Skip to content

G
gitlab-ce
Commit d51365ef authored by Marius Bobin's avatar Marius Bobin Committed by Jan Provaznik
Browse files
Options

Exempt `jwt/auth` for user `gitlab-ci-token` from rate limiting

parent 8634cca3
Show whitespace changes
Inline Side-by-side
Showing with 12 additions and 3 deletions
changelogs/unreleased/49392-exempt-jwt-auth-for-user-gitlab-ci-token-from-rate-limiting.yml 0 → 100644
View file @ d51365ef
---
title: Exempt user gitlab-ci-token from rate limiting
merge_request: 31909
author:
type: fixed
lib/gitlab/auth.rb
View file @ d51365ef
...@@ -46,7 +46,7 @@ module Gitlab ...@@ -46,7 +46,7 @@ module Gitlab
user_with_password_for_git(login, password) || user_with_password_for_git(login, password) ||
Gitlab::Auth::Result.new Gitlab::Auth::Result.new
rate_limit!(ip, success: result.success?, login: login) rate_limit!(ip, success: result.success?, login: login) unless skip_rate_limit?(login: login)
Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor) Gitlab::Auth::UniqueIpsLimiter.limit_user!(result.actor)
return result if result.success? || authenticate_using_internal_or_ldap_password? return result if result.success? || authenticate_using_internal_or_ldap_password?
...@@ -119,6 +119,10 @@ module Gitlab ...@@ -119,6 +119,10 @@ module Gitlab
private private
def skip_rate_limit?(login:)
::Ci::Build::CI_REGISTRY_USER == login
end
def authenticate_using_internal_or_ldap_password? def authenticate_using_internal_or_ldap_password?
Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::LDAP::Config.enabled? Gitlab::CurrentSettings.password_authentication_enabled_for_git? || Gitlab::Auth::LDAP::Config.enabled?
end end
......
spec/lib/gitlab/auth_spec.rb
View file @ d51365ef
...@@ -86,7 +86,7 @@ describe Gitlab::Auth do ...@@ -86,7 +86,7 @@ describe Gitlab::Auth do
let(:project) { build.project } let(:project) { build.project }
before do before do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token') expect(gl_auth).not_to receive(:rate_limit!).with('ip', success: true, login: 'gitlab-ci-token')
end end
it 'recognises user-less build' do it 'recognises user-less build' do
...@@ -106,7 +106,7 @@ describe Gitlab::Auth do ...@@ -106,7 +106,7 @@ describe Gitlab::Auth do
let(:project) { build.project } let(:project) { build.project }
before do before do
expect(gl_auth).to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token') expect(gl_auth).not_to receive(:rate_limit!).with('ip', success: false, login: 'gitlab-ci-token')
end end
it 'denies authentication' do it 'denies authentication' do
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7