impr(CLDSRV-766): Add skeleton

Author: tmacro

constants.js

@@ -250,6 +250,9 @@ const constants = {
     // if requester is not bucket owner, bucket policy actions should be denied with
     // MethodNotAllowed error
     onlyOwnerAllowed: ['bucketDeletePolicy', 'bucketGetPolicy', 'bucketPutPolicy'],
+    // Default value for rate limiting config cache TTL
+    rateLimitDefaultConfigCacheTTL: 30000,
+    rateLimitDefaultBurstCapacity: 1,
 };
 
 module.exports = constants;

lib/Config.js

@@ -8,7 +8,7 @@ const crypto = require('crypto');
 const { v4: uuidv4 } = require('uuid');
 const cronParser = require('cron-parser');
 const joi = require('@hapi/joi');
-const { s3routes, auth: arsenalAuth, s3middleware } = require('arsenal');
+const { s3routes, auth: arsenalAuth, s3middleware, errors, ArsenalError } = require('arsenal');
 const { isValidBucketName } = s3routes.routesUtils;
 const validateAuthConfig = arsenalAuth.inMemory.validateAuthConfig;
 const { buildAuthDataAccount } = require('./auth/in_memory/builder');
@@ -32,6 +32,7 @@ const {
     isValidType,
     isValidProtocol,
 } = require('arsenal/build/lib/network/KMSInterface');
+const { parseRateLimitConfig } = require('./api/apiUtils/rateLimit/config');
 
 // config paths
 const configSearchPaths = [
@@ -1803,6 +1804,86 @@ class Config extends EventEmitter {
         if (config.enableVeeamRoute !== undefined && config.enableVeeamRoute !== null) {
             this.enableVeeamRoute = config.enableVeeamRoute;
         }
+
+        this.rateLimiting = {
+            enabled: false,
+            bucket: {
+                configCacheTTL: constants.rateLimitDefaultConfigCacheTTL,
+            },
+        };
+
+        // {
+        //     "enabled": true,
+        //     "bucket": {
+        //         "defaultConfig": {
+        //             "requestsPerSecond": {
+        //                 "limit": 1000,
+        //                 "burstCapacity": 2
+        //             }
+        //         },
+        //         "configCacheTTL": 30000,
+        //     },
+        //     "account": {  // not in first iteration
+        //             "requestsPerSecond": {
+        //                 "limit": 1000,
+        //                 "burstCapacity": 2
+        //             }
+        //         },
+        //         "configCacheTTL": 30000,
+        //     },
+        //     "error": {
+        //         "code": 429,
+        //         "description": "Too Many Requests"
+        //     }
+        // }
+
+
+        if (config.rateLimiting?.enabled) {
+            this.rateLimiting.enabled = true;
+
+            assert.strictEqual(typeof config.rateLimiting.serviceUserArn, 'string');
+            this.rateLimiting.serviceUserArn = config.rateLimiting.serviceUserArn;
+
+            // this.rateLimiting.default = {};
+            if (config.rateLimiting.bucket) {
+                assert.strictEqual(
+                    typeof config.rateLimiting.bucket, 'object',
+                    'rateLimiting.bucket must be an object'
+                );
+
+                let defaultConfig = undefined;
+                if (config.rateLimiting.bucket.defaultConfig) {
+                    assert.strictEqual(
+                        typeof config.rateLimiting.bucket.defaultConfig, 'object',
+                        'rateLimiting.bucket.defaultConfig must be an object'
+                    );
+                    defaultConfig = parseRateLimitConfig(config.rateLimiting.bucket);
+                }
+
+                let configCacheTTL = constants.rateLimitDefaultConfigCacheTTL;
+                if (config.rateLimiting.bucket.configCacheTTL) {
+                    configCacheTTL = config.rateLimiting.bucket.configCacheTTL;
+                    assert(
+                        typeof configCacheTTL === 'number' && Number.isInteger(configCacheTTL) && configCacheTTL > 0,
+                        'ratelimiting.bucket.configCacheTTL must be a postive integer'
+                    );
+                }
+
+                this.rateLimiting.bucket = {
+                    defaultConfig,
+                    configCacheTTL,
+                };
+            }
+
+            if (config.error) {
+                assert.strictEqual(typeof config.rateLimiting.error, 'object', 'rateLimiting.error must be an object');
+                this.rateLimiting.error = new ArsenalError('SlowDown',
+                    config.throttling.errorResponse.code, config.throttling.errorResponse.message);
+            } else {
+                this.rateLimiting.error = errors.SlowDown;
+            }
+        }
+
         return config;
     }
 

lib/api/apiUtils/authorization/serviceUser.js

@@ -0,0 +1,15 @@
+const { timingSafeEqual } = require('crypto');
+
+const { config } = require('../../../Config');
+
+function isRateLimitServiceUser(authInfo) {
+    try {
+        return timingSafeEqual(Buffer.from(authInfo.getArn()), Buffer.from(config.rateLimiting.serviceUserArn));
+    } catch {
+        return false;
+    }
+}
+
+module.exports = {
+    isRateLimitServiceUser
+};

lib/api/apiUtils/rateLimit/config.js

@@ -0,0 +1,30 @@
+const assert = require('assert');
+
+const { rateLimitDefaultBurstCapacity } = require('../../../../constants');
+
+function parseRateLimitConfig(config) {
+    const limitConfig = {};
+
+    if (config.requestsPerSecond) {
+        assert.strictEqual(typeof config.requestsPerSecond, 'object');
+
+        const { limit } = config.requestsPerSecond;
+        assert(typeof limit === 'number' && Number.isInteger(limit) && limit > 0);
+
+        let { burstCapacity } = config.requestsPerSecond;
+        if (burstCapacity !== undefined) {
+            assert(typeof burstCapacity === 'number' && Number.isInteger(burstCapacity) && burstCapacity > 0);
+        } else {
+            burstCapacity = rateLimitDefaultBurstCapacity;
+        }
+
+        limitConfig.requestsPerSecond = {
+            interval: Math.ceil((1 / limit) * 1000),
+            bucketSize: burstCapacity * 1000,
+        };
+    }
+}
+
+module.exports = {
+    parseRateLimitConfig,
+};

lib/api/bucketDeleteRateLimit.js

@@ -0,0 +1,58 @@
+const { errors } = require('arsenal');
+
+const metadata = require('../metadata/wrapper');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
+const collectCorsHeaders = require('../utilities/collectCorsHeaders');
+const { isRateLimitServiceUser } = require('./apiUtils/authorization/serviceUser');
+
+/**
+ * bucketDeleteRateLimit - Delete the bucket rate limit configuration
+ * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
+ * @param {object} request - http request object
+ * @param {object} log - Werelogs logger
+ * @param {function} callback - callback to server
+ * @return {undefined}
+ */
+function bucketDeleteRateLimit(authInfo, request, log, callback) {
+    log.debug('processing request', { method: 'bucketDeleteRateLimit' });
+
+    if (!isRateLimitServiceUser(authInfo)) {
+        return callback(errors.AccessDenied);
+    }
+
+    const { bucketName, headers, method } = request;
+    const metadataValParams = {
+        authInfo,
+        bucketName,
+        requestType: request.apiMethods || 'bucketDeleteRateLimit',
+        request,
+    };
+    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
+        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
+        if (err) {
+            log.debug('error processing request', {
+                error: err,
+                method: 'bucketDeleteRateLimit',
+            });
+            return callback(err, corsHeaders);
+        }
+        if (!bucket.getRateLimitConfig()) {
+            log.trace('no existing bucket rate limit configuration', {
+                method: 'bucketDeleteRateLimit',
+            });
+            // TODO: implement Utapi metric support
+            return callback(null, corsHeaders);
+        }
+        log.trace('deleting bucket rate limit configuration in metadata');
+        bucket.setRateLimitConfig(null);
+        return metadata.updateBucket(bucketName, bucket, log, err => {
+            if (err) {
+                return callback(err, corsHeaders);
+            }
+            // TODO: implement Utapi metric support
+            return callback(null, corsHeaders);
+        });
+    });
+}
+
+module.exports = bucketDeleteRateLimit;

lib/api/bucketGetRateLimit.js

@@ -0,0 +1,54 @@
+const { errors } = require('arsenal');
+
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
+const collectCorsHeaders = require('../utilities/collectCorsHeaders');
+const { isRateLimitServiceUser } = require('./apiUtils/authorization/serviceUser');
+
+/**
+ * bucketGetRateLimit - Get the bucket rate limit config
+ * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
+ * @param {object} request - http request object
+ * @param {object} log - Werelogs logger
+ * @param {function} callback - callback to server
+ * @return {undefined}
+ */
+function bucketGetRateLimit(authInfo, request, log, callback) {
+    log.debug('processing request', { method: 'bucketGetRateLimit' });
+
+    if (!isRateLimitServiceUser(authInfo)) {
+        return callback(errors.AccessDenied);
+    }
+
+    const { bucketName, headers, method } = request;
+    const metadataValParams = {
+        authInfo,
+        bucketName,
+        requestType: request.apiMethods || 'bucketGetRateLimit',
+        request,
+    };
+
+    return standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log, (err, bucket) => {
+        const corsHeaders = collectCorsHeaders(headers.origin, method, bucket);
+        if (err) {
+            log.debug('error processing request', {
+                error: err,
+                method: 'bucketGetRateLimit',
+            });
+            return callback(err, null, corsHeaders);
+        }
+
+        const rateLimitConfig = bucket.getRateLimitConfig();
+        if (!rateLimitConfig) {
+            log.debug('error processing request', {
+                error: errors.NoSuchBucketRateLimit,
+                method: 'bucketGetRateLimit',
+            });
+            return callback(errors.NoSuchBucketRateLimit, null,
+                corsHeaders);
+        }
+
+        return callback(null, JSON.stringify(rateLimitConfig), corsHeaders);
+    });
+}
+
+module.exports = bucketGetRateLimit;

lib/api/bucketPutRateLimit.js

@@ -0,0 +1,90 @@
+const async = require('async');
+const { parseString } = require('xml2js');
+const { errorInstances, errors } = require('arsenal');
+
+const collectCorsHeaders = require('../utilities/collectCorsHeaders');
+const metadata = require('../metadata/wrapper');
+const { standardMetadataValidateBucket } = require('../metadata/metadataUtils');
+const { isRateLimitServiceUser } = require('./apiUtils/authorization/serviceUser');
+
+function parseRequestBody(requestBody, callback) {
+    try {
+        const jsonData = JSON.parse(requestBody);
+        if (typeof jsonData !== 'object') {
+            throw new Error('Invalid JSON');
+        }
+        return callback(null, jsonData);
+    } catch {
+        return parseString(requestBody, (xmlError, xmlData) => {
+            if (xmlError) {
+                return callback(errorInstances.InvalidArgument
+                    .customizeDescription('Request body must be a JSON object'));
+            }
+            return callback(null, xmlData);
+        });
+    }
+}
+
+function validateRateLimitConfig(config, callback) {
+    const limit = parseInt(config.RequestsPerSecond, 10);
+    if (Number.isNaN(limit) || !Number.isInteger(limit) || limit <= 0) {
+        return callback(errorInstances.InvalidArgument
+            .customizeDescription('RequestsPerSecond must be a positive integer'));
+    }
+    return callback(null, {
+            RequestsPerSecond: limit,
+    });
+}
+
+/**
+ * bucketPutRateLimit - create or update a bucket policy
+ * @param {AuthInfo} authInfo - Instance of AuthInfo class with requester's info
+ * @param {object} request - http request object
+ * @param {object} log - Werelogs logger
+ * @param {function} callback - callback to server
+ * @return {undefined}
+ */
+function bucketPutRateLimit(authInfo, request, log, callback) {
+    log.debug('processing request', { method: 'bucketPutRateLimit' });
+
+    if (!isRateLimitServiceUser(authInfo)) {
+        return callback(errors.AccessDenied);
+    }
+
+    const { bucketName } = request;
+    const metadataValParams = {
+        authInfo,
+        bucketName,
+        requestType: request.apiMethods || 'bucketPutRateLimit',
+        request,
+    };
+
+    return async.waterfall([
+        next => parseRequestBody(request.post, next),
+        (requestBody, next) => validateRateLimitConfig(requestBody, next),
+        (limitConfig, next) => standardMetadataValidateBucket(metadataValParams, request.actionImplicitDenies, log,
+            (err, bucket) => {
+                if (err) {
+                    return next(err, bucket);
+                }
+                return next(null, bucket, limitConfig);
+            }),
+        (bucket, limitConfig, next) => {
+            bucket.setRateLimitConfig(limitConfig);
+            metadata.updateBucket(bucket.getName(), bucket, log,
+                err => next(err, bucket));
+        },
+    ], (err, bucket) => {
+        const corsHeaders = collectCorsHeaders(request.headers.origin,
+            request.method, bucket);
+        if (err) {
+            log.trace('error processing request',
+                { error: err, method: 'bucketPutRateLimit' });
+            return callback(err, corsHeaders);
+        }
+        // TODO: implement Utapi metric support
+        return callback(null, corsHeaders);
+    });
+}
+
+module.exports = bucketPutRateLimit;