getsentry
diff --git a/‎Cargo.lock‎
Lines changed: 21 additions & 0 deletions b/‎Cargo.lock‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎objectstore-server/Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎objectstore-server/Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎objectstore-server/src/config.rs‎
Lines changed: 5 additions & 0 deletions b/‎objectstore-server/src/config.rs‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎objectstore-server/src/extractors/id.rs‎
Lines changed: 14 additions & 0 deletions b/‎objectstore-server/src/extractors/id.rs‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎objectstore-server/src/lib.rs‎
Lines changed: 1 addition & 0 deletions b/‎objectstore-server/src/lib.rs‎
Lines changed: 1 addition & 0 deletions
@@ -52,6 +52,7 @@ tower-http = { version = "0.6.6", default-features = false, features = [
 tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 uuid = { workspace = true, features = ["v7"] }
+papaya = "0.2.3"
 
 [dev-dependencies]
 nix = { version = "0.30.1", features = ["signal"] }
 
@@ -46,6 +46,7 @@ use serde::{Deserialize, Serialize};
 use tracing::level_filters::LevelFilter;
 
 use crate::killswitches::Killswitches;
+use crate::rate_limits::RateLimits;
 
 /// Environment variable prefix for all configuration options.
 const ENV_PREFIX: &str = "OS__";
@@ -870,6 +871,9 @@ pub struct Config {
 
     /// A list of matchers for requests to discard without processing.
     pub killswitches: Killswitches,
+
+    /// Definitions for rate limits to enforce on incoming requests.
+    pub rate_limits: RateLimits,
 }
 
 impl Default for Config {
@@ -890,6 +894,7 @@ impl Default for Config {
             metrics: Metrics::default(),
             auth: AuthZ::default(),
             killswitches: Killswitches::default(),
+            rate_limits: RateLimits::default(),
         }
     }
 }
 
@@ -15,6 +15,7 @@ use crate::state::ServiceState;
 pub enum ObjectRejection {
     Path(PathRejection),
     Killswitched,
+    RateLimited,
 }
 
 impl IntoResponse for ObjectRejection {
@@ -26,6 +27,11 @@ impl IntoResponse for ObjectRejection {
                 "Object access is disabled for this scope through killswitches",
             )
                 .into_response(),
+            ObjectRejection::RateLimited => (
+                axum::http::StatusCode::TOO_MANY_REQUESTS,
+                "Object access is rate limited",
+            )
+                .into_response(),
         }
     }
 }
@@ -53,6 +59,10 @@ impl FromRequestParts<ServiceState> for Xt<ObjectId> {
             return Err(ObjectRejection::Killswitched);
         }
 
+        if !state.rate_limiter.check(id.context()) {
+            return Err(ObjectRejection::RateLimited);
+        }
+
         Ok(Xt(id))
     }
 }
@@ -114,6 +124,10 @@ impl FromRequestParts<ServiceState> for Xt<ObjectContext> {
             return Err(ObjectRejection::Killswitched);
         }
 
+        if !state.rate_limiter.check(&context) {
+            return Err(ObjectRejection::RateLimited);
+        }
+
         Ok(Xt(context))
     }
 }
 
@@ -11,5 +11,6 @@ pub mod extractors;
 pub mod healthcheck;
 pub mod killswitches;
 pub mod observability;
+pub mod rate_limits;
 pub mod state;
 pub mod web;
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@ use serde::{Deserialize, Serialize};`
`46`	`46`	`use tracing::level_filters::LevelFilter;`
`47`	`47`
`48`	`48`	`use crate::killswitches::Killswitches;`
	`49`	`+use crate::rate_limits::RateLimits;`
`49`	`50`
`50`	`51`	`/// Environment variable prefix for all configuration options.`
`51`	`52`	`const ENV_PREFIX: &str = "OS__";`
`@@ -870,6 +871,9 @@ pub struct Config {`
`870`	`871`
`871`	`872`	`/// A list of matchers for requests to discard without processing.`
`872`	`873`	`pub killswitches: Killswitches,`
	`874`	`+`
	`875`	`+ /// Definitions for rate limits to enforce on incoming requests.`
	`876`	`+ pub rate_limits: RateLimits,`
`873`	`877`	`}`
`874`	`878`
`875`	`879`	`impl Default for Config {`
`@@ -890,6 +894,7 @@ impl Default for Config {`
`890`	`894`	`metrics: Metrics::default(),`
`891`	`895`	`auth: AuthZ::default(),`
`892`	`896`	`killswitches: Killswitches::default(),`
	`897`	`+ rate_limits: RateLimits::default(),`
`893`	`898`	`}`
`894`	`899`	`}`
`895`	`900`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@ use crate::state::ServiceState;`
`15`	`15`	`pub enum ObjectRejection {`
`16`	`16`	`Path(PathRejection),`
`17`	`17`	`Killswitched,`
	`18`	`+ RateLimited,`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`impl IntoResponse for ObjectRejection {`
`@@ -26,6 +27,11 @@ impl IntoResponse for ObjectRejection {`
`26`	`27`	`"Object access is disabled for this scope through killswitches",`
`27`	`28`	`)`
`28`	`29`	`.into_response(),`
	`30`	`+ ObjectRejection::RateLimited => (`
	`31`	`+ axum::http::StatusCode::TOO_MANY_REQUESTS,`
	`32`	`+ "Object access is rate limited",`
	`33`	`+ )`
	`34`	`+ .into_response(),`
`29`	`35`	`}`
`30`	`36`	`}`
`31`	`37`	`}`
`@@ -53,6 +59,10 @@ impl FromRequestParts<ServiceState> for Xt<ObjectId> {`
`53`	`59`	`return Err(ObjectRejection::Killswitched);`
`54`	`60`	`}`
`55`	`61`
	`62`	`+ if !state.rate_limiter.check(id.context()) {`
	`63`	`+ return Err(ObjectRejection::RateLimited);`
	`64`	`+ }`
	`65`	`+`
`56`	`66`	`Ok(Xt(id))`
`57`	`67`	`}`
`58`	`68`	`}`
`@@ -114,6 +124,10 @@ impl FromRequestParts<ServiceState> for Xt<ObjectContext> {`
`114`	`124`	`return Err(ObjectRejection::Killswitched);`
`115`	`125`	`}`
`116`	`126`
	`127`	`+ if !state.rate_limiter.check(&context) {`
	`128`	`+ return Err(ObjectRejection::RateLimited);`
	`129`	`+ }`
	`130`	`+`
`117`	`131`	`Ok(Xt(context))`
`118`	`132`	`}`
`119`	`133`	`}`