CLDSRV-781: Add ratelimiting post MD fetch

Author: anurag4DSB

lib/metadata/metadataUtils.js

@@ -9,6 +9,11 @@ const bucketShield = require('../api/apiUtils/bucket/bucketShield');
 const { onlyOwnerAllowed } = require('../../constants');
 const { actionNeedQuotaCheck, actionWithDataDeletion } = require('arsenal/build/lib/policyEvaluator/RequestContext');
 const { processBytesToWrite, validateQuotas } = require('../api/apiUtils/quotas/quotaUtils');
+const { config } = require('../Config');
+const {
+    extractAndCacheRateLimitConfig,
+    checkRateLimitWithConfig,
+} = require('../api/apiUtils/rateLimit/helpers');
 
 /** getNullVersionFromMaster - retrieves the null version
  * metadata via retrieving the master key
@@ -169,6 +174,65 @@ function validateBucket(bucket, params, log, actionImplicitDenies = {}) {
     }
     return null;
 }
+
+/**
+ * Check rate limiting if not already checked
+ *
+ * Extracts rate limit config from bucket metadata, caches it, and enforces limit.
+ * Calls callback with error if rate limited, null if allowed or no rate limiting.
+ *
+ * @param {object} bucket - Bucket metadata object
+ * @param {string} bucketName - Bucket name
+ * @param {object} request - Request object with rateLimitAlreadyChecked tracker
+ * @param {object} log - Logger instance
+ * @param {function} callback - Callback(err) - err if rate limited, null if allowed
+ * @returns {undefined}
+ */
+function checkRateLimitIfNeeded(bucket, bucketName, request, log, callback) {
+    // Skip if already checked or not enabled
+    if (request.rateLimitAlreadyChecked || !config.rateLimiting?.enabled) {
+        return process.nextTick(callback, null);
+    }
+
+    // Extract rate limit config from bucket metadata and cache it
+    const rateLimitConfig = extractAndCacheRateLimitConfig(bucket, bucketName, log);
+
+    // No rate limiting configured
+    if (!rateLimitConfig) {
+        // eslint-disable-next-line no-param-reassign
+        request.rateLimitAlreadyChecked = true;
+        return process.nextTick(callback, null);
+    }
+
+    // Check rate limit with GCRA
+    return checkRateLimitWithConfig(
+        bucketName,
+        rateLimitConfig,
+        log,
+        (rateLimitErr, rateLimited) => {
+            if (rateLimitErr) {
+                log.error('Rate limit check error in metadata validation', {
+                    error: rateLimitErr,
+                });
+            }
+
+            if (rateLimited) {
+                log.addDefaultFields({
+                    rateLimited: true,
+                    rateLimitSource: rateLimitConfig.source,
+                });
+                // eslint-disable-next-line no-param-reassign
+                request.rateLimitAlreadyChecked = true;
+                return callback(config.rateLimiting.error);
+            }
+
+            // Allowed - set tracker and continue
+            // eslint-disable-next-line no-param-reassign
+            request.rateLimitAlreadyChecked = true;
+            return callback(null);
+        }
+    );
+}
 /** standardMetadataValidateBucketAndObj - retrieve bucket and object md from metadata
  * and check if user is authorized to access them.
  * @param {object} params - function parameters
@@ -222,12 +286,21 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
             if (validationError) {
                 return next(validationError, bucket);
             }
-            const objMD = getResult.obj ? JSON.parse(getResult.obj) : undefined;
-            if (!objMD && versionId === 'null') {
-                return getNullVersionFromMaster(bucketName, objectKey, log,
-                     (err, nullVer) => next(err, bucket, nullVer));
-            }
-            return next(null, bucket, objMD);
+
+            // Rate limiting check if not already done in api.js
+            return checkRateLimitIfNeeded(bucket, bucketName, request, log, err => {
+                if (err) {
+                    return next(err, bucket);
+                }
+
+                // Continue with object metadata processing
+                const objMD = getResult.obj ? JSON.parse(getResult.obj) : undefined;
+                if (!objMD && versionId === 'null') {
+                    return getNullVersionFromMaster(bucketName, objectKey, log,
+                         (err, nullVer) => next(err, bucket, nullVer));
+                }
+                return next(null, bucket, objMD);
+            });
         },
         (bucket, objMD, next) => {
             const objMetadata = objMD;
@@ -294,7 +367,7 @@ function standardMetadataValidateBucketAndObj(params, actionImplicitDenies, log,
  * @return {undefined} - and call callback with params err, bucket md
  */
 function standardMetadataValidateBucket(params, actionImplicitDenies, log, callback) {
-    const { bucketName } = params;
+    const { bucketName, request } = params;
     return metadata.getBucket(bucketName, log, (err, bucket) => {
         if (err) {
             // if some implicit actionImplicitDenies, return AccessDenied before
@@ -305,8 +378,17 @@ function standardMetadataValidateBucket(params, actionImplicitDenies, log, callb
             log.debug('metadata getbucket failed', { error: err });
             return callback(err);
         }
-        const validationError = validateBucket(bucket, params, log, actionImplicitDenies);
-        return callback(validationError, bucket);
+
+        // Rate limiting check if not already done in api.js
+        return checkRateLimitIfNeeded(bucket, bucketName, request, log, err => {
+            if (err) {
+                return callback(err);
+            }
+
+            // Continue with validation
+            const validationError = validateBucket(bucket, params, log, actionImplicitDenies);
+            return callback(validationError, bucket);
+        });
     });
 }