Rate limit: Implement token buckets

Token buckets form the core of the XAPI rate limiter. Token buckets hold
tokens, which are refilled over time according to their refill rate up
to a maximum.

Each client making calls to XAPI will have one token bucket associated;
each call takes tokens out of the bucket, and delays will be enforced
such that any requests made to an empty bucket have to wait until the
bucket has been refilled.

The token bucket library implements functions for token bucket creation
and thread-safe token consumption. Refills are calculated only when the
bucket is observed by tracking a last_refill timestamp.

Signed-off-by: Christian Pardillo Laursen <christian.pardillolaursen@citrix.com>

Author: cplaursen

dune-project

@@ -52,6 +52,13 @@
  (name tgroup)
  (depends xapi-log xapi-stdext-unix))
 
+(package
+ (name xapi-rate-limit)
+ (synopsis "A simple token bucket-based rate limter for XAPI")
+ (depends
+   (ocaml (>= 4.12))
+   xapi-log xapi-stdext-unix))
+
 (package
  (name xml-light2))
 

ocaml/libs/rate-limit/dune

@@ -0,0 +1,8 @@
+(library
+ (name xapi_rate_limit)
+ (public_name xapi-rate-limit)
+
+ (libraries threads.posix mtime mtime.clock.os xapi-log xapi-stdext-threads clock)
+)
+
+

ocaml/libs/rate-limit/token_bucket.ml

@@ -0,0 +1,83 @@
+(*
+ * Copyright (C) 2025 Cloud Software Group
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+type state = {tokens: float; last_refill: Mtime.span}
+
+type t = {burst_size: float; fill_rate: float; state: state Atomic.t}
+
+let create_with_timestamp timestamp ~burst_size ~fill_rate =
+  if fill_rate <= 0. then
+    invalid_arg "Token_bucket.create: fill_rate must be positive"
+  else
+    let state = Atomic.make {tokens= burst_size; last_refill= timestamp} in
+    {burst_size; fill_rate; state}
+
+let create = create_with_timestamp (Mtime_clock.elapsed ())
+
+let compute_tokens timestamp {tokens; last_refill} ~burst_size ~fill_rate =
+  let time_delta = Mtime.Span.abs_diff last_refill timestamp in
+  let time_delta_seconds = Mtime.Span.to_float_ns time_delta *. 1e-9 in
+  min burst_size (tokens +. (time_delta_seconds *. fill_rate))
+
+let peek_with_timestamp timestamp tb =
+  let tb_state = Atomic.get tb.state in
+  compute_tokens timestamp tb_state ~burst_size:tb.burst_size
+    ~fill_rate:tb.fill_rate
+
+let peek tb = peek_with_timestamp (Mtime_clock.elapsed ()) tb
+
+let consume_with_timestamp get_time tb amount =
+  let rec try_consume () =
+    let timestamp = get_time () in
+    let old_state = Atomic.get tb.state in
+    let new_tokens =
+      compute_tokens timestamp old_state ~burst_size:tb.burst_size
+        ~fill_rate:tb.fill_rate
+    in
+    let success, final_tokens =
+      if new_tokens >= amount then
+        (true, new_tokens -. amount)
+      else
+        (false, new_tokens)
+    in
+    let new_state = {tokens= final_tokens; last_refill= timestamp} in
+    if Atomic.compare_and_set tb.state old_state new_state then
+      success
+    else
+      try_consume ()
+  in
+  try_consume ()
+
+let consume = consume_with_timestamp Mtime_clock.elapsed
+
+let get_delay_until_available_timestamp timestamp tb amount =
+  let {tokens; last_refill} = Atomic.get tb.state in
+  let current_tokens =
+    compute_tokens timestamp {tokens; last_refill} ~burst_size:tb.burst_size
+      ~fill_rate:tb.fill_rate
+  in
+  let required_tokens = max 0. (amount -. current_tokens) in
+  required_tokens /. tb.fill_rate
+
+let get_delay_until_available tb amount =
+  get_delay_until_available_timestamp (Mtime_clock.elapsed ()) tb amount
+
+(* This implementation only works when there is only one thread trying to
+   consume - fairness needs to be implemented on top of it with a queue.
+   If there is no contention, it should only delay once. *)
+let rec delay_then_consume tb amount =
+  if not (consume tb amount) then (
+    Thread.delay (get_delay_until_available tb amount) ;
+    delay_then_consume tb amount
+  )

ocaml/libs/rate-limit/token_bucket.mli

@@ -0,0 +1,112 @@
+(*
+ * Copyright (C) 2025 Cloud Software Group
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published
+ * by the Free Software Foundation; version 2.1 only. with the special
+ * exception on linking described in file LICENSE.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Lesser General Public License for more details.
+ *)
+
+(** This module implements a classic token-bucket rate limiter. Token buckets
+    contain tokens that are refilled over time, and can be consumed in a
+    thread-safe way. A token bucket accumulates [fill_rate] tokens per second,
+    up to [burst_size]. Consumers may take tokens (if available), or query when
+    enough tokens will become available.
+
+    Token counts are represented as floats rather than integers to allow
+    fractional token costs and fine-grained refill rates.
+
+    Token buckets implement rate limiting by allowing operations to proceed
+    only when sufficient tokens are available - otherwise, the operations can
+    be delayed until enough tokens are available.
+
+    To avoid doing unnecessary work to refill the bucket, token amounts are
+    only updated when a consume operation is carried out. The buckets keep a
+    last_refill timestamp which is updated on consume in tandem with the token
+    counts, and informs how many tokens should be added by the bucket refill.
+
+    We include versions of functions that take a timestamp as a parameter for
+    testing purposes only - consumers of this library should use the
+    timestamp-less versions.
+*)
+
+type t
+
+val create : burst_size:float -> fill_rate:float -> t
+(** Create token bucket with given parameters.
+    @raises Invalid_argument if the fill rate is 0 or negative.
+    @param burst_size Maximum number of tokens that can fit in the bucket
+    @param fill_rate Number of tokens added to the bucket per second
+    *)
+
+val peek : t -> float
+(** Retrieve current token amount
+     @param tb Token bucket
+     @return Amount of tokens in the token bucket
+   *)
+
+val consume : t -> float -> bool
+(** Consume tokens from the bucket in a thread-safe manner.
+     @param tb Token bucket
+     @param amount How many tokens to consume
+     @return Whether the tokens were successfully consumed
+   *)
+
+val get_delay_until_available : t -> float -> float
+(** Get number of seconds that need to pass until bucket is expected to have
+    enough tokens to fulfil the request
+    @param tb Token bucket
+    @param amount How many tokens we want to consume
+    @return Number of seconds until tokens are available
+*)
+
+val delay_then_consume : t -> float -> unit
+(** [delay_then_consume tb amount] sleeps the calling thread until [amount]
+    tokens are available, then consumes them. Thread-safe but does not
+    guarantee fairness between competing callers. *)
+
+(**/**)
+
+(* Fuctions accepting a timestamp are meant for testing only *)
+
+val create_with_timestamp :
+  Mtime.span -> burst_size:float -> fill_rate:float -> t
+(** Create token bucket with given parameters and supplied inital timestamp.
+    @raises Invalid_argument if the fill_rate is 0 or negative.
+    @param timestamp Initial timestamp
+    @param burst_size Maximum number of tokens that can fit in the bucket
+    @param fill_rate Number of tokens added to the bucket per second
+    *)
+
+val peek_with_timestamp : Mtime.span -> t -> float
+(** Retrieve token amount in token bucket at given timestamp.
+    Undefined behaviour when [timestamp] <= [tb.timestamp]
+     @param timestamp Current time
+     @param tb Token bucket
+     @return Amount of tokens in the token bucket
+   *)
+
+val consume_with_timestamp : (unit -> Mtime.span) -> t -> float -> bool
+(** Consume tokens from the bucket in a thread-safe manner, using supplied
+      function for obtaining the current time
+     @param get_time Function to obtain timestamp, e.g. Mtime_clock.elapsed
+     @param tb Token bucket
+     @param amount How many tokens to consume
+     @return Whether the tokens were successfully consumed
+   *)
+
+val get_delay_until_available_timestamp : Mtime.span -> t -> float -> float
+(** Get number of seconds that need to pass until bucket is expected to have
+    enough tokens to fulfil the request
+    @param timestamp
+    @param tb Token bucket
+    @param amount How many tokens we want to consume
+    @return Number of seconds until tokens are available
+*)
+
+(**/**)

opam/xapi-rate-limit.opam

@@ -0,0 +1,31 @@
+# This file is generated by dune, edit dune-project instead
+opam-version: "2.0"
+synopsis: "A simple token bucket-based rate limter for XAPI"
+maintainer: ["Xapi project maintainers"]
+authors: ["xen-api@lists.xen.org"]
+license: "LGPL-2.1-only WITH OCaml-LGPL-linking-exception"
+homepage: "https://xapi-project.github.io/"
+bug-reports: "https://github.com/xapi-project/xen-api/issues"
+depends: [
+  "dune" {>= "3.20"}
+  "ocaml" {>= "4.12"}
+  "xapi-log"
+  "xapi-stdext-unix"
+  "odoc" {with-doc}
+]
+build: [
+  ["dune" "subst"] {dev}
+  [
+    "dune"
+    "build"
+    "-p"
+    name
+    "-j"
+    jobs
+    "@install"
+    "@runtest" {with-test}
+    "@doc" {with-doc}
+  ]
+]
+dev-repo: "git+https://github.com/xapi-project/xen-api.git"
+x-maintenance-intent: ["(latest)"]