volga-rate-limiter 0.9.3

A lightweight and efficient rate-limiting library for Rust.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

//! Generic rate limiter abstractions and shared utilities.
//!
//! This module defines the core traits and building blocks used by
//! all rate limiting algorithms provided by this crate.
//!
//! The primary abstraction is [`RateLimiter`], which represents a
//! stateful, thread-safe rate limiting algorithm operating on a
//! partition key.
//!
//! ## Design principles
//!
//! - **Algorithm-agnostic interface** - higher-level frameworks can
//!   work with any rate limiting strategy through a common API.
//! - **Partition-based limiting** - each limiter operates on a `u64`
//!   partition key representing a logical client or request group.
//! - **Time abstraction** - all time-dependent logic is driven by a
//!   pluggable [`TimeSource`] to allow deterministic testing.
//!
//! ## Thread safety
//!
//! All implementations of [`RateLimiter`] provided by this crate are:
//!
//! - Safe to use concurrently
//! - Designed for high-contention scenarios
//! - Intended to be shared between threads and async tasks
//!
//! ## Scope
//!
//! This module does **not** define how partition keys are created or
//! how rate limiting is applied to HTTP requests.
//! Those concerns are intentionally left to higher-level layers.

use std::time::Instant;

pub use fixed_window::{FixedWindowRateLimiter, InMemoryFixedWindowStore};
pub use gcra::{GcraRateLimiter, InMemoryGcraStore};
pub use sliding_window::{InMemorySlidingWindowStore, SlidingWindowRateLimiter};
pub use token_bucket::{InMemoryTokenBucketStore, TokenBucketRateLimiter};

mod fixed_window;
mod gcra;
mod sliding_window;
mod store;
mod token_bucket;

pub use store::{
    FixedWindowParams, FixedWindowStore, GcraParams, GcraStore, SlidingWindowParams,
    SlidingWindowStore, TokenBucketParams, TokenBucketStore,
};

const MICROS_PER_SEC: u64 = 1_000_000;

/// A generic rate limiter interface.
///
/// A rate limiter tracks request counts per **partition key** and
/// determines whether new requests are allowed.
///
/// Implementations must:
///
/// - Be thread-safe
/// - Handle concurrent access correctly
/// - Execute the `check` operation efficiently, as it is typically
///   called on every incoming request
///
/// The meaning of the partition key is defined by the caller
/// (for example: IP address, user ID, tenant ID, or API key).
pub trait RateLimiter {
    /// Checks whether a request is allowed for the given partition key.
    ///
    /// # Parameters
    ///
    /// - `key`: A stable `u64` value identifying a logical client or
    ///   request group.
    ///
    /// # Returns
    ///
    /// - `true` if the request is allowed and should proceed
    /// - `false` if the rate limit has been exceeded
    ///
    /// # Notes
    ///
    /// - This method may mutate internal state.
    /// - It is expected to be called on the hot path and should be fast.
    fn check(&self, key: u64) -> bool;
}

/// A source of time used by rate-limiting algorithms.
///
/// This abstraction allows rate limiters to be decoupled from
/// the system clock, enabling deterministic and fast unit tests.
///
/// Time is expressed in **microseconds** and must be **monotonic**
/// (non-decreasing).
pub trait TimeSource: Send + Sync {
    /// Returns a monotonic timestamp in microseconds.
    fn now_micros(&self) -> u64;

    /// Returns the number of seconds elapsed since [`UNIX_EPOCH`](std::time::UNIX_EPOCH)
    /// (`1970-01-01 00:00:00 UTC`).
    ///
    /// Implementations must ensure that the returned value is:
    ///
    /// - Monotonic (non-decreasing)
    /// - Cheap to compute
    #[inline(always)]
    fn now_secs(&self) -> u64 {
        self.now_micros() / MICROS_PER_SEC
    }
}

/// Monotonic system time source backed by `Instant`.
///
/// Uses an internal start anchor and returns elapsed microseconds since that anchor.
/// This avoids wall-clock jumps (NTP, manual adjustments, etc.).
#[derive(Debug, Default, Clone, Copy)]
pub struct SystemTimeSource;

impl SystemTimeSource {
    #[inline]
    fn anchor() -> Instant {
        // `Instant::now()` is cheap and monotonic.
        // We want a stable anchor shared across calls.
        // Using `OnceLock` gives us a process-wide start point.
        static START: std::sync::OnceLock<Instant> = std::sync::OnceLock::new();
        *START.get_or_init(Instant::now)
    }
}

impl TimeSource for SystemTimeSource {
    #[inline]
    fn now_micros(&self) -> u64 {
        let elapsed = Self::anchor().elapsed();
        // Saturating conversion to be extra defensive (though practically safe).
        elapsed.as_micros().try_into().unwrap_or(u64::MAX)
    }
}

#[cfg(test)]
pub(super) mod test_utils {
    use super::{MICROS_PER_SEC, TimeSource};
    use std::sync::{Arc, Mutex};

    #[derive(Clone)]
    pub(super) struct MockTimeSource {
        current_time: Arc<Mutex<u64>>,
    }

    impl MockTimeSource {
        pub(super) fn new(initial_time: u64) -> Self {
            Self {
                current_time: Arc::new(Mutex::new(initial_time * MICROS_PER_SEC)),
            }
        }

        pub(super) fn advance(&self, seconds: u64) {
            let mut time = self.current_time.lock().unwrap();
            *time += seconds * MICROS_PER_SEC;
        }
    }

    impl TimeSource for MockTimeSource {
        fn now_micros(&self) -> u64 {
            *self.current_time.lock().unwrap()
        }
    }
}