chore: fix warning

Reviewed-on: #52

Dockerfile

@@ -1,4 +1,4 @@
-FROM reg.cadoles.com/proxy_cache/library/golang:1.23 AS BUILD
+FROM reg.cadoles.com/proxy_cache/library/golang:1.24.6 AS build
 
 RUN apt-get update \
     && apt-get install -y make
@@ -33,7 +33,7 @@ RUN /src/dist/bouncer_linux_amd64_v1/bouncer -c '' config dump > /src/dist/bounc
     && yq -i '.bootstrap.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml \
     && yq -i '.integrations.kubernetes.lockTimeout = "30s"' /src/dist/bouncer_linux_amd64_v1/config.yml
 
-FROM reg.cadoles.com/proxy_cache/library/alpine:3.20 AS RUNTIME
+FROM reg.cadoles.com/proxy_cache/library/alpine:3.21 AS runtime
 
 RUN apk add --no-cache ca-certificates dumb-init
 
@@ -41,10 +41,10 @@ ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 
 RUN mkdir -p /usr/local/bin /usr/share/bouncer/bin /etc/bouncer
 
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/bouncer /usr/share/bouncer/bin/bouncer
-COPY --from=BUILD /src/layers /usr/share/bouncer/layers
+COPY --from=build /src/layers /usr/share/bouncer/layers
-COPY --from=BUILD /src/templates /usr/share/bouncer/templates
+COPY --from=build /src/templates /usr/share/bouncer/templates
-COPY --from=BUILD /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
+COPY --from=build /src/dist/bouncer_linux_amd64_v1/config.yml /etc/bouncer/config.yml
 
 RUN ln -s /usr/share/bouncer/bin/bouncer /usr/local/bin/bouncer
 

Jenkinsfile

@@ -33,7 +33,6 @@ pipeline {
             when {
                 anyOf {
                     branch 'master'
-                    branch 'develop'
                 }
             }
             steps {
@@ -45,7 +44,7 @@ pipeline {
                             passwordVariable: 'GITEA_RELEASE_PASSWORD'
                         ])
                     ]) {
-                        sh 'make gitea-release'
+                        sh 'GITEA_RELEASE_IS_PRERELEASE=false make gitea-release'
                     }
                 }
             }
@@ -55,7 +54,6 @@ pipeline {
             when {
                 anyOf {
                     branch 'master'
-                    branch 'develop'
                 }
             }
             steps {

Makefile

@@ -6,7 +6,7 @@ SHELL := /bin/bash
 
 BOUNCER_VERSION ?= 
 GIT_COMMIT := $(shell git rev-parse --short HEAD)
-DATE_VERSION := $(shell date +%Y.%-m.%-d)
+DATE_VERSION := $(shell git show -s --format=%cd --date=format:'%Y-%-m-%d' $(GIT_COMMIT))
 FULL_VERSION := v$(DATE_VERSION)-$(GIT_COMMIT)$(if $(shell git diff --stat),-dirty,)
 
 DOCKER_IMAGE_NAME ?= reg.cadoles.com/cadoles/bouncer

go.mod

@@ -1,8 +1,6 @@
 module forge.cadoles.com/cadoles/bouncer
 
-go 1.23
+go 1.24.6
-
-toolchain go1.23.0
 
 require (
 	forge.cadoles.com/Cadoles/go-proxy v0.0.0-20240626132607-e1db6466a926
@@ -12,9 +10,9 @@ require (
 	github.com/coreos/go-oidc/v3 v3.10.0
 	github.com/dchest/uniuri v1.2.0
 	github.com/drone/envsubst v1.0.3
-	github.com/expr-lang/expr v1.16.7
+	github.com/expr-lang/expr v1.17.6
 	github.com/getsentry/sentry-go v0.22.0
-	github.com/go-chi/chi/v5 v5.0.10
+	github.com/go-chi/chi/v5 v5.2.2
 	github.com/gorilla/sessions v1.2.2
 	github.com/mitchellh/mapstructure v1.4.1
 	github.com/oklog/ulid/v2 v2.1.0
@@ -22,7 +20,7 @@ require (
 	github.com/prometheus/client_golang v1.16.0
 	github.com/qri-io/jsonschema v0.2.1
 	github.com/redis/go-redis/v9 v9.0.4
-	golang.org/x/oauth2 v0.13.0
+	golang.org/x/oauth2 v0.30.0
 	k8s.io/api v0.29.3
 	k8s.io/apimachinery v0.29.3
 	k8s.io/client-go v0.29.3
@@ -47,7 +45,7 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.2 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -92,11 +90,10 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.opentelemetry.io/otel v1.21.0 // indirect
 	go.opentelemetry.io/otel/trace v1.21.0 // indirect
-	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/text v0.28.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/protobuf v1.33.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
@@ -132,11 +129,11 @@ require (
 	github.com/urfave/cli/v2 v2.25.3
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	gitlab.com/wpetit/goweb v0.0.0-20240226160244-6b2826c79f88
-	golang.org/x/crypto v0.24.0
+	golang.org/x/crypto v0.41.0
-	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/sys v0.21.0 // indirect
+	golang.org/x/sys v0.35.0 // indirect
-	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/term v0.34.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/tools v0.35.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gopkg.in/go-playground/validator.v9 v9.29.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1

go.sum

@@ -1,9 +1,8 @@
 cdr.dev/slog v1.6.1 h1:IQjWZD0x6//sfv5n+qEhbu3wBkmtBQY5DILXNvMaIv4=
 cdr.dev/slog v1.6.1/go.mod h1:eHEYQLaZvxnIAXC+XdTSNLb/kgA/X2RVSF72v5wsxEI=
 cloud.google.com/go/compute v1.23.0 h1:tP41Zoavr8ptEqaW6j+LQOnyBBhO7OkOMAGrgLopTwY=
-cloud.google.com/go/compute v1.23.0/go.mod h1:4tCnrn48xsqlwSAiLf1HXMQk8CONslYbdiEZc9FEIbM=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/logging v1.7.0 h1:CJYxlNNNNAMkHp9em/YEXcfJg+rPDg7YfwoRpMU+t5I=
 cloud.google.com/go/logging v1.7.0/go.mod h1:3xjP2CjkM3ZkO73aj4ASA5wRPGGCRrPIAeNqVNkzY8M=
 cloud.google.com/go/longrunning v0.5.1 h1:Fr7TXftcqTudoyRJa113hyaqlGdiBQkp0Gq7tErFDWI=
@@ -100,21 +99,21 @@ github.com/drone/envsubst v1.0.3 h1:PCIBwNDYjs50AsLZPYdfhSATKaRg/FJmDc2D6+C2x8g=
 github.com/drone/envsubst v1.0.3/go.mod h1:N2jZmlMufstn1KEqvbHjw40h1KyTmnVzHcSc9bFiJ2g=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/expr-lang/expr v1.16.7 h1:gCIiHt5ODA0xIaDbD0DPKyZpM9Drph3b3lolYAYq2Kw=
+github.com/expr-lang/expr v1.17.6 h1:1h6i8ONk9cexhDmowO/A64VPxHScu7qfSl2k8OlINec=
-github.com/expr-lang/expr v1.16.7/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4=
+github.com/expr-lang/expr v1.17.6/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/getsentry/sentry-go v0.22.0 h1:XNX9zKbv7baSEI65l+H1GEJgSeIC1c7EN5kluWaP6dM=
 github.com/getsentry/sentry-go v0.22.0/go.mod h1:lc76E2QywIyW8WuBnwl8Lc4bkmQH4+w1gwTf25trprY=
-github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
+github.com/go-chi/chi/v5 v5.2.2 h1:CMwsvRVTbXVytCk1Wd72Zy1LAsAh9GxMmSNWLHCG618=
-github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.2.2/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
 github.com/go-chi/cors v1.2.1 h1:xEC8UT3Rlp2QuWNEr4Fs/c2EAGVKBwy/1vHx3bppil4=
 github.com/go-chi/cors v1.2.1/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
 github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
+github.com/go-jose/go-jose/v4 v4.1.2 h1:TK/7NqRQZfgAh+Td8AlsrvtPoUyiHh0LqVvokh+1vHI=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.1.2/go.mod h1:22cg9HWM1pOlnRiY+9cQYJ9XHmya1bYW8OeDM6Ku6Oo=
 github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -148,7 +147,6 @@ github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:W
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -375,13 +373,13 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
 golang.org/x/net v0.0.0-20180719180050-a680a1efc54d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -395,18 +393,18 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
-golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -433,22 +431,21 @@ golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.21.0 h1:WVXCp+/EBEHOj53Rvu+7KiT/iElMrO8ACK16SMZ3jaA=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
-golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -457,16 +454,14 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
 golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e h1:xIXmWJ303kJCuogpj0bHq+dcjcZHU+XFyc1I0Yl9cRg=
 google.golang.org/genproto v0.0.0-20230726155614-23370e0ffb3e/go.mod h1:0ggbjUrZYpy1q+ANUS30SEoGZ53cdfwtbuG7Ptgy108=
 google.golang.org/genproto/googleapis/api v0.0.0-20230706204954-ccb25ca9f130 h1:XVeBY8d/FaK4848myy41HBqnDwvxeV3zMZhwN1TvAMU=
@@ -482,7 +477,6 @@ google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miE
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
 google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=

internal/admin/bootstrap.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
-	"forge.cadoles.com/cadoles/bouncer/internal/lock/redis"
 	"forge.cadoles.com/cadoles/bouncer/internal/schema"
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@@ -21,10 +20,9 @@ func (s *Server) bootstrapProxies(ctx context.Context) error {
 	proxyRepo := s.proxyRepository
 	layerRepo := s.layerRepository
 
-	lockTimeout := time.Duration(s.bootstrapConfig.LockTimeout)
+	lockTimeout := time.Duration(*s.bootstrapConfig.LockTimeout)
-	locker := redis.NewLocker(s.redisClient, int(s.bootstrapConfig.MaxConnectionRetries))
 
-	err := locker.WithLock(ctx, "bouncer-admin-bootstrap", lockTimeout, func(ctx context.Context) error {
+	err := s.locker.WithLock(ctx, "bouncer-admin-bootstrap", lockTimeout, func(ctx context.Context) error {
 		logger.Info(ctx, "bootstrapping proxies")
 
 		for proxyName, proxyConfig := range s.bootstrapConfig.Proxies {

internal/admin/init.go

@@ -5,57 +5,10 @@ import (
 
 	"forge.cadoles.com/cadoles/bouncer/internal/integration"
 	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
-	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
 
-func (s *Server) initRepositories(ctx context.Context) error {
-	if err := s.initRedisClient(ctx); err != nil {
-		return errors.WithStack(err)
-	}
-
-	if err := s.initLayerRepository(ctx); err != nil {
-		return errors.WithStack(err)
-	}
-
-	if err := s.initProxyRepository(ctx); err != nil {
-		return errors.WithStack(err)
-	}
-
-	return nil
-}
-
-func (s *Server) initRedisClient(ctx context.Context) error {
-	client := setup.NewSharedClient(s.redisConfig)
-
-	s.redisClient = client
-
-	return nil
-}
-
-func (s *Server) initLayerRepository(ctx context.Context) error {
-	layerRepository, err := setup.NewLayerRepository(ctx, s.redisClient)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	s.layerRepository = layerRepository
-
-	return nil
-}
-
-func (s *Server) initProxyRepository(ctx context.Context) error {
-	proxyRepository, err := setup.NewProxyRepository(ctx, s.redisClient)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	s.proxyRepository = proxyRepository
-
-	return nil
-}
-
 func (s *Server) initPrivateKey(ctx context.Context) error {
 	localKey, err := jwk.LoadOrGenerate(string(s.serverConfig.Auth.PrivateKey), jwk.DefaultKeySize)
 	if err != nil {

internal/admin/option.go

@@ -3,13 +3,19 @@ package admin
 import (
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/integration"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 )
 
 type Option struct {
 	BootstrapConfig config.BootstrapConfig
 	ServerConfig    config.AdminServerConfig
-	RedisConfig     config.RedisConfig
 	Integrations    []integration.Integration
+
+	ProxyRepository store.ProxyRepository
+	LayerRepository store.LayerRepository
+
+	Locker lock.Locker
 }
 
 type OptionFunc func(*Option)
@@ -17,7 +23,6 @@ type OptionFunc func(*Option)
 func defaultOption() *Option {
 	return &Option{
 		ServerConfig: config.NewDefaultAdminServerConfig(),
-		RedisConfig:  config.NewDefaultRedisConfig(),
 		Integrations: make([]integration.Integration, 0),
 	}
 }
@@ -28,12 +33,6 @@ func WithServerConfig(conf config.AdminServerConfig) OptionFunc {
 	}
 }
 
-func WithRedisConfig(conf config.RedisConfig) OptionFunc {
-	return func(opt *Option) {
-		opt.RedisConfig = conf
-	}
-}
-
 func WithBootstrapConfig(conf config.BootstrapConfig) OptionFunc {
 	return func(opt *Option) {
 		opt.BootstrapConfig = conf
@@ -45,3 +44,21 @@ func WithIntegrations(integrations ...integration.Integration) OptionFunc {
 		opt.Integrations = integrations
 	}
 }
+
+func WithLayerRepository(layerRepository store.LayerRepository) OptionFunc {
+	return func(opt *Option) {
+		opt.LayerRepository = layerRepository
+	}
+}
+
+func WithProxyRepository(proxyRepository store.ProxyRepository) OptionFunc {
+	return func(opt *Option) {
+		opt.ProxyRepository = proxyRepository
+	}
+}
+
+func WithLocker(locker lock.Locker) OptionFunc {
+	return func(opt *Option) {
+		opt.Locker = locker
+	}
+}

internal/admin/server.go

@@ -15,6 +15,7 @@ import (
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/integration"
 	"forge.cadoles.com/cadoles/bouncer/internal/jwk"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	sentryhttp "github.com/getsentry/sentry-go/http"
 	"github.com/go-chi/chi/v5"
@@ -22,15 +23,13 @@ import (
 	"github.com/go-chi/cors"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/redis/go-redis/v9"
 	"gitlab.com/wpetit/goweb/logger"
 )
 
 type Server struct {
 	serverConfig config.AdminServerConfig
-	redisConfig  config.RedisConfig
 
-	redisClient redis.UniversalClient
+	locker lock.Locker
 
 	integrations []integration.Integration
 
@@ -60,12 +59,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	ctx, cancel := context.WithCancel(parentCtx)
 	defer cancel()
 
-	if err := s.initRepositories(ctx); err != nil {
-		errs <- errors.WithStack(err)
-
-		return
-	}
-
 	if err := s.bootstrapProxies(ctx); err != nil {
 		errs <- errors.WithStack(err)
 
@@ -231,8 +224,10 @@ func NewServer(funcs ...OptionFunc) *Server {
 
 	return &Server{
 		serverConfig:    opt.ServerConfig,
-		redisConfig:     opt.RedisConfig,
 		bootstrapConfig: opt.BootstrapConfig,
 		integrations:    opt.Integrations,
+		proxyRepository: opt.ProxyRepository,
+		layerRepository: opt.LayerRepository,
+		locker:          opt.Locker,
 	}
 }

internal/cache/cache.go

@@ -3,4 +3,5 @@ package cache
 type Cache[K comparable, V any] interface {
 	Get(key K) (V, bool)
 	Set(key K, value V)
+	Clear()
 }

internal/cache/memory/cache.go

@@ -25,6 +25,10 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.store.Store(key, value)
 }
 
+func (c *Cache[K, V]) Clear() {
+	c.store.Clear()
+}
+
 func NewCache[K comparable, V any]() *Cache[K, V] {
 	return &Cache[K, V]{
 		store: new(sync.Map),

internal/cache/ttl/cache.go

@@ -28,6 +28,11 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.values.Set(key, value)
 }
 
+func (c *Cache[K, V]) Clear() {
+	c.timestamps.Clear()
+	c.values.Clear()
+}
+
 func NewCache[K comparable, V any](values cache.Cache[K, V], timestamps cache.Cache[K, time.Time], ttl time.Duration) *Cache[K, V] {
 	return &Cache[K, V]{
 		values:     values,

internal/cidr/match.go

@@ -0,0 +1,42 @@
+package cidr
+
+import (
+	"net"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+func MatchAny(hostPort string, CIDRs ...string) (bool, error) {
+	var remoteHost string
+	if strings.Contains(hostPort, ":") {
+		var err error
+		remoteHost, _, err = net.SplitHostPort(hostPort)
+		if err != nil {
+			return false, errors.WithStack(err)
+		}
+	} else {
+		remoteHost = hostPort
+	}
+
+	remoteAddr := net.ParseIP(remoteHost)
+	if remoteAddr == nil {
+		return false, errors.Errorf("remote host '%s' is not a valid ip address", remoteHost)
+	}
+
+	for _, rawCIDR := range CIDRs {
+		_, net, err := net.ParseCIDR(rawCIDR)
+		if err != nil {
+			return false, errors.WithStack(err)
+		}
+
+		match := net.Contains(remoteAddr)
+		if !match {
+			continue
+		}
+
+		return true, nil
+	}
+
+	return false, nil
+}

internal/cidr/match_test.go

@@ -1,15 +1,13 @@
-package network
+package cidr
 
 import (
-	"context"
 	"fmt"
 	"testing"
 
 	"github.com/pkg/errors"
 )
 
-func TestMatchAuthorizedCIDRs(t *testing.T) {
+func TestMatchAny(t *testing.T) {
-
 	type testCase struct {
 		RemoteHostPort  string
 		AuthorizedCIDRs []string
@@ -56,14 +54,16 @@ func TestMatchAuthorizedCIDRs(t *testing.T) {
 			},
 			ExpectedResult: false,
 		},
+		{
+			RemoteHostPort:  "[2001:0db8:0000:85a3:0000:0000:ac1f:8001]:8001",
+			AuthorizedCIDRs: []string{"2000::/3"},
+			ExpectedResult:  true,
+		},
 	}
 
-	auth := Authenticator{}
-	ctx := context.Background()
-
 	for idx, tc := range testCases {
 		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
-			result, err := auth.matchAnyAuthorizedCIDRs(ctx, tc.RemoteHostPort, tc.AuthorizedCIDRs)
+			result, err := MatchAny(tc.RemoteHostPort, tc.AuthorizedCIDRs...)
 
 			if g, e := result, tc.ExpectedResult; e != g {
 				t.Errorf("result: expected '%v', got '%v'", e, g)

internal/command/admin/apierr/wrap.go

@@ -36,7 +36,7 @@ func wrapApiErrorWithMessage(err *api.Error) error {
 		return err
 	}
 
-	return errors.Wrapf(err, message)
+	return errors.Wrap(err, message)
 }
 
 func wrapInvalidFieldValueErr(err *api.Error) error {

internal/command/server/admin/run.go

@@ -6,20 +6,15 @@ import (
 
 	"forge.cadoles.com/cadoles/bouncer/internal/admin"
 	"forge.cadoles.com/cadoles/bouncer/internal/command/common"
+	"forge.cadoles.com/cadoles/bouncer/internal/lock/redis"
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"gitlab.com/wpetit/goweb/logger"
 )
 
-const (
-	flagPrintDefaultToken = "print-default-token"
-)
-
 func RunCommand() *cli.Command {
-	flags := append(
+	flags := common.Flags()
-		common.Flags(),
-	)
 
 	return &cli.Command{
 		Name:  "run",
@@ -34,6 +29,8 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))
 
+			logger.Debug(ctx.Context, "using config", logger.F("config", conf))
+
 			projectVersion := ctx.String("projectVersion")
 
 			if conf.Proxy.Sentry.DSN != "" {
@@ -50,10 +47,26 @@ func RunCommand() *cli.Command {
 				return errors.Wrap(err, "could not setup integrations")
 			}
 
+			redisClient := setup.NewSharedClient(conf.Redis)
+
+			proxyRepository, err := setup.NewProxyRepository(ctx.Context, redisClient)
+			if err != nil {
+				return errors.Wrap(err, "could not initialize proxy repository")
+			}
+
+			layerRepository, err := setup.NewLayerRepository(ctx.Context, redisClient)
+			if err != nil {
+				return errors.Wrap(err, "could not initialize layer repository")
+			}
+
+			locker := redis.NewLocker(redisClient, int(conf.Bootstrap.MaxConnectionRetries))
+
 			srv := admin.NewServer(
 				admin.WithServerConfig(conf.Admin),
-				admin.WithRedisConfig(conf.Redis),
 				admin.WithBootstrapConfig(conf.Bootstrap),
+				admin.WithProxyRepository(proxyRepository),
+				admin.WithLayerRepository(layerRepository),
+				admin.WithLocker(locker),
 				admin.WithIntegrations(integrations...),
 			)
 

internal/command/server/proxy/run.go

@@ -2,12 +2,16 @@ package proxy
 
 import (
 	"fmt"
+	"os"
+	"os/signal"
 	"strings"
+	"syscall"
 	"time"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/command/common"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy"
 	"forge.cadoles.com/cadoles/bouncer/internal/setup"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 	"github.com/urfave/cli/v2"
 	"gitlab.com/wpetit/goweb/logger"
@@ -29,6 +33,8 @@ func RunCommand() *cli.Command {
 			logger.SetFormat(logger.Format(conf.Logger.Format))
 			logger.SetLevel(logger.Level(conf.Logger.Level))
 
+			logger.Debug(ctx.Context, "using config", logger.F("config", conf))
+
 			projectVersion := ctx.String("projectVersion")
 
 			if conf.Proxy.Sentry.DSN != "" {
@@ -45,15 +51,61 @@ func RunCommand() *cli.Command {
 				return errors.Wrap(err, "could not initialize director layers")
 			}
 
+			redisClient := setup.NewSharedClient(conf.Redis)
+
+			proxyRepository, err := setup.NewProxyRepository(ctx.Context, redisClient)
+			if err != nil {
+				return errors.Wrap(err, "could not initialize proxy repository")
+			}
+
+			layerRepository, err := setup.NewLayerRepository(ctx.Context, redisClient)
+			if err != nil {
+				return errors.Wrap(err, "could not initialize layer repository")
+			}
+
 			srv := proxy.NewServer(
 				proxy.WithServerConfig(conf.Proxy),
-				proxy.WithRedisConfig(conf.Redis),
+				proxy.WithProxyRepository(proxyRepository),
+				proxy.WithLayerRepository(layerRepository),
 				proxy.WithDirectorLayers(layers...),
-				proxy.WithDirectorCacheTTL(time.Duration(conf.Proxy.Cache.TTL)),
+				proxy.WithDirectorCacheTTL(time.Duration(*conf.Proxy.Cache.TTL)),
 			)
 
 			addrs, srvErrs := srv.Start(ctx.Context)
 
+			if observableProxyRepository, ok := proxyRepository.(store.Observable); ok {
+				logger.Info(ctx.Context, "observing proxy repository changes")
+				observableProxyRepository.Changes(ctx.Context, func(c store.Change) {
+					logger.Info(ctx.Context, "proxy change detected, clearing cache")
+					srv.ClearProxyCache()
+				})
+			}
+
+			if observableLayerRepository, ok := layerRepository.(store.Observable); ok {
+				logger.Info(ctx.Context, "observing layer repository changes")
+				observableLayerRepository.Changes(ctx.Context, func(c store.Change) {
+					logger.Info(ctx.Context, "layer change detected, clearing cache")
+					srv.ClearLayerCache()
+				})
+			}
+
+			// Clear director's cache on SIGUSR2
+			sig := make(chan os.Signal, 1)
+			signal.Notify(sig, syscall.SIGUSR2)
+
+			go func() {
+				for {
+					select {
+					case <-sig:
+						logger.Info(ctx.Context, "received sigusr2, clearing whole cache")
+						srv.ClearProxyCache()
+						srv.ClearLayerCache()
+					case <-ctx.Context.Done():
+						return
+					}
+				}
+			}()
+
 			select {
 			case addr := <-addrs:
 				url := fmt.Sprintf("http://%s", addr.String())

internal/config/bootstrap.go

@@ -14,7 +14,7 @@ import (
 type BootstrapConfig struct {
 	Proxies              map[store.ProxyName]BootstrapProxyConfig `yaml:"proxies"`
 	Dir                  InterpolatedString                       `yaml:"dir"`
-	LockTimeout          InterpolatedDuration                     `yaml:"lockTimeout"`
+	LockTimeout          *InterpolatedDuration                    `yaml:"lockTimeout"`
 	MaxConnectionRetries InterpolatedInt                          `yaml:"maxRetries"`
 }
 
@@ -65,7 +65,7 @@ type BootstrapLayerConfig struct {
 func NewDefaultBootstrapConfig() BootstrapConfig {
 	return BootstrapConfig{
 		Dir:                  "",
-		LockTimeout:          *NewInterpolatedDuration(30 * time.Second),
+		LockTimeout:          NewInterpolatedDuration(30 * time.Second),
 		MaxConnectionRetries: 10,
 	}
 }

internal/config/environment.go

@@ -19,7 +19,7 @@ func (is *InterpolatedString) UnmarshalYAML(value *yaml.Node) error {
 		return errors.WithStack(err)
 	}
 
-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -38,7 +38,7 @@ func (ii *InterpolatedInt) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
 
-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -62,7 +62,7 @@ func (ifl *InterpolatedFloat) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
 
-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -86,7 +86,7 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
 
-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -101,9 +101,10 @@ func (ib *InterpolatedBool) UnmarshalYAML(value *yaml.Node) error {
 	return nil
 }
 
+var getEnv = os.Getenv
+
 type InterpolatedMap struct {
-	Data   map[string]any
+	Data map[string]any
-	getEnv func(string) string
 }
 
 func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
@@ -113,10 +114,6 @@ func (im *InterpolatedMap) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into map", value.Value, value.Line)
 	}
 
-	if im.getEnv == nil {
-		im.getEnv = os.Getenv
-	}
-
 	interpolated, err := im.interpolateRecursive(data)
 	if err != nil {
 		return errors.WithStack(err)
@@ -140,7 +137,7 @@ func (im InterpolatedMap) interpolateRecursive(data any) (any, error) {
 		}
 
 	case string:
-		value, err := envsubst.Eval(typ, im.getEnv)
+		value, err := envsubst.Eval(typ, getEnv)
 		if err != nil {
 			return nil, errors.WithStack(err)
 		}
@@ -171,7 +168,7 @@ func (iss *InterpolatedStringSlice) UnmarshalYAML(value *yaml.Node) error {
 	}
 
 	for index, value := range data {
-		value, err := envsubst.EvalEnv(value)
+		value, err := envsubst.Eval(value, getEnv)
 		if err != nil {
 			return errors.WithStack(err)
 		}
@@ -193,7 +190,7 @@ func (id *InterpolatedDuration) UnmarshalYAML(value *yaml.Node) error {
 		return errors.Wrapf(err, "could not decode value '%v' (line '%d') into string", value.Value, value.Line)
 	}
 
-	str, err := envsubst.EvalEnv(str)
+	str, err := envsubst.Eval(str, getEnv)
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -223,3 +220,11 @@ func NewInterpolatedDuration(d time.Duration) *InterpolatedDuration {
 	id := InterpolatedDuration(d)
 	return &id
 }
+
+func Default[T any](value *T, defaultValue *T) *T {
+	if value == nil {
+		return defaultValue
+	}
+
+	return value
+}

internal/config/environment_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"testing"
+	"time"
 
 	"github.com/pkg/errors"
 	"gopkg.in/yaml.v3"
@@ -65,7 +66,7 @@ func TestInterpolatedMap(t *testing.T) {
 			var interpolatedMap InterpolatedMap
 
 			if tc.Env != nil {
-				interpolatedMap.getEnv = func(key string) string {
+				getEnv = func(key string) string {
 					return tc.Env[key]
 				}
 			}
@@ -80,3 +81,54 @@ func TestInterpolatedMap(t *testing.T) {
 		})
 	}
 }
+
+func TestInterpolatedDuration(t *testing.T) {
+	type testCase struct {
+		Path   string
+		Env    map[string]string
+		Assert func(t *testing.T, parsed *InterpolatedDuration)
+	}
+
+	testCases := []testCase{
+		{
+			Path: "testdata/environment/interpolated-duration.yml",
+			Env: map[string]string{
+				"MY_DURATION": "30s",
+			},
+			Assert: func(t *testing.T, parsed *InterpolatedDuration) {
+				if e, g := 30*time.Second, parsed; e != time.Duration(*g) {
+					t.Errorf("parsed: expected '%v', got '%v'", e, g)
+				}
+			},
+		},
+	}
+
+	for idx, tc := range testCases {
+		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
+			data, err := os.ReadFile(tc.Path)
+			if err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.Env != nil {
+				getEnv = func(key string) string {
+					return tc.Env[key]
+				}
+			}
+
+			config := struct {
+				Duration *InterpolatedDuration `yaml:"duration"`
+			}{
+				Duration: NewInterpolatedDuration(-1),
+			}
+
+			if err := yaml.Unmarshal(data, &config); err != nil {
+				t.Fatalf("%+v", errors.WithStack(err))
+			}
+
+			if tc.Assert != nil {
+				tc.Assert(t, config.Duration)
+			}
+		})
+	}
+}

internal/config/integrations.go

@@ -16,18 +16,18 @@ func NewDefaultIntegrationsConfig() IntegrationsConfig {
 			PrivateKeySecret:           "",
 			PrivateKeySecretNamespace:  "",
 			ReaderTokenSecret:          "",
-			LockTimeout:                *NewInterpolatedDuration(30 * time.Second),
+			LockTimeout:                NewInterpolatedDuration(30 * time.Second),
 		},
 	}
 }
 
 type KubernetesConfig struct {
-	Enabled                    InterpolatedBool     `yaml:"enabled"`
+	Enabled                    InterpolatedBool      `yaml:"enabled"`
-	WriterTokenSecret          InterpolatedString   `yaml:"writerTokenSecret"`
+	WriterTokenSecret          InterpolatedString    `yaml:"writerTokenSecret"`
-	WriterTokenSecretNamespace InterpolatedString   `yaml:"writerTokenSecretNamespace"`
+	WriterTokenSecretNamespace InterpolatedString    `yaml:"writerTokenSecretNamespace"`
-	ReaderTokenSecret          InterpolatedString   `yaml:"readerTokenSecret"`
+	ReaderTokenSecret          InterpolatedString    `yaml:"readerTokenSecret"`
-	ReaderTokenSecretNamespace InterpolatedString   `yaml:"readerTokenSecretNamespace"`
+	ReaderTokenSecretNamespace InterpolatedString    `yaml:"readerTokenSecretNamespace"`
-	PrivateKeySecret           InterpolatedString   `yaml:"privateKeySecret"`
+	PrivateKeySecret           InterpolatedString    `yaml:"privateKeySecret"`
-	PrivateKeySecretNamespace  InterpolatedString   `yaml:"privateKeySecretNamespace"`
+	PrivateKeySecretNamespace  InterpolatedString    `yaml:"privateKeySecretNamespace"`
-	LockTimeout                InterpolatedDuration `yaml:"lockTimeout"`
+	LockTimeout                *InterpolatedDuration `yaml:"lockTimeout"`
 }

internal/config/layers.go

@@ -20,6 +20,10 @@ func NewDefaultLayersConfig() LayersConfig {
 					TransportConfig: NewDefaultTransportConfig(),
 					Timeout:         NewInterpolatedDuration(10 * time.Second),
 				},
+				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
+			},
+			Sessions: AuthnLayerSessionConfig{
+				TTL: NewInterpolatedDuration(time.Hour),
 			},
 		},
 	}
@@ -31,13 +35,19 @@ type QueueLayerConfig struct {
 }
 
 type AuthnLayerConfig struct {
-	Debug       InterpolatedBool     `yaml:"debug"`
+	Debug       InterpolatedBool        `yaml:"debug"`
-	TemplateDir InterpolatedString   `yaml:"templateDir"`
+	TemplateDir InterpolatedString      `yaml:"templateDir"`
-	OIDC        AuthnOIDCLayerConfig `yaml:"oidc"`
+	OIDC        AuthnOIDCLayerConfig    `yaml:"oidc"`
+	Sessions    AuthnLayerSessionConfig `yaml:"sessions"`
+}
+
+type AuthnLayerSessionConfig struct {
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }
 
 type AuthnOIDCLayerConfig struct {
-	HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
 }
 
 type AuthnOIDCHTTPClientConfig struct {

internal/config/proxy_server.go

@@ -113,12 +113,12 @@ func NewDefaultDialConfig() DialConfig {
 }
 
 type CacheConfig struct {
-	TTL InterpolatedDuration `yaml:"ttl"`
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }
 
 func NewDefaultCacheConfig() CacheConfig {
 	return CacheConfig{
-		TTL: *NewInterpolatedDuration(time.Second * 30),
+		TTL: NewInterpolatedDuration(time.Second * 30),
 	}
 }
 

internal/config/redis.go

@@ -11,33 +11,36 @@ const (
 type RedisConfig struct {
 	Adresses              InterpolatedStringSlice `yaml:"addresses"`
 	Master                InterpolatedString      `yaml:"master"`
-	ReadTimeout           InterpolatedDuration    `yaml:"readTimeout"`
+	ReadTimeout           *InterpolatedDuration   `yaml:"readTimeout"`
-	WriteTimeout          InterpolatedDuration    `yaml:"writeTimeout"`
+	WriteTimeout          *InterpolatedDuration   `yaml:"writeTimeout"`
-	DialTimeout           InterpolatedDuration    `yaml:"dialTimeout"`
+	DialTimeout           *InterpolatedDuration   `yaml:"dialTimeout"`
 	LockMaxRetries        InterpolatedInt         `yaml:"lockMaxRetries"`
 	RouteByLatency        InterpolatedBool        `yaml:"routeByLatency"`
 	ContextTimeoutEnabled InterpolatedBool        `yaml:"contextTimeoutEnabled"`
 	MaxRetries            InterpolatedInt         `yaml:"maxRetries"`
-	PingInterval          InterpolatedDuration    `yaml:"pingInterval"`
+	PingInterval          *InterpolatedDuration   `yaml:"pingInterval"`
 	PoolSize              InterpolatedInt         `yaml:"poolSize"`
-	PoolTimeout           InterpolatedDuration    `yaml:"poolTimeout"`
+	PoolTimeout           *InterpolatedDuration   `yaml:"poolTimeout"`
 	MinIdleConns          InterpolatedInt         `yaml:"minIdleConns"`
 	MaxIdleConns          InterpolatedInt         `yaml:"maxIdleConns"`
-	ConnMaxIdleTime       InterpolatedDuration    `yaml:"connMaxIdleTime"`
+	ConnMaxIdleTime       *InterpolatedDuration   `yaml:"connMaxIdleTime"`
-	ConnMaxLifetime       InterpolatedDuration    `yaml:"connMaxLifeTime"`
+	ConnMaxLifetime       *InterpolatedDuration   `yaml:"connMaxLifeTime"`
 }
 
 func NewDefaultRedisConfig() RedisConfig {
 	return RedisConfig{
 		Adresses:              InterpolatedStringSlice{"localhost:6379"},
 		Master:                "",
-		ReadTimeout:           InterpolatedDuration(30 * time.Second),
+		ReadTimeout:           NewInterpolatedDuration(30 * time.Second),
-		WriteTimeout:          InterpolatedDuration(30 * time.Second),
+		WriteTimeout:          NewInterpolatedDuration(30 * time.Second),
-		DialTimeout:           InterpolatedDuration(30 * time.Second),
+		DialTimeout:           NewInterpolatedDuration(30 * time.Second),
+		PoolTimeout:           NewInterpolatedDuration(31 * time.Second),
 		LockMaxRetries:        10,
 		MaxRetries:            3,
-		PingInterval:          InterpolatedDuration(30 * time.Second),
+		PingInterval:          NewInterpolatedDuration(30 * time.Second),
 		ContextTimeoutEnabled: true,
 		RouteByLatency:        true,
+		ConnMaxIdleTime:       NewInterpolatedDuration(1 * time.Minute),
+		ConnMaxLifetime:       NewInterpolatedDuration(5 * time.Minute),
 	}
 }

internal/config/sentry.go

@@ -32,7 +32,7 @@ func NewDefaultSentryConfig() SentryConfig {
 		EnableTracing:      false,
 		TracesSampleRate:   0.1,
 		ProfilesSampleRate: 0.1,
-		IgnoreErrors:       []string{"context canceled"},
+		IgnoreErrors:       []string{"context canceled", "net/http: abort"},
 		SendDefaultPII:     false,
 		ServerName:         "",
 		Environment:        "",

internal/config/testdata/environment/interpolated-duration.yml

@@ -0,0 +1 @@
+duration: ${MY_DURATION}

internal/proxy/director/context.go

@@ -6,6 +6,7 @@ import (
 	"net/url"
 
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
@@ -17,6 +18,7 @@ const (
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
 	contextKeyHandleError contextKey = "handleError"
+	contextKeySentryScope contextKey = "sentryScope"
 )
 
 var (
@@ -82,3 +84,16 @@ func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, st
 
 	fn(w, r, status, err)
 }
+
+func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
+	return context.WithValue(ctx, contextKeySentryScope, scope)
+}
+
+func SentryScope(ctx context.Context) (*sentry.Scope, error) {
+	scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return scope, nil
+}

internal/proxy/director/director.go

@@ -7,8 +7,9 @@ import (
 
 	"forge.cadoles.com/Cadoles/go-proxy"
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
-	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"gitlab.com/wpetit/goweb/logger"
@@ -19,16 +20,18 @@ type Director struct {
 	layerRepository store.LayerRepository
 	layerRegistry   *LayerRegistry
 
-	proxyCache cache.Cache[string, []*store.Proxy]
+	cachedProxies *syncx.CachedResource[string, []*store.Proxy]
-	layerCache cache.Cache[string, []*store.Layer]
+	cachedLayers  *syncx.CachedResource[string, []*store.Layer]
 
 	handleError HandleErrorFunc
 }
 
+const proxiesCacheKey = "proxies"
+
 func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	ctx := r.Context()
 
-	proxies, err := d.getProxies(ctx)
+	proxies, _, err := d.cachedProxies.Get(ctx, proxiesCacheKey)
 	if err != nil {
 		return r, errors.WithStack(err)
 	}
@@ -53,7 +56,7 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 
 			metricProxyRequestsTotal.With(prometheus.Labels{metricLabelProxy: string(p.Name)}).Add(1)
 
-			proxyLayers, err := d.getLayers(proxyCtx, p.Name)
+			proxyLayers, _, err := d.cachedLayers.Get(proxyCtx, string(p.Name))
 			if err != nil {
 				return r, errors.WithStack(err)
 			}
@@ -76,6 +79,14 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 			proxyCtx = withLayers(proxyCtx, layers)
 			r = r.WithContext(proxyCtx)
 
+			if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
+				sentryScope.SetTags(map[string]string{
+					"bouncer.proxy.name":        string(p.Name),
+					"bouncer.proxy.target.url":  r.URL.String(),
+					"bouncer.proxy.target.host": r.URL.Host,
+				})
+			}
+
 			return r, nil
 		}
 	}
@@ -86,13 +97,8 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 	return r, nil
 }
 
-const proxiesCacheKey = "proxies"
+func (d *Director) getProxies(ctx context.Context, key string) ([]*store.Proxy, error) {
-
+	logger.Debug(ctx, "querying fresh proxies")
-func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
-	proxies, exists := d.proxyCache.Get(proxiesCacheKey)
-	if exists {
-		return proxies, nil
-	}
 
 	headers, err := d.proxyRepository.QueryProxy(ctx, store.WithProxyQueryEnabled(true))
 	if err != nil {
@@ -101,7 +107,7 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 
 	sort.Sort(store.ByProxyWeight(headers))
 
-	proxies = make([]*store.Proxy, 0, len(headers))
+	proxies := make([]*store.Proxy, 0, len(headers))
 
 	for _, h := range headers {
 		if !h.Enabled {
@@ -116,18 +122,13 @@ func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 		proxies = append(proxies, proxy)
 	}
 
-	d.proxyCache.Set(proxiesCacheKey, proxies)
-
 	return proxies, nil
 }
 
-func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]*store.Layer, error) {
+func (d *Director) getLayers(ctx context.Context, rawProxyName string) ([]*store.Layer, error) {
-	cacheKey := "layers-" + string(proxyName)
+	proxyName := store.ProxyName(rawProxyName)
 
-	layers, exists := d.layerCache.Get(cacheKey)
+	logger.Debug(ctx, "querying fresh layers")
-	if exists {
-		return layers, nil
-	}
 
 	headers, err := d.layerRepository.QueryLayers(ctx, proxyName, store.WithLayerQueryEnabled(true))
 	if err != nil {
@@ -136,7 +137,7 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 
 	sort.Sort(store.ByLayerWeight(headers))
 
-	layers = make([]*store.Layer, 0, len(headers))
+	layers := make([]*store.Layer, 0, len(headers))
 
 	for _, h := range headers {
 		if !h.Enabled {
@@ -151,8 +152,6 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]
 		layers = append(layers, layer)
 	}
 
-	d.layerCache.Set(cacheKey, layers)
-
 	return layers, nil
 }
 
@@ -216,40 +215,43 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-			ctx := withHandleError(r.Context(), d.handleError)
+			sentry.ConfigureScope(func(scope *sentry.Scope) {
-			r = r.WithContext(ctx)
+				ctx := withHandleError(r.Context(), d.handleError)
+				ctx = withSentryScope(ctx, scope)
+				r = r.WithContext(ctx)
 
-			r, err := d.rewriteRequest(r)
+				r, err := d.rewriteRequest(r)
-			if err != nil {
+				if err != nil {
-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
-				return
-			}
-
-			ctx = r.Context()
-
-			layers, err := ctxLayers(ctx)
-			if err != nil {
-				if errors.Is(err, errContextKeyNotFound) {
 					return
 				}
 
-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
+				ctx = r.Context()
-				return
-			}
 
-			httpMiddlewares := make([]proxy.Middleware, 0)
+				layers, err := ctxLayers(ctx)
-			for _, layer := range layers {
+				if err != nil {
-				middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
+					if errors.Is(err, errContextKeyNotFound) {
-				if !ok {
+						return
-					continue
+					}
+
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
+					return
 				}
 
-				httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
+				httpMiddlewares := make([]proxy.Middleware, 0)
-			}
+				for _, layer := range layers {
+					middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
+					if !ok {
+						continue
+					}
 
-			handler := createMiddlewareChain(next, httpMiddlewares)
+					httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
+				}
 
-			handler.ServeHTTP(w, r)
+				handler := createMiddlewareChain(next, httpMiddlewares)
+
+				handler.ServeHTTP(w, r)
+			})
 		}
 
 		return http.HandlerFunc(fn)
@@ -261,12 +263,15 @@ func New(proxyRepository store.ProxyRepository, layerRepository store.LayerRepos
 
 	registry := NewLayerRegistry(opts.Layers...)
 
-	return &Director{
+	director := &Director{
 		proxyRepository: proxyRepository,
 		layerRepository: layerRepository,
 		layerRegistry:   registry,
-		proxyCache:      opts.ProxyCache,
-		layerCache:      opts.LayerCache,
 		handleError:     opts.HandleError,
 	}
+
+	director.cachedProxies = syncx.NewCachedResource(opts.ProxyCache, director.getProxies)
+	director.cachedLayers = syncx.NewCachedResource(opts.LayerCache, director.getLayers)
+
+	return director
 }

internal/proxy/director/layer/authn/basic/authenticator.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 
+	"forge.cadoles.com/cadoles/bouncer/internal/cidr"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
@@ -23,6 +24,16 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 		return nil, errors.WithStack(err)
 	}
 
+	matches, err := cidr.MatchAny(r.RemoteAddr, options.AuthorizedCIDRs...)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	if matches {
+		user := authn.NewUser(r.RemoteAddr, map[string]any{})
+		return user, nil
+	}
+
 	username, password, ok := r.BasicAuth()
 
 	unauthorized := func() {

internal/proxy/director/layer/authn/basic/authenticator_test.go

@@ -0,0 +1,130 @@
+package basic
+
+import (
+	"encoding/base64"
+	"net/http/httptest"
+	"testing"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+)
+
+func TestAuthenticatorWithCredentials(t *testing.T) {
+	r := httptest.NewRequest("GET", "/", nil)
+	w := httptest.NewRecorder()
+
+	r.Header.Set("Authorization", "Basic "+basicAuth("foo", "bar"))
+
+	authenticator := &Authenticator{}
+
+	layer := &store.Layer{
+		LayerHeader: store.LayerHeader{
+			Proxy:    "test",
+			Name:     "test",
+			Revision: 0,
+			Type:     LayerType,
+			Enabled:  true,
+		},
+		Options: store.LayerOptions{
+			"users": []map[string]any{
+				{
+					"username":     "foo",
+					"passwordHash": "$2y$10$S3CfWRRMbOrOu3zUapZnfeU8xLtjH.MycWcvMRVHdc9RAty8lnn5q",
+				},
+			},
+		},
+	}
+
+	user, err := authenticator.Authenticate(w, r, layer)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if user == nil {
+		t.Fatalf("user should not be nil")
+	}
+
+	if e, g := "foo", user.Subject; e != g {
+		t.Fatalf("user.Subject: expected '%v', got '%v'", e, g)
+	}
+
+	r = httptest.NewRequest("GET", "/", nil)
+	w = httptest.NewRecorder()
+
+	r.Header.Set("Authorization", "Basic "+basicAuth("foo", "qsdq;sdqks"))
+
+	user, err = authenticator.Authenticate(w, r, layer)
+	if err == nil {
+		t.Errorf("err should not be nil")
+	}
+
+	if !errors.Is(err, authn.ErrSkipRequest) {
+		t.Errorf("err: expected %T, got %T", authn.ErrSkipRequest, err)
+	}
+
+	if user != nil {
+		t.Errorf("user should be nil")
+	}
+}
+
+func TestAuthenticatorWithAuthorizedRemoteAddr(t *testing.T) {
+	r := httptest.NewRequest("GET", "/", nil)
+	w := httptest.NewRecorder()
+
+	// Authorized address
+	r.RemoteAddr = "192.168.30.21"
+
+	authenticator := &Authenticator{}
+
+	layer := &store.Layer{
+		LayerHeader: store.LayerHeader{
+			Proxy:    "test",
+			Name:     "test",
+			Revision: 0,
+			Type:     LayerType,
+			Enabled:  true,
+		},
+		Options: store.LayerOptions{
+			"users":           []map[string]any{},
+			"authorizedCIDRs": []string{"192.168.30.1/24"},
+		},
+	}
+
+	user, err := authenticator.Authenticate(w, r, layer)
+	if err != nil {
+		t.Fatalf("%+v", errors.WithStack(err))
+	}
+
+	if user == nil {
+		t.Fatalf("user should not be nil")
+	}
+
+	if e, g := "192.168.30.21", user.Subject; e != g {
+		t.Fatalf("user.Subject: expected '%v', got '%v'", e, g)
+	}
+
+	r = httptest.NewRequest("GET", "/", nil)
+	w = httptest.NewRecorder()
+
+	// Unauthorized address
+	r.RemoteAddr = "192.168.40.36"
+
+	user, err = authenticator.Authenticate(w, r, layer)
+	if err == nil {
+		t.Errorf("err should not be nil")
+	}
+
+	if !errors.Is(err, authn.ErrSkipRequest) {
+		t.Errorf("err: expected %T, got %T", authn.ErrSkipRequest, err)
+	}
+
+	if user != nil {
+		t.Errorf("user should be nil")
+	}
+}
+
+func basicAuth(username, password string) string {
+	auth := username + ":" + password
+	return base64.StdEncoding.EncodeToString([]byte(auth))
+}

internal/proxy/director/layer/authn/basic/layer-options.json

@@ -34,6 +34,14 @@
                 ],
                 "additionalProperties": false
             }
+        },
+        "authorizedCIDRs": {
+            "title": "Liste des adresses réseau d'origine autorisées à contourner l'authentification (au format CIDR)",
+            "default": [],
+            "type": "array",
+            "items": {
+                "type": "string"
+            }
         }
     },
     "additionalProperties": false

internal/proxy/director/layer/authn/basic/layer_options.go

@@ -9,8 +9,9 @@ import (
 
 type LayerOptions struct {
 	authn.LayerOptions
-	Users []User `mapstructure:"users"`
+	Users           []User   `mapstructure:"users"`
-	Realm string `mapstructure:"realm"`
+	Realm           string   `mapstructure:"realm"`
+	AuthorizedCIDRs []string `mapstructure:"authorizedCIDRs"`
 }
 
 type User struct {
@@ -21,9 +22,10 @@ type User struct {
 
 func fromStoreOptions(storeOptions store.LayerOptions) (*LayerOptions, error) {
 	layerOptions := LayerOptions{
-		LayerOptions: authn.DefaultLayerOptions(),
+		LayerOptions:    authn.DefaultLayerOptions(),
-		Realm:        "Restricted area",
+		Realm:           "Restricted area",
-		Users:        make([]User, 0),
+		Users:           make([]User, 0),
+		AuthorizedCIDRs: make([]string, 0),
 	}
 
 	config := mapstructure.DecoderConfig{

internal/proxy/director/layer/authn/network/authenticator.go

@@ -1,16 +1,13 @@
 package network
 
 import (
-	"context"
-	"net"
 	"net/http"
-	"strings"
 
+	"forge.cadoles.com/cadoles/bouncer/internal/cidr"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
-	"gitlab.com/wpetit/goweb/logger"
 )
 
 type Authenticator struct {
@@ -18,14 +15,12 @@ type Authenticator struct {
 
 // Authenticate implements authn.Authenticator.
 func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, layer *store.Layer) (*authn.User, error) {
-	ctx := r.Context()
-
 	options, err := fromStoreOptions(layer.Options)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
 
-	matches, err := a.matchAnyAuthorizedCIDRs(ctx, r.RemoteAddr, options.AuthorizedCIDRs)
+	matches, err := cidr.MatchAny(r.RemoteAddr, options.AuthorizedCIDRs...)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -49,42 +44,6 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 	return user, nil
 }
 
-func (a *Authenticator) matchAnyAuthorizedCIDRs(ctx context.Context, remoteHostPort string, CIDRs []string) (bool, error) {
-	var remoteHost string
-	if strings.Contains(remoteHostPort, ":") {
-		var err error
-		remoteHost, _, err = net.SplitHostPort(remoteHostPort)
-		if err != nil {
-			return false, errors.WithStack(err)
-		}
-	} else {
-		remoteHost = remoteHostPort
-	}
-
-	remoteAddr := net.ParseIP(remoteHost)
-	if remoteAddr == nil {
-		return false, errors.Errorf("remote host '%s' is not a valid ip address", remoteHost)
-	}
-
-	for _, rawCIDR := range CIDRs {
-		_, net, err := net.ParseCIDR(rawCIDR)
-		if err != nil {
-			return false, errors.WithStack(err)
-		}
-
-		match := net.Contains(remoteAddr)
-		if !match {
-			continue
-		}
-
-		return true, nil
-	}
-
-	logger.Debug(ctx, "comparing remote host with authorized cidrs", logger.F("remoteAddr", remoteAddr))
-
-	return false, nil
-}
-
 var (
 	_ authn.Authenticator = &Authenticator{}
 )

internal/proxy/director/layer/authn/oidc/authenticator.go

@@ -13,9 +13,12 @@ import (
 	"time"
 
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"forge.cadoles.com/cadoles/bouncer/internal/syncx"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 	"github.com/pkg/errors"
@@ -24,9 +27,10 @@ import (
 )
 
 type Authenticator struct {
-	store             sessions.Store
+	store              sessions.Store
-	httpTransport     *http.Transport
+	httpTransport      *http.Transport
-	httpClientTimeout time.Duration
+	httpClientTimeout  time.Duration
+	cachedOIDCProvider *syncx.CachedResource[string, *oidc.Provider]
 }
 
 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@@ -52,7 +56,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
 		return errors.WithStack(err)
 	}
 
-	client, err := a.getClient(options, loginCallbackURL.String())
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
 	if err != nil {
 		return errors.WithStack(err)
 	}
@@ -158,7 +162,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 		return nil, errors.WithStack(err)
 	}
 
-	client, err := a.getClient(options, loginCallbackURL.String())
+	client, err := a.getClient(ctx, options, loginCallbackURL.String())
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -360,9 +364,7 @@ func (a *Authenticator) templatize(rawTemplate string, proxyName store.ProxyName
 	return raw.String(), nil
 }
 
-func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*Client, error) {
+func (a *Authenticator) getClient(ctx context.Context, options *LayerOptions, redirectURL string) (*Client, error) {
-	ctx := context.Background()
-
 	transport := a.httpTransport.Clone()
 
 	if options.OIDC.TLSInsecureSkipVerify {
@@ -373,6 +375,10 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		transport.TLSClientConfig.InsecureSkipVerify = true
 	}
 
+	if options.OIDC.SkipIssuerVerification {
+		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
+	}
+
 	httpClient := &http.Client{
 		Timeout:   a.httpClientTimeout,
 		Transport: transport,
@@ -384,9 +390,9 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
 	}
 
-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+	provider, _, err := a.cachedOIDCProvider.Get(ctx, options.OIDC.IssuerURL)
 	if err != nil {
-		return nil, errors.Wrap(err, "could not create oidc provider")
+		return nil, errors.Wrap(err, "could not retrieve oidc provider")
 	}
 
 	client := NewClient(
@@ -401,6 +407,17 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 	return client, nil
 }
 
+func (a *Authenticator) getOIDCProvider(ctx context.Context, issuerURL string) (*oidc.Provider, error) {
+	logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", issuerURL))
+
+	provider, err := oidc.NewProvider(ctx, issuerURL)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not create oidc provider")
+	}
+
+	return provider, nil
+}
+
 const defaultCookieNamePrefix = "_bouncer_authn_oidc"
 
 func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyName, layerName store.LayerName) string {
@@ -411,6 +428,25 @@ func (a *Authenticator) getCookieName(cookieName string, proxyName store.ProxyNa
 	return strings.ToLower(fmt.Sprintf("%s_%s_%s", defaultCookieNamePrefix, proxyName, layerName))
 }
 
+func NewAuthenticator(httpTransport *http.Transport, clientTimeout time.Duration, store sessions.Store, oidcProviderCacheTimeout time.Duration) *Authenticator {
+	authenticator := &Authenticator{
+		httpTransport:     httpTransport,
+		httpClientTimeout: clientTimeout,
+		store:             store,
+	}
+
+	authenticator.cachedOIDCProvider = syncx.NewCachedResource(
+		ttl.NewCache(
+			memory.NewCache[string, *oidc.Provider](),
+			memory.NewCache[string, time.Time](),
+			oidcProviderCacheTimeout,
+		),
+		authenticator.getOIDCProvider,
+	)
+
+	return authenticator
+}
+
 var (
 	_ authn.PreAuthentication = &Authenticator{}
 	_ authn.Authenticator     = &Authenticator{}

internal/proxy/director/layer/authn/oidc/client.go

@@ -69,7 +69,7 @@ func (c *Client) login(w http.ResponseWriter, r *http.Request, sess *sessions.Se
 	sess.Values[sessionKeyPostLoginRedirectURL] = postLoginRedirectURL
 
 	if err := sess.Save(r, w); err != nil {
-		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not save session"))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
 
 		return
 	}

internal/proxy/director/layer/authn/oidc/layer.go

@@ -10,9 +10,11 @@ const LayerType store.LayerType = "authn-oidc"
 
 func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 	opts := NewOptions(funcs...)
-	return authn.NewLayer(LayerType, &Authenticator{
+	authenticator := NewAuthenticator(
-		httpTransport:     opts.HTTPTransport,
+		opts.HTTPTransport,
-		httpClientTimeout: opts.HTTPClientTimeout,
+		opts.HTTPClientTimeout,
-		store:             store,
+		store,
-	}, opts.AuthnOptions...)
+		opts.OIDCProviderCacheTimeout,
+	)
+	return authn.NewLayer(LayerType, authenticator, opts.AuthnOptions...)
 }

internal/proxy/director/layer/authn/oidc/options.go

@@ -8,9 +8,10 @@ import (
 )
 
 type Options struct {
-	HTTPTransport     *http.Transport
+	HTTPTransport            *http.Transport
-	HTTPClientTimeout time.Duration
+	HTTPClientTimeout        time.Duration
-	AuthnOptions      []authn.OptionFunc
+	AuthnOptions             []authn.OptionFunc
+	OIDCProviderCacheTimeout time.Duration
 }
 
 type OptionFunc func(opts *Options)
@@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
 	}
 }
 
+func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.OIDCProviderCacheTimeout = timeout
+	}
+}
+
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
-		HTTPTransport:     http.DefaultTransport.(*http.Transport),
+		HTTPTransport:            http.DefaultTransport.(*http.Transport),
-		HTTPClientTimeout: 30 * time.Second,
+		HTTPClientTimeout:        30 * time.Second,
-		AuthnOptions:      make([]authn.OptionFunc, 0),
+		AuthnOptions:             make([]authn.OptionFunc, 0),
+		OIDCProviderCacheTimeout: time.Hour,
 	}
 
 	for _, fn := range funcs {

internal/proxy/director/layer/queue/queue.go

@@ -54,7 +54,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options, q.defaultKeepAlive)
 			if err != nil {
-				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not parse layer options"))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				return
 			}
 
@@ -89,7 +89,7 @@ func (q *Queue) Middleware(layer *store.Layer) proxy.Middleware {
 
 			rank, err := q.adapter.Touch(ctx, queueName, sessionID)
 			if err != nil {
-				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not retrieve session rank"))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not update queue session rank"))
 				return
 			}
 
@@ -142,7 +142,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 
 	status, err := q.adapter.Status(ctx, queueName)
 	if err != nil {
-		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not retrieve queue status"))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve queue status"))
 		return
 	}
 
@@ -191,7 +191,7 @@ func (q *Queue) renderQueuePage(w http.ResponseWriter, r *http.Request, queueNam
 	var buf bytes.Buffer
 
 	if err := q.tmpl.ExecuteTemplate(&buf, "queue", templateData); err != nil {
-		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not render queue page"))
+		director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not render queue page"))
 		return
 	}
 

internal/proxy/director/layer/rewriter/layer.go

@@ -31,7 +31,7 @@ func (l *Layer) Middleware(layer *store.Layer) proxy.Middleware {
 
 			options, err := fromStoreOptions(layer.Options)
 			if err != nil {
-				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.New("could not parse layer options"))
+				director.HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not parse layer options"))
 				return
 			}
 

internal/proxy/init.go

@@ -1,45 +0,0 @@
-package proxy
-
-import (
-	"context"
-
-	"forge.cadoles.com/cadoles/bouncer/internal/setup"
-	"github.com/pkg/errors"
-	"github.com/redis/go-redis/v9"
-)
-
-func (s *Server) initRepositories(ctx context.Context) error {
-	client := setup.NewSharedClient(s.redisConfig)
-
-	if err := s.initProxyRepository(ctx, client); err != nil {
-		return errors.WithStack(err)
-	}
-
-	if err := s.initLayerRepository(ctx, client); err != nil {
-		return errors.WithStack(err)
-	}
-
-	return nil
-}
-
-func (s *Server) initProxyRepository(ctx context.Context, client redis.UniversalClient) error {
-	proxyRepository, err := setup.NewProxyRepository(ctx, client)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	s.proxyRepository = proxyRepository
-
-	return nil
-}
-
-func (s *Server) initLayerRepository(ctx context.Context, client redis.UniversalClient) error {
-	layerRepository, err := setup.NewLayerRepository(ctx, client)
-	if err != nil {
-		return errors.WithStack(err)
-	}
-
-	s.layerRepository = layerRepository
-
-	return nil
-}

internal/proxy/option.go

@@ -5,13 +5,16 @@ import (
 
 	"forge.cadoles.com/cadoles/bouncer/internal/config"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
 )
 
 type Option struct {
 	ServerConfig     config.ProxyServerConfig
-	RedisConfig      config.RedisConfig
 	DirectorLayers   []director.Layer
 	DirectorCacheTTL time.Duration
+
+	ProxyRepository store.ProxyRepository
+	LayerRepository store.LayerRepository
 }
 
 type OptionFunc func(*Option)
@@ -19,7 +22,6 @@ type OptionFunc func(*Option)
 func defaultOption() *Option {
 	return &Option{
 		ServerConfig:     config.NewDefaultProxyServerConfig(),
-		RedisConfig:      config.NewDefaultRedisConfig(),
 		DirectorLayers:   make([]director.Layer, 0),
 		DirectorCacheTTL: 30 * time.Second,
 	}
@@ -31,12 +33,6 @@ func WithServerConfig(conf config.ProxyServerConfig) OptionFunc {
 	}
 }
 
-func WithRedisConfig(conf config.RedisConfig) OptionFunc {
-	return func(opt *Option) {
-		opt.RedisConfig = conf
-	}
-}
-
 func WithDirectorLayers(layers ...director.Layer) OptionFunc {
 	return func(opt *Option) {
 		opt.DirectorLayers = layers
@@ -48,3 +44,15 @@ func WithDirectorCacheTTL(ttl time.Duration) OptionFunc {
 		opt.DirectorCacheTTL = ttl
 	}
 }
+
+func WithLayerRepository(layerRepository store.LayerRepository) OptionFunc {
+	return func(opt *Option) {
+		opt.LayerRepository = layerRepository
+	}
+}
+
+func WithProxyRepository(proxyRepository store.ProxyRepository) OptionFunc {
+	return func(opt *Option) {
+		opt.ProxyRepository = proxyRepository
+	}
+}

internal/proxy/server.go

@@ -18,6 +18,7 @@ import (
 	"time"
 
 	"forge.cadoles.com/Cadoles/go-proxy"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	bouncerChi "forge.cadoles.com/cadoles/bouncer/internal/chi"
@@ -35,12 +36,14 @@ import (
 )
 
 type Server struct {
-	serverConfig     config.ProxyServerConfig
+	serverConfig   config.ProxyServerConfig
-	redisConfig      config.RedisConfig
+	directorLayers []director.Layer
-	directorLayers   []director.Layer
+
-	directorCacheTTL time.Duration
+	proxyRepository store.ProxyRepository
-	proxyRepository  store.ProxyRepository
+	layerRepository store.LayerRepository
-	layerRepository  store.LayerRepository
+
+	layerCache cache.Cache[string, []*store.Layer]
+	proxyCache cache.Cache[string, []*store.Proxy]
 }
 
 func (s *Server) Start(ctx context.Context) (<-chan net.Addr, <-chan error) {
@@ -52,6 +55,14 @@ func (s *Server) Start(ctx context.Context) (<-chan net.Addr, <-chan error) {
 	return addrs, errs
 }
 
+func (s *Server) ClearProxyCache() {
+	s.proxyCache.Clear()
+}
+
+func (s *Server) ClearLayerCache() {
+	s.layerCache.Clear()
+}
+
 func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan error) {
 	defer func() {
 		close(errs)
@@ -61,12 +72,6 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	ctx, cancel := context.WithCancel(parentCtx)
 	defer cancel()
 
-	if err := s.initRepositories(ctx); err != nil {
-		errs <- errors.WithStack(err)
-
-		return
-	}
-
 	listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", s.serverConfig.HTTP.Host, s.serverConfig.HTTP.Port))
 	if err != nil {
 		errs <- errors.WithStack(err)
@@ -98,20 +103,8 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 		s.proxyRepository,
 		s.layerRepository,
 		director.WithLayers(s.directorLayers...),
-		director.WithLayerCache(
+		director.WithLayerCache(s.layerCache),
-			ttl.NewCache(
+		director.WithProxyCache(s.proxyCache),
-				memory.NewCache[string, []*store.Layer](),
-				memory.NewCache[string, time.Time](),
-				s.directorCacheTTL,
-			),
-		),
-		director.WithProxyCache(
-			ttl.NewCache(
-				memory.NewCache[string, []*store.Proxy](),
-				memory.NewCache[string, time.Time](),
-				s.directorCacheTTL,
-			),
-		),
 		director.WithHandleErrorFunc(s.handleError),
 	)
 
@@ -233,9 +226,7 @@ func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
 func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)
 
-	if errors.Is(err, context.Canceled) {
+	if !errors.Is(err, context.Canceled) {
-		logger.Warn(r.Context(), err.Error(), logger.E(err))
-	} else {
 		logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
 	}
 
@@ -315,9 +306,21 @@ func NewServer(funcs ...OptionFunc) *Server {
 	}
 
 	return &Server{
-		serverConfig:     opt.ServerConfig,
+		serverConfig:   opt.ServerConfig,
-		redisConfig:      opt.RedisConfig,
+		directorLayers: opt.DirectorLayers,
-		directorLayers:   opt.DirectorLayers,
+
-		directorCacheTTL: opt.DirectorCacheTTL,
+		proxyRepository: opt.ProxyRepository,
+		layerRepository: opt.LayerRepository,
+
+		layerCache: ttl.NewCache(
+			memory.NewCache[string, []*store.Layer](),
+			memory.NewCache[string, time.Time](),
+			opt.DirectorCacheTTL,
+		),
+		proxyCache: ttl.NewCache(
+			memory.NewCache[string, []*store.Proxy](),
+			memory.NewCache[string, time.Time](),
+			opt.DirectorCacheTTL,
+		),
 	}
 }

internal/session/options.go

@@ -10,6 +10,7 @@ import (
 type Options struct {
 	Session   sessions.Options
 	KeyPrefix string
+	TTL       time.Duration
 }
 
 type OptionFunc func(opts *Options)
@@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			SameSite: http.SameSiteDefaultMode,
 		},
 		KeyPrefix: "session:",
+		TTL:       time.Hour,
 	}
 
 	for _, fn := range funcs {
@@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
 		opts.KeyPrefix = prefix
 	}
 }
+
+func WithTTL(ttl time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.TTL = ttl
+	}
+}

internal/session/store.go

@@ -31,6 +31,7 @@ type Store struct {
 	keyPrefix  string
 	keyGen     KeyGenFunc
 	serializer SessionSerializer
+	ttl        time.Duration
 }
 
 type KeyGenFunc func() (string, error)
@@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
 		keyPrefix:  opts.KeyPrefix,
 		keyGen:     generateRandomKey,
 		serializer: GobSerializer{},
+		ttl:        opts.TTL,
 	}
 
 	return rs
@@ -62,20 +64,21 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
 	if err != nil {
 		return session, nil
 	}
+
 	session.ID = c.Value
 
 	err = s.load(r.Context(), session)
 	if err == nil {
 		session.IsNew = false
 	} else if !errors.Is(err, ErrNotFound) {
-		return nil, errors.WithStack(err)
+		return session, errors.WithStack(err)
 	}
 
 	return session, nil
 }
 
 func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
-	if session.Options.MaxAge <= 0 {
+	if session.Options.MaxAge < 0 {
 		if err := s.delete(r.Context(), session); err != nil {
 			return errors.WithStack(err)
 		}
@@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
 		return errors.WithStack(err)
 	}
 
-	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
+	ttl := time.Duration(session.Options.MaxAge) * time.Second
+	if s.ttl < ttl || ttl == 0 {
+		ttl = s.ttl
+	}
+
+	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
 		return errors.WithStack(err)
 	}
 

internal/setup/authn_oidc_layer.go

@@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
 			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 		),
+		oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
 	), nil
 }

internal/setup/integrations.go

@@ -39,7 +39,7 @@ func setupKubernetesIntegration(ctx context.Context, conf *config.Config) (*kube
 		kubernetes.WithPrivateKeySecretNamespace(string(conf.Integrations.Kubernetes.PrivateKeySecretNamespace)),
 		kubernetes.WithIssuer(string(conf.Admin.Auth.Issuer)),
 		kubernetes.WithLocker(locker),
-		kubernetes.WithLockTimeout(time.Duration(conf.Integrations.Kubernetes.LockTimeout)),
+		kubernetes.WithLockTimeout(time.Duration(*conf.Integrations.Kubernetes.LockTimeout)),
 	)
 
 	return integration, nil

internal/setup/redis.go

@@ -35,44 +35,52 @@ func newRedisClient(conf config.RedisConfig) redis.UniversalClient {
 	client := redis.NewUniversalClient(&redis.UniversalOptions{
 		Addrs:                 conf.Adresses,
 		MasterName:            string(conf.Master),
-		ReadTimeout:           time.Duration(conf.ReadTimeout),
+		ReadTimeout:           time.Duration(*conf.ReadTimeout),
-		WriteTimeout:          time.Duration(conf.WriteTimeout),
+		WriteTimeout:          time.Duration(*conf.WriteTimeout),
-		DialTimeout:           time.Duration(conf.DialTimeout),
+		DialTimeout:           time.Duration(*conf.DialTimeout),
 		RouteByLatency:        bool(conf.RouteByLatency),
 		ContextTimeoutEnabled: bool(conf.ContextTimeoutEnabled),
 		MaxRetries:            int(conf.MaxRetries),
 		PoolSize:              int(conf.PoolSize),
-		PoolTimeout:           time.Duration(conf.PoolTimeout),
+		PoolTimeout:           time.Duration(*conf.PoolTimeout),
 		MinIdleConns:          int(conf.MinIdleConns),
 		MaxIdleConns:          int(conf.MaxIdleConns),
-		ConnMaxIdleTime:       time.Duration(conf.ConnMaxIdleTime),
+		ConnMaxIdleTime:       time.Duration(*conf.ConnMaxIdleTime),
-		ConnMaxLifetime:       time.Duration(conf.ConnMaxLifetime),
+		ConnMaxLifetime:       time.Duration(*conf.ConnMaxLifetime),
 	})
 
-	go func() {
+	ctx := context.Background()
-		ctx := logger.With(context.Background(),
-			logger.F("adresses", conf.Adresses),
-			logger.F("master", conf.Master),
-		)
 
-		timer := time.NewTicker(time.Duration(conf.PingInterval))
+	pingInterval := time.Duration(*conf.PingInterval)
-		defer timer.Stop()
 
-		connected := true
+	if pingInterval > 0 {
+		go func() {
+			ctx := logger.With(ctx,
+				logger.F("adresses", conf.Adresses),
+				logger.F("master", conf.Master),
+			)
 
-		for range timer.C {
+			timer := time.NewTicker(pingInterval)
-			if _, err := client.Ping(ctx).Result(); err != nil {
+			defer timer.Stop()
-				logger.Error(ctx, "redis disconnected", logger.CapturedE(errors.WithStack(err)))
+
-				connected = false
+			connected := true
-				continue
+
+			for range timer.C {
+				if _, err := client.Ping(ctx).Result(); err != nil {
+					logger.Error(ctx, "redis disconnected", logger.CapturedE(errors.WithStack(err)))
+					connected = false
+					continue
+				}
+
+				if !connected {
+					logger.Info(ctx, "redis reconnected")
+					connected = true
+				}
 			}
-
+		}()
-			if !connected {
+	} else {
-				logger.Info(ctx, "redis reconnected")
+		logger.Warn(ctx, "redis ping interval at 0, disabling")
-				connected = true
+	}
-			}
-		}
-	}()
 
 	return client
 }

internal/store/observable.go

@@ -0,0 +1,11 @@
+package store
+
+import "context"
+
+type Change interface {
+	Change()
+}
+
+type Observable interface {
+	Changes(ctx context.Context, fn func(Change))
+}

internal/store/redis/layer_observable.go

@@ -0,0 +1,87 @@
+package redis
+
+import (
+	"bytes"
+	"context"
+	"encoding/gob"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+func init() {
+	gob.Register(&LayerChange{})
+}
+
+type LayerChange struct {
+	Operation ChangeOperation
+	Proxy     store.ProxyName
+	Layer     store.LayerName
+}
+
+// Change implements store.Change.
+func (p *LayerChange) Change() {}
+
+func NewLayerChange(op ChangeOperation, proxyName store.ProxyName, layerName store.LayerName) *LayerChange {
+	return &LayerChange{
+		Operation: op,
+		Proxy:     proxyName,
+		Layer:     layerName,
+	}
+}
+
+var _ store.Change = &ProxyChange{}
+
+const layerChangeChannel string = "layer-changes"
+
+// Changes implements store.Observable.
+func (r *LayerRepository) Changes(ctx context.Context, fn func(store.Change)) {
+	go func() {
+		sub := r.client.Subscribe(ctx, layerChangeChannel)
+		defer sub.Close()
+
+		for {
+			var buff bytes.Buffer
+			decoder := gob.NewDecoder(&buff)
+
+			msg, err := sub.ReceiveMessage(ctx)
+			if err != nil {
+				logger.Error(ctx, "could not receive message", logger.E(errors.WithStack(err)))
+				return
+			}
+
+			buff.Reset()
+			buff.WriteString(msg.Payload)
+
+			change := &ProxyChange{}
+			if err := decoder.Decode(change); err != nil {
+				logger.Error(ctx, "could not decode message", logger.E(errors.WithStack(err)))
+				continue
+			}
+
+			fn(change)
+		}
+	}()
+}
+
+func (r *LayerRepository) notifyChange(op ChangeOperation, proxyName store.ProxyName, layerName store.LayerName) {
+	change := NewLayerChange(op, proxyName, layerName)
+
+	var buff bytes.Buffer
+	encoder := gob.NewEncoder(&buff)
+
+	ctx := context.Background()
+
+	if err := encoder.Encode(change); err != nil {
+		logger.Error(ctx, "could not encode message", logger.E(errors.WithStack(err)))
+		return
+	}
+
+	if err := r.client.Publish(ctx, layerChangeChannel, buff.Bytes()).Err(); err != nil {
+		logger.Error(ctx, "could not publish message", logger.E(errors.WithStack(err)))
+		return
+	}
+}
+
+var _ store.Observable = &LayerRepository{}

internal/store/redis/layer_repository.go

@@ -73,6 +73,8 @@ func (r *LayerRepository) CreateLayer(ctx context.Context, proxyName store.Proxy
 		return nil, errors.WithStack(err)
 	}
 
+	go r.notifyChange(CreateOperation, proxyName, layerName)
+
 	return &store.Layer{
 		LayerHeader: store.LayerHeader{
 			Name:    store.LayerName(layerItem.Name),
@@ -96,6 +98,8 @@ func (r *LayerRepository) DeleteLayer(ctx context.Context, proxyName store.Proxy
 		return errors.WithStack(cmd.Err())
 	}
 
+	go r.notifyChange(DeleteOperation, proxyName, layerName)
+
 	return nil
 }
 
@@ -249,6 +253,8 @@ func (r *LayerRepository) UpdateLayer(ctx context.Context, proxyName store.Proxy
 		return nil, errors.WithStack(err)
 	}
 
+	go r.notifyChange(UpdateOperation, proxyName, layerName)
+
 	return layer, nil
 }
 

internal/store/redis/observable.go

@@ -0,0 +1,9 @@
+package redis
+
+type ChangeOperation int
+
+const (
+	CreateOperation ChangeOperation = iota
+	UpdateOperation
+	DeleteOperation
+)

internal/store/redis/proxy_observable.go

@@ -0,0 +1,85 @@
+package redis
+
+import (
+	"bytes"
+	"context"
+	"encoding/gob"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/pkg/errors"
+	"gitlab.com/wpetit/goweb/logger"
+)
+
+func init() {
+	gob.Register(&ProxyChange{})
+}
+
+type ProxyChange struct {
+	Operation ChangeOperation
+	Proxy     store.ProxyName
+}
+
+// Change implements store.Change.
+func (p *ProxyChange) Change() {}
+
+func NewProxyChange(op ChangeOperation, name store.ProxyName) *ProxyChange {
+	return &ProxyChange{
+		Operation: op,
+		Proxy:     name,
+	}
+}
+
+var _ store.Change = &ProxyChange{}
+
+const proxyChangeChannel string = "proxy-changes"
+
+// Changes implements store.Observable.
+func (r *ProxyRepository) Changes(ctx context.Context, fn func(store.Change)) {
+	go func() {
+		sub := r.client.Subscribe(ctx, proxyChangeChannel)
+		defer sub.Close()
+
+		for {
+			var buff bytes.Buffer
+			decoder := gob.NewDecoder(&buff)
+
+			msg, err := sub.ReceiveMessage(ctx)
+			if err != nil {
+				logger.Error(ctx, "could not receive message", logger.E(errors.WithStack(err)))
+				return
+			}
+
+			buff.Reset()
+			buff.WriteString(msg.Payload)
+
+			change := &ProxyChange{}
+			if err := decoder.Decode(change); err != nil {
+				logger.Error(ctx, "could not decode message", logger.E(errors.WithStack(err)))
+				continue
+			}
+
+			fn(change)
+		}
+	}()
+}
+
+func (r *ProxyRepository) notifyChange(op ChangeOperation, name store.ProxyName) {
+	change := NewProxyChange(op, name)
+
+	var buff bytes.Buffer
+	encoder := gob.NewEncoder(&buff)
+
+	ctx := context.Background()
+
+	if err := encoder.Encode(change); err != nil {
+		logger.Error(ctx, "could not encode message", logger.E(errors.WithStack(err)))
+		return
+	}
+
+	if err := r.client.Publish(ctx, proxyChangeChannel, buff.Bytes()).Err(); err != nil {
+		logger.Error(ctx, "could not publish message", logger.E(errors.WithStack(err)))
+		return
+	}
+}
+
+var _ store.Observable = &ProxyRepository{}

internal/store/redis/proxy_repository.go

@@ -117,6 +117,8 @@ func (r *ProxyRepository) CreateProxy(ctx context.Context, name store.ProxyName,
 		return nil, errors.WithStack(err)
 	}
 
+	go r.notifyChange(CreateOperation, name)
+
 	return &store.Proxy{
 		ProxyHeader: store.ProxyHeader{
 			Name: name,
@@ -139,6 +141,8 @@ func (r *ProxyRepository) DeleteProxy(ctx context.Context, name store.ProxyName)
 		return errors.WithStack(cmd.Err())
 	}
 
+	go r.notifyChange(DeleteOperation, name)
+
 	return nil
 }
 
@@ -242,6 +246,8 @@ func (r *ProxyRepository) UpdateProxy(ctx context.Context, name store.ProxyName,
 		return nil, errors.WithStack(err)
 	}
 
+	go r.notifyChange(UpdateOperation, name)
+
 	return proxy, nil
 }
 

internal/syncx/cached_resource.go

@@ -0,0 +1,63 @@
+package syncx
+
+import (
+	"context"
+	"sync"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
+	"github.com/pkg/errors"
+)
+
+type RefreshFunc[K comparable, V any] func(ctx context.Context, key K) (V, error)
+
+type CachedResource[K comparable, V any] struct {
+	cache   cache.Cache[K, V]
+	lock    sync.RWMutex
+	refresh RefreshFunc[K, V]
+}
+
+func (r *CachedResource[K, V]) Clear() {
+	r.cache.Clear()
+}
+
+func (r *CachedResource[K, V]) Get(ctx context.Context, key K) (V, bool, error) {
+	value, exists := r.cache.Get(key)
+	if exists {
+		return value, false, nil
+	}
+
+	locked := r.lock.TryLock()
+	if !locked {
+		r.lock.RLock()
+
+		value, exists := r.cache.Get(key)
+		if exists {
+			r.lock.RUnlock()
+			return value, false, nil
+		}
+
+		r.lock.RUnlock()
+	}
+
+	if !locked {
+		r.lock.Lock()
+	}
+
+	defer r.lock.Unlock()
+
+	value, err := r.refresh(ctx, key)
+	if err != nil {
+		return *new(V), false, errors.WithStack(err)
+	}
+
+	r.cache.Set(key, value)
+
+	return value, true, nil
+}
+
+func NewCachedResource[K comparable, V any](cache cache.Cache[K, V], refresh RefreshFunc[K, V]) *CachedResource[K, V] {
+	return &CachedResource[K, V]{
+		cache:   cache,
+		refresh: refresh,
+	}
+}

internal/syncx/cached_resource_test.go

@@ -0,0 +1,66 @@
+package syncx
+
+import (
+	"context"
+	"math"
+	"sync"
+	"testing"
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
+	"github.com/pkg/errors"
+)
+
+func TestCachedResource(t *testing.T) {
+	refreshCalls := 0
+	cacheTTL := 1*time.Second + 500*time.Millisecond
+	duration := 2 * time.Second
+
+	expectedCalls := math.Ceil(float64(duration) / float64(cacheTTL))
+
+	resource := NewCachedResource(
+		ttl.NewCache(
+			memory.NewCache[string, string](),
+			memory.NewCache[string, time.Time](),
+			cacheTTL,
+		),
+		func(ctx context.Context, key string) (string, error) {
+			refreshCalls++
+			return "bar", nil
+		},
+	)
+
+	concurrents := 50
+	key := "foo"
+
+	var wg sync.WaitGroup
+
+	wg.Add(concurrents)
+
+	for i := range concurrents {
+		go func(i int) {
+			done := time.After(duration)
+
+			defer wg.Done()
+			for {
+				select {
+				case <-done:
+					return
+				default:
+					value, fresh, err := resource.Get(context.Background(), key)
+					if err != nil {
+						t.Errorf("%+v", errors.WithStack(err))
+					}
+					t.Logf("resource retrieved for goroutine #%d: (%s, %s, %v)", i, key, value, fresh)
+				}
+			}
+		}(i)
+	}
+
+	wg.Wait()
+
+	if e, g := int(expectedCalls), refreshCalls; e != g {
+		t.Errorf("refreshCalls: expected '%d', got '%d'", e, g)
+	}
+}

misc/packaging/common/config.yml

@@ -131,6 +131,12 @@ proxy:
     # Les proxys/layers sont mis en cache local pour une durée de 30s
     # par défaut. Si les modifications sont rares, vous pouvez augmenter
     # cette valeur pour réduire la "pression" sur le serveur Redis.
+    # Il est possible de forcer la réinitialisation du cache en envoyant
+    # le signal SIGUSR2 au processus Bouncer.
+    #
+    # Exemple
+    #
+    # kill -s USR2 $(pgrep bouncer)
     ttl: 30s
 
   # Configuration du transport HTTP(S)
@@ -218,6 +224,11 @@ layers:
   authn:
     # Répertoire contenant les templates
     templateDir: "/etc/bouncer/layers/authn/templates"
+    # Configuration des sessions
+    sessions:
+      # Temps de persistence sans actualisation des sessions dans le store
+      # (prévalent sur le MaxAge de la session)
+      ttl: "1h"
 
 # Configuration d'une série de proxy/layers
 # à créer par défaut par le serveur d'administration