-
Notifications
You must be signed in to change notification settings - Fork 415
refactor(authn): make oauth2 authenticators stateless after initialization #1282
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
glatinone
wants to merge
8
commits into
ory:master
Choose a base branch
from
glatinone:fix/oauth2-authenticator-data-races
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+260
−121
Open
Changes from 3 commits
Commits
Show all changes
8 commits
Select commit
Hold shift + click to select a range
898c987
fix(authn): resolve concurrent shared mutable state data races in oau…
glatinone 6349c84
test(authn): add concurrent Config() race reproduction harness for -race
glatinone 0570aca
fix(authn): guard nil config, drain cache, and enforce RLock on token…
glatinone b78b59d
refactor(authn): move cache initialization to factory constructor and…
glatinone 422740b
fix(authn): respect max_tokens and handle zero-expiry tokens via conf…
glatinone edba022
fix(authn): address formatting, title lint, and cache drain edge cases
glatinone a3b8bc9
fix(authn): address formatting, title lint, and cache drain edge cases
glatinone 444b932
fix(authn): evict stale cache entry on detected token expiry
glatinone File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Some comments aren't visible on the classic Files Changed page.
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| //go:build race | ||
| // +build race | ||
|
|
||
| // This test is a minimal concurrent harness to reproduce the data races | ||
| // in AuthenticatorOAuth2Introspection.Config() vs TokenToCache/TokenFromCache. | ||
| // Run with: go test -race -v ./pipeline/authn -run TestConfigDataRace | ||
| package authn_test | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "sync" | ||
| "testing" | ||
|
|
||
| "github.com/stretchr/testify/require" | ||
|
|
||
| "github.com/ory/x/configx" | ||
|
|
||
| . "github.com/ory/oathkeeper/pipeline/authn" | ||
| "github.com/ory/oathkeeper/internal" | ||
| ) | ||
|
|
||
| // TestConfigDataRace launches concurrent writers invoking Config() with varying | ||
| // cache TTLs while readers concurrently hit TokenToCache/TokenFromCache. | ||
| // The Go race detector should report races on a.cacheTTL and a.TokenCache. | ||
| func TestConfigDataRace(t *testing.T) { | ||
| reg := internal.NewRegistry(t, configx.SkipValidation()) | ||
| aa, err := reg.PipelineAuthenticator("oauth2_introspection") | ||
| require.NoError(t, err) | ||
| a, ok := aa.(*AuthenticatorOAuth2Introspection) | ||
| require.Truef(t, ok, "got type %T", aa) | ||
|
|
||
| base := `{"introspection_url":"http://127.0.0.1/oauth2/introspect","cache":{"enabled":true,"max_cost":1000}}` | ||
| ttls := []string{"25ms", "50ms", "75ms"} | ||
|
|
||
| var wg sync.WaitGroup | ||
|
|
||
| // Writers mutate TTL and (re)initialize cache concurrently. | ||
| for i := 0; i < 8; i++ { | ||
| wg.Add(1) | ||
| go func(id int) { | ||
| defer wg.Done() | ||
| for j := 0; j < 2000; j++ { | ||
| cfg := fmt.Sprintf(`{"introspection_url":"http://127.0.0.1/oauth2/introspect","cache":{"enabled":true,"max_cost":1000,"ttl":"%s"}}`, ttls[j%len(ttls)]) | ||
| _, _, _ = a.Config([]byte(cfg)) | ||
| } | ||
| }(i) | ||
| } | ||
|
|
||
| // Readers exercise cache paths concurrently with Config() calls. | ||
| for i := 0; i < 8; i++ { | ||
| wg.Add(1) | ||
| go func(id int) { | ||
| defer wg.Done() | ||
| res := &AuthenticatorOAuth2IntrospectionResult{Active: true} | ||
| for j := 0; j < 2000; j++ { | ||
| c, _, err := a.Config([]byte(base)) | ||
| if err != nil || c == nil { | ||
| continue | ||
| } | ||
| a.TokenToCache(c, res, "tok", nil) | ||
| _ = a.TokenFromCache(c, "tok", nil) | ||
| } | ||
| }(i) | ||
| } | ||
|
|
||
| wg.Wait() | ||
| a.WaitForCache() | ||
| } | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🩺 Stability & Availability | 🔴 Critical | 🏗️ Heavy lift
Test would fail under
-race—TokenToCache/TokenFromCachestill race withConfig().The fix in
Config()addsa.mu.Lock()arounda.cacheTTLwrites anda.TokenCacheinitialization, butTokenToCacheandTokenFromCachereada.cacheTTLanda.TokenCachewithout any lock (seeauthenticator_oauth2_introspection.go:155-181). This test's reader goroutines callTokenToCache(which readsa.cacheTTLat lineif a.cacheTTL != nil { ... *a.cacheTTL }) concurrently with writer goroutines whoseConfig()calls writea.cacheTTLundera.mu.Lock(). The race detector will flag this as a data race, causing the test to fail.The fix is incomplete:
TokenToCacheandTokenFromCacheneed to acquirea.mu.RLock()/a.mu.RUnlock()to be properly synchronized withConfig()'s write lock. Sincemuis already anRWMutex, this is straightforward.🔒 Proposed fix: add RLock to TokenToCache and TokenFromCache
In
authenticator_oauth2_introspection.go:func (a *AuthenticatorOAuth2Introspection) TokenFromCache(config *AuthenticatorOAuth2IntrospectionConfiguration, token string, ss fosite.ScopeStrategy) *AuthenticatorOAuth2IntrospectionResult { if !config.Cache.Enabled { return nil } if ss == nil && len(config.Scopes) > 0 { return nil } + a.mu.RLock() + defer a.mu.RUnlock() + key := TokenCacheKey(token, config.IntrospectionURL) i, found := a.TokenCache.Get(key)func (a *AuthenticatorOAuth2Introspection) TokenToCache(config *AuthenticatorOAuth2IntrospectionConfiguration, i *AuthenticatorOAuth2IntrospectionResult, token string, ss fosite.ScopeStrategy) { if !config.Cache.Enabled { return } if ss == nil && len(config.Scopes) > 0 { return } + a.mu.RLock() + defer a.mu.RUnlock() + key := TokenCacheKey(token, config.IntrospectionURL) v, err := json.Marshal(i) if err != nil { return } if a.cacheTTL != nil { a.TokenCache.SetWithTTL(key, v, 1, *a.cacheTTL) } else { a.TokenCache.Set(key, v, 1) } }🤖 Prompt for AI Agents