df2f4c70c9
Some checks failed
CI/CD Pipeline / Code Format (push) Successful in 3s
CI/CD Pipeline / Clippy Lints (push) Successful in 45s
CI/CD Pipeline / All Unit Tests (push) Successful in 1m24s
CI/CD Pipeline / Security Audit (push) Successful in 4s
CI/CD Pipeline / Enrollment Tests (push) Successful in 1m14s
CI/CD Pipeline / Build Debian Package (Ubuntu 22.04) (push) Failing after 4s
CI/CD Pipeline / Verify Enrollment CLI Flag (push) Successful in 1m0s
CI/CD Pipeline / Build Debian Package (push) Failing after 5s
CI/CD Pipeline / Build Arch Package (push) Successful in 2m24s
CI/CD Pipeline / Build RPM Package (push) Successful in 2m15s
CI/CD Pipeline / Build Alpine Package (push) Failing after 3m19s
- Add custom RateLimitMiddleware using governor crate for per-IP rate limiting - Two-tier rate limiting: destructive (20 req/min, burst 10) and read (120 req/min, burst 30) - Health endpoints (/health, /api/v1/system/info) exempt from rate limiting - Add max_queue_depth to JobManager (default: 100, configurable via config.yaml) - Return 429 Too Many Requests with Retry-After header when queue is full - Add RateLimitConfig to config.yaml with all rate limit settings - Add 10 tests covering rate limiting, queue depth, and configuration defaults Co-authored-by: git-echo <git-echo@moon-dragon.us>
59 lines
2.3 KiB
Rust
59 lines
2.3 KiB
Rust
//! API Routes Configuration
|
|
//!
|
|
//! Aggregates all endpoint routes and configures the Actix-web application.
|
|
//! Rate limiting is applied at the App level in main.rs using actix-governor
|
|
//! with method-based filtering:
|
|
//! - **Read tier** (120 req/min, burst 30): GET methods
|
|
//! - **Destructive tier** (20 req/min, burst 10): POST/PUT/DELETE methods
|
|
//! - **Health exempt**: /health, /api/v1/system/info (health-exempt routes)
|
|
|
|
use actix_web::{web, HttpResponse};
|
|
use tracing::info;
|
|
|
|
use crate::jobs::manager::JobManager;
|
|
use crate::packages::cache::PackageCacheState;
|
|
|
|
use super::handlers::{jobs, packages, patches, system, websocket};
|
|
|
|
/// Default service handler for unsupported HTTP methods (VULN-005)
|
|
/// Returns 405 Method Not Allowed instead of 404 for known endpoints
|
|
async fn method_not_allowed() -> HttpResponse {
|
|
HttpResponse::MethodNotAllowed()
|
|
.insert_header(("Allow", "GET, POST, PUT, DELETE"))
|
|
.finish()
|
|
}
|
|
|
|
/// Configure all API routes for the application
|
|
pub fn configure_api_routes(
|
|
cfg: &mut web::ServiceConfig,
|
|
job_manager: web::Data<JobManager>,
|
|
backend: web::Data<Box<dyn crate::packages::PackageManagerBackend>>,
|
|
cache_state: web::Data<PackageCacheState>,
|
|
) {
|
|
info!("Configuring API v1 routes");
|
|
|
|
// Health-exempt endpoint: /api/v1/system/info is registered separately
|
|
// so it can bypass rate limiting applied at the App level
|
|
cfg.service(web::resource("/api/v1/system/info").route(web::get().to(system::get_system_info)));
|
|
|
|
cfg.app_data(job_manager)
|
|
.app_data(backend)
|
|
.app_data(cache_state)
|
|
.service(
|
|
web::scope("/api/v1")
|
|
// VULN-005: Default handler for unsupported methods returns 405 instead of 404
|
|
.default_service(web::route().to(method_not_allowed))
|
|
.configure(packages::configure_routes)
|
|
.configure(patches::configure_routes)
|
|
.configure(system::configure_routes)
|
|
.configure(jobs::configure_routes)
|
|
.configure(websocket::configure_routes),
|
|
);
|
|
}
|
|
|
|
/// Health check route (outside API scope for load balancer checks)
|
|
/// Note: backend and cache_state are injected via app_data registered in main.rs
|
|
pub fn configure_health_route(cfg: &mut web::ServiceConfig) {
|
|
cfg.route("/health", web::get().to(system::health_check));
|
|
}
|