Add configurable rate limiting for dev/stage environments
- Add ORCHARD_LOGIN_RATE_LIMIT env var to Helm deployment template - Set relaxed rate limit (1000/minute) for dev/stage deployments - Production keeps strict default (5/minute) for security - Re-enable auth tests in CI (no longer excluded by marker) - Update test docstrings to reflect rate limit configuration
This commit is contained in:
Mondo Diaz
@@ -52,13 +52,13 @@ kics:
|
|||||||
- pip install --index-url "$PIP_INDEX_URL" pytest pytest-asyncio httpx
|
- pip install --index-url "$PIP_INDEX_URL" pytest pytest-asyncio httpx
|
||||||
script:
|
script:
|
||||||
- cd backend
|
- cd backend
|
||||||
# Run full integration test suite, excluding large/slow tests and auth-intensive tests
|
# Run full integration test suite, excluding large/slow tests
|
||||||
# Auth-intensive tests make many login requests which trigger rate limiting on deployed environments
|
|
||||||
# ORCHARD_TEST_URL tells the tests which server to connect to
|
# ORCHARD_TEST_URL tells the tests which server to connect to
|
||||||
|
# Note: Auth tests work because dev/stage deployments have relaxed rate limits
|
||||||
- |
|
- |
|
||||||
python -m pytest tests/integration/ -v \
|
python -m pytest tests/integration/ -v \
|
||||||
--junitxml=integration-report.xml \
|
--junitxml=integration-report.xml \
|
||||||
-m "not large and not slow and not auth_intensive" \
|
-m "not large and not slow" \
|
||||||
--tb=short
|
--tb=short
|
||||||
artifacts:
|
artifacts:
|
||||||
when: always
|
when: always
|
||||||
|
|||||||
@@ -81,7 +81,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||||||
- Improved pod naming: Orchard pods now named `orchard-{env}-server-*` for clarity (#51)
|
- Improved pod naming: Orchard pods now named `orchard-{env}-server-*` for clarity (#51)
|
||||||
|
|
||||||
### Fixed
|
### Fixed
|
||||||
- Fixed CI integration test rate limiting: added `auth_intensive` marker and excluded auth-heavy tests from deployed environments
|
- Fixed CI integration test rate limiting: added configurable `ORCHARD_LOGIN_RATE_LIMIT` env var, relaxed to 1000/minute for dev/stage
|
||||||
- Fixed duplicate `TestSecurityEdgeCases` class definition in test_auth_api.py
|
- Fixed duplicate `TestSecurityEdgeCases` class definition in test_auth_api.py
|
||||||
- Fixed integration tests auth: session-scoped client, configurable credentials via env vars, fail-fast on auth errors
|
- Fixed integration tests auth: session-scoped client, configurable credentials via env vars, fail-fast on auth errors
|
||||||
- Fixed Content-Disposition header encoding for non-ASCII filenames using RFC 5987 (#38)
|
- Fixed Content-Disposition header encoding for non-ASCII filenames using RFC 5987 (#38)
|
||||||
|
|||||||
@@ -1,15 +1,15 @@
|
|||||||
"""Integration tests for authentication API endpoints.
|
"""Integration tests for authentication API endpoints.
|
||||||
|
|
||||||
Note: These tests are marked as auth_intensive because they make many login
|
Note: These tests are marked as auth_intensive because they make many login
|
||||||
requests which can trigger rate limiting on deployed environments. They are
|
requests. Dev/stage deployments have relaxed rate limits (1000/minute) to
|
||||||
excluded from CI integration tests but run in local and unit test suites.
|
allow these tests to run. Production uses strict rate limits (5/minute).
|
||||||
"""
|
"""
|
||||||
|
|
||||||
import pytest
|
import pytest
|
||||||
from uuid import uuid4
|
from uuid import uuid4
|
||||||
|
|
||||||
|
|
||||||
# Mark all tests in this module as auth_intensive
|
# Mark all tests in this module as auth_intensive (informational, not excluded from CI)
|
||||||
pytestmark = pytest.mark.auth_intensive
|
pytestmark = pytest.mark.auth_intensive
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -110,6 +110,12 @@ spec:
|
|||||||
value: {{ .Values.orchard.download.mode | quote }}
|
value: {{ .Values.orchard.download.mode | quote }}
|
||||||
- name: ORCHARD_PRESIGNED_URL_EXPIRY
|
- name: ORCHARD_PRESIGNED_URL_EXPIRY
|
||||||
value: {{ .Values.orchard.download.presignedUrlExpiry | quote }}
|
value: {{ .Values.orchard.download.presignedUrlExpiry | quote }}
|
||||||
|
{{- if .Values.orchard.rateLimit }}
|
||||||
|
{{- if .Values.orchard.rateLimit.login }}
|
||||||
|
- name: ORCHARD_LOGIN_RATE_LIMIT
|
||||||
|
value: {{ .Values.orchard.rateLimit.login | quote }}
|
||||||
|
{{- end }}
|
||||||
|
{{- end }}
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
{{- toYaml .Values.livenessProbe | nindent 12 }}
|
{{- toYaml .Values.livenessProbe | nindent 12 }}
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
|
|||||||
@@ -113,6 +113,10 @@ orchard:
|
|||||||
mode: "presigned"
|
mode: "presigned"
|
||||||
presignedUrlExpiry: 3600
|
presignedUrlExpiry: 3600
|
||||||
|
|
||||||
|
# Relaxed rate limits for dev/feature environments (allows integration tests to run)
|
||||||
|
rateLimit:
|
||||||
|
login: "1000/minute" # Default is 5/minute, relaxed for CI integration tests
|
||||||
|
|
||||||
# PostgreSQL - ephemeral, no persistence
|
# PostgreSQL - ephemeral, no persistence
|
||||||
postgresql:
|
postgresql:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|||||||
@@ -120,6 +120,10 @@ orchard:
|
|||||||
mode: "presigned" # presigned, redirect, or proxy
|
mode: "presigned" # presigned, redirect, or proxy
|
||||||
presignedUrlExpiry: 3600 # Presigned URL expiry in seconds
|
presignedUrlExpiry: 3600 # Presigned URL expiry in seconds
|
||||||
|
|
||||||
|
# Relaxed rate limits for stage (allows CI integration tests to run)
|
||||||
|
rateLimit:
|
||||||
|
login: "1000/minute" # Default is 5/minute, relaxed for CI integration tests
|
||||||
|
|
||||||
# PostgreSQL subchart configuration
|
# PostgreSQL subchart configuration
|
||||||
postgresql:
|
postgresql:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|||||||
Reference in New Issue
Block a user