AC-1271: Add rate limiting for payment information endpoint and mutation

Author: arhiopterecs

app/code/Magento/Webapi/Controller/Rest/RequestValidator.php

@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 
 namespace Magento\Webapi\Controller\Rest;
 
@@ -15,9 +16,10 @@
 use Magento\Store\Model\StoreManagerInterface;
 use Magento\Framework\Webapi\Backpressure\BackpressureContextFactory;
 use Magento\Framework\Webapi\Exception as WebapiException;
+use Magento\Webapi\Controller\Rest\Router\Route;
 
 /**
- * This class is responsible for validating the request
+ * Validates a request
  */
 class RequestValidator
 {
@@ -52,8 +54,6 @@ class RequestValidator
     private BackpressureEnforcerInterface $backpressureEnforcer;
 
     /**
-     * Initialize dependencies
-     *
      * @param RestRequest $request
      * @param Router $router
      * @param StoreManagerInterface $storeManager
@@ -80,20 +80,62 @@ public function __construct(
     }
 
     /**
-     * Validate request
+     * Validates the request
      *
      * @throws AuthorizationException
      * @throws WebapiException
      * @return void
      */
     public function validate()
     {
-        $this->checkPermissions();
         $route = $this->router->match($this->request);
+        $this->checkPermissions($route);
+        $this->onlyHttps($route);
+        $this->checkBackpressure($route);
+    }
+
+    /**
+     * Perform authentication and authorization
+     *
+     * @param Route $route
+     * @return void
+     * @throws AuthorizationException
+     */
+    private function checkPermissions(Route $route)
+    {
+        if ($this->authorization->isAllowed($route->getAclResources())) {
+            return;
+        }
+
+        throw new AuthorizationException(
+            __(
+                "The consumer isn't authorized to access %resources.",
+                ['resources' => implode(', ', $route->getAclResources())]
+            )
+        );
+    }
+
+    /**
+     * Checks if operation allowed only in HTTPS
+     *
+     * @param Route $route
+     * @throws WebapiException
+     */
+    private function onlyHttps(Route $route)
+    {
         if ($route->isSecure() && !$this->request->isSecure()) {
             throw new WebapiException(__('Operation allowed only in HTTPS'));
         }
+    }
 
+    /**
+     * Checks backpressure
+     *
+     * @param Route $route
+     * @throws WebapiException
+     */
+    private function checkBackpressure(Route $route)
+    {
         $context = $this->backpressureContextFactory->create(
             $route->getServiceClass(),
             $route->getServiceMethod(),
@@ -107,21 +149,4 @@ public function validate()
             }
         }
     }
-
-    /**
-     * Perform authentication and authorization.
-     *
-     * @throws \Magento\Framework\Exception\AuthorizationException
-     * @return void
-     */
-    private function checkPermissions()
-    {
-        $route = $this->router->match($this->request);
-        if (!$this->authorization->isAllowed($route->getAclResources())) {
-            $params = ['resources' => implode(', ', $route->getAclResources())];
-            throw new AuthorizationException(
-                __("The consumer isn't authorized to access %resources.", $params)
-            );
-        }
-    }
 }

app/code/Magento/Webapi/Controller/Soap/Request/Handler.php

@@ -30,9 +30,9 @@
 use Magento\Webapi\Model\ServiceMetadata;
 
 /**
- * Handler of requests to SOAP server.
+ * Handler of requests to SOAP server
  *
- * The main responsibility is to instantiate proper action controller (service) and execute requested method on it.
+ * The main responsibility is to instantiate proper action controller (service) and execute requested method on it
  *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
@@ -101,8 +101,6 @@ class Handler
     private $inputArraySizeLimitValue;
 
     /**
-     * Initialize dependencies.
-     *
      * @param WebapiRequest $request
      * @param ObjectManagerInterface $objectManager
      * @param SoapConfig $apiConfig
@@ -149,7 +147,7 @@ public function __construct(
     }
 
     /**
-     * Handler for all SOAP operations.
+     * Handler for all SOAP operations
      *
      * @param string $operation
      * @param array $arguments
@@ -173,18 +171,7 @@ public function __call($operation, $arguments)
         }
 
         //Backpressure enforcement
-        $context = $this->backpressureContextFactory->create(
-            $serviceMethodInfo['class'],
-            $serviceMethodInfo['method'],
-            $operation
-        );
-        if ($context) {
-            try {
-                $this->backpressureEnforcer->enforce($context);
-            } catch (BackpressureExceededException $exception) {
-                throw new WebapiException(__('Something went wrong, please try again later'));
-            }
-        }
+        $this->backpressureEnforcement($serviceMethodInfo['class'], $serviceMethodInfo['method'], $operation);
 
         if (!$this->authorization->isAllowed($serviceMethodInfo[ServiceMetadata::KEY_ACL_RESOURCES])) {
             throw new AuthorizationException(
@@ -296,4 +283,24 @@ protected function _prepareResponseData($data, $serviceClassName, $serviceMethod
         }
         return [self::RESULT_NODE_NAME => $result];
     }
+
+    /**
+     * Backpressure enforcement
+     *
+     * @param string $class
+     * @param string $method
+     * @param string $operation
+     * @throws WebapiException
+     */
+    private function backpressureEnforcement(string $class, string $method, string $operation)
+    {
+        $context = $this->backpressureContextFactory->create($class, $method, $operation);
+        if ($context) {
+            try {
+                $this->backpressureEnforcer->enforce($context);
+            } catch (BackpressureExceededException $exception) {
+                throw new WebapiException(__('Something went wrong, please try again later'));
+            }
+        }
+    }
 }

app/code/Magento/Webapi/i18n/en_US.csv

@@ -22,3 +22,4 @@ Message,Message
 "If empty, UTF-8 will be used.","If empty, UTF-8 will be used."
 "Web Services Configuration","Web Services Configuration"
 "REST and SOAP configurations, generated WSDL file","REST and SOAP configurations, generated WSDL file"
+"Something went wrong, please try again later","Something went wrong, please try again later"