User email as rate limiter key

Signed-off-by: Paolo Di Tommaso <[email protected]>
seqeralabs · Dec 12, 2024 · eddc9ee · eddc9ee
1 parent d72b69c
commit eddc9ee
Show file tree

Hide file tree

Showing 7 changed files with 16 additions and 11 deletions.
diff --git a/src/main/groovy/io/seqera/wave/controller/ContainerController.groovy b/src/main/groovy/io/seqera/wave/controller/ContainerController.groovy
@@ -265,7 +265,7 @@ class ContainerController {
         final ip = addressResolver.resolve(httpRequest)
         // check the rate limit before continuing
         if( rateLimiterService )
-            rateLimiterService.acquirePull(new AcquireRequest(identity.userId as String, ip))
+            rateLimiterService.acquirePull(new AcquireRequest(identity.userEmail, ip))
         // create request data
         final data = makeRequestData(req, identity, ip)
         final token = containerService.computeToken(data)

diff --git a/src/main/groovy/io/seqera/wave/controller/RegistryProxyController.groovy b/src/main/groovy/io/seqera/wave/controller/RegistryProxyController.groovy
@@ -123,7 +123,7 @@ class RegistryProxyController {
 
         if( route.manifest && route.digest ){
             String ip = addressResolver.resolve(httpRequest)
-            rateLimiterService?.acquirePull( new AcquireRequest(route.identity.userId as String, ip) )
+            rateLimiterService?.acquirePull( new AcquireRequest(route.identity.userEmail, ip) )
         }
 
         // check if it's a container under build

diff --git a/src/main/groovy/io/seqera/wave/ratelimit/AcquireRequest.groovy b/src/main/groovy/io/seqera/wave/ratelimit/AcquireRequest.groovy
@@ -35,7 +35,7 @@ class AcquireRequest {
     /**
      * Principal key to use in the search. Can be null
      */
-    String userId
+    String user
 
     /**
      * Secondary key to use if principal is not present

diff --git a/src/main/groovy/io/seqera/wave/ratelimit/impl/SpillwayRateLimiter.groovy b/src/main/groovy/io/seqera/wave/ratelimit/impl/SpillwayRateLimiter.groovy
@@ -68,20 +68,20 @@ class SpillwayRateLimiter implements RateLimiterService {
 
     @Override
     void acquireBuild(AcquireRequest request) throws SlowDownException {
-        Spillway<String> resource = request.userId ? authsBuilds : anonymousBuilds
-        String key = request.userId ?: request.ip
+        Spillway<String> resource = request.user ? authsBuilds : anonymousBuilds
+        String key = request.user ?: request.ip
         if (!resource.tryCall(key)) {
-            final prefix = request.userId ? 'user' : 'IP'
+            final prefix = request.user ? 'user' : 'IP'
             throw new SlowDownException("Request exceeded build rate limit for $prefix $key")
         }
     }
 
     @Override
     void acquirePull(AcquireRequest request) throws SlowDownException {
-        Spillway<String> resource = request.userId ? authsPulls : anonymousPulls
-        String key = request.userId ?: request.ip
+        Spillway<String> resource = request.user ? authsPulls : anonymousPulls
+        String key = request.user ?: request.ip
         if (!resource.tryCall(key)) {
-            final prefix = request.userId ? 'user' : 'IP'
+            final prefix = request.user ? 'user' : 'IP'
             throw new SlowDownException("Request exceeded pull rate limit for $prefix $key")
         }
     }

diff --git a/src/main/groovy/io/seqera/wave/service/builder/impl/ContainerBuildServiceImpl.groovy b/src/main/groovy/io/seqera/wave/service/builder/impl/ContainerBuildServiceImpl.groovy
@@ -198,7 +198,7 @@ class ContainerBuildServiceImpl implements ContainerBuildService, JobHandler<Bui
         // check the build rate limit
         try {
             if( rateLimiterService )
-                rateLimiterService.acquireBuild(new AcquireRequest(request.identity.userId as String, request.ip))
+                rateLimiterService.acquireBuild(new AcquireRequest(request.identity.userEmail, request.ip))
         }
         catch (Exception e) {
             buildStore.removeBuild(request.targetImage)

diff --git a/src/main/groovy/io/seqera/wave/tower/PlatformId.groovy b/src/main/groovy/io/seqera/wave/tower/PlatformId.groovy
@@ -49,6 +49,10 @@ class PlatformId {
         return user?.id
     }
 
+    String getUserEmail() {
+        return user?.email
+    }
+
     static PlatformId of(User user, SubmitContainerTokenRequest request) {
         new PlatformId(
                 user,

diff --git a/src/test/groovy/io/seqera/wave/tower/PlatformIdTest.groovy b/src/test/groovy/io/seqera/wave/tower/PlatformIdTest.groovy
@@ -42,7 +42,7 @@ class PlatformIdTest extends Specification {
 
     def 'should create form a container request' () {
         when:
-        def id = PlatformId.of(new User(id:1), new SubmitContainerTokenRequest(
+        def id = PlatformId.of(new User(id:1, email: '[email protected]'), new SubmitContainerTokenRequest(
                 towerWorkspaceId: 100,
                 towerEndpoint: 'http://foo.com',
                 towerAccessToken: 'token-123',
@@ -53,6 +53,7 @@ class PlatformIdTest extends Specification {
         id.workspaceId == 100
         id.towerEndpoint == 'http://foo.com'
         id.accessToken == 'token-123'
+        id.userEmail == '[email protected]'
     }
 
     def 'should create form a inspect request' () {