x-pack/filebeat/input/entityanalytics/provider/okta: Rate limiting fixes #41583
Conversation
chrisberkhout
added
bugfix
Team:Security-Service Integrations
|
Pinging @elastic/security-service-integrations (Team:Security-Service Integrations) |
botelastic
bot
added
needs_team
|
This pull request does not have a backport label.
To fixup this pull request, you need to add the backport labels for the needed
|
|
|
mergify
bot
added
the
backport-8.x
chrisberkhout
force-pushed
the
okta-rate-limiting-logic
branch
from
368f547 to
b57da7b
Compare
chrisberkhout
added
backport-8.15
chrisberkhout
force-pushed
the
okta-rate-limiting-logic
branch
3 times, most recently
from
3c56801 to
317c45e
Compare
| endpoint = "/api/v1/users/{user}" | ||
| path = strings.Replace(endpoint, "{user}", user, 1) |
There was a problem hiding this comment.
Can we not just use path.Join here rather than a search/replace?
There was a problem hiding this comment.
We do also need endpoint now, without the ID inserted, for the rate limiter.
I think it's good that the final path is derived from the endpoint pattern. If there's a change they're less likely to diverge.
There was a problem hiding this comment.
I don't particularly like it, but OK.
There was a problem hiding this comment.
Ok. Leaving it like that.
| var endpoint string | ||
| var path string |
| u := &url.URL{ | ||
| Scheme: "https", | ||
| Host: host, | ||
| Path: path.Join(endpoint, user, "factors"), | ||
| Path: path, |
There was a problem hiding this comment.
I think keeping the use if path.Join would be better (also below).
There was a problem hiding this comment.
As above. Leaving it.
| } | ||
| if limiter.lim.Burst() != 1 { | ||
| t.Errorf("unexpected burst: got:%d want:1", limiter.lim.Burst()) | ||
| for _, l := range *limiter { |
There was a problem hiding this comment.
I think this needs a comment, or preferably since we have constructed the system here, use the key that we expect to exist using limiter[<key>].
There was a problem hiding this comment.
I went with the comment.
| type RateLimiter struct { | ||
| lim *rate.Limiter | ||
| } | ||
| type RateLimiter map[string]*rate.Limiter | ||
|
|
||
| func NewRateLimiter() *RateLimiter { |
There was a problem hiding this comment.
This does not need to be on a pointer.
There was a problem hiding this comment.
Changed to:
func NewRateLimiter() RateLimiter
| @@ -444,7 +444,7 @@ var nextTests = []struct { | |||
| func TestNext(t *testing.T) { | |||
| for i, test := range nextTests { | |||
| got, err := Next(test.header) | |||
| if err != test.wantErr { | |||
| if !errors.Is(err, test.wantErr) { | |||
There was a problem hiding this comment.
This is not right. The two cases are nil and io.EOF and the latter is never wrapped.
| @@ -478,7 +478,7 @@ func (p *oktaInput) doFetchUsers(ctx context.Context, state *stateStore, fullSyn | |||
|
|
|||
| next, err := okta.Next(h) | |||
| if err != nil { | |||
| if err == io.EOF { | |||
| if errors.Is(err, io.EOF) { | |||
There was a problem hiding this comment.
Reverted 3 cases.
| r.Update(endpoint, headers, window, logp.L()) | ||
| err := r.Update(endpoint, headers, window, logp.L()) | ||
| if err != nil { | ||
| t.Errorf("Update returned error: %v", err) |
There was a problem hiding this comment.
t.Errorf("unexpected error from Update(): %v", err)
| if _, copyErr := io.Copy(io.Discard, resp.Body); copyErr != nil { | ||
| err = errors.Join(err, copyErr) | ||
| } |
There was a problem hiding this comment.
If I were going to do this, I would have it as
_, cerr := io.Copy(io.Discard, resp.Body)
return nil, nil, errors.Join(err, cerr)
but we are just discarding the the body to recover the conn's usability, so this is really only an optimisation and as such should not change the behaviour qualitatively; I would leave this as it was originally.
| return &r | ||
| } | ||
|
|
||
| func (r RateLimiter) get(path string) *rate.Limiter { |
There was a problem hiding this comment.
| func (r RateLimiter) get(path string) *rate.Limiter { | |
| func (r RateLimiter) Limiter(path string) *rate.Limiter { |
with necessary changes elsewhere.
There was a problem hiding this comment.
Or unexported? I think this should only be used internally and for testing.
There was a problem hiding this comment.
Sure, unexported is fine. If this becomes something we need to share later, we can export it then.
|
This pull request is now in conflicts. Could you fix it? 🙏 |
chrisberkhout
force-pushed
the
okta-rate-limiting-logic
branch
from
23a565a to
13a79f3
Compare
…xes (#41583) - Separate rate limits by endpoint. - Stop requests until reset when `x-rate-limit-remaining: 0`. (cherry picked from commit 4e19d09) # Conflicts: # x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta.go # x-pack/filebeat/input/entityanalytics/provider/okta/internal/okta/okta_test.go
…xes (#41583) (#41902) - Separate rate limits by endpoint. - Stop requests until reset when `x-rate-limit-remaining: 0`. (cherry picked from commit 4e19d09) Co-authored-by: Chris Berkhout <[email protected]>
chrisberkhout
removed
the
backport-8.15
…r/okta: Rate limiting fixes (#41901) x-pack/filebeat/input/entityanalytics/provider/okta: Rate limiting fixes (#41583) - Separate rate limits by endpoint. - Stop requests until reset when `x-rate-limit-remaining: 0`. (cherry picked from commit 4e19d09) - Resolved conflicts by removing changes to `GetUserFactors`, `GetUserRoles` and `GetGroupRoles`, because 8.16 doesn't have #41044.
Proposed commit message
Checklist
CHANGELOG.next.asciidocorCHANGELOG-developer.next.asciidoc.Discussion
Can be reviewed commit-by-commit.
The reason a new
rate.Limiterneeds to be created whenx-rate-limit-remaining: 0is that whilerate.Limiterallows updating of the rate and burst, it doesn't allow clearing of existing tokens.Disruptive User Impact
None.
Related issues