Add per-IP rate limiting and Unix socket support for gRPC admin API

Rate limiting: per-source-IP connection rate limiter in the firewall layer with configurable limit and sliding window. Blocklisted IPs are rejected before rate limit evaluation to avoid wasting quota. Unix socket: the gRPC admin API can now listen on a Unix domain socket (no TLS required), secured by file permissions (0600), as a simpler alternative for local-only access. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 14:37:21 -07:00
parent e84093b7fb
commit b25e1b0e79
16 changed files with 694 additions and 43 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"os"
+	"strings"
 	"time"

 	"github.com/pelletier/go-toml/v2"
@@ -44,6 +45,8 @@ type Firewall struct {
 	BlockedIPs       []string `toml:"blocked_ips"`
 	BlockedCIDRs     []string `toml:"blocked_cidrs"`
 	BlockedCountries []string `toml:"blocked_countries"`
+	RateLimit        int64    `toml:"rate_limit"`
+	RateWindow       Duration `toml:"rate_window"`
 }

 type Proxy struct {
@@ -61,6 +64,18 @@ type Duration struct {
 	time.Duration
 }

+// IsUnixSocket returns true if the gRPC address refers to a Unix domain socket.
+func (g GRPC) IsUnixSocket() bool {
+	path := strings.TrimPrefix(g.Addr, "unix:")
+	return strings.Contains(path, "/")
+}
+
+// SocketPath returns the filesystem path for a Unix socket address,
+// stripping any "unix:" prefix.
+func (g GRPC) SocketPath() string {
+	return strings.TrimPrefix(g.Addr, "unix:")
+}
+
 func (d *Duration) UnmarshalText(text []byte) error {
 	var err error
 	d.Duration, err = time.ParseDuration(string(text))
@@ -114,5 +129,34 @@ func (c *Config) validate() error {
 		return fmt.Errorf("firewall: geoip_db is required when blocked_countries is set")
 	}

+	if c.Firewall.RateLimit < 0 {
+		return fmt.Errorf("firewall.rate_limit must not be negative")
+	}
+	if c.Firewall.RateWindow.Duration < 0 {
+		return fmt.Errorf("firewall.rate_window must not be negative")
+	}
+	if c.Firewall.RateLimit > 0 && c.Firewall.RateWindow.Duration == 0 {
+		return fmt.Errorf("firewall.rate_window is required when rate_limit is set")
+	}
+
+	// Validate gRPC config: if enabled, TLS cert and key are required
+	// (unless using a Unix socket, which doesn't need TLS).
+	if c.GRPC.Addr != "" && !c.GRPC.IsUnixSocket() {
+		if c.GRPC.TLSCert == "" || c.GRPC.TLSKey == "" {
+			return fmt.Errorf("grpc: tls_cert and tls_key are required when grpc.addr is a TCP address")
+		}
+	}
+
+	// Validate timeouts are non-negative.
+	if c.Proxy.ConnectTimeout.Duration < 0 {
+		return fmt.Errorf("proxy.connect_timeout must not be negative")
+	}
+	if c.Proxy.IdleTimeout.Duration < 0 {
+		return fmt.Errorf("proxy.idle_timeout must not be negative")
+	}
+	if c.Proxy.ShutdownTimeout.Duration < 0 {
+		return fmt.Errorf("proxy.shutdown_timeout must not be negative")
+	}
+
 	return nil
 }
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -195,6 +195,113 @@ addr = ":8443"
 	}
 }

+func TestGRPCIsUnixSocket(t *testing.T) {
+	tests := []struct {
+		addr string
+		want bool
+	}{
+		{"/var/run/mc-proxy.sock", true},
+		{"unix:/var/run/mc-proxy.sock", true},
+		{"127.0.0.1:9090", false},
+		{":9090", false},
+		{"", false},
+	}
+	for _, tt := range tests {
+		g := GRPC{Addr: tt.addr}
+		if got := g.IsUnixSocket(); got != tt.want {
+			t.Fatalf("IsUnixSocket(%q) = %v, want %v", tt.addr, got, tt.want)
+		}
+	}
+}
+
+func TestValidateGRPCUnixNoTLS(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.toml")
+
+	data := `
+[database]
+path = "/tmp/test.db"
+
+[grpc]
+addr = "/var/run/mc-proxy.sock"
+`
+	if err := os.WriteFile(path, []byte(data), 0600); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+
+	_, err := Load(path)
+	if err != nil {
+		t.Fatalf("expected Unix socket without TLS to be valid, got: %v", err)
+	}
+}
+
+func TestValidateGRPCTCPRequiresTLS(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.toml")
+
+	data := `
+[database]
+path = "/tmp/test.db"
+
+[grpc]
+addr = "127.0.0.1:9090"
+`
+	if err := os.WriteFile(path, []byte(data), 0600); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+
+	_, err := Load(path)
+	if err == nil {
+		t.Fatal("expected error for TCP gRPC addr without TLS certs")
+	}
+}
+
+func TestValidateRateLimitRequiresWindow(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.toml")
+
+	data := `
+[database]
+path = "/tmp/test.db"
+
+[firewall]
+rate_limit = 100
+`
+	if err := os.WriteFile(path, []byte(data), 0600); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+
+	_, err := Load(path)
+	if err == nil {
+		t.Fatal("expected error for rate_limit without rate_window")
+	}
+}
+
+func TestValidateRateLimitWithWindow(t *testing.T) {
+	dir := t.TempDir()
+	path := filepath.Join(dir, "test.toml")
+
+	data := `
+[database]
+path = "/tmp/test.db"
+
+[firewall]
+rate_limit = 100
+rate_window = "1m"
+`
+	if err := os.WriteFile(path, []byte(data), 0600); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+
+	cfg, err := Load(path)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if cfg.Firewall.RateLimit != 100 {
+		t.Fatalf("got rate_limit %d, want 100", cfg.Firewall.RateLimit)
+	}
+}
+
 func TestDuration(t *testing.T) {
 	var d Duration
 	if err := d.UnmarshalText([]byte("5s")); err != nil {