Extend CSRF token mismatch instrumentation with auth metadata

05e195e1 · Grzegorz Bizon · 19c99bfa · 05e195e1 · 05e195e1 · 05e195e1
Commit 05e195e1 authored 4 months ago by Grzegorz Bizon
--- a/lib/gitlab/auth/activity.rb
+++ b/lib/gitlab/auth/activity.rb
@@ -63,10 +63,15 @@ def user_session_destroyed!
      end

      def user_csrf_token_mismatch!
-        label = @opts[:controller].class.name
-        label = 'other' unless label == 'GraphqlController'
+        controller = @opts[:controller]
+        controller_label = controller.class.name
+        controller_label = 'other' unless controller_label == 'GraphqlController'

-        self.class.user_csrf_token_invalid_counter.increment(controller: label)
+        session = controller.try(:request).try(:session)
+        user_auth_type_label = session.try(:loaded?) ? 'session' : 'other'
+
+        self.class.user_csrf_token_invalid_counter
+          .increment(controller: controller_label, auth: user_auth_type_label)
      end

      def self.each_counter

--- a/spec/lib/gitlab/auth/activity_spec.rb
+++ b/spec/lib/gitlab/auth/activity_spec.rb
@@ -2,7 +2,7 @@

 require 'spec_helper'

-RSpec.describe Gitlab::Auth::Activity do
+RSpec.describe Gitlab::Auth::Activity, feature_category: :system_access do
  describe '.each_counter' do
    it 'has all static counters defined' do
      described_class.each_counter do |counter|
@@ -36,7 +36,7 @@
        metrics = described_class.new(controller: GraphqlController.new)

        expect(described_class.user_csrf_token_invalid_counter)
-          .to receive(:increment).with(controller: 'GraphqlController')
+          .to receive(:increment).with(controller: 'GraphqlController', auth: 'other')

        metrics.user_csrf_token_mismatch!
      end
@@ -47,7 +47,7 @@
        metrics = described_class.new(controller: ApplicationController.new)

        expect(described_class.user_csrf_token_invalid_counter)
-          .to receive(:increment).with(controller: 'other')
+          .to receive(:increment).with(controller: 'other', auth: 'other')

        metrics.user_csrf_token_mismatch!
      end

--- a/spec/requests/api/graphql_spec.rb
+++ b/spec/requests/api/graphql_spec.rb
@@ -235,8 +235,10 @@
        stub_authentication_activity_metrics do |metrics|
          expect(metrics)
            .to increment(:user_authenticated_counter)
-            .and increment(:user_csrf_token_invalid_counter)
            .and increment(:user_session_destroyed_counter)
+
+          expect(metrics.user_csrf_token_invalid_counter)
+            .to receive(:increment).with(controller: 'GraphqlController', auth: 'session')
        end

        post_graphql(query, headers: { 'X-CSRF-Token' => 'invalid' })
@@ -268,7 +270,14 @@
            .to increment(:user_authenticated_counter)
            .and increment(:user_session_override_counter)
            .and increment(:user_sessionless_authentication_counter)
-            .and increment(:user_csrf_token_invalid_counter) # TODO: is that expected?
+
+          ##
+          # TODO: PAT authentication should not trigger `handle_unverified_request` on CSRF token mismatch.
+          #
+          # `auth` type is 'other' here, becase we `handle_unverified_request` before we call sessionless sign in hooks.
+          #
+          expect(metrics.user_csrf_token_invalid_counter)
+            .to receive(:increment).with(controller: 'GraphqlController', auth: 'other')
        end

        post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })