From fd9dffdc6a68668d1ab10c74dd7140948cdc09fd Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Thu, 8 Oct 2020 15:32:16 +0000
Subject: [PATCH] Add HTTP local rate limiter (#13395)
Signed-off-by: Raul Gutierrez Segales
Mirrored from https://github.com/envoyproxy/envoy @ 5d12b675fe13747bc716859275c2d3c21004e99f
---
 BUILD | 1 +
 .../filters/http/local_ratelimit/v3/BUILD | 13 ++++
 .../local_ratelimit/v3/local_rate_limit.proto | 70 +++++++++++++++++++
 versioning/BUILD | 1 +
 4 files changed, 85 insertions(+)
 create mode 100644 envoy/extensions/filters/http/local_ratelimit/v3/BUILD
 create mode 100644 envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto
diff --git a/BUILD b/BUILD
index 79b2194f..b13a579d 100644
--- a/BUILD
+++ b/BUILD
@@ -190,6 +190,7 @@ proto_library(
 "//envoy/extensions/filters/http/health_check/v3:pkg",
 "//envoy/extensions/filters/http/ip_tagging/v3:pkg",
 "//envoy/extensions/filters/http/jwt_authn/v3:pkg",
+ "//envoy/extensions/filters/http/local_ratelimit/v3:pkg",
 "//envoy/extensions/filters/http/lua/v3:pkg",
 "//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
 "//envoy/extensions/filters/http/on_demand/v3:pkg",
diff --git a/envoy/extensions/filters/http/local_ratelimit/v3/BUILD b/envoy/extensions/filters/http/local_ratelimit/v3/BUILD
new file mode 100644
index 00000000..ad2fc9a9
--- /dev/null
+++ b/envoy/extensions/filters/http/local_ratelimit/v3/BUILD
@@ -0,0 +1,13 @@ +# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py. + +load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package") + +licenses(["notice"]) # Apache 2 + +api_proto_package( + deps = [ + "//envoy/config/core/v3:pkg", + "//envoy/type/v3:pkg", + "@com_github_cncf_udpa//udpa/annotations:pkg", + ], +)
diff --git a/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto b/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto
new file mode 100644
index 00000000..94f21edd
--- /dev/null
+++ b/envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto 
@@ -0,0 +1,70 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.local_ratelimit.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/type/v3/http_status.proto";
+import "envoy/type/v3/token_bucket.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.local_ratelimit.v3";
+option java_outer_classname = "LocalRateLimitProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Local Rate limit]
+// Local Rate limit :ref:`configuration overview `.
+// [#extension: envoy.filters.http.local_ratelimit]
+
+// [#next-free-field: 7]
+message LocalRateLimit {
+ // The human readable prefix to use when emitting stats.
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // This field allows for a custom HTTP response status code to the downstream client when
+ // the request has been rate limited.
+ // Defaults to 429 (TooManyRequests).
+ //
+ // .. note::
+ // If this is set to < 400, 429 will be used instead.
+ type.v3.HttpStatus status = 2;
+
+ // The token bucket configuration to use for rate limiting requests that are processed by this
+ // filter. Each request processed by the filter consumes a single token. If the token is available,
+ // the request will be allowed. If no tokens are available, the request will receive the configured
+ // rate limit status.
+ //
+ // .. note::
+ // It's fine for the token bucket to be unset for the global configuration since the rate limit
+ // can be applied at a the virtual host or route level. Thus, the token bucket must be set
+ // for the per route configuration otherwise the config will be rejected.
+ //
+ // .. note::
+ // When using per route configuration, the bucket becomes unique to that route.
+ //
+ // .. note::
+ // In the current implementation the token bucket's :ref:`fill_interval
+ // ` must be >= 50ms to avoid too aggressive
+ // refills.
+ type.v3.TokenBucket token_bucket = 3;
+
+ // If set, this will enable -- but not necessarily enforce -- the rate limit for the given
+ // fraction of requests.
+ // Defaults to 0% of requests for safety.
+ config.core.v3.RuntimeFractionalPercent filter_enabled = 4;
+
+ // If set, this will enforce the rate limit decisions for the given fraction of requests.
+ //
+ // Note: this only applies to the fraction of enabled requests.
+ //
+ // Defaults to 0% of requests for safety.
+ config.core.v3.RuntimeFractionalPercent filter_enforced = 5;
+
+ // Specifies a list of HTTP headers that should be added to each response for requests that
+ // have been rate limited.
+ repeated config.core.v3.HeaderValueOption response_headers_to_add = 6
+ [(validate.rules).repeated = {max_items: 10}];
+}
diff --git a/versioning/BUILD b/versioning/BUILD
index 9abb9f09..d5a15436 100644
--- a/versioning/BUILD
+++ b/versioning/BUILD
@@ -73,6 +73,7 @@ proto_library(
 "//envoy/extensions/filters/http/health_check/v3:pkg",
 "//envoy/extensions/filters/http/ip_tagging/v3:pkg",
 "//envoy/extensions/filters/http/jwt_authn/v3:pkg",
+ "//envoy/extensions/filters/http/local_ratelimit/v3:pkg",
 "//envoy/extensions/filters/http/lua/v3:pkg",
 "//envoy/extensions/filters/http/oauth2/v3alpha:pkg",
 "//envoy/extensions/filters/http/on_demand/v3:pkg",
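Review bot: The comment on `token_bucket` in `LocalRateLimit` reads as if configuring a bucket is enough to limit traffic, but `filter_enabled` and `filter_enforced` both default to 0%, so a config that sets only `stat_prefix` and `token_bucket` passes validation and, going by these comments, rejects nothing. Operators who deploy this filter as protection against request floods need that stated where the bucket is described; I would add to the `token_bucket` comment a note such as `// .. note:: No request is rejected unless filter_enabled and filter_enforced are both set to a non-zero fraction.` The `fill_interval >= 50ms` requirement is likewise only documented, with no rule on the field in this schema, so presumably the filter checks it when the config is loaded; that code is outside this patch and worth confirming. The same comment block also has a typo, `at a the virtual host`.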