Changes from code review

* Use a different namespace for the `--verify` integration test * Rate limit the number of requests to verify endpoint based on remote IP address
cknowles · Nov 3, 2018 · adfe747 · adfe747
1 parent b931cbc
commit adfe747
Show file tree

Hide file tree

Showing 14 changed files with 863 additions and 3 deletions.
diff --git a/cmd/controller/server.go b/cmd/controller/server.go
@@ -9,6 +9,8 @@ import (
 	"time"
 
 	flag "github.com/spf13/pflag"
+	"github.com/throttled/throttled"
+	"github.com/throttled/throttled/store/memstore"
 	certUtil "k8s.io/client-go/util/cert"
 )
 
@@ -24,14 +26,16 @@ type certProvider func() ([]*x509.Certificate, error)
 type secretChecker func([]byte) (bool, error)
 
 func httpserver(cp certProvider, sc secretChecker) {
+	httpRateLimiter := rateLimter()
+
 	mux := http.NewServeMux()
 
 	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		io.WriteString(w, "ok\n")
 	})
 
-	mux.HandleFunc("/v1/verify", func(w http.ResponseWriter, r *http.Request) {
+	mux.Handle("/v1/verify", httpRateLimiter.RateLimit(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		content, err := ioutil.ReadAll(r.Body)
 
 		if err != nil {
@@ -54,7 +58,7 @@ func httpserver(cp certProvider, sc secretChecker) {
 			w.WriteHeader(http.StatusConflict)
 		}
 
-	})
+	})))
 
 	mux.HandleFunc("/v1/cert.pem", func(w http.ResponseWriter, r *http.Request) {
 		certs, err := cp()
@@ -84,3 +88,21 @@ func httpserver(cp certProvider, sc secretChecker) {
 	err := server.ListenAndServe()
 	log.Printf("HTTP server exiting: %v", err)
 }
+
+func rateLimter() throttled.HTTPRateLimiter {
+	store, err := memstore.New(65536)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	quota := throttled.RateQuota{MaxRate: throttled.PerSec(2), MaxBurst: 2}
+	rateLimiter, err := throttled.NewGCRARateLimiter(store, quota)
+	if err != nil {
+		log.Fatal(err)
+	}
+	return throttled.HTTPRateLimiter{
+		RateLimiter: rateLimiter,
+		VaryBy:      &throttled.VaryBy{Path: true, Headers: []string{"X-Forwarded-For"}},
+	}
+
+}
diff --git a/integration/kubeseal_test.go b/integration/kubeseal_test.go
@@ -233,7 +233,7 @@ var _ = Describe("kubeseal --version", func() {
 var _ = Describe("kubeseal --verify", func() {
 	var c corev1.CoreV1Interface
 	const secretName = "testSecret"
-	const testNs = "testns"
+	const testNs = "testverifyns"
 	var input io.Reader
 	var output *bytes.Buffer
 	var ss *ssv1alpha1.SealedSecret

diff --git a/vendor/github.com/throttled/throttled/CHANGELOG.md b/vendor/github.com/throttled/throttled/CHANGELOG.md
diff --git a/vendor/github.com/throttled/throttled/LICENSE b/vendor/github.com/throttled/throttled/LICENSE
diff --git a/vendor/github.com/throttled/throttled/Makefile b/vendor/github.com/throttled/throttled/Makefile
diff --git a/vendor/github.com/throttled/throttled/README.md b/vendor/github.com/throttled/throttled/README.md
diff --git a/vendor/github.com/throttled/throttled/deprecated.go b/vendor/github.com/throttled/throttled/deprecated.go
diff --git a/vendor/github.com/throttled/throttled/doc.go b/vendor/github.com/throttled/throttled/doc.go