Commit 0f3e7efd authored by Vasilii Iakliushin, committed by Douglas Barbosa Alexandre

Add throttling configuration for Files API endpoints

parent 5122e90a
...@@ -37,8 +37,7 @@ ...@@ -37,8 +37,7 @@
.settings-content .settings-content
= render partial: 'network_rate_limits', locals: { anchor: 'js-packages-limits-settings', setting_fragment: 'packages_api' } = render partial: 'network_rate_limits', locals: { anchor: 'js-packages-limits-settings', setting_fragment: 'packages_api' }
- if Feature.enabled?(:files_api_throttling, default_enabled: :yaml) %section.settings.as-files-limits.no-animate#js-files-limits-settings{ class: ('expanded' if expanded_by_default?) }
%section.settings.as-files-limits.no-animate#js-files-limits-settings{ class: ('expanded' if expanded_by_default?) }
.settings-header .settings-header
%h4 %h4
= _('Files API Rate Limits') = _('Files API Rate Limits')
......
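Review bot: with the `- if Feature.enabled?(:files_api_throttling, default_enabled: :yaml)` guard dropped, the `%section.settings.as-files-limits.no-animate#js-files-limits-settings` block moves up one indentation level; the flattened view here does not preserve whitespace, so confirm that the nested `.settings-header`, `%h4` and `= _('Files API Rate Limits')` lines were dedented by the same amount, otherwise HAML raises an inconsistent-indentation error. Rendering the section unconditionally is consistent with the flag checks being removed from `Gitlab::RackAttack::Request`, and the `class: ('expanded' if expanded_by_default?)` handling matches the packages section directly above.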
---
name: files_api_throttling
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68560
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/338903
milestone: '14.3'
type: development
group: group::source code
default_enabled: false
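Review bot: the commit title "Add throttling configuration for Files API endpoints" describes the feature this flag guarded, not this change, which deletes the `files_api_throttling` definition (`default_enabled: false`, milestone 14.3) and every `Feature.enabled?` check that references it; retitle it along the lines of "Remove files_api_throttling feature flag" so the history and the rollout issue (338903) line up with what the diff actually does.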
...@@ -88,12 +88,8 @@ requests per user. For more information, read ...@@ -88,12 +88,8 @@ requests per user. For more information, read
### Files API ### Files API
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3 [with a flag](../administration/feature_flags.md) named `files_api_throttling`. Disabled by default.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75918) in GitLab 14.6. [Feature flag `files_api_throttling`](https://gitlab.com/gitlab-org/gitlab/-/issues/338903) removed.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it available,
ask an administrator to [enable the `files_api_throttling` flag](../administration/feature_flags.md). On GitLab.com, this feature is available but can be configured by GitLab.com administrators only.
The feature is not ready for production use.
This setting limits the request rate on the Packages API per user or IP address. For more information, read This setting limits the request rate on the Packages API per user or IP address. For more information, read
[Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md). [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md).
......
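Review bot: the unchanged context line "This setting limits the request rate on the Packages API per user or IP address" sits under the `### Files API` heading and is a copy-paste error; it should say "Files API". Since this hunk already rewrites the history note for that section and removes the FLAG block, fix the sentence here rather than shipping a "Generally available" note next to a wrong description. The new history note itself is fine: it records the 14.3 introduction behind `files_api_throttling` and the 14.6 removal.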
...@@ -7,13 +7,8 @@ type: reference ...@@ -7,13 +7,8 @@ type: reference
# Files API rate limits **(FREE SELF)** # Files API rate limits **(FREE SELF)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3.
> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75918) in GitLab 14.6. [Feature flag files_api_throttling](https://gitlab.com/gitlab-org/gitlab/-/issues/338903) removed.
FLAG:
On self-managed GitLab, by default this feature is not available. To make it
available, ask an administrator to [enable the `files_api_throttling` flag](../../../administration/feature_flags.md).
On GitLab.com, this feature is available but can be configured by GitLab.com
administrators only. The feature is not ready for production use.
The [Repository files API](../../../api/repository_files.md) enables you to The [Repository files API](../../../api/repository_files.md) enables you to
fetch, create, update, and delete files in your repository. To improve the security fetch, create, update, and delete files in your repository. To improve the security
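Review bot: the two history notes added in this commit disagree. Here the 14.3 entry reads `[Introduced](...) in GitLab 14.3.` with no mention of the flag, and the 14.6 entry writes `Feature flag files_api_throttling` without backticks, whereas the doc/security/rate_limits.md hunk says "in GitLab 14.3 [with a flag](../administration/feature_flags.md) named `files_api_throttling`. Disabled by default." and puts the flag name in backticks. Use the same wording on both pages so a reader of either one sees that the feature was flag-gated and when the flag went away.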
...@@ -29,10 +24,9 @@ the general user and IP rate limits for requests to the ...@@ -29,10 +24,9 @@ the general user and IP rate limits for requests to the
and IP rate limits already in place, and increase or decrease the rate limits and IP rate limits already in place, and increase or decrease the rate limits
for the Files API. No other new features are provided by this override. for the Files API. No other new features are provided by this override.
Prerequisites: Prerequisite:
- You must have the Administrator role for your instance. - You must have the Administrator role for your instance.
- The `files_api_throttling` feature flag must be enabled.
To override the general user and IP rate limits for requests to the Repository files API: To override the general user and IP rate limits for requests to the Repository files API:
......
...@@ -139,14 +139,12 @@ module Gitlab ...@@ -139,14 +139,12 @@ module Gitlab
def throttle_unauthenticated_files_api? def throttle_unauthenticated_files_api?
files_api_path? && files_api_path? &&
Feature.enabled?(:files_api_throttling, default_enabled: :yaml) &&
Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled && Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled &&
unauthenticated? unauthenticated?
end end
def throttle_authenticated_files_api? def throttle_authenticated_files_api?
files_api_path? && files_api_path? &&
Feature.enabled?(:files_api_throttling, default_enabled: :yaml) &&
Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
end end
......
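Review bot: dropping `Feature.enabled?(:files_api_throttling, default_enabled: :yaml)` from both predicates changes what gates the throttle on self-managed instances. Before, the Files API limits were inert unless the flag had been enabled (its definition carried `default_enabled: false`); now `Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled` and `throttle_authenticated_files_api_enabled` alone decide. An administrator who saved those settings in the admin UI while the flag was off will start rate limiting Files API requests on upgrade, so this should be called out in the release notes. The asymmetry between the two predicates (only `throttle_unauthenticated_files_api?` also checks `unauthenticated?`) is pre-existing and unchanged here.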
...@@ -720,19 +720,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac ...@@ -720,19 +720,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
expect_rejection { do_request } expect_rejection { do_request }
end end
context 'when feature flag is off' do
before do
stub_feature_flags(files_api_throttling: false)
end
it 'allows requests over the rate limit' do
(1 + requests_per_period).times do
do_request
expect(response).to have_gitlab_http_status(:ok)
end
end
end
context 'when unauthenticated api throttle is lower' do context 'when unauthenticated api throttle is lower' do
before do before do
settings_to_set[:throttle_unauthenticated_api_requests_per_period] = 0 settings_to_set[:throttle_unauthenticated_api_requests_per_period] = 0
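Review bot: removing the 'when feature flag is off' context is correct now that the flag is gone, but it was the only visible case in this group where `(1 + requests_per_period).times { do_request }` expects `:ok` for every request. Make sure an equivalent 'when unauthenticated files api throttle is disabled' context exists in this group (the authenticated group below keeps 'when authenticated files api throttle is disabled'), so the settings-only gate in `throttle_unauthenticated_files_api?` is still exercised in both directions.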
...@@ -817,19 +804,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac ...@@ -817,19 +804,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
expect_rejection { do_request } expect_rejection { do_request }
end end
end end
context 'when feature flag is off' do
before do
stub_feature_flags(files_api_throttling: false)
end
it 'allows requests over the rate limit' do
(1 + requests_per_period).times do
do_request
expect(response).to have_gitlab_http_status(:ok)
end
end
end
end end
context 'when authenticated files api throttle is disabled' do context 'when authenticated files api throttle is disabled' do
......
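Review bot: after this deletion no `stub_feature_flags(files_api_throttling: false)` call remains in this file, which matters because GitLab's spec helpers validate stubbed flag names against the definitions under config/feature_flags and the definition is deleted in this commit. Grep `spec/` for `files_api_throttling` to catch any remaining stubs, for example in the admin application settings feature specs that cover the `#js-files-limits-settings` section changed in the view hunk.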