Merge branch 'OpenIDC:master' into pr3_defaulturl_t2

brandonk10 · Aug 18, 2023 · 4747a98 · 4747a98
2 parents f04991f + 7db010d
commit 4747a98
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 10 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+08/13/2023
+- increase performance of JQ filtering by caching JQ filtering results
+  default cache ttl is 10 min, configured through environment variable OIDC_JQ_FILTER_CACHE_TTL
+- bump to 2.4.14.3rc5
+
 07/25/2023
 - support "authenticate_on_error" 2nd parameter value in OIDCRefreshAccessTokenBeforeExpiry 
   to reauthenticate the user when refreshing the access token fails

diff --git a/configure.ac b/configure.ac
@@ -1,4 +1,4 @@
-AC_INIT([mod_auth_openidc],[2.4.14.3rc4],[[email protected]])
+AC_INIT([mod_auth_openidc],[2.4.14.3rc6],[[email protected]])
 
 AC_SUBST(NAMEVER, AC_PACKAGE_TARNAME()-AC_PACKAGE_VERSION())
 

diff --git a/src/cache/cache.h b/src/cache/cache.h
@@ -100,6 +100,7 @@ apr_byte_t oidc_cache_set(request_rec *r, const char *section, const char *key,
 #define OIDC_CACHE_SECTION_REQUEST_URI       "r"
 #define OIDC_CACHE_SECTION_SID               "d"
 #define OIDC_CACHE_SECTION_USERINFO_SJWT     "u"
+#define OIDC_CACHE_SECTION_JQ_FILTER         "q"
 
 // TODO: now every section occupies the same space; we may want to differentiate
 //       according to section-based size, at least for the shm backend
@@ -114,6 +115,7 @@ apr_byte_t oidc_cache_set(request_rec *r, const char *section, const char *key,
 #define oidc_cache_get_request_uri(r, key, value) oidc_cache_get(r, OIDC_CACHE_SECTION_REQUEST_URI, key, value)
 #define oidc_cache_get_sid(r, key, value) oidc_cache_get(r, OIDC_CACHE_SECTION_SID, key, value)
 #define oidc_cache_get_signed_jwt(r, key, value) oidc_cache_get(r, OIDC_CACHE_SECTION_USERINFO_SJWT, key, value)
+#define oidc_cache_get_jq_filter(r, key, value) oidc_cache_get(r, OIDC_CACHE_SECTION_JQ_FILTER, key, value)
 
 #define oidc_cache_set_session(r, key, value, expiry) oidc_cache_set(r, OIDC_CACHE_SECTION_SESSION, key, value, expiry)
 #define oidc_cache_set_nonce(r, key, value, expiry) oidc_cache_set(r, OIDC_CACHE_SECTION_NONCE, key, value, expiry)
@@ -125,6 +127,7 @@ apr_byte_t oidc_cache_set(request_rec *r, const char *section, const char *key,
 #define oidc_cache_set_request_uri(r, key, value, expiry) oidc_cache_set(r, OIDC_CACHE_SECTION_REQUEST_URI, key, value, expiry)
 #define oidc_cache_set_sid(r, key, value, expiry) oidc_cache_set(r, OIDC_CACHE_SECTION_SID, key, value, expiry)
 #define oidc_cache_set_signed_jwt(r, key, value, expiry) oidc_cache_set(r, OIDC_CACHE_SECTION_USERINFO_SJWT, key, value, expiry)
+#define oidc_cache_set_jq_filter(r, key, value, expiry) oidc_cache_set(r, OIDC_CACHE_SECTION_JQ_FILTER, key, value, expiry)
 
 extern oidc_cache_t oidc_cache_file;
 extern oidc_cache_t oidc_cache_shm;

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -1221,8 +1221,6 @@ static apr_byte_t oidc_refresh_claims_from_userinfo_endpoint(request_rec *r,
 	const char *access_token = NULL;
 	char *userinfo_jwt = NULL;
 
-	*needs_save = FALSE;
-
 	/* get the current provider info */
 	if (oidc_get_provider_from_session(r, cfg, session, &provider) == FALSE) {
 		*needs_save = TRUE;
@@ -1423,6 +1421,15 @@ static int oidc_userinfo_signed_jwt_cache_ttl(request_rec *r) {
 			_oidc_str_to_int(s_ttl) : OIDC_USERINFO_SIGNED_JWT_EXPIRE_DEFAULT);
 }
 
+#define OIDC_JQ_FILTER_EXPIRE_DEFAULT 600
+#define OIDC_JQ_FILTER_CACHE_TTL_ENVVAR "OIDC_JQ_FILTER_CACHE_TTL"
+
+int oidc_jq_filter_cache_ttl(request_rec *r) {
+	const char *s_ttl = apr_table_get(r->subprocess_env,
+			OIDC_JQ_FILTER_CACHE_TTL_ENVVAR);
+	return (s_ttl ? _oidc_str_to_int(s_ttl) : OIDC_JQ_FILTER_EXPIRE_DEFAULT);
+}
+
 static apr_byte_t oidc_userinfo_create_signed_jwt(request_rec *r, oidc_cfg *cfg,
 		oidc_session_t *session, const char *s_claims, char **cser) {
 	apr_byte_t rv = FALSE;
@@ -1705,8 +1712,6 @@ static int oidc_handle_existing_session(request_rec *r, oidc_cfg *cfg,
 		}
 	}
 
-	*needs_save |= rv;
-
 	/* set the user authentication HTTP header if set and required */
 	if ((r->user != NULL) && (authn_header != NULL))
 		oidc_util_hdr_in_set(r, authn_header, r->user);
@@ -3959,11 +3964,8 @@ static int oidc_handle_info_request(request_rec *r, oidc_cfg *c,
 	 * side-effect is that this may refresh the access token if not already done
 	 * note that OIDCUserInfoRefreshInterval should be set to control the refresh policy
 	 */
-	if (b_extend_session) {
-		apr_byte_t l_needs_save = FALSE;
-		oidc_refresh_claims_from_userinfo_endpoint(r, c, session, &l_needs_save);
-		needs_save |= l_needs_save;
-	}
+	if (b_extend_session)
+		oidc_refresh_claims_from_userinfo_endpoint(r, c, session, &needs_save);
 
 	/* include the access token in the session info */
 	if (apr_hash_get(c->info_hook_data, OIDC_HOOK_INFO_ACCES_TOKEN,

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -814,6 +814,7 @@ int oidc_cfg_delete_oldest_state_cookies(oidc_cfg *cfg);
 oidc_provider_t* oidc_cfg_provider_create(apr_pool_t *pool);
 oidc_provider_t* oidc_cfg_provider_copy(apr_pool_t *pool, const oidc_provider_t *src);
 void oidc_config_check_x_forwarded(request_rec *r, const apr_byte_t x_forwarded_headers);
+int oidc_jq_filter_cache_ttl(request_rec *r);
 
 // oidc_util.c
 int oidc_strnenvcmp(const char *a, const char *b, int len);

diff --git a/src/util.c b/src/util.c
@@ -3145,6 +3145,9 @@ const char* oidc_util_jq_filter(request_rec *r, const char *input,
 #ifdef USE_LIBJQ
 	jq_state *jq = NULL;
 	struct jv_parser *parser = NULL;
+	int ttl = 0;
+	char *key = NULL;
+	char *value = NULL;
 
 	if (filter == NULL) {
 		oidc_debug(r, "filter is NULL, abort");
@@ -3159,6 +3162,22 @@ const char* oidc_util_jq_filter(request_rec *r, const char *input,
 	oidc_debug(r, "processing input: %s", input);
 	oidc_debug(r, "processing filter: %s", filter);
 
+	ttl = oidc_jq_filter_cache_ttl(r);
+	if (ttl != 0) {
+		if (oidc_util_hash_string_and_base64url_encode(r, OIDC_JOSE_ALG_SHA256,
+				apr_pstrcat(r->pool, input, filter, NULL), &key) == FALSE) {
+			oidc_error(r,
+					"oidc_util_hash_string_and_base64url_encode returned an error");
+			goto end;
+		}
+		oidc_cache_get_jq_filter(r, key, &value);
+		if (value != NULL) {
+			oidc_debug(r, "return cached result: %s", value);
+			result = value;
+			goto end;
+		}
+	}
+
 	jq = jq_init();
 	if (jq == NULL) {
 		oidc_error(r, "jq_init returned NULL");
@@ -3180,6 +3199,12 @@ const char* oidc_util_jq_filter(request_rec *r, const char *input,
 
 	result = oidc_util_jq_exec(r, jq, parser);
 
+	if ((result != NULL) && (ttl != 0)) {
+		oidc_debug(r, "caching result: %s", result);
+		oidc_cache_set_jq_filter(r, key, result,
+				apr_time_now() + apr_time_from_sec(ttl));
+	}
+
 end:
 
 	if (parser)