Commit ded62383 authored by Douwe Maan's avatar Douwe Maan

Merge branch '5974-geo-unauthenticated-rate-limits-should-not-block-geo-requests' into 'master'

Resolve "Geo: Unauthenticated rate limits should not block Geo requests"

Closes #5974

See merge request gitlab-org/gitlab-ee!5876
parents 7162d9ec e67ba9b0
...@@ -26,7 +26,7 @@ class Rack::Attack ...@@ -26,7 +26,7 @@ class Rack::Attack
throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req| throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
Gitlab::Throttle.settings.throttle_unauthenticated_enabled && Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
req.unauthenticated? && req.unauthenticated? &&
!req.api_internal_request? && !req.should_be_skipped? &&
req.ip req.ip
end end
...@@ -43,6 +43,8 @@ class Rack::Attack ...@@ -43,6 +43,8 @@ class Rack::Attack
end end
class Request class Request
prepend ::EE::Gitlab::Rack::Attack::Request
def unauthenticated? def unauthenticated?
!authenticated_user_id !authenticated_user_id
end end
...@@ -59,6 +61,10 @@ class Rack::Attack ...@@ -59,6 +61,10 @@ class Rack::Attack
path =~ %r{^/api/v\d+/internal/} path =~ %r{^/api/v\d+/internal/}
end end
def should_be_skipped?
api_internal_request?
end
def web_request? def web_request?
!api_request? !api_request?
end end
......
---
title: "[Geo] Fix: Unauthenticated rate limits should not block Geo requests"
merge_request:
author:
type: fixed
module EE
module Gitlab
module Rack
module Attack
module Request
extend ::Gitlab::Utils::Override
override :should_be_skipped?
def should_be_skipped?
super || geo?
end
def geo?
::Gitlab::Geo::JwtRequestDecoder.geo_auth_attempt?(env['HTTP_AUTHORIZATION']) if env['HTTP_AUTHORIZATION']
end
end
end
end
end
end
require 'spec_helper'
describe 'Rack Attack global throttles' do
around do |example|
# Instead of test environment's :null_store so the throttles can increment
Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
# Make time-dependent tests deterministic
Timecop.freeze { example.run }
Rack::Attack.cache.store = Rails.cache
end
context 'when the request is from Geo secondary' do
let(:project) { create(:project) }
let(:requests_per_period) { 1 }
before do
settings_to_set = {
throttle_unauthenticated_requests_per_period: requests_per_period,
throttle_unauthenticated_enabled: true
}
stub_application_setting(settings_to_set)
end
it 'allows requests over the rate limit' do
(1 + requests_per_period).times do
get "/#{project.full_path}.git/info/refs", { service: 'git-upload-pack' }, { 'Authorization' => "#{::Gitlab::Geo::BaseRequest::GITLAB_GEO_AUTH_TOKEN_TYPE} token" }
expect(response).to have_http_status 401
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment