Skip to content

Commit

Permalink
Improve testing and used more mature and concurrency-safe LRU cache f…
Browse files Browse the repository at this point in the history
…rom hashicorp
  • Loading branch information
tom-haines committed Aug 19, 2020
1 parent fb8af76 commit aab3288
Show file tree
Hide file tree
Showing 5 changed files with 55 additions and 10 deletions.
1 change: 1 addition & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ require (
github.com/gorilla/mux v1.7.3
github.com/gorilla/websocket v1.4.0 // indirect
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0
github.com/hashicorp/golang-lru v0.5.4
github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
github.com/kylelemons/godebug v1.1.0
github.com/lib/pq v1.3.0
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,8 @@ github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:
github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+dAcgU=
github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
Expand Down
8 changes: 4 additions & 4 deletions server/oauth2.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,10 +21,10 @@ import (
"strings"
"time"

"github.com/golang/groupcache/lru"

jose "gopkg.in/square/go-jose.v2"

lru "github.com/hashicorp/golang-lru"

"github.com/dexidp/dex/connector"
"github.com/dexidp/dex/server/internal"
"github.com/dexidp/dex/storage"
Expand Down Expand Up @@ -559,7 +559,7 @@ func (s *Server) validateCrossClientTrust(clientID, peerID string) (trusted bool
return false, nil
}

func validateRedirectURI(client storage.Client, wildcardCache *lru.Cache, redirectURI string) bool {
func validateRedirectURI(client storage.Client, wildcardCache *lru.ARCCache, redirectURI string) bool {
if !client.Public {
for _, uri := range client.RedirectURIs {
if redirectURI == uri {
Expand Down Expand Up @@ -594,7 +594,7 @@ func validateRedirectURI(client storage.Client, wildcardCache *lru.Cache, redire
return err == nil && host == "localhost"
}

func wildcardMatch(knownRedirectUri string, requestedRedirectUri string, wildcardCache *lru.Cache) bool {
func wildcardMatch(knownRedirectUri string, requestedRedirectUri string, wildcardCache *lru.ARCCache) bool {
if wildcardCache == nil {
return false
}
Expand Down
41 changes: 38 additions & 3 deletions server/oauth2_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ import (
"strings"
"testing"

"github.com/golang/groupcache/lru"
"github.com/hashicorp/golang-lru"
"gopkg.in/square/go-jose.v2"

"github.com/dexidp/dex/storage"
Expand Down Expand Up @@ -286,6 +286,20 @@ func TestValidRedirectURI(t *testing.T) {
redirectURI: "http://abc.foo.com/bar",
wantValid: true,
},
{
client: storage.Client{
RedirectURIs: []string{"http://abc.foo.com/bar"},
},
redirectURI: "http://abc.foo.com/bar",
wantValid: true,
},
{
client: storage.Client{
RedirectURIs: []string{"http://b*.foo.com/bar"},
},
redirectURI: "http://abc.foo.com/bar",
wantValid: false,
},
{
// URL must use http: or https: protocol
client: storage.Client{
Expand Down Expand Up @@ -374,15 +388,36 @@ func TestValidRedirectURI(t *testing.T) {
},
}

wildcardCache := lru.New(2)
maxCacheSize := 3
wildcardCache, _ := lru.NewARC(maxCacheSize)

for _, test := range tests {
if maxCacheSize >= len(tests) {
t.Errorf("cache tests pre-condition is that mac cache size is less than test suite size" +
" cacheMax=%d testItemsSize=%d", maxCacheSize, len(tests))
}

var firstWildcardCache = ""
for i, test := range tests {
got := validateRedirectURI(test.client, wildcardCache, test.redirectURI)
if got != test.wantValid {
t.Errorf("client=%#v, redirectURI=%q, wanted valid=%t, got=%t",
test.client, test.redirectURI, test.wantValid, got)
}

// expect redirectURI last used should be stored in cache
if !test.client.Public && len(test.client.RedirectURIs) > 0 && test.redirectURI != test.client.RedirectURIs[0] {
if !wildcardCache.Contains(test.client.RedirectURIs[0]) {
t.Errorf("test[%d] should contain redirectURI as cache key %s", i, test.client.RedirectURIs[0])
}
if len(firstWildcardCache) == 0 {
firstWildcardCache = test.client.RedirectURIs[0]
}
}
}

if wildcardCache.Contains(firstWildcardCache) {
// check eviction policed
t.Errorf("first redirectURI should have been evicted from cache %s", tests[0].client.RedirectURIs[0])
}
}

Expand Down
13 changes: 10 additions & 3 deletions server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,12 +15,13 @@ import (
"time"

"github.com/felixge/httpsnoop"
"github.com/golang/groupcache/lru"
"github.com/gorilla/handlers"
"github.com/gorilla/mux"
"github.com/prometheus/client_golang/prometheus"
"golang.org/x/crypto/bcrypt"

lru "github.com/hashicorp/golang-lru"

"github.com/dexidp/dex/connector"
"github.com/dexidp/dex/connector/atlassiancrowd"
"github.com/dexidp/dex/connector/authproxy"
Expand Down Expand Up @@ -163,7 +164,7 @@ type Server struct {
logger log.Logger

// LRU cache of regex matchers for a given permitted redirect URI defined in Client
wildcardMatcherCache *lru.Cache
wildcardMatcherCache *lru.ARCCache
}

// NewServer constructs a server from the provided config.
Expand Down Expand Up @@ -216,6 +217,12 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
now = time.Now
}

arcCache, err := lru.NewARC(500)
if err != nil {
c.Logger.Infof("ARC LRU case failed to load, wildcard redirect URIs disabled: %v", err)
}


s := &Server{
issuerURL: *issuerURL,
connectors: make(map[string]Connector),
Expand All @@ -229,7 +236,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
templates: tmpls,
passwordConnector: c.PasswordConnector,
logger: c.Logger,
wildcardMatcherCache: lru.New(500),
wildcardMatcherCache: arcCache,
}

// Retrieves connector objects in backend storage. This list includes the static connectors
Expand Down

0 comments on commit aab3288

Please sign in to comment.