Proxy accesstoken cache store (#5829)

* refactor middleware options Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use ocmemstore micro store implementaiton for token cache Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * refactor ocis store options, support redis sentinel Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * align cache configuration Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * database and tabe are used to build prefixes for inmemory stores Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add global persistent store options to userlog config Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * log cache errors but continue Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * drup unnecessary type conversion Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * Better description for the default userinfo ttl Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use global cache options for even more caches Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * don't log userinfo cache misses Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * default to stock memory store Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use correct mem store typo string Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * split cache options, doc cleanup Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * mint and write userinfo to cache async Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * use hashed token as key Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * go mod tidy Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * update docs Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * update cache store naming Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * bring back depreceted ocis-pkg/store package for backwards compatability Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * update changelog Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * Apply suggestions from code review Co-authored-by: kobergj <jkoberg@owncloud.com> * revert ocis-pkg/cache to store rename Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> * add waiting for each step 50 milliseconds * starlack check --------- Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de> Co-authored-by: kobergj <jkoberg@owncloud.com> Co-authored-by: Viktor Scharf <scharf.vi@gmail.com>
2026-04-24 21:18:19 -05:00 · 2023-03-22 15:21:57 +01:00
parent 688d07e297
commit 6bec87f582
37 changed files with 468 additions and 461 deletions
@@ -17,6 +17,7 @@ import (
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
 	pkgmiddleware "github.com/owncloud/ocis/v2/ocis-pkg/middleware"
 	"github.com/owncloud/ocis/v2/ocis-pkg/service/grpc"
+	"github.com/owncloud/ocis/v2/ocis-pkg/store"
 	"github.com/owncloud/ocis/v2/ocis-pkg/version"
 	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
 	storesvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/store/v0"
@@ -34,6 +35,7 @@ import (
 	"github.com/owncloud/ocis/v2/services/proxy/pkg/user/backend"
 	"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles"
 	"github.com/urfave/cli/v2"
+	microstore "go-micro.dev/v4/store"
 	"golang.org/x/oauth2"
 )

@@ -209,12 +211,25 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 			UserProvider: userProvider,
 		})
 	}
+
+	cache := store.Create(
+		store.Store(cfg.OIDC.UserinfoCache.Store),
+		store.TTL(cfg.OIDC.UserinfoCache.TTL),
+		store.Size(cfg.OIDC.UserinfoCache.Size),
+		microstore.Nodes(cfg.OIDC.UserinfoCache.Nodes...),
+		microstore.Database(cfg.OIDC.UserinfoCache.Database),
+		microstore.Table(cfg.OIDC.UserinfoCache.Table),
+	)
+
 	authenticators = append(authenticators, middleware.NewOIDCAuthenticator(
-		logger,
-		cfg.OIDC.UserinfoCache.TTL,
-		oidcHTTPClient,
-		cfg.OIDC.Issuer,
-		func() (middleware.OIDCProvider, error) {
+		middleware.Logger(logger),
+		middleware.Cache(cache),
+		middleware.DefaultAccessTokenTTL(cfg.OIDC.UserinfoCache.TTL),
+		middleware.HTTPClient(oidcHTTPClient),
+		middleware.OIDCIss(cfg.OIDC.Issuer),
+		middleware.JWKSOptions(cfg.OIDC.JWKS),
+		middleware.AccessTokenVerifyMethod(cfg.OIDC.AccessTokenVerifyMethod),
+		middleware.OIDCProviderFunc(func() (middleware.OIDCProvider, error) {
 			// Initialize a provider by specifying the issuer URL.
 			// it will fetch the keys from the issuer using the .well-known
 			// endpoint
@@ -222,9 +237,7 @@ func loadMiddlewares(ctx context.Context, logger log.Logger, cfg *config.Config)
 				context.WithValue(ctx, oauth2.HTTPClient, oidcHTTPClient),
 				cfg.OIDC.Issuer,
 			)
-		},
-		cfg.OIDC.JWKS,
-		cfg.OIDC.AccessTokenVerifyMethod,
+		}),
 	))
 	authenticators = append(authenticators, middleware.PublicShareAuthenticator{
 		Logger:            logger,
@@ -2,6 +2,7 @@ package config

 import (
 	"context"
+	"time"

 	"github.com/owncloud/ocis/v2/ocis-pkg/shared"
 )
@@ -101,12 +102,12 @@ const (
 // OIDC is the config for the OpenID-Connect middleware. If set the proxy will try to authenticate every request
 // with the configured oidc-provider
 type OIDC struct {
-	Issuer                  string        `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;PROXY_OIDC_ISSUER" desc:"URL of the OIDC issuer. It defaults to URL of the builtin IDP."`
-	Insecure                bool          `yaml:"insecure" env:"OCIS_INSECURE;PROXY_OIDC_INSECURE" desc:"Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments."`
-	AccessTokenVerifyMethod string        `yaml:"access_token_verify_method" env:"PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD" desc:"Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IPD's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'."`
-	UserinfoCache           UserinfoCache `yaml:"user_info_cache"`
-	JWKS                    JWKS          `yaml:"jwks"`
-	RewriteWellKnown        bool          `yaml:"rewrite_well_known" env:"PROXY_OIDC_REWRITE_WELLKNOWN" desc:"Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider."`
+	Issuer                  string `yaml:"issuer" env:"OCIS_URL;OCIS_OIDC_ISSUER;PROXY_OIDC_ISSUER" desc:"URL of the OIDC issuer. It defaults to URL of the builtin IDP."`
+	Insecure                bool   `yaml:"insecure" env:"OCIS_INSECURE;PROXY_OIDC_INSECURE" desc:"Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments."`
+	AccessTokenVerifyMethod string `yaml:"access_token_verify_method" env:"PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD" desc:"Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IPD's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'."`
+	UserinfoCache           *Cache `yaml:"user_info_cache"`
+	JWKS                    JWKS   `yaml:"jwks"`
+	RewriteWellKnown        bool   `yaml:"rewrite_well_known" env:"PROXY_OIDC_REWRITE_WELLKNOWN" desc:"Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider."`
 }

 type JWKS struct {
@@ -116,10 +117,14 @@ type JWKS struct {
 	RefreshUnknownKID bool   `yaml:"refresh_unknown_kid" env:"PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID" desc:"If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this."`
 }

-// UserinfoCache is a TTL cache configuration.
-type UserinfoCache struct {
-	Size int `yaml:"size" env:"PROXY_OIDC_USERINFO_CACHE_SIZE" desc:"Cache size for OIDC user info."`
-	TTL  int `yaml:"ttl" env:"PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Max TTL in seconds for the OIDC user info cache."`
+// Cache is a TTL cache configuration.
+type Cache struct {
+	Store    string        `yaml:"store" env:"OCIS_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE;OCIS_CACHE_STORE_TYPE;PROXY_OIDC_USERINFO_CACHE_TYPE" desc:"The type of the userinfo cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details."`
+	Nodes    []string      `yaml:"addresses" env:"OCIS_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_NODES;OCIS_CACHE_STORE_ADDRESSES;PROXY_OIDC_USERINFO_CACHE_ADDRESSES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'in-memory' stores are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store."`
+	Database string        `yaml:"database" env:"PROXY_OIDC_USERINFO_CACHE_DATABASE" desc:"The database name the configured store should use."`
+	Table    string        `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use."`
+	TTL      time.Duration `yaml:"ttl" env:"OCIS_CACHE_STORE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. The duration can be set as number followed by a unit identifier like s, m or h. Defaults to '10s' (10 seconds)."`
+	Size     int           `yaml:"size" env:"OCIS_CACHE_STORE_SIZE;PROXY_OIDC_USERINFO_CACHE_SIZE" desc:"The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512."`
 }

 // RoleAssignment contains the configuration for how to assign roles to users during login
@@ -3,6 +3,7 @@ package defaults
 import (
 	"path"
 	"strings"
+	"time"

 	"github.com/owncloud/ocis/v2/ocis-pkg/config/defaults"
 	"github.com/owncloud/ocis/v2/ocis-pkg/shared"
@@ -40,9 +41,11 @@ func DefaultConfig() *config.Config {
 			Issuer: "https://localhost:9200",

 			AccessTokenVerifyMethod: config.AccessTokenVerificationJWT,
-			UserinfoCache: config.UserinfoCache{
-				Size: 1024,
-				TTL:  10,
+			UserinfoCache: &config.Cache{
+				Store:    "memory",
+				Database: "proxy",
+				Table:    "userinfo",
+				TTL:      time.Second * 10,
 			},
 			JWKS: config.JWKS{
 				RefreshInterval:   60, // minutes
@@ -254,6 +257,16 @@ func EnsureDefaults(cfg *config.Config) {
 		cfg.Tracing = &config.Tracing{}
 	}

+	if cfg.OIDC.UserinfoCache == nil && cfg.Commons != nil && cfg.Commons.Cache != nil {
+		cfg.OIDC.UserinfoCache = &config.Cache{
+			Store: cfg.Commons.Cache.Store,
+			Nodes: cfg.Commons.Cache.Nodes,
+			Size:  cfg.Commons.Cache.Size,
+		}
+	} else if cfg.OIDC.UserinfoCache == nil {
+		cfg.OIDC.UserinfoCache = &config.Cache{}
+	}
+
 	if cfg.TokenManager == nil && cfg.Commons != nil && cfg.Commons.TokenManager != nil {
 		cfg.TokenManager = &config.TokenManager{
 			JWTSecret: cfg.Commons.TokenManager.JWTSecret,
@@ -2,19 +2,23 @@ package middleware

 import (
 	"context"
+	"encoding/base64"
 	"net/http"
 	"strings"
 	"sync"
 	"time"

+	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	"github.com/owncloud/ocis/v2/ocis-pkg/oidc"
+	"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
+
 	"github.com/MicahParks/keyfunc"
 	gOidc "github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v4"
-	"github.com/owncloud/ocis/v2/ocis-pkg/log"
-	"github.com/owncloud/ocis/v2/ocis-pkg/oidc"
-	osync "github.com/owncloud/ocis/v2/ocis-pkg/sync"
-	"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
 	"github.com/pkg/errors"
+	"github.com/shamaton/msgpack/v2"
+	store "go-micro.dev/v4/store"
+	"golang.org/x/crypto/sha3"
 	"golang.org/x/oauth2"
 )

@@ -29,18 +33,18 @@ type OIDCProvider interface {
 }

 // NewOIDCAuthenticator returns a ready to use authenticator which can handle OIDC authentication.
-func NewOIDCAuthenticator(logger log.Logger, tokenCacheTTL int, oidcHTTPClient *http.Client, oidcIss string, providerFunc func() (OIDCProvider, error),
-	jwksOptions config.JWKS, accessTokenVerifyMethod string) *OIDCAuthenticator {
-	tokenCache := osync.NewCache(tokenCacheTTL)
+func NewOIDCAuthenticator(opts ...Option) *OIDCAuthenticator {
+	options := newOptions(opts...)
+
 	return &OIDCAuthenticator{
-		Logger:                  logger,
-		tokenCache:              &tokenCache,
-		TokenCacheTTL:           time.Duration(tokenCacheTTL),
-		HTTPClient:              oidcHTTPClient,
-		OIDCIss:                 oidcIss,
-		ProviderFunc:            providerFunc,
-		JWKSOptions:             jwksOptions,
-		AccessTokenVerifyMethod: accessTokenVerifyMethod,
+		Logger:                  options.Logger,
+		userInfoCache:           options.Cache,
+		DefaultTokenCacheTTL:    options.DefaultAccessTokenTTL,
+		HTTPClient:              options.HTTPClient,
+		OIDCIss:                 options.OIDCIss,
+		ProviderFunc:            options.OIDCProviderFunc,
+		JWKSOptions:             options.JWKS,
+		AccessTokenVerifyMethod: options.AccessTokenVerifyMethod,
 		providerLock:            &sync.Mutex{},
 		jwksLock:                &sync.Mutex{},
 	}
@@ -51,8 +55,8 @@ type OIDCAuthenticator struct {
 	Logger                  log.Logger
 	HTTPClient              *http.Client
 	OIDCIss                 string
-	tokenCache              *osync.Cache
-	TokenCacheTTL           time.Duration
+	userInfoCache           store.Store
+	DefaultTokenCacheTTL    time.Duration
 	ProviderFunc            func() (OIDCProvider, error)
 	AccessTokenVerifyMethod string
 	JWKSOptions             config.JWKS
@@ -66,40 +70,60 @@ type OIDCAuthenticator struct {

 func (m *OIDCAuthenticator) getClaims(token string, req *http.Request) (map[string]interface{}, error) {
 	var claims map[string]interface{}
-	hit := m.tokenCache.Load(token)
-	if hit == nil {
-		aClaims, err := m.verifyAccessToken(token)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to verify access token")
-		}

-		oauth2Token := &oauth2.Token{
-			AccessToken: token,
-		}
+	// usea 64 bytes long hash to have 256-bit collision resistance.
+	hash := make([]byte, 64)
+	sha3.ShakeSum256(hash, []byte(token))
+	encodedHash := base64.URLEncoding.EncodeToString(hash)

-		userInfo, err := m.getProvider().UserInfo(
-			context.WithValue(req.Context(), oauth2.HTTPClient, m.HTTPClient),
-			oauth2.StaticTokenSource(oauth2Token),
-		)
-		if err != nil {
-			return nil, errors.Wrap(err, "failed to get userinfo")
+	record, err := m.userInfoCache.Read(encodedHash)
+	if err != nil && err != store.ErrNotFound {
+		m.Logger.Error().Err(err).Msg("could not read from userinfo cache")
+	}
+	if len(record) > 1 {
+		if err = msgpack.Unmarshal(record[0].Value, &claims); err == nil {
+			m.Logger.Debug().Interface("claims", claims).Msg("cache hit for userinfo")
+			return claims, nil
 		}
-		if err := userInfo.Claims(&claims); err != nil {
-			return nil, errors.Wrap(err, "failed to unmarshal userinfo claims")
-		}
-
-		expiration := m.extractExpiration(aClaims)
-		m.tokenCache.Store(token, claims, expiration)
-
-		m.Logger.Debug().Interface("claims", claims).Interface("userInfo", userInfo).Time("expiration", expiration.UTC()).Msg("unmarshalled and cached userinfo")
-		return claims, nil
+		m.Logger.Error().Err(err).Msg("could not unmarshal userinfo")
+	}
+	aClaims, err := m.verifyAccessToken(token)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to verify access token")
 	}

-	var ok bool
-	if claims, ok = hit.V.(map[string]interface{}); !ok {
-		return nil, errors.New("failed to cast claims from the cache")
+	oauth2Token := &oauth2.Token{
+		AccessToken: token,
 	}
-	m.Logger.Debug().Interface("claims", claims).Msg("cache hit for userinfo")
+
+	userInfo, err := m.getProvider().UserInfo(
+		context.WithValue(req.Context(), oauth2.HTTPClient, m.HTTPClient),
+		oauth2.StaticTokenSource(oauth2Token),
+	)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get userinfo")
+	}
+	if err := userInfo.Claims(&claims); err != nil {
+		return nil, errors.Wrap(err, "failed to unmarshal userinfo claims")
+	}
+
+	expiration := m.extractExpiration(aClaims)
+	go func() {
+		if d, err := msgpack.Marshal(claims); err != nil {
+			m.Logger.Error().Err(err).Msg("failed to marshal claims for userinfo cache")
+		} else {
+			err = m.userInfoCache.Write(&store.Record{
+				Key:    encodedHash,
+				Value:  d,
+				Expiry: time.Until(expiration),
+			})
+			if err != nil {
+				m.Logger.Error().Err(err).Msg("failed to write to userinfo cache")
+			}
+		}
+	}()
+
+	m.Logger.Debug().Interface("claims", claims).Msg("extracted claims")
 	return claims, nil
 }

@@ -145,7 +169,7 @@ func (m OIDCAuthenticator) verifyAccessTokenJWT(token string) (jwt.RegisteredCla
 // If the access token does not have an exp claim it will fallback to the configured
 // default expiration
 func (m OIDCAuthenticator) extractExpiration(aClaims jwt.RegisteredClaims) time.Time {
-	defaultExpiration := time.Now().Add(m.TokenCacheTTL)
+	defaultExpiration := time.Now().Add(m.DefaultTokenCacheTTL)
 	if aClaims.ExpiresAt != nil {
 		m.Logger.Debug().Str("exp", aClaims.ExpiresAt.String()).Msg("Expiration Time from access_token")
 		return aClaims.ExpiresAt.Time
@@ -4,15 +4,14 @@ import (
 	"net/http"
 	"time"

-	"github.com/owncloud/ocis/v2/services/proxy/pkg/user/backend"
-	"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles"
-
-	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
-	storesvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/store/v0"
-
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	"github.com/owncloud/ocis/v2/ocis-pkg/log"
+	settingssvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/settings/v0"
+	storesvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/store/v0"
 	"github.com/owncloud/ocis/v2/services/proxy/pkg/config"
+	"github.com/owncloud/ocis/v2/services/proxy/pkg/user/backend"
+	"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles"
+	store "go-micro.dev/v4/store"
 )

 // Option defines a single option function.
@@ -52,10 +51,10 @@ type Options struct {
 	AutoprovisionAccounts bool
 	// EnableBasicAuth to allow basic auth
 	EnableBasicAuth bool
-	// UserinfoCacheSize defines the max number of entries in the userinfo cache, intended for the oidc_auth middleware
-	UserinfoCacheSize int
-	// UserinfoCacheTTL sets the max cache duration for the userinfo cache, intended for the oidc_auth middleware
-	UserinfoCacheTTL time.Duration
+	// DefaultAccessTokenTTL is used to calculate the expiration when an access token has no expiration set
+	DefaultAccessTokenTTL time.Duration
+	// Cache sets the access token cache store
+	Cache store.Store
 	// CredentialsByUserAgent sets the auth challenges on a per user-agent basis
 	CredentialsByUserAgent map[string]string
 	// AccessTokenVerifyMethod configures how access_tokens should be verified but the oidc_auth middleware.
@@ -184,17 +183,17 @@ func EnableBasicAuth(enableBasicAuth bool) Option {
 	}
 }

-// TokenCacheSize provides a function to set the TokenCacheSize
-func TokenCacheSize(size int) Option {
+// DefaultAccessTokenTTL provides a function to set the DefaultAccessTokenTTL
+func DefaultAccessTokenTTL(ttl time.Duration) Option {
 	return func(o *Options) {
-		o.UserinfoCacheSize = size
+		o.DefaultAccessTokenTTL = ttl
 	}
 }

-// TokenCacheTTL provides a function to set the TokenCacheTTL
-func TokenCacheTTL(ttl time.Duration) Option {
+// Cache provides a function to set the Cache
+func Cache(val store.Store) Option {
 	return func(o *Options) {
-		o.UserinfoCacheTTL = ttl
+		o.Cache = val
 	}
 }