impr(CLDSRV-855): Refactor helpers to extract bucket and account configs

Author: tmacro

lib/api/apiUtils/rateLimit/helpers.js

@@ -5,102 +5,159 @@ const { policies: { actionMaps: { actionMapBucketRateLimit } } } = require('arse
 
 const rateLimitApiActions = Object.keys(actionMapBucketRateLimit);
 
+function requestNeedsRateCheck(request) {
+    // Is the feature enabled?
+    if (!config.rateLimiting.enabled) {
+        return false;
+    }
+
+    // Is the request an internal or rate limit admin operation?
+    if (rateLimitApiActions.includes(request.apiMethod) || request.isInternalServiceRequest) {
+        return false;
+    }
+
+    // Have we already checked both bucket and account configs?
+    return !(request.rateLimitAccountAlreadyChecked && request.rateLimitBucketAlreadyChecked);
+}
+
 /**
- * Extract rate limit configuration from bucket metadata or global rate limit configuration.
+ * Extract bucket rate limit configuration from bucket metadata or global rate limit configuration.
  *
  * Resolves in priority order:
  * 1. Per-bucket configuration (from bucket metadata)
  * 2. Global default configuration
- * 3. No rate limiting (null)
  *
  * @param {object} bucket - Bucket metadata object
- * @param {string} bucketName - Bucket name
  * @param {object} log - Logger instance
- * @returns {object|null} Rate limit config or null if no limit
+ * @returns {object} Rate limit config
  */
-function extractBucketRateLimitConfig(bucket, bucketName, log) {
+function extractBucketRateLimitConfig(bucketMD, log) {
     // Try per-bucket config first
-    const bucketConfig = bucket.getRateLimitConfiguration();
+    const bucketConfig = bucketMD.getRateLimitConfiguration();
     if (bucketConfig) {
         const data = bucketConfig.getData();
-        const limitConfig = {
-            limit: data.RequestsPerSecond.Limit,
-            burstCapacity: config.rateLimiting.bucket.defaultBurstCapacity * 1000,
-            source: 'bucket',
+
+        const merged = {
+            RequestsPerSecond: {
+                ...config.rateLimiting.bucket.defaultConfig.RequestsPerSecond,
+                ...(data.RequestsPerSecond || {}),
+                source: data.RequestsPerSecond !== undefined ? 'resource' : 'global',
+            },
         };
 
         log.debug('Extracted per-bucket rate limit config', {
-            bucketName,
-            limit: limitConfig.limit,
-            burstCapacity: config.rateLimiting.bucket.defaultBurstCapacity * 1000,
+            bucketName: bucketMD.getName(),
+            cfg: merged,
         });
 
-        return limitConfig;
+        return merged;
     }
 
-    // Fall back to global default config
-    const globalLimit = config.rateLimiting.bucket?.defaultConfig?.limit;
-    if (globalLimit !== undefined && globalLimit > 0) {
-        const limitConfig = {
-            limit: globalLimit,
-            burstCapacity: config.rateLimiting.bucket.defaultBurstCapacity * 1000,
+    log.debug('Using global default rate limit config', {
+        bucketName: bucketMD.getName(),
+        cfg: {
+            ...config.rateLimiting.bucket.defaultConfig,
+            source: 'global',
+        }
+    });
+
+    return {
+        RequestsPerSecond: {
+            ...config.rateLimiting.bucket.defaultConfig.RequestsPerSecond,
             source: 'global',
+        },
+    };
+}
+
+/**
+ * Extract account rate limit configuration from request or global rate limit configuration.
+ *
+ * Resolves in priority order:
+ * 1. Per-account configuration (from request)
+ * 2. Global default configuration
+ *
+ * @param {object} authInfo - Instance of AuthInfo class with requester's info
+ * @param {object} request - request object given by router
+ * @param {object} log - Logger instance
+ * @returns {object} Rate limit config
+ */
+function extractAccountRateLimitConfig(authInfo, request, log) {
+    // Try per-account config first
+    if (request.accountLimits) {
+        const merged = {
+            RequestsPerSecond: {
+                ...config.rateLimiting.account.defaultConfig.RequestsPerSecond,
+                ...(request.accountLimits.RequestsPerSecond || {}),
+                source: request.accountLimits.RequestsPerSecond !== undefined ? 'resource' : 'global',
+            },
         };
 
-        log.debug('Using global default rate limit config', {
-            bucketName,
-            limit: limitConfig.limit,
+        log.debug('Extracted per-account rate limit config', {
+            accountId: authInfo.getCanonicalID(),
+            cfg: merged,
         });
 
-        return limitConfig;
+        return merged;
     }
 
-    // No rate limiting configured - cache null to avoid repeated lookups
-    log.trace('No rate limit configured for bucket', { bucketName });
-    return null;
-}
+    const cfg = {
+        RequestsPerSecond: {
+            ...config.rateLimiting.account.defaultConfig.RequestsPerSecond,
+            source: 'global',
+        },
+    };
 
-function extractRateLimitConfigFromRequest(request) {
-    const applyRateLimit = config.rateLimiting?.enabled
-        && !rateLimitApiActions.includes(request.apiMethod) // Don't limit any rate limit admin actions
-        && !request.isInternalServiceRequest;               // Don't limit any calls from internal services
+    log.debug('Using global default rate limit config', {
+        accountId: authInfo.getCanonicalID(),
+        cfg,
+    });
 
-    if (!applyRateLimit) {
-        return { needsCheck: false };
-    }
+    return cfg;
+}
 
-    const limitConfigs = {};
-    let needsCheck = false;
+function extractRateLimitConfigFromRequest(request, authInfo, bucketMD, log) {
+    const limitConfig = {
+        bucket: extractBucketRateLimitConfig(bucketMD, log),
+        account: extractAccountRateLimitConfig(authInfo, request, log),
+    };
+    return limitConfig;
+}
 
-    if (request.accountLimits) {
-        limitConfigs.account = {
-            ...request.accountLimits,
-            source: 'account',
-        };
-        needsCheck = true;
+function getCachedRateLimitConfig(request) {
+    const cachedConfig = {};
+    const cachedBucketConfig = cache.getCachedConfig(cache.namespace.bucket, request.bucketName);
+    if (cachedBucketConfig !== undefined) {
+        cachedConfig.bucket = cachedBucketConfig;
     }
 
-    if (request.bucketName) {
-        const cachedConfig = cache.getCachedConfig(cache.namespace.bucket, request.bucketName);
-        if (cachedConfig) {
-            limitConfigs.bucket = cachedConfig;
-            needsCheck = true;
+    const cachedOwner = cache.getCachedBucketOwner(request.bucketName);
+    if (cachedOwner !== undefined) {
+        const cachedAccountConfig = cache.getCachedConfig(cache.namespace.account, cachedOwner);
+        if (cachedAccountConfig !== undefined) {
+            cachedConfig.account = cachedAccountConfig;
+            cachedConfig.bucketOwner = cachedOwner;
         }
+    }
 
-        if (!request.accountLimits) {
-            const cachedOwner = cache.getCachedBucketOwner(request.bucketName);
-            if (cachedOwner !== undefined) {
-                const cachedConfig = cache.getCachedConfig(cache.namespace.account, cachedOwner);
-                if (cachedConfig) {
-                    limitConfigs.account = cachedConfig;
-                    limitConfigs.bucketOwner = cachedOwner;
-                    needsCheck = true;
-                }
-            }
-        }
+    return cachedConfig;
+}
+
+function buildRateChecksFromConfig(resourceClass, resourceId, limitConfig) {
+    const checks = [];
+    if (limitConfig?.RequestsPerSecond?.Limit > 0) {
+        checks.push({
+            resourceClass,
+            resourceId,
+            measure: 'rps',
+            source: limitConfig.RequestsPerSecond.source,
+            config: {
+                limit: limitConfig.RequestsPerSecond.Limit,
+                burstCapacity: limitConfig.RequestsPerSecond.BurstCapacity * 1000,
+            },
+        });
     }
 
-    return { needsCheck, limitConfigs };
+    return checks;
 }
 
 function checkRateLimitsForRequest(checks, log) {
@@ -109,11 +166,11 @@ function checkRateLimitsForRequest(checks, log) {
         const bucket = getTokenBucket(check.resourceClass, check.resourceId, check.measure, check.config, log);
         if (!bucket.hasCapacity()) {
             log.debug('Rate limit check: denied (no tokens available)', {
-                resourceClass: bucket.resourceClass,
-                resourceId: bucket.resourceId,
-                measure: bucket.measure,
-                limit: bucket.limitConfig.limit,
-                source: bucket.limitConfig.source,
+                resourceClass: check.resourceClass,
+                resourceId: check.resourceId,
+                measure: check.measure,
+                limit: check.config.limit,
+                source: check.source,
             });
 
             return { allowed: false, rateLimitSource: `${check.resourceClass}:${check.source}`};
@@ -122,13 +179,15 @@ function checkRateLimitsForRequest(checks, log) {
         buckets.push(bucket);
 
         log.trace('Rate limit check: allowed (token consumed)', {
-            resourceClass: bucket.resourceClass,
-            resourceId: bucket.resourceId,
-            measure: bucket.measure,
-            source: bucket.limitConfig.source,
+            resourceClass: check.resourceClass,
+            resourceId: check.resourceId,
+            measure: check.measure,
+            source: check.source,
         });
     }
 
+    // buckets have already been checked for available capacity
+    // no need to check return values
     buckets.forEach(bucket => bucket.tryConsume());
     return { allowed: true };
 }
@@ -137,5 +196,8 @@ module.exports = {
     rateLimitApiActions,
     extractBucketRateLimitConfig,
     extractRateLimitConfigFromRequest,
+    buildRateChecksFromConfig,
     checkRateLimitsForRequest,
+    getCachedRateLimitConfig,
+    requestNeedsRateCheck,
 };

lib/api/apiUtils/rateLimit/tokenBucket.js

@@ -200,7 +200,7 @@ function getTokenBucket(resourceClass, resourceId, measure, limitConfig, log) {
     } else {
         const { updated, oldConfig } = bucket.updateLimit(limitConfig);
         if (updated) {
-            log.info('Updated token bucket limit config', {
+            log.debug('Updated token bucket limit config', {
                 cacheKey,
                 old: oldConfig,
                 new: limitConfig,