From 615fb8cd77038d1e14e0afebd4b0d7ba0de89e3d Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Tue, 18 Dec 2018 14:27:29 +0100 Subject: [PATCH] Cache tokens when using swift's v2 authentication Signed-off-by: Robin Appelman --- .../Files/ObjectStore/SwiftFactory.php | 68 ++++++++++++++----- .../ObjectStore/SwiftV2CachingAuthService.php | 35 ++++++++++ tests/preseed-config.php | 8 +++ 3 files changed, 94 insertions(+), 17 deletions(-) create mode 100644 lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php diff --git a/lib/private/Files/ObjectStore/SwiftFactory.php b/lib/private/Files/ObjectStore/SwiftFactory.php index 3ff534b4e6..1034026327 100644 --- a/lib/private/Files/ObjectStore/SwiftFactory.php +++ b/lib/private/Files/ObjectStore/SwiftFactory.php @@ -33,6 +33,7 @@ use OCP\ICache; use OCP\ILogger; use OpenStack\Common\Error\BadResponseError; use OpenStack\Common\Auth\Token; +use OpenStack\Identity\v2\Models\Catalog; use OpenStack\Identity\v2\Service as IdentityV2Service; use OpenStack\Identity\v3\Service as IdentityV3Service; use OpenStack\OpenStack; @@ -47,6 +48,13 @@ class SwiftFactory { private $container = null; private $logger; + const DEFAULT_OPTIONS = [ + 'autocreate' => false, + 'urlType' => 'publicURL', + 'catalogName' => 'swift', + 'catalogType' => 'object-store' + ]; + public function __construct(ICache $cache, array $params, ILogger $logger) { $this->cache = $cache; $this->params = $params; @@ -62,11 +70,21 @@ class SwiftFactory { } } - private function cacheToken(Token $token, string $cacheKey) { + private function cacheToken(Token $token, string $serviceUrl, string $cacheKey) { if ($token instanceof \OpenStack\Identity\v3\Models\Token) { + // for v3 the catalog is cached as part of the token, so no need to cache $serviceUrl separately $value = json_encode($token->export()); } else { - $value = json_encode($token); + /** @var \OpenStack\Identity\v2\Models\Token $token */ + $value = json_encode([ + 'serviceUrl' => $serviceUrl, + 'token' => [ + 'issued_at' => $token->issuedAt->format('c'), + 'expires' => $token->expires->format('c'), + 'id' => $token->id, + 'tenant' => $token->tenant + ] + ]); } $this->cache->set($cacheKey . '/token', $value); } @@ -82,10 +100,6 @@ class SwiftFactory { if (!isset($this->params['container'])) { $this->params['container'] = 'nextcloud'; } - if (!isset($this->params['autocreate'])) { - // should only be true for tests - $this->params['autocreate'] = false; - } if (isset($this->params['user']) && is_array($this->params['user'])) { $userName = $this->params['user']['name']; } else { @@ -97,6 +111,7 @@ class SwiftFactory { if (!isset($this->params['tenantName']) && isset($this->params['tenant'])) { $this->params['tenantName'] = $this->params['tenant']; } + $this->params = array_merge(self::DEFAULT_OPTIONS, $this->params); $cacheKey = $userName . '@' . $this->params['url'] . '/' . $this->params['container']; $token = $this->getCachedToken($cacheKey); @@ -114,7 +129,7 @@ class SwiftFactory { return $this->auth(IdentityV3Service::factory($httpClient), $cacheKey); } else { - return $this->auth(IdentityV2Service::factory($httpClient), $cacheKey); + return $this->auth(SwiftV2CachingAuthService::factory($httpClient), $cacheKey); } } @@ -127,25 +142,41 @@ class SwiftFactory { private function auth($authService, string $cacheKey) { $this->params['identityService'] = $authService; $this->params['authUrl'] = $this->params['url']; - $client = new OpenStack($this->params); $cachedToken = $this->params['cachedToken']; $hasValidCachedToken = false; - if (\is_array($cachedToken) && ($authService instanceof IdentityV3Service)) { - $token = $authService->generateTokenFromCache($cachedToken); - if (\is_null($token->catalog)) { - $this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken)); - } else if ($token->hasExpired()) { - $this->logger->debug('Cached token for swift expired'); + if (\is_array($cachedToken)) { + if ($authService instanceof IdentityV3Service) { + $token = $authService->generateTokenFromCache($cachedToken); + if (\is_null($token->catalog)) { + $this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken)); + } else if ($token->hasExpired()) { + $this->logger->debug('Cached token for swift expired'); + } else { + $hasValidCachedToken = true; + } } else { - $hasValidCachedToken = true; + try { + /** @var \OpenStack\Identity\v2\Models\Token $token */ + $token = $authService->model(\OpenStack\Identity\v2\Models\Token::class, $cachedToken['token']); + $now = new \DateTimeImmutable("now"); + if ($token->expires > $now) { + $hasValidCachedToken = true; + $this->params['v2cachedToken'] = $token; + $this->params['v2serviceUrl'] = $cachedToken['serviceUrl']; + } else { + $this->logger->debug('Cached token for swift expired'); + } + } catch (\Exception $e) { + $this->logger->logException($e); + } } } if (!$hasValidCachedToken) { try { - $token = $authService->generateToken($this->params); - $this->cacheToken($token, $cacheKey); + list($token, $serviceUrl) = $authService->authenticate($this->params); + $this->cacheToken($token, $serviceUrl, $cacheKey); } catch (ConnectException $e) { throw new StorageAuthException('Failed to connect to keystone, verify the keystone url', $e); } catch (ClientException $e) { @@ -164,6 +195,9 @@ class SwiftFactory { } } + + $client = new OpenStack($this->params); + return $client; } diff --git a/lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php b/lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php new file mode 100644 index 0000000000..38f1e54dac --- /dev/null +++ b/lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php @@ -0,0 +1,35 @@ + + * + * @license GNU AGPL version 3 or any later version + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + * + */ + +namespace OC\Files\ObjectStore; + + +use OpenStack\Identity\v2\Service; + +class SwiftV2CachingAuthService extends Service { + public function authenticate(array $options = []): array { + if (!empty($options['v2cachedToken'])) { + return [$options['v2cachedToken'], $options['v2serviceUrl']]; + } else { + return parent::authenticate($options); + } + } +} diff --git a/tests/preseed-config.php b/tests/preseed-config.php index 70cf272fae..2d88d93915 100644 --- a/tests/preseed-config.php +++ b/tests/preseed-config.php @@ -63,6 +63,14 @@ if (getenv('OBJECT_STORE') === 'swift') { 'name' => 'default', ] ], + 'scope' => [ + 'project' => [ + 'name' => 'service', + 'domain' => [ + 'name' => 'default', + ], + ], + ], 'tenantName' => 'service', 'serviceName' => 'swift', 'region' => 'regionOne',