mirror of https://github.com/coder/coder.git
175 lines
4.6 KiB
Go
175 lines
4.6 KiB
Go
package httpmw_test
|
|
|
|
import (
|
|
"context"
|
|
"crypto/sha256"
|
|
"fmt"
|
|
"math/rand"
|
|
"net"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/google/uuid"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/coder/coder/coderd/database"
|
|
"github.com/coder/coder/coderd/database/databasefake"
|
|
"github.com/coder/coder/coderd/httpmw"
|
|
"github.com/coder/coder/coderd/rbac"
|
|
"github.com/coder/coder/codersdk"
|
|
"github.com/coder/coder/testutil"
|
|
)
|
|
|
|
func insertAPIKey(ctx context.Context, t *testing.T, db database.Store, userID uuid.UUID) string {
|
|
id, secret := randomAPIKeyParts()
|
|
hashed := sha256.Sum256([]byte(secret))
|
|
|
|
_, err := db.InsertAPIKey(ctx, database.InsertAPIKeyParams{
|
|
ID: id,
|
|
HashedSecret: hashed[:],
|
|
LastUsed: database.Now().AddDate(0, 0, -1),
|
|
ExpiresAt: database.Now().AddDate(0, 0, 1),
|
|
UserID: userID,
|
|
LoginType: database.LoginTypePassword,
|
|
Scope: database.APIKeyScopeAll,
|
|
})
|
|
require.NoError(t, err)
|
|
|
|
return fmt.Sprintf("%s-%s", id, secret)
|
|
}
|
|
|
|
func randRemoteAddr() string {
|
|
var b [4]byte
|
|
// nolint:gosec
|
|
rand.Read(b[:])
|
|
// nolint:gosec
|
|
return fmt.Sprintf("%s:%v", net.IP(b[:]).String(), rand.Int31()%(1<<16))
|
|
}
|
|
|
|
func TestRateLimit(t *testing.T) {
|
|
t.Parallel()
|
|
t.Run("NoUserSucceeds", func(t *testing.T) {
|
|
t.Parallel()
|
|
rtr := chi.NewRouter()
|
|
rtr.Use(httpmw.RateLimit(5, time.Second))
|
|
rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
|
|
rw.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
require.Eventually(t, func() bool {
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
rec := httptest.NewRecorder()
|
|
rtr.ServeHTTP(rec, req)
|
|
resp := rec.Result()
|
|
defer resp.Body.Close()
|
|
return resp.StatusCode == http.StatusTooManyRequests
|
|
}, testutil.WaitShort, testutil.IntervalFast)
|
|
})
|
|
|
|
t.Run("RandomIPs", func(t *testing.T) {
|
|
t.Parallel()
|
|
rtr := chi.NewRouter()
|
|
rtr.Use(httpmw.RateLimit(5, time.Second))
|
|
rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
|
|
rw.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
require.Never(t, func() bool {
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
rec := httptest.NewRecorder()
|
|
req.RemoteAddr = randRemoteAddr()
|
|
rtr.ServeHTTP(rec, req)
|
|
resp := rec.Result()
|
|
defer resp.Body.Close()
|
|
return resp.StatusCode == http.StatusTooManyRequests
|
|
}, testutil.WaitShort, testutil.IntervalFast)
|
|
})
|
|
|
|
t.Run("RegularUser", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ctx := context.Background()
|
|
|
|
db := databasefake.New()
|
|
|
|
u := createUser(ctx, t, db)
|
|
key := insertAPIKey(ctx, t, db, u.ID)
|
|
|
|
rtr := chi.NewRouter()
|
|
rtr.Use(httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
|
|
DB: db,
|
|
Optional: false,
|
|
}))
|
|
|
|
rtr.Use(httpmw.RateLimit(5, time.Second))
|
|
rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
|
|
rw.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
// Bypass must fail
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
req.Header.Set(codersdk.SessionTokenHeader, key)
|
|
req.Header.Set(codersdk.BypassRatelimitHeader, "true")
|
|
rec := httptest.NewRecorder()
|
|
// Assert we're not using IP address.
|
|
req.RemoteAddr = randRemoteAddr()
|
|
rtr.ServeHTTP(rec, req)
|
|
resp := rec.Result()
|
|
defer resp.Body.Close()
|
|
require.Equal(t, http.StatusPreconditionRequired, resp.StatusCode)
|
|
|
|
require.Eventually(t, func() bool {
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
req.Header.Set(codersdk.SessionTokenHeader, key)
|
|
rec := httptest.NewRecorder()
|
|
// Assert we're not using IP address.
|
|
req.RemoteAddr = randRemoteAddr()
|
|
rtr.ServeHTTP(rec, req)
|
|
resp := rec.Result()
|
|
defer resp.Body.Close()
|
|
return resp.StatusCode == http.StatusTooManyRequests
|
|
}, testutil.WaitShort, testutil.IntervalFast)
|
|
})
|
|
|
|
t.Run("OwnerBypass", func(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
ctx := context.Background()
|
|
|
|
db := databasefake.New()
|
|
|
|
u := createUser(ctx, t, db, func(u *database.InsertUserParams) {
|
|
u.RBACRoles = []string{rbac.RoleOwner()}
|
|
})
|
|
|
|
key := insertAPIKey(ctx, t, db, u.ID)
|
|
|
|
rtr := chi.NewRouter()
|
|
rtr.Use(httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
|
|
DB: db,
|
|
Optional: false,
|
|
}))
|
|
|
|
rtr.Use(httpmw.RateLimit(5, time.Second))
|
|
rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
|
|
rw.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
require.Never(t, func() bool {
|
|
req := httptest.NewRequest("GET", "/", nil)
|
|
req.Header.Set(codersdk.SessionTokenHeader, key)
|
|
req.Header.Set(codersdk.BypassRatelimitHeader, "true")
|
|
rec := httptest.NewRecorder()
|
|
// Assert we're not using IP address.
|
|
req.RemoteAddr = randRemoteAddr()
|
|
rtr.ServeHTTP(rec, req)
|
|
resp := rec.Result()
|
|
defer resp.Body.Close()
|
|
return resp.StatusCode == http.StatusTooManyRequests
|
|
}, testutil.WaitShort, testutil.IntervalFast)
|
|
})
|
|
}
|