Module: Gitlab::RackAttack::Request
- Includes:
- Utils::StrongMemoize
- Defined in:
- lib/gitlab/rack_attack/request.rb
Constant Summary
- FILES_PATH_REGEX =
%r{^/api/v\d+/projects/[^/]+/repository/files/.+}
- GROUP_PATH_REGEX =
%r{^/api/v\d+/groups/[^/]+/?$}
Instance Method Summary
- #api_internal_request? ⇒ Boolean
- #api_request? ⇒ Boolean
- #authenticated_runner_id ⇒ Object
- #container_registry_event? ⇒ Boolean
- #get_request_protected_path? ⇒ Boolean
- #health_check_request? ⇒ Boolean
- #logical_path ⇒ Object
- #matches?(regex) ⇒ Boolean
- #product_analytics_collector_request? ⇒ Boolean
- #protected_path? ⇒ Boolean
- #should_be_skipped? ⇒ Boolean
- #throttle?(throttle, authenticated:) ⇒ Boolean
- #throttle_authenticated_api? ⇒ Boolean
- #throttle_authenticated_deprecated_api? ⇒ Boolean
- #throttle_authenticated_files_api? ⇒ Boolean
- #throttle_authenticated_get_protected_paths_api? ⇒ Boolean
- #throttle_authenticated_get_protected_paths_web? ⇒ Boolean
- #throttle_authenticated_git_lfs? ⇒ Boolean
- #throttle_authenticated_packages_api? ⇒ Boolean
- #throttle_authenticated_protected_paths_api? ⇒ Boolean
- #throttle_authenticated_protected_paths_web? ⇒ Boolean
- #throttle_authenticated_web? ⇒ Boolean
- #throttle_unauthenticated_api? ⇒ Boolean
- #throttle_unauthenticated_deprecated_api? ⇒ Boolean
- #throttle_unauthenticated_files_api? ⇒ Boolean
- #throttle_unauthenticated_get_protected_paths? ⇒ Boolean
- #throttle_unauthenticated_packages_api? ⇒ Boolean
- #throttle_unauthenticated_protected_paths? ⇒ Boolean
- #throttle_unauthenticated_web? ⇒ Boolean
- #throttled_identifer(request_formats) ⇒ Object
- #unauthenticated? ⇒ Boolean
- #web_request? ⇒ Boolean
Instance Method Details
#api_internal_request? ⇒ Boolean
# File 'lib/gitlab/rack_attack/request.rb', line 46 def api_internal_request? matches?(%r{^/api/v\d+/internal/}) end |
#api_request? ⇒ Boolean
34 35 36 |
# File 'lib/gitlab/rack_attack/request.rb', line 34 def api_request? logical_path.start_with?('/api') end |
#authenticated_runner_id ⇒ Object
30 31 32 |
# File 'lib/gitlab/rack_attack/request.rb', line 30 def authenticated_runner_id request_authenticator.runner&.id end |
#container_registry_event? ⇒ Boolean
54 55 56 |
# File 'lib/gitlab/rack_attack/request.rb', line 54 def container_registry_event? matches?(%r{^/api/v\d+/container_registry_event/}) end |
#get_request_protected_path? ⇒ Boolean
74 75 76 |
# File 'lib/gitlab/rack_attack/request.rb', line 74 def get_request_protected_path? matches?(protected_paths_for_get_request_regex) end |
#health_check_request? ⇒ Boolean
50 51 52 |
# File 'lib/gitlab/rack_attack/request.rb', line 50 def health_check_request? matches?(%r{^/-/(health|liveness|readiness|metrics)}) end |
#logical_path ⇒ Object
38 39 40 |
# File 'lib/gitlab/rack_attack/request.rb', line 38 def logical_path @logical_path ||= path.delete_prefix(Gitlab.config.gitlab.relative_url_root) end |
#matches?(regex) ⇒ Boolean
42 43 44 |
# File 'lib/gitlab/rack_attack/request.rb', line 42 def matches?(regex) logical_path.match?(regex) end |
#product_analytics_collector_request? ⇒ Boolean
58 59 60 |
# File 'lib/gitlab/rack_attack/request.rb', line 58 def product_analytics_collector_request? logical_path.start_with?('/-/collector/i') end |
#protected_path? ⇒ Boolean
70 71 72 |
# File 'lib/gitlab/rack_attack/request.rb', line 70 def protected_path? matches?(protected_paths_regex) end |
#should_be_skipped? ⇒ Boolean
62 63 64 |
# File 'lib/gitlab/rack_attack/request.rb', line 62 def should_be_skipped? api_internal_request? || health_check_request? || container_registry_event? end |
#throttle?(throttle, authenticated:) ⇒ Boolean
78 79 80 81 82 |
# File 'lib/gitlab/rack_attack/request.rb', line 78 def throttle?(throttle, authenticated:) fragment = Gitlab::Throttle.throttle_fragment!(throttle, authenticated: authenticated) __send__("#{fragment}?") # rubocop:disable GitlabSecurity/PublicSend end |
#throttle_authenticated_api? ⇒ Boolean
103 104 105 106 107 108 109 110 |
# File 'lib/gitlab/rack_attack/request.rb', line 103 def throttle_authenticated_api? api_request? && !frontend_request? && !throttle_authenticated_packages_api? && !throttle_authenticated_files_api? && !throttle_authenticated_deprecated_api? && Gitlab::Throttle.settings.throttle_authenticated_api_enabled end |
#throttle_authenticated_deprecated_api? ⇒ Boolean
195 196 197 198 |
# File 'lib/gitlab/rack_attack/request.rb', line 195 def throttle_authenticated_deprecated_api? deprecated_api_request? && Gitlab::Throttle.settings.throttle_authenticated_deprecated_api_enabled end |
#throttle_authenticated_files_api? ⇒ Boolean
184 185 186 187 |
# File 'lib/gitlab/rack_attack/request.rb', line 184 def throttle_authenticated_files_api? files_api_path? && Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled end |
#throttle_authenticated_get_protected_paths_api? ⇒ Boolean
148 149 150 151 152 153 |
# File 'lib/gitlab/rack_attack/request.rb', line 148 def throttle_authenticated_get_protected_paths_api? get? && api_request? && get_request_protected_path? && Gitlab::Throttle.protected_paths_enabled? end |
#throttle_authenticated_get_protected_paths_web? ⇒ Boolean
155 156 157 158 159 160 |
# File 'lib/gitlab/rack_attack/request.rb', line 155 def throttle_authenticated_get_protected_paths_web? get? && web_request? && get_request_protected_path? && Gitlab::Throttle.protected_paths_enabled? end |
#throttle_authenticated_git_lfs? ⇒ Boolean
173 174 175 176 |
# File 'lib/gitlab/rack_attack/request.rb', line 173 def throttle_authenticated_git_lfs? git_lfs_path? && Gitlab::Throttle.settings.throttle_authenticated_git_lfs_enabled end |
#throttle_authenticated_packages_api? ⇒ Boolean
168 169 170 171 |
# File 'lib/gitlab/rack_attack/request.rb', line 168 def throttle_authenticated_packages_api? packages_api_path? && Gitlab::Throttle.settings.throttle_authenticated_packages_api_enabled end |
#throttle_authenticated_protected_paths_api? ⇒ Boolean
126 127 128 129 130 131 |
# File 'lib/gitlab/rack_attack/request.rb', line 126 def throttle_authenticated_protected_paths_api? post? && api_request? && protected_path? && Gitlab::Throttle.protected_paths_enabled? end |
#throttle_authenticated_protected_paths_web? ⇒ Boolean
133 134 135 136 137 138 |
# File 'lib/gitlab/rack_attack/request.rb', line 133 def throttle_authenticated_protected_paths_web? post? && web_request? && protected_path? && Gitlab::Throttle.protected_paths_enabled? end |
#throttle_authenticated_web? ⇒ Boolean
112 113 114 115 116 |
# File 'lib/gitlab/rack_attack/request.rb', line 112 def throttle_authenticated_web? (web_request? || frontend_request?) && !throttle_authenticated_git_lfs? && Gitlab::Throttle.settings.throttle_authenticated_web_enabled end |
#throttle_unauthenticated_api? ⇒ Boolean
84 85 86 87 88 89 90 91 92 93 |
# File 'lib/gitlab/rack_attack/request.rb', line 84 def throttle_unauthenticated_api? api_request? && !should_be_skipped? && !frontend_request? && !throttle_unauthenticated_packages_api? && !throttle_unauthenticated_files_api? && !throttle_unauthenticated_deprecated_api? && Gitlab::Throttle.settings.throttle_unauthenticated_api_enabled && unauthenticated? end |
#throttle_unauthenticated_deprecated_api? ⇒ Boolean
189 190 191 192 193 |
# File 'lib/gitlab/rack_attack/request.rb', line 189 def throttle_unauthenticated_deprecated_api? deprecated_api_request? && Gitlab::Throttle.settings.throttle_unauthenticated_deprecated_api_enabled && unauthenticated? end |
#throttle_unauthenticated_files_api? ⇒ Boolean
178 179 180 181 182 |
# File 'lib/gitlab/rack_attack/request.rb', line 178 def throttle_unauthenticated_files_api? files_api_path? && Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled && unauthenticated? end |
#throttle_unauthenticated_get_protected_paths? ⇒ Boolean
140 141 142 143 144 145 146 |
# File 'lib/gitlab/rack_attack/request.rb', line 140 def throttle_unauthenticated_get_protected_paths? get? && !should_be_skipped? && get_request_protected_path? && Gitlab::Throttle.protected_paths_enabled? && unauthenticated? end |
#throttle_unauthenticated_packages_api? ⇒ Boolean
162 163 164 165 166 |
# File 'lib/gitlab/rack_attack/request.rb', line 162 def throttle_unauthenticated_packages_api? packages_api_path? && Gitlab::Throttle.settings.throttle_unauthenticated_packages_api_enabled && unauthenticated? end |
#throttle_unauthenticated_protected_paths? ⇒ Boolean
118 119 120 121 122 123 124 |
# File 'lib/gitlab/rack_attack/request.rb', line 118 def throttle_unauthenticated_protected_paths? post? && !should_be_skipped? && protected_path? && Gitlab::Throttle.protected_paths_enabled? && unauthenticated? end |
#throttle_unauthenticated_web? ⇒ Boolean
95 96 97 98 99 100 101 |
# File 'lib/gitlab/rack_attack/request.rb', line 95 def throttle_unauthenticated_web? (web_request? || frontend_request?) && !should_be_skipped? && # TODO: Column will be renamed in https://gitlab.com/gitlab-org/gitlab/-/issues/340031 Gitlab::Throttle.settings.throttle_unauthenticated_enabled && unauthenticated? end |
#throttled_identifer(request_formats) ⇒ Object
15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
# File 'lib/gitlab/rack_attack/request.rb', line 15 def throttled_identifer(request_formats) identifier = authenticated_identifier(request_formats) return unless identifier identifier_type = identifier[:identifier_type] identifier_id = identifier[:identifier_id] if identifier_type == :user && Gitlab::RackAttack.user_allowlist.include?(identifier_id) Gitlab::Instrumentation::Throttle.safelist = 'throttle_user_allowlist' return end "#{identifier_type}:#{identifier_id}" end |
#unauthenticated? ⇒ Boolean
11 12 13 |
# File 'lib/gitlab/rack_attack/request.rb', line 11 def unauthenticated? !(authenticated_identifier([:api, :rss, :ics]) || authenticated_runner_id) end |
#web_request? ⇒ Boolean
66 67 68 |
# File 'lib/gitlab/rack_attack/request.rb', line 66 def web_request? !api_request? && !health_check_request? end |