From c47ab7ea13c8e09713a791de05b33b6af349c75e Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Wed, 7 Feb 2024 22:50:42 +0530 Subject: [PATCH 01/11] Add application setting column for downstream pipeline limit Make setting accessible from UI for changing settings Add specs for the new application setting in API and model Use the new setting column value in pipeline service rate limiter Update documentation to reflect the new setting changes Changelog: added MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077 --- app/helpers/application_settings_helper.rb | 3 +- app/models/application_setting.rb | 3 +- .../application_setting_implementation.rb | 3 +- .../ci/trigger_downstream_pipeline_service.rb | 4 -- .../application_settings/_ci_cd.html.haml | 5 +++ ...e_trigger_limit_to_application_settings.rb | 10 +++++ db/schema_migrations/20240207171317 | 1 + db/structure.sql | 1 + .../settings/continuous_integration.md | 12 ++++++ doc/api/settings.md | 4 +- lib/api/settings.rb | 1 + lib/gitlab/application_rate_limiter.rb | 2 +- locale/gitlab.pot | 6 +++ spec/models/application_setting_spec.rb | 1 + spec/requests/api/settings_spec.rb | 39 ++++++++++++++++++- ...rigger_downstream_pipeline_service_spec.rb | 2 +- 16 files changed, 86 insertions(+), 11 deletions(-) create mode 100644 db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb create mode 100644 db/schema_migrations/20240207171317 diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb index 1affdd8f4339b6..2af212fd75c80b 100644 --- a/app/helpers/application_settings_helper.rb +++ b/app/helpers/application_settings_helper.rb 
@@ -514,7 +514,8 @@ def visible_attributes :ci_max_total_yaml_size_bytes, :project_jobs_api_rate_limit, :security_txt_content, - :allow_project_creation_for_guest_and_below + :allow_project_creation_for_guest_and_below, + :downstream_pipeline_trigger_limit_per_project_user_sha ].tap do |settings| next if Gitlab.com? diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 4cb918c9c8b0db..31ddfc9e26ffb3 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -597,7 +597,8 @@ def self.kroki_formats_attributes :sidekiq_job_limiter_compression_threshold_bytes, :sidekiq_job_limiter_limit_bytes, :terminal_max_session_time, - :users_get_by_id_limit + :users_get_by_id_limit, + :downstream_pipeline_trigger_limit_per_project_user_sha end jsonb_accessor :rate_limits, diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb index e0b334780371e4..ebf6922467c8c0 100644 --- a/app/models/application_setting_implementation.rb +++ b/app/models/application_setting_implementation.rb @@ -280,7 +280,8 @@ def defaults # rubocop:disable Metrics/AbcSize security_txt_content: nil, allow_project_creation_for_guest_and_below: true, enable_member_promotion_management: false, - security_approval_policies_limit: 5 + security_approval_policies_limit: 5, + downstream_pipeline_trigger_limit_per_project_user_sha: 200 }.tap do |hsh| hsh.merge!(non_production_defaults) unless Rails.env.production? end diff --git a/app/services/ci/trigger_downstream_pipeline_service.rb b/app/services/ci/trigger_downstream_pipeline_service.rb index ac95c4596b1379..4fc09fd7492882 100644 --- a/app/services/ci/trigger_downstream_pipeline_service.rb +++ b/app/services/ci/trigger_downstream_pipeline_service.rb 
@@ -3,10 +3,6 @@ module Ci # Enqueues the downstream pipeline worker. class TriggerDownstreamPipelineService - # This is a temporary constant. It may be converted into an application setting - # in the future. See https://gitlab.com/gitlab-org/gitlab/-/issues/425941. - DOWNSTREAM_PIPELINE_TRIGGER_LIMIT_PER_PROJECT_USER_SHA = 200 - def initialize(bridge) @bridge = bridge @current_user = bridge.user diff --git a/app/views/admin/application_settings/_ci_cd.html.haml b/app/views/admin/application_settings/_ci_cd.html.haml index f63a9862c13c5e..6ae9122539ea0b 100644 --- a/app/views/admin/application_settings/_ci_cd.html.haml +++ b/app/views/admin/application_settings/_ci_cd.html.haml @@ -50,6 +50,11 @@ = f.number_field :ci_max_includes, class: 'form-control gl-form-input' .form-text.text-muted = s_('AdminSettings|The maximum number of included files per pipeline.') + .form-group + = f.label :downstream_pipeline_trigger_limit_per_project_user_sha, s_('AdminSettings|Maximum downstream pipelines triggered per project per user'), class: 'label-bold' + = f.number_field :downstream_pipeline_trigger_limit_per_project_user_sha, class: 'form-control gl-form-input' + .form-text.text-muted + = s_('AdminSettings|The maximum number of downstream pipelines triggered per project per user.') .form-group = f.label :ci_config_path, _('Default CI/CD configuration file'), class: 'label-bold' = f.text_field :default_ci_config_path, class: 'form-control gl-form-input', placeholder: '.gitlab-ci.yml' diff --git a/db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb b/db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb new file mode 100644 index 00000000000000..9b16325e28bdab --- /dev/null +++ b/db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb 
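Review bot: The help text added under the new `f.number_field` in `_ci_cd.html.haml` states neither the time window nor the full scope of the limit, although the setting key ends in `_per_project_user_sha` and the limiter entry in this same patch uses `interval: 1.minute`. An administrator tuning an abuse control needs both to choose a safe value; I would word it as `s_('AdminSettings|The maximum number of downstream pipelines that can be triggered per minute by a user in a project for a given commit SHA.')`, assuming the key name reflects the limiter's real scope, which is not visible here. The same omission is in the `desc:` of the new `optional` parameter in `lib/api/settings.rb`. The field also carries no `min: 0`, so a negative entry is only caught server-side, if at all.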
@@ -0,0 +1,10 @@ +# frozen_string_literal: true + +class AddDownStreamPipelineTriggerLimitToApplicationSettings < Gitlab::Database::Migration[2.2] + milestone '16.9' + + def change + add_column :application_settings, :downstream_pipeline_trigger_limit_per_project_user_sha, + :integer, default: 200 + end +end diff --git a/db/schema_migrations/20240207171317 b/db/schema_migrations/20240207171317 new file mode 100644 index 00000000000000..5cb7f88f7d018e --- /dev/null +++ b/db/schema_migrations/20240207171317 @@ -0,0 +1 @@ +03a7f2caa935c3b3336b69e1624dbe70041453c6fdce09640373e64a8da11cc0 \ No newline at end of file diff --git a/db/structure.sql b/db/structure.sql index 008d218d43aa85..7d635c399b516b 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -12656,6 +12656,7 @@ CREATE TABLE application_settings ( enable_member_promotion_management boolean DEFAULT false NOT NULL, lock_math_rendering_limits_enabled boolean DEFAULT false NOT NULL, security_approval_policies_limit integer DEFAULT 5 NOT NULL, + downstream_pipeline_trigger_limit_per_project_user_sha integer DEFAULT 200, CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), diff --git a/doc/administration/settings/continuous_integration.md b/doc/administration/settings/continuous_integration.md index 67f5889dd61ecd..cab8197d5133b3 100644 --- a/doc/administration/settings/continuous_integration.md +++ b/doc/administration/settings/continuous_integration.md 
@@ -205,6 +205,18 @@ The default is `150`. 1. Change the value of **Maximum includes**. 1. Select **Save changes** for the changes to take effect. +## Maximum downstream pipelines triggered per project + +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9. + +Tha maximum number of [downstream pipelines](../../ci/pipelines/downstream_pipelines.md) per project per user can be set at the instance level. +The default is `200`. + +1. On the left sidebar, at the bottom, select **Admin Area**. +1. Select **Settings > CI/CD**. +1. Change the value of **Maximum downstream pipelines triggered per project per user**. +1. Select **Save changes** for the changes to take effect. + ## Default CI/CD configuration file > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/18073) in GitLab 12.5. diff --git a/doc/api/settings.md b/doc/api/settings.md index 5e2663e9fec071..d1449cc58b9a56 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md @@ -281,7 +281,8 @@ Example response: "bulk_import_max_download_file_size": 5120, "project_jobs_api_rate_limit": 600, "security_txt_content": null, - "bulk_import_concurrent_pipeline_batch_limit": 25 + "bulk_import_concurrent_pipeline_batch_limit": 25, + "downstream_pipeline_trigger_limit_per_project_user_sha": 200 } ``` 
@@ -390,6 +391,7 @@ listed in the descriptions of the relevant settings. | `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. | | `domain_denylist` | array of strings | no | Users with email addresses that match these domains **cannot** sign up. Wildcards allowed. Use separate lines for multiple entries. For example: `domain.com`, `*.domain.com`. | | `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. | +| `downstream_pipeline_trigger_limit_per_project_user_sha` | integer | no | [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9. Rate limit creation of downstream pipelines. Default: 200. | `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. | | `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. | | `ecdsa_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. | diff --git a/lib/api/settings.rb b/lib/api/settings.rb index 6ef68ccc3de638..8c542db06a74c1 100644 --- a/lib/api/settings.rb +++ b/lib/api/settings.rb 
@@ -229,6 +229,7 @@ def filter_attributes_using_license(attrs) optional :namespace_aggregation_schedule_lease_duration_in_seconds, type: Integer, desc: 'Maximum duration (in seconds) between refreshes of namespace statistics (Default: 300)' optional :project_jobs_api_rate_limit, type: Integer, desc: 'Maximum authenticated requests to /project/:id/jobs per minute' optional :security_txt_content, type: String, desc: 'Public security contact information made available at https://gitlab.example.com/.well-known/security.txt' + optional :downstream_pipeline_trigger_limit_per_project_user_sha, type: Integer, desc: 'Maximum number of downstream pipelines triggered per project' Gitlab::SSHPublicKey.supported_types.each do |type| optional :"#{type}_key_restriction", diff --git a/lib/gitlab/application_rate_limiter.rb b/lib/gitlab/application_rate_limiter.rb index 2e992e38a44c70..e13b54e40eea40 100644 --- a/lib/gitlab/application_rate_limiter.rb +++ b/lib/gitlab/application_rate_limiter.rb @@ -67,7 +67,7 @@ def rate_limits # rubocop:disable Metrics/AbcSize threshold: -> { application_settings.projects_api_rate_limit_unauthenticated }, interval: 10.minutes }, downstream_pipeline_trigger: { - threshold: -> { ::Ci::TriggerDownstreamPipelineService::DOWNSTREAM_PIPELINE_TRIGGER_LIMIT_PER_PROJECT_USER_SHA }, interval: 1.minute + threshold: -> { application_settings.downstream_pipeline_trigger_limit_per_project_user_sha }, interval: 1.minute } }.freeze end diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 65bb8ec785da09..9140634114af1e 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -3584,6 +3584,9 @@ msgstr "" msgid "AdminSettings|Limit the number of namespaces and projects that can be indexed." msgstr "" +msgid "AdminSettings|Maximum downstream pipelines triggered per project" +msgstr "" + msgid "AdminSettings|Maximum duration of a session for Git operations when 2FA is enabled." msgstr "" 
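Review bot: The new `threshold` lambda for `downstream_pipeline_trigger` returns the admin-controlled setting unchanged, so how the limiter treats `nil` or `0` now decides whether this control fails open, and the hunk neither handles nor documents either case. In this patch the backing column is declared `integer DEFAULT 200` without `NOT NULL`, and the request spec added alongside accepts `0`; a later patch in the series documents `0` as "no restriction". I would add a comment on the entry such as `# 0 disables this limit (application setting downstream_pipeline_trigger_limit_per_project_user_sha)` and confirm that a `nil` threshold cannot reach the comparison. `rate_limits` starts and ends outside the hunk.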
@@ -3743,6 +3746,9 @@ msgstr "" msgid "AdminSettings|The latest artifacts for all jobs in the most recent successful pipelines in each project are stored and do not expire." msgstr "" +msgid "AdminSettings|The maximum number of downstream pipelines triggered per project." +msgstr "" + msgid "AdminSettings|The maximum number of included files per pipeline." msgstr "" diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb index 18060d29ad52c7..8c71b2f5a681fd 100644 --- a/spec/models/application_setting_spec.rb +++ b/spec/models/application_setting_spec.rb @@ -244,6 +244,7 @@ def many_usernames(num = 100) sidekiq_job_limiter_limit_bytes terminal_max_session_time users_get_by_id_limit + downstream_pipeline_trigger_limit_per_project_user_sha ] end diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb index 01aeb88a109685..8f3b4dca3ad240 100644 --- a/spec/requests/api/settings_spec.rb +++ b/spec/requests/api/settings_spec.rb @@ -95,6 +95,7 @@ expect(json_response['max_login_attempts']).to be_nil expect(json_response['failed_login_attempts_unlock_period_in_minutes']).to be_nil expect(json_response['bulk_import_concurrent_pipeline_batch_limit']).to eq(25) + expect(json_response['downstream_pipeline_trigger_limit_per_project_user_sha']).to eq(200) end end @@ -216,7 +217,8 @@ gitlab_shell_operation_limit: 500, namespace_aggregation_schedule_lease_duration_in_seconds: 400, max_import_remote_file_size: 2, - security_txt_content: nil + security_txt_content: nil, + downstream_pipeline_trigger_limit_per_project_user_sha: 300 } expect(response).to have_gitlab_http_status(:ok) @@ -302,6 +304,7 @@ expect(json_response['bulk_import_max_download_file_size']).to be(1) expect(json_response['security_txt_content']).to be(nil) expect(json_response['bulk_import_concurrent_pipeline_batch_limit']).to be(2) + expect(json_response['downstream_pipeline_trigger_limit_per_project_user_sha']).to be(300) end end 
@@ -1023,6 +1026,40 @@ end end + context 'with downstream_pipeline_trigger_limit_per_project_user_sha' do + it 'updates the settings' do + put api("/application/settings", admin), params: { + downstream_pipeline_trigger_limit_per_project_user_sha: 200 + } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include( + 'downstream_pipeline_trigger_limit_per_project_user_sha' => 200 + ) + end + + it 'allows a zero value' do + put api("/application/settings", admin), params: { + downstream_pipeline_trigger_limit_per_project_user_sha: 0 + } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include( + 'downstream_pipeline_trigger_limit_per_project_user_sha' => 0 + ) + end + + it 'does not allow a nil value' do + put api("/application/settings", admin), params: { + downstream_pipeline_trigger_limit_per_project_user_sha: nil + } + + expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response['message']['downstream_pipeline_trigger_limit_per_project_user_sha']) + .to include(a_string_matching('is not a number')) + end + end + context 'with housekeeping enabled' do it 'at least one of housekeeping_incremental_repack_period or housekeeping_optimize_repository_period is required' do put api("/application/settings", admin), params: { diff --git a/spec/services/ci/trigger_downstream_pipeline_service_spec.rb b/spec/services/ci/trigger_downstream_pipeline_service_spec.rb index 71d6931658925f..299f765b95cd8c 100644 --- a/spec/services/ci/trigger_downstream_pipeline_service_spec.rb +++ b/spec/services/ci/trigger_downstream_pipeline_service_spec.rb 
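Review bot: The new `context 'with downstream_pipeline_trigger_limit_per_project_user_sha'` covers a positive value, zero and `nil`, but not a negative number, which is the input most likely to leave the limiter with a meaningless threshold. A later patch in this series adds `"minimum": 0` to the JSON schema, so rejection is presumably intended; pinning it in the request spec keeps that guarantee from regressing silently. I would add an example like the one below, asserting only the status because the exact validation message is not visible in this hunk.

```ruby
# … unchanged: 'updates the settings', 'allows a zero value', 'does not allow a nil value' …
it 'does not allow a negative value' do
  put api("/application/settings", admin), params: {
    downstream_pipeline_trigger_limit_per_project_user_sha: -1
  }

  expect(response).to have_gitlab_http_status(:bad_request)
end
```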
@@ -50,7 +50,7 @@ context 'when the limit is exceeded' do before do - stub_const("#{described_class.name}::DOWNSTREAM_PIPELINE_TRIGGER_LIMIT_PER_PROJECT_USER_SHA", 1) + stub_application_setting(downstream_pipeline_trigger_limit_per_project_user_sha: 1) end it 'drops the bridge and does not schedule the downstream pipeline worker', :aggregate_failures do -- GitLab From 3ff8dbaba758f857328d2de1d1ecab2a45eca04f Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Fri, 9 Feb 2024 10:00:20 +0530 Subject: [PATCH 02/11] Remove migration as they are not required --- ...m_pipeline_trigger_limit_to_application_settings.rb | 10 ---------- db/schema_migrations/20240207171317 | 1 - db/structure.sql | 3 ++- 3 files changed, 2 insertions(+), 12 deletions(-) delete mode 100644 db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb delete mode 100644 db/schema_migrations/20240207171317 diff --git a/db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb b/db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb deleted file mode 100644 index 9b16325e28bdab..00000000000000 --- a/db/migrate/20240207171317_add_down_stream_pipeline_trigger_limit_to_application_settings.rb +++ /dev/null @@ -1,10 +0,0 @@ -# frozen_string_literal: true - -class AddDownStreamPipelineTriggerLimitToApplicationSettings < Gitlab::Database::Migration[2.2] - milestone '16.9' - - def change - add_column :application_settings, :downstream_pipeline_trigger_limit_per_project_user_sha, - :integer, default: 200 - end -end diff --git a/db/schema_migrations/20240207171317 b/db/schema_migrations/20240207171317 deleted file mode 100644 index 5cb7f88f7d018e..00000000000000 --- a/db/schema_migrations/20240207171317 +++ /dev/null @@ -1 +0,0 @@ -03a7f2caa935c3b3336b69e1624dbe70041453c6fdce09640373e64a8da11cc0 \ No newline at end of file 
diff --git a/db/structure.sql b/db/structure.sql index 7d635c399b516b..17f57569a31e3c 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -12656,7 +12656,8 @@ CREATE TABLE application_settings ( enable_member_promotion_management boolean DEFAULT false NOT NULL, lock_math_rendering_limits_enabled boolean DEFAULT false NOT NULL, security_approval_policies_limit integer DEFAULT 5 NOT NULL, - downstream_pipeline_trigger_limit_per_project_user_sha integer DEFAULT 200, + downstream_pipeline_trigger_limit_per_project_user_sha integer DEFAULT 200 + CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), -- GitLab From e07117202f6ab353202f7bbf849d07cc9051829b Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Fri, 9 Feb 2024 10:24:29 +0530 Subject: [PATCH 03/11] Rewrite setting as jsonb accessor instead of a column --- app/models/application_setting.rb | 3 ++- .../json_schemas/application_setting_rate_limits.json | 5 +++++ spec/helpers/application_settings_helper_spec.rb | 2 +- spec/models/application_setting_spec.rb | 1 + 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 31ddfc9e26ffb3..75942dd398516f 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb 
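Review bot: The rewritten column line in `CREATE TABLE application_settings` loses its trailing comma (`... integer DEFAULT 200`, then an added blank line, then `CONSTRAINT ...`), so the statement would no longer parse when the schema is loaded. The same patch deletes the migration and its `db/schema_migrations` entry, yet the column stays in `db/structure.sql`, leaving the dump describing a column that no migration creates. If the column is meant to go away, as the subject line suggests, the hunk should remove the `downstream_pipeline_trigger_limit_per_project_user_sha integer DEFAULT 200,` line entirely and leave the neighbouring lines untouched. Later patches in the series may correct this; that is not visible in this part of the page.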
@@ -602,7 +602,8 @@ def self.kroki_formats_attributes end jsonb_accessor :rate_limits, - members_delete_limit: [:integer, { default: 60 }] + members_delete_limit: [:integer, { default: 60 }], + downstream_pipeline_trigger_limit_per_project_user_sha: [:integer, { default: 200 }] validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" } diff --git a/app/validators/json_schemas/application_setting_rate_limits.json b/app/validators/json_schemas/application_setting_rate_limits.json index e74295291dfdc0..035a50de0f1b91 100644 --- a/app/validators/json_schemas/application_setting_rate_limits.json +++ b/app/validators/json_schemas/application_setting_rate_limits.json @@ -8,6 +8,11 @@ "type": "integer", "minimum": 0, "description": "Number of project or group members a user can delete per minute." + }, + "downstream_pipeline_trigger_limit_per_project_user_sha": { + "type": "integer", + "minimum": 0, + "description": "Maximum number of downstream pipelines triggered per project per user" } } } diff --git a/spec/helpers/application_settings_helper_spec.rb b/spec/helpers/application_settings_helper_spec.rb index b378437c407555..43075a75d1ca1f 100644 --- a/spec/helpers/application_settings_helper_spec.rb +++ b/spec/helpers/application_settings_helper_spec.rb @@ -65,7 +65,7 @@ project_download_export_limit project_export_limit project_import_limit raw_blob_request_limit group_export_limit group_download_export_limit group_import_limit users_get_by_id_limit search_rate_limit search_rate_limit_unauthenticated - members_delete_limit + members_delete_limit downstream_pipeline_trigger_limit_per_project_user_sha ]) end diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb index 8c71b2f5a681fd..18e6ff99b9494d 100644 --- a/spec/models/application_setting_spec.rb +++ b/spec/models/application_setting_spec.rb 
@@ -29,6 +29,7 @@ it { expect(setting.bulk_import_concurrent_pipeline_batch_limit).to eq(25) } it { expect(setting.allow_project_creation_for_guest_and_below).to eq(true) } it { expect(setting.members_delete_limit).to eq(60) } + it { expect(setting.downstream_pipeline_trigger_limit_per_project_user_sha).to eq(200) } end describe 'validations' do -- GitLab From 41c3853b04aa7b48213009189f75a9a66bc158d9 Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Fri, 9 Feb 2024 11:46:41 +0530 Subject: [PATCH 04/11] Update translations for setting form --- locale/gitlab.pot | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 9140634114af1e..bee5a7ca1974d7 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -3584,7 +3584,7 @@ msgstr "" msgid "AdminSettings|Limit the number of namespaces and projects that can be indexed." msgstr "" -msgid "AdminSettings|Maximum downstream pipelines triggered per project" +msgid "AdminSettings|Maximum downstream pipelines triggered per project per user" msgstr "" msgid "AdminSettings|Maximum duration of a session for Git operations when 2FA is enabled." @@ -3746,7 +3746,7 @@ msgstr "" msgid "AdminSettings|The latest artifacts for all jobs in the most recent successful pipelines in each project are stored and do not expire." msgstr "" -msgid "AdminSettings|The maximum number of downstream pipelines triggered per project." +msgid "AdminSettings|The maximum number of downstream pipelines triggered per project per user." msgstr "" msgid "AdminSettings|The maximum number of included files per pipeline." -- GitLab From 99447f4aba4099c04bbecdf3a177f5a79667209c Mon Sep 17 00:00:00 2001 
From: Rajendra Kadam Date: Fri, 9 Feb 2024 16:12:55 +0530 Subject: [PATCH 05/11] Update the doc with the FF name Set default value to 0 Make changes in docs --- app/models/application_setting.rb | 2 +- app/models/application_setting_implementation.rb | 2 +- doc/administration/settings/continuous_integration.md | 4 ++-- doc/api/settings.md | 4 ++-- spec/models/application_setting_spec.rb | 2 +- spec/requests/api/settings_spec.rb | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb index 75942dd398516f..e39dc127641499 100644 --- a/app/models/application_setting.rb +++ b/app/models/application_setting.rb @@ -603,7 +603,7 @@ def self.kroki_formats_attributes jsonb_accessor :rate_limits, members_delete_limit: [:integer, { default: 60 }], - downstream_pipeline_trigger_limit_per_project_user_sha: [:integer, { default: 200 }] + downstream_pipeline_trigger_limit_per_project_user_sha: [:integer, { default: 0 }] validates :rate_limits, json_schema: { filename: "application_setting_rate_limits" } diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb index ebf6922467c8c0..c3ff9c50e76466 100644 --- a/app/models/application_setting_implementation.rb +++ b/app/models/application_setting_implementation.rb @@ -281,7 +281,7 @@ def defaults # rubocop:disable Metrics/AbcSize allow_project_creation_for_guest_and_below: true, enable_member_promotion_management: false, security_approval_policies_limit: 5, - downstream_pipeline_trigger_limit_per_project_user_sha: 200 + downstream_pipeline_trigger_limit_per_project_user_sha: 0 }.tap do |hsh| hsh.merge!(non_production_defaults) unless Rails.env.production? end diff --git a/doc/administration/settings/continuous_integration.md b/doc/administration/settings/continuous_integration.md index cab8197d5133b3..5383d88a535da3 100644 --- a/doc/administration/settings/continuous_integration.md 
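Review bot: Changing `default: 200` to `default: 0` in the `jsonb_accessor :rate_limits` entry, and `200` to `0` in `defaults` in `application_setting_implementation.rb`, turns the downstream-pipeline rate limit off by default, since the documentation updated in this same patch describes `0` as "no restriction". Before this series the limiter used a fixed threshold of 200 per minute, so an instance that enables `ci_rate_limit_downstream_pipelines` and never visits the setting ends up with no cap on downstream pipeline creation. If unlimited-by-default is intended, say so next to the value, e.g. `# 0 means no limit; the limiter stays inactive until an admin sets a value`; otherwise keep `200` so the control fails closed. The default is also declared in two places, which have to be changed together.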
+++ b/doc/administration/settings/continuous_integration.md @@ -207,10 +207,10 @@ The default is `150`. ## Maximum downstream pipelines triggered per project -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9 [with feature flags](../feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default Tha maximum number of [downstream pipelines](../../ci/pipelines/downstream_pipelines.md) per project per user can be set at the instance level. -The default is `200`. +The default is `0` (no restriction). 1. On the left sidebar, at the bottom, select **Admin Area**. 1. Select **Settings > CI/CD**. diff --git a/doc/api/settings.md b/doc/api/settings.md index d1449cc58b9a56..18f243f7192eff 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md @@ -282,7 +282,7 @@ Example response: "project_jobs_api_rate_limit": 600, "security_txt_content": null, "bulk_import_concurrent_pipeline_batch_limit": 25, - "downstream_pipeline_trigger_limit_per_project_user_sha": 200 + "downstream_pipeline_trigger_limit_per_project_user_sha": 0 } ``` 
@@ -391,7 +391,7 @@ listed in the descriptions of the relevant settings. | `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. | | `domain_denylist` | array of strings | no | Users with email addresses that match these domains **cannot** sign up. Wildcards allowed. Use separate lines for multiple entries. For example: `domain.com`, `*.domain.com`. | | `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. | -| `downstream_pipeline_trigger_limit_per_project_user_sha` | integer | no | [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9. Rate limit creation of downstream pipelines. Default: 200. +| `downstream_pipeline_trigger_limit_per_project_user_sha` | integer | no | [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9 with a [flag](../administration/feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. Rate limit creation of downstream pipelines. Default: 0. | `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. | | `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. | | `ecdsa_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. | diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb index 18e6ff99b9494d..d88415527ad420 100644 --- a/spec/models/application_setting_spec.rb +++ b/spec/models/application_setting_spec.rb 
@@ -29,7 +29,7 @@ it { expect(setting.bulk_import_concurrent_pipeline_batch_limit).to eq(25) } it { expect(setting.allow_project_creation_for_guest_and_below).to eq(true) } it { expect(setting.members_delete_limit).to eq(60) } - it { expect(setting.downstream_pipeline_trigger_limit_per_project_user_sha).to eq(200) } + it { expect(setting.downstream_pipeline_trigger_limit_per_project_user_sha).to eq(0) } end describe 'validations' do diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb index 8f3b4dca3ad240..018e6b9786418b 100644 --- a/spec/requests/api/settings_spec.rb +++ b/spec/requests/api/settings_spec.rb @@ -95,7 +95,7 @@ expect(json_response['max_login_attempts']).to be_nil expect(json_response['failed_login_attempts_unlock_period_in_minutes']).to be_nil expect(json_response['bulk_import_concurrent_pipeline_batch_limit']).to eq(25) - expect(json_response['downstream_pipeline_trigger_limit_per_project_user_sha']).to eq(200) + expect(json_response['downstream_pipeline_trigger_limit_per_project_user_sha']).to eq(0) end end -- GitLab From 0298fd37c4b4a66df12f4767192ae4b38dc5fbac Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Fri, 9 Feb 2024 16:14:58 +0530 Subject: [PATCH 06/11] Fix a typo in the doc --- doc/administration/settings/continuous_integration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/administration/settings/continuous_integration.md b/doc/administration/settings/continuous_integration.md index 5383d88a535da3..2d9aa8e32b4cca 100644 --- a/doc/administration/settings/continuous_integration.md +++ b/doc/administration/settings/continuous_integration.md 
@@ -207,7 +207,7 @@ The default is `150`. ## Maximum downstream pipelines triggered per project -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9 [with feature flags](../feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9 [with feature flag](../feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. Tha maximum number of [downstream pipelines](../../ci/pipelines/downstream_pipelines.md) per project per user can be set at the instance level. The default is `0` (no restriction). -- GitLab From b5c53d34617a25fe8ab744b3a27049e90bdaca04 Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Mon, 12 Feb 2024 10:11:49 +0530 Subject: [PATCH 07/11] Add feature spec for downstream pipeline setting --- spec/features/admin/admin_settings_spec.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/spec/features/admin/admin_settings_spec.rb b/spec/features/admin/admin_settings_spec.rb index d1fdbfc5329f33..8db9c45dbef90f 100644 --- a/spec/features/admin/admin_settings_spec.rb +++ b/spec/features/admin/admin_settings_spec.rb @@ -459,6 +459,7 @@ uncheck 'Keep the latest artifacts for all jobs in the latest successful pipelines' uncheck 'Enable pipeline suggestion banner' fill_in 'application_setting_ci_max_includes', with: 200 + fill_in 'application_setting_downstream_pipeline_trigger_limit_per_project_user_sha', with: 500 click_button 'Save changes' end @@ -467,6 +468,7 @@ expect(current_settings.keep_latest_artifact).to be false expect(current_settings.suggest_pipeline_enabled).to be false expect(current_settings.ci_max_includes).to be 200 + expect(current_settings.downstream_pipeline_trigger_limit_per_project_user_sha).to be 500 expect(page).to have_content "Application settings saved successfully" end -- GitLab From d106ccebc5369d5455c5a33a95c4dfd6cb0b3040 Mon Sep 17 00:00:00 2001 
From: Max Woolf Date: Mon, 12 Feb 2024 10:25:23 +0000 Subject: [PATCH 08/11] Update milestone in the docs --- doc/administration/settings/continuous_integration.md | 2 +- doc/api/settings.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/administration/settings/continuous_integration.md b/doc/administration/settings/continuous_integration.md index 2d9aa8e32b4cca..63034883f96a6e 100644 --- a/doc/administration/settings/continuous_integration.md +++ b/doc/administration/settings/continuous_integration.md @@ -207,7 +207,7 @@ The default is `150`. ## Maximum downstream pipelines triggered per project -> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9 [with feature flag](../feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. +> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.10 [with feature flag](../feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. Tha maximum number of [downstream pipelines](../../ci/pipelines/downstream_pipelines.md) per project per user can be set at the instance level. The default is `0` (no restriction). diff --git a/doc/api/settings.md b/doc/api/settings.md index 18f243f7192eff..4c3f2958000847 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md 
@@ -391,7 +391,7 @@ listed in the descriptions of the relevant settings. | `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. | | `domain_denylist` | array of strings | no | Users with email addresses that match these domains **cannot** sign up. Wildcards allowed. Use separate lines for multiple entries. For example: `domain.com`, `*.domain.com`. | | `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. | -| `downstream_pipeline_trigger_limit_per_project_user_sha` | integer | no | [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.9 with a [flag](../administration/feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. Rate limit creation of downstream pipelines. Default: 0. +| `downstream_pipeline_trigger_limit_per_project_user_sha` | integer | no | [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.10 with a [flag](../administration/feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. Rate limit creation of downstream pipelines. Default: 0. | `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. | | `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. | | `ecdsa_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. | -- GitLab From 98dec35af0f33c0921a348c1493fa342781b51c5 Mon Sep 17 00:00:00 2001 
From: Rajendra Kadam Date: Wed, 14 Feb 2024 10:17:21 +0530 Subject: [PATCH 09/11] Apply technical writer suggestions --- .../json_schemas/application_setting_rate_limits.json | 2 +- app/views/admin/application_settings/_ci_cd.html.haml | 4 ++-- doc/administration/settings/continuous_integration.md | 4 ++-- doc/api/settings.md | 2 +- locale/gitlab.pot | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/validators/json_schemas/application_setting_rate_limits.json b/app/validators/json_schemas/application_setting_rate_limits.json index 035a50de0f1b91..183c6327447175 100644 --- a/app/validators/json_schemas/application_setting_rate_limits.json +++ b/app/validators/json_schemas/application_setting_rate_limits.json @@ -12,7 +12,7 @@ "downstream_pipeline_trigger_limit_per_project_user_sha": { "type": "integer", "minimum": 0, - "description": "Maximum number of downstream pipelines triggered per project per user" + "description": "Maximum number of downstream pipelines triggered in a project per user" } } } diff --git a/app/views/admin/application_settings/_ci_cd.html.haml b/app/views/admin/application_settings/_ci_cd.html.haml index 6ae9122539ea0b..9e76526c722c64 100644 --- a/app/views/admin/application_settings/_ci_cd.html.haml +++ b/app/views/admin/application_settings/_ci_cd.html.haml 
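Review bot: The reworded schema description in `application_setting_rate_limits.json`, "Maximum number of downstream pipelines triggered in a project per user", leaves out two things an administrator needs to size the limit: the key name `downstream_pipeline_trigger_limit_per_project_user_sha` suggests the counter is also scoped by commit SHA, and no time window is stated. If the limiter is keyed that way (its code is not visible here), the description would read better as `"Maximum number of downstream pipelines that a user can trigger in a project for the same commit SHA"`, with the interval added once confirmed. The same wording is repeated in the `_ci_cd.html.haml` label and help text, the `continuous_integration.md` step and the two `gitlab.pot` entries changed by this patch. The schema object opens above the hunk.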
@@ -51,10 +51,10 @@ .form-text.text-muted = s_('AdminSettings|The maximum number of included files per pipeline.') .form-group - = f.label :downstream_pipeline_trigger_limit_per_project_user_sha, s_('AdminSettings|Maximum downstream pipelines triggered per project per user'), class: 'label-bold' + = f.label :downstream_pipeline_trigger_limit_per_project_user_sha, s_('AdminSettings|Maximum downstream pipelines triggered in a project per user'), class: 'label-bold' = f.number_field :downstream_pipeline_trigger_limit_per_project_user_sha, class: 'form-control gl-form-input' .form-text.text-muted - = s_('AdminSettings|The maximum number of downstream pipelines triggered per project per user.') + = s_('AdminSettings|The maximum number of downstream pipelines triggered in a project per user.') .form-group = f.label :ci_config_path, _('Default CI/CD configuration file'), class: 'label-bold' = f.text_field :default_ci_config_path, class: 'form-control gl-form-input', placeholder: '.gitlab-ci.yml' diff --git a/doc/administration/settings/continuous_integration.md b/doc/administration/settings/continuous_integration.md index 63034883f96a6e..d8ba43d78a29d0 100644 --- a/doc/administration/settings/continuous_integration.md +++ b/doc/administration/settings/continuous_integration.md 
@@ -209,12 +209,12 @@ The default is `150`. > - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.10 [with feature flag](../feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. -Tha maximum number of [downstream pipelines](../../ci/pipelines/downstream_pipelines.md) per project per user can be set at the instance level. +The maximum number of [downstream pipelines](../../ci/pipelines/downstream_pipelines.md) per project per user can be set at the instance level. The default is `0` (no restriction). 1. On the left sidebar, at the bottom, select **Admin Area**. 1. Select **Settings > CI/CD**. -1. Change the value of **Maximum downstream pipelines triggered per project per user**. +1. Change the value of **Maximum downstream pipelines triggered in a project per user**. 1. Select **Save changes** for the changes to take effect. ## Default CI/CD configuration file diff --git a/doc/api/settings.md b/doc/api/settings.md index 4c3f2958000847..922cb2bd3c86d6 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md 
@@ -391,7 +391,7 @@ listed in the descriptions of the relevant settings. | `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. | | `domain_denylist` | array of strings | no | Users with email addresses that match these domains **cannot** sign up. Wildcards allowed. Use separate lines for multiple entries. For example: `domain.com`, `*.domain.com`. | | `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. | -| `downstream_pipeline_trigger_limit_per_project_user_sha` | integer | no | [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.10 with a [flag](../administration/feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. Rate limit creation of downstream pipelines. Default: 0. +| `downstream_pipeline_trigger_limit_per_project_user_sha` | integer | no | Rate limit creation of downstream pipelines. Default: `0`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/144077) in GitLab 16.10 with a [flag](../administration/feature_flags.md) named `ci_rate_limit_downstream_pipelines`. Disabled by default. | | `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. | | `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. | | `ecdsa_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. | diff --git a/locale/gitlab.pot b/locale/gitlab.pot index bee5a7ca1974d7..5b49c71adee3c3 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot 
@@ -3584,7 +3584,7 @@ msgstr "" msgid "AdminSettings|Limit the number of namespaces and projects that can be indexed." msgstr "" -msgid "AdminSettings|Maximum downstream pipelines triggered per project per user" +msgid "AdminSettings|Maximum downstream pipelines triggered in a project per user" msgstr "" msgid "AdminSettings|Maximum duration of a session for Git operations when 2FA is enabled." @@ -3746,7 +3746,7 @@ msgstr "" msgid "AdminSettings|The latest artifacts for all jobs in the most recent successful pipelines in each project are stored and do not expire." msgstr "" -msgid "AdminSettings|The maximum number of downstream pipelines triggered per project per user." +msgid "AdminSettings|The maximum number of downstream pipelines triggered in a project per user." msgstr "" msgid "AdminSettings|The maximum number of included files per pipeline." -- GitLab From e3d1164cb05fd0a42ae052e8c5942a989ec858d2 Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Wed, 14 Feb 2024 11:38:24 +0530 Subject: [PATCH 10/11] Add min 0 for frontend validation --- app/views/admin/application_settings/_ci_cd.html.haml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/views/admin/application_settings/_ci_cd.html.haml b/app/views/admin/application_settings/_ci_cd.html.haml index 9e76526c722c64..a808c580c2fe84 100644 --- a/app/views/admin/application_settings/_ci_cd.html.haml +++ b/app/views/admin/application_settings/_ci_cd.html.haml 
@@ -52,7 +52,7 @@ = s_('AdminSettings|The maximum number of included files per pipeline.') .form-group = f.label :downstream_pipeline_trigger_limit_per_project_user_sha, s_('AdminSettings|Maximum downstream pipelines triggered in a project per user'), class: 'label-bold' - = f.number_field :downstream_pipeline_trigger_limit_per_project_user_sha, class: 'form-control gl-form-input' + = f.number_field :downstream_pipeline_trigger_limit_per_project_user_sha, min: 0, class: 'form-control gl-form-input' .form-text.text-muted = s_('AdminSettings|The maximum number of downstream pipelines triggered in a project per user.') .form-group -- GitLab From 5c5ae58e5549b616d5fe372f6ad8eb64b1a5110f Mon Sep 17 00:00:00 2001 From: Rajendra Kadam Date: Wed, 14 Feb 2024 12:12:38 +0530 Subject: [PATCH 11/11] Rebase to latest master and fix conflicts --- db/structure.sql | 2 -- 1 file changed, 2 deletions(-) diff --git a/db/structure.sql b/db/structure.sql index 17f57569a31e3c..008d218d43aa85 100644 --- a/db/structure.sql +++ b/db/structure.sql @@ -12656,8 +12656,6 @@ CREATE TABLE application_settings ( enable_member_promotion_management boolean DEFAULT false NOT NULL, lock_math_rendering_limits_enabled boolean DEFAULT false NOT NULL, security_approval_policies_limit integer DEFAULT 5 NOT NULL, - downstream_pipeline_trigger_limit_per_project_user_sha integer DEFAULT 200 - CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)), CONSTRAINT app_settings_container_registry_pre_import_tags_rate_positive CHECK ((container_registry_pre_import_tags_rate >= (0)::numeric)), CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)), -- GitLab
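Review bot: `min: 0` on the `number_field` in `_ci_cd.html.haml` is only a browser hint, and the help text below it still does not tell the administrator what `0` means. The server-side bound appears to come from the `"minimum": 0` in `application_setting_rate_limits.json` shown in patch 09, so that is the check to rely on; a request that bypasses the form never sees the `min` attribute. Since the docs on this page state that `0` means no restriction, I would say so next to the field, for example `= s_('AdminSettings|The maximum number of downstream pipelines triggered in a project per user. Set to 0 for no limit.')`, with the matching `locale/gitlab.pot` entry. The surrounding form starts and ends outside the hunk.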