feat: add quotas (#4779)

adds possibilities to cap authenticated requests and execution seconds of actions on a defined intervall
2025-08-12 01:27:32 +00:00 · 2023-02-15 02:52:11 +01:00
parent 45f6a4436e
commit 681541f41b
117 changed files with 4652 additions and 510 deletions
--- a/internal/api/grpc/server/middleware/access_interceptor.go
+++ b/internal/api/grpc/server/middleware/access_interceptor.go
@@ -0,0 +1,55 @@
+package middleware
+
+import (
+	"context"
+	"time"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/logstore"
+	"github.com/zitadel/zitadel/internal/logstore/emitters/access"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+func AccessStorageInterceptor(svc *logstore.Service) grpc.UnaryServerInterceptor {
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (_ interface{}, err error) {
+		if !svc.Enabled() {
+			return handler(ctx, req)
+		}
+
+		reqMd, _ := metadata.FromIncomingContext(ctx)
+
+		resp, handlerErr := handler(ctx, req)
+
+		interceptorCtx, span := tracing.NewServerInterceptorSpan(ctx)
+		defer func() { span.EndWithError(err) }()
+
+		var respStatus uint32
+		grpcStatus, ok := status.FromError(handlerErr)
+		if ok {
+			respStatus = uint32(grpcStatus.Code())
+		}
+
+		resMd, _ := metadata.FromOutgoingContext(ctx)
+		instance := authz.GetInstance(ctx)
+
+		record := &access.Record{
+			LogDate:         time.Now(),
+			Protocol:        access.GRPC,
+			RequestURL:      info.FullMethod,
+			ResponseStatus:  respStatus,
+			RequestHeaders:  reqMd,
+			ResponseHeaders: resMd,
+			InstanceID:      instance.InstanceID(),
+			ProjectID:       instance.ProjectID(),
+			RequestedDomain: instance.RequestedDomain(),
+			RequestedHost:   instance.RequestedHost(),
+		}
+
+		svc.Handle(interceptorCtx, record)
+		return resp, handlerErr
+	}
+}