perf: project quotas and usages (#6441)

* project quota added * project quota removed * add periods table * make log record generic * accumulate usage * query usage * count action run seconds * fix filter in ReportQuotaUsage * fix existing tests * fix logstore tests * fix typo * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * move notifications into debouncer and improve limit querying * cleanup * comment * fix: add quota unit tests command side * fix remaining quota usage query * implement InmemLogStorage * cleanup and linting * improve test * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * fix: add quota unit tests command side * action notifications and fixes for notifications query * revert console prefix * fix: add quota unit tests command side * fix: add quota integration tests * improve accountable requests * improve accountable requests * fix: add quota integration tests * fix: add quota integration tests * fix: add quota integration tests * comment * remove ability to store logs in db and other changes requested from review * changes requested from review * changes requested from review * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * tests: fix quotas integration tests * improve incrementUsageStatement * linting * fix: delete e2e tests as intergation tests cover functionality * Update internal/api/http/middleware/access_interceptor.go Co-authored-by: Silvan <silvan.reusser@gmail.com> * backup * fix conflict * create rc * create prerelease * remove issue release labeling * fix tracing --------- Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Stefan Benz <stefan@caos.ch> Co-authored-by: adlerhurst <silvan.reusser@gmail.com> (cherry picked from commit 1a49b7d298)
2025-08-11 21:07:31 +00:00 · 2023-09-15 16:58:45 +02:00
parent b688d6f842
commit 5823fdbef9
66 changed files with 3423 additions and 1413 deletions
--- a/internal/api/grpc/server/middleware/access_interceptor.go
+++ b/internal/api/grpc/server/middleware/access_interceptor.go
@@ -10,11 +10,11 @@ import (

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/logstore"
-	"github.com/zitadel/zitadel/internal/logstore/emitters/access"
+	"github.com/zitadel/zitadel/internal/logstore/record"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

-func AccessStorageInterceptor(svc *logstore.Service) grpc.UnaryServerInterceptor {
+func AccessStorageInterceptor(svc *logstore.Service[*record.AccessLog]) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (_ interface{}, err error) {
 		if !svc.Enabled() {
 			return handler(ctx, req)
@@ -36,9 +36,9 @@ func AccessStorageInterceptor(svc *logstore.Service) grpc.UnaryServerInterceptor
 		resMd, _ := metadata.FromOutgoingContext(ctx)
 		instance := authz.GetInstance(ctx)

-		record := &access.Record{
+		r := &record.AccessLog{
 			LogDate:         time.Now(),
-			Protocol:        access.GRPC,
+			Protocol:        record.GRPC,
 			RequestURL:      info.FullMethod,
 			ResponseStatus:  respStatus,
 			RequestHeaders:  reqMd,
@@ -49,7 +49,7 @@ func AccessStorageInterceptor(svc *logstore.Service) grpc.UnaryServerInterceptor
 			RequestedHost:   instance.RequestedHost(),
 		}

-		svc.Handle(interceptorCtx, record)
+		svc.Handle(interceptorCtx, r)
 		return resp, handlerErr
 	}
 }
--- a/internal/api/grpc/server/middleware/quota_interceptor.go
+++ b/internal/api/grpc/server/middleware/quota_interceptor.go
@@ -9,19 +9,16 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/logstore"
+	"github.com/zitadel/zitadel/internal/logstore/record"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 )

-func QuotaExhaustedInterceptor(svc *logstore.Service, ignoreService ...string) grpc.UnaryServerInterceptor {
-
-	prunedIgnoredServices := make([]string, len(ignoreService))
+func QuotaExhaustedInterceptor(svc *logstore.Service[*record.AccessLog], ignoreService ...string) grpc.UnaryServerInterceptor {
 	for idx, service := range ignoreService {
 		if !strings.HasPrefix(service, "/") {
-			service = "/" + service
+			ignoreService[idx] = "/" + service
 		}
-		prunedIgnoredServices[idx] = service
 	}
-
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (_ interface{}, err error) {
 		if !svc.Enabled() {
 			return handler(ctx, req)
@@ -29,7 +26,13 @@ func QuotaExhaustedInterceptor(svc *logstore.Service, ignoreService ...string) g
 		interceptorCtx, span := tracing.NewServerInterceptorSpan(ctx)
 		defer func() { span.EndWithError(err) }()

-		for _, service := range prunedIgnoredServices {
+		// The auth interceptor will ensure that only authorized or public requests are allowed.
+		// So if there's no authorization context, we don't need to check for limitation
+		if authz.GetCtxData(ctx).IsZero() {
+			return handler(ctx, req)
+		}
+
+		for _, service := range ignoreService {
 			if strings.HasPrefix(info.FullMethod, service) {
 				return handler(ctx, req)
 			}