feat: add Memory Protection Middleware via RTML

Author: ecordell

.gitattributes

@@ -1,3 +1,4 @@
+internal/**/mock_*.go linguist-generated=true
 *.pb.go linguist-generated=true
 *.pb.*.go linguist-generated=true
 proto/internal/buf.lock linguist-generated=true

.github/workflows/build-test.yaml

@@ -59,6 +59,8 @@ jobs:
           username: "${{ env.DOCKERHUB_PUBLIC_USER }}"
           password: "${{ env.DOCKERHUB_PUBLIC_ACCESS_TOKEN }}"
       - uses: "authzed/actions/go-build@70432bd54a9e690d7fe19817dda46d8e4c0a2c3a" # main
+        with:
+          ldflags: "-checklinkname=0"
       - name: "Image tests"
         run: "go run mage.go test:image"
 

.goreleaser.nightly.yml

@@ -12,7 +12,7 @@ builds:
       - "arm64"
     mod_timestamp: "{{ .CommitTimestamp }}"
     ldflags:
-      - "-s -w"
+      - "-s -w -checklinkname=0"
       - "-X github.com/jzelinskie/cobrautil/v2.Version=v{{ .Version }}"
 kos:
   - id: "spicedb"

.goreleaser.windows.yml

@@ -17,7 +17,7 @@ builds:
       - "amd64"
     mod_timestamp: "{{ .CommitTimestamp }}"
     ldflags:
-      - "-s -w"
+      - "-s -w -checklinkname=0"
       - "-X github.com/jzelinskie/cobrautil/v2.Version=v{{ .Version }}"
 archives:
   - files:

.goreleaser.yml

@@ -20,7 +20,7 @@ builds:
       - "arm64"
     mod_timestamp: "{{ .CommitTimestamp }}"
     ldflags:
-      - "-s -w"
+      - "-s -w -checklinkname=0"
       - "-X github.com/jzelinskie/cobrautil/v2.Version=v{{ .Version }}"
 archives:
   - files:
@@ -95,7 +95,7 @@ brews:
         if build.head?
           versionVar = "github.com/jzelinskie/cobrautil/v2.Version"
           versionCmd = "$(git describe --always --abbrev=7 --dirty --tags)"
-          system "go build --ldflags '-s -w -X #{versionVar}=#{versionCmd}' ./cmd/spicedb"
+          system "go build --ldflags '-s -w -checklinkname=0 -X #{versionVar}=#{versionCmd}' ./cmd/spicedb"
         end
         bin.install "spicedb"
         generate_completions_from_executable(bin/"spicedb", "completion", shells: [:bash, :zsh, :fish])

Dockerfile

@@ -3,7 +3,8 @@ FROM golang:1.25.3-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55a
 WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 COPY . .
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v -o spicedb ./cmd/spicedb
+# https://github.com/odigos-io/go-rtml#about-ldflags-checklinkname0
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v -ldflags=-checklinkname=0 -o spicedb ./cmd/spicedb
 
 # use `docker buildx imagetools inspect <image>` to get the multi-platform sha256
 FROM golang:1.25.3-alpine@sha256:aee43c3ccbf24fdffb7295693b6e33b21e01baec1b2a55acc351fde345e9ec34 AS health-probe-builder

cmd/spicedb/serve_integration_test.go

@@ -92,6 +92,56 @@ func TestServe(t *testing.T) {
 	}
 }
 
+func TestServeWithMemoryProtectionMiddleware(t *testing.T) {
+	t.Parallel()
+
+	pool, err := dockertest.NewPool("")
+	require.NoError(t, err)
+
+	serverToken := "mykey"
+	serveResource, err := pool.RunWithOptions(&dockertest.RunOptions{
+		Repository:   "authzed/spicedb",
+		Tag:          "ci",
+		Cmd:          []string{"serve", "--log-level=debug", "--grpc-preshared-key", serverToken, "--telemetry-endpoint=\"\""},
+		ExposedPorts: []string{"50051/tcp"},
+		Env:          []string{"GOMEMLIMIT=1B"}, // NOTE: Absurdly low on purpose
+	}, func(config *docker.HostConfig) {
+		config.RestartPolicy = docker.RestartPolicy{
+			Name: "no",
+		}
+	})
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		require.NoError(t, pool.Purge(serveResource))
+	})
+
+	serverPort := serveResource.GetPort("50051/tcp")
+	conn, err := grpc.NewClient(fmt.Sprintf("localhost:%s", serverPort),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpcutil.WithInsecureBearerToken(serverToken),
+	)
+
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = conn.Close()
+	})
+
+	// Health requests bypass the memory middleware
+	require.Eventually(t, func() bool {
+		resp, err := healthpb.NewHealthClient(conn).Check(context.Background(), &healthpb.HealthCheckRequest{Service: "authzed.api.v1.SchemaService"})
+		return err == nil && resp.GetStatus() == healthpb.HealthCheckResponse_SERVING
+	}, 5*time.Second, 1*time.Second, "server never became healthy")
+
+	// Other requests have the memory middleware
+	client := v1.NewSchemaServiceClient(conn)
+	_, err = client.WriteSchema(context.Background(), &v1.WriteSchemaRequest{
+		Schema: `definition user {}`,
+	})
+	s, ok := status.FromError(err)
+	require.True(t, ok)
+	require.Equal(t, codes.ResourceExhausted, s.Code())
+}
+
 func gracefulShutdown(pool *dockertest.Pool, serveResource *dockertest.Resource) bool {
 	closed := make(chan bool, 1)
 	go func() {

development/prometheus.yaml

@@ -1,7 +1,7 @@
 ---
 global:
-  scrape_interval: "15s"
-  evaluation_interval: "15s"
+  scrape_interval: "1s"
+  evaluation_interval: "1s"
 
 scrape_configs:
   - job_name: "spicedb"

e2e/go.mod

@@ -59,6 +59,7 @@ require (
 	github.com/jzelinskie/stringz v0.0.3 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/odigos-io/go-rtml v0.0.1 // indirect
 	github.com/onsi/ginkgo/v2 v2.23.4 // indirect
 	github.com/onsi/gomega v1.38.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240917153116-6f2963f01587 // indirect

e2e/go.sum

@@ -1789,6 +1789,8 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ngrok/sqlmw v0.0.0-20220520173518-97c9c04efc79 h1:Dmx8g2747UTVPzSkmohk84S3g/uWqd6+f4SSLPhLcfA=
 github.com/ngrok/sqlmw v0.0.0-20220520173518-97c9c04efc79/go.mod h1:E26fwEtRNigBfFfHDWsklmo0T7Ixbg0XXgck+Hq4O9k=
+github.com/odigos-io/go-rtml v0.0.1 h1:5w21AOXZGq/6UhECv5B9RCrW7R8PzA8YgwdxqtajD0w=
+github.com/odigos-io/go-rtml v0.0.1/go.mod h1:LqKwlorUKSNj1WQ0p/5e9+aOkirEiHQx+FOxdhku/cs=
 github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
 github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
@@ -1821,6 +1823,8 @@ github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzM
 github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/prometheus/statsd_exporter v0.22.7 h1:7Pji/i2GuhK6Lu7DHrtTkFmNBCudCPT1pX2CziuyQR0=
 github.com/prometheus/statsd_exporter v0.22.7/go.mod h1:N/TevpjkIh9ccs6nuzY3jQn9dFqnUakOjnEuMPJJJnI=
+github.com/puzpuzpuz/xsync/v4 v4.2.0 h1:dlxm77dZj2c3rxq0/XNvvUKISAmovoXF4a4qM6Wvkr0=
+github.com/puzpuzpuz/xsync/v4 v4.2.0/go.mod h1:VJDmTCJMBt8igNxnkQd86r+8KUeN1quSfNKu5bLYFQo=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=