Add unauthenticated API throttle settings to admin area

This adds the new settings to the "User and IP Rate Limits" section
in the admin area, and also updates the styling a bit.

Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/335300
Changelog: added

app/views/admin/application_settings/_ip_limits.html.haml

-= form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-ip-limits-settings'), html: { class: 'fieldset-form' } do |f|
+= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-ip-limits-settings'), html: { class: 'fieldset-form' } do |f|
   = form_errors(@application_setting)
 
   %fieldset
-    %h5
-      = _('Unauthenticated request rate limit')
+    %legend.h5.gl-border-none
+      = _('Unauthenticated API request rate limit')
     .form-group
-      .form-check
-        = f.check_box :throttle_unauthenticated_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_unauthenticated_checkbox' }
-        = f.label :throttle_unauthenticated_enabled, class: 'form-check-label label-bold' do
-          = _("Enable unauthenticated request rate limit")
-        %span.form-text.text-muted
-          = _("Helps reduce request volume (e.g. from crawlers or abusive bots)")
+      = f.gitlab_ui_checkbox_component :throttle_unauthenticated_api_enabled,
+        _("Enable unauthenticated API request rate limit"),
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
+        checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_api_checkbox' } }
     .form-group
-      = f.label :throttle_unauthenticated_requests_per_period, _('Max unauthenticated requests per period per IP'), class: 'label-bold'
+      = f.label :throttle_unauthenticated_api_requests_per_period, _('Max unauthenticated API requests per period per IP'), class: 'label-bold'
+      = f.number_field :throttle_unauthenticated_api_requests_per_period, class: 'form-control gl-form-input'
+    .form-group
+      = f.label :throttle_unauthenticated_api_period_in_seconds, _('Unauthenticated API rate limit period in seconds'), class: 'label-bold'
+      = f.number_field :throttle_unauthenticated_api_period_in_seconds, class: 'form-control gl-form-input'
+
+  %fieldset
+    %legend.h5.gl-border-none
+      = _('Unauthenticated web request rate limit')
+    .form-group
+      = f.gitlab_ui_checkbox_component :throttle_unauthenticated_enabled,
+        _("Enable unauthenticated web request rate limit"),
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
+        checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_web_checkbox' } }
+    .form-group
+      = f.label :throttle_unauthenticated_requests_per_period, _('Max unauthenticated web requests per period per IP'), class: 'label-bold'
       = f.number_field :throttle_unauthenticated_requests_per_period, class: 'form-control gl-form-input'
     .form-group
-      = f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated rate limit period in seconds'), class: 'label-bold'
+      = f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated web rate limit period in seconds'), class: 'label-bold'
       = f.number_field :throttle_unauthenticated_period_in_seconds, class: 'form-control gl-form-input'
-    %hr
-    %h5
+
+  %fieldset
+    %legend.h5.gl-border-none
       = _('Authenticated API request rate limit')
     .form-group
-      .form-check
-        = f.check_box :throttle_authenticated_api_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_authenticated_api_checkbox' }
-        = f.label :throttle_authenticated_api_enabled, class: 'form-check-label label-bold' do
-          = _("Enable authenticated API request rate limit")
-        %span.form-text.text-muted
-          = _("Helps reduce request volume (e.g. from crawlers or abusive bots)")
+      = f.gitlab_ui_checkbox_component :throttle_authenticated_api_enabled,
+        _("Enable authenticated API request rate limit"),
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
+        checkbox_options: { data: { qa_selector: 'throttle_authenticated_api_checkbox' }}
     .form-group
       = f.label :throttle_authenticated_api_requests_per_period, _('Max authenticated API requests per period per user'), class: 'label-bold'
       = f.number_field :throttle_authenticated_api_requests_per_period, class: 'form-control gl-form-input'
     .form-group
       = f.label :throttle_authenticated_api_period_in_seconds, _('Authenticated API rate limit period in seconds'), class: 'label-bold'
       = f.number_field :throttle_authenticated_api_period_in_seconds, class: 'form-control gl-form-input'
-    %hr
-    %h5
+
+  %fieldset
+    %legend.h5.gl-border-none
       = _('Authenticated web request rate limit')
     .form-group
-      .form-check
-        = f.check_box :throttle_authenticated_web_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_authenticated_web_checkbox' }
-        = f.label :throttle_authenticated_web_enabled, class: 'form-check-label label-bold' do
-          Enable authenticated web request rate limit
-        %span.form-text.text-muted
-          Helps reduce request volume (e.g. from crawlers or abusive bots)
+      = f.gitlab_ui_checkbox_component :throttle_authenticated_web_enabled,
+        _("Enable authenticated web request rate limit"),
+        help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
+        checkbox_options: { data: { qa_selector: 'throttle_authenticated_web_checkbox' } }
     .form-group
       = f.label :throttle_authenticated_web_requests_per_period, _('Max authenticated web requests per period per user'), class: 'label-bold'
       = f.number_field :throttle_authenticated_web_requests_per_period, class: 'form-control gl-form-input'
     .form-group
       = f.label :throttle_authenticated_web_period_in_seconds, _('Authenticated web rate limit period in seconds'), class: 'label-bold'
       = f.number_field :throttle_authenticated_web_period_in_seconds, class: 'form-control gl-form-input'
-    %hr
-    %h5
+
+  %fieldset
+    %legend.h5.gl-border-none
       = _('Response text')
     .form-group
       = f.label :rate_limiting_response_text, class: 'label-bold' do

locale/gitlab.pot

@@ -12481,6 +12481,9 @@ msgstr ""
 msgid "Enable authenticated Git LFS request rate limit"
 msgstr ""
 
+msgid "Enable authenticated web request rate limit"
+msgstr ""
+
 msgid "Enable authentication"
 msgstr ""
 
@@ -12586,7 +12589,7 @@ msgstr ""
 msgid "Enable unauthenticated API request rate limit"
 msgstr ""
 
-msgid "Enable unauthenticated request rate limit"
+msgid "Enable unauthenticated web request rate limit"
 msgstr ""
 
 msgid "Enable user deactivation emails"
@@ -20675,7 +20678,10 @@ msgstr ""
 msgid "Max session time"
 msgstr ""
 
-msgid "Max unauthenticated requests per period per IP"
+msgid "Max unauthenticated API requests per period per IP"
+msgstr ""
+
+msgid "Max unauthenticated web requests per period per IP"
 msgstr ""
 
 msgid "MaxBuilds"
@@ -35837,16 +35843,19 @@ msgstr ""
 msgid "Unassigned"
 msgstr ""
 
+msgid "Unauthenticated API rate limit period in seconds"
+msgstr ""
+
 msgid "Unauthenticated API request rate limit"
 msgstr ""
 
-msgid "Unauthenticated rate limit period in seconds"
+msgid "Unauthenticated requests"
 msgstr ""
 
-msgid "Unauthenticated request rate limit"
+msgid "Unauthenticated web rate limit period in seconds"
 msgstr ""
 
-msgid "Unauthenticated requests"
+msgid "Unauthenticated web request rate limit"
 msgstr ""
 
 msgid "Undo"

qa/qa/page/admin/settings/component/ip_limits.rb

@@ -7,16 +7,18 @@ module QA
         module Component
           class IpLimits < Page::Base
             view 'app/views/admin/application_settings/_ip_limits.html.haml' do
-              element :throttle_unauthenticated_checkbox
+              element :throttle_unauthenticated_api_checkbox
+              element :throttle_unauthenticated_web_checkbox
               element :throttle_authenticated_api_checkbox
               element :throttle_authenticated_web_checkbox
               element :save_changes_button
             end
 
             def enable_throttles
-              check_element(:throttle_unauthenticated_checkbox)
-              check_element(:throttle_authenticated_api_checkbox)
-              check_element(:throttle_authenticated_web_checkbox)
+              check_element(:throttle_unauthenticated_api_checkbox, true)
+              check_element(:throttle_unauthenticated_web_checkbox, true)
+              check_element(:throttle_authenticated_api_checkbox, true)
+              check_element(:throttle_authenticated_web_checkbox, true)
             end
 
             def save_settings

spec/features/admin/admin_settings_spec.rb

@@ -546,6 +546,50 @@ RSpec.describe 'Admin updates settings' do
         expect(current_settings.dns_rebinding_protection_enabled).to be false
       end
 
+      it 'changes User and IP Rate Limits settings' do
+        visit network_admin_application_settings_path
+
+        page.within('.as-ip-limits') do
+          check 'Enable unauthenticated API request rate limit'
+          fill_in 'Max unauthenticated API requests per period per IP', with: 100
+          fill_in 'Unauthenticated API rate limit period in seconds', with: 200
+
+          check 'Enable unauthenticated web request rate limit'
+          fill_in 'Max unauthenticated web requests per period per IP', with: 300
+          fill_in 'Unauthenticated web rate limit period in seconds', with: 400
+
+          check 'Enable authenticated API request rate limit'
+          fill_in 'Max authenticated API requests per period per user', with: 500
+          fill_in 'Authenticated API rate limit period in seconds', with: 600
+
+          check 'Enable authenticated web request rate limit'
+          fill_in 'Max authenticated web requests per period per user', with: 700
+          fill_in 'Authenticated web rate limit period in seconds', with: 800
+
+          fill_in 'A plain-text response to show to clients that hit the rate limit.', with: 'Custom message'
+
+          click_button 'Save changes'
+        end
+
+        expect(page).to have_content "Application settings saved successfully"
+
+        expect(current_settings).to have_attributes(
+          throttle_unauthenticated_api_enabled: true,
+          throttle_unauthenticated_api_requests_per_period: 100,
+          throttle_unauthenticated_api_period_in_seconds: 200,
+          throttle_unauthenticated_enabled: true,
+          throttle_unauthenticated_requests_per_period: 300,
+          throttle_unauthenticated_period_in_seconds: 400,
+          throttle_authenticated_api_enabled: true,
+          throttle_authenticated_api_requests_per_period: 500,
+          throttle_authenticated_api_period_in_seconds: 600,
+          throttle_authenticated_web_enabled: true,
+          throttle_authenticated_web_requests_per_period: 700,
+          throttle_authenticated_web_period_in_seconds: 800,
+          rate_limiting_response_text: 'Custom message'
+        )
+      end
+
       it 'changes Issues rate limits settings' do
         visit network_admin_application_settings_path