use LRU cache for valid tokens
Ravi Nagarjun Akella authored and Ravi Nagarjun Akella committed May 23, 2024
1 parent 04c74a1 commit 51f77d7
Showing 3 changed files with 51 additions and 18 deletions.
21 changes: 6 additions & 15 deletions include/sisl/auth_manager/auth_manager.hpp
Expand Up @@ -32,21 +32,7 @@ class LRUCache;
* they were extracted from decoded token.
*/
struct CachedToken {
AuthVerifyStatus response_status;
std::string msg;
bool valid;
std::chrono::system_clock::time_point expires_at;

inline void set_invalid(AuthVerifyStatus code, const std::string& reason) {
valid = false;
response_status = code;
msg = reason;
}

inline void set_valid() {
valid = true;
response_status = AuthVerifyStatus::OK;
}
};

class AuthManager {
Expand All @@ -60,7 +46,12 @@ class AuthManager {
virtual std::string download_key(const std::string& key_url) const;
std::string get_app(const jwt::decoded_jwt& decoded) const;

// the verify method is declared const. We make this mutable
// as these caches are modified in the verify method. md5_sum(raw_token) ->
// DecodedToken
mutable LRUCache< std::string, CachedToken > m_cached_tokens;

// key_id -> signing public key
mutable LRUCache< std::string, std::string > m_cached_keys;
};
} // namespace sisl
} // namespace sisl
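Review bot: The comment added above `m_cached_tokens` says `md5_sum(raw_token) -> DecodedToken`, but the mapped type declared on the next line is `CachedToken`, so the comment is already stale on arrival; change it to `// md5_sum(raw_token) -> CachedToken`. It would also help a reader of the header to say what an entry means, since the verify implementation only inserts tokens that passed full verification and re-accepts a hash hit until expiry plus leeway: `// positive-verdict cache: an entry is a token that passed full verification and is re-accepted on a hash hit until exp + leeway`. The rest of the CachedToken struct after the removed members is not visible in this hunk, so I cannot tell whether it still documents its own fields.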
45 changes: 43 additions & 2 deletions src/auth_manager/auth_manager.cpp
Expand Up @@ -10,9 +10,46 @@ extern "C" {

namespace sisl {

AuthManager::AuthManager() : m_cached_keys(SECURITY_DYNAMIC_CONFIG(auth_manager->auth_key_cache_size)) {}
static std::string md5_sum(std::string const& s) {
unsigned char digest[MD5_DIGEST_LENGTH];

MD5(reinterpret_cast< unsigned char* >(const_cast< char* >(s.c_str())), s.length(),
reinterpret_cast< unsigned char* >(&digest));

std::ostringstream out;
out << std::hex;
for (int i = 0; i < MD5_DIGEST_LENGTH; i++) {
out << std::setfill('0') << std::setw(2) << std::hex << (int)(unsigned char)digest[i];
}
return out.str();
}

struct incomplete_verification_error : std::exception {
explicit incomplete_verification_error(const std::string& error) : error_(error) {}
const char* what() const noexcept { return error_.c_str(); }

private:
const std::string error_;
};

AuthManager::AuthManager() :
m_cached_tokens(SECURITY_DYNAMIC_CONFIG(auth_manager->auth_token_cache_size)),
m_cached_keys(SECURITY_DYNAMIC_CONFIG(auth_manager->auth_key_cache_size)) {}

AuthVerifyStatus AuthManager::verify(const std::string& token, std::string& msg) const {
// if we have it in cache, just use it to make the decision
auto const token_hash = md5_sum(token);
if (auto const ct = m_cached_tokens.get(token_hash); ct) {
auto now = std::chrono::system_clock::now();
if (now > ct->expires_at + std::chrono::seconds(SECURITY_DYNAMIC_CONFIG(auth_manager->expiry_leeway_secs))) {
msg = "token expired";
return AuthVerifyStatus::UNAUTH;
}
return AuthVerifyStatus::OK;
}

// not found in cache
CachedToken cached_token;
std::string app_name;
try {
// this may throw if token is ill formed
Expand All @@ -22,7 +59,10 @@ AuthVerifyStatus AuthManager::verify(const std::string& token, std::string& msg)
// exception is thrown.
verify_decoded(decoded);
app_name = get_app(decoded);
cached_token.expires_at = decoded.get_expires_at();
} catch (const std::exception& e) {
// verification incomplete, the token validity is not determined, shouldn't
// cache
msg = e.what();
return AuthVerifyStatus::UNAUTH;
}
Expand All @@ -35,6 +75,7 @@ AuthVerifyStatus AuthManager::verify(const std::string& token, std::string& msg)
}
}

m_cached_tokens.put(token_hash, cached_token);
return AuthVerifyStatus::OK;
}

Expand Down Expand Up @@ -116,4 +157,4 @@ std::string AuthManager::get_app(const jwt::decoded_jwt& decoded) const {
const auto end{client_id.find_first_of(",", start)};
return client_id.substr(start, end - start);
}
} // namespace sisl
} // namespace sisl
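Review bot: `md5_sum` in the first hunk of this file keys the verdict cache with MD5, which is not collision-resistant and whose low-level `MD5()` entry point OpenSSL 3 marks deprecated; the hashed input is an attacker-supplied bearer token, so a SHA-256 digest (via `SHA256()` or `EVP_Digest`) keeps the cache key collision-resistant at negligible cost, and the `const_cast` is unnecessary because the digest API only reads the buffer. The rewrite below needs the SHA header from the same OpenSSL include block the MD5 one presumably comes from, which is outside this hunk. In the second hunk, `decoded.get_expires_at()` throws in jwt-cpp when the token carries no `exp` claim, so a token that `verify_decoded` accepted without one is now rejected as UNAUTH by the catch block — confirm that is intended. A cached verdict is also re-accepted until expiry or LRU eviction even if the signing key or app allow-list changes in the meantime, which deserves a comment above `m_cached_tokens.put(token_hash, cached_token);` in the third hunk such as `// positive verdicts only; a cached token stays trusted until exp + leeway even if keys or config change`. Whether `LRUCache::get`/`put` may be called concurrently from this const method is not visible here.
```cpp
static std::string token_digest(std::string const& s) {
    unsigned char digest[SHA256_DIGEST_LENGTH];
    // the input is only read, so no const_cast is needed
    SHA256(reinterpret_cast< const unsigned char* >(s.data()), s.size(), digest);

    std::ostringstream out;
    out << std::hex << std::setfill('0');
    for (auto const b : digest) {
        out << std::setw(2) << static_cast< int >(b);
    }
    return out.str();
}
// … unchanged: incomplete_verification_error, constructor, verify (uses token_digest instead of md5_sum) …
```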
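--- a/src/auth_manager/security_config.fbs
+++ b/src/auth_manager/security_config.fbs
@@ -43,7 +43,8 @@ table AuthManager {
 // ssl verification for the signing key download url
 verify: bool = true;
 
-// LRUCache size
+// LRUCache sizes
+auth_token_cache_size: uint32 = 2000;
 auth_key_cache_size: uint32 = 100;
 }
 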
