From dfacd04eed0981f4ff054f40d5615a40c3ba3993 Mon Sep 17 00:00:00 2001
From: Diane Russel
Date: Fri, 28 Feb 2025 16:45:57 -0500
Subject: [PATCH 1/5] Remove limit_unique_project_downloads_per_namespace_user
This rolls out the feature to implement an automatic ban/block for users that clone more than X repositories within Y time period.
Changelog: added
EE: true
---
 .../assets/javascripts/members/constants.js | 4 +---
 .../ee/groups/group_members_controller.rb | 1 -
 ee/app/models/ee/group.rb | 4 +---
 ...e_project_downloads_per_namespace_user.yml | 8 --------
 .../groups/members/manage_members_spec.rb | 20 -------------------
 .../groups/settings/reporting_spec.rb | 2 --
 ee/spec/models/ee/group_spec.rb | 8 --------
 ee/spec/policies/group_policy_spec.rb | 8 --------
 ee/spec/policies/project_policy_spec.rb | 8 --------
 ee/spec/requests/api/groups_spec.rb | 16 +++------------
 .../groups/group_members_controller_spec.rb | 15 --------------
 .../settings/reporting_controller_spec.rb | 8 --------
 ...rojects_download_ban_check_service_spec.rb | 8 --------
 13 files changed, 5 insertions(+), 105 deletions(-)
 delete mode 100644 ee/config/feature_flags/development/limit_unique_project_downloads_per_namespace_user.yml
diff --git a/ee/app/assets/javascripts/members/constants.js b/ee/app/assets/javascripts/members/constants.js
index 4a6b2ce73af969..dafc4b3a39f02e 100644
--- a/ee/app/assets/javascripts/members/constants.js
+++ b/ee/app/assets/javascripts/members/constants.js
@@ -76,9 +76,7 @@ const APP_OPTIONS_BASE = {
 [MEMBERS_TAB_TYPES.promotionRequest]: true,
 };
-const uniqueProjectDownloadLimitEnabled =
- gon.features?.limitUniqueProjectDownloadsPerNamespaceUser &&
- gon.licensed_features?.uniqueProjectDownloadLimit;
+const uniqueProjectDownloadLimitEnabled = gon.licensed_features?.uniqueProjectDownloadLimit;
 // eslint-disable-next-line import/export
 export const GROUPS_APP_OPTIONS = uniqueProjectDownloadLimitEnabled
diff --git a/ee/app/controllers/ee/groups/group_members_controller.rb b/ee/app/controllers/ee/groups/group_members_controller.rb
index b03f0c494e3557..da901feb911ef2 100644
--- a/ee/app/controllers/ee/groups/group_members_controller.rb
+++ b/ee/app/controllers/ee/groups/group_members_controller.rb
@@ -25,7 +25,6 @@ def admin_not_required_endpoints
 before_action :authorize_update_group_member!, only: [:update, :override]
 before_action do
- push_frontend_feature_flag(:limit_unique_project_downloads_per_namespace_user, @group)
 push_frontend_feature_flag(:show_overage_on_role_promotion)
 push_licensed_feature(:unique_project_download_limit, @group)
 push_frontend_feature_flag(:show_role_details_in_drawer, @group)
diff --git a/ee/app/models/ee/group.rb b/ee/app/models/ee/group.rb
index 0227040a5780cf..16501131417e75 100644
--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -271,9 +271,7 @@ def repository_read_only?
 end
 def unique_project_download_limit_enabled?
- root? &&
- ::Feature.enabled?(:limit_unique_project_downloads_per_namespace_user, self) &&
- licensed_feature_available?(:unique_project_download_limit)
+ root? && licensed_feature_available?(:unique_project_download_limit)
 end
 def service_accounts
diff --git a/ee/config/feature_flags/development/limit_unique_project_downloads_per_namespace_user.yml b/ee/config/feature_flags/development/limit_unique_project_downloads_per_namespace_user.yml
deleted file mode 100644
index e8875897076454..00000000000000
--- a/ee/config/feature_flags/development/limit_unique_project_downloads_per_namespace_user.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-name: limit_unique_project_downloads_per_namespace_user
-introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/89996
-rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/365724
-milestone: '15.2'
-type: development
-group: group::authorization
-default_enabled: false
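Review bot: `unique_project_download_limit_enabled?` in ee/app/models/ee/group.rb is now the only gate left for the Git abuse ban (the policy specs in this series show it deciding `read_group`/`read_project` for banned users), yet the method has no comment saying why it is restricted to `root?`. Suggest a comment above the `def`, e.g. `# Git abuse rate limiting is configured on and enforced against the top-level group only, so sub-groups never report the limit as enabled; licensing is the remaining switch now that the feature flag is gone.` Because the flag also served as an instance-wide kill switch, it would be worth noting in the commit or the docs that the `auto_ban_user_on_excessive_projects_download` namespace setting (named in the doc/api/groups.md hunk of this series) remains the way to turn off automatic banning without touching licensing, which I infer from the docs rather than see in this hunk. The enclosing module starts and ends outside the hunk.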
diff --git a/ee/spec/features/groups/members/manage_members_spec.rb b/ee/spec/features/groups/members/manage_members_spec.rb
index 452e474c95084e..ac3b33dff20c57 100644
--- a/ee/spec/features/groups/members/manage_members_spec.rb
+++ b/ee/spec/features/groups/members/manage_members_spec.rb
@@ -317,18 +317,6 @@ def add_user_by_email(role, use_exact_text_match: true)
 expect(page).not_to have_content('Banned')
 end
- context 'when feature flag is disabled' do
- before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: false)
- end
-
- it 'owner cannot see banned users' do
- visit group_group_members_path(group)
-
- expect(page).not_to have_content('Banned')
- end
- end
-
 context 'when licensed feature is not available' do
 let(:licensed_feature_available) { false }
@@ -386,14 +374,6 @@ def add_user_by_email(role, use_exact_text_match: true)
 it_behaves_like 'action is not available'
 end
- context 'when feature flag is disabled' do
- before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: false)
- end
-
- it_behaves_like 'action is not available'
- end
-
 context 'when licensed feature is not available' do
 let(:licensed_feature_available) { false }
diff --git a/ee/spec/features/groups/settings/reporting_spec.rb b/ee/spec/features/groups/settings/reporting_spec.rb
index 7acd3803a9a287..cc00e3fc678b13 100644
--- a/ee/spec/features/groups/settings/reporting_spec.rb
+++ b/ee/spec/features/groups/settings/reporting_spec.rb
@@ -6,13 +6,11 @@
 let_it_be(:user) { create(:user) }
 let(:group) { create(:group) }
- let(:feature_flag_enabled) { true }
 let(:licensed_feature_available) { true }
 let(:current_limit) { 1 }
 let(:current_interval) { 9 }
 before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: feature_flag_enabled)
 stub_licensed_features(unique_project_download_limit: licensed_feature_available)
 sign_in(user)
diff --git a/ee/spec/models/ee/group_spec.rb b/ee/spec/models/ee/group_spec.rb
index 75b1ad043192d0..334881b2c463de 100644
--- a/ee/spec/models/ee/group_spec.rb
+++ b/ee/spec/models/ee/group_spec.rb
@@ -3598,11 +3598,9 @@ def webhook_headers
 describe '#unique_project_download_limit_enabled?' do
 let_it_be(:group) { create(:group) }
- let(:feature_flag_enabled) { true }
 let(:licensed_feature_available) { true }
 before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: feature_flag_enabled)
 stub_licensed_features(unique_project_download_limit: licensed_feature_available)
 end
@@ -3610,12 +3608,6 @@ def webhook_headers
 it { is_expected.to eq true }
- context 'when feature flag is disabled' do
- let(:feature_flag_enabled) { false }
-
- it { is_expected.to eq false }
- end
-
 context 'when licensed feature is not available' do
 let(:licensed_feature_available) { false }
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb
index 3af399274c79e5..ca7f32556c072f 100644
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3291,14 +3291,6 @@ def expect_private_group_permissions_as_if_non_member
 it { is_expected.to be_disallowed(:read_group) }
 end
- context 'when the limit_unique_project_downloads_per_namespace_user feature flag is disabled' do
- before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: false)
- end
-
- it { is_expected.to be_allowed(:read_group) }
- end
-
 context 'when licensed feature unique_project_download_limit is not available' do
 before do
 stub_licensed_features(unique_project_download_limit: false)
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index f0e6901838c12d..bb89092f3c625a 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -2657,14 +2657,6 @@ def expect_private_project_permissions_as_if_non_member
 it { is_expected.to be_disallowed(:read_project) }
 end
- context 'when the limit_unique_project_downloads_per_namespace_user feature flag is disabled' do
- before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: false)
- end
-
- it { is_expected.to be_allowed(:read_project) }
- end
-
 context 'when licensed feature unique_project_download_limit is not available' do
 before do
 stub_licensed_features(unique_project_download_limit: false)
diff --git a/ee/spec/requests/api/groups_spec.rb b/ee/spec/requests/api/groups_spec.rb
index 31f0851ec7a536..5679d51fa03aa6 100644
--- a/ee/spec/requests/api/groups_spec.rb
+++ b/ee/spec/requests/api/groups_spec.rb
@@ -485,16 +485,12 @@
 end
 before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: flag_enabled)
 stub_licensed_features(unique_project_download_limit: feature_available)
- group.add_owner(user)
- subject
 end
- context 'when feature flag enabled and feature available' do
- let(:flag_enabled) { true }
+ context 'when feature is available' do
 let(:feature_available) { true }
 it 'updates the attributes as expected' do
@@ -509,15 +505,9 @@
 end
 end
- using RSpec::Parameterized::TableSyntax
-
- where(:flag_enabled, :feature_available) do
- true | false
- false | true
- false | false
- end
+ context 'when feature is not available' do
+ let(:feature_available) { false }
- with_them do
 it 'does not update the attributes' do
 settings = group.namespace_settings.reload
diff --git a/ee/spec/requests/groups/group_members_controller_spec.rb b/ee/spec/requests/groups/group_members_controller_spec.rb
index fd40f5105d7869..03dbef4abf94e5 100644
--- a/ee/spec/requests/groups/group_members_controller_spec.rb
+++ b/ee/spec/requests/groups/group_members_controller_spec.rb
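Review bot: The first ee/spec/requests/api/groups_spec.rb hunk removes `group.add_owner(user)` and `subject` from the `before` block along with the flag stub, and nothing in either hunk shows where the request is now issued or where the user is made an owner. If those two lines were not moved into an enclosing `before` or into each example, `it 'updates the attributes as expected'` and `it 'does not update the attributes'` would read `group.namespace_settings` without the update ever having run, and the negative case in the second hunk would pass vacuously, which is exactly the case that protects the licensing gate. Unless the relocation is visible elsewhere in the file, keep the block as `before do` / `stub_licensed_features(unique_project_download_limit: feature_available)` / `group.add_owner(user)` / `subject` / `end`. Both example bodies continue outside the hunk, so I cannot rule out that `subject` is invoked there.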
@@ -30,12 +30,6 @@
 create(:namespace_ban, namespace: group, user: banned_member.user)
 end
- it 'pushes feature flag to frontend' do
- get_group_members
-
- expect(response.body).to have_pushed_frontend_feature_flags(limitUniqueProjectDownloadsPerNamespaceUser: true)
- end
-
 it 'sets @banned to include banned group members' do
 get_group_members
@@ -68,14 +62,6 @@
 it_behaves_like 'assigns @banned and @members correctly'
 end
- context 'when feature flag is disabled' do
- before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: false)
- end
-
- it_behaves_like 'assigns @banned and @members correctly'
- end
-
 context 'when sub-group' do
 before do
 group.update!(parent: create(:group))
@@ -159,7 +145,6 @@
 end
 before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: true)
 stub_licensed_features(unique_project_download_limit: true)
 end
diff --git a/ee/spec/requests/groups/settings/reporting_controller_spec.rb b/ee/spec/requests/groups/settings/reporting_controller_spec.rb
index 145444595a5d49..0c5f9aa25aa894 100644
--- a/ee/spec/requests/groups/settings/reporting_controller_spec.rb
+++ b/ee/spec/requests/groups/settings/reporting_controller_spec.rb
@@ -6,11 +6,9 @@
 let_it_be(:user) { create(:user) }
 let(:group) { create(:group) }
- let(:feature_flag_enabled) { true }
 let(:licensed_feature_available) { true }
 before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: feature_flag_enabled)
 stub_licensed_features(unique_project_download_limit: licensed_feature_available)
 sign_in(user)
@@ -27,12 +25,6 @@
 subject
 end
- context 'when feature flag is disabled' do
- let(:feature_flag_enabled) { false }
-
- it_behaves_like 'renders 404'
- end
-
 context 'when licensed feature is not available' do
 let(:licensed_feature_available) { false }
diff --git a/ee/spec/services/users/abuse/projects_download_ban_check_service_spec.rb b/ee/spec/services/users/abuse/projects_download_ban_check_service_spec.rb
index f2e9ab11d34b2e..6194614873bdef 100644
--- a/ee/spec/services/users/abuse/projects_download_ban_check_service_spec.rb
+++ b/ee/spec/services/users/abuse/projects_download_ban_check_service_spec.rb
@@ -28,7 +28,6 @@
 end
 context 'when application-level OR namespace-level projects download throttling is configured' do
- let(:feature_flag_state) { true }
 let(:licensed_feature_state) { true }
 let(:service_response) { { banned: true } }
@@ -77,7 +76,6 @@
 context 'when namespace-level projects download throttling is configured' do
 before do
- stub_feature_flags(limit_unique_project_downloads_per_namespace_user: feature_flag_state)
 stub_licensed_features(unique_project_download_limit: licensed_feature_state)
 allow_next_instance_of(Users::Abuse::GitAbuse::NamespaceThrottleService, project, user) do |service|
@@ -85,12 +83,6 @@
 end
 end
- context 'when feature flag is disabled' do
- let(:feature_flag_state) { false }
-
- it { is_expected.to be_success }
- end
-
 it_behaves_like 'uses the result of the configured projects download throttle service'
 context 'when project\'s root namespace is a User namespace' do
-- GitLab
From d5b8236872ce46af0ffa34e40fa87313eea31458 Mon Sep 17 00:00:00 2001
From: Diane Russel
Date: Fri, 25 Apr 2025 14:36:29 -0400
Subject: [PATCH 2/5] Update docs
---
 doc/user/group/reporting/git_abuse_rate_limit.md | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/doc/user/group/reporting/git_abuse_rate_limit.md b/doc/user/group/reporting/git_abuse_rate_limit.md
index 4f5bb5fc2672cd..794e68c50c7c62 100644
--- a/doc/user/group/reporting/git_abuse_rate_limit.md
+++ b/doc/user/group/reporting/git_abuse_rate_limit.md
@@ -18,13 +18,6 @@ title: Git abuse rate limit
 {{< /history >}}
-{{< alert type="flag" >}}
-
-The availability of this feature is controlled by a feature flag.
-For more information, see the history.
-
-{{< /alert >}}
-
 This is the group-level documentation. For GitLab Self-Managed instances, see the [administration documentation](../../../administration/reporting/git_abuse_rate_limit.md). Git abuse rate limiting is a feature to automatically ban users who download, clone, pull, fetch, or fork more than a specified number of repositories of a group in a given time frame. Banned users cannot access the top-level group or any of its non-public subgroups through HTTP or SSH. The rate limit also applies to users who authenticate with [personal](../../profile/personal_access_tokens.md) or [group access tokens](../settings/group_access_tokens.md), as well as [CI/CD job tokens](../../../ci/jobs/ci_job_token.md). Access to unrelated groups is unaffected.
@@ -37,7 +30,7 @@ GitLab team members can view more information in this confidential epic:
 ## Automatic ban notifications
-If the `limit_unique_project_downloads_per_namespace_user` feature flag is enabled, selected users receive an email when a user is about to be banned.
+When a user is about to be banned, selected users receive an email notification.
 If automatic banning is disabled, a user is not banned automatically when they exceed the limit. However, notifications are still sent. You can use this setup to determine the correct values of the rate limit settings before enabling automatic banning.
-- GitLab
From b89b665ff4333b16e279ce31cc2068172c4b09b8 Mon Sep 17 00:00:00 2001
From: Diane Russel
Date: Wed, 30 Apr 2025 13:44:11 -0400
Subject: [PATCH 3/5] Apply 1 suggestion(s) to 1 file(s)
Co-authored-by: Ian Anderson
---
 doc/user/group/reporting/git_abuse_rate_limit.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/user/group/reporting/git_abuse_rate_limit.md b/doc/user/group/reporting/git_abuse_rate_limit.md
index 794e68c50c7c62..ef72bf45b64cf2 100644
--- a/doc/user/group/reporting/git_abuse_rate_limit.md
+++ b/doc/user/group/reporting/git_abuse_rate_limit.md
@@ -30,7 +30,7 @@ GitLab team members can view more information in this confidential epic:
 ## Automatic ban notifications
-When a user is about to be banned, selected users receive an email notification.
+Selected users receive an email notification when a user is banned.
 If automatic banning is disabled, a user is not banned automatically when they exceed the limit. However, notifications are still sent. You can use this setup to determine the correct values of the rate limit settings before enabling automatic banning.
-- GitLab
From 573535f1212364e3c40303e8b475348448768a06 Mon Sep 17 00:00:00 2001
From: Diane Russel
Date: Wed, 30 Apr 2025 15:34:48 -0400
Subject: [PATCH 4/5] Add version history to docs
---
 doc/api/groups.md | 8 --------
 doc/user/group/moderate_users.md | 2 ++
 doc/user/group/reporting/git_abuse_rate_limit.md | 2 ++
 3 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/doc/api/groups.md b/doc/api/groups.md
index 4b264c0ba0f38e..dc75b0b794f0a5 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -1549,14 +1549,6 @@ Parameters:
 {{< /history >}}
-{{< alert type="flag" >}}
-
-On GitLab Self-Managed, by default `unique_project_download_limit`, `unique_project_download_limit_interval_in_seconds`, `unique_project_download_limit_allowlist` and `auto_ban_user_on_excessive_projects_download` are not available.
-To make them available, an administrator can [enable the feature flag](../administration/feature_flags.md)
-named `limit_unique_project_downloads_per_namespace_user`.
-
-{{< /alert >}}
-
 Updates the project group. Only available to group owners and administrators.
 ```plaintext
diff --git a/doc/user/group/moderate_users.md b/doc/user/group/moderate_users.md
index 9d3d04de490968..da1098a9f63c3e 100644
--- a/doc/user/group/moderate_users.md
+++ b/doc/user/group/moderate_users.md
@@ -25,6 +25,8 @@ This topic is specifically related to user moderation in groups. For information
 {{< history >}}
 - [Introduced](https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/155) in GitLab 15.8 [with a flag](../../administration/feature_flags.md) named `limit_unique_project_downloads_per_namespace_user`. Disabled by default.
+- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/365724) in GitLab 15.6.
+- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183101) in GitLab 18.0. Feature flag `limit_unique_project_downloads_per_namespace_user` removed.
 {{< /history >}}
diff --git a/doc/user/group/reporting/git_abuse_rate_limit.md b/doc/user/group/reporting/git_abuse_rate_limit.md
index ef72bf45b64cf2..5ad2f7c436df18 100644
--- a/doc/user/group/reporting/git_abuse_rate_limit.md
+++ b/doc/user/group/reporting/git_abuse_rate_limit.md
@@ -15,6 +15,8 @@ title: Git abuse rate limit
 {{< history >}}
 - [Introduced](https://gitlab.com/groups/gitlab-org/-/epics/8066) in GitLab 15.2 [with a flag](../../../administration/feature_flags.md) named `limit_unique_project_downloads_per_namespace_user`. Disabled by default.
+- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/365724) in GitLab 15.6.
+- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183101) in GitLab 18.0. Feature flag `limit_unique_project_downloads_per_namespace_user` removed.
 {{< /history >}}
-- GitLab
From 949546fc117a0a72cc4011d78c2a19c946e49705 Mon Sep 17 00:00:00 2001
From: Diane Russel
Date: Wed, 30 Apr 2025 16:34:31 -0400
Subject: [PATCH 5/5] Add version history to docs
---
 doc/api/groups.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/doc/api/groups.md b/doc/api/groups.md
index dc75b0b794f0a5..a697e3fb305e41 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -1546,6 +1546,8 @@ Parameters:
 {{< history >}}
 - `unique_project_download_limit`, `unique_project_download_limit_interval_in_seconds`, and `unique_project_download_limit_allowlist` [introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/92970) in GitLab 15.3 [with a flag](../administration/feature_flags.md) named `limit_unique_project_downloads_per_namespace_user`. Disabled by default.
+- [Enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/365724) in GitLab 15.6.
+- [Generally available](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183101) in GitLab 18.0. Feature flag `limit_unique_project_downloads_per_namespace_user` removed.
 {{< /history >}}
-- GitLab