Add a dry-run mode for RackAttack

This allows tracking rather than throttling certain or all configured
throttles.

This can be done by setting the GITLAB_THROTTLE_DRY_RUN env variable
to a comma separated list of throttles. Each of the throttles
specified in that list will be tracked instead of throttled.

To disable throttling for all configured throttles, we can specify '*'
in the environment variable.

When a request would be rate-limited but dry-run mode is set, the
request continues as normal, but we emit a log message.

config/initializers/rack_attack_logging.rb

@@ -6,7 +6,7 @@ ActiveSupport::Notifications.subscribe(/rack_attack/) do |name, start, finish, r
   req = payload[:request]
 
   case req.env['rack.attack.match_type']
-  when :throttle, :blocklist
+  when :throttle, :blocklist, :track
     rack_attack_info = {
       message: 'Rack_Attack',
       env: req.env['rack.attack.match_type'],

ee/lib/ee/gitlab/rack_attack.rb

@@ -12,7 +12,7 @@ module EE
         def configure_throttles(rack_attack)
           super
 
-          rack_attack.throttle('throttle_incident_management_notification_web', EE::Gitlab::Throttle.incident_management_options) do |req|
+          throttle_or_track(rack_attack, 'throttle_incident_management_notification_web', EE::Gitlab::Throttle.incident_management_options) do |req|
             if req.web_request? &&
                req.path.include?('alerts/notify') &&
                EE::Gitlab::Throttle.settings.throttle_incident_management_notification_enabled

ee/spec/lib/gitlab/rack_attack_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::RackAttack, :aggregate_failures do
+  describe '.configure' do
+    let(:fake_rack_attack) { class_double("Rack::Attack") }
+    let(:fake_rack_attack_request) { class_double("Rack::Attack::Request") }
+
+    before do
+      stub_const("Rack::Attack", fake_rack_attack)
+      stub_const("Rack::Attack::Request", fake_rack_attack_request)
+
+      allow(fake_rack_attack).to receive(:throttle)
+      allow(fake_rack_attack).to receive(:track)
+      allow(fake_rack_attack).to receive(:safelist)
+      allow(fake_rack_attack).to receive(:blocklist)
+    end
+
+    it 'adds the incident management throttle' do
+      described_class.configure(fake_rack_attack)
+
+      expect(fake_rack_attack).to have_received(:throttle)
+        .with('throttle_incident_management_notification_web', Gitlab::Throttle.authenticated_web_options)
+    end
+  end
+end

lib/gitlab/rack_attack.rb

 # frozen_string_literal: true
 
-# Integreation specs for throttling can be found in:
+# Integration specs for throttling can be found in:
 # spec/requests/rack_attack_global_spec.rb
 module Gitlab
   module RackAttack
     def self.configure(rack_attack)
       # This adds some methods used by our throttles to the `Rack::Request`
       rack_attack::Request.include(Gitlab::RackAttack::Request)
-      # Confugure the throttles
+      # Configure the throttles
       configure_throttles(rack_attack)
     end
 
     def self.configure_throttles(rack_attack)
-      rack_attack.throttle('throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
+      throttle_or_track(rack_attack, 'throttle_unauthenticated', Gitlab::Throttle.unauthenticated_options) do |req|
         if !req.should_be_skipped? &&
            Gitlab::Throttle.settings.throttle_unauthenticated_enabled &&
            req.unauthenticated?
@@ -20,7 +20,7 @@ module Gitlab
         end
       end
 
-      rack_attack.throttle('throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req|
+      throttle_or_track(rack_attack, 'throttle_authenticated_api', Gitlab::Throttle.authenticated_api_options) do |req|
         if req.api_request? &&
            Gitlab::Throttle.settings.throttle_authenticated_api_enabled
           req.authenticated_user_id([:api])
@@ -30,20 +30,20 @@ module Gitlab
       # Product analytics feature is in experimental stage.
       # At this point we want to limit amount of events registered
       # per application (aid stands for application id).
-      rack_attack.throttle('throttle_product_analytics_collector', limit: 100, period: 60) do |req|
+      throttle_or_track(rack_attack, 'throttle_product_analytics_collector', limit: 100, period: 60) do |req|
         if req.product_analytics_collector_request?
           req.params['aid']
         end
       end
 
-      rack_attack.throttle('throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req|
+      throttle_or_track(rack_attack, 'throttle_authenticated_web', Gitlab::Throttle.authenticated_web_options) do |req|
         if req.web_request? &&
            Gitlab::Throttle.settings.throttle_authenticated_web_enabled
           req.authenticated_user_id([:api, :rss, :ics])
         end
       end
 
-      rack_attack.throttle('throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req|
+      throttle_or_track(rack_attack, 'throttle_unauthenticated_protected_paths', Gitlab::Throttle.protected_paths_options) do |req|
         if req.post? &&
            !req.should_be_skipped? &&
            req.protected_path? &&
@@ -53,7 +53,7 @@ module Gitlab
         end
       end
 
-      rack_attack.throttle('throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req|
+      throttle_or_track(rack_attack, 'throttle_authenticated_protected_paths_api', Gitlab::Throttle.protected_paths_options) do |req|
         if req.post? &&
            req.api_request? &&
            req.protected_path? &&
@@ -62,7 +62,7 @@ module Gitlab
         end
       end
 
-      rack_attack.throttle('throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req|
+      throttle_or_track(rack_attack, 'throttle_authenticated_protected_paths_web', Gitlab::Throttle.protected_paths_options) do |req|
         if req.post? &&
            req.web_request? &&
            req.protected_path? &&
@@ -76,6 +76,23 @@ module Gitlab
           req.get_header(Gitlab::Throttle.bypass_header) == '1'
       end
     end
+
+    def self.throttle_or_track(rack_attack, throttle_name, *args, &block)
+      if track?(throttle_name)
+        rack_attack.track(throttle_name, *args, &block)
+      else
+        rack_attack.throttle(throttle_name, *args, &block)
+      end
+    end
+
+    def self.track?(name)
+      dry_run_config = ENV['GITLAB_THROTTLE_DRY_RUN'].to_s.strip
+
+      return false if dry_run_config.empty?
+      return true if dry_run_config == '*'
+
+      dry_run_config.split(',').map(&:strip).include?(name)
+    end
   end
 end
 ::Gitlab::RackAttack.prepend_if_ee('::EE::Gitlab::RackAttack')

spec/lib/gitlab/rack_attack_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::RackAttack, :aggregate_failures do
+  describe '.configure' do
+    let(:fake_rack_attack) { class_double("Rack::Attack") }
+    let(:fake_rack_attack_request) { class_double("Rack::Attack::Request") }
+
+    let(:throttles) do
+      {
+        throttle_unauthenticated: Gitlab::Throttle.unauthenticated_options,
+        throttle_authenticated_api: Gitlab::Throttle.authenticated_api_options,
+        throttle_product_analytics_collector: { limit: 100, period: 60 },
+        throttle_unauthenticated_protected_paths: Gitlab::Throttle.unauthenticated_options,
+        throttle_authenticated_protected_paths_api: Gitlab::Throttle.authenticated_api_options,
+        throttle_authenticated_protected_paths_web: Gitlab::Throttle.authenticated_web_options
+      }
+    end
+
+    before do
+      stub_const("Rack::Attack", fake_rack_attack)
+      stub_const("Rack::Attack::Request", fake_rack_attack_request)
+
+      allow(fake_rack_attack).to receive(:throttle)
+      allow(fake_rack_attack).to receive(:track)
+      allow(fake_rack_attack).to receive(:safelist)
+      allow(fake_rack_attack).to receive(:blocklist)
+    end
+
+    it 'extends the request class' do
+      described_class.configure(fake_rack_attack)
+
+      expect(fake_rack_attack_request).to include(described_class::Request)
+    end
+
+    it 'configures the safelist' do
+      described_class.configure(fake_rack_attack)
+
+      expect(fake_rack_attack).to have_received(:safelist).with('throttle_bypass_header')
+    end
+
+    it 'configures throttles if no dry-run was configured' do
+      described_class.configure(fake_rack_attack)
+
+      throttles.each do |throttle, options|
+        expect(fake_rack_attack).to have_received(:throttle).with(throttle.to_s, options)
+      end
+    end
+
+    it 'configures tracks if dry-run was configured for all throttles' do
+      stub_env('GITLAB_THROTTLE_DRY_RUN', '*')
+
+      described_class.configure(fake_rack_attack)
+
+      throttles.each do |throttle, options|
+        expect(fake_rack_attack).to have_received(:track).with(throttle.to_s, options)
+      end
+      expect(fake_rack_attack).not_to have_received(:throttle)
+    end
+
+    it 'configures tracks and throttles with a selected set of dry-runs' do
+      dry_run_throttles = throttles.each_key.first(2)
+      regular_throttles = throttles.keys[2..-1]
+      stub_env('GITLAB_THROTTLE_DRY_RUN', dry_run_throttles.join(','))
+
+      described_class.configure(fake_rack_attack)
+
+      dry_run_throttles.each do |throttle|
+        expect(fake_rack_attack).to have_received(:track).with(throttle.to_s, throttles[throttle])
+      end
+      regular_throttles.each do |throttle|
+        expect(fake_rack_attack).to have_received(:throttle).with(throttle.to_s, throttles[throttle])
+      end
+    end
+  end
+end

spec/requests/rack_attack_global_spec.rb

@@ -133,6 +133,14 @@ RSpec.describe 'Rack Attack global throttles' do
 
         get url_that_does_not_require_authentication
       end
+
+      it_behaves_like 'tracking when dry-run mode is set' do
+        let(:throttle_name) { 'throttle_unauthenticated' }
+
+        def do_request
+          get url_that_does_not_require_authentication
+        end
+      end
     end
 
     context 'when the throttle is disabled' do
@@ -231,6 +239,10 @@ RSpec.describe 'Rack Attack global throttles' do
 
       let(:post_params) { { user: { login: 'username', password: 'password' } } }
 
+      def do_request
+        post protected_path_that_does_not_require_authentication, params: post_params
+      end
+
       before do
         settings_to_set[:throttle_protected_paths_requests_per_period] = requests_per_period # 1
         settings_to_set[:throttle_protected_paths_period_in_seconds] = period_in_seconds # 10_000
@@ -244,7 +256,7 @@ RSpec.describe 'Rack Attack global throttles' do
 
         it 'allows requests over the rate limit' do
           (1 + requests_per_period).times do
-            post protected_path_that_does_not_require_authentication, params: post_params
+            do_request
             expect(response).to have_gitlab_http_status(:ok)
           end
         end
@@ -258,12 +270,16 @@ RSpec.describe 'Rack Attack global throttles' do
 
         it 'rejects requests over the rate limit' do
           requests_per_period.times do
-            post protected_path_that_does_not_require_authentication, params: post_params
+            do_request
             expect(response).to have_gitlab_http_status(:ok)
           end
 
           expect_rejection { post protected_path_that_does_not_require_authentication, params: post_params }
         end
+
+        it_behaves_like 'tracking when dry-run mode is set' do
+          let(:throttle_name) { 'throttle_unauthenticated_protected_paths' }
+        end
       end
     end
 

spec/support/shared_examples/requests/rack_attack_shared_examples.rb

@@ -110,6 +110,14 @@ RSpec.shared_examples 'rate-limited token-authenticated requests' do
         expect { make_request(request_args) }.not_to exceed_query_limit(control_count)
       end
     end
+
+    it_behaves_like 'tracking when dry-run mode is set' do
+      let(:throttle_name) { throttle_types[throttle_setting_prefix] }
+
+      def do_request
+        make_request(request_args)
+      end
+    end
   end
 
   context 'when the throttle is disabled' do
@@ -245,6 +253,14 @@ RSpec.shared_examples 'rate-limited web authenticated requests' do
       expect(Gitlab::AuthLogger).to receive(:error).with(arguments).once
       expect { request_authenticated_web_url }.not_to exceed_query_limit(control_count)
     end
+
+    it_behaves_like 'tracking when dry-run mode is set' do
+      let(:throttle_name) { throttle_types[throttle_setting_prefix] }
+
+      def do_request
+        request_authenticated_web_url
+      end
+    end
   end
 
   context 'when the throttle is disabled' do
@@ -269,3 +285,63 @@ RSpec.shared_examples 'rate-limited web authenticated requests' do
     end
   end
 end
+
+# Requires:
+# - #do_request - This needs to be a method so the result isn't memoized
+# - throttle_name
+RSpec.shared_examples 'tracking when dry-run mode is set' do
+  let(:dry_run_config) { '*' }
+
+  # we can't use `around` here, because stub_env isn't supported outside of the
+  # example itself
+  before do
+    stub_env('GITLAB_THROTTLE_DRY_RUN', dry_run_config)
+    reset_rack_attack
+  end
+
+  after do
+    stub_env('GITLAB_THROTTLE_DRY_RUN', '')
+    reset_rack_attack
+  end
+
+  def reset_rack_attack
+    Rack::Attack.reset!
+    Rack::Attack.clear_configuration
+    Gitlab::RackAttack.configure(Rack::Attack)
+  end
+
+  it 'does not throttle the requests when `*` is configured' do
+    (1 + requests_per_period).times do
+      do_request
+      expect(response).not_to have_gitlab_http_status(:too_many_requests)
+    end
+  end
+
+  it 'logs RackAttack info into structured logs' do
+    arguments = a_hash_including({
+      message: 'Rack_Attack',
+      env: :track,
+      remote_ip: '127.0.0.1',
+      matched: throttle_name
+    })
+
+    expect(Gitlab::AuthLogger).to receive(:error).with(arguments)
+
+    (1 + requests_per_period).times do
+      do_request
+    end
+  end
+
+  context 'when configured with the the throttled name in a list' do
+    let(:dry_run_config) do
+      "throttle_list, #{throttle_name}, other_throttle"
+    end
+
+    it 'does not throttle' do
+      (1 + requests_per_period).times do
+        do_request
+        expect(response).not_to have_gitlab_http_status(:too_many_requests)
+      end
+    end
+  end
+end