Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ETCM-331] Add Rate Limit for rpc requests #806

Merged
merged 11 commits into from
Dec 1, 2020
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions src/main/resources/application.conf
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,19 @@ mantis {
# Domains allowed to query RPC endpoint. Use "*" to enable requests from
# any domain.
cors-allowed-origins = []

# Ip Limit tracking for JSON-RPC requests
# Limits the amount of request the same ip can perform in a given amount of time
ip-restriction {
biandratti marked this conversation as resolved.
Show resolved Hide resolved
# If enabled, restrictions are applied
enabled = false

# Time that should pass between requests
min-request-interval = 10.seconds

# Size of stored timestamps for requests made from each ip
latest-timestamp-cache-size = 1024
}
}

ipc {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,23 +2,34 @@ package io.iohk.ethereum.jsonrpc.server.http

import akka.actor.ActorSystem
import akka.http.scaladsl.Http
import akka.http.scaladsl.model.RemoteAddress
import ch.megard.akka.http.cors.scaladsl.model.HttpOriginMatcher
import com.twitter.util.LruMap
import io.iohk.ethereum.jsonrpc._
import io.iohk.ethereum.jsonrpc.server.controllers.JsonRpcBaseController
import io.iohk.ethereum.jsonrpc.server.http.JsonRpcHttpServer.JsonRpcHttpServerConfig
import io.iohk.ethereum.utils.Logger

import scala.concurrent.ExecutionContext.Implicits.global
import scala.concurrent.duration.FiniteDuration
import scala.util.{Failure, Success}

class BasicJsonRpcHttpServer(
class InsecureJsonRpcHttpServer(
ntallar marked this conversation as resolved.
Show resolved Hide resolved
val jsonRpcController: JsonRpcBaseController,
val jsonRpcHealthChecker: JsonRpcHealthChecker,
config: JsonRpcHttpServerConfig
)(implicit val actorSystem: ActorSystem)
extends JsonRpcHttpServer
with Logger {

override val ipTrackingEnabled: Boolean = config.ipTrackingEnabled
biandratti marked this conversation as resolved.
Show resolved Hide resolved

override val minRequestInterval: FiniteDuration = config.minRequestInterval

override val latestTimestampCacheSize: Int = config.latestTimestampCacheSize

override val latestRequestTimestamps = new LruMap[RemoteAddress, Long](latestTimestampCacheSize)

def run(): Unit = {
val bindingResultF = Http(actorSystem).newServerAt(config.interface, config.port).bind(route)

Expand Down
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package io.iohk.ethereum.jsonrpc.server.http

import java.security.SecureRandom
import java.time.Clock

import akka.actor.ActorSystem
import akka.http.scaladsl.model._
Expand All @@ -10,7 +11,9 @@ import ch.megard.akka.http.cors.javadsl.CorsRejection
import ch.megard.akka.http.cors.scaladsl.CorsDirectives._
import ch.megard.akka.http.cors.scaladsl.model.HttpOriginMatcher
import ch.megard.akka.http.cors.scaladsl.settings.CorsSettings
import com.twitter.util.LruMap
import de.heikoseeberger.akkahttpjson4s.Json4sSupport
import io.iohk.ethereum.faucet.jsonrpc.FaucetJsonRpcController
import io.iohk.ethereum.jsonrpc._
import io.iohk.ethereum.security.SSLError
import io.iohk.ethereum.jsonrpc.serialization.JsonSerializers
Expand All @@ -21,6 +24,8 @@ import monix.eval.Task
import monix.execution.Scheduler.Implicits.global
import org.json4s.{DefaultFormats, JInt, native}

import scala.concurrent.duration.{FiniteDuration, _}

trait JsonRpcHttpServer extends Json4sSupport {
val jsonRpcController: JsonRpcBaseController
val jsonRpcHealthChecker: JsonRpcHealthChecker
Expand All @@ -31,6 +36,16 @@ trait JsonRpcHttpServer extends Json4sSupport {

def corsAllowedOrigins: HttpOriginMatcher

val minRequestInterval: FiniteDuration
biandratti marked this conversation as resolved.
Show resolved Hide resolved

val latestTimestampCacheSize: Int

val latestRequestTimestamps: LruMap[RemoteAddress, Long]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this is included in the above comment by Maxi, but also this can be derived from the config here without having to override it on it's sons


val ipTrackingEnabled: Boolean

val clock: Clock = Clock.systemUTC()

val corsSettings = CorsSettings.defaultSettings
.withAllowGenericHttpRequests(true)
.withAllowedOrigins(corsAllowedOrigins)
Expand All @@ -50,14 +65,30 @@ trait JsonRpcHttpServer extends Json4sSupport {
(path("healthcheck") & pathEndOrSingleSlash & get) {
handleHealthcheck()
} ~ (pathEndOrSingleSlash & post) {
entity(as[JsonRpcRequest]) { request =>
handleRequest(request)
(extractClientIP & entity(as[JsonRpcRequest])) { (clientAddress, request) =>
handleRequest(clientAddress, request)
} ~ entity(as[Seq[JsonRpcRequest]]) { request =>
handleBatchRequest(request)
}
}
}

def handleRequest(clientAddress: RemoteAddress, request: JsonRpcRequest): StandardRoute = {
if (ipTrackingEnabled && request.method != FaucetJsonRpcController.Status) {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are we only disabling this for the faucet status? Maybe it's because it's used as the healthcheck? I though the healthcheck was something separately

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a FIXME for this, the faucet Status should somehow work as a healthcheck so I left it out of the rate limiting in case it's being used by some of our services. Eventually it should be part of the healthcheck or be handled more elegantly

handleRestrictedRequest(clientAddress, request)
} else complete(jsonRpcController.handleRequest(request).runToFuture)
}

def handleRestrictedRequest(clientAddress: RemoteAddress, request: JsonRpcRequest): StandardRoute = {
val timeMillis = clock.instant().toEpochMilli
biandratti marked this conversation as resolved.
Show resolved Hide resolved
val latestRequestTimestamp = latestRequestTimestamps.getOrElse(clientAddress, 0L)

if (latestRequestTimestamp + minRequestInterval.toMillis < timeMillis) {
latestRequestTimestamps.put(clientAddress, timeMillis)
complete(jsonRpcController.handleRequest(request).runToFuture)
} else complete(StatusCodes.TooManyRequests)
}

/**
* Try to start JSON RPC server
*/
Expand Down Expand Up @@ -86,11 +117,13 @@ trait JsonRpcHttpServer extends Json4sSupport {
}

private def handleBatchRequest(requests: Seq[JsonRpcRequest]) = {
complete {
Task
.traverse(requests)(request => jsonRpcController.handleRequest(request))
.runToFuture
}
if (!ipTrackingEnabled) {
complete {
Task
.traverse(requests)(request => jsonRpcController.handleRequest(request))
.runToFuture
}
} else complete(StatusCodes.MethodNotAllowed)
}
}

Expand All @@ -104,10 +137,10 @@ object JsonRpcHttpServer extends Logger {
fSslContext: () => Either[SSLError, SSLContext]
)(implicit actorSystem: ActorSystem): Either[String, JsonRpcHttpServer] =
config.mode match {
case "http" => Right(new BasicJsonRpcHttpServer(jsonRpcController, jsonRpcHealthchecker, config)(actorSystem))
case "http" => Right(new InsecureJsonRpcHttpServer(jsonRpcController, jsonRpcHealthchecker, config)(actorSystem))
case "https" =>
Right(
new JsonRpcHttpsServer(jsonRpcController, jsonRpcHealthchecker, config, secureRandom, fSslContext)(
new SecureJsonRpcHttpServer(jsonRpcController, jsonRpcHealthchecker, config, secureRandom, fSslContext)(
actorSystem
)
)
Expand All @@ -120,6 +153,9 @@ object JsonRpcHttpServer extends Logger {
val interface: String
val port: Int
val corsAllowedOrigins: HttpOriginMatcher
val ipTrackingEnabled: Boolean
val minRequestInterval: FiniteDuration
val latestTimestampCacheSize: Int
}

object JsonRpcHttpServerConfig {
Expand All @@ -135,6 +171,13 @@ object JsonRpcHttpServer extends Logger {
override val port: Int = rpcHttpConfig.getInt("port")

override val corsAllowedOrigins = ConfigUtils.parseCorsAllowedOrigins(rpcHttpConfig, "cors-allowed-origins")

private val ipTrackingConfig = rpcHttpConfig.getConfig("ip-restriction")
biandratti marked this conversation as resolved.
Show resolved Hide resolved

override val ipTrackingEnabled: Boolean = ipTrackingConfig.getBoolean("enabled")
override val minRequestInterval: FiniteDuration =
ipTrackingConfig.getDuration("min-request-interval").toMillis.millis
override val latestTimestampCacheSize: Int = ipTrackingConfig.getInt("latest-timestamp-cache-size")
}
}
}
Expand Down
Original file line number Diff line number Diff line change
@@ -1,21 +1,24 @@
package io.iohk.ethereum.jsonrpc.server.http

import java.security.SecureRandom

import akka.actor.ActorSystem
import akka.http.scaladsl.{ConnectionContext, Http}
import ch.megard.akka.http.cors.scaladsl.model.HttpOriginMatcher
import io.iohk.ethereum.jsonrpc.JsonRpcHealthChecker
import io.iohk.ethereum.security.SSLError
import io.iohk.ethereum.jsonrpc.server.controllers.JsonRpcBaseController
import io.iohk.ethereum.jsonrpc.server.http.JsonRpcHttpServer.JsonRpcHttpServerConfig
import java.security.SecureRandom

import akka.http.scaladsl.model.RemoteAddress
import com.twitter.util.LruMap
import io.iohk.ethereum.jsonrpc.server.controllers.JsonRpcBaseController
import scala.concurrent.duration.FiniteDuration
import io.iohk.ethereum.utils.Logger
import javax.net.ssl.SSLContext

import scala.concurrent.ExecutionContext.Implicits.global
import scala.util.{Failure, Success}

class JsonRpcHttpsServer(
class SecureJsonRpcHttpServer(
val jsonRpcController: JsonRpcBaseController,
val jsonRpcHealthChecker: JsonRpcHealthChecker,
config: JsonRpcHttpServerConfig,
Expand All @@ -25,6 +28,14 @@ class JsonRpcHttpsServer(
extends JsonRpcHttpServer
with Logger {

override val ipTrackingEnabled: Boolean = config.ipTrackingEnabled
biandratti marked this conversation as resolved.
Show resolved Hide resolved

override val minRequestInterval: FiniteDuration = config.minRequestInterval

override val latestTimestampCacheSize: Int = config.latestTimestampCacheSize

override val latestRequestTimestamps = new LruMap[RemoteAddress, Long](latestTimestampCacheSize)

def run(): Unit = {
val maybeHttpsContext = getSSLContext().map(sslContext => ConnectionContext.httpsServer(sslContext))

Expand Down
Loading