Add comprehensive security tests for quota management and relay functionality

- Introduced `relay_dual_lock_race_harness_security_tests.rs` to validate user liveness during lock hold and release cycles. - Added `relay_quota_extended_attack_surface_security_tests.rs` to cover various quota scenarios including positive, negative, edge cases, and adversarial conditions. - Implemented `relay_quota_lock_eviction_lifecycle_tdd_tests.rs` to ensure proper eviction of stale entries and lifecycle management of quota locks. - Created `relay_quota_lock_eviction_stress_security_tests.rs` to stress test the eviction mechanism under high churn conditions. - Enhanced `relay_quota_lock_pressure_adversarial_tests.rs` to verify reclaiming of unreferenced entries after explicit eviction. - Developed `relay_quota_retry_allocation_latency_security_tests.rs` to benchmark and validate latency and allocation behavior under contention.
2026-04-18 19:14:09 +03:00 · 2026-03-23 12:04:41 +04:00
parent 91be148b72
commit 6f17d4d231
42 changed files with 6774 additions and 178 deletions
--- a/src/maestro/runtime_tasks.rs
+++ b/src/maestro/runtime_tasks.rs
@@ -32,6 +32,14 @@ pub(crate) struct RuntimeWatches {
    pub(crate) detected_ip_v6: Option<IpAddr>,
 }

+const QUOTA_USER_LOCK_EVICT_INTERVAL_SECS: u64 = 60;
+
+fn spawn_quota_lock_maintenance_task() -> tokio::task::JoinHandle<()> {
+    crate::proxy::relay::spawn_quota_user_lock_evictor(std::time::Duration::from_secs(
+        QUOTA_USER_LOCK_EVICT_INTERVAL_SECS,
+    ))
+}
+
 #[allow(clippy::too_many_arguments)]
 pub(crate) async fn spawn_runtime_tasks(
    config: &Arc<ProxyConfig>,
@@ -69,6 +77,8 @@ pub(crate) async fn spawn_runtime_tasks(
        rc_clone.run_periodic_cleanup().await;
    });

+    spawn_quota_lock_maintenance_task();
+
    let detected_ip_v4: Option<IpAddr> = probe.detected_ipv4.map(IpAddr::V4);
    let detected_ip_v6: Option<IpAddr> = probe.detected_ipv6.map(IpAddr::V6);
    debug!(
@@ -360,3 +370,24 @@ pub(crate) async fn mark_runtime_ready(startup_tracker: &Arc<StartupTracker>) {
        .await;
    startup_tracker.mark_ready().await;
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn tdd_runtime_quota_lock_maintenance_path_spawns_single_evictor_task() {
+        crate::proxy::relay::reset_quota_user_lock_evictor_spawn_count_for_tests();
+
+        let handle = spawn_quota_lock_maintenance_task();
+        tokio::time::sleep(std::time::Duration::from_millis(5)).await;
+
+        assert_eq!(
+            crate::proxy::relay::quota_user_lock_evictor_spawn_count_for_tests(),
+            1,
+            "runtime maintenance path must spawn exactly one quota lock evictor task per call"
+        );
+
+        handle.abort();
+    }
+}