Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ONYX-11330: Fix cache of signing key #2353

Merged
merged 5 commits into from
Aug 10, 2021
Merged

ONYX-11330: Fix cache of signing key #2353

merged 5 commits into from
Aug 10, 2021

Conversation

tzheleznyak
Copy link
Contributor

@tzheleznyak tzheleznyak commented Aug 3, 2021
edited
Loading

What does this PR do?

Bugfix for cache not working at all for saving signing key.

  • Return Of FetchCachedSigningKey command class wrapper for signing keys fetchers
  • Add hash function to authentication_parameters. Algorithem and placemant of this function need to be discussed @sashaCher @nessiLahav
  • Check for hash of *args in rate_limited_cache and concurrency_limited_cache in a way that don't need to hurt other authenticators. ( If hash function exists use it otherwise keep normal)

What ticket does this PR close?

ONYX-11330

Checklists

Change log

  • The CHANGELOG has been updated, or
  • This PR does not include user-facing changes and doesn't require a CHANGELOG update

Test coverage

  • This PR includes new unit and integration tests to go with the code changes, or
  • The changes in this PR do not require tests

Documentation

  • Docs (e.g. READMEs) were updated in this PR, and/or there is a follow-on issue to update docs, or
  • This PR does not require updating any documentation

API Changes

  • The OpenAPI spec has been updated to meet new API changes (or an issue has been opened), or
  • The changes in this PR do not affect the Conjur API

@tzheleznyak tzheleznyak requested review from nessiLahav and a team August 3, 2021 18:06
@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from 72728a0 to 1a46ded Compare August 4, 2021 10:06
nessiLahav
nessiLahav suggested changes Aug 5, 2021
View reviewed changes
Copy link
Contributor

@nessiLahav nessiLahav left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left some comments

@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch 2 times, most recently from d6a1987 to 951b371 Compare August 8, 2021 09:38
@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from 951b371 to dcc49eb Compare August 8, 2021 12:33
@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch 2 times, most recently from 281a1fa to 64ad246 Compare August 9, 2021 07:22
@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from 64ad246 to bdd7a81 Compare August 9, 2021 08:29
@sashaCher sashaCher force-pushed the bugfix-jwt-signing-key-chache branch from 4a72688 to c4eedc7 Compare August 9, 2021 09:29
orenbm
orenbm reviewed Aug 9, 2021
View reviewed changes
app/domain/util/concurrency_limited_cache.rb Outdated
@@ -66,5 +71,15 @@ def decrease_concurrent_requests
)
end
end

def cached_key(args)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please add a description to this method? what is this cached key? is it cached key or cache key?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed to cache_key and added comment

nessiLahav and others added 2 commits August 9, 2021 15:07
@nessiLahav @tzheleznyak
Bugfix status cache (#2356)
2049cee 
* ONYX-11330: Fix cache of signing key

* Fix cache bug in authn-jwt status flow

* Fixes according to PR comments

Co-authored-by: Tamir Zheleznyak <[email protected]>
@sashaCher
Fix signing_key UTs
7cebf4a
codeclimate[bot]
codeclimate bot reviewed Aug 9, 2021
View reviewed changes
app/domain/authentication/authn_jwt/validate_and_decode/validate_and_decode_token.rb Outdated
@@ -7,19 +7,31 @@ module ValidateAndDecode
# for the 2nd validation
ValidateAndDecodeToken ||= CommandClass.new(
dependencies: {
fetch_signing_key_from_cache: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/authentication/authn_jwt/validate_status.rb Outdated
@@ -3,6 +3,16 @@ module AuthnJwt

ValidateStatus = CommandClass.new(
dependencies: {
fetch_signing_key_from_cache: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/util/concurrency_limited_cache.rb

return @cache[args]
return @cache[cache_key]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#call calls '@cache[cache_key]' 2 times

app/domain/util/concurrency_limited_cache.rb Outdated
@@ -66,5 +71,15 @@ def decrease_concurrent_requests
)
end
end

def cached_key(args)
cache_key = args.key?(:cache_key) ? args.fetch(:cache_key) : args
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#cached_key refers to 'args' more than self (maybe move it to another class?)

app/domain/util/rate_limited_cache.rb
end

def cached_key(args)
if args.key?(:cache_key)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::RateLimitedCache#cached_key refers to 'args' more than self (maybe move it to another class?)

@tzheleznyak tzheleznyak marked this pull request as ready for review August 9, 2021 14:15
@tzheleznyak tzheleznyak requested a review from a team as a code owner August 9, 2021 14:15
@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from c0119ec to fd5c93a Compare August 9, 2021 14:35
codeclimate[bot]
codeclimate bot reviewed Aug 9, 2021
View reviewed changes
app/domain/authentication/authn_jwt/validate_and_decode/validate_and_decode_token.rb
@@ -7,12 +7,23 @@ module ValidateAndDecode
# for the 2nd validation
ValidateAndDecodeToken ||= CommandClass.new(
dependencies: {
fetch_signing_key: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/authentication/authn_jwt/validate_status.rb
@@ -3,7 +3,17 @@ module AuthnJwt

ValidateStatus = CommandClass.new(
dependencies: {
create_signing_key_interface: Authentication::AuthnJwt::SigningKey::CreateSigningKeyFactory.new,
fetch_signing_key: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/util/concurrency_limited_cache.rb

return @cache[args]
return @cache[cache_key]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#call calls '@cache[cache_key]' 2 times

app/domain/util/concurrency_limited_cache.rb

# Function returning cache key to store/retrieve in the cache
def cache_key(args)
if args.key?(:cache_key)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#cache_key refers to 'args' more than self (maybe move it to another class?)

app/domain/util/rate_limited_cache.rb
end

def cached_key(args)
if args.key?(:cache_key)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::RateLimitedCache#cached_key refers to 'args' more than self (maybe move it to another class?)

@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from fd5c93a to 8247b0d Compare August 9, 2021 15:21
codeclimate[bot]
codeclimate bot reviewed Aug 9, 2021
View reviewed changes
app/domain/authentication/authn_jwt/validate_and_decode/validate_and_decode_token.rb
@@ -7,12 +7,23 @@ module ValidateAndDecode
# for the 2nd validation
ValidateAndDecodeToken ||= CommandClass.new(
dependencies: {
fetch_signing_key: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/authentication/authn_jwt/validate_status.rb
@@ -3,7 +3,17 @@ module AuthnJwt

ValidateStatus = CommandClass.new(
dependencies: {
create_signing_key_interface: Authentication::AuthnJwt::SigningKey::CreateSigningKeyFactory.new,
fetch_signing_key: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/util/concurrency_limited_cache.rb

return @cache[args]
return @cache[cache_key]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#call calls '@cache[cache_key]' 2 times

app/domain/util/concurrency_limited_cache.rb

# Function returning cache key to store/retrieve in the cache
def cache_key(args)
if args.key?(:cache_key)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#cache_key refers to 'args' more than self (maybe move it to another class?)

app/domain/util/rate_limited_cache.rb
end

def cached_key(args)
if args.key?(:cache_key)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::RateLimitedCache#cached_key refers to 'args' more than self (maybe move it to another class?)

@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from 8247b0d to 3ed3fd9 Compare August 10, 2021 06:47
tzheleznyak
tzheleznyak commented Aug 10, 2021
View reviewed changes
CHANGELOG.md
@@ -6,6 +6,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.

## [Unreleased]

### Fixed
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@hilagross @shulifink
Please review changelog message

orenbm
orenbm reviewed Aug 10, 2021
View reviewed changes
app/domain/authentication/authn_jwt/signing_key/create_signing_key_factory.rb Outdated
@@ -2,7 +2,7 @@ module Authentication
module AuthnJwt
module SigningKey
# Factory that returns the interface implementation of FetchSigningKey
CreateSigningKeyFactory ||= CommandClass.new(
CreateSigningKeyInterface ||= CommandClass.new(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. please match the class name to the file name (or the other way)
  2. What does Interface stand for? does this class create a Signing key object? if so it should be named CreateSigningKey

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if you do change this to CreateSigningKey, please make the corresponding changes in the rest of the PR

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its creating a Provider object for signing key so i will rename to CreateSigningKeyProvider

@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from 3ed3fd9 to f40ffe5 Compare August 10, 2021 07:16
@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from f40ffe5 to 673317e Compare August 10, 2021 07:22
orenbm
orenbm reviewed Aug 10, 2021
View reviewed changes
app/domain/authentication/authn_jwt/signing_key/fetch_cached_signing_key.rb Outdated
# :reek:InstanceVariableAssumption
FetchCachedSigningKey = CommandClass.new(
dependencies: {},
inputs: %i[signing_key_interface]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please change signing_key_interface to signing_key_provider in the whole PR

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

and fix the description above

@tzheleznyak tzheleznyak force-pushed the bugfix-jwt-signing-key-chache branch from 673317e to 346f9d5 Compare August 10, 2021 08:17
codeclimate[bot]
codeclimate bot reviewed Aug 10, 2021
View reviewed changes
app/domain/authentication/authn_jwt/validate_and_decode/validate_and_decode_token.rb
@@ -7,12 +7,23 @@ module ValidateAndDecode
# for the 2nd validation
ValidateAndDecodeToken ||= CommandClass.new(
dependencies: {
fetch_signing_key: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/authentication/authn_jwt/validate_status.rb
@@ -3,7 +3,17 @@ module AuthnJwt

ValidateStatus = CommandClass.new(
dependencies: {
create_signing_key_interface: Authentication::AuthnJwt::SigningKey::CreateSigningKeyFactory.new,
fetch_signing_key: ::Util::ConcurrencyLimitedCache.new(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Identical blocks of code found in 2 locations. Consider refactoring.

app/domain/util/rate_limited_cache.rb
end

def cached_key(args)
if args.key?(:cache_key)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::RateLimitedCache#cached_key refers to 'args' more than self (maybe move it to another class?)

app/domain/util/concurrency_limited_cache.rb

return @cache[args]
return @cache[cache_key]
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#call calls '@cache[cache_key]' 2 times

app/domain/util/concurrency_limited_cache.rb

# Function returning cache key to store/retrieve in the cache
def cache_key(args)
if args.key?(:cache_key)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Util::ConcurrencyLimitedCache#cache_key refers to 'args' more than self (maybe move it to another class?)

@codeclimate
Copy link

codeclimate bot commented Aug 10, 2021

Code Climate has analyzed commit 346f9d5 and detected 12 issues on this pull request.

Here's the issue category breakdown:

Category Count
Duplication 2
Style 1
Complexity 9

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 91.0% (0.0% change).

View more on Code Climate.

nessiLahav
nessiLahav approved these changes Aug 10, 2021
View reviewed changes
Copy link
Contributor

@nessiLahav nessiLahav left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tzheleznyak tzheleznyak merged commit 7b5cffd into master Aug 10, 2021
@tzheleznyak tzheleznyak deleted the bugfix-jwt-signing-key-chache branch August 10, 2021 11:57
@jtuttle jtuttle mentioned this pull request Sep 14, 2021
Merged
@cyberark cyberark deleted a comment from orenbm Nov 29, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@codeclimate codeclimate[bot] codeclimate[bot] left review comments

@sashaCher sashaCher sashaCher left review comments

@nessiLahav nessiLahav nessiLahav approved these changes

@orenbm orenbm orenbm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@tzheleznyak @orenbm @sashaCher @nessiLahav