Merge branch '335075_frontend_rate_limiting_files_api' into 'master'

Add form to Admin Area to control Files API throttling See merge request gitlab-org/gitlab!68560

Merge branch '335075_frontend_rate_limiting_files_api' into 'master'
Add form to Admin Area to control Files API throttling See merge request gitlab-org/gitlab!68560
e5e615c0 · Natalia Tepluhina · c6b4adcd · 43f2efbc · e5e615c0 · e5e615c0
Commit e5e615c0 authored Sep 03, 2021 by Natalia Tepluhina
5 changed files
--- a/app/views/admin/application_settings/_files_limits.html.haml
+++ b/app/views/admin/application_settings/_files_limits.html.haml
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-files-limits-settings'), html: { class: 'fieldset-form' } do |f|
+  = form_errors(@application_setting)
+
+  %fieldset
+    %legend.h5.gl-border-none
+      = _('Unauthenticated API request rate limit')
+    .form-group
+      = f.gitlab_ui_checkbox_component :throttle_unauthenticated_files_api_enabled,
+        _('Enable unauthenticated API request rate limit'),
+        help_text: _('Helps reduce request volume (e.g. from crawlers or abusive bots)'),
+        checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_files_api_checkbox' } }
+    .form-group
+      = f.label :throttle_unauthenticated_files_api_requests_per_period, 'Max unauthenticated API requests per period per IP', class: 'label-bold'
+      = f.number_field :throttle_unauthenticated_files_api_requests_per_period, class: 'form-control gl-form-input'
+    .form-group
+      = f.label :throttle_unauthenticated_files_api_period_in_seconds, 'Unauthenticated API rate limit period in seconds', class: 'label-bold'
+      = f.number_field :throttle_unauthenticated_files_api_period_in_seconds, class: 'form-control gl-form-input'
+
+  %fieldset
+    %legend.h5.gl-border-none
+      = _('Authenticated API request rate limit')
+    .form-group
+      = f.gitlab_ui_checkbox_component :throttle_authenticated_files_api_enabled,
+        _('Enable authenticated API request rate limit'),
+        help_text: _('Helps reduce request volume (e.g. from crawlers or abusive bots)'),
+        checkbox_options: { data: { qa_selector: 'throttle_authenticated_files_api_checkbox' } }
+    .form-group
+      = f.label :throttle_authenticated_files_api_requests_per_period, 'Max authenticated API requests per period per user', class: 'label-bold'
+      = f.number_field :throttle_authenticated_files_api_requests_per_period, class: 'form-control gl-form-input'
+    .form-group
+      = f.label :throttle_authenticated_files_api_period_in_seconds, 'Authenticated API rate limit period in seconds', class: 'label-bold'
+      = f.number_field :throttle_authenticated_files_api_period_in_seconds, class: 'form-control gl-form-input'
+
+  = f.submit 'Save changes', class: "gl-button btn btn-confirm", data: { qa_selector: 'save_changes_button' }
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -34,6 +34,17 @@
      = _('Configure specific limits for Packages API requests that supersede the general user and IP rate limits.')
  .settings-content
    = render 'package_registry_limits'
+- if Feature.enabled?(:files_api_throttling, default_enabled: :yaml)
+  %section.settings.as-files-limits.no-animate#js-files-limits-settings{ class: ('expanded' if expanded_by_default?), data: { testid: 'files-limits-settings' } }
+    .settings-header
+      %h4
+        = _('Files API Rate Limits')
+      %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
+        = expanded_by_default? ? _('Collapse') : _('Expand')
+      %p
+        = _('Configure specific limits for Files API requests that supersede the general user and IP rate limits.')
+    .settings-content
+      = render 'files_limits'

 %section.settings.as-git-lfs-limits.no-animate#js-git-lfs-limits-settings{ class: ('expanded' if expanded_by_default?), data: { qa_selector: 'git_lfs_limits_content' } }
  .settings-header

--- a/config/feature_flags/development/files_api_throttling.yml
+++ b/config/feature_flags/development/files_api_throttling.yml
+---
+name: files_api_throttling
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68560
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/338903
+milestone: '14.3'
+type: development
+group: group::source code
+default_enabled: false
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -8505,6 +8505,9 @@ msgstr ""
 msgid "Configure settings for Advanced Search with Elasticsearch."
 msgstr ""

+msgid "Configure specific limits for Files API requests that supersede the general user and IP rate limits."
+msgstr ""
+
 msgid "Configure specific limits for Git LFS requests that supersede the general user and IP rate limits."
 msgstr ""

@@ -14305,6 +14308,9 @@ msgstr ""
 msgid "Files"
 msgstr ""

+msgid "Files API Rate Limits"
+msgstr ""
+
 msgid "Files breadcrumb"
 msgstr ""


--- a/spec/features/admin/admin_settings_spec.rb
+++ b/spec/features/admin/admin_settings_spec.rb
@@ -557,6 +557,20 @@ RSpec.describe 'Admin updates settings' do
        expect(page).to have_content "Application settings saved successfully"
        expect(current_settings.issues_create_limit).to eq(0)
      end
+
+      it 'changes Files API rate limits settings' do
+        visit network_admin_application_settings_path
+
+        page.within('[data-testid="files-limits-settings"]') do
+          check 'Enable unauthenticated API request rate limit'
+          fill_in 'Max unauthenticated API requests per period per IP', with: 10
+          click_button 'Save changes'
+        end
+
+        expect(page).to have_content "Application settings saved successfully"
+        expect(current_settings.throttle_unauthenticated_files_api_enabled).to be true
+        expect(current_settings.throttle_unauthenticated_files_api_requests_per_period).to eq(10)
+      end
    end

    context 'Preferences page' do