Merge branch '338903_enable_files_api_throttling_by_default' into 'master'

Add throttling configuration for Files API endpoints

See merge request gitlab-org/gitlab!75918

app/views/admin/application_settings/network.html.haml

@@ -37,8 +37,7 @@
   .settings-content
     = render partial: 'network_rate_limits', locals: { anchor: 'js-packages-limits-settings', setting_fragment: 'packages_api' }
 
-- if Feature.enabled?(:files_api_throttling, default_enabled: :yaml)
-  %section.settings.as-files-limits.no-animate#js-files-limits-settings{ class: ('expanded' if expanded_by_default?) }
+%section.settings.as-files-limits.no-animate#js-files-limits-settings{ class: ('expanded' if expanded_by_default?) }
   .settings-header
     %h4
       = _('Files API Rate Limits')

config/feature_flags/development/files_api_throttling.yml

----
-name: files_api_throttling
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68560
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/338903
-milestone: '14.3'
-type: development
-group: group::source code
-default_enabled: false

doc/administration/instance_limits.md

@@ -88,12 +88,8 @@ requests per user. For more information, read
 
 ### Files API
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3.
-
-FLAG:
-On self-managed GitLab, by default this feature is not available. To make it available,
-ask an administrator to [enable the `files_api_throttling` flag](../administration/feature_flags.md). On GitLab.com, this feature is available but can be configured by GitLab.com administrators only.
-The feature is not ready for production use.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3 [with a flag](../administration/feature_flags.md) named `files_api_throttling`. Disabled by default.
+> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75918) in GitLab 14.6. [Feature flag `files_api_throttling`](https://gitlab.com/gitlab-org/gitlab/-/issues/338903) removed.
 
 This setting limits the request rate on the Packages API per user or IP address. For more information, read
 [Files API rate limits](../user/admin_area/settings/files_api_rate_limits.md).

doc/user/admin_area/settings/files_api_rate_limits.md

@@ -7,13 +7,8 @@ type: reference
 
 # Files API rate limits **(FREE SELF)**
 
-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3.
-
-FLAG:
-On self-managed GitLab, by default this feature is not available. To make it
-available, ask an administrator to [enable the `files_api_throttling` flag](../../../administration/feature_flags.md).
-On GitLab.com, this feature is available but can be configured by GitLab.com
-administrators only. The feature is not ready for production use.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/68561) in GitLab 14.3.
+> - [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/75918) in GitLab 14.6. [Feature flag files_api_throttling](https://gitlab.com/gitlab-org/gitlab/-/issues/338903) removed.
 
 The [Repository files API](../../../api/repository_files.md) enables you to
 fetch, create, update, and delete files in your repository. To improve the security
@@ -29,10 +24,9 @@ the general user and IP rate limits for requests to the
 and IP rate limits already in place, and increase or decrease the rate limits
 for the Files API. No other new features are provided by this override.
 
-Prerequisites:
+Prerequisite:
 
 - You must have the Administrator role for your instance.
-- The `files_api_throttling` feature flag must be enabled.
 
 To override the general user and IP rate limits for requests to the Repository files API:
 

lib/gitlab/rack_attack/request.rb

@@ -139,14 +139,12 @@ module Gitlab
 
       def throttle_unauthenticated_files_api?
         files_api_path? &&
-        Feature.enabled?(:files_api_throttling, default_enabled: :yaml) &&
         Gitlab::Throttle.settings.throttle_unauthenticated_files_api_enabled &&
         unauthenticated?
       end
 
       def throttle_authenticated_files_api?
         files_api_path? &&
-        Feature.enabled?(:files_api_throttling, default_enabled: :yaml) &&
         Gitlab::Throttle.settings.throttle_authenticated_files_api_enabled
       end
 

spec/requests/rack_attack_global_spec.rb

@@ -720,19 +720,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
           expect_rejection { do_request }
         end
 
-        context 'when feature flag is off' do
-          before do
-            stub_feature_flags(files_api_throttling: false)
-          end
-
-          it 'allows requests over the rate limit' do
-            (1 + requests_per_period).times do
-              do_request
-              expect(response).to have_gitlab_http_status(:ok)
-            end
-          end
-        end
-
         context 'when unauthenticated api throttle is lower' do
           before do
             settings_to_set[:throttle_unauthenticated_api_requests_per_period] = 0
@@ -817,19 +804,6 @@ RSpec.describe 'Rack Attack global throttles', :use_clean_rails_memory_store_cac
               expect_rejection { do_request }
             end
           end
-
-          context 'when feature flag is off' do
-            before do
-              stub_feature_flags(files_api_throttling: false)
-            end
-
-            it 'allows requests over the rate limit' do
-              (1 + requests_per_period).times do
-                do_request
-                expect(response).to have_gitlab_http_status(:ok)
-              end
-            end
-          end
         end
 
         context 'when authenticated files api throttle is disabled' do