guardian

package
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 1, 2020 License: MIT Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// GlobalRateLimitConfigKind identifies a Global Rate Limit config resource
	GlobalRateLimitConfigKind = "GlobalRateLimit"
	// RateLimitConfigKind identifies a Rate Limit config resource
	RateLimitConfigKind = "RateLimit"
	// JailConfigKind identifies a Jail config resource
	JailConfigKind = "Jail"
	// GlobalSettingsConfigKind identifies a Global Settings config resource
	GlobalSettingsConfigKind = "GlobalSettings"
)

Config kinds

View Source 
const (
	GlobalRateLimitConfigVersion = "v0"
	GlobalSettingsConfigVersion  = "v0"
	RateLimitConfigVersion       = "v0"
	JailConfigVersion            = "v0"
)

Config file format versions

View Source 
const RequestsRemainingMax = math.MaxUint32

Variables

This section is empty.

Functions

func IPNetsFromStrings 

func IPNetsFromStrings(ipNetStrs []string, logger logrus.FieldLogger) []net.IPNet

func IPRateLimiterKeyFunc 

func IPRateLimiterKeyFunc(req Request) string

RouteRateLimiterKeyFunc provides a key unique to a particular client IP.

func NamespacedKey 

func NamespacedKey(namespace, key string) string

NamespacedKey returns a key with the namespace prepended

func RouteRateLimiterKeyFunc 

func RouteRateLimiterKeyFunc(req Request) string

RouteRateLimiterKeyFunc provides a key unique to a particular client IP and request path.

func SlotKey 

func SlotKey(keybase string, slotTime time.Time, duration time.Duration) string

SlotKey generates the key for a slot determined by the request, slot time, and limit duration

Types

type BlacklistProvider 

type BlacklistProvider interface {
	GetBlacklist() []net.IPNet
}

type CondRequestBlockerFunc 

type CondRequestBlockerFunc func(context.Context, Request) (stop, blocked bool, remaining uint32, err error)

CondRequestBlockerFunc is the same as a RequestBlockerFunc with the added ability to indicate that the evaluation of a chain should stop

func CondStopOnBanned 

func CondStopOnBanned(jailer Jailer) CondRequestBlockerFunc

CondStopOnBanned uses a jailer to determine if a request should be blocked or not. It will also stop further processing on the request if the client ip is banned.

func CondStopOnBlacklistFunc 

func CondStopOnBlacklistFunc(blacklister *IPBlacklister) CondRequestBlockerFunc

func CondStopOnBlockOrError 

func CondStopOnBlockOrError(rl RateLimiter) CondRequestBlockerFunc

CondStopOnBlockOrError wraps a RateLimiter Limit call and returns true for stop if the request was blocked or errored out

func CondStopOnWhitelistFunc 

func CondStopOnWhitelistFunc(whitelister *IPWhitelister) CondRequestBlockerFunc

type Conditions added in v0.2.0 

type Conditions struct {
	Path string `yaml:"path" json:"path"`
}

Conditions represents conditions required for a Limit to be applied to a Request. Currently, Guardian only filters requests based on URL path, via RedisConfStore.GetRouteRateLimit(url.URL) or .GetJail(url.URL)

type Config added in v0.2.0 

type Config struct {
	ConfigMetadata      `yaml:",inline"`
	GlobalRateLimitSpec *GlobalRateLimitSpec `yaml:"globalRateLimitSpec"`
	GlobalSettingsSpec  *GlobalSettingsSpec  `yaml:"globalSettingsSpec"`
	RateLimitSpec       *RateLimitSpec       `yaml:"rateLimitSpec"`
	JailSpec            *JailSpec            `yaml:"jailSpec"`
}

Config represents a generic configuration file

type ConfigKind added in v0.2.0 

type ConfigKind string

ConfigKind identifies a kind of configuration resource

type ConfigMetadata added in v0.2.0 

type ConfigMetadata struct {
	// Version identifies the version of the configuration resource format
	Version string `yaml:"version" json:"version"`
	// Kind identifies the kind of the configuration resource
	Kind ConfigKind `yaml:"kind" json:"kind"`
	// Name uniquely identifies a configuration resource within the resource's Kind
	Name string `yaml:"name" json:"name"`
	// Description is a description to add context to a resource
	Description string `yaml:"description" json:"description"`
}

ConfigMetadata represents metadata associated with a configuration resource. Every configuration resource begins with this metadata.

type Counter 

type Counter interface {

	// Incr increments key by count and sets the expiration to expireIn from now. The result of the incr, whether to force block,
	// and an error is returned
	Incr(context context.Context, key string, incryBy uint, maxBeforeBlock uint64, expireIn time.Duration) (uint64, bool, error)
}

Counter is a data store capable of incrementing and expiring the count of a key

type DataDogReporter 

type DataDogReporter struct {
	// contains filtered or unexported fields
}

func NewDataDogReporter 

func NewDataDogReporter(client *statsd.Client, defaultTags []string, logger logrus.FieldLogger) *DataDogReporter

func (*DataDogReporter) CurrentBlacklist 

func (d *DataDogReporter) CurrentBlacklist(blacklist []net.IPNet)

func (*DataDogReporter) CurrentGlobalLimit 

func (d *DataDogReporter) CurrentGlobalLimit(limit Limit)

func (*DataDogReporter) CurrentPrisoners 

func (d *DataDogReporter) CurrentPrisoners(numPrisoners int)

func (*DataDogReporter) CurrentReportOnlyMode 

func (d *DataDogReporter) CurrentReportOnlyMode(reportOnly bool)

func (*DataDogReporter) CurrentRouteJail 

func (d *DataDogReporter) CurrentRouteJail(route string, jail Jail)

func (*DataDogReporter) CurrentRouteLimit 

func (d *DataDogReporter) CurrentRouteLimit(route string, limit Limit)

func (*DataDogReporter) CurrentWhitelist 

func (d *DataDogReporter) CurrentWhitelist(whitelist []net.IPNet)

func (*DataDogReporter) Duration 

func (d *DataDogReporter) Duration(request Request, blocked bool, errorOccurred bool, duration time.Duration)

func (*DataDogReporter) HandledAddPrisoner 

func (d *DataDogReporter) HandledAddPrisoner(ip net.IP, jail Jail)

func (*DataDogReporter) HandledBlacklist 

func (d *DataDogReporter) HandledBlacklist(request Request, blacklisted bool, errorOccurred bool, duration time.Duration)

func (*DataDogReporter) HandledJail 

func (d *DataDogReporter) HandledJail(request Request, blocked bool, errorOccurred bool, duration time.Duration, setters ...MetricOptionSetter)

func (*DataDogReporter) HandledRatelimit 

func (d *DataDogReporter) HandledRatelimit(request Request, ratelimited bool, errorOccurred bool, duration time.Duration)

func (*DataDogReporter) HandledRatelimitWithRoute 

func (d *DataDogReporter) HandledRatelimitWithRoute(request Request, ratelimited bool, errorOccurred bool, duration time.Duration)

func (*DataDogReporter) HandledWhitelist 

func (d *DataDogReporter) HandledWhitelist(request Request, whitelisted bool, errorOccurred bool, duration time.Duration)

func (*DataDogReporter) RedisCounterIncr 

func (d *DataDogReporter) RedisCounterIncr(duration time.Duration, errorOccurred bool)

func (*DataDogReporter) RedisCounterPruned 

func (d *DataDogReporter) RedisCounterPruned(duration time.Duration, cacheSize float64, prunedCounted float64)

func (*DataDogReporter) RedisObtainLock 

func (d *DataDogReporter) RedisObtainLock(errorOccurred bool)

func (*DataDogReporter) RedisReleaseLock 

func (d *DataDogReporter) RedisReleaseLock(duration time.Duration, errorOccurred bool)

func (*DataDogReporter) Run 

func (d *DataDogReporter) Run(stop <-chan struct{})

type GenericJailer 

type GenericJailer struct {
	// contains filtered or unexported fields
}

func NewGenericJailer 

func NewGenericJailer(store RouteJailStore, logger logrus.FieldLogger, c Counter, s PrisonerStore, mr MetricReporter) *GenericJailer

func (*GenericJailer) IsBanned 

func (gj *GenericJailer) IsBanned(ctx context.Context, request Request) (banned bool, err error)

type GenericRateLimiter 

type GenericRateLimiter struct {
	KeyFunc            func(req Request) string
	LimitProvider      LimitProvider
	Counter            Counter
	Logger             logrus.FieldLogger
	OnRateLimitHandled []RateLimitHook
}

GenericRateLimiter is a multipurpose rate limiter. It allows users to customize how the rate limiter behaves through 2 main mechanisms. 1. A KeyFunc that determines the key that wil be used for incrementing. 2. A LimitProvider that determines how the limit will be calculated.

func NewIPRateLimiter 

func NewIPRateLimiter(store GlobalLimitStore, l logrus.FieldLogger, mr MetricReporter, c Counter) *GenericRateLimiter

NewIPRateLimiter returns a rate limiter that enforces a limit upon all requests from each client IP.

func NewRouteRateLimiter 

func NewRouteRateLimiter(store RouteRateLimitStore, logger logrus.FieldLogger, mr MetricReporter, c Counter) *GenericRateLimiter

func (*GenericRateLimiter) Limit 

func (rl *GenericRateLimiter) Limit(context context.Context, request Request) (bool, uint32, error)

Limit limits a request if request exceeds rate limit

type GlobalLimitProvider 

type GlobalLimitProvider struct {
	// contains filtered or unexported fields
}

GlobalLimitProvider implements the LimitProvider interface.

func NewGlobalLimitProvider 

func NewGlobalLimitProvider(store GlobalLimitStore) *GlobalLimitProvider

NewGlobalLimitProvider returns an implementation of a LimitProvider intended to provide limits for all requests from a given client IP.

func (*GlobalLimitProvider) GetLimit 

func (glp *GlobalLimitProvider) GetLimit(_ Request) Limit

GetLimit gets the global limit applied to all requests.

type GlobalLimitStore 

type GlobalLimitStore interface {
	GetLimit() Limit
}

GlobalLimitStore is a limit store that does not accept any request metadata but can still return a Limit.

type GlobalRateLimitConfig added in v0.2.0 

type GlobalRateLimitConfig struct {
	ConfigMetadata `yaml:",inline" json:",inline"`
	Spec           GlobalRateLimitSpec `yaml:"globalRateLimitSpec" json:"globalRateLimitSpec"`
}

GlobalRateLimitConfig represents a resource that configures the global rate limit

type GlobalRateLimitSpec added in v0.2.0 

type GlobalRateLimitSpec struct {
	Limit Limit `yaml:"limit" json:"limit"`
}

GlobalRateLimitSpec represents the specification for a GlobalRateLimitConfig

type GlobalSettingsConfig added in v0.2.0 

type GlobalSettingsConfig struct {
	ConfigMetadata `yaml:",inline" json:",inline"`
	Spec           GlobalSettingsSpec `yaml:"globalSettingsSpec" json:"globalSettingsSpec"`
}

GlobalSettingsConfig represents a resource that configures global settings

type GlobalSettingsSpec added in v0.2.0 

type GlobalSettingsSpec struct {
	ReportOnly bool `yaml:"reportOnly" json:"reportOnly"`
}

GlobalSettingsSpec represents the specification for a GlobalSettingsConfig

type IPBlacklister 

type IPBlacklister struct {
	// contains filtered or unexported fields
}

func NewIPBlacklister 

func NewIPBlacklister(provider BlacklistProvider, logger logrus.FieldLogger, reporter MetricReporter) *IPBlacklister

func (*IPBlacklister) IsBlacklisted 

func (w *IPBlacklister) IsBlacklisted(context context.Context, req Request) (bool, error)

type IPWhitelister 

type IPWhitelister struct {
	// contains filtered or unexported fields
}

func NewIPWhitelister 

func NewIPWhitelister(provider WhitelistProvider, logger logrus.FieldLogger, reporter MetricReporter) *IPWhitelister

func (*IPWhitelister) IsWhitelisted 

func (w *IPWhitelister) IsWhitelisted(context context.Context, req Request) (bool, error)

type Jail 

type Jail struct {
	Limit       Limit         `yaml:"limit"" json:"limit"`
	BanDuration time.Duration `yaml:"banDuration" json:"banDuration"`
}

Jail is a namesake of a similar concept from fail2ban https://docs.plesk.com/en-US/obsidian/administrator-guide/73382/ In the context of Guardian, a Jail is a combination of a Limit and a BanDuration. If the Limit is reached, the the IP will be banned for the BanDuration.

func (Jail) String 

func (j Jail) String() string

type JailConfig 

type JailConfig struct {
	ConfigMetadata `yaml:",inline" json:",inline"`
	Spec           JailSpec `yaml:"jailSpec" json:"jailSpec"`
}

JailConfig represents a resource that configures a jail

type JailConfigDeprecated added in v0.2.0 

type JailConfigDeprecated struct {
	Jails []JailConfigEntryDeprecated `yaml:"jails"`
}

JailConfigEntryDeprecated represents the jail configuration format associated with the deprecated CLI

type JailConfigEntryDeprecated added in v0.2.0 

type JailConfigEntryDeprecated struct {
	Route string `yaml:"route"`
	Jail  Jail   `yaml:"jail"`
}

JailConfigEntryDeprecated represents an entry in the jail configuration format associated with the deprecated CLI

type JailProvider 

type JailProvider interface {
	GetJail(req Request) Jail
}

A JailProvider is a generic interface for determining which jail (if any) applies to a request

type JailSpec added in v0.2.0 

type JailSpec struct {
	Jail       `yaml:",inline" json:",inline"`
	Conditions Conditions `yaml:"conditions" json:"conditions"`
}

JailSpec represents the specification for a JailConfig

type Jailer 

type Jailer interface {
	IsBanned(ctx context.Context, request Request) (bool, error)
}

A Jailer can determine if the requests from a client has met the conditions of a Jail's Limit. If the limit has been exceeded, the Jailer should mark the ip as Banned for the entire BanDuration.

type Limit 

type Limit struct {
	Count    uint64
	Duration time.Duration
	Enabled  bool
}

Limit describes a rate limit

func (Limit) String 

func (l Limit) String() string

type LimitProvider 

type LimitProvider interface {
	// GetLimit can determine what the limit is based off the data provided in the request.
	// It is up to the limit provider to determine the characteristics of the requests it cares about.
	// For example, a simple IP rate limiter could ignore the request entirely.
	GetLimit(req Request) Limit
}

LimitProvider provides the current limit settings based off a given request.

type MetricOption 

type MetricOption struct {
	// contains filtered or unexported fields
}

type MetricOptionSetter 

type MetricOptionSetter func(mo *MetricOption)

func WithRemoteAddress 

func WithRemoteAddress(remoteAddress string) MetricOptionSetter

type MetricReporter 

type MetricReporter interface {
	Duration(request Request, blocked bool, errorOccurred bool, duration time.Duration)
	HandledWhitelist(request Request, whitelisted bool, errorOccurred bool, duration time.Duration)
	HandledBlacklist(request Request, whitelisted bool, errorOccurred bool, duration time.Duration)
	HandledRatelimit(request Request, ratelimited bool, errorOccurred bool, duration time.Duration)
	HandledRatelimitWithRoute(request Request, ratelimited bool, errorOccurred bool, duration time.Duration)
	HandledJail(request Request, blocked bool, errorOccurred bool, duration time.Duration, setters ...MetricOptionSetter)
	HandledAddPrisoner(ip net.IP, jail Jail)
	RedisCounterIncr(duration time.Duration, errorOccurred bool)
	RedisCounterPruned(duration time.Duration, cacheSize float64, prunedCounted float64)
	RedisObtainLock(errorOccurred bool)
	RedisReleaseLock(duration time.Duration, errorOccurred bool)
	CurrentGlobalLimit(limit Limit)
	CurrentRouteLimit(route string, limit Limit)
	CurrentWhitelist(whitelist []net.IPNet)
	CurrentBlacklist(blacklist []net.IPNet)
	CurrentRouteJail(route string, jail Jail)
	CurrentPrisoners(numPrisoners int)
	CurrentReportOnlyMode(reportOnly bool)
}

type NullReporter 

type NullReporter struct{}

func (NullReporter) CurrentBlacklist 

func (n NullReporter) CurrentBlacklist(blacklist []net.IPNet)

func (NullReporter) CurrentGlobalLimit 

func (n NullReporter) CurrentGlobalLimit(limit Limit)

func (NullReporter) CurrentPrisoners 

func (n NullReporter) CurrentPrisoners(numPrisoners int)

func (NullReporter) CurrentReportOnlyMode 

func (n NullReporter) CurrentReportOnlyMode(reportOnly bool)

func (NullReporter) CurrentRouteJail 

func (n NullReporter) CurrentRouteJail(route string, jail Jail)

func (NullReporter) CurrentRouteLimit 

func (n NullReporter) CurrentRouteLimit(route string, limit Limit)

func (NullReporter) CurrentWhitelist 

func (n NullReporter) CurrentWhitelist(whitelist []net.IPNet)

func (NullReporter) Duration 

func (n NullReporter) Duration(request Request, blocked bool, errorOccurred bool, duration time.Duration)

func (NullReporter) HandledAddPrisoner 

func (n NullReporter) HandledAddPrisoner(ip net.IP, jail Jail)

func (NullReporter) HandledBlacklist 

func (n NullReporter) HandledBlacklist(request Request, blacklisted bool, errorOccurred bool, duration time.Duration)

func (NullReporter) HandledJail 

func (n NullReporter) HandledJail(request Request, blocked bool, errorOccurred bool, duration time.Duration, setters ...MetricOptionSetter)

func (NullReporter) HandledRatelimit 

func (n NullReporter) HandledRatelimit(request Request, ratelimited bool, errorOccurred bool, duration time.Duration)

func (NullReporter) HandledRatelimitWithRoute 

func (n NullReporter) HandledRatelimitWithRoute(request Request, ratelimited bool, errorOccurred bool, duration time.Duration)

func (NullReporter) HandledWhitelist 

func (n NullReporter) HandledWhitelist(request Request, whitelisted bool, errorOccurred bool, duration time.Duration)

func (NullReporter) RedisCounterIncr 

func (n NullReporter) RedisCounterIncr(duration time.Duration, errorOccurred bool)

func (NullReporter) RedisCounterPruned 

func (n NullReporter) RedisCounterPruned(duration time.Duration, cacheSize float64, prunedCounted float64)

func (NullReporter) RedisObtainLock 

func (n NullReporter) RedisObtainLock(errorOccurred bool)

func (NullReporter) RedisReleaseLock 

func (n NullReporter) RedisReleaseLock(duration time.Duration, errorOccurred bool)

type Prisoner 

type Prisoner struct {
	IP     net.IP    `yaml:"ip" json:"ip"`
	Jail   Jail      `yaml:"jail" json:"jail"`
	Expiry time.Time `yaml:"expiry" json:"expiry"`
}

type PrisonerStore 

type PrisonerStore interface {
	IsPrisoner(remoteAddress string) bool
	AddPrisoner(remoteAddress string, jail Jail)
}

PrisonerStore can check if a client ip is a prisoner and also add prisoners

type RateLimitConfig added in v0.2.0 

type RateLimitConfig struct {
	ConfigMetadata `yaml:",inline" json:",inline"`
	Spec           RateLimitSpec `yaml:"rateLimitSpec" json:"rateLimitSpec"`
}

RateLimitConfig represents a resource that configures a conditional rate limit

type RateLimitHook 

type RateLimitHook func(req Request, limit Limit, rateLimited bool, dur time.Duration, err error)

func OnRouteRateLimitHandled 

func OnRouteRateLimitHandled(mr MetricReporter) RateLimitHook

func ReportRateLimitHandled 

func ReportRateLimitHandled(mr MetricReporter) RateLimitHook

ReportRateLimitHandled reports that a rate limit request was handled and provides some metadata.

type RateLimitSpec added in v0.2.0 

type RateLimitSpec struct {
	Limit      Limit      `yaml:"limit" json:"limit"`
	Conditions Conditions `yaml:"conditions" json:"conditions"`
}

RateLimitSpec represents the specification for a RateLimitConfig

type RateLimiter 

type RateLimiter interface {
	Limit(context.Context, Request) (bool, uint32, error)
}

type RedisConfStore 

type RedisConfStore struct {
	// contains filtered or unexported fields
}

RedisConfStore is a configuration provider that uses Redis for persistence

func NewRedisConfStore 

func NewRedisConfStore(redis *redis.Client, defaultWhitelist []net.IPNet, defaultBlacklist []net.IPNet, defaultLimit Limit, defaultReportOnly, initConfig bool, maxPrisonerCacheSize uint16, logger logrus.FieldLogger, mr MetricReporter) (*RedisConfStore, error)

NewRedisConfStore creates a new RedisConfStore

func (*RedisConfStore) AddBlacklistCidrs 

func (rs *RedisConfStore) AddBlacklistCidrs(cidrs []net.IPNet) error

func (*RedisConfStore) AddPrisoner 

func (rs *RedisConfStore) AddPrisoner(remoteAddress string, jail Jail)

func (*RedisConfStore) AddWhitelistCidrs 

func (rs *RedisConfStore) AddWhitelistCidrs(cidrs []net.IPNet) error

func (*RedisConfStore) ApplyGlobalRateLimitConfig added in v0.2.0 

func (rs *RedisConfStore) ApplyGlobalRateLimitConfig(cfg GlobalRateLimitConfig) error

func (*RedisConfStore) ApplyGlobalSettingsConfig added in v0.2.0 

func (rs *RedisConfStore) ApplyGlobalSettingsConfig(cfg GlobalSettingsConfig) error

func (*RedisConfStore) ApplyJailConfig added in v0.2.0 

func (rs *RedisConfStore) ApplyJailConfig(cfg JailConfig) error

func (*RedisConfStore) ApplyRateLimitConfig added in v0.2.0 

func (rs *RedisConfStore) ApplyRateLimitConfig(cfg RateLimitConfig) error

func (*RedisConfStore) DeleteJailConfig added in v0.2.0 

func (rs *RedisConfStore) DeleteJailConfig(name string) error

func (*RedisConfStore) DeleteRateLimitConfig added in v0.2.0 

func (rs *RedisConfStore) DeleteRateLimitConfig(name string) error

func (*RedisConfStore) FetchBlacklist 

func (rs *RedisConfStore) FetchBlacklist() ([]net.IPNet, error)

func (*RedisConfStore) FetchGlobalRateLimitConfig added in v0.2.0 

func (rs *RedisConfStore) FetchGlobalRateLimitConfig() (GlobalRateLimitConfig, error)

func (*RedisConfStore) FetchGlobalSettingsConfig added in v0.2.0 

func (rs *RedisConfStore) FetchGlobalSettingsConfig() (GlobalSettingsConfig, error)

func (*RedisConfStore) FetchJailConfig added in v0.2.0 

func (rs *RedisConfStore) FetchJailConfig(name string) (JailConfig, error)

func (*RedisConfStore) FetchJailConfigs added in v0.2.0 

func (rs *RedisConfStore) FetchJailConfigs() []JailConfig

func (*RedisConfStore) FetchPrisoners 

func (rs *RedisConfStore) FetchPrisoners() ([]Prisoner, error)

func (*RedisConfStore) FetchRateLimitConfig added in v0.2.0 

func (rs *RedisConfStore) FetchRateLimitConfig(name string) (RateLimitConfig, error)

func (*RedisConfStore) FetchRateLimitConfigs added in v0.2.0 

func (rs *RedisConfStore) FetchRateLimitConfigs() []RateLimitConfig

func (*RedisConfStore) FetchWhitelist 

func (rs *RedisConfStore) FetchWhitelist() ([]net.IPNet, error)

func (*RedisConfStore) GetBlacklist 

func (rs *RedisConfStore) GetBlacklist() []net.IPNet

func (*RedisConfStore) GetJail 

func (rs *RedisConfStore) GetJail(url url.URL) Jail

func (*RedisConfStore) GetLimit 

func (rs *RedisConfStore) GetLimit() Limit

func (*RedisConfStore) GetReportOnly 

func (rs *RedisConfStore) GetReportOnly() bool

func (*RedisConfStore) GetRouteRateLimit 

func (rs *RedisConfStore) GetRouteRateLimit(url url.URL) Limit

GetRouteRateLimit gets a route limit from the local cache.

func (*RedisConfStore) GetWhitelist 

func (rs *RedisConfStore) GetWhitelist() []net.IPNet

func (*RedisConfStore) IsPrisoner 

func (rs *RedisConfStore) IsPrisoner(remoteAddress string) bool

func (*RedisConfStore) RemoveBlacklistCidrs 

func (rs *RedisConfStore) RemoveBlacklistCidrs(cidrs []net.IPNet) error

func (*RedisConfStore) RemovePrisoners 

func (rs *RedisConfStore) RemovePrisoners(prisoners []net.IP) (numDeleted int64, err error)

RemovePrisoners removes the specified prisoners from the prisoner hash map in Redis. This is intended to be used by the guardian-cli, so therefore it does not run rs.pipelinedFetchConf() or update the prisoners cache.

func (*RedisConfStore) RemoveWhitelistCidrs 

func (rs *RedisConfStore) RemoveWhitelistCidrs(cidrs []net.IPNet) error

func (*RedisConfStore) RunSync 

func (rs *RedisConfStore) RunSync(updateInterval time.Duration, stop <-chan struct{})

func (*RedisConfStore) UpdateCachedConf 

func (rs *RedisConfStore) UpdateCachedConf()

type RedisCounter 

type RedisCounter struct {
	// contains filtered or unexported fields
}

RedisLimitCounter is a Counter that uses Redis for persistence TODO: fetch the current limit configuration from redis instead of using a static one

func NewRedisCounter 

func NewRedisCounter(redis *redis.Client, synchronous bool, logger logrus.FieldLogger, reporter MetricReporter) *RedisCounter

func (*RedisCounter) Incr 

func (rs *RedisCounter) Incr(context context.Context, key string, incrBy uint, maxBeforeBlock uint64, expireIn time.Duration) (uint64, bool, error)

func (*RedisCounter) Run 

func (rs *RedisCounter) Run(pruneInterval time.Duration, stop <-chan struct{})

type ReportOnlyProvider 

type ReportOnlyProvider interface {
	GetReportOnly() bool
}

type Request 

type Request struct {
	RemoteAddress string
	Authority     string
	Method        string
	Path          string
	Headers       map[string]string
}

Request is an http request

func RequestFromRateLimitRequest 

func RequestFromRateLimitRequest(rlreq *ratelimit.RateLimitRequest) Request

RequestFromRateLimitRequest returns a Request from a RateLimitRequest

type RequestBlockerFunc 

type RequestBlockerFunc func(context.Context, Request) (bool, uint32, error)

RequestBlockerFunc is a function that evaluates a given request and determines if it should be blocked or not and how many requests are remaining.

func CondChain 

func CondChain(cf ...CondRequestBlockerFunc) RequestBlockerFunc

CondChain chains a series of CondRequestBlockerFunc running each until one indicates the chain should stop processing, returning that functions results

func DefaultCondChain 

func DefaultCondChain(whitelister *IPWhitelister, blacklister *IPBlacklister, jailer Jailer, rateLimiters ...RateLimiter) RequestBlockerFunc

DefaultCondChain is the default condition chain used by Guardian. This performs the following checks when processing a request: whitelist, blacklist, rate limiters.

type RouteJailProvider 

type RouteJailProvider struct {
	// contains filtered or unexported fields
}

A RouteJailProvider is a jail provider that provides a jail based off the route of a request

func NewRouteJailProvider 

func NewRouteJailProvider(store RouteJailStore, logger logrus.FieldLogger) *RouteJailProvider

NewRouteRateLimitProvider returns an implementation of a LimitProvider intended to provide limits based off a a request's path and a client's IP address.

func (*RouteJailProvider) GetJail 

func (jp *RouteJailProvider) GetJail(req Request) Jail

GetJail queries the store to determine which Jail, if any, applies to the request.

type RouteJailStore 

type RouteJailStore interface {
	GetJail(u url.URL) Jail
}

A RouteJailStore can retrieve the Jail configuration for a given route

type RouteLimitProvider 

type RouteLimitProvider struct {
	// contains filtered or unexported fields
}

RouteLimitProvider implements the LimitProvider interface.

func NewRouteRateLimitProvider 

func NewRouteRateLimitProvider(store RouteRateLimitStore, logger logrus.FieldLogger) *RouteLimitProvider

NewRouteRateLimitProvider returns an implementation of a LimitProvider intended to provide limits based off a a request's path and a client's IP address.

func (*RouteLimitProvider) GetLimit 

func (rlp *RouteLimitProvider) GetLimit(req Request) Limit

GetLimit gets the limit for a particular request's path.

type RouteRateLimitConfigDeprecated added in v0.2.0 

type RouteRateLimitConfigDeprecated struct {
	RouteRateLimits []RouteRateLimitConfigEntryDeprecated `yaml:"route_rate_limits"`
}

RouteRateLimitConfigDeprecated represents the conditional rate limit configuration format associated with the deprecated CLI

type RouteRateLimitConfigEntryDeprecated added in v0.2.0 

type RouteRateLimitConfigEntryDeprecated struct {
	Route string `yaml:"route"`
	Limit Limit  `yaml:"limit"`
}

RouteRateLimitConfigEntryDeprecated represents an entry in the conditional rate limit configuration format associated with the deprecated CLI

type RouteRateLimitStore 

type RouteRateLimitStore interface {
	GetRouteRateLimit(url url.URL) Limit
}

RouteRateLimitStore provides the ability to retrieve rate limit configuration for a given route

type Server 

type Server struct {
	// contains filtered or unexported fields
}

func NewServer 

func NewServer(blocker RequestBlockerFunc, reportOnlyProvider ReportOnlyProvider, logger logrus.FieldLogger, reporter MetricReporter) *Server

func (*Server) ShouldRateLimit 

func (s *Server) ShouldRateLimit(ctx context.Context, relreq *ratelimit.RateLimitRequest) (*ratelimit.RateLimitResponse, error)

type WhitelistProvider 

type WhitelistProvider interface {
	GetWhitelist() []net.IPNet
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.