Bladeren bron
Cache tokens when using swift's v2 authentication
Signed-off-by: Robin Appelman <robin@icewind.nl>tags/v16.0.0alpha1
Robin Appelman
5 jaren geleden
3 gewijzigde bestanden met toevoegingen van 94 en 17 verwijderingen
+ 51
- 17
lib/private/Files/ObjectStore/SwiftFactory.php
Bestand weergeven
| @@ -33,6 +33,7 @@ use OCP\ICache; | |||
| use OCP\ILogger; | |||
| use OpenStack\Common\Error\BadResponseError; | |||
| use OpenStack\Common\Auth\Token; | |||
| use OpenStack\Identity\v2\Models\Catalog; | |||
| use OpenStack\Identity\v2\Service as IdentityV2Service; | |||
| use OpenStack\Identity\v3\Service as IdentityV3Service; | |||
| use OpenStack\OpenStack; | |||
| @@ -47,6 +48,13 @@ class SwiftFactory { | |||
| private $container = null; | |||
| private $logger; | |||
| const DEFAULT_OPTIONS = [ | |||
| 'autocreate' => false, | |||
| 'urlType' => 'publicURL', | |||
| 'catalogName' => 'swift', | |||
| 'catalogType' => 'object-store' | |||
| ]; | |||
| public function __construct(ICache $cache, array $params, ILogger $logger) { | |||
| $this->cache = $cache; | |||
| $this->params = $params; | |||
| @@ -62,11 +70,21 @@ class SwiftFactory { | |||
| } | |||
| } | |||
| private function cacheToken(Token $token, string $cacheKey) { | |||
| private function cacheToken(Token $token, string $serviceUrl, string $cacheKey) { | |||
| if ($token instanceof \OpenStack\Identity\v3\Models\Token) { | |||
| // for v3 the catalog is cached as part of the token, so no need to cache $serviceUrl separately | |||
| $value = json_encode($token->export()); | |||
| } else { | |||
| $value = json_encode($token); | |||
| /** @var \OpenStack\Identity\v2\Models\Token $token */ | |||
| $value = json_encode([ | |||
| 'serviceUrl' => $serviceUrl, | |||
| 'token' => [ | |||
| 'issued_at' => $token->issuedAt->format('c'), | |||
| 'expires' => $token->expires->format('c'), | |||
| 'id' => $token->id, | |||
| 'tenant' => $token->tenant | |||
| ] | |||
| ]); | |||
| } | |||
| $this->cache->set($cacheKey . '/token', $value); | |||
| } | |||
| @@ -82,10 +100,6 @@ class SwiftFactory { | |||
| if (!isset($this->params['container'])) { | |||
| $this->params['container'] = 'nextcloud'; | |||
| } | |||
| if (!isset($this->params['autocreate'])) { | |||
| // should only be true for tests | |||
| $this->params['autocreate'] = false; | |||
| } | |||
| if (isset($this->params['user']) && is_array($this->params['user'])) { | |||
| $userName = $this->params['user']['name']; | |||
| } else { | |||
| @@ -97,6 +111,7 @@ class SwiftFactory { | |||
| if (!isset($this->params['tenantName']) && isset($this->params['tenant'])) { | |||
| $this->params['tenantName'] = $this->params['tenant']; | |||
| } | |||
| $this->params = array_merge(self::DEFAULT_OPTIONS, $this->params); | |||
| $cacheKey = $userName . '@' . $this->params['url'] . '/' . $this->params['container']; | |||
| $token = $this->getCachedToken($cacheKey); | |||
| @@ -114,7 +129,7 @@ class SwiftFactory { | |||
| return $this->auth(IdentityV3Service::factory($httpClient), $cacheKey); | |||
| } else { | |||
| return $this->auth(IdentityV2Service::factory($httpClient), $cacheKey); | |||
| return $this->auth(SwiftV2CachingAuthService::factory($httpClient), $cacheKey); | |||
| } | |||
| } | |||
| @@ -127,25 +142,41 @@ class SwiftFactory { | |||
| private function auth($authService, string $cacheKey) { | |||
| $this->params['identityService'] = $authService; | |||
| $this->params['authUrl'] = $this->params['url']; | |||
| $client = new OpenStack($this->params); | |||
| $cachedToken = $this->params['cachedToken']; | |||
| $hasValidCachedToken = false; | |||
| if (\is_array($cachedToken) && ($authService instanceof IdentityV3Service)) { | |||
| $token = $authService->generateTokenFromCache($cachedToken); | |||
| if (\is_null($token->catalog)) { | |||
| $this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken)); | |||
| } else if ($token->hasExpired()) { | |||
| $this->logger->debug('Cached token for swift expired'); | |||
| if (\is_array($cachedToken)) { | |||
| if ($authService instanceof IdentityV3Service) { | |||
| $token = $authService->generateTokenFromCache($cachedToken); | |||
| if (\is_null($token->catalog)) { | |||
| $this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken)); | |||
| } else if ($token->hasExpired()) { | |||
| $this->logger->debug('Cached token for swift expired'); | |||
| } else { | |||
| $hasValidCachedToken = true; | |||
| } | |||
| } else { | |||
| $hasValidCachedToken = true; | |||
| try { | |||
| /** @var \OpenStack\Identity\v2\Models\Token $token */ | |||
| $token = $authService->model(\OpenStack\Identity\v2\Models\Token::class, $cachedToken['token']); | |||
| $now = new \DateTimeImmutable("now"); | |||
| if ($token->expires > $now) { | |||
| $hasValidCachedToken = true; | |||
| $this->params['v2cachedToken'] = $token; | |||
| $this->params['v2serviceUrl'] = $cachedToken['serviceUrl']; | |||
| } else { | |||
| $this->logger->debug('Cached token for swift expired'); | |||
| } | |||
| } catch (\Exception $e) { | |||
| $this->logger->logException($e); | |||
| } | |||
| } | |||
| } | |||
| if (!$hasValidCachedToken) { | |||
| try { | |||
| $token = $authService->generateToken($this->params); | |||
| $this->cacheToken($token, $cacheKey); | |||
| list($token, $serviceUrl) = $authService->authenticate($this->params); | |||
| $this->cacheToken($token, $serviceUrl, $cacheKey); | |||
| } catch (ConnectException $e) { | |||
| throw new StorageAuthException('Failed to connect to keystone, verify the keystone url', $e); | |||
| } catch (ClientException $e) { | |||
| @@ -164,6 +195,9 @@ class SwiftFactory { | |||
| } | |||
| } | |||
| $client = new OpenStack($this->params); | |||
| return $client; | |||
| } | |||
+ 35
- 0
lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php
Bestand weergeven
| @@ -0,0 +1,35 @@ | |||
| <?php declare(strict_types=1); | |||
| /** | |||
| * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl> | |||
| * | |||
| * @license GNU AGPL version 3 or any later version | |||
| * | |||
| * This program is free software: you can redistribute it and/or modify | |||
| * it under the terms of the GNU Affero General Public License as | |||
| * published by the Free Software Foundation, either version 3 of the | |||
| * License, or (at your option) any later version. | |||
| * | |||
| * This program is distributed in the hope that it will be useful, | |||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | |||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |||
| * GNU Affero General Public License for more details. | |||
| * | |||
| * You should have received a copy of the GNU Affero General Public License | |||
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | |||
| * | |||
| */ | |||
| namespace OC\Files\ObjectStore; | |||
| use OpenStack\Identity\v2\Service; | |||
| class SwiftV2CachingAuthService extends Service { | |||
| public function authenticate(array $options = []): array { | |||
| if (!empty($options['v2cachedToken'])) { | |||
| return [$options['v2cachedToken'], $options['v2serviceUrl']]; | |||
| } else { | |||
| return parent::authenticate($options); | |||
| } | |||
| } | |||
| } | |||
+ 8
- 0
tests/preseed-config.php
Bestand weergeven
| @@ -63,6 +63,14 @@ if (getenv('OBJECT_STORE') === 'swift') { | |||
| 'name' => 'default', | |||
| ] | |||
| ], | |||
| 'scope' => [ | |||
| 'project' => [ | |||
| 'name' => 'service', | |||
| 'domain' => [ | |||
| 'name' => 'default', | |||
| ], | |||
| ], | |||
| ], | |||
| 'tenantName' => 'service', | |||
| 'serviceName' => 'swift', | |||
| 'region' => 'regionOne', | |||
Laden…