gitlab-labkit 2.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1457da9fa7cec587b47834870a4eb60f5a21c9966111d1d9edd0e7e0a49b4ff3
-  data.tar.gz: 631e56481d2be50e976a16aefa6fd6a250759089b56dde0414af059fd55c4ba7
+  metadata.gz: e99765f42b600bc7e6307b75665409c3e3ee3b6aabf69f5bdb14d65fe20d8cdc
+  data.tar.gz: b2623750accd4178e7d938ebf87abbb6e1d40f14d4e252b9654f015d4141ce3c
 SHA512:
-  metadata.gz: 5d6aba7952cc495dd4b74ea0aa452f473e01dc6a6bda2a94d1238d9102f5b448de2b4ae1765f87e2020d2fb460b1613044fe9403f0019b54b050b3a48261b425
-  data.tar.gz: 21ddb1d302b53049a605052d67bbdf2d51bee9a4e80f82c6c10f689d5b292397e0d913dae4b05e66c93ee4c93d831e14e885c448a77b049dab48ac1bda3b84b5
+  metadata.gz: cfc0d196a34588965f17b6598b7bf8b1cdaa8d90d79e62bf5a4d75e07537473ee4a8011c7718e18af64d4ec216a85b7bd3a3099523404f6bd7c892b5a7b4ae35
+  data.tar.gz: fdb892b50ca446d76d999e7397c57df1539f6724e31ea698b440a7d08a5544e25246d2a4d7ed5bb4516dc5592b31fc7bb1860d29baac43bdc3b94052d011c24d

data/lib/labkit/fips.rb

@@ -25,7 +25,7 @@ module Labkit
         return true if %w[1 true yes].include?(ENV["FIPS_MODE"])
 
         # Otherwise, attempt to auto-detect FIPS mode from OpenSSL
-        return true if OpenSSL.fips_mode
+        return true if ::OpenSSL.fips_mode
 
         false
       end
@@ -44,7 +44,7 @@ module Labkit
 
       def use_openssl_digest(ruby_algorithm, openssl_algorithm)
         ::Digest.send(:remove_const, ruby_algorithm) # rubocop:disable GitlabSecurity/PublicSend
-        ::Digest.const_set(ruby_algorithm, OpenSSL::Digest.const_get(openssl_algorithm, false))
+        ::Digest.const_set(ruby_algorithm, ::OpenSSL::Digest.const_get(openssl_algorithm, false))
       end
     end
   end

data/lib/labkit/rate_limit/evaluator.rb

@@ -65,8 +65,8 @@ module Labkit
         @logger = logger
       end
 
-      def check(identifier, cost: 1)
-        check_rules(identifier, cost)
+      def check(identifier, cost: 1, rule_context: nil)
+        check_rules(identifier, cost, rule_context)
       rescue StandardError => e
         # Intentionally broad: fail-open applies to any unexpected error (network,
         # timeout, OOM) not only Redis protocol errors.
@@ -78,8 +78,8 @@ module Labkit
       # Read-without-increment counterpart to {#check}. Same matching and Result
       # shape; the underlying Redis counter is not mutated and the TTL is not
       # extended. A missing Redis key is treated as count=0 (matched, not exceeded).
-      def peek(identifier)
-        peek_rules(identifier)
+      def peek(identifier, rule_context: nil)
+        peek_rules(identifier, rule_context)
       rescue StandardError => e
         report_error_metrics
         log_error(e, identifier)
@@ -95,7 +95,7 @@ module Labkit
       # is missing the count_distinct key fail open + log + bump errors_total, and
       # the loop continues to the next rule (the rule is treated as not applicable
       # rather than aborting the whole evaluation).
-      def check_rules(identifier, cost)
+      def check_rules(identifier, cost, rule_context)
         @rules.each do |rule|
           next unless rule_matches?(rule, identifier)
 
@@ -105,7 +105,7 @@ module Labkit
             next
           end
 
-          result = evaluate_rule(rule, identifier, cost)
+          result = evaluate_rule(rule, identifier, cost, rule_context)
           report_matched_metrics(result)
           return result unless rule.action == :log
         end
@@ -120,12 +120,12 @@ module Labkit
       # peek does not need the count_distinct identifier key - it reads SCARD on
       # the rule-keyed compound key, which contains the cardinality across all
       # members. So missing-key fail-open does not apply here.
-      def peek_rules(identifier)
+      def peek_rules(identifier, rule_context)
         @rules.each do |rule|
           next if rule.action == :log
           next unless rule_matches?(rule, identifier)
 
-          return peek_rule(rule, identifier)
+          return peek_rule(rule, identifier, rule_context)
         end
 
         Result.new(matched: false, action: :allow)
@@ -140,10 +140,10 @@ module Labkit
         value.nil? || value.to_s.empty?
       end
 
-      def evaluate_rule(rule, identifier, cost)
+      def evaluate_rule(rule, identifier, cost, rule_context)
         redis_key = build_redis_key(rule, identifier)
-        resolved_limit = Integer(resolve_value(rule.limit))
-        resolved_period = Integer(resolve_value(rule.period))
+        resolved_limit = Integer(resolve_value(rule.limit, rule_context))
+        resolved_period = Integer(resolve_value(rule.period, rule_context))
 
         # cost is ignored for count_distinct rules: SADD is binary (a member is
         # either added or not), and the post-add count is SCARD regardless.
@@ -157,10 +157,10 @@ module Labkit
         build_result(rule, resolved_limit, resolved_period, count, ttl)
       end
 
-      def peek_rule(rule, identifier)
+      def peek_rule(rule, identifier, rule_context)
         redis_key = build_redis_key(rule, identifier)
-        resolved_limit = Integer(resolve_value(rule.limit))
-        resolved_period = Integer(resolve_value(rule.period))
+        resolved_limit = Integer(resolve_value(rule.limit, rule_context))
+        resolved_period = Integer(resolve_value(rule.period, rule_context))
 
         count, ttl = rule.count_distinct ? scard_with_ttl(redis_key) : read_with_ttl(redis_key)
         build_result(rule, resolved_limit, resolved_period, count, ttl)
@@ -195,8 +195,29 @@ module Labkit
         value.to_s
       end
 
-      def resolve_value(val)
-        val.respond_to?(:call) ? val.call : val
+      # Resolve a limit/period value. Plain values pass through; callables are
+      # invoked according to their arity:
+      #
+      # - Zero-arity callables call with no args (e.g. -> { ApplicationSetting.current.foo }).
+      # - Callables with arity >= 1 receive +rule_context+, which may be nil
+      #   if the caller didn't pass it. They must therefore handle nil -
+      #   typically with `ctx&.[](:key) || default`.
+      # - Variadic callables (negative arity, e.g. ->(*args) { ... }) take
+      #   the zero-arg path. Opt into rule_context by writing the lambda
+      #   with exactly one required parameter: ->(ctx) { ... }. This avoids
+      #   the footgun where ->(*args) silently receives [rule_context] and
+      #   the caller's overrides never take effect.
+      # - Callables that respond to +call+ but not +arity+ (e.g. a class with
+      #   `def call` and no explicit arity) take the zero-arg path, preserving
+      #   the pre-rule_context behaviour for custom callable objects.
+      #
+      # This lets rules carry callables that depend on per-request context (e.g.
+      # per-namespace settings) without rebuilding the Rule on every call or
+      # smuggling state through globals.
+      def resolve_value(val, rule_context = nil)
+        return val unless val.respond_to?(:call)
+
+        val.respond_to?(:arity) && val.arity >= 1 ? val.call(rule_context) : val.call
       end
 
       def encode_char_value(value)

data/lib/labkit/rate_limit/limiter.rb

@@ -35,10 +35,18 @@ module Labkit
       # @param cost [Numeric] amount to add to the counter. Defaults to 1
       #   (count-mode). Pass a non-1 Numeric for cost-mode counters such as
       #   resource-usage limits; passing 0 reads the counter without writing.
+      # @param rule_context [Hash, nil] optional per-request context passed to
+      #   one-arity callables on +limit+/+period+. Lets rules resolve dynamic
+      #   configuration (e.g. per-namespace settings) without rebuilding the
+      #   Rule or doing out-of-band DB queries. Zero-arity callables ignore it.
+      #   The key contract is owned by the rule's callable, not validated
+      #   here: if the rule reads ctx[:limit] and the caller passes
+      #   ctx[:lmit], the callable's fallback branch fires silently. Keep
+      #   the rule definition and the call site colocated.
       # @return [Result]
-      def check(identifier, cost: 1)
+      def check(identifier, cost: 1, rule_context: nil)
         id = identifier.is_a?(Identifier) ? identifier : Identifier.new(identifier)
-        @evaluator.check(id, cost: cost)
+        @evaluator.check(id, cost: cost, rule_context: rule_context)
       end
 
       # Read the current rate-limit state without incrementing the counter.
@@ -54,10 +62,11 @@ module Labkit
       # open identically to {#check}.
       #
       # @param identifier [Identifier, Hash] caller attributes for this request
+      # @param rule_context [Hash, nil] see {#check}
       # @return [Result]
-      def peek(identifier)
+      def peek(identifier, rule_context: nil)
         id = identifier.is_a?(Identifier) ? identifier : Identifier.new(identifier)
-        @evaluator.peek(id)
+        @evaluator.peek(id, rule_context: rule_context)
       end
 
       private

data/lib/labkit/rate_limit.rb

@@ -44,9 +44,12 @@ module Labkit
       # @param redis [Object, nil] Redis client; falls back to config.redis
       # @param logger [Logger, nil] logger; falls back to config.logger
       # @param cost [Numeric] amount to add to the counter; see Limiter#check
+      # @param rule_context [Hash, nil] per-request context for one-arity
+      #   callables on rule limit/period; see Limiter#check
       # @return [Result]
-      def check(name:, identifier:, rules:, redis: nil, logger: nil, cost: 1)
-        Limiter.new(name: name, rules: rules, redis: redis, logger: logger).check(identifier, cost: cost)
+      def check(name:, identifier:, rules:, redis: nil, logger: nil, cost: 1, rule_context: nil)
+        Limiter.new(name: name, rules: rules, redis: redis, logger: logger)
+          .check(identifier, cost: cost, rule_context: rule_context)
       end
     end
   end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: gitlab-labkit
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.2.0
 platform: ruby
 authors:
 - Andrew Newdigate