Introduce the concept of daily limit

Author: Marco Napetti

src/config.rs

@@ -14,6 +14,7 @@ use std::time::Duration;
 
 const DEFAULT_VERSION_ID_CACHE_SIZE: u64 = 10_000;
 const DEFAULT_VERSION_ID_CACHE_TTL: u64 = 5 * 60; // 5 minutes
+const DEFAULT_MAX_NEW_VERSIONS_DAILY: i64 = 10;
 
 pub struct Server {
     pub base: Base,
@@ -41,6 +42,7 @@ pub struct Server {
     pub blocked_routes: HashSet<String>,
     pub version_id_cache_size: u64,
     pub version_id_cache_ttl: Duration,
+    pub max_new_versions_daily: i64,
 }
 
 impl Default for Server {
@@ -76,6 +78,7 @@ impl Default for Server {
     ///   endpoint even with a healthy database pool.
     /// - `BLOCKED_ROUTES`: A comma separated list of HTTP route patterns that are manually blocked
     ///   by an operator (e.g. `/crates/:crate_id/:version/download`).
+    /// - `MAX_NEW_VERSIONS_DAILY`: Maximum number of new crate versions creatable in a 24 hours span.
     ///
     /// # Panics
     ///
@@ -145,6 +148,8 @@ impl Default for Server {
             version_id_cache_ttl: Duration::from_secs(
                 env_optional("VERSION_ID_CACHE_TTL").unwrap_or(DEFAULT_VERSION_ID_CACHE_TTL),
             ),
+            max_new_versions_daily: env_optional("MAX_NEW_VERSIONS_DAILY")
+                .unwrap_or(DEFAULT_MAX_NEW_VERSIONS_DAILY),
         }
     }
 }

src/controllers/krate/publish.rs

@@ -173,7 +173,7 @@ pub fn publish(req: &mut dyn RequestExt) -> EndpointResult {
             hex_cksum.clone(),
             links.clone(),
         )?
-        .save(&conn, &verified_email_address)?;
+        .save(&conn, &verified_email_address, Some(app.config.max_new_versions_daily))?;
 
         insert_version_owner_action(
             &conn,

src/downloads_counter.rs

@@ -461,7 +461,7 @@ mod tests {
                 None,
             )
             .expect("failed to create version")
-            .save(conn, "[email protected]")
+            .save(conn, "[email protected]", None)
             .expect("failed to save version");
 
             self.next_version += 1;

src/models/version.rs

@@ -155,7 +155,7 @@ impl NewVersion {
         Ok(new_version)
     }
 
-    pub fn save(&self, conn: &PgConnection, published_by_email: &str) -> AppResult<Version> {
+    pub fn save(&self, conn: &PgConnection, published_by_email: &str, daily_limit: Option<i64>) -> AppResult<Version> {
         use crate::schema::versions::dsl::*;
         use diesel::dsl::exists;
         use diesel::{insert_into, select};
@@ -172,6 +172,10 @@ impl NewVersion {
                 )));
             }
 
+            if let Some(limit) = daily_limit {
+                self.rate_limit(conn, limit)?;
+            }
+
             let version: Version = insert_into(versions).values(self).get_result(conn)?;
 
             insert_into(versions_published_by::table)
@@ -195,6 +199,24 @@ impl NewVersion {
         }
         Ok(())
     }
+
+    fn rate_limit(&self, conn: &PgConnection, daily_limit: i64) -> AppResult<()> {
+        use crate::schema::versions::dsl::*;
+        use diesel::dsl::{IntervalDsl, count_star, now};
+
+        let today: i64 = versions
+            .filter(crate_id.eq(self.crate_id))
+            .filter(created_at.gt(now - 24.hours()))
+            .select(count_star())
+            .first(conn)
+            .optional()?
+            .unwrap_or_default();
+        if today >= daily_limit {
+            Err(cargo_err("You have published too many crates in the last 24 hours"))
+        } else {
+            Ok(())
+        }
+    }
 }
 
 fn validate_license_expr(s: &str) -> AppResult<()> {

src/tests/builders/version.rs

@@ -104,7 +104,7 @@ impl<'a> VersionBuilder<'a> {
             self.checksum,
             self.links,
         )?
-        .save(connection, "[email protected]")?;
+        .save(connection, "[email protected]", None)?;
 
         if self.yanked {
             vers = update(&vers)

src/tests/util/test_app.rs

@@ -357,6 +357,7 @@ fn simple_config() -> config::Server {
         blocked_routes: HashSet::new(),
         version_id_cache_size: 10000,
         version_id_cache_ttl: Duration::from_secs(5 * 60),
+        max_new_versions_daily: 10,
     }
 }
 

src/tests/version.rs

@@ -177,3 +177,16 @@ fn version_size() {
         .expect("Could not find v2.0.0");
     assert_eq!(version2.crate_size, Some(91));
 }
+
+#[test]
+fn daily_limit() {
+    let (_, _, user) = TestApp::full().with_user();
+
+    for version in 1..=10 {
+        let crate_to_publish = PublishBuilder::new("foo_version_size").version(&format!("0.0.{}", version));
+        user.publish_crate(crate_to_publish).good();
+    }
+
+    let crate_to_publish = PublishBuilder::new("foo_version_size").version("1.0.0");
+    assert!(!user.publish_crate(crate_to_publish).status().is_success());
+}

src/worker/update_downloads.rs

@@ -112,7 +112,7 @@ mod test {
             None,
         )
         .unwrap();
-        let version = version.save(conn, "[email protected]").unwrap();
+        let version = version.save(conn, "[email protected]", None).unwrap();
         (krate, version)
     }