Cache tokens when using swift's v2 authentication
Signed-off-by: Robin Appelman <robin@icewind.nl>
This commit is contained in:
parent
54093e2bd6
commit
615fb8cd77
|
@ -33,6 +33,7 @@ use OCP\ICache;
|
|||
use OCP\ILogger;
|
||||
use OpenStack\Common\Error\BadResponseError;
|
||||
use OpenStack\Common\Auth\Token;
|
||||
use OpenStack\Identity\v2\Models\Catalog;
|
||||
use OpenStack\Identity\v2\Service as IdentityV2Service;
|
||||
use OpenStack\Identity\v3\Service as IdentityV3Service;
|
||||
use OpenStack\OpenStack;
|
||||
|
@ -47,6 +48,13 @@ class SwiftFactory {
|
|||
private $container = null;
|
||||
private $logger;
|
||||
|
||||
const DEFAULT_OPTIONS = [
|
||||
'autocreate' => false,
|
||||
'urlType' => 'publicURL',
|
||||
'catalogName' => 'swift',
|
||||
'catalogType' => 'object-store'
|
||||
];
|
||||
|
||||
public function __construct(ICache $cache, array $params, ILogger $logger) {
|
||||
$this->cache = $cache;
|
||||
$this->params = $params;
|
||||
|
@ -62,11 +70,21 @@ class SwiftFactory {
|
|||
}
|
||||
}
|
||||
|
||||
private function cacheToken(Token $token, string $cacheKey) {
|
||||
private function cacheToken(Token $token, string $serviceUrl, string $cacheKey) {
|
||||
if ($token instanceof \OpenStack\Identity\v3\Models\Token) {
|
||||
// for v3 the catalog is cached as part of the token, so no need to cache $serviceUrl separately
|
||||
$value = json_encode($token->export());
|
||||
} else {
|
||||
$value = json_encode($token);
|
||||
/** @var \OpenStack\Identity\v2\Models\Token $token */
|
||||
$value = json_encode([
|
||||
'serviceUrl' => $serviceUrl,
|
||||
'token' => [
|
||||
'issued_at' => $token->issuedAt->format('c'),
|
||||
'expires' => $token->expires->format('c'),
|
||||
'id' => $token->id,
|
||||
'tenant' => $token->tenant
|
||||
]
|
||||
]);
|
||||
}
|
||||
$this->cache->set($cacheKey . '/token', $value);
|
||||
}
|
||||
|
@ -82,10 +100,6 @@ class SwiftFactory {
|
|||
if (!isset($this->params['container'])) {
|
||||
$this->params['container'] = 'nextcloud';
|
||||
}
|
||||
if (!isset($this->params['autocreate'])) {
|
||||
// should only be true for tests
|
||||
$this->params['autocreate'] = false;
|
||||
}
|
||||
if (isset($this->params['user']) && is_array($this->params['user'])) {
|
||||
$userName = $this->params['user']['name'];
|
||||
} else {
|
||||
|
@ -97,6 +111,7 @@ class SwiftFactory {
|
|||
if (!isset($this->params['tenantName']) && isset($this->params['tenant'])) {
|
||||
$this->params['tenantName'] = $this->params['tenant'];
|
||||
}
|
||||
$this->params = array_merge(self::DEFAULT_OPTIONS, $this->params);
|
||||
|
||||
$cacheKey = $userName . '@' . $this->params['url'] . '/' . $this->params['container'];
|
||||
$token = $this->getCachedToken($cacheKey);
|
||||
|
@ -114,7 +129,7 @@ class SwiftFactory {
|
|||
|
||||
return $this->auth(IdentityV3Service::factory($httpClient), $cacheKey);
|
||||
} else {
|
||||
return $this->auth(IdentityV2Service::factory($httpClient), $cacheKey);
|
||||
return $this->auth(SwiftV2CachingAuthService::factory($httpClient), $cacheKey);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -127,25 +142,41 @@ class SwiftFactory {
|
|||
private function auth($authService, string $cacheKey) {
|
||||
$this->params['identityService'] = $authService;
|
||||
$this->params['authUrl'] = $this->params['url'];
|
||||
$client = new OpenStack($this->params);
|
||||
|
||||
$cachedToken = $this->params['cachedToken'];
|
||||
$hasValidCachedToken = false;
|
||||
if (\is_array($cachedToken) && ($authService instanceof IdentityV3Service)) {
|
||||
$token = $authService->generateTokenFromCache($cachedToken);
|
||||
if (\is_null($token->catalog)) {
|
||||
$this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken));
|
||||
} else if ($token->hasExpired()) {
|
||||
$this->logger->debug('Cached token for swift expired');
|
||||
if (\is_array($cachedToken)) {
|
||||
if ($authService instanceof IdentityV3Service) {
|
||||
$token = $authService->generateTokenFromCache($cachedToken);
|
||||
if (\is_null($token->catalog)) {
|
||||
$this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken));
|
||||
} else if ($token->hasExpired()) {
|
||||
$this->logger->debug('Cached token for swift expired');
|
||||
} else {
|
||||
$hasValidCachedToken = true;
|
||||
}
|
||||
} else {
|
||||
$hasValidCachedToken = true;
|
||||
try {
|
||||
/** @var \OpenStack\Identity\v2\Models\Token $token */
|
||||
$token = $authService->model(\OpenStack\Identity\v2\Models\Token::class, $cachedToken['token']);
|
||||
$now = new \DateTimeImmutable("now");
|
||||
if ($token->expires > $now) {
|
||||
$hasValidCachedToken = true;
|
||||
$this->params['v2cachedToken'] = $token;
|
||||
$this->params['v2serviceUrl'] = $cachedToken['serviceUrl'];
|
||||
} else {
|
||||
$this->logger->debug('Cached token for swift expired');
|
||||
}
|
||||
} catch (\Exception $e) {
|
||||
$this->logger->logException($e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!$hasValidCachedToken) {
|
||||
try {
|
||||
$token = $authService->generateToken($this->params);
|
||||
$this->cacheToken($token, $cacheKey);
|
||||
list($token, $serviceUrl) = $authService->authenticate($this->params);
|
||||
$this->cacheToken($token, $serviceUrl, $cacheKey);
|
||||
} catch (ConnectException $e) {
|
||||
throw new StorageAuthException('Failed to connect to keystone, verify the keystone url', $e);
|
||||
} catch (ClientException $e) {
|
||||
|
@ -164,6 +195,9 @@ class SwiftFactory {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
$client = new OpenStack($this->params);
|
||||
|
||||
return $client;
|
||||
}
|
||||
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
<?php declare(strict_types=1);
|
||||
/**
|
||||
* @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
|
||||
*
|
||||
* @license GNU AGPL version 3 or any later version
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as
|
||||
* published by the Free Software Foundation, either version 3 of the
|
||||
* License, or (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
namespace OC\Files\ObjectStore;
|
||||
|
||||
|
||||
use OpenStack\Identity\v2\Service;
|
||||
|
||||
class SwiftV2CachingAuthService extends Service {
|
||||
public function authenticate(array $options = []): array {
|
||||
if (!empty($options['v2cachedToken'])) {
|
||||
return [$options['v2cachedToken'], $options['v2serviceUrl']];
|
||||
} else {
|
||||
return parent::authenticate($options);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -63,6 +63,14 @@ if (getenv('OBJECT_STORE') === 'swift') {
|
|||
'name' => 'default',
|
||||
]
|
||||
],
|
||||
'scope' => [
|
||||
'project' => [
|
||||
'name' => 'service',
|
||||
'domain' => [
|
||||
'name' => 'default',
|
||||
],
|
||||
],
|
||||
],
|
||||
'tenantName' => 'service',
|
||||
'serviceName' => 'swift',
|
||||
'region' => 'regionOne',
|
||||
|
|
Loading…
Reference in New Issue