ratelimits: improve disabled limit handling #7803

jsha · 2024-11-12T22:14:12Z

In the FailedAuthorizations limits, there was code that intentionally ignored errLimitDisabled errors (errors.Is(err, errLimitDisabled)). However, that that resulted in those functions later using a returned limit value that was invalid (i.e. its zero value). That happened to trigger some later checks in validateTransaction. Specifically this check failed:

	if txn.cost > txn.limit.Burst {
    // error

When txt.limit.Burst is zero, this will always fail.

This problem doesn't really show up in prod, where all the limits are configured. But it showed up in tests, specifically TestPerformValidation_FailedValidationsTriggerPauseIdentifiersRatelimit, where the limits are constructed using a simplified config that leaves most of them disabled.

In this change, I tried to make handling of errLimitDisabled more consistent, and always return an allow-only transaction as early as possible instead of falling through the error condition.

Where that wasn't possible, I used a boolean to record whether the result of builder.getLimit() was valid before referencing any of its fields.

I also added some "shouldn't happen" errors to catch this problem earlier if it recurs.

I removed some "skip disabled limit" comments because those say "what the code does" (which the code also says), not "why the code does it".

Fixes the test failures in #7797.

In the FailedAuthorizations limits, there was code that intentionally ignored errLimitDisabled errors (`errors.Is(err, errLimitDisabled)`). However, that that resulted in those functions later using a returned `limit` value that was invalid (i.e. its zero value). That happened to trigger some later checks in validateTransaction. Specifically this check failed: if txn.cost > txn.limit.Burst { // error When txt.limit.Burst is zero, this will always fail. This problem doesn't really show up in prod, where all the limits are configured. But it showed up in tests, specifically TestPerformValidation_FailedValidationsTriggerPauseIdentifiersRatelimit, where the limits are constructed using a simplified config that leaves most of them disabled. In this change, I tried to make handling of errLimitDisabled more consistent, and always return an allow-only transaction as early as possible instead of falling through the error condition. Where that wasn't possible, I used a boolean to record whether the result of `builder.getLimit()` was valid before referencing any of its fields. I also added some "shouldn't happen" errors to catch this problem earlier if it recurs.

The zero value for `limit` is invalid, so returning `nil` in error cases avoids silently returning invalid limits (and means that if code makes a mistake and references an invalid limit it will be an obvious clear stack trace). This is more consistent, since the methods on `limit` use a pointer receiver. Also, since `limit` is a fairly large object, this saves some copying. Related to #7803 and #7797.

jsha requested a review from a team as a code owner November 12, 2024 22:14

jsha requested a review from beautifulentropy November 12, 2024 22:14

jsha mentioned this pull request Nov 12, 2024

ratelimits: always use a pointer for limit #7804

Merged

beautifulentropy approved these changes Nov 13, 2024

View reviewed changes

beautifulentropy requested review from aarongable and jprenken November 13, 2024 15:30

jprenken approved these changes Nov 13, 2024

View reviewed changes

beautifulentropy merged commit 26a9910 into main Nov 13, 2024
12 checks passed

beautifulentropy deleted the transaction-consistent-returns-2 branch November 13, 2024 21:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ratelimits: improve disabled limit handling #7803

ratelimits: improve disabled limit handling #7803

jsha commented Nov 12, 2024

ratelimits: improve disabled limit handling #7803

ratelimits: improve disabled limit handling #7803

Conversation

jsha commented Nov 12, 2024