Merge pull request 'Mise en cache des fournisseurs oidc pour améliorer les performances' (#48) from issue-47 into develop
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good

Reviewed-on: #48
Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>
This commit is contained in:
wpetit 2025-03-07 13:42:39 +01:00
commit ac7b7e8189
5 changed files with 45 additions and 14 deletions

View File

@ -20,6 +20,7 @@ func NewDefaultLayersConfig() LayersConfig {
TransportConfig: NewDefaultTransportConfig(), TransportConfig: NewDefaultTransportConfig(),
Timeout: NewInterpolatedDuration(10 * time.Second), Timeout: NewInterpolatedDuration(10 * time.Second),
}, },
ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
}, },
Sessions: AuthnLayerSessionConfig{ Sessions: AuthnLayerSessionConfig{
TTL: NewInterpolatedDuration(time.Hour), TTL: NewInterpolatedDuration(time.Hour),
@ -45,7 +46,8 @@ type AuthnLayerSessionConfig struct {
} }
type AuthnOIDCLayerConfig struct { type AuthnOIDCLayerConfig struct {
HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"` HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
ProviderCacheTimeout *InterpolatedDuration `yaml:"providerCacheTimeout"`
} }
type AuthnOIDCHTTPClientConfig struct { type AuthnOIDCHTTPClientConfig struct {

View File

@ -13,6 +13,7 @@ import (
"time" "time"
"forge.cadoles.com/Cadoles/go-proxy/wildcard" "forge.cadoles.com/Cadoles/go-proxy/wildcard"
"forge.cadoles.com/cadoles/bouncer/internal/cache"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
"forge.cadoles.com/cadoles/bouncer/internal/store" "forge.cadoles.com/cadoles/bouncer/internal/store"
@ -27,6 +28,7 @@ type Authenticator struct {
store sessions.Store store sessions.Store
httpTransport *http.Transport httpTransport *http.Transport
httpClientTimeout time.Duration httpClientTimeout time.Duration
oidcProviderCache cache.Cache[string, *oidc.Provider]
} }
func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error { func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@ -378,15 +380,23 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
Transport: transport, Transport: transport,
} }
ctx = oidc.ClientContext(ctx, httpClient) provider, exists := a.oidcProviderCache.Get(options.OIDC.IssuerURL)
if !exists {
var err error
ctx = oidc.ClientContext(ctx, httpClient)
if options.OIDC.SkipIssuerVerification { if options.OIDC.SkipIssuerVerification {
ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL) ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
} }
provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL) logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", options.OIDC.IssuerURL))
if err != nil {
return nil, errors.Wrap(err, "could not create oidc provider") provider, err = oidc.NewProvider(ctx, options.OIDC.IssuerURL)
if err != nil {
return nil, errors.Wrap(err, "could not create oidc provider")
}
a.oidcProviderCache.Set(options.OIDC.IssuerURL, provider)
} }
client := NewClient( client := NewClient(

View File

@ -1,8 +1,13 @@
package oidc package oidc
import ( import (
"time"
"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn" "forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
"forge.cadoles.com/cadoles/bouncer/internal/store" "forge.cadoles.com/cadoles/bouncer/internal/store"
"github.com/coreos/go-oidc/v3/oidc"
"github.com/gorilla/sessions" "github.com/gorilla/sessions"
) )
@ -14,5 +19,10 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
httpTransport: opts.HTTPTransport, httpTransport: opts.HTTPTransport,
httpClientTimeout: opts.HTTPClientTimeout, httpClientTimeout: opts.HTTPClientTimeout,
store: store, store: store,
oidcProviderCache: ttl.NewCache(
memory.NewCache[string, *oidc.Provider](),
memory.NewCache[string, time.Time](),
opts.OIDCProviderCacheTimeout,
),
}, opts.AuthnOptions...) }, opts.AuthnOptions...)
} }

View File

@ -8,9 +8,10 @@ import (
) )
type Options struct { type Options struct {
HTTPTransport *http.Transport HTTPTransport *http.Transport
HTTPClientTimeout time.Duration HTTPClientTimeout time.Duration
AuthnOptions []authn.OptionFunc AuthnOptions []authn.OptionFunc
OIDCProviderCacheTimeout time.Duration
} }
type OptionFunc func(opts *Options) type OptionFunc func(opts *Options)
@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
} }
} }
func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
return func(opts *Options) {
opts.OIDCProviderCacheTimeout = timeout
}
}
func NewOptions(funcs ...OptionFunc) *Options { func NewOptions(funcs ...OptionFunc) *Options {
opts := &Options{ opts := &Options{
HTTPTransport: http.DefaultTransport.(*http.Transport), HTTPTransport: http.DefaultTransport.(*http.Transport),
HTTPClientTimeout: 30 * time.Second, HTTPClientTimeout: 30 * time.Second,
AuthnOptions: make([]authn.OptionFunc, 0), AuthnOptions: make([]authn.OptionFunc, 0),
OIDCProviderCacheTimeout: time.Hour,
} }
for _, fn := range funcs { for _, fn := range funcs {

View File

@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)), authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
authn.WithDebug(bool(conf.Layers.Authn.Debug)), authn.WithDebug(bool(conf.Layers.Authn.Debug)),
), ),
oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
), nil ), nil
} }