Merge pull request #1175 from matrix-org/luke/feature-configurable-as-rate-limiting
Allow Configurable Rate Limiting Per AS
This commit is contained in:
Luke Barnard
GitHub
commit
e01a1bc92d
|
|
@ -603,10 +603,12 @@ class Auth(object):
|
||||||
"""
|
"""
|
||||||
# Can optionally look elsewhere in the request (e.g. headers)
|
# Can optionally look elsewhere in the request (e.g. headers)
|
||||||
try:
|
try:
|
||||||
user_id = yield self._get_appservice_user_id(request)
|
user_id, app_service = yield self._get_appservice_user_id(request)
|
||||||
if user_id:
|
if user_id:
|
||||||
request.authenticated_entity = user_id
|
request.authenticated_entity = user_id
|
||||||
defer.returnValue(synapse.types.create_requester(user_id))
|
defer.returnValue(
|
||||||
|
synapse.types.create_requester(user_id, app_service=app_service)
|
||||||
|
)
|
||||||
|
|
||||||
access_token = get_access_token_from_request(
|
access_token = get_access_token_from_request(
|
||||||
request, self.TOKEN_NOT_FOUND_HTTP_STATUS
|
request, self.TOKEN_NOT_FOUND_HTTP_STATUS
|
||||||
|
|
@ -644,7 +646,8 @@ class Auth(object):
|
||||||
request.authenticated_entity = user.to_string()
|
request.authenticated_entity = user.to_string()
|
||||||
|
|
||||||
defer.returnValue(synapse.types.create_requester(
|
defer.returnValue(synapse.types.create_requester(
|
||||||
user, token_id, is_guest, device_id))
|
user, token_id, is_guest, device_id, app_service=app_service)
|
||||||
|
)
|
||||||
except KeyError:
|
except KeyError:
|
||||||
raise AuthError(
|
raise AuthError(
|
||||||
self.TOKEN_NOT_FOUND_HTTP_STATUS, "Missing access token.",
|
self.TOKEN_NOT_FOUND_HTTP_STATUS, "Missing access token.",
|
||||||
|
|
@ -659,14 +662,14 @@ class Auth(object):
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
if app_service is None:
|
if app_service is None:
|
||||||
defer.returnValue(None)
|
defer.returnValue((None, None))
|
||||||
|
|
||||||
if "user_id" not in request.args:
|
if "user_id" not in request.args:
|
||||||
defer.returnValue(app_service.sender)
|
defer.returnValue((app_service.sender, app_service))
|
||||||
|
|
||||||
user_id = request.args["user_id"][0]
|
user_id = request.args["user_id"][0]
|
||||||
if app_service.sender == user_id:
|
if app_service.sender == user_id:
|
||||||
defer.returnValue(app_service.sender)
|
defer.returnValue((app_service.sender, app_service))
|
||||||
|
|
||||||
if not app_service.is_interested_in_user(user_id):
|
if not app_service.is_interested_in_user(user_id):
|
||||||
raise AuthError(
|
raise AuthError(
|
||||||
|
|
@ -678,7 +681,7 @@ class Auth(object):
|
||||||
403,
|
403,
|
||||||
"Application service has not registered this user"
|
"Application service has not registered this user"
|
||||||
)
|
)
|
||||||
defer.returnValue(user_id)
|
defer.returnValue((user_id, app_service))
|
||||||
|
|
||||||
@defer.inlineCallbacks
|
@defer.inlineCallbacks
|
||||||
def get_user_by_access_token(self, token, rights="access"):
|
def get_user_by_access_token(self, token, rights="access"):
|
||||||
|
|
|
||||||
|
|
@ -81,7 +81,7 @@ class ApplicationService(object):
|
||||||
NS_LIST = [NS_USERS, NS_ALIASES, NS_ROOMS]
|
NS_LIST = [NS_USERS, NS_ALIASES, NS_ROOMS]
|
||||||
|
|
||||||
def __init__(self, token, url=None, namespaces=None, hs_token=None,
|
def __init__(self, token, url=None, namespaces=None, hs_token=None,
|
||||||
sender=None, id=None, protocols=None):
|
sender=None, id=None, protocols=None, rate_limited=True):
|
||||||
self.token = token
|
self.token = token
|
||||||
self.url = url
|
self.url = url
|
||||||
self.hs_token = hs_token
|
self.hs_token = hs_token
|
||||||
|
|
@ -95,6 +95,8 @@ class ApplicationService(object):
|
||||||
else:
|
else:
|
||||||
self.protocols = set()
|
self.protocols = set()
|
||||||
|
|
||||||
|
self.rate_limited = rate_limited
|
||||||
|
|
||||||
def _check_namespaces(self, namespaces):
|
def _check_namespaces(self, namespaces):
|
||||||
# Sanity check that it is of the form:
|
# Sanity check that it is of the form:
|
||||||
# {
|
# {
|
||||||
|
|
@ -234,5 +236,8 @@ class ApplicationService(object):
|
||||||
def is_exclusive_room(self, room_id):
|
def is_exclusive_room(self, room_id):
|
||||||
return self._is_exclusive(ApplicationService.NS_ROOMS, room_id)
|
return self._is_exclusive(ApplicationService.NS_ROOMS, room_id)
|
||||||
|
|
||||||
|
def is_rate_limited(self):
|
||||||
|
return self.rate_limited
|
||||||
|
|
||||||
def __str__(self):
|
def __str__(self):
|
||||||
return "ApplicationService: %s" % (self.__dict__,)
|
return "ApplicationService: %s" % (self.__dict__,)
|
||||||
|
|
|
||||||
|
|
@ -110,6 +110,11 @@ def _load_appservice(hostname, as_info, config_filename):
|
||||||
user = UserID(localpart, hostname)
|
user = UserID(localpart, hostname)
|
||||||
user_id = user.to_string()
|
user_id = user.to_string()
|
||||||
|
|
||||||
|
# Rate limiting for users of this AS is on by default (excludes sender)
|
||||||
|
rate_limited = True
|
||||||
|
if isinstance(as_info.get("rate_limited"), bool):
|
||||||
|
rate_limited = as_info.get("rate_limited")
|
||||||
|
|
||||||
# namespace checks
|
# namespace checks
|
||||||
if not isinstance(as_info.get("namespaces"), dict):
|
if not isinstance(as_info.get("namespaces"), dict):
|
||||||
raise KeyError("Requires 'namespaces' object.")
|
raise KeyError("Requires 'namespaces' object.")
|
||||||
|
|
@ -155,4 +160,5 @@ def _load_appservice(hostname, as_info, config_filename):
|
||||||
sender=user_id,
|
sender=user_id,
|
||||||
id=as_info["id"],
|
id=as_info["id"],
|
||||||
protocols=protocols,
|
protocols=protocols,
|
||||||
|
rate_limited=rate_limited
|
||||||
)
|
)
|
||||||
|
|
|
||||||
|
|
@ -57,10 +57,16 @@ class BaseHandler(object):
|
||||||
time_now = self.clock.time()
|
time_now = self.clock.time()
|
||||||
user_id = requester.user.to_string()
|
user_id = requester.user.to_string()
|
||||||
|
|
||||||
|
# The AS user itself is never rate limited.
|
||||||
app_service = self.store.get_app_service_by_user_id(user_id)
|
app_service = self.store.get_app_service_by_user_id(user_id)
|
||||||
if app_service is not None:
|
if app_service is not None:
|
||||||
return # do not ratelimit app service senders
|
return # do not ratelimit app service senders
|
||||||
|
|
||||||
|
# Disable rate limiting of users belonging to any AS that is configured
|
||||||
|
# not to be rate limited in its registration file (rate_limited: true|false).
|
||||||
|
if requester.app_service and not requester.app_service.is_rate_limited():
|
||||||
|
return
|
||||||
|
|
||||||
allowed, time_allowed = self.ratelimiter.send_message(
|
allowed, time_allowed = self.ratelimiter.send_message(
|
||||||
user_id, time_now,
|
user_id, time_now,
|
||||||
msg_rate_hz=self.hs.config.rc_messages_per_second,
|
msg_rate_hz=self.hs.config.rc_messages_per_second,
|
||||||
|
|
|
||||||
|
|
@ -18,8 +18,9 @@ from synapse.api.errors import SynapseError
|
||||||
from collections import namedtuple
|
from collections import namedtuple
|
||||||
|
|
||||||
|
|
||||||
Requester = namedtuple("Requester",
|
Requester = namedtuple("Requester", [
|
||||||
["user", "access_token_id", "is_guest", "device_id"])
|
"user", "access_token_id", "is_guest", "device_id", "app_service",
|
||||||
|
])
|
||||||
"""
|
"""
|
||||||
Represents the user making a request
|
Represents the user making a request
|
||||||
|
|
||||||
|
|
@ -29,11 +30,12 @@ Attributes:
|
||||||
request, or None if it came via the appservice API or similar
|
request, or None if it came via the appservice API or similar
|
||||||
is_guest (bool): True if the user making this request is a guest user
|
is_guest (bool): True if the user making this request is a guest user
|
||||||
device_id (str|None): device_id which was set at authentication time
|
device_id (str|None): device_id which was set at authentication time
|
||||||
|
app_service (ApplicationService|None): the AS requesting on behalf of the user
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
|
||||||
def create_requester(user_id, access_token_id=None, is_guest=False,
|
def create_requester(user_id, access_token_id=None, is_guest=False,
|
||||||
device_id=None):
|
device_id=None, app_service=None):
|
||||||
"""
|
"""
|
||||||
Create a new ``Requester`` object
|
Create a new ``Requester`` object
|
||||||
|
|
||||||
|
|
@ -43,13 +45,14 @@ def create_requester(user_id, access_token_id=None, is_guest=False,
|
||||||
request, or None if it came via the appservice API or similar
|
request, or None if it came via the appservice API or similar
|
||||||
is_guest (bool): True if the user making this request is a guest user
|
is_guest (bool): True if the user making this request is a guest user
|
||||||
device_id (str|None): device_id which was set at authentication time
|
device_id (str|None): device_id which was set at authentication time
|
||||||
|
app_service (ApplicationService|None): the AS requesting on behalf of the user
|
||||||
|
|
||||||
Returns:
|
Returns:
|
||||||
Requester
|
Requester
|
||||||
"""
|
"""
|
||||||
if not isinstance(user_id, UserID):
|
if not isinstance(user_id, UserID):
|
||||||
user_id = UserID.from_string(user_id)
|
user_id = UserID.from_string(user_id)
|
||||||
return Requester(user_id, access_token_id, is_guest, device_id)
|
return Requester(user_id, access_token_id, is_guest, device_id, app_service)
|
||||||
|
|
||||||
|
|
||||||
def get_domain_from_id(string):
|
def get_domain_from_id(string):
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue