mirror of
https://github.com/opencloud-eu/opencloud.git
synced 2026-04-23 04:28:48 -05:00
remove accounts cache from basic auth middleware
move cache to ocis-pkg add password validation cache to accounts service
This commit is contained in:
Florian Schade
Vendored
-78
@@ -1,78 +0,0 @@
|
||||
package cache
|
||||
|
||||
import (
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
// Entry represents an entry on the cache. You can type assert on V.
|
||||
type Entry struct {
|
||||
V interface{}
|
||||
expiration time.Time
|
||||
}
|
||||
|
||||
// Cache is a barebones cache implementation.
|
||||
type Cache struct {
|
||||
entries map[string]*Entry
|
||||
size int
|
||||
m sync.Mutex
|
||||
}
|
||||
|
||||
// NewCache returns a new instance of Cache.
|
||||
func NewCache(o ...Option) Cache {
|
||||
opts := newOptions(o...)
|
||||
|
||||
return Cache{
|
||||
size: opts.size,
|
||||
entries: map[string]*Entry{},
|
||||
}
|
||||
}
|
||||
|
||||
// Get gets a role-bundle by a given `roleID`.
|
||||
func (c *Cache) Get(k string) *Entry {
|
||||
c.m.Lock()
|
||||
defer c.m.Unlock()
|
||||
|
||||
if _, ok := c.entries[k]; ok {
|
||||
if c.expired(c.entries[k]) {
|
||||
delete(c.entries, k)
|
||||
return nil
|
||||
}
|
||||
return c.entries[k]
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Set sets a roleID / role-bundle.
|
||||
func (c *Cache) Set(k string, val interface{}, expiration time.Time) {
|
||||
c.m.Lock()
|
||||
defer c.m.Unlock()
|
||||
|
||||
if !c.fits() {
|
||||
c.evict()
|
||||
}
|
||||
|
||||
c.entries[k] = &Entry{
|
||||
val,
|
||||
expiration,
|
||||
}
|
||||
}
|
||||
|
||||
// evict frees memory from the cache by removing entries that exceeded the cache TTL.
|
||||
func (c *Cache) evict() {
|
||||
for i := range c.entries {
|
||||
if c.expired(c.entries[i]) {
|
||||
delete(c.entries, i)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// expired checks if an entry is expired
|
||||
func (c *Cache) expired(e *Entry) bool {
|
||||
return e.expiration.Before(time.Now())
|
||||
}
|
||||
|
||||
// fits returns whether the cache fits more entries.
|
||||
func (c *Cache) fits() bool {
|
||||
return c.size > len(c.entries)
|
||||
}
|
||||
Vendored
-36
@@ -1,36 +0,0 @@
|
||||
package cache
|
||||
|
||||
import "time"
|
||||
|
||||
// Options are all the possible options.
|
||||
type Options struct {
|
||||
size int
|
||||
ttl time.Duration
|
||||
}
|
||||
|
||||
// Option mutates option
|
||||
type Option func(*Options)
|
||||
|
||||
// Size configures the size of the cache in items.
|
||||
func Size(s int) Option {
|
||||
return func(o *Options) {
|
||||
o.size = s
|
||||
}
|
||||
}
|
||||
|
||||
// TTL rebuilds the cache after the configured duration.
|
||||
func TTL(ttl time.Duration) Option {
|
||||
return func(o *Options) {
|
||||
o.ttl = ttl
|
||||
}
|
||||
}
|
||||
|
||||
func newOptions(opts ...Option) Options {
|
||||
o := Options{}
|
||||
|
||||
for _, v := range opts {
|
||||
v(&o)
|
||||
}
|
||||
|
||||
return o
|
||||
}
|
||||
@@ -1,13 +1,10 @@
|
||||
package middleware
|
||||
|
||||
import (
|
||||
"crypto/sha1"
|
||||
"fmt"
|
||||
"github.com/owncloud/ocis/proxy/pkg/cache"
|
||||
"net/http"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
accounts "github.com/owncloud/ocis/accounts/pkg/proto/v0"
|
||||
"github.com/owncloud/ocis/ocis-pkg/log"
|
||||
@@ -21,7 +18,7 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
|
||||
options := newOptions(optionSetters...)
|
||||
logger := options.Logger
|
||||
oidcIss := options.OIDCIss
|
||||
accountsCache := cache.NewCache(cache.Size(5000))
|
||||
|
||||
if options.EnableBasicAuth {
|
||||
options.Logger.Warn().Msg("basic auth enabled, use only for testing or development")
|
||||
}
|
||||
@@ -30,7 +27,6 @@ func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
|
||||
logger: logger,
|
||||
enabled: options.EnableBasicAuth,
|
||||
accountsClient: options.AccountsClient,
|
||||
accountsCache: &accountsCache,
|
||||
}
|
||||
|
||||
return func(next http.Handler) http.Handler {
|
||||
@@ -63,7 +59,6 @@ type basicAuth struct {
|
||||
logger log.Logger
|
||||
enabled bool
|
||||
accountsClient accounts.AccountsService
|
||||
accountsCache *cache.Cache
|
||||
m sync.Mutex
|
||||
}
|
||||
|
||||
@@ -80,38 +75,17 @@ func (m *basicAuth) isBasicAuth(req *http.Request) bool {
|
||||
}
|
||||
|
||||
func (m *basicAuth) getAccount(req *http.Request) (*accounts.Account, bool) {
|
||||
var ok bool
|
||||
var hit *cache.Entry
|
||||
|
||||
login, password, _ := req.BasicAuth()
|
||||
|
||||
h := sha1.New()
|
||||
h.Write([]byte(login))
|
||||
account, status := getAccount(
|
||||
m.logger,
|
||||
m.accountsClient,
|
||||
fmt.Sprintf(
|
||||
"login eq '%s' and password eq '%s'",
|
||||
strings.ReplaceAll(login, "'", "''"),
|
||||
strings.ReplaceAll(password, "'", "''"),
|
||||
),
|
||||
)
|
||||
|
||||
lookup := fmt.Sprintf("%x", h.Sum([]byte(password)))
|
||||
|
||||
m.m.Lock()
|
||||
defer m.m.Unlock()
|
||||
|
||||
if hit = m.accountsCache.Get(lookup); hit == nil {
|
||||
account, status := getAccount(
|
||||
m.logger,
|
||||
m.accountsClient,
|
||||
fmt.Sprintf(
|
||||
"login eq '%s' and password eq '%s'",
|
||||
strings.ReplaceAll(login, "'", "''"),
|
||||
strings.ReplaceAll(password, "'", "''"),
|
||||
),
|
||||
)
|
||||
|
||||
if ok = status == 0; ok {
|
||||
m.accountsCache.Set(lookup, account, time.Now().Add(10*time.Minute))
|
||||
}
|
||||
|
||||
return account, ok
|
||||
}
|
||||
|
||||
account, ok := hit.V.(*accounts.Account)
|
||||
|
||||
return account, ok
|
||||
return account, status == 0
|
||||
}
|
||||
|
||||
@@ -10,9 +10,9 @@ import (
|
||||
"github.com/dgrijalva/jwt-go"
|
||||
|
||||
gOidc "github.com/coreos/go-oidc"
|
||||
"github.com/owncloud/ocis/ocis-pkg/cache"
|
||||
"github.com/owncloud/ocis/ocis-pkg/log"
|
||||
"github.com/owncloud/ocis/ocis-pkg/oidc"
|
||||
"github.com/owncloud/ocis/proxy/pkg/cache"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user