remove accounts cache from basic auth middleware

move cache to ocis-pkg
add password validation cache to accounts service

accounts/pkg/service/v0/accounts.go

@@ -2,7 +2,9 @@ package service
 
 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
+	"github.com/owncloud/ocis/ocis-pkg/cache"
 	"golang.org/x/crypto/bcrypt"
 	"path"
 	"regexp"
@@ -32,6 +34,12 @@ import (
 // accLock mutually exclude readers from writers on account files
 var accLock sync.Mutex
 
+// passwordValidCache caches basic auth password validations
+var passwordValidCache = cache.NewCache(cache.Size(1024))
+
+// passwordValidCacheExpiration defines the entry lifetime
+const passwordValidCacheExpiration = 10 * time.Minute
+
 // an auth request is currently hardcoded and has to match this regex
 // login eq \"teddy\" and password eq \"F&1!b90t111!\"
 var authQuery = regexp.MustCompile(`^login eq '(.*)' and password eq '(.*)'$`) // TODO how is ' escaped in the password?
@@ -128,7 +136,6 @@ func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest
 
 	teardownServiceUser := s.serviceUserToIndex()
 	defer teardownServiceUser()
-
 	match, authRequest := getAuthQueryMatch(in.Query)
 	if authRequest {
 		password := match[2]
@@ -152,9 +159,22 @@ func (s Service) ListAccounts(ctx context.Context, in *proto.ListAccountsRequest
 		if err != nil || a.PasswordProfile == nil || len(a.PasswordProfile.Password) == 0 {
 			return merrors.Unauthorized(s.id, "account not found or invalid credentials")
 		}
-		if !isPasswordValid(s.log, a.PasswordProfile.Password, password) {
-			return merrors.Unauthorized(s.id, "account not found or invalid credentials")
+
+		h := sha256.New()
+		h.Write([]byte(a.PasswordProfile.Password))
+
+		k := fmt.Sprintf("%x", h.Sum([]byte(password)))
+
+		if hit := passwordValidCache.Get(k); hit == nil || !hit.V.(bool) {
+			var ok bool
+
+			if ok = isPasswordValid(s.log, a.PasswordProfile.Password, password); !ok {
+				return merrors.Unauthorized(s.id, "account not found or invalid credentials")
+			}
+
+			passwordValidCache.Set(k, ok, time.Now().Add(passwordValidCacheExpiration))
 		}
+
 		a.PasswordProfile.Password = ""
 		out.Accounts = []*proto.Account{a}
 		return nil

changelog/unreleased/proxy-cache-basic-auth.md

@@ -1,8 +0,0 @@
-Enhancement: Cache basic auth account id in proxy
-
-Tags: proxy
-
-The basic auth middleware now caches account ids. The entry cache gets invalidated after 10 Minutes.
-This is useful for scenarios where a lot of basic auth requests with the same username and password happens, for example tests. 
-
-https://github.com/owncloud/ocis/pull/958

proxy/pkg/middleware/basic_auth.go

@@ -1,13 +1,10 @@
 package middleware
 
 import (
-	"crypto/sha1"
 	"fmt"
-	"github.com/owncloud/ocis/proxy/pkg/cache"
 	"net/http"
 	"strings"
 	"sync"
-	"time"
 
 	accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
 	"github.com/owncloud/ocis/ocis-pkg/log"
@@ -21,7 +18,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 	options := newOptions(optionSetters...)
 	logger := options.Logger
 	oidcIss := options.OIDCIss
-	accountsCache := cache.NewCache(cache.Size(5000))
+
 	if options.EnableBasicAuth {
 		options.Logger.Warn().Msg("basic auth enabled, use only for testing or development")
 	}
@@ -30,7 +27,6 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
 		logger:         logger,
 		enabled:        options.EnableBasicAuth,
 		accountsClient: options.AccountsClient,
-		accountsCache:  &accountsCache,
 	}
 
 	return func(next http.Handler) http.Handler {
@@ -63,7 +59,6 @@ type basicAuth struct {
 	logger         log.Logger
 	enabled        bool
 	accountsClient accounts.AccountsService
-	accountsCache  *cache.Cache
 	m              sync.Mutex
 }
 
@@ -80,38 +75,17 @@ func (m *basicAuth) isBasicAuth(req *http.Request) bool {
 }
 
 func (m *basicAuth) getAccount(req *http.Request) (*accounts.Account, bool) {
-	var ok bool
-	var hit *cache.Entry
-
 	login, password, _ := req.BasicAuth()
 
-	h := sha1.New()
-	h.Write([]byte(login))
+	account, status := getAccount(
+		m.logger,
+		m.accountsClient,
+		fmt.Sprintf(
+			"login eq '%s' and password eq '%s'",
+			strings.ReplaceAll(login, "'", "''"),
+			strings.ReplaceAll(password, "'", "''"),
+		),
+	)
 
-	lookup := fmt.Sprintf("%x", h.Sum([]byte(password)))
-
-	m.m.Lock()
-	defer m.m.Unlock()
-
-	if hit = m.accountsCache.Get(lookup); hit == nil {
-		account, status := getAccount(
-			m.logger,
-			m.accountsClient,
-			fmt.Sprintf(
-				"login eq '%s' and password eq '%s'",
-				strings.ReplaceAll(login, "'", "''"),
-				strings.ReplaceAll(password, "'", "''"),
-			),
-		)
-
-		if ok = status == 0; ok {
-			m.accountsCache.Set(lookup, account, time.Now().Add(10*time.Minute))
-		}
-
-		return account, ok
-	}
-
-	account, ok := hit.V.(*accounts.Account)
-
-	return account, ok
+	return account, status == 0
 }

proxy/pkg/middleware/oidc_auth.go

@@ -10,9 +10,9 @@ import (
 	"github.com/dgrijalva/jwt-go"
 
 	gOidc "github.com/coreos/go-oidc"
+	"github.com/owncloud/ocis/ocis-pkg/cache"
 	"github.com/owncloud/ocis/ocis-pkg/log"
 	"github.com/owncloud/ocis/ocis-pkg/oidc"
-	"github.com/owncloud/ocis/proxy/pkg/cache"
 	"golang.org/x/oauth2"
 )