Merge lp:~maxiberta/canonical-identity-provider/registration-throttling into lp:canonical-identity-provider/release

Proposed by Maximiliano Bertacchini on 2018-12-20
Status: Merged
Approved by: Maximiliano Bertacchini on 2019-01-07
Approved revision: 1672
Merge reported by: Otto Co-Pilot
Merged at revision: not available
Proposed branch: lp:~maxiberta/canonical-identity-provider/registration-throttling
Merge into: lp:canonical-identity-provider/release
Diff against target: 77 lines (+14/-6)
3 files modified
django_project/settings_base.py (+1/-0)
src/api/v20/handlers.py (+1/-1)
src/api/v20/tests/test_handlers.py (+12/-5)
To merge this branch: bzr merge lp:~maxiberta/canonical-identity-provider/registration-throttling
Reviewer Review Type Date Requested Status
Adam Collard (community) 2018-12-20 Approve on 2018-12-21
Review via email: mp+361212@code.launchpad.net

Commit message

Update account registration throttling from 3600 req/h/IP to 360 req/h/IP.

review: Approve


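--- a/django_project/settings_base.py
+++ b/django_project/settings_base.py
@@ -582,6 +582,7 @@
 TESTING = False
 THOUSAND_SEPARATOR = ','
 THROTTLE_MAX_REQUESTS = 3600
+THROTTLE_MAX_REQUESTS_REGISTRATION = 360
 THROTTLE_WHITELIST_EMAIL_REGEXP_LIST = []
 TIMELOG_LOG = 'timelog.log'
 TIME_FORMAT = 'P'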
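Review bot: `THROTTLE_MAX_REQUESTS_REGISTRATION = 360` is added without any comment recording its unit, the window it applies to, or why it is one tenth of the general `THROTTLE_MAX_REQUESTS = 3600` two lines above; only the merge description says "req/h/IP". A reader of settings_base.py alone cannot tell the two settings share a window, and that is presumably the case only because the same throttle decorator consumes both — confirm against the decorator. Suggest a comment on the new line such as `# Limit for the account registration endpoint; same window as THROTTLE_MAX_REQUESTS (per hour per client IP per the throttle decorator), deliberately 1/10 of it.`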
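--- a/src/api/v20/handlers.py
+++ b/src/api/v20/handlers.py
@@ -277,7 +277,7 @@
  allowed_methods = ('POST',)
 
  @require_mime('json')
- @throttle()
+ @throttle(max_requests=settings.THROTTLE_MAX_REQUESTS_REGISTRATION)
  def create(self, request):
  """Create/register a new account."""
  if not gargoyle.is_active('USER_REGISTRATION_API_ENABLED', request):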
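Review bot: The limit in `@throttle(max_requests=settings.THROTTLE_MAX_REQUESTS_REGISTRATION)` is evaluated once, when the class body is executed at import time, so a runtime override of the setting (`override_settings` / `self.settings(...)`) has no effect on this handler; the rewritten test, which now mocks the cache counter instead of lowering the setting as it did before, looks like a workaround for exactly that. That is worth recording on the decorator line so the next maintainer does not reach for the setting override again, e.g. `# Bound at import time: runtime overrides of the setting do not apply to this handler.` If the throttle decorator reads its argument lazily per request this does not apply, but its implementation is not visible from this diff. The body of `create` continues beyond the hunk.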
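--- a/src/api/v20/tests/test_handlers.py
+++ b/src/api/v20/tests/test_handlers.py
@@ -601,10 +601,14 @@
  other_email = 'other@email.com'
  assert other_email != data['email']
 
- with self.settings(THROTTLE_MAX_REQUESTS=2):
+ max_requests = settings.THROTTLE_MAX_REQUESTS_REGISTRATION
+ with patch('piston.utils.cache') as mock_cache:
+ mock_cache.get.return_value = (max_requests - 1, time.time() + 42)
  response = self.do_post(data, status_code=201)
  self.assert_account_created()
 
+ with patch('piston.utils.cache') as mock_cache:
+ mock_cache.get.return_value = (max_requests, time.time() + 42)
  data['email'] = other_email
  response = self.do_post(data, status_code=429)
  self.assertEqual(response['code'], 'TOO_MANY_REQUESTS')
@@ -2005,7 +2009,8 @@
  mock_cache.get.return_value = (
  settings.THROTTLE_MAX_REQUESTS, time.time() + 42.99)
 
- def throttle_by_openid(self, openid):
+ def throttle_by_openid(self, openid,
+ max_requests=settings.THROTTLE_MAX_REQUESTS):
  mock_cache = self.patch('piston.utils.cache')
 
  def mock_get(key, default=None, version=None):
@@ -2013,9 +2018,9 @@
  # the first part of the key is the requester username
  _, extra = key.split(':', 1)
  if openid in extra:
- return settings.THROTTLE_MAX_REQUESTS, time.time() + 42.99
+ return max_requests, time.time() + 42.99
  else:
- return settings.THROTTLE_MAX_REQUESTS - 1, time.time() + 42.99
+ return max_requests - 1, time.time() + 42.99
  mock_cache.get = mock_get
 
  throttle_by_email = throttle_by_token = throttle_by_openid
@@ -2116,7 +2121,9 @@
  self.assert_handler_not_throttled(
  request, data=json.dumps(data),
  content_type='application/json',
- throttle_func=lambda: self.throttle_by_email(email))
+ throttle_func=lambda: self.throttle_by_email(
+ email,
+ max_requests=settings.THROTTLE_MAX_REQUESTS_REGISTRATION))
 
  def test_account_login_handler_throttled_by_email(self):
  url = reverse('api-login')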
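Review bot: In the first hunk the patched `piston.utils.cache` returns the same `(count, expiry)` tuple for every key, so the test now only verifies that the handler compares the cached count against `THROTTLE_MAX_REQUESTS_REGISTRATION`; the previous version, with `self.settings(THROTTLE_MAX_REQUESTS=2)` and unmocked requests, also exercised the counter being incremented between the two posts. That coverage is lost, and a regression in how the registration counter is keyed or advanced would still pass this test (the second hunk's `mock_get` shows the key carries a requester part, which this mock ignores). Suggest either keeping one unmocked assertion that a repeated request after the limit is reached returns 429, or at least a comment above the first `with patch(...)` such as `# Cache is mocked: this pins the limit the handler uses, not the per-client counting.` The enclosing test method starts before the hunk.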