gitlab-labkit 1.14.0 → 1.15.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/labkit/rate_limit/evaluator.rb +4 -3
- data/lib/labkit/rate_limit/limiter.rb +46 -7
- data/lib/labkit/rate_limit/result.rb +7 -2
- data/lib/labkit/rate_limit/rule.rb +23 -2
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 55b7255672a78e7ce050b17dee4a50b0c9ceadd2093986dc0d5d3822076423b0
|
|
4
|
+
data.tar.gz: fe70e4a910d27fa2d8d1a61216825bb811a8a43b9fbd75d4c0bd32220e8551b3
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 38e4de6ac2d9e677a269f757e4c01a1bb1d9e3ce4cec0065512a03d07650339ae6e5f27415be76ba02cc316c56e5fd8d4922389e856da152be527800a6f58de6
|
|
7
|
+
data.tar.gz: 613915d89f71db61f3a984ae979d704753c9284d196dc7f31c92426b0f037ded2c0140ea9fc778dbbd42bb7c0ccfa0884b3d67e3ebc38b791bc84edfa6cb852d
|
|
@@ -25,7 +25,7 @@ module Labkit
|
|
|
25
25
|
# Intentionally broad: fail-open applies to any unexpected error (network,
|
|
26
26
|
# timeout, OOM) not only Redis protocol errors.
|
|
27
27
|
log_error(e, identifier)
|
|
28
|
-
Result.new(matched: false, error: true)
|
|
28
|
+
Result.new(matched: false, error: true, action: :allow)
|
|
29
29
|
end
|
|
30
30
|
|
|
31
31
|
private
|
|
@@ -37,7 +37,7 @@ module Labkit
|
|
|
37
37
|
return evaluate_rule(rule, identifier)
|
|
38
38
|
end
|
|
39
39
|
|
|
40
|
-
Result.new(matched: false)
|
|
40
|
+
Result.new(matched: false, action: :allow)
|
|
41
41
|
end
|
|
42
42
|
|
|
43
43
|
def rule_matches?(rule, identifier)
|
|
@@ -51,8 +51,9 @@ module Labkit
|
|
|
51
51
|
|
|
52
52
|
count = incr_with_ttl(redis_key, resolved_period)
|
|
53
53
|
exceeded = count > resolved_limit
|
|
54
|
+
action = exceeded ? rule.action : :allow
|
|
54
55
|
|
|
55
|
-
Result.new(matched: true, exceeded: exceeded, action:
|
|
56
|
+
Result.new(matched: true, exceeded: exceeded, action: action, rule: rule)
|
|
56
57
|
end
|
|
57
58
|
|
|
58
59
|
def build_redis_key(rule, identifier)
|
|
@@ -20,14 +20,14 @@ module Labkit
|
|
|
20
20
|
NAME_PATTERN = /\A[a-z0-9_]+\z/
|
|
21
21
|
|
|
22
22
|
def initialize(name:, rules:, redis: nil, logger: nil)
|
|
23
|
-
|
|
24
|
-
|
|
23
|
+
@logger = logger || RateLimit.config.logger || Labkit::Logging::JsonLogger.new($stdout)
|
|
24
|
+
@name = validate_name!(name)
|
|
25
25
|
|
|
26
26
|
@evaluator = Evaluator.new(
|
|
27
|
-
name:
|
|
28
|
-
rules: rules,
|
|
27
|
+
name: @name,
|
|
28
|
+
rules: prepare_rules(rules),
|
|
29
29
|
redis: redis || RateLimit.config.redis,
|
|
30
|
-
logger:
|
|
30
|
+
logger: @logger
|
|
31
31
|
)
|
|
32
32
|
end
|
|
33
33
|
|
|
@@ -40,14 +40,53 @@ module Labkit
|
|
|
40
40
|
|
|
41
41
|
private
|
|
42
42
|
|
|
43
|
-
def validate_name!(name
|
|
43
|
+
def validate_name!(name)
|
|
44
44
|
raise ArgumentError, "name must be a non-empty String" unless name.is_a?(String) && !name.empty?
|
|
45
45
|
return name if NAME_PATTERN.match?(name)
|
|
46
46
|
|
|
47
47
|
raise ArgumentError, "Invalid name: #{name.inspect}. Must match /\\A[a-z0-9_]+\\z/" if Labkit.dev_or_test?
|
|
48
48
|
|
|
49
49
|
sanitized = name.gsub(/[^a-z0-9_]/, "_")
|
|
50
|
-
logger.warn(message: "rate_limit_invalid_name", name: name, sanitized: sanitized)
|
|
50
|
+
@logger.warn(message: "rate_limit_invalid_name", name: name, sanitized: sanitized)
|
|
51
|
+
sanitized
|
|
52
|
+
end
|
|
53
|
+
|
|
54
|
+
# Validates and deduplicates rule names before passing rules to Evaluator.
|
|
55
|
+
# In dev/test: raises on invalid format or duplicate names.
|
|
56
|
+
# In production: sanitizes invalid names (WARN) and drops duplicates (WARN, first wins).
|
|
57
|
+
# Returns an array of rules with sanitized names.
|
|
58
|
+
def prepare_rules(rules)
|
|
59
|
+
seen = {}
|
|
60
|
+
rules.each_with_index.filter_map do |rule, idx|
|
|
61
|
+
sanitized = sanitize_rule_name(rule.name)
|
|
62
|
+
|
|
63
|
+
if seen.key?(sanitized)
|
|
64
|
+
raise ArgumentError, "Duplicate rule name #{sanitized.inspect} at index #{idx}" if Labkit.dev_or_test?
|
|
65
|
+
|
|
66
|
+
@logger.warn(
|
|
67
|
+
message: "rate_limit_duplicate_rule_name",
|
|
68
|
+
name: sanitized,
|
|
69
|
+
dropped_occurrence: idx
|
|
70
|
+
)
|
|
71
|
+
next nil
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
seen[sanitized] = true
|
|
75
|
+
sanitized == rule.name ? rule : rule.with(name: sanitized) # rubocop:disable CodeReuse/ActiveRecord
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def sanitize_rule_name(name)
|
|
80
|
+
s = name.to_s
|
|
81
|
+
return s if RULE_NAME_PATTERN.match?(s) && s.length <= RULE_NAME_MAX_LENGTH
|
|
82
|
+
|
|
83
|
+
sanitized = s.downcase.gsub(/[^a-z0-9_]/, "_")[0, RULE_NAME_MAX_LENGTH]
|
|
84
|
+
sanitized = "unnamed_rule" if sanitized.empty?
|
|
85
|
+
@logger.warn(
|
|
86
|
+
message: "rate_limit_invalid_rule_name",
|
|
87
|
+
original_name: s,
|
|
88
|
+
sanitized_name: sanitized
|
|
89
|
+
)
|
|
51
90
|
sanitized
|
|
52
91
|
end
|
|
53
92
|
end
|
|
@@ -5,11 +5,16 @@ module Labkit
|
|
|
5
5
|
# Result is the return value of Limiter#check.
|
|
6
6
|
# matched? - true if a rule's match conditions were satisfied
|
|
7
7
|
# exceeded? - true if the matched rule's counter exceeded its limit
|
|
8
|
-
# action -
|
|
8
|
+
# action - the outcome: what the caller should do
|
|
9
|
+
# :block = rule matched, exceeded, rule configured to block
|
|
10
|
+
# :log = rule matched, exceeded, rule configured to log only
|
|
11
|
+
# :allow = rule matched but count within limit, or
|
|
12
|
+
# no rule matched, or error (fail-open)
|
|
13
|
+
# The rule's configured action is available via rule.action
|
|
9
14
|
# rule - the matched Rule object (nil when matched? is false)
|
|
10
15
|
# error? - true if Redis was unavailable; result fails open (exceeded? is false)
|
|
11
16
|
Result = Data.define(:matched, :exceeded, :action, :rule, :error) do
|
|
12
|
-
def initialize(matched:, exceeded: false,
|
|
17
|
+
def initialize(matched:, action:, exceeded: false, rule: nil, error: false)
|
|
13
18
|
super
|
|
14
19
|
end
|
|
15
20
|
|
|
@@ -2,6 +2,10 @@
|
|
|
2
2
|
|
|
3
3
|
module Labkit
|
|
4
4
|
module RateLimit
|
|
5
|
+
KNOWN_ACTIONS = [:block, :log].freeze
|
|
6
|
+
RULE_NAME_PATTERN = /\A[a-z0-9_]+\z/
|
|
7
|
+
RULE_NAME_MAX_LENGTH = 64
|
|
8
|
+
|
|
5
9
|
# Rule is a value object describing a single rate limit rule.
|
|
6
10
|
# name - stable identifier used in Redis keys and log entries
|
|
7
11
|
# match - hash of identifier key/value pairs that must all match for
|
|
@@ -10,14 +14,31 @@ module Labkit
|
|
|
10
14
|
# period - window in seconds; may be a callable (resolved per check)
|
|
11
15
|
# action - :block (enforce) or :log (count and log, but do not block)
|
|
12
16
|
# characteristics - identifier keys used to build the compound Redis counter key
|
|
17
|
+
#
|
|
18
|
+
# +name+ must be a lowercase alphanumeric-and-underscore string of at most 64
|
|
19
|
+
# characters. It is used as the middle segment of every Redis counter key for
|
|
20
|
+
# this rule, so changing a rule's name mid-window abandons its in-flight counters.
|
|
13
21
|
Rule = Data.define(:name, :match, :limit, :period, :action, :characteristics) do
|
|
14
22
|
def initialize(name:, limit:, period:, characteristics:, match: {}, action: :block)
|
|
23
|
+
raise ArgumentError, "name must be a String or Symbol, got #{name.class}" unless name.is_a?(String) || name.is_a?(Symbol)
|
|
24
|
+
|
|
25
|
+
name_str = name.to_s
|
|
26
|
+
raise ArgumentError, "name must not be empty" if name_str.empty?
|
|
27
|
+
|
|
28
|
+
action_sym = action.to_sym
|
|
29
|
+
raise ArgumentError, "Invalid action: #{action.inspect}. Must be one of: #{KNOWN_ACTIONS.inspect}" unless KNOWN_ACTIONS.include?(action_sym)
|
|
30
|
+
|
|
31
|
+
if Labkit.dev_or_test?
|
|
32
|
+
raise ArgumentError, "Invalid rule name: #{name.inspect}. Must match /\\A[a-z0-9_]+\\z/" unless RULE_NAME_PATTERN.match?(name_str)
|
|
33
|
+
raise ArgumentError, "Rule name too long: #{name.inspect}. Maximum 64 characters" if name_str.length > RULE_NAME_MAX_LENGTH
|
|
34
|
+
end
|
|
35
|
+
|
|
15
36
|
super(
|
|
16
|
-
name:
|
|
37
|
+
name: name_str.freeze,
|
|
17
38
|
match: match.transform_keys(&:to_sym).freeze,
|
|
18
39
|
limit: limit,
|
|
19
40
|
period: period,
|
|
20
|
-
action:
|
|
41
|
+
action: action_sym,
|
|
21
42
|
characteristics: Array(characteristics).map(&:to_sym).freeze
|
|
22
43
|
)
|
|
23
44
|
end
|