Esempio n. 1
    def test_throttling_user_daily(self):
        """Check that the per-user daily upload throttle holds for a full day.

        Every seeded action and every request below carries a freshly drawn
        ``get_random_ip()`` address while the user stays the same, so the 429
        responses are expected to come from throttling keyed on the account:
        changing the source address must not restore the allowance.
        """
        def post_from_new_ip():
            # Each attempt is sent with a newly drawn client address.
            return self._create_post(ip=get_random_ip())

        with freeze_time('2019-04-08 15:16:23.42') as clock:
            # Seed 48 earlier actions for this user, one per random address.
            # NOTE(review): presumably 48 is what exhausts the daily allowance;
            # the throttle rates are configured outside this listing.
            for _ in range(48):
                self._add_fake_throttling_action(
                    view_class=FileUploadViewSet,
                    url=self.list_url,
                    user=self.user,
                    remote_addr=get_random_ip(),
                )

            # Clock has not moved yet: same user, so the request is refused.
            immediate = post_from_new_ip()
            assert immediate.status_code == 429, immediate.content

            # 61 seconds on, the 'burst' window is over but the 'hourly'
            # limit still applies.
            clock.tick(delta=timedelta(seconds=61))
            after_burst = post_from_new_ip()
            assert after_burst.status_code == 429, after_burst.content

            # A further 3601 seconds on, the hourly window is over as well,
            # yet the request is still refused.
            clock.tick(delta=timedelta(seconds=3601))
            after_hour = post_from_new_ip()
            assert after_hour.status_code == 429, after_hour.content

            # Another 86401 seconds (24h + 1s) later the upload goes through.
            clock.tick(delta=timedelta(seconds=86401))
            after_day = post_from_new_ip()
            assert after_day.status_code == 201, after_day.content
Esempio n. 2
    def _test_throttling_verb_user_burst(self, verb, url, expected_status=201):
        """Shared check for the per-user 'burst' throttle on ``verb`` + ``url``.

        Seeds six earlier actions for ``self.user``, expects the next request
        to be refused with 429, then expects ``expected_status`` once 61
        seconds have passed on the frozen clock.
        """
        def send_from_new_ip():
            # REMOTE_ADDR is redrawn for every request; only the user is
            # constant across the whole test.
            return self.request(
                verb,
                url=url,
                addon='@create-webextension',
                version='1.0',
                extra_kwargs={'REMOTE_ADDR': get_random_ip()})

        with freeze_time('2019-04-08 15:16:23.42') as clock:
            # The user is identical for every seeded action while the address
            # changes each time, so it is the per-user throttle that is under
            # test here: a new address alone should not avoid it.
            for _ in range(6):
                self._add_fake_throttling_action(
                    url, self.user, get_random_ip())

            # Still at the frozen instant: the same user is expected to be
            # throttled.
            blocked = send_from_new_ip()
            assert blocked.status_code == 429

            # 'Burst' throttling lasts 1 minute, so after 61 seconds the
            # request should be accepted again.
            clock.tick(delta=timedelta(seconds=61))
            retried = send_from_new_ip()
            assert retried.status_code == expected_status
Esempio n. 3
    def _test_throttling_verb_user_burst(self, verb, url, expected_status=201):
        """Shared check for the per-user 'burst' throttle on ``verb`` + ``url``.

        Seeds six earlier actions for ``self.user`` against
        ``self.view_class``, expects the next request to be refused with 429,
        then expects ``expected_status`` once 61 seconds have passed on the
        frozen clock.
        """
        def send_from_new_ip():
            # REMOTE_ADDR is redrawn for every request; only the user is
            # constant across the whole test.
            return self.request(
                verb,
                url=url,
                addon='@create-webextension',
                version='1.0',
                extra_kwargs={'REMOTE_ADDR': get_random_ip()})

        with freeze_time('2019-04-08 15:16:23.42') as clock:
            # The user is identical for every seeded action while the address
            # changes each time, so it is the per-user throttle that is under
            # test here: a new address alone should not avoid it.
            for _ in range(6):
                self._add_fake_throttling_action(
                    view_class=self.view_class,
                    url=url,
                    user=self.user,
                    remote_addr=get_random_ip(),
                )

            # Still at the frozen instant: the same user is expected to be
            # throttled.
            blocked = send_from_new_ip()
            assert blocked.status_code == 429

            # 'Burst' throttling lasts 1 minute, so after 61 seconds the
            # request should be accepted again.
            clock.tick(delta=timedelta(seconds=61))
            retried = send_from_new_ip()
            assert retried.status_code == expected_status
Esempio n. 4
    def test_throttling(self, parse_addon_mock):
        """Check that NewUploadForm refuses a throttled user, then recovers.

        The request is sent from the fixed address 5.6.7.8 while the six
        seeded actions use random addresses and the same user, so the form
        error is expected to come from the per-user throttle rather than from
        the address. ``parse_addon_mock`` is not used in the body.
        """
        upload = FileUpload.objects.create(valid=True, name='foo.xpi')
        payload = {'upload': upload.uuid, 'compatible_apps': [amo.FIREFOX.id]}
        request = req_factory_factory('/', post=True, data=payload)
        request.user = user_factory()
        request.META['REMOTE_ADDR'] = '5.6.7.8'
        # Non-field error the form is expected to report while throttled.
        throttled_errors = [
            'You have submitted too many uploads recently. '
            'Please try again after some time.'
        ]

        with freeze_time('2019-04-08 15:16:23.42') as clock:
            # Seed six earlier actions for this user against VersionView.
            for _ in range(6):
                self._add_fake_throttling_action(
                    view_class=VersionView,
                    url='/',
                    user=request.user,
                    remote_addr=get_random_ip(),
                )

            rejected = forms.NewUploadForm(payload, request=request)
            assert not rejected.is_valid()
            assert rejected.errors.get('__all__') == throttled_errors

            # 61 seconds later the same submission validates.
            clock.tick(delta=timedelta(seconds=61))
            accepted = forms.NewUploadForm(payload, request=request)
            assert accepted.is_valid()
Esempio n. 5
    def test_rate_limiting(self):
        """Check that SitePermissionGeneratorForm is rate limited per user.

        The request address is fixed at 5.6.7.8 while the six seeded actions
        use random addresses and ``self.request.user``, so the form error is
        expected to come from the per-user throttle.
        """
        def build_form():
            # A fresh data dict per form, exactly as submitted each time.
            return forms.SitePermissionGeneratorForm(
                {
                    'site_permissions': _DEFAULT_SITE_PERMISSIONS,
                    'origin': 'https://foo.com',
                },
                request=self.request,
            )

        self.request.META['REMOTE_ADDR'] = '5.6.7.8'
        # Non-field error the form is expected to report while throttled.
        throttled_errors = [
            'You have submitted too many uploads recently. '
            'Please try again after some time.'
        ]

        with freeze_time('2021-01-08 15:16:23.42') as clock:
            # NOTE(review): the seeded actions are recorded against
            # VersionView; presumably this form is checked against the same
            # throttle -- confirm against the form implementation.
            for _ in range(6):
                self._add_fake_throttling_action(
                    view_class=VersionView,
                    url='/',
                    user=self.request.user,
                    remote_addr=get_random_ip(),
                )

            rejected = build_form()
            assert not rejected.is_valid()
            assert rejected.errors.get('__all__') == throttled_errors

            # 61 seconds later the same submission validates.
            clock.tick(delta=timedelta(seconds=61))
            accepted = build_form()
            assert accepted.is_valid()
Esempio n. 6
    def test_throttling(self, parse_addon_mock):
        """Check that NewUploadForm refuses a throttled user, then recovers.

        The request is sent from the fixed address 5.6.7.8 while the six
        seeded actions use random addresses and the same user, so the form
        error is expected to come from the per-user throttle rather than from
        the address. ``parse_addon_mock`` is not used in the body.
        """
        upload = FileUpload.objects.create(valid=True, name='foo.xpi')
        payload = {'upload': upload.uuid, 'compatible_apps': [amo.FIREFOX.id]}
        request = req_factory_factory('/', post=True, data=payload)
        request.user = user_factory()
        request.META['REMOTE_ADDR'] = '5.6.7.8'
        # Non-field error the form is expected to report while throttled.
        throttled_errors = [
            'You have submitted too many uploads recently. '
            'Please try again after some time.'
        ]

        with freeze_time('2019-04-08 15:16:23.42') as clock:
            # Seed six earlier actions for this user against VersionView.
            for _ in range(6):
                self._add_fake_throttling_action(
                    view_class=VersionView,
                    url='/',
                    user=request.user,
                    remote_addr=get_random_ip(),
                )

            rejected = forms.NewUploadForm(payload, request=request)
            assert not rejected.is_valid()
            assert rejected.errors.get('__all__') == throttled_errors

            # 61 seconds later the same submission validates.
            clock.tick(delta=timedelta(seconds=61))
            accepted = forms.NewUploadForm(payload, request=request)
            assert accepted.is_valid()
Esempio n. 7
    def _test_throttling_verb_user_sustained(self,
                                             verb,
                                             url,
                                             expected_status=201):
        """Shared check for the per-user 'sustained' throttle on ``verb`` + ``url``.

        Seeds fifty earlier actions for ``self.user`` against
        ``self.view_class``, expects 429 immediately and again after the burst
        window, then expects ``expected_status`` once a further 3601 seconds
        have passed on the frozen clock.
        """
        def send_from_new_ip():
            # REMOTE_ADDR is redrawn for every request; only the user is
            # constant across the whole test.
            return self.request(
                verb,
                url=url,
                addon='@create-webextension',
                version='1.0',
                extra_kwargs={'REMOTE_ADDR': get_random_ip()})

        with freeze_time('2019-04-08 15:16:23.42') as clock:
            # The user is identical for every seeded action while the address
            # changes each time, so it is the per-user throttle that is under
            # test here: a new address alone should not avoid it.
            for _ in range(50):
                self._add_fake_throttling_action(
                    view_class=self.view_class,
                    url=url,
                    user=self.user,
                    remote_addr=get_random_ip(),
                )

            # Still at the frozen instant: the same user is expected to be
            # throttled.
            immediate = send_from_new_ip()
            assert immediate.status_code == 429

            # 61 seconds on, the 'burst' window is over but the 'sustained'
            # limit still refuses the request.
            clock.tick(delta=timedelta(seconds=61))
            after_burst = send_from_new_ip()
            assert after_burst.status_code == 429

            # 'Sustained' throttling lasts 1 hour, so 3601 seconds later the
            # request should be accepted again.
            clock.tick(delta=timedelta(seconds=3601))
            after_hour = send_from_new_ip()
            assert after_hour.status_code == expected_status
Esempio n. 8
    def test_throttling_user_burst(self):
        """Check the per-user 'burst' upload throttle and its one-minute reset.

        Every seeded action and every request below carries a freshly drawn
        ``get_random_ip()`` address while the user stays the same, so the 429
        is expected to come from throttling keyed on the account rather than
        on the source address.
        """
        def post_from_new_ip():
            # Each attempt is sent with a newly drawn client address.
            return self._create_post(ip=get_random_ip())

        with freeze_time('2019-04-08 15:16:23.42') as clock:
            # Seed six earlier actions for this user, one per random address.
            for _ in range(6):
                self._add_fake_throttling_action(
                    view_class=FileUploadViewSet,
                    url=self.list_url,
                    user=self.user,
                    remote_addr=get_random_ip(),
                )

            # Clock has not moved yet: same user, so the request is refused.
            blocked = post_from_new_ip()
            assert blocked.status_code == 429, blocked.content

            # 'Burst' throttling lasts 1 minute, so after 61 seconds the
            # upload should be accepted again.
            clock.tick(delta=timedelta(seconds=61))
            retried = post_from_new_ip()
            assert retried.status_code == 201, retried.content