-
Notifications
You must be signed in to change notification settings - Fork 12
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #103 from OdyseeTeam/firewall
merge high level firewall measures
- Loading branch information
Showing
10 changed files
with
264 additions
and
69 deletions.
There are no files selected for viewing
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,54 @@ | ||
package firewall | ||
|
||
import ( | ||
"errors" | ||
"sync" | ||
"time" | ||
|
||
"github.com/bluele/gcache" | ||
) | ||
|
||
var WindowSize = 120 * time.Second | ||
|
||
const MaxStringsPerIp = 6 | ||
|
||
var resourcesForIPCache = gcache.New(1000).Simple().Build() | ||
var whitelist = map[string]bool{ | ||
"51.210.0.171": true, | ||
} | ||
|
||
func CheckAndRateLimitIp(ip string, endpoint string) (bool, int) { | ||
if ip == "" { | ||
return false, 0 | ||
} | ||
if whitelist[ip] { | ||
return false, 0 | ||
} | ||
resources, err := resourcesForIPCache.Get(ip) | ||
if errors.Is(err, gcache.KeyNotFoundError) { | ||
tokensMap := &sync.Map{} | ||
tokensMap.Store(endpoint, time.Now()) | ||
err := resourcesForIPCache.SetWithExpire(ip, tokensMap, WindowSize*10) | ||
if err != nil { | ||
return false, 1 | ||
} | ||
return false, 1 | ||
} | ||
tokensForIP, _ := resources.(*sync.Map) | ||
currentTime := time.Now() | ||
tokensForIP.Store(endpoint, currentTime) | ||
resourcesCount := 0 | ||
flagged := false | ||
tokensForIP.Range(func(k, v interface{}) bool { | ||
if currentTime.Sub(v.(time.Time)) > WindowSize { | ||
tokensForIP.Delete(k) | ||
return true | ||
} | ||
resourcesCount++ | ||
if !flagged && resourcesCount > MaxStringsPerIp { | ||
flagged = true | ||
} | ||
return true | ||
}) | ||
return flagged, resourcesCount | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
package firewall | ||
|
||
import ( | ||
"strconv" | ||
"testing" | ||
"time" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func TestCheckIPAccess(t *testing.T) { | ||
ip := "192.168.0.1" | ||
endpoint := "/api/v1/example" | ||
WindowSize = 7 * time.Second | ||
// Test the first five accesses for an IP don't exceed the limit | ||
for i := 1; i <= 6; i++ { | ||
result, _ := CheckAndRateLimitIp(ip, endpoint+strconv.Itoa(i)) | ||
assert.False(t, result, "Expected result to be false, got %v for endpoint %s", result, endpoint+strconv.Itoa(i)) | ||
} | ||
|
||
// Test the sixth access for an IP exceeds the limit | ||
result, _ := CheckAndRateLimitIp(ip, endpoint+"7") | ||
assert.True(t, result, "Expected result to be true, got %v for endpoint %s", result, endpoint+"7") | ||
|
||
// Wait for the window size to elapse | ||
time.Sleep(WindowSize) | ||
|
||
// Test the access for an IP after the window size elapses doesn't exceed the limit | ||
result, _ = CheckAndRateLimitIp(ip, endpoint+"7") | ||
assert.False(t, result, "Expected result to be false, got %v for endpoint %s", result, endpoint+"7") | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
use godycdn; | ||
CREATE TABLE `object` | ||
( | ||
`id` bigint unsigned NOT NULL AUTO_INCREMENT, | ||
`hash` char(64) COLLATE utf8_unicode_ci NOT NULL, | ||
`is_stored` tinyint(1) NOT NULL DEFAULT '0', | ||
`length` bigint unsigned DEFAULT NULL, | ||
`last_accessed_at` timestamp NULL DEFAULT NULL, | ||
PRIMARY KEY (`id`), | ||
UNIQUE KEY `id` (`id`), | ||
UNIQUE KEY `hash_idx` (`hash`), | ||
KEY `last_accessed_idx` (`last_accessed_at`), | ||
KEY `is_stored_idx` (`is_stored`) | ||
); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.