Add project download limit and support updating settings via API

What does this MR do and why?

Related to https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/36.

This MR introduces the following changes:

  1. Adds unique_project_download_limit_allowlist column to namespace_settings table. This will store an array of usernames that group owners can set to exclude specific users from unique project download limiting in top-level groups.
  2. Updates the Update group API endpoint to allow top-level group owners to set values for unique project download limiting. The settings are as follows:
    • unique_project_download_limit
    • unique_project_download_limit_interval
    • unique_project_download_limit_allowlist

DB Migrations

20220718083945_add_unique_project_download_limit_allowlist_to_namespace_settings

db:migrate

main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: migrating
main: -- add_column(:namespace_settings, :unique_project_download_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main:    -> 0.0072s
main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: migrated (0.0087s)

db:rollback

main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: reverting
main: -- remove_column(:namespace_settings, :unique_project_download_limit_allowlist, :text, {:array=>true, :default=>[], :null=>false})
main:    -> 0.0121s
main: == 20220718083945 AddUniqueProjectDownloadLimitAllowlistToNamespaceSettings: reverted (0.0163s)

20220726025516_add_namespace_settings_unique_project_download_limit_allowlist_size_constraint

db:migrate

main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: migrating
main: -- transaction_open?()
main:    -> 0.0000s
main: -- current_schema()
main:    -> 0.0020s
main: -- transaction_open?()
main:    -> 0.0000s
main: -- execute("ALTER TABLE namespace_settings\nADD CONSTRAINT namespace_settings_unique_project_download_limit_allowlist_size\nCHECK ( CARDINALITY(unique_project_download_limit_allowlist) <= 100 )\nNOT VALID;\n")
main:    -> 0.0047s
main: -- current_schema()
main:    -> 0.0003s
main: -- execute("SET statement_timeout TO 0")
main:    -> 0.0004s
main: -- execute("ALTER TABLE namespace_settings VALIDATE CONSTRAINT namespace_settings_unique_project_download_limit_allowlist_size;")
main:    -> 0.0006s
main: -- execute("RESET statement_timeout")
main:    -> 0.0004s
main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: migrated (0.0273s)

db:rollback

main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: reverting
main: -- transaction_open?()
main:    -> 0.0000s
main: -- transaction_open?()
main:    -> 0.0000s
main: -- execute("ALTER TABLE namespace_settings\nDROP CONSTRAINT IF EXISTS namespace_settings_unique_project_download_limit_allowlist_size\n")
main:    -> 0.0023s
main: == 20220726025516 AddNamespaceSettingsUniqueProjectDownloadLimitAllowlistSizeConstraint: reverted (0.0179s)

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Set up

  1. Ensure you are running GDK with an Ultimate license. The following command should log true if this is set up correctly:
    echo "License.feature_available?(:unique_project_download_limit)" | rails c
  2. Turn on the feature flags:
    echo "Feature.enable(:limit_unique_project_downloads_per_namespace_user)" | rails c

Validate

  1. Create a top-level group
  2. Using the group owner as user, create a personal access token to send requests to the relevant API endpoints
  3. Validate that the setting values are returned when fetching the group via curl
    $ curl --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/groups/<your_group_id>"
    {"id":"<your_group_id>", ... "unique_project_download_limit":1,"unique_project_download_limit_interval_in_seconds":2,"unique_project_download_limit_allowlist":["a_username"]}
  4. Validate that the setting values can be updated
    curl --request PUT --header "PRIVATE-TOKEN: <your_access_token>" "http://localhost:3000/api/v4/groups/<your_group_id>?unique_project_download_limit=1&unique_project_download_limit_interval_in_seconds=2&unique_project_download_limit_allowlist[]=a_username"
    {"id":"<your_group_id>", ... "unique_project_download_limit":1,"unique_project_download_limit_interval_in_seconds":2,"unique_project_download_limit_allowlist":["a_username"]}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Mayra Cabrera
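
How the three settings from this MR could interact at enforcement time, as an added Ruby sketch that is not GitLab's implementation or code from this MR. It assumes the limit is the number of distinct projects one user may download within a sliding interval and that events arrive in time order; the class, method and sample event names are hypothetical.

```ruby
require 'set'

# Illustrative model only (assumption: limit = distinct projects per user
# inside a sliding window of interval_in_seconds).
class UniqueDownloadLimiter
  MAX_ALLOWLIST_SIZE = 100 # mirrors the CARDINALITY(...) <= 100 check constraint

  def initialize(limit:, interval_in_seconds:, allowlist: [])
    raise ArgumentError, 'allowlist exceeds 100 entries' if allowlist.size > MAX_ALLOWLIST_SIZE

    @limit = limit
    @interval = interval_in_seconds
    @allowlist = allowlist.to_set
    @downloads = Hash.new { |h, k| h[k] = [] } # username => [[time, project_id], ...]
  end

  # Records one download; returns true when the user is now over the limit.
  def record(username, project_id, at)
    return false if @allowlist.include?(username) # allowlisted users are never limited

    events = @downloads[username]
    events << [at, project_id]
    events.reject! { |time, _| time <= at - @interval } # drop events outside the window
    events.map(&:last).uniq.size > @limit
  end
end

# Constructed sample events: [username, project_id, unix_time]
SAMPLE_EVENTS = [
  ['alice', 1, 0], ['alice', 1, 1],                  # same project twice counts once
  ['alice', 2, 2], ['alice', 3, 3],                  # third distinct project within 10s
  ['bot',   1, 0], ['bot',   2, 1], ['bot', 3, 2],   # same pattern, but allowlisted below
  ['carol', 1, 0], ['carol', 2, 5], ['carol', 3, 20] # spread beyond the window
].freeze

# Returns the usernames that exceeded the limit, in the order they tripped it.
def flagged_users(events, **settings)
  limiter = UniqueDownloadLimiter.new(**settings)
  events.select { |user, project, at| limiter.record(user, project, at) }
        .map(&:first).uniq
end

p flagged_users(SAMPLE_EVENTS, limit: 2, interval_in_seconds: 10, allowlist: ['bot'])
```

Because the allowlist is a complete bypass of the limit for the listed usernames, changes to it are worth the same audit attention as changes to the limit itself.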