volli-manager 0.1.12

Manager for volli
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

use lru::LruCache;
use std::{collections::VecDeque, net::IpAddr, num::NonZeroUsize};
use tokio::time::{Duration, Instant};

pub struct RateLimiter {
    entries: LruCache<IpAddr, VecDeque<Instant>>,
    max: usize,
    interval: Duration,
}

impl RateLimiter {
    pub fn new(max: usize, interval: Duration) -> Self {
        Self {
            entries: LruCache::new(NonZeroUsize::new(1024).unwrap()),
            max,
            interval,
        }
    }

    pub fn check(&mut self, ip: IpAddr) -> bool {
        if self.max == 0 {
            return true;
        }
        let now = Instant::now();
        let deque = self.entries.get_or_insert_mut(ip, VecDeque::new);
        while let Some(&ts) = deque.front() {
            if now.duration_since(ts) > self.interval {
                deque.pop_front();
            } else {
                break;
            }
        }
        if deque.len() >= self.max {
            return false;
        }
        deque.push_back(now);
        true
    }
}

#[derive(Clone, Copy)]
struct BackoffEntry {
    failures: u32,
    next_allowed: Instant,
}

pub struct AuthBackoff {
    entries: LruCache<IpAddr, BackoffEntry>,
    base_delay: Duration,
    max_delay: Duration,
}

impl AuthBackoff {
    pub fn new(base_delay: Duration, max_delay: Duration) -> Self {
        Self {
            entries: LruCache::new(NonZeroUsize::new(1024).unwrap()),
            base_delay,
            max_delay,
        }
    }

    pub fn allow(&mut self, ip: IpAddr) -> bool {
        match self.entries.get(&ip) {
            Some(entry) => Instant::now() >= entry.next_allowed,
            None => true,
        }
    }

    pub fn record_failure(&mut self, ip: IpAddr) -> Duration {
        let now = Instant::now();
        let failures = self
            .entries
            .get(&ip)
            .map(|e| e.failures.saturating_add(1))
            .unwrap_or(1);
        let exp = failures.saturating_sub(1).min(6);
        let delay = self
            .base_delay
            .checked_mul(1u32 << exp)
            .unwrap_or(self.max_delay)
            .min(self.max_delay);
        self.entries.put(
            ip,
            BackoffEntry {
                failures,
                next_allowed: now + delay,
            },
        );
        delay
    }

    pub fn record_success(&mut self, ip: IpAddr) {
        self.entries.pop(&ip);
    }
}

#[cfg(test)]
mod tests {
    use super::{AuthBackoff, RateLimiter};
    use std::net::IpAddr;
    use std::str::FromStr;
    use tokio::time::Duration;

    #[tokio::test(flavor = "current_thread")]
    async fn rate_limiter_blocks_over_limit() {
        let mut limiter = RateLimiter::new(2, Duration::from_millis(50));
        let ip = IpAddr::from_str("127.0.0.1").unwrap();
        assert!(limiter.check(ip));
        assert!(limiter.check(ip));
        assert!(!limiter.check(ip));
    }

    #[tokio::test(flavor = "current_thread")]
    async fn auth_backoff_recovers_after_delay() {
        let mut backoff = AuthBackoff::new(Duration::from_millis(5), Duration::from_millis(20));
        let ip = IpAddr::from_str("127.0.0.1").unwrap();
        assert!(backoff.allow(ip));
        backoff.record_failure(ip);
        assert!(!backoff.allow(ip));
        tokio::time::sleep(Duration::from_millis(6)).await;
        assert!(backoff.allow(ip));
    }

    #[tokio::test(flavor = "current_thread")]
    async fn auth_backoff_clears_on_success() {
        let mut backoff = AuthBackoff::new(Duration::from_millis(5), Duration::from_millis(20));
        let ip = IpAddr::from_str("127.0.0.1").unwrap();
        backoff.record_failure(ip);
        assert!(!backoff.allow(ip));
        backoff.record_success(ip);
        assert!(backoff.allow(ip));
    }
}