nodedb 0.3.0

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278

// SPDX-License-Identifier: BUSL-1.1

//! Per-tenant WASM quota enforcement.
//!
//! Separates the enforcement lifecycle into two steps that bracket execution:
//!
//! 1. [`WasmQuotaEnforcer::check`] — pre-flight before WASM runs. Rejects if the
//!    tenant has hit their invocation count limit.
//! 2. [`WasmQuotaEnforcer::record`] — post-execution after wasmtime returns. Records
//!    actual fuel consumed and rejects if the cumulative fuel quota is exceeded.
//!
//! Per-invocation fuel limits (hard execution caps) are handled separately by
//! wasmtime's fuel metering in [`super::fuel`]. This enforcer tracks accumulated
//! usage across invocations for tenant-level quota enforcement.

use std::collections::HashMap;
use std::sync::Mutex;

/// Quota limits applied per tenant.
///
/// `None` means unlimited for that dimension.
#[derive(Debug, Clone, Default)]
pub struct QuotaLimits {
    /// Maximum total invocations (across all functions, all time). `None` = unlimited.
    pub max_invocations: Option<u64>,
    /// Maximum total fuel consumed (across all functions, all time). `None` = unlimited.
    pub max_fuel: Option<u64>,
}

/// Per-function usage counters.
#[derive(Debug, Clone, Default)]
pub struct FunctionUsage {
    /// Total committed invocations.
    pub invocations: u64,
    /// Total fuel consumed across all committed invocations.
    pub fuel_consumed: u64,
}

/// Per-tenant WASM quota enforcer.
///
/// Thread-safe. Shared across all DataFusion UDF invocations on the Control Plane.
pub struct WasmQuotaEnforcer {
    /// (tenant_id, function_name) → accumulated usage.
    usage: Mutex<HashMap<(u64, String), FunctionUsage>>,
    /// Default limits when no per-tenant override is set.
    default_limits: QuotaLimits,
    /// Per-tenant limit overrides (set via admin DDL or config).
    tenant_limits: Mutex<HashMap<u64, QuotaLimits>>,
}

impl WasmQuotaEnforcer {
    pub fn new(default_limits: QuotaLimits) -> Self {
        Self {
            usage: Mutex::new(HashMap::new()),
            default_limits,
            tenant_limits: Mutex::new(HashMap::new()),
        }
    }

    /// Override the quota limits for a specific tenant.
    pub fn set_tenant_limits(&self, tenant_id: u64, limits: QuotaLimits) {
        self.tenant_limits
            .lock()
            .unwrap_or_else(|p| p.into_inner())
            .insert(tenant_id, limits);
    }

    /// Pre-flight check — call this **before** executing WASM.
    ///
    /// Rejects if the tenant has reached their maximum invocation count.
    /// Does not modify any counters.
    pub fn check(&self, tenant_id: u64, function_name: &str) -> crate::Result<()> {
        let limits = self.limits_for(tenant_id);
        let Some(max_inv) = limits.max_invocations else {
            return Ok(());
        };

        let map = self.usage.lock().unwrap_or_else(|p| p.into_inner());
        let current = map
            .get(&(tenant_id, function_name.to_string()))
            .map(|u| u.invocations)
            .unwrap_or(0);

        if current >= max_inv {
            return Err(crate::Error::ExecutionLimitExceeded {
                detail: format!(
                    "WASM UDF '{function_name}' invocation quota ({max_inv}) exceeded for tenant {tenant_id}"
                ),
            });
        }
        Ok(())
    }

    /// Post-execution recording — call this **after** WASM returns successfully.
    ///
    /// Records the invocation and fuel consumed. Rejects if the cumulative fuel
    /// quota is exceeded, returning an error that the caller should surface to
    /// the client (the invocation already happened but will not be billed again).
    pub fn record(
        &self,
        tenant_id: u64,
        function_name: &str,
        fuel_consumed: u64,
    ) -> crate::Result<()> {
        let limits = self.limits_for(tenant_id);

        let mut map = self.usage.lock().unwrap_or_else(|p| p.into_inner());
        let entry = map
            .entry((tenant_id, function_name.to_string()))
            .or_default();

        if let Some(max_fuel) = limits.max_fuel {
            let new_total = entry.fuel_consumed.saturating_add(fuel_consumed);
            if new_total > max_fuel {
                return Err(crate::Error::ExecutionLimitExceeded {
                    detail: format!(
                        "WASM UDF '{function_name}' fuel quota ({max_fuel}) exceeded for tenant {tenant_id}"
                    ),
                });
            }
        }

        entry.invocations += 1;
        entry.fuel_consumed += fuel_consumed;
        Ok(())
    }

    /// Get usage for a specific (tenant, function) pair.
    pub fn get_usage(&self, tenant_id: u64, function_name: &str) -> FunctionUsage {
        let map = self.usage.lock().unwrap_or_else(|p| p.into_inner());
        map.get(&(tenant_id, function_name.to_string()))
            .cloned()
            .unwrap_or_default()
    }

    /// Get all usage entries for a tenant.
    pub fn get_tenant_usage(&self, tenant_id: u64) -> Vec<(String, FunctionUsage)> {
        let map = self.usage.lock().unwrap_or_else(|p| p.into_inner());
        map.iter()
            .filter(|((tid, _), _)| *tid == tenant_id)
            .map(|((_, name), usage)| (name.clone(), usage.clone()))
            .collect()
    }

    /// Reset all usage counters (for periodic window reset or testing).
    pub fn clear(&self) {
        self.usage.lock().unwrap_or_else(|p| p.into_inner()).clear();
    }

    fn limits_for(&self, tenant_id: u64) -> QuotaLimits {
        self.tenant_limits
            .lock()
            .unwrap_or_else(|p| p.into_inner())
            .get(&tenant_id)
            .cloned()
            .unwrap_or_else(|| self.default_limits.clone())
    }
}

impl Default for WasmQuotaEnforcer {
    fn default() -> Self {
        Self::new(QuotaLimits::default())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    fn unlimited() -> WasmQuotaEnforcer {
        WasmQuotaEnforcer::default()
    }

    fn with_limits(max_inv: Option<u64>, max_fuel: Option<u64>) -> WasmQuotaEnforcer {
        WasmQuotaEnforcer::new(QuotaLimits {
            max_invocations: max_inv,
            max_fuel,
        })
    }

    #[test]
    fn unlimited_always_passes() {
        let e = unlimited();
        assert!(e.check(1, "add").is_ok());
        assert!(e.record(1, "add", 1_000_000).is_ok());
        assert!(e.check(1, "add").is_ok());
    }

    #[test]
    fn invocation_quota_enforced_on_check() {
        let e = with_limits(Some(2), None);
        e.record(1, "f", 100).unwrap();
        e.record(1, "f", 100).unwrap();
        // Two invocations recorded — next check must reject.
        assert!(e.check(1, "f").is_err());
    }

    #[test]
    fn fuel_quota_enforced_on_record() {
        let e = with_limits(None, Some(500));
        e.record(1, "f", 300).unwrap();
        // 300 + 300 = 600 > 500 → reject.
        assert!(e.record(1, "f", 300).is_err());
    }

    #[test]
    fn fuel_within_limit_passes() {
        let e = with_limits(None, Some(1000));
        assert!(e.record(1, "f", 400).is_ok());
        assert!(e.record(1, "f", 400).is_ok());
        // 800 total, still under 1000.
        assert!(e.check(1, "f").is_ok());
    }

    #[test]
    fn tenant_isolation() {
        let e = with_limits(Some(1), None);
        e.record(1, "f", 100).unwrap();
        // Tenant 1 is at quota, tenant 2 is unaffected.
        assert!(e.check(1, "f").is_err());
        assert!(e.check(2, "f").is_ok());
    }

    #[test]
    fn per_tenant_override() {
        let e = with_limits(Some(1), None);
        e.set_tenant_limits(
            42,
            QuotaLimits {
                max_invocations: Some(100),
                max_fuel: None,
            },
        );
        // Tenant 42 has a higher limit.
        for _ in 0..50 {
            e.record(42, "f", 0).unwrap();
        }
        assert!(e.check(42, "f").is_ok());
    }

    #[test]
    fn usage_query_correct() {
        let e = unlimited();
        e.record(1, "add", 500).unwrap();
        e.record(1, "add", 300).unwrap();
        e.record(1, "mul", 100).unwrap();

        let add = e.get_usage(1, "add");
        assert_eq!(add.invocations, 2);
        assert_eq!(add.fuel_consumed, 800);

        let mul = e.get_usage(1, "mul");
        assert_eq!(mul.invocations, 1);
        assert_eq!(mul.fuel_consumed, 100);
    }

    #[test]
    fn tenant_usage_list() {
        let e = unlimited();
        e.record(1, "a", 10).unwrap();
        e.record(1, "b", 20).unwrap();
        e.record(2, "c", 30).unwrap();

        let t1 = e.get_tenant_usage(1);
        assert_eq!(t1.len(), 2);
        let t2 = e.get_tenant_usage(2);
        assert_eq!(t2.len(), 1);
    }

    #[test]
    fn clear_resets_counters() {
        let e = with_limits(Some(1), None);
        e.record(1, "f", 100).unwrap();
        assert!(e.check(1, "f").is_err());
        e.clear();
        assert!(e.check(1, "f").is_ok());
    }
}