MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enforce per-IP rate limits

This commit is contained in:
Jonathan Klabunde Tomer 2024-09-23 10:20:43 -07:00 committed by ravi-signal
parent 087e192fac
commit d550c69f7f
2 changed files with 5 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java
View File

@ -1003,7 +1003,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
environment.jersey().register(new BufferingInterceptor()); environment.jersey().register(new BufferingInterceptor());
environment.jersey().register(new VirtualExecutorServiceProvider("managed-async-virtual-thread-")); environment.jersey().register(new VirtualExecutorServiceProvider("managed-async-virtual-thread-"));
environment.jersey().register(new RateLimitByIpFilter(rateLimiters, true)); environment.jersey().register(new RateLimitByIpFilter(rateLimiters));
environment.jersey().register(new RequestStatisticsFilter(TrafficSource.HTTP)); environment.jersey().register(new RequestStatisticsFilter(TrafficSource.HTTP));
environment.jersey().register(MultiRecipientMessageProvider.class); environment.jersey().register(MultiRecipientMessageProvider.class);
environment.jersey().register(new AuthDynamicFeature(accountAuthFilter)); environment.jersey().register(new AuthDynamicFeature(accountAuthFilter));
@ -1022,7 +1022,7 @@ public class WhisperServerService extends Application<WhisperServerConfiguration
clientReleaseManager, messageDeliveryLoopMonitor)); clientReleaseManager, messageDeliveryLoopMonitor));
webSocketEnvironment.jersey() webSocketEnvironment.jersey()
.register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager)); .register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager));
webSocketEnvironment.jersey().register(new RateLimitByIpFilter(rateLimiters, true)); webSocketEnvironment.jersey().register(new RateLimitByIpFilter(rateLimiters));
webSocketEnvironment.jersey().register(new RequestStatisticsFilter(TrafficSource.WEBSOCKET)); webSocketEnvironment.jersey().register(new RequestStatisticsFilter(TrafficSource.WEBSOCKET));
webSocketEnvironment.jersey().register(MultiRecipientMessageProvider.class); webSocketEnvironment.jersey().register(MultiRecipientMessageProvider.class);
webSocketEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET, clientReleaseManager)); webSocketEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET, clientReleaseManager));

16
service/src/main/java/org/whispersystems/textsecuregcm/limits/RateLimitByIpFilter.java
View File

@ -41,15 +41,9 @@ public class RateLimitByIpFilter implements ContainerRequestFilter {
private static final String NO_IP_COUNTER_NAME = MetricsUtil.name(RateLimitByIpFilter.class, "noIpAddress"); private static final String NO_IP_COUNTER_NAME = MetricsUtil.name(RateLimitByIpFilter.class, "noIpAddress");
private final RateLimiters rateLimiters; private final RateLimiters rateLimiters;
private final boolean softEnforcement;
public RateLimitByIpFilter(final RateLimiters rateLimiters, final boolean softEnforcement) {
this.rateLimiters = requireNonNull(rateLimiters);
this.softEnforcement = softEnforcement;
}
public RateLimitByIpFilter(final RateLimiters rateLimiters) { public RateLimitByIpFilter(final RateLimiters rateLimiters) {
this(rateLimiters, false); this.rateLimiters = requireNonNull(rateLimiters);
} }
@Override @Override
@ -87,9 +81,7 @@ public class RateLimitByIpFilter implements ContainerRequestFilter {
// checking if annotation is configured to fail when the most recent IP is not resolved // checking if annotation is configured to fail when the most recent IP is not resolved
if (annotation.failOnUnresolvedIp()) { if (annotation.failOnUnresolvedIp()) {
logger.error("Remote address was null"); logger.error("Remote address was null");
if (!softEnforcement) { throw INVALID_HEADER_EXCEPTION;
throw INVALID_HEADER_EXCEPTION;
}
} }
// otherwise, allow request // otherwise, allow request
return; return;
@ -99,9 +91,7 @@ public class RateLimitByIpFilter implements ContainerRequestFilter {
rateLimiter.validate(remoteAddress.get()); rateLimiter.validate(remoteAddress.get());
} catch (RateLimitExceededException e) { } catch (RateLimitExceededException e) {
final Response response = EXCEPTION_MAPPER.toResponse(e); final Response response = EXCEPTION_MAPPER.toResponse(e);
if (!softEnforcement) { throw new ClientErrorException(response);
throw new ClientErrorException(response);
}
} }
} }
} }