envoyproxy · ccaraman · Sep 23, 2016 · Sep 22, 2016 · Sep 22, 2016 · Sep 22, 2016
diff --git a/docs/configuration/http_conn_man/route_config/route.rst b/docs/configuration/http_conn_man/route_config/route.rst
@@ -153,14 +153,20 @@ Global rate limit :ref:`architecture overview <arch_overview_rate_limit>`.
 .. code-block:: json
 
   {
-    "global": "..."
+    "global": "...",
+    "route_key": "..."
   }
 
 global
   *(optional, boolean)* Specifies whether the global rate limit service should be called for a
   request that matches this route. This information is used by the :ref:`rate limit filter
   <config_http_filters_rate_limit>` if it is installed. Defaults to false if not specified.
 
+route_key
+  *(optional, string)* Specifies a descriptor value to be used when rate limiting for a route.
+  This information is used by :ref:`rate limit filter
+  <config_http_filters_rate_limit>` if it is installed.
+
 .. _config_http_conn_man_route_table_route_shadow:
 
 Shadow

diff --git a/docs/configuration/http_filters/rate_limit_filter.rst b/docs/configuration/http_filters/rate_limit_filter.rst
@@ -40,8 +40,8 @@ Actions
   }
 
 type
-  *(required, string) The type of rate limit action to perform. The currently supported action
-  type is *service_to_service*.
+  *(required, string)* The type of rate limit action to perform. The currently supported action
+  types are *service_to_service* and *request_headers*.
 
 Service to service
 ^^^^^^^^^^^^^^^^^^
@@ -60,6 +60,33 @@ The following descriptors are sent:
 
 <local service cluster> is derived from the :option:`--service-cluster` option.
 
+Request Headers
+^^^^^^^^^^^^^^^
+
+.. code-block:: json
+
+  {
+    "type": "request_headers",
+    "header_name": "...",
+    "descriptor_key" : "..."
+  }
+
+header_name
+  *(required, string)* The header name to be queried from the request headers and used to
+  populate the descriptor value for the *descriptor_key*.
+
+descriptor_key
+  *(required, string)* The key to use in the descriptor.
+
+The following descriptor is sent when a header contains a key that matches the *header_name*:
+
+  * ("<descriptor_key>", "<header_value_queried_from_header>")
+
+If *route_key* is set in the :ref:`route <config_http_conn_man_route_table_route_rate_limit>`, the following
+descriptor is sent as well:
+
+  * ("route_key", "<route_key>"), ("<descriptor_key>", "<header_value_queried_from_header>")
+
 Statistics
 ----------
 

diff --git a/include/envoy/router/router.h b/include/envoy/router/router.h
@@ -90,6 +90,11 @@ class RateLimitPolicy {
    * @return whether the global rate limiting service should be called for the owning route.
    */
   virtual bool doGlobalLimiting() const PURE;
+
+  /**
+   * @return the rate limit key for a service, if it exists.
+   */
+  virtual const std::string& routeKey() const PURE;
 };
 
 /**

diff --git a/source/common/http/async_client_impl.h b/source/common/http/async_client_impl.h
@@ -61,6 +61,7 @@ class AsyncRequestImpl final : public AsyncClient::Request,
   struct NullRateLimitPolicy : public Router::RateLimitPolicy {
     // Router::RateLimitPolicy
     bool doGlobalLimiting() const override { return false; }
+    const std::string& routeKey() const override { return EMPTY_STRING; }
   };
 
   struct NullRetryPolicy : public Router::RetryPolicy {

diff --git a/source/common/http/filter/ratelimit.cc b/source/common/http/filter/ratelimit.cc
@@ -16,7 +16,7 @@ const Http::HeaderMapImpl Filter::TOO_MANY_REQUESTS_HEADER{
 
 void ServiceToServiceAction::populateDescriptors(const Router::RouteEntry& route,
                                                  std::vector<::RateLimit::Descriptor>& descriptors,
-                                                 FilterConfig& config) {
+                                                 FilterConfig& config, const HeaderMap&) {
   // We limit on 2 dimensions.
   // 1) All calls to the given cluster.
   // 2) Calls to the given cluster and from this cluster.
@@ -26,6 +26,24 @@ void ServiceToServiceAction::populateDescriptors(const Router::RouteEntry& route
       {{{"to_cluster", route.clusterName()}, {"from_cluster", config.localServiceCluster()}}});
 }
 
+void RequestHeadersAction::populateDescriptors(const Router::RouteEntry& route,
+                                               std::vector<::RateLimit::Descriptor>& descriptors,
+                                               FilterConfig&, const HeaderMap& headers) {
+  std::string header_value = headers.get(header_name_);
+  if (header_value.empty()) {
+    return;
+  }
+
+  descriptors.push_back({{{descriptor_key_, header_value}}});
+
+  std::string route_key = route.rateLimitPolicy().routeKey();
+  if (route_key.empty()) {
+    return;
+  }
+
+  descriptors.push_back({{{"route_key", route_key}, {descriptor_key_, header_value}}});
+}
+
 FilterConfig::FilterConfig(const Json::Object& config, const std::string& local_service_cluster,
                            Stats::Store& stats_store, Runtime::Loader& runtime)
     : domain_(config.getString("domain")), local_service_cluster_(local_service_cluster),
@@ -34,6 +52,8 @@ FilterConfig::FilterConfig(const Json::Object& config, const std::string& local_
     std::string type = action.getString("type");
     if (type == "service_to_service") {
       actions_.emplace_back(new ServiceToServiceAction());
+    } else if (type == "request_headers") {
+      actions_.emplace_back(new RequestHeadersAction(action));
     } else {
       throw EnvoyException(fmt::format("unknown http rate limit filter action '{}'", type));
     }
@@ -49,7 +69,7 @@ FilterHeadersStatus Filter::decodeHeaders(HeaderMap& headers, bool) {
   if (route && route->rateLimitPolicy().doGlobalLimiting()) {
     std::vector<::RateLimit::Descriptor> descriptors;
     for (const ActionPtr& action : config_->actions()) {
-      action->populateDescriptors(*route, descriptors, *config_);
+      action->populateDescriptors(*route, descriptors, *config_, headers);
     }
 
     if (!descriptors.empty()) {

diff --git a/source/common/http/filter/ratelimit.h b/source/common/http/filter/ratelimit.h
@@ -27,7 +27,7 @@ class Action {
    */
   virtual void populateDescriptors(const Router::RouteEntry& route,
                                    std::vector<::RateLimit::Descriptor>& descriptors,
-                                   FilterConfig& config) PURE;
+                                   FilterConfig& config, const HeaderMap& headers) PURE;
 };
 
 typedef std::unique_ptr<Action> ActionPtr;
@@ -39,10 +39,27 @@ class ServiceToServiceAction : public Action {
 public:
   // Action
   void populateDescriptors(const Router::RouteEntry& route,
-                           std::vector<::RateLimit::Descriptor>& descriptors,
-                           FilterConfig& config) override;
+                           std::vector<::RateLimit::Descriptor>& descriptors, FilterConfig& config,
+                           const HeaderMap&) override;
 };
 
+/**
+ * Action for request headers rate limiting.
+ */
+class RequestHeadersAction : public Action {
+public:
+  RequestHeadersAction(const Json::Object& action)
+      : header_name_(action.getString("header_name")),
+        descriptor_key_(action.getString("descriptor_key")) {}
+  // Action
+  void populateDescriptors(const Router::RouteEntry& route,
+                           std::vector<::RateLimit::Descriptor>& descriptors, FilterConfig& config,
+                           const HeaderMap& headers) override;
+
+private:
+  const LowerCaseString header_name_;
+  const std::string descriptor_key_;
+};
 /**
  * Global configuration for the HTTP rate limit filter.
  */

diff --git a/source/common/router/config_impl.cc b/source/common/router/config_impl.cc
@@ -28,14 +28,6 @@ RetryPolicyImpl::RetryPolicyImpl(const Json::Object& config) {
   retry_on_ = RetryStateImpl::parseRetryOn(config.getObject("retry_policy").getString("retry_on"));
 }
 
-RateLimitPolicyImpl::RateLimitPolicyImpl(const Json::Object& config) {
-  if (!config.hasObject("rate_limit")) {
-    return;
-  }
-
-  do_global_limiting_ = config.getObject("rate_limit").getBoolean("global", false);
-}
-
 ShadowPolicyImpl::ShadowPolicyImpl(const Json::Object& config) {
   if (!config.hasObject("shadow")) {
     return;

diff --git a/source/common/router/config_impl.h b/source/common/router/config_impl.h
@@ -122,13 +122,19 @@ class RetryPolicyImpl : public RetryPolicy {
  */
 class RateLimitPolicyImpl : public RateLimitPolicy {
 public:
-  RateLimitPolicyImpl(const Json::Object& config);
+  RateLimitPolicyImpl(const Json::Object& config)
+      : do_global_limiting_(config.getObject("rate_limit", true).getBoolean("global", false)),
+        route_key_(config.getObject("rate_limit", true).getString("route_key", "")) {}
 
   // Router::RateLimitPolicy
   bool doGlobalLimiting() const override { return do_global_limiting_; }
 
+  // Router::RateLimitPolicy
+  const std::string& routeKey() const override { return route_key_; }
+
 private:
-  bool do_global_limiting_{};
+  const bool do_global_limiting_;
+  const std::string route_key_;
 };
 
 /**