Add project download limit and support updating settings via API
What does this MR do and why?
Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/36.
This MR introduces the following changes:
- Adds unique_project_download_limit_allowlist column to namespace_settings table. This will store an array of usernames that group owners can set to exclude specific users from unique project download limiting in top-level groups.
- Updates the Update group API endpoint to allow top-level group owners to set values for unique project download limiting. The settings are as follows:
  - unique_project_download_limit
  - unique_project_download_limit_interval
  - unique_project_download_limit_allowlist
DB Migrations
20220718083945_add_unique_project_download_limit_allowlist_to_namespace_settings
db:migrate
main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: migrating
main: -- add_column(:namespace_settings, :unique_project_download_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main: -> 0.0072s
main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: migrated (0.0087s)
db:rollback
main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: reverting
main: -- remove_column(:namespace_settings, :unique_project_download_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main: -> 0.0121s
main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: reverted (0.0163s)
20220726025516_add_namespace_settings_unique_project_download_limit_allowlist_size_constraint
db:migrate
main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: migrating
main: -- transaction_open?()
main: -> 0.0000s
main: -- current_schema()
main: -> 0.0020s
main: -- transaction_open?()
main: -> 0.0000s
main: -- execute("ALTER TABLE namespace_settings\nADD CONSTRAINT namespace_settings_unique_project_download_limit_allowlist_size\nCHECK ( CARDINALITY(unique_project_download_limit_allowlist) <= 100 )\nNOT VALID;\n")
main: -> 0.0047s
main: -- current_schema()
main: -> 0.0003s
main: -- execute("SET statement_timeout TO 0")
main: -> 0.0004s
main: -- execute("ALTER TABLE namespace_settings VALIDATE CONSTRAINT namespace_settings_unique_project_download_limit_allowlist_size;")
main: -> 0.0006s
main: -- execute("RESET statement_timeout")
main: -> 0.0004s
main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: migrated (0.0273s)
db:rollback
main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: reverting
main: -- transaction_open?()
main: -> 0.0000s
main: -- transaction_open?()
main: -> 0.0000s
main: -- execute("ALTER TABLE namespace_settings\nDROP CONSTRAINT IF EXISTS namespace_settings_unique_project_download_limit_allowlist_size\n")
main: -> 0.0023s
main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: reverted (0.0179s)
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
Set up
- Ensure you are running GDK with an Ultimate license. The following command should log true if this is set up correctly:
    echo "License.feature_available?(:unique_project_download_limit)" | rails c
- Turn on the feature flags:
    echo "Feature.enable(:limit_unique_project_downloads_per_namespace_user)" | rails c
Validate
- Create a top-level group
- Using the group owner as user, create a personal access token to send requests to the relevant API endpoints
- Validate that the setting values are returned when fetching the group via curl
    $ curl --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/groups/<your_group_id>"
    {"id":"<your_group_id>", ... "unique_project_download_limit":1,"unique_project_download_limit_interval_in_seconds":2,"unique_project_download_limit_allowlist":["a_username"]}
- Validate that the setting values can be updated
    curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/groups/<your_group_id>?unique_project_download_limit=1&unique_project_download_limit_interval_in_seconds=2&unique_project_download_limit_allowlist[]=a_username"
    {"id":"<your_group_id>", ... "unique_project_download_limit":1,"unique_project_download_limit_interval_in_seconds":2,"unique_project_download_limit_allowlist":["a_username"]}
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Mayra Cabrera
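The validation steps above can be scripted as a drift check. The following is an added example, not part of the merge request or GitLab's own code: it compares a group API response with a desired policy and builds the corrective PUT URL, refusing an allowlist larger than the 100-entry CHECK constraint shown in the migration output. The helper names, the sample response and the policy values are assumptions made for illustration.

```ruby
require "json"
require "uri"

# Setting names as they appear in the curl examples on this page.
KEYS = %w[
  unique_project_download_limit
  unique_project_download_limit_interval_in_seconds
  unique_project_download_limit_allowlist
].freeze
ALLOWLIST_MAX = 100 # mirrors the CHECK constraint added by migration 20220726025516

# Compare a GET /groups/:id response body with the desired policy.
# Returns { key => [actual, wanted] } for every setting that differs.
def settings_drift(group_json, policy)
  group = JSON.parse(group_json)
  KEYS.each_with_object({}) do |key, drift|
    actual = group[key]
    wanted = policy.fetch(key)
    if key.end_with?("allowlist") # order and duplicates do not matter here
      actual = Array(actual).sort
      wanted = wanted.uniq.sort
    end
    drift[key] = [actual, wanted] unless actual == wanted
  end
end

# Build the PUT URL that restores the policy, refusing an allowlist the
# database constraint would reject.
def update_url(base, group_id, policy)
  allowlist = policy.fetch("unique_project_download_limit_allowlist").uniq
  if allowlist.size > ALLOWLIST_MAX
    raise ArgumentError, "allowlist has #{allowlist.size} entries, max #{ALLOWLIST_MAX}"
  end
  params = KEYS.first(2).map { |k| [k, policy.fetch(k)] }
  params += allowlist.map { |u| ["unique_project_download_limit_allowlist[]", u] }
  "#{base}/api/v4/groups/#{group_id}?#{URI.encode_www_form(params)}"
end

# Constructed sample response and policy (not captured from a real instance).
SAMPLE = '{"id":42,"unique_project_download_limit":1,' \
         '"unique_project_download_limit_interval_in_seconds":2,' \
         '"unique_project_download_limit_allowlist":["a_username"]}'
POLICY = {
  "unique_project_download_limit" => 5,
  "unique_project_download_limit_interval_in_seconds" => 2,
  "unique_project_download_limit_allowlist" => ["a_username"],
}.freeze

puts settings_drift(SAMPLE, POLICY), update_url("http://localhost:3000", 42, POLICY) if __FILE__ == $PROGRAM_NAME
```

The generated URL percent-encodes the `[]` in the allowlist parameter name, and it would be sent with the same PRIVATE-TOKEN header as the curl commands above.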