Merge pull request 'Mise en cache des fournisseurs oidc pour améliorer les performances' (#48) from issue-47 into develop

Reviewed-on: #48
Reviewed-by: Laurent Gourvenec <lgourvenec@cadoles.com>

internal/command/server/admin/run.go

@@ -17,9 +17,7 @@ const (
 )
 
 func RunCommand() *cli.Command {
-	flags := append(
-		common.Flags(),
-	)
+	flags := common.Flags()
 
 	return &cli.Command{
 		Name:  "run",

internal/config/layers.go

@@ -20,6 +20,10 @@ func NewDefaultLayersConfig() LayersConfig {
 					TransportConfig: NewDefaultTransportConfig(),
 					Timeout:         NewInterpolatedDuration(10 * time.Second),
 				},
+				ProviderCacheTimeout: NewInterpolatedDuration(time.Hour),
+			},
+			Sessions: AuthnLayerSessionConfig{
+				TTL: NewInterpolatedDuration(time.Hour),
 			},
 		},
 	}
@@ -31,13 +35,19 @@ type QueueLayerConfig struct {
 }
 
 type AuthnLayerConfig struct {
-	Debug       InterpolatedBool     `yaml:"debug"`
-	TemplateDir InterpolatedString   `yaml:"templateDir"`
-	OIDC        AuthnOIDCLayerConfig `yaml:"oidc"`
+	Debug       InterpolatedBool        `yaml:"debug"`
+	TemplateDir InterpolatedString      `yaml:"templateDir"`
+	OIDC        AuthnOIDCLayerConfig    `yaml:"oidc"`
+	Sessions    AuthnLayerSessionConfig `yaml:"sessions"`
+}
+
+type AuthnLayerSessionConfig struct {
+	TTL *InterpolatedDuration `yaml:"ttl"`
 }
 
 type AuthnOIDCLayerConfig struct {
-	HTTPClient AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	HTTPClient           AuthnOIDCHTTPClientConfig `yaml:"httpClient"`
+	ProviderCacheTimeout *InterpolatedDuration     `yaml:"providerCacheTimeout"`
 }
 
 type AuthnOIDCHTTPClientConfig struct {

internal/proxy/director/layer/authn/oidc/authenticator.go

@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"forge.cadoles.com/Cadoles/go-proxy/wildcard"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@@ -27,6 +28,7 @@ type Authenticator struct {
 	store             sessions.Store
 	httpTransport     *http.Transport
 	httpClientTimeout time.Duration
+	oidcProviderCache cache.Cache[string, *oidc.Provider]
 }
 
 func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request, layer *store.Layer) error {
@@ -378,15 +380,23 @@ func (a *Authenticator) getClient(options *LayerOptions, redirectURL string) (*C
 		Transport: transport,
 	}
 
-	ctx = oidc.ClientContext(ctx, httpClient)
+	provider, exists := a.oidcProviderCache.Get(options.OIDC.IssuerURL)
+	if !exists {
+		var err error
+		ctx = oidc.ClientContext(ctx, httpClient)
 
-	if options.OIDC.SkipIssuerVerification {
-		ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
-	}
+		if options.OIDC.SkipIssuerVerification {
+			ctx = oidc.InsecureIssuerURLContext(ctx, options.OIDC.IssuerURL)
+		}
 
-	provider, err := oidc.NewProvider(ctx, options.OIDC.IssuerURL)
-	if err != nil {
-		return nil, errors.Wrap(err, "could not create oidc provider")
+		logger.Debug(ctx, "refreshing oidc provider", logger.F("issuerURL", options.OIDC.IssuerURL))
+
+		provider, err = oidc.NewProvider(ctx, options.OIDC.IssuerURL)
+		if err != nil {
+			return nil, errors.Wrap(err, "could not create oidc provider")
+		}
+
+		a.oidcProviderCache.Set(options.OIDC.IssuerURL, provider)
 	}
 
 	client := NewClient(

internal/proxy/director/layer/authn/oidc/layer.go

@@ -1,8 +1,13 @@
 package oidc
 
 import (
+	"time"
+
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/memory"
+	"forge.cadoles.com/cadoles/bouncer/internal/cache/ttl"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gorilla/sessions"
 )
 
@@ -14,5 +19,10 @@ func NewLayer(store sessions.Store, funcs ...OptionFunc) *authn.Layer {
 		httpTransport:     opts.HTTPTransport,
 		httpClientTimeout: opts.HTTPClientTimeout,
 		store:             store,
+		oidcProviderCache: ttl.NewCache(
+			memory.NewCache[string, *oidc.Provider](),
+			memory.NewCache[string, time.Time](),
+			opts.OIDCProviderCacheTimeout,
+		),
 	}, opts.AuthnOptions...)
 }

internal/proxy/director/layer/authn/oidc/options.go

@@ -8,9 +8,10 @@ import (
 )
 
 type Options struct {
-	HTTPTransport     *http.Transport
-	HTTPClientTimeout time.Duration
-	AuthnOptions      []authn.OptionFunc
+	HTTPTransport            *http.Transport
+	HTTPClientTimeout        time.Duration
+	AuthnOptions             []authn.OptionFunc
+	OIDCProviderCacheTimeout time.Duration
 }
 
 type OptionFunc func(opts *Options)
@@ -33,11 +34,18 @@ func WithAuthnOptions(funcs ...authn.OptionFunc) OptionFunc {
 	}
 }
 
+func WithOIDCProviderCacheTimeout(timeout time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.OIDCProviderCacheTimeout = timeout
+	}
+}
+
 func NewOptions(funcs ...OptionFunc) *Options {
 	opts := &Options{
-		HTTPTransport:     http.DefaultTransport.(*http.Transport),
-		HTTPClientTimeout: 30 * time.Second,
-		AuthnOptions:      make([]authn.OptionFunc, 0),
+		HTTPTransport:            http.DefaultTransport.(*http.Transport),
+		HTTPClientTimeout:        30 * time.Second,
+		AuthnOptions:             make([]authn.OptionFunc, 0),
+		OIDCProviderCacheTimeout: time.Hour,
 	}
 
 	for _, fn := range funcs {

internal/session/options.go

@@ -10,6 +10,7 @@ import (
 type Options struct {
 	Session   sessions.Options
 	KeyPrefix string
+	TTL       time.Duration
 }
 
 type OptionFunc func(opts *Options)
@@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
 			SameSite: http.SameSiteDefaultMode,
 		},
 		KeyPrefix: "session:",
+		TTL:       time.Hour,
 	}
 
 	for _, fn := range funcs {
@@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
 		opts.KeyPrefix = prefix
 	}
 }
+
+func WithTTL(ttl time.Duration) OptionFunc {
+	return func(opts *Options) {
+		opts.TTL = ttl
+	}
+}

internal/session/store.go

@@ -31,6 +31,7 @@ type Store struct {
 	keyPrefix  string
 	keyGen     KeyGenFunc
 	serializer SessionSerializer
+	ttl        time.Duration
 }
 
 type KeyGenFunc func() (string, error)
@@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
 		keyPrefix:  opts.KeyPrefix,
 		keyGen:     generateRandomKey,
 		serializer: GobSerializer{},
+		ttl:        opts.TTL,
 	}
 
 	return rs
@@ -62,13 +64,14 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
 	if err != nil {
 		return session, nil
 	}
+
 	session.ID = c.Value
 
 	err = s.load(r.Context(), session)
 	if err == nil {
 		session.IsNew = false
 	} else if !errors.Is(err, ErrNotFound) {
-		return nil, errors.WithStack(err)
+		return session, errors.WithStack(err)
 	}
 
 	return session, nil
@@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
 		return errors.WithStack(err)
 	}
 
-	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
+	ttl := time.Duration(session.Options.MaxAge) * time.Second
+	if s.ttl < ttl || ttl == 0 {
+		ttl = s.ttl
+	}
+
+	if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
 		return errors.WithStack(err)
 	}
 

internal/setup/authn_oidc_layer.go

@@ -37,5 +37,6 @@ func setupAuthnOIDCLayer(conf *config.Config) (director.Layer, error) {
 			authn.WithTemplateDir(string(conf.Layers.Authn.TemplateDir)),
 			authn.WithDebug(bool(conf.Layers.Authn.Debug)),
 		),
+		oidc.WithOIDCProviderCacheTimeout(time.Duration(*conf.Layers.Authn.OIDC.ProviderCacheTimeout)),
 	), nil
 }

misc/packaging/common/config.yml

@@ -218,6 +218,11 @@ layers:
   authn:
     # Répertoire contenant les templates
     templateDir: "/etc/bouncer/layers/authn/templates"
+    # Configuration des sessions
+    sessions:
+      # Temps de persistence sans actualisation des sessions dans le store
+      # (prévalent sur le MaxAge de la session)
+      ttl: "1h"
 
 # Configuration d'une série de proxy/layers
 # à créer par défaut par le serveur d'administration