Module: Gitlab::ApplicationRateLimiter

Defined in:

lib/gitlab/application_rate_limiter.rb

Overview

This module implements a simple rate limiter that can be used to throttle certain actions. Unlike Rack Attack and Rack::Throttle, which operate at the middleware level, this can be used at the controller or API level. See CheckRateLimit concern for usage.

Constant Summary

InvalidKeyError =

Class.new(StandardError)

Class Method Summary

• .log_request(request, type, current_user, logger = Gitlab::AuthLogger) ⇒ Object

  Logs request using provided logger.

• .peek(key, scope:, threshold: nil, users_allowlist: nil) ⇒ Boolean

  Returns the current rate limited state without incrementing the count.

• .rate_limits ⇒ Object

  Application rate limits.

• .throttled?(key, scope:, threshold: nil, users_allowlist: nil, peek: false) ⇒ Boolean

  Increments the given key and returns true if the action should be throttled.

Class Method Details

.log_request(request, type, current_user, logger = Gitlab::AuthLogger) ⇒ Object

Logs request using provided logger

Parameters:

• request (Http::Request) —

  • Web request to be logged

• type (Symbol) —

  A symbol key that represents the request

• current_user (User) —

  Current user of the request, it can be nil

• logger (Logger) (defaults to: Gitlab::AuthLogger) —

  Logger to log request to a specific log file. Defaults to Gitlab::AuthLogger

# File 'lib/gitlab/application_rate_limiter.rb', line 102

def log_request(request, type, current_user, logger = Gitlab::AuthLogger)
  request_information = {
    message:        'Application_Rate_Limiter_Request',
    env:            type,
    remote_ip:      request.ip,
    request_method: request.request_method,
    path:           request.fullpath
  }

  if current_user
    request_information.merge!({
                                 user_id:  current_user.id,
                                 username: current_user.username
                               })
  end

  logger.error(request_information)
end

.peek(key, scope:, threshold: nil, users_allowlist: nil) ⇒ Boolean

Returns the current rate limited state without incrementing the count.

Parameters:

• key (Symbol) —

  Key attribute registered in `.rate_limits`

• scope (Array<ActiveRecord>) —

  Array of ActiveRecord models to scope throttling to a specific request (e.g. per user per project)

• threshold (Integer) (defaults to: nil) —

  Optional threshold value to override default one registered in `.rate_limits`

• users_allowlist (Array<String>) (defaults to: nil) —

  Optional list of usernames to exclude from the limit. This param will only be functional if Scope includes a current user.

Returns:

• (Boolean) —

  Whether or not a request is currently throttled

# File 'lib/gitlab/application_rate_limiter.rb', line 92

def peek(key, scope:, threshold: nil, users_allowlist: nil)
  throttled?(key, peek: true, scope: scope, threshold: threshold, users_allowlist: users_allowlist)
end

.rate_limits ⇒ Object

Application rate limits

Threshold value can be either an Integer or a Proc in order to not evaluate it's value every time this method is called and only do that when it's needed.

# File 'lib/gitlab/application_rate_limiter.rb', line 17

def rate_limits # rubocop:disable Metrics/AbcSize
  {
    issues_create:                { threshold: -> { application_settings.issues_create_limit }, interval: 1.minute },
    notes_create:                 { threshold: -> { application_settings.notes_create_limit }, interval: 1.minute },
    project_export:               { threshold: -> { application_settings.project_export_limit }, interval: 1.minute },
    project_download_export:      { threshold: -> { application_settings.project_download_export_limit }, interval: 1.minute },
    project_repositories_archive: { threshold: 5, interval: 1.minute },
    project_generate_new_export:  { threshold: -> { application_settings.project_export_limit }, interval: 1.minute },
    project_import:               { threshold: -> { application_settings.project_import_limit }, interval: 1.minute },
    project_testing_hook:         { threshold: 5, interval: 1.minute },
    play_pipeline_schedule:       { threshold: 1, interval: 1.minute },
    raw_blob:                     { threshold: -> { application_settings.raw_blob_request_limit }, interval: 1.minute },
    group_export:                 { threshold: -> { application_settings.group_export_limit }, interval: 1.minute },
    group_download_export:        { threshold: -> { application_settings.group_download_export_limit }, interval: 1.minute },
    group_import:                 { threshold: -> { application_settings.group_import_limit }, interval: 1.minute },
    group_testing_hook:           { threshold: 5, interval: 1.minute },
    profile_add_new_email:        { threshold: 5, interval: 1.minute },
    web_hook_calls:               { interval: 1.minute },
    users_get_by_id:              { threshold: -> { application_settings.users_get_by_id_limit }, interval: 10.minutes },
    username_exists:              { threshold: 20, interval: 1.minute },
    user_sign_up:                 { threshold: 20, interval: 1.minute },
    profile_resend_email_confirmation:  { threshold: 5, interval: 1.minute },
    profile_update_username:            { threshold: 10, interval: 1.minute },
    update_environment_canary_ingress:  { threshold: 1, interval: 1.minute },
    auto_rollback_deployment:           { threshold: 1, interval: 3.minutes },
    search_rate_limit:                  { threshold: -> { application_settings.search_rate_limit }, interval: 1.minute },
    search_rate_limit_unauthenticated:  { threshold: -> { application_settings.search_rate_limit_unauthenticated }, interval: 1.minute },
    gitlab_shell_operation:       { threshold: 600, interval: 1.minute },
    pipelines_create:             { threshold: 25, interval: 1.minute }
  }.freeze
end

.throttled?(key, scope:, threshold: nil, users_allowlist: nil, peek: false) ⇒ Boolean

Increments the given key and returns true if the action should be throttled.

Parameters:

• key (Symbol) —

  Key attribute registered in `.rate_limits`

• scope (Array<ActiveRecord>) —

  Array of ActiveRecord models, Strings or Symbols to scope throttling to a specific request (e.g. per user per project)

• threshold (Integer) (defaults to: nil) —

  Optional threshold value to override default one registered in `.rate_limits`

• users_allowlist (Array<String>) (defaults to: nil) —

  Optional list of usernames to exclude from the limit. This param will only be functional if Scope includes a current user.

• peek (Boolean) (defaults to: false) —

  Optional. When true the key will not be incremented but the current throttled state will be returned.

Returns:

• (Boolean) —

  Whether or not a request should be throttled

Raises:

• (InvalidKeyError)

# File 'lib/gitlab/application_rate_limiter.rb', line 59

def throttled?(key, scope:, threshold: nil, users_allowlist: nil, peek: false)
  raise InvalidKeyError unless rate_limits[key]

  return false if scoped_user_in_allowlist?(scope, users_allowlist)

  threshold_value = threshold || threshold(key)

  return false if threshold_value == 0

  interval_value = interval(key)
  # `period_key` is based on the current time and interval so when time passes to the next interval
  # the key changes and the rate limit count starts again from 0.
  # Based on https://github.com/rack/rack-attack/blob/886ba3a18d13c6484cd511a4dc9b76c0d14e5e96/lib/rack/attack/cache.rb#L63-L68
  period_key, time_elapsed_in_period = Time.now.to_i.divmod(interval_value)
  cache_key = cache_key(key, scope, period_key)

  value = if peek
            read(cache_key)
          else
            increment(cache_key, interval_value, time_elapsed_in_period)
          end

  value > threshold_value
end