Allow scoping rate-limits to specific resources and paths

CHANGELOG.md

@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - The minimum supported Rust version (MSRV) is now 1.64.
 - Manual (and badly designed) threads have been replaced by async.
 - Randomized early delay, for spacing out renewals when dealing with a lot of certificates.
+- Reworked rate-limits, now with scopes for API paths and ACME resources.
 
 
 ## [0.21.0] - 2022-12-19

acmed/Cargo.toml

@@ -36,6 +36,9 @@ toml = "0.7"
 tokio = { version = "1", features = ["full"] }
 rand = "0.8.5"
 reqwest = "0.11.16"
+governor = { version = "0.5.1", default-features = false, features = ["std"] }
+regex = "1.7.3"
+itertools = "0.10.5"
 
 [target.'cfg(unix)'.dependencies]
 nix = "0.26"

acmed/config/letsencrypt.toml

@@ -1,16 +1,43 @@
 [[rate-limit]]
-name = "Let's Encrypt rate-limit"
+name = "Let's Encrypt newOrder"
+acme_resources = ["newOrder"]
+number = 300
+period = "3h"
+
+[[rate-limit]]
+name = "Let's Encrypt overall named resources"
+acme_resources = ["newNonce", "newAccount", "newOrder", "revokeCert"]
 number = 20
 period = "1s"
 
+[[rate-limit]]
+name = "Let's Encrypt overall path prefix"
+path = "^https://acmed-v02.api\.letsencrypt\.org/(directory)|(acme/.*)$"
+number = 40
+period = "1s"
+
 [[endpoint]]
 name = "Let's Encrypt v2 production"
 url = "https://acme-v02.api.letsencrypt.org/directory"
-rate_limits = ["Let's Encrypt rate-limit"]
+rate_limits = [
+  "Let's Encrypt newOrder",
+  "Let's Encrypt overall named resources",
+  "Let's Encrypt overall path prefix"
+]
 tos_agreed = false
 
+[[rate-limit]]
+name = "Let's Encrypt newOrder staging"
+acme_resources = ["newOrder"]
+number = 300
+period = "3h"
+
 [[endpoint]]
 name = "Let's Encrypt v2 staging"
 url = "https://acme-staging-v02.api.letsencrypt.org/directory"
-rate_limits = ["Let's Encrypt rate-limit"]
+rate_limits = [
+  "Let's Encrypt newOrder staging",
+  "Let's Encrypt overall named resources",
+  "Let's Encrypt overall path prefix"
+]
 tos_agreed = false

acmed/src/acme_proto.rs

@@ -180,6 +180,7 @@ pub async fn request_certificate(
 					&mut *(endpoint_s.write().await),
 					&data_builder,
 					&chall_url,
+					None,
 				)
 				.await
 				.map_err(HttpError::in_err)?;

acmed/src/acme_proto/account.rs

@@ -96,7 +96,7 @@ pub async fn update_account_contacts(
 		set_data_builder_sync!(account_owned, endpoint_name, acc_up_struct.as_bytes());
 	let url = account.get_endpoint(&endpoint_name)?.account_url.clone();
 	create_account_if_does_not_exist!(
-		http::post_jose_no_response(endpoint, &data_builder, &url).await,
+		http::post_jose_no_response(endpoint, &data_builder, &url, None).await,
 		endpoint,
 		account
 	)?;
@@ -141,7 +141,7 @@ pub async fn update_account_key(
 		)
 	};
 	create_account_if_does_not_exist!(
-		http::post_jose_no_response(endpoint, &data_builder, &url).await,
+		http::post_jose_no_response(endpoint, &data_builder, &url, None).await,
 		endpoint,
 		account
 	)?;

acmed/src/acme_proto/http.rs

@@ -1,14 +1,15 @@
 use crate::acme_proto::structs::{AccountResponse, Authorization, Directory, Order};
+use crate::config::NamedAcmeResource;
 use crate::endpoint::Endpoint;
 use crate::http;
 use acme_common::error::Error;
 use std::{thread, time};
 
 macro_rules! pool_object {
-	($obj_type: ty, $obj_name: expr, $endpoint: expr, $url: expr, $data_builder: expr, $break: expr) => {{
+	($obj_type: ty, $obj_name: expr, $endpoint: expr, $url: expr, $resource: expr, $data_builder: expr, $break: expr) => {{
 		for _ in 0..crate::DEFAULT_POOL_NB_TRIES {
 			thread::sleep(time::Duration::from_secs(crate::DEFAULT_POOL_WAIT_SEC));
-			let response = http::post_jose($endpoint, $url, $data_builder).await?;
+			let response = http::post_jose($endpoint, $url, $resource, $data_builder).await?;
 			let obj = response.json::<$obj_type>()?;
 			if $break(&obj) {
 				return Ok(obj);
@@ -21,7 +22,7 @@ macro_rules! pool_object {
 
 pub async fn refresh_directory(endpoint: &mut Endpoint) -> Result<(), http::HttpError> {
 	let url = endpoint.url.clone();
-	let response = http::get(endpoint, &url).await?;
+	let response = http::get(endpoint, &url, Some(NamedAcmeResource::Directory)).await?;
 	endpoint.dir = response.json::<Directory>()?;
 	Ok(())
 }
@@ -30,11 +31,12 @@ pub async fn post_jose_no_response<F>(
 	endpoint: &mut Endpoint,
 	data_builder: &F,
 	url: &str,
+	resource: Option<NamedAcmeResource>,
 ) -> Result<(), http::HttpError>
 where
 	F: Fn(&str, &str) -> Result<String, Error>,
 {
-	let _ = http::post_jose(endpoint, url, data_builder).await?;
+	let _ = http::post_jose(endpoint, url, resource, data_builder).await?;
 	Ok(())
 }
 
@@ -46,7 +48,13 @@ where
 	F: Fn(&str, &str) -> Result<String, Error>,
 {
 	let url = endpoint.dir.new_account.clone();
-	let response = http::post_jose(endpoint, &url, data_builder).await?;
+	let response = http::post_jose(
+		endpoint,
+		&url,
+		Some(NamedAcmeResource::NewAccount),
+		data_builder,
+	)
+	.await?;
 	let acc_uri = response
 		.get_header(http::HEADER_LOCATION)
 		.ok_or_else(|| Error::from("no account location found"))?;
@@ -62,7 +70,13 @@ where
 	F: Fn(&str, &str) -> Result<String, Error>,
 {
 	let url = endpoint.dir.new_order.clone();
-	let response = http::post_jose(endpoint, &url, data_builder).await?;
+	let response = http::post_jose(
+		endpoint,
+		&url,
+		Some(NamedAcmeResource::NewOrder),
+		data_builder,
+	)
+	.await?;
 	let order_uri = response
 		.get_header(http::HEADER_LOCATION)
 		.ok_or_else(|| Error::from("no account location found"))?;
@@ -78,7 +92,7 @@ pub async fn get_authorization<F>(
 where
 	F: Fn(&str, &str) -> Result<String, Error>,
 {
-	let response = http::post_jose(endpoint, url, data_builder).await?;
+	let response = http::post_jose(endpoint, url, None, data_builder).await?;
 	let auth = response.json::<Authorization>()?;
 	Ok(auth)
 }
@@ -98,6 +112,7 @@ where
 		"authorization",
 		endpoint,
 		url,
+		None,
 		data_builder,
 		break_fn
 	)
@@ -113,7 +128,7 @@ where
 	F: Fn(&str, &str) -> Result<String, Error>,
 	S: Fn(&Order) -> bool,
 {
-	pool_object!(Order, "order", endpoint, url, data_builder, break_fn)
+	pool_object!(Order, "order", endpoint, url, None, data_builder, break_fn)
 }
 
 pub async fn finalize_order<F>(
@@ -124,7 +139,7 @@ pub async fn finalize_order<F>(
 where
 	F: Fn(&str, &str) -> Result<String, Error>,
 {
-	let response = http::post_jose(endpoint, url, data_builder).await?;
+	let response = http::post_jose(endpoint, url, None, data_builder).await?;
 	let order = response.json::<Order>()?;
 	Ok(order)
 }
@@ -140,6 +155,7 @@ where
 	let response = http::post(
 		endpoint,
 		url,
+		None,
 		data_builder,
 		http::CONTENT_TYPE_JOSE,
 		http::CONTENT_TYPE_PEM,

acmed/src/config.rs

@@ -12,6 +12,7 @@ use std::collections::{BTreeSet, HashMap};
 use std::fmt;
 use std::fs::{self, File};
 use std::io::prelude::*;
+use std::num::NonZeroU32;
 use std::path::{Path, PathBuf};
 use std::result::Result;
 use std::time::Duration;
@@ -72,10 +73,10 @@ pub struct Config {
 }
 
 impl Config {
-	fn get_rate_limit(&self, name: &str) -> Result<(usize, String), Error> {
+	fn get_rate_limit(&self, name: &str) -> Result<RateLimit, Error> {
 		for rl in self.rate_limit.iter() {
 			if rl.name == name {
-				return Ok((rl.number, rl.period.to_owned()));
+				return Ok(rl.clone());
 			}
 		}
 		Err(format!("{name}: rate limit not found").into())
@@ -266,8 +267,7 @@ impl Endpoint {
 	) -> Result<crate::endpoint::Endpoint, Error> {
 		let mut limits = vec![];
 		for rl_name in self.rate_limits.iter() {
-			let (nb, timeframe) = cnf.get_rate_limit(rl_name)?;
-			limits.push((nb, timeframe));
+			limits.push(cnf.get_rate_limit(rl_name)?);
 		}
 		let mut root_lst: Vec<String> = vec![];
 		root_lst.extend(root_certs.iter().map(|v| v.to_string()));
@@ -293,8 +293,23 @@ impl Endpoint {
 #[serde(deny_unknown_fields)]
 pub struct RateLimit {
 	pub name: String,
-	pub number: usize,
+	pub number: NonZeroU32,
 	pub period: String,
+	#[serde(default)]
+	pub acme_resources: Vec<NamedAcmeResource>,
+	pub path: Option<String>,
+}
+
+#[derive(Deserialize, PartialEq, Eq, Clone, Copy, Debug)]
+#[serde(rename_all = "camelCase")]
+pub enum NamedAcmeResource {
+	Directory,
+	NewNonce,
+	NewAccount,
+	NewOrder,
+	NewAuthz,
+	RevokeCert,
+	KeyChange,
 }
 
 #[derive(Deserialize)]