Feature: handle rate limiting of UAA server. Fixes #1307

Lokowandtg · Lokowandtg · commit 7728153030ed · 2025-12-17T19:37:57.000+01:00
diff --git a/README.md b/README.md
@@ -297,6 +297,7 @@ Name | Description
 `TEST_PROXY_PORT` | _(Optional)_ The port of a proxy to route all requests through. Defaults to `8080`.
 `TEST_PROXY_USERNAME` | _(Optional)_ The username for a proxy to route all requests through
 `TEST_SKIPSSLVALIDATION` | _(Optional)_ Whether to skip SSL validation when connecting to the Cloud Foundry instance.  Defaults to `false`.
+`UAA_API_REQUEST_LIMIT` | _(Optional)_ If your UAA server does rate limiting and returns 429 errors, set this variable to the smallest limit configured there. Whether your server limits UAA calls is shown in the log, together with the location of the configuration file on the server. Defaults to `0` (no limit).
 
 If you do not have access to a CloudFoundry instance with admin access, you can run one locally using [bosh-deployment](https://github.com/cloudfoundry/bosh-deployment) & [cf-deployment](https://github.com/cloudfoundry/cf-deployment/) and Virtualbox.
 
diff --git a/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/ReactorRatelimit.java b/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/ReactorRatelimit.java
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2013-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.reactor.uaa;
+
+import java.util.Map;
+import org.cloudfoundry.reactor.ConnectionContext;
+import org.cloudfoundry.reactor.TokenProvider;
+import org.cloudfoundry.uaa.ratelimit.Ratelimit;
+import org.cloudfoundry.uaa.ratelimit.RatelimitRequest;
+import org.cloudfoundry.uaa.ratelimit.RatelimitResponse;
+import reactor.core.publisher.Mono;
+
+public final class ReactorRatelimit extends AbstractUaaOperations implements Ratelimit {
+
+    /**
+     * Creates an instance
+     *
+     * @param connectionContext the {@link ConnectionContext} to use when communicating with the server
+     * @param root              the root URI of the server. Typically something like {@code https://uaa.run.pivotal.io}.
+     * @param tokenProvider     the {@link TokenProvider} to use when communicating with the server
+     * @param requestTags       map with custom http headers which will be added to web request
+     */
+    public ReactorRatelimit(
+            ConnectionContext connectionContext,
+            Mono<String> root,
+            TokenProvider tokenProvider,
+            Map<String, String> requestTags) {
+        super(connectionContext, root, tokenProvider, requestTags);
+    }
+
+    @Override
+    public Mono<RatelimitResponse> getRatelimit(RatelimitRequest request) {
+        return get(
+                        request,
+                        RatelimitResponse.class,
+                        builder -> builder.pathSegment("RateLimitingStatus"))
+                .checkpoint();
+    }
+}
diff --git a/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/_ReactorUaaClient.java b/cloudfoundry-client-reactor/src/main/java/org/cloudfoundry/reactor/uaa/_ReactorUaaClient.java
@@ -33,6 +33,7 @@
 import org.cloudfoundry.uaa.groups.Groups;
 import org.cloudfoundry.uaa.identityproviders.IdentityProviders;
 import org.cloudfoundry.uaa.identityzones.IdentityZones;
+import org.cloudfoundry.uaa.ratelimit.Ratelimit;
 import org.cloudfoundry.uaa.serverinformation.ServerInformation;
 import org.cloudfoundry.uaa.tokens.Tokens;
 import org.cloudfoundry.uaa.users.Users;
@@ -104,6 +105,12 @@ public Users users() {
         return new ReactorUsers(getConnectionContext(), getRoot(), getTokenProvider(), getRequestTags());
     }
 
+    @Override
+    @Value.Derived
+    public Ratelimit rateLimit() {
+        return new ReactorRatelimit(getConnectionContext(), getRoot(), getTokenProvider(), getRequestTags());
+    }
+
     /**
      * The connection context
      */
diff --git a/cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v3/serviceinstances/ReactorServiceInstancesV3Test.java b/cloudfoundry-client-reactor/src/test/java/org/cloudfoundry/reactor/client/v3/serviceinstances/ReactorServiceInstancesV3Test.java
diff --git a/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/UaaClient.java b/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/UaaClient.java
@@ -21,6 +21,7 @@
 import org.cloudfoundry.uaa.groups.Groups;
 import org.cloudfoundry.uaa.identityproviders.IdentityProviders;
 import org.cloudfoundry.uaa.identityzones.IdentityZones;
+import org.cloudfoundry.uaa.ratelimit.Ratelimit;
 import org.cloudfoundry.uaa.serverinformation.ServerInformation;
 import org.cloudfoundry.uaa.tokens.Tokens;
 import org.cloudfoundry.uaa.users.Users;
@@ -80,4 +81,9 @@ public interface UaaClient {
      * Main entry point to the UAA User Client API
      */
     Users users();
+
+    /**
+     * Main entry point to the UAA Ratelimit API
+     */
+    Ratelimit rateLimit();
 }
diff --git a/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/Ratelimit.java b/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/Ratelimit.java
@@ -0,0 +1,27 @@
+/*
+ * Copyright 2013-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.uaa.ratelimit;
+
+import reactor.core.publisher.Mono;
+
+/**
+ * Main entry point to the UAA Ratelimit Client API
+ */
+public interface Ratelimit {
+
+    Mono<RatelimitResponse> getRatelimit(RatelimitRequest request);
+}
diff --git a/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/_Current.java b/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/_Current.java
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2013-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.uaa.ratelimit;
+
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+
+import java.util.Date;
+
+import org.immutables.value.Value;
+
+/**
+ * The payload for the uaa ratelimiting
+ */
+@JsonDeserialize
+@Value.Immutable
+abstract class _Current {
+
+    /**
+     * The number of configured limiter mappings
+     */
+    @JsonProperty("limiterMappings")
+    abstract Integer getLimiterMappings();
+
+    /**
+     * Is ratelimit "ACTIVE" or not? Possible values are DISABLED, PENDING, ACTIVE
+     */
+    @JsonProperty("status")
+    abstract String getStatus();
+
+    /**
+     * Timestamp, when this Current was created.
+     */
+    @JsonProperty("asOf")
+    abstract Date getTimeOfCurrent();
+
+    /**
+     * The credentialIdExtractor
+     */
+    @JsonProperty("credentialIdExtractor")
+    abstract String getCredentialIdExtractor();
+
+    /**
+     * The loggingLevel. Valid values include: "OnlyLimited", "AllCalls" and "AllCallsWithDetails"
+     */
+    @JsonProperty("loggingLevel")
+    abstract String getLoggingLevel();
+}
diff --git a/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/_RatelimitRequest.java b/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/_RatelimitRequest.java
@@ -0,0 +1,24 @@
+/*
+ * Copyright 2013-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.uaa.ratelimit;
+
+import org.immutables.value.Value;
+
+@Value.Immutable
+abstract class _RatelimitRequest {
+
+}
diff --git a/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/_RatelimitResponse.java b/cloudfoundry-client/src/main/java/org/cloudfoundry/uaa/ratelimit/_RatelimitResponse.java
@@ -0,0 +1,36 @@
+/*
+ * Copyright 2013-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.cloudfoundry.uaa.ratelimit;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.cloudfoundry.Nullable;
+import org.immutables.value.Value;
+
+@JsonDeserialize
+@Value.Immutable
+abstract class _RatelimitResponse {
+
+    @JsonProperty("current")
+    @Nullable
+    abstract Current getCurrentData();
+
+    @JsonProperty("fromSource")
+    @Nullable
+    abstract String getFromSource();
+
+}
diff --git a/integration-test/src/test/java/org/cloudfoundry/IntegrationTestConfiguration.java b/integration-test/src/test/java/org/cloudfoundry/IntegrationTestConfiguration.java
@@ -73,6 +73,9 @@
 import org.cloudfoundry.uaa.groups.ListGroupsRequest;
 import org.cloudfoundry.uaa.groups.ListGroupsResponse;
 import org.cloudfoundry.uaa.groups.MemberType;
+import org.cloudfoundry.uaa.ratelimit.Current;
+import org.cloudfoundry.uaa.ratelimit.RatelimitRequest;
+import org.cloudfoundry.uaa.ratelimit.RatelimitResponse;
 import org.cloudfoundry.uaa.users.CreateUserRequest;
 import org.cloudfoundry.uaa.users.CreateUserResponse;
 import org.cloudfoundry.uaa.users.Email;
@@ -195,7 +198,8 @@ NetworkingClient adminNetworkingClient(
     UaaClient adminUaaClient(
             ConnectionContext connectionContext,
             @Value("${test.admin.clientId}") String clientId,
-            @Value("${test.admin.clientSecret}") String clientSecret) {
+            @Value("${test.admin.clientSecret}") String clientSecret,
+            int uaaLimiterMapping) {
         return new ThrottlingUaaClient(
                 ReactorUaaClient.builder()
                         .connectionContext(connectionContext)
@@ -204,7 +208,8 @@ UaaClient adminUaaClient(
                                         .clientId(clientId)
                                         .clientSecret(clientSecret)
                                         .build())
-                        .build());
+                        .build(),
+                uaaLimiterMapping);
     }
 
     @Bean(initMethod = "block")
@@ -244,6 +249,7 @@ String clientSecret(NameFactory nameFactory) {
     }
 
     @Bean
+    @DependsOn("uaaRatelimit")
     CloudFoundryCleaner cloudFoundryCleaner(
             @Qualifier("admin") CloudFoundryClient cloudFoundryClient,
             NameFactory nameFactory,
@@ -320,6 +326,54 @@ DefaultConnectionContext connectionContext(
         return connectionContext.build();
     }
 
+    @Bean
+    public Integer uaaLimiterMapping(
+            @Value("${uaa.api.request.limit:#{null}}") Integer environmentRequestLimit) {
+        return environmentRequestLimit;
+    }
+
+    @Bean
+    Boolean uaaRatelimit(
+            ConnectionContext connectionContext, @Qualifier("admin") UaaClient uaaClient) {
+        return uaaClient
+                .rateLimit()
+                .getRatelimit(RatelimitRequest.builder().build())
+                .map(response -> getServerRatelimit(response))
+                .timeout(Duration.ofSeconds(5))
+                .onErrorResume(
+                        ex -> {
+                            logger.error(
+                                    "Warning: could not fetch UAA rate limit, using default"
+                                            + " "
+                                            + 0
+                                            + ". Cause: "
+                                            + ex);
+                            return Mono.just(false);
+                        })
+                .block();
+    }
+
+    private Boolean getServerRatelimit(RatelimitResponse response) {
+        Current curr = response.getCurrentData();
+        if (!"ACTIVE".equals(curr.getStatus())) {
+            logger.debug(
+                    "UaaRatelimitInitializer server ratelimit is not 'ACTIVE', but "
+                            + curr.getStatus()
+                            + ". Ignoring server value for ratelimit.");
+            return false;
+        }
+        Integer result = curr.getLimiterMappings();
+        logger.info(
+                "Server uses uaa rate limiting. There are "
+                        + result
+                        + " mappings declared in file "
+                        + response.getFromSource());
+        logger.info(
+                "If you encounter 429 return codes, configure uaa rate limiting or set variable"
+                        + " 'UAA_API_REQUEST_LIMIT' to a save value.");
+        return true;
+    }
+
     @Bean
     DopplerClient dopplerClient(ConnectionContext connectionContext, TokenProvider tokenProvider) {
         return ReactorDopplerClient.builder()
@@ -644,12 +698,16 @@ PasswordGrantTokenProvider tokenProvider(
     }
 
     @Bean
-    UaaClient uaaClient(ConnectionContext connectionContext, TokenProvider tokenProvider) {
+    UaaClient uaaClient(
+            ConnectionContext connectionContext,
+            TokenProvider tokenProvider,
+            int uaaLimiterMapping) {
         return new ThrottlingUaaClient(
                 ReactorUaaClient.builder()
                         .connectionContext(connectionContext)
                         .tokenProvider(tokenProvider)
-                        .build());
+                        .build(),
+                uaaLimiterMapping);
     }
 
     @Bean(initMethod = "block")
diff --git a/integration-test/src/test/java/org/cloudfoundry/ThrottlingUaaClient.java b/integration-test/src/test/java/org/cloudfoundry/ThrottlingUaaClient.java
