feat: add limit-count sliding window for redis-cluster with tests

sihyeonn · sihyeonn · commit 03e41612bee4 · 2025-11-18T14:56:55.000+09:00
Signed-off-by: Sihyeon Jang &lt;sihyeon.jang@navercorp.com&gt;
diff --git a/apisix/plugins/limit-count/limit-count-redis-cluster.lua b/apisix/plugins/limit-count/limit-count-redis-cluster.lua
@@ -20,15 +20,15 @@ local core = require("apisix.core")
 local setmetatable = setmetatable
 local tostring = tostring
 
-local _M = {}
+local _M = {version = 0.2}
 
 
 local mt = {
     __index = _M
 }
 
 
-local script = core.string.compress_script([=[
+local script_fixed = core.string.compress_script([=[
     assert(tonumber(ARGV[3]) >= 1, "cost must be at least 1")
     local ttl = redis.call('ttl', KEYS[1])
     if ttl < 0 then
@@ -39,7 +39,54 @@ local script = core.string.compress_script([=[
 ]=])
 
 
-function _M.new(plugin_name, limit, window, conf)
+local script_sliding = core.string.compress_script([=[
+    assert(tonumber(ARGV[3]) >= 1, "cost must be at least 1")
+
+    local now = tonumber(ARGV[1])
+    local window = tonumber(ARGV[2])
+    local limit = tonumber(ARGV[3])
+    local cost = tonumber(ARGV[4])
+
+    local window_start = now - window
+
+    redis.call('ZREMRANGEBYSCORE', KEYS[1], 0, window_start)
+
+    local current = redis.call('ZCARD', KEYS[1])
+
+    if current + cost > limit then
+        local earliest = redis.call('ZRANGE', KEYS[1], 0, 0, 'WITHSCORES')
+        local reset = 0
+        if #earliest == 2 then
+            reset = earliest[2] + window - now
+            if reset < 0 then
+                reset = 0
+            end
+        end
+        return {-1, reset}
+    end
+
+    for i = 1, cost do
+        redis.call('ZADD', KEYS[1], now, now .. ':' .. i)
+    end
+
+    redis.call('PEXPIRE', KEYS[1], window)
+
+    local remaining = limit - (current + cost)
+
+    local earliest = redis.call('ZRANGE', KEYS[1], 0, 0, 'WITHSCORES')
+    local reset = 0
+    if #earliest == 2 then
+        reset = earliest[2] + window - now
+        if reset < 0 then
+            reset = 0
+        end
+    end
+
+    return {remaining, reset}
+]=])
+
+
+function _M.new(plugin_name, limit, window, window_type, conf)
     local red_cli, err = redis_cluster.new(conf, "plugin-limit-count-redis-cluster-slot-lock")
     if not red_cli then
         return nil, err
@@ -48,6 +95,7 @@ function _M.new(plugin_name, limit, window, conf)
     local self = {
         limit = limit,
         window = window,
+        window_type = window_type or "fixed",
         conf = conf,
         plugin_name = plugin_name,
         red_cli = red_cli,
@@ -59,12 +107,23 @@ end
 
 function _M.incoming(self, key, cost)
     local red = self.red_cli
-    local limit = self.limit
-    local window = self.window
     key = self.plugin_name .. tostring(key)
 
     local ttl = 0
-    local res, err = red:eval(script, 1, key, limit, window, cost or 1)
+    local limit = self.limit
+    local c = cost or 1
+    local res
+
+    if self.window_type == "sliding" then
+        local now = ngx.now() * 1000
+        local window = self.window * 1000
+
+        res, err = red:eval(script_sliding, 1, key, now, window, limit, c)
+    else
+        local window = self.window
+
+        res, err = red:eval(script_fixed, 1, key, limit, window, c)
+    end
 
     if err then
         return nil, err, ttl
diff --git a/t/plugin/limit-count-redis-cluster-sliding.t b/t/plugin/limit-count-redis-cluster-sliding.t
@@ -0,0 +1,188 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_shuffle();
+no_root_location();
+
+add_block_preprocessor(sub {
+    my ($block) = @_;
+
+    if (!$block->request) {
+        $block->set_value("request", "GET /t");
+    }
+
+    if (!$block->error_log && !$block->no_error_log) {
+        $block->set_value("no_error_log", "[error]\n[alert]");
+    }
+});
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: redis-cluster policy with sliding window - basic N per window
+--- config
+    location /t {
+        content_by_lua_block {
+            local t = require("lib.test_admin").test
+            local code, body = t('/apisix/admin/routes/1',
+                ngx.HTTP_PUT,
+                [[{
+                    "uri": "/hello",
+                    "plugins": {
+                        "limit-count": {
+                            "count": 2,
+                            "time_window": 2,
+                            "window_type": "sliding",
+                            "rejected_code": 503,
+                            "key": "remote_addr",
+                            "policy": "redis-cluster",
+                            "redis_cluster_nodes": [
+                                "127.0.0.1:5000",
+                                "127.0.0.1:5001"
+                            ],
+                            "redis_cluster_name": "redis-cluster-1"
+                        }
+                    },
+                    "upstream": {
+                        "nodes": {
+                            "127.0.0.1:1980": 1
+                        },
+                        "type": "roundrobin"
+                    }
+                }]]
+            )
+
+            if code >= 300 then
+                ngx.status = code
+            end
+            ngx.say(body)
+        }
+    }
+--- response_body
+passed
+
+
+=== TEST 2: redis-cluster policy with sliding window - enforce N per window
+--- pipelined_requests eval
+["GET /hello", "GET /hello", "GET /hello"]
+--- error_code eval
+[200, 200, 503]
+
+
+=== TEST 3: redis-cluster policy with sliding window - remaining header on reject
+--- config
+    location /t {
+        content_by_lua_block {
+            local json = require "t.toolkit.json"
+            local http = require "resty.http"
+            local uri = "http://127.0.0.1:" .. ngx.var.server_port
+                        .. "/hello"
+            local ress = {}
+
+            -- ensure previous windows are expired before starting this test
+            ngx.sleep(2.2)
+
+            -- first request: allowed, remaining should be 1
+            do
+                local httpc = http.new()
+                local res, err = httpc:request_uri(uri)
+                if not res then
+                    ngx.say(err)
+                    return
+                end
+                table.insert(ress, {res.status, res.headers["X-RateLimit-Remaining"]})
+            end
+
+            -- second request: allowed, remaining should be 0
+            do
+                local httpc = http.new()
+                local res, err = httpc:request_uri(uri)
+                if not res then
+                    ngx.say(err)
+                    return
+                end
+                table.insert(ress, {res.status, res.headers["X-RateLimit-Remaining"]})
+            end
+
+            -- third request: rejected, remaining header should stay at 0
+            do
+                local httpc = http.new()
+                local res, err = httpc:request_uri(uri)
+                if not res then
+                    ngx.say(err)
+                    return
+                end
+                table.insert(ress, {res.status, res.headers["X-RateLimit-Remaining"]})
+            end
+
+            ngx.say(json.encode(ress))
+        }
+    }
+--- response_body
+[[200,"1"],[200,"0"],[503,"0"]]
+
+
+=== TEST 4: redis-cluster policy with sliding window - allow after window passes
+--- config
+    location /t {
+        content_by_lua_block {
+            local json = require "t.toolkit.json"
+            local http = require "resty.http"
+            local uri = "http://127.0.0.1:" .. ngx.var.server_port
+                        .. "/hello"
+            local codes = {}
+
+            -- ensure previous windows are expired before starting this test
+            ngx.sleep(2.2)
+
+            -- consume full quota
+            for i = 1, 2 do
+                local httpc = http.new()
+                local res, err = httpc:request_uri(uri)
+                if not res then
+                    ngx.say(err)
+                    return
+                end
+                table.insert(codes, res.status)
+            end
+
+            -- wait longer than the sliding window (2s)
+            ngx.sleep(2.2)
+
+            -- should be allowed again after window has passed
+            do
+                local httpc = http.new()
+                local res, err = httpc:request_uri(uri)
+                if not res then
+                    ngx.say(err)
+                    return
+                end
+                table.insert(codes, res.status)
+            end
+
+            ngx.say(json.encode(codes))
+        }
+    }
+--- response_body
+[200,200,200]
+
+
