From d8e46b9034e3f68650ae23849beaa6d6bafac95c Mon Sep 17 00:00:00 2001 From: Ravi Nagarjun Akella Date: Thu, 23 May 2024 16:20:43 -0700 Subject: [PATCH] use LRU cache for valid tokens --- include/sisl/auth_manager/auth_manager.hpp | 21 +++------- src/auth_manager/auth_manager.cpp | 45 +++++++++++++++++++++- src/auth_manager/security_config.fbs | 3 +- 3 files changed, 51 insertions(+), 18 deletions(-) diff --git a/include/sisl/auth_manager/auth_manager.hpp b/include/sisl/auth_manager/auth_manager.hpp index e7516997..69c26b16 100644 --- a/include/sisl/auth_manager/auth_manager.hpp +++ b/include/sisl/auth_manager/auth_manager.hpp @@ -32,21 +32,7 @@ class LRUCache; * they were extracted from decoded token. */ struct CachedToken { - AuthVerifyStatus response_status; - std::string msg; - bool valid; std::chrono::system_clock::time_point expires_at; - - inline void set_invalid(AuthVerifyStatus code, const std::string& reason) { - valid = false; - response_status = code; - msg = reason; - } - - inline void set_valid() { - valid = true; - response_status = AuthVerifyStatus::OK; - } }; class AuthManager { @@ -60,7 +46,12 @@ class AuthManager { virtual std::string download_key(const std::string& key_url) const; std::string get_app(const jwt::decoded_jwt& decoded) const; + // the verify method is declared const. We make this mutable + // as these caches are modified in the verify method. md5_sum(raw_token) -> + // DecodedToken + mutable LRUCache< std::string, CachedToken > m_cached_tokens; + // key_id -> signing public key mutable LRUCache< std::string, std::string > m_cached_keys; }; -} // namespace sisl +} // namespace sisl \ No newline at end of file diff --git a/src/auth_manager/auth_manager.cpp b/src/auth_manager/auth_manager.cpp index cbcb71e5..795ad6b1 100644 --- a/src/auth_manager/auth_manager.cpp +++ b/src/auth_manager/auth_manager.cpp @@ -10,9 +10,46 @@ extern "C" { namespace sisl { -AuthManager::AuthManager() : m_cached_keys(SECURITY_DYNAMIC_CONFIG(auth_manager->auth_key_cache_size)) {} +static std::string md5_sum(std::string const& s) { + unsigned char digest[MD5_DIGEST_LENGTH]; + + MD5(reinterpret_cast< unsigned char* >(const_cast< char* >(s.c_str())), s.length(), + reinterpret_cast< unsigned char* >(&digest)); + + std::ostringstream out; + out << std::hex; + for (int i = 0; i < MD5_DIGEST_LENGTH; i++) { + out << std::setfill('0') << std::setw(2) << std::hex << (int)(unsigned char)digest[i]; + } + return out.str(); +} + +struct incomplete_verification_error : std::exception { + explicit incomplete_verification_error(const std::string& error) : error_(error) {} + const char* what() const noexcept { return error_.c_str(); } + +private: + const std::string error_; +}; + +AuthManager::AuthManager() : + m_cached_tokens(SECURITY_DYNAMIC_CONFIG(auth_manager->auth_token_cache_size)), + m_cached_keys(SECURITY_DYNAMIC_CONFIG(auth_manager->auth_key_cache_size)) {} AuthVerifyStatus AuthManager::verify(const std::string& token, std::string& msg) const { + // if we have it in cache, just use it to make the decision + auto const token_hash = md5_sum(token); + if (auto const ct = m_cached_tokens.get(token_hash); ct) { + auto now = std::chrono::system_clock::now(); + if (now > ct->expires_at + std::chrono::seconds(SECURITY_DYNAMIC_CONFIG(auth_manager->expiry_leeway_secs))) { + msg = "token expired"; + return AuthVerifyStatus::UNAUTH; + } + return AuthVerifyStatus::OK; + } + + // not found in cache + CachedToken cached_token; std::string app_name; try { // this may throw if token is ill formed @@ -22,7 +59,10 @@ AuthVerifyStatus AuthManager::verify(const std::string& token, std::string& msg) // exception is thrown. verify_decoded(decoded); app_name = get_app(decoded); + cached_token.expires_at = decoded.get_expires_at(); } catch (const std::exception& e) { + // verification incomplete, the token validity is not determined, shouldn't + // cache msg = e.what(); return AuthVerifyStatus::UNAUTH; } @@ -35,6 +75,7 @@ AuthVerifyStatus AuthManager::verify(const std::string& token, std::string& msg) } } + m_cached_tokens.put(token_hash, cached_token); return AuthVerifyStatus::OK; } @@ -116,4 +157,4 @@ std::string AuthManager::get_app(const jwt::decoded_jwt& decoded) const { const auto end{client_id.find_first_of(",", start)}; return client_id.substr(start, end - start); } -} // namespace sisl +} // namespace sisl \ No newline at end of file diff --git a/src/auth_manager/security_config.fbs b/src/auth_manager/security_config.fbs index cb4945aa..6f259ad1 100644 --- a/src/auth_manager/security_config.fbs +++ b/src/auth_manager/security_config.fbs @@ -43,7 +43,8 @@ table AuthManager { // ssl verification for the signing key download url verify: bool = true; - // LRUCache size + // LRUCache sizes + auth_token_cache_size: uint32 = 1000; auth_key_cache_size: uint32 = 100; }