Introduce the concept of daily limit

Author: Marco Napetti

src/controllers/krate/publish.rs

@@ -128,6 +128,10 @@ pub fn publish(req: &mut dyn RequestExt) -> EndpointResult {
             )));
         }
 
+        app.config
+            .publish_rate_limit
+            .check_daily_limit(krate.id, &conn)?;
+
         // Length of the .crate tarball, which appears after the metadata in the request body.
         // TODO: Not sure why we're using the total content length (metadata + .crate file length)
         // to compare against the max upload size... investigate that and perhaps change to use

src/lib.rs

@@ -46,7 +46,7 @@ pub mod email;
 pub mod github;
 pub mod metrics;
 pub mod middleware;
-mod publish_rate_limit;
+pub mod publish_rate_limit;
 pub mod schema;
 pub mod sql;
 mod test_util;

src/publish_rate_limit.rs

@@ -6,12 +6,13 @@ use std::time::Duration;
 
 use crate::schema::{publish_limit_buckets, publish_rate_overrides};
 use crate::sql::{date_part, floor, greatest, interval_part, least};
-use crate::util::errors::{AppResult, TooManyRequests};
+use crate::util::errors::{cargo_err, AppResult, TooManyRequests};
 
 #[derive(Debug, Clone, Copy)]
 pub struct PublishRateLimit {
     pub rate: Duration,
     pub burst: i32,
+    pub daily: Option<i64>,
 }
 
 impl Default for PublishRateLimit {
@@ -26,9 +27,14 @@ impl Default for PublishRateLimit {
             .parse()
             .ok()
             .unwrap_or(5);
+        let daily = dotenv::var("MAX_NEW_VERSIONS_DAILY")
+            .unwrap_or_default()
+            .parse()
+            .ok();
         Self {
             rate: Duration::from_secs(60) * minutes,
             burst,
+            daily,
         }
     }
 }
@@ -106,6 +112,27 @@ impl PublishRateLimit {
         use diesel::dsl::*;
         (self.rate.as_millis() as i64).milliseconds()
     }
+
+    pub fn check_daily_limit(&self, krate_id: i32, conn: &PgConnection) -> AppResult<()> {
+        use crate::schema::versions::dsl::*;
+        use diesel::dsl::{count_star, now, IntervalDsl};
+
+        if let Some(daily_limit) = self.daily {
+            let today: i64 = versions
+                .filter(crate_id.eq(krate_id))
+                .filter(created_at.gt(now - 24.hours()))
+                .select(count_star())
+                .first(conn)
+                .optional()?
+                .unwrap_or_default();
+            if today >= daily_limit {
+                return Err(cargo_err(
+                    "You have published too many versions of this crate in the last 24 hours",
+                ));
+            }
+        }
+        Ok(())
+    }
 }
 
 #[cfg(test)]
@@ -122,6 +149,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let bucket = rate.take_token(new_user(&conn, "user1")?, now, &conn)?;
         let expected = Bucket {
@@ -134,6 +162,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_millis(50),
             burst: 20,
+            daily: None,
         };
         let bucket = rate.take_token(new_user(&conn, "user2")?, now, &conn)?;
         let expected = Bucket {
@@ -153,6 +182,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user_bucket(&conn, 5, now)?.user_id;
         let bucket = rate.take_token(user_id, now, &conn)?;
@@ -173,6 +203,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user_bucket(&conn, 5, now)?.user_id;
         let refill_time = now + chrono::Duration::seconds(2);
@@ -198,6 +229,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_millis(100),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user_bucket(&conn, 5, now)?.user_id;
         let refill_time = now + chrono::Duration::milliseconds(300);
@@ -219,6 +251,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_millis(100),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user_bucket(&conn, 5, now)?.user_id;
         let bucket = rate.take_token(user_id, now + chrono::Duration::milliseconds(250), &conn)?;
@@ -240,6 +273,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user_bucket(&conn, 1, now)?.user_id;
         let bucket = rate.take_token(user_id, now, &conn)?;
@@ -263,6 +297,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user_bucket(&conn, 0, now)?.user_id;
         let refill_time = now + chrono::Duration::seconds(1);
@@ -285,6 +320,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user_bucket(&conn, 8, now)?.user_id;
         let refill_time = now + chrono::Duration::seconds(4);
@@ -307,6 +343,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user(&conn, "user1")?;
         let other_user_id = new_user(&conn, "user2")?;
@@ -334,6 +371,7 @@ mod tests {
         let rate = PublishRateLimit {
             rate: Duration::from_secs(1),
             burst: 10,
+            daily: None,
         };
         let user_id = new_user(&conn, "user1")?;
         let other_user_id = new_user(&conn, "user2")?;