1781610070

Committed 23 Apr 2025 09:54AM UTC coverage: 65.305% (+0.04%) from 65.262%

Build # 1781610070

Build Type

Pull #597

gitlab-ci

Committed by

alfrunes

Commit Message

ci: Retract 8c8028081 from changelog

The changelog is superseded by ec713ae42

Signed-off-by: Alf-Rune Siqveland <alf.rune@northern.tech>

Pull Request Pull Request #597: MEN-7744: Rate limit authenticated devices API

Run Details

27 of 54 new or added lines in 3 files covered. (50.0%)

64 existing lines in 3 files now uncovered.

31824 of 48731 relevant lines covered (65.31%)

1.37 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

90.2

/backend/services/deviceauth/devauth/devauth_ratelimits.go

package devauth

import (
        "context"
        "errors"
        "fmt"
        "strings"

        ctxhttpheader "github.com/mendersoftware/mender-server/pkg/context/httpheader"
        "github.com/mendersoftware/mender-server/pkg/identity"

        "github.com/mendersoftware/mender-server/services/deviceauth/cache"
        "github.com/mendersoftware/mender-server/services/deviceauth/model"
)

// ErrNoRatelimits is returned by RateLimitsFromContext when there are no limits.
var ErrNoRatelimits = errors.New("no ratelimits")

func (d *DevAuth) checkRateLimits(ctx context.Context) error {
        if d.rateLimiter != nil {
                rsp, err := d.rateLimiter.Reserve(ctx)
                if err != nil {
                        if errors.Is(err, ErrNoRatelimits) {
                                return nil
                        }
                        return err
                } else if !rsp.OK() {
                        return cache.ErrTooManyRequests
                }
        }
        return nil
}

const rateLimitMax = uint64(1 << 50)

func fmtEventID(tenantID, event string) string {
        return fmt.Sprintf("tenant:%s:event:%s", tenantID, event)
}

// rateLimitFromContext returns the burst quota given the context
func (d *DevAuth) RateLimitsFromContext(ctx context.Context) (
        limit uint64,
        eventID string,
        err error,
) {
        var tenantID string = "default"
        var weight float64 = d.rateLimiterWeightDefault
        id := identity.FromContext(ctx)
        if id != nil {
                tenantID = id.Tenant
                plan := id.Plan
                if w, ok := d.rateLimiterWeights[plan]; ok {
                        weight = w
                }
        }
        origUri := ctxhttpheader.FromContext(ctx, "X-Forwarded-Uri")
        origUri = purgeUriArgs(origUri)
        if splitPath := strings.SplitN(origUri, "/", 5); len(splitPath) == 5 {
                // discard `/api/devices/v*/`
                origUri = splitPath[4]
        }
        lim, err := d.GetLimit(ctx, model.LimitMaxDeviceCount)
        if err != nil {
                return 0, "", err
        } else if lim.Value == 0 {
                return 0, "", ErrNoRatelimits
        }
        var limitf64 float64
        if lim.Value >= uint64(rateLimitMax) {
                // overflow protection: 1 << 50 is practically unlimited
                limitf64 = float64(rateLimitMax)
        } else {
                limitf64 = float64(lim.Value)
        }
        limitf64 *= weight
        if limitf64 > float64(rateLimitMax) {
                limit = rateLimitMax
        } else {
                limit = uint64(limitf64)
        }
        return limit, fmtEventID(tenantID, origUri), nil
}

1	package devauth
2
3	import (
4	"context"
5	"errors"
6	"fmt"
7	"strings"
8
9	ctxhttpheader "github.com/mendersoftware/mender-server/pkg/context/httpheader"
10	"github.com/mendersoftware/mender-server/pkg/identity"
11
12	"github.com/mendersoftware/mender-server/services/deviceauth/cache"
13	"github.com/mendersoftware/mender-server/services/deviceauth/model"
14	)
15
16	// ErrNoRatelimits is returned by RateLimitsFromContext when there are no limits.
17	var ErrNoRatelimits = errors.New("no ratelimits")
18
19	func (d *DevAuth) checkRateLimits(ctx context.Context) error {	3✔
20	if d.rateLimiter != nil {	4✔
21	rsp, err := d.rateLimiter.Reserve(ctx)	1✔
22	if err != nil {	2✔
23	if errors.Is(err, ErrNoRatelimits) {	1✔
NEW 24	return nil	×
NEW 25	}	×
26	return err	1✔
27	} else if !rsp.OK() {	2✔
28	return cache.ErrTooManyRequests	1✔
29	}	1✔
30	}
31	return nil	3✔
32	}
33
34	const rateLimitMax = uint64(1 << 50)
35
36	func fmtEventID(tenantID, event string) string {	1✔
37	return fmt.Sprintf("tenant:%s:event:%s", tenantID, event)	1✔
38	}	1✔
39
40	// rateLimitFromContext returns the burst quota given the context
41	func (d *DevAuth) RateLimitsFromContext(ctx context.Context) (
42	limit uint64,
43	eventID string,
44	err error,
45	) {	1✔
46	var tenantID string = "default"	1✔
47	var weight float64 = d.rateLimiterWeightDefault	1✔
48	id := identity.FromContext(ctx)	1✔
49	if id != nil {	2✔
50	tenantID = id.Tenant	1✔
51	plan := id.Plan	1✔
52	if w, ok := d.rateLimiterWeights[plan]; ok {	2✔
53	weight = w	1✔
54	}	1✔
55	}
56	origUri := ctxhttpheader.FromContext(ctx, "X-Forwarded-Uri")	1✔
57	origUri = purgeUriArgs(origUri)	1✔
58	if splitPath := strings.SplitN(origUri, "/", 5); len(splitPath) == 5 {	2✔
59	// discard `/api/devices/v*/`	1✔
60	origUri = splitPath[4]	1✔
61	}	1✔
62	lim, err := d.GetLimit(ctx, model.LimitMaxDeviceCount)	1✔
63	if err != nil {	1✔
NEW 64	return 0, "", err	×
65	} else if lim.Value == 0 {	1✔
NEW 66	return 0, "", ErrNoRatelimits	×
67	}	×
68	var limitf64 float64	1✔
69	if lim.Value >= uint64(rateLimitMax) {	2✔
70	// overflow protection: 1 << 50 is practically unlimited	1✔
71	limitf64 = float64(rateLimitMax)	1✔
72	} else {	2✔
73	limitf64 = float64(lim.Value)	1✔
74	}	1✔
75	limitf64 *= weight	1✔
76	if limitf64 > float64(rateLimitMax) {	2✔
77	limit = rateLimitMax	1✔
78	} else {	2✔
79	limit = uint64(limitf64)	1✔
80	}	1✔
81	return limit, fmtEventID(tenantID, origUri), nil	1✔
82	}

mendersoftware / mender-server / 1781610070

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous