Add Jwt cache. #14341
Add Jwt cache. #14341
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,8 @@ | ||
| #include "extensions/filters/http/jwt_authn/jwks_cache.h" | ||
|
|
||
| #include <chrono> | ||
| #include <memory> | ||
| #include <string> | ||
|
|
||
| #include "envoy/common/time.h" | ||
| #include "envoy/extensions/filters/http/jwt_authn/v3/config.pb.h" | ||
|
|
@@ -26,7 +28,7 @@ namespace { | |
| // Default cache expiration time in 5 minutes. | ||
| constexpr int PubkeyCacheExpirationSec = 600; | ||
|
|
||
| class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable<Logger::Id::jwt> { | ||
| class JwksDataImpl : public Cache::JwksData, public Logger::Loggable<Logger::Id::jwt> { | ||
| public: | ||
| JwksDataImpl(const JwtProvider& jwt_provider, TimeSource& time_source, Api::Api& api) | ||
| : jwt_provider_(jwt_provider), time_source_(time_source) { | ||
|
|
@@ -63,6 +65,23 @@ class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable<Logger: | |
| return setKey(std::move(jwks), getRemoteJwksExpirationTime()); | ||
| } | ||
|
|
||
| Status getJwtStatus() override { return jwt_status_; } | ||
|
|
||
| void addTokenResult(const std::string& token, ::google::jwt_verify::Jwt& token_result) override { | ||
| jwt_status_ = token_result.parseFromString(token); | ||
| if (jwt_status_ == Status::Ok) { | ||
| jwt_ = std::make_unique<::google::jwt_verify::Jwt>(token_result); | ||
| } | ||
| } | ||
|
|
||
| bool findTokenResult(const std::string& token, ::google::jwt_verify::Jwt& token_result) override { | ||
| Status status = token_result.parseFromString(token); | ||
| if (status != Status::Ok) { | ||
| return false; | ||
| } | ||
| return true; | ||
| } | ||
|
|
||
| private: | ||
| // Get the expiration time for a remote Jwks | ||
| std::chrono::steady_clock::time_point getRemoteJwksExpirationTime() const { | ||
|
|
@@ -92,9 +111,13 @@ class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable<Logger: | |
| TimeSource& time_source_; | ||
| // The pubkey expiration time. | ||
| MonotonicTime expiration_time_; | ||
| // Jwt object for verified token. | ||
| std::unique_ptr<::google::jwt_verify::Jwt> jwt_; | ||
|
Contributor
The cache should be: In the jwt_authn config, in the JwtProvider config, add
Contributor
should the cache have a (optionally) limited size to cap the amount of memory it can use?
Contributor
ahh nvm, i saw you commented on that.
Contributor
Author
Done.
||
| // A valid error on parsing Jwt. | ||
| Status jwt_status_; | ||
| }; | ||
|
|
||
| class JwksCacheImpl : public JwksCache { | ||
| class JwksCacheImpl : public Cache { | ||
| public: | ||
| // Load the config from envoy config. | ||
| JwksCacheImpl(const JwtAuthentication& config, TimeSource& time_source, Api::Api& api) { | ||
|
|
@@ -132,10 +155,10 @@ class JwksCacheImpl : public JwksCache { | |
|
|
||
| } // namespace | ||
|
|
||
| JwksCachePtr | ||
| JwksCache::create(const envoy::extensions::filters::http::jwt_authn::v3::JwtAuthentication& config, | ||
| TimeSource& time_source, Api::Api& api) { | ||
| return JwksCachePtr(new JwksCacheImpl(config, time_source, api)); | ||
| CachePtr | ||
| Cache::create(const envoy::extensions::filters::http::jwt_authn::v3::JwtAuthentication& config, | ||
| TimeSource& time_source, Api::Api& api) { | ||
| return CachePtr(new JwksCacheImpl(config, time_source, api)); | ||
| } | ||
|
|
||
| } // namespace JwtAuthn | ||
|
|
||
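Review bot: findTokenResult in the third hunk never consults the cached jwt_ — it re-parses token into token_result and returns true for any syntactically valid JWT, so a caller that treats a true return as "this token was seen and verified before" would get a hit for tokens that were never added (the lookup contract is not documented, so that reading of the caller is inferred). addTokenResult, in the same hunk, stores a copy of token_result in jwt_, but nothing in the hunk ever reads jwt_ back, and the fourth hunk's comment describes it as the "Jwt object for verified token" although addTokenResult only checks that parsing succeeded. A lookup should succeed only when the request token equals the token that was added, and should hand back the cached Jwt instead of re-parsing; that needs the raw token kept next to jwt_ as the key, and the two methods deserve a short comment stating that find is a hit only for the exact token previously added. JwksDataImpl's definition begins before and ends after this hunk, and the member declarations it would touch are in the fourth hunk.

```cpp
  void addTokenResult(const std::string& token, ::google::jwt_verify::Jwt& token_result) override {
    jwt_status_ = token_result.parseFromString(token);
    if (jwt_status_ == Status::Ok) {
      // Keep the raw token as the lookup key for findTokenResult.
      cached_token_ = token;
      jwt_ = std::make_unique<::google::jwt_verify::Jwt>(token_result);
    }
  }

  bool findTokenResult(const std::string& token, ::google::jwt_verify::Jwt& token_result) override {
    // Hit only for the exact token that addTokenResult stored; never re-parse here.
    if (jwt_ == nullptr || token != cached_token_) {
      return false;
    }
    token_result = *jwt_; // Jwt is already copied via make_unique above; assumes it is copy-assignable too
    return true;
  }
  // … unchanged: private helpers and remaining members …
  // Raw token that jwt_ was parsed from; the key compared in findTokenResult.
  std::string cached_token_;
```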