Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve trusted cert loading in Certificate Auth #27902

Merged
merged 7 commits into from
Jul 29, 2024
Merged

Improve trusted cert loading in Certificate Auth #27902

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
ac1bbb7
Improve trusted cert loading in Certificate Auth
sgmiller Jul 29, 2024
638847a
changelog
sgmiller Jul 29, 2024
ccb7a25
cleanup
sgmiller Jul 29, 2024
73624ef
Lock around reads correctly
sgmiller Jul 29, 2024
da782ef
check cache first
sgmiller Jul 29, 2024
3836c15
dont read lock in the loadTrustedCerts recheck
sgmiller Jul 29, 2024
e2a71ed
remove unnecessary read locking
sgmiller Jul 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 7 additions & 2 deletions builtin/credential/cert/backend.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@ import (
"github.com/hashicorp/go-multierror"
lru "github.com/hashicorp/golang-lru/v2"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/locksutil"
"github.com/hashicorp/vault/sdk/helper/ocsp"
"github.com/hashicorp/vault/sdk/logical"
)
Expand All @@ -43,7 +44,8 @@ func Backend() *backend {
// ignoring the error as it only can occur with <= 0 size
cache, _ := lru.New[string, *trusted](defaultRoleCacheSize)
b := backend{
trustedCache: cache,
trustedCache: cache,
trustedCacheLocks: locksutil.CreateLocks(),
}
b.Backend = &framework.Backend{
Help: backendHelp,
Expand Down Expand Up @@ -90,6 +92,8 @@ type backend struct {

trustedCache *lru.Cache[string, *trusted]
trustedCacheDisabled atomic.Bool
trustedCacheLocks []*locksutil.LockEntry
trustedCacheFull atomic.Pointer[trusted]
}

func (b *backend) initialize(ctx context.Context, req *logical.InitializationRequest) error {
Expand Down Expand Up @@ -137,7 +141,7 @@ func (b *backend) updatedConfig(config *config) {
case config.RoleCacheSize < 0:
// Just to clean up memory
b.trustedCacheDisabled.Store(true)
b.trustedCache.Purge()
b.flushTrustedCache()
case config.RoleCacheSize == 0:
config.RoleCacheSize = defaultRoleCacheSize
fallthrough
Expand Down Expand Up @@ -200,6 +204,7 @@ func (b *backend) flushTrustedCache() {
if b.trustedCache != nil { // defensive
b.trustedCache.Purge()
}
b.trustedCacheFull.Store(nil)
stevendpclark marked this conversation as resolved.
Show resolved Hide resolved
}

const backendHelp = `
Expand Down
37 changes: 34 additions & 3 deletions builtin/credential/cert/path_login.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,8 @@ import (
"net/url"
"strings"

"github.com/hashicorp/vault/sdk/helper/locksutil"

"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-multierror"
"github.com/hashicorp/vault/sdk/framework"
Expand Down Expand Up @@ -596,15 +598,39 @@ func (b *backend) certificateExtensionsMetadata(clientCert *x509.Certificate, co

func (b *backend) getTrustedCerts(ctx context.Context, storage logical.Storage, certName string) (pool *x509.CertPool, trusted []*ParsedCert, trustedNonCAs []*ParsedCert, conf *ocsp.VerifyConfig) {
if !b.trustedCacheDisabled.Load() {
if trusted, found := b.trustedCache.Get(certName); found {
trusted, found := b.getTrustedCertsFromCache(certName)
if found {
return trusted.pool, trusted.trusted, trusted.trustedNonCAs, trusted.ocspConf
}
}
return b.loadTrustedCerts(ctx, storage, certName)
}

func (b *backend) getTrustedCertsFromCache(certName string) (*trusted, bool) {
if certName == "" {
trusted := b.trustedCacheFull.Load()
if trusted != nil {
return trusted, true
}
} else if trusted, found := b.trustedCache.Get(certName); found {
return trusted, true
}
return nil, false
}

// loadTrustedCerts is used to load all the trusted certificates from the backend
func (b *backend) loadTrustedCerts(ctx context.Context, storage logical.Storage, certName string) (pool *x509.CertPool, trustedCerts []*ParsedCert, trustedNonCAs []*ParsedCert, conf *ocsp.VerifyConfig) {
lock := locksutil.LockForKey(b.trustedCacheLocks, certName)
lock.Lock()
defer lock.Unlock()

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To avoid re-doing the work, shouldn't we check to make sure that b.trustedCache.Get(certName) keep doing the work only if nil, otherwise leverage the newly populated cache while we were locked?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You only get to this point after a cache test in getTrustedCerts, so yeah, there is a tiny race here where it could have been filled in prior to getting the lock. Worth another test?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well the point of the lock was to avoid different clients from re-populating the cache? All this will do is actually make it worse by serializing all the requests but they will still re-populate the cache no?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doh! You're right. I should take an RLock in the read case. And sure, I'll do a re-test.

if !b.trustedCacheDisabled.Load() {
trusted, found := b.getTrustedCertsFromCache(certName)
if found {
return trusted.pool, trusted.trusted, trusted.trustedNonCAs, trusted.ocspConf
}
}

pool = x509.NewCertPool()
trustedCerts = make([]*ParsedCert, 0)
trustedNonCAs = make([]*ParsedCert, 0)
Expand Down Expand Up @@ -672,12 +698,17 @@ func (b *backend) loadTrustedCerts(ctx context.Context, storage logical.Storage,
}

if !b.trustedCacheDisabled.Load() {
b.trustedCache.Add(certName, &trusted{
entry := &trusted{
pool: pool,
trusted: trustedCerts,
trustedNonCAs: trustedNonCAs,
ocspConf: conf,
})
}
if certName == "" {
b.trustedCacheFull.Store(entry)
} else {
b.trustedCache.Add(certName, entry)
}
}
return
}
Expand Down
5 changes: 5 additions & 0 deletions changelog/27902.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
```release-note:improvement
auth/cert: Cache full list of role trust information separately to avoid
eviction, and avoid duplicate loading during multiple simultaneous logins on
the same role.
```
Loading