Include repo archiving via UI and API in projects download throttling
Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/65
What does this MR do and why?
Previously, users were banned (from the application or from a namespace) only when they exceeded the project download threshold by cloning over SSH or HTTP. This MR applies the same restriction when users download repository archives via the UI or the API, so archive downloads count toward the same limit and trigger the same ban.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Validate user is banned from the application when exceeding projects download threshold

- Ensure you are running GDK with an Ultimate license. The following command should log `true` if this is set up correctly:

  ```shell
  echo "License.feature_available?(:git_abuse_rate_limit)" | rails c
  ```

- Turn on the following feature flags:

  ```shell
  $ rails console
  > Feature.enable(:git_abuse_rate_limit_feature_flag)
  > Feature.enable(:auto_ban_user_on_excessive_projects_download)
  ```

- Using an admin user (`root`), set the application settings for the feature:

  ```shell
  $ rails console
  > ApplicationSetting.first.update({ max_number_of_repository_downloads: 1, max_number_of_repository_downloads_within_time_period: 300, auto_ban_user_on_excessive_projects_download: true })
  ```

- Create a private top-level group and two projects under the group.
- Add a user as a developer/maintainer to the group.
- Using the developer/maintainer user from the previous step, download an archive of the first project.
- Validate that the download works as expected.
- Download an archive of the second project.
- Validate that the download does not work (the user is banned at this point).
- Validate that the user is banned. Refreshing the project page should sign the user out, and a message is shown on the login page.
- Using the admin user (`root`), unban the user.
- Using the developer/maintainer user, create a personal access token with `api` scope.
- In a command line, download an archive of the first project (fill in `<your_access_token>` and `<project_1_id>` with the correct values):

  ```shell
  curl -H 'Cache-Control: no-cache' --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/projects/<project_1_id>/repository/archive" --output -
  ```

- Validate that the download works as expected. Because `--output -` writes the compressed archive to stdout, you should see some gibberish in your command line like `�kO�H���+������A�4p�A�"�PA�`.
- Download an archive of the second project (fill in `<your_access_token>` and `<project_2_id>` with the correct values):

  ```shell
  curl -H 'Cache-Control: no-cache' --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/projects/<project_2_id>/repository/archive" --output -
  ```

- Validate that the download does not work. You should see:

  ```json
  {"message":"403 Forbidden - You are not allowed to download code from this project."}
  ```

- Using the admin user (`root`), validate that the user is banned.
Validate user is banned from a namespace when exceeding projects download threshold

- Turn off the feature flag for application-wide projects download throttling; otherwise it takes precedence over the namespace-level limit:

  ```shell
  $ rails console
  > Feature.disable(:git_abuse_rate_limit_feature_flag)
  ```

- Turn on the following feature flag:

  ```shell
  $ rails console
  > Feature.enable(:limit_unique_project_downloads_per_namespace_user)
  ```

- Using a normal (non-admin) user (`owner`), create a private top-level group and two projects under the group.
- As `owner`, set the settings for the feature. Go to the group's page -> Settings -> Reporting.
- Add a user (`user`) as a developer/maintainer to the group.
- Using `user` from the previous step, download an archive of the first project.
- Validate that the download works as expected.
- Download an archive of the second project.
- Validate that the download does not work (the user is banned at this point).
- Validate that the user is banned from the namespace. Refreshing the project page returns 404.
- Using `owner`, validate that the user is banned from the namespace.
- Using `owner`, unban the user.
- Using `user`, create a personal access token with `api` scope.
- In a command line, download an archive of the first project (fill in `<your_access_token>` and `<project_1_id>` with the correct values):

  ```shell
  curl -H 'Cache-Control: no-cache' --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/projects/<project_1_id>/repository/archive" --output -
  ```

- Validate that the download works as expected. Because `--output -` writes the compressed archive to stdout, you should see some gibberish in your command line like `�kO�H���+������A�4p�A�"�PA�`.
- Download an archive of the second project (fill in `<your_access_token>` and `<project_2_id>` with the correct values):

  ```shell
  curl -H 'Cache-Control: no-cache' --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/projects/<project_2_id>/repository/archive" --output -
  ```

- Validate that the download does not work. You should see:

  ```json
  {"message":"403 Forbidden - You are not allowed to download code from this project."}
  ```

- Using `owner`, validate that the user is banned.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.