address typecheck and lint errors

This commit is contained in:
pat-s 2024-05-08 23:49:22 +02:00
parent cc0b0e7d4f
commit 92473f08fe
No known key found for this signature in database
GPG key ID: 3C6318841EF78925
2 changed files with 40 additions and 11 deletions

View file

@ -70,6 +70,21 @@ func NewAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache
} }
} }
acmeClientOrderLimit, err := equalizer.NewTokenBucket(25, 15*time.Minute)
if err != nil {
log.Fatal().Err(err).Msg("error creating token bucket")
}
acmeClientRequestLimit, err := equalizer.NewTokenBucket(5, 1*time.Second)
if err != nil {
log.Fatal().Err(err).Msg("error creating token bucket")
}
acmeClientFailLimit, err := equalizer.NewTokenBucket(5, 1*time.Hour)
if err != nil {
log.Fatal().Err(err).Msg("error creating token bucket")
}
return &AcmeClient{ return &AcmeClient{
legoClient: acmeClient, legoClient: acmeClient,
dnsChallengerLegoClient: mainDomainAcmeClient, dnsChallengerLegoClient: mainDomainAcmeClient,
@ -82,11 +97,11 @@ func NewAcmeClient(cfg config.ACMEConfig, enableHTTPServer bool, challengeCache
// rate limit is 300 / 3 hours, we want 200 / 2 hours but to refill more often, so that's 25 new domains every 15 minutes // rate limit is 300 / 3 hours, we want 200 / 2 hours but to refill more often, so that's 25 new domains every 15 minutes
// TODO: when this is used a lot, we probably have to think of a somewhat better solution? // TODO: when this is used a lot, we probably have to think of a somewhat better solution?
acmeClientOrderLimit: equalizer.NewTokenBucket(25, 15*time.Minute), acmeClientOrderLimit: acmeClientOrderLimit,
// rate limit is 20 / second, we want 5 / second (especially as one cert takes at least two requests) // rate limit is 20 / second, we want 5 / second (especially as one cert takes at least two requests)
acmeClientRequestLimit: equalizer.NewTokenBucket(5, 1*time.Second), acmeClientRequestLimit: acmeClientRequestLimit,
// rate limit is 5 / hour https://letsencrypt.org/docs/failed-validation-limit/ // rate limit is 5 / hour https://letsencrypt.org/docs/failed-validation-limit/
acmeClientFailLimit: equalizer.NewTokenBucket(5, 1*time.Hour), acmeClientFailLimit: acmeClientFailLimit,
// checkUserLimit() use this to rate also per user // checkUserLimit() use this to rate also per user
acmeClientCertificateLimitPerUser: map[string]*equalizer.TokenBucket{}, acmeClientCertificateLimitPerUser: map[string]*equalizer.TokenBucket{},
}, nil }, nil

View file

@ -161,10 +161,10 @@ func (c *AcmeClient) checkUserLimit(user string) error {
userLimit, ok := c.acmeClientCertificateLimitPerUser[user] userLimit, ok := c.acmeClientCertificateLimitPerUser[user]
if !ok { if !ok {
// Each user can only add 10 new domains per day. // Each user can only add 10 new domains per day.
userLimit = equalizer.NewTokenBucket(10, time.Hour*24) userLimit, _ = equalizer.NewTokenBucket(10, time.Hour*24)
c.acmeClientCertificateLimitPerUser[user] = userLimit c.acmeClientCertificateLimitPerUser[user] = userLimit
} }
if !userLimit.Ask() { if !userLimit.TryAcquire() {
return fmt.Errorf("user '%s' error: %w", user, ErrUserRateLimitExceeded) return fmt.Errorf("user '%s' error: %w", user, ErrUserRateLimitExceeded)
} }
return nil return nil
@ -243,16 +243,21 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
// request actual cert // request actual cert
var res *certificate.Resource var res *certificate.Resource
var err error var err error
ctx := context.Background()
if renew != nil && renew.CertURL != "" { if renew != nil && renew.CertURL != "" {
if c.acmeUseRateLimits { if c.acmeUseRateLimits {
c.acmeClientRequestLimit.Take() err = c.acmeClientFailLimit.Acquire(ctx)
if err != nil {
log.Error().Err(err).Msg("Failed to acquire fail limit")
}
} }
log.Debug().Msgf("Renewing certificate for: %v", domains) log.Debug().Msgf("Renewing certificate for: %v", domains)
res, err = acmeClient.Certificate.Renew(*renew, true, false, "") res, err = acmeClient.Certificate.Renew(*renew, true, false, "")
if err != nil { if err != nil {
log.Error().Err(err).Msgf("Couldn't renew certificate for %v, trying to request a new one", domains) log.Error().Err(err).Msgf("Couldn't renew certificate for %v, trying to request a new one", domains)
if c.acmeUseRateLimits { err = c.acmeClientOrderLimit.Acquire(ctx)
c.acmeClientFailLimit.Take() if err != nil {
log.Error().Err(err).Msg("Failed to acquire order limit")
} }
res = nil res = nil
} }
@ -265,8 +270,14 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
} }
if c.acmeUseRateLimits { if c.acmeUseRateLimits {
c.acmeClientOrderLimit.Take() err = c.acmeClientOrderLimit.Acquire(ctx)
c.acmeClientRequestLimit.Take() if err != nil {
log.Error().Err(err).Msg("Failed to acquire order limit")
}
err = c.acmeClientRequestLimit.Acquire(ctx)
if err != nil {
log.Error().Err(err).Msg("Failed to acquire request limit")
}
} }
log.Debug().Msgf("Re-requesting new certificate for %v", domains) log.Debug().Msgf("Re-requesting new certificate for %v", domains)
res, err = acmeClient.Certificate.Obtain(certificate.ObtainRequest{ res, err = acmeClient.Certificate.Obtain(certificate.ObtainRequest{
@ -275,7 +286,10 @@ func (c *AcmeClient) obtainCert(acmeClient *lego.Client, domains []string, renew
MustStaple: false, MustStaple: false,
}) })
if c.acmeUseRateLimits && err != nil { if c.acmeUseRateLimits && err != nil {
c.acmeClientFailLimit.Take() err = c.acmeClientFailLimit.Acquire(ctx)
if err != nil {
log.Error().Err(err).Msg("Failed to acquire fail limit")
}
} }
} }
if err != nil { if err != nil {