Skip to content

[stable27] feat(perf): add cache for authtoken lookup #44447

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
juliusknorr merged 2 commits into from
May 7, 2024
Merged

[stable27] feat(perf): add cache for authtoken lookup #44447

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
65e0bc7
feat(perf): add cache for authtoken lookup
Altahrim May 7, 2024
494648d
fix(session): Avoid race condition for cache::get() vs. cache::hasKey()
nickvergessen Apr 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 4 additions & 5 deletions lib/private/Authentication/Token/PublicKeyTokenMapper.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,6 @@ public function __construct(IDBConnection $db) {

/**
* Invalidate (delete) a given token
*
* @param string $token
*/
public function invalidate(string $token) {
/* @var $qb IQueryBuilder */
Expand Down Expand Up @@ -141,14 +139,15 @@ public function getTokenByUser(string $uid): array {
return $entities;
}

public function deleteById(string $uid, int $id) {
public function getTokenByUserAndId(string $uid, int $id): ?string {
/* @var $qb IQueryBuilder */
$qb = $this->db->getQueryBuilder();
$qb->delete($this->tableName)
$qb->select('token')
->from($this->tableName)
->where($qb->expr()->eq('id', $qb->createNamedParameter($id)))
->andWhere($qb->expr()->eq('uid', $qb->createNamedParameter($uid)))
->andWhere($qb->expr()->eq('version', $qb->createNamedParameter(PublicKeyToken::VERSION, IQueryBuilder::PARAM_INT)));
$qb->execute();
return $qb->executeQuery()->fetchOne() ?: null;
}

/**
Expand Down
126 changes: 70 additions & 56 deletions lib/private/Authentication/Token/PublicKeyTokenProvider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,13 +29,14 @@
*/
namespace OC\Authentication\Token;

use OCP\ICache;
use OCP\ICacheFactory;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\TokenPasswordExpiredException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
use OC\Authentication\Exceptions\WipeTokenException;
use OCP\AppFramework\Db\TTransactional;
use OCP\Cache\CappedMemoryCache;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\IConfig;
Expand All @@ -47,6 +48,8 @@

class PublicKeyTokenProvider implements IProvider {
public const TOKEN_MIN_LENGTH = 22;
/** Token cache TTL in seconds */
private const TOKEN_CACHE_TTL = 10;

use TTransactional;

Expand All @@ -67,26 +70,28 @@ class PublicKeyTokenProvider implements IProvider {
/** @var ITimeFactory */
private $time;

/** @var CappedMemoryCache */
/** @var ICache */
private $cache;

private IHasher $hasher;
/** @var IHasher */
private $hasher;

public function __construct(PublicKeyTokenMapper $mapper,
ICrypto $crypto,
IConfig $config,
IDBConnection $db,
LoggerInterface $logger,
ITimeFactory $time,
IHasher $hasher) {
IHasher $hasher,
ICacheFactory $cacheFactory) {
$this->mapper = $mapper;
$this->crypto = $crypto;
$this->config = $config;
$this->db = $db;
$this->logger = $logger;
$this->time = $time;

$this->cache = new CappedMemoryCache();
$this->cache = $cacheFactory->createLocal('authtoken_');
$this->hasher = $hasher;
}

Expand Down Expand Up @@ -128,7 +133,7 @@ public function generateToken(string $token,
}

// Add the token to the cache
$this->cache[$dbToken->getToken()] = $dbToken;
$this->cacheToken($dbToken);

return $dbToken;
}
Expand Down Expand Up @@ -156,43 +161,56 @@ public function getToken(string $tokenId): IToken {
}

$tokenHash = $this->hashToken($tokenId);
if ($token = $this->getTokenFromCache($tokenHash)) {
$this->checkToken($token);
return $token;
}

if (isset($this->cache[$tokenHash])) {
if ($this->cache[$tokenHash] instanceof DoesNotExistException) {
$ex = $this->cache[$tokenHash];
throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
}
$token = $this->cache[$tokenHash];
} else {
try {
$token = $this->mapper->getToken($tokenHash);
$this->cacheToken($token);
} catch (DoesNotExistException $ex) {
try {
$token = $this->mapper->getToken($tokenHash);
$this->cache[$token->getToken()] = $token;
} catch (DoesNotExistException $ex) {
try {
$token = $this->mapper->getToken($this->hashTokenWithEmptySecret($tokenId));
$this->cache[$token->getToken()] = $token;
$this->rotate($token, $tokenId, $tokenId);
} catch (DoesNotExistException $ex2) {
$this->cache[$tokenHash] = $ex2;
throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
}
$token = $this->mapper->getToken($this->hashTokenWithEmptySecret($tokenId));
$this->rotate($token, $tokenId, $tokenId);
} catch (DoesNotExistException) {
$this->cacheInvalidHash($tokenHash);
throw new InvalidTokenException("Token does not exist: " . $ex->getMessage(), 0, $ex);
}
}

if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
throw new ExpiredTokenException($token);
}
$this->checkToken($token);

if ($token->getType() === IToken::WIPE_TOKEN) {
throw new WipeTokenException($token);
return $token;
}

/**
* @throws InvalidTokenException when token doesn't exist
*/
private function getTokenFromCache(string $tokenHash): ?PublicKeyToken {
$serializedToken = $this->cache->get($tokenHash);
if ($serializedToken === false) {
throw new InvalidTokenException('Token does not exist: ' . $tokenHash);
}

if ($token->getPasswordInvalid() === true) {
//The password is invalid we should throw an TokenPasswordExpiredException
throw new TokenPasswordExpiredException($token);
if ($serializedToken === null) {
return null;
}

return $token;
$token = unserialize($serializedToken, [
'allowed_classes' => [PublicKeyToken::class],
]);

return $token instanceof PublicKeyToken ? $token : null;
}

private function cacheToken(PublicKeyToken $token): void {
$this->cache->set($token->getToken(), serialize($token), self::TOKEN_CACHE_TTL);
}

private function cacheInvalidHash(string $tokenHash): void {
// Invalid entries can be kept longer in cache since it’s unlikely to reuse them
$this->cache->set($tokenHash, false, self::TOKEN_CACHE_TTL * 2);
}

public function getTokenById(int $tokenId): IToken {
Expand All @@ -202,6 +220,12 @@ public function getTokenById(int $tokenId): IToken {
throw new InvalidTokenException("Token with ID $tokenId does not exist: " . $ex->getMessage(), 0, $ex);
}

$this->checkToken($token);

return $token;
}

private function checkToken($token): void {
if ((int)$token->getExpires() !== 0 && $token->getExpires() < $this->time->getTime()) {
throw new ExpiredTokenException($token);
}
Expand All @@ -214,13 +238,9 @@ public function getTokenById(int $tokenId): IToken {
//The password is invalid we should throw an TokenPasswordExpiredException
throw new TokenPasswordExpiredException($token);
}

return $token;
}

public function renewSessionToken(string $oldSessionId, string $sessionId): IToken {
$this->cache->clear();

return $this->atomic(function () use ($oldSessionId, $sessionId) {
$token = $this->getToken($oldSessionId);

Expand All @@ -242,29 +262,32 @@ public function renewSessionToken(string $oldSessionId, string $sessionId): ITok
IToken::TEMPORARY_TOKEN,
$token->getRemember()
);
$this->cacheToken($newToken);

$this->cacheInvalidHash($token->getToken());
$this->mapper->delete($token);

return $newToken;
}, $this->db);
}

public function invalidateToken(string $token) {
$this->cache->clear();

$tokenHash = $this->hashToken($token);
$this->mapper->invalidate($this->hashToken($token));
$this->mapper->invalidate($this->hashTokenWithEmptySecret($token));
$this->cacheInvalidHash($tokenHash);
}

public function invalidateTokenById(string $uid, int $id) {
$this->cache->clear();

$this->mapper->deleteById($uid, $id);
$token = $this->mapper->getTokenById($id);
if ($token->getUID() !== $uid) {
return;
}
$this->mapper->invalidate($token->getToken());
$this->cacheInvalidHash($token->getToken());
}

public function invalidateOldTokens() {
$this->cache->clear();

$olderThan = $this->time->getTime() - $this->config->getSystemValueInt('session_lifetime', 60 * 60 * 24);
$this->logger->debug('Invalidating session tokens older than ' . date('c', $olderThan), ['app' => 'cron']);
$this->mapper->invalidateOld($olderThan, IToken::DO_NOT_REMEMBER);
Expand All @@ -274,17 +297,14 @@ public function invalidateOldTokens() {
}

public function updateToken(IToken $token) {
$this->cache->clear();

if (!($token instanceof PublicKeyToken)) {
throw new InvalidTokenException("Invalid token type");
}
$this->mapper->update($token);
$this->cacheToken($token);
}

public function updateTokenActivity(IToken $token) {
$this->cache->clear();

if (!($token instanceof PublicKeyToken)) {
throw new InvalidTokenException("Invalid token type");
}
Expand All @@ -297,6 +317,7 @@ public function updateTokenActivity(IToken $token) {
if ($token->getLastActivity() < ($now - $activityInterval)) {
$token->setLastActivity($now);
$this->mapper->updateActivity($token, $now);
$this->cacheToken($token);
}
}

Expand All @@ -321,8 +342,6 @@ public function getPassword(IToken $savedToken, string $tokenId): string {
}

public function setPassword(IToken $token, string $tokenId, string $password) {
$this->cache->clear();

if (!($token instanceof PublicKeyToken)) {
throw new InvalidTokenException("Invalid token type");
}
Expand All @@ -348,8 +367,6 @@ private function hashPassword(string $password): string {
}

public function rotate(IToken $token, string $oldTokenId, string $newTokenId): IToken {
$this->cache->clear();

if (!($token instanceof PublicKeyToken)) {
throw new InvalidTokenException("Invalid token type");
}
Expand Down Expand Up @@ -473,19 +490,16 @@ private function newToken(string $token,
}

public function markPasswordInvalid(IToken $token, string $tokenId) {
$this->cache->clear();

if (!($token instanceof PublicKeyToken)) {
throw new InvalidTokenException("Invalid token type");
}

$token->setPasswordInvalid(true);
$this->mapper->update($token);
$this->cacheToken($token);
}

public function updatePasswords(string $uid, string $password) {
$this->cache->clear();

// prevent setting an empty pw as result of pw-less-login
if ($password === '' || !$this->config->getSystemValueBool('auth.storeCryptedPassword', true)) {
return;
Expand Down
15 changes: 3 additions & 12 deletions tests/lib/Authentication/Token/PublicKeyTokenMapperTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,7 +227,7 @@ public function testGetTokenByUserNotFound() {
$this->assertCount(0, $this->mapper->getTokenByUser('user1000'));
}

public function testDeleteById() {
public function testGetById() {
/** @var IUser|\PHPUnit\Framework\MockObject\MockObject $user */
$user = $this->createMock(IUser::class);
$qb = $this->dbConnection->getQueryBuilder();
Expand All @@ -237,17 +237,8 @@ public function testDeleteById() {
$result = $qb->execute();
$id = $result->fetch()['id'];

$this->mapper->deleteById('user1', (int)$id);
$this->assertEquals(3, $this->getNumberOfTokens());
}

public function testDeleteByIdWrongUser() {
/** @var IUser|\PHPUnit\Framework\MockObject\MockObject $user */
$user = $this->createMock(IUser::class);
$id = 33;

$this->mapper->deleteById('user1000', $id);
$this->assertEquals(4, $this->getNumberOfTokens());
$token = $this->mapper->getTokenById((int)$id);
$this->assertEquals('user1', $token->getUID());
}

public function testDeleteByName() {
Expand Down
14 changes: 11 additions & 3 deletions tests/lib/Authentication/Token/PublicKeyTokenProviderTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@

namespace Test\Authentication\Token;

use OCP\Security\IHasher;
use OC\Authentication\Exceptions\ExpiredTokenException;
use OC\Authentication\Exceptions\InvalidTokenException;
use OC\Authentication\Exceptions\PasswordlessTokenException;
Expand All @@ -35,6 +36,7 @@
use OC\Authentication\Token\PublicKeyTokenProvider;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Utility\ITimeFactory;
use OCP\ICacheFactory;
use OCP\IConfig;
use OCP\IDBConnection;
use OCP\Security\ICrypto;
Expand All @@ -57,6 +59,10 @@ class PublicKeyTokenProviderTest extends TestCase {
private $logger;
/** @var ITimeFactory|\PHPUnit\Framework\MockObject\MockObject */
private $timeFactory;
/** @var IHasher|\PHPUnit\Framework\MockObject\MockObject */
private $hasher;
/** @var ICacheFactory|\PHPUnit\Framework\MockObject\MockObject */
private $cacheFactory;
/** @var int */
private $time;

Expand Down Expand Up @@ -87,6 +93,7 @@ protected function setUp(): void {
$this->time = 1313131;
$this->timeFactory->method('getTime')
->willReturn($this->time);
$this->cacheFactory = $this->createMock(ICacheFactory::class);

$this->tokenProvider = new PublicKeyTokenProvider(
$this->mapper,
Expand All @@ -96,6 +103,7 @@ protected function setUp(): void {
$this->logger,
$this->timeFactory,
$this->hasher,
$this->cacheFactory,
);
}

Expand Down Expand Up @@ -329,12 +337,12 @@ public function testInvalidateToken() {
$this->tokenProvider->invalidateToken('token7');
}

public function testInvaildateTokenById() {
public function testInvalidateTokenById() {
$id = 123;

$this->mapper->expects($this->once())
->method('deleteById')
->with('uid', $id);
->method('getTokenById')
->with($id);

$this->tokenProvider->invalidateTokenById('uid', $id);
}
Expand Down