update test for rack_attack

dd7081cd · Alain Takoudjou · 854f6248 · dd7081cd · dd7081cd · dd7081cd
Commit dd7081cd authored Apr 24, 2024 by Alain Takoudjou
5 changed files
--- a/software/gitlab/buildout.hash.cfg
+++ b/software/gitlab/buildout.hash.cfg
@@ -46,7 +46,7 @@ md5sum = f21ad3ae0e96e80ca4ea3819d4e9097f

 [gitlab.yml.in]
 _update_hash_filename_ = template/gitlab.yml.in
-md5sum = aa22a70294cb78577588854ef8403dba
+md5sum = 0618288bd77ccbc7f7e9460be230fbf8

 [gitaly-config.toml.in]
 _update_hash_filename_ = template/gitaly-config.toml.in

--- a/software/gitlab/software.cfg
+++ b/software/gitlab/software.cfg
@@ -402,3 +402,4 @@ docutils = 0.16
 cns.recipe.symlink = 0.2.3
 plone.recipe.command = 1.1
 z3c.recipe.scripts = 1.0.1
+beautifulsoup4 = 4.12.3
--- a/software/gitlab/template/gitlab.yml.in
+++ b/software/gitlab/template/gitlab.yml.in
@@ -566,7 +566,7 @@ production: &base
    {# ICP: '{{ cfg("icp_license") }}' #}
    {% endif %}

-rack_attack:
+  rack_attack:
    git_basic_auth:
      # Rack Attack IP banning enabled
      enabled: {{ cfg("rack_attack_enable") }}

--- a/software/gitlab/test/setup.py
+++ b/software/gitlab/test/setup.py
@@ -46,6 +46,7 @@ setup(
        'erp5.util',
        'supervisor',
        'requests',
+        'beautifulsoup4'
    ],
    zip_safe=True,
    test_suite='test',

--- a/software/gitlab/test/test.py
+++ b/software/gitlab/test/test.py
@@ -26,10 +26,10 @@
 ##############################################################################

 import os
-import logging
-import urllib
 import requests
 import functools
+import bs4
+from urllib.parse import urljoin

 from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass

@@ -56,10 +56,28 @@ class TestGitlab(SlapOSInstanceTestCase):
      resp.status_code in [requests.codes.ok, requests.codes.found])

  def test_rack_attack_sign_in_rate_limiting(self):
+    session = requests.session()
+
+    # Load the login page to get a CSRF token.
+    response = session.get(urljoin(self.backend_url, 'users/sign_in'))
+    self.assertEqual(response.status_code, 200)
+
+    # Extract the CSRF token and param.
+    bsoup = bs4.BeautifulSoup(response.text, 'html.parser')
+    csrf_param = bsoup.find('meta', dict(name='csrf-param'))['content']
+    csrf_token = bsoup.find('meta', dict(name='csrf-token'))['content']
+
+    request_data = {
+                    'user[login]': 'test',
+                    'user[password]': 'random',
+                    csrf_param: csrf_token}
+
    sign_in = functools.partial(
       requests.post,
-       urllib.parse.urljoin(self.backend_url, '/users/sign_in'),
+       response.url,
+       data=request_data,
       verify=False)
+
    for _ in range(10):
      sign_in(headers={'X_FORWARDED_FOR': '1.2.3.4'})
    # after 10 authentication failures, this client is rate limited