Merge pull request 'Mise en cache des fournisseurs oidc pour améliorer les performances' (#48) from issue-47 into develop
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good
Reviewed-on: #48 Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>
This commit is contained in:
commit
ac7b7e8189
@ -20,6 +20,7 @@ func NewDefaultLayersConfig() LayersConfig {
|
|||||||
TransportConfig: NewDefaultTransportConfig(),
|
TransportConfig: NewDefaultTransportConfig(),
|
||||||
Timeout: NewInterpolatedDuration(10 * time.Second),
|
Timeout: NewInterpolatedDuration(10 * time.Second),
|
||||||
},
|
},
|
||||||
|
ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
|
||||||
},
|
},
|
||||||
Sessions: AuthnLayerSessionConfig{
|
Sessions: AuthnLayerSessionConfig{
|
||||||
TTL: NewInterpolatedDuration(time.Hour),
|
TTL: NewInterpolatedDuration(time.Hour),
|
||||||
@ -46,6 +47,7 @@ type AuthnLayerSessionConfig struct {
|
|||||||
|
|
||||||
type AuthnOIDCLayerConfig struct {
|
type AuthnOIDCLayerConfig struct {
|
||||||
HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
|
HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
|
||||||
|
ProviderCacheTimeout *InterpolatedDuration `yaml:"providerCacheTimeout"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type AuthnOIDCHTTPClientConfig struct {
|
type AuthnOIDCHTTPClientConfig struct {
|
||||||
|
|||||||
@ -13,6 +13,7 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
|
"forge.cadoles.com/Cadoles/go-proxy/wildcard"
|
||||||
|
"forge.cadoles.com/cadoles/bouncer/internal/cache"
|
||||||
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
|
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
|
||||||
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
|
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
|
||||||
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
||||||
@ -27,6 +28,7 @@ type Authenticator struct {
|
|||||||
store sessions.Store
|
store sessions.Store
|
||||||
httpTransport *http.Transport
|
httpTransport *http.Transport
|
||||||
httpClientTimeout time.Duration
|
httpClientTimeout time.Duration
|
||||||
|
oidcProviderCache cache.Cache[string, *oidc.Provider]
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
|
func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
|
||||||
@ -378,17 +380,25 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
|
|||||||
Transport: transport,
|
Transport: transport,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider, exists := a.oidcProviderCache.Get(options.OIDC.IssuerURL)
|
||||||
|
if !exists {
|
||||||
|
var err error
|
||||||
ctx = oidc.ClientContext(ctx, httpClient)
|
ctx = oidc.ClientContext(ctx, httpClient)
|
||||||
|
|
||||||
if options.OIDC.SkipIssuerVerification {
|
if options.OIDC.SkipIssuerVerification {
|
||||||
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
|
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
|
||||||
}
|
}
|
||||||
|
|
||||||
provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
|
logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", options.OIDC.IssuerURL))
|
||||||
|
|
||||||
|
provider, err = oidc.NewProvider(ctx, options.OIDC.IssuerURL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, errors.Wrap(err, "could not create oidc provider")
|
return nil, errors.Wrap(err, "could not create oidc provider")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
a.oidcProviderCache.Set(options.OIDC.IssuerURL, provider)
|
||||||
|
}
|
||||||
|
|
||||||
client := NewClient(
|
client := NewClient(
|
||||||
WithCredentials(options.OIDC.ClientID, options.OIDC.ClientSecret),
|
WithCredentials(options.OIDC.ClientID, options.OIDC.ClientSecret),
|
||||||
WithProvider(provider),
|
WithProvider(provider),
|
||||||
|
|||||||
@ -1,8 +1,13 @@
|
|||||||
package oidc
|
package oidc
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"time"
|
||||||
|
|
||||||
|
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
|
||||||
|
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
|
||||||
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
|
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
|
||||||
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
"forge.cadoles.com/cadoles/bouncer/internal/store"
|
||||||
|
"github.com/coreos/go-oidc/v3/oidc"
|
||||||
"github.com/gorilla/sessions"
|
"github.com/gorilla/sessions"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -14,5 +19,10 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
|
|||||||
httpTransport: opts.HTTPTransport,
|
httpTransport: opts.HTTPTransport,
|
||||||
httpClientTimeout: opts.HTTPClientTimeout,
|
httpClientTimeout: opts.HTTPClientTimeout,
|
||||||
store: store,
|
store: store,
|
||||||
|
oidcProviderCache: ttl.NewCache(
|
||||||
|
memory.NewCache[string, *oidc.Provider](),
|
||||||
|
memory.NewCache[string, time.Time](),
|
||||||
|
opts.OIDCProviderCacheTimeout,
|
||||||
|
),
|
||||||
}, opts.AuthnOptions...)
|
}, opts.AuthnOptions...)
|
||||||
}
|
}
|
||||||
|
|||||||
@ -11,6 +11,7 @@ type Options struct {
|
|||||||
HTTPTransport *http.Transport
|
HTTPTransport *http.Transport
|
||||||
HTTPClientTimeout time.Duration
|
HTTPClientTimeout time.Duration
|
||||||
AuthnOptions []authn.OptionFunc
|
AuthnOptions []authn.OptionFunc
|
||||||
|
OIDCProviderCacheTimeout time.Duration
|
||||||
}
|
}
|
||||||
|
|
||||||
type OptionFunc func(opts *Options)
|
type OptionFunc func(opts *Options)
|
||||||
@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
|
||||||
|
return func(opts *Options) {
|
||||||
|
opts.OIDCProviderCacheTimeout = timeout
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func NewOptions(funcs ...OptionFunc) *Options {
|
func NewOptions(funcs ...OptionFunc) *Options {
|
||||||
opts := &Options{
|
opts := &Options{
|
||||||
HTTPTransport: http.DefaultTransport.(*http.Transport),
|
HTTPTransport: http.DefaultTransport.(*http.Transport),
|
||||||
HTTPClientTimeout: 30 * time.Second,
|
HTTPClientTimeout: 30 * time.Second,
|
||||||
AuthnOptions: make([]authn.OptionFunc, 0),
|
AuthnOptions: make([]authn.OptionFunc, 0),
|
||||||
|
OIDCProviderCacheTimeout: time.Hour,
|
||||||
}
|
}
|
||||||
|
|
||||||
for _, fn := range funcs {
|
for _, fn := range funcs {
|
||||||
|
|||||||
@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
|
|||||||
authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
|
authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
|
||||||
authn.WithDebug(bool(conf.Layers.Authn.Debug)),
|
authn.WithDebug(bool(conf.Layers.Authn.Debug)),
|
||||||
),
|
),
|
||||||
|
oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
|
||||||
), nil
|
), nil
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user