Rate Limiting Policy does not work as expected

[OSMOSA44]

Apiman Version

ALL

Apiman Manager Distro

WildFly

Apiman Gateway Distro

WildFly

Java Version

ALL

Operating System

Ubuntu

Are you running Apiman in a container, or on an orchestration platform?

Docker / Podman

Describe the bug

Hi,

https://www.apiman.io/apiman-docs/user-guide/latest/gateway/policies/rate-limiting-policy.html

Rate Limiting Policy does not work as expected when filtering by API,

The counter is not global for the API,

There is a specific counter create for each couple of Client/API declared,

We cannot protect an API Endpoint whatever the client the request comes from

Expected behaviour

If the Rate Limiting Policy sets 10 Request / API / Hour
I expect only 10 Request per Hour to the backend whatever the number of clients contracting this api

Actual behaviour

If the Rate Limiting Policy sets 10 Request / API / Hour
each client contracting this api can make 10 request per hour

How to Reproduce

• Create an API with a Rate Limiting Policy setting 10 Request / API / Hour
• Create a contract with this api from 2 clients

Relevant log output

No response

Anything else?

No response

[volkflo]

I am able to reproduce this behavior.
In general I think we also have problems with the other 'granularity' options.
I guess this also affects the transfer-quota policy.

The buckets key is created like this:

apiman/gateway/engine/policies/src/main/java/io/apiman/gateway/engine/policies/limiting/BucketFactory.java

Lines 54 to 89 in 46ab5e7

	// Have a fully valid contract in this branch.
	ApiContract contract = context.getContract();
	Client client = contract.getClient();
	String apiKey = client.getApiKey();
	builder.append(apiKey);
	if (config.getGranularity() == RateLimitingGranularity.User) {
	String user = context.getUserSupplier().get();
	if (user == null) {
	return NO_USER_AVAILABLE;
	} else {
	builder.append("||USER||"); //$NON-NLS-1$
	builder.append(client.getOrganizationId());
	builder.append("||"); //$NON-NLS-1$
	builder.append(client.getClientId());
	builder.append("||"); //$NON-NLS-1$
	builder.append(user);
	}
	} else if (config.getGranularity() == RateLimitingGranularity.Client) {
	builder.append(apiKey);
	builder.append("||APP||"); //$NON-NLS-1$
	builder.append(client.getOrganizationId());
	builder.append("||"); //$NON-NLS-1$
	builder.append(client.getClientId());
	} else if (config.getGranularity() == RateLimitingGranularity.Ip) {
	builder.append(apiKey);
	builder.append("||IP||"); //$NON-NLS-1$
	builder.append(client.getOrganizationId());
	builder.append("||"); //$NON-NLS-1$
	builder.append(context.getRemoteAddr());
	} else {
	builder.append(apiKey);
	builder.append("||SERVICE||"); //$NON-NLS-1$
	builder.append(api.getOrganizationId());
	builder.append("||"); //$NON-NLS-1$
	builder.append(api.getApiId());
	}

@msavy Maybe this is for historic reasons but some conditions look wrong to me.
In L58 the apikey is added for all conditions so limits apply always per client (e.g user/client) and not global.

This only affects private APIs, its working as expected for public APIs

[msavy]

I will try to roll it into work I'm doing for a future release. Thanks