[Geo] Fix: Unauthenticated rate limits should not block Geo requests

e67ba9b0 · Valery Sizov · 7f392a9b · e67ba9b0 · e67ba9b0 · e67ba9b0
Commit e67ba9b0 authored May 28, 2018 by Valery Sizov
3 changed files
--- a/config/initializers/rack_attack_global.rb
+++ b/config/initializers/rack_attack_global.rb
@@ -26,7 +26,7 @@ class Rack::Attack
  throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
    Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
      req.unauthenticated? &&
-      !req.api_internal_request? &&
+      !req.should_be_skipped? &&
      req.ip
  end

@@ -43,6 +43,8 @@ class Rack::Attack
  end

  class Request
+    prepend ::EE::Gitlab::Rack::Attack::Request
+
    def unauthenticated?
      !authenticated_user_id
    end
@@ -59,6 +61,10 @@ class Rack::Attack
      path =~ %r{^/api/v\d+/internal/}
    end

+    def should_be_skipped?
+      api_internal_request?
+    end
+
    def web_request?
      !api_request?
    end

--- a/ee/lib/ee/gitlab/rack/attack/request.rb
+++ b/ee/lib/ee/gitlab/rack/attack/request.rb
+module EE
+  module Gitlab
+    module Rack
+      module Attack
+        module Request
+          extend ::Gitlab::Utils::Override
+
+          override :should_be_skipped?
+          def should_be_skipped?
+            super || geo?
+          end
+
+          def geo?
+            ::Gitlab::Geo::JwtRequestDecoder.geo_auth_attempt?(env['HTTP_AUTHORIZATION']) if env['HTTP_AUTHORIZATION']
+          end
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/requests/rack_attack_global_spec.rb
+++ b/ee/spec/requests/rack_attack_global_spec.rb
+require 'spec_helper'
+
+describe 'Rack Attack global throttles' do
+  around do |example|
+    # Instead of test environment's :null_store so the throttles can increment
+    Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new
+
+    # Make time-dependent tests deterministic
+    Timecop.freeze { example.run }
+
+    Rack::Attack.cache.store = Rails.cache
+  end
+
+  context 'when the request is from Geo secondary' do
+    let(:project) { create(:project) }
+    let(:requests_per_period) { 1 }
+
+    before do
+      settings_to_set = {
+        throttle_unauthenticated_requests_per_period: requests_per_period,
+        throttle_unauthenticated_enabled:  true
+      }
+      stub_application_setting(settings_to_set)
+    end
+
+    it 'allows requests over the rate limit' do
+      (1 + requests_per_period).times do
+        get "/#{project.full_path}.git/info/refs", { service: 'git-upload-pack' }, { 'Authorization' => "#{::Gitlab::Geo::BaseRequest::GITLAB_GEO_AUTH_TOKEN_TYPE} token" }
+        expect(response).to have_http_status 401
+      end
+    end
+  end
+end