Merge branch 'instance-config-rate-limits' into 'master'

Extend /help/instance_configuration with rate limits

See merge request gitlab-org/gitlab!66151

app/models/instance_configuration.rb

@@ -13,7 +13,8 @@ class InstanceConfiguration
       { ssh_algorithms_hashes: ssh_algorithms_hashes,
         host: host,
         gitlab_pages: gitlab_pages,
-        gitlab_ci: gitlab_ci }.deep_symbolize_keys
+        gitlab_ci: gitlab_ci,
+        rate_limits: rate_limits }.deep_symbolize_keys
     end
   end
 
@@ -43,6 +44,50 @@ class InstanceConfiguration
                                          default: 100.megabytes })
   end
 
+  def rate_limits
+    {
+      unauthenticated: {
+        enabled: application_settings[:throttle_unauthenticated_enabled],
+        requests_per_period: application_settings[:throttle_unauthenticated_requests_per_period],
+        period_in_seconds: application_settings[:throttle_unauthenticated_period_in_seconds]
+      },
+      authenticated_api: {
+        enabled: application_settings[:throttle_authenticated_api_enabled],
+        requests_per_period: application_settings[:throttle_authenticated_api_requests_per_period],
+        period_in_seconds: application_settings[:throttle_authenticated_api_period_in_seconds]
+      },
+      authenticated_web: {
+        enabled: application_settings[:throttle_authenticated_web_enabled],
+        requests_per_period: application_settings[:throttle_authenticated_web_requests_per_period],
+        period_in_seconds: application_settings[:throttle_authenticated_web_period_in_seconds]
+      },
+      protected_paths: {
+        enabled: application_settings[:throttle_protected_paths_enabled],
+        requests_per_period: application_settings[:throttle_protected_paths_requests_per_period],
+        period_in_seconds: application_settings[:throttle_protected_paths_period_in_seconds]
+      },
+      unauthenticated_packages_api: {
+        enabled: application_settings[:throttle_unauthenticated_packages_api_enabled],
+        requests_per_period: application_settings[:throttle_unauthenticated_packages_api_requests_per_period],
+        period_in_seconds: application_settings[:throttle_unauthenticated_packages_api_period_in_seconds]
+      },
+      authenticated_packages_api: {
+        enabled: application_settings[:throttle_authenticated_packages_api_enabled],
+        requests_per_period: application_settings[:throttle_authenticated_packages_api_requests_per_period],
+        period_in_seconds: application_settings[:throttle_authenticated_packages_api_period_in_seconds]
+      },
+      issue_creation: application_setting_limit_per_minute(:issues_create_limit),
+      note_creation: application_setting_limit_per_minute(:notes_create_limit),
+      project_export: application_setting_limit_per_minute(:project_export_limit),
+      project_export_download: application_setting_limit_per_minute(:project_download_export_limit),
+      project_import: application_setting_limit_per_minute(:project_import_limit),
+      group_export: application_setting_limit_per_minute(:group_export_limit),
+      group_export_download: application_setting_limit_per_minute(:group_download_export_limit),
+      group_import: application_setting_limit_per_minute(:group_import_limit),
+      raw_blob: application_setting_limit_per_minute(:raw_blob_request_limit)
+    }
+  end
+
   def ssh_algorithm_file(algorithm)
     File.join(SSH_ALGORITHMS_PATH, "ssh_host_#{algorithm.downcase}_key.pub")
   end
@@ -70,4 +115,16 @@ class InstanceConfiguration
   def ssh_algorithm_sha256(ssh_file_content)
     Gitlab::SSHPublicKey.new(ssh_file_content).fingerprint('SHA256')
   end
+
+  def application_settings
+    Gitlab::CurrentSettings.current_application_settings
+  end
+
+  def application_setting_limit_per_minute(setting)
+    {
+      enabled: application_settings[setting] > 0,
+      requests_per_period: application_settings[setting],
+      period_in_seconds: 1.minute
+    }
+  end
 end

app/views/help/instance_configuration.html.haml

@@ -8,6 +8,7 @@
   = render 'help/instance_configuration/ssh_info'
   = render 'help/instance_configuration/gitlab_pages'
   = render 'help/instance_configuration/gitlab_ci'
+  = render 'help/instance_configuration/rate_limits'
   %p
     %strong= _("Table of contents")
 

app/views/help/instance_configuration/_rate_limit_row.html.haml

+- public_visible = local_assigns.fetch(:public_visible, false)
+
+- if rate_limit && (public_visible || user_signed_in?)
+  %tr
+    %td= title
+    %td= instance_configuration_cell_html(rate_limit[:enabled] ? rate_limit[:requests_per_period] : nil)
+    %td= instance_configuration_cell_html(rate_limit[:enabled] ? rate_limit[:period_in_seconds] : nil)

app/views/help/instance_configuration/_rate_limits.html.haml

+- rate_limits = @instance_configuration.settings[:rate_limits]
+- content_for :table_content do
+  - if rate_limits
+    %li= link_to _('Rate Limits'), '#rate-limits'
+
+- content_for :settings_content do
+  - if rate_limits
+    %h2#rate-limits
+      = _('Rate Limits')
+
+    %p
+      = _('There are several rate limits in place to protect the system.')
+    .table-responsive
+      %table
+        %thead
+          %tr
+            %th= _('Rate limit')
+            %th= _('Requests per period')
+            %th= _('Period in seconds')
+        %tbody
+          = render 'help/instance_configuration/rate_limit_row', title: _('Unauthenticated requests'), rate_limit: rate_limits[:unauthenticated], public_visible: true
+          = render 'help/instance_configuration/rate_limit_row', title: _('Authenticated API requests'), rate_limit: rate_limits[:authenticated_api]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Authenticated web requests'), rate_limit: rate_limits[:authenticated_web]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Protected Paths: requests'), rate_limit: rate_limits[:protected_paths]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Package Registry: unauthenticated API requests'), rate_limit: rate_limits[:unauthenticated_packages_api], public_visible: true
+          = render 'help/instance_configuration/rate_limit_row', title: _('Package Registry: authenticated API requests'), rate_limit: rate_limits[:authenticated_packages_api]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Issue creation requests'), rate_limit: rate_limits[:issue_creation]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Note creation requests'), rate_limit: rate_limits[:note_creation]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Project export requests'), rate_limit: rate_limits[:project_export]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Project export download requests'), rate_limit: rate_limits[:project_export_download]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Project import requests'), rate_limit: rate_limits[:project_import]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Group export requests'), rate_limit: rate_limits[:group_export]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Group export download requests'), rate_limit: rate_limits[:group_export_download]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Group import requests'), rate_limit: rate_limits[:group_import]
+          = render 'help/instance_configuration/rate_limit_row', title: _('Raw blob requests'), rate_limit: rate_limits[:raw_blob]
+    %br

locale/gitlab.pot

@@ -4689,12 +4689,18 @@ msgstr ""
 msgid "Authenticated API request rate limit"
 msgstr ""
 
+msgid "Authenticated API requests"
+msgstr ""
+
 msgid "Authenticated web rate limit period in seconds"
 msgstr ""
 
 msgid "Authenticated web request rate limit"
 msgstr ""
 
+msgid "Authenticated web requests"
+msgstr ""
+
 msgid "Authenticating"
 msgstr ""
 
@@ -15500,12 +15506,18 @@ msgstr ""
 msgid "Group export could not be started."
 msgstr ""
 
+msgid "Group export download requests"
+msgstr ""
+
 msgid "Group export error"
 msgstr ""
 
 msgid "Group export link has expired. Please generate a new export from your group settings."
 msgstr ""
 
+msgid "Group export requests"
+msgstr ""
+
 msgid "Group export started. A download link will be sent by email and made available on this page."
 msgstr ""
 
@@ -15518,6 +15530,9 @@ msgstr ""
 msgid "Group import could not be scheduled"
 msgstr ""
 
+msgid "Group import requests"
+msgstr ""
+
 msgid "Group info:"
 msgstr ""
 
@@ -18209,6 +18224,9 @@ msgstr ""
 msgid "Issue created from vulnerability %{vulnerability_link}"
 msgstr ""
 
+msgid "Issue creation requests"
+msgstr ""
+
 msgid "Issue details"
 msgstr ""
 
@@ -22511,6 +22529,9 @@ msgstr ""
 msgid "Note"
 msgstr ""
 
+msgid "Note creation requests"
+msgstr ""
+
 msgid "Note parameters are invalid: %{errors}"
 msgstr ""
 
@@ -23307,6 +23328,12 @@ msgstr ""
 msgid "Package Registry Rate Limits"
 msgstr ""
 
+msgid "Package Registry: authenticated API requests"
+msgstr ""
+
+msgid "Package Registry: unauthenticated API requests"
+msgstr ""
+
 msgid "Package already exists"
 msgstr ""
 
@@ -23940,6 +23967,9 @@ msgstr ""
 msgid "PerformanceBar|Trace"
 msgstr ""
 
+msgid "Period in seconds"
+msgstr ""
+
 msgid "Permanently delete project"
 msgstr ""
 
@@ -25518,6 +25548,9 @@ msgstr ""
 msgid "Project export could not be deleted."
 msgstr ""
 
+msgid "Project export download requests"
+msgstr ""
+
 msgid "Project export enabled"
 msgstr ""
 
@@ -25527,12 +25560,18 @@ msgstr ""
 msgid "Project export link has expired. Please generate a new export from your project settings."
 msgstr ""
 
+msgid "Project export requests"
+msgstr ""
+
 msgid "Project export started. A download link will be sent by email and made available on this page."
 msgstr ""
 
 msgid "Project has too many %{label_for_message} to search"
 msgstr ""
 
+msgid "Project import requests"
+msgstr ""
+
 msgid "Project info:"
 msgstr ""
 
@@ -26625,6 +26664,9 @@ msgstr ""
 msgid "Protected Paths"
 msgstr ""
 
+msgid "Protected Paths: requests"
+msgstr ""
+
 msgid "Protected Tag"
 msgstr ""
 
@@ -27003,9 +27045,18 @@ msgstr ""
 msgid "Random"
 msgstr ""
 
+msgid "Rate Limits"
+msgstr ""
+
+msgid "Rate limit"
+msgstr ""
+
 msgid "Raw blob request rate limit per minute"
 msgstr ""
 
+msgid "Raw blob requests"
+msgstr ""
+
 msgid "Re-authentication period expired or never requested. Please try again"
 msgstr ""
 
@@ -27921,6 +27972,9 @@ msgstr ""
 msgid "Requests Profiles"
 msgstr ""
 
+msgid "Requests per period"
+msgstr ""
+
 msgid "Requests to these domain(s)/address(es) on the local network will be allowed when local requests from hooks and services are not allowed. IP ranges such as 1:0:0:0:0:0:0:0/124 or 127.0.0.0/28 are supported. Domain wildcards are not supported currently. Use comma, semicolon, or newline to separate multiple entries. The allowlist can hold a maximum of 1000 entries. Domains should use IDNA encoding. Ex: example.com, 192.168.1.1, 127.0.0.0/28, xn--itlab-j1a.com."
 msgstr ""
 
@@ -33199,6 +33253,9 @@ msgstr ""
 msgid "There are running deployments on the environment. Please retry later."
 msgstr ""
 
+msgid "There are several rate limits in place to protect the system."
+msgstr ""
+
 msgid "There is a halted Elasticsearch migration"
 msgstr ""
 
@@ -35155,6 +35212,9 @@ msgstr ""
 msgid "Unauthenticated request rate limit"
 msgstr ""
 
+msgid "Unauthenticated requests"
+msgstr ""
+
 msgid "Undo"
 msgstr ""
 

spec/models/instance_configuration_spec.rb

@@ -96,6 +96,60 @@ RSpec.describe InstanceConfiguration do
           expect(gitlab_ci[:artifacts_max_size][:value]).to eq(200.megabytes)
         end
       end
+
+      describe '#rate_limits' do
+        before do
+          Gitlab::CurrentSettings.current_application_settings.update!(
+            throttle_unauthenticated_enabled: false,
+            throttle_unauthenticated_requests_per_period: 1001,
+            throttle_unauthenticated_period_in_seconds: 1002,
+            throttle_authenticated_api_enabled: true,
+            throttle_authenticated_api_requests_per_period: 1003,
+            throttle_authenticated_api_period_in_seconds: 1004,
+            throttle_authenticated_web_enabled: true,
+            throttle_authenticated_web_requests_per_period: 1005,
+            throttle_authenticated_web_period_in_seconds: 1006,
+            throttle_protected_paths_enabled: true,
+            throttle_protected_paths_requests_per_period: 1007,
+            throttle_protected_paths_period_in_seconds: 1008,
+            throttle_unauthenticated_packages_api_enabled: false,
+            throttle_unauthenticated_packages_api_requests_per_period: 1009,
+            throttle_unauthenticated_packages_api_period_in_seconds: 1010,
+            throttle_authenticated_packages_api_enabled: true,
+            throttle_authenticated_packages_api_requests_per_period: 1011,
+            throttle_authenticated_packages_api_period_in_seconds: 1012,
+            issues_create_limit: 1013,
+            notes_create_limit: 1014,
+            project_export_limit: 1015,
+            project_download_export_limit: 1016,
+            project_import_limit: 1017,
+            group_export_limit: 1018,
+            group_download_export_limit: 1019,
+            group_import_limit: 1020,
+            raw_blob_request_limit: 1021
+          )
+        end
+
+        it 'returns rate limits from application settings' do
+          rate_limits = subject.settings[:rate_limits]
+
+          expect(rate_limits[:unauthenticated]).to eq({ enabled: false, requests_per_period: 1001, period_in_seconds: 1002 })
+          expect(rate_limits[:authenticated_api]).to eq({ enabled: true, requests_per_period: 1003, period_in_seconds: 1004 })
+          expect(rate_limits[:authenticated_web]).to eq({ enabled: true, requests_per_period: 1005, period_in_seconds: 1006 })
+          expect(rate_limits[:protected_paths]).to eq({ enabled: true, requests_per_period: 1007, period_in_seconds: 1008 })
+          expect(rate_limits[:unauthenticated_packages_api]).to eq({ enabled: false, requests_per_period: 1009, period_in_seconds: 1010 })
+          expect(rate_limits[:authenticated_packages_api]).to eq({ enabled: true, requests_per_period: 1011, period_in_seconds: 1012 })
+          expect(rate_limits[:issue_creation]).to eq({ enabled: true, requests_per_period: 1013, period_in_seconds: 60 })
+          expect(rate_limits[:note_creation]).to eq({ enabled: true, requests_per_period: 1014, period_in_seconds: 60 })
+          expect(rate_limits[:project_export]).to eq({ enabled: true, requests_per_period: 1015, period_in_seconds: 60 })
+          expect(rate_limits[:project_export_download]).to eq({ enabled: true, requests_per_period: 1016, period_in_seconds: 60 })
+          expect(rate_limits[:project_import]).to eq({ enabled: true, requests_per_period: 1017, period_in_seconds: 60 })
+          expect(rate_limits[:group_export]).to eq({ enabled: true, requests_per_period: 1018, period_in_seconds: 60 })
+          expect(rate_limits[:group_export_download]).to eq({ enabled: true, requests_per_period: 1019, period_in_seconds: 60 })
+          expect(rate_limits[:group_import]).to eq({ enabled: true, requests_per_period: 1020, period_in_seconds: 60 })
+          expect(rate_limits[:raw_blob]).to eq({ enabled: true, requests_per_period: 1021, period_in_seconds: 60 })
+        end
+      end
     end
   end