Merge branch '5.2' into 5.x

javiereguiluz · javiereguiluz · commit e43d5415cd6f · 2021-04-21T10:08:17.000+02:00
* 5.2:
  Minor rewords
  [RateLimiter][Security] More precisely document advanced rate limiter configuration
diff --git a/cache.rst b/cache.rst
@@ -183,6 +183,8 @@ will create pools with service IDs that follow the pattern ``cache.[type]``.
             ],
         ]);
 
+.. _cache-create-pools:
+
 Creating Custom (Namespaced) Pools
 ----------------------------------
 
diff --git a/lock.rst b/lock.rst
@@ -228,6 +228,8 @@ processes asking for the same ``$version``::
         }
     }
 
+.. _lock-named-locks:
+
 Named Lock
 ----------
 
diff --git a/rate_limiter.rst b/rate_limiter.rst
@@ -124,20 +124,74 @@ Configuration
 The following example creates two different rate limiters for an API service, to
 enforce different levels of service (free or paid):
 
-.. code-block:: yaml
-
-    # config/packages/rate_limiter.yaml
-    framework:
-        rate_limiter:
-            anonymous_api:
-                # use 'sliding_window' if you prefer that policy
-                policy: 'fixed_window'
-                limit: 100
-                interval: '60 minutes'
-            authenticated_api:
-                policy: 'token_bucket'
-                limit: 5000
-                rate: { interval: '15 minutes', amount: 500 }
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/rate_limiter.yaml
+        framework:
+            rate_limiter:
+                anonymous_api:
+                    # use 'sliding_window' if you prefer that policy
+                    policy: 'fixed_window'
+                    limit: 100
+                    interval: '60 minutes'
+                authenticated_api:
+                    policy: 'token_bucket'
+                    limit: 5000
+                    rate: { interval: '15 minutes', amount: 500 }
+
+    .. code-block:: xml
+
+        <!-- config/packages/rate_limiter.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony
+                https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <framework:rate-limiter>
+                    <!-- policy: use 'sliding_window' if you prefer that policy -->
+                    <framework:limiter name="anonymous_api"
+                        policy="fixed_window"
+                        limit="100"
+                        interval="60 minutes"
+                    />
+
+                    <framework:limiter name="authenticated_api"
+                        policy="token_bucket"
+                        limit="5000"
+                    >
+                        <framework:rate interval="15 minutes"
+                            amount="500"
+                        />
+                    </framework:limiter>
+                </framework:rate-limiter>
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/rate_limiter.php
+        $container->loadFromExtension('framework', [
+            rate_limiter' => [
+                'anonymous_api' => [
+                    // use 'sliding_window' if you prefer that policy
+                    'policy' => 'fixed_window',
+                    'limit' => 100,
+                    'interval' => '60 minutes',
+                ],
+                'authenticated_api' => [
+                    'policy' => 'token_bucket',
+                    'limit' => 5000,
+                    'rate' => [ 'interval' =>  '15 minutes', 'amount' =>  500 ],
+                ],
+            ],
+        ]);
 
 .. note::
 
@@ -302,30 +356,147 @@ the :class:`Symfony\\Component\\RateLimiter\\Reservation` object returned by the
         }
     }
 
-Rate Limiter Storage and Locking
---------------------------------
+Storing Rate Limiter State
+--------------------------
+
+All rate limiter policies require to store their state(e.g. how many hits were
+already made in the current time window). By default, all limiters use the
+``cache.rate_limiter`` cache pool created with the :doc:`Cache component </cache>`.
+
+Use the ``cache_pool`` option to override the cache used by a specific limiter
+(or even :ref:`create a new cache pool <cache-create-pools>` for it):
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/rate_limiter.yaml
+        framework:
+            rate_limiter:
+                anonymous_api:
+                    # ...
+
+                    # use the "cache.anonymous_rate_limiter" cache pool
+                    cache_pool: 'cache.anonymous_rate_limiter'
+
+    .. code-block:: xml
+
+        <!-- config/packages/rate_limiter.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony
+                https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <framework:rate-limiter>
+                    <!-- cache-pool: use the "cache.anonymous_rate_limiter" cache pool -->
+                    <framework:limiter name="anonymous_api"
+                        policy="fixed_window"
+                        limit="100"
+                        interval="60 minutes"
+                        cache-pool="cache.anonymous_rate_limiter"
+                    />
+
+                    <!-- ... ->
+                </framework:rate-limiter>
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/rate_limiter.php
+        $container->loadFromExtension('framework', [
+            rate_limiter' => [
+                'anonymous_api' => [
+                    // ...
+
+                    // use the "cache.anonymous_rate_limiter" cache pool
+                    'cache_pool' => 'cache.anonymous_rate_limiter',
+                ],
+            ],
+        ]);
 
-Rate limiters use the default cache and locking mechanisms defined in your
-Symfony application. If you prefer to change that, use the ``lock_factory`` and
-``storage_service`` options:
-
-.. code-block:: yaml
+.. note::
 
-    # config/packages/rate_limiter.yaml
-    framework:
-        rate_limiter:
-            anonymous_api_limiter:
-                # ...
-                # the value is the name of any cache pool defined in your application
-                cache_pool: 'app.redis_cache'
-                # or define a service implementing StorageInterface to use a different
-                # mechanism to store the limiter information
-                storage_service: 'App\RateLimiter\CustomRedisStorage'
-                # the value is the name of any lock defined in your application
-                lock_factory: 'app.rate_limiter_lock'
+    Instead of using the Cache component, you can also implement a custom
+    storage. Create a PHP class that implements the
+    :class:`Symfony\\Component\\RateLimiter\\Storage\\StorageInterface` and
+    use the ``storage_service`` setting of each limiter to the service ID
+    of this class.
+
+Using Locks to Prevent Race Conditions
+--------------------------------------
+
+`Race conditions`_ can happen when the same rate limiter is used by multiple
+simultaneous requests (e.g. three servers of a company hitting your API at the
+same time). Rate limiters use :doc:`locks </lock>` to protect their operations
+against these race conditions.
+
+By default, Symfony uses the global lock configured by ``framework.lock``), but
+you can use a specific :ref:`named lock <lock-named-locks>` via the
+``lock_factory`` option:
+
+.. configuration-block::
+
+    .. code-block:: yaml
+
+        # config/packages/rate_limiter.yaml
+        framework:
+            rate_limiter:
+                anonymous_api:
+                    # ...
+
+                    # use the "lock.rate_limiter.factory" for this limiter
+                    lock_factory: 'lock.rate_limiter.factory'
+
+    .. code-block:: xml
+
+        <!-- config/packages/rate_limiter.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <container xmlns="http://symfony.com/schema/dic/services"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xmlns:framework="http://symfony.com/schema/dic/symfony"
+            xsi:schemaLocation="http://symfony.com/schema/dic/services
+                https://symfony.com/schema/dic/services/services-1.0.xsd
+                http://symfony.com/schema/dic/symfony
+                https://symfony.com/schema/dic/symfony/symfony-1.0.xsd">
+
+            <framework:config>
+                <framework:rate-limiter>
+                    <!-- limiter-factory: use the "lock.rate_limiter.factory" for this limiter -->
+                    <framework:limiter name="anonymous_api"
+                        policy="fixed_window"
+                        limit="100"
+                        interval="60 minutes"
+                        lock-factory="lock.rate_limiter.factory"
+                    />
+
+                    <!-- ... -->
+                </framework:rate-limiter>
+            </framework:config>
+        </container>
+
+    .. code-block:: php
+
+        // config/packages/rate_limiter.php
+        $container->loadFromExtension('framework', [
+            rate_limiter' => [
+                'anonymous_api' => [
+                    // ...
+
+                    // use the "lock.rate_limiter.factory" for this limiter
+                    'lock_factory' => 'lock.rate_limiter.factory',
+                ],
+            ],
+        ]);
 
 .. _`DoS attacks`: https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html
 .. _`Apache mod_ratelimit`: https://httpd.apache.org/docs/current/mod/mod_ratelimit.html
 .. _`NGINX rate limiting`: https://www.nginx.com/blog/rate-limiting-nginx/
 .. _`token bucket algorithm`: https://en.wikipedia.org/wiki/Token_bucket
 .. _`PHP date relative formats`: https://www.php.net/datetime.formats.relative
+.. _`Race conditions`: https://en.wikipedia.org/wiki/Race_condition
diff --git a/security.rst b/security.rst

Original file line number	Diff line number	Diff line change
@@ -228,6 +228,8 @@ processes asking for the same ``$version``::
`228`	`228`	`}`
`229`	`229`	`}`
`230`	`230`
	`231`	`+.. _lock-named-locks:`
	`232`	`+`
`231`	`233`	`Named Lock`
`232`	`234`	`----------`
`233`	`235`