Request Limiter listener config opt-out (#25098)

This commit introduces a new listener config option to allow disabling the request limiter per-listener.
2025-10-30 18:17:55 +00:00 · 2024-01-26 15:24:32 -05:00
parent dc9d1e275d
commit 12f69a8ce5
10 changed files with 94 additions and 13 deletions
--- a/changelog/25098.txt
+++ b/changelog/25098.txt
@@ -0,0 +1,4 @@
 ```release-note:improvement
 limits: Add a listener configuration option `disable_request_limiter` to allow
 disabling the request limiter per-listener.
 ```
--- a/command/agent_test.go
+++ b/command/agent_test.go
@@ -350,11 +350,13 @@ listener "tcp" {
    address = "%s"
    tls_disable = true
    require_request_header = false
    disable_request_limiter = false
 }
 listener "tcp" {
    address = "%s"
    tls_disable = true
    require_request_header = true
 	disable_request_limiter = true
 }
 `
 	listenAddr1 := generateListenerAddress(t)
--- a/command/server.go
+++ b/command/server.go
@@ -901,6 +901,8 @@ func (c *ServerCommand) InitListeners(config *server.Config, disableClustering b
 		}
 		props["max_request_duration"] = lnConfig.MaxRequestDuration.String()
 		props["disable_request_limiter"] = strconv.FormatBool(lnConfig.DisableRequestLimiter)
 		if lnConfig.ChrootNamespace != "" {
 			props["chroot_namespace"] = lnConfig.ChrootNamespace
 		}
--- a/command/server/config_test_helpers.go
+++ b/command/server/config_test_helpers.go
@@ -611,6 +611,7 @@ func testLoadConfigFile_json(t *testing.T) {
 					Type:                  "tcp",
 					Address:               "127.0.0.1:443",
 					CustomResponseHeaders: DefaultCustomHeaders,
 					DisableRequestLimiter: false,
 				},
 			},
@@ -789,8 +790,9 @@ func testConfig_Sanitized(t *testing.T) {
 		"listeners": []interface{}{
 			map[string]interface{}{
 				"config": map[string]interface{}{
-					"address":          "127.0.0.1:443",
+					"address":                 "127.0.0.1:443",
-					"chroot_namespace": "admin/",
+					"chroot_namespace":        "admin/",
 					"disable_request_limiter": false,
 				},
 				"type": configutil.TCP,
 			},
@@ -889,6 +891,7 @@ listener "tcp" {
  redact_addresses = true
  redact_cluster_name = true
  redact_version = true
  disable_request_limiter = true
 }
 listener "unix" {
  address = "/var/run/vault.sock"
@@ -951,6 +954,7 @@ listener "unix" {
 					RedactAddresses:       true,
 					RedactClusterName:     true,
 					RedactVersion:         true,
 					DisableRequestLimiter: true,
 				},
 				{
 					Type:              "unix",
--- a/command/server/test-fixtures/config3.hcl
+++ b/command/server/test-fixtures/config3.hcl
@@ -13,6 +13,7 @@ cluster_addr = "top_level_cluster_addr"
 listener "tcp" {
  address = "127.0.0.1:443"
  chroot_namespace="admin/"
  disable_request_limiter = false
 }
 backend "consul" {
--- a/http/handler.go
+++ b/http/handler.go
@@ -263,6 +263,10 @@ func handler(props *vault.HandlerProperties) http.Handler {
 		wrappedHandler = disableReplicationStatusEndpointWrapping(wrappedHandler)
 	}
 	if props.ListenerConfig != nil && props.ListenerConfig.DisableRequestLimiter {
 		wrappedHandler = wrapRequestLimiterHandler(wrappedHandler, props)
 	}
 	return wrappedHandler
 }
@@ -910,6 +914,15 @@ func forwardRequest(core *vault.Core, w http.ResponseWriter, r *http.Request) {
 }
 func acquireLimiterListener(core *vault.Core, rawReq *http.Request, r *logical.Request) (*limits.RequestListener, bool) {
 	var disable bool
 	disableRequestLimiter := rawReq.Context().Value(logical.CtxKeyDisableRequestLimiter{})
 	if disableRequestLimiter != nil {
 		disable = disableRequestLimiter.(bool)
 	}
 	if disable {
 		return &limits.RequestListener{}, true
 	}
 	lim := &limits.RequestLimiter{}
 	if r.PathLimited {
 		lim = core.GetRequestLimiter(limits.SpecialPathLimiter)
--- a/http/util.go
+++ b/http/util.go
@@ -43,6 +43,19 @@ func wrapMaxRequestSizeHandler(handler http.Handler, props *vault.HandlerPropert
 	})
 }
 func wrapRequestLimiterHandler(handler http.Handler, props *vault.HandlerProperties) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		request := r.WithContext(
 			context.WithValue(
 				r.Context(),
 				logical.CtxKeyDisableRequestLimiter{},
 				props.ListenerConfig.DisableRequestLimiter,
 			),
 		)
 		handler.ServeHTTP(w, request)
 	})
 }
 func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ns, err := namespace.FromContext(r.Context())
--- a/internalshared/configutil/listener.go
+++ b/internalshared/configutil/listener.go
@@ -143,6 +143,10 @@ type Listener struct {
 	// DisableReplicationStatusEndpoint disables the unauthenticated replication status endpoints
 	DisableReplicationStatusEndpointsRaw interface{} `hcl:"disable_replication_status_endpoints"`
 	DisableReplicationStatusEndpoints    bool        `hcl:"-"`
 	// DisableRequestLimiter allows per-listener disabling of the Request Limiter.
 	DisableRequestLimiterRaw any  `hcl:"disable_request_limiter"`
 	DisableRequestLimiter    bool `hcl:"-"`
 }
 // AgentAPI allows users to select which parts of the Agent API they want enabled.
@@ -257,6 +261,7 @@ func parseListener(item *ast.ObjectItem) (*Listener, error) {
 		l.parseChrootNamespaceSettings,
 		l.parseRedactionSettings,
 		l.parseDisableReplicationStatusEndpointSettings,
 		l.parseDisableRequestLimiter,
 	} {
 		err := parser()
 		if err != nil {
@@ -370,6 +375,17 @@ func (l *Listener) parseDisableReplicationStatusEndpointSettings() error {
 	return nil
 }
 // parseDisableRequestLimiter attempts to parse the raw disable_request_limiter
 // setting. The receiving Listener's DisableRequestLimiter field will be set
 // with the successfully parsed value or return an error
 func (l *Listener) parseDisableRequestLimiter() error {
 	if err := parseAndClearBool(&l.DisableRequestLimiterRaw, &l.DisableRequestLimiter); err != nil {
 		return fmt.Errorf("invalid value for disable_request_limiter: %w", err)
 	}
 	return nil
 }
 // parseChrootNamespace attempts to parse the raw listener chroot namespace settings.
 // The state of the listener will be modified, raw data will be cleared upon
 // successful parsing.
@@ -446,6 +462,10 @@ func (l *Listener) parseRequestSettings() error {
 		return fmt.Errorf("invalid value for require_request_header: %w", err)
 	}
 	if err := parseAndClearBool(&l.DisableRequestLimiterRaw, &l.DisableRequestLimiter); err != nil {
 		return fmt.Errorf("invalid value for disable_request_limiter: %w", err)
 	}
 	return nil
 }
--- a/internalshared/configutil/listener_test.go
+++ b/internalshared/configutil/listener_test.go
@@ -181,14 +181,16 @@ func TestListener_parseRequestSettings(t *testing.T) {
 	t.Parallel()
 	tests := map[string]struct {
-		rawMaxRequestSize            any
+		rawMaxRequestSize             any
-		expectedMaxRequestSize       int64
+		expectedMaxRequestSize        int64
-		rawMaxRequestDuration        any
+		rawMaxRequestDuration         any
-		expectedDuration             time.Duration
+		expectedDuration              time.Duration
-		rawRequireRequestHeader      any
+		rawRequireRequestHeader       any
-		expectedRequireRequestHeader bool
+		expectedRequireRequestHeader  bool
-		isErrorExpected              bool
+		rawDisableRequestLimiter      any
-		errorMessage                 string
+		expectedDisableRequestLimiter bool
 		isErrorExpected               bool
 		errorMessage                  string
 	}{
 		"nil": {
 			isErrorExpected: false,
@@ -224,6 +226,17 @@ func TestListener_parseRequestSettings(t *testing.T) {
 			expectedRequireRequestHeader: true,
 			isErrorExpected:              false,
 		},
 		"disable-request-limiter-bad": {
 			rawDisableRequestLimiter:      "badvalue",
 			expectedDisableRequestLimiter: false,
 			isErrorExpected:               true,
 			errorMessage:                  "invalid value for disable_request_limiter",
 		},
 		"disable-request-limiter-good": {
 			rawDisableRequestLimiter:      "true",
 			expectedDisableRequestLimiter: true,
 			isErrorExpected:               false,
 		},
 	}
 	for name, tc := range tests {
@@ -234,9 +247,10 @@ func TestListener_parseRequestSettings(t *testing.T) {
 			// Configure listener with raw values
 			l := &Listener{
-				MaxRequestSizeRaw:       tc.rawMaxRequestSize,
+				MaxRequestSizeRaw:        tc.rawMaxRequestSize,
-				MaxRequestDurationRaw:   tc.rawMaxRequestDuration,
+				MaxRequestDurationRaw:    tc.rawMaxRequestDuration,
-				RequireRequestHeaderRaw: tc.rawRequireRequestHeader,
+				RequireRequestHeaderRaw:  tc.rawRequireRequestHeader,
 				DisableRequestLimiterRaw: tc.rawDisableRequestLimiter,
 			}
 			err := l.parseRequestSettings()
@@ -251,11 +265,13 @@ func TestListener_parseRequestSettings(t *testing.T) {
 				require.Equal(t, tc.expectedMaxRequestSize, l.MaxRequestSize)
 				require.Equal(t, tc.expectedDuration, l.MaxRequestDuration)
 				require.Equal(t, tc.expectedRequireRequestHeader, l.RequireRequestHeader)
 				require.Equal(t, tc.expectedDisableRequestLimiter, l.DisableRequestLimiter)
 				// Ensure the state was modified for the raw values.
 				require.Nil(t, l.MaxRequestSizeRaw)
 				require.Nil(t, l.MaxRequestDurationRaw)
 				require.Nil(t, l.RequireRequestHeaderRaw)
 				require.Nil(t, l.DisableRequestLimiterRaw)
 			}
 		})
 	}
--- a/sdk/logical/request.go
+++ b/sdk/logical/request.go
@@ -543,3 +543,9 @@ func ContextOriginalBodyValue(ctx context.Context) (io.ReadCloser, bool) {
 func CreateContextOriginalBody(parent context.Context, body io.ReadCloser) context.Context {
 	return context.WithValue(parent, ctxKeyOriginalBody{}, body)
 }
 type CtxKeyDisableRequestLimiter struct{}
 func (c CtxKeyDisableRequestLimiter) String() string {
 	return "disable_request_limiter"
 }