
Create a new Abuse::GitAbuse::NamespaceThrottleService

What does this MR do and why?

  • Creates a new Abuse::GitAbuse::NamespaceThrottleService, which throttles git_upload_pack requests based on the settings configured for the project's root_namespace
  • Runs the namespace-level and application-level throttles together; both can be configured at the same time, and either one can throttle the user.
  • Resolves https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/45

Screenshots or screen recordings

1. Configure namespace-level settings

2. Access denied when trying to clone a 2nd repo within 10 minutes

3. Notification email to namespace admin

How to set up and validate locally

Namespace-level git rate limits

  1. Enable the feature flags:

       bundle exec rails c
       > Feature.enable(:limit_unique_project_downloads_per_namespace_user)
       > Feature.enable(:auto_ban_user_on_namespace_excessive_projects_download)

  2. Navigate to http://localhost:3000/groups/gitlab-org/-/settings/reporting and configure rate limits for this top-level namespace. I would recommend setting Number of projects = 1 and Interval = 600. This means you will only be allowed to clone 1 repo in a 10 minute period.

  3. Then, try to clone 2 repos from projects that exist inside the gitlab-org namespace:

       > git clone http://127.0.0.1:3000/gitlab-org/gitlab-shell.git
       .. cloned

       > git clone http://127.0.0.1:3000/gitlab-org/gitlab-test.git
       .. fatal: unable to access 'http://127.0.0.1:3000/gitlab-org/gitlab-shell.git/': The requested URL returned error: 403

  4. Lastly (wait a minute for this step), navigate to http://localhost:3000/rails/letter_opener and you should see an email with the subject line We've detected unusual activity. This email notifies the namespace admin that a user has exceeded the rate limits they set for the namespace.

  5. The user should also now be banned from the namespace.
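To make the behaviour being validated above concrete, here is an added, self-contained model of the throttle (example code written for this page, not the MR's own service or GitLab's real API; the class names, the `execute` signature and the in-memory ban and notification stores are hypothetical). It keeps, per user, a sliding window of distinct projects downloaded from each root namespace, runs the namespace-level and application-level limits on the same request so that either one can deny it, and, when the namespace limit trips, records a notification for the namespace admin and bans the user from that namespace. The `demo` method replays the 1-project-per-600-seconds scenario from the validation steps.

```ruby
# Added example, not GitLab's code: a sliding-window throttle on the number of
# distinct projects a user may download per interval, evaluated at both the
# root-namespace level and the application level. Names are hypothetical.
require 'set'

class UniqueDownloadThrottle
  # limit: distinct projects allowed per user inside a window of `interval` seconds
  def initialize(limit:, interval:)
    @limit = limit
    @interval = interval
    @events = Hash.new { |h, k| h[k] = [] } # user_id => [[timestamp, project_id], ...]
  end

  # Returns true when downloading project_id would exceed the limit for user_id.
  # Only allowed downloads are recorded, so a denied request does not consume
  # budget, and a repeat clone of an already-counted project stays allowed.
  def throttled?(user_id, project_id, now)
    events = @events[user_id]
    events.reject! { |t, _| t <= now - @interval } # drop entries outside the window
    seen = events.map(&:last).to_set
    return false if seen.include?(project_id)
    return true if seen.size >= @limit

    events << [now, project_id]
    false
  end
end

class NamespaceThrottleService
  Result = Struct.new(:allowed, :reasons)

  # app_settings: {limit:, interval:} or nil (application-level limit)
  # namespace_settings: {root_namespace => {limit:, interval:}} (per top-level namespace)
  def initialize(app_settings: nil, namespace_settings: {}, auto_ban: true)
    @app = app_settings && UniqueDownloadThrottle.new(**app_settings)
    @namespaces = namespace_settings.transform_values { |s| UniqueDownloadThrottle.new(**s) }
    @auto_ban = auto_ban
    @banned = Hash.new { |h, k| h[k] = Set.new } # root_namespace => banned user_ids
    @notifications = []                          # stands in for the admin email
  end

  attr_reader :notifications

  def banned?(root_namespace, user_id)
    @banned[root_namespace].include?(user_id)
  end

  # Evaluate one git_upload_pack request. Both throttles run; either can deny.
  def execute(user_id:, root_namespace:, project_id:, now:)
    return Result.new(false, [:banned]) if banned?(root_namespace, user_id)

    reasons = []
    reasons << :application_limit if @app&.throttled?(user_id, project_id, now)

    ns = @namespaces[root_namespace]
    if ns&.throttled?(user_id, project_id, now)
      reasons << :namespace_limit
      @notifications << { namespace: root_namespace, user: user_id,
                          subject: "We've detected unusual activity" }
      @banned[root_namespace] << user_id if @auto_ban
    end

    Result.new(reasons.empty?, reasons)
  end
end

# Replays the validation scenario: 1 project per 600 s in gitlab-org, with a
# looser application-wide limit. Timestamps are constructed sample values.
def demo
  service = NamespaceThrottleService.new(
    app_settings: { limit: 5, interval: 600 },
    namespace_settings: { 'gitlab-org' => { limit: 1, interval: 600 } }
  )
  t0 = 1_700_000_000
  first  = service.execute(user_id: 42, root_namespace: 'gitlab-org', project_id: 'gitlab-shell', now: t0)
  second = service.execute(user_id: 42, root_namespace: 'gitlab-org', project_id: 'gitlab-test', now: t0 + 30)
  third  = service.execute(user_id: 42, root_namespace: 'gitlab-org', project_id: 'gitlab-shell', now: t0 + 60)
  [first, second, third, service]
end

if __FILE__ == $PROGRAM_NAME
  first, second, third, service = demo
  puts "first clone allowed:  #{first.allowed}"
  puts "second clone allowed: #{second.allowed} (#{second.reasons.join(', ')})"
  puts "third clone allowed:  #{third.allowed} (#{third.reasons.join(', ')})"
  puts "notifications sent:   #{service.notifications.size}"
end
```

Two design points worth noting: the window counts distinct projects rather than raw requests, so re-cloning the same repository does not burn budget, and a denied request is not recorded, so being throttled cannot itself extend the throttle. With `auto_ban` on, the third request in `demo` is refused for being banned rather than for the rate limit, which mirrors step 5 above.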

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hinam Mehra
