Merge branch '49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting' into 'master'

Exempt `jwt/auth` for user `gitlab-ci-token` from rate limiting Closes #49392 See merge request gitlab-org/gitlab-ce!31909

Merge branch '49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting' into 'master'
Exempt `jwt/auth` for user `gitlab-ci-token` from rate limiting Closes #49392 See merge request gitlab-org/gitlab-ce!31909
46dc5072 · Jan Provaznik · 8634cca3 · d51365ef · 46dc5072 · 46dc5072
Commit 46dc5072 authored Aug 23, 2019 by Jan Provaznik
3 changed files
--- a/changelogs/unreleased/49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml
+++ b/changelogs/unreleased/49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml
+---
+title: Exempt user gitlab-ci-token from rate limiting
+merge_request: 31909
+author:
+type: fixed
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -46,7 +46,7 @@ module Gitlab
          user_with_password_for_git(login, password) ||
          Gitlab::Auth::Result.new

-        rate_limit!(ip, success: result.success?, login: login)
+        rate_limit!(ip, success: result.success?, login: login) unless skip_rate_limit?(login: login)
        Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)

        return result if result.success? || authenticate_using_internal_or_ldap_password?
@@ -119,6 +119,10 @@ module Gitlab

      private

+      def skip_rate_limit?(login:)
+        ::Ci::Build::CI_REGISTRY_USER == login
+      end
+
      def authenticate_using_internal_or_ldap_password?
        Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::LDAP::Config.enabled?
      end

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -86,7 +86,7 @@ describe Gitlab::Auth do
        let(:project) { build.project }

        before do
-          expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')
+          expect(gl_auth).not_to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')
        end

        it 'recognises user-less build' do
@@ -106,7 +106,7 @@ describe Gitlab::Auth do
          let(:project) { build.project }

          before do
-            expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')
+            expect(gl_auth).not_to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')
          end

          it 'denies authentication' do