ratelimits: Supporting additions for admin tooling (#8279)

- Export `ValidateLimit()` for use in the admin tool.
- Add utility functions `DumpOverrides()` and
`LoadOverridesByBucketKey()` to dump/load overrides to/from a YAML file.
- Export `Limit` and several of its fields to support calls to
`LoadOverridesByBucketKey()` and `ValidateLimit()`, and to return
results from `DumpOverrides()`.
- Add `BuildBucketKey()`, which builds and validates bucket keys based
on the limit name and provided components.
- Also add a `MarshalYAML()` method to `config.Duration`.

Part of #8165

Author: beautifulentropy

config/duration.go

@@ -67,3 +67,8 @@ func (d *Duration) UnmarshalYAML(unmarshal func(interface{}) error) error {
 	d.Duration = dur
 	return nil
 }
+
+// MarshalYAML returns the string form of the duration, as a string.
+func (d Duration) MarshalYAML() (any, error) {
+	return d.Duration.String(), nil
+}

identifier/identifier.go

@@ -122,6 +122,24 @@ func NewIP(ip netip.Addr) ACMEIdentifier {
 	}
 }
 
+// FromString converts a string to an ACMEIdentifier.
+func FromString(identStr string) ACMEIdentifier {
+	ip, err := netip.ParseAddr(identStr)
+	if err == nil {
+		return NewIP(ip)
+	}
+	return NewDNS(identStr)
+}
+
+// FromStringSlice converts a slice of strings to a slice of ACMEIdentifier.
+func FromStringSlice(identStrs []string) ACMEIdentifiers {
+	var idents ACMEIdentifiers
+	for _, identStr := range identStrs {
+		idents = append(idents, FromString(identStr))
+	}
+	return idents
+}
+
 // fromX509 extracts the Subject Alternative Names from a certificate or CSR's fields, and
 // returns a slice of ACMEIdentifiers.
 func fromX509(commonName string, dnsNames []string, ipAddresses []net.IP) ACMEIdentifiers {

ratelimits/gcra.go

@@ -10,7 +10,7 @@ import (
 // returns a Decision struct with the result of the decision and the updated
 // TAT. The cost must be 0 or greater and <= the burst capacity of the limit.
 func maybeSpend(clk clock.Clock, txn Transaction, tat time.Time) *Decision {
-	if txn.cost < 0 || txn.cost > txn.limit.burst {
+	if txn.cost < 0 || txn.cost > txn.limit.Burst {
 		// The condition above is the union of the conditions checked in Check
 		// and Spend methods of Limiter. If this panic is reached, it means that
 		// the caller has introduced a bug.
@@ -67,7 +67,7 @@ func maybeSpend(clk clock.Clock, txn Transaction, tat time.Time) *Decision {
 // or greater. A cost will only be refunded up to the burst capacity of the
 // limit. A partial refund is still considered successful.
 func maybeRefund(clk clock.Clock, txn Transaction, tat time.Time) *Decision {
-	if txn.cost < 0 || txn.cost > txn.limit.burst {
+	if txn.cost < 0 || txn.cost > txn.limit.Burst {
 		// The condition above is checked in the Refund method of Limiter. If
 		// this panic is reached, it means that the caller has introduced a bug.
 		panic("invalid cost for maybeRefund")
@@ -80,7 +80,7 @@ func maybeRefund(clk clock.Clock, txn Transaction, tat time.Time) *Decision {
 		// The TAT is in the past, therefore the bucket is full.
 		return &Decision{
 			allowed:     false,
-			remaining:   txn.limit.burst,
+			remaining:   txn.limit.Burst,
 			retryIn:     time.Duration(0),
 			resetIn:     time.Duration(0),
 			newTAT:      tat,

ratelimits/gcra_test.go

@@ -12,7 +12,7 @@ import (
 
 func TestDecide(t *testing.T) {
 	clk := clock.NewFake()
-	limit := &limit{burst: 10, count: 1, period: config.Duration{Duration: time.Second}}
+	limit := &Limit{Burst: 10, Count: 1, Period: config.Duration{Duration: time.Second}}
 	limit.precompute()
 
 	// Begin by using 1 of our 10 requests.
@@ -139,7 +139,7 @@ func TestDecide(t *testing.T) {
 
 func TestMaybeRefund(t *testing.T) {
 	clk := clock.NewFake()
-	limit := &limit{burst: 10, count: 1, period: config.Duration{Duration: time.Second}}
+	limit := &Limit{Burst: 10, Count: 1, Period: config.Duration{Duration: time.Second}}
 	limit.precompute()
 
 	// Begin by using 1 of our 10 requests.