Skip to content

CLDSRV-759: bucketGetRateLimit #5997

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 6 commits into
base: improvement/CLDSRV-766/bucket_rate_limiting
Choose a base branch
from
Open

CLDSRV-759: bucketGetRateLimit #5997

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
c353bab
impr(CLDSRV-759): Bump arsenal to branch
tmacro Nov 12, 2025
de2ed07
impr(CLDSRV-759): Adapt handler code to arsenal changes
tmacro Nov 12, 2025
074e87e
impr(CLDSRV-759): Add $RATE_LIMIT_SERVICE_USER_ARN to docker-entrypoi…
tmacro Nov 12, 2025
94e3fae
impr(CLDSRV-759): Setup rate limit config in CI
tmacro Nov 12, 2025
422cd7b
impr(CLDSRV-759): Add rate limit test tooling
tmacro Nov 12, 2025
c6dc6d9
impr(CLDSRV-759): Add tests for bucketGetRateLimit
tmacro Nov 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions tests/functional/aws-node-sdk/test/bucket/getBucketRateLimit.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
const AWS = require('aws-sdk');
const S3 = AWS.S3;
const assert = require('assert');
const getConfig = require('../support/config');
const { sendRateLimitRequest, skipIfRateLimitDisabled } = require('../rateLimit/tooling');

const bucket = 'getratelimitestbucket';
const rateLimitConfig = { RequestsPerSecond: 100 };

skipIfRateLimitDisabled('Test get bucket rate limit', () => {
let s3;

before(() => {
const config = getConfig('lisa', { signatureVersion: 'v4' });
s3 = new S3(config);
AWS.config.update(config);
});

beforeEach(done => s3.createBucket({ Bucket: bucket }, done));

afterEach(done => s3.deleteBucket({ Bucket: bucket }, done));

it('should return the rate limit config', async () => {
try {
// First set the rate limit config
await sendRateLimitRequest('PUT', '127.0.0.1:8000',
`/${bucket}/?rate-limit`, JSON.stringify(rateLimitConfig));

// Then get it
const data = await sendRateLimitRequest('GET', '127.0.0.1:8000',
`/${bucket}/?rate-limit`);
assert.strictEqual(data.RequestsPerSecond.Limit, 100);
} catch (err) {
assert.ifError(err);
}
});

it('should return NoSuchRateLimitConfig error when config does not exist', async () => {
try {
await sendRateLimitRequest('GET', '127.0.0.1:8000', `/${bucket}/?rate-limit`);
assert.fail('Expected NoSuchRateLimitConfig error');
} catch (err) {
assert.strictEqual(err.Error.Code[0], 'NoSuchRateLimitConfig');
}
});

it('should return NoSuchBucket error when bucket does not exist', async () => {
try {
await sendRateLimitRequest('GET', '127.0.0.1:8000', '/nonexistentbucket/?rate-limit');
} catch (err) {
Copy link
Contributor

@jonathan-gramain jonathan-gramain Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add an assert.fail here too like in the above test

assert.strictEqual(err.Error.Code[0], 'NoSuchBucket');
}
});

it('should return AccessDenied error for non-service user', async () => {
// This test would require making a request with regular user credentials
// For now, we'll skip this as it requires additional setup
// In a real scenario, you'd use regular user credentials here
});
});
146 changes: 146 additions & 0 deletions tests/unit/api/bucketGetRateLimit.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,146 @@
const assert = require('assert');
const sinon = require('sinon');
const { bucketPut } = require('../../../lib/api/bucketPut');
const { cleanup, DummyRequestLogger, makeAuthInfo } = require('../helpers');
const bucketGetRateLimit = require('../../../lib/api/bucketGetRateLimit');
const bucketPutRateLimit = require('../../../lib/api/bucketPutRateLimit');
const { config } = require('../../../lib/Config');
const AuthInfo = require('arsenal').auth.AuthInfo;

const log = new DummyRequestLogger();
const bucketName = 'bucketname';
const serviceUserArn = 'arn:aws:iam::123456789012:user/rate-limit-service';

// Create a rate limit service user authInfo
function makeRateLimitServiceUserAuthInfo() {
return new AuthInfo({
canonicalID: '79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be',
shortid: '123456789012',
email: '[email protected]',
accountDisplayName: 'rateLimitServiceDisplayName',
arn: serviceUserArn,
});
}

const rateLimitServiceAuthInfo = makeRateLimitServiceUserAuthInfo();
const regularAuthInfo = makeAuthInfo('accessKey1');

const bucketPutReq = {
bucketName,
headers: {
host: `${bucketName}.s3.amazonaws.com`,
},
url: '/',
actionImplicitDenies: false,
};

function getRateLimitConfigRequest(bucketName) {
return {
bucketName,
headers: {
host: `${bucketName}.s3.amazonaws.com`,
},
url: '/?rate-limit',
method: 'GET',
actionImplicitDenies: false,
};
}

function getRateLimitPutRequest(bucketName, configJson) {
return {
bucketName,
headers: {
host: `${bucketName}.s3.amazonaws.com`,
},
url: '/?rate-limit',
method: 'PUT',
post: JSON.stringify(configJson),
actionImplicitDenies: false,
};
}

describe('bucketGetRateLimit API', () => {
let sandbox;

beforeEach(() => {
sandbox = sinon.createSandbox();
sandbox.stub(config, 'rateLimiting').value({
serviceUserArn,
});
});

afterEach(() => {
sandbox.restore();
cleanup();
});

it('should return AccessDenied error if user is not a rate limit service user', done => {
bucketPut(regularAuthInfo, bucketPutReq, log, err => {
assert.ifError(err);
const rateLimitRequest = getRateLimitConfigRequest(bucketName);
bucketGetRateLimit(regularAuthInfo, rateLimitRequest, log, err => {
assert.strictEqual(err.is.AccessDenied, true);
done();
});
});
});

it('should return NoSuchRateLimitConfig error if bucket exists but ' +
'rate limit config is not set', done => {
bucketPut(regularAuthInfo, bucketPutReq, log, err => {
assert.ifError(err);
const rateLimitRequest = getRateLimitConfigRequest(bucketName);
bucketGetRateLimit(rateLimitServiceAuthInfo, rateLimitRequest, log, err => {
assert.strictEqual(err.is.NoSuchRateLimitConfig, true);
done();
});
});
});

it('should return bucket not found error if bucket does not exist', done => {
const rateLimitRequest = getRateLimitConfigRequest('nonexistent-bucket');
bucketGetRateLimit(rateLimitServiceAuthInfo, rateLimitRequest, log, err => {
assert(err, 'should return an error');
assert.strictEqual(err.is.NoSuchBucket, true);
done();
});
});
});

describe('bucketGetRateLimit API with rate limit config', () => {
let sandbox;

beforeEach(() => {
sandbox = sinon.createSandbox();
sandbox.stub(config, 'rateLimiting').value({
serviceUserArn,
});
});

afterEach(() => {
sandbox.restore();
cleanup();
});

beforeEach(done => {
bucketPut(regularAuthInfo, bucketPutReq, log, err => {
assert.ifError(err);
const rateLimitConfig = { RequestsPerSecond: 100 };
const putRequest = getRateLimitPutRequest(bucketName, rateLimitConfig);
bucketPutRateLimit(rateLimitServiceAuthInfo, putRequest, log, err => {
assert.ifError(err);
done();
});
});
});

it('should return rate limit configuration JSON when config exists', done => {
const rateLimitRequest = getRateLimitConfigRequest(bucketName);
bucketGetRateLimit(rateLimitServiceAuthInfo, rateLimitRequest, log, (err, res) => {
assert.ifError(err);
const rateLimitConfig = JSON.parse(res);
assert.strictEqual(rateLimitConfig.RequestsPerSecond.Limit, 100);
done();
});
});
});
Loading