impr(CLDSRV-852): Refactor rate limit helpers

Author: tmacro

lib/api/apiUtils/rateLimit/helpers.js

@@ -1,24 +1,12 @@
 const { config } = require('../../../Config');
 const cache = require('./cache');
-const constants = require('../../../../constants');
 const { getTokenBucket } = require('./tokenBucket');
 const { policies: { actionMaps: { actionMapBucketRateLimit } } } = require('arsenal');
 
 const rateLimitApiActions = Object.keys(actionMapBucketRateLimit);
 
 /**
- * Get rate limit configuration from cache only (no metadata fetch)
- *
- * @param {string} bucketName - Bucket name
- * @returns {object|null|undefined} Rate limit config, null (no limit), or undefined (not cached)
- */
-function getRateLimitFromCache(bucketName) {
-    const cacheKey = `bucket:${bucketName}`;
-    return cache.getCachedConfig(cacheKey);
-}
-
-/**
- * Extract rate limit configuration from bucket metadata and cache it
+ * Extract rate limit configuration from bucket metadata or global rate limit configuration.
  *
  * Resolves in priority order:
  * 1. Per-bucket configuration (from bucket metadata)
@@ -30,24 +18,21 @@ function getRateLimitFromCache(bucketName) {
  * @param {object} log - Logger instance
  * @returns {object|null} Rate limit config or null if no limit
  */
-function extractAndCacheRateLimitConfig(bucket, bucketName, log) {
-    const cacheKey = `bucket:${bucketName}`;
-    const cacheTTL = config.rateLimiting.bucket?.configCacheTTL ||
-                     constants.rateLimitDefaultConfigCacheTTL;
-
+function extractBucketRateLimitConfig(bucket, bucketName, log) {
     // Try per-bucket config first
     const bucketConfig = bucket.getRateLimitConfiguration();
     if (bucketConfig) {
         const data = bucketConfig.getData();
         const limitConfig = {
             limit: data.RequestsPerSecond.Limit,
+            burstCapacity: config.rateLimiting.bucket.defaultBurstCapacity * 1000,
             source: 'bucket',
         };
 
-        cache.setCachedConfig(cacheKey, limitConfig, cacheTTL);
         log.debug('Extracted per-bucket rate limit config', {
             bucketName,
             limit: limitConfig.limit,
+            burstCapacity: config.rateLimiting.bucket.defaultBurstCapacity * 1000,
         });
 
         return limitConfig;
@@ -58,10 +43,10 @@ function extractAndCacheRateLimitConfig(bucket, bucketName, log) {
     if (globalLimit !== undefined && globalLimit > 0) {
         const limitConfig = {
             limit: globalLimit,
+            burstCapacity: config.rateLimiting.bucket.defaultBurstCapacity * 1000,
             source: 'global',
         };
 
-        cache.setCachedConfig(cacheKey, limitConfig, cacheTTL);
         log.debug('Using global default rate limit config', {
             bucketName,
             limit: limitConfig.limit,
@@ -71,58 +56,86 @@ function extractAndCacheRateLimitConfig(bucket, bucketName, log) {
     }
 
     // No rate limiting configured - cache null to avoid repeated lookups
-    cache.setCachedConfig(cacheKey, null, cacheTTL);
     log.trace('No rate limit configured for bucket', { bucketName });
-
     return null;
 }
 
-/**
- * Check rate limit with pre-resolved configuration using token reservation
- *
- * Uses token bucket: Workers maintain local tokens granted by Redis.
- * Token consumption is pure in-memory (fast). Refills happen async in background.
- *
- * @param {string} bucketName - Bucket name
- * @param {object|null} limitConfig - Pre-resolved rate limit config
- * @param {object} log - Logger instance
- * @param {function} callback - Callback(err, rateLimited boolean)
- * @returns {undefined}
- */
-function checkRateLimitWithConfig(bucketName, limitConfig, log, callback) {
-    // No rate limiting configured
-    if (!limitConfig || limitConfig.limit === 0) {
-        return callback(null, false);
+function extractRateLimitConfigFromRequest(request) {
+    const applyRateLimit = config.rateLimiting?.enabled
+        && !rateLimitApiActions.includes(request.apiMethod) // Don't limit any rate limit admin actions
+        && !request.isInternalServiceRequest;               // Don't limit any calls from internal services
+
+    if (!applyRateLimit) {
+        return { needsCheck: false };
+    }
+
+    const limitConfigs = {};
+    let needsCheck = false;
+
+    if (request.accountLimits) {
+        limitConfigs.account = {
+            ...request.accountLimits,
+            source: 'account',
+        };
+        needsCheck = true;
+    }
+
+    if (request.bucketName) {
+        const cachedConfig = cache.getCachedConfig(cache.namespace.bucket, request.bucketName);
+        if (cachedConfig) {
+            limitConfigs.bucket = cachedConfig;
+            needsCheck = true;
+        }
+
+        if (!request.accountLimits) {
+            const cachedOwner = cache.getCachedBucketOwner(request.bucketName);
+            if (cachedOwner !== undefined) {
+                const cachedConfig = cache.getCachedConfig(cache.namespace.account, cachedOwner);
+                if (cachedConfig) {
+                    limitConfigs.account = cachedConfig;
+                    limitConfigs.bucketOwner = cachedOwner;
+                    needsCheck = true;
+                }
+            }
+        }
     }
 
-    // Get or create token bucket for this bucket
-    const tokenBucket = getTokenBucket(bucketName, limitConfig, log);
+    return { needsCheck, limitConfigs };
+}
+
+function checkRateLimitsForRequest(checks, log) {
+    const buckets = [];
+    for (const check of checks) {
+        const bucket = getTokenBucket(check.resourceClass, check.resourceId, check.measure, check.config, log);
+        if (!bucket.hasCapacity()) {
+            log.debug('Rate limit check: denied (no tokens available)', {
+                resourceClass: bucket.resourceClass,
+                resourceId: bucket.resourceId,
+                measure: bucket.measure,
+                limit: bucket.limitConfig.limit,
+                source: bucket.limitConfig.source,
+            });
 
-    // Try to consume a token (in-memory, no Redis)
-    const allowed = tokenBucket.tryConsume();
+            return { allowed: false, rateLimitSource: `${check.resourceClass}:${check.source}`};
+        }
+
+        buckets.push(bucket);
 
-    if (allowed) {
         log.trace('Rate limit check: allowed (token consumed)', {
-            bucketName,
-            tokensRemaining: tokenBucket.tokens,
-        });
-    } else {
-        log.debug('Rate limit check: denied (no tokens available)', {
-            bucketName,
-            limit: limitConfig.limit,
-            source: limitConfig.source,
+            resourceClass: bucket.resourceClass,
+            resourceId: bucket.resourceId,
+            measure: bucket.measure,
+            source: bucket.limitConfig.source,
         });
     }
 
-    // Return inverse: callback expects "rateLimited" boolean
-    // allowed=true → rateLimited=false
-    // allowed=false → rateLimited=true
-    return callback(null, !allowed);
+    buckets.forEach(bucket => bucket.tryConsume());
+    return { allowed: true };
 }
 
 module.exports = {
-    getRateLimitFromCache,
-    extractAndCacheRateLimitConfig,
-    checkRateLimitWithConfig,
     rateLimitApiActions,
+    extractBucketRateLimitConfig,
+    extractRateLimitConfigFromRequest,
+    checkRateLimitsForRequest,
 };