Create request limits middleware

Author: John Luo

AspNetCore.sln

@@ -1610,6 +1610,12 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "WebviewAppShared", "src\Com
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "TestStartupAssembly1", "src\Hosting\test\testassets\TestStartupAssembly1\TestStartupAssembly1.csproj", "{262FF30C-34B4-462D-B5E2-0DABB9196E40}"
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "RequestLimiter", "RequestLimiter", "{74BD81EC-1CE2-42F1-9588-F3812ECF73FD}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "Microsoft.AspNetCore.RequestLimiter", "src\Middleware\RequestLimiter\src\Microsoft.AspNetCore.RequestLimiter.csproj", "{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "RequestLimiterSample", "src\Middleware\RequestLimiter\sample\RequestLimiterSample.csproj", "{1F7135AE-40D4-4A92-9473-8EB38F56526A}"
+EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Spa", "Spa", "{0A064174-8E5C-4F97-B941-A4E302661DF2}"
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "SpaProxy", "SpaProxy", "{5AC2A052-1D4F-4C2F-BCF5-3F07A3E31857}"
@@ -7665,6 +7671,30 @@ Global
 		{262FF30C-34B4-462D-B5E2-0DABB9196E40}.Release|x64.Build.0 = Release|Any CPU
 		{262FF30C-34B4-462D-B5E2-0DABB9196E40}.Release|x86.ActiveCfg = Release|Any CPU
 		{262FF30C-34B4-462D-B5E2-0DABB9196E40}.Release|x86.Build.0 = Release|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Debug|x64.Build.0 = Debug|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Debug|x86.Build.0 = Debug|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Release|Any CPU.Build.0 = Release|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Release|x64.ActiveCfg = Release|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Release|x64.Build.0 = Release|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Release|x86.ActiveCfg = Release|Any CPU
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03}.Release|x86.Build.0 = Release|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Debug|x64.Build.0 = Debug|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Debug|x86.Build.0 = Debug|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Release|Any CPU.Build.0 = Release|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Release|x64.ActiveCfg = Release|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Release|x64.Build.0 = Release|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Release|x86.ActiveCfg = Release|Any CPU
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A}.Release|x86.Build.0 = Release|Any CPU
 		{0DBACF8E-2EDB-47FC-B998-B76522637B2E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{0DBACF8E-2EDB-47FC-B998-B76522637B2E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{0DBACF8E-2EDB-47FC-B998-B76522637B2E}.Debug|x64.ActiveCfg = Debug|Any CPU
@@ -8594,6 +8624,9 @@ Global
 		{036C6BDA-7B69-4E8C-A921-822DA5972A56} = {94D0D6F3-8632-41DE-908B-47A787D570FF}
 		{64C3BAC8-C4F8-466A-9E84-0400EE54B25A} = {D3B76F4E-A980-45BF-AEA1-EA3175B0B5A1}
 		{262FF30C-34B4-462D-B5E2-0DABB9196E40} = {C1409A8F-555A-4A88-B803-C6D3E8B6C3B0}
+		{74BD81EC-1CE2-42F1-9588-F3812ECF73FD} = {E5963C9F-20A6-4385-B364-814D2581FADF}
+		{B5616C0A-5D0A-4099-B08E-971FE0B4BA03} = {74BD81EC-1CE2-42F1-9588-F3812ECF73FD}
+		{1F7135AE-40D4-4A92-9473-8EB38F56526A} = {74BD81EC-1CE2-42F1-9588-F3812ECF73FD}
 		{0A064174-8E5C-4F97-B941-A4E302661DF2} = {E5963C9F-20A6-4385-B364-814D2581FADF}
 		{5AC2A052-1D4F-4C2F-BCF5-3F07A3E31857} = {0A064174-8E5C-4F97-B941-A4E302661DF2}
 		{0DBACF8E-2EDB-47FC-B998-B76522637B2E} = {5AC2A052-1D4F-4C2F-BCF5-3F07A3E31857}

src/Middleware/RequestLimiter/RequestLimiter.slnf

@@ -0,0 +1,23 @@
+{
+  "solution": {
+    "path": "..\\..\\..\\AspNetCore.sln",
+    "projects": [
+      "src\\Hosting\\Abstractions\\src\\Microsoft.AspNetCore.Hosting.Abstractions.csproj",
+      "src\\Hosting\\Hosting\\src\\Microsoft.AspNetCore.Hosting.csproj",
+      "src\\Hosting\\Server.Abstractions\\src\\Microsoft.AspNetCore.Hosting.Server.Abstractions.csproj",
+      "src\\Http\\Http.Abstractions\\src\\Microsoft.AspNetCore.Http.Abstractions.csproj",
+      "src\\Http\\Http.Extensions\\src\\Microsoft.AspNetCore.Http.Extensions.csproj",
+      "src\\Http\\Http.Features\\src\\Microsoft.AspNetCore.Http.Features.csproj",
+      "src\\Http\\WebUtilities\\src\\Microsoft.AspNetCore.WebUtilities.csproj",
+      "src\\Servers\\Connections.Abstractions\\src\\Microsoft.AspNetCore.Connections.Abstractions.csproj",
+      "src\\Servers\\Kestrel\\Core\\src\\Microsoft.AspNetCore.Server.Kestrel.Core.csproj",
+      "src\\Servers\\Kestrel\\Kestrel\\src\\Microsoft.AspNetCore.Server.Kestrel.csproj",
+      "src\\Servers\\Kestrel\\Transport.Sockets\\src\\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.csproj",
+      "src\\http\\Headers\\src\\Microsoft.Net.Http.Headers.csproj",
+      "src\\http\\http\\src\\Microsoft.AspNetCore.Http.csproj",
+      "src\\Middleware\\RequestLimiter\\sample\\RequestLimiterSample.csproj",
+      "src\\Middleware\\RequestLimiter\\src\\Microsoft.AspNetCore.RequestLimiter.csproj",
+      "src\\Middleware\\HttpsPolicy\\src\\Microsoft.AspNetCore.HttpsPolicy.csproj"
+    ]
+  }
+}

src/Middleware/RequestLimiter/sample/Controllers/HomeController.cs

@@ -0,0 +1,19 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.RequestLimiter;
+
+namespace RequestLimiterSample
+{
+    [RequestLimit(requestPerSecond: 10)]
+    public class HomeController : Controller
+    {
+        [RequestLimit("rate")]
+        public IActionResult Index()
+        {
+            return View();
+        }
+    }
+}

src/Middleware/RequestLimiter/sample/Program.cs

@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.Extensions.Hosting;
+
+namespace RateLimiterSample
+{
+    public class Program
+    {
+        public static void Main(string[] args)
+        {
+            CreateHostBuilder(args).Build().Run();
+        }
+
+        public static IHostBuilder CreateHostBuilder(string[] args) =>
+            Host.CreateDefaultBuilder(args)
+                .ConfigureWebHost(webBuilder =>
+                {
+                    webBuilder.UseStartup<Startup>();
+                });
+    }
+}

src/Middleware/RequestLimiter/sample/RequestLimiterSample.csproj

@@ -0,0 +1,22 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>$(DefaultNetCoreTargetFramework)</TargetFramework>
+    <NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile>
+    <GenerateRazorAssemblyInfo>false</GenerateRazorAssemblyInfo>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <Reference Include="Microsoft.AspNetCore" />
+    <Reference Include="Microsoft.AspNetCore.Mvc" />
+    <Reference Include="Microsoft.AspNetCore.Mvc.Abstractions" />
+    <Reference Include="Microsoft.AspNetCore.Mvc.Core" />
+    <Reference Include="Microsoft.AspNetCore.Mvc.ViewFeatures" />
+    <Reference Include="Microsoft.AspNetCore.RequestLimiter" />
+    <Reference Include="Microsoft.AspNetCore.Routing" />
+    <Reference Include="Microsoft.AspNetCore.Server.Kestrel" />
+    <Reference Include="Microsoft.Extensions.Logging.Console" />
+    <Reference Include="System.Threading.ResourceLimits" />
+  </ItemGroup>
+
+</Project>

src/Middleware/RequestLimiter/sample/Startup.cs

@@ -0,0 +1,94 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
+
+using System.Threading.ResourceLimits;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.RequestLimiter;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging;
+
+namespace RateLimiterSample
+{
+    public class Startup
+    {
+        // This method gets called by the runtime. Use this method to add services to the container.
+        // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
+        public void ConfigureServices(IServiceCollection services)
+        {
+            services.AddControllersWithViews();
+            services.AddSingleton(new IPAggregatedRateLimiter(2, 2));
+            services.AddSingleton(new RateLimiter(2, 2));
+
+            services.AddRequestLimiter(options =>
+            {
+                options.SetDefaultPolicy(new ConcurrencyLimiter(100));
+                // TODO: Consider a policy builder
+                // TODO: Support combining/composing policies
+                options.AddPolicy("concurrency", policy =>
+                {
+                    // Add instance
+                    policy.AddLimiter(new ConcurrencyLimiter(1));
+                });
+                options.AddPolicy("rate", policy =>
+                {
+                    // Add from DI
+                    policy.AddLimiter<RateLimiter>();
+                });
+            });
+        }
+
+        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
+        public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILogger<Startup> logger)
+        {
+            app.UseRouting();
+
+            app.UseRateLimiter();
+
+            app.UseEndpoints(endpoints =>
+            {
+                endpoints.MapGet("/defaultPolicy", async context =>
+                {
+                    await Task.Delay(5000);
+                    await context.Response.WriteAsync("Default!");
+                }).EnforceLimit();
+
+                endpoints.MapGet("/instance", async context =>
+                {
+                    await Task.Delay(5000);
+                    await context.Response.WriteAsync("Hello World!");
+                }).EnforceLimit(new RateLimiter(2, 2));
+
+                endpoints.MapGet("/concurrentPolicy", async context =>
+                {
+                    await Task.Delay(5000);
+                    await context.Response.WriteAsync("Wrote!");
+                }).EnforceLimit("concurrency");
+
+                endpoints.MapGet("/adhoc", async context =>
+                {
+                    await Task.Delay(5000);
+                    await context.Response.WriteAsync("Tested!");
+                }).EnforceLimit(requestPerSecond: 2);
+
+                endpoints.MapGet("/ipFromDI", async context =>
+                {
+                    await Task.Delay(5000);
+                    await context.Response.WriteAsync("IP limited!");
+                }).EnforceAggregatedLimit<IPAggregatedRateLimiter>();
+
+                endpoints.MapGet("/multiple", async context =>
+                {
+                    await Task.Delay(5000);
+                    await context.Response.WriteAsync("IP limited!");
+                }).EnforceLimit("concurrency").EnforceLimit("rate");
+
+                endpoints.MapControllerRoute(
+                    name: "default",
+                    pattern: "{controller=Home}/{action=Index}/{id?}");
+            });
+        }
+    }
+}

src/Middleware/RequestLimiter/sample/appsettings.Development.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft": "Information",
+      "Microsoft.Hosting.Lifetime": "Information"
+    }
+  }
+}

src/Middleware/RequestLimiter/sample/appsettings.json

@@ -0,0 +1,10 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft": "Information",
+      "Microsoft.Hosting.Lifetime": "Information"
+    }
+  },
+  "AllowedHosts": "*"
+}

src/Middleware/RequestLimiter/src/IPAggregatedRateLimiter.cs

@@ -0,0 +1,129 @@
+using System;
+using System.Collections.Concurrent;
+using System.Diagnostics.CodeAnalysis;
+using System.Net;
+using System.Threading;
+using System.Threading.ResourceLimits;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+
+namespace Microsoft.AspNetCore.RequestLimiter
+{
+    public class IPAggregatedRateLimiter : AggregatedResourceLimiter<HttpContext>
+    {
+        private long _resourceCount;
+        private readonly long _maxResourceCount;
+        private readonly long _newResourcePerSecond;
+
+        private Timer _renewTimer;
+        // This is racy
+        private ConcurrentDictionary<IPAddress, long> _cache = new ConcurrentDictionary<IPAddress, long>();
+
+        public IPAggregatedRateLimiter(long resourceCount, long newResourcePerSecond)
+        {
+            _resourceCount = resourceCount;
+            _maxResourceCount = resourceCount;
+            _newResourcePerSecond = newResourcePerSecond;
+
+            // Start timer (5s for demo)
+            _renewTimer = new Timer(Replenish, this, TimeSpan.FromSeconds(5), TimeSpan.FromSeconds(5));
+        }
+
+        public override long EstimatedCount(HttpContext resourceId)
+        {
+            if (resourceId.Connection.RemoteIpAddress == null)
+            {
+                // Unknown IP?
+                return 0;
+            }
+
+            return _cache.TryGetValue(resourceId.Connection.RemoteIpAddress, out var count) ? count : 0;
+        }
+
+        public override bool TryAcquire(HttpContext resourceId, long requestedCount, [NotNullWhen(true)] out Resource? resource)
+        {
+            resource = Resource.NoopResource;
+            if (requestedCount > _maxResourceCount)
+            {
+                return false;
+            }
+
+            if (resourceId.Connection.RemoteIpAddress == null)
+            {
+                return true;
+            }
+
+            var key = resourceId.Connection.RemoteIpAddress;
+
+            if (!_cache.TryGetValue(key, out var count))
+            {
+                if (_cache.TryAdd(key, requestedCount))
+                {
+                    return true;
+                }
+            }
+
+            while (true)
+            {
+                var newCount = count + requestedCount;
+                if (_cache.TryUpdate(key, count + requestedCount, count))
+                {
+                    if (newCount > _maxResourceCount)
+                    {
+                        return false;
+                    }
+
+                    return true;
+                }
+                if (!_cache.TryGetValue(key, out count))
+                {
+                    if (_cache.TryAdd(key, requestedCount))
+                    {
+                        return true;
+                    }
+                }
+            }
+        }
+
+        public override ValueTask<Resource> AcquireAsync(HttpContext resourceId, long requestedCount, CancellationToken cancellationToken = default)
+        {
+            throw new NotImplementedException();
+        }
+
+        private static void Replenish(object? state)
+        {
+            // Return if Replenish already running to avoid concurrency.
+            var limiter = state as IPAggregatedRateLimiter;
+
+            if (limiter == null)
+            {
+                return;
+            }
+
+            var cache = limiter._cache;
+
+            foreach (var entry in cache)
+            {
+                if (entry.Value < limiter._newResourcePerSecond)
+                {
+                    if (cache.TryRemove(entry))
+                    {
+                        continue;
+                    }
+                }
+
+                while (true)
+                {
+                    if (!cache.TryGetValue(entry.Key, out var newCount))
+                    {
+                        break;
+                    }
+                    if (cache.TryUpdate(entry.Key, Math.Max(0, newCount - limiter._newResourcePerSecond), newCount))
+                    {
+                        break;
+                    }
+                }
+            }
+        }
+    }
+}