Merge branch '335300-rate-limit-for-unauthenticated-api-requests-4-admin-area-form' into 'master'

[4/5] Add unauthenticated API throttle settings to admin area See merge request gitlab-org/gitlab!69486

Merge branch '335300-rate-limit-for-unauthenticated-api-requests-4-admin-area-form' into 'master'
[4/5] Add unauthenticated API throttle settings to admin area See merge request gitlab-org/gitlab!69486
3557f4cd · Natalia Tepluhina · 250eb8c2 · 2b4723b5 · 3557f4cd · 3557f4cd
Commit 3557f4cd authored Sep 15, 2021 by Natalia Tepluhina
4 changed files
--- a/app/views/admin/application_settings/_ip_limits.html.haml
+++ b/app/views/admin/application_settings/_ip_limits.html.haml
-= form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-ip-limits-settings'), html: { class: 'fieldset-form' } do |f|
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-ip-limits-settings'), html: { class: 'fieldset-form' } do |f|
  = form_errors(@application_setting)
  %fieldset
-    %h5
+    %legend.h5.gl-border-none
-      = _('Unauthenticated request rate limit')
+      = _('Unauthenticated API request rate limit')
    .form-group
-      .form-check
+      = f.gitlab_ui_checkbox_component :throttle_unauthenticated_api_enabled,
-        = f.check_box :throttle_unauthenticated_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_unauthenticated_checkbox' }
+        _("Enable unauthenticated API request rate limit"),
-        = f.label :throttle_unauthenticated_enabled, class: 'form-check-label label-bold' do
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
-          = _("Enable unauthenticated request rate limit")
+        checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_api_checkbox' } }
-        %span.form-text.text-muted
-          = _("Helps reduce request volume (e.g. from crawlers or abusive bots)")
    .form-group
-      = f.label :throttle_unauthenticated_requests_per_period, _('Max unauthenticated requests per period per IP'), class: 'label-bold'
+      = f.label :throttle_unauthenticated_api_requests_per_period, _('Max unauthenticated API requests per period per IP'), class: 'label-bold'
+      = f.number_field :throttle_unauthenticated_api_requests_per_period, class: 'form-control gl-form-input'
+    .form-group
+      = f.label :throttle_unauthenticated_api_period_in_seconds, _('Unauthenticated API rate limit period in seconds'), class: 'label-bold'
+      = f.number_field :throttle_unauthenticated_api_period_in_seconds, class: 'form-control gl-form-input'
+  %fieldset
+    %legend.h5.gl-border-none
+      = _('Unauthenticated web request rate limit')
+    .form-group
+      = f.gitlab_ui_checkbox_component :throttle_unauthenticated_enabled,
+        _("Enable unauthenticated web request rate limit"),
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
+        checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_web_checkbox' } }
+    .form-group
+      = f.label :throttle_unauthenticated_requests_per_period, _('Max unauthenticated web requests per period per IP'), class: 'label-bold'
      = f.number_field :throttle_unauthenticated_requests_per_period, class: 'form-control gl-form-input'
    .form-group
-      = f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated rate limit period in seconds'), class: 'label-bold'
+      = f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated web rate limit period in seconds'), class: 'label-bold'
      = f.number_field :throttle_unauthenticated_period_in_seconds, class: 'form-control gl-form-input'
-    %hr
-    %h5
+  %fieldset
+    %legend.h5.gl-border-none
      = _('Authenticated API request rate limit')
    .form-group
-      .form-check
+      = f.gitlab_ui_checkbox_component :throttle_authenticated_api_enabled,
-        = f.check_box :throttle_authenticated_api_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_authenticated_api_checkbox' }
+        _("Enable authenticated API request rate limit"),
-        = f.label :throttle_authenticated_api_enabled, class: 'form-check-label label-bold' do
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
-          = _("Enable authenticated API request rate limit")
+        checkbox_options: { data: { qa_selector: 'throttle_authenticated_api_checkbox' }}
-        %span.form-text.text-muted
-          = _("Helps reduce request volume (e.g. from crawlers or abusive bots)")
    .form-group
      = f.label :throttle_authenticated_api_requests_per_period, _('Max authenticated API requests per period per user'), class: 'label-bold'
      = f.number_field :throttle_authenticated_api_requests_per_period, class: 'form-control gl-form-input'
    .form-group
      = f.label :throttle_authenticated_api_period_in_seconds, _('Authenticated API rate limit period in seconds'), class: 'label-bold'
      = f.number_field :throttle_authenticated_api_period_in_seconds, class: 'form-control gl-form-input'
-    %hr
-    %h5
+  %fieldset
+    %legend.h5.gl-border-none
      = _('Authenticated web request rate limit')
    .form-group
-      .form-check
+      = f.gitlab_ui_checkbox_component :throttle_authenticated_web_enabled,
-        = f.check_box :throttle_authenticated_web_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_authenticated_web_checkbox' }
+        _("Enable authenticated web request rate limit"),
-        = f.label :throttle_authenticated_web_enabled, class: 'form-check-label label-bold' do
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
-          Enable authenticated web request rate limit
+        checkbox_options: { data: { qa_selector: 'throttle_authenticated_web_checkbox' } }
-        %span.form-text.text-muted
-          Helps reduce request volume (e.g. from crawlers or abusive bots)
    .form-group
      = f.label :throttle_authenticated_web_requests_per_period, _('Max authenticated web requests per period per user'), class: 'label-bold'
      = f.number_field :throttle_authenticated_web_requests_per_period, class: 'form-control gl-form-input'
    .form-group
      = f.label :throttle_authenticated_web_period_in_seconds, _('Authenticated web rate limit period in seconds'), class: 'label-bold'
      = f.number_field :throttle_authenticated_web_period_in_seconds, class: 'form-control gl-form-input'
-    %hr
-    %h5
+  %fieldset
+    %legend.h5.gl-border-none
      = _('Response text')
    .form-group
      = f.label :rate_limiting_response_text, class: 'label-bold' do

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -12493,6 +12493,9 @@ msgstr ""
 msgid "Enable authenticated Git LFS request rate limit"
 msgstr ""
+msgid "Enable authenticated web request rate limit"
+msgstr ""
 msgid "Enable authentication"
 msgstr ""
@@ -12598,7 +12601,7 @@ msgstr ""
 msgid "Enable unauthenticated API request rate limit"
 msgstr ""
-msgid "Enable unauthenticated request rate limit"
+msgid "Enable unauthenticated web request rate limit"
 msgstr ""
 msgid "Enable user deactivation emails"
@@ -20726,7 +20729,10 @@ msgstr ""
 msgid "Max session time"
 msgstr ""
-msgid "Max unauthenticated requests per period per IP"
+msgid "Max unauthenticated API requests per period per IP"
+msgstr ""
+msgid "Max unauthenticated web requests per period per IP"
 msgstr ""
 msgid "MaxBuilds"
@@ -35927,16 +35933,19 @@ msgstr ""
 msgid "Unassigned"
 msgstr ""
+msgid "Unauthenticated API rate limit period in seconds"
+msgstr ""
 msgid "Unauthenticated API request rate limit"
 msgstr ""
-msgid "Unauthenticated rate limit period in seconds"
+msgid "Unauthenticated requests"
 msgstr ""
-msgid "Unauthenticated request rate limit"
+msgid "Unauthenticated web rate limit period in seconds"
 msgstr ""
-msgid "Unauthenticated requests"
+msgid "Unauthenticated web request rate limit"
 msgstr ""
 msgid "Undo"

--- a/qa/qa/page/admin/settings/component/ip_limits.rb
+++ b/qa/qa/page/admin/settings/component/ip_limits.rb
@@ -7,16 +7,18 @@ module QA
        module Component
          class IpLimits < Page::Base
            view 'app/views/admin/application_settings/_ip_limits.html.haml' do
-              element :throttle_unauthenticated_checkbox
+              element :throttle_unauthenticated_api_checkbox
+              element :throttle_unauthenticated_web_checkbox
              element :throttle_authenticated_api_checkbox
              element :throttle_authenticated_web_checkbox
              element :save_changes_button
            end
            def enable_throttles
-              check_element(:throttle_unauthenticated_checkbox)
+              check_element(:throttle_unauthenticated_api_checkbox, true)
-              check_element(:throttle_authenticated_api_checkbox)
+              check_element(:throttle_unauthenticated_web_checkbox, true)
-              check_element(:throttle_authenticated_web_checkbox)
+              check_element(:throttle_authenticated_api_checkbox, true)
+              check_element(:throttle_authenticated_web_checkbox, true)
            end
            def save_settings

--- a/spec/features/admin/admin_settings_spec.rb
+++ b/spec/features/admin/admin_settings_spec.rb
@@ -546,6 +546,50 @@ RSpec.describe 'Admin updates settings' do
        expect(current_settings.dns_rebinding_protection_enabled).to be false
      end
+      it 'changes User and IP Rate Limits settings' do
+        visit network_admin_application_settings_path
+        page.within('.as-ip-limits') do
+          check 'Enable unauthenticated API request rate limit'
+          fill_in 'Max unauthenticated API requests per period per IP', with: 100
+          fill_in 'Unauthenticated API rate limit period in seconds', with: 200
+          check 'Enable unauthenticated web request rate limit'
+          fill_in 'Max unauthenticated web requests per period per IP', with: 300
+          fill_in 'Unauthenticated web rate limit period in seconds', with: 400
+          check 'Enable authenticated API request rate limit'
+          fill_in 'Max authenticated API requests per period per user', with: 500
+          fill_in 'Authenticated API rate limit period in seconds', with: 600
+          check 'Enable authenticated web request rate limit'
+          fill_in 'Max authenticated web requests per period per user', with: 700
+          fill_in 'Authenticated web rate limit period in seconds', with: 800
+          fill_in 'A plain-text response to show to clients that hit the rate limit.', with: 'Custom message'
+          click_button 'Save changes'
+        end
+        expect(page).to have_content "Application settings saved successfully"
+        expect(current_settings).to have_attributes(
+          throttle_unauthenticated_api_enabled: true,
+          throttle_unauthenticated_api_requests_per_period: 100,
+          throttle_unauthenticated_api_period_in_seconds: 200,
+          throttle_unauthenticated_enabled: true,
+          throttle_unauthenticated_requests_per_period: 300,
+          throttle_unauthenticated_period_in_seconds: 400,
+          throttle_authenticated_api_enabled: true,
+          throttle_authenticated_api_requests_per_period: 500,
+          throttle_authenticated_api_period_in_seconds: 600,
+          throttle_authenticated_web_enabled: true,
+          throttle_authenticated_web_requests_per_period: 700,
+          throttle_authenticated_web_period_in_seconds: 800,
+          rate_limiting_response_text: 'Custom message'
+        )
+      end
      it 'changes Issues rate limits settings' do
        visit network_admin_application_settings_path