feat: reset proxy cache with sigusr2

feat: add proxy information in sentry context
feat: silence context expired errors
2025-03-18 11:35:15 +01:00 · 2025-03-17 12:07:30 +01:00 · 2025-03-10 18:32:36 +01:00 · 2025-03-07 13:42:39 +01:00 · 2025-03-07 11:15:28 +01:00 · 2025-03-07 10:21:27 +01:00
15 changed files with 201 additions and 65 deletions
--- a/internal/cache/cache.go
+++ b/internal/cache/cache.go
@ -3,4 +3,5 @@ package cache
 type Cache[K comparable, V any] interface {
 	Get(key K) (V, bool)
 	Set(key K, value V)
+	Clear()
 }
--- a/internal/cache/memory/cache.go
+++ b/internal/cache/memory/cache.go
@ -25,6 +25,10 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.store.Store(key, value)
 }

+func (c *Cache[K, V]) Clear() {
+	c.store.Clear()
+}
+
 func NewCache[K comparable, V any]() *Cache[K, V] {
 	return &Cache[K, V]{
 		store: new(sync.Map),
--- a/internal/cache/ttl/cache.go
+++ b/internal/cache/ttl/cache.go
@ -28,6 +28,11 @@ func (c *Cache[K, V]) Set(key K, value V) {
 	c.values.Set(key, value)
 }

+func (c *Cache[K, V]) Clear() {
+	c.timestamps.Clear()
+	c.values.Clear()
+}
+
 func NewCache[K comparable, V any](values cache.Cache[K, V], timestamps cache.Cache[K, time.Time], ttl time.Duration) *Cache[K, V] {
 	return &Cache[K, V]{
 		values:     values,
--- a/internal/command/server/admin/run.go
+++ b/internal/command/server/admin/run.go
@ -17,9 +17,7 @@ const (
 )

 func RunCommand() *cli.Command {
-	flags := append(
-		common.Flags(),
-	)
+	flags := common.Flags()

 	return &cli.Command{
 		Name:  "run",
--- a/internal/config/layers.go
+++ b/internal/config/layers.go
@ -20,6 +20,10 @@ func NewDefaultLayersConfig() LayersConfig {
 					TransportConfig: NewDefaultTransportConfig(),
 					Timeout:         NewInterpolatedDuration(10 * time.Second),
 				},
+				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
+			},
+			Sessions: AuthnLayerSessionConfig{
+				TTL: NewInterpolatedDuration(time.Hour),
 			},
 		},
 	}
@ -31,13 +35,19 @@ type QueueLayerConfig struct {
 }

 type AuthnLayerConfig struct {
-	Debug       InterpolatedBool     `yaml:"debug"`
-	TemplateDir InterpolatedString   `yaml:"templateDir"`
-	OIDC        AuthnOIDCLayerConfig `yaml:"oidc"`
+	Debug       InterpolatedBool        `yaml:"debug"`
+	TemplateDir InterpolatedString      `yaml:"templateDir"`
+	OIDC        AuthnOIDCLayerConfig    `yaml:"oidc"`
+	Sessions    AuthnLayerSessionConfig `yaml:"sessions"`
+}
+
+type AuthnLayerSessionConfig struct {
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }

 type AuthnOIDCLayerConfig struct {
-	HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
 }

 type AuthnOIDCHTTPClientConfig struct {
--- a/internal/proxy/director/context.go
+++ b/internal/proxy/director/context.go
@ -6,6 +6,7 @@ import (
 	"net/url"

 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"gitlab.com/wpetit/goweb/logger"
 )
@ -17,6 +18,7 @@ const (
 	contextKeyLayers      contextKey = "layers"
 	contextKeyOriginalURL contextKey = "originalURL"
 	contextKeyHandleError contextKey = "handleError"
+	contextKeySentryScope contextKey = "sentryScope"
 )

 var (
@ -82,3 +84,16 @@ func HandleError(ctx context.Context, w http.ResponseWriter, r *http.Request, st

 	fn(w, r, status, err)
 }
+
+func withSentryScope(ctx context.Context, scope *sentry.Scope) context.Context {
+	return context.WithValue(ctx, contextKeySentryScope, scope)
+}
+
+func SentryScope(ctx context.Context) (*sentry.Scope, error) {
+	scope, err := ctxValue[*sentry.Scope](ctx, contextKeySentryScope)
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+
+	return scope, nil
+}
--- a/internal/proxy/director/director.go
+++ b/internal/proxy/director/director.go
@ -9,6 +9,7 @@ import (
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
 	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/prometheus/client_golang/prometheus"
 	"gitlab.com/wpetit/goweb/logger"
@ -76,6 +77,13 @@ func (d *Director) rewriteRequest(r *http.Request) (*http.Request, error) {
 			proxyCtx = withLayers(proxyCtx, layers)
 			r = r.WithContext(proxyCtx)

+			if sentryScope, _ := SentryScope(ctx); sentryScope != nil {
+				sentryScope.SetContext("bouncer", sentry.Context{
+					"proxy_name":   p.Name,
+					"proxy_target": r.URL.String(),
+				})
+			}
+
 			return r, nil
 		}
 	}
@ -91,9 +99,12 @@ const proxiesCacheKey = "proxies"
 func (d *Director) getProxies(ctx context.Context) ([]*store.Proxy, error) {
 	proxies, exists := d.proxyCache.Get(proxiesCacheKey)
 	if exists {
+		logger.Debug(ctx, "using cached proxies")
 		return proxies, nil
 	}

+	logger.Debug(ctx, "querying fresh proxies")
+
 	headers, err := d.proxyRepository.QueryProxy(ctx, store.WithProxyQueryEnabled(true))
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -126,9 +137,12 @@ func (d *Director) getLayers(ctx context.Context, proxyName store.ProxyName) ([]

 	layers, exists := d.layerCache.Get(cacheKey)
 	if exists {
+		logger.Debug(ctx, "using cached layers")
 		return layers, nil
 	}

+	logger.Debug(ctx, "querying fresh layers")
+
 	headers, err := d.layerRepository.QueryLayers(ctx, proxyName, store.WithLayerQueryEnabled(true))
 	if err != nil {
 		return nil, errors.WithStack(err)
@ -216,40 +230,43 @@ func (d *Director) ResponseTransformer() proxy.ResponseTransformer {
 func (d *Director) Middleware() proxy.Middleware {
 	return func(next http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
-			ctx := withHandleError(r.Context(), d.handleError)
-			r = r.WithContext(ctx)
+			sentry.ConfigureScope(func(scope *sentry.Scope) {
+				ctx := withHandleError(r.Context(), d.handleError)
+				ctx = withSentryScope(ctx, scope)
+				r = r.WithContext(ctx)

-			r, err := d.rewriteRequest(r)
-			if err != nil {
-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
-				return
-			}
-
-			ctx = r.Context()
-
-			layers, err := ctxLayers(ctx)
-			if err != nil {
-				if errors.Is(err, errContextKeyNotFound) {
+				r, err := d.rewriteRequest(r)
+				if err != nil {
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not rewrite request"))
 					return
 				}

-				HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
-				return
-			}
+				ctx = r.Context()

-			httpMiddlewares := make([]proxy.Middleware, 0)
-			for _, layer := range layers {
-				middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
-				if !ok {
-					continue
+				layers, err := ctxLayers(ctx)
+				if err != nil {
+					if errors.Is(err, errContextKeyNotFound) {
+						return
+					}
+
+					HandleError(ctx, w, r, http.StatusInternalServerError, errors.Wrap(err, "could not retrieve proxy and layers from context"))
+					return
 				}

-				httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
-			}
+				httpMiddlewares := make([]proxy.Middleware, 0)
+				for _, layer := range layers {
+					middleware, ok := d.layerRegistry.GetMiddleware(layer.Type)
+					if !ok {
+						continue
+					}

-			handler := createMiddlewareChain(next, httpMiddlewares)
+					httpMiddlewares = append(httpMiddlewares, middleware.Middleware(layer))
+				}

-			handler.ServeHTTP(w, r)
+				handler := createMiddlewareChain(next, httpMiddlewares)
+
+				handler.ServeHTTP(w, r)
+			})
 		}

 		return http.HandlerFunc(fn)
--- a/internal/proxy/director/layer/authn/oidc/authenticator.go
+++ b/internal/proxy/director/layer/authn/oidc/authenticator.go
@ -13,6 +13,7 @@ import (
 	"time"

 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -27,6 +28,7 @@ type Authenticator struct {
 	store             sessions.Store
 	httpTransport     *http.Transport
 	httpClientTimeout time.Duration
+	oidcProviderCache cache.Cache[string, *oidc.Provider]
 }

 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@ -378,15 +380,23 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		Transport: transport,
 	}

-	ctx = oidc.ClientContext(ctx, httpClient)
+	provider, exists := a.oidcProviderCache.Get(options.OIDC.IssuerURL)
+	if !exists {
+		var err error
+		ctx = oidc.ClientContext(ctx, httpClient)

-	if options.OIDC.SkipIssuerVerification {
-		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
-	}
+		if options.OIDC.SkipIssuerVerification {
+			ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
+		}

-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
-	if err != nil {
-		return nil, errors.Wrap(err, "could not create oidc provider")
+		logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", options.OIDC.IssuerURL))
+
+		provider, err = oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not create oidc provider")
+		}
+
+		a.oidcProviderCache.Set(options.OIDC.IssuerURL, provider)
 	}

 	client := NewClient(
--- a/internal/proxy/director/layer/authn/oidc/layer.go
+++ b/internal/proxy/director/layer/authn/oidc/layer.go
@ -1,8 +1,13 @@
 package oidc

 import (
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 )

@ -14,5 +19,10 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 		httpTransport:     opts.HTTPTransport,
 		httpClientTimeout: opts.HTTPClientTimeout,
 		store:             store,
+		oidcProviderCache: ttl.NewCache(
+			memory.NewCache[string, *oidc.Provider](),
+			memory.NewCache[string, time.Time](),
+			opts.OIDCProviderCacheTimeout,
+		),
 	}, opts.AuthnOptions...)
 }
--- a/internal/proxy/director/layer/authn/oidc/options.go
+++ b/internal/proxy/director/layer/authn/oidc/options.go
@ -8,9 +8,10 @@ import (
 )

 type Options struct {
-	HTTPTransport     *http.Transport
-	HTTPClientTimeout time.Duration
-	AuthnOptions      []authn.OptionFunc
+	HTTPTransport            *http.Transport
+	HTTPClientTimeout        time.Duration
+	AuthnOptions             []authn.OptionFunc
+	OIDCProviderCacheTimeout time.Duration
 }

 type OptionFunc func(opts *Options)
@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
 	}
 }

+func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.OIDCProviderCacheTimeout = timeout
+	}
+}
+
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
-		HTTPTransport:     http.DefaultTransport.(*http.Transport),
-		HTTPClientTimeout: 30 * time.Second,
-		AuthnOptions:      make([]authn.OptionFunc, 0),
+		HTTPTransport:            http.DefaultTransport.(*http.Transport),
+		HTTPClientTimeout:        30 * time.Second,
+		AuthnOptions:             make([]authn.OptionFunc, 0),
+		OIDCProviderCacheTimeout: time.Hour,
 	}

 	for _, fn := range funcs {
--- a/internal/proxy/server.go
+++ b/internal/proxy/server.go
@ -13,8 +13,11 @@ import (
 	"net/http/httputil"
 	"net/http/pprof"
 	"net/url"
+	"os"
+	"os/signal"
 	"path/filepath"
 	"strconv"
+	"syscall"
 	"time"

 	"forge.cadoles.com/Cadoles/go-proxy"
@ -94,24 +97,15 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e

 	logger.Info(ctx, "http server listening")

+	layerCache, proxyCache, cancel := s.createDirectorCaches(ctx)
+	defer cancel()
+
 	director := director.New(
 		s.proxyRepository,
 		s.layerRepository,
 		director.WithLayers(s.directorLayers...),
-		director.WithLayerCache(
-			ttl.NewCache(
-				memory.NewCache[string, []*store.Layer](),
-				memory.NewCache[string, time.Time](),
-				s.directorCacheTTL,
-			),
-		),
-		director.WithProxyCache(
-			ttl.NewCache(
-				memory.NewCache[string, []*store.Proxy](),
-				memory.NewCache[string, time.Time](),
-				s.directorCacheTTL,
-			),
-		),
+		director.WithLayerCache(layerCache),
+		director.WithProxyCache(proxyCache),
 		director.WithHandleErrorFunc(s.handleError),
 	)

@ -205,6 +199,44 @@ func (s *Server) run(parentCtx context.Context, addrs chan net.Addr, errs chan e
 	logger.Info(ctx, "http server exiting")
 }

+func (s *Server) createDirectorCaches(ctx context.Context) (*ttl.Cache[string, []*store.Layer], *ttl.Cache[string, []*store.Proxy], func()) {
+	layerCache := ttl.NewCache(
+		memory.NewCache[string, []*store.Layer](),
+		memory.NewCache[string, time.Time](),
+		s.directorCacheTTL,
+	)
+
+	proxyCache := ttl.NewCache(
+		memory.NewCache[string, []*store.Proxy](),
+		memory.NewCache[string, time.Time](),
+		s.directorCacheTTL,
+	)
+
+	sig := make(chan os.Signal, 1)
+
+	signal.Notify(sig, syscall.SIGUSR2)
+
+	go func() {
+		for {
+			_, ok := <-sig
+			if !ok {
+				return
+			}
+
+			logger.Info(ctx, "received sigusr2 signal, clearing proxies and layers cache")
+
+			layerCache.Clear()
+			proxyCache.Clear()
+		}
+	}()
+
+	cancel := func() {
+		close(sig)
+	}
+
+	return layerCache, proxyCache, cancel
+}
+
 func (s *Server) createReverseProxy(ctx context.Context, target *url.URL) *httputil.ReverseProxy {
 	reverseProxy := httputil.NewSingleHostReverseProxy(target)

@ -233,9 +265,7 @@ func (s *Server) handleDefault(w http.ResponseWriter, r *http.Request) {
 func (s *Server) handleError(w http.ResponseWriter, r *http.Request, status int, err error) {
 	err = errors.WithStack(err)

-	if errors.Is(err, context.Canceled) {
-		logger.Warn(r.Context(), err.Error(), logger.E(err))
-	} else {
+	if !errors.Is(err, context.Canceled) {
 		logger.Error(r.Context(), err.Error(), logger.CapturedE(err))
 	}

--- a/internal/session/options.go
+++ b/internal/session/options.go
@ -10,6 +10,7 @@ import (
 type Options struct {
 	Session   sessions.Options
 	KeyPrefix string
+	TTL       time.Duration
 }

 type OptionFunc func(opts *Options)
@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			SameSite: http.SameSiteDefaultMode,
 		},
 		KeyPrefix: "session:",
+		TTL:       time.Hour,
 	}

 	for _, fn := range funcs {
@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
 		opts.KeyPrefix = prefix
 	}
 }
+
+func WithTTL(ttl time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.TTL = ttl
+	}
+}
--- a/internal/session/store.go
+++ b/internal/session/store.go
@ -31,6 +31,7 @@ type Store struct {
 	keyPrefix  string
 	keyGen     KeyGenFunc
 	serializer SessionSerializer
+	ttl        time.Duration
 }

 type KeyGenFunc func() (string, error)
@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
 		keyPrefix:  opts.KeyPrefix,
 		keyGen:     generateRandomKey,
 		serializer: GobSerializer{},
+		ttl:        opts.TTL,
 	}

 	return rs
@ -62,20 +64,21 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
 	if err != nil {
 		return session, nil
 	}
+
 	session.ID = c.Value

 	err = s.load(r.Context(), session)
 	if err == nil {
 		session.IsNew = false
 	} else if !errors.Is(err, ErrNotFound) {
-		return nil, errors.WithStack(err)
+		return session, errors.WithStack(err)
 	}

 	return session, nil
 }

 func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
-	if session.Options.MaxAge <= 0 {
+	if session.Options.MaxAge < 0 {
 		if err := s.delete(r.Context(), session); err != nil {
 			return errors.WithStack(err)
 		}
@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
 		return errors.WithStack(err)
 	}

-	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
+	ttl := time.Duration(session.Options.MaxAge) * time.Second
+	if s.ttl < ttl || ttl == 0 {
+		ttl = s.ttl
+	}
+
+	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
 		return errors.WithStack(err)
 	}

--- a/internal/setup/authn_oidc_layer.go
+++ b/internal/setup/authn_oidc_layer.go
@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
 			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 		),
+		oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
 	), nil
 }
--- a/misc/packaging/common/config.yml
+++ b/misc/packaging/common/config.yml
@ -131,6 +131,12 @@ proxy:
    # Les proxys/layers sont mis en cache local pour une durée de 30s
    # par défaut. Si les modifications sont rares, vous pouvez augmenter
    # cette valeur pour réduire la "pression" sur le serveur Redis.
+    # Il est possible de forcer la réinitialisation du cache en envoyant
+    # le signal SIGUSR2 au processus Bouncer.
+    #
+    # Exemple
+    #
+    # kill -s USR2 $(pgrep bouncer)
    ttl: 30s

  # Configuration du transport HTTP(S)
@ -218,6 +224,11 @@ layers:
  authn:
    # Répertoire contenant les templates
    templateDir: "/etc/bouncer/layers/authn/templates"
+    # Configuration des sessions
+    sessions:
+      # Temps de persistence sans actualisation des sessions dans le store
+      # (prévalent sur le MaxAge de la session)
+      ttl: "1h"

 # Configuration d'une série de proxy/layers
 # à créer par défaut par le serveur d'administration
Author	SHA1	Message	Date
William Petit	1af7248a6f	feat: reset proxy cache with sigusr2 All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-18 11:35:15 +01:00
William Petit	8b132dddd4	feat: add proxy information in sentry context All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2025-03-17 12:07:30 +01:00
William Petit	6a4a144c97	feat: silence context expired errors All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details closes #49	2025-03-10 18:32:36 +01:00
wpetit	ac7b7e8189	Merge pull request 'Mise en cache des fournisseurs oidc pour améliorer les performances' (#48 ) from issue-47 into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #48 Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>	2025-03-07 13:42:39 +01:00
William Petit	2df74bad4f	feat: cache oidc.Provider to reduce pressure on OIDC identity provider (#47 ) All checks were successful Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2025-03-07 11:15:28 +01:00
wpetit	076a3d784e	Merge pull request 'Fix append error in admin/run.go' (#46 ) from fix-append into develop All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Reviewed-on: #46	2025-03-07 10:21:27 +01:00
Matthieu Lamalle	826edef358	fix : suppression de append inutile, remonté par go vet All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-develop This commit looks good Details	2024-11-18 11:05:17 +01:00
William Petit	ce7415af20	fix: prevent nil pointer when err session retrieval fails All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details see https://sentry.in.nuonet.fr/share/issue/48b82c13ee3f4721bb6306b533799709/	2024-11-14 10:10:16 +01:00
William Petit	7cc9de180c	feat(authn): add configurable global ttl for session storage	2024-11-14 10:09:33 +01:00
William Petit	74c2a2c055	fix(authn): correctly handle session-limited cookies All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details See CNOUS/mse#4347	2024-11-08 12:21:23 +01:00