RUST-1662: Correctly handle Client and Connection caching, add Speculative Auth #1040
Conversation
|
|
||
| - name: oidc | ||
| display_name: OIDC | ||
| patchable: false |
There was a problem hiding this comment.
This will be removed before merge, again :)
| refresh_token: Option<String>, | ||
| access_token: Option<String>, | ||
| token_gen_id: i32, | ||
| token_gen_id: u32, |
There was a problem hiding this comment.
u32 is the more correct type here, as this should never be negative
| pub struct CallbackContext { | ||
| pub timeout_seconds: Option<Instant>, | ||
| pub version: i32, | ||
| pub version: u32, |
| conn: &Connection, | ||
| credential: &Credential, | ||
| response: &IdpServerResponse, | ||
| token_gen_id: i32, |
There was a problem hiding this comment.
spec requires caching the IdP info to avoid asking the server for it when it is known (cached).
src/client/auth/oidc.rs
Outdated
| .write() | ||
| .await; | ||
| if cache.access_token == Some(access_token) { | ||
| cache.access_token = None; |
There was a problem hiding this comment.
I like to use let _ to be very explicit that it's being thrown away
src/client/auth/oidc.rs
Outdated
| }; | ||
| // Update the credential and connection caches with the access token and the credential | ||
| // cache with the refresh token and token_gen_id | ||
| update_caches(conn, credential, &idp_response, None).await; |
There was a problem hiding this comment.
The server info should have been set at some time in the past, but also we don't have it here except for whatever was already in the cache, so we just don't update it here. Updating something with itself is just a waste of time.
| pub refresh_token: Option<String>, | ||
| } | ||
|
|
||
| /// Constructs the first client message in the OIDC handshake for speculative authentication |
There was a problem hiding this comment.
Is it ok for this to return an empty speculative command when there is no access token, or should we actually make this return an Option?
There was a problem hiding this comment.
I think it's fine to return an empty command as long as the calling code doesn't have to special case that.
| patchable: true | ||
| run_on: | ||
| - rhel87-small | ||
| - ubuntu2204-small |
There was a problem hiding this comment.
This was just so the oidc tests would start immediately
src/cmap/conn.rs
Outdated
| compression::Compressor, | ||
| error::{load_balanced_mode_mismatch, Error, ErrorKind, Result}, | ||
| event::cmap::{ | ||
| CmapEventEmitter, ConnectionCheckedInEvent, ConnectionCheckedOutEvent, |
There was a problem hiding this comment.
Looks like somehow the rustfmt I run on nvim buffer save is not the correct version of rustfmt.
| #[derive(Clone)] | ||
| pub struct State { | ||
| callback: Callback, | ||
| cache: Arc<RwLock<Cache>>, |
There was a problem hiding this comment.
Does this need to be held across await points? If not, this could become a std::sync::RwLock and avoid the async that has to propagate in various places here.
There was a problem hiding this comment.
Looks like it will work. I didn't realize that it was safe to use std::sync::RwLock as long as it doesn't cross await, but that makes sense. I assume the only difference of the tokio version is it handles unlocking when the await is rescheduled.
| #[derive(Clone)] | ||
| pub struct State { | ||
| callback: Callback, | ||
| cache: Arc<RwLock<Cache>>, |
| pub refresh_token: Option<String>, | ||
| } | ||
|
|
||
| /// Constructs the first client message in the OIDC handshake for speculative authentication |
There was a problem hiding this comment.
I think it's fine to return an empty command as long as the calling code doesn't have to special case that.
|
@abr-egn unfortunately, the calling code would have to special case it if returned the Option. I think this approach is fine because the worst that happens is we send nonsense (e.g., an empty or missing jwt) in the speculative auth which just gets returned as nothing and then we do normal auth. Seems like there's no downside to that, and then we avoid the special casing. |
isabelatkinson
left a comment
isabelatkinson
left a comment
There was a problem hiding this comment.
just two very small suggestions, no need for a re-review!
src/cmap/establish/handshake.rs
Outdated
|
|
||
| /// Updates the handshake command document with the speculative authenitication info. | ||
| fn set_speculative_auth_info( | ||
| async fn set_speculative_auth_info( |
There was a problem hiding this comment.
Is async code going to be added to this method? If not recommend reverting this change
There was a problem hiding this comment.
Nope! I just missed this one, thanks!
src/client/auth/oidc.rs
Outdated
|
|
||
| if credential.oidc_callback.is_none() { | ||
| auth_command_doc.insert("jwt", ""); | ||
| } else if let Some(access_token) = credential |
There was a problem hiding this comment.
| } else if let Some(access_token) = credential | |
| } else if let Some(access_token) = credential.get_access_token() |
(looks like this chain of method calls is the same as the contents of get_access_token)
3 participants
No description provided.