feat: block instances (#7129)

* docs: fix init description typos * feat: block instances using limits * translate * unit tests * fix translations * redirect /ui/login * fix http interceptor * cleanup * fix http interceptor * fix: delete cookies on gateway 200 * add integration tests * add command test * docs * fix integration tests * add bulk api and integration test * optimize bulk set limits * unit test bulk limits * fix broken link * fix assets middleware * fix broken link * validate instance id format * Update internal/eventstore/search_query.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove support for owner bulk limit commands * project limits to instances * migrate instances projection * Revert "migrate instances projection" This reverts commit 214218732a. * join limits, remove owner * remove todo * use optional bool * normally validate instance ids * use 302 * cleanup * cleanup * Update internal/api/grpc/system/limits_converter.go Co-authored-by: Livio Spring <livio.a@gmail.com> * remove owner * remove owner from reset --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 03:37:34 +00:00 · 2024-01-17 11:16:48 +01:00
parent d9d376a275
commit ed0bc39ea4
80 changed files with 1609 additions and 438 deletions
--- a/internal/api/grpc/server/gateway.go
+++ b/internal/api/grpc/server/gateway.go
@@ -185,7 +185,7 @@ func addInterceptors(
 	handler = http_mw.ActivityHandler(handler)
 	// For some non-obvious reason, the exhaustedCookieInterceptor sends the SetCookie header
 	// only if it follows the http_mw.DefaultTelemetryHandler
-	handler = exhaustedCookieInterceptor(handler, accessInterceptor, queries)
+	handler = exhaustedCookieInterceptor(handler, accessInterceptor)
 	handler = http_mw.DefaultMetricsHandler(handler)
 	return handler
 }
@@ -205,14 +205,12 @@ func http1Host(next http.Handler, http1HostName string) http.Handler {
 func exhaustedCookieInterceptor(
 	next http.Handler,
 	accessInterceptor *http_mw.AccessInterceptor,
-	queries *query.Queries,
 ) http.Handler {
 	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
 		next.ServeHTTP(&cookieResponseWriter{
 			ResponseWriter:    writer,
 			accessInterceptor: accessInterceptor,
 			request:           request,
-			queries:           queries,
 		}, request)
 	})
 }
@@ -221,7 +219,7 @@ type cookieResponseWriter struct {
 	http.ResponseWriter
 	accessInterceptor *http_mw.AccessInterceptor
 	request           *http.Request
-	queries           *query.Queries
+	headerWritten     bool
 }

 func (r *cookieResponseWriter) WriteHeader(status int) {
@@ -231,9 +229,18 @@ func (r *cookieResponseWriter) WriteHeader(status int) {
 	if status == http.StatusTooManyRequests {
 		r.accessInterceptor.SetExhaustedCookie(r.ResponseWriter, r.request)
 	}
+	r.headerWritten = true
 	r.ResponseWriter.WriteHeader(status)
 }

+func (r *cookieResponseWriter) Write(bytes []byte) (int, error) {
+	if !r.headerWritten {
+		// If no header was written before the data, the status code is 200 and we can delete the cookie
+		r.accessInterceptor.DeleteExhaustedCookie(r.ResponseWriter)
+	}
+	return r.ResponseWriter.Write(bytes)
+}
+
 func grpcCredentials(tlsConfig *tls.Config) credentials.TransportCredentials {
 	creds := insecure.NewCredentials()
 	if tlsConfig != nil {
--- a/internal/api/grpc/server/middleware/instance_interceptor_test.go
+++ b/internal/api/grpc/server/middleware/instance_interceptor_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"reflect"
 	"testing"
+	"time"

 	"golang.org/x/text/language"
 	"google.golang.org/grpc"
@@ -164,6 +165,14 @@ func (m *mockInstanceVerifier) InstanceByID(context.Context) (authz.Instance, er

 type mockInstance struct{}

+func (m *mockInstance) Block() *bool {
+	panic("shouldn't be called here")
+}
+
+func (m *mockInstance) AuditLogRetention() *time.Duration {
+	panic("shouldn't be called here")
+}
+
 func (m *mockInstance) InstanceID() string {
 	return "instanceID"
 }
--- a/internal/api/grpc/server/middleware/limits_interceptor.go
+++ b/internal/api/grpc/server/middleware/limits_interceptor.go
@@ -0,0 +1,31 @@
+package middleware
+
+import (
+	"context"
+	"strings"
+
+	"google.golang.org/grpc"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func LimitsInterceptor(ignoreService ...string) grpc.UnaryServerInterceptor {
+	for idx, service := range ignoreService {
+		if !strings.HasPrefix(service, "/") {
+			ignoreService[idx] = "/" + service
+		}
+	}
+	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (_ interface{}, err error) {
+		for _, service := range ignoreService {
+			if strings.HasPrefix(info.FullMethod, service) {
+				return handler(ctx, req)
+			}
+		}
+		instance := authz.GetInstance(ctx)
+		if block := instance.Block(); block != nil && *block {
+			return nil, zerrors.ThrowResourceExhausted(nil, "LIMITS-molsj", "Errors.Limits.Instance.Blocked")
+		}
+		return handler(ctx, req)
+	}
+}
--- a/internal/api/grpc/server/server.go
+++ b/internal/api/grpc/server/server.go
@@ -53,9 +53,10 @@ func CreateServer(
 				middleware.InstanceInterceptor(queries, hostHeaderName, system_pb.SystemService_ServiceDesc.ServiceName, healthpb.Health_ServiceDesc.ServiceName),
 				middleware.AccessStorageInterceptor(accessSvc),
 				middleware.ErrorHandler(),
+				middleware.LimitsInterceptor(system_pb.SystemService_ServiceDesc.ServiceName),
 				middleware.AuthorizationInterceptor(verifier, authConfig),
-				middleware.QuotaExhaustedInterceptor(accessSvc, system_pb.SystemService_ServiceDesc.ServiceName),
 				middleware.TranslationHandler(),
+				middleware.QuotaExhaustedInterceptor(accessSvc, system_pb.SystemService_ServiceDesc.ServiceName),
 				middleware.ValidationHandler(),
 				middleware.ServiceHandler(),
 				middleware.ActivityInterceptor(),