++ b/ee/lib/ee/gitlab/external_authorization/client.rb
@@ -6,18 +6,18 @@ module EE
          'Content-Type' => 'application/json',
          'Accept' => 'application/json'
        }.freeze
-        TIMEOUT = 0.5

        def self.build(user, label)
          new(
            ::EE::Gitlab::ExternalAuthorization.service_url,
+            ::EE::Gitlab::ExternalAuthorization.timeout,
            user,
            label
          )
        end

-        def initialize(url, user, label)
-          @url, @user, @label = url, user, label
+        def initialize(url, timeout, user, label)
+          @url, @timeout, @user, @label = url, timeout, user, label
        end

        def request_access
@@ -25,9 +25,9 @@ module EE
            @url,
            headers: REQUEST_HEADERS,
            body: body.to_json,
-            connect_timeout: TIMEOUT,
-            read_timeout: TIMEOUT,
-            write_timeout: TIMEOUT
+            connect_timeout: @timeout,
+            read_timeout: @timeout,
+            write_timeout: @timeout
          )
          EE::Gitlab::ExternalAuthorization::Response.new(response)
        rescue Excon::Error => e

--- a/ee/spec/controllers/admin/application_settings_controller_spec.rb
+++ b/ee/spec/controllers/admin/application_settings_controller_spec.rb
@@ -85,7 +85,8 @@ describe Admin::ApplicationSettingsController do
        {
          external_authorization_service_enabled: true,
          external_authorization_service_url: 'https://custom.service/',
-          external_authorization_service_default_label: 'default'
+          external_authorization_service_default_label: 'default',
+          external_authorization_service_timeout: 3
        }
      end
      let(:feature) { :external_authorization_service }

--- a/ee/spec/lib/ee/gitlab/external_authorization/client_spec.rb
+++ b/ee/spec/lib/ee/gitlab/external_authorization/client_spec.rb
@@ -27,6 +27,19 @@ describe EE::Gitlab::ExternalAuthorization::Client do
      client.request_access
    end

+    it 'respects the the timeout' do
+      allow(EE::Gitlab::ExternalAuthorization).to receive(:timeout).and_return(3)
+
+      expect(Excon).to receive(:post).with(dummy_url,
+                                           hash_including(
+                                             connect_timeout: 3,
+                                             read_timeout: 3,
+                                             write_timeout: 3
+                                           ))
+
+      client.request_access
+    end
+
    it 'returns an expected response' do
      expect(Excon).to receive(:post)


--- a/ee/spec/models/application_setting_spec.rb
+++ b/ee/spec/models/application_setting_spec.rb
@@ -34,6 +34,8 @@ describe ApplicationSetting do
      it { is_expected.not_to allow_value('not a URL').for(:external_authorization_service_url) }
      it { is_expected.to allow_value('https://example.com').for(:external_authorization_service_url) }
      it { is_expected.not_to allow_value(nil).for(:external_authorization_service_default_label) }
+      it { is_expected.not_to allow_value(11).for(:external_authorization_service_timeout) }
+      it { is_expected.not_to allow_value(0).for(:external_authorization_service_timeout) }
    end
  end


--- a/ee/spec/requests/api/settings_spec.rb
+++ b/ee/spec/requests/api/settings_spec.rb
@@ -83,7 +83,8 @@ describe API::Settings, 'EE Settings' do
      {
        external_authorization_service_enabled: true,
        external_authorization_service_url: 'https://custom.service/',
-        external_authorization_service_default_label: 'default'
+        external_authorization_service_default_label: 'default',
+        external_authorization_service_timeout: 9.99
      }
    end
    let(:feature) { :external_authorization_service }

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gitlab 1.0.0\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2018-03-13 20:43+0100\n"
-"PO-Revision-Date: 2018-03-13 20:43+0100\n"
+"POT-Creation-Date: 2018-03-14 16:41+0100\n"
+"PO-Revision-Date: 2018-03-14 16:41+0100\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "Language: \n"
@@ -1602,6 +1602,9 @@ msgstr ""
 msgid "Enable Auto DevOps"
 msgstr ""

+msgid "Enable classification control using an external service"
+msgstr ""
+
 msgid "Environments|An error occurred while fetching the environments."
 msgstr ""

@@ -1740,6 +1743,9 @@ msgstr ""
 msgid "External authorization denied access to this project"
 msgstr ""

+msgid "External authorization request timeout"
+msgstr ""
+
 msgid "ExternalAuthorizationService|Classification Label"
 msgstr ""

@@ -2146,6 +2152,9 @@ msgstr ""
 msgid "Housekeeping successfully started"
 msgstr ""

+msgid "If enabled, access to projects will be validated on an external service using their classification label."
+msgstr ""
+
 msgid "If using GitHub, you’ll see pipeline statuses on GitHub for your commits and pull requests. %{more_info_link}"
 msgstr ""

@@ -3979,6 +3988,9 @@ msgstr ""
 msgid "Time between merge request creation and merge/close"
 msgstr ""

+msgid "Time in seconds GitLab will wait for a response from the external service. When the service does not respond in time, access will be denied."
+msgstr ""
+
 msgid "Time tracking"
 msgstr ""