ContainerImage.Pinniped/pkg/oidcclient/filesession/filesession.go
Margo Crawford 8a4bbbfcbe Proof of concept: client-side logout
Signed-off-by: Margo Crawford <margaretc@vmware.com>
2022-03-04 17:01:26 -08:00

170 lines
5.2 KiB
Go

// Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
// Package filesession implements a simple YAML file-based login.sessionCache.
package filesession
import (
"context"
"errors"
"fmt"
"os"
"path/filepath"
"time"
"github.com/gofrs/flock"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"go.pinniped.dev/pkg/oidcclient"
"go.pinniped.dev/pkg/oidcclient/oidctypes"
)
const (
// defaultFileLockTimeout is how long we will wait trying to acquire the file lock on the session file before timing out.
defaultFileLockTimeout = 10 * time.Second
// defaultFileLockRetryInterval is how often we will poll while waiting for the file lock to become available.
defaultFileLockRetryInterval = 10 * time.Millisecond
)
// Option configures a cache in New().
type Option func(*Cache)
// WithErrorReporter is an Option that specifies a callback which will be invoked for each error reported during
// session cache operations. By default, these errors are silently ignored.
func WithErrorReporter(reporter func(error)) Option {
return func(c *Cache) {
c.errReporter = reporter
}
}
// New returns a login.SessionCache implementation backed by the specified file path.
func New(path string, options ...Option) *Cache {
lock := flock.New(path + ".lock")
c := Cache{
path: path,
trylockFunc: func() error {
ctx, cancel := context.WithTimeout(context.Background(), defaultFileLockTimeout)
defer cancel()
_, err := lock.TryLockContext(ctx, defaultFileLockRetryInterval)
return err
},
unlockFunc: lock.Unlock,
errReporter: func(_ error) {},
}
for _, opt := range options {
opt(&c)
}
return &c
}
type Cache struct {
path string
errReporter func(error)
trylockFunc func() error
unlockFunc func() error
}
// GetToken looks up the cached data for the given parameters. It may return nil if no valid matching session is cached.
func (c *Cache) GetToken(key oidcclient.SessionCacheKey) *oidctypes.Token {
// If the cache file does not exist, exit immediately with no error log
if _, err := os.Stat(c.path); errors.Is(err, os.ErrNotExist) {
return nil
}
// Read the cache and lookup the matching entry. If one exists, update its last used timestamp and return it.
var result *oidctypes.Token
c.withCache(func(cache *sessionCache) {
if entry := cache.lookup(key); entry != nil {
result = &entry.Tokens
entry.LastUsedTimestamp = metav1.Now()
}
})
return result
}
// PutToken stores the provided token into the session cache under the given parameters. It does not return an error
// but may silently fail to update the session cache.
func (c *Cache) PutToken(key oidcclient.SessionCacheKey, token *oidctypes.Token) {
// Create the cache directory if it does not exist.
if err := os.MkdirAll(filepath.Dir(c.path), 0700); err != nil && !errors.Is(err, os.ErrExist) {
c.errReporter(fmt.Errorf("could not create session cache directory: %w", err))
return
}
// Mutate the cache to upsert the new session entry.
c.withCache(func(cache *sessionCache) {
// Find the existing entry, if one exists
if match := cache.lookup(key); match != nil {
// Update the stored token.
match.Tokens = *token
match.LastUsedTimestamp = metav1.Now()
return
}
// If there's not an entry for this key, insert one.
now := metav1.Now()
cache.insert(sessionEntry{
Key: key,
CreationTimestamp: now,
LastUsedTimestamp: now,
Tokens: *token,
})
})
}
// DeleteToken deletes the token from the session cache at the given cache cache key.
// It returns whether it deleted a token.
func (c *Cache) DeleteToken(key oidcclient.SessionCacheKey) bool {
_, err := os.Stat(c.path)
if errors.Is(err, os.ErrNotExist) {
// if the cache file doesn't exist there's no session info
// to delete
return false
}
deleted := false
c.withCache(func(cache *sessionCache) {
deleted = cache.delete(key)
})
return deleted
}
// withCache is an internal helper which locks, reads the cache, processes/mutates it with the provided function, then
// saves it back to the file.
func (c *Cache) withCache(transact func(*sessionCache)) {
// Grab the file lock so we have exclusive access to read the file.
if err := c.trylockFunc(); err != nil {
c.errReporter(fmt.Errorf("could not lock session file: %w", err))
return
}
// Unlock the file at the end of this call, bubbling up the error if things were otherwise successful.
defer func() {
if err := c.unlockFunc(); err != nil {
c.errReporter(fmt.Errorf("could not unlock session file: %w", err))
}
}()
// Try to read the existing cache.
cache, err := readSessionCache(c.path)
if err != nil {
// If that fails, fall back to resetting to a blank slate.
c.errReporter(fmt.Errorf("failed to read cache, resetting: %w", err))
cache = emptySessionCache()
}
// Normalize the cache before modifying it, to remove any entries that have already expired.
cache = cache.normalized()
// Process/mutate the session using the provided function.
transact(cache)
// Normalize again to put everything into a known order.
cache = cache.normalized()
// Marshal the session back to YAML and save it to the file.
if err := cache.writeTo(c.path); err != nil {
c.errReporter(fmt.Errorf("could not write session cache: %w", err))
}
}