gitlab-org--gitlab-foss/lib/gitlab/action_rate_limiter.rb

# frozen_string_literal: true

module Gitlab
  # This class implements a simple rate limiter that can be used to throttle
  # certain actions. Unlike Rack Attack and Rack::Throttle, which operate at
  # the middleware level, this can be used at the controller level.
  class ActionRateLimiter
    TIME_TO_EXPIRE = 60 # 1 min

    attr_accessor :action, :expiry_time

    def initialize(action:, expiry_time: TIME_TO_EXPIRE)
      @action = action
      @expiry_time = expiry_time
    end

    # Increments the given cache key and increments the value by 1 with the
    # given expiration time. Returns the incremented value.
    #
    # key - An array of ActiveRecord instances
    def increment(key)
      value = 0

      Gitlab::Redis::Cache.with do |redis|
        cache_key = action_key(key)
        value = redis.incr(cache_key)
        redis.expire(cache_key, expiry_time) if value == 1
      end

      value
    end

    # Increments the given key and returns true if the action should
    # be throttled.
    #
    # key - An array of ActiveRecord instances or strings
    # threshold_value - The maximum number of times this action should occur in the given time interval. If number is zero is considered disabled.
    def throttled?(key, threshold_value)
      threshold_value > 0 &&
        self.increment(key) > threshold_value
    end

    # Logs request into auth.log
    #
    # request - Web request to be logged
    # type - A symbol key that represents the request.
    # current_user - Current user of the request, it can be nil.
    def log_request(request, type, current_user)
      request_information = {
        message: 'Action_Rate_Limiter_Request',
        env: type,
        remote_ip: request.ip,
        request_method: request.request_method,
        path: request.fullpath
      }

      if current_user
        request_information.merge!({
          user_id: current_user.id,
          username: current_user.username
        })
      end

      Gitlab::AuthLogger.error(request_information)
    end

    private

    def action_key(key)
      serialized = key.map do |obj|
        if obj.is_a?(String)
          "#{obj}"
        else
          "#{obj.class.model_name.to_s.underscore}:#{obj.id}"
        end
      end.join(":")

      "action_rate_limiter:#{action}:#{serialized}"
    end
  end
end
Enable frozen string for lib/gitlab/*.rb 2018-10-22 03:00:50 -04:00			`# frozen_string_literal: true`

Add rate limiting to guard against excessive scheduling of pipelines 2017-12-09 04:01:42 -05:00			`module Gitlab`
			`# This class implements a simple rate limiter that can be used to throttle`
			`# certain actions. Unlike Rack Attack and Rack::Throttle, which operate at`
			`# the middleware level, this can be used at the controller level.`
			`class ActionRateLimiter`
			`TIME_TO_EXPIRE = 60 # 1 min`

			`attr_accessor :action, :expiry_time`

			`def initialize(action:, expiry_time: TIME_TO_EXPIRE)`
			`@action = action`
			`@expiry_time = expiry_time`
			`end`

Address review comments with playing pipeline scheduler 2017-12-12 18:46:05 -05:00			`# Increments the given cache key and increments the value by 1 with the`
			`# given expiration time. Returns the incremented value.`
			`#`
			`# key - An array of ActiveRecord instances`
Add rate limiting to guard against excessive scheduling of pipelines 2017-12-09 04:01:42 -05:00			`def increment(key)`
			`value = 0`

			`Gitlab::Redis::Cache.with do \|redis\|`
Address review comments with playing pipeline scheduler 2017-12-12 18:46:05 -05:00			`cache_key = action_key(key)`
Add rate limiting to guard against excessive scheduling of pipelines 2017-12-09 04:01:42 -05:00			`value = redis.incr(cache_key)`
			`redis.expire(cache_key, expiry_time) if value == 1`
			`end`

Add spec for ActionRateLimiter 2017-12-09 18:45:01 -05:00			`value`
Add rate limiting to guard against excessive scheduling of pipelines 2017-12-09 04:01:42 -05:00			`end`

Address review comments with playing pipeline scheduler 2017-12-12 18:46:05 -05:00			`# Increments the given key and returns true if the action should`
			`# be throttled.`
			`#`
Add RateLimiter to RawController * Limits raw requests to 300 per minute and per raw path. * Add a new attribute to ApplicationSettings so user can change this value on their instance. * Uses Gitlab::ActionRateLimiter to limit the raw requests. * Add a new method into ActionRateLimiter to log the event into auth.log Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717 2019-07-24 15:49:31 -04:00			`# key - An array of ActiveRecord instances or strings`
			`# threshold_value - The maximum number of times this action should occur in the given time interval. If number is zero is considered disabled.`
Add rate limiting to guard against excessive scheduling of pipelines 2017-12-09 04:01:42 -05:00			`def throttled?(key, threshold_value)`
Add RateLimiter to RawController * Limits raw requests to 300 per minute and per raw path. * Add a new attribute to ApplicationSettings so user can change this value on their instance. * Uses Gitlab::ActionRateLimiter to limit the raw requests. * Add a new method into ActionRateLimiter to log the event into auth.log Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717 2019-07-24 15:49:31 -04:00			`threshold_value > 0 &&`
			`self.increment(key) > threshold_value`
			`end`

			`# Logs request into auth.log`
			`#`
			`# request - Web request to be logged`
			`# type - A symbol key that represents the request.`
			`# current_user - Current user of the request, it can be nil.`
			`def log_request(request, type, current_user)`
			`request_information = {`
			`message: 'Action_Rate_Limiter_Request',`
			`env: type,`
Standardize remote_ip and path keys for auth.log and api_json.log Current `auth.log` uses `fullpath` and `ip`, while `api_json.log` uses `remote_ip` and `path` for the same fields. Let's standardize these namings to make it easier for people working with the data. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/66167 2019-08-20 14:12:28 -04:00			`remote_ip: request.ip,`
Add RateLimiter to RawController * Limits raw requests to 300 per minute and per raw path. * Add a new attribute to ApplicationSettings so user can change this value on their instance. * Uses Gitlab::ActionRateLimiter to limit the raw requests. * Add a new method into ActionRateLimiter to log the event into auth.log Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717 2019-07-24 15:49:31 -04:00			`request_method: request.request_method,`
Standardize remote_ip and path keys for auth.log and api_json.log Current `auth.log` uses `fullpath` and `ip`, while `api_json.log` uses `remote_ip` and `path` for the same fields. Let's standardize these namings to make it easier for people working with the data. Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/66167 2019-08-20 14:12:28 -04:00			`path: request.fullpath`
Add RateLimiter to RawController * Limits raw requests to 300 per minute and per raw path. * Add a new attribute to ApplicationSettings so user can change this value on their instance. * Uses Gitlab::ActionRateLimiter to limit the raw requests. * Add a new method into ActionRateLimiter to log the event into auth.log Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717 2019-07-24 15:49:31 -04:00			`}`

			`if current_user`
			`request_information.merge!({`
			`user_id: current_user.id,`
			`username: current_user.username`
			`})`
			`end`

			`Gitlab::AuthLogger.error(request_information)`
Add rate limiting to guard against excessive scheduling of pipelines 2017-12-09 04:01:42 -05:00			`end`
Address review comments with playing pipeline scheduler 2017-12-12 18:46:05 -05:00
			`private`

			`def action_key(key)`
Add RateLimiter to RawController * Limits raw requests to 300 per minute and per raw path. * Add a new attribute to ApplicationSettings so user can change this value on their instance. * Uses Gitlab::ActionRateLimiter to limit the raw requests. * Add a new method into ActionRateLimiter to log the event into auth.log Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/48717 2019-07-24 15:49:31 -04:00			`serialized = key.map do \|obj\|`
			`if obj.is_a?(String)`
			`"#{obj}"`
			`else`
			`"#{obj.class.model_name.to_s.underscore}:#{obj.id}"`
			`end`
			`end.join(":")`

Address review comments with playing pipeline scheduler 2017-12-12 18:46:05 -05:00			`"action_rate_limiter:#{action}:#{serialized}"`
			`end`
Add rate limiting to guard against excessive scheduling of pipelines 2017-12-09 04:01:42 -05:00			`end`
			`end`