From d550c69f7f8c5ca666a43d34bbeaa7c5af2622d2 Mon Sep 17 00:00:00 2001 From: Jonathan Klabunde Tomer Date: Mon, 23 Sep 2024 10:20:43 -0700 Subject: [PATCH] Enforce per-IP rate limits --- .../textsecuregcm/WhisperServerService.java | 4 ++-- .../limits/RateLimitByIpFilter.java | 16 +++------------- 2 files changed, 5 insertions(+), 15 deletions(-) diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java index 0e7487641..ff0570d18 100644 --- a/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java +++ b/service/src/main/java/org/whispersystems/textsecuregcm/WhisperServerService.java @@ -1003,7 +1003,7 @@ protected void configureServer(final ServerBuilder serverBuilder) { environment.jersey().register(new BufferingInterceptor()); environment.jersey().register(new VirtualExecutorServiceProvider("managed-async-virtual-thread-")); - environment.jersey().register(new RateLimitByIpFilter(rateLimiters, true)); + environment.jersey().register(new RateLimitByIpFilter(rateLimiters)); environment.jersey().register(new RequestStatisticsFilter(TrafficSource.HTTP)); environment.jersey().register(MultiRecipientMessageProvider.class); environment.jersey().register(new AuthDynamicFeature(accountAuthFilter)); @@ -1022,7 +1022,7 @@ protected void configureServer(final ServerBuilder serverBuilder) { clientReleaseManager, messageDeliveryLoopMonitor)); webSocketEnvironment.jersey() .register(new WebsocketRefreshApplicationEventListener(accountsManager, clientPresenceManager)); - webSocketEnvironment.jersey().register(new RateLimitByIpFilter(rateLimiters, true)); + webSocketEnvironment.jersey().register(new RateLimitByIpFilter(rateLimiters)); webSocketEnvironment.jersey().register(new RequestStatisticsFilter(TrafficSource.WEBSOCKET)); webSocketEnvironment.jersey().register(MultiRecipientMessageProvider.class); webSocketEnvironment.jersey().register(new MetricsApplicationEventListener(TrafficSource.WEBSOCKET, clientReleaseManager)); diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/limits/RateLimitByIpFilter.java b/service/src/main/java/org/whispersystems/textsecuregcm/limits/RateLimitByIpFilter.java index c008bb89b..2fb834bb7 100644 --- a/service/src/main/java/org/whispersystems/textsecuregcm/limits/RateLimitByIpFilter.java +++ b/service/src/main/java/org/whispersystems/textsecuregcm/limits/RateLimitByIpFilter.java @@ -41,15 +41,9 @@ public class RateLimitByIpFilter implements ContainerRequestFilter { private static final String NO_IP_COUNTER_NAME = MetricsUtil.name(RateLimitByIpFilter.class, "noIpAddress"); private final RateLimiters rateLimiters; - private final boolean softEnforcement; - - public RateLimitByIpFilter(final RateLimiters rateLimiters, final boolean softEnforcement) { - this.rateLimiters = requireNonNull(rateLimiters); - this.softEnforcement = softEnforcement; - } public RateLimitByIpFilter(final RateLimiters rateLimiters) { - this(rateLimiters, false); + this.rateLimiters = requireNonNull(rateLimiters); } @Override @@ -87,9 +81,7 @@ public void filter(final ContainerRequestContext requestContext) throws IOExcept // checking if annotation is configured to fail when the most recent IP is not resolved if (annotation.failOnUnresolvedIp()) { logger.error("Remote address was null"); - if (!softEnforcement) { - throw INVALID_HEADER_EXCEPTION; - } + throw INVALID_HEADER_EXCEPTION; } // otherwise, allow request return; @@ -99,9 +91,7 @@ public void filter(final ContainerRequestContext requestContext) throws IOExcept rateLimiter.validate(remoteAddress.get()); } catch (RateLimitExceededException e) { final Response response = EXCEPTION_MAPPER.toResponse(e); - if (!softEnforcement) { - throw new ClientErrorException(response); - } + throw new ClientErrorException(response); } } }