feat(balances): adding project IDs denylist (#931)

Author: geekbrother

src/env/mod.rs

@@ -3,6 +3,7 @@ use {
         analytics::Config as AnalyticsConfig,
         database::config::PostgresConfig,
         error,
+        handlers::balance::Config as BalanceConfig,
         names::Config as NamesConfig,
         profiler::ProfilerConfig,
         project::{storage::Config as StorageConfig, Config as RegistryConfig},
@@ -66,6 +67,7 @@ pub struct Config {
     pub rate_limiting: RateLimitingConfig,
     pub irn: IrnConfig,
     pub names: NamesConfig,
+    pub balances: BalanceConfig,
 }
 
 impl Config {
@@ -81,6 +83,7 @@ impl Config {
             rate_limiting: from_env("RPC_PROXY_RATE_LIMITING_")?,
             irn: from_env("RPC_PROXY_IRN_")?,
             names: from_env("RPC_PROXY_NAMES_")?,
+            balances: from_env("RPC_PROXY_BALANCES_")?,
         })
     }
 }
@@ -108,6 +111,7 @@ mod test {
             analytics,
             database::config::PostgresConfig,
             env::{Config, ServerConfig},
+            handlers::balance::Config as BalanceConfig,
             names::Config as NamesConfig,
             profiler::ProfilerConfig,
             project,
@@ -229,6 +233,8 @@ mod test {
             ("RPC_PROXY_IRN_NAMESPACE_SECRET", "namespace"),
             // Names configuration
             ("RPC_PROXY_NAMES_ALLOWED_ZONES", "test1.id,test2.id"),
+            // Account balances-related configuration
+            ("RPC_PROXY_BALANCES_DENYLIST_PROJECT_IDS", "test_project_id"),
         ];
 
         values.iter().for_each(set_env_var);
@@ -323,7 +329,10 @@ mod test {
                 },
                 names: NamesConfig {
                     allowed_zones: Some(vec!["test1.id".to_owned(), "test2.id".to_owned()]),
-                }
+                },
+                balances: BalanceConfig {
+                    denylist_project_ids: Some(vec!["test_project_id".to_owned()]),
+                },
             }
         );
 

src/handlers/balance.rs

@@ -27,6 +27,13 @@ pub const H160_EMPTY_ADDRESS: H160 = H160::repeat_byte(0xee);
 const PROVIDER_MAX_CALLS: usize = 2;
 const METADATA_CACHE_TTL: Duration = Duration::from_secs(60 * 60 * 24); // 1 day
 
+#[derive(Debug, Clone, Deserialize, Eq, PartialEq)]
+pub struct Config {
+    /// List of project ids that are not allowed to use the balance RPC call
+    /// An empty balances list will be returned for the project ids in the denylist
+    pub denylist_project_ids: Option<Vec<String>>,
+}
+
 #[derive(Debug, Deserialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct BalanceQueryParams {
@@ -127,6 +134,14 @@ async fn handler_internal(
     Path(address): Path<String>,
 ) -> Result<Response, RpcError> {
     let project_id = query.project_id.clone();
+
+    // Check the denylist for the project id
+    if let Some(denylist_project_ids) = &state.config.balances.denylist_project_ids {
+        if denylist_project_ids.contains(&project_id) {
+            return Ok(Json(BalanceResponseBody { balances: vec![] }).into_response());
+        }
+    }
+
     state.validate_project_access_and_quota(&project_id).await?;
 
     // if headers not contains `x-sdk-version` then respond with an empty balance

terraform/ecs/cluster.tf

@@ -134,6 +134,7 @@ resource "aws_ecs_task_definition" "app_task" {
         { name = "RPC_PROXY_IRN_NAMESPACE_SECRET", value = var.irn_namespace_secret },
 
         { name = "RPC_PROXY_NAMES_ALLOWED_ZONES", value = var.names_allowed_zones },
+        { name = "RPC_PROXY_BALANCES_DENYLIST_PROJECT_IDS", value = var.balances_denylist_project_ids },
 
         { name = "RPC_PROXY_ANALYTICS_EXPORT_BUCKET", value = var.analytics_datalake_bucket_name },
       ],

terraform/ecs/variables.tf

@@ -428,3 +428,10 @@ variable "names_allowed_zones" {
   description = "Comma separated list of allowed zones for names"
   type        = string
 }
+
+#-------------------------------------------------------------------------------
+# Address balances projects denylist
+variable "balances_denylist_project_ids" {
+  description = "Comma separated list of project IDs to denylist"
+  type        = string
+}

terraform/res_ecs.tf

@@ -102,6 +102,9 @@ module "ecs" {
   # ENS Names
   names_allowed_zones = var.names_allowed_zones
 
+  # Address balances related configuration
+  balances_denylist_project_ids = var.balances_denylist_project_ids
+
   # Analytics
   analytics_datalake_bucket_name = data.terraform_remote_state.datalake.outputs.datalake_bucket_id
   analytics_datalake_kms_key_arn = data.terraform_remote_state.datalake.outputs.datalake_kms_key_arn

terraform/variables.tf

@@ -278,3 +278,10 @@ variable "names_allowed_zones" {
   description = "Comma separated list of allowed zones for names"
   type        = string
 }
+
+#-------------------------------------------------------------------------------
+# Address balances projects denylist
+variable "balances_denylist_project_ids" {
+  description = "Comma separated list of project IDs to denylist"
+  type        = string
+}