
Auto-ban users exceeding project downloads limit within a time period

Eugie Limpin requested to merge anti_abuse/ban_on_excessive_project_fetch into master

What does this MR do?

This MR implements requirement 5 of https://gitlab.com/groups/gitlab-org/-/epics/8066.

This MR introduces a service that auto-bans a user and alerts instance admins via email (implemented in !88057 (merged)) when the user downloads projects (i.e. git clone/fetch/pull) that exceed the set limit and interval.

This feature is only available with an Ultimate plan.
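To make the ban rule concrete, here is an added example of the decision logic described above: a small in-memory model that counts a user's project downloads inside a sliding window and bans the user once the count exceeds the configured limit. This is illustrative code written for this description, not the MR's or GitLab's implementation; the class name ProjectDownloadThrottle, the record_download method and the on_ban callback (standing in for the admin alert email) are assumptions, as is the choice to count distinct projects within the window.

```ruby
# Added example: a minimal in-memory model of the auto-ban check described in
# this MR. Illustrative code only, not GitLab's implementation. The names
# ProjectDownloadThrottle, record_download and on_ban are assumptions for this
# example, and counting *distinct* projects inside the window is an assumption
# about what a "download" is, not something the MR text states.
require 'set'

class ProjectDownloadThrottle
  Download = Struct.new(:project_id, :at)

  # max_downloads mirrors max_number_of_repository_downloads and
  # time_period_seconds mirrors
  # max_number_of_repository_downloads_within_time_period (both in
  # ApplicationSetting). on_ban is called with the user id when a ban is
  # applied, which is the point where GitLab would email instance admins.
  def initialize(max_downloads:, time_period_seconds:, on_ban: nil)
    @max_downloads = max_downloads
    @time_period_seconds = time_period_seconds
    @on_ban = on_ban
    @downloads = Hash.new { |h, k| h[k] = [] } # user_id => [Download, ...]
    @banned = Set.new
  end

  def banned?(user_id)
    @banned.include?(user_id)
  end

  # Records one clone/fetch/pull of project_id by user_id at time `now`
  # (seconds). Returns :allowed when the download may proceed and :banned when
  # the user is, or has just been, banned, i.e. the case that surfaces as the
  # "You are not allowed to download code from this project" error.
  def record_download(user_id, project_id, now)
    return :banned if banned?(user_id)

    history = @downloads[user_id]
    history << Download.new(project_id, now)
    # Drop events that have fallen out of the sliding window.
    history.reject! { |d| now - d.at > @time_period_seconds }

    distinct_projects = history.map(&:project_id).uniq.size
    return :allowed if distinct_projects <= @max_downloads

    ban(user_id)
    :banned
  end

  private

  def ban(user_id)
    @banned << user_id
    @on_ban&.call(user_id)
  end
end

# Constructed walk-through mirroring the "Validate" steps below: limit 1,
# window 300 s, two different projects cloned by root within the window.
if __FILE__ == $PROGRAM_NAME
  alerts = []
  throttle = ProjectDownloadThrottle.new(max_downloads: 1, time_period_seconds: 300,
                                         on_ban: ->(uid) { alerts << uid })
  puts throttle.record_download('root', 'flightjs/Flight', 0)          # allowed
  puts throttle.record_download('root', 'gitlab-org/gitlab-shell', 20) # banned
  puts "admin alerts sent: #{alerts.inspect}"
end
```

The sliding window is what makes the setting pair meaningful: a download of a second project 400 seconds after the first no longer counts against a 300 second window, while a repeated fetch of the same project does not add a second distinct project. Once banned, every later download attempt by that user is refused until the ban is lifted.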

Why?

Please see https://gitlab.com/groups/gitlab-org/-/epics/8066 (confidential) for the rationale behind this feature.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Set up

  1. Ensure you are running GDK with an Ultimate license. The following command should log true if this is set up correctly:

    echo "License.feature_available?(:git_abuse_rate_limit)" | rails c
  2. Turn on the relevant feature flags:

    echo "Feature.enable(:git_abuse_rate_limit_feature_flag)" | rails c
    echo "Feature.enable(:auto_ban_user_on_excessive_projects_download)" | rails c
  3. Ensure you have SSH keys set up to be able to clone/fetch/pull projects from your GDK instance

  4. Set max_number_of_repository_downloads and max_number_of_repository_downloads_within_time_period

    Set max_number_of_repository_downloads to 1 for easy testing and max_number_of_repository_downloads_within_time_period to 5 minutes:

    echo "ApplicationSetting.first.update(max_number_of_repository_downloads: 1, max_number_of_repository_downloads_within_time_period: 300)" | rails c

Validate

  1. Using the default GDK root user (with SSH keys properly set up), clone your first project

    git clone ssh://git@127.0.0.1:2222/flightjs/Flight.git
  2. Clone a second project to exceed the limit

    git clone ssh://git@127.0.0.1:2222/gitlab-org/gitlab-shell.git
  3. Validate that you see the following output:

    Expected output
    Cloning into 'gitlab-shell'...
    remote:
    remote: ========================================================================
    remote:
    remote: ERROR: You are not allowed to download code from this project.
    
    remote:
    remote: ========================================================================
    remote:
    fatal: Could not read from remote repository.
    
    Please make sure you have the correct access rights
    and the repository exists.
  4. Validate that the alert email has been sent. Go to http://localhost:3000/rails/letter_opener and look for the sent email, which should look like this:

    [screenshot: Screen_Shot_2022-06-23_at_1.26.16_PM]
  5. Validate that the root user has been banned. The following command should log true:

    echo "User.find_by_username('root').banned?" | rails c

    Make sure to undo the ban on root:

    echo "User.find_by_username('root').unban" | rails c

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
