Make an API for increasing a user's rate limit

Author: carols10cents

src/controllers.rs

@@ -76,6 +76,7 @@ mod prelude {
 pub mod helpers;
 mod util;
 
+pub mod admin;
 pub mod category;
 pub mod crate_owner_invitation;
 pub mod keyword;

src/controllers/admin.rs

@@ -0,0 +1,48 @@
+use super::frontend_prelude::*;
+use crate::{
+    models::{AdminUser, User},
+    schema::{publish_limit_buckets, publish_rate_overrides},
+};
+use diesel::dsl::*;
+
+#[derive(Deserialize)]
+struct RateLimitIncrease {
+    email: String,
+    rate_limit: i32,
+}
+
+/// Increases the rate limit for the user with the specified verified email address.
+pub fn publish_rate_override(req: &mut dyn RequestExt) -> EndpointResult {
+    let admin = req.authenticate()?.forbid_api_token_auth()?.admin_user()?;
+    increase_rate_limit(admin, req)
+}
+
+/// Increasing the rate limit requires that you are an admin user, but no information from the
+/// admin user is currently needed. Someday having an audit log of which admin user took the action
+/// would be nice.
+fn increase_rate_limit(_admin: AdminUser, req: &mut dyn RequestExt) -> EndpointResult {
+    let mut body = String::new();
+    req.body().read_to_string(&mut body)?;
+
+    let rate_limit_increase: RateLimitIncrease = serde_json::from_str(&body)
+        .map_err(|e| bad_request(&format!("invalid json request: {e}")))?;
+
+    let conn = req.db_write()?;
+    let user = User::find_by_verified_email(&conn, &rate_limit_increase.email)?;
+
+    conn.transaction(|| {
+        diesel::insert_into(publish_rate_overrides::table)
+            .values((
+                publish_rate_overrides::user_id.eq(user.id),
+                publish_rate_overrides::burst.eq(rate_limit_increase.rate_limit),
+                publish_rate_overrides::expires_at.eq((now + 30.days()).nullable()),
+            ))
+            .execute(&*conn)?;
+
+        diesel::delete(publish_limit_buckets::table)
+            .filter(publish_limit_buckets::user_id.eq(user.id))
+            .execute(&*conn)
+    })?;
+
+    ok_true()
+}

src/lib.rs

@@ -46,7 +46,7 @@ pub mod email;
 pub mod github;
 pub mod metrics;
 pub mod middleware;
-mod publish_rate_limit;
+pub mod publish_rate_limit;
 pub mod schema;
 pub mod sql;
 mod test_util;

src/models/user.rs

@@ -121,6 +121,16 @@ impl User {
         Ok(Self::find(conn, api_token.user_id)?)
     }
 
+    /// Queries the database for a user with the specified verified email address.
+    pub fn find_by_verified_email(conn: &PgConnection, email: &str) -> AppResult<User> {
+        let email: Email = emails::table
+            .filter(emails::email.eq(email))
+            .filter(emails::verified.eq(true))
+            .first(conn)?;
+
+        Ok(Self::find(conn, email.user_id)?)
+    }
+
     pub fn owning(krate: &Crate, conn: &PgConnection) -> QueryResult<Vec<Owner>> {
         let users = CrateOwner::by_owner_kind(OwnerKind::User)
             .inner_join(users::table)

src/router.rs

@@ -157,6 +157,12 @@ pub fn build_router(app: &App) -> RouteBuilder {
         C(crate_owner_invitation::private_list),
     );
 
+    // Admin actions
+    router.put(
+        "/api/private/admin/rate-limits",
+        C(admin::publish_rate_override),
+    );
+
     // Only serve the local checkout of the git index in development mode.
     // In production, for crates.io, cargo gets the index from
     // https://github.com/rust-lang/crates.io-index directly.

src/tests/admin_actions.rs

@@ -0,0 +1,141 @@
+use crate::{util::RequestHelper, TestApp};
+use chrono::{NaiveDateTime, Utc};
+use conduit::StatusCode;
+use diesel::prelude::*;
+
+mod rate_limits {
+    use super::*;
+
+    const RATE_LIMITS_URL: &str = "/api/private/admin/rate-limits";
+
+    #[test]
+    fn anon_sending_rate_limit_changes_returns_unauthorized() {
+        let (_app, anon) = TestApp::init().empty();
+        anon.put(RATE_LIMITS_URL, &[]).assert_forbidden();
+    }
+
+    #[test]
+    fn non_admin_sending_rate_limit_changes_returns_unauthorized() {
+        let (app, _anon) = TestApp::init().empty();
+        let user = app.db_new_user("foo");
+        user.put(RATE_LIMITS_URL, &[]).assert_forbidden();
+    }
+
+    #[test]
+    fn no_body_content_returns_400() {
+        let (app, _anon) = TestApp::init().empty();
+        let admin_user = app.db_new_user("carols10cents");
+        let response = admin_user.put::<()>(RATE_LIMITS_URL, &[]);
+
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+        assert_eq!(
+            response.into_json(),
+            json!({ "errors": [{
+                "detail": "invalid json request: EOF while parsing a value at line 1 column 0"
+            }] })
+        );
+    }
+
+    #[test]
+    fn rate_limit_nan_returns_400() {
+        let (app, _anon) = TestApp::init().empty();
+        let admin_user = app.db_new_user("carols10cents");
+
+        let body = json!({
+            "email": "foo@example.com",
+            "rate_limit": "-34g",
+        });
+
+        let response = admin_user.put::<()>(RATE_LIMITS_URL, body.to_string().as_bytes());
+
+        assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+        assert_eq!(
+            response.into_json(),
+            json!({ "errors": [{
+                "detail": "invalid json request: invalid type: string \"-34g\", expected i32 at \
+                line 1 column 46"
+            }] })
+        );
+    }
+
+    #[test]
+    fn email_address_lookup_failure_returns_not_found() {
+        let (app, _anon) = TestApp::init().empty();
+        let admin_user = app.db_new_user("carols10cents");
+
+        let body = json!({
+            "email": "foo@example.com",
+            "rate_limit": 88,
+        });
+
+        let response = admin_user.put::<()>(RATE_LIMITS_URL, body.to_string().as_bytes());
+
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+        assert_eq!(
+            response.into_json(),
+            json!({ "errors": [{
+                "detail": "Not Found"
+            }] })
+        );
+    }
+
+    #[test]
+    fn email_address_lookup_success_updates_rate_limit() {
+        use cargo_registry::{
+            publish_rate_limit::PublishRateLimit,
+            schema::{publish_limit_buckets, publish_rate_overrides},
+        };
+        use std::time::Duration;
+
+        let (app, _, user) = TestApp::init().with_user();
+        let user_model = user.as_model();
+
+        // Check the rate limit for a user, which inserts a record for the user into the
+        // `publish_limit_buckets` table so that we can test it gets deleted by the rate limit
+        // override.
+        app.db(|conn| {
+            let rate = PublishRateLimit {
+                rate: Duration::from_secs(1),
+                burst: 10,
+            };
+            rate.check_rate_limit(user_model.id, conn).unwrap();
+        });
+
+        let admin_user = app.db_new_user("carols10cents");
+
+        let email = app.db(|conn| user_model.email(conn).unwrap());
+        let new_rate_limit = 88;
+        let body = json!({
+            "email": email,
+            "rate_limit": new_rate_limit,
+        });
+        let response = admin_user.put::<()>(RATE_LIMITS_URL, body.to_string().as_bytes());
+
+        assert_eq!(response.status(), StatusCode::OK);
+
+        let (rate_limit, expires_at): (i32, Option<NaiveDateTime>) = app
+            .db(|conn| {
+                publish_rate_overrides::table
+                    .select((
+                        publish_rate_overrides::burst,
+                        publish_rate_overrides::expires_at,
+                    ))
+                    .filter(publish_rate_overrides::user_id.eq(user_model.id))
+                    .first(conn)
+            })
+            .unwrap();
+        assert_eq!(rate_limit, new_rate_limit);
+        assert_eq!(
+            expires_at.unwrap().date(),
+            (Utc::now() + chrono::Duration::days(30)).naive_utc().date()
+        );
+        app.db(|conn| {
+            assert!(!diesel::select(diesel::dsl::exists(
+                publish_limit_buckets::table
+                    .filter(publish_limit_buckets::user_id.eq(user_model.id))
+            ))
+            .get_result::<bool>(conn)
+            .unwrap());
+        });
+    }
+}

src/tests/all.rs

@@ -28,6 +28,7 @@ use std::{
 use diesel::prelude::*;
 
 mod account_lock;
+mod admin_actions;
 mod authentication;
 mod badge;
 mod blocked_routes;