Scheduler rate limit functionality #1611
Conversation
* main: Fix robot test (#1420) Use the correct clearance level variable in organization member list template (#1427) Fix translation in Debian package (#1432) Reschedule tasks when no results in bytes are found after grace period (#1410) Don't scan hostname nmap in nmap boefje (#1415) Add and use our own CVE API (#1383) Add `task_id` as a query parameter to the `GET /origins` endpoint (#1414) Remove member group checks and check for permission instead (#1275) Bump cryptography from 41.0.0 to 41.0.2 in /boefjes/boefjes/plugins/kat_ssl_certificates (#1396) Bump cryptography from 41.0.1 to 41.0.2 in /bytes (#1397) Build the Debian build image on the main branch (#1387) Add explicit `black` config to all modules (#1395) Fix <no title> in the user guide docs (#1391) Add configurable octpoes request timeout (#1382) Remove hardcoded clearance level in member list for superusers (#1390) Add Debian build depends for CVE API package (#1384) Add buttons to manual rerun tasks, both boefjes or normalizers (#1339) Use fix multiprocessing bug on macOS where `qsize()` is not implemented (#1374)
* main: Create new filters for findings (#1293) Add Question OOI form rendering on the object detail page (#1408) Upgrade certifi (#1462) Default scan level filter to 0 (#1463) Remove some unused config options, and set better defaults for others (#1428) Remove unnecessary dependency on ipaddress package (#1448) Translations for release 1.11 - EN -> NL, PAP (#1439)
* main: Add sectxt dependency (#1610) Refactor environment settings, names, and documentation (#1517) Add pipeline to check if there are new translation strings (#1606) Translations update from Hosted Weblate (#1604) Update scheduler documentation (#1476) Add community install/update scripts (#1309) Bump actions/checkout from 1 to 3 (#1598) Run docker-compose pull in make pull (#1585) Configure github actions in dependabot (#1594) fix many ports open normalizer (#1592) Fix human-readable name for ImageMetadata (#1558) Upgrade FastAPI (#1576) OOI Detail page: Remember page position after clicking the "show inheritance" link (#1590) Fix `rstcheck` hook (#1584)
|
@ammar92 I've implemented cross-organisational support would you mind taking a look? |
|
Originally posted at #1413 (review), but still valid: As far as I understand, the rate limiter is a property of the In larger deployments, API keys such as for Shodan will likely be shared by multiple KAT organisations. How do we implement rate limiting for that scenario? |
I've updated the code so that the rate limiter memory is now on the application level. The identifier of the rate limiter can then be formatted with a key for instance so that it will be shared across multiple organisations. |
* main: Use 127.0.0.1 for RabbitMQ in install script (#1644) Remove environment variables from container docs (#1645) Feature/report generation timeout (#1640) Add reverse DNS boefje (#1579) Add first version of new normalisers runner design (#1538) Fix `poetry-dependencies` target in Makefile (#1627) Upgrade OpenTelemetry (#1626) Remove finding types from rocky/OOI_database_seed.json (#1619) Feature: Add task detail pages and show objects yielded by normalizer (#1506) Update django-admin-auto-tests (#1617) Update GitHub Actions (#1618) Updated cryptography (#1615) Improve filter by muted findings on findings page (#1595) Redteamer can now acknowledge clearance level during onboarding (#1549) Do not add line information in `.po` files (#1616) Add TLS Cipher checks (#1381)
This also means that we should probably include both 'shodan' and the actual key in the 'group' to make sure we don't limit shodan requests across the whole install even though we might have multiple keys available. |
| # Get the identifier for the rate limiter | ||
| identifier_template = rate_limit.identifier | ||
| environment = Environment(loader=BaseLoader()) | ||
| identifier = environment.from_string(identifier_template).render(task=task) |
There was a problem hiding this comment.
I feel like using Jinja here is probably too much of a good thing. Woudn't fstring be more than capable enough?
There was a problem hiding this comment.
I think the main reason was to give more flexibility to the user to construct a rate limit identifier that can use the information embedded in the task.
@ammar92 am I correct in that assumption?
Changes
This PR adds rate-limiting capabilities to the scheduler for tasks. Boefjes that are subject to rate limiting (defined in the boefje manifest) are being tracked by an in-memory rate limiter leveraging the package limits. When a task is subject to a rate-limit it will get the
DELAYEDstatus and will be postponed until it is allowed again. A thread will check for delayed tasks and put them on the queue when they're ready.This will expect some changes in the katalogus mainly exposing a grouping/namespacing on which to rate limit and the parseable rate limit.
Issue link
Closes #1317
Processess
For a boefje scheduler when a task gets created it will get check whether the boefje is rate limited or not:
flowchart TD A[Task Creation] --> B{is_task_rate_limited} B -->|Yes| C[set Task to status <br>DELAYED] B ---->|No| E[End]Checking if a task is rate limited:
graph TD A[Start] --> B{rate_limit is None?} B -- Yes --> C[Return False] B -- No --> D{Try to parse rate_limit} D --> E{parsed_rate_limit is None?} E -- Yes --> F[Raise ValueError] E -- No --> G[Lock rate_limiter] G --> H[Get identifier_template] H --> I[Render identifier from template] I --> J[Test rate_limiter with identifier] J --> K{can_consume?} K -- No --> L[Return True] K -- Yes --> M{hit?} M -- Yes --> N[Hit rate_limiter] N --> O[Return False] M -- No --> O D --> P[Caught ValueError] P --> Q[Log warning] Q --> R[Raise exc]Within the boefje scheduler a new process (
push_tasks_for_delayed_tasks) is running next to:This
push_tasks_for_delayed_tasksmethod gets all tasks that have the status ofDELAYED. And will be checked whether or not task can be pushed onto the queue.