coderd: add Bypass rate limit header

ammario · ammario · commit 6f375c739408 · 2022-10-08T19:33:58.000Z
diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
@@ -591,16 +591,20 @@ func TestAPIKey(t *testing.T) {
 	})
 }
 
-func createUser(ctx context.Context, t *testing.T, db database.Store) database.User {
-	user, err := db.InsertUser(ctx, database.InsertUserParams{
+func createUser(ctx context.Context, t *testing.T, db database.Store, opts ...func(u *database.InsertUserParams)) database.User {
+	insert := database.InsertUserParams{
 		ID:             uuid.New(),
 		Email:          "email@coder.com",
 		Username:       "username",
 		HashedPassword: []byte{},
 		CreatedAt:      time.Now(),
 		UpdatedAt:      time.Now(),
 		RBACRoles:      []string{},
-	})
+	}
+	for _, opt := range opts {
+		opt(&insert)
+	}
+	user, err := db.InsertUser(ctx, insert)
 	require.NoError(t, err, "create user")
 	return user
 }
diff --git a/coderd/httpmw/ratelimit.go b/coderd/httpmw/ratelimit.go
@@ -5,10 +5,13 @@ import (
 	"time"
 
 	"github.com/go-chi/httprate"
+	"golang.org/x/xerrors"
 
 	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/coderd/rbac"
 	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/cryptorand"
 )
 
 // RateLimit returns a handler that limits requests per-minute based
@@ -26,10 +29,34 @@ func RateLimit(count int, window time.Duration) func(http.Handler) http.Handler
 		httprate.WithKeyFuncs(func(r *http.Request) (string, error) {
 			// Prioritize by user, but fallback to IP.
 			apiKey, ok := r.Context().Value(apiKeyContextKey{}).(database.APIKey)
-			if ok {
+			if !ok {
+				return httprate.KeyByIP(r)
+			}
+
+			if r.Header.Get(codersdk.BypassRatelimitHeader) == "" {
 				return apiKey.UserID.String(), nil
 			}
-			return httprate.KeyByIP(r)
+
+			// Allow Owner to bypass rate limiting for load tests
+			// and automation.
+
+			auth := UserAuthorization(r)
+
+			for _, role := range auth.Roles {
+				if role == rbac.RoleOwner() {
+					// HACK: use a random key each time to
+					// de facto disable rate limiting. The
+					// `httprate` package appears to have no
+					// support for selectively changing the limit
+					// for particular keys.
+					return cryptorand.String(16)
+				}
+			}
+
+			return apiKey.UserID.String(), xerrors.Errorf(
+				"%q provided but user is not %v",
+				codersdk.BypassRatelimitHeader, rbac.RoleOwner(),
+			)
 		}, httprate.KeyByEndpoint),
 		httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
 			httpapi.Write(r.Context(), w, http.StatusTooManyRequests, codersdk.Response{
diff --git a/coderd/httpmw/ratelimit_test.go b/coderd/httpmw/ratelimit_test.go
@@ -1,21 +1,55 @@
 package httpmw_test
 
 import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+	"math/rand"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"time"
 
 	"github.com/go-chi/chi/v5"
+	"github.com/google/uuid"
 	"github.com/stretchr/testify/require"
 
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/database/databasefake"
 	"github.com/coder/coder/coderd/httpmw"
+	"github.com/coder/coder/coderd/rbac"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/testutil"
 )
 
+func insertAPIKey(ctx context.Context, t *testing.T, db database.Store, userID uuid.UUID) string {
+	id, secret := randomAPIKeyParts()
+	hashed := sha256.Sum256([]byte(secret))
+
+	_, err := db.InsertAPIKey(ctx, database.InsertAPIKeyParams{
+		ID:           id,
+		HashedSecret: hashed[:],
+		LastUsed:     database.Now().AddDate(0, 0, -1),
+		ExpiresAt:    database.Now().AddDate(0, 0, 1),
+		UserID:       userID,
+		LoginType:    database.LoginTypePassword,
+		Scope:        database.APIKeyScopeAll,
+	})
+	require.NoError(t, err)
+
+	return fmt.Sprintf("%s-%s", id, secret)
+}
+
+func randRemoteAddr() string {
+	var b [4]byte
+	rand.Read(b[:])
+	return fmt.Sprintf("%s:%v", net.IP(b[:]).String(), rand.Int31()%(1<<16))
+}
+
 func TestRateLimit(t *testing.T) {
 	t.Parallel()
-	t.Run("NoUser", func(t *testing.T) {
+	t.Run("NoUserSucceeds", func(t *testing.T) {
 		t.Parallel()
 		rtr := chi.NewRouter()
 		rtr.Use(httpmw.RateLimit(5, time.Second))
@@ -32,4 +66,107 @@ func TestRateLimit(t *testing.T) {
 			return resp.StatusCode == http.StatusTooManyRequests
 		}, testutil.WaitShort, testutil.IntervalFast)
 	})
+
+	t.Run("RandomIPs", func(t *testing.T) {
+		t.Parallel()
+		rtr := chi.NewRouter()
+		rtr.Use(httpmw.RateLimit(5, time.Second))
+		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
+			rw.WriteHeader(http.StatusOK)
+		})
+
+		require.Never(t, func() bool {
+			req := httptest.NewRequest("GET", "/", nil)
+			rec := httptest.NewRecorder()
+			req.RemoteAddr = randRemoteAddr()
+			rtr.ServeHTTP(rec, req)
+			resp := rec.Result()
+			defer resp.Body.Close()
+			return resp.StatusCode == http.StatusTooManyRequests
+		}, testutil.WaitShort, testutil.IntervalFast)
+	})
+
+	t.Run("RegularUser", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := context.Background()
+
+		db := databasefake.New()
+
+		u := createUser(ctx, t, db)
+		key := insertAPIKey(ctx, t, db, u.ID)
+
+		rtr := chi.NewRouter()
+		rtr.Use(httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
+			DB:       db,
+			Optional: false,
+		}))
+
+		rtr.Use(httpmw.RateLimit(5, time.Second))
+		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
+			rw.WriteHeader(http.StatusOK)
+		})
+
+		// Bypass must fail
+		req := httptest.NewRequest("GET", "/", nil)
+		req.Header.Set(codersdk.SessionCustomHeader, key)
+		req.Header.Set(codersdk.BypassRatelimitHeader, "true")
+		rec := httptest.NewRecorder()
+		// Assert we're not using IP address.
+		req.RemoteAddr = randRemoteAddr()
+		rtr.ServeHTTP(rec, req)
+		resp := rec.Result()
+		defer resp.Body.Close()
+		require.Equal(t, http.StatusPreconditionRequired, resp.StatusCode)
+
+		require.Eventually(t, func() bool {
+			req := httptest.NewRequest("GET", "/", nil)
+			req.Header.Set(codersdk.SessionCustomHeader, key)
+			rec := httptest.NewRecorder()
+			// Assert we're not using IP address.
+			req.RemoteAddr = randRemoteAddr()
+			rtr.ServeHTTP(rec, req)
+			resp := rec.Result()
+			defer resp.Body.Close()
+			return resp.StatusCode == http.StatusTooManyRequests
+		}, testutil.WaitShort, testutil.IntervalFast)
+	})
+
+	t.Run("OwnerBypass", func(t *testing.T) {
+		t.Parallel()
+
+		ctx := context.Background()
+
+		db := databasefake.New()
+
+		u := createUser(ctx, t, db, func(u *database.InsertUserParams) {
+			u.RBACRoles = []string{rbac.RoleOwner()}
+		})
+
+		key := insertAPIKey(ctx, t, db, u.ID)
+
+		rtr := chi.NewRouter()
+		rtr.Use(httpmw.ExtractAPIKey(httpmw.ExtractAPIKeyConfig{
+			DB:       db,
+			Optional: false,
+		}))
+
+		rtr.Use(httpmw.RateLimit(5, time.Second))
+		rtr.Get("/", func(rw http.ResponseWriter, r *http.Request) {
+			rw.WriteHeader(http.StatusOK)
+		})
+
+		require.Never(t, func() bool {
+			req := httptest.NewRequest("GET", "/", nil)
+			req.Header.Set(codersdk.SessionCustomHeader, key)
+			req.Header.Set(codersdk.BypassRatelimitHeader, "true")
+			rec := httptest.NewRecorder()
+			// Assert we're not using IP address.
+			req.RemoteAddr = randRemoteAddr()
+			rtr.ServeHTTP(rec, req)
+			resp := rec.Result()
+			defer resp.Body.Close()
+			return resp.StatusCode == http.StatusTooManyRequests
+		}, testutil.WaitShort, testutil.IntervalFast)
+	})
 }
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -24,6 +24,9 @@ const (
 	SessionCustomHeader = "Coder-Session-Token"
 	OAuth2StateKey      = "oauth_state"
 	OAuth2RedirectKey   = "oauth_redirect"
+
+	// nolint: gosec
+	BypassRatelimitHeader = "X-Coder-Bypass-Ratelimit"
 )
 
 // New creates a Coder client for the provided URL.

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,9 @@ const (`
`24`	`24`	`SessionCustomHeader = "Coder-Session-Token"`
`25`	`25`	`OAuth2StateKey = "oauth_state"`
`26`	`26`	`OAuth2RedirectKey = "oauth_redirect"`
	`27`	`+`
	`28`	`+ // nolint: gosec`
	`29`	`+ BypassRatelimitHeader = "X-Coder-Bypass-Ratelimit"`
`27`	`30`	`)`
`28`	`31`
`29`	`32`	`// New creates a Coder client for the provided URL.`