feat(quotas): Project abuse limit for attachment items (#82155)

Attachment quotas and rate limits are currently defined in bytes, so we
have no way to prevent an abusively high number of very small
attachments.

No abuse limit will be set by default.

Author: jjbayer

src/sentry/options/defaults.py

@@ -1221,6 +1221,12 @@
     default=0,
     flags=FLAG_PRIORITIZE_DISK | FLAG_AUTOMATOR_MODIFIABLE,
 )
+register(
+    "project-abuse-quota.attachment-item-limit",
+    type=Int,
+    default=0,
+    flags=FLAG_PRIORITIZE_DISK | FLAG_AUTOMATOR_MODIFIABLE,
+)
 register(
     "project-abuse-quota.session-limit",
     type=Int,

src/sentry/quotas/base.py

@@ -457,6 +457,12 @@ def get_abuse_quotas(self, org):
                 categories=[DataCategory.ATTACHMENT],
                 scope=QuotaScope.PROJECT,
             ),
+            AbuseQuota(
+                id="paai",
+                option="project-abuse-quota.attachment-item-limit",
+                categories=[DataCategory.ATTACHMENT_ITEM],
+                scope=QuotaScope.PROJECT,
+            ),
             AbuseQuota(
                 id="pas",
                 option="project-abuse-quota.session-limit",

tests/sentry/quotas/test_redis.py

@@ -116,6 +116,7 @@ def test_abuse_quotas(self):
 
         self.organization.update_option("project-abuse-quota.transaction-limit", 600)
         self.organization.update_option("project-abuse-quota.attachment-limit", 601)
+        self.organization.update_option("project-abuse-quota.attachment-item-limit", 6010)
         self.organization.update_option("project-abuse-quota.session-limit", 602)
         self.organization.update_option("organization-abuse-quota.metric-bucket-limit", 603)
         self.organization.update_option("organization-abuse-quota.custom-metric-bucket-limit", 604)
@@ -145,22 +146,30 @@ def test_abuse_quotas(self):
         assert quotas[2].window == 10
         assert quotas[2].reason_code == "project_abuse_limit"
 
-        assert quotas[3].id == "pas"
+        assert quotas[3].id == "paai"
         assert quotas[3].scope == QuotaScope.PROJECT
         assert quotas[3].scope_id is None
-        assert quotas[3].categories == {DataCategory.SESSION}
-        assert quotas[3].limit == 6020
+        assert quotas[3].categories == {DataCategory.ATTACHMENT_ITEM}
+        assert quotas[3].limit == 60100
         assert quotas[3].window == 10
         assert quotas[3].reason_code == "project_abuse_limit"
 
-        assert quotas[4].id == "paspi"
+        assert quotas[4].id == "pas"
         assert quotas[4].scope == QuotaScope.PROJECT
         assert quotas[4].scope_id is None
-        assert quotas[4].categories == {DataCategory.SPAN_INDEXED}
-        assert quotas[4].limit == 6050
+        assert quotas[4].categories == {DataCategory.SESSION}
+        assert quotas[4].limit == 6020
         assert quotas[4].window == 10
         assert quotas[4].reason_code == "project_abuse_limit"
 
+        assert quotas[5].id == "paspi"
+        assert quotas[5].scope == QuotaScope.PROJECT
+        assert quotas[5].scope_id is None
+        assert quotas[5].categories == {DataCategory.SPAN_INDEXED}
+        assert quotas[5].limit == 6050
+        assert quotas[5].window == 10
+        assert quotas[5].reason_code == "project_abuse_limit"
+
         expected_quotas: dict[tuple[QuotaScope, UseCaseID | None], str] = dict()
         for scope, prefix in [
             (QuotaScope.PROJECT, "p"),