Fix race condition in rack-attack oAuth token specs

Andrew Evans requested to merge atevans-rack-attack-broken-master into master

What does this MR do and why?

Potentially fixes master broken incident 6315

Fix race condition in rack-attack oAuth token specs

When running the Rack::Attack request spec shared examples, it may be possible for a race condition to occur. To check that Rack::Attack will "unlock" a token after the specified throttling period, the specs use travel_to(period) to change the Ruby time into the future. However, one of the oAuth tokens generated for the spec is set to expire in period + 1. If the clock ticks over to the next second while making the unlocked-period checks, then we would get an expired token error instead of the expected response.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. rspec spec/requests/rack_attack_global_spec.rb
  2. Should pass consistently, even in CI
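
The timing described above can be replayed with a small model. This is an added example, not code from the merge request or from GitLab: FakeClock, Token, App and unlocked_status are hypothetical names, and the model assumes integer seconds, a token that is rejected once the clock reaches its expiry, and authentication running before the throttle check. It shows the arithmetic of the race only and says nothing about how the MR itself changes the spec.

```ruby
# Constructed model: FakeClock, Token and App are hypothetical stand-ins,
# not GitLab, Doorkeeper or Rack::Attack classes.
class FakeClock
  attr_reader :now

  def initialize(now = 0)
    @now = now
  end

  # Stand-in for travel_to: jump the clock forward by whole seconds.
  def travel(seconds)
    @now += seconds
  end
  alias tick travel # time that passes while the spec is still running
end

Token = Struct.new(:value, :expires_at)

class App
  def initialize(clock, limit:, period:)
    @clock, @limit, @period = clock, limit, period
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Assumption: auth runs before throttling and rejects at the expiry second,
  # so an expired token hides the throttle result the spec wants to observe.
  def call(token)
    return 401 if @clock.now >= token.expires_at

    window = @hits[token.value].select { |t| t > @clock.now - @period }
    return 429 if window.size >= @limit

    @hits[token.value] = window << @clock.now
    200
  end
end

# Replays the spec: exhaust the limit, confirm the throttle, travel past the
# period, then check the token is unlocked. `drift` is the extra elapsed time.
def unlocked_status(token_ttl:, drift:, limit: 3, period: 60)
  clock = FakeClock.new
  app = App.new(clock, limit: limit, period: period)
  token = Token.new("tok", clock.now + token_ttl)
  limit.times { app.call(token) }
  throttled = app.call(token)
  clock.travel(period)
  clock.tick(drift)
  [throttled, app.call(token)]
end
```

With `token_ttl: 61` (period + 1) the final status is 200 when `drift` is 0 and 401 when `drift` is 1, which is the intermittent failure the description reports; a TTL with more headroom than the drift returns 200 in both cases.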