[3/5] Apply throttling settings for unauthenticated API requests
What does this MR do?
This applies the new rate limit settings for unauthenticated API requests, and restricts the previous general rate limit for unauthenticated requests to web requests.
Issue: #335300 (closed)
Roadmap
- Rename attributes for unauthenticated rate limit: !69543 (merged)
- Add columns for unauthenticated API rate limit: !69384 (merged)
- Apply unauthenticated API rate limit in Rack Attack configuration: 👈 This MR
- Update settings form in admin area: !69486 (merged)
- Documentation update: !69487 (merged)
Manual QA
- Enable unauthenticated web and API rate limits via gdk psql (admin UI will follow in the next MR, should have put that one first 🤦). Note: The period is set to 10 seconds, so you might need to wait a bit between tests.
  update application_settings set throttle_unauthenticated_enabled = true, throttle_unauthenticated_period_in_seconds = 10, throttle_unauthenticated_requests_per_period = 2, throttle_unauthenticated_api_enabled = true, throttle_unauthenticated_api_period_in_seconds = 10, throttle_unauthenticated_api_requests_per_period = 2;
- Observe the rate limit kick in for API requests:
  $ for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects; done
  200
  200
  429
- Observe web requests getting rate limited separately from API requests:
  $ for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects; done; for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/users/sign_in; done
  200
  200
  429
  200
  200
  429
Packages API
- Observe Packages API getting rate limited with the general API rate limit as well (since we didn't enable the Packages API rate limit):
  $ for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects; done; for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects/gitlab-org%2Fgitlab-test/packages/foo; done
  200
  200
  429
  429
  429
  429
- Enable the Packages API rate limit via gdk psql:
  update application_settings set throttle_unauthenticated_packages_api_enabled = true, throttle_unauthenticated_packages_api_period_in_seconds = 10, throttle_unauthenticated_packages_api_requests_per_period = 2;
- Observe Packages API getting rate limited separately:
  - Note: The 404 is expected since the package doesn't actually exist 😀
  $ for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects; done; for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects/gitlab-org%2Fgitlab-test/packages/foo; done
  200
  200
  429
  404
  404
  429
Files API
- Observe Files API getting rate limited with the general API rate limit as well (since we didn't enable the Files API rate limit):
  $ for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects; done; for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects/gitlab-org%2Fgitlab-test/repository/files/foo; done
  200
  200
  429
  429
  429
  429
- Enable the Files API rate limit via gdk psql:
  update application_settings set throttle_unauthenticated_files_api_enabled = true, throttle_unauthenticated_files_api_period_in_seconds = 10, throttle_unauthenticated_files_api_requests_per_period = 2;
- Observe Files API getting rate limited separately:
  - Note: The 400 is expected since the package doesn't actually exist 😀
  $ for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects; done; for i in $(seq 1 3); do curl -s -o /dev/null -w '%{http_code}\n' http://localhost:3000/api/v4/projects/gitlab-org%2Fgitlab-test/repository/files/foo; done
  200
  200
  429
  400
  400
  429
- Restore default settings via gdk psql:
  update application_settings set throttle_unauthenticated_enabled = false, throttle_unauthenticated_period_in_seconds = 3600, throttle_unauthenticated_requests_per_period = 3600, throttle_unauthenticated_api_enabled = false, throttle_unauthenticated_api_period_in_seconds = 3600, throttle_unauthenticated_api_requests_per_period = 3600, throttle_unauthenticated_packages_api_enabled = false, throttle_unauthenticated_packages_api_period_in_seconds = 15, throttle_unauthenticated_packages_api_requests_per_period = 800, throttle_unauthenticated_files_api_enabled = false, throttle_unauthenticated_files_api_period_in_seconds = 15, throttle_unauthenticated_files_api_requests_per_period = 125;
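The bucket selection the QA steps above exercise, as an added Ruby model that is not GitLab's own Rack::Attack code: the `Settings` struct, path regexes and `qa_settings` values are assumptions that mirror the throttle names and the 2-per-10-seconds limits used in the manual QA.

```ruby
# Constructed model (not GitLab's own Rack::Attack code) of how a request is
# routed to one of the unauthenticated throttles and counted in a fixed window.
class UnauthenticatedThrottles
  Settings = Struct.new(:web_enabled, :web_limit, :web_period, :api_enabled, :api_limit, :api_period,
                        :packages_api_enabled, :packages_api_limit, :packages_api_period,
                        :files_api_enabled, :files_api_limit, :files_api_period, keyword_init: true)

  PACKAGES_API = %r{\A/api/v4/projects/[^/]+/packages/}
  FILES_API    = %r{\A/api/v4/projects/[^/]+/repository/files/}
  API          = %r{\A/api/}

  # The values used in the manual QA above: 2 requests per 10 s per throttle.
  def self.qa_settings(packages_api_enabled: false, files_api_enabled: false)
    Settings.new(web_enabled: true, web_limit: 2, web_period: 10,
                 api_enabled: true, api_limit: 2, api_period: 10,
                 packages_api_enabled: packages_api_enabled, packages_api_limit: 2, packages_api_period: 10,
                 files_api_enabled: files_api_enabled, files_api_limit: 2, files_api_period: 10)
  end

  def initialize(settings)
    @settings = settings
    @counts = Hash.new(0) # [throttle, ip, window] => requests seen
  end

  # A dedicated packages/files throttle only takes effect when enabled; otherwise
  # those paths count against the general API throttle. Paths outside /api are
  # web requests with their own throttle, so the two buckets never share a count.
  def throttle_for(path)
    return :packages_api if @settings.packages_api_enabled && path.match?(PACKAGES_API)
    return :files_api    if @settings.files_api_enabled && path.match?(FILES_API)
    return(@settings.api_enabled ? :api : nil) if path.match?(API)
    @settings.web_enabled ? :web : nil
  end

  # :allowed or :throttled (HTTP 429) for one request; the window is keyed by
  # period epoch, the same fixed-window scheme Rack::Attack's throttle uses.
  def request(ip, path, now: Time.now.to_i)
    throttle = throttle_for(path)
    return :allowed unless throttle
    key = [throttle, ip, now / @settings["#{throttle}_period"]]
    (@counts[key] += 1) > @settings["#{throttle}_limit"] ? :throttled : :allowed
  end

  # Replay a sequence of paths from one client inside one window.
  def simulate(paths, ip: '127.0.0.1', now: 0)
    paths.map { |path| request(ip, path, now: now) }
  end
end
```

The 404/400 codes in the QA output come from the application after the throttle let the request through; the model only decides between the throttled and allowed outcomes.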
Does this MR meet the acceptance criteria?
Conformity
- I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- [-] I have added/updated documentation, or it's not needed. (Is documentation required?)
- [-] I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
- [-] I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
- [-] I have tested this MR in all supported browsers, or it's not needed.
- [-] I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Related to #335300 (closed)
Edited by Markus Koller