Add throttling configuration for Files API endpoints

0f3e7efd · Vasilii Iakliushin · Douglas Barbosa Alexandre · 5122e90a · 0f3e7efd · 5122e90a
Commit 0f3e7efd authored Dec 08, 2021 by Vasilii Iakliushin Committed by Douglas Barbosa Alexandre Dec 08, 2021
6 changed files
--- a/app/views/admin/application_settings/network.html.haml
+++ b/app/views/admin/application_settings/network.html.haml
@@ -37,17 +37,16 @@
  .settings-content
    = render partial: 'network_rate_limits', locals: { anchor: 'js-packages-limits-settings', setting_fragment: 'packages_api' }
- if Feature.enabled?(:files_api_throttling, default_enabled: :yaml)
+%section.settings.as-files-limits.no-animate#js-files-limits-settings{ class: ('expanded' if expanded_by_default?) }
-  %section.settings.as-files-limits.no-animate#js-files-limits-settings{ class: ('expanded' if expanded_by_default?) }
+  .settings-header
-    .settings-header
+    %h4
-      %h4
+      = _('Files API Rate Limits')
-        = _('Files API Rate Limits')
+    %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
-      %button.btn.gl-button.btn-default.js-settings-toggle{ type: 'button' }
+      = expanded_by_default? ? _('Collapse') : _('Expand')
-        = expanded_by_default? ? _('Collapse') : _('Expand')
+    %p
-      %p
+      = _('Configure specific limits for Files API requests that supersede the general user and IP rate limits.')
-        = _('Configure specific limits for Files API requests that supersede the general user and IP rate limits.')
+  .settings-content
-    .settings-content
+    = render partial: 'network_rate_limits', locals: { anchor: 'js-files-limits-settings', setting_fragment: 'files_api' }
-      = render partial: 'network_rate_limits', locals: { anchor: 'js-files-limits-settings', setting_fragment: 'files_api' }
 %section.settings.as-deprecated-limits.no-animate#js-deprecated-limits-settings{ class: ('expanded' if expanded_by_default?) }
  .settings-header

--- a/config/feature_flags/development/files_api_throttling.yml
+++ b/config/feature_flags/development/files_api_throttling.yml
---
-name: files_api_throttling
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68560
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/338903
-milestone: '14.3'
-type: development
-group: group::source code
-default_enabled: false
--- a/doc/administration/instance_limits.md
+++ b/doc/administration/instance_limits.md
@@ -88,12 +88,8 @@ requests per user. For more information, read
 ### Files API
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3 [with a flag](../administration/feature_flags.md) named `files_api_throttling`. Disabled by default.
+> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75918) in GitLab 14.6. [Feature flag `files_api_throttling`](https://gitlab.com/gitlab-org/gitlab/-/issues/338903) removed.
-FLAG:
-On self-managed GitLab, by default this feature is not available. To make it available,
-ask an administrator to [enable the `files_api_throttling` flag](../administration/feature_flags.md). On GitLab.com, this feature is available but can be configured by GitLab.com administrators only.
-The feature is not ready for production use.
 This setting limits the request rate on the Packages API per user or IP address. For more information, read
 [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md).

--- a/doc/user/admin_area/settings/files_api_rate_limits.md
+++ b/doc/user/admin_area/settings/files_api_rate_limits.md
@@ -7,13 +7,8 @@ type: reference
 # Files API rate limits **(FREE SELF)**
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3.
+> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75918) in GitLab 14.6. [Feature flag files_api_throttling](https://gitlab.com/gitlab-org/gitlab/-/issues/338903) removed.
-FLAG:
-On self-managed GitLab, by default this feature is not available. To make it
-available, ask an administrator to [enable the `files_api_throttling` flag](../../../administration/feature_flags.md).
-On GitLab.com, this feature is available but can be configured by GitLab.com
-administrators only. The feature is not ready for production use.
 The [Repository files API](../../../api/repository_files.md) enables you to
 fetch, create, update, and delete files in your repository. To improve the security
@@ -29,10 +24,9 @@ the general user and IP rate limits for requests to the
 and IP rate limits already in place, and increase or decrease the rate limits
 for the Files API. No other new features are provided by this override.
-Prerequisites:
+Prerequisite:
 - You must have the Administrator role for your instance.
- The `files_api_throttling` feature flag must be enabled.
 To override the general user and IP rate limits for requests to the Repository files API:

--- a/lib/gitlab/rack_attack/request.rb
+++ b/lib/gitlab/rack_attack/request.rb
@@ -139,14 +139,12 @@ module Gitlab
      def throttle_unauthenticated_files_api?
        files_api_path? &&
-        Feature.enabled?(:files_api_throttling, default_enabled: :yaml) &&
        Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled &&
        unauthenticated?
      end
      def throttle_authenticated_files_api?
        files_api_path? &&
-        Feature.enabled?(:files_api_throttling, default_enabled: :yaml) &&
        Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
      end

--- a/spec/requests/rack_attack_global_spec.rb
+++ b/spec/requests/rack_attack_global_spec.rb
@@ -720,19 +720,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
          expect_rejection { do_request }
        end
-        context 'when feature flag is off' do
-          before do
-            stub_feature_flags(files_api_throttling: false)
-          end
-          it 'allows requests over the rate limit' do
-            (1 + requests_per_period).times do
-              do_request
-              expect(response).to have_gitlab_http_status(:ok)
-            end
-          end
-        end
        context 'when unauthenticated api throttle is lower' do
          before do
            settings_to_set[:throttle_unauthenticated_api_requests_per_period] = 0
@@ -817,19 +804,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
              expect_rejection { do_request }
            end
          end
-          context 'when feature flag is off' do
-            before do
-              stub_feature_flags(files_api_throttling: false)
-            end
-            it 'allows requests over the rate limit' do
-              (1 + requests_per_period).times do
-                do_request
-                expect(response).to have_gitlab_http_status(:ok)
-              end
-            end
-          end
        end
        context 'when authenticated files api throttle is disabled' do