fix: add memory pressure for jwt's cryptography usage

related to cffi issue #320: pypy's GC isn't aware of many of cryptography's allocations, manually add pressure for now so it keeps up temporarily toggleable so we can experiment w/ it vs the cryptography recent leak fix (cryptography PR 3732) Closes #917
mozilla-services · Jun 28, 2017 · 99048cd · 99048cd
1 parent b839bb5
commit 99048cd
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/autopush/jwt.py b/autopush/jwt.py
@@ -1,6 +1,7 @@
 import base64
 import binascii
 import json
+import os
 
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.backends import default_backend
@@ -12,6 +13,19 @@
 
 from autopush.types import JSONDict  # noqa
 
+# temporarily toggleable for easily enabling on production
+_JWT_MEMORY_PRESSURE = os.environ.get('_JWT_MEMORY_PRESSURE', 0)
+if _JWT_MEMORY_PRESSURE != 0:  # pragma: nocover
+    try:
+        from __pypy__ import add_memory_pressure
+    except ImportError:
+        _JWT_MEMORY_PRESSURE = 0
+    else:
+        try:
+            _JWT_MEMORY_PRESSURE = int(_JWT_MEMORY_PRESSURE)
+        except ValueError:
+            _JWT_MEMORY_PRESSURE = 2496
+
 
 def repad(string):
     # type: (str) -> str
@@ -89,6 +103,11 @@ def decode(token, key):
                 ec.SECP256R1(),
                 key
             ).public_key(default_backend())
+
+            # cffi issue #320: public_key & verify allocate approx.
+            if _JWT_MEMORY_PRESSURE:  # pragma: nocover
+                add_memory_pressure(_JWT_MEMORY_PRESSURE)
+
             # NOTE: verify() will take any string as the signature. It appears
             # to be doing lazy verification and matching strings rather than
             # comparing content values. If the signatures start failing for