Commit 3557f4cd authored by Natalia Tepluhina's avatar Natalia Tepluhina

Merge branch '335300-rate-limit-for-unauthenticated-api-requests-4-admin-area-form' into 'master'

[4/5] Add unauthenticated API throttle settings to admin area

See merge request gitlab-org/gitlab!69486
parents 250eb8c2 2b4723b5
= form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-ip-limits-settings'), html: { class: 'fieldset-form' } do |f|
= gitlab_ui_form_for @application_setting, url: network_admin_application_settings_path(anchor: 'js-ip-limits-settings'), html: { class: 'fieldset-form' } do |f|
= form_errors(@application_setting)
%fieldset
%h5
= _('Unauthenticated request rate limit')
%legend.h5.gl-border-none
= _('Unauthenticated API request rate limit')
.form-group
.form-check
= f.check_box :throttle_unauthenticated_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_unauthenticated_checkbox' }
= f.label :throttle_unauthenticated_enabled, class: 'form-check-label label-bold' do
= _("Enable unauthenticated request rate limit")
%span.form-text.text-muted
= _("Helps reduce request volume (e.g. from crawlers or abusive bots)")
= f.gitlab_ui_checkbox_component :throttle_unauthenticated_api_enabled,
_("Enable unauthenticated API request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_api_checkbox' } }
.form-group
= f.label :throttle_unauthenticated_requests_per_period, _('Max unauthenticated requests per period per IP'), class: 'label-bold'
= f.label :throttle_unauthenticated_api_requests_per_period, _('Max unauthenticated API requests per period per IP'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_api_requests_per_period, class: 'form-control gl-form-input'
.form-group
= f.label :throttle_unauthenticated_api_period_in_seconds, _('Unauthenticated API rate limit period in seconds'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_api_period_in_seconds, class: 'form-control gl-form-input'
%fieldset
%legend.h5.gl-border-none
= _('Unauthenticated web request rate limit')
.form-group
= f.gitlab_ui_checkbox_component :throttle_unauthenticated_enabled,
_("Enable unauthenticated web request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
checkbox_options: { data: { qa_selector: 'throttle_unauthenticated_web_checkbox' } }
.form-group
= f.label :throttle_unauthenticated_requests_per_period, _('Max unauthenticated web requests per period per IP'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_requests_per_period, class: 'form-control gl-form-input'
.form-group
= f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated rate limit period in seconds'), class: 'label-bold'
= f.label :throttle_unauthenticated_period_in_seconds, _('Unauthenticated web rate limit period in seconds'), class: 'label-bold'
= f.number_field :throttle_unauthenticated_period_in_seconds, class: 'form-control gl-form-input'
%hr
%h5
%fieldset
%legend.h5.gl-border-none
= _('Authenticated API request rate limit')
.form-group
.form-check
= f.check_box :throttle_authenticated_api_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_authenticated_api_checkbox' }
= f.label :throttle_authenticated_api_enabled, class: 'form-check-label label-bold' do
= _("Enable authenticated API request rate limit")
%span.form-text.text-muted
= _("Helps reduce request volume (e.g. from crawlers or abusive bots)")
= f.gitlab_ui_checkbox_component :throttle_authenticated_api_enabled,
_("Enable authenticated API request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
checkbox_options: { data: { qa_selector: 'throttle_authenticated_api_checkbox' }}
.form-group
= f.label :throttle_authenticated_api_requests_per_period, _('Max authenticated API requests per period per user'), class: 'label-bold'
= f.number_field :throttle_authenticated_api_requests_per_period, class: 'form-control gl-form-input'
.form-group
= f.label :throttle_authenticated_api_period_in_seconds, _('Authenticated API rate limit period in seconds'), class: 'label-bold'
= f.number_field :throttle_authenticated_api_period_in_seconds, class: 'form-control gl-form-input'
%hr
%h5
%fieldset
%legend.h5.gl-border-none
= _('Authenticated web request rate limit')
.form-group
.form-check
= f.check_box :throttle_authenticated_web_enabled, class: 'form-check-input', data: { qa_selector: 'throttle_authenticated_web_checkbox' }
= f.label :throttle_authenticated_web_enabled, class: 'form-check-label label-bold' do
Enable authenticated web request rate limit
%span.form-text.text-muted
Helps reduce request volume (e.g. from crawlers or abusive bots)
= f.gitlab_ui_checkbox_component :throttle_authenticated_web_enabled,
_("Enable authenticated web request rate limit"),
help_text: _("Helps reduce request volume (e.g. from crawlers or abusive bots)"),
checkbox_options: { data: { qa_selector: 'throttle_authenticated_web_checkbox' } }
.form-group
= f.label :throttle_authenticated_web_requests_per_period, _('Max authenticated web requests per period per user'), class: 'label-bold'
= f.number_field :throttle_authenticated_web_requests_per_period, class: 'form-control gl-form-input'
.form-group
= f.label :throttle_authenticated_web_period_in_seconds, _('Authenticated web rate limit period in seconds'), class: 'label-bold'
= f.number_field :throttle_authenticated_web_period_in_seconds, class: 'form-control gl-form-input'
%hr
%h5
%fieldset
%legend.h5.gl-border-none
= _('Response text')
.form-group
= f.label :rate_limiting_response_text, class: 'label-bold' do
......
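Review bot: The web fieldset binds to `throttle_unauthenticated_enabled`, `throttle_unauthenticated_requests_per_period` and `throttle_unauthenticated_period_in_seconds`, which carry no `web` in their names, while the other three groups name their scope in the attribute (`throttle_unauthenticated_api_*`, `throttle_authenticated_api_*`, `throttle_authenticated_web_*`). Going by the new labels, the unsuffixed attributes now cover web requests only, so someone reading the attribute name alone may take it for a limit on all unauthenticated traffic and leave the API throttle off. A HAML comment above that fieldset would record this: `-# throttle_unauthenticated_* applies to web requests only; unauthenticated API requests use throttle_unauthenticated_api_*`. The form continues past the last visible line.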
......@@ -12493,6 +12493,9 @@ msgstr ""
msgid "Enable authenticated Git LFS request rate limit"
msgstr ""
msgid "Enable authenticated web request rate limit"
msgstr ""
msgid "Enable authentication"
msgstr ""
......@@ -12598,7 +12601,7 @@ msgstr ""
msgid "Enable unauthenticated API request rate limit"
msgstr ""
msgid "Enable unauthenticated request rate limit"
msgid "Enable unauthenticated web request rate limit"
msgstr ""
msgid "Enable user deactivation emails"
......@@ -20726,7 +20729,10 @@ msgstr ""
msgid "Max session time"
msgstr ""
msgid "Max unauthenticated requests per period per IP"
msgid "Max unauthenticated API requests per period per IP"
msgstr ""
msgid "Max unauthenticated web requests per period per IP"
msgstr ""
msgid "MaxBuilds"
......@@ -35927,16 +35933,19 @@ msgstr ""
msgid "Unassigned"
msgstr ""
msgid "Unauthenticated API rate limit period in seconds"
msgstr ""
msgid "Unauthenticated API request rate limit"
msgstr ""
msgid "Unauthenticated rate limit period in seconds"
msgid "Unauthenticated requests"
msgstr ""
msgid "Unauthenticated request rate limit"
msgid "Unauthenticated web rate limit period in seconds"
msgstr ""
msgid "Unauthenticated requests"
msgid "Unauthenticated web request rate limit"
msgstr ""
msgid "Undo"
......
......@@ -7,16 +7,18 @@ module QA
module Component
class IpLimits < Page::Base
view 'app/views/admin/application_settings/_ip_limits.html.haml' do
element :throttle_unauthenticated_checkbox
element :throttle_unauthenticated_api_checkbox
element :throttle_unauthenticated_web_checkbox
element :throttle_authenticated_api_checkbox
element :throttle_authenticated_web_checkbox
element :save_changes_button
end
def enable_throttles
check_element(:throttle_unauthenticated_checkbox)
check_element(:throttle_authenticated_api_checkbox)
check_element(:throttle_authenticated_web_checkbox)
check_element(:throttle_unauthenticated_api_checkbox, true)
check_element(:throttle_unauthenticated_web_checkbox, true)
check_element(:throttle_authenticated_api_checkbox, true)
check_element(:throttle_authenticated_web_checkbox, true)
end
def save_settings
......
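Review bot: The second positional argument in `check_element(:throttle_unauthenticated_api_checkbox, true)` and the three calls after it in `enable_throttles` is a bare boolean whose meaning cannot be read at the call site, and the helper's signature is not on this page. A one-line comment above the four calls saying what `true` selects and why the new checkbox component needs it would keep a later editor from dropping it, for example `# second argument: <what the flag does>, required by the gitlab_ui checkbox markup`. If the helper accepts a keyword form, that would read better than the positional value.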
......@@ -546,6 +546,50 @@ RSpec.describe 'Admin updates settings' do
expect(current_settings.dns_rebinding_protection_enabled).to be false
end
it 'changes User and IP Rate Limits settings' do
visit network_admin_application_settings_path
page.within('.as-ip-limits') do
check 'Enable unauthenticated API request rate limit'
fill_in 'Max unauthenticated API requests per period per IP', with: 100
fill_in 'Unauthenticated API rate limit period in seconds', with: 200
check 'Enable unauthenticated web request rate limit'
fill_in 'Max unauthenticated web requests per period per IP', with: 300
fill_in 'Unauthenticated web rate limit period in seconds', with: 400
check 'Enable authenticated API request rate limit'
fill_in 'Max authenticated API requests per period per user', with: 500
fill_in 'Authenticated API rate limit period in seconds', with: 600
check 'Enable authenticated web request rate limit'
fill_in 'Max authenticated web requests per period per user', with: 700
fill_in 'Authenticated web rate limit period in seconds', with: 800
fill_in 'A plain-text response to show to clients that hit the rate limit.', with: 'Custom message'
click_button 'Save changes'
end
expect(page).to have_content "Application settings saved successfully"
expect(current_settings).to have_attributes(
throttle_unauthenticated_api_enabled: true,
throttle_unauthenticated_api_requests_per_period: 100,
throttle_unauthenticated_api_period_in_seconds: 200,
throttle_unauthenticated_enabled: true,
throttle_unauthenticated_requests_per_period: 300,
throttle_unauthenticated_period_in_seconds: 400,
throttle_authenticated_api_enabled: true,
throttle_authenticated_api_requests_per_period: 500,
throttle_authenticated_api_period_in_seconds: 600,
throttle_authenticated_web_enabled: true,
throttle_authenticated_web_requests_per_period: 700,
throttle_authenticated_web_period_in_seconds: 800,
rate_limiting_response_text: 'Custom message'
)
end
it 'changes Issues rate limits settings' do
visit network_admin_application_settings_path
......
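Review bot: The new example `changes User and IP Rate Limits settings` submits only valid positive values, so nothing visible here pins what the form does when an admin saves a zero, negative or blank limit or period in the new unauthenticated API fields. A throttle saved with a nonsensical period or count may end up limiting nothing or rejecting every client, so a second example would be worth adding, for instance `fill_in 'Unauthenticated API rate limit period in seconds', with: 0` followed by an expectation that the save is rejected and the stored setting is unchanged. Model-level validation may already cover this outside the page; if so, a comment in this example pointing to that spec is enough.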