How do I disable csrf protection on gitlab enterprise server? - ruby-on-rails

I have an internal requirement to stress GitLab to evaluate its performance serving requests for large repos with concurrent commits by many engineers. I am using JMeter to record a flow of committing a file from the UI. On replay, I get a 403 because the CSRF token validation fails. I have tried extracting the authenticity_token via regex, but the value used in the X-CSRF-Token header is different, and there is no way for me to extract that value from the preceding response.
For the purposes of my load testing, I want to disable this check in gitlab-rails. Where and how should I go about doing this?
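Rather than switching forgery protection off, the replay can be made to pass the check the same way a browser does. The Ruby below is an added example, not GitLab's or Rails' own code: it re-implements the masking Rails applies to its per-session CSRF secret (a fresh one-time pad prepended to pad XOR secret, then Base64), which is why the hidden authenticity_token field and the csrf-token meta tag carry different strings that both validate, and it pulls the meta tag value out of a constructed page fragment the way a JMeter regex post-processor would before sending it in X-CSRF-Token. TOKEN_LENGTH, the sample markup and the Base64 alphabet are assumptions (Rails versions differ on the alphabet).

```ruby
require 'securerandom'

TOKEN_LENGTH = 32 # assumed; same length as Rails' AUTHENTICITY_TOKEN_LENGTH

# XOR two equal-length byte strings (the role Rails' xor_byte_strings plays).
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Constant-time comparison so a forged token cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The per-session secret Rails keeps in session[:_csrf_token].
def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Masking: a random one-time pad is prepended to (pad XOR real token), so every
# form field and every csrf-token meta tag shows a different string even though
# they all wrap the same session secret.
def mask_token(real_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  [pad + xor_bytes(pad, real_token)].pack('m0') # strict Base64 (alphabet assumed)
end

# Reverse the masking; returns nil for anything that is not a well-formed token.
def unmask_token(masked)
  bytes = masked.unpack1('m0')
  return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
  xor_bytes(bytes[0, TOKEN_LENGTH], bytes[TOKEN_LENGTH, TOKEN_LENGTH])
rescue ArgumentError # not valid strict Base64
  nil
end

# Server-side verification of the authenticity_token param or X-CSRF-Token header.
def valid_token?(session_token, presented)
  real = unmask_token(presented.to_s)
  !real.nil? && secure_compare(real, session_token)
end

# Constructed stand-in for the <head> of a Rails page (not GitLab's markup).
def sample_page(masked_token)
  <<~HTML
    <head>
      <meta name="csrf-param" content="authenticity_token" />
      <meta name="csrf-token" content="#{masked_token}" />
    </head>
  HTML
end

# The load-test side of correlation: take the meta tag value from the response
# that rendered the page and send it back in the X-CSRF-Token header.
def extract_meta_csrf_token(html)
  html[/<meta name="csrf-token" content="([^"]+)"/, 1]
end

if __FILE__ == $PROGRAM_NAME
  session = new_session_token
  form_field = mask_token(session)
  meta_tag = mask_token(session)
  puts "form field and meta tag differ: #{form_field != meta_tag}"
  puts "both verify: #{valid_token?(session, form_field) && valid_token?(session, meta_tag)}"
  puts "extracted from page: #{extract_meta_csrf_token(sample_page(meta_tag)) == meta_tag}"
end
```

Either masked string is accepted as long as it was issued for the session whose cookie the replay sends, so the correlation step is: extract the meta content from the response that rendered the commit form, send it in X-CSRF-Token together with the same cookie jar, and re-extract after every fresh page load. Disabling protect_from_forgery instead would also take the verification work out of the measured request path, so the numbers would not reflect what production does.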

Related

I am trying to perform mobile load testing using JMeter but I receive a 401 error in the result tree

I am trying to load test my mobile application using JMeter. I have given the authorization token in the HTTP Header Manager and recorded the mobile app operations. But when I run this recorded script and view the result in the result tree, all of the operations appear as failed, and for some I see a 401 unauthorized error. Please help me in solving this problem.
This image shows the result I get after running the recorded
An HTTP 401 status code means that you failed to provide correct credentials or a token; you need either to log in somehow or to pass a "good" token which your system expects.
In the majority of cases you cannot just replay a recorded script without prior correlation: the process of extracting dynamic data from the previous response using a suitable Post-Processor, converting it into a JMeter Variable and adding it to the next request.
You can determine which parts of a request are dynamic by recording the same actions once again and comparing the scripts. If there are differences, you will need to handle the corresponding parameters.
An alternative option is using a cloud-based proxy service for recording; it can export recorded requests in SmartJMX mode, with automatic detection and correlation of any dynamic parameters. See the How to Cut Your JMeter Scripting Time by 80% article for more information.

Controlling IIS BITS uploads

I'm running an IIS web site (built using ASP.NET/MVC) that among other things collects files from multiple agents that anonymously upload the files via BITS.
I need to make sure that only files uploaded from known sources as well as matching certain predefined file name pattern will be accepted by IIS. All other BITS upload attempts must be cancelled.
As I understand, BITS uses an ad hoc protocol over HTTP 1.1 using "BITS_POST" verb. So, ideally, I'd like to hook into IIS, analyze a BITS_POST request info and if it does not satisfy my pre-conditions, drop the request.
I've tried to create and register a filter implementing IActionFilter.OnActionExecuting, but it seems that my filter does not receive BITS_POST requests.
I'd be glad to hear if somebody has implemented similar BITS-related solutions and how this was done. Anyway, other ideas are welcome too.
Regards,
Natan
I have never worked with BITS; frankly, I don't know what it is.
What I usually do in such situations is implement an HTTP module. On its begin request event, you can iterate through the incoming HTTP request data and decide to stop processing the request if the data does not comply with the requirements. You have full access to the HttpContext.Current.Request object from HTTP module code.
With HTTP modules, you can execute .NET code even before entering the ASP.NET pipeline.

Recorded scripts in JMeter don't make an order due to CSRF token in URL

Using the JMeter GUI, I recorded a test scenario (placing an order) and the script ran successfully. But when I replay the test script, it doesn't function as it was recorded to do; it does not make an order.
After querying the dev, I found that with each item selected, the server generates a CSRF token and puts the token in the URL path (like: /cart/add/type/product_id/7245985/_csrf_token/b46c0aec2e5891808ec42141b1956943204ae8f8) when the item is added to the shopping cart. This is all recorded in the script. This path with the token is used to add the item to the cart.
My question is how to test this dynamic token when it is concatenated in the path of URL?
Any help is appreciated.
If you have not already added a Tree View Listener to your Test Plan, then add it now. You can use it to view the details of requests and responses. JMeter considers a request successful if it gets "some" response from the server side. It does not matter if the response is functionally valid or not. So, in order to make sure that JMeter is sending valid parameters and receiving the expected response, you will have to check the details of requests/responses in the Tree View Listener.
You can also add Response Assertions to requests so JMeter itself verifies that it is getting expected responses.
Important Tips:
Use the Tree View Listener for debugging only. In a real load test keep it disabled, as it consumes a lot of memory.
Do not use response assertions excessively, as they consume a lot of memory as well.
JMeter is not a browser-based tool. It just deals with back-end requests. Hence it is expected to be very fast, so nothing is wrong with that. You should remove unnecessary timers, as there is nothing wrong with it being fast.
If your requests involve some kind of login authorization, then have a look at this question for further details: Load testing using JMeter with basic authentication
Recording doesn't guarantee a working script; it gives you only a "skeleton", and usually you need to perform some correlation (the process of extracting a mandatory dynamic parameter from the previous response and adding it to the next request).
Reference material:
Building a Web Test Plan
Building an Advanced Web Test Plan
How to use JMeter for Login Authentication?
How to make JMeter behave more like a real browser

Intermittent token failure with load-balanced OAuth

We have implemented our own OAuth provider and are having an issue when the system runs in a load-balanced scenario. When we run with a single server all is well, but when we switch the other one on we get the following situation:
Token ‘A’ generated on server 1
Token ‘A’ not valid on server 2.
I have done some Googling on this and it seems to be a known issue but can’t seem to find a solution.
Anybody got an idea?
Thanks
You will have to make sure that you do one of:
synchronize the state of your Authorization Server between all load-balanced nodes by using a shared cache (e.g. database or file system) or replicate state across nodes using some replication mechanism
your Authorization Server issues tokens that can be inspected by the load balancer to find out to which node it needs to send the validation request
The latter has the downside that it cannot be used in a high availability scenario.
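The situations the answer describes, as an added Ruby example (not the asker's provider or any library's code): one OpaqueTokenNode class backed by a node-local Hash reproduces the "valid on server 1, invalid on server 2" symptom; the same class backed by a single Hash shared by both nodes stands in for the database/cache option; and SignedTokenNode issues HMAC-signed self-contained tokens that any node holding the key can validate without a lookup or any routing hint. The token format, claim names and TTL are assumptions made for the example.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Constant-time equality for signatures.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Opaque random tokens that mean something only to whoever holds the store.
# `store` is a Hash standing in for node-local memory or for a shared
# database/cache; the behaviour differs only in who else sees the entry.
class OpaqueTokenNode
  def initialize(store)
    @store = store
  end

  def issue(client_id)
    token = SecureRandom.urlsafe_base64(32)
    @store[token] = client_id
    token
  end

  # Returns the client id, or nil when this node has never seen the token.
  def validate(token)
    @store[token]
  end
end

# Self-contained tokens: Base64 JSON claims plus an HMAC-SHA256 over them, so
# any node holding the key can validate without consulting a store.
# Format and claim names are assumptions for this example, not a standard.
class SignedTokenNode
  def initialize(key)
    @key = key
  end

  def issue(client_id, ttl: 3600, now: Time.now.to_i)
    claims = { 'sub' => client_id, 'exp' => now + ttl, 'jti' => SecureRandom.hex(8) }
    payload = [claims.to_json].pack('m0') # strict Base64 never contains "."
    "#{payload}.#{sign(payload)}"
  end

  # Verify the signature before trusting anything inside the payload.
  def validate(token, now: Time.now.to_i)
    payload, sig = token.to_s.split('.', 2)
    return nil if payload.nil? || sig.nil? || !secure_compare(sign(payload), sig)
    claims = JSON.parse(payload.unpack1('m0'))
    claims['exp'] > now ? claims['sub'] : nil
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest('SHA256', @key, data)
  end
end

# Replays the three situations; each value is [node 1 result, node 2 result].
def demo
  local1, local2 = OpaqueTokenNode.new({}), OpaqueTokenNode.new({})
  t = local1.issue('client-a')
  node_local = [local1.validate(t), local2.validate(t)]

  shared = {}
  shared1, shared2 = OpaqueTokenNode.new(shared), OpaqueTokenNode.new(shared)
  t = shared1.issue('client-a')
  shared_store = [shared1.validate(t), shared2.validate(t)]

  key = SecureRandom.random_bytes(32)
  signed1, signed2 = SignedTokenNode.new(key), SignedTokenNode.new(key)
  t = signed1.issue('client-a', now: 1_700_000_000)
  signed = [signed1.validate(t, now: 1_700_000_001), signed2.validate(t, now: 1_700_000_001)]

  { node_local: node_local, shared_store: shared_store, signed: signed }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The signed variant removes the routing dependency the answer notes for node-pinned tokens, but it trades it for two others: revoking a token before it expires again needs shared state (a deny list that every node checks), and every node must hold the same key, so key rotation has to be coordinated across the pool, as the mismatched-key case shows.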

Replay Ruby on Rails logs including parameters and session information?

JMeter's Access Log Sampler requires Common Log Format logs to replay HTTP requests. I want to use it to replay actions in a Rails application from the log, including params passing. Is there any way to do this with JMeter or any other tool? I suppose I could parse the logs into curl requests, but can this way maintain session information (keeping track of which user performed which action)?
Edit: I should say what this is for. It can be useful for either performance testing or data recovery. In our case we need to verify some data in the database by using our logs because the db may have data integrity issues.
I am looking at paper_trail to get this kind of functionality in the future. For the app in question, we had to do some heavy-duty log parsing to get the results we needed. It included separating the actions out by IP address (thus simulating sessions, although some IP addresses contained multiple user sessions) and parsing the actions and params in the logs. It was not 100% effective at reproducing the exact state of the database, but it was pretty close.
HTTP Raw Request for JMeter may help with this.
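What the log-parsing approach in the answer involves, as an added Ruby example rather than the poster's tooling: it reads the Started/Parameters/Completed lines Rails writes for each request, parses the Hash#inspect form of the parameters without eval, groups the requests into approximate sessions by client IP, and lists the parameters Rails redacted as [FILTERED], which no replay can take from the log. The log lines are constructed for the example; the format assumed is the default untagged Rails request log.

```ruby
# Minimal parser for the Hash#inspect form Rails writes after "Parameters:"
# (string keys and values, nested hashes, arrays). eval would parse it too,
# but would also run any Ruby a request parameter managed to get into the log.
class InspectParser
  def initialize(src)
    @s = src
    @i = 0
  end

  def parse
    v = value
    skip_ws
    raise ArgumentError, "trailing data at #{@i}" unless @i == @s.length
    v
  end

  private

  def skip_ws
    @i += 1 while @s[@i] == ' '
  end

  def expect(ch)
    raise ArgumentError, "expected #{ch.inspect} at #{@i}" unless @s[@i] == ch
    @i += 1
  end

  def value
    skip_ws
    case @s[@i]
    when '{' then container('{', '}', {}) { |h| k = value; skip_ws; expect('='); expect('>'); h[k] = value }
    when '[' then container('[', ']', []) { |a| a << value }
    when '"' then string
    else raise ArgumentError, "unexpected #{@s[@i].inspect} at #{@i}"
    end
  end

  # Shared loop for {...} and [...]; the block reads one element into acc.
  def container(open, close, acc)
    expect(open)
    skip_ws
    until @s[@i] == close
      yield acc
      skip_ws
      expect(',') unless @s[@i] == close
    end
    @i += 1
    acc
  end

  def string
    expect('"')
    out = +''
    until @s[@i] == '"'
      @i += 1 if @s[@i] == '\\' # keep the escaped character literally (covers \" and \\)
      raise ArgumentError, 'unterminated string' if @s[@i].nil?
      out << @s[@i]
      @i += 1
    end
    @i += 1
    out
  end
end

Request = Struct.new(:verb, :path, :ip, :params, :status)

# Each "Started" line opens a request; the "Parameters:" and "Completed" lines
# that follow fill it in (assumes the untagged, single-process log format).
def parse_rails_log(text)
  requests = []
  text.each_line do |raw|
    line = raw.strip
    if (m = line.match(/\AStarted (\w+) "([^"]*)" for (\S+) at /))
      requests << Request.new(m[1], m[2], m[3], {}, nil)
    elsif (m = line.match(/\AParameters: (\{.*\})\z/)) && requests.last
      requests.last.params = InspectParser.new(m[1]).parse
    elsif (m = line.match(/\ACompleted (\d+)/)) && requests.last
      requests.last.status = m[1].to_i
    end
  end
  requests
end

# Approximate sessions by client IP, as the answer did; several users behind
# one address still collapse into one session here.
def sessions_by_ip(requests)
  requests.group_by(&:ip)
end

# Parameter names Rails redacted in the log; a replay cannot recover these.
def filtered_keys(params, prefix = '')
  params.flat_map do |k, v|
    name = prefix.empty? ? k : "#{prefix}[#{k}]"
    if v.is_a?(Hash) then filtered_keys(v, name)
    elsif v == '[FILTERED]' then [name]
    else []
    end
  end
end

# Constructed log lines in the default Rails request-log format.
SAMPLE_LOG = <<~LOG
  Started GET "/cart" for 10.0.0.5 at 2023-05-01 10:15:01 +0000
  Completed 200 OK in 12ms (Views: 8.1ms | ActiveRecord: 1.2ms)
  Started POST "/cart/add" for 10.0.0.5 at 2023-05-01 10:15:02 +0000
  Processing by CartsController#add as HTML
    Parameters: {"authenticity_token"=>"[FILTERED]", "product_id"=>"7245985", "options"=>{"size"=>"M", "gift"=>["wrap"]}}
  Completed 302 Found in 45ms (ActiveRecord: 12.0ms)
  Started POST "/session" for 10.0.0.9 at 2023-05-01 10:15:03 +0000
    Parameters: {"user"=>{"email"=>"a@example.com", "password"=>"[FILTERED]"}}
  Completed 302 Found in 30ms (ActiveRecord: 5.0ms)
LOG
```

Attributing a Parameters line to the preceding Started line assumes the lines of one request are contiguous; under a multi-threaded server the lines of concurrent requests interleave, and config.log_tags with :request_id is what makes it possible to stitch them back together. The [FILTERED] list is the other practical limit: the CSRF token and any password never reach the log, so a replay has to obtain them afresh rather than from the parsed parameters.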
