#!trydef ANTIFLOOD_RATE_WINDOW 2
#!trydef ANTIFLOOD_RATE_DENSITY 50
#!trydef ANTIFLOOD_RATE_EXPIRE 4
#!trydef ANTIFLOOD_FAILED_AUTH_WINDOW 300
#!trydef ANTIFLOOD_FAILED_AUTH_DENSITY 4

######## Flood Prevention Hash Tables ########
modparam("htable", "htable", "antiflood=>size=16;autoexpire=ANTIFLOOD_CACHE_PERIOD;initval=0")

######## Flood Prevention Module ########
loadmodule "pike.so"
modparam("pike", "sampling_time_unit", ANTIFLOOD_RATE_WINDOW)
modparam("pike", "reqs_density_per_unit", ANTIFLOOD_RATE_DENSITY)
modparam("pike", "remove_latency", ANTIFLOOD_RATE_EXPIRE)


route[ANTIFLOOD_RATE_LIMIT]
{
    if (has_totag()
        || isflagset(FLAG_TRUSTED_SOURCE)
        || isflagset(FLAG_INTERNALLY_SOURCED)) {
        return;
    }

    # use pike to control the rates
    if (!pike_check_req()) {
        xlog("L_WARN", "$ci|end|dropping request from $fu due to rate of requests with source $si:$sp\n");
        drop();
        exit;
    }
}

route[ANITFLOOD_AUTH_LIMIT]
{
    if (has_totag()
        || isflagset(FLAG_TRUSTED_SOURCE)
        || isflagset(FLAG_INTERNALLY_SOURCED)) {
        return(1);
    }

    if ($Au != $null &&
        $sht(antiflood=>$Au::$si::count) >= ANTIFLOOD_FAILED_AUTH_DENSITY
    ) {
        xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp\n");
        $shtex(antiflood=>$Au::$si::count) = ANTIFLOOD_FAILED_AUTH_WINDOW;
        $sht(antiflood=>$Au::$si::last) = $Ts;
        append_to_reply("Retry-After: 3600\r\n");
        send_reply("500", "Retry Later");
        exit;
    }
}

route[ANTIFLOOD_SUCCESSFUL_AUTH]
{
    sht_rm_name_re("antiflood=>$(Au{re.subst,/\\./\\\\./g})::$(si{re.subst,/\\./\\\\./g})::.*");
}

route[ANTIFLOOD_RESET_AUTH]
{
    $var(user) = $(kzE{kz.json,Username}) + "@" + $(kzE{kz.json,Realm});
    sht_rm_name_re("antiflood=>$(var(user){re.subst,/\\./\\\\./g})::.*");
}

route[ANITFLOOD_FAILED_AUTH]
{
    if (isflagset(FLAG_TRUSTED_SOURCE)) {
        return;
    }

    $var(count) = $shtinc(antiflood=>$Au::$si::count);
    $sht(antiflood=>$Au::$si::last) = $Ts;

    xlog("L_INFO", "$ci|log|$var(count) errounous authorization response for $Au $si:$sp\n");

   if ($var(count) >= ANTIFLOOD_FAILED_AUTH_DENSITY) { 
        $var(exp) = $Ts - ANTIFLOOD_FAILED_AUTH_WINDOW;
        if($sht(antiflood=>$Au::$si::last) > $var(exp)){
            xlog("L_NOTICE", "$ci|end|request at authorization failure limit for $Au $si:$sp\n");
            append_to_reply("Retry-After: 3600\r\n");
            send_reply("500", "Retry Later");
            exit;
        }
  }
}

event_route[htable:expired:antiflood] 
{
    xlog("L_NOTICE", "antiflood expired record $shtrecord(key) => $shtrecord(value)\n");
}